cobaltstrike | 91f41182946b4722174a07d0ae28a6ae687b3186635bb7cd3597e691b0ad7e0d

Analysis

max time kernel
140s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27/11/2024, 05:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-27_ca69430f95b025473b8ac1a2a775a33f_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

ca69430f95b025473b8ac1a2a775a33f
SHA1

65194119da266097fa47377cb307f5cabb2d2137
SHA256

91f41182946b4722174a07d0ae28a6ae687b3186635bb7cd3597e691b0ad7e0d
SHA512

d22e5b7e4a2b7dba83fb22aa8189eb9e72542bdf0f73f410b094454fb84f76467019bfb3cf23e6b16da719cb93a81671af8a83339a290a7160f5e27f1604937f
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lq:RWWBibf56utgpPFotBER/mQ32lUu

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0008000000023c65-4.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c68-22.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c69-23.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c67-27.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c66-18.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c6a-42.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c6b-46.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c6c-49.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c6d-52.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c63-61.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c6e-65.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c70-70.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c71-77.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c74-96.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c78-126.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c77-123.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c76-114.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c75-112.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c73-92.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c72-88.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c79-133.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 46 IoCs

miner

resource	yara_rule
behavioral2/memory/2572-118-0x00007FF6265F0000-0x00007FF626941000-memory.dmp	xmrig
behavioral2/memory/400-128-0x00007FF767990000-0x00007FF767CE1000-memory.dmp	xmrig
behavioral2/memory/3112-121-0x00007FF6855C0000-0x00007FF685911000-memory.dmp	xmrig
behavioral2/memory/4216-120-0x00007FF68ADA0000-0x00007FF68B0F1000-memory.dmp	xmrig
behavioral2/memory/3604-117-0x00007FF773610000-0x00007FF773961000-memory.dmp	xmrig
behavioral2/memory/4908-109-0x00007FF76CC10000-0x00007FF76CF61000-memory.dmp	xmrig
behavioral2/memory/4548-103-0x00007FF76B990000-0x00007FF76BCE1000-memory.dmp	xmrig
behavioral2/memory/8-94-0x00007FF7F4510000-0x00007FF7F4861000-memory.dmp	xmrig
behavioral2/memory/4384-81-0x00007FF6781D0000-0x00007FF678521000-memory.dmp	xmrig
behavioral2/memory/3532-78-0x00007FF65F270000-0x00007FF65F5C1000-memory.dmp	xmrig
behavioral2/memory/1384-72-0x00007FF7C0E30000-0x00007FF7C1181000-memory.dmp	xmrig
behavioral2/memory/2316-130-0x00007FF7A7000000-0x00007FF7A7351000-memory.dmp	xmrig
behavioral2/memory/4696-134-0x00007FF6B6FB0000-0x00007FF6B7301000-memory.dmp	xmrig
behavioral2/memory/4708-136-0x00007FF740C80000-0x00007FF740FD1000-memory.dmp	xmrig
behavioral2/memory/1056-137-0x00007FF685920000-0x00007FF685C71000-memory.dmp	xmrig
behavioral2/memory/3952-138-0x00007FF6DE730000-0x00007FF6DEA81000-memory.dmp	xmrig
behavioral2/memory/1384-139-0x00007FF7C0E30000-0x00007FF7C1181000-memory.dmp	xmrig
behavioral2/memory/652-145-0x00007FF7AAD70000-0x00007FF7AB0C1000-memory.dmp	xmrig
behavioral2/memory/764-150-0x00007FF67AF70000-0x00007FF67B2C1000-memory.dmp	xmrig
behavioral2/memory/2584-161-0x00007FF68B490000-0x00007FF68B7E1000-memory.dmp	xmrig
behavioral2/memory/3504-160-0x00007FF654640000-0x00007FF654991000-memory.dmp	xmrig
behavioral2/memory/2352-158-0x00007FF630B30000-0x00007FF630E81000-memory.dmp	xmrig
behavioral2/memory/4708-163-0x00007FF740C80000-0x00007FF740FD1000-memory.dmp	xmrig
behavioral2/memory/3520-162-0x00007FF6F1540000-0x00007FF6F1891000-memory.dmp	xmrig
behavioral2/memory/1384-164-0x00007FF7C0E30000-0x00007FF7C1181000-memory.dmp	xmrig
behavioral2/memory/3532-219-0x00007FF65F270000-0x00007FF65F5C1000-memory.dmp	xmrig
behavioral2/memory/4384-221-0x00007FF6781D0000-0x00007FF678521000-memory.dmp	xmrig
behavioral2/memory/4548-223-0x00007FF76B990000-0x00007FF76BCE1000-memory.dmp	xmrig
behavioral2/memory/4216-225-0x00007FF68ADA0000-0x00007FF68B0F1000-memory.dmp	xmrig
behavioral2/memory/2572-227-0x00007FF6265F0000-0x00007FF626941000-memory.dmp	xmrig
behavioral2/memory/2316-229-0x00007FF7A7000000-0x00007FF7A7351000-memory.dmp	xmrig
behavioral2/memory/400-232-0x00007FF767990000-0x00007FF767CE1000-memory.dmp	xmrig
behavioral2/memory/4696-235-0x00007FF6B6FB0000-0x00007FF6B7301000-memory.dmp	xmrig
behavioral2/memory/1056-237-0x00007FF685920000-0x00007FF685C71000-memory.dmp	xmrig
behavioral2/memory/3952-239-0x00007FF6DE730000-0x00007FF6DEA81000-memory.dmp	xmrig
behavioral2/memory/652-251-0x00007FF7AAD70000-0x00007FF7AB0C1000-memory.dmp	xmrig
behavioral2/memory/764-253-0x00007FF67AF70000-0x00007FF67B2C1000-memory.dmp	xmrig
behavioral2/memory/8-255-0x00007FF7F4510000-0x00007FF7F4861000-memory.dmp	xmrig
behavioral2/memory/4908-257-0x00007FF76CC10000-0x00007FF76CF61000-memory.dmp	xmrig
behavioral2/memory/3504-259-0x00007FF654640000-0x00007FF654991000-memory.dmp	xmrig
behavioral2/memory/3604-261-0x00007FF773610000-0x00007FF773961000-memory.dmp	xmrig
behavioral2/memory/3112-263-0x00007FF6855C0000-0x00007FF685911000-memory.dmp	xmrig
behavioral2/memory/2352-266-0x00007FF630B30000-0x00007FF630E81000-memory.dmp	xmrig
behavioral2/memory/2584-267-0x00007FF68B490000-0x00007FF68B7E1000-memory.dmp	xmrig
behavioral2/memory/3520-269-0x00007FF6F1540000-0x00007FF6F1891000-memory.dmp	xmrig
behavioral2/memory/4708-271-0x00007FF740C80000-0x00007FF740FD1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
3532	rBhcwgA.exe
4384	IPzLmHF.exe
4548	lZZOteu.exe
4216	rllCmKd.exe
2572	yYxpTYj.exe
2316	XFtsVlI.exe
400	SycJmbc.exe
4696	YjacNjT.exe
1056	Tvqcujr.exe
3952	FjNytEh.exe
652	qkkkdBd.exe
764	FCaYCzq.exe
8	jkAuIzZ.exe
3504	hROAVcj.exe
4908	iLrnHJc.exe
3604	cUAbqsV.exe
2352	PkSWnYQ.exe
3112	tGlWNMn.exe
2584	MMNMadz.exe
3520	wVifTIC.exe
4708	nKbRjPQ.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1384-0-0x00007FF7C0E30000-0x00007FF7C1181000-memory.dmp	upx
behavioral2/files/0x0008000000023c65-4.dat	upx
behavioral2/memory/3532-6-0x00007FF65F270000-0x00007FF65F5C1000-memory.dmp	upx
behavioral2/files/0x0007000000023c68-22.dat	upx
behavioral2/files/0x0007000000023c69-23.dat	upx
behavioral2/memory/2572-29-0x00007FF6265F0000-0x00007FF626941000-memory.dmp	upx
behavioral2/files/0x0007000000023c67-27.dat	upx
behavioral2/memory/4548-24-0x00007FF76B990000-0x00007FF76BCE1000-memory.dmp	upx
behavioral2/files/0x0007000000023c66-18.dat	upx
behavioral2/memory/4384-16-0x00007FF6781D0000-0x00007FF678521000-memory.dmp	upx
behavioral2/files/0x0007000000023c6a-42.dat	upx
behavioral2/files/0x0007000000023c6b-46.dat	upx
behavioral2/files/0x0007000000023c6c-49.dat	upx
behavioral2/memory/4696-48-0x00007FF6B6FB0000-0x00007FF6B7301000-memory.dmp	upx
behavioral2/memory/2316-40-0x00007FF7A7000000-0x00007FF7A7351000-memory.dmp	upx
behavioral2/memory/4216-33-0x00007FF68ADA0000-0x00007FF68B0F1000-memory.dmp	upx
behavioral2/memory/400-39-0x00007FF767990000-0x00007FF767CE1000-memory.dmp	upx
behavioral2/files/0x0007000000023c6d-52.dat	upx
behavioral2/memory/1056-56-0x00007FF685920000-0x00007FF685C71000-memory.dmp	upx
behavioral2/memory/3952-60-0x00007FF6DE730000-0x00007FF6DEA81000-memory.dmp	upx
behavioral2/files/0x0008000000023c63-61.dat	upx
behavioral2/files/0x0007000000023c6e-65.dat	upx
behavioral2/memory/652-66-0x00007FF7AAD70000-0x00007FF7AB0C1000-memory.dmp	upx
behavioral2/files/0x0007000000023c70-70.dat	upx
behavioral2/files/0x0007000000023c71-77.dat	upx
behavioral2/files/0x0007000000023c74-96.dat	upx
behavioral2/memory/3504-100-0x00007FF654640000-0x00007FF654991000-memory.dmp	upx
behavioral2/memory/2352-110-0x00007FF630B30000-0x00007FF630E81000-memory.dmp	upx
behavioral2/memory/2572-118-0x00007FF6265F0000-0x00007FF626941000-memory.dmp	upx
behavioral2/files/0x0007000000023c78-126.dat	upx
behavioral2/memory/400-128-0x00007FF767990000-0x00007FF767CE1000-memory.dmp	upx
behavioral2/memory/2584-127-0x00007FF68B490000-0x00007FF68B7E1000-memory.dmp	upx
behavioral2/files/0x0007000000023c77-123.dat	upx
behavioral2/memory/3520-122-0x00007FF6F1540000-0x00007FF6F1891000-memory.dmp	upx
behavioral2/memory/3112-121-0x00007FF6855C0000-0x00007FF685911000-memory.dmp	upx
behavioral2/memory/4216-120-0x00007FF68ADA0000-0x00007FF68B0F1000-memory.dmp	upx
behavioral2/memory/3604-117-0x00007FF773610000-0x00007FF773961000-memory.dmp	upx
behavioral2/files/0x0007000000023c76-114.dat	upx
behavioral2/files/0x0007000000023c75-112.dat	upx
behavioral2/memory/4908-109-0x00007FF76CC10000-0x00007FF76CF61000-memory.dmp	upx
behavioral2/memory/4548-103-0x00007FF76B990000-0x00007FF76BCE1000-memory.dmp	upx
behavioral2/memory/8-94-0x00007FF7F4510000-0x00007FF7F4861000-memory.dmp	upx
behavioral2/files/0x0007000000023c73-92.dat	upx
behavioral2/files/0x0007000000023c72-88.dat	upx
behavioral2/memory/4384-81-0x00007FF6781D0000-0x00007FF678521000-memory.dmp	upx
behavioral2/memory/3532-78-0x00007FF65F270000-0x00007FF65F5C1000-memory.dmp	upx
behavioral2/memory/764-74-0x00007FF67AF70000-0x00007FF67B2C1000-memory.dmp	upx
behavioral2/memory/1384-72-0x00007FF7C0E30000-0x00007FF7C1181000-memory.dmp	upx
behavioral2/memory/2316-130-0x00007FF7A7000000-0x00007FF7A7351000-memory.dmp	upx
behavioral2/memory/4696-134-0x00007FF6B6FB0000-0x00007FF6B7301000-memory.dmp	upx
behavioral2/memory/4708-136-0x00007FF740C80000-0x00007FF740FD1000-memory.dmp	upx
behavioral2/files/0x0007000000023c79-133.dat	upx
behavioral2/memory/1056-137-0x00007FF685920000-0x00007FF685C71000-memory.dmp	upx
behavioral2/memory/3952-138-0x00007FF6DE730000-0x00007FF6DEA81000-memory.dmp	upx
behavioral2/memory/1384-139-0x00007FF7C0E30000-0x00007FF7C1181000-memory.dmp	upx
behavioral2/memory/652-145-0x00007FF7AAD70000-0x00007FF7AB0C1000-memory.dmp	upx
behavioral2/memory/764-150-0x00007FF67AF70000-0x00007FF67B2C1000-memory.dmp	upx
behavioral2/memory/2584-161-0x00007FF68B490000-0x00007FF68B7E1000-memory.dmp	upx
behavioral2/memory/3504-160-0x00007FF654640000-0x00007FF654991000-memory.dmp	upx
behavioral2/memory/2352-158-0x00007FF630B30000-0x00007FF630E81000-memory.dmp	upx
behavioral2/memory/4708-163-0x00007FF740C80000-0x00007FF740FD1000-memory.dmp	upx
behavioral2/memory/3520-162-0x00007FF6F1540000-0x00007FF6F1891000-memory.dmp	upx
behavioral2/memory/1384-164-0x00007FF7C0E30000-0x00007FF7C1181000-memory.dmp	upx
behavioral2/memory/3532-219-0x00007FF65F270000-0x00007FF65F5C1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\rBhcwgA.exe	2024-11-27_ca69430f95b025473b8ac1a2a775a33f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IPzLmHF.exe	2024-11-27_ca69430f95b025473b8ac1a2a775a33f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XFtsVlI.exe	2024-11-27_ca69430f95b025473b8ac1a2a775a33f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qkkkdBd.exe	2024-11-27_ca69430f95b025473b8ac1a2a775a33f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iLrnHJc.exe	2024-11-27_ca69430f95b025473b8ac1a2a775a33f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rllCmKd.exe	2024-11-27_ca69430f95b025473b8ac1a2a775a33f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yYxpTYj.exe	2024-11-27_ca69430f95b025473b8ac1a2a775a33f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jkAuIzZ.exe	2024-11-27_ca69430f95b025473b8ac1a2a775a33f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cUAbqsV.exe	2024-11-27_ca69430f95b025473b8ac1a2a775a33f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PkSWnYQ.exe	2024-11-27_ca69430f95b025473b8ac1a2a775a33f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nKbRjPQ.exe	2024-11-27_ca69430f95b025473b8ac1a2a775a33f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SycJmbc.exe	2024-11-27_ca69430f95b025473b8ac1a2a775a33f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\Tvqcujr.exe	2024-11-27_ca69430f95b025473b8ac1a2a775a33f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FjNytEh.exe	2024-11-27_ca69430f95b025473b8ac1a2a775a33f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MMNMadz.exe	2024-11-27_ca69430f95b025473b8ac1a2a775a33f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lZZOteu.exe	2024-11-27_ca69430f95b025473b8ac1a2a775a33f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YjacNjT.exe	2024-11-27_ca69430f95b025473b8ac1a2a775a33f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FCaYCzq.exe	2024-11-27_ca69430f95b025473b8ac1a2a775a33f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hROAVcj.exe	2024-11-27_ca69430f95b025473b8ac1a2a775a33f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tGlWNMn.exe	2024-11-27_ca69430f95b025473b8ac1a2a775a33f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wVifTIC.exe	2024-11-27_ca69430f95b025473b8ac1a2a775a33f_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1384	2024-11-27_ca69430f95b025473b8ac1a2a775a33f_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	1384	2024-11-27_ca69430f95b025473b8ac1a2a775a33f_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1384 wrote to memory of 3532	1384	2024-11-27_ca69430f95b025473b8ac1a2a775a33f_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 1384 wrote to memory of 3532	1384	2024-11-27_ca69430f95b025473b8ac1a2a775a33f_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 1384 wrote to memory of 4384	1384	2024-11-27_ca69430f95b025473b8ac1a2a775a33f_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 1384 wrote to memory of 4384	1384	2024-11-27_ca69430f95b025473b8ac1a2a775a33f_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 1384 wrote to memory of 4548	1384	2024-11-27_ca69430f95b025473b8ac1a2a775a33f_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 1384 wrote to memory of 4548	1384	2024-11-27_ca69430f95b025473b8ac1a2a775a33f_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 1384 wrote to memory of 4216	1384	2024-11-27_ca69430f95b025473b8ac1a2a775a33f_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 1384 wrote to memory of 4216	1384	2024-11-27_ca69430f95b025473b8ac1a2a775a33f_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 1384 wrote to memory of 2572	1384	2024-11-27_ca69430f95b025473b8ac1a2a775a33f_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 1384 wrote to memory of 2572	1384	2024-11-27_ca69430f95b025473b8ac1a2a775a33f_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 1384 wrote to memory of 2316	1384	2024-11-27_ca69430f95b025473b8ac1a2a775a33f_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1384 wrote to memory of 2316	1384	2024-11-27_ca69430f95b025473b8ac1a2a775a33f_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1384 wrote to memory of 400	1384	2024-11-27_ca69430f95b025473b8ac1a2a775a33f_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1384 wrote to memory of 400	1384	2024-11-27_ca69430f95b025473b8ac1a2a775a33f_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1384 wrote to memory of 4696	1384	2024-11-27_ca69430f95b025473b8ac1a2a775a33f_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1384 wrote to memory of 4696	1384	2024-11-27_ca69430f95b025473b8ac1a2a775a33f_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1384 wrote to memory of 1056	1384	2024-11-27_ca69430f95b025473b8ac1a2a775a33f_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1384 wrote to memory of 1056	1384	2024-11-27_ca69430f95b025473b8ac1a2a775a33f_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1384 wrote to memory of 3952	1384	2024-11-27_ca69430f95b025473b8ac1a2a775a33f_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 1384 wrote to memory of 3952	1384	2024-11-27_ca69430f95b025473b8ac1a2a775a33f_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 1384 wrote to memory of 652	1384	2024-11-27_ca69430f95b025473b8ac1a2a775a33f_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1384 wrote to memory of 652	1384	2024-11-27_ca69430f95b025473b8ac1a2a775a33f_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1384 wrote to memory of 764	1384	2024-11-27_ca69430f95b025473b8ac1a2a775a33f_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1384 wrote to memory of 764	1384	2024-11-27_ca69430f95b025473b8ac1a2a775a33f_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1384 wrote to memory of 8	1384	2024-11-27_ca69430f95b025473b8ac1a2a775a33f_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 1384 wrote to memory of 8	1384	2024-11-27_ca69430f95b025473b8ac1a2a775a33f_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 1384 wrote to memory of 3504	1384	2024-11-27_ca69430f95b025473b8ac1a2a775a33f_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1384 wrote to memory of 3504	1384	2024-11-27_ca69430f95b025473b8ac1a2a775a33f_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1384 wrote to memory of 4908	1384	2024-11-27_ca69430f95b025473b8ac1a2a775a33f_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1384 wrote to memory of 4908	1384	2024-11-27_ca69430f95b025473b8ac1a2a775a33f_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1384 wrote to memory of 3604	1384	2024-11-27_ca69430f95b025473b8ac1a2a775a33f_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1384 wrote to memory of 3604	1384	2024-11-27_ca69430f95b025473b8ac1a2a775a33f_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1384 wrote to memory of 2352	1384	2024-11-27_ca69430f95b025473b8ac1a2a775a33f_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1384 wrote to memory of 2352	1384	2024-11-27_ca69430f95b025473b8ac1a2a775a33f_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1384 wrote to memory of 3112	1384	2024-11-27_ca69430f95b025473b8ac1a2a775a33f_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1384 wrote to memory of 3112	1384	2024-11-27_ca69430f95b025473b8ac1a2a775a33f_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1384 wrote to memory of 2584	1384	2024-11-27_ca69430f95b025473b8ac1a2a775a33f_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 1384 wrote to memory of 2584	1384	2024-11-27_ca69430f95b025473b8ac1a2a775a33f_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 1384 wrote to memory of 3520	1384	2024-11-27_ca69430f95b025473b8ac1a2a775a33f_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 1384 wrote to memory of 3520	1384	2024-11-27_ca69430f95b025473b8ac1a2a775a33f_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 1384 wrote to memory of 4708	1384	2024-11-27_ca69430f95b025473b8ac1a2a775a33f_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 1384 wrote to memory of 4708	1384	2024-11-27_ca69430f95b025473b8ac1a2a775a33f_cobalt-strike_cobaltstrike_poet-rat.exe	105

C:\Users\Admin\AppData\Local\Temp\2024-11-27_ca69430f95b025473b8ac1a2a775a33f_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-27_ca69430f95b025473b8ac1a2a775a33f_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1384
- C:\Windows\System\rBhcwgA.exe
  C:\Windows\System\rBhcwgA.exe
  2⤵
  - Executes dropped EXE
  PID:3532
- C:\Windows\System\IPzLmHF.exe
  C:\Windows\System\IPzLmHF.exe
  2⤵
  - Executes dropped EXE
  PID:4384
- C:\Windows\System\lZZOteu.exe
  C:\Windows\System\lZZOteu.exe
  2⤵
  - Executes dropped EXE
  PID:4548
- C:\Windows\System\rllCmKd.exe
  C:\Windows\System\rllCmKd.exe
  2⤵
  - Executes dropped EXE
  PID:4216
- C:\Windows\System\yYxpTYj.exe
  C:\Windows\System\yYxpTYj.exe
  2⤵
  - Executes dropped EXE
  PID:2572
- C:\Windows\System\XFtsVlI.exe
  C:\Windows\System\XFtsVlI.exe
  2⤵
  - Executes dropped EXE
  PID:2316
- C:\Windows\System\SycJmbc.exe
  C:\Windows\System\SycJmbc.exe
  2⤵
  - Executes dropped EXE
  PID:400
- C:\Windows\System\YjacNjT.exe
  C:\Windows\System\YjacNjT.exe
  2⤵
  - Executes dropped EXE
  PID:4696
- C:\Windows\System\Tvqcujr.exe
  C:\Windows\System\Tvqcujr.exe
  2⤵
  - Executes dropped EXE
  PID:1056
- C:\Windows\System\FjNytEh.exe
  C:\Windows\System\FjNytEh.exe
  2⤵
  - Executes dropped EXE
  PID:3952
- C:\Windows\System\qkkkdBd.exe
  C:\Windows\System\qkkkdBd.exe
  2⤵
  - Executes dropped EXE
  PID:652
- C:\Windows\System\FCaYCzq.exe
  C:\Windows\System\FCaYCzq.exe
  2⤵
  - Executes dropped EXE
  PID:764
- C:\Windows\System\jkAuIzZ.exe
  C:\Windows\System\jkAuIzZ.exe
  2⤵
  - Executes dropped EXE
  PID:8
- C:\Windows\System\hROAVcj.exe
  C:\Windows\System\hROAVcj.exe
  2⤵
  - Executes dropped EXE
  PID:3504
- C:\Windows\System\iLrnHJc.exe
  C:\Windows\System\iLrnHJc.exe
  2⤵
  - Executes dropped EXE
  PID:4908
- C:\Windows\System\cUAbqsV.exe
  C:\Windows\System\cUAbqsV.exe
  2⤵
  - Executes dropped EXE
  PID:3604
- C:\Windows\System\PkSWnYQ.exe
  C:\Windows\System\PkSWnYQ.exe
  2⤵
  - Executes dropped EXE
  PID:2352
- C:\Windows\System\tGlWNMn.exe
  C:\Windows\System\tGlWNMn.exe
  2⤵
  - Executes dropped EXE
  PID:3112
- C:\Windows\System\MMNMadz.exe
  C:\Windows\System\MMNMadz.exe
  2⤵
  - Executes dropped EXE
  PID:2584
- C:\Windows\System\wVifTIC.exe
  C:\Windows\System\wVifTIC.exe
  2⤵
  - Executes dropped EXE
  PID:3520
- C:\Windows\System\nKbRjPQ.exe
  C:\Windows\System\nKbRjPQ.exe
  2⤵
  - Executes dropped EXE
  PID:4708

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\FCaYCzq.exe

Filesize
5.2MB

MD5
825a1b3954144125a595670b698dece8

SHA1
24ff3030f63c2c67fea8f5ba0bfa35e89fa3232c

SHA256
d6cbc84ea1f2825f032310596f96880529f6e64d5b85dacd652e49b4e93cb36d

SHA512
def42f0c134a57bd44ea71a07fe2c77c71e02a3ba6526436961b623e3eb96bd4dd9cde5d3feb844f6d5b6afb9d4e81c6d067d10619bf5bb221a82a5497241646

Download Submit
C:\Windows\System\FjNytEh.exe

Filesize
5.2MB

MD5
d1765cd5ec51a350c562f503c83d2eba

SHA1
e599f2783a005606456e3424be7e4485098b1cba

SHA256
fe36d51745eaab772121da869159ab4f38edbf77d0e9ad18cc16515b88da663a

SHA512
8923701ebd24206f425f8f3afc7a68ee7ff3644113366fc448d43a47c298fdfd1ac293a9ec2f88fcfa0a0cb65585a979dd683c5eec8f2e906a257389cb2809bd

Download Submit
C:\Windows\System\IPzLmHF.exe

Filesize
5.2MB

MD5
5a1ebd84523cce5f5e34a6b80506d3e5

SHA1
8de09a8f752cfa404b0c8a9905bc1da8ba084675

SHA256
eacc81c1a072859b366dab415f33cf434502118bdcda4406433a987a5c0685a2

SHA512
b55a42cfc3e88fcaf77e30b16de49da6e1c4891ac9a1ccafbea8ef407fe69af33351af3e907c642df49c58e574b99dee27a73fea3c6a3e16a9aa1b9ac0699020

Download Submit
C:\Windows\System\MMNMadz.exe

Filesize
5.2MB

MD5
e9d4a5de72b64b8bf1e8a8514a81a102

SHA1
8cd509d94b2bc613b3238b8490d8562850cd98a5

SHA256
9244636bde6745c7f572de6338b16aa0a2cdbd40954f171c31f128797e3b4156

SHA512
e7462483869e74d983b92489f531467ef418da6d97b5e8fefc6c9af60bc7ab5c5257abba457103337ae556445175cef22dedc2ee50ce4ee0355c647cd75c1725

Download Submit
C:\Windows\System\PkSWnYQ.exe

Filesize
5.2MB

MD5
f4b405f5df432d480a17a83041afeb70

SHA1
921d71ba765bd184a8d1a3465a6a471ee848251a

SHA256
59c7988f3bd2612e492ef572b84c356739cec32bdbce4739a6dc0f9bba7eced3

SHA512
a0d80231a116952c98a10b63553a46ef8cba9562a57eb2c4af3fe9a74c498efcee4dd5304639284ee16addb8be5e5985e02aa3187ad144afa9609b226d8366e3

Download Submit
C:\Windows\System\SycJmbc.exe

Filesize
5.2MB

MD5
35e2f9f4cca596337748dc21fdc83bb9

SHA1
f8a39dcc546e5e143df5bdf73b0ba44721c6b454

SHA256
5038e5bd19cd6312a6be62c2a2cb644aa4c1c2b69a8e89dba9e49517c6bdf8c7

SHA512
23aa5e03b441c2b9e6adfd6face63882e4c91860844e04b78fd702533dcfdeb18ccdb397b79f2f54e6940d061afc8b082e7fc08d571ef915ce552231a0ee5c06

Download Submit
C:\Windows\System\Tvqcujr.exe

Filesize
5.2MB

MD5
7c89c7391200d27593db07055a57b385

SHA1
3d9157e95b5d866a71b4561482c0b523f9b3321a

SHA256
86fb4995cd5a7bc7c6ae67dd7b153a0d2dd411e2602cafb90227031965c59167

SHA512
9b91de3a269eb53e363400c17973f990eaf7a6e319d38d91827784d9d7269a4a20b334d8840beb27890b27035bc3f82cefa118c9738555fab7247fcf58afe893

Download Submit
C:\Windows\System\XFtsVlI.exe

Filesize
5.2MB

MD5
ab69e99c2cfca3858ecdda099ed5c62f

SHA1
27bd068c3706450b12e23dbe08d31a1b37131049

SHA256
5d9381bc988fb277adf1a52a2aefd7209da1b1b5a6e8f5ba34330ca30d791e20

SHA512
d10b43ce7148812e273dee99fd526540cc4ca837edb5ff85a199e61fa981c707d8f73fc7ac746c7c6ed1511779e1e8d07463fedeb41c7c54b887325b8b2a3159

Download Submit
C:\Windows\System\YjacNjT.exe

Filesize
5.2MB

MD5
971e3e4a21ae8b3b3f8f245ed99cd17a

SHA1
2cd0c5263e593cd3ee9374b3993dd5d0c70dab52

SHA256
5b681808c32ccfe0e985ae312ad65b702a6da73f53be702ee7f6aeea942c2cc5

SHA512
97ee07323962ce71bb079f7c1e967e4a7b1ca9dc0a75d6815fe49e259e4ad57eca450ca8d100e3dcaffe6ef27fd278f0f51942bff76c9ef1f6447468406da59d

Download Submit
C:\Windows\System\cUAbqsV.exe

Filesize
5.2MB

MD5
f9cbb5f2dfe695e02cdbbc96a5901054

SHA1
f1f8b5f63f6d1e323990697bfab67bdca9e1e4c1

SHA256
593aa009e013aaa6dfeec08c7c244c65a14481abf0fffc55c65d0d6737984fab

SHA512
d1c5b4bd73a4272858d24ac227938cb359dfbfa14d18cc37006d67e94022f22a1ba85540c617b3f6d04a848f86928f953638112bbb61126069be8f6bf32299c8

Download Submit
C:\Windows\System\hROAVcj.exe

Filesize
5.2MB

MD5
07d7a5aeb96872c10ca2d3c8254515a7

SHA1
44c3991293af6f2f1067839716828d01207f1406

SHA256
cb23c30427eb7f7a76243f5c640e49482ddb90905d1568cafe334dd0471818ea

SHA512
cefebb09d5e3e3d5b1fa80f58973c259286166436ce3c599cc2a074c3b2a35dd405a2fca17153a31c5ae7a4b8040c7b2218ecc4f9448ed26cef92aa870cf0ef9

Download Submit
C:\Windows\System\iLrnHJc.exe

Filesize
5.2MB

MD5
f756ccb4ab30f91412f333da2b466b42

SHA1
72dc4fbe8a884b4c7eadf48f0868af66d1f059b0

SHA256
0f011bf9bca6b5971efe146e73317548f924a090c54cc36b02226d555ec5f3a1

SHA512
02a3f261a620c647e50eb6458df311901324915cc92bbc92f36080cf2b32b297fab2dbfac6c0d0d0373296330282bc678fe0dcfea8b1fe871a683fe355135ab6

Download Submit
C:\Windows\System\jkAuIzZ.exe

Filesize
5.2MB

MD5
00d8f40dee4842e5abecbf04351e1010

SHA1
8785d4c310b442d7ae3f18da8b800273063edd90

SHA256
de0650359e4d5131839c384e270337c7b787bac07ff78a6cfb4d4279d590ed93

SHA512
64627b62ba9bdf18b5e1bc400f87b6ed30496edcbdc8715546ecb010baeb2d96bd3b4f1ac0b2d570be2c20da968d321b2623d679d9fe751694ae726b26027050

Download Submit
C:\Windows\System\lZZOteu.exe

Filesize
5.2MB

MD5
2f13ccd0f21f1d88d00d64ae6c53a35f

SHA1
12f7d316cd2627aa936f68dfab0aed5a9e0c5232

SHA256
b5015350917491b839525e327748f8a7227067bd9a2fe4a7b342408bbadc29a2

SHA512
3210d3c0b0e28418f894835e848dd74bc69e79e1f289ced877b3f13f4ac31d140fe0b6f0c2c5058b9b4b5a07266cd03bc98d09a8efc200923007a85a368d30a6

Download Submit
C:\Windows\System\nKbRjPQ.exe

Filesize
5.2MB

MD5
24e37c3ed57afe33db98221129dd7d5a

SHA1
1b61195a82e70a0ccfbbe457a43a06eb9cfe5615

SHA256
b539bb7262ccdc42aca23cc2af9884ae7915f66f1b9e09b23b6de3e047f25d7c

SHA512
9b78adec47664eac6491eb46ec390bfe4bae6de6a730bd9a1fe4cbf77978b312c9702170019781ffb4b1b6fd0466d2dd07d3c160fd88bf7775bd2061f13d64ed

Download Submit
C:\Windows\System\qkkkdBd.exe

Filesize
5.2MB

MD5
eca588fa1d3d9394209c1bacac5a4c85

SHA1
d319aa7fc568d5568fe339026c4f2bdabf619f9e

SHA256
a6881a472905d559ad41d3c8c4ce9f1f6444e664d5db570ead34f5ec64c8d70c

SHA512
147ceb1334b44e25289847eb14d551ce700f61d6a4312e990b2dfd2ef4dc33d8e95175dfb354e4029fc11139900d69f69a55cef225de574e61a98c299ddd804b

Download Submit
C:\Windows\System\rBhcwgA.exe

Filesize
5.2MB

MD5
0aae6d915c9b4c2d3ef279a79b7e3b80

SHA1
19ff4d44faf86e5711611f0511f68f417b14fa87

SHA256
3967ad0d7dfdc4f7ec7baec77e24b3bbdfdd66dffbf4597ef1a1eafcaa36084b

SHA512
5878a09b6794df86dfc6be97a52bbb8afbd5f593e0ace0b9c7f910b438ecf0510de3bc9cf40fa4728b47086aebf03a4ff5ceea676c3af856022cb43f871cbcab

Download Submit
C:\Windows\System\rllCmKd.exe

Filesize
5.2MB

MD5
559b8d2b8d855171091232e0b5a0721d

SHA1
5bca2440aae38a64a12b39994bbc89759f612b71

SHA256
ac6fc0f24c946eca4295396c8e75f7c0f3c5d6a8c026c75015ef4b3e28f51a4a

SHA512
e86238d3f82e3f56baf84ec8aa9e3018dbc5d8c75ddd467da64cdd83bf9acaf2459b197a8cd739caf60ae19dae9a9f29104d3c838f8e0d0c19f7fb6ba0eaec0d

Download Submit
C:\Windows\System\tGlWNMn.exe

Filesize
5.2MB

MD5
4040d68ef5bbb0982df685ff0da2fc4f

SHA1
1418675fb808dc0c7c8c1bd5b55c5e81c5d7be9a

SHA256
7ece4f64a179c60c0fa480bce880d5ceffaf604f7cfff44f184750754614e257

SHA512
395580b4bf33605ec45ed0b643b8d96254178c438d9e805f5034fe9ff60a2c38fbd0dd1cffd42016f3f8e0ff0365938da790c5aed35bf60165baf2c62ab3c694

Download Submit
C:\Windows\System\wVifTIC.exe

Filesize
5.2MB

MD5
d9c2075e7dbc0d9b31042ba60cb12176

SHA1
ef8c72b76811dda94dcc1ade5d9b721a80a92360

SHA256
8c4d95f09bb217558d97eef374abad598a069a56f369d668db085800d091ae27

SHA512
1d2f147dd1d019519a5949814e51776fed7200620e31fb4163cdbf4b231fb1721ae2e7948b68e9689992480a6ca0d90bf904001b288ada2e47d9b5f5f779959a

Download Submit
C:\Windows\System\yYxpTYj.exe

Filesize
5.2MB

MD5
3d551f6ef069292b8178d03e04b24c22

SHA1
cc75ef2025f21a82595731a5035a17ea264947d3

SHA256
ef5a807c8d05867b3331ddb6869ca5b97a3ef7c6d8576e5b89c6607804731d68

SHA512
358b87519c8acfe04618003809b168755a968165c3140044aa6851eed93ed69f55e6b91048d9613b3d2f8de1fd1a1bc63d780aeb31a5590939b862cb5b1dcc79

Download Submit
memory/8-94-0x00007FF7F4510000-0x00007FF7F4861000-memory.dmp

Filesize
3.3MB

Download
memory/8-255-0x00007FF7F4510000-0x00007FF7F4861000-memory.dmp

Filesize
3.3MB

Download
memory/400-128-0x00007FF767990000-0x00007FF767CE1000-memory.dmp

Filesize
3.3MB

Download
memory/400-39-0x00007FF767990000-0x00007FF767CE1000-memory.dmp

Filesize
3.3MB

Download
memory/400-232-0x00007FF767990000-0x00007FF767CE1000-memory.dmp

Filesize
3.3MB

Download
memory/652-66-0x00007FF7AAD70000-0x00007FF7AB0C1000-memory.dmp

Filesize
3.3MB

Download
memory/652-251-0x00007FF7AAD70000-0x00007FF7AB0C1000-memory.dmp

Filesize
3.3MB

Download
memory/652-145-0x00007FF7AAD70000-0x00007FF7AB0C1000-memory.dmp

Filesize
3.3MB

Download
memory/764-74-0x00007FF67AF70000-0x00007FF67B2C1000-memory.dmp

Filesize
3.3MB

Download
memory/764-253-0x00007FF67AF70000-0x00007FF67B2C1000-memory.dmp

Filesize
3.3MB

Download
memory/764-150-0x00007FF67AF70000-0x00007FF67B2C1000-memory.dmp

Filesize
3.3MB

Download
memory/1056-56-0x00007FF685920000-0x00007FF685C71000-memory.dmp

Filesize
3.3MB

Download
memory/1056-237-0x00007FF685920000-0x00007FF685C71000-memory.dmp

Filesize
3.3MB

Download
memory/1056-137-0x00007FF685920000-0x00007FF685C71000-memory.dmp

Filesize
3.3MB

Download
memory/1384-164-0x00007FF7C0E30000-0x00007FF7C1181000-memory.dmp

Filesize
3.3MB

Download
memory/1384-0-0x00007FF7C0E30000-0x00007FF7C1181000-memory.dmp

Filesize
3.3MB

Download
memory/1384-72-0x00007FF7C0E30000-0x00007FF7C1181000-memory.dmp

Filesize
3.3MB

Download
memory/1384-1-0x00000260D3900000-0x00000260D3910000-memory.dmp

Filesize
64KB

Download
memory/1384-139-0x00007FF7C0E30000-0x00007FF7C1181000-memory.dmp

Filesize
3.3MB

Download
memory/2316-40-0x00007FF7A7000000-0x00007FF7A7351000-memory.dmp

Filesize
3.3MB

Download
memory/2316-229-0x00007FF7A7000000-0x00007FF7A7351000-memory.dmp

Filesize
3.3MB

Download
memory/2316-130-0x00007FF7A7000000-0x00007FF7A7351000-memory.dmp

Filesize
3.3MB

Download
memory/2352-266-0x00007FF630B30000-0x00007FF630E81000-memory.dmp

Filesize
3.3MB

Download
memory/2352-158-0x00007FF630B30000-0x00007FF630E81000-memory.dmp

Filesize
3.3MB

Download
memory/2352-110-0x00007FF630B30000-0x00007FF630E81000-memory.dmp

Filesize
3.3MB

Download
memory/2572-227-0x00007FF6265F0000-0x00007FF626941000-memory.dmp

Filesize
3.3MB

Download
memory/2572-29-0x00007FF6265F0000-0x00007FF626941000-memory.dmp

Filesize
3.3MB

Download
memory/2572-118-0x00007FF6265F0000-0x00007FF626941000-memory.dmp

Filesize
3.3MB

Download
memory/2584-267-0x00007FF68B490000-0x00007FF68B7E1000-memory.dmp

Filesize
3.3MB

Download
memory/2584-161-0x00007FF68B490000-0x00007FF68B7E1000-memory.dmp

Filesize
3.3MB

Download
memory/2584-127-0x00007FF68B490000-0x00007FF68B7E1000-memory.dmp

Filesize
3.3MB

Download
memory/3112-121-0x00007FF6855C0000-0x00007FF685911000-memory.dmp

Filesize
3.3MB

Download
memory/3112-263-0x00007FF6855C0000-0x00007FF685911000-memory.dmp

Filesize
3.3MB

Download
memory/3504-100-0x00007FF654640000-0x00007FF654991000-memory.dmp

Filesize
3.3MB

Download
memory/3504-259-0x00007FF654640000-0x00007FF654991000-memory.dmp

Filesize
3.3MB

Download
memory/3504-160-0x00007FF654640000-0x00007FF654991000-memory.dmp

Filesize
3.3MB

Download
memory/3520-162-0x00007FF6F1540000-0x00007FF6F1891000-memory.dmp

Filesize
3.3MB

Download
memory/3520-122-0x00007FF6F1540000-0x00007FF6F1891000-memory.dmp

Filesize
3.3MB

Download
memory/3520-269-0x00007FF6F1540000-0x00007FF6F1891000-memory.dmp

Filesize
3.3MB

Download
memory/3532-78-0x00007FF65F270000-0x00007FF65F5C1000-memory.dmp

Filesize
3.3MB

Download
memory/3532-219-0x00007FF65F270000-0x00007FF65F5C1000-memory.dmp

Filesize
3.3MB

Download
memory/3532-6-0x00007FF65F270000-0x00007FF65F5C1000-memory.dmp

Filesize
3.3MB

Download
memory/3604-117-0x00007FF773610000-0x00007FF773961000-memory.dmp

Filesize
3.3MB

Download
memory/3604-261-0x00007FF773610000-0x00007FF773961000-memory.dmp

Filesize
3.3MB

Download
memory/3952-60-0x00007FF6DE730000-0x00007FF6DEA81000-memory.dmp

Filesize
3.3MB

Download
memory/3952-138-0x00007FF6DE730000-0x00007FF6DEA81000-memory.dmp

Filesize
3.3MB

Download
memory/3952-239-0x00007FF6DE730000-0x00007FF6DEA81000-memory.dmp

Filesize
3.3MB

Download
memory/4216-120-0x00007FF68ADA0000-0x00007FF68B0F1000-memory.dmp

Filesize
3.3MB

Download
memory/4216-225-0x00007FF68ADA0000-0x00007FF68B0F1000-memory.dmp

Filesize
3.3MB

Download
memory/4216-33-0x00007FF68ADA0000-0x00007FF68B0F1000-memory.dmp

Filesize
3.3MB

Download
memory/4384-221-0x00007FF6781D0000-0x00007FF678521000-memory.dmp

Filesize
3.3MB

Download
memory/4384-81-0x00007FF6781D0000-0x00007FF678521000-memory.dmp

Filesize
3.3MB

Download
memory/4384-16-0x00007FF6781D0000-0x00007FF678521000-memory.dmp

Filesize
3.3MB

Download
memory/4548-24-0x00007FF76B990000-0x00007FF76BCE1000-memory.dmp

Filesize
3.3MB

Download
memory/4548-223-0x00007FF76B990000-0x00007FF76BCE1000-memory.dmp

Filesize
3.3MB

Download
memory/4548-103-0x00007FF76B990000-0x00007FF76BCE1000-memory.dmp

Filesize
3.3MB

Download
memory/4696-235-0x00007FF6B6FB0000-0x00007FF6B7301000-memory.dmp

Filesize
3.3MB

Download
memory/4696-134-0x00007FF6B6FB0000-0x00007FF6B7301000-memory.dmp

Filesize
3.3MB

Download
memory/4696-48-0x00007FF6B6FB0000-0x00007FF6B7301000-memory.dmp

Filesize
3.3MB

Download
memory/4708-163-0x00007FF740C80000-0x00007FF740FD1000-memory.dmp

Filesize
3.3MB

Download
memory/4708-136-0x00007FF740C80000-0x00007FF740FD1000-memory.dmp

Filesize
3.3MB

Download
memory/4708-271-0x00007FF740C80000-0x00007FF740FD1000-memory.dmp

Filesize
3.3MB

Download
memory/4908-109-0x00007FF76CC10000-0x00007FF76CF61000-memory.dmp

Filesize
3.3MB

Download
memory/4908-257-0x00007FF76CC10000-0x00007FF76CF61000-memory.dmp

Filesize
3.3MB

Download