cobaltstrike | 902cdd2d23aa4bc3e854a4aed7705e6b4dc37ece0af7eddc9029c868c0100978

Analysis

max time kernel
140s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-11-2024 21:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-11_666f5062d0728dce804332a5f7a13c2c_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

666f5062d0728dce804332a5f7a13c2c
SHA1

7531be2de8adef4ac4fecfbb507faafa614b4130
SHA256

902cdd2d23aa4bc3e854a4aed7705e6b4dc37ece0af7eddc9029c868c0100978
SHA512

69d8b875326efafaa3f328887d1c7516037f90a796ff423d7dc34a3718b54b312ffc99594c9009f068a2a25df8aa801d5575578048c131cf872f81be4be429bb
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lE:RWWBibf56utgpPFotBER/mQ32lUQ

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000c000000023b62-5.dat	cobalt_reflective_dll
behavioral2/files/0x000e000000023bc3-9.dat	cobalt_reflective_dll
behavioral2/files/0x000d000000023bb2-14.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023bd1-26.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bcc-33.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023bd2-29.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023bd3-41.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bde-68.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c0f-79.dat	cobalt_reflective_dll
behavioral2/files/0x000c000000023bb3-93.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c11-105.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c13-110.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c18-114.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c12-113.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c10-112.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bdd-86.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c0e-85.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bdf-74.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bdc-73.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bd9-63.dat	cobalt_reflective_dll
behavioral2/files/0x000e000000023bd7-58.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 46 IoCs

miner

resource	yara_rule
behavioral2/memory/2756-119-0x00007FF6D49E0000-0x00007FF6D4D31000-memory.dmp	xmrig
behavioral2/memory/3040-122-0x00007FF7BEBD0000-0x00007FF7BEF21000-memory.dmp	xmrig
behavioral2/memory/1940-121-0x00007FF691030000-0x00007FF691381000-memory.dmp	xmrig
behavioral2/memory/2116-120-0x00007FF7351D0000-0x00007FF735521000-memory.dmp	xmrig
behavioral2/memory/2952-118-0x00007FF728690000-0x00007FF7289E1000-memory.dmp	xmrig
behavioral2/memory/2656-107-0x00007FF7B8BF0000-0x00007FF7B8F41000-memory.dmp	xmrig
behavioral2/memory/1072-75-0x00007FF6A4900000-0x00007FF6A4C51000-memory.dmp	xmrig
behavioral2/memory/1716-130-0x00007FF6477B0000-0x00007FF647B01000-memory.dmp	xmrig
behavioral2/memory/2360-133-0x00007FF6E0470000-0x00007FF6E07C1000-memory.dmp	xmrig
behavioral2/memory/3372-134-0x00007FF7F2C70000-0x00007FF7F2FC1000-memory.dmp	xmrig
behavioral2/memory/3568-132-0x00007FF75F300000-0x00007FF75F651000-memory.dmp	xmrig
behavioral2/memory/1704-131-0x00007FF7AADE0000-0x00007FF7AB131000-memory.dmp	xmrig
behavioral2/memory/2868-129-0x00007FF606DB0000-0x00007FF607101000-memory.dmp	xmrig
behavioral2/memory/3372-128-0x00007FF7F2C70000-0x00007FF7F2FC1000-memory.dmp	xmrig
behavioral2/memory/3932-140-0x00007FF70F270000-0x00007FF70F5C1000-memory.dmp	xmrig
behavioral2/memory/1072-142-0x00007FF6A4900000-0x00007FF6A4C51000-memory.dmp	xmrig
behavioral2/memory/700-149-0x00007FF73C550000-0x00007FF73C8A1000-memory.dmp	xmrig
behavioral2/memory/4688-148-0x00007FF774C00000-0x00007FF774F51000-memory.dmp	xmrig
behavioral2/memory/2108-144-0x00007FF7BC860000-0x00007FF7BCBB1000-memory.dmp	xmrig
behavioral2/memory/2432-150-0x00007FF702E40000-0x00007FF703191000-memory.dmp	xmrig
behavioral2/memory/1452-138-0x00007FF7ED510000-0x00007FF7ED861000-memory.dmp	xmrig
behavioral2/memory/4460-137-0x00007FF755880000-0x00007FF755BD1000-memory.dmp	xmrig
behavioral2/memory/1896-145-0x00007FF6CE340000-0x00007FF6CE691000-memory.dmp	xmrig
behavioral2/memory/4324-135-0x00007FF6C4AC0000-0x00007FF6C4E11000-memory.dmp	xmrig
behavioral2/memory/3372-151-0x00007FF7F2C70000-0x00007FF7F2FC1000-memory.dmp	xmrig
behavioral2/memory/2868-214-0x00007FF606DB0000-0x00007FF607101000-memory.dmp	xmrig
behavioral2/memory/1716-216-0x00007FF6477B0000-0x00007FF647B01000-memory.dmp	xmrig
behavioral2/memory/1704-218-0x00007FF7AADE0000-0x00007FF7AB131000-memory.dmp	xmrig
behavioral2/memory/3568-222-0x00007FF75F300000-0x00007FF75F651000-memory.dmp	xmrig
behavioral2/memory/2360-221-0x00007FF6E0470000-0x00007FF6E07C1000-memory.dmp	xmrig
behavioral2/memory/4324-224-0x00007FF6C4AC0000-0x00007FF6C4E11000-memory.dmp	xmrig
behavioral2/memory/4460-227-0x00007FF755880000-0x00007FF755BD1000-memory.dmp	xmrig
behavioral2/memory/2952-228-0x00007FF728690000-0x00007FF7289E1000-memory.dmp	xmrig
behavioral2/memory/1452-230-0x00007FF7ED510000-0x00007FF7ED861000-memory.dmp	xmrig
behavioral2/memory/2756-232-0x00007FF6D49E0000-0x00007FF6D4D31000-memory.dmp	xmrig
behavioral2/memory/1072-234-0x00007FF6A4900000-0x00007FF6A4C51000-memory.dmp	xmrig
behavioral2/memory/3932-240-0x00007FF70F270000-0x00007FF70F5C1000-memory.dmp	xmrig
behavioral2/memory/1940-242-0x00007FF691030000-0x00007FF691381000-memory.dmp	xmrig
behavioral2/memory/2116-246-0x00007FF7351D0000-0x00007FF735521000-memory.dmp	xmrig
behavioral2/memory/2108-245-0x00007FF7BC860000-0x00007FF7BCBB1000-memory.dmp	xmrig
behavioral2/memory/2656-250-0x00007FF7B8BF0000-0x00007FF7B8F41000-memory.dmp	xmrig
behavioral2/memory/3040-249-0x00007FF7BEBD0000-0x00007FF7BEF21000-memory.dmp	xmrig
behavioral2/memory/2432-252-0x00007FF702E40000-0x00007FF703191000-memory.dmp	xmrig
behavioral2/memory/700-254-0x00007FF73C550000-0x00007FF73C8A1000-memory.dmp	xmrig
behavioral2/memory/1896-256-0x00007FF6CE340000-0x00007FF6CE691000-memory.dmp	xmrig
behavioral2/memory/4688-258-0x00007FF774C00000-0x00007FF774F51000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2868	CsDVMsv.exe
1716	okhOgSb.exe
1704	dQNdAub.exe
3568	nQZhgWz.exe
2360	cApXfcP.exe
4324	nMkuquS.exe
2952	xJuobMe.exe
4460	qmdaHFU.exe
1452	bWsnFJy.exe
2756	mHhcQPY.exe
3932	LixIVun.exe
2116	OzvYrnI.exe
1072	mtsWmWi.exe
1940	ctxfmqs.exe
2108	IhJoPfB.exe
3040	vgvBBPt.exe
2656	bQFuXGf.exe
1896	aSZEXZL.exe
4688	qAJNpEk.exe
2432	XVRrszS.exe
700	YQGoHDW.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3372-0-0x00007FF7F2C70000-0x00007FF7F2FC1000-memory.dmp	upx
behavioral2/files/0x000c000000023b62-5.dat	upx
behavioral2/files/0x000e000000023bc3-9.dat	upx
behavioral2/files/0x000d000000023bb2-14.dat	upx
behavioral2/files/0x0009000000023bd1-26.dat	upx
behavioral2/memory/2360-30-0x00007FF6E0470000-0x00007FF6E07C1000-memory.dmp	upx
behavioral2/files/0x0008000000023bcc-33.dat	upx
behavioral2/files/0x0009000000023bd2-29.dat	upx
behavioral2/memory/1704-23-0x00007FF7AADE0000-0x00007FF7AB131000-memory.dmp	upx
behavioral2/memory/1716-19-0x00007FF6477B0000-0x00007FF647B01000-memory.dmp	upx
behavioral2/memory/2868-7-0x00007FF606DB0000-0x00007FF607101000-memory.dmp	upx
behavioral2/files/0x0009000000023bd3-41.dat	upx
behavioral2/memory/3568-37-0x00007FF75F300000-0x00007FF75F651000-memory.dmp	upx
behavioral2/memory/4460-51-0x00007FF755880000-0x00007FF755BD1000-memory.dmp	upx
behavioral2/files/0x0008000000023bde-68.dat	upx
behavioral2/files/0x0008000000023c0f-79.dat	upx
behavioral2/files/0x000c000000023bb3-93.dat	upx
behavioral2/files/0x0008000000023c11-105.dat	upx
behavioral2/files/0x0008000000023c13-110.dat	upx
behavioral2/memory/2432-117-0x00007FF702E40000-0x00007FF703191000-memory.dmp	upx
behavioral2/memory/2756-119-0x00007FF6D49E0000-0x00007FF6D4D31000-memory.dmp	upx
behavioral2/memory/3040-122-0x00007FF7BEBD0000-0x00007FF7BEF21000-memory.dmp	upx
behavioral2/memory/700-123-0x00007FF73C550000-0x00007FF73C8A1000-memory.dmp	upx
behavioral2/memory/1940-121-0x00007FF691030000-0x00007FF691381000-memory.dmp	upx
behavioral2/memory/2116-120-0x00007FF7351D0000-0x00007FF735521000-memory.dmp	upx
behavioral2/memory/2952-118-0x00007FF728690000-0x00007FF7289E1000-memory.dmp	upx
behavioral2/memory/4688-115-0x00007FF774C00000-0x00007FF774F51000-memory.dmp	upx
behavioral2/files/0x0008000000023c18-114.dat	upx
behavioral2/files/0x0008000000023c12-113.dat	upx
behavioral2/files/0x0008000000023c10-112.dat	upx
behavioral2/memory/1896-111-0x00007FF6CE340000-0x00007FF6CE691000-memory.dmp	upx
behavioral2/memory/2656-107-0x00007FF7B8BF0000-0x00007FF7B8F41000-memory.dmp	upx
behavioral2/memory/2108-92-0x00007FF7BC860000-0x00007FF7BCBB1000-memory.dmp	upx
behavioral2/files/0x0008000000023bdd-86.dat	upx
behavioral2/files/0x0008000000023c0e-85.dat	upx
behavioral2/memory/1072-75-0x00007FF6A4900000-0x00007FF6A4C51000-memory.dmp	upx
behavioral2/files/0x0008000000023bdf-74.dat	upx
behavioral2/files/0x0008000000023bdc-73.dat	upx
behavioral2/memory/3932-71-0x00007FF70F270000-0x00007FF70F5C1000-memory.dmp	upx
behavioral2/files/0x0008000000023bd9-63.dat	upx
behavioral2/files/0x000e000000023bd7-58.dat	upx
behavioral2/memory/1452-57-0x00007FF7ED510000-0x00007FF7ED861000-memory.dmp	upx
behavioral2/memory/4324-49-0x00007FF6C4AC0000-0x00007FF6C4E11000-memory.dmp	upx
behavioral2/memory/1716-130-0x00007FF6477B0000-0x00007FF647B01000-memory.dmp	upx
behavioral2/memory/2360-133-0x00007FF6E0470000-0x00007FF6E07C1000-memory.dmp	upx
behavioral2/memory/3372-134-0x00007FF7F2C70000-0x00007FF7F2FC1000-memory.dmp	upx
behavioral2/memory/3568-132-0x00007FF75F300000-0x00007FF75F651000-memory.dmp	upx
behavioral2/memory/1704-131-0x00007FF7AADE0000-0x00007FF7AB131000-memory.dmp	upx
behavioral2/memory/2868-129-0x00007FF606DB0000-0x00007FF607101000-memory.dmp	upx
behavioral2/memory/3372-128-0x00007FF7F2C70000-0x00007FF7F2FC1000-memory.dmp	upx
behavioral2/memory/3932-140-0x00007FF70F270000-0x00007FF70F5C1000-memory.dmp	upx
behavioral2/memory/1072-142-0x00007FF6A4900000-0x00007FF6A4C51000-memory.dmp	upx
behavioral2/memory/700-149-0x00007FF73C550000-0x00007FF73C8A1000-memory.dmp	upx
behavioral2/memory/4688-148-0x00007FF774C00000-0x00007FF774F51000-memory.dmp	upx
behavioral2/memory/2108-144-0x00007FF7BC860000-0x00007FF7BCBB1000-memory.dmp	upx
behavioral2/memory/2432-150-0x00007FF702E40000-0x00007FF703191000-memory.dmp	upx
behavioral2/memory/1452-138-0x00007FF7ED510000-0x00007FF7ED861000-memory.dmp	upx
behavioral2/memory/4460-137-0x00007FF755880000-0x00007FF755BD1000-memory.dmp	upx
behavioral2/memory/1896-145-0x00007FF6CE340000-0x00007FF6CE691000-memory.dmp	upx
behavioral2/memory/4324-135-0x00007FF6C4AC0000-0x00007FF6C4E11000-memory.dmp	upx
behavioral2/memory/3372-151-0x00007FF7F2C70000-0x00007FF7F2FC1000-memory.dmp	upx
behavioral2/memory/2868-214-0x00007FF606DB0000-0x00007FF607101000-memory.dmp	upx
behavioral2/memory/1716-216-0x00007FF6477B0000-0x00007FF647B01000-memory.dmp	upx
behavioral2/memory/1704-218-0x00007FF7AADE0000-0x00007FF7AB131000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\okhOgSb.exe	2024-11-11_666f5062d0728dce804332a5f7a13c2c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dQNdAub.exe	2024-11-11_666f5062d0728dce804332a5f7a13c2c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nMkuquS.exe	2024-11-11_666f5062d0728dce804332a5f7a13c2c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qmdaHFU.exe	2024-11-11_666f5062d0728dce804332a5f7a13c2c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mHhcQPY.exe	2024-11-11_666f5062d0728dce804332a5f7a13c2c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OzvYrnI.exe	2024-11-11_666f5062d0728dce804332a5f7a13c2c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mtsWmWi.exe	2024-11-11_666f5062d0728dce804332a5f7a13c2c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CsDVMsv.exe	2024-11-11_666f5062d0728dce804332a5f7a13c2c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ctxfmqs.exe	2024-11-11_666f5062d0728dce804332a5f7a13c2c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LixIVun.exe	2024-11-11_666f5062d0728dce804332a5f7a13c2c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xJuobMe.exe	2024-11-11_666f5062d0728dce804332a5f7a13c2c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bQFuXGf.exe	2024-11-11_666f5062d0728dce804332a5f7a13c2c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nQZhgWz.exe	2024-11-11_666f5062d0728dce804332a5f7a13c2c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bWsnFJy.exe	2024-11-11_666f5062d0728dce804332a5f7a13c2c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IhJoPfB.exe	2024-11-11_666f5062d0728dce804332a5f7a13c2c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aSZEXZL.exe	2024-11-11_666f5062d0728dce804332a5f7a13c2c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vgvBBPt.exe	2024-11-11_666f5062d0728dce804332a5f7a13c2c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qAJNpEk.exe	2024-11-11_666f5062d0728dce804332a5f7a13c2c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YQGoHDW.exe	2024-11-11_666f5062d0728dce804332a5f7a13c2c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XVRrszS.exe	2024-11-11_666f5062d0728dce804332a5f7a13c2c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cApXfcP.exe	2024-11-11_666f5062d0728dce804332a5f7a13c2c_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3372	2024-11-11_666f5062d0728dce804332a5f7a13c2c_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	3372	2024-11-11_666f5062d0728dce804332a5f7a13c2c_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3372 wrote to memory of 2868	3372	2024-11-11_666f5062d0728dce804332a5f7a13c2c_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3372 wrote to memory of 2868	3372	2024-11-11_666f5062d0728dce804332a5f7a13c2c_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3372 wrote to memory of 1716	3372	2024-11-11_666f5062d0728dce804332a5f7a13c2c_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3372 wrote to memory of 1716	3372	2024-11-11_666f5062d0728dce804332a5f7a13c2c_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3372 wrote to memory of 1704	3372	2024-11-11_666f5062d0728dce804332a5f7a13c2c_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3372 wrote to memory of 1704	3372	2024-11-11_666f5062d0728dce804332a5f7a13c2c_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3372 wrote to memory of 3568	3372	2024-11-11_666f5062d0728dce804332a5f7a13c2c_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3372 wrote to memory of 3568	3372	2024-11-11_666f5062d0728dce804332a5f7a13c2c_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3372 wrote to memory of 2360	3372	2024-11-11_666f5062d0728dce804332a5f7a13c2c_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3372 wrote to memory of 2360	3372	2024-11-11_666f5062d0728dce804332a5f7a13c2c_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3372 wrote to memory of 4324	3372	2024-11-11_666f5062d0728dce804332a5f7a13c2c_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3372 wrote to memory of 4324	3372	2024-11-11_666f5062d0728dce804332a5f7a13c2c_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3372 wrote to memory of 2952	3372	2024-11-11_666f5062d0728dce804332a5f7a13c2c_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3372 wrote to memory of 2952	3372	2024-11-11_666f5062d0728dce804332a5f7a13c2c_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3372 wrote to memory of 4460	3372	2024-11-11_666f5062d0728dce804332a5f7a13c2c_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3372 wrote to memory of 4460	3372	2024-11-11_666f5062d0728dce804332a5f7a13c2c_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3372 wrote to memory of 1452	3372	2024-11-11_666f5062d0728dce804332a5f7a13c2c_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3372 wrote to memory of 1452	3372	2024-11-11_666f5062d0728dce804332a5f7a13c2c_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3372 wrote to memory of 2756	3372	2024-11-11_666f5062d0728dce804332a5f7a13c2c_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3372 wrote to memory of 2756	3372	2024-11-11_666f5062d0728dce804332a5f7a13c2c_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3372 wrote to memory of 3932	3372	2024-11-11_666f5062d0728dce804332a5f7a13c2c_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3372 wrote to memory of 3932	3372	2024-11-11_666f5062d0728dce804332a5f7a13c2c_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3372 wrote to memory of 2116	3372	2024-11-11_666f5062d0728dce804332a5f7a13c2c_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3372 wrote to memory of 2116	3372	2024-11-11_666f5062d0728dce804332a5f7a13c2c_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3372 wrote to memory of 1072	3372	2024-11-11_666f5062d0728dce804332a5f7a13c2c_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3372 wrote to memory of 1072	3372	2024-11-11_666f5062d0728dce804332a5f7a13c2c_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3372 wrote to memory of 1940	3372	2024-11-11_666f5062d0728dce804332a5f7a13c2c_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3372 wrote to memory of 1940	3372	2024-11-11_666f5062d0728dce804332a5f7a13c2c_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3372 wrote to memory of 2108	3372	2024-11-11_666f5062d0728dce804332a5f7a13c2c_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3372 wrote to memory of 2108	3372	2024-11-11_666f5062d0728dce804332a5f7a13c2c_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3372 wrote to memory of 1896	3372	2024-11-11_666f5062d0728dce804332a5f7a13c2c_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3372 wrote to memory of 1896	3372	2024-11-11_666f5062d0728dce804332a5f7a13c2c_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3372 wrote to memory of 3040	3372	2024-11-11_666f5062d0728dce804332a5f7a13c2c_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3372 wrote to memory of 3040	3372	2024-11-11_666f5062d0728dce804332a5f7a13c2c_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3372 wrote to memory of 2656	3372	2024-11-11_666f5062d0728dce804332a5f7a13c2c_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3372 wrote to memory of 2656	3372	2024-11-11_666f5062d0728dce804332a5f7a13c2c_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3372 wrote to memory of 4688	3372	2024-11-11_666f5062d0728dce804332a5f7a13c2c_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3372 wrote to memory of 4688	3372	2024-11-11_666f5062d0728dce804332a5f7a13c2c_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3372 wrote to memory of 700	3372	2024-11-11_666f5062d0728dce804332a5f7a13c2c_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3372 wrote to memory of 700	3372	2024-11-11_666f5062d0728dce804332a5f7a13c2c_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3372 wrote to memory of 2432	3372	2024-11-11_666f5062d0728dce804332a5f7a13c2c_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 3372 wrote to memory of 2432	3372	2024-11-11_666f5062d0728dce804332a5f7a13c2c_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-11-11_666f5062d0728dce804332a5f7a13c2c_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-11_666f5062d0728dce804332a5f7a13c2c_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3372
- C:\Windows\System\CsDVMsv.exe
  C:\Windows\System\CsDVMsv.exe
  2⤵
  - Executes dropped EXE
  PID:2868
- C:\Windows\System\okhOgSb.exe
  C:\Windows\System\okhOgSb.exe
  2⤵
  - Executes dropped EXE
  PID:1716
- C:\Windows\System\dQNdAub.exe
  C:\Windows\System\dQNdAub.exe
  2⤵
  - Executes dropped EXE
  PID:1704
- C:\Windows\System\nQZhgWz.exe
  C:\Windows\System\nQZhgWz.exe
  2⤵
  - Executes dropped EXE
  PID:3568
- C:\Windows\System\cApXfcP.exe
  C:\Windows\System\cApXfcP.exe
  2⤵
  - Executes dropped EXE
  PID:2360
- C:\Windows\System\nMkuquS.exe
  C:\Windows\System\nMkuquS.exe
  2⤵
  - Executes dropped EXE
  PID:4324
- C:\Windows\System\xJuobMe.exe
  C:\Windows\System\xJuobMe.exe
  2⤵
  - Executes dropped EXE
  PID:2952
- C:\Windows\System\qmdaHFU.exe
  C:\Windows\System\qmdaHFU.exe
  2⤵
  - Executes dropped EXE
  PID:4460
- C:\Windows\System\bWsnFJy.exe
  C:\Windows\System\bWsnFJy.exe
  2⤵
  - Executes dropped EXE
  PID:1452
- C:\Windows\System\mHhcQPY.exe
  C:\Windows\System\mHhcQPY.exe
  2⤵
  - Executes dropped EXE
  PID:2756
- C:\Windows\System\LixIVun.exe
  C:\Windows\System\LixIVun.exe
  2⤵
  - Executes dropped EXE
  PID:3932
- C:\Windows\System\OzvYrnI.exe
  C:\Windows\System\OzvYrnI.exe
  2⤵
  - Executes dropped EXE
  PID:2116
- C:\Windows\System\mtsWmWi.exe
  C:\Windows\System\mtsWmWi.exe
  2⤵
  - Executes dropped EXE
  PID:1072
- C:\Windows\System\ctxfmqs.exe
  C:\Windows\System\ctxfmqs.exe
  2⤵
  - Executes dropped EXE
  PID:1940
- C:\Windows\System\IhJoPfB.exe
  C:\Windows\System\IhJoPfB.exe
  2⤵
  - Executes dropped EXE
  PID:2108
- C:\Windows\System\aSZEXZL.exe
  C:\Windows\System\aSZEXZL.exe
  2⤵
  - Executes dropped EXE
  PID:1896
- C:\Windows\System\vgvBBPt.exe
  C:\Windows\System\vgvBBPt.exe
  2⤵
  - Executes dropped EXE
  PID:3040
- C:\Windows\System\bQFuXGf.exe
  C:\Windows\System\bQFuXGf.exe
  2⤵
  - Executes dropped EXE
  PID:2656
- C:\Windows\System\qAJNpEk.exe
  C:\Windows\System\qAJNpEk.exe
  2⤵
  - Executes dropped EXE
  PID:4688
- C:\Windows\System\YQGoHDW.exe
  C:\Windows\System\YQGoHDW.exe
  2⤵
  - Executes dropped EXE
  PID:700
- C:\Windows\System\XVRrszS.exe
  C:\Windows\System\XVRrszS.exe
  2⤵
  - Executes dropped EXE
  PID:2432

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\CsDVMsv.exe

Filesize
5.2MB

MD5
3389ddb661d8b6848a97f7be4b04bbf1

SHA1
304a4fd53eb09af7c44540fb805871c4f74c3c81

SHA256
43933e8d4d4186210aa9ae6f51366126457a327e46bd0cfecb73b2ff22392b76

SHA512
fb99967ee04824161ba26a5ddffa74cf33ae1528c95eaaf8bedc3daaddfc6b0925713986f145e5db2ce8a26d290e8596d656b137aee80e7c83889643e56fd407

Download Submit
C:\Windows\System\IhJoPfB.exe

Filesize
5.2MB

MD5
538054d040574d9b104ca74bec827a82

SHA1
e5760626e78d7bf0c3b57b2820dfbdb2a023181b

SHA256
929523d7c102d17011976f2a3a35a288c600bf2a199fe894867c534af0435ce1

SHA512
b8d38f8c3beeff39ff847804a1ca6f91b71478fa7d254e63956b9e6c848fa9780b52c3049e2ef46c409cd531b96d926a72353ad768db673bd290f6e084bbe644

Download Submit
C:\Windows\System\LixIVun.exe

Filesize
5.2MB

MD5
153e28e1f48cf5362e577cd1951d09cc

SHA1
6ac6293824de7b9ef9318f9669c06b6311578041

SHA256
38199323c7206e0de83865820641e66f88d2b208887e730d36711c2f91aa45cd

SHA512
f91bbb8c70f2b23a6aca55b6c1cd6898b1f66754cee1b571065c2299b55affb827ed43b1e7efbb022e819b8c494c354e38fab54d7a8e67680e368ffe7c4a3364

Download Submit
C:\Windows\System\OzvYrnI.exe

Filesize
5.2MB

MD5
dde5a20a0eab4314c397be5467128994

SHA1
83a151af72a52b5e4c9dd979548d84c51c27d670

SHA256
b5f783c60bb267aede636fcf27a5df2a6c26859a63389ee9b69c910606204355

SHA512
bfbc7ea2244f1fa03706b7376050432be0024cd9b0e290cd8a69a75e8ec9653c475ad11ea62eb5c23d2b981ac04042d9e8140ccf727411db6cc591b18b440659

Download Submit
C:\Windows\System\XVRrszS.exe

Filesize
5.2MB

MD5
157531a39bcf44547ae048aa0f96b620

SHA1
4cc222800154eec3f8f4f7fde486f25b9942b0e3

SHA256
24125b7a67b010d70dd6b3640db0344dc34c9163412657becd7d2817a49e76a2

SHA512
1613717d9fd928190bcd881c25bc6a172e852033659eebe53361ef4fd2aece27ed88e05f22f84eded6ce79b63d9de072290d6ab8ecbbfa64dcd78b9cf2d828b7

Download Submit
C:\Windows\System\YQGoHDW.exe

Filesize
5.2MB

MD5
a4c9b65b71239afc595857278de1b0ce

SHA1
6cf923fc13fa45e0af04dc3ef11c8e05ec869584

SHA256
8c7c7e516bd501678edb55fa7cbbe9176ee067cd16aa49baf76ec1f36ce94ee0

SHA512
1abede745ac456d3434e9b732c0133d1ff8cb60459174d185f7daf1861eb1c3c620eef1bce4e74e5a0cc3f021226f188dc1e88bd7f7b01cdb18a19564535d9c9

Download Submit
C:\Windows\System\aSZEXZL.exe

Filesize
5.2MB

MD5
e35191dbdfdb15bddc30e3743aaaab45

SHA1
961e16752f82e9008284f169bc273c6d5b27c8e2

SHA256
82fd57c49be9a94223874f11b09e711f6e9284a49a51a76407e5409cef39410e

SHA512
8839ba316ef7ed7b9e1c5a01720fb2ac6941c49c5338aa25351fd49b819a50960150400ea5a4ee8a84904af533b527a2942ec22dd21de267ccfd2ca499e40899

Download Submit
C:\Windows\System\bQFuXGf.exe

Filesize
5.2MB

MD5
81c5a715c4821fa0507af98820839f78

SHA1
c1388733e9b944bbdeb00fd89ab27adfe2a39fe2

SHA256
fb6cc9c728cb28a0326895296a4d757039e0dee88c8cd6f10ba972efb3341a65

SHA512
44a28b8c007a711530c251fcb51721372b3164d5d860ab748ebcd2f724e56f51898db5e7e8e47d86a48df18cfd6a38824bdc7373430f5dd09035aa7f4791ba5b

Download Submit
C:\Windows\System\bWsnFJy.exe

Filesize
5.2MB

MD5
9ae79ae68d17767e9c2f8aa30aec684b

SHA1
b586428d383dbde82c706421d9c1ee9e9c62c59b

SHA256
d4f3ba582da6e166d94eb10e28870103c1d59f72a957f70fc4cbc1ba3cf17c12

SHA512
b55b45576dbd2d3159331f3077dbfd2b73e5a7405f71f5fb58d16dde7a6f2ad9477da54659a6ed69f0085e3627e2c21fa15c39d69fc7511c6500d9b3d444e484

Download Submit
C:\Windows\System\cApXfcP.exe

Filesize
5.2MB

MD5
d592da16d70ef7c1e5c2737718d1cb4c

SHA1
55e6803942f16ceae63bfda04cbb778c5412a15f

SHA256
6a33b5633415fcd7da268bfb8cc7e9ce36ea3776ff8993c5c0088b29f913af9f

SHA512
8e2151955127ad45e2998753306202eaff005f34b140eefd61412a3994a4fb192d07fcd7ee4b265758dfb3e967dff09cf2d9b9da700d6fc5e1dbcc55dc169487

Download Submit
C:\Windows\System\ctxfmqs.exe

Filesize
5.2MB

MD5
5e13d03e4bd38ebd77e612542fbbe293

SHA1
6a5e24ad52e916642e68353f9b364c5a28473da5

SHA256
7f546a87544665f8aaba578e051c2fcfa37e1d0a9319f0492c63404a11c02dc2

SHA512
5d5ab856ff6f82ed4e4f9e18fc573215ff5c72e9ade97c36a3d6f7a1ff4de5500965e6af3d87003ce463f65c94a71423afa2511eaa2a9a43ef5be252d2767557

Download Submit
C:\Windows\System\dQNdAub.exe

Filesize
5.2MB

MD5
1cd89c77032582d1684433b96d88a549

SHA1
9dcf2fa519f94328d7f9ecf329bcebbbe7a090d6

SHA256
998b5e4ce4b456f7d91f8215b3e83535f3a9238db3f01adc20ea65ab7481acc9

SHA512
1ea619d55c9146c763c7f7ac83dd9119a6ff95b5b097dd0cfc72afb503e1e86f0ddec55db655b65033e9e115b097ccd6bd71881139778c361feeb42931a253e7

Download Submit
C:\Windows\System\mHhcQPY.exe

Filesize
5.2MB

MD5
7625bf95b9d98f73b7dce33119a84d92

SHA1
ed998cf8468cec50fc04c4338bb1005d04d0ee41

SHA256
4fa42c362038efd6ae899fd2c4cea65eb613d77a3f8b052c7b28d05519b93516

SHA512
c16f2e370c8468f02e1c87f88971d9fe049a98383ebdc16c975a80c7c2a2da4738c565383d3c655d7b0f267810db2b94b38efc1cb451f9a747ffc41cfe186840

Download Submit
C:\Windows\System\mtsWmWi.exe

Filesize
5.2MB

MD5
9b3ebff1832431525b411d7db1334cfc

SHA1
3adb439dfd1520c05df6ba7aba38eba280b77236

SHA256
7acab81cb4527ae72f2dd6ce7b5023cf399cd1989f6a43ba846b32b8504c4434

SHA512
ea2c499cb2c5735723ae4a03d9c11f7d05fa66e24fbc3728fbf3afcd400378eba430eb2dd026acecf5c11467dd911a280da7a6d267d1b8252ece35627a919b0d

Download Submit
C:\Windows\System\nMkuquS.exe

Filesize
5.2MB

MD5
a46fadcd4e0a291c65cb88fdfa4dc7c5

SHA1
a45b7f6717f04d5412d8ba412444c401427f31fb

SHA256
e6dfa9ddfcdc60528249a52d78f7e65f53989d8c6e088305b61f854cf7691932

SHA512
da824d9035d5f2d813ac4ecd653545f95075eb819e6cfbf19f97e9ca2769332a0251cedb28ef20d165a4e95274406268fd42292ac969322f2efc37b646c6db55

Download Submit
C:\Windows\System\nQZhgWz.exe

Filesize
5.2MB

MD5
850aa58b1cdbcd5e338989593ca80834

SHA1
46e980d06c42f4fa8c614c2d9ccc46aa3050b8c7

SHA256
129ac9970ff116d999ed0dd40717821594a6c9eb56728a29fa6ca7fb794e2957

SHA512
a499c89af30b9931571457f54daabd4fb9dd90c0da9ffae034a13e8e24ee707e52a3ccbd8fbc7c1aa33047bc4ae103f7d4cfadceef54a9796ebdc2f8fcfe59dd

Download Submit
C:\Windows\System\okhOgSb.exe

Filesize
5.2MB

MD5
605610d13149b2ccfc37c75c5d55ab36

SHA1
f0b7ec535e70c0d83ae40e9238c1bc8a9fe041c0

SHA256
ae7dbeae61a2e4fceeabc752c47a478ca2dd7543bd108311c4e364e8e8390683

SHA512
725dd1aec942da690a951f1b1d9af14059cf766139d4104fbacf2403a46a1db4e93ccb76eac528896a475c35da2dc029b294c252aefc3f30b1926991cdd6f1c2

Download Submit
C:\Windows\System\qAJNpEk.exe

Filesize
5.2MB

MD5
a2af79f0ca58a64b66a6e74b9b0086f1

SHA1
9c3df110ccca75416d26f4a1b9bcd74bb3f3deac

SHA256
c8d57c38990afa0ee5993483740e8ad750e724f35dbfb6f7b0b7a0d5abdf72ef

SHA512
c0889965c5fc5fe0be3a339ad1dbbd99f5df64942fee36d233d86e50614a559d19fb5ced77f5e8061524ae8fc8faa8d07a8648ff22106be42b8a9b567f97bf7e

Download Submit
C:\Windows\System\qmdaHFU.exe

Filesize
5.2MB

MD5
2abf1eab49700c5dec4a19536c07736a

SHA1
b56743bcfb6c2c3299222335d7cfbe978f307fbd

SHA256
44eb78103858d190e717dbe335414b4f283fc4bedce6ed65e7b8abb44c6265d3

SHA512
40c2a673a936838ab24a57efac33afd10126f2dedbf718651dc4b465153862dbd21b0519b08f43b4ce328215747d68f32a58ff60814a7558e101b82e84ded494

Download Submit
C:\Windows\System\vgvBBPt.exe

Filesize
5.2MB

MD5
6a71bd014525f40ea0501148c027aab9

SHA1
6b6b0aba62c136a4e25965cf76cbd4a30b99320a

SHA256
a2d6149018b9a9253577dbce24057ee0a788e31627a519a471beccc9069f85d7

SHA512
b000dcd1d1205866292e762c2b0cc6f1cd5899fd0bcefbbafbbdbb9837c706ccb00680b9f0efe3cea228081ea6881c39d0f41b1bb2a21e1b45a7a09f205f757f

Download Submit
C:\Windows\System\xJuobMe.exe

Filesize
5.2MB

MD5
0281834cd927204b0e4bd2c95112c697

SHA1
26e260212c095f5ad0dcad4db124409b6536ff14

SHA256
5ed08d9696e5ac009bfd8bdcfeeac6ab0c34f43498b8d144e8b68bfb5f9b5b9d

SHA512
b9ad6aac28d3459505777d99cc2c5049fc2e9493fdc39d62b7a08045422ab31f1ba3ea0ca4c54ceb26c724582c7c1b090d53f2788ddfa03bd9f75155753ce067

Download Submit
memory/700-254-0x00007FF73C550000-0x00007FF73C8A1000-memory.dmp

Filesize
3.3MB

Download
memory/700-149-0x00007FF73C550000-0x00007FF73C8A1000-memory.dmp

Filesize
3.3MB

Download
memory/700-123-0x00007FF73C550000-0x00007FF73C8A1000-memory.dmp

Filesize
3.3MB

Download
memory/1072-75-0x00007FF6A4900000-0x00007FF6A4C51000-memory.dmp

Filesize
3.3MB

Download
memory/1072-142-0x00007FF6A4900000-0x00007FF6A4C51000-memory.dmp

Filesize
3.3MB

Download
memory/1072-234-0x00007FF6A4900000-0x00007FF6A4C51000-memory.dmp

Filesize
3.3MB

Download
memory/1452-230-0x00007FF7ED510000-0x00007FF7ED861000-memory.dmp

Filesize
3.3MB

Download
memory/1452-138-0x00007FF7ED510000-0x00007FF7ED861000-memory.dmp

Filesize
3.3MB

Download
memory/1452-57-0x00007FF7ED510000-0x00007FF7ED861000-memory.dmp

Filesize
3.3MB

Download
memory/1704-131-0x00007FF7AADE0000-0x00007FF7AB131000-memory.dmp

Filesize
3.3MB

Download
memory/1704-218-0x00007FF7AADE0000-0x00007FF7AB131000-memory.dmp

Filesize
3.3MB

Download
memory/1704-23-0x00007FF7AADE0000-0x00007FF7AB131000-memory.dmp

Filesize
3.3MB

Download
memory/1716-130-0x00007FF6477B0000-0x00007FF647B01000-memory.dmp

Filesize
3.3MB

Download
memory/1716-216-0x00007FF6477B0000-0x00007FF647B01000-memory.dmp

Filesize
3.3MB

Download
memory/1716-19-0x00007FF6477B0000-0x00007FF647B01000-memory.dmp

Filesize
3.3MB

Download
memory/1896-111-0x00007FF6CE340000-0x00007FF6CE691000-memory.dmp

Filesize
3.3MB

Download
memory/1896-145-0x00007FF6CE340000-0x00007FF6CE691000-memory.dmp

Filesize
3.3MB

Download
memory/1896-256-0x00007FF6CE340000-0x00007FF6CE691000-memory.dmp

Filesize
3.3MB

Download
memory/1940-242-0x00007FF691030000-0x00007FF691381000-memory.dmp

Filesize
3.3MB

Download
memory/1940-121-0x00007FF691030000-0x00007FF691381000-memory.dmp

Filesize
3.3MB

Download
memory/2108-245-0x00007FF7BC860000-0x00007FF7BCBB1000-memory.dmp

Filesize
3.3MB

Download
memory/2108-92-0x00007FF7BC860000-0x00007FF7BCBB1000-memory.dmp

Filesize
3.3MB

Download
memory/2108-144-0x00007FF7BC860000-0x00007FF7BCBB1000-memory.dmp

Filesize
3.3MB

Download
memory/2116-246-0x00007FF7351D0000-0x00007FF735521000-memory.dmp

Filesize
3.3MB

Download
memory/2116-120-0x00007FF7351D0000-0x00007FF735521000-memory.dmp

Filesize
3.3MB

Download
memory/2360-30-0x00007FF6E0470000-0x00007FF6E07C1000-memory.dmp

Filesize
3.3MB

Download
memory/2360-133-0x00007FF6E0470000-0x00007FF6E07C1000-memory.dmp

Filesize
3.3MB

Download
memory/2360-221-0x00007FF6E0470000-0x00007FF6E07C1000-memory.dmp

Filesize
3.3MB

Download
memory/2432-117-0x00007FF702E40000-0x00007FF703191000-memory.dmp

Filesize
3.3MB

Download
memory/2432-150-0x00007FF702E40000-0x00007FF703191000-memory.dmp

Filesize
3.3MB

Download
memory/2432-252-0x00007FF702E40000-0x00007FF703191000-memory.dmp

Filesize
3.3MB

Download
memory/2656-250-0x00007FF7B8BF0000-0x00007FF7B8F41000-memory.dmp

Filesize
3.3MB

Download
memory/2656-107-0x00007FF7B8BF0000-0x00007FF7B8F41000-memory.dmp

Filesize
3.3MB

Download
memory/2756-119-0x00007FF6D49E0000-0x00007FF6D4D31000-memory.dmp

Filesize
3.3MB

Download
memory/2756-232-0x00007FF6D49E0000-0x00007FF6D4D31000-memory.dmp

Filesize
3.3MB

Download
memory/2868-129-0x00007FF606DB0000-0x00007FF607101000-memory.dmp

Filesize
3.3MB

Download
memory/2868-7-0x00007FF606DB0000-0x00007FF607101000-memory.dmp

Filesize
3.3MB

Download
memory/2868-214-0x00007FF606DB0000-0x00007FF607101000-memory.dmp

Filesize
3.3MB

Download
memory/2952-228-0x00007FF728690000-0x00007FF7289E1000-memory.dmp

Filesize
3.3MB

Download
memory/2952-118-0x00007FF728690000-0x00007FF7289E1000-memory.dmp

Filesize
3.3MB

Download
memory/3040-249-0x00007FF7BEBD0000-0x00007FF7BEF21000-memory.dmp

Filesize
3.3MB

Download
memory/3040-122-0x00007FF7BEBD0000-0x00007FF7BEF21000-memory.dmp

Filesize
3.3MB

Download
memory/3372-0-0x00007FF7F2C70000-0x00007FF7F2FC1000-memory.dmp

Filesize
3.3MB

Download
memory/3372-128-0x00007FF7F2C70000-0x00007FF7F2FC1000-memory.dmp

Filesize
3.3MB

Download
memory/3372-151-0x00007FF7F2C70000-0x00007FF7F2FC1000-memory.dmp

Filesize
3.3MB

Download
memory/3372-1-0x0000021BC3880000-0x0000021BC3890000-memory.dmp

Filesize
64KB

Download
memory/3372-134-0x00007FF7F2C70000-0x00007FF7F2FC1000-memory.dmp

Filesize
3.3MB

Download
memory/3568-222-0x00007FF75F300000-0x00007FF75F651000-memory.dmp

Filesize
3.3MB

Download
memory/3568-132-0x00007FF75F300000-0x00007FF75F651000-memory.dmp

Filesize
3.3MB

Download
memory/3568-37-0x00007FF75F300000-0x00007FF75F651000-memory.dmp

Filesize
3.3MB

Download
memory/3932-140-0x00007FF70F270000-0x00007FF70F5C1000-memory.dmp

Filesize
3.3MB

Download
memory/3932-71-0x00007FF70F270000-0x00007FF70F5C1000-memory.dmp

Filesize
3.3MB

Download
memory/3932-240-0x00007FF70F270000-0x00007FF70F5C1000-memory.dmp

Filesize
3.3MB

Download
memory/4324-49-0x00007FF6C4AC0000-0x00007FF6C4E11000-memory.dmp

Filesize
3.3MB

Download
memory/4324-135-0x00007FF6C4AC0000-0x00007FF6C4E11000-memory.dmp

Filesize
3.3MB

Download
memory/4324-224-0x00007FF6C4AC0000-0x00007FF6C4E11000-memory.dmp

Filesize
3.3MB

Download
memory/4460-51-0x00007FF755880000-0x00007FF755BD1000-memory.dmp

Filesize
3.3MB

Download
memory/4460-137-0x00007FF755880000-0x00007FF755BD1000-memory.dmp

Filesize
3.3MB

Download
memory/4460-227-0x00007FF755880000-0x00007FF755BD1000-memory.dmp

Filesize
3.3MB

Download
memory/4688-115-0x00007FF774C00000-0x00007FF774F51000-memory.dmp

Filesize
3.3MB

Download
memory/4688-148-0x00007FF774C00000-0x00007FF774F51000-memory.dmp

Filesize
3.3MB

Download
memory/4688-258-0x00007FF774C00000-0x00007FF774F51000-memory.dmp

Filesize
3.3MB

Download