cobaltstrike | aaa90031b17f191463dadc7e423b999a612735a8b23fe70055ac3902ec740f36

Analysis

max time kernel
140s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-12-2024 15:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-08_88fcea69dece02da8fabda98f770c001_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

88fcea69dece02da8fabda98f770c001
SHA1

80d8176f038d7c7b215315dd6b2c0352b9ab7df4
SHA256

aaa90031b17f191463dadc7e423b999a612735a8b23fe70055ac3902ec740f36
SHA512

081262e69694171e3e575c7d945c0c2b8d3ccd4fd5afcd9b592e7eaaa5dfa730d00f7db30fa547d7d5cea1153305e9a6874f1c6bbed8c3e0af74950ccff71c2d
SSDEEP

49152:ROdWCCi7/raN56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lN:RWWBib+56utgpPFotBER/mQ32lUR

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000d000000023b6f-12.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b82-18.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b84-32.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b83-36.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b85-42.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b81-25.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b80-19.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b86-46.dat	cobalt_reflective_dll
behavioral2/files/0x000c000000023b74-52.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b88-60.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b89-65.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8b-82.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8c-86.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8a-89.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8d-98.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8f-105.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8e-108.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b92-135.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b93-142.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b94-147.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b90-134.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 46 IoCs

miner

resource	yara_rule
behavioral2/memory/748-54-0x00007FF78D280000-0x00007FF78D5D1000-memory.dmp	xmrig
behavioral2/memory/3084-64-0x00007FF7D1B70000-0x00007FF7D1EC1000-memory.dmp	xmrig
behavioral2/memory/2400-63-0x00007FF752370000-0x00007FF7526C1000-memory.dmp	xmrig
behavioral2/memory/4072-59-0x00007FF7BFAD0000-0x00007FF7BFE21000-memory.dmp	xmrig
behavioral2/memory/536-70-0x00007FF763360000-0x00007FF7636B1000-memory.dmp	xmrig
behavioral2/memory/2116-96-0x00007FF793A70000-0x00007FF793DC1000-memory.dmp	xmrig
behavioral2/memory/704-106-0x00007FF66F860000-0x00007FF66FBB1000-memory.dmp	xmrig
behavioral2/memory/1028-87-0x00007FF7D23C0000-0x00007FF7D2711000-memory.dmp	xmrig
behavioral2/memory/4856-78-0x00007FF6359D0000-0x00007FF635D21000-memory.dmp	xmrig
behavioral2/memory/4072-125-0x00007FF7BFAD0000-0x00007FF7BFE21000-memory.dmp	xmrig
behavioral2/memory/1372-128-0x00007FF711730000-0x00007FF711A81000-memory.dmp	xmrig
behavioral2/memory/612-141-0x00007FF64F620000-0x00007FF64F971000-memory.dmp	xmrig
behavioral2/memory/3924-139-0x00007FF76DAA0000-0x00007FF76DDF1000-memory.dmp	xmrig
behavioral2/memory/4740-131-0x00007FF7012C0000-0x00007FF701611000-memory.dmp	xmrig
behavioral2/memory/2364-127-0x00007FF73EA20000-0x00007FF73ED71000-memory.dmp	xmrig
behavioral2/memory/5008-126-0x00007FF7016E0000-0x00007FF701A31000-memory.dmp	xmrig
behavioral2/memory/452-124-0x00007FF6B94F0000-0x00007FF6B9841000-memory.dmp	xmrig
behavioral2/memory/748-150-0x00007FF78D280000-0x00007FF78D5D1000-memory.dmp	xmrig
behavioral2/memory/2096-161-0x00007FF72AB40000-0x00007FF72AE91000-memory.dmp	xmrig
behavioral2/memory/4880-162-0x00007FF7EBBF0000-0x00007FF7EBF41000-memory.dmp	xmrig
behavioral2/memory/2156-160-0x00007FF61A770000-0x00007FF61AAC1000-memory.dmp	xmrig
behavioral2/memory/3944-159-0x00007FF72C490000-0x00007FF72C7E1000-memory.dmp	xmrig
behavioral2/memory/4036-158-0x00007FF77AEA0000-0x00007FF77B1F1000-memory.dmp	xmrig
behavioral2/memory/4292-175-0x00007FF6BE050000-0x00007FF6BE3A1000-memory.dmp	xmrig
behavioral2/memory/748-177-0x00007FF78D280000-0x00007FF78D5D1000-memory.dmp	xmrig
behavioral2/memory/2400-208-0x00007FF752370000-0x00007FF7526C1000-memory.dmp	xmrig
behavioral2/memory/3084-211-0x00007FF7D1B70000-0x00007FF7D1EC1000-memory.dmp	xmrig
behavioral2/memory/536-212-0x00007FF763360000-0x00007FF7636B1000-memory.dmp	xmrig
behavioral2/memory/704-218-0x00007FF66F860000-0x00007FF66FBB1000-memory.dmp	xmrig
behavioral2/memory/1028-220-0x00007FF7D23C0000-0x00007FF7D2711000-memory.dmp	xmrig
behavioral2/memory/2116-216-0x00007FF793A70000-0x00007FF793DC1000-memory.dmp	xmrig
behavioral2/memory/4856-219-0x00007FF6359D0000-0x00007FF635D21000-memory.dmp	xmrig
behavioral2/memory/452-234-0x00007FF6B94F0000-0x00007FF6B9841000-memory.dmp	xmrig
behavioral2/memory/4072-236-0x00007FF7BFAD0000-0x00007FF7BFE21000-memory.dmp	xmrig
behavioral2/memory/2364-238-0x00007FF73EA20000-0x00007FF73ED71000-memory.dmp	xmrig
behavioral2/memory/5008-240-0x00007FF7016E0000-0x00007FF701A31000-memory.dmp	xmrig
behavioral2/memory/4740-242-0x00007FF7012C0000-0x00007FF701611000-memory.dmp	xmrig
behavioral2/memory/1372-244-0x00007FF711730000-0x00007FF711A81000-memory.dmp	xmrig
behavioral2/memory/3924-252-0x00007FF76DAA0000-0x00007FF76DDF1000-memory.dmp	xmrig
behavioral2/memory/3944-250-0x00007FF72C490000-0x00007FF72C7E1000-memory.dmp	xmrig
behavioral2/memory/2156-249-0x00007FF61A770000-0x00007FF61AAC1000-memory.dmp	xmrig
behavioral2/memory/4036-254-0x00007FF77AEA0000-0x00007FF77B1F1000-memory.dmp	xmrig
behavioral2/memory/612-263-0x00007FF64F620000-0x00007FF64F971000-memory.dmp	xmrig
behavioral2/memory/2096-262-0x00007FF72AB40000-0x00007FF72AE91000-memory.dmp	xmrig
behavioral2/memory/4292-267-0x00007FF6BE050000-0x00007FF6BE3A1000-memory.dmp	xmrig
behavioral2/memory/4880-266-0x00007FF7EBBF0000-0x00007FF7EBF41000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2400	GIQZhaI.exe
3084	MEKLaDR.exe
536	hMjJRzE.exe
4856	eRXBEQm.exe
1028	gwfvkTY.exe
2116	RkHDTQh.exe
704	mgPcXpj.exe
452	ERiyxFD.exe
4072	DgrwHvr.exe
5008	BCvPfrg.exe
2364	ppQtjdM.exe
4740	PgJSSHg.exe
1372	LDdlkZD.exe
3924	OwsihYD.exe
4036	PwFIeJD.exe
3944	BCwXVvb.exe
2156	tdwbzkP.exe
2096	uIyXsow.exe
612	yxdhUEX.exe
4292	NEYpYGq.exe
4880	ZYrxqrA.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/748-0-0x00007FF78D280000-0x00007FF78D5D1000-memory.dmp	upx
behavioral2/files/0x000d000000023b6f-12.dat	upx
behavioral2/files/0x000a000000023b82-18.dat	upx
behavioral2/memory/4856-27-0x00007FF6359D0000-0x00007FF635D21000-memory.dmp	upx
behavioral2/files/0x000a000000023b84-32.dat	upx
behavioral2/files/0x000a000000023b83-36.dat	upx
behavioral2/files/0x000a000000023b85-42.dat	upx
behavioral2/memory/704-41-0x00007FF66F860000-0x00007FF66FBB1000-memory.dmp	upx
behavioral2/memory/2116-39-0x00007FF793A70000-0x00007FF793DC1000-memory.dmp	upx
behavioral2/memory/1028-31-0x00007FF7D23C0000-0x00007FF7D2711000-memory.dmp	upx
behavioral2/files/0x000a000000023b81-25.dat	upx
behavioral2/files/0x000a000000023b80-19.dat	upx
behavioral2/memory/536-23-0x00007FF763360000-0x00007FF7636B1000-memory.dmp	upx
behavioral2/memory/3084-17-0x00007FF7D1B70000-0x00007FF7D1EC1000-memory.dmp	upx
behavioral2/memory/2400-8-0x00007FF752370000-0x00007FF7526C1000-memory.dmp	upx
behavioral2/files/0x000a000000023b86-46.dat	upx
behavioral2/files/0x000c000000023b74-52.dat	upx
behavioral2/memory/748-54-0x00007FF78D280000-0x00007FF78D5D1000-memory.dmp	upx
behavioral2/files/0x000a000000023b88-60.dat	upx
behavioral2/files/0x000a000000023b89-65.dat	upx
behavioral2/memory/3084-64-0x00007FF7D1B70000-0x00007FF7D1EC1000-memory.dmp	upx
behavioral2/memory/2400-63-0x00007FF752370000-0x00007FF7526C1000-memory.dmp	upx
behavioral2/memory/4072-59-0x00007FF7BFAD0000-0x00007FF7BFE21000-memory.dmp	upx
behavioral2/memory/452-48-0x00007FF6B94F0000-0x00007FF6B9841000-memory.dmp	upx
behavioral2/memory/536-70-0x00007FF763360000-0x00007FF7636B1000-memory.dmp	upx
behavioral2/memory/2364-69-0x00007FF73EA20000-0x00007FF73ED71000-memory.dmp	upx
behavioral2/memory/5008-66-0x00007FF7016E0000-0x00007FF701A31000-memory.dmp	upx
behavioral2/files/0x000a000000023b8b-82.dat	upx
behavioral2/files/0x000a000000023b8c-86.dat	upx
behavioral2/files/0x000a000000023b8a-89.dat	upx
behavioral2/memory/2116-96-0x00007FF793A70000-0x00007FF793DC1000-memory.dmp	upx
behavioral2/files/0x000a000000023b8d-98.dat	upx
behavioral2/files/0x000a000000023b8f-105.dat	upx
behavioral2/memory/2156-112-0x00007FF61A770000-0x00007FF61AAC1000-memory.dmp	upx
behavioral2/files/0x000a000000023b8e-108.dat	upx
behavioral2/memory/3944-107-0x00007FF72C490000-0x00007FF72C7E1000-memory.dmp	upx
behavioral2/memory/704-106-0x00007FF66F860000-0x00007FF66FBB1000-memory.dmp	upx
behavioral2/memory/4036-97-0x00007FF77AEA0000-0x00007FF77B1F1000-memory.dmp	upx
behavioral2/memory/3924-88-0x00007FF76DAA0000-0x00007FF76DDF1000-memory.dmp	upx
behavioral2/memory/1028-87-0x00007FF7D23C0000-0x00007FF7D2711000-memory.dmp	upx
behavioral2/memory/1372-81-0x00007FF711730000-0x00007FF711A81000-memory.dmp	upx
behavioral2/memory/4740-79-0x00007FF7012C0000-0x00007FF701611000-memory.dmp	upx
behavioral2/memory/4856-78-0x00007FF6359D0000-0x00007FF635D21000-memory.dmp	upx
behavioral2/memory/4072-125-0x00007FF7BFAD0000-0x00007FF7BFE21000-memory.dmp	upx
behavioral2/memory/1372-128-0x00007FF711730000-0x00007FF711A81000-memory.dmp	upx
behavioral2/files/0x000a000000023b92-135.dat	upx
behavioral2/files/0x000a000000023b93-142.dat	upx
behavioral2/memory/612-141-0x00007FF64F620000-0x00007FF64F971000-memory.dmp	upx
behavioral2/files/0x000a000000023b94-147.dat	upx
behavioral2/memory/3924-139-0x00007FF76DAA0000-0x00007FF76DDF1000-memory.dmp	upx
behavioral2/files/0x000a000000023b90-134.dat	upx
behavioral2/memory/2096-132-0x00007FF72AB40000-0x00007FF72AE91000-memory.dmp	upx
behavioral2/memory/4740-131-0x00007FF7012C0000-0x00007FF701611000-memory.dmp	upx
behavioral2/memory/2364-127-0x00007FF73EA20000-0x00007FF73ED71000-memory.dmp	upx
behavioral2/memory/5008-126-0x00007FF7016E0000-0x00007FF701A31000-memory.dmp	upx
behavioral2/memory/452-124-0x00007FF6B94F0000-0x00007FF6B9841000-memory.dmp	upx
behavioral2/memory/748-150-0x00007FF78D280000-0x00007FF78D5D1000-memory.dmp	upx
behavioral2/memory/2096-161-0x00007FF72AB40000-0x00007FF72AE91000-memory.dmp	upx
behavioral2/memory/4880-162-0x00007FF7EBBF0000-0x00007FF7EBF41000-memory.dmp	upx
behavioral2/memory/2156-160-0x00007FF61A770000-0x00007FF61AAC1000-memory.dmp	upx
behavioral2/memory/3944-159-0x00007FF72C490000-0x00007FF72C7E1000-memory.dmp	upx
behavioral2/memory/4036-158-0x00007FF77AEA0000-0x00007FF77B1F1000-memory.dmp	upx
behavioral2/memory/4292-149-0x00007FF6BE050000-0x00007FF6BE3A1000-memory.dmp	upx
behavioral2/memory/4292-175-0x00007FF6BE050000-0x00007FF6BE3A1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\PwFIeJD.exe	2024-12-08_88fcea69dece02da8fabda98f770c001_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gwfvkTY.exe	2024-12-08_88fcea69dece02da8fabda98f770c001_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PgJSSHg.exe	2024-12-08_88fcea69dece02da8fabda98f770c001_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OwsihYD.exe	2024-12-08_88fcea69dece02da8fabda98f770c001_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NEYpYGq.exe	2024-12-08_88fcea69dece02da8fabda98f770c001_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZYrxqrA.exe	2024-12-08_88fcea69dece02da8fabda98f770c001_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hMjJRzE.exe	2024-12-08_88fcea69dece02da8fabda98f770c001_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eRXBEQm.exe	2024-12-08_88fcea69dece02da8fabda98f770c001_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RkHDTQh.exe	2024-12-08_88fcea69dece02da8fabda98f770c001_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mgPcXpj.exe	2024-12-08_88fcea69dece02da8fabda98f770c001_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ppQtjdM.exe	2024-12-08_88fcea69dece02da8fabda98f770c001_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BCwXVvb.exe	2024-12-08_88fcea69dece02da8fabda98f770c001_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tdwbzkP.exe	2024-12-08_88fcea69dece02da8fabda98f770c001_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GIQZhaI.exe	2024-12-08_88fcea69dece02da8fabda98f770c001_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ERiyxFD.exe	2024-12-08_88fcea69dece02da8fabda98f770c001_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DgrwHvr.exe	2024-12-08_88fcea69dece02da8fabda98f770c001_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BCvPfrg.exe	2024-12-08_88fcea69dece02da8fabda98f770c001_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LDdlkZD.exe	2024-12-08_88fcea69dece02da8fabda98f770c001_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uIyXsow.exe	2024-12-08_88fcea69dece02da8fabda98f770c001_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yxdhUEX.exe	2024-12-08_88fcea69dece02da8fabda98f770c001_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MEKLaDR.exe	2024-12-08_88fcea69dece02da8fabda98f770c001_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	748	2024-12-08_88fcea69dece02da8fabda98f770c001_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	748	2024-12-08_88fcea69dece02da8fabda98f770c001_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 748 wrote to memory of 2400	748	2024-12-08_88fcea69dece02da8fabda98f770c001_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 748 wrote to memory of 2400	748	2024-12-08_88fcea69dece02da8fabda98f770c001_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 748 wrote to memory of 3084	748	2024-12-08_88fcea69dece02da8fabda98f770c001_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 748 wrote to memory of 3084	748	2024-12-08_88fcea69dece02da8fabda98f770c001_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 748 wrote to memory of 536	748	2024-12-08_88fcea69dece02da8fabda98f770c001_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 748 wrote to memory of 536	748	2024-12-08_88fcea69dece02da8fabda98f770c001_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 748 wrote to memory of 4856	748	2024-12-08_88fcea69dece02da8fabda98f770c001_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 748 wrote to memory of 4856	748	2024-12-08_88fcea69dece02da8fabda98f770c001_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 748 wrote to memory of 1028	748	2024-12-08_88fcea69dece02da8fabda98f770c001_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 748 wrote to memory of 1028	748	2024-12-08_88fcea69dece02da8fabda98f770c001_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 748 wrote to memory of 2116	748	2024-12-08_88fcea69dece02da8fabda98f770c001_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 748 wrote to memory of 2116	748	2024-12-08_88fcea69dece02da8fabda98f770c001_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 748 wrote to memory of 704	748	2024-12-08_88fcea69dece02da8fabda98f770c001_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 748 wrote to memory of 704	748	2024-12-08_88fcea69dece02da8fabda98f770c001_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 748 wrote to memory of 452	748	2024-12-08_88fcea69dece02da8fabda98f770c001_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 748 wrote to memory of 452	748	2024-12-08_88fcea69dece02da8fabda98f770c001_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 748 wrote to memory of 4072	748	2024-12-08_88fcea69dece02da8fabda98f770c001_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 748 wrote to memory of 4072	748	2024-12-08_88fcea69dece02da8fabda98f770c001_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 748 wrote to memory of 5008	748	2024-12-08_88fcea69dece02da8fabda98f770c001_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 748 wrote to memory of 5008	748	2024-12-08_88fcea69dece02da8fabda98f770c001_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 748 wrote to memory of 2364	748	2024-12-08_88fcea69dece02da8fabda98f770c001_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 748 wrote to memory of 2364	748	2024-12-08_88fcea69dece02da8fabda98f770c001_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 748 wrote to memory of 1372	748	2024-12-08_88fcea69dece02da8fabda98f770c001_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 748 wrote to memory of 1372	748	2024-12-08_88fcea69dece02da8fabda98f770c001_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 748 wrote to memory of 4740	748	2024-12-08_88fcea69dece02da8fabda98f770c001_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 748 wrote to memory of 4740	748	2024-12-08_88fcea69dece02da8fabda98f770c001_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 748 wrote to memory of 3924	748	2024-12-08_88fcea69dece02da8fabda98f770c001_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 748 wrote to memory of 3924	748	2024-12-08_88fcea69dece02da8fabda98f770c001_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 748 wrote to memory of 4036	748	2024-12-08_88fcea69dece02da8fabda98f770c001_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 748 wrote to memory of 4036	748	2024-12-08_88fcea69dece02da8fabda98f770c001_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 748 wrote to memory of 3944	748	2024-12-08_88fcea69dece02da8fabda98f770c001_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 748 wrote to memory of 3944	748	2024-12-08_88fcea69dece02da8fabda98f770c001_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 748 wrote to memory of 2156	748	2024-12-08_88fcea69dece02da8fabda98f770c001_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 748 wrote to memory of 2156	748	2024-12-08_88fcea69dece02da8fabda98f770c001_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 748 wrote to memory of 2096	748	2024-12-08_88fcea69dece02da8fabda98f770c001_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 748 wrote to memory of 2096	748	2024-12-08_88fcea69dece02da8fabda98f770c001_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 748 wrote to memory of 612	748	2024-12-08_88fcea69dece02da8fabda98f770c001_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 748 wrote to memory of 612	748	2024-12-08_88fcea69dece02da8fabda98f770c001_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 748 wrote to memory of 4292	748	2024-12-08_88fcea69dece02da8fabda98f770c001_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 748 wrote to memory of 4292	748	2024-12-08_88fcea69dece02da8fabda98f770c001_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 748 wrote to memory of 4880	748	2024-12-08_88fcea69dece02da8fabda98f770c001_cobalt-strike_cobaltstrike_poet-rat.exe	108
PID 748 wrote to memory of 4880	748	2024-12-08_88fcea69dece02da8fabda98f770c001_cobalt-strike_cobaltstrike_poet-rat.exe	108

C:\Users\Admin\AppData\Local\Temp\2024-12-08_88fcea69dece02da8fabda98f770c001_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-08_88fcea69dece02da8fabda98f770c001_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:748
- C:\Windows\System\GIQZhaI.exe
  C:\Windows\System\GIQZhaI.exe
  2⤵
  - Executes dropped EXE
  PID:2400
- C:\Windows\System\MEKLaDR.exe
  C:\Windows\System\MEKLaDR.exe
  2⤵
  - Executes dropped EXE
  PID:3084
- C:\Windows\System\hMjJRzE.exe
  C:\Windows\System\hMjJRzE.exe
  2⤵
  - Executes dropped EXE
  PID:536
- C:\Windows\System\eRXBEQm.exe
  C:\Windows\System\eRXBEQm.exe
  2⤵
  - Executes dropped EXE
  PID:4856
- C:\Windows\System\gwfvkTY.exe
  C:\Windows\System\gwfvkTY.exe
  2⤵
  - Executes dropped EXE
  PID:1028
- C:\Windows\System\RkHDTQh.exe
  C:\Windows\System\RkHDTQh.exe
  2⤵
  - Executes dropped EXE
  PID:2116
- C:\Windows\System\mgPcXpj.exe
  C:\Windows\System\mgPcXpj.exe
  2⤵
  - Executes dropped EXE
  PID:704
- C:\Windows\System\ERiyxFD.exe
  C:\Windows\System\ERiyxFD.exe
  2⤵
  - Executes dropped EXE
  PID:452
- C:\Windows\System\DgrwHvr.exe
  C:\Windows\System\DgrwHvr.exe
  2⤵
  - Executes dropped EXE
  PID:4072
- C:\Windows\System\BCvPfrg.exe
  C:\Windows\System\BCvPfrg.exe
  2⤵
  - Executes dropped EXE
  PID:5008
- C:\Windows\System\ppQtjdM.exe
  C:\Windows\System\ppQtjdM.exe
  2⤵
  - Executes dropped EXE
  PID:2364
- C:\Windows\System\LDdlkZD.exe
  C:\Windows\System\LDdlkZD.exe
  2⤵
  - Executes dropped EXE
  PID:1372
- C:\Windows\System\PgJSSHg.exe
  C:\Windows\System\PgJSSHg.exe
  2⤵
  - Executes dropped EXE
  PID:4740
- C:\Windows\System\OwsihYD.exe
  C:\Windows\System\OwsihYD.exe
  2⤵
  - Executes dropped EXE
  PID:3924
- C:\Windows\System\PwFIeJD.exe
  C:\Windows\System\PwFIeJD.exe
  2⤵
  - Executes dropped EXE
  PID:4036
- C:\Windows\System\BCwXVvb.exe
  C:\Windows\System\BCwXVvb.exe
  2⤵
  - Executes dropped EXE
  PID:3944
- C:\Windows\System\tdwbzkP.exe
  C:\Windows\System\tdwbzkP.exe
  2⤵
  - Executes dropped EXE
  PID:2156
- C:\Windows\System\uIyXsow.exe
  C:\Windows\System\uIyXsow.exe
  2⤵
  - Executes dropped EXE
  PID:2096
- C:\Windows\System\yxdhUEX.exe
  C:\Windows\System\yxdhUEX.exe
  2⤵
  - Executes dropped EXE
  PID:612
- C:\Windows\System\NEYpYGq.exe
  C:\Windows\System\NEYpYGq.exe
  2⤵
  - Executes dropped EXE
  PID:4292
- C:\Windows\System\ZYrxqrA.exe
  C:\Windows\System\ZYrxqrA.exe
  2⤵
  - Executes dropped EXE
  PID:4880

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BCvPfrg.exe

Filesize
5.2MB

MD5
e58381ac732a1bfd3f153d5dccdc597b

SHA1
58df9190607e94738224f68dfeeb2bf613996382

SHA256
ab29a0331752bf5fd55ba6f11a1975df6cdd0eeb75f7899e389beea37ff4eafd

SHA512
07bdf86672b44f9082e0f00f77b63a39a1398e3f635eaf7b71cb927d1b95646de69e9b72f2d45066a13b68e0f7778bcd17effd8853165657284a0f051350fe21

Download Submit
C:\Windows\System\BCwXVvb.exe

Filesize
5.2MB

MD5
66684ff76c552d833014074e930fd99b

SHA1
bf6433dbe1397d461972b02506fbc1d534a61e8e

SHA256
95b4953fa3438b2ca779b712a9b3104b4fdb4cbb1153207606d078e2fab8f95f

SHA512
54cab15f0d6ae8606f7fa6f86a2fb8f3336fe2aceb94b5e474471827628846a9e0bf12c8316912ef08eaa604aa31c8156f6fea3a7a07ee0e714aa30ce45574e3

Download Submit
C:\Windows\System\DgrwHvr.exe

Filesize
5.2MB

MD5
210f7395af739ddf6358c33f5d1875b1

SHA1
cfdf97f5f771502e8ed8dff02865a40c11c8dbaa

SHA256
d93a7d23e0b6e7ddd8f1fdd13f8158cbeeafc9a3f55114ceb51c39a7e2a05d08

SHA512
756d06b9e20565b353836007482d429d2c8b0ddc9d698c91da981a9d0c170b5c315566e535f2463e096ea71eb7b007eeabdfc5f9701510cc3152a44fba04a80f

Download Submit
C:\Windows\System\ERiyxFD.exe

Filesize
5.2MB

MD5
1c087decaddac12d54128f539efa4613

SHA1
e48db2199e06f837b17575ec9c6d50907229891c

SHA256
06a84f62ae7b53f6ad2cbf1633b8ec8ed56e45c73a0b4731647a6aa00a4c07f5

SHA512
2def7fd6153417a142009862b9885e41f7b538463fc37336d286a0f0d72e626c84201448b771dabf601798c0c888d456afb94b6f7c1dcda03a3eeeb60cd6f91d

Download Submit
C:\Windows\System\GIQZhaI.exe

Filesize
5.2MB

MD5
da5ce2d22c298528a5b332251385c9f3

SHA1
8486ff0aeab21121553b81f072d5fbd02e3c4b94

SHA256
79d6e6b1e844890052d2344a22355f16ddda423449c668146f6d7a17547f9e4c

SHA512
3b977cf42f6f465c9c422ed2f6f8948e42287605e1fc7cdac1f40512ff1d795d01e52b549eb380b5f4ded1f7f6601e130bc7922ca9a574f4cd478300ae9ba25f

Download Submit
C:\Windows\System\LDdlkZD.exe

Filesize
5.2MB

MD5
eef020d4dec4a504b062f8910c55a549

SHA1
abc44015b0080ee310893e4344390b7690ed90d1

SHA256
57f2c8660cd09a0332e22722b9686eecbf221306933dca3627acc6254eed1106

SHA512
f4d34c503583c50229232b79633993df5a70372663ba502d1283d576b91338f235a239b9f2e1aacebfe5d02bffecbd9c67ecd5f61766833d74a49befc90744b8

Download Submit
C:\Windows\System\MEKLaDR.exe

Filesize
5.2MB

MD5
14ae4caf0ffdf09a827d8835c7141d7b

SHA1
81e9d252481301452caa732da8fbec910776cb7e

SHA256
15333c8af6afa431f39a2a5554f30eaa7dab99ad3b6b50d25c6146a7f216d8f5

SHA512
8ded388364fc12fa9b6a2abd457f71baea3002d84406c4912849bc2e631b31fee2396202817fcd5b8ac9175abc793f9dbfcb5850d3de140de6eacca719bbf80e

Download Submit
C:\Windows\System\NEYpYGq.exe

Filesize
5.2MB

MD5
e904e70dff2e5721f2a45b950cc4c38f

SHA1
b625cf2dbc5730fb4a4aa6e434e4b8c4f2fd034c

SHA256
dbf5c01a5b2397a389be701190887702633cc5e0b06b349c560abda72997b41e

SHA512
906760f461a99657cbea73801ee736872046bc83749360483fb64832f5cce27917b414a7e630a055ec4d07cc7699b41c394f5ebbfe79982b0838d7fa6c284cd7

Download Submit
C:\Windows\System\OwsihYD.exe

Filesize
5.2MB

MD5
a7aae1bccb6932960882ca9fb8b91047

SHA1
1048e12387fc56fe5163dc1ca323a81790d9f897

SHA256
67b2e9e1531b785bb21b5b2f74579d240411c2e5378b3e35d5f9ec05dba08147

SHA512
5123839d0dbe4edad50abbc5f093cd29ad31ba0180fc31f87cf2e9bd28bd56f7812d9fde6dd7bf7c5e534f4f1597294ef3a450785107bd5d6843569e8beb35c4

Download Submit
C:\Windows\System\PgJSSHg.exe

Filesize
5.2MB

MD5
343a76e508d67ace5fd2ce801c794193

SHA1
a863d7a0f47739bbf71f79989f03f6aa2d34d57e

SHA256
f6d4351df087a7f6f3705362fd93d21e3507100d1755e8eb50c3b86df1d5fc36

SHA512
e8da8e30aa8807c7825cc695d2c13c7cca95eeeb3bde7cb0ef3240c8cee57cc3560dffbad4c30ca243ec6a2bcfc61fcf630c26f7140e68629ccc8c3690e53085

Download Submit
C:\Windows\System\PwFIeJD.exe

Filesize
5.2MB

MD5
d0f2036ba9aa714ea27c0727cfa01c31

SHA1
4af4c26aa92572ef69d80bcf11aea308d5b2b6e4

SHA256
990e3e5efcfb31e4f24cf3b66d62b09a3ae0ae798b1a80605e4b843d8488e5a7

SHA512
10ded684638eea1e74d5ec1ba0ea0bdb296f8adb3ec86fe5d8b2f8264f68c77b4478ab3bec5fe4e1cec14600f6503afc0b3abb13d04650a1d8d7734c1ab116e2

Download Submit
C:\Windows\System\RkHDTQh.exe

Filesize
5.2MB

MD5
c19d6b93c3f2bc87671ec031e6cffeab

SHA1
ed757fcb7464ffe397093df5ac174517cdda4a7c

SHA256
cea316187ba27308cc3c30374e8f133eb0be055d28a481d8523e73624256c106

SHA512
e07b0446695fc8c70f728c29ac3aaaa494db0ca8eae77557a83e4e3cd441a695b509703341524cc5e3ac7674bf99f9f262637c95ad23789caa74282222aac612

Download Submit
C:\Windows\System\ZYrxqrA.exe

Filesize
5.2MB

MD5
3db77b0afdb8963b05ad76c9270cca86

SHA1
6d472e0b4b7c7c6673e1eb7bdda1012f4b541406

SHA256
b84e9cca5925d3a2d66d216ef0b98a04aef8559613aa5877ec2d2e9c8aefb663

SHA512
a60eaa4af7fc0d752536f94e962067d8cc36ceec21018a69e0df67bee4fef3a00065be96f99fdc0dcf2d828edad929a4e8a8de0312c3bf557372181fedef3d85

Download Submit
C:\Windows\System\eRXBEQm.exe

Filesize
5.2MB

MD5
e0f22c86d4079a8c955c52ab108c4811

SHA1
fe2c33ab89d3fc67aeba8ff35d145ca00e3271b9

SHA256
cd8d5e7314e0582feb4cac7e12b9aba0e28a118fa99d9d66336b99808a987c52

SHA512
f2ff602146c0a5961d8da6edab3ce88d65f85b9c79e64540596096639dd0ea8293c7fe095bb12fe2ac13018b4269c051c95ba2b3178428479165a599fc985277

Download Submit
C:\Windows\System\gwfvkTY.exe

Filesize
5.2MB

MD5
05df50d28c942f9bca89158301fe58e3

SHA1
9074dc0f509b9e8165aff3c4d9e800963138a8b1

SHA256
3373c5c9adeaa430ff491260bc545498d028140a8946c0806359aab813ea2444

SHA512
8518e9b59baf44e4668588d3f79e5abed215dac89737be005f9006ec498ccd33d69fa1d2bfe419bbdc59512b0a8a6c5a3ae919cad604c5a7b416b4554b34fe5f

Download Submit
C:\Windows\System\hMjJRzE.exe

Filesize
5.2MB

MD5
d352f3a3217a95d6b1c5e55e4a939d5d

SHA1
4433a8472a1302f2f119947a2091ac53fc14f77a

SHA256
0aa035e9d5a367986434938f6c588d16faa23a942bee94bfe1b31cb0afcd6076

SHA512
6e4e3552668b3a0a7d3ac0ed0d72b7c9363110a8afd3821143859cae6ea80a4360e65b6dfcd64bceb086a759a0860b9caf2bac1d412da53a2bcd5f8509aac674

Download Submit
C:\Windows\System\mgPcXpj.exe

Filesize
5.2MB

MD5
16eef1fad92932887f1a97087d39eee4

SHA1
b01bb3f7c1881a56531bc7948769fd6a776156fd

SHA256
d87c9eb34d58f8384a9b8cfebb6fb71e2fdab21db0bb144a72003e23643a4883

SHA512
27ae1dbcb68be188e829e88fa9c65f459e781cdb8af1256a5ada8f7f567f09a51f6dba1f3ccf575975406dd16a1b7acaa0f157d04f8b3a5dfb0d88c62161f63c

Download Submit
C:\Windows\System\ppQtjdM.exe

Filesize
5.2MB

MD5
abb3c3de742f010f39d432fbcc99ed54

SHA1
43fb5b3d9c8c54507d41632e201bdc6953a186e8

SHA256
f76f040b8e2c1194a62f9551b171476eebbada77173f23c4f1b219c2cb1cc5f3

SHA512
610e29f99de023b519b500f98c8a664a39c9fa015dafd07d37be8f78ce13bd5854d3622494439d076f954a52727142094f41882181a70f8fad9d831d943ddd5a

Download Submit
C:\Windows\System\tdwbzkP.exe

Filesize
5.2MB

MD5
d823d3119595d7b1abe448e8f59dfd20

SHA1
497ea87404fa738a221518cae38e11551af42e12

SHA256
a66f836962eedff6e6af1f488f487d919ca807a646e9d345c485a1906e70b44d

SHA512
81830614e1adb9c999840a831066db9c14c6c912d6780fc3046dea927641dcb161b0c0fd065b99ee97409914465ed4eba6dcaad46e683f9cd380338b545f06de

Download Submit
C:\Windows\System\uIyXsow.exe

Filesize
5.2MB

MD5
352ea2ee2fb070f0382e6b3f824efaa6

SHA1
b0e31aeaa9a365f1e69b6bb64279002e8e9c848d

SHA256
e70c6fe14a1f04e4357ee1e841378c1efc76a3ee1cfd959f264a5dc7f56082cf

SHA512
0366f8db99effc030b1cc62580345883dd3bb368508419a446ac78e19182a2e004625dcd2656e30f95d9e3afa7bbc09c9dffa51745b65efcba2ccde68ec8ebbb

Download Submit
C:\Windows\System\yxdhUEX.exe

Filesize
5.2MB

MD5
87dac60788e2b76f831107840710bd36

SHA1
a0faa6ca46d5164fad6893d8e460c72b9565afb2

SHA256
41a89434b1ed92a6cdcb9146cc5440a0c20874bddaa836a09e174649ca0fd93d

SHA512
8efc84ec444460c89b214a39d5928170929d45838a196b9c0480313d988c9a6cc80a26101d0452afdbeb3c04e14cd38a985c9fb7ef76647884efc36ab4ec346c

Download Submit
memory/452-234-0x00007FF6B94F0000-0x00007FF6B9841000-memory.dmp

Filesize
3.3MB

Download
memory/452-124-0x00007FF6B94F0000-0x00007FF6B9841000-memory.dmp

Filesize
3.3MB

Download
memory/452-48-0x00007FF6B94F0000-0x00007FF6B9841000-memory.dmp

Filesize
3.3MB

Download
memory/536-23-0x00007FF763360000-0x00007FF7636B1000-memory.dmp

Filesize
3.3MB

Download
memory/536-70-0x00007FF763360000-0x00007FF7636B1000-memory.dmp

Filesize
3.3MB

Download
memory/536-212-0x00007FF763360000-0x00007FF7636B1000-memory.dmp

Filesize
3.3MB

Download
memory/612-263-0x00007FF64F620000-0x00007FF64F971000-memory.dmp

Filesize
3.3MB

Download
memory/612-141-0x00007FF64F620000-0x00007FF64F971000-memory.dmp

Filesize
3.3MB

Download
memory/704-106-0x00007FF66F860000-0x00007FF66FBB1000-memory.dmp

Filesize
3.3MB

Download
memory/704-218-0x00007FF66F860000-0x00007FF66FBB1000-memory.dmp

Filesize
3.3MB

Download
memory/704-41-0x00007FF66F860000-0x00007FF66FBB1000-memory.dmp

Filesize
3.3MB

Download
memory/748-0-0x00007FF78D280000-0x00007FF78D5D1000-memory.dmp

Filesize
3.3MB

Download
memory/748-1-0x0000012C50A80000-0x0000012C50A90000-memory.dmp

Filesize
64KB

Download
memory/748-177-0x00007FF78D280000-0x00007FF78D5D1000-memory.dmp

Filesize
3.3MB

Download
memory/748-54-0x00007FF78D280000-0x00007FF78D5D1000-memory.dmp

Filesize
3.3MB

Download
memory/748-150-0x00007FF78D280000-0x00007FF78D5D1000-memory.dmp

Filesize
3.3MB

Download
memory/1028-87-0x00007FF7D23C0000-0x00007FF7D2711000-memory.dmp

Filesize
3.3MB

Download
memory/1028-31-0x00007FF7D23C0000-0x00007FF7D2711000-memory.dmp

Filesize
3.3MB

Download
memory/1028-220-0x00007FF7D23C0000-0x00007FF7D2711000-memory.dmp

Filesize
3.3MB

Download
memory/1372-81-0x00007FF711730000-0x00007FF711A81000-memory.dmp

Filesize
3.3MB

Download
memory/1372-244-0x00007FF711730000-0x00007FF711A81000-memory.dmp

Filesize
3.3MB

Download
memory/1372-128-0x00007FF711730000-0x00007FF711A81000-memory.dmp

Filesize
3.3MB

Download
memory/2096-161-0x00007FF72AB40000-0x00007FF72AE91000-memory.dmp

Filesize
3.3MB

Download
memory/2096-262-0x00007FF72AB40000-0x00007FF72AE91000-memory.dmp

Filesize
3.3MB

Download
memory/2096-132-0x00007FF72AB40000-0x00007FF72AE91000-memory.dmp

Filesize
3.3MB

Download
memory/2116-39-0x00007FF793A70000-0x00007FF793DC1000-memory.dmp

Filesize
3.3MB

Download
memory/2116-96-0x00007FF793A70000-0x00007FF793DC1000-memory.dmp

Filesize
3.3MB

Download
memory/2116-216-0x00007FF793A70000-0x00007FF793DC1000-memory.dmp

Filesize
3.3MB

Download
memory/2156-160-0x00007FF61A770000-0x00007FF61AAC1000-memory.dmp

Filesize
3.3MB

Download
memory/2156-112-0x00007FF61A770000-0x00007FF61AAC1000-memory.dmp

Filesize
3.3MB

Download
memory/2156-249-0x00007FF61A770000-0x00007FF61AAC1000-memory.dmp

Filesize
3.3MB

Download
memory/2364-238-0x00007FF73EA20000-0x00007FF73ED71000-memory.dmp

Filesize
3.3MB

Download
memory/2364-127-0x00007FF73EA20000-0x00007FF73ED71000-memory.dmp

Filesize
3.3MB

Download
memory/2364-69-0x00007FF73EA20000-0x00007FF73ED71000-memory.dmp

Filesize
3.3MB

Download
memory/2400-8-0x00007FF752370000-0x00007FF7526C1000-memory.dmp

Filesize
3.3MB

Download
memory/2400-63-0x00007FF752370000-0x00007FF7526C1000-memory.dmp

Filesize
3.3MB

Download
memory/2400-208-0x00007FF752370000-0x00007FF7526C1000-memory.dmp

Filesize
3.3MB

Download
memory/3084-17-0x00007FF7D1B70000-0x00007FF7D1EC1000-memory.dmp

Filesize
3.3MB

Download
memory/3084-64-0x00007FF7D1B70000-0x00007FF7D1EC1000-memory.dmp

Filesize
3.3MB

Download
memory/3084-211-0x00007FF7D1B70000-0x00007FF7D1EC1000-memory.dmp

Filesize
3.3MB

Download
memory/3924-252-0x00007FF76DAA0000-0x00007FF76DDF1000-memory.dmp

Filesize
3.3MB

Download
memory/3924-88-0x00007FF76DAA0000-0x00007FF76DDF1000-memory.dmp

Filesize
3.3MB

Download
memory/3924-139-0x00007FF76DAA0000-0x00007FF76DDF1000-memory.dmp

Filesize
3.3MB

Download
memory/3944-159-0x00007FF72C490000-0x00007FF72C7E1000-memory.dmp

Filesize
3.3MB

Download
memory/3944-107-0x00007FF72C490000-0x00007FF72C7E1000-memory.dmp

Filesize
3.3MB

Download
memory/3944-250-0x00007FF72C490000-0x00007FF72C7E1000-memory.dmp

Filesize
3.3MB

Download
memory/4036-158-0x00007FF77AEA0000-0x00007FF77B1F1000-memory.dmp

Filesize
3.3MB

Download
memory/4036-97-0x00007FF77AEA0000-0x00007FF77B1F1000-memory.dmp

Filesize
3.3MB

Download
memory/4036-254-0x00007FF77AEA0000-0x00007FF77B1F1000-memory.dmp

Filesize
3.3MB

Download
memory/4072-125-0x00007FF7BFAD0000-0x00007FF7BFE21000-memory.dmp

Filesize
3.3MB

Download
memory/4072-59-0x00007FF7BFAD0000-0x00007FF7BFE21000-memory.dmp

Filesize
3.3MB

Download
memory/4072-236-0x00007FF7BFAD0000-0x00007FF7BFE21000-memory.dmp

Filesize
3.3MB

Download
memory/4292-149-0x00007FF6BE050000-0x00007FF6BE3A1000-memory.dmp

Filesize
3.3MB

Download
memory/4292-267-0x00007FF6BE050000-0x00007FF6BE3A1000-memory.dmp

Filesize
3.3MB

Download
memory/4292-175-0x00007FF6BE050000-0x00007FF6BE3A1000-memory.dmp

Filesize
3.3MB

Download
memory/4740-131-0x00007FF7012C0000-0x00007FF701611000-memory.dmp

Filesize
3.3MB

Download
memory/4740-242-0x00007FF7012C0000-0x00007FF701611000-memory.dmp

Filesize
3.3MB

Download
memory/4740-79-0x00007FF7012C0000-0x00007FF701611000-memory.dmp

Filesize
3.3MB

Download
memory/4856-219-0x00007FF6359D0000-0x00007FF635D21000-memory.dmp

Filesize
3.3MB

Download
memory/4856-78-0x00007FF6359D0000-0x00007FF635D21000-memory.dmp

Filesize
3.3MB

Download
memory/4856-27-0x00007FF6359D0000-0x00007FF635D21000-memory.dmp

Filesize
3.3MB

Download
memory/4880-162-0x00007FF7EBBF0000-0x00007FF7EBF41000-memory.dmp

Filesize
3.3MB

Download
memory/4880-266-0x00007FF7EBBF0000-0x00007FF7EBF41000-memory.dmp

Filesize
3.3MB

Download
memory/5008-126-0x00007FF7016E0000-0x00007FF701A31000-memory.dmp

Filesize
3.3MB

Download
memory/5008-66-0x00007FF7016E0000-0x00007FF701A31000-memory.dmp

Filesize
3.3MB

Download
memory/5008-240-0x00007FF7016E0000-0x00007FF701A31000-memory.dmp

Filesize
3.3MB

Download