cobaltstrike | 4d54afe70a4e3e53b591de61051ff64ecd34dcb99f7f4e4ad4d7668fa9e6a16d

Analysis

max time kernel
144s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-12-2024 02:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-10_2fa3076921b03a50df28c8e7ed043c00_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

2fa3076921b03a50df28c8e7ed043c00
SHA1

e366502aef78906030eb3d7cc9531bebc0d981a5
SHA256

4d54afe70a4e3e53b591de61051ff64ecd34dcb99f7f4e4ad4d7668fa9e6a16d
SHA512

10fb5d336f1d6a5641f5bfe5e1c55e4f76daf2dcb8fb8000a63815a48afccf7f533dbfbf828fa8b96eda5b3f7b0a493d8b8771b109cc066d562cc30238bc9bc9
SSDEEP

49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lt:RWWBibd56utgpPFotBER/mQ32lUJ

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0008000000023ca0-5.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca5-9.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca7-37.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca6-25.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca8-27.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca4-11.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cab-43.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cad-58.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023caf-83.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb1-87.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb2-99.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb4-114.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb3-112.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023ca1-110.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb0-86.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cae-80.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cac-72.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca9-65.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023caa-57.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb5-137.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb7-143.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 46 IoCs

miner

resource	yara_rule
behavioral2/memory/4964-19-0x00007FF6A0060000-0x00007FF6A03B1000-memory.dmp	xmrig
behavioral2/memory/3188-47-0x00007FF7F1930000-0x00007FF7F1C81000-memory.dmp	xmrig
behavioral2/memory/4948-53-0x00007FF699530000-0x00007FF699881000-memory.dmp	xmrig
behavioral2/memory/2196-82-0x00007FF7A71D0000-0x00007FF7A7521000-memory.dmp	xmrig
behavioral2/memory/4600-89-0x00007FF68D820000-0x00007FF68DB71000-memory.dmp	xmrig
behavioral2/memory/840-96-0x00007FF78F790000-0x00007FF78FAE1000-memory.dmp	xmrig
behavioral2/memory/884-93-0x00007FF6C4F20000-0x00007FF6C5271000-memory.dmp	xmrig
behavioral2/memory/3388-75-0x00007FF77E130000-0x00007FF77E481000-memory.dmp	xmrig
behavioral2/memory/3232-122-0x00007FF6DF260000-0x00007FF6DF5B1000-memory.dmp	xmrig
behavioral2/memory/3836-118-0x00007FF6BCC60000-0x00007FF6BCFB1000-memory.dmp	xmrig
behavioral2/memory/1564-132-0x00007FF6CCD80000-0x00007FF6CD0D1000-memory.dmp	xmrig
behavioral2/memory/3188-126-0x00007FF7F1930000-0x00007FF7F1C81000-memory.dmp	xmrig
behavioral2/memory/1788-125-0x00007FF704E30000-0x00007FF705181000-memory.dmp	xmrig
behavioral2/memory/4844-124-0x00007FF646920000-0x00007FF646C71000-memory.dmp	xmrig
behavioral2/memory/3480-123-0x00007FF6C16C0000-0x00007FF6C1A11000-memory.dmp	xmrig
behavioral2/memory/2636-133-0x00007FF6840B0000-0x00007FF684401000-memory.dmp	xmrig
behavioral2/memory/2864-120-0x00007FF738DB0000-0x00007FF739101000-memory.dmp	xmrig
behavioral2/memory/336-116-0x00007FF7BFC90000-0x00007FF7BFFE1000-memory.dmp	xmrig
behavioral2/memory/316-141-0x00007FF60EFC0000-0x00007FF60F311000-memory.dmp	xmrig
behavioral2/memory/336-147-0x00007FF7BFC90000-0x00007FF7BFFE1000-memory.dmp	xmrig
behavioral2/memory/5108-146-0x00007FF636790000-0x00007FF636AE1000-memory.dmp	xmrig
behavioral2/memory/4988-139-0x00007FF7D0340000-0x00007FF7D0691000-memory.dmp	xmrig
behavioral2/memory/336-149-0x00007FF7BFC90000-0x00007FF7BFFE1000-memory.dmp	xmrig
behavioral2/memory/2736-168-0x00007FF6EFA80000-0x00007FF6EFDD1000-memory.dmp	xmrig
behavioral2/memory/3644-169-0x00007FF6FA420000-0x00007FF6FA771000-memory.dmp	xmrig
behavioral2/memory/4964-204-0x00007FF6A0060000-0x00007FF6A03B1000-memory.dmp	xmrig
behavioral2/memory/3836-206-0x00007FF6BCC60000-0x00007FF6BCFB1000-memory.dmp	xmrig
behavioral2/memory/2864-208-0x00007FF738DB0000-0x00007FF739101000-memory.dmp	xmrig
behavioral2/memory/3232-210-0x00007FF6DF260000-0x00007FF6DF5B1000-memory.dmp	xmrig
behavioral2/memory/4948-224-0x00007FF699530000-0x00007FF699881000-memory.dmp	xmrig
behavioral2/memory/3188-226-0x00007FF7F1930000-0x00007FF7F1C81000-memory.dmp	xmrig
behavioral2/memory/1788-228-0x00007FF704E30000-0x00007FF705181000-memory.dmp	xmrig
behavioral2/memory/4844-230-0x00007FF646920000-0x00007FF646C71000-memory.dmp	xmrig
behavioral2/memory/3480-243-0x00007FF6C16C0000-0x00007FF6C1A11000-memory.dmp	xmrig
behavioral2/memory/3388-244-0x00007FF77E130000-0x00007FF77E481000-memory.dmp	xmrig
behavioral2/memory/4600-241-0x00007FF68D820000-0x00007FF68DB71000-memory.dmp	xmrig
behavioral2/memory/2196-239-0x00007FF7A71D0000-0x00007FF7A7521000-memory.dmp	xmrig
behavioral2/memory/884-237-0x00007FF6C4F20000-0x00007FF6C5271000-memory.dmp	xmrig
behavioral2/memory/1564-233-0x00007FF6CCD80000-0x00007FF6CD0D1000-memory.dmp	xmrig
behavioral2/memory/840-235-0x00007FF78F790000-0x00007FF78FAE1000-memory.dmp	xmrig
behavioral2/memory/2636-246-0x00007FF6840B0000-0x00007FF684401000-memory.dmp	xmrig
behavioral2/memory/5108-248-0x00007FF636790000-0x00007FF636AE1000-memory.dmp	xmrig
behavioral2/memory/4988-252-0x00007FF7D0340000-0x00007FF7D0691000-memory.dmp	xmrig
behavioral2/memory/316-251-0x00007FF60EFC0000-0x00007FF60F311000-memory.dmp	xmrig
behavioral2/memory/2736-257-0x00007FF6EFA80000-0x00007FF6EFDD1000-memory.dmp	xmrig
behavioral2/memory/3644-259-0x00007FF6FA420000-0x00007FF6FA771000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
3836	EpiLssE.exe
4964	AxPkQOY.exe
2864	JhVKBse.exe
4948	IwQsiVI.exe
3232	vLZMCHe.exe
3480	AImQhnM.exe
1788	LDWPgiq.exe
3188	glsvtKU.exe
4844	xPHPrtg.exe
4600	mkkeMRl.exe
3388	GkgSFaF.exe
2196	aCzERIN.exe
884	BntWtLb.exe
840	jBlsuJs.exe
1564	lZYSJBi.exe
2636	loiPMlG.exe
4988	ptMaSVY.exe
316	eXGFdWJ.exe
5108	ARPfKtm.exe
2736	BLFzMOS.exe
3644	PPHcXfB.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/336-0-0x00007FF7BFC90000-0x00007FF7BFFE1000-memory.dmp	upx
behavioral2/files/0x0008000000023ca0-5.dat	upx
behavioral2/files/0x0007000000023ca5-9.dat	upx
behavioral2/files/0x0007000000023ca7-37.dat	upx
behavioral2/files/0x0007000000023ca6-25.dat	upx
behavioral2/memory/2864-24-0x00007FF738DB0000-0x00007FF739101000-memory.dmp	upx
behavioral2/memory/4964-19-0x00007FF6A0060000-0x00007FF6A03B1000-memory.dmp	upx
behavioral2/files/0x0007000000023ca8-27.dat	upx
behavioral2/files/0x0007000000023ca4-11.dat	upx
behavioral2/memory/3836-7-0x00007FF6BCC60000-0x00007FF6BCFB1000-memory.dmp	upx
behavioral2/memory/3232-35-0x00007FF6DF260000-0x00007FF6DF5B1000-memory.dmp	upx
behavioral2/memory/3188-47-0x00007FF7F1930000-0x00007FF7F1C81000-memory.dmp	upx
behavioral2/memory/3480-44-0x00007FF6C16C0000-0x00007FF6C1A11000-memory.dmp	upx
behavioral2/files/0x0007000000023cab-43.dat	upx
behavioral2/memory/4948-53-0x00007FF699530000-0x00007FF699881000-memory.dmp	upx
behavioral2/files/0x0007000000023cad-58.dat	upx
behavioral2/files/0x0007000000023caf-83.dat	upx
behavioral2/memory/2196-82-0x00007FF7A71D0000-0x00007FF7A7521000-memory.dmp	upx
behavioral2/files/0x0007000000023cb1-87.dat	upx
behavioral2/memory/4600-89-0x00007FF68D820000-0x00007FF68DB71000-memory.dmp	upx
behavioral2/files/0x0007000000023cb2-99.dat	upx
behavioral2/memory/2636-108-0x00007FF6840B0000-0x00007FF684401000-memory.dmp	upx
behavioral2/files/0x0007000000023cb4-114.dat	upx
behavioral2/files/0x0007000000023cb3-112.dat	upx
behavioral2/files/0x0008000000023ca1-110.dat	upx
behavioral2/memory/5108-109-0x00007FF636790000-0x00007FF636AE1000-memory.dmp	upx
behavioral2/memory/316-105-0x00007FF60EFC0000-0x00007FF60F311000-memory.dmp	upx
behavioral2/memory/4988-103-0x00007FF7D0340000-0x00007FF7D0691000-memory.dmp	upx
behavioral2/memory/840-96-0x00007FF78F790000-0x00007FF78FAE1000-memory.dmp	upx
behavioral2/memory/884-93-0x00007FF6C4F20000-0x00007FF6C5271000-memory.dmp	upx
behavioral2/files/0x0007000000023cb0-86.dat	upx
behavioral2/memory/1564-85-0x00007FF6CCD80000-0x00007FF6CD0D1000-memory.dmp	upx
behavioral2/files/0x0007000000023cae-80.dat	upx
behavioral2/memory/3388-75-0x00007FF77E130000-0x00007FF77E481000-memory.dmp	upx
behavioral2/memory/4844-73-0x00007FF646920000-0x00007FF646C71000-memory.dmp	upx
behavioral2/files/0x0007000000023cac-72.dat	upx
behavioral2/files/0x0007000000023ca9-65.dat	upx
behavioral2/memory/1788-61-0x00007FF704E30000-0x00007FF705181000-memory.dmp	upx
behavioral2/files/0x0007000000023caa-57.dat	upx
behavioral2/memory/3232-122-0x00007FF6DF260000-0x00007FF6DF5B1000-memory.dmp	upx
behavioral2/memory/3836-118-0x00007FF6BCC60000-0x00007FF6BCFB1000-memory.dmp	upx
behavioral2/memory/1564-132-0x00007FF6CCD80000-0x00007FF6CD0D1000-memory.dmp	upx
behavioral2/memory/3188-126-0x00007FF7F1930000-0x00007FF7F1C81000-memory.dmp	upx
behavioral2/memory/1788-125-0x00007FF704E30000-0x00007FF705181000-memory.dmp	upx
behavioral2/memory/4844-124-0x00007FF646920000-0x00007FF646C71000-memory.dmp	upx
behavioral2/memory/3480-123-0x00007FF6C16C0000-0x00007FF6C1A11000-memory.dmp	upx
behavioral2/memory/2636-133-0x00007FF6840B0000-0x00007FF684401000-memory.dmp	upx
behavioral2/memory/2864-120-0x00007FF738DB0000-0x00007FF739101000-memory.dmp	upx
behavioral2/memory/336-116-0x00007FF7BFC90000-0x00007FF7BFFE1000-memory.dmp	upx
behavioral2/files/0x0007000000023cb5-137.dat	upx
behavioral2/memory/316-141-0x00007FF60EFC0000-0x00007FF60F311000-memory.dmp	upx
behavioral2/memory/3644-145-0x00007FF6FA420000-0x00007FF6FA771000-memory.dmp	upx
behavioral2/memory/336-147-0x00007FF7BFC90000-0x00007FF7BFFE1000-memory.dmp	upx
behavioral2/memory/5108-146-0x00007FF636790000-0x00007FF636AE1000-memory.dmp	upx
behavioral2/files/0x0007000000023cb7-143.dat	upx
behavioral2/memory/2736-140-0x00007FF6EFA80000-0x00007FF6EFDD1000-memory.dmp	upx
behavioral2/memory/4988-139-0x00007FF7D0340000-0x00007FF7D0691000-memory.dmp	upx
behavioral2/memory/336-149-0x00007FF7BFC90000-0x00007FF7BFFE1000-memory.dmp	upx
behavioral2/memory/2736-168-0x00007FF6EFA80000-0x00007FF6EFDD1000-memory.dmp	upx
behavioral2/memory/3644-169-0x00007FF6FA420000-0x00007FF6FA771000-memory.dmp	upx
behavioral2/memory/4964-204-0x00007FF6A0060000-0x00007FF6A03B1000-memory.dmp	upx
behavioral2/memory/3836-206-0x00007FF6BCC60000-0x00007FF6BCFB1000-memory.dmp	upx
behavioral2/memory/2864-208-0x00007FF738DB0000-0x00007FF739101000-memory.dmp	upx
behavioral2/memory/3232-210-0x00007FF6DF260000-0x00007FF6DF5B1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\AImQhnM.exe	2024-12-10_2fa3076921b03a50df28c8e7ed043c00_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xPHPrtg.exe	2024-12-10_2fa3076921b03a50df28c8e7ed043c00_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LDWPgiq.exe	2024-12-10_2fa3076921b03a50df28c8e7ed043c00_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GkgSFaF.exe	2024-12-10_2fa3076921b03a50df28c8e7ed043c00_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\loiPMlG.exe	2024-12-10_2fa3076921b03a50df28c8e7ed043c00_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BLFzMOS.exe	2024-12-10_2fa3076921b03a50df28c8e7ed043c00_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PPHcXfB.exe	2024-12-10_2fa3076921b03a50df28c8e7ed043c00_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BntWtLb.exe	2024-12-10_2fa3076921b03a50df28c8e7ed043c00_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EpiLssE.exe	2024-12-10_2fa3076921b03a50df28c8e7ed043c00_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JhVKBse.exe	2024-12-10_2fa3076921b03a50df28c8e7ed043c00_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IwQsiVI.exe	2024-12-10_2fa3076921b03a50df28c8e7ed043c00_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vLZMCHe.exe	2024-12-10_2fa3076921b03a50df28c8e7ed043c00_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\glsvtKU.exe	2024-12-10_2fa3076921b03a50df28c8e7ed043c00_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mkkeMRl.exe	2024-12-10_2fa3076921b03a50df28c8e7ed043c00_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aCzERIN.exe	2024-12-10_2fa3076921b03a50df28c8e7ed043c00_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jBlsuJs.exe	2024-12-10_2fa3076921b03a50df28c8e7ed043c00_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lZYSJBi.exe	2024-12-10_2fa3076921b03a50df28c8e7ed043c00_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ptMaSVY.exe	2024-12-10_2fa3076921b03a50df28c8e7ed043c00_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ARPfKtm.exe	2024-12-10_2fa3076921b03a50df28c8e7ed043c00_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AxPkQOY.exe	2024-12-10_2fa3076921b03a50df28c8e7ed043c00_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eXGFdWJ.exe	2024-12-10_2fa3076921b03a50df28c8e7ed043c00_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	336	2024-12-10_2fa3076921b03a50df28c8e7ed043c00_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	336	2024-12-10_2fa3076921b03a50df28c8e7ed043c00_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 336 wrote to memory of 3836	336	2024-12-10_2fa3076921b03a50df28c8e7ed043c00_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 336 wrote to memory of 3836	336	2024-12-10_2fa3076921b03a50df28c8e7ed043c00_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 336 wrote to memory of 4964	336	2024-12-10_2fa3076921b03a50df28c8e7ed043c00_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 336 wrote to memory of 4964	336	2024-12-10_2fa3076921b03a50df28c8e7ed043c00_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 336 wrote to memory of 2864	336	2024-12-10_2fa3076921b03a50df28c8e7ed043c00_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 336 wrote to memory of 2864	336	2024-12-10_2fa3076921b03a50df28c8e7ed043c00_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 336 wrote to memory of 4948	336	2024-12-10_2fa3076921b03a50df28c8e7ed043c00_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 336 wrote to memory of 4948	336	2024-12-10_2fa3076921b03a50df28c8e7ed043c00_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 336 wrote to memory of 3232	336	2024-12-10_2fa3076921b03a50df28c8e7ed043c00_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 336 wrote to memory of 3232	336	2024-12-10_2fa3076921b03a50df28c8e7ed043c00_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 336 wrote to memory of 3480	336	2024-12-10_2fa3076921b03a50df28c8e7ed043c00_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 336 wrote to memory of 3480	336	2024-12-10_2fa3076921b03a50df28c8e7ed043c00_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 336 wrote to memory of 4844	336	2024-12-10_2fa3076921b03a50df28c8e7ed043c00_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 336 wrote to memory of 4844	336	2024-12-10_2fa3076921b03a50df28c8e7ed043c00_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 336 wrote to memory of 1788	336	2024-12-10_2fa3076921b03a50df28c8e7ed043c00_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 336 wrote to memory of 1788	336	2024-12-10_2fa3076921b03a50df28c8e7ed043c00_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 336 wrote to memory of 3188	336	2024-12-10_2fa3076921b03a50df28c8e7ed043c00_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 336 wrote to memory of 3188	336	2024-12-10_2fa3076921b03a50df28c8e7ed043c00_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 336 wrote to memory of 4600	336	2024-12-10_2fa3076921b03a50df28c8e7ed043c00_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 336 wrote to memory of 4600	336	2024-12-10_2fa3076921b03a50df28c8e7ed043c00_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 336 wrote to memory of 3388	336	2024-12-10_2fa3076921b03a50df28c8e7ed043c00_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 336 wrote to memory of 3388	336	2024-12-10_2fa3076921b03a50df28c8e7ed043c00_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 336 wrote to memory of 2196	336	2024-12-10_2fa3076921b03a50df28c8e7ed043c00_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 336 wrote to memory of 2196	336	2024-12-10_2fa3076921b03a50df28c8e7ed043c00_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 336 wrote to memory of 884	336	2024-12-10_2fa3076921b03a50df28c8e7ed043c00_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 336 wrote to memory of 884	336	2024-12-10_2fa3076921b03a50df28c8e7ed043c00_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 336 wrote to memory of 840	336	2024-12-10_2fa3076921b03a50df28c8e7ed043c00_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 336 wrote to memory of 840	336	2024-12-10_2fa3076921b03a50df28c8e7ed043c00_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 336 wrote to memory of 1564	336	2024-12-10_2fa3076921b03a50df28c8e7ed043c00_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 336 wrote to memory of 1564	336	2024-12-10_2fa3076921b03a50df28c8e7ed043c00_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 336 wrote to memory of 2636	336	2024-12-10_2fa3076921b03a50df28c8e7ed043c00_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 336 wrote to memory of 2636	336	2024-12-10_2fa3076921b03a50df28c8e7ed043c00_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 336 wrote to memory of 4988	336	2024-12-10_2fa3076921b03a50df28c8e7ed043c00_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 336 wrote to memory of 4988	336	2024-12-10_2fa3076921b03a50df28c8e7ed043c00_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 336 wrote to memory of 316	336	2024-12-10_2fa3076921b03a50df28c8e7ed043c00_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 336 wrote to memory of 316	336	2024-12-10_2fa3076921b03a50df28c8e7ed043c00_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 336 wrote to memory of 5108	336	2024-12-10_2fa3076921b03a50df28c8e7ed043c00_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 336 wrote to memory of 5108	336	2024-12-10_2fa3076921b03a50df28c8e7ed043c00_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 336 wrote to memory of 2736	336	2024-12-10_2fa3076921b03a50df28c8e7ed043c00_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 336 wrote to memory of 2736	336	2024-12-10_2fa3076921b03a50df28c8e7ed043c00_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 336 wrote to memory of 3644	336	2024-12-10_2fa3076921b03a50df28c8e7ed043c00_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 336 wrote to memory of 3644	336	2024-12-10_2fa3076921b03a50df28c8e7ed043c00_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-12-10_2fa3076921b03a50df28c8e7ed043c00_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-10_2fa3076921b03a50df28c8e7ed043c00_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:336
- C:\Windows\System\EpiLssE.exe
  C:\Windows\System\EpiLssE.exe
  2⤵
  - Executes dropped EXE
  PID:3836
- C:\Windows\System\AxPkQOY.exe
  C:\Windows\System\AxPkQOY.exe
  2⤵
  - Executes dropped EXE
  PID:4964
- C:\Windows\System\JhVKBse.exe
  C:\Windows\System\JhVKBse.exe
  2⤵
  - Executes dropped EXE
  PID:2864
- C:\Windows\System\IwQsiVI.exe
  C:\Windows\System\IwQsiVI.exe
  2⤵
  - Executes dropped EXE
  PID:4948
- C:\Windows\System\vLZMCHe.exe
  C:\Windows\System\vLZMCHe.exe
  2⤵
  - Executes dropped EXE
  PID:3232
- C:\Windows\System\AImQhnM.exe
  C:\Windows\System\AImQhnM.exe
  2⤵
  - Executes dropped EXE
  PID:3480
- C:\Windows\System\xPHPrtg.exe
  C:\Windows\System\xPHPrtg.exe
  2⤵
  - Executes dropped EXE
  PID:4844
- C:\Windows\System\LDWPgiq.exe
  C:\Windows\System\LDWPgiq.exe
  2⤵
  - Executes dropped EXE
  PID:1788
- C:\Windows\System\glsvtKU.exe
  C:\Windows\System\glsvtKU.exe
  2⤵
  - Executes dropped EXE
  PID:3188
- C:\Windows\System\mkkeMRl.exe
  C:\Windows\System\mkkeMRl.exe
  2⤵
  - Executes dropped EXE
  PID:4600
- C:\Windows\System\GkgSFaF.exe
  C:\Windows\System\GkgSFaF.exe
  2⤵
  - Executes dropped EXE
  PID:3388
- C:\Windows\System\aCzERIN.exe
  C:\Windows\System\aCzERIN.exe
  2⤵
  - Executes dropped EXE
  PID:2196
- C:\Windows\System\BntWtLb.exe
  C:\Windows\System\BntWtLb.exe
  2⤵
  - Executes dropped EXE
  PID:884
- C:\Windows\System\jBlsuJs.exe
  C:\Windows\System\jBlsuJs.exe
  2⤵
  - Executes dropped EXE
  PID:840
- C:\Windows\System\lZYSJBi.exe
  C:\Windows\System\lZYSJBi.exe
  2⤵
  - Executes dropped EXE
  PID:1564
- C:\Windows\System\loiPMlG.exe
  C:\Windows\System\loiPMlG.exe
  2⤵
  - Executes dropped EXE
  PID:2636
- C:\Windows\System\ptMaSVY.exe
  C:\Windows\System\ptMaSVY.exe
  2⤵
  - Executes dropped EXE
  PID:4988
- C:\Windows\System\eXGFdWJ.exe
  C:\Windows\System\eXGFdWJ.exe
  2⤵
  - Executes dropped EXE
  PID:316
- C:\Windows\System\ARPfKtm.exe
  C:\Windows\System\ARPfKtm.exe
  2⤵
  - Executes dropped EXE
  PID:5108
- C:\Windows\System\BLFzMOS.exe
  C:\Windows\System\BLFzMOS.exe
  2⤵
  - Executes dropped EXE
  PID:2736
- C:\Windows\System\PPHcXfB.exe
  C:\Windows\System\PPHcXfB.exe
  2⤵
  - Executes dropped EXE
  PID:3644

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AImQhnM.exe

Filesize
5.2MB

MD5
f918c316eaecb07ea81e0a72a17260bd

SHA1
debe3efc2a26dee1bec0280b4bc5f167fbfe3632

SHA256
c9ded38ae00fff4972acf6a3dd8da6c9ed49da8e88b205f36b97f0dddbdb089d

SHA512
3f2b3811d093c0669e8cb531ecb4911e65fbb79e0f609fd5b139096c69e0220b428eaa61dd2aab3e1b61ccde40c5dbd72b808f3d5478bf10cd19b30b6821734a

Download Submit
C:\Windows\System\ARPfKtm.exe

Filesize
5.2MB

MD5
717c9da1ef4fe65af1d6265f5a6a4649

SHA1
dc2487701e1815f1e5a9147b18d5c460a6d6a4c9

SHA256
b77404a9a04b9c798e31fd955f1d54a8cedfd43e67f1d16026d7c704f30c15ef

SHA512
1d9c665eba76b88870237c18469e93fedfce607425d93c792e2f66d165db640d8928536cad2eac614205dd9fdd437d0ed5cde3e10bb0730c11f32ef0bfad51eb

Download Submit
C:\Windows\System\AxPkQOY.exe

Filesize
5.2MB

MD5
cfb49e3d048452547b8632f923a5c3c9

SHA1
ff23101c8ba3d3ab05a5eabc759b0015bd91113d

SHA256
a0bc9c38d383643f5d16a8e77d3527dd70f26255cd94c26afe3faf759b4c4c3f

SHA512
369486c88fcf9ee8fa4a99b0898882d3d2b060e0ab3b98dfd8b32bfe8b5947d69e7197f857ef94e430d72e2d8da4f7c211511e1715990b592722e78956006ea9

Download Submit
C:\Windows\System\BLFzMOS.exe

Filesize
5.2MB

MD5
50c8b23f82bb1f5c5659010389ad27ed

SHA1
5330bb15ca958c25c49debe425489f12881751aa

SHA256
2377e3d5deb4aa49393b1c0201898fcb9354a8e209bff88e5effb71e81cd5180

SHA512
84d1eaac809d400038e233f3577602ebac25d25c0c7f172264d5b5c2dd035cdd494c9e9f0a0587c94bddf0185d27e5ae80a77c8d44d97468347ff300b2aaf9b5

Download Submit
C:\Windows\System\BntWtLb.exe

Filesize
5.2MB

MD5
6484ee3ee3f13c53286743f926f96b2d

SHA1
f802cc29870b1755b8a2b0abd10b930c04368f43

SHA256
1ed3c8bac9ef96d09bc480122c28649b535ddbf11c7d2a11660cd0f88d469894

SHA512
5d8cff89e6e42a10a68767540e2650f0d160cc1812a9006441394c538f784270b124d1dad602a56faa5dc7c5f41c973726031d935e8efe5c20486c5855ec7a15

Download Submit
C:\Windows\System\EpiLssE.exe

Filesize
5.2MB

MD5
5bc76ae6030e30a4c57610331f5b34b3

SHA1
01094e757a80827e040fe2e3b7726e6f56d9eb16

SHA256
86dd9e03831b763b403e2686aaced9b6fcc13920e047ceaadd34106df703e1e3

SHA512
4ac5622de0947826af32473599f9739f620986cae52f31b8bfde8d41afe97632e69cd4d2736bfb0ce88ceadcdf8cb4faf18bd5300332d7d7cbad644e1a2796af

Download Submit
C:\Windows\System\GkgSFaF.exe

Filesize
5.2MB

MD5
2df061ff7c78993519028b6b849fecba

SHA1
fd13a4ee892339c59eb7e3e5cefd7bbf35505e61

SHA256
940c015fbf1fedacccb8367f210bb39e8c88440b14f32db5c4d88f71acfd8c3c

SHA512
866bde5886f3862ef1d58678e1076e4dc1c26d8ef71446fa5e84b901c4b5e16ff52d18b33fcb0ffa2ba5973bc16a3e09af8f749a5b1dfc0c4568a086c23174ab

Download Submit
C:\Windows\System\IwQsiVI.exe

Filesize
5.2MB

MD5
2c2cd0a78d2906b1218100b86e6cbeee

SHA1
ce9ddf8bc7b0f28a1b5ac470a163e700ba013de2

SHA256
12da0ff1d247f85d49e309cdac1cda6798a731cbb4ea2dd9a285ff042e0d061d

SHA512
7c9571cd04c3ff4940d8dd4f1fdd85d3636b62d9f1e52a76d008c2bbd0db0b8d7196f3720efb1c6a17f9f98b91e2283339d50ee5eb8f6d7d99b20c4be263ac02

Download Submit
C:\Windows\System\JhVKBse.exe

Filesize
5.2MB

MD5
7b13708f698a3eb57edf7e68e9cae842

SHA1
4ec60022dd551a5efe9bfafc78bfdee6d9bcbbbc

SHA256
4a923e05a6d2d7de25cf80002216bbd3d6e59826eae8eb2751e4f489841f7936

SHA512
cd01d08cf332580f81d4089a96f7d1c9f0cb3784627702c793dec32920c6b41806dbaac9f40bed62f28537887c324cf90eb09bbb071b4fd3dac8b32a58ee3a60

Download Submit
C:\Windows\System\LDWPgiq.exe

Filesize
5.2MB

MD5
383045b00efa28f37d77e953351cd37b

SHA1
c31b076f258f2dbd6a171517d603b7beb59724dd

SHA256
e83158b99da0a5d4735156b88848f44c5121f68b45d9019685b94321f1fa3247

SHA512
58fa17c3c89b3cc8cdd6ee1fabeee4f38b44a95ea38c2ae3579636d7de9ad73e73d271f6767f4c22dfcd08afdf005f5162c5cbab7ddaa88e39f304b77889b104

Download Submit
C:\Windows\System\PPHcXfB.exe

Filesize
5.2MB

MD5
201b27ff6d6fa5ef151989d8bb39d7a4

SHA1
eb3eada2873203d01feff54dd5823c1bb6cfe447

SHA256
e16a97b36e2c2037e7838dc469069f226a7e5b71d787d984f72a5f3590299080

SHA512
12f5384dac8a67d18a0b50e58a06a9a087d3e64e8d9e40b61d00c5a5504d4099f5a3132b817a2aeb4478e88788df245132ee07d33a4d9bc10ab499fb7bf84f5f

Download Submit
C:\Windows\System\aCzERIN.exe

Filesize
5.2MB

MD5
e405998e7c84af2e21327902272b5f6d

SHA1
b4f2d7def68a4fb3521c9f639a85657d6d4e1f09

SHA256
d2087e1970a6fca000c01230cebf1603e3c1f0a5505de472a5e219574cab4fe8

SHA512
a3c03c3dd46cf4f2b2eeacfec09e98af2086309c70a132f23918d6b12c6c7e4b64004a510e61c569cc0773c15b9448db94ae2c40c2b246b4df1f4e0f578d3b43

Download Submit
C:\Windows\System\eXGFdWJ.exe

Filesize
5.2MB

MD5
66d2f82c2eb785a57900cb3446b13802

SHA1
00b10de09c9d6e46b0772273a5d1c1e3071c493c

SHA256
d1e8a8d863579d5aebf0b8d086eb87b45a1d9826f36001e4cc9e294cfc398057

SHA512
2b44e524836696cb8e2af62a6529e3bccdb5b1d5f8e54d885cc0c41c37d09c19f88ee336058162abfd2c52db49f20b449915105e8e49dddf7a3fbc17538b0d93

Download Submit
C:\Windows\System\glsvtKU.exe

Filesize
5.2MB

MD5
6222bb855ed752366f2f82c69e6b6eca

SHA1
4928ceea10c38f9c831259ec19a21d5f23aee797

SHA256
41cadf9ebd471da113531df1be78f975490db81b002e2229d3bc23e8786031e5

SHA512
e880d914c9f3cc1af923b96b902513aad822b7d4f52c44d2f8b3d909874c643c426d56c4a7add1f4d0b56ec677e6f6b406db4d5ad2d0d1dd902905b5cd35aeb8

Download Submit
C:\Windows\System\jBlsuJs.exe

Filesize
5.2MB

MD5
5e7a9e76ee7374b8bbdd4735aa56d53a

SHA1
bc4587dca180a1522b339b5767e42aff1f40dd7d

SHA256
ad8d3cc23d9b0600d119f73e7af292117b525e9dff32e6e1ac1e817ad568e2a2

SHA512
6dfd615e43f7a1fe833c8df1e8bc221f0feb8973fb3a015959d30e15d77d4aaedecd5d95c2d55e10e1853ca3f94edf23b00c1273e6aa3ad64352c1b1a608f526

Download Submit
C:\Windows\System\lZYSJBi.exe

Filesize
5.2MB

MD5
c9f45e8564acecd3c89a52eab023aba6

SHA1
53426963defc08b24ee1eb50bd29ee81bd69b891

SHA256
7dedb7633e79b1f95013f81da16cb9841c4c265ea54bdea6d202d8058baac6cc

SHA512
0217259e828b9954f92e3fd93ac1406396cba0b2752889639ddd9ca6e88f0620f3d9044b8300e1e19d85bf08f07a8fca047687de244f0d3710953d43783599c2

Download Submit
C:\Windows\System\loiPMlG.exe

Filesize
5.2MB

MD5
b6315d76e56cfb45b7bcb39b52bb6345

SHA1
5f772cc89b2fd017f23f5a44666f367937dee007

SHA256
fc8e87c45448090e8c96095406fd519c9f2c55d42edb18354b934bf253a167c2

SHA512
f961b43c379d5626f2f188ce6f4dd011de0d47537d7062f97cd67eefc43907fed99481f706244595315f8fbc233e699c98955df13dc664ba49a85085bb12cf15

Download Submit
C:\Windows\System\mkkeMRl.exe

Filesize
5.2MB

MD5
3173dfaddb85fb1715008d7d1b9d66fd

SHA1
76a415c4174aa2d4e00ea224a0be3825d5999efc

SHA256
e9981b6147e3d9513baca7641665b67f1ac8b8e199e205db6d8d53f5a220c7d2

SHA512
6b57cef0bd1429a498c4816c8639c8d57fcf001791a146ad9ad9e3683baeabdaaa8815d64e66025d9cef2ab1fd1875a4f28c171de2d80e73324e360ddb635954

Download Submit
C:\Windows\System\ptMaSVY.exe

Filesize
5.2MB

MD5
1eb00a54b2290e353a11ce9477f81080

SHA1
60212cc2257659bdd247b99966f2b9fb88f1075f

SHA256
fb6b8d054018cdf69cc49431acb667366cd29f9fbdef9d32995df6833700abc7

SHA512
d01e717a0c8c9848db75a39cc9a8b41fe3067653c32f58077d0b966d2dd0e5ee7a949147255fe34a645a0b0543ddaa468af292c55fcb918194e71724a92d0b0b

Download Submit
C:\Windows\System\vLZMCHe.exe

Filesize
5.2MB

MD5
3ca6562f7a1a99aa4260f1b910b7d134

SHA1
3a871134f5fdf299f4602bc2a9d5320276947d18

SHA256
f753de886daf49473bb68823aa42d1a30656b7f4ff3ca4b94c7b9bf806f9b71e

SHA512
5e25031bfcbcfa4c67dbb3190fb9902ed48bcdf37a60d30a0272c10db23b0aaa80dd2faa4830c35d722ce7610046b67be7c3c80396031d3129f2e80c1f9fd2f8

Download Submit
C:\Windows\System\xPHPrtg.exe

Filesize
5.2MB

MD5
dcf3bc03026b94c2eb7f0a49fc4747b8

SHA1
f52aeb94b9ef93a6d8952ea05c50f538f6f11166

SHA256
ec3f033bbbb4bb1424af434b69904c8931f9f3af2046fbf89149b772b2462cb8

SHA512
951bab5f96e2b09f7da371a3f5d42c8c37fb40fca3f286b678b005d74c9105a78783bd8d9dfb45746d7efba45083261eb95f2946f293463c73c225c633474605

Download Submit
memory/316-105-0x00007FF60EFC0000-0x00007FF60F311000-memory.dmp

Filesize
3.3MB

Download
memory/316-251-0x00007FF60EFC0000-0x00007FF60F311000-memory.dmp

Filesize
3.3MB

Download
memory/316-141-0x00007FF60EFC0000-0x00007FF60F311000-memory.dmp

Filesize
3.3MB

Download
memory/336-0-0x00007FF7BFC90000-0x00007FF7BFFE1000-memory.dmp

Filesize
3.3MB

Download
memory/336-1-0x000002076BB90000-0x000002076BBA0000-memory.dmp

Filesize
64KB

Download
memory/336-147-0x00007FF7BFC90000-0x00007FF7BFFE1000-memory.dmp

Filesize
3.3MB

Download
memory/336-149-0x00007FF7BFC90000-0x00007FF7BFFE1000-memory.dmp

Filesize
3.3MB

Download
memory/336-116-0x00007FF7BFC90000-0x00007FF7BFFE1000-memory.dmp

Filesize
3.3MB

Download
memory/840-96-0x00007FF78F790000-0x00007FF78FAE1000-memory.dmp

Filesize
3.3MB

Download
memory/840-235-0x00007FF78F790000-0x00007FF78FAE1000-memory.dmp

Filesize
3.3MB

Download
memory/884-93-0x00007FF6C4F20000-0x00007FF6C5271000-memory.dmp

Filesize
3.3MB

Download
memory/884-237-0x00007FF6C4F20000-0x00007FF6C5271000-memory.dmp

Filesize
3.3MB

Download
memory/1564-85-0x00007FF6CCD80000-0x00007FF6CD0D1000-memory.dmp

Filesize
3.3MB

Download
memory/1564-233-0x00007FF6CCD80000-0x00007FF6CD0D1000-memory.dmp

Filesize
3.3MB

Download
memory/1564-132-0x00007FF6CCD80000-0x00007FF6CD0D1000-memory.dmp

Filesize
3.3MB

Download
memory/1788-228-0x00007FF704E30000-0x00007FF705181000-memory.dmp

Filesize
3.3MB

Download
memory/1788-61-0x00007FF704E30000-0x00007FF705181000-memory.dmp

Filesize
3.3MB

Download
memory/1788-125-0x00007FF704E30000-0x00007FF705181000-memory.dmp

Filesize
3.3MB

Download
memory/2196-82-0x00007FF7A71D0000-0x00007FF7A7521000-memory.dmp

Filesize
3.3MB

Download
memory/2196-239-0x00007FF7A71D0000-0x00007FF7A7521000-memory.dmp

Filesize
3.3MB

Download
memory/2636-246-0x00007FF6840B0000-0x00007FF684401000-memory.dmp

Filesize
3.3MB

Download
memory/2636-108-0x00007FF6840B0000-0x00007FF684401000-memory.dmp

Filesize
3.3MB

Download
memory/2636-133-0x00007FF6840B0000-0x00007FF684401000-memory.dmp

Filesize
3.3MB

Download
memory/2736-168-0x00007FF6EFA80000-0x00007FF6EFDD1000-memory.dmp

Filesize
3.3MB

Download
memory/2736-140-0x00007FF6EFA80000-0x00007FF6EFDD1000-memory.dmp

Filesize
3.3MB

Download
memory/2736-257-0x00007FF6EFA80000-0x00007FF6EFDD1000-memory.dmp

Filesize
3.3MB

Download
memory/2864-120-0x00007FF738DB0000-0x00007FF739101000-memory.dmp

Filesize
3.3MB

Download
memory/2864-208-0x00007FF738DB0000-0x00007FF739101000-memory.dmp

Filesize
3.3MB

Download
memory/2864-24-0x00007FF738DB0000-0x00007FF739101000-memory.dmp

Filesize
3.3MB

Download
memory/3188-126-0x00007FF7F1930000-0x00007FF7F1C81000-memory.dmp

Filesize
3.3MB

Download
memory/3188-47-0x00007FF7F1930000-0x00007FF7F1C81000-memory.dmp

Filesize
3.3MB

Download
memory/3188-226-0x00007FF7F1930000-0x00007FF7F1C81000-memory.dmp

Filesize
3.3MB

Download
memory/3232-122-0x00007FF6DF260000-0x00007FF6DF5B1000-memory.dmp

Filesize
3.3MB

Download
memory/3232-35-0x00007FF6DF260000-0x00007FF6DF5B1000-memory.dmp

Filesize
3.3MB

Download
memory/3232-210-0x00007FF6DF260000-0x00007FF6DF5B1000-memory.dmp

Filesize
3.3MB

Download
memory/3388-244-0x00007FF77E130000-0x00007FF77E481000-memory.dmp

Filesize
3.3MB

Download
memory/3388-75-0x00007FF77E130000-0x00007FF77E481000-memory.dmp

Filesize
3.3MB

Download
memory/3480-123-0x00007FF6C16C0000-0x00007FF6C1A11000-memory.dmp

Filesize
3.3MB

Download
memory/3480-243-0x00007FF6C16C0000-0x00007FF6C1A11000-memory.dmp

Filesize
3.3MB

Download
memory/3480-44-0x00007FF6C16C0000-0x00007FF6C1A11000-memory.dmp

Filesize
3.3MB

Download
memory/3644-259-0x00007FF6FA420000-0x00007FF6FA771000-memory.dmp

Filesize
3.3MB

Download
memory/3644-169-0x00007FF6FA420000-0x00007FF6FA771000-memory.dmp

Filesize
3.3MB

Download
memory/3644-145-0x00007FF6FA420000-0x00007FF6FA771000-memory.dmp

Filesize
3.3MB

Download
memory/3836-206-0x00007FF6BCC60000-0x00007FF6BCFB1000-memory.dmp

Filesize
3.3MB

Download
memory/3836-118-0x00007FF6BCC60000-0x00007FF6BCFB1000-memory.dmp

Filesize
3.3MB

Download
memory/3836-7-0x00007FF6BCC60000-0x00007FF6BCFB1000-memory.dmp

Filesize
3.3MB

Download
memory/4600-89-0x00007FF68D820000-0x00007FF68DB71000-memory.dmp

Filesize
3.3MB

Download
memory/4600-241-0x00007FF68D820000-0x00007FF68DB71000-memory.dmp

Filesize
3.3MB

Download
memory/4844-230-0x00007FF646920000-0x00007FF646C71000-memory.dmp

Filesize
3.3MB

Download
memory/4844-73-0x00007FF646920000-0x00007FF646C71000-memory.dmp

Filesize
3.3MB

Download
memory/4844-124-0x00007FF646920000-0x00007FF646C71000-memory.dmp

Filesize
3.3MB

Download
memory/4948-224-0x00007FF699530000-0x00007FF699881000-memory.dmp

Filesize
3.3MB

Download
memory/4948-53-0x00007FF699530000-0x00007FF699881000-memory.dmp

Filesize
3.3MB

Download
memory/4964-204-0x00007FF6A0060000-0x00007FF6A03B1000-memory.dmp

Filesize
3.3MB

Download
memory/4964-19-0x00007FF6A0060000-0x00007FF6A03B1000-memory.dmp

Filesize
3.3MB

Download
memory/4988-103-0x00007FF7D0340000-0x00007FF7D0691000-memory.dmp

Filesize
3.3MB

Download
memory/4988-252-0x00007FF7D0340000-0x00007FF7D0691000-memory.dmp

Filesize
3.3MB

Download
memory/4988-139-0x00007FF7D0340000-0x00007FF7D0691000-memory.dmp

Filesize
3.3MB

Download
memory/5108-146-0x00007FF636790000-0x00007FF636AE1000-memory.dmp

Filesize
3.3MB

Download
memory/5108-109-0x00007FF636790000-0x00007FF636AE1000-memory.dmp

Filesize
3.3MB

Download
memory/5108-248-0x00007FF636790000-0x00007FF636AE1000-memory.dmp

Filesize
3.3MB

Download