cobaltstrike | 8a4eedfc71c8ca99c52ff3e61bcaa3e8e79d456b9c5fb4ce06be6ee60e4a23a1

Analysis

max time kernel
140s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-12-2024 02:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-10_6c2751406ed2bbb6949e691245ab0cc2_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

6c2751406ed2bbb6949e691245ab0cc2
SHA1

4cad312aee8d7e3ed09d536e25d8f7b980e18a56
SHA256

8a4eedfc71c8ca99c52ff3e61bcaa3e8e79d456b9c5fb4ce06be6ee60e4a23a1
SHA512

dd5dcefcafaeb2d40a668bcda45d93a24c410559349bb50462230783b30879e1da30b36743924ec46125bbfc0c0324b29763d4a6d98533a0d696be7c7485f816
SSDEEP

49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lX:RWWBibd56utgpPFotBER/mQ32lUz

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0008000000023c8d-4.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c91-11.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c92-10.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c93-23.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c8e-27.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c94-33.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c95-43.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c96-47.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c97-53.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c98-59.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c99-66.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9c-80.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9e-91.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca0-106.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca2-116.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca4-123.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca3-121.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca1-111.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9f-102.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9d-94.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9a-78.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/3652-90-0x00007FF711D50000-0x00007FF7120A1000-memory.dmp	xmrig
behavioral2/memory/4864-83-0x00007FF7DDE20000-0x00007FF7DE171000-memory.dmp	xmrig
behavioral2/memory/4472-74-0x00007FF794BF0000-0x00007FF794F41000-memory.dmp	xmrig
behavioral2/memory/5008-67-0x00007FF678140000-0x00007FF678491000-memory.dmp	xmrig
behavioral2/memory/4684-60-0x00007FF656970000-0x00007FF656CC1000-memory.dmp	xmrig
behavioral2/memory/840-125-0x00007FF683850000-0x00007FF683BA1000-memory.dmp	xmrig
behavioral2/memory/1624-126-0x00007FF74BF60000-0x00007FF74C2B1000-memory.dmp	xmrig
behavioral2/memory/3852-128-0x00007FF7BE2E0000-0x00007FF7BE631000-memory.dmp	xmrig
behavioral2/memory/1400-132-0x00007FF7BF4F0000-0x00007FF7BF841000-memory.dmp	xmrig
behavioral2/memory/116-133-0x00007FF6C95A0000-0x00007FF6C98F1000-memory.dmp	xmrig
behavioral2/memory/4588-131-0x00007FF62A770000-0x00007FF62AAC1000-memory.dmp	xmrig
behavioral2/memory/5092-129-0x00007FF629400000-0x00007FF629751000-memory.dmp	xmrig
behavioral2/memory/2164-130-0x00007FF64B140000-0x00007FF64B491000-memory.dmp	xmrig
behavioral2/memory/1480-127-0x00007FF6EAE10000-0x00007FF6EB161000-memory.dmp	xmrig
behavioral2/memory/624-134-0x00007FF7C6E00000-0x00007FF7C7151000-memory.dmp	xmrig
behavioral2/memory/2224-135-0x00007FF7F6DA0000-0x00007FF7F70F1000-memory.dmp	xmrig
behavioral2/memory/4684-136-0x00007FF656970000-0x00007FF656CC1000-memory.dmp	xmrig
behavioral2/memory/2220-137-0x00007FF610220000-0x00007FF610571000-memory.dmp	xmrig
behavioral2/memory/2416-141-0x00007FF6C91E0000-0x00007FF6C9531000-memory.dmp	xmrig
behavioral2/memory/4296-151-0x00007FF6BCDA0000-0x00007FF6BD0F1000-memory.dmp	xmrig
behavioral2/memory/4752-150-0x00007FF6D9B20000-0x00007FF6D9E71000-memory.dmp	xmrig
behavioral2/memory/3412-149-0x00007FF70FBC0000-0x00007FF70FF11000-memory.dmp	xmrig
behavioral2/memory/4248-152-0x00007FF7253F0000-0x00007FF725741000-memory.dmp	xmrig
behavioral2/memory/4684-161-0x00007FF656970000-0x00007FF656CC1000-memory.dmp	xmrig
behavioral2/memory/5008-209-0x00007FF678140000-0x00007FF678491000-memory.dmp	xmrig
behavioral2/memory/4472-215-0x00007FF794BF0000-0x00007FF794F41000-memory.dmp	xmrig
behavioral2/memory/4864-217-0x00007FF7DDE20000-0x00007FF7DE171000-memory.dmp	xmrig
behavioral2/memory/3652-230-0x00007FF711D50000-0x00007FF7120A1000-memory.dmp	xmrig
behavioral2/memory/1400-232-0x00007FF7BF4F0000-0x00007FF7BF841000-memory.dmp	xmrig
behavioral2/memory/624-234-0x00007FF7C6E00000-0x00007FF7C7151000-memory.dmp	xmrig
behavioral2/memory/2224-236-0x00007FF7F6DA0000-0x00007FF7F70F1000-memory.dmp	xmrig
behavioral2/memory/2220-238-0x00007FF610220000-0x00007FF610571000-memory.dmp	xmrig
behavioral2/memory/2416-240-0x00007FF6C91E0000-0x00007FF6C9531000-memory.dmp	xmrig
behavioral2/memory/4296-242-0x00007FF6BCDA0000-0x00007FF6BD0F1000-memory.dmp	xmrig
behavioral2/memory/3412-244-0x00007FF70FBC0000-0x00007FF70FF11000-memory.dmp	xmrig
behavioral2/memory/4752-246-0x00007FF6D9B20000-0x00007FF6D9E71000-memory.dmp	xmrig
behavioral2/memory/4248-248-0x00007FF7253F0000-0x00007FF725741000-memory.dmp	xmrig
behavioral2/memory/840-250-0x00007FF683850000-0x00007FF683BA1000-memory.dmp	xmrig
behavioral2/memory/116-256-0x00007FF6C95A0000-0x00007FF6C98F1000-memory.dmp	xmrig
behavioral2/memory/1624-258-0x00007FF74BF60000-0x00007FF74C2B1000-memory.dmp	xmrig
behavioral2/memory/1480-260-0x00007FF6EAE10000-0x00007FF6EB161000-memory.dmp	xmrig
behavioral2/memory/3852-262-0x00007FF7BE2E0000-0x00007FF7BE631000-memory.dmp	xmrig
behavioral2/memory/5092-264-0x00007FF629400000-0x00007FF629751000-memory.dmp	xmrig
behavioral2/memory/2164-267-0x00007FF64B140000-0x00007FF64B491000-memory.dmp	xmrig
behavioral2/memory/4588-268-0x00007FF62A770000-0x00007FF62AAC1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
5008	faaiBYd.exe
4472	dLTJZqt.exe
4864	sGIWXEa.exe
3652	gzcqkIr.exe
1400	DcaXjhC.exe
624	Umvnxow.exe
2224	lMAaoXc.exe
2220	FzIQYkx.exe
2416	PRZjada.exe
4296	VqHTYXO.exe
3412	zAfKJip.exe
4752	VEnPXUC.exe
4248	KGQhwVB.exe
840	GXfLUXB.exe
116	eayVnGM.exe
1624	gaOseBx.exe
1480	FgLZumg.exe
3852	BjqvbvW.exe
5092	KMakkPl.exe
2164	NVEzZwF.exe
4588	KsfLdZm.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4684-0-0x00007FF656970000-0x00007FF656CC1000-memory.dmp	upx
behavioral2/files/0x0008000000023c8d-4.dat	upx
behavioral2/memory/5008-8-0x00007FF678140000-0x00007FF678491000-memory.dmp	upx
behavioral2/files/0x0007000000023c91-11.dat	upx
behavioral2/files/0x0007000000023c92-10.dat	upx
behavioral2/memory/4472-13-0x00007FF794BF0000-0x00007FF794F41000-memory.dmp	upx
behavioral2/memory/4864-19-0x00007FF7DDE20000-0x00007FF7DE171000-memory.dmp	upx
behavioral2/files/0x0007000000023c93-23.dat	upx
behavioral2/memory/3652-24-0x00007FF711D50000-0x00007FF7120A1000-memory.dmp	upx
behavioral2/files/0x0008000000023c8e-27.dat	upx
behavioral2/memory/1400-28-0x00007FF7BF4F0000-0x00007FF7BF841000-memory.dmp	upx
behavioral2/files/0x0007000000023c94-33.dat	upx
behavioral2/files/0x0007000000023c95-43.dat	upx
behavioral2/memory/2224-42-0x00007FF7F6DA0000-0x00007FF7F70F1000-memory.dmp	upx
behavioral2/memory/624-36-0x00007FF7C6E00000-0x00007FF7C7151000-memory.dmp	upx
behavioral2/files/0x0007000000023c96-47.dat	upx
behavioral2/memory/2220-48-0x00007FF610220000-0x00007FF610571000-memory.dmp	upx
behavioral2/files/0x0007000000023c97-53.dat	upx
behavioral2/files/0x0007000000023c98-59.dat	upx
behavioral2/memory/4296-61-0x00007FF6BCDA0000-0x00007FF6BD0F1000-memory.dmp	upx
behavioral2/files/0x0007000000023c99-66.dat	upx
behavioral2/files/0x0007000000023c9c-80.dat	upx
behavioral2/files/0x0007000000023c9e-91.dat	upx
behavioral2/files/0x0007000000023ca0-106.dat	upx
behavioral2/files/0x0007000000023ca2-116.dat	upx
behavioral2/files/0x0007000000023ca4-123.dat	upx
behavioral2/files/0x0007000000023ca3-121.dat	upx
behavioral2/files/0x0007000000023ca1-111.dat	upx
behavioral2/files/0x0007000000023c9f-102.dat	upx
behavioral2/files/0x0007000000023c9d-94.dat	upx
behavioral2/memory/3652-90-0x00007FF711D50000-0x00007FF7120A1000-memory.dmp	upx
behavioral2/memory/4248-84-0x00007FF7253F0000-0x00007FF725741000-memory.dmp	upx
behavioral2/memory/4864-83-0x00007FF7DDE20000-0x00007FF7DE171000-memory.dmp	upx
behavioral2/files/0x0007000000023c9a-78.dat	upx
behavioral2/memory/4752-75-0x00007FF6D9B20000-0x00007FF6D9E71000-memory.dmp	upx
behavioral2/memory/4472-74-0x00007FF794BF0000-0x00007FF794F41000-memory.dmp	upx
behavioral2/memory/3412-68-0x00007FF70FBC0000-0x00007FF70FF11000-memory.dmp	upx
behavioral2/memory/5008-67-0x00007FF678140000-0x00007FF678491000-memory.dmp	upx
behavioral2/memory/4684-60-0x00007FF656970000-0x00007FF656CC1000-memory.dmp	upx
behavioral2/memory/2416-54-0x00007FF6C91E0000-0x00007FF6C9531000-memory.dmp	upx
behavioral2/memory/840-125-0x00007FF683850000-0x00007FF683BA1000-memory.dmp	upx
behavioral2/memory/1624-126-0x00007FF74BF60000-0x00007FF74C2B1000-memory.dmp	upx
behavioral2/memory/3852-128-0x00007FF7BE2E0000-0x00007FF7BE631000-memory.dmp	upx
behavioral2/memory/1400-132-0x00007FF7BF4F0000-0x00007FF7BF841000-memory.dmp	upx
behavioral2/memory/116-133-0x00007FF6C95A0000-0x00007FF6C98F1000-memory.dmp	upx
behavioral2/memory/4588-131-0x00007FF62A770000-0x00007FF62AAC1000-memory.dmp	upx
behavioral2/memory/5092-129-0x00007FF629400000-0x00007FF629751000-memory.dmp	upx
behavioral2/memory/2164-130-0x00007FF64B140000-0x00007FF64B491000-memory.dmp	upx
behavioral2/memory/1480-127-0x00007FF6EAE10000-0x00007FF6EB161000-memory.dmp	upx
behavioral2/memory/624-134-0x00007FF7C6E00000-0x00007FF7C7151000-memory.dmp	upx
behavioral2/memory/2224-135-0x00007FF7F6DA0000-0x00007FF7F70F1000-memory.dmp	upx
behavioral2/memory/4684-136-0x00007FF656970000-0x00007FF656CC1000-memory.dmp	upx
behavioral2/memory/2220-137-0x00007FF610220000-0x00007FF610571000-memory.dmp	upx
behavioral2/memory/2416-141-0x00007FF6C91E0000-0x00007FF6C9531000-memory.dmp	upx
behavioral2/memory/4296-151-0x00007FF6BCDA0000-0x00007FF6BD0F1000-memory.dmp	upx
behavioral2/memory/4752-150-0x00007FF6D9B20000-0x00007FF6D9E71000-memory.dmp	upx
behavioral2/memory/3412-149-0x00007FF70FBC0000-0x00007FF70FF11000-memory.dmp	upx
behavioral2/memory/4248-152-0x00007FF7253F0000-0x00007FF725741000-memory.dmp	upx
behavioral2/memory/4684-161-0x00007FF656970000-0x00007FF656CC1000-memory.dmp	upx
behavioral2/memory/5008-209-0x00007FF678140000-0x00007FF678491000-memory.dmp	upx
behavioral2/memory/4472-215-0x00007FF794BF0000-0x00007FF794F41000-memory.dmp	upx
behavioral2/memory/4864-217-0x00007FF7DDE20000-0x00007FF7DE171000-memory.dmp	upx
behavioral2/memory/3652-230-0x00007FF711D50000-0x00007FF7120A1000-memory.dmp	upx
behavioral2/memory/1400-232-0x00007FF7BF4F0000-0x00007FF7BF841000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\DcaXjhC.exe	2024-12-10_6c2751406ed2bbb6949e691245ab0cc2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\Umvnxow.exe	2024-12-10_6c2751406ed2bbb6949e691245ab0cc2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FzIQYkx.exe	2024-12-10_6c2751406ed2bbb6949e691245ab0cc2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KGQhwVB.exe	2024-12-10_6c2751406ed2bbb6949e691245ab0cc2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gaOseBx.exe	2024-12-10_6c2751406ed2bbb6949e691245ab0cc2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FgLZumg.exe	2024-12-10_6c2751406ed2bbb6949e691245ab0cc2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\faaiBYd.exe	2024-12-10_6c2751406ed2bbb6949e691245ab0cc2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gzcqkIr.exe	2024-12-10_6c2751406ed2bbb6949e691245ab0cc2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zAfKJip.exe	2024-12-10_6c2751406ed2bbb6949e691245ab0cc2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GXfLUXB.exe	2024-12-10_6c2751406ed2bbb6949e691245ab0cc2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eayVnGM.exe	2024-12-10_6c2751406ed2bbb6949e691245ab0cc2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NVEzZwF.exe	2024-12-10_6c2751406ed2bbb6949e691245ab0cc2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KsfLdZm.exe	2024-12-10_6c2751406ed2bbb6949e691245ab0cc2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dLTJZqt.exe	2024-12-10_6c2751406ed2bbb6949e691245ab0cc2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lMAaoXc.exe	2024-12-10_6c2751406ed2bbb6949e691245ab0cc2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PRZjada.exe	2024-12-10_6c2751406ed2bbb6949e691245ab0cc2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VqHTYXO.exe	2024-12-10_6c2751406ed2bbb6949e691245ab0cc2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BjqvbvW.exe	2024-12-10_6c2751406ed2bbb6949e691245ab0cc2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KMakkPl.exe	2024-12-10_6c2751406ed2bbb6949e691245ab0cc2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sGIWXEa.exe	2024-12-10_6c2751406ed2bbb6949e691245ab0cc2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VEnPXUC.exe	2024-12-10_6c2751406ed2bbb6949e691245ab0cc2_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4684	2024-12-10_6c2751406ed2bbb6949e691245ab0cc2_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4684	2024-12-10_6c2751406ed2bbb6949e691245ab0cc2_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4684 wrote to memory of 5008	4684	2024-12-10_6c2751406ed2bbb6949e691245ab0cc2_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4684 wrote to memory of 5008	4684	2024-12-10_6c2751406ed2bbb6949e691245ab0cc2_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4684 wrote to memory of 4472	4684	2024-12-10_6c2751406ed2bbb6949e691245ab0cc2_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4684 wrote to memory of 4472	4684	2024-12-10_6c2751406ed2bbb6949e691245ab0cc2_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4684 wrote to memory of 4864	4684	2024-12-10_6c2751406ed2bbb6949e691245ab0cc2_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4684 wrote to memory of 4864	4684	2024-12-10_6c2751406ed2bbb6949e691245ab0cc2_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4684 wrote to memory of 3652	4684	2024-12-10_6c2751406ed2bbb6949e691245ab0cc2_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4684 wrote to memory of 3652	4684	2024-12-10_6c2751406ed2bbb6949e691245ab0cc2_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4684 wrote to memory of 1400	4684	2024-12-10_6c2751406ed2bbb6949e691245ab0cc2_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4684 wrote to memory of 1400	4684	2024-12-10_6c2751406ed2bbb6949e691245ab0cc2_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4684 wrote to memory of 624	4684	2024-12-10_6c2751406ed2bbb6949e691245ab0cc2_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4684 wrote to memory of 624	4684	2024-12-10_6c2751406ed2bbb6949e691245ab0cc2_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4684 wrote to memory of 2224	4684	2024-12-10_6c2751406ed2bbb6949e691245ab0cc2_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4684 wrote to memory of 2224	4684	2024-12-10_6c2751406ed2bbb6949e691245ab0cc2_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4684 wrote to memory of 2220	4684	2024-12-10_6c2751406ed2bbb6949e691245ab0cc2_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4684 wrote to memory of 2220	4684	2024-12-10_6c2751406ed2bbb6949e691245ab0cc2_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4684 wrote to memory of 2416	4684	2024-12-10_6c2751406ed2bbb6949e691245ab0cc2_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4684 wrote to memory of 2416	4684	2024-12-10_6c2751406ed2bbb6949e691245ab0cc2_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4684 wrote to memory of 4296	4684	2024-12-10_6c2751406ed2bbb6949e691245ab0cc2_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4684 wrote to memory of 4296	4684	2024-12-10_6c2751406ed2bbb6949e691245ab0cc2_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4684 wrote to memory of 3412	4684	2024-12-10_6c2751406ed2bbb6949e691245ab0cc2_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4684 wrote to memory of 3412	4684	2024-12-10_6c2751406ed2bbb6949e691245ab0cc2_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4684 wrote to memory of 4752	4684	2024-12-10_6c2751406ed2bbb6949e691245ab0cc2_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4684 wrote to memory of 4752	4684	2024-12-10_6c2751406ed2bbb6949e691245ab0cc2_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4684 wrote to memory of 4248	4684	2024-12-10_6c2751406ed2bbb6949e691245ab0cc2_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4684 wrote to memory of 4248	4684	2024-12-10_6c2751406ed2bbb6949e691245ab0cc2_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4684 wrote to memory of 840	4684	2024-12-10_6c2751406ed2bbb6949e691245ab0cc2_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4684 wrote to memory of 840	4684	2024-12-10_6c2751406ed2bbb6949e691245ab0cc2_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4684 wrote to memory of 116	4684	2024-12-10_6c2751406ed2bbb6949e691245ab0cc2_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4684 wrote to memory of 116	4684	2024-12-10_6c2751406ed2bbb6949e691245ab0cc2_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4684 wrote to memory of 1624	4684	2024-12-10_6c2751406ed2bbb6949e691245ab0cc2_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4684 wrote to memory of 1624	4684	2024-12-10_6c2751406ed2bbb6949e691245ab0cc2_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4684 wrote to memory of 1480	4684	2024-12-10_6c2751406ed2bbb6949e691245ab0cc2_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4684 wrote to memory of 1480	4684	2024-12-10_6c2751406ed2bbb6949e691245ab0cc2_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4684 wrote to memory of 3852	4684	2024-12-10_6c2751406ed2bbb6949e691245ab0cc2_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4684 wrote to memory of 3852	4684	2024-12-10_6c2751406ed2bbb6949e691245ab0cc2_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4684 wrote to memory of 5092	4684	2024-12-10_6c2751406ed2bbb6949e691245ab0cc2_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4684 wrote to memory of 5092	4684	2024-12-10_6c2751406ed2bbb6949e691245ab0cc2_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4684 wrote to memory of 2164	4684	2024-12-10_6c2751406ed2bbb6949e691245ab0cc2_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4684 wrote to memory of 2164	4684	2024-12-10_6c2751406ed2bbb6949e691245ab0cc2_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4684 wrote to memory of 4588	4684	2024-12-10_6c2751406ed2bbb6949e691245ab0cc2_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4684 wrote to memory of 4588	4684	2024-12-10_6c2751406ed2bbb6949e691245ab0cc2_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-12-10_6c2751406ed2bbb6949e691245ab0cc2_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-10_6c2751406ed2bbb6949e691245ab0cc2_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4684
- C:\Windows\System\faaiBYd.exe
  C:\Windows\System\faaiBYd.exe
  2⤵
  - Executes dropped EXE
  PID:5008
- C:\Windows\System\dLTJZqt.exe
  C:\Windows\System\dLTJZqt.exe
  2⤵
  - Executes dropped EXE
  PID:4472
- C:\Windows\System\sGIWXEa.exe
  C:\Windows\System\sGIWXEa.exe
  2⤵
  - Executes dropped EXE
  PID:4864
- C:\Windows\System\gzcqkIr.exe
  C:\Windows\System\gzcqkIr.exe
  2⤵
  - Executes dropped EXE
  PID:3652
- C:\Windows\System\DcaXjhC.exe
  C:\Windows\System\DcaXjhC.exe
  2⤵
  - Executes dropped EXE
  PID:1400
- C:\Windows\System\Umvnxow.exe
  C:\Windows\System\Umvnxow.exe
  2⤵
  - Executes dropped EXE
  PID:624
- C:\Windows\System\lMAaoXc.exe
  C:\Windows\System\lMAaoXc.exe
  2⤵
  - Executes dropped EXE
  PID:2224
- C:\Windows\System\FzIQYkx.exe
  C:\Windows\System\FzIQYkx.exe
  2⤵
  - Executes dropped EXE
  PID:2220
- C:\Windows\System\PRZjada.exe
  C:\Windows\System\PRZjada.exe
  2⤵
  - Executes dropped EXE
  PID:2416
- C:\Windows\System\VqHTYXO.exe
  C:\Windows\System\VqHTYXO.exe
  2⤵
  - Executes dropped EXE
  PID:4296
- C:\Windows\System\zAfKJip.exe
  C:\Windows\System\zAfKJip.exe
  2⤵
  - Executes dropped EXE
  PID:3412
- C:\Windows\System\VEnPXUC.exe
  C:\Windows\System\VEnPXUC.exe
  2⤵
  - Executes dropped EXE
  PID:4752
- C:\Windows\System\KGQhwVB.exe
  C:\Windows\System\KGQhwVB.exe
  2⤵
  - Executes dropped EXE
  PID:4248
- C:\Windows\System\GXfLUXB.exe
  C:\Windows\System\GXfLUXB.exe
  2⤵
  - Executes dropped EXE
  PID:840
- C:\Windows\System\eayVnGM.exe
  C:\Windows\System\eayVnGM.exe
  2⤵
  - Executes dropped EXE
  PID:116
- C:\Windows\System\gaOseBx.exe
  C:\Windows\System\gaOseBx.exe
  2⤵
  - Executes dropped EXE
  PID:1624
- C:\Windows\System\FgLZumg.exe
  C:\Windows\System\FgLZumg.exe
  2⤵
  - Executes dropped EXE
  PID:1480
- C:\Windows\System\BjqvbvW.exe
  C:\Windows\System\BjqvbvW.exe
  2⤵
  - Executes dropped EXE
  PID:3852
- C:\Windows\System\KMakkPl.exe
  C:\Windows\System\KMakkPl.exe
  2⤵
  - Executes dropped EXE
  PID:5092
- C:\Windows\System\NVEzZwF.exe
  C:\Windows\System\NVEzZwF.exe
  2⤵
  - Executes dropped EXE
  PID:2164
- C:\Windows\System\KsfLdZm.exe
  C:\Windows\System\KsfLdZm.exe
  2⤵
  - Executes dropped EXE
  PID:4588

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BjqvbvW.exe

Filesize
5.2MB

MD5
f06728ff372a7dd04a13e7dfd513e6a6

SHA1
aa2051bf6fa79fb3d61b3ff50c6f9a0c7bef7515

SHA256
6b3ca37d01d62855b00c22aa5b48656127952aac7b8202f9ee59b91178b83ca8

SHA512
4ebb16a5d4ed33a91db2e341cf057dcb3f6d868248608d151ddca6a3c7c6fa8fc86d6e062e0221776e8682062f6ff3c0d0d3d5b3af6c9c436fca77e760c86469

Download Submit
C:\Windows\System\DcaXjhC.exe

Filesize
5.2MB

MD5
95eb14390825755976bdbaf7c59a9eb6

SHA1
2a7614d8bedc58bda13f851556b47260b9d281c6

SHA256
80b8824c46e0aa0d97e578d2957d5b720219291cdd8ce26c73db971ecaea9a36

SHA512
1b3c760bb3febd970c29fc795dd1af5e6d0ffb37b1869d3c395c0012cedea6002bead2a82d4ba538432719cced5c5f4fa84030aa4711e435a8c17972ad30f697

Download Submit
C:\Windows\System\FgLZumg.exe

Filesize
5.2MB

MD5
84c0b3236bdb852170f8b003b64acb49

SHA1
58a8476627813e545607dbcea0d6696062e2183b

SHA256
3175bebcb976ae04d68f9b56fa6a3298c0926ba3738b3875e523152f17b9e4d6

SHA512
d5adbbb43f4e294b03ec01edba4d70fb6be0d7352c570b8032a2c13d471d7cd96423ace45f9b2497fdce94c2f5bb8567a1ce3a24289345e99235e00ab7d39e9d

Download Submit
C:\Windows\System\FzIQYkx.exe

Filesize
5.2MB

MD5
d7e68e11126a1a0ba036a0d8936b8b87

SHA1
7333ecac0b424a5da92cc45aeb44792c6b951173

SHA256
eab1ecb4d298bfaf620acd49b096d5ec24090831ef164e1a5abc426603dc07d3

SHA512
8ff4db50a8536ab5dfa94e59eaf7fd8ab694535bb5d2f7c376f3099c3385bd6e29d501c5f234537efc96c5f587e73d5ddbe0f018c27e691ddb889e2e8461a528

Download Submit
C:\Windows\System\GXfLUXB.exe

Filesize
5.2MB

MD5
86783e694eb47811c6d832791b0bdec6

SHA1
41fe9cca2785f292c972a7328bac06a13433f2dc

SHA256
f2dbe93336e9ce3a999a86617b493f0dcc65131f4971102efabe3de7f98390a1

SHA512
4ba3434464d2abb4e977d3685e2267015ee66f0525c42c2f0942218492c962c724e639db79ffe78cedb8a322b0bbdd32656fff157092f71c80b8ee22ae06fa72

Download Submit
C:\Windows\System\KGQhwVB.exe

Filesize
5.2MB

MD5
7f3643d7c8960429f713ddc9254c22a4

SHA1
bd92402314503ad4066df6f184d2196de2837fb0

SHA256
c57e143f7a5ae97c56079d54fbf029ab30e3f5fc9d0078ab67cf57a7f605bb88

SHA512
50cf49adaaab65e92633d104fb15bd1b9ce72a84d0f9acb75acb35cc382f64cd32e7baf26786fffc87c2127a97567dce0eea491195c4b027fa1cc48eb8a443cf

Download Submit
C:\Windows\System\KMakkPl.exe

Filesize
5.2MB

MD5
1b40940144c48f91097c235ee122ef87

SHA1
041ad3b08c2afe55b5cc229429f0f9a025b4d603

SHA256
5390f465b027d234b62cf2151055fc8ce31d886bd1ee2d488bab89ed73cf9e60

SHA512
f641efe416e010910d34d3a5f34738d5f522772f27ff8ce6f0bc2c7f06ad2a4e8c4d9100f89a28b95cd7fcbc89abbce3a829ec5600ee1888caa10a9117329b4c

Download Submit
C:\Windows\System\KsfLdZm.exe

Filesize
5.2MB

MD5
8cc13f1f58081743b7bc4a33227a99f1

SHA1
cb295aa83c403dcfb282738efb277f6ae63afafd

SHA256
5bb8b2468a0c6d95975deac28e557fb4e48960663c3b123c1ab8438f54c49455

SHA512
7783d306580c1753b9bdf3cf27ad9cd8d73d8700eb4a80491e214ffdeb23f3273098d3ddb89c3003549a0d04ae21f08571766c51b009b3c7c6d8f3036b763987

Download Submit
C:\Windows\System\NVEzZwF.exe

Filesize
5.2MB

MD5
188979a247d8d1deafad21cc8ceb98ea

SHA1
6fef84e75af664cb5b4886c0c5298c3c52be4ac3

SHA256
40bef7e7819c53e482ee6586c91e1a7bd550e824574904e1caa39c1487a52529

SHA512
8a8cbc4fe1db15343e98c3deb2ff29eac9c74c87666a4c97dc8f3f072e9d0e68e1198ac3a6487e2d7b132dafee8f767ae1dfa8684a5ea56b56cae6c4bc34d23a

Download Submit
C:\Windows\System\PRZjada.exe

Filesize
5.2MB

MD5
8f05ecb00b3329bbd790dcc612c53c9b

SHA1
8599af47156904493c3b2e829ba6b44fa30e5bc0

SHA256
9e9ebad8c5f8ce865e389e3fcfc50e6623cb907122ac8dfce6a2d769effe53b4

SHA512
b803b9e72f09afb4cee368e9d953a535d442676da7790404e31efc523988639a33b958482515bf29d7cc96dc697e0f4f6cb3865f062f6aca06aa2a004877ea0f

Download Submit
C:\Windows\System\Umvnxow.exe

Filesize
5.2MB

MD5
6030ef1ade1c72e57b39f8ac72be1b94

SHA1
9ab47fc996c70796174932b0a4b5d5ec285fa040

SHA256
8a2e5d395e6d80e0e6d1efbc8f4f1ab5be9a1d1101a9103b835ce1ba16436f90

SHA512
03b24a8a3730bf8a5006a33fa0cd7f1a94fee05fd20eb4993bc3e2edffc08ce29a9819a750312e87091b25b2efd2936b44112077fb6657c2c57b2b5c2a46ed89

Download Submit
C:\Windows\System\VEnPXUC.exe

Filesize
5.2MB

MD5
69fe83c674adc29ef375fe87f445048d

SHA1
135c84e7806460a208df0a58329f32cf7f2e0c14

SHA256
51a5b5f5946228a79c1456b37079be0ef368773628147a299aee0d09a4cdef7d

SHA512
f2f1f536a011063e4becad4a793462ecdee6fd63c300c5dc7c18fd6249e2b05e09fbc7e778682beeda8af01e3210b68053eff6a92945aaa89713aba6710a9357

Download Submit
C:\Windows\System\VqHTYXO.exe

Filesize
5.2MB

MD5
8323564dcd48d3c1902dfac32b9a2154

SHA1
d8a3d03927eedf70a1394cf3ced027f96675d3b1

SHA256
62bb53700b0b0fc51d934c37ab163cc3015e16915901cd2230b46445ce8ad003

SHA512
7932c9c14ec05cc457649f9c247b70854b81695b1c3a9c731137a0347a7e8656000016df02dc075d1ce064eb77acff9ebc5a6c210b4b3619549351085decf2fb

Download Submit
C:\Windows\System\dLTJZqt.exe

Filesize
5.2MB

MD5
ea92b8265e3620955224370cb8d5abca

SHA1
148674537de0c515041c07d1aee912102cd4a026

SHA256
4e3625b30140431bf16005f0284d6cbc91fb64b9949e69191f1cbf1df5ddf56b

SHA512
320b316ac60b0e9010e81254862677653ec8a2f749a0f46b4947630d6bf1431f6163399a7c7d916008ac19c6dead42f30d4ec48c7bc6a3115aef143ed4b0fdb1

Download Submit
C:\Windows\System\eayVnGM.exe

Filesize
5.2MB

MD5
ce36b039ef7ccc322e7bae06295817fe

SHA1
d1eb55ce0eea1e3080e66d79a54269c19d773dc7

SHA256
83255ce44db8c366ec53e546086ba9159319eca717f8ecc3d1af6b4cf2f8d741

SHA512
0e6f0142c3648567994d6d70da432d9405e9336f6834ce952eaec84dc6bc5a3a7ca511a0a55a9cbd1dcd414e37fef329ffe6ce8e42d9acdce1f2fcddb4e4fde7

Download Submit
C:\Windows\System\faaiBYd.exe

Filesize
5.2MB

MD5
c27b92767888acd37b6ba00294d3771d

SHA1
29cc83227e9fb6dcd24919cd744800dc52df57d6

SHA256
9c849070dc941e99df86f6c08db458c7ea5eaa97d69bd209e29d6323da37d391

SHA512
6260ca82d43c1fb42074254233e8b4e5fa1d0b9bd457dd64cb01e0057ec269b5907021a54e0bbcc87d8bd1bc109b55e1d02cf9758bf43c57a4c6cc0378343d9a

Download Submit
C:\Windows\System\gaOseBx.exe

Filesize
5.2MB

MD5
c6ae30f367e791960de320e1b0e3840b

SHA1
b41b558701ca47d2e8c9995ab03d4984e26c5cbb

SHA256
d98e134d60d5ce8dd2cdff61cca9ce192fde9ff17bd5b9183e6708441d195e6b

SHA512
b6ed087f2aba3877022544fa304265cc5ba3fde3d2d05022b2f11788a17299dc30cfbe2f031185b50af7e771c7feda05c566f6cb409b4c8ba1c1faa100be4ff5

Download Submit
C:\Windows\System\gzcqkIr.exe

Filesize
5.2MB

MD5
2c49b81624a3cff7b3757523e07d65ff

SHA1
8286a7a39791784d940afd8a7dd23ad0ca1dc4c3

SHA256
8ae9bd2d3392954286259d41db12e2b8e900bb01f3e136f5ad080b737092dc80

SHA512
c3742a705f14697dfc9da2415e19991c2ede0a2d68d7e6fa93431de3c0d2847359651b0b965b0edf5c84f5096fadd8010ebee4b6ac4dbe7e5153f7b8df7efa56

Download Submit
C:\Windows\System\lMAaoXc.exe

Filesize
5.2MB

MD5
b6648c3c981475bfe93d3601c889fd25

SHA1
9ddc1735a2ae84f722d16952233f6c60aa08b5eb

SHA256
9c816501f83db2c8b52349eabbc7db9e829bd9fdc22ba93b859376b684546aaf

SHA512
d1c59bb4b4ea5cb493975ebf00d9acf0ee4c2ea2f8a24bfa4eae4dc778e27867f5f5c95c662fe01332da3297fcf8f7ca8f7363d9d15557e47ae30be95f1f1d95

Download Submit
C:\Windows\System\sGIWXEa.exe

Filesize
5.2MB

MD5
d72a5919d09871ada5e3cf9b0b9fadea

SHA1
01638d731f2fa79f0ca678052128700dd70f8635

SHA256
afc56d6827bcbbf971cbd75d1b6053fb85afcf86e687cd272c25ac9231540f65

SHA512
95e2766da211eabac23a0da4681b5b7dc4e9195f496edd0e5eafdced1a0eb016bce6e8c3a6ddf0d17ff1e7d8069b742aa0bd85dab4f7bfbd0e7a9c1e59f106ba

Download Submit
C:\Windows\System\zAfKJip.exe

Filesize
5.2MB

MD5
c2460da888cf062e91f391cdcd11cde0

SHA1
024f09f05b46fe5ab59d242b27591a5ab05a80ba

SHA256
e8a2f8726cfe702bcf9e37fd14f6281785a3b686299153707bc59647afdfd35c

SHA512
140d5df1671edf9293356ecb105a2727e43b5b368f990ebfe7c2226b4bfef0688f3c168394de041b78c9c5023eda61d064fba1267aa331c81fb79894bdf884bd

Download Submit
memory/116-133-0x00007FF6C95A0000-0x00007FF6C98F1000-memory.dmp

Filesize
3.3MB

Download
memory/116-256-0x00007FF6C95A0000-0x00007FF6C98F1000-memory.dmp

Filesize
3.3MB

Download
memory/624-234-0x00007FF7C6E00000-0x00007FF7C7151000-memory.dmp

Filesize
3.3MB

Download
memory/624-134-0x00007FF7C6E00000-0x00007FF7C7151000-memory.dmp

Filesize
3.3MB

Download
memory/624-36-0x00007FF7C6E00000-0x00007FF7C7151000-memory.dmp

Filesize
3.3MB

Download
memory/840-125-0x00007FF683850000-0x00007FF683BA1000-memory.dmp

Filesize
3.3MB

Download
memory/840-250-0x00007FF683850000-0x00007FF683BA1000-memory.dmp

Filesize
3.3MB

Download
memory/1400-28-0x00007FF7BF4F0000-0x00007FF7BF841000-memory.dmp

Filesize
3.3MB

Download
memory/1400-132-0x00007FF7BF4F0000-0x00007FF7BF841000-memory.dmp

Filesize
3.3MB

Download
memory/1400-232-0x00007FF7BF4F0000-0x00007FF7BF841000-memory.dmp

Filesize
3.3MB

Download
memory/1480-260-0x00007FF6EAE10000-0x00007FF6EB161000-memory.dmp

Filesize
3.3MB

Download
memory/1480-127-0x00007FF6EAE10000-0x00007FF6EB161000-memory.dmp

Filesize
3.3MB

Download
memory/1624-126-0x00007FF74BF60000-0x00007FF74C2B1000-memory.dmp

Filesize
3.3MB

Download
memory/1624-258-0x00007FF74BF60000-0x00007FF74C2B1000-memory.dmp

Filesize
3.3MB

Download
memory/2164-267-0x00007FF64B140000-0x00007FF64B491000-memory.dmp

Filesize
3.3MB

Download
memory/2164-130-0x00007FF64B140000-0x00007FF64B491000-memory.dmp

Filesize
3.3MB

Download
memory/2220-137-0x00007FF610220000-0x00007FF610571000-memory.dmp

Filesize
3.3MB

Download
memory/2220-48-0x00007FF610220000-0x00007FF610571000-memory.dmp

Filesize
3.3MB

Download
memory/2220-238-0x00007FF610220000-0x00007FF610571000-memory.dmp

Filesize
3.3MB

Download
memory/2224-135-0x00007FF7F6DA0000-0x00007FF7F70F1000-memory.dmp

Filesize
3.3MB

Download
memory/2224-42-0x00007FF7F6DA0000-0x00007FF7F70F1000-memory.dmp

Filesize
3.3MB

Download
memory/2224-236-0x00007FF7F6DA0000-0x00007FF7F70F1000-memory.dmp

Filesize
3.3MB

Download
memory/2416-54-0x00007FF6C91E0000-0x00007FF6C9531000-memory.dmp

Filesize
3.3MB

Download
memory/2416-141-0x00007FF6C91E0000-0x00007FF6C9531000-memory.dmp

Filesize
3.3MB

Download
memory/2416-240-0x00007FF6C91E0000-0x00007FF6C9531000-memory.dmp

Filesize
3.3MB

Download
memory/3412-244-0x00007FF70FBC0000-0x00007FF70FF11000-memory.dmp

Filesize
3.3MB

Download
memory/3412-68-0x00007FF70FBC0000-0x00007FF70FF11000-memory.dmp

Filesize
3.3MB

Download
memory/3412-149-0x00007FF70FBC0000-0x00007FF70FF11000-memory.dmp

Filesize
3.3MB

Download
memory/3652-90-0x00007FF711D50000-0x00007FF7120A1000-memory.dmp

Filesize
3.3MB

Download
memory/3652-230-0x00007FF711D50000-0x00007FF7120A1000-memory.dmp

Filesize
3.3MB

Download
memory/3652-24-0x00007FF711D50000-0x00007FF7120A1000-memory.dmp

Filesize
3.3MB

Download
memory/3852-128-0x00007FF7BE2E0000-0x00007FF7BE631000-memory.dmp

Filesize
3.3MB

Download
memory/3852-262-0x00007FF7BE2E0000-0x00007FF7BE631000-memory.dmp

Filesize
3.3MB

Download
memory/4248-248-0x00007FF7253F0000-0x00007FF725741000-memory.dmp

Filesize
3.3MB

Download
memory/4248-152-0x00007FF7253F0000-0x00007FF725741000-memory.dmp

Filesize
3.3MB

Download
memory/4248-84-0x00007FF7253F0000-0x00007FF725741000-memory.dmp

Filesize
3.3MB

Download
memory/4296-151-0x00007FF6BCDA0000-0x00007FF6BD0F1000-memory.dmp

Filesize
3.3MB

Download
memory/4296-242-0x00007FF6BCDA0000-0x00007FF6BD0F1000-memory.dmp

Filesize
3.3MB

Download
memory/4296-61-0x00007FF6BCDA0000-0x00007FF6BD0F1000-memory.dmp

Filesize
3.3MB

Download
memory/4472-215-0x00007FF794BF0000-0x00007FF794F41000-memory.dmp

Filesize
3.3MB

Download
memory/4472-74-0x00007FF794BF0000-0x00007FF794F41000-memory.dmp

Filesize
3.3MB

Download
memory/4472-13-0x00007FF794BF0000-0x00007FF794F41000-memory.dmp

Filesize
3.3MB

Download
memory/4588-268-0x00007FF62A770000-0x00007FF62AAC1000-memory.dmp

Filesize
3.3MB

Download
memory/4588-131-0x00007FF62A770000-0x00007FF62AAC1000-memory.dmp

Filesize
3.3MB

Download
memory/4684-1-0x00000291F43E0000-0x00000291F43F0000-memory.dmp

Filesize
64KB

Download
memory/4684-60-0x00007FF656970000-0x00007FF656CC1000-memory.dmp

Filesize
3.3MB

Download
memory/4684-161-0x00007FF656970000-0x00007FF656CC1000-memory.dmp

Filesize
3.3MB

Download
memory/4684-136-0x00007FF656970000-0x00007FF656CC1000-memory.dmp

Filesize
3.3MB

Download
memory/4684-0-0x00007FF656970000-0x00007FF656CC1000-memory.dmp

Filesize
3.3MB

Download
memory/4752-246-0x00007FF6D9B20000-0x00007FF6D9E71000-memory.dmp

Filesize
3.3MB

Download
memory/4752-150-0x00007FF6D9B20000-0x00007FF6D9E71000-memory.dmp

Filesize
3.3MB

Download
memory/4752-75-0x00007FF6D9B20000-0x00007FF6D9E71000-memory.dmp

Filesize
3.3MB

Download
memory/4864-83-0x00007FF7DDE20000-0x00007FF7DE171000-memory.dmp

Filesize
3.3MB

Download
memory/4864-217-0x00007FF7DDE20000-0x00007FF7DE171000-memory.dmp

Filesize
3.3MB

Download
memory/4864-19-0x00007FF7DDE20000-0x00007FF7DE171000-memory.dmp

Filesize
3.3MB

Download
memory/5008-209-0x00007FF678140000-0x00007FF678491000-memory.dmp

Filesize
3.3MB

Download
memory/5008-8-0x00007FF678140000-0x00007FF678491000-memory.dmp

Filesize
3.3MB

Download
memory/5008-67-0x00007FF678140000-0x00007FF678491000-memory.dmp

Filesize
3.3MB

Download
memory/5092-264-0x00007FF629400000-0x00007FF629751000-memory.dmp

Filesize
3.3MB

Download
memory/5092-129-0x00007FF629400000-0x00007FF629751000-memory.dmp

Filesize
3.3MB

Download