cobaltstrike | f0434f1a58dd1d4d6202f0358a0710d373a4408bf56837e0815c332967c99543

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-12-2024 11:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-12_873fe2aa4976c6f077b7831b76dddd74_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

873fe2aa4976c6f077b7831b76dddd74
SHA1

0926501ffdd509d6d03fd9cc0b53d327806fda28
SHA256

f0434f1a58dd1d4d6202f0358a0710d373a4408bf56837e0815c332967c99543
SHA512

a2fa302f891de7de317c6149fc919ffbc1c60b56327a26d73e6b677e947b9b88d03df7ae84e14a51c9a95f200b0be5bb73e9321c3a3458e68ff2d8e45a79c6fe
SSDEEP

49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l7:RWWBibd56utgpPFotBER/mQ32lU/

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0008000000023c91-6.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c96-14.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c95-15.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c98-27.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c97-28.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9a-38.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9b-50.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9c-53.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c99-40.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c92-59.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9e-68.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c9f-74.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca0-84.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca2-87.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca4-102.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca5-111.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca3-101.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca6-118.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca7-127.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca8-132.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca9-136.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/3960-56-0x00007FF6762B0000-0x00007FF676601000-memory.dmp	xmrig
behavioral2/memory/3256-64-0x00007FF6F5140000-0x00007FF6F5491000-memory.dmp	xmrig
behavioral2/memory/1248-62-0x00007FF79B0E0000-0x00007FF79B431000-memory.dmp	xmrig
behavioral2/memory/740-65-0x00007FF7C1670000-0x00007FF7C19C1000-memory.dmp	xmrig
behavioral2/memory/4996-82-0x00007FF6121A0000-0x00007FF6124F1000-memory.dmp	xmrig
behavioral2/memory/4060-75-0x00007FF759D00000-0x00007FF75A051000-memory.dmp	xmrig
behavioral2/memory/1328-92-0x00007FF6510A0000-0x00007FF6513F1000-memory.dmp	xmrig
behavioral2/memory/4484-94-0x00007FF717EA0000-0x00007FF7181F1000-memory.dmp	xmrig
behavioral2/memory/4352-109-0x00007FF7EFD80000-0x00007FF7F00D1000-memory.dmp	xmrig
behavioral2/memory/5016-103-0x00007FF7AA2E0000-0x00007FF7AA631000-memory.dmp	xmrig
behavioral2/memory/3712-97-0x00007FF68E710000-0x00007FF68EA61000-memory.dmp	xmrig
behavioral2/memory/3500-90-0x00007FF7D0A60000-0x00007FF7D0DB1000-memory.dmp	xmrig
behavioral2/memory/4192-134-0x00007FF7FE710000-0x00007FF7FEA61000-memory.dmp	xmrig
behavioral2/memory/4660-141-0x00007FF748870000-0x00007FF748BC1000-memory.dmp	xmrig
behavioral2/memory/4384-124-0x00007FF74D2F0000-0x00007FF74D641000-memory.dmp	xmrig
behavioral2/memory/2940-150-0x00007FF6D66A0000-0x00007FF6D69F1000-memory.dmp	xmrig
behavioral2/memory/2064-151-0x00007FF7B4820000-0x00007FF7B4B71000-memory.dmp	xmrig
behavioral2/memory/3900-157-0x00007FF796DB0000-0x00007FF797101000-memory.dmp	xmrig
behavioral2/memory/3760-159-0x00007FF746B80000-0x00007FF746ED1000-memory.dmp	xmrig
behavioral2/memory/4552-169-0x00007FF758560000-0x00007FF7588B1000-memory.dmp	xmrig
behavioral2/memory/1404-168-0x00007FF6A2070000-0x00007FF6A23C1000-memory.dmp	xmrig
behavioral2/memory/2244-171-0x00007FF6FE470000-0x00007FF6FE7C1000-memory.dmp	xmrig
behavioral2/memory/3960-162-0x00007FF6762B0000-0x00007FF676601000-memory.dmp	xmrig
behavioral2/memory/3960-185-0x00007FF6762B0000-0x00007FF676601000-memory.dmp	xmrig
behavioral2/memory/1248-218-0x00007FF79B0E0000-0x00007FF79B431000-memory.dmp	xmrig
behavioral2/memory/3256-220-0x00007FF6F5140000-0x00007FF6F5491000-memory.dmp	xmrig
behavioral2/memory/4060-226-0x00007FF759D00000-0x00007FF75A051000-memory.dmp	xmrig
behavioral2/memory/3500-230-0x00007FF7D0A60000-0x00007FF7D0DB1000-memory.dmp	xmrig
behavioral2/memory/4996-229-0x00007FF6121A0000-0x00007FF6124F1000-memory.dmp	xmrig
behavioral2/memory/4352-232-0x00007FF7EFD80000-0x00007FF7F00D1000-memory.dmp	xmrig
behavioral2/memory/1328-236-0x00007FF6510A0000-0x00007FF6513F1000-memory.dmp	xmrig
behavioral2/memory/3712-234-0x00007FF68E710000-0x00007FF68EA61000-memory.dmp	xmrig
behavioral2/memory/5016-238-0x00007FF7AA2E0000-0x00007FF7AA631000-memory.dmp	xmrig
behavioral2/memory/740-242-0x00007FF7C1670000-0x00007FF7C19C1000-memory.dmp	xmrig
behavioral2/memory/4384-247-0x00007FF74D2F0000-0x00007FF74D641000-memory.dmp	xmrig
behavioral2/memory/4192-249-0x00007FF7FE710000-0x00007FF7FEA61000-memory.dmp	xmrig
behavioral2/memory/2940-251-0x00007FF6D66A0000-0x00007FF6D69F1000-memory.dmp	xmrig
behavioral2/memory/4484-256-0x00007FF717EA0000-0x00007FF7181F1000-memory.dmp	xmrig
behavioral2/memory/2064-258-0x00007FF7B4820000-0x00007FF7B4B71000-memory.dmp	xmrig
behavioral2/memory/3760-261-0x00007FF746B80000-0x00007FF746ED1000-memory.dmp	xmrig
behavioral2/memory/3900-262-0x00007FF796DB0000-0x00007FF797101000-memory.dmp	xmrig
behavioral2/memory/2244-269-0x00007FF6FE470000-0x00007FF6FE7C1000-memory.dmp	xmrig
behavioral2/memory/1404-271-0x00007FF6A2070000-0x00007FF6A23C1000-memory.dmp	xmrig
behavioral2/memory/4552-273-0x00007FF758560000-0x00007FF7588B1000-memory.dmp	xmrig
behavioral2/memory/4660-275-0x00007FF748870000-0x00007FF748BC1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
1248	tXszmAm.exe
3256	pooxHdF.exe
4060	hdhuUHs.exe
4996	suMKlTl.exe
3500	zHsHobd.exe
1328	seOgwus.exe
3712	feToxSU.exe
5016	GgCYSyn.exe
4352	qNKHuJO.exe
740	KvUCXNs.exe
4384	GLZJyYn.exe
4192	dsvhTyD.exe
2940	BARhpgr.exe
4484	VjLBwbW.exe
2064	VoHYCoB.exe
3900	HfCBAPr.exe
3760	yWMUvzi.exe
2244	wKiOFfo.exe
1404	PxHjmtl.exe
4552	nAgrkJx.exe
4660	igmdCFE.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3960-0-0x00007FF6762B0000-0x00007FF676601000-memory.dmp	upx
behavioral2/files/0x0008000000023c91-6.dat	upx
behavioral2/memory/1248-8-0x00007FF79B0E0000-0x00007FF79B431000-memory.dmp	upx
behavioral2/files/0x0007000000023c96-14.dat	upx
behavioral2/files/0x0007000000023c95-15.dat	upx
behavioral2/memory/3256-17-0x00007FF6F5140000-0x00007FF6F5491000-memory.dmp	upx
behavioral2/files/0x0007000000023c98-27.dat	upx
behavioral2/files/0x0007000000023c97-28.dat	upx
behavioral2/files/0x0007000000023c9a-38.dat	upx
behavioral2/files/0x0007000000023c9b-50.dat	upx
behavioral2/files/0x0007000000023c9c-53.dat	upx
behavioral2/memory/4352-52-0x00007FF7EFD80000-0x00007FF7F00D1000-memory.dmp	upx
behavioral2/memory/5016-48-0x00007FF7AA2E0000-0x00007FF7AA631000-memory.dmp	upx
behavioral2/memory/3712-42-0x00007FF68E710000-0x00007FF68EA61000-memory.dmp	upx
behavioral2/files/0x0007000000023c99-40.dat	upx
behavioral2/memory/1328-39-0x00007FF6510A0000-0x00007FF6513F1000-memory.dmp	upx
behavioral2/memory/3500-32-0x00007FF7D0A60000-0x00007FF7D0DB1000-memory.dmp	upx
behavioral2/memory/4996-26-0x00007FF6121A0000-0x00007FF6124F1000-memory.dmp	upx
behavioral2/memory/4060-19-0x00007FF759D00000-0x00007FF75A051000-memory.dmp	upx
behavioral2/memory/3960-56-0x00007FF6762B0000-0x00007FF676601000-memory.dmp	upx
behavioral2/files/0x0008000000023c92-59.dat	upx
behavioral2/memory/3256-64-0x00007FF6F5140000-0x00007FF6F5491000-memory.dmp	upx
behavioral2/memory/1248-62-0x00007FF79B0E0000-0x00007FF79B431000-memory.dmp	upx
behavioral2/memory/740-65-0x00007FF7C1670000-0x00007FF7C19C1000-memory.dmp	upx
behavioral2/files/0x0007000000023c9e-68.dat	upx
behavioral2/memory/4384-69-0x00007FF74D2F0000-0x00007FF74D641000-memory.dmp	upx
behavioral2/files/0x0008000000023c9f-74.dat	upx
behavioral2/memory/4192-76-0x00007FF7FE710000-0x00007FF7FEA61000-memory.dmp	upx
behavioral2/files/0x0007000000023ca0-84.dat	upx
behavioral2/memory/2940-83-0x00007FF6D66A0000-0x00007FF6D69F1000-memory.dmp	upx
behavioral2/memory/4996-82-0x00007FF6121A0000-0x00007FF6124F1000-memory.dmp	upx
behavioral2/memory/4060-75-0x00007FF759D00000-0x00007FF75A051000-memory.dmp	upx
behavioral2/files/0x0007000000023ca2-87.dat	upx
behavioral2/memory/1328-92-0x00007FF6510A0000-0x00007FF6513F1000-memory.dmp	upx
behavioral2/memory/4484-94-0x00007FF717EA0000-0x00007FF7181F1000-memory.dmp	upx
behavioral2/files/0x0007000000023ca4-102.dat	upx
behavioral2/files/0x0007000000023ca5-111.dat	upx
behavioral2/memory/3760-110-0x00007FF746B80000-0x00007FF746ED1000-memory.dmp	upx
behavioral2/memory/4352-109-0x00007FF7EFD80000-0x00007FF7F00D1000-memory.dmp	upx
behavioral2/memory/3900-106-0x00007FF796DB0000-0x00007FF797101000-memory.dmp	upx
behavioral2/memory/5016-103-0x00007FF7AA2E0000-0x00007FF7AA631000-memory.dmp	upx
behavioral2/files/0x0007000000023ca3-101.dat	upx
behavioral2/memory/2064-98-0x00007FF7B4820000-0x00007FF7B4B71000-memory.dmp	upx
behavioral2/memory/3712-97-0x00007FF68E710000-0x00007FF68EA61000-memory.dmp	upx
behavioral2/memory/3500-90-0x00007FF7D0A60000-0x00007FF7D0DB1000-memory.dmp	upx
behavioral2/files/0x0007000000023ca6-118.dat	upx
behavioral2/memory/2244-119-0x00007FF6FE470000-0x00007FF6FE7C1000-memory.dmp	upx
behavioral2/memory/1404-126-0x00007FF6A2070000-0x00007FF6A23C1000-memory.dmp	upx
behavioral2/files/0x0007000000023ca7-127.dat	upx
behavioral2/memory/4192-134-0x00007FF7FE710000-0x00007FF7FEA61000-memory.dmp	upx
behavioral2/files/0x0007000000023ca8-132.dat	upx
behavioral2/memory/4552-139-0x00007FF758560000-0x00007FF7588B1000-memory.dmp	upx
behavioral2/memory/4660-141-0x00007FF748870000-0x00007FF748BC1000-memory.dmp	upx
behavioral2/files/0x0007000000023ca9-136.dat	upx
behavioral2/memory/4384-124-0x00007FF74D2F0000-0x00007FF74D641000-memory.dmp	upx
behavioral2/memory/2940-150-0x00007FF6D66A0000-0x00007FF6D69F1000-memory.dmp	upx
behavioral2/memory/2064-151-0x00007FF7B4820000-0x00007FF7B4B71000-memory.dmp	upx
behavioral2/memory/3900-157-0x00007FF796DB0000-0x00007FF797101000-memory.dmp	upx
behavioral2/memory/3760-159-0x00007FF746B80000-0x00007FF746ED1000-memory.dmp	upx
behavioral2/memory/4552-169-0x00007FF758560000-0x00007FF7588B1000-memory.dmp	upx
behavioral2/memory/1404-168-0x00007FF6A2070000-0x00007FF6A23C1000-memory.dmp	upx
behavioral2/memory/2244-171-0x00007FF6FE470000-0x00007FF6FE7C1000-memory.dmp	upx
behavioral2/memory/3960-162-0x00007FF6762B0000-0x00007FF676601000-memory.dmp	upx
behavioral2/memory/3960-185-0x00007FF6762B0000-0x00007FF676601000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\hdhuUHs.exe	2024-12-12_873fe2aa4976c6f077b7831b76dddd74_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\suMKlTl.exe	2024-12-12_873fe2aa4976c6f077b7831b76dddd74_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dsvhTyD.exe	2024-12-12_873fe2aa4976c6f077b7831b76dddd74_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HfCBAPr.exe	2024-12-12_873fe2aa4976c6f077b7831b76dddd74_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yWMUvzi.exe	2024-12-12_873fe2aa4976c6f077b7831b76dddd74_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\igmdCFE.exe	2024-12-12_873fe2aa4976c6f077b7831b76dddd74_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pooxHdF.exe	2024-12-12_873fe2aa4976c6f077b7831b76dddd74_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\feToxSU.exe	2024-12-12_873fe2aa4976c6f077b7831b76dddd74_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qNKHuJO.exe	2024-12-12_873fe2aa4976c6f077b7831b76dddd74_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\seOgwus.exe	2024-12-12_873fe2aa4976c6f077b7831b76dddd74_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KvUCXNs.exe	2024-12-12_873fe2aa4976c6f077b7831b76dddd74_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GLZJyYn.exe	2024-12-12_873fe2aa4976c6f077b7831b76dddd74_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VoHYCoB.exe	2024-12-12_873fe2aa4976c6f077b7831b76dddd74_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nAgrkJx.exe	2024-12-12_873fe2aa4976c6f077b7831b76dddd74_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zHsHobd.exe	2024-12-12_873fe2aa4976c6f077b7831b76dddd74_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GgCYSyn.exe	2024-12-12_873fe2aa4976c6f077b7831b76dddd74_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BARhpgr.exe	2024-12-12_873fe2aa4976c6f077b7831b76dddd74_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VjLBwbW.exe	2024-12-12_873fe2aa4976c6f077b7831b76dddd74_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wKiOFfo.exe	2024-12-12_873fe2aa4976c6f077b7831b76dddd74_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PxHjmtl.exe	2024-12-12_873fe2aa4976c6f077b7831b76dddd74_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tXszmAm.exe	2024-12-12_873fe2aa4976c6f077b7831b76dddd74_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3960	2024-12-12_873fe2aa4976c6f077b7831b76dddd74_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	3960	2024-12-12_873fe2aa4976c6f077b7831b76dddd74_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3960 wrote to memory of 1248	3960	2024-12-12_873fe2aa4976c6f077b7831b76dddd74_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3960 wrote to memory of 1248	3960	2024-12-12_873fe2aa4976c6f077b7831b76dddd74_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3960 wrote to memory of 3256	3960	2024-12-12_873fe2aa4976c6f077b7831b76dddd74_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3960 wrote to memory of 3256	3960	2024-12-12_873fe2aa4976c6f077b7831b76dddd74_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3960 wrote to memory of 4060	3960	2024-12-12_873fe2aa4976c6f077b7831b76dddd74_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3960 wrote to memory of 4060	3960	2024-12-12_873fe2aa4976c6f077b7831b76dddd74_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3960 wrote to memory of 4996	3960	2024-12-12_873fe2aa4976c6f077b7831b76dddd74_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3960 wrote to memory of 4996	3960	2024-12-12_873fe2aa4976c6f077b7831b76dddd74_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3960 wrote to memory of 3500	3960	2024-12-12_873fe2aa4976c6f077b7831b76dddd74_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3960 wrote to memory of 3500	3960	2024-12-12_873fe2aa4976c6f077b7831b76dddd74_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3960 wrote to memory of 1328	3960	2024-12-12_873fe2aa4976c6f077b7831b76dddd74_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3960 wrote to memory of 1328	3960	2024-12-12_873fe2aa4976c6f077b7831b76dddd74_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3960 wrote to memory of 3712	3960	2024-12-12_873fe2aa4976c6f077b7831b76dddd74_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3960 wrote to memory of 3712	3960	2024-12-12_873fe2aa4976c6f077b7831b76dddd74_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3960 wrote to memory of 5016	3960	2024-12-12_873fe2aa4976c6f077b7831b76dddd74_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3960 wrote to memory of 5016	3960	2024-12-12_873fe2aa4976c6f077b7831b76dddd74_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3960 wrote to memory of 4352	3960	2024-12-12_873fe2aa4976c6f077b7831b76dddd74_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3960 wrote to memory of 4352	3960	2024-12-12_873fe2aa4976c6f077b7831b76dddd74_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3960 wrote to memory of 740	3960	2024-12-12_873fe2aa4976c6f077b7831b76dddd74_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3960 wrote to memory of 740	3960	2024-12-12_873fe2aa4976c6f077b7831b76dddd74_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3960 wrote to memory of 4384	3960	2024-12-12_873fe2aa4976c6f077b7831b76dddd74_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3960 wrote to memory of 4384	3960	2024-12-12_873fe2aa4976c6f077b7831b76dddd74_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3960 wrote to memory of 4192	3960	2024-12-12_873fe2aa4976c6f077b7831b76dddd74_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3960 wrote to memory of 4192	3960	2024-12-12_873fe2aa4976c6f077b7831b76dddd74_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3960 wrote to memory of 2940	3960	2024-12-12_873fe2aa4976c6f077b7831b76dddd74_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3960 wrote to memory of 2940	3960	2024-12-12_873fe2aa4976c6f077b7831b76dddd74_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3960 wrote to memory of 4484	3960	2024-12-12_873fe2aa4976c6f077b7831b76dddd74_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3960 wrote to memory of 4484	3960	2024-12-12_873fe2aa4976c6f077b7831b76dddd74_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3960 wrote to memory of 2064	3960	2024-12-12_873fe2aa4976c6f077b7831b76dddd74_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3960 wrote to memory of 2064	3960	2024-12-12_873fe2aa4976c6f077b7831b76dddd74_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3960 wrote to memory of 3900	3960	2024-12-12_873fe2aa4976c6f077b7831b76dddd74_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3960 wrote to memory of 3900	3960	2024-12-12_873fe2aa4976c6f077b7831b76dddd74_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3960 wrote to memory of 3760	3960	2024-12-12_873fe2aa4976c6f077b7831b76dddd74_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3960 wrote to memory of 3760	3960	2024-12-12_873fe2aa4976c6f077b7831b76dddd74_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3960 wrote to memory of 2244	3960	2024-12-12_873fe2aa4976c6f077b7831b76dddd74_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3960 wrote to memory of 2244	3960	2024-12-12_873fe2aa4976c6f077b7831b76dddd74_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3960 wrote to memory of 1404	3960	2024-12-12_873fe2aa4976c6f077b7831b76dddd74_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3960 wrote to memory of 1404	3960	2024-12-12_873fe2aa4976c6f077b7831b76dddd74_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3960 wrote to memory of 4552	3960	2024-12-12_873fe2aa4976c6f077b7831b76dddd74_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3960 wrote to memory of 4552	3960	2024-12-12_873fe2aa4976c6f077b7831b76dddd74_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3960 wrote to memory of 4660	3960	2024-12-12_873fe2aa4976c6f077b7831b76dddd74_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 3960 wrote to memory of 4660	3960	2024-12-12_873fe2aa4976c6f077b7831b76dddd74_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-12-12_873fe2aa4976c6f077b7831b76dddd74_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-12_873fe2aa4976c6f077b7831b76dddd74_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3960
- C:\Windows\System\tXszmAm.exe
  C:\Windows\System\tXszmAm.exe
  2⤵
  - Executes dropped EXE
  PID:1248
- C:\Windows\System\pooxHdF.exe
  C:\Windows\System\pooxHdF.exe
  2⤵
  - Executes dropped EXE
  PID:3256
- C:\Windows\System\hdhuUHs.exe
  C:\Windows\System\hdhuUHs.exe
  2⤵
  - Executes dropped EXE
  PID:4060
- C:\Windows\System\suMKlTl.exe
  C:\Windows\System\suMKlTl.exe
  2⤵
  - Executes dropped EXE
  PID:4996
- C:\Windows\System\zHsHobd.exe
  C:\Windows\System\zHsHobd.exe
  2⤵
  - Executes dropped EXE
  PID:3500
- C:\Windows\System\seOgwus.exe
  C:\Windows\System\seOgwus.exe
  2⤵
  - Executes dropped EXE
  PID:1328
- C:\Windows\System\feToxSU.exe
  C:\Windows\System\feToxSU.exe
  2⤵
  - Executes dropped EXE
  PID:3712
- C:\Windows\System\GgCYSyn.exe
  C:\Windows\System\GgCYSyn.exe
  2⤵
  - Executes dropped EXE
  PID:5016
- C:\Windows\System\qNKHuJO.exe
  C:\Windows\System\qNKHuJO.exe
  2⤵
  - Executes dropped EXE
  PID:4352
- C:\Windows\System\KvUCXNs.exe
  C:\Windows\System\KvUCXNs.exe
  2⤵
  - Executes dropped EXE
  PID:740
- C:\Windows\System\GLZJyYn.exe
  C:\Windows\System\GLZJyYn.exe
  2⤵
  - Executes dropped EXE
  PID:4384
- C:\Windows\System\dsvhTyD.exe
  C:\Windows\System\dsvhTyD.exe
  2⤵
  - Executes dropped EXE
  PID:4192
- C:\Windows\System\BARhpgr.exe
  C:\Windows\System\BARhpgr.exe
  2⤵
  - Executes dropped EXE
  PID:2940
- C:\Windows\System\VjLBwbW.exe
  C:\Windows\System\VjLBwbW.exe
  2⤵
  - Executes dropped EXE
  PID:4484
- C:\Windows\System\VoHYCoB.exe
  C:\Windows\System\VoHYCoB.exe
  2⤵
  - Executes dropped EXE
  PID:2064
- C:\Windows\System\HfCBAPr.exe
  C:\Windows\System\HfCBAPr.exe
  2⤵
  - Executes dropped EXE
  PID:3900
- C:\Windows\System\yWMUvzi.exe
  C:\Windows\System\yWMUvzi.exe
  2⤵
  - Executes dropped EXE
  PID:3760
- C:\Windows\System\wKiOFfo.exe
  C:\Windows\System\wKiOFfo.exe
  2⤵
  - Executes dropped EXE
  PID:2244
- C:\Windows\System\PxHjmtl.exe
  C:\Windows\System\PxHjmtl.exe
  2⤵
  - Executes dropped EXE
  PID:1404
- C:\Windows\System\nAgrkJx.exe
  C:\Windows\System\nAgrkJx.exe
  2⤵
  - Executes dropped EXE
  PID:4552
- C:\Windows\System\igmdCFE.exe
  C:\Windows\System\igmdCFE.exe
  2⤵
  - Executes dropped EXE
  PID:4660

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BARhpgr.exe

Filesize
5.2MB

MD5
f3b251916729bf2749bb6888385f08a1

SHA1
264c657f6f8aa7c4f48aa6422c43e9a10652187b

SHA256
5ef39fffabbc9ab09f45d20411caaef309d20997482b9161159c2d78b67c67f5

SHA512
6dcc89ab4bdf61079b1aaa16dd1f5ef686fd5dae360bc48505ba215809b2ccbe9c2ac93f05a6669066f0d29a90864dc10dfee293cdff4b7b57820c137915266e

Download Submit
C:\Windows\System\GLZJyYn.exe

Filesize
5.2MB

MD5
6a0c9860c641bcbccf0df0be467474bf

SHA1
080b52dc623972e6b0de5b28400dd1819459d422

SHA256
113dac5bb9a3329366a0850d65be62c75b9a541bae2d83a6f4d24bfc7b9cc782

SHA512
76f250b5bfb68aa9d8434cbc759ba4e6402637c4723e629f2c95510de0d667885d277181cbb9d27072b66a8af34db04bcd40d5b90310b14e0e631e5370cc93a6

Download Submit
C:\Windows\System\GgCYSyn.exe

Filesize
5.2MB

MD5
d23c32a06eac98a17007647acaa380cf

SHA1
c2362361cd7d20ad0d043a75073874fa43c1a9a6

SHA256
12f8c4ba8eb5083f4238ce5123f0dd4ffa7ba361f7831740a2d636cd795e9f86

SHA512
6233f9f6c35b255a6bab5875a3ca9bfeefc8e735ba0ea5b4c4e1bd110cd2d7c81ace755668c5483cdc6a246973fb683c9e87b19e6a2f3c53c68a21973debe7f5

Download Submit
C:\Windows\System\HfCBAPr.exe

Filesize
5.2MB

MD5
80616ee1085ed7fb6d17e8ced370206d

SHA1
ee80bfb86f02437dcacdbf0aa0b1dd1523a6a1b5

SHA256
8033ff272b1dffcb7fd03fd0a57fb4d56d988ba3afa0d71e15cc9e92f52888b1

SHA512
5cb2a9a0c2a10533cf2ee7707ddefc23746a619072378bcb7ef78a1c9d922b7ea208a06aea6c1ea738de25704e939d9067ed9db788e4f8c4061a2a4087a516bf

Download Submit
C:\Windows\System\KvUCXNs.exe

Filesize
5.2MB

MD5
ac41c7114e5e9b17a5b969c09f4afb6c

SHA1
94d4985d72491af905981afee0167b01a3537287

SHA256
a9e32675d392eb2c4aa13858d1030f29dcc992b4fd6515e3a9dcbebbeef1eb81

SHA512
d3cb78506f44bb186c873262e1f800d706f432154fa32a50a0fd68cbf81279f1c4c23bfdfc2d9d394eeeb8800115beef91eaabab86829547091f5e2092ce3be7

Download Submit
C:\Windows\System\PxHjmtl.exe

Filesize
5.2MB

MD5
2593fd2fd3e55581c9900539b88cd8fc

SHA1
9fe6ec3bf2665ca9e63b0ca7be0d2a3cf4eb0675

SHA256
cba8e9ac66696b83cb5e6436e216747f2b92394799e07805b99f003ce0c9a848

SHA512
f1fb056a3e6c17e9d75595f121c4a18601a0e31f1f68704f4491878c317c01e9594dbb815bd9b645c73e79e4cc75be4a69ee39759f244b6d45cd3625e359f63f

Download Submit
C:\Windows\System\VjLBwbW.exe

Filesize
5.2MB

MD5
46a5fa1b9262059789238a4cc651cf81

SHA1
b9646b6df5179a76afea6c064a3f4fc608ea8f2f

SHA256
cac12fc9cdc2a95c4b670c30343ccb849d209189a7246f8737f8760d2697eb94

SHA512
73579ad035135cb1060d56b29fab71ae60ab514af7500ebb888f1f514833ba344fb4c4ac96deb703a7f9464e5814a0d77040fed6fde4ce0ec8bf44c380bc1cfc

Download Submit
C:\Windows\System\VoHYCoB.exe

Filesize
5.2MB

MD5
74cf277c6255b44ce2f68dc3ddbcc187

SHA1
6aaf08c8f4d8e0b061b9f6b79a5928e198308cb6

SHA256
1d8a06073e1b5b93bf649290eb9e3a19f635fb501be5647566be953af4cb9d42

SHA512
01e0589122c019a0f9724ed8743d194f09ec4544fd05c0260c9dec74efceb767b0095d111d2ff4b118789fd643b76861a9140eb055eaba460504c82feeb42e72

Download Submit
C:\Windows\System\dsvhTyD.exe

Filesize
5.2MB

MD5
f77ec113568752552140bc7bdc21302d

SHA1
b6907d2dc3b42f0b221b942a600837bd23105e00

SHA256
868ffb25ed9c243fd25632c43ef14e3d1197da5afa13eb90d36e1d5c4d492996

SHA512
08e68afdd2a5dfd4520b22bd22ee5c5ec39ac762221dce5383c814b2766d3ec77b4966b46fe235ba16d22239d2f87ce59eeae1005451c116dbd65c08c7f655f7

Download Submit
C:\Windows\System\feToxSU.exe

Filesize
5.2MB

MD5
749e728c609b194f81f7d2dd7bb0444e

SHA1
c6721344a51cf4300ffa335e8fe94ae451a79a92

SHA256
9cc3e47051994106d92b74cbb14412553084a8ca279c7d4f9febdc28ae7f032a

SHA512
bcd70ec9053bd736b7ffd070bffef16ca66d5ee07080e0ab9266abee873f4757006da9ec8836ca04c1ffbd84664b786c4a1a3a6b1b92e3e44bac909d22d70843

Download Submit
C:\Windows\System\hdhuUHs.exe

Filesize
5.2MB

MD5
45ce10e6e0b53a56ed27636cea60fb46

SHA1
e452f58037670b8a7c7b2f9a6ed94c68d51932d8

SHA256
3f67fd6717f1f4a8923d66223a6528557b491bb1bf9ecb7777195bb9cd1b92d6

SHA512
f71683704e02318041ad569cbeb86075f37c8504a23b676174a838dfa8e5b36ffab59d37762f19b0b0a24d8ed980323c092c01b8c13c27dc54f7ec2eef66d878

Download Submit
C:\Windows\System\igmdCFE.exe

Filesize
5.2MB

MD5
6f12840b128690fa25c1a8048b906e97

SHA1
8b7205e5d121633eb29aed2c8be83bee740aa7c6

SHA256
09f9ceb5430d059dc0e131d1b8c918d32bba47cc207d86085152c719abe8ee76

SHA512
e9e4c047418a43feed68fbdec99e0fa0cd967f0a7244cbc4f2f5da15839b7f6c5d56d6ade267d6b3936226ce550c8c89e160acc3365bfb2bd70a35a19b39d6bb

Download Submit
C:\Windows\System\nAgrkJx.exe

Filesize
5.2MB

MD5
7be338a2c04af7a11f62af8f4652606e

SHA1
6323fd35b186f12d82f6dd90cca639321aeec65b

SHA256
1187acbf747e8cc02601d86ce1b0c9efb2a79818c787d53e555e967b76dd00e9

SHA512
ed0bb5e5e249cee9f71b257e11e9563a34787d0442130aacd9d14ce51c29f108d7f7b4103ceedc42835336a51c355796ac052471c7339814224df733a76c954a

Download Submit
C:\Windows\System\pooxHdF.exe

Filesize
5.2MB

MD5
336816ce3947bb52878acd64fadffde1

SHA1
787c4c27be93245c9b9fe91056d61584efb6dfb2

SHA256
095707662f2ef090b58b284d6bf215d1084c9f6df83fa3afb6cb3e2740a4ffe5

SHA512
37f16b32e6a48b2884542c8c978c696f9af0dc170c6d3b70cf10234d119a473fd07ba2f1610bf22f81d43e032536b9d4b93a30249678c43ba5ed2c7f52d00c25

Download Submit
C:\Windows\System\qNKHuJO.exe

Filesize
5.2MB

MD5
0f1ed6495e528ef11c34b999031f652b

SHA1
20ac5a38716685641423246d1277d6787a4bd59a

SHA256
509038819cba48033f8a8da3b1643223c5460f26096be92feb8364f73e26f301

SHA512
818e73e8f422324c32eb83a74bb7110e6c1193571d5a065baf8d2c0997dd84312ac8e89595dab104a164ccf976bcb35abfad077e24d36735467645ba7f836af5

Download Submit
C:\Windows\System\seOgwus.exe

Filesize
5.2MB

MD5
3c02fd6c51b620848967d1802749b93b

SHA1
91303b498ae49d50fb92adabb294a3971ffda92d

SHA256
9e0fb34f058b352eb26fdba8a4c41daedec4fc0019dc89cef732046edd1c0ea7

SHA512
766fd43abffe3334b26f95da99f489f2ffc909f939c900f87933395eb2f0fd63031beefb49879e339680789457db94fcf0994b14a925d8d610971cf9ad84a3f5

Download Submit
C:\Windows\System\suMKlTl.exe

Filesize
5.2MB

MD5
93fdffc19fa3d7a2c2c141c6116757ac

SHA1
34da0abe7cbfe06e4d7d148deb18b00f4a8725fc

SHA256
5c47c384c7dce27c2499883034c50693bb35df4322f30bac0f317a98fb5ff5b6

SHA512
9e59ee884cf5e1b8fb0593c52f5255fdff9a6ad7376a12da7f02bf8d08ef4cd6c27c008c7fd877255c0a4aa6124c4dfdd94bf3701c21e2fb58df7a575bcd24e6

Download Submit
C:\Windows\System\tXszmAm.exe

Filesize
5.2MB

MD5
3eb14e738936d935da92bd333fbd0124

SHA1
15d0508982cc3d2781b9963bdcf49d6e9d965230

SHA256
aac046025914d0725a51ab7b9990bf8f31b8b164f7a11bc56c2325a5bda460fc

SHA512
cc04d8fa04fac37a21a66d2d568521bd5b807a2dad824a9c749fe999135b460556ebf88433d74c5296612573b9803ad348dc9d9466e8a59629ba405954906de1

Download Submit
C:\Windows\System\wKiOFfo.exe

Filesize
5.2MB

MD5
b2237baf13dbc18a4eaa84bea7f20a7b

SHA1
49eeea895af3c3ebf4710bbaf88b957dc94741d5

SHA256
21e27d721812a9320927d1d7bca28eedeb2af150b07164038de4abf140731873

SHA512
8772603555bdbae53c687fbe5330a4e0caf727ee23f9a44dcd877d73de7c0369bbac8de2fca7281c75c257f8f3d5f17160513f24c8076223d73813966758a4cc

Download Submit
C:\Windows\System\yWMUvzi.exe

Filesize
5.2MB

MD5
8c271876412e9d874dfda7767f9ffd52

SHA1
fcbe92981cebb160a45fe0b4bfdcb40dfaacf8fd

SHA256
d1466848d537f3d5970bb82955236abec77314a803797240f87b5e2a37a61772

SHA512
f261cbef8151d5d13c7a3b4aa1d962317f047533fcd8df8e4491a27e76810c56324364821ad1cf37dcfd5a3aab8e1f628d0dddc30cd77adc96d5ee833fbc75f3

Download Submit
C:\Windows\System\zHsHobd.exe

Filesize
5.2MB

MD5
128cf4e0c19f1436f6893b13eea3d99e

SHA1
8dcca606b7b9659ed76d33226a5d7aec26aeed8b

SHA256
3e9c08fc5228165afedc13dc0770411d38d9e5119ae483cfbca55ebb74d1180a

SHA512
527fea970c70f4587c0107432ac0ab51bced12d0a027d785c324257364c80610aad4809f30dca16aafe73e4bc7e37ebe19147ed0c23564b6b90f140acd61b57d

Download Submit
memory/740-65-0x00007FF7C1670000-0x00007FF7C19C1000-memory.dmp

Filesize
3.3MB

Download
memory/740-242-0x00007FF7C1670000-0x00007FF7C19C1000-memory.dmp

Filesize
3.3MB

Download
memory/1248-218-0x00007FF79B0E0000-0x00007FF79B431000-memory.dmp

Filesize
3.3MB

Download
memory/1248-62-0x00007FF79B0E0000-0x00007FF79B431000-memory.dmp

Filesize
3.3MB

Download
memory/1248-8-0x00007FF79B0E0000-0x00007FF79B431000-memory.dmp

Filesize
3.3MB

Download
memory/1328-236-0x00007FF6510A0000-0x00007FF6513F1000-memory.dmp

Filesize
3.3MB

Download
memory/1328-39-0x00007FF6510A0000-0x00007FF6513F1000-memory.dmp

Filesize
3.3MB

Download
memory/1328-92-0x00007FF6510A0000-0x00007FF6513F1000-memory.dmp

Filesize
3.3MB

Download
memory/1404-168-0x00007FF6A2070000-0x00007FF6A23C1000-memory.dmp

Filesize
3.3MB

Download
memory/1404-126-0x00007FF6A2070000-0x00007FF6A23C1000-memory.dmp

Filesize
3.3MB

Download
memory/1404-271-0x00007FF6A2070000-0x00007FF6A23C1000-memory.dmp

Filesize
3.3MB

Download
memory/2064-151-0x00007FF7B4820000-0x00007FF7B4B71000-memory.dmp

Filesize
3.3MB

Download
memory/2064-258-0x00007FF7B4820000-0x00007FF7B4B71000-memory.dmp

Filesize
3.3MB

Download
memory/2064-98-0x00007FF7B4820000-0x00007FF7B4B71000-memory.dmp

Filesize
3.3MB

Download
memory/2244-171-0x00007FF6FE470000-0x00007FF6FE7C1000-memory.dmp

Filesize
3.3MB

Download
memory/2244-269-0x00007FF6FE470000-0x00007FF6FE7C1000-memory.dmp

Filesize
3.3MB

Download
memory/2244-119-0x00007FF6FE470000-0x00007FF6FE7C1000-memory.dmp

Filesize
3.3MB

Download
memory/2940-83-0x00007FF6D66A0000-0x00007FF6D69F1000-memory.dmp

Filesize
3.3MB

Download
memory/2940-150-0x00007FF6D66A0000-0x00007FF6D69F1000-memory.dmp

Filesize
3.3MB

Download
memory/2940-251-0x00007FF6D66A0000-0x00007FF6D69F1000-memory.dmp

Filesize
3.3MB

Download
memory/3256-64-0x00007FF6F5140000-0x00007FF6F5491000-memory.dmp

Filesize
3.3MB

Download
memory/3256-220-0x00007FF6F5140000-0x00007FF6F5491000-memory.dmp

Filesize
3.3MB

Download
memory/3256-17-0x00007FF6F5140000-0x00007FF6F5491000-memory.dmp

Filesize
3.3MB

Download
memory/3500-32-0x00007FF7D0A60000-0x00007FF7D0DB1000-memory.dmp

Filesize
3.3MB

Download
memory/3500-90-0x00007FF7D0A60000-0x00007FF7D0DB1000-memory.dmp

Filesize
3.3MB

Download
memory/3500-230-0x00007FF7D0A60000-0x00007FF7D0DB1000-memory.dmp

Filesize
3.3MB

Download
memory/3712-97-0x00007FF68E710000-0x00007FF68EA61000-memory.dmp

Filesize
3.3MB

Download
memory/3712-42-0x00007FF68E710000-0x00007FF68EA61000-memory.dmp

Filesize
3.3MB

Download
memory/3712-234-0x00007FF68E710000-0x00007FF68EA61000-memory.dmp

Filesize
3.3MB

Download
memory/3760-261-0x00007FF746B80000-0x00007FF746ED1000-memory.dmp

Filesize
3.3MB

Download
memory/3760-110-0x00007FF746B80000-0x00007FF746ED1000-memory.dmp

Filesize
3.3MB

Download
memory/3760-159-0x00007FF746B80000-0x00007FF746ED1000-memory.dmp

Filesize
3.3MB

Download
memory/3900-106-0x00007FF796DB0000-0x00007FF797101000-memory.dmp

Filesize
3.3MB

Download
memory/3900-262-0x00007FF796DB0000-0x00007FF797101000-memory.dmp

Filesize
3.3MB

Download
memory/3900-157-0x00007FF796DB0000-0x00007FF797101000-memory.dmp

Filesize
3.3MB

Download
memory/3960-1-0x0000020073810000-0x0000020073820000-memory.dmp

Filesize
64KB

Download
memory/3960-185-0x00007FF6762B0000-0x00007FF676601000-memory.dmp

Filesize
3.3MB

Download
memory/3960-162-0x00007FF6762B0000-0x00007FF676601000-memory.dmp

Filesize
3.3MB

Download
memory/3960-0-0x00007FF6762B0000-0x00007FF676601000-memory.dmp

Filesize
3.3MB

Download
memory/3960-56-0x00007FF6762B0000-0x00007FF676601000-memory.dmp

Filesize
3.3MB

Download
memory/4060-75-0x00007FF759D00000-0x00007FF75A051000-memory.dmp

Filesize
3.3MB

Download
memory/4060-19-0x00007FF759D00000-0x00007FF75A051000-memory.dmp

Filesize
3.3MB

Download
memory/4060-226-0x00007FF759D00000-0x00007FF75A051000-memory.dmp

Filesize
3.3MB

Download
memory/4192-249-0x00007FF7FE710000-0x00007FF7FEA61000-memory.dmp

Filesize
3.3MB

Download
memory/4192-76-0x00007FF7FE710000-0x00007FF7FEA61000-memory.dmp

Filesize
3.3MB

Download
memory/4192-134-0x00007FF7FE710000-0x00007FF7FEA61000-memory.dmp

Filesize
3.3MB

Download
memory/4352-52-0x00007FF7EFD80000-0x00007FF7F00D1000-memory.dmp

Filesize
3.3MB

Download
memory/4352-232-0x00007FF7EFD80000-0x00007FF7F00D1000-memory.dmp

Filesize
3.3MB

Download
memory/4352-109-0x00007FF7EFD80000-0x00007FF7F00D1000-memory.dmp

Filesize
3.3MB

Download
memory/4384-247-0x00007FF74D2F0000-0x00007FF74D641000-memory.dmp

Filesize
3.3MB

Download
memory/4384-69-0x00007FF74D2F0000-0x00007FF74D641000-memory.dmp

Filesize
3.3MB

Download
memory/4384-124-0x00007FF74D2F0000-0x00007FF74D641000-memory.dmp

Filesize
3.3MB

Download
memory/4484-256-0x00007FF717EA0000-0x00007FF7181F1000-memory.dmp

Filesize
3.3MB

Download
memory/4484-94-0x00007FF717EA0000-0x00007FF7181F1000-memory.dmp

Filesize
3.3MB

Download
memory/4552-273-0x00007FF758560000-0x00007FF7588B1000-memory.dmp

Filesize
3.3MB

Download
memory/4552-169-0x00007FF758560000-0x00007FF7588B1000-memory.dmp

Filesize
3.3MB

Download
memory/4552-139-0x00007FF758560000-0x00007FF7588B1000-memory.dmp

Filesize
3.3MB

Download
memory/4660-141-0x00007FF748870000-0x00007FF748BC1000-memory.dmp

Filesize
3.3MB

Download
memory/4660-275-0x00007FF748870000-0x00007FF748BC1000-memory.dmp

Filesize
3.3MB

Download
memory/4996-229-0x00007FF6121A0000-0x00007FF6124F1000-memory.dmp

Filesize
3.3MB

Download
memory/4996-82-0x00007FF6121A0000-0x00007FF6124F1000-memory.dmp

Filesize
3.3MB

Download
memory/4996-26-0x00007FF6121A0000-0x00007FF6124F1000-memory.dmp

Filesize
3.3MB

Download
memory/5016-48-0x00007FF7AA2E0000-0x00007FF7AA631000-memory.dmp

Filesize
3.3MB

Download
memory/5016-103-0x00007FF7AA2E0000-0x00007FF7AA631000-memory.dmp

Filesize
3.3MB

Download
memory/5016-238-0x00007FF7AA2E0000-0x00007FF7AA631000-memory.dmp

Filesize
3.3MB

Download