cobaltstrike | 12543f833aa6146e1234e79df28e8988ba826e69ed9e99726d511945dcc747e6

Analysis

max time kernel
140s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12/12/2024, 11:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-12_65d760b3462d23a111eecc5dc5527a36_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

65d760b3462d23a111eecc5dc5527a36
SHA1

69deff511aa8a5c6515669cbed4c12b18b74f2a9
SHA256

12543f833aa6146e1234e79df28e8988ba826e69ed9e99726d511945dcc747e6
SHA512

a4281db427e9aeda1801f3b8e7a26c9ade54eecd9116b35385417330c78f6f268c3e39ed0fb71aa5971f491e5f14deab62cf39c91b10c5b71ad91e8fd4b3c339
SSDEEP

49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lK:RWWBibd56utgpPFotBER/mQ32lU2

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000a000000023cba-5.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc3-8.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc2-10.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc4-23.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023cbf-35.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc6-39.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc7-47.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc9-59.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc8-54.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc5-32.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ccc-74.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cce-86.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cd2-116.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cd1-120.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cd3-126.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cd0-115.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ccf-98.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ccd-85.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cca-70.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cd4-140.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cd5-147.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/3368-16-0x00007FF6E94A0000-0x00007FF6E97F1000-memory.dmp	xmrig
behavioral2/memory/4652-20-0x00007FF784C90000-0x00007FF784FE1000-memory.dmp	xmrig
behavioral2/memory/4208-52-0x00007FF78CF30000-0x00007FF78D281000-memory.dmp	xmrig
behavioral2/memory/3372-60-0x00007FF6E5320000-0x00007FF6E5671000-memory.dmp	xmrig
behavioral2/memory/2032-80-0x00007FF636690000-0x00007FF6369E1000-memory.dmp	xmrig
behavioral2/memory/1516-94-0x00007FF7A4A80000-0x00007FF7A4DD1000-memory.dmp	xmrig
behavioral2/memory/1664-128-0x00007FF63F0B0000-0x00007FF63F401000-memory.dmp	xmrig
behavioral2/memory/1844-119-0x00007FF7F4870000-0x00007FF7F4BC1000-memory.dmp	xmrig
behavioral2/memory/4604-110-0x00007FF65EB70000-0x00007FF65EEC1000-memory.dmp	xmrig
behavioral2/memory/3052-88-0x00007FF6D15D0000-0x00007FF6D1921000-memory.dmp	xmrig
behavioral2/memory/2664-79-0x00007FF65B3E0000-0x00007FF65B731000-memory.dmp	xmrig
behavioral2/memory/4276-138-0x00007FF7F9930000-0x00007FF7F9C81000-memory.dmp	xmrig
behavioral2/memory/4068-145-0x00007FF7E7F50000-0x00007FF7E82A1000-memory.dmp	xmrig
behavioral2/memory/4208-148-0x00007FF78CF30000-0x00007FF78D281000-memory.dmp	xmrig
behavioral2/memory/1536-156-0x00007FF758010000-0x00007FF758361000-memory.dmp	xmrig
behavioral2/memory/4940-163-0x00007FF66D160000-0x00007FF66D4B1000-memory.dmp	xmrig
behavioral2/memory/4600-162-0x00007FF676670000-0x00007FF6769C1000-memory.dmp	xmrig
behavioral2/memory/2472-161-0x00007FF7BED70000-0x00007FF7BF0C1000-memory.dmp	xmrig
behavioral2/memory/4544-160-0x00007FF6C0040000-0x00007FF6C0391000-memory.dmp	xmrig
behavioral2/memory/1180-159-0x00007FF60C9A0000-0x00007FF60CCF1000-memory.dmp	xmrig
behavioral2/memory/4272-158-0x00007FF790B40000-0x00007FF790E91000-memory.dmp	xmrig
behavioral2/memory/812-157-0x00007FF621350000-0x00007FF6216A1000-memory.dmp	xmrig
behavioral2/memory/4512-170-0x00007FF721D40000-0x00007FF722091000-memory.dmp	xmrig
behavioral2/memory/4208-171-0x00007FF78CF30000-0x00007FF78D281000-memory.dmp	xmrig
behavioral2/memory/3368-211-0x00007FF6E94A0000-0x00007FF6E97F1000-memory.dmp	xmrig
behavioral2/memory/3372-210-0x00007FF6E5320000-0x00007FF6E5671000-memory.dmp	xmrig
behavioral2/memory/4652-213-0x00007FF784C90000-0x00007FF784FE1000-memory.dmp	xmrig
behavioral2/memory/2664-221-0x00007FF65B3E0000-0x00007FF65B731000-memory.dmp	xmrig
behavioral2/memory/3052-223-0x00007FF6D15D0000-0x00007FF6D1921000-memory.dmp	xmrig
behavioral2/memory/1844-229-0x00007FF7F4870000-0x00007FF7F4BC1000-memory.dmp	xmrig
behavioral2/memory/1664-231-0x00007FF63F0B0000-0x00007FF63F401000-memory.dmp	xmrig
behavioral2/memory/4604-226-0x00007FF65EB70000-0x00007FF65EEC1000-memory.dmp	xmrig
behavioral2/memory/1516-227-0x00007FF7A4A80000-0x00007FF7A4DD1000-memory.dmp	xmrig
behavioral2/memory/4276-233-0x00007FF7F9930000-0x00007FF7F9C81000-memory.dmp	xmrig
behavioral2/memory/4068-245-0x00007FF7E7F50000-0x00007FF7E82A1000-memory.dmp	xmrig
behavioral2/memory/2032-247-0x00007FF636690000-0x00007FF6369E1000-memory.dmp	xmrig
behavioral2/memory/812-251-0x00007FF621350000-0x00007FF6216A1000-memory.dmp	xmrig
behavioral2/memory/1536-250-0x00007FF758010000-0x00007FF758361000-memory.dmp	xmrig
behavioral2/memory/4272-255-0x00007FF790B40000-0x00007FF790E91000-memory.dmp	xmrig
behavioral2/memory/4544-257-0x00007FF6C0040000-0x00007FF6C0391000-memory.dmp	xmrig
behavioral2/memory/4600-262-0x00007FF676670000-0x00007FF6769C1000-memory.dmp	xmrig
behavioral2/memory/2472-260-0x00007FF7BED70000-0x00007FF7BF0C1000-memory.dmp	xmrig
behavioral2/memory/1180-263-0x00007FF60C9A0000-0x00007FF60CCF1000-memory.dmp	xmrig
behavioral2/memory/4940-266-0x00007FF66D160000-0x00007FF66D4B1000-memory.dmp	xmrig
behavioral2/memory/4512-269-0x00007FF721D40000-0x00007FF722091000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
3372	hwbYPDM.exe
3368	hEryTux.exe
4652	XKdhltz.exe
2664	GgxaWHu.exe
3052	nxQsOuE.exe
1516	rlBfZwp.exe
4604	hAxUcwQ.exe
1844	PCObAYF.exe
1664	iwEkuPF.exe
4276	AGpFgyF.exe
4068	xgrMUfZ.exe
2032	eOhEzbJ.exe
1536	QxbUbvY.exe
812	ndAbWRG.exe
4272	tTAitmw.exe
1180	qoianhu.exe
4544	UmpEVyW.exe
2472	CwZikMo.exe
4600	oaBnGyh.exe
4940	VUTOVvH.exe
4512	TnMDakU.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4208-0-0x00007FF78CF30000-0x00007FF78D281000-memory.dmp	upx
behavioral2/files/0x000a000000023cba-5.dat	upx
behavioral2/files/0x0007000000023cc3-8.dat	upx
behavioral2/files/0x0007000000023cc2-10.dat	upx
behavioral2/memory/3368-16-0x00007FF6E94A0000-0x00007FF6E97F1000-memory.dmp	upx
behavioral2/memory/4652-20-0x00007FF784C90000-0x00007FF784FE1000-memory.dmp	upx
behavioral2/memory/3372-6-0x00007FF6E5320000-0x00007FF6E5671000-memory.dmp	upx
behavioral2/files/0x0007000000023cc4-23.dat	upx
behavioral2/files/0x0008000000023cbf-35.dat	upx
behavioral2/files/0x0007000000023cc6-39.dat	upx
behavioral2/files/0x0007000000023cc7-47.dat	upx
behavioral2/memory/4208-52-0x00007FF78CF30000-0x00007FF78D281000-memory.dmp	upx
behavioral2/files/0x0007000000023cc9-59.dat	upx
behavioral2/memory/4276-61-0x00007FF7F9930000-0x00007FF7F9C81000-memory.dmp	upx
behavioral2/memory/3372-60-0x00007FF6E5320000-0x00007FF6E5671000-memory.dmp	upx
behavioral2/files/0x0007000000023cc8-54.dat	upx
behavioral2/memory/1664-53-0x00007FF63F0B0000-0x00007FF63F401000-memory.dmp	upx
behavioral2/memory/1844-50-0x00007FF7F4870000-0x00007FF7F4BC1000-memory.dmp	upx
behavioral2/memory/4604-46-0x00007FF65EB70000-0x00007FF65EEC1000-memory.dmp	upx
behavioral2/memory/1516-38-0x00007FF7A4A80000-0x00007FF7A4DD1000-memory.dmp	upx
behavioral2/memory/3052-34-0x00007FF6D15D0000-0x00007FF6D1921000-memory.dmp	upx
behavioral2/files/0x0007000000023cc5-32.dat	upx
behavioral2/memory/2664-27-0x00007FF65B3E0000-0x00007FF65B731000-memory.dmp	upx
behavioral2/files/0x0007000000023ccc-74.dat	upx
behavioral2/memory/2032-80-0x00007FF636690000-0x00007FF6369E1000-memory.dmp	upx
behavioral2/files/0x0007000000023cce-86.dat	upx
behavioral2/memory/1516-94-0x00007FF7A4A80000-0x00007FF7A4DD1000-memory.dmp	upx
behavioral2/memory/4272-102-0x00007FF790B40000-0x00007FF790E91000-memory.dmp	upx
behavioral2/files/0x0007000000023cd2-116.dat	upx
behavioral2/files/0x0007000000023cd1-120.dat	upx
behavioral2/memory/1664-128-0x00007FF63F0B0000-0x00007FF63F401000-memory.dmp	upx
behavioral2/files/0x0007000000023cd3-126.dat	upx
behavioral2/memory/2472-123-0x00007FF7BED70000-0x00007FF7BF0C1000-memory.dmp	upx
behavioral2/memory/4600-122-0x00007FF676670000-0x00007FF6769C1000-memory.dmp	upx
behavioral2/memory/1844-119-0x00007FF7F4870000-0x00007FF7F4BC1000-memory.dmp	upx
behavioral2/memory/4544-118-0x00007FF6C0040000-0x00007FF6C0391000-memory.dmp	upx
behavioral2/files/0x0007000000023cd0-115.dat	upx
behavioral2/memory/1180-114-0x00007FF60C9A0000-0x00007FF60CCF1000-memory.dmp	upx
behavioral2/memory/4604-110-0x00007FF65EB70000-0x00007FF65EEC1000-memory.dmp	upx
behavioral2/files/0x0007000000023ccf-98.dat	upx
behavioral2/memory/812-90-0x00007FF621350000-0x00007FF6216A1000-memory.dmp	upx
behavioral2/memory/3052-88-0x00007FF6D15D0000-0x00007FF6D1921000-memory.dmp	upx
behavioral2/files/0x0007000000023ccd-85.dat	upx
behavioral2/memory/1536-84-0x00007FF758010000-0x00007FF758361000-memory.dmp	upx
behavioral2/memory/2664-79-0x00007FF65B3E0000-0x00007FF65B731000-memory.dmp	upx
behavioral2/files/0x0007000000023cca-70.dat	upx
behavioral2/memory/4068-69-0x00007FF7E7F50000-0x00007FF7E82A1000-memory.dmp	upx
behavioral2/memory/4276-138-0x00007FF7F9930000-0x00007FF7F9C81000-memory.dmp	upx
behavioral2/files/0x0007000000023cd4-140.dat	upx
behavioral2/files/0x0007000000023cd5-147.dat	upx
behavioral2/memory/4512-146-0x00007FF721D40000-0x00007FF722091000-memory.dmp	upx
behavioral2/memory/4068-145-0x00007FF7E7F50000-0x00007FF7E82A1000-memory.dmp	upx
behavioral2/memory/4940-144-0x00007FF66D160000-0x00007FF66D4B1000-memory.dmp	upx
behavioral2/memory/4208-148-0x00007FF78CF30000-0x00007FF78D281000-memory.dmp	upx
behavioral2/memory/1536-156-0x00007FF758010000-0x00007FF758361000-memory.dmp	upx
behavioral2/memory/4940-163-0x00007FF66D160000-0x00007FF66D4B1000-memory.dmp	upx
behavioral2/memory/4600-162-0x00007FF676670000-0x00007FF6769C1000-memory.dmp	upx
behavioral2/memory/2472-161-0x00007FF7BED70000-0x00007FF7BF0C1000-memory.dmp	upx
behavioral2/memory/4544-160-0x00007FF6C0040000-0x00007FF6C0391000-memory.dmp	upx
behavioral2/memory/1180-159-0x00007FF60C9A0000-0x00007FF60CCF1000-memory.dmp	upx
behavioral2/memory/4272-158-0x00007FF790B40000-0x00007FF790E91000-memory.dmp	upx
behavioral2/memory/812-157-0x00007FF621350000-0x00007FF6216A1000-memory.dmp	upx
behavioral2/memory/4512-170-0x00007FF721D40000-0x00007FF722091000-memory.dmp	upx
behavioral2/memory/4208-171-0x00007FF78CF30000-0x00007FF78D281000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\CwZikMo.exe	2024-12-12_65d760b3462d23a111eecc5dc5527a36_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TnMDakU.exe	2024-12-12_65d760b3462d23a111eecc5dc5527a36_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hwbYPDM.exe	2024-12-12_65d760b3462d23a111eecc5dc5527a36_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XKdhltz.exe	2024-12-12_65d760b3462d23a111eecc5dc5527a36_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rlBfZwp.exe	2024-12-12_65d760b3462d23a111eecc5dc5527a36_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xgrMUfZ.exe	2024-12-12_65d760b3462d23a111eecc5dc5527a36_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tTAitmw.exe	2024-12-12_65d760b3462d23a111eecc5dc5527a36_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qoianhu.exe	2024-12-12_65d760b3462d23a111eecc5dc5527a36_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UmpEVyW.exe	2024-12-12_65d760b3462d23a111eecc5dc5527a36_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oaBnGyh.exe	2024-12-12_65d760b3462d23a111eecc5dc5527a36_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iwEkuPF.exe	2024-12-12_65d760b3462d23a111eecc5dc5527a36_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AGpFgyF.exe	2024-12-12_65d760b3462d23a111eecc5dc5527a36_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eOhEzbJ.exe	2024-12-12_65d760b3462d23a111eecc5dc5527a36_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QxbUbvY.exe	2024-12-12_65d760b3462d23a111eecc5dc5527a36_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VUTOVvH.exe	2024-12-12_65d760b3462d23a111eecc5dc5527a36_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GgxaWHu.exe	2024-12-12_65d760b3462d23a111eecc5dc5527a36_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PCObAYF.exe	2024-12-12_65d760b3462d23a111eecc5dc5527a36_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hEryTux.exe	2024-12-12_65d760b3462d23a111eecc5dc5527a36_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nxQsOuE.exe	2024-12-12_65d760b3462d23a111eecc5dc5527a36_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hAxUcwQ.exe	2024-12-12_65d760b3462d23a111eecc5dc5527a36_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ndAbWRG.exe	2024-12-12_65d760b3462d23a111eecc5dc5527a36_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4208	2024-12-12_65d760b3462d23a111eecc5dc5527a36_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4208	2024-12-12_65d760b3462d23a111eecc5dc5527a36_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4208 wrote to memory of 3372	4208	2024-12-12_65d760b3462d23a111eecc5dc5527a36_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 4208 wrote to memory of 3372	4208	2024-12-12_65d760b3462d23a111eecc5dc5527a36_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 4208 wrote to memory of 3368	4208	2024-12-12_65d760b3462d23a111eecc5dc5527a36_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4208 wrote to memory of 3368	4208	2024-12-12_65d760b3462d23a111eecc5dc5527a36_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4208 wrote to memory of 4652	4208	2024-12-12_65d760b3462d23a111eecc5dc5527a36_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4208 wrote to memory of 4652	4208	2024-12-12_65d760b3462d23a111eecc5dc5527a36_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4208 wrote to memory of 2664	4208	2024-12-12_65d760b3462d23a111eecc5dc5527a36_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4208 wrote to memory of 2664	4208	2024-12-12_65d760b3462d23a111eecc5dc5527a36_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4208 wrote to memory of 3052	4208	2024-12-12_65d760b3462d23a111eecc5dc5527a36_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4208 wrote to memory of 3052	4208	2024-12-12_65d760b3462d23a111eecc5dc5527a36_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4208 wrote to memory of 1516	4208	2024-12-12_65d760b3462d23a111eecc5dc5527a36_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4208 wrote to memory of 1516	4208	2024-12-12_65d760b3462d23a111eecc5dc5527a36_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4208 wrote to memory of 4604	4208	2024-12-12_65d760b3462d23a111eecc5dc5527a36_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4208 wrote to memory of 4604	4208	2024-12-12_65d760b3462d23a111eecc5dc5527a36_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4208 wrote to memory of 1844	4208	2024-12-12_65d760b3462d23a111eecc5dc5527a36_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4208 wrote to memory of 1844	4208	2024-12-12_65d760b3462d23a111eecc5dc5527a36_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4208 wrote to memory of 1664	4208	2024-12-12_65d760b3462d23a111eecc5dc5527a36_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4208 wrote to memory of 1664	4208	2024-12-12_65d760b3462d23a111eecc5dc5527a36_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4208 wrote to memory of 4276	4208	2024-12-12_65d760b3462d23a111eecc5dc5527a36_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4208 wrote to memory of 4276	4208	2024-12-12_65d760b3462d23a111eecc5dc5527a36_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4208 wrote to memory of 4068	4208	2024-12-12_65d760b3462d23a111eecc5dc5527a36_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4208 wrote to memory of 4068	4208	2024-12-12_65d760b3462d23a111eecc5dc5527a36_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4208 wrote to memory of 2032	4208	2024-12-12_65d760b3462d23a111eecc5dc5527a36_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4208 wrote to memory of 2032	4208	2024-12-12_65d760b3462d23a111eecc5dc5527a36_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4208 wrote to memory of 1536	4208	2024-12-12_65d760b3462d23a111eecc5dc5527a36_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4208 wrote to memory of 1536	4208	2024-12-12_65d760b3462d23a111eecc5dc5527a36_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4208 wrote to memory of 812	4208	2024-12-12_65d760b3462d23a111eecc5dc5527a36_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4208 wrote to memory of 812	4208	2024-12-12_65d760b3462d23a111eecc5dc5527a36_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4208 wrote to memory of 4272	4208	2024-12-12_65d760b3462d23a111eecc5dc5527a36_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4208 wrote to memory of 4272	4208	2024-12-12_65d760b3462d23a111eecc5dc5527a36_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4208 wrote to memory of 1180	4208	2024-12-12_65d760b3462d23a111eecc5dc5527a36_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4208 wrote to memory of 1180	4208	2024-12-12_65d760b3462d23a111eecc5dc5527a36_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4208 wrote to memory of 4544	4208	2024-12-12_65d760b3462d23a111eecc5dc5527a36_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4208 wrote to memory of 4544	4208	2024-12-12_65d760b3462d23a111eecc5dc5527a36_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4208 wrote to memory of 2472	4208	2024-12-12_65d760b3462d23a111eecc5dc5527a36_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4208 wrote to memory of 2472	4208	2024-12-12_65d760b3462d23a111eecc5dc5527a36_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4208 wrote to memory of 4600	4208	2024-12-12_65d760b3462d23a111eecc5dc5527a36_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4208 wrote to memory of 4600	4208	2024-12-12_65d760b3462d23a111eecc5dc5527a36_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4208 wrote to memory of 4940	4208	2024-12-12_65d760b3462d23a111eecc5dc5527a36_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4208 wrote to memory of 4940	4208	2024-12-12_65d760b3462d23a111eecc5dc5527a36_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4208 wrote to memory of 4512	4208	2024-12-12_65d760b3462d23a111eecc5dc5527a36_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4208 wrote to memory of 4512	4208	2024-12-12_65d760b3462d23a111eecc5dc5527a36_cobalt-strike_cobaltstrike_poet-rat.exe	103

C:\Users\Admin\AppData\Local\Temp\2024-12-12_65d760b3462d23a111eecc5dc5527a36_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-12_65d760b3462d23a111eecc5dc5527a36_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4208
- C:\Windows\System\hwbYPDM.exe
  C:\Windows\System\hwbYPDM.exe
  2⤵
  - Executes dropped EXE
  PID:3372
- C:\Windows\System\hEryTux.exe
  C:\Windows\System\hEryTux.exe
  2⤵
  - Executes dropped EXE
  PID:3368
- C:\Windows\System\XKdhltz.exe
  C:\Windows\System\XKdhltz.exe
  2⤵
  - Executes dropped EXE
  PID:4652
- C:\Windows\System\GgxaWHu.exe
  C:\Windows\System\GgxaWHu.exe
  2⤵
  - Executes dropped EXE
  PID:2664
- C:\Windows\System\nxQsOuE.exe
  C:\Windows\System\nxQsOuE.exe
  2⤵
  - Executes dropped EXE
  PID:3052
- C:\Windows\System\rlBfZwp.exe
  C:\Windows\System\rlBfZwp.exe
  2⤵
  - Executes dropped EXE
  PID:1516
- C:\Windows\System\hAxUcwQ.exe
  C:\Windows\System\hAxUcwQ.exe
  2⤵
  - Executes dropped EXE
  PID:4604
- C:\Windows\System\PCObAYF.exe
  C:\Windows\System\PCObAYF.exe
  2⤵
  - Executes dropped EXE
  PID:1844
- C:\Windows\System\iwEkuPF.exe
  C:\Windows\System\iwEkuPF.exe
  2⤵
  - Executes dropped EXE
  PID:1664
- C:\Windows\System\AGpFgyF.exe
  C:\Windows\System\AGpFgyF.exe
  2⤵
  - Executes dropped EXE
  PID:4276
- C:\Windows\System\xgrMUfZ.exe
  C:\Windows\System\xgrMUfZ.exe
  2⤵
  - Executes dropped EXE
  PID:4068
- C:\Windows\System\eOhEzbJ.exe
  C:\Windows\System\eOhEzbJ.exe
  2⤵
  - Executes dropped EXE
  PID:2032
- C:\Windows\System\QxbUbvY.exe
  C:\Windows\System\QxbUbvY.exe
  2⤵
  - Executes dropped EXE
  PID:1536
- C:\Windows\System\ndAbWRG.exe
  C:\Windows\System\ndAbWRG.exe
  2⤵
  - Executes dropped EXE
  PID:812
- C:\Windows\System\tTAitmw.exe
  C:\Windows\System\tTAitmw.exe
  2⤵
  - Executes dropped EXE
  PID:4272
- C:\Windows\System\qoianhu.exe
  C:\Windows\System\qoianhu.exe
  2⤵
  - Executes dropped EXE
  PID:1180
- C:\Windows\System\UmpEVyW.exe
  C:\Windows\System\UmpEVyW.exe
  2⤵
  - Executes dropped EXE
  PID:4544
- C:\Windows\System\CwZikMo.exe
  C:\Windows\System\CwZikMo.exe
  2⤵
  - Executes dropped EXE
  PID:2472
- C:\Windows\System\oaBnGyh.exe
  C:\Windows\System\oaBnGyh.exe
  2⤵
  - Executes dropped EXE
  PID:4600
- C:\Windows\System\VUTOVvH.exe
  C:\Windows\System\VUTOVvH.exe
  2⤵
  - Executes dropped EXE
  PID:4940
- C:\Windows\System\TnMDakU.exe
  C:\Windows\System\TnMDakU.exe
  2⤵
  - Executes dropped EXE
  PID:4512

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AGpFgyF.exe

Filesize
5.2MB

MD5
058a6282a54b4a27f9a39c3f2604d460

SHA1
9c718ee95d802a1527ed034584ec9c3251ac6216

SHA256
469f4f1a849f96572b6a1528a0912868ec24a15173b30ae553aa29c0bdfa57ea

SHA512
c5098154948933987a4b1b3d14b3d6de86f79124a2a9b9fbaf1fc2a17eb887a6da0715b4f9ac288da4a98a26218c8817d7c1dffc819fc33f878d069b6b22da2a

Download Submit
C:\Windows\System\CwZikMo.exe

Filesize
5.2MB

MD5
80a5a7f798baf725de09c0f900325b1c

SHA1
239d0ab681b77fe988b3e241a1a182a6b494d3b4

SHA256
9761b871e0d4b8e60e5cd3bbb0363d213e67e415baef5ce1c8a1a16fd8c72842

SHA512
e08a0b9e96fc4594d66ca63375757d8a78cf7e58eca8af8f619e6c5a839d5a29170100151b0bfcf8cba897a6eabed60ef2e47815ba58ba81ae4e4980bf3f0674

Download Submit
C:\Windows\System\GgxaWHu.exe

Filesize
5.2MB

MD5
8b65cb49a02363983fe71d196105178a

SHA1
7f12f97d34ea05d7b7e3e3483162cc4a0d7df5cb

SHA256
1082e8d5491724bcc55b0278b5b295b253353c7421e795dd4753199bdfee3bc9

SHA512
96d6bf7873f0bf82535597d67cf741443f238d9e1d39950e71e4f3fd1276f10536a17638ca5128972152cf57c44a18ca2b7b9f8d8459c5fa6ffa4db50e8eb396

Download Submit
C:\Windows\System\PCObAYF.exe

Filesize
5.2MB

MD5
94caa1d6f4a239da88dce9a2304bbc6e

SHA1
cc7e68ce3a6641e4013d2788b374d2d04e5741d6

SHA256
ec24924becb888042d8c321618f243c1b6dee3a255d6caadbd83f2ab6dd21b11

SHA512
a9aeb3684a4c581290e5009a7857d7f9b7fc47971da4731bb12a8eb5eac8dabf32cb819edb91b756dfbd753fc318ad30d4b6384abaaf87dbe9a8b7ee67f2a89d

Download Submit
C:\Windows\System\QxbUbvY.exe

Filesize
5.2MB

MD5
a02dcec6a68b106cd869925bf5bb9e62

SHA1
4773300724a84774a9f996394e6337938e62fd21

SHA256
5106ad188bf8fa5f6f88dfb7a201b0091e78fd2d30ee9b8907932606aa93ebdb

SHA512
e41c0803494496935d255f05bc5123cb7a30e260a1dab2beb972d255c4184b8b9df1a5aeb3e1a27bf5c29234f104efb6e08ba11f98c2cef17591a225551d6fee

Download Submit
C:\Windows\System\TnMDakU.exe

Filesize
5.2MB

MD5
018ae6976d254b0fa99a9df1fec868ce

SHA1
18aca6d0a4e94d2b5ef47f0daa7bd48bc29d9bef

SHA256
4c4da358266e5d85d69fb3aa5f0aacbcabba2d14f3009977d79757197c5b14ca

SHA512
a4695f65e6e1eaea77fdebabfd3ff95412b59b92dc287f37463f49b838ddcc42782b5f8f77d0352a1b3d436e07316a5a9e1f1ecf0ac25c4b9a141e834e7a90b0

Download Submit
C:\Windows\System\UmpEVyW.exe

Filesize
5.2MB

MD5
548039f117b21121a1ce26935f19fee3

SHA1
483d4225095876eea734d825d948e1031be179a6

SHA256
f5029ea6813cf5cd708353cf39e528161a0985dd57027a56b98101831a00e0eb

SHA512
ed099b8b31ce405f7d8c15a0dd4270ed069717f932031d8b9e383e5de4063d2ae491e43efbe31f16b9e71f3b72f67a602627709683f9dbc54e770b30d169dc77

Download Submit
C:\Windows\System\VUTOVvH.exe

Filesize
5.2MB

MD5
d44fd4937adf7f7be66652f5b565afb8

SHA1
35602ef8937cc06ead7bde33fb67524ee9ccec97

SHA256
a827cbaf27dd07fb8c2b14c0e01094d4f57a3f1e3028f4a56464ac7af197d0af

SHA512
a4391812e1c63d78009a6e25d6bd37d870e30b1b4583d76c5e7116565b977a057c18d9a1817c096a450db120ddd77c21774b557927d149ab8b7732ec66c81ca0

Download Submit
C:\Windows\System\XKdhltz.exe

Filesize
5.2MB

MD5
15143877c315e8152c10fbe322d08b32

SHA1
9e4c7548fa73a3112fcb902354d7b44eccc8a07e

SHA256
0ecb6cf474091a88aff1fe7a32116e8eb7e467fe0d9f5ee16b209e76ec71d41b

SHA512
8228f8370675a7552a437cf4510c7ee8d4ccdc8491e23cf897570e9a8f06c4aa90fa20589faa261568042004c5373ed674cf02b522a5f28346c04dcd8531d5c3

Download Submit
C:\Windows\System\eOhEzbJ.exe

Filesize
5.2MB

MD5
8398eee1e6113cb2bd1d738510e88c4b

SHA1
8c1eaf8fd60da5d0d2b8d01b9c9705d39d93413c

SHA256
68731729c2dbd1ff2da5538d6ca2d4c5ead353f9cdf6e0e033a2d338709bdf26

SHA512
86a25041f16333b455c08b09fa874887430d7f20881d57bbc35757e6884bab61449b1da97b07cae71b4ec9fd40a68791e3907c56fdaee02c2f0dcb0e4f96cfc9

Download Submit
C:\Windows\System\hAxUcwQ.exe

Filesize
5.2MB

MD5
999c70ece45adb6b0b8169677c52ab3c

SHA1
e7c54cc40a5092543fe6c27ea5f533b27057d7d1

SHA256
ca5f1755092592ca71c5e4538280363474659811e3a162e50a26696d39653fa0

SHA512
8fe8f28f1e27292c42d5c0a5cb6f108a53cc60919a8e6018666eb772927f80fd29c45b4bf9899c21be5349b7e75a9b04b7cf82e00c3eda29e39ece4d2ae45b9a

Download Submit
C:\Windows\System\hEryTux.exe

Filesize
5.2MB

MD5
b1840a29baab2733e62945ba510054d9

SHA1
2231c5a8a2318defeb0c6d5d560eaecd0f4bfb39

SHA256
386b887b09f167a77e3dc76868213a988f7d9e56d035785d088b5ebe7dc1b2de

SHA512
42c5f27b09cbf0e5602d68d395471dca42bf8f568a04fa3084c132f9d2401ae6e0bcd775f22c3347876da5a0e8ecea30cab6a29ffb7f68e1538b6afbca920ce1

Download Submit
C:\Windows\System\hwbYPDM.exe

Filesize
5.2MB

MD5
7eef1be463b5c650bcfff24641fa3fbb

SHA1
f64af38b4cb85f288541fed513543ef6a4b27737

SHA256
fc4af6be884acd0cfbbde24333fb599c593e685f4feabbefd276456cf0024dc3

SHA512
d6d6f3608429a295ab3da7973ae0c83125e93e7876a2f04e853253dbc50afeb13122d739a9b3daa3686c7df7fc07191112708050a66737a3b2ae0d5481483f56

Download Submit
C:\Windows\System\iwEkuPF.exe

Filesize
5.2MB

MD5
bb7e6c5d77aeed6e7b3a3da7b752b363

SHA1
a929a02d8a6bb88133bef563d125e562cf73352f

SHA256
c1192ad9206c7797bc6953ffb64f6b8d5a33c2e3c67fc11c92cca4bea087c1ff

SHA512
e5ca1452a346c8bc48f85c4f2041aaa5f688f9456d036cb8dcb144952a2909ecd34f79eb26e22dfb6cc67d7c7864438255e6fa6ee09c2f7e618cc3d38ec6cce0

Download Submit
C:\Windows\System\ndAbWRG.exe

Filesize
5.2MB

MD5
c4d8b12853dd9f8d1f4ec7dde95d854d

SHA1
3f40e4016f0e481e1a7978e045ce74cb98229363

SHA256
b7f94668f4d2a6332fa3a93d180713366faf8f66088da509255340fa6fc6ea0e

SHA512
a1b68c6f69e36ca1fa8cab0f00b11166e4e401bc70e36193ba7774bb08ff3b4b112d4dba54965fc8929e887a9de0737ce3a2e6d0549f6f6731de1a70ca9f9858

Download Submit
C:\Windows\System\nxQsOuE.exe

Filesize
5.2MB

MD5
70ee63626415c23c28f09185694aa5f4

SHA1
f5435edb168faefec265bc342a10f68e78a3216a

SHA256
b086f8ae1ee76e699c9db5633ef0c2a6a473aa29d8af4284c10e3aadb5b9938e

SHA512
d3a5d7943b43aa8f4e1caafc1567d506adc79055df6b05777458e7d5f5439740976eb4f4003488a1a34249dd70c01cd8413c1fba2ad1c56b7628979c2284001d

Download Submit
C:\Windows\System\oaBnGyh.exe

Filesize
5.2MB

MD5
4468ae3cadaa39d724a6dd1db8f3a45e

SHA1
b2d57db7223596892c9f536759aef5ed8688424a

SHA256
9cab83b01c8b362ab69433adf4bd4ce4ead2420cf102eaa9a8bd61ee612d80f2

SHA512
f8ea08144c6c91660f6e5a85fae02f7ebeade1af966ca98287c5b98f6b6df90e53f945a36f3e7c760632e6c89888bc1e1baae9c3542b55c8fdf46fd3081f225a

Download Submit
C:\Windows\System\qoianhu.exe

Filesize
5.2MB

MD5
da3474330211a92254eb700ea871f7ad

SHA1
0f6129461b556d9cb6d705418462d886e80b4b67

SHA256
2465a369f0afc511c38076617e5d786782a3b24fcb536d53d82de71218ba1276

SHA512
8d9b3f45ea89af5ff35ddaef7fa4a1d00203c493cb73574502493e641a8aadedf12174a39c24963cde987f03c1461f47c77a91a88686d4aaf8f35c33e9eb49d7

Download Submit
C:\Windows\System\rlBfZwp.exe

Filesize
5.2MB

MD5
ab6c3d23d5977e12a296117eeaab5820

SHA1
ec14b3cd434268d36b4d75c3da283c0785297e8e

SHA256
1877a673d9de1cf6d32b61d176deb6608203b9797cb8911a26e21e52e5f79660

SHA512
d9fe18cfed9f330e0e8a3dcfacc8514e7d0cfc6c7b275ef2f00cb6f9979f3d68c646068a6d99c429df27f019482cabd52dc3448690d72ac22f0e855398d125bc

Download Submit
C:\Windows\System\tTAitmw.exe

Filesize
5.2MB

MD5
69e0d3ded1af4a0dbe7d6f8c025619e9

SHA1
3b6e39d69b02f3186057857d4efe1a9319572b38

SHA256
8c0598d48f53f20937107ca047a627ce74c750c6c635e111aff8cefe04f2a2ae

SHA512
f82f8641a7d37fabf08186b8d35f539720fa5ec543b027b3eea188b8e5eba17eda5c5acf52c743854557b1e385da213597f3a19b4df0eeeba58d53812a741ee1

Download Submit
C:\Windows\System\xgrMUfZ.exe

Filesize
5.2MB

MD5
83c5f4c707bb6b2a006ec15a09d455e0

SHA1
748a1261873f009d121964414e3e0a3877277ae5

SHA256
d4573dc03941c0964d076196560081859e3cb6aee9fcef918c5ce7f73ecc48bc

SHA512
5c2e26e7c0c664dba5605a67534bd9f4bbeaf4d153704cbf1501fb8c6198a5d4cb2ba9fd4e38db1c4e1c5428ef0d9e520c6bebddf7be0799aef25fc85845ebbe

Download Submit
memory/812-157-0x00007FF621350000-0x00007FF6216A1000-memory.dmp

Filesize
3.3MB

Download
memory/812-90-0x00007FF621350000-0x00007FF6216A1000-memory.dmp

Filesize
3.3MB

Download
memory/812-251-0x00007FF621350000-0x00007FF6216A1000-memory.dmp

Filesize
3.3MB

Download
memory/1180-114-0x00007FF60C9A0000-0x00007FF60CCF1000-memory.dmp

Filesize
3.3MB

Download
memory/1180-159-0x00007FF60C9A0000-0x00007FF60CCF1000-memory.dmp

Filesize
3.3MB

Download
memory/1180-263-0x00007FF60C9A0000-0x00007FF60CCF1000-memory.dmp

Filesize
3.3MB

Download
memory/1516-38-0x00007FF7A4A80000-0x00007FF7A4DD1000-memory.dmp

Filesize
3.3MB

Download
memory/1516-94-0x00007FF7A4A80000-0x00007FF7A4DD1000-memory.dmp

Filesize
3.3MB

Download
memory/1516-227-0x00007FF7A4A80000-0x00007FF7A4DD1000-memory.dmp

Filesize
3.3MB

Download
memory/1536-250-0x00007FF758010000-0x00007FF758361000-memory.dmp

Filesize
3.3MB

Download
memory/1536-156-0x00007FF758010000-0x00007FF758361000-memory.dmp

Filesize
3.3MB

Download
memory/1536-84-0x00007FF758010000-0x00007FF758361000-memory.dmp

Filesize
3.3MB

Download
memory/1664-53-0x00007FF63F0B0000-0x00007FF63F401000-memory.dmp

Filesize
3.3MB

Download
memory/1664-128-0x00007FF63F0B0000-0x00007FF63F401000-memory.dmp

Filesize
3.3MB

Download
memory/1664-231-0x00007FF63F0B0000-0x00007FF63F401000-memory.dmp

Filesize
3.3MB

Download
memory/1844-229-0x00007FF7F4870000-0x00007FF7F4BC1000-memory.dmp

Filesize
3.3MB

Download
memory/1844-50-0x00007FF7F4870000-0x00007FF7F4BC1000-memory.dmp

Filesize
3.3MB

Download
memory/1844-119-0x00007FF7F4870000-0x00007FF7F4BC1000-memory.dmp

Filesize
3.3MB

Download
memory/2032-247-0x00007FF636690000-0x00007FF6369E1000-memory.dmp

Filesize
3.3MB

Download
memory/2032-80-0x00007FF636690000-0x00007FF6369E1000-memory.dmp

Filesize
3.3MB

Download
memory/2472-260-0x00007FF7BED70000-0x00007FF7BF0C1000-memory.dmp

Filesize
3.3MB

Download
memory/2472-161-0x00007FF7BED70000-0x00007FF7BF0C1000-memory.dmp

Filesize
3.3MB

Download
memory/2472-123-0x00007FF7BED70000-0x00007FF7BF0C1000-memory.dmp

Filesize
3.3MB

Download
memory/2664-79-0x00007FF65B3E0000-0x00007FF65B731000-memory.dmp

Filesize
3.3MB

Download
memory/2664-221-0x00007FF65B3E0000-0x00007FF65B731000-memory.dmp

Filesize
3.3MB

Download
memory/2664-27-0x00007FF65B3E0000-0x00007FF65B731000-memory.dmp

Filesize
3.3MB

Download
memory/3052-34-0x00007FF6D15D0000-0x00007FF6D1921000-memory.dmp

Filesize
3.3MB

Download
memory/3052-88-0x00007FF6D15D0000-0x00007FF6D1921000-memory.dmp

Filesize
3.3MB

Download
memory/3052-223-0x00007FF6D15D0000-0x00007FF6D1921000-memory.dmp

Filesize
3.3MB

Download
memory/3368-16-0x00007FF6E94A0000-0x00007FF6E97F1000-memory.dmp

Filesize
3.3MB

Download
memory/3368-211-0x00007FF6E94A0000-0x00007FF6E97F1000-memory.dmp

Filesize
3.3MB

Download
memory/3372-210-0x00007FF6E5320000-0x00007FF6E5671000-memory.dmp

Filesize
3.3MB

Download
memory/3372-60-0x00007FF6E5320000-0x00007FF6E5671000-memory.dmp

Filesize
3.3MB

Download
memory/3372-6-0x00007FF6E5320000-0x00007FF6E5671000-memory.dmp

Filesize
3.3MB

Download
memory/4068-245-0x00007FF7E7F50000-0x00007FF7E82A1000-memory.dmp

Filesize
3.3MB

Download
memory/4068-145-0x00007FF7E7F50000-0x00007FF7E82A1000-memory.dmp

Filesize
3.3MB

Download
memory/4068-69-0x00007FF7E7F50000-0x00007FF7E82A1000-memory.dmp

Filesize
3.3MB

Download
memory/4208-171-0x00007FF78CF30000-0x00007FF78D281000-memory.dmp

Filesize
3.3MB

Download
memory/4208-148-0x00007FF78CF30000-0x00007FF78D281000-memory.dmp

Filesize
3.3MB

Download
memory/4208-52-0x00007FF78CF30000-0x00007FF78D281000-memory.dmp

Filesize
3.3MB

Download
memory/4208-0-0x00007FF78CF30000-0x00007FF78D281000-memory.dmp

Filesize
3.3MB

Download
memory/4208-1-0x0000025E213A0000-0x0000025E213B0000-memory.dmp

Filesize
64KB

Download
memory/4272-158-0x00007FF790B40000-0x00007FF790E91000-memory.dmp

Filesize
3.3MB

Download
memory/4272-102-0x00007FF790B40000-0x00007FF790E91000-memory.dmp

Filesize
3.3MB

Download
memory/4272-255-0x00007FF790B40000-0x00007FF790E91000-memory.dmp

Filesize
3.3MB

Download
memory/4276-233-0x00007FF7F9930000-0x00007FF7F9C81000-memory.dmp

Filesize
3.3MB

Download
memory/4276-138-0x00007FF7F9930000-0x00007FF7F9C81000-memory.dmp

Filesize
3.3MB

Download
memory/4276-61-0x00007FF7F9930000-0x00007FF7F9C81000-memory.dmp

Filesize
3.3MB

Download
memory/4512-146-0x00007FF721D40000-0x00007FF722091000-memory.dmp

Filesize
3.3MB

Download
memory/4512-269-0x00007FF721D40000-0x00007FF722091000-memory.dmp

Filesize
3.3MB

Download
memory/4512-170-0x00007FF721D40000-0x00007FF722091000-memory.dmp

Filesize
3.3MB

Download
memory/4544-257-0x00007FF6C0040000-0x00007FF6C0391000-memory.dmp

Filesize
3.3MB

Download
memory/4544-160-0x00007FF6C0040000-0x00007FF6C0391000-memory.dmp

Filesize
3.3MB

Download
memory/4544-118-0x00007FF6C0040000-0x00007FF6C0391000-memory.dmp

Filesize
3.3MB

Download
memory/4600-122-0x00007FF676670000-0x00007FF6769C1000-memory.dmp

Filesize
3.3MB

Download
memory/4600-262-0x00007FF676670000-0x00007FF6769C1000-memory.dmp

Filesize
3.3MB

Download
memory/4600-162-0x00007FF676670000-0x00007FF6769C1000-memory.dmp

Filesize
3.3MB

Download
memory/4604-226-0x00007FF65EB70000-0x00007FF65EEC1000-memory.dmp

Filesize
3.3MB

Download
memory/4604-46-0x00007FF65EB70000-0x00007FF65EEC1000-memory.dmp

Filesize
3.3MB

Download
memory/4604-110-0x00007FF65EB70000-0x00007FF65EEC1000-memory.dmp

Filesize
3.3MB

Download
memory/4652-213-0x00007FF784C90000-0x00007FF784FE1000-memory.dmp

Filesize
3.3MB

Download
memory/4652-20-0x00007FF784C90000-0x00007FF784FE1000-memory.dmp

Filesize
3.3MB

Download
memory/4940-144-0x00007FF66D160000-0x00007FF66D4B1000-memory.dmp

Filesize
3.3MB

Download
memory/4940-163-0x00007FF66D160000-0x00007FF66D4B1000-memory.dmp

Filesize
3.3MB

Download
memory/4940-266-0x00007FF66D160000-0x00007FF66D4B1000-memory.dmp

Filesize
3.3MB

Download