cobaltstrike | cc6e0bb06efb785a4e4e3c938bb3062e3a26c0078f81e2cff5d65919e9fb6829

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14-12-2024 02:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-14_44966508581295940c56857c364f5e7b_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

44966508581295940c56857c364f5e7b
SHA1

625db84125d70f31ffd4f2e5e6d854eb4779008a
SHA256

cc6e0bb06efb785a4e4e3c938bb3062e3a26c0078f81e2cff5d65919e9fb6829
SHA512

46c9ceccb323b9150f5242f4ec72ece9c17e66485e307235812463ee57026d23369aa42f34eea82c28c6a9ec022dfa2c878f44859acb6b608abbf0e8c5357811
SSDEEP

49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lf:RWWBibd56utgpPFotBER/mQ32lU7

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000b000000023b36-4.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b38-11.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b37-10.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b3c-41.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b3e-52.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b3f-57.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b40-69.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b3d-49.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b3b-35.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b3a-33.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b39-23.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b41-75.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b42-80.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b44-93.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b45-105.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b43-102.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b47-111.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b46-112.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b4a-127.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b49-130.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b48-129.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/416-60-0x00007FF7B9270000-0x00007FF7B95C1000-memory.dmp	xmrig
behavioral2/memory/4684-67-0x00007FF641180000-0x00007FF6414D1000-memory.dmp	xmrig
behavioral2/memory/3112-42-0x00007FF7BB8F0000-0x00007FF7BBC41000-memory.dmp	xmrig
behavioral2/memory/1616-71-0x00007FF730F60000-0x00007FF7312B1000-memory.dmp	xmrig
behavioral2/memory/3608-72-0x00007FF7CE9B0000-0x00007FF7CED01000-memory.dmp	xmrig
behavioral2/memory/4492-81-0x00007FF731E00000-0x00007FF732151000-memory.dmp	xmrig
behavioral2/memory/3852-120-0x00007FF767900000-0x00007FF767C51000-memory.dmp	xmrig
behavioral2/memory/4972-126-0x00007FF7C7980000-0x00007FF7C7CD1000-memory.dmp	xmrig
behavioral2/memory/4568-125-0x00007FF6E5270000-0x00007FF6E55C1000-memory.dmp	xmrig
behavioral2/memory/924-116-0x00007FF6CD460000-0x00007FF6CD7B1000-memory.dmp	xmrig
behavioral2/memory/2540-97-0x00007FF76FEA0000-0x00007FF7701F1000-memory.dmp	xmrig
behavioral2/memory/1976-91-0x00007FF70D7B0000-0x00007FF70DB01000-memory.dmp	xmrig
behavioral2/memory/3052-83-0x00007FF7EAC10000-0x00007FF7EAF61000-memory.dmp	xmrig
behavioral2/memory/416-136-0x00007FF7B9270000-0x00007FF7B95C1000-memory.dmp	xmrig
behavioral2/memory/4484-147-0x00007FF719110000-0x00007FF719461000-memory.dmp	xmrig
behavioral2/memory/1968-148-0x00007FF671490000-0x00007FF6717E1000-memory.dmp	xmrig
behavioral2/memory/4884-150-0x00007FF774AF0000-0x00007FF774E41000-memory.dmp	xmrig
behavioral2/memory/3512-153-0x00007FF6CEC70000-0x00007FF6CEFC1000-memory.dmp	xmrig
behavioral2/memory/2400-154-0x00007FF7D0810000-0x00007FF7D0B61000-memory.dmp	xmrig
behavioral2/memory/3236-152-0x00007FF720F30000-0x00007FF721281000-memory.dmp	xmrig
behavioral2/memory/5044-158-0x00007FF783D00000-0x00007FF784051000-memory.dmp	xmrig
behavioral2/memory/180-157-0x00007FF6AA220000-0x00007FF6AA571000-memory.dmp	xmrig
behavioral2/memory/1188-159-0x00007FF64DDB0000-0x00007FF64E101000-memory.dmp	xmrig
behavioral2/memory/416-160-0x00007FF7B9270000-0x00007FF7B95C1000-memory.dmp	xmrig
behavioral2/memory/4684-215-0x00007FF641180000-0x00007FF6414D1000-memory.dmp	xmrig
behavioral2/memory/1616-217-0x00007FF730F60000-0x00007FF7312B1000-memory.dmp	xmrig
behavioral2/memory/3608-219-0x00007FF7CE9B0000-0x00007FF7CED01000-memory.dmp	xmrig
behavioral2/memory/4492-221-0x00007FF731E00000-0x00007FF732151000-memory.dmp	xmrig
behavioral2/memory/3112-223-0x00007FF7BB8F0000-0x00007FF7BBC41000-memory.dmp	xmrig
behavioral2/memory/1976-225-0x00007FF70D7B0000-0x00007FF70DB01000-memory.dmp	xmrig
behavioral2/memory/2540-230-0x00007FF76FEA0000-0x00007FF7701F1000-memory.dmp	xmrig
behavioral2/memory/1968-232-0x00007FF671490000-0x00007FF6717E1000-memory.dmp	xmrig
behavioral2/memory/3852-237-0x00007FF767900000-0x00007FF767C51000-memory.dmp	xmrig
behavioral2/memory/924-238-0x00007FF6CD460000-0x00007FF6CD7B1000-memory.dmp	xmrig
behavioral2/memory/4484-235-0x00007FF719110000-0x00007FF719461000-memory.dmp	xmrig
behavioral2/memory/3052-249-0x00007FF7EAC10000-0x00007FF7EAF61000-memory.dmp	xmrig
behavioral2/memory/4884-251-0x00007FF774AF0000-0x00007FF774E41000-memory.dmp	xmrig
behavioral2/memory/3512-253-0x00007FF6CEC70000-0x00007FF6CEFC1000-memory.dmp	xmrig
behavioral2/memory/3236-255-0x00007FF720F30000-0x00007FF721281000-memory.dmp	xmrig
behavioral2/memory/2400-257-0x00007FF7D0810000-0x00007FF7D0B61000-memory.dmp	xmrig
behavioral2/memory/4568-261-0x00007FF6E5270000-0x00007FF6E55C1000-memory.dmp	xmrig
behavioral2/memory/4972-260-0x00007FF7C7980000-0x00007FF7C7CD1000-memory.dmp	xmrig
behavioral2/memory/180-266-0x00007FF6AA220000-0x00007FF6AA571000-memory.dmp	xmrig
behavioral2/memory/1188-268-0x00007FF64DDB0000-0x00007FF64E101000-memory.dmp	xmrig
behavioral2/memory/5044-265-0x00007FF783D00000-0x00007FF784051000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4684	oWgLWdN.exe
1616	qiiickv.exe
3608	rxAArCY.exe
4492	HHfoMTq.exe
1976	QFEeAIL.exe
3112	DzIxNcj.exe
2540	AmAXwUp.exe
924	CLbDzyI.exe
3852	NbFINTZ.exe
4484	VnKlopx.exe
1968	zvhcVEO.exe
3052	JJfEXFW.exe
4884	DjNhiPp.exe
3236	nGRVzZm.exe
3512	KGcQapA.exe
2400	GjyKFXK.exe
4568	boAnagn.exe
4972	ZgSNqso.exe
180	vNgCDNd.exe
5044	KxplrCd.exe
1188	uCwbgas.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/416-0-0x00007FF7B9270000-0x00007FF7B95C1000-memory.dmp	upx
behavioral2/files/0x000b000000023b36-4.dat	upx
behavioral2/memory/4684-8-0x00007FF641180000-0x00007FF6414D1000-memory.dmp	upx
behavioral2/files/0x000a000000023b38-11.dat	upx
behavioral2/files/0x000a000000023b37-10.dat	upx
behavioral2/memory/3608-21-0x00007FF7CE9B0000-0x00007FF7CED01000-memory.dmp	upx
behavioral2/memory/4492-29-0x00007FF731E00000-0x00007FF732151000-memory.dmp	upx
behavioral2/files/0x000a000000023b3c-41.dat	upx
behavioral2/memory/2540-44-0x00007FF76FEA0000-0x00007FF7701F1000-memory.dmp	upx
behavioral2/memory/924-47-0x00007FF6CD460000-0x00007FF6CD7B1000-memory.dmp	upx
behavioral2/files/0x000a000000023b3e-52.dat	upx
behavioral2/files/0x000a000000023b3f-57.dat	upx
behavioral2/memory/416-60-0x00007FF7B9270000-0x00007FF7B95C1000-memory.dmp	upx
behavioral2/memory/4684-67-0x00007FF641180000-0x00007FF6414D1000-memory.dmp	upx
behavioral2/files/0x000a000000023b40-69.dat	upx
behavioral2/memory/1968-68-0x00007FF671490000-0x00007FF6717E1000-memory.dmp	upx
behavioral2/memory/4484-63-0x00007FF719110000-0x00007FF719461000-memory.dmp	upx
behavioral2/memory/3852-55-0x00007FF767900000-0x00007FF767C51000-memory.dmp	upx
behavioral2/files/0x000a000000023b3d-49.dat	upx
behavioral2/memory/3112-42-0x00007FF7BB8F0000-0x00007FF7BBC41000-memory.dmp	upx
behavioral2/memory/1976-39-0x00007FF70D7B0000-0x00007FF70DB01000-memory.dmp	upx
behavioral2/files/0x000a000000023b3b-35.dat	upx
behavioral2/files/0x000a000000023b3a-33.dat	upx
behavioral2/files/0x000a000000023b39-23.dat	upx
behavioral2/memory/1616-14-0x00007FF730F60000-0x00007FF7312B1000-memory.dmp	upx
behavioral2/memory/1616-71-0x00007FF730F60000-0x00007FF7312B1000-memory.dmp	upx
behavioral2/memory/3608-72-0x00007FF7CE9B0000-0x00007FF7CED01000-memory.dmp	upx
behavioral2/files/0x000a000000023b41-75.dat	upx
behavioral2/files/0x000a000000023b42-80.dat	upx
behavioral2/memory/4492-81-0x00007FF731E00000-0x00007FF732151000-memory.dmp	upx
behavioral2/files/0x000a000000023b44-93.dat	upx
behavioral2/files/0x000a000000023b45-105.dat	upx
behavioral2/files/0x000a000000023b43-102.dat	upx
behavioral2/files/0x000a000000023b47-111.dat	upx
behavioral2/files/0x000a000000023b46-112.dat	upx
behavioral2/memory/3852-120-0x00007FF767900000-0x00007FF767C51000-memory.dmp	upx
behavioral2/files/0x000a000000023b4a-127.dat	upx
behavioral2/memory/180-131-0x00007FF6AA220000-0x00007FF6AA571000-memory.dmp	upx
behavioral2/memory/1188-133-0x00007FF64DDB0000-0x00007FF64E101000-memory.dmp	upx
behavioral2/files/0x000a000000023b49-130.dat	upx
behavioral2/files/0x000a000000023b48-129.dat	upx
behavioral2/memory/5044-128-0x00007FF783D00000-0x00007FF784051000-memory.dmp	upx
behavioral2/memory/4972-126-0x00007FF7C7980000-0x00007FF7C7CD1000-memory.dmp	upx
behavioral2/memory/4568-125-0x00007FF6E5270000-0x00007FF6E55C1000-memory.dmp	upx
behavioral2/memory/924-116-0x00007FF6CD460000-0x00007FF6CD7B1000-memory.dmp	upx
behavioral2/memory/2400-99-0x00007FF7D0810000-0x00007FF7D0B61000-memory.dmp	upx
behavioral2/memory/2540-97-0x00007FF76FEA0000-0x00007FF7701F1000-memory.dmp	upx
behavioral2/memory/3512-95-0x00007FF6CEC70000-0x00007FF6CEFC1000-memory.dmp	upx
behavioral2/memory/3236-92-0x00007FF720F30000-0x00007FF721281000-memory.dmp	upx
behavioral2/memory/1976-91-0x00007FF70D7B0000-0x00007FF70DB01000-memory.dmp	upx
behavioral2/memory/4884-90-0x00007FF774AF0000-0x00007FF774E41000-memory.dmp	upx
behavioral2/memory/3052-83-0x00007FF7EAC10000-0x00007FF7EAF61000-memory.dmp	upx
behavioral2/memory/416-136-0x00007FF7B9270000-0x00007FF7B95C1000-memory.dmp	upx
behavioral2/memory/4484-147-0x00007FF719110000-0x00007FF719461000-memory.dmp	upx
behavioral2/memory/1968-148-0x00007FF671490000-0x00007FF6717E1000-memory.dmp	upx
behavioral2/memory/4884-150-0x00007FF774AF0000-0x00007FF774E41000-memory.dmp	upx
behavioral2/memory/3512-153-0x00007FF6CEC70000-0x00007FF6CEFC1000-memory.dmp	upx
behavioral2/memory/2400-154-0x00007FF7D0810000-0x00007FF7D0B61000-memory.dmp	upx
behavioral2/memory/3236-152-0x00007FF720F30000-0x00007FF721281000-memory.dmp	upx
behavioral2/memory/5044-158-0x00007FF783D00000-0x00007FF784051000-memory.dmp	upx
behavioral2/memory/180-157-0x00007FF6AA220000-0x00007FF6AA571000-memory.dmp	upx
behavioral2/memory/1188-159-0x00007FF64DDB0000-0x00007FF64E101000-memory.dmp	upx
behavioral2/memory/416-160-0x00007FF7B9270000-0x00007FF7B95C1000-memory.dmp	upx
behavioral2/memory/4684-215-0x00007FF641180000-0x00007FF6414D1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\AmAXwUp.exe	2024-12-14_44966508581295940c56857c364f5e7b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JJfEXFW.exe	2024-12-14_44966508581295940c56857c364f5e7b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KGcQapA.exe	2024-12-14_44966508581295940c56857c364f5e7b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\boAnagn.exe	2024-12-14_44966508581295940c56857c364f5e7b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uCwbgas.exe	2024-12-14_44966508581295940c56857c364f5e7b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oWgLWdN.exe	2024-12-14_44966508581295940c56857c364f5e7b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qiiickv.exe	2024-12-14_44966508581295940c56857c364f5e7b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HHfoMTq.exe	2024-12-14_44966508581295940c56857c364f5e7b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DzIxNcj.exe	2024-12-14_44966508581295940c56857c364f5e7b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nGRVzZm.exe	2024-12-14_44966508581295940c56857c364f5e7b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KxplrCd.exe	2024-12-14_44966508581295940c56857c364f5e7b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CLbDzyI.exe	2024-12-14_44966508581295940c56857c364f5e7b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GjyKFXK.exe	2024-12-14_44966508581295940c56857c364f5e7b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZgSNqso.exe	2024-12-14_44966508581295940c56857c364f5e7b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vNgCDNd.exe	2024-12-14_44966508581295940c56857c364f5e7b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rxAArCY.exe	2024-12-14_44966508581295940c56857c364f5e7b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QFEeAIL.exe	2024-12-14_44966508581295940c56857c364f5e7b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NbFINTZ.exe	2024-12-14_44966508581295940c56857c364f5e7b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VnKlopx.exe	2024-12-14_44966508581295940c56857c364f5e7b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zvhcVEO.exe	2024-12-14_44966508581295940c56857c364f5e7b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DjNhiPp.exe	2024-12-14_44966508581295940c56857c364f5e7b_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	416	2024-12-14_44966508581295940c56857c364f5e7b_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	416	2024-12-14_44966508581295940c56857c364f5e7b_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 416 wrote to memory of 4684	416	2024-12-14_44966508581295940c56857c364f5e7b_cobalt-strike_cobaltstrike_poet-rat.exe	82
PID 416 wrote to memory of 4684	416	2024-12-14_44966508581295940c56857c364f5e7b_cobalt-strike_cobaltstrike_poet-rat.exe	82
PID 416 wrote to memory of 1616	416	2024-12-14_44966508581295940c56857c364f5e7b_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 416 wrote to memory of 1616	416	2024-12-14_44966508581295940c56857c364f5e7b_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 416 wrote to memory of 3608	416	2024-12-14_44966508581295940c56857c364f5e7b_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 416 wrote to memory of 3608	416	2024-12-14_44966508581295940c56857c364f5e7b_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 416 wrote to memory of 4492	416	2024-12-14_44966508581295940c56857c364f5e7b_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 416 wrote to memory of 4492	416	2024-12-14_44966508581295940c56857c364f5e7b_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 416 wrote to memory of 1976	416	2024-12-14_44966508581295940c56857c364f5e7b_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 416 wrote to memory of 1976	416	2024-12-14_44966508581295940c56857c364f5e7b_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 416 wrote to memory of 3112	416	2024-12-14_44966508581295940c56857c364f5e7b_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 416 wrote to memory of 3112	416	2024-12-14_44966508581295940c56857c364f5e7b_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 416 wrote to memory of 2540	416	2024-12-14_44966508581295940c56857c364f5e7b_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 416 wrote to memory of 2540	416	2024-12-14_44966508581295940c56857c364f5e7b_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 416 wrote to memory of 924	416	2024-12-14_44966508581295940c56857c364f5e7b_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 416 wrote to memory of 924	416	2024-12-14_44966508581295940c56857c364f5e7b_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 416 wrote to memory of 3852	416	2024-12-14_44966508581295940c56857c364f5e7b_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 416 wrote to memory of 3852	416	2024-12-14_44966508581295940c56857c364f5e7b_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 416 wrote to memory of 4484	416	2024-12-14_44966508581295940c56857c364f5e7b_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 416 wrote to memory of 4484	416	2024-12-14_44966508581295940c56857c364f5e7b_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 416 wrote to memory of 1968	416	2024-12-14_44966508581295940c56857c364f5e7b_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 416 wrote to memory of 1968	416	2024-12-14_44966508581295940c56857c364f5e7b_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 416 wrote to memory of 3052	416	2024-12-14_44966508581295940c56857c364f5e7b_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 416 wrote to memory of 3052	416	2024-12-14_44966508581295940c56857c364f5e7b_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 416 wrote to memory of 4884	416	2024-12-14_44966508581295940c56857c364f5e7b_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 416 wrote to memory of 4884	416	2024-12-14_44966508581295940c56857c364f5e7b_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 416 wrote to memory of 3236	416	2024-12-14_44966508581295940c56857c364f5e7b_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 416 wrote to memory of 3236	416	2024-12-14_44966508581295940c56857c364f5e7b_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 416 wrote to memory of 3512	416	2024-12-14_44966508581295940c56857c364f5e7b_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 416 wrote to memory of 3512	416	2024-12-14_44966508581295940c56857c364f5e7b_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 416 wrote to memory of 2400	416	2024-12-14_44966508581295940c56857c364f5e7b_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 416 wrote to memory of 2400	416	2024-12-14_44966508581295940c56857c364f5e7b_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 416 wrote to memory of 4568	416	2024-12-14_44966508581295940c56857c364f5e7b_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 416 wrote to memory of 4568	416	2024-12-14_44966508581295940c56857c364f5e7b_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 416 wrote to memory of 4972	416	2024-12-14_44966508581295940c56857c364f5e7b_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 416 wrote to memory of 4972	416	2024-12-14_44966508581295940c56857c364f5e7b_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 416 wrote to memory of 180	416	2024-12-14_44966508581295940c56857c364f5e7b_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 416 wrote to memory of 180	416	2024-12-14_44966508581295940c56857c364f5e7b_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 416 wrote to memory of 5044	416	2024-12-14_44966508581295940c56857c364f5e7b_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 416 wrote to memory of 5044	416	2024-12-14_44966508581295940c56857c364f5e7b_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 416 wrote to memory of 1188	416	2024-12-14_44966508581295940c56857c364f5e7b_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 416 wrote to memory of 1188	416	2024-12-14_44966508581295940c56857c364f5e7b_cobalt-strike_cobaltstrike_poet-rat.exe	102

C:\Users\Admin\AppData\Local\Temp\2024-12-14_44966508581295940c56857c364f5e7b_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-14_44966508581295940c56857c364f5e7b_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:416
- C:\Windows\System\oWgLWdN.exe
  C:\Windows\System\oWgLWdN.exe
  2⤵
  - Executes dropped EXE
  PID:4684
- C:\Windows\System\qiiickv.exe
  C:\Windows\System\qiiickv.exe
  2⤵
  - Executes dropped EXE
  PID:1616
- C:\Windows\System\rxAArCY.exe
  C:\Windows\System\rxAArCY.exe
  2⤵
  - Executes dropped EXE
  PID:3608
- C:\Windows\System\HHfoMTq.exe
  C:\Windows\System\HHfoMTq.exe
  2⤵
  - Executes dropped EXE
  PID:4492
- C:\Windows\System\QFEeAIL.exe
  C:\Windows\System\QFEeAIL.exe
  2⤵
  - Executes dropped EXE
  PID:1976
- C:\Windows\System\DzIxNcj.exe
  C:\Windows\System\DzIxNcj.exe
  2⤵
  - Executes dropped EXE
  PID:3112
- C:\Windows\System\AmAXwUp.exe
  C:\Windows\System\AmAXwUp.exe
  2⤵
  - Executes dropped EXE
  PID:2540
- C:\Windows\System\CLbDzyI.exe
  C:\Windows\System\CLbDzyI.exe
  2⤵
  - Executes dropped EXE
  PID:924
- C:\Windows\System\NbFINTZ.exe
  C:\Windows\System\NbFINTZ.exe
  2⤵
  - Executes dropped EXE
  PID:3852
- C:\Windows\System\VnKlopx.exe
  C:\Windows\System\VnKlopx.exe
  2⤵
  - Executes dropped EXE
  PID:4484
- C:\Windows\System\zvhcVEO.exe
  C:\Windows\System\zvhcVEO.exe
  2⤵
  - Executes dropped EXE
  PID:1968
- C:\Windows\System\JJfEXFW.exe
  C:\Windows\System\JJfEXFW.exe
  2⤵
  - Executes dropped EXE
  PID:3052
- C:\Windows\System\DjNhiPp.exe
  C:\Windows\System\DjNhiPp.exe
  2⤵
  - Executes dropped EXE
  PID:4884
- C:\Windows\System\nGRVzZm.exe
  C:\Windows\System\nGRVzZm.exe
  2⤵
  - Executes dropped EXE
  PID:3236
- C:\Windows\System\KGcQapA.exe
  C:\Windows\System\KGcQapA.exe
  2⤵
  - Executes dropped EXE
  PID:3512
- C:\Windows\System\GjyKFXK.exe
  C:\Windows\System\GjyKFXK.exe
  2⤵
  - Executes dropped EXE
  PID:2400
- C:\Windows\System\boAnagn.exe
  C:\Windows\System\boAnagn.exe
  2⤵
  - Executes dropped EXE
  PID:4568
- C:\Windows\System\ZgSNqso.exe
  C:\Windows\System\ZgSNqso.exe
  2⤵
  - Executes dropped EXE
  PID:4972
- C:\Windows\System\vNgCDNd.exe
  C:\Windows\System\vNgCDNd.exe
  2⤵
  - Executes dropped EXE
  PID:180
- C:\Windows\System\KxplrCd.exe
  C:\Windows\System\KxplrCd.exe
  2⤵
  - Executes dropped EXE
  PID:5044
- C:\Windows\System\uCwbgas.exe
  C:\Windows\System\uCwbgas.exe
  2⤵
  - Executes dropped EXE
  PID:1188

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AmAXwUp.exe

Filesize
5.2MB

MD5
d3c3379b53dc58ba9f13dd72ff13f391

SHA1
06c33aa6e4a64e38cf728214fc5d80f13c2e08ab

SHA256
6db69ac1eae1bb563d04efa451c80195f76454d8cdca83282ee1899f1c191937

SHA512
5238a428c80826675edee4ff4b4ade081b89afa3e6b7ee7a8609753f7a2f892ffc78b1433e3cbfaad320b15ab9ffbf904c10eb8656db7aa343c714f57a3d919a

Download Submit
C:\Windows\System\CLbDzyI.exe

Filesize
5.2MB

MD5
3c5e9f39f357054f7b11adf86bdd2d4e

SHA1
55b403b8d0815b87ea9b8963ffa575bf44c35811

SHA256
d7e7e03328bf2ba1fe2f1bd0b665f4f60c1d379b4facb1c4c05565abfc9e6cc9

SHA512
5c1efb457c2f2f1a52ae0cc6ebbbebe9ac2c07f91fff61b95ccdf72101e4f9ac4494be89d7127f6a504fe559f3419fa0b20ea664cbafbce117e9bf3cd5d4fc23

Download Submit
C:\Windows\System\DjNhiPp.exe

Filesize
5.2MB

MD5
b9f9f552a2ec57e0f70dc460ab41ea4f

SHA1
920b4ef7b17abc7d7021cc7e02b1d100cee89a3a

SHA256
b38a00889f969c0c3bd3ad33f456863fd0290cec33ec052cce54360fa033bbe5

SHA512
abad6b84a2b5b67f9b5d5a2c5f2266ffa0e120e428a6548c26223ab1d174a025040831b903b7b88e2bc1b61a51092072d65ce01b3635dcaf76713ba2a6aaa377

Download Submit
C:\Windows\System\DzIxNcj.exe

Filesize
5.2MB

MD5
68cf3e805014baf87bc48ebae3e20a1d

SHA1
0f173e38d8709774109ec87b71e448c0f8b6ed51

SHA256
89d02590f0dce09a2d4e95a9f7a3480cfe2665e7075d38148b366a5a8fca0169

SHA512
fb9eb208311f7d8cf1bdf83cf3874a6346ac6ba43e78e7060c8dd35e9645d16df177eb5532b6845aa8eeb231f607fa631b7c055c35e1c58667649072b74e83b2

Download Submit
C:\Windows\System\GjyKFXK.exe

Filesize
5.2MB

MD5
f7041f72d4c84cedad4af3ca566cc669

SHA1
90a84b7863165b188c9b05d764296d7b2a943390

SHA256
6aa28953798a35d8ba53909a5f34bcb3d2fc5d8a67740dd5b7a60a2aab0c4749

SHA512
c938a5e09d4e776781907361adcc8430af5bf7dc9f33cd6b1bf47e790351887bcadcb3af586e0df8aa37802a660f1f9249cf7dc29383e48c4d081a6599301ce8

Download Submit
C:\Windows\System\HHfoMTq.exe

Filesize
5.2MB

MD5
ea9fe24982a5931846f45e10d29bb68d

SHA1
8fc9625d33dab4db09b3c400d344edc65b7927aa

SHA256
b712f2326c3d2dcffc71c4b423eeff4287887a3a1e551cd9ec0e082bb9f27a9d

SHA512
0ce85809921822a2ad8fc68189d73e63221eb8239a8285cd709627826229d73416cfb72201622a0b99b3702a3f63de9c1ecc93d813185a3b8a6eef583b8cc211

Download Submit
C:\Windows\System\JJfEXFW.exe

Filesize
5.2MB

MD5
53754032a6263e1577050cfdba201f9e

SHA1
1636e22c835fddf30b31fd01a20917d63c044b89

SHA256
c1481cd21f244c8b63c13dc8df698c164f0b0217a5969720dc3e0b7887dda017

SHA512
2d474b318c83d712f4afb9930e7a8f2bd5a48145debd656218b5dc06ad6ce317ad34723b93a073764d8ae13a9fd501dadb1821e7b89e58a3cda3b1d7c821b0f9

Download Submit
C:\Windows\System\KGcQapA.exe

Filesize
5.2MB

MD5
d391a169013ee431ecdd751ddc27b857

SHA1
adfadbfb72db838800f8201d2024d34a1beed289

SHA256
85d1ad9f61691e3dc1cba523fc041ca8e87cf997d0bb87edba2958af7eaffe3f

SHA512
a94b14a89e8296412bca2956ed3d8c980783ebf6d026a71645a164d798cd3970cdd70ac7d76a48b06caeb09937ea12d4890c400d1589f099bed7cce844c11786

Download Submit
C:\Windows\System\KxplrCd.exe

Filesize
5.2MB

MD5
b024ab706ec9650fb375c6407e02c7d1

SHA1
000f4386ceaafa5598b024a4eb873d51be79cf07

SHA256
d5aa99a9493436f5246f1dbbd1a36609b779cf523bd9ecebb7dfd8e0b6318853

SHA512
e057db7464101b14861bf122b577d389a77787f9b6631ef5af665cc7a0fadf613ac71b1a271f3d542851eed42d03bfe8195d8b6175457440ad5fe5116c249a3a

Download Submit
C:\Windows\System\NbFINTZ.exe

Filesize
5.2MB

MD5
d7351963f09788d600b75d558f9dcf0f

SHA1
b2a07919b91f7518e45b5276d50d781cf75f4d30

SHA256
67cef383164182b5b437444d82d0c983e527657f09906efdf0e170a964f7d44b

SHA512
936862f2a6c582afeef4a6a396dd1b40f102ae342b2a8668ad2ea6188d9b3b09187ca71c5761f7e6d6a0fff9017a5c5deef88ec6a0177f9e06b7c281f680daed

Download Submit
C:\Windows\System\QFEeAIL.exe

Filesize
5.2MB

MD5
96eddbe073e6ceb7ce05e93f1caed864

SHA1
eab91f7c5dedb9b6d4c1ed7e1436fff332a72a41

SHA256
3d9fccb4e5e3678095dca282e14aecb3907e9e6091ba006626e961b9a7238ec6

SHA512
1a257f708671203422ebdb1434536c5b8ad87a2a214657a99bcd4e50cae4f89634b66c6c71d7ff2932461019875eb4af7d2883e041be3babde310b76f92f8fab

Download Submit
C:\Windows\System\VnKlopx.exe

Filesize
5.2MB

MD5
aebfdfdc426aa98cc4c77f7d67172788

SHA1
4826a743636e2b0448773e2208a481af44506a8e

SHA256
3c679fa50706fd4a4320ab2562bb4b9d8bd08aa0b8e95d085ab9f1648906cbc1

SHA512
0116271b0f37f7ed8bc8e637308f1a546b6abdf6d327d2197f715f1541ecb93d628c75a9798134f3efe3afa53a053eb959cde93b9a7e256e036112f517d0c1cc

Download Submit
C:\Windows\System\ZgSNqso.exe

Filesize
5.2MB

MD5
7d6acd94d3ed77929b29e3fe3e8e4ce1

SHA1
72e83c99892e55033ee2910a15cd0449492499fa

SHA256
4add144c4777734a0787157939c945a99e8501548116bbf1b129a22081c9d6a0

SHA512
7d1c8e60b5f005fdc40f5ecd1e971890ac01a3d52c4c52176efee474af72da73f231cd72adb00b98a66e27ef39bcb5ee67fbdeda20c369b27342ffa0161bc455

Download Submit
C:\Windows\System\boAnagn.exe

Filesize
5.2MB

MD5
958f25091ea8abed1ae7988782c865d0

SHA1
121b750f7de61c45e95110e0af58db34d5b05416

SHA256
ef58c62f68f6eb75863c717937ff6c5adfab4fb4bedbf544470537d681ffe1a4

SHA512
320ebe04472e3dcf58821f13681605d62daad44e6f0b4b173c6e1fd05ac786d8bfa391d65f3e7cc9079e449866d4bd23a5127726d2b2dbec4bd88cdf6b9f0c3e

Download Submit
C:\Windows\System\nGRVzZm.exe

Filesize
5.2MB

MD5
518e6b240c9fcefa9be94eb7d5a94dca

SHA1
21ff254463b9241e367aa8377ec7e432619aba11

SHA256
e837a17aab2c57450e478809ec3775e548cb04ad116344ae17d537ba2c16fc45

SHA512
f1d4b218872023a0f3e4a97bca5a8a1d426a7d907c36c7f79f7fd950fd46b92d6b901756cb8445b9077e018f540a7f99aa9e816694b4e778d3cd9c91eb407d31

Download Submit
C:\Windows\System\oWgLWdN.exe

Filesize
5.2MB

MD5
7a34d9fedc38e8b79ed4aefa1687b56f

SHA1
88fadad64912cc3d779ccfdd990d32bd6c2d3932

SHA256
6f4a1f8ac15083afd2c16d80bb3525dd15301229fc588e8967d90b9d9a480490

SHA512
44e30f426e59ea1a85f92bea6d7552efc51fdd003f149f628f3d3152fbe03fe04d13541823ab72750bcb9c1b33af8d5a81594f6f2fa0e5d666a4459d9ced6874

Download Submit
C:\Windows\System\qiiickv.exe

Filesize
5.2MB

MD5
30158a4637bc9690f684f91ee6ee51b4

SHA1
4af2f8248881ca60ab98f8fe34a8990a0f8e7a19

SHA256
1aaabdd887feff1589c5fd465206cbdbe5e14f44be1595658ee4e82b282f6116

SHA512
17f5ea5070dbc0746cb42ef40150280f7d7f86bfe3a1300f3661b2e94e0187d8a5070418c65cc668041f3c3adfeafde1252090612d5188f6bea887208c0982d3

Download Submit
C:\Windows\System\rxAArCY.exe

Filesize
5.2MB

MD5
12fe798ad65f31e9788c0b5c89d46123

SHA1
84e1981c56b39ea2b7daa42b8f8caa46eaeac88a

SHA256
00ab564ecbe0407082c49da9cd127f69d30947d4b13c404b4e43bc16d84e6b3e

SHA512
55a4572a5d93b0caacc9807ed183d52c91293b37946eabcdf61e2b58b1286e281f290e52627e7042afef205eb2ff4b29fce5bd3d29af75300da4bf83cd79fd49

Download Submit
C:\Windows\System\uCwbgas.exe

Filesize
5.2MB

MD5
07adcf678cd9a9ed3e8802e4268eace1

SHA1
fd62b647b127bb881b54cb847723f5db71b3f94a

SHA256
364f9090ca219ebf9fe12b9b435378b9eee4c7422a1332d0558acf765f21dfd5

SHA512
5a2a4131ab120a5bc5975e70d017176b3b4c644a24a8a28d083a1241261ce03de939e6e91daf675287389a0af2b2ff57e4ae25fcae28ae061a074e9ad3c07c59

Download Submit
C:\Windows\System\vNgCDNd.exe

Filesize
5.2MB

MD5
cc1a84dc913f97b2887548d202adb053

SHA1
de285eea2b687a0651e834f420a0819d8d9d3a29

SHA256
5073218a358c1aea611733f190775c2d4080c573194cb47ff3207bc77011c22e

SHA512
99692a01231acf20b84479f7f654d3152fda63ff13ae5440af16b933e0e188493792438a13d68d336612510f8bb25df4a6347a54c9c3eaa65b53a6df41735b7c

Download Submit
C:\Windows\System\zvhcVEO.exe

Filesize
5.2MB

MD5
b8b607320a4a98380c1fc40a29cc989a

SHA1
93f3dcd76096c152f399479dc9bda7d7b16e5b96

SHA256
0af7dc90e968881e9b75c08816ff0d2e328509d21a04b0a719fd1d24f8b577fa

SHA512
08ca7358749b7c4806f4c4a05e9cdf39895832aa9d7f2b3518bd029612a93a26de7e0b6752d8b554decf64383216455231657843089cdc341f1b6e27a105a005

Download Submit
memory/180-266-0x00007FF6AA220000-0x00007FF6AA571000-memory.dmp

Filesize
3.3MB

Download
memory/180-157-0x00007FF6AA220000-0x00007FF6AA571000-memory.dmp

Filesize
3.3MB

Download
memory/180-131-0x00007FF6AA220000-0x00007FF6AA571000-memory.dmp

Filesize
3.3MB

Download
memory/416-136-0x00007FF7B9270000-0x00007FF7B95C1000-memory.dmp

Filesize
3.3MB

Download
memory/416-160-0x00007FF7B9270000-0x00007FF7B95C1000-memory.dmp

Filesize
3.3MB

Download
memory/416-1-0x000002DCD76C0000-0x000002DCD76D0000-memory.dmp

Filesize
64KB

Download
memory/416-60-0x00007FF7B9270000-0x00007FF7B95C1000-memory.dmp

Filesize
3.3MB

Download
memory/416-0-0x00007FF7B9270000-0x00007FF7B95C1000-memory.dmp

Filesize
3.3MB

Download
memory/924-238-0x00007FF6CD460000-0x00007FF6CD7B1000-memory.dmp

Filesize
3.3MB

Download
memory/924-47-0x00007FF6CD460000-0x00007FF6CD7B1000-memory.dmp

Filesize
3.3MB

Download
memory/924-116-0x00007FF6CD460000-0x00007FF6CD7B1000-memory.dmp

Filesize
3.3MB

Download
memory/1188-159-0x00007FF64DDB0000-0x00007FF64E101000-memory.dmp

Filesize
3.3MB

Download
memory/1188-268-0x00007FF64DDB0000-0x00007FF64E101000-memory.dmp

Filesize
3.3MB

Download
memory/1188-133-0x00007FF64DDB0000-0x00007FF64E101000-memory.dmp

Filesize
3.3MB

Download
memory/1616-217-0x00007FF730F60000-0x00007FF7312B1000-memory.dmp

Filesize
3.3MB

Download
memory/1616-14-0x00007FF730F60000-0x00007FF7312B1000-memory.dmp

Filesize
3.3MB

Download
memory/1616-71-0x00007FF730F60000-0x00007FF7312B1000-memory.dmp

Filesize
3.3MB

Download
memory/1968-68-0x00007FF671490000-0x00007FF6717E1000-memory.dmp

Filesize
3.3MB

Download
memory/1968-148-0x00007FF671490000-0x00007FF6717E1000-memory.dmp

Filesize
3.3MB

Download
memory/1968-232-0x00007FF671490000-0x00007FF6717E1000-memory.dmp

Filesize
3.3MB

Download
memory/1976-39-0x00007FF70D7B0000-0x00007FF70DB01000-memory.dmp

Filesize
3.3MB

Download
memory/1976-91-0x00007FF70D7B0000-0x00007FF70DB01000-memory.dmp

Filesize
3.3MB

Download
memory/1976-225-0x00007FF70D7B0000-0x00007FF70DB01000-memory.dmp

Filesize
3.3MB

Download
memory/2400-257-0x00007FF7D0810000-0x00007FF7D0B61000-memory.dmp

Filesize
3.3MB

Download
memory/2400-154-0x00007FF7D0810000-0x00007FF7D0B61000-memory.dmp

Filesize
3.3MB

Download
memory/2400-99-0x00007FF7D0810000-0x00007FF7D0B61000-memory.dmp

Filesize
3.3MB

Download
memory/2540-97-0x00007FF76FEA0000-0x00007FF7701F1000-memory.dmp

Filesize
3.3MB

Download
memory/2540-230-0x00007FF76FEA0000-0x00007FF7701F1000-memory.dmp

Filesize
3.3MB

Download
memory/2540-44-0x00007FF76FEA0000-0x00007FF7701F1000-memory.dmp

Filesize
3.3MB

Download
memory/3052-83-0x00007FF7EAC10000-0x00007FF7EAF61000-memory.dmp

Filesize
3.3MB

Download
memory/3052-249-0x00007FF7EAC10000-0x00007FF7EAF61000-memory.dmp

Filesize
3.3MB

Download
memory/3112-42-0x00007FF7BB8F0000-0x00007FF7BBC41000-memory.dmp

Filesize
3.3MB

Download
memory/3112-223-0x00007FF7BB8F0000-0x00007FF7BBC41000-memory.dmp

Filesize
3.3MB

Download
memory/3236-92-0x00007FF720F30000-0x00007FF721281000-memory.dmp

Filesize
3.3MB

Download
memory/3236-255-0x00007FF720F30000-0x00007FF721281000-memory.dmp

Filesize
3.3MB

Download
memory/3236-152-0x00007FF720F30000-0x00007FF721281000-memory.dmp

Filesize
3.3MB

Download
memory/3512-253-0x00007FF6CEC70000-0x00007FF6CEFC1000-memory.dmp

Filesize
3.3MB

Download
memory/3512-95-0x00007FF6CEC70000-0x00007FF6CEFC1000-memory.dmp

Filesize
3.3MB

Download
memory/3512-153-0x00007FF6CEC70000-0x00007FF6CEFC1000-memory.dmp

Filesize
3.3MB

Download
memory/3608-219-0x00007FF7CE9B0000-0x00007FF7CED01000-memory.dmp

Filesize
3.3MB

Download
memory/3608-72-0x00007FF7CE9B0000-0x00007FF7CED01000-memory.dmp

Filesize
3.3MB

Download
memory/3608-21-0x00007FF7CE9B0000-0x00007FF7CED01000-memory.dmp

Filesize
3.3MB

Download
memory/3852-55-0x00007FF767900000-0x00007FF767C51000-memory.dmp

Filesize
3.3MB

Download
memory/3852-237-0x00007FF767900000-0x00007FF767C51000-memory.dmp

Filesize
3.3MB

Download
memory/3852-120-0x00007FF767900000-0x00007FF767C51000-memory.dmp

Filesize
3.3MB

Download
memory/4484-63-0x00007FF719110000-0x00007FF719461000-memory.dmp

Filesize
3.3MB

Download
memory/4484-235-0x00007FF719110000-0x00007FF719461000-memory.dmp

Filesize
3.3MB

Download
memory/4484-147-0x00007FF719110000-0x00007FF719461000-memory.dmp

Filesize
3.3MB

Download
memory/4492-221-0x00007FF731E00000-0x00007FF732151000-memory.dmp

Filesize
3.3MB

Download
memory/4492-81-0x00007FF731E00000-0x00007FF732151000-memory.dmp

Filesize
3.3MB

Download
memory/4492-29-0x00007FF731E00000-0x00007FF732151000-memory.dmp

Filesize
3.3MB

Download
memory/4568-125-0x00007FF6E5270000-0x00007FF6E55C1000-memory.dmp

Filesize
3.3MB

Download
memory/4568-261-0x00007FF6E5270000-0x00007FF6E55C1000-memory.dmp

Filesize
3.3MB

Download
memory/4684-67-0x00007FF641180000-0x00007FF6414D1000-memory.dmp

Filesize
3.3MB

Download
memory/4684-215-0x00007FF641180000-0x00007FF6414D1000-memory.dmp

Filesize
3.3MB

Download
memory/4684-8-0x00007FF641180000-0x00007FF6414D1000-memory.dmp

Filesize
3.3MB

Download
memory/4884-150-0x00007FF774AF0000-0x00007FF774E41000-memory.dmp

Filesize
3.3MB

Download
memory/4884-251-0x00007FF774AF0000-0x00007FF774E41000-memory.dmp

Filesize
3.3MB

Download
memory/4884-90-0x00007FF774AF0000-0x00007FF774E41000-memory.dmp

Filesize
3.3MB

Download
memory/4972-260-0x00007FF7C7980000-0x00007FF7C7CD1000-memory.dmp

Filesize
3.3MB

Download
memory/4972-126-0x00007FF7C7980000-0x00007FF7C7CD1000-memory.dmp

Filesize
3.3MB

Download
memory/5044-158-0x00007FF783D00000-0x00007FF784051000-memory.dmp

Filesize
3.3MB

Download
memory/5044-128-0x00007FF783D00000-0x00007FF784051000-memory.dmp

Filesize
3.3MB

Download
memory/5044-265-0x00007FF783D00000-0x00007FF784051000-memory.dmp

Filesize
3.3MB

Download