cobaltstrike | ada6145701504b102af715f0b84c484b0a4c476c0b75c3cc4514fa576ebab12f

Analysis

max time kernel
142s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14-12-2024 03:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-14_edf9bb88eea12bf1f3db58ac5e01d682_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

edf9bb88eea12bf1f3db58ac5e01d682
SHA1

e1409fccd0c33aeaca00e41080b352e6cfef5c8f
SHA256

ada6145701504b102af715f0b84c484b0a4c476c0b75c3cc4514fa576ebab12f
SHA512

2738d099fec5b12fcec0951c277c40ce8e849f4ec4e5719c29f204e0de90b70a080b1230180776989471939c5dac322a439526213c459fffe0511c58670c6935
SSDEEP

49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lV:RWWBibd56utgpPFotBER/mQ32lUp

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0009000000023c93-6.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9d-10.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9c-12.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9e-27.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9f-26.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca0-37.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca1-40.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023c95-47.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca3-52.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca4-57.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca5-69.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca6-73.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca7-83.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023caa-101.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cab-105.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cac-111.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023caf-135.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cae-131.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cad-126.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca9-99.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca8-92.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/960-16-0x00007FF6C5880000-0x00007FF6C5BD1000-memory.dmp	xmrig
behavioral2/memory/2156-54-0x00007FF6A8010000-0x00007FF6A8361000-memory.dmp	xmrig
behavioral2/memory/1264-61-0x00007FF7E1EF0000-0x00007FF7E2241000-memory.dmp	xmrig
behavioral2/memory/4968-79-0x00007FF703240000-0x00007FF703591000-memory.dmp	xmrig
behavioral2/memory/2272-78-0x00007FF6A5900000-0x00007FF6A5C51000-memory.dmp	xmrig
behavioral2/memory/3588-128-0x00007FF77D820000-0x00007FF77DB71000-memory.dmp	xmrig
behavioral2/memory/1636-133-0x00007FF6B7BC0000-0x00007FF6B7F11000-memory.dmp	xmrig
behavioral2/memory/4980-122-0x00007FF7C3500000-0x00007FF7C3851000-memory.dmp	xmrig
behavioral2/memory/3940-115-0x00007FF672320000-0x00007FF672671000-memory.dmp	xmrig
behavioral2/memory/1660-110-0x00007FF6CC950000-0x00007FF6CCCA1000-memory.dmp	xmrig
behavioral2/memory/4624-95-0x00007FF7FD650000-0x00007FF7FD9A1000-memory.dmp	xmrig
behavioral2/memory/4852-74-0x00007FF7EB310000-0x00007FF7EB661000-memory.dmp	xmrig
behavioral2/memory/2156-137-0x00007FF6A8010000-0x00007FF6A8361000-memory.dmp	xmrig
behavioral2/memory/2228-144-0x00007FF701030000-0x00007FF701381000-memory.dmp	xmrig
behavioral2/memory/4992-147-0x00007FF688A00000-0x00007FF688D51000-memory.dmp	xmrig
behavioral2/memory/1892-151-0x00007FF706E30000-0x00007FF707181000-memory.dmp	xmrig
behavioral2/memory/4740-154-0x00007FF71BEB0000-0x00007FF71C201000-memory.dmp	xmrig
behavioral2/memory/2604-161-0x00007FF765690000-0x00007FF7659E1000-memory.dmp	xmrig
behavioral2/memory/3652-163-0x00007FF6D2200000-0x00007FF6D2551000-memory.dmp	xmrig
behavioral2/memory/1872-164-0x00007FF78DD80000-0x00007FF78E0D1000-memory.dmp	xmrig
behavioral2/memory/3620-162-0x00007FF6DE400000-0x00007FF6DE751000-memory.dmp	xmrig
behavioral2/memory/1088-160-0x00007FF7097B0000-0x00007FF709B01000-memory.dmp	xmrig
behavioral2/memory/4976-165-0x00007FF780A70000-0x00007FF780DC1000-memory.dmp	xmrig
behavioral2/memory/2156-166-0x00007FF6A8010000-0x00007FF6A8361000-memory.dmp	xmrig
behavioral2/memory/1264-219-0x00007FF7E1EF0000-0x00007FF7E2241000-memory.dmp	xmrig
behavioral2/memory/960-221-0x00007FF6C5880000-0x00007FF6C5BD1000-memory.dmp	xmrig
behavioral2/memory/4852-223-0x00007FF7EB310000-0x00007FF7EB661000-memory.dmp	xmrig
behavioral2/memory/2272-225-0x00007FF6A5900000-0x00007FF6A5C51000-memory.dmp	xmrig
behavioral2/memory/4624-227-0x00007FF7FD650000-0x00007FF7FD9A1000-memory.dmp	xmrig
behavioral2/memory/4968-229-0x00007FF703240000-0x00007FF703591000-memory.dmp	xmrig
behavioral2/memory/1660-235-0x00007FF6CC950000-0x00007FF6CCCA1000-memory.dmp	xmrig
behavioral2/memory/3940-237-0x00007FF672320000-0x00007FF672671000-memory.dmp	xmrig
behavioral2/memory/4980-239-0x00007FF7C3500000-0x00007FF7C3851000-memory.dmp	xmrig
behavioral2/memory/3588-243-0x00007FF77D820000-0x00007FF77DB71000-memory.dmp	xmrig
behavioral2/memory/1636-245-0x00007FF6B7BC0000-0x00007FF6B7F11000-memory.dmp	xmrig
behavioral2/memory/2228-255-0x00007FF701030000-0x00007FF701381000-memory.dmp	xmrig
behavioral2/memory/4992-257-0x00007FF688A00000-0x00007FF688D51000-memory.dmp	xmrig
behavioral2/memory/1892-259-0x00007FF706E30000-0x00007FF707181000-memory.dmp	xmrig
behavioral2/memory/4740-261-0x00007FF71BEB0000-0x00007FF71C201000-memory.dmp	xmrig
behavioral2/memory/3652-263-0x00007FF6D2200000-0x00007FF6D2551000-memory.dmp	xmrig
behavioral2/memory/2604-265-0x00007FF765690000-0x00007FF7659E1000-memory.dmp	xmrig
behavioral2/memory/3620-268-0x00007FF6DE400000-0x00007FF6DE751000-memory.dmp	xmrig
behavioral2/memory/1872-269-0x00007FF78DD80000-0x00007FF78E0D1000-memory.dmp	xmrig
behavioral2/memory/4976-271-0x00007FF780A70000-0x00007FF780DC1000-memory.dmp	xmrig
behavioral2/memory/1088-274-0x00007FF7097B0000-0x00007FF709B01000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
1264	ogeuPni.exe
960	YsAlmVp.exe
4852	UbAaVGq.exe
2272	VkxHiaT.exe
4968	TEzyDwA.exe
4624	cBZDpox.exe
1660	seRRqbC.exe
3940	rVWsZNZ.exe
4980	uKlhEph.exe
3588	gwyLjpL.exe
1636	xxPkPjI.exe
2228	jjnCUhi.exe
4992	xblIwFM.exe
1892	uyJVWMv.exe
4740	GVSvyhO.exe
3652	qPxQyxU.exe
1088	vMXOFLM.exe
2604	RfqjHDg.exe
3620	DQOJtdB.exe
1872	KmhEEDl.exe
4976	zenAtnV.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2156-0-0x00007FF6A8010000-0x00007FF6A8361000-memory.dmp	upx
behavioral2/files/0x0009000000023c93-6.dat	upx
behavioral2/memory/1264-7-0x00007FF7E1EF0000-0x00007FF7E2241000-memory.dmp	upx
behavioral2/files/0x0007000000023c9d-10.dat	upx
behavioral2/files/0x0007000000023c9c-12.dat	upx
behavioral2/files/0x0007000000023c9e-27.dat	upx
behavioral2/files/0x0007000000023c9f-26.dat	upx
behavioral2/files/0x0007000000023ca0-37.dat	upx
behavioral2/memory/4624-36-0x00007FF7FD650000-0x00007FF7FD9A1000-memory.dmp	upx
behavioral2/memory/4968-35-0x00007FF703240000-0x00007FF703591000-memory.dmp	upx
behavioral2/memory/2272-25-0x00007FF6A5900000-0x00007FF6A5C51000-memory.dmp	upx
behavioral2/memory/4852-18-0x00007FF7EB310000-0x00007FF7EB661000-memory.dmp	upx
behavioral2/memory/960-16-0x00007FF6C5880000-0x00007FF6C5BD1000-memory.dmp	upx
behavioral2/files/0x0007000000023ca1-40.dat	upx
behavioral2/memory/1660-44-0x00007FF6CC950000-0x00007FF6CCCA1000-memory.dmp	upx
behavioral2/files/0x0009000000023c95-47.dat	upx
behavioral2/memory/3940-48-0x00007FF672320000-0x00007FF672671000-memory.dmp	upx
behavioral2/files/0x0007000000023ca3-52.dat	upx
behavioral2/memory/2156-54-0x00007FF6A8010000-0x00007FF6A8361000-memory.dmp	upx
behavioral2/files/0x0007000000023ca4-57.dat	upx
behavioral2/memory/4980-55-0x00007FF7C3500000-0x00007FF7C3851000-memory.dmp	upx
behavioral2/memory/3588-62-0x00007FF77D820000-0x00007FF77DB71000-memory.dmp	upx
behavioral2/memory/1264-61-0x00007FF7E1EF0000-0x00007FF7E2241000-memory.dmp	upx
behavioral2/files/0x0007000000023ca5-69.dat	upx
behavioral2/files/0x0007000000023ca6-73.dat	upx
behavioral2/memory/2228-76-0x00007FF701030000-0x00007FF701381000-memory.dmp	upx
behavioral2/memory/4968-79-0x00007FF703240000-0x00007FF703591000-memory.dmp	upx
behavioral2/memory/4992-80-0x00007FF688A00000-0x00007FF688D51000-memory.dmp	upx
behavioral2/files/0x0007000000023ca7-83.dat	upx
behavioral2/memory/2272-78-0x00007FF6A5900000-0x00007FF6A5C51000-memory.dmp	upx
behavioral2/files/0x0007000000023caa-101.dat	upx
behavioral2/files/0x0007000000023cab-105.dat	upx
behavioral2/files/0x0007000000023cac-111.dat	upx
behavioral2/memory/2604-116-0x00007FF765690000-0x00007FF7659E1000-memory.dmp	upx
behavioral2/memory/3588-128-0x00007FF77D820000-0x00007FF77DB71000-memory.dmp	upx
behavioral2/files/0x0007000000023caf-135.dat	upx
behavioral2/memory/4976-134-0x00007FF780A70000-0x00007FF780DC1000-memory.dmp	upx
behavioral2/memory/1636-133-0x00007FF6B7BC0000-0x00007FF6B7F11000-memory.dmp	upx
behavioral2/files/0x0007000000023cae-131.dat	upx
behavioral2/memory/1872-129-0x00007FF78DD80000-0x00007FF78E0D1000-memory.dmp	upx
behavioral2/files/0x0007000000023cad-126.dat	upx
behavioral2/memory/3620-123-0x00007FF6DE400000-0x00007FF6DE751000-memory.dmp	upx
behavioral2/memory/4980-122-0x00007FF7C3500000-0x00007FF7C3851000-memory.dmp	upx
behavioral2/memory/3940-115-0x00007FF672320000-0x00007FF672671000-memory.dmp	upx
behavioral2/memory/1088-114-0x00007FF7097B0000-0x00007FF709B01000-memory.dmp	upx
behavioral2/memory/1660-110-0x00007FF6CC950000-0x00007FF6CCCA1000-memory.dmp	upx
behavioral2/memory/3652-104-0x00007FF6D2200000-0x00007FF6D2551000-memory.dmp	upx
behavioral2/files/0x0007000000023ca9-99.dat	upx
behavioral2/memory/4740-96-0x00007FF71BEB0000-0x00007FF71C201000-memory.dmp	upx
behavioral2/memory/4624-95-0x00007FF7FD650000-0x00007FF7FD9A1000-memory.dmp	upx
behavioral2/files/0x0007000000023ca8-92.dat	upx
behavioral2/memory/1892-89-0x00007FF706E30000-0x00007FF707181000-memory.dmp	upx
behavioral2/memory/4852-74-0x00007FF7EB310000-0x00007FF7EB661000-memory.dmp	upx
behavioral2/memory/1636-68-0x00007FF6B7BC0000-0x00007FF6B7F11000-memory.dmp	upx
behavioral2/memory/2156-137-0x00007FF6A8010000-0x00007FF6A8361000-memory.dmp	upx
behavioral2/memory/2228-144-0x00007FF701030000-0x00007FF701381000-memory.dmp	upx
behavioral2/memory/4992-147-0x00007FF688A00000-0x00007FF688D51000-memory.dmp	upx
behavioral2/memory/1892-151-0x00007FF706E30000-0x00007FF707181000-memory.dmp	upx
behavioral2/memory/4740-154-0x00007FF71BEB0000-0x00007FF71C201000-memory.dmp	upx
behavioral2/memory/2604-161-0x00007FF765690000-0x00007FF7659E1000-memory.dmp	upx
behavioral2/memory/3652-163-0x00007FF6D2200000-0x00007FF6D2551000-memory.dmp	upx
behavioral2/memory/1872-164-0x00007FF78DD80000-0x00007FF78E0D1000-memory.dmp	upx
behavioral2/memory/3620-162-0x00007FF6DE400000-0x00007FF6DE751000-memory.dmp	upx
behavioral2/memory/1088-160-0x00007FF7097B0000-0x00007FF709B01000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\cBZDpox.exe	2024-12-14_edf9bb88eea12bf1f3db58ac5e01d682_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uyJVWMv.exe	2024-12-14_edf9bb88eea12bf1f3db58ac5e01d682_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vMXOFLM.exe	2024-12-14_edf9bb88eea12bf1f3db58ac5e01d682_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KmhEEDl.exe	2024-12-14_edf9bb88eea12bf1f3db58ac5e01d682_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ogeuPni.exe	2024-12-14_edf9bb88eea12bf1f3db58ac5e01d682_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TEzyDwA.exe	2024-12-14_edf9bb88eea12bf1f3db58ac5e01d682_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xxPkPjI.exe	2024-12-14_edf9bb88eea12bf1f3db58ac5e01d682_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RfqjHDg.exe	2024-12-14_edf9bb88eea12bf1f3db58ac5e01d682_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qPxQyxU.exe	2024-12-14_edf9bb88eea12bf1f3db58ac5e01d682_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DQOJtdB.exe	2024-12-14_edf9bb88eea12bf1f3db58ac5e01d682_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zenAtnV.exe	2024-12-14_edf9bb88eea12bf1f3db58ac5e01d682_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rVWsZNZ.exe	2024-12-14_edf9bb88eea12bf1f3db58ac5e01d682_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uKlhEph.exe	2024-12-14_edf9bb88eea12bf1f3db58ac5e01d682_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jjnCUhi.exe	2024-12-14_edf9bb88eea12bf1f3db58ac5e01d682_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GVSvyhO.exe	2024-12-14_edf9bb88eea12bf1f3db58ac5e01d682_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gwyLjpL.exe	2024-12-14_edf9bb88eea12bf1f3db58ac5e01d682_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xblIwFM.exe	2024-12-14_edf9bb88eea12bf1f3db58ac5e01d682_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YsAlmVp.exe	2024-12-14_edf9bb88eea12bf1f3db58ac5e01d682_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UbAaVGq.exe	2024-12-14_edf9bb88eea12bf1f3db58ac5e01d682_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VkxHiaT.exe	2024-12-14_edf9bb88eea12bf1f3db58ac5e01d682_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\seRRqbC.exe	2024-12-14_edf9bb88eea12bf1f3db58ac5e01d682_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2156	2024-12-14_edf9bb88eea12bf1f3db58ac5e01d682_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2156	2024-12-14_edf9bb88eea12bf1f3db58ac5e01d682_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 1264	2156	2024-12-14_edf9bb88eea12bf1f3db58ac5e01d682_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2156 wrote to memory of 1264	2156	2024-12-14_edf9bb88eea12bf1f3db58ac5e01d682_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2156 wrote to memory of 960	2156	2024-12-14_edf9bb88eea12bf1f3db58ac5e01d682_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2156 wrote to memory of 960	2156	2024-12-14_edf9bb88eea12bf1f3db58ac5e01d682_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2156 wrote to memory of 4852	2156	2024-12-14_edf9bb88eea12bf1f3db58ac5e01d682_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2156 wrote to memory of 4852	2156	2024-12-14_edf9bb88eea12bf1f3db58ac5e01d682_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2156 wrote to memory of 2272	2156	2024-12-14_edf9bb88eea12bf1f3db58ac5e01d682_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2156 wrote to memory of 2272	2156	2024-12-14_edf9bb88eea12bf1f3db58ac5e01d682_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2156 wrote to memory of 4968	2156	2024-12-14_edf9bb88eea12bf1f3db58ac5e01d682_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2156 wrote to memory of 4968	2156	2024-12-14_edf9bb88eea12bf1f3db58ac5e01d682_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2156 wrote to memory of 4624	2156	2024-12-14_edf9bb88eea12bf1f3db58ac5e01d682_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2156 wrote to memory of 4624	2156	2024-12-14_edf9bb88eea12bf1f3db58ac5e01d682_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2156 wrote to memory of 1660	2156	2024-12-14_edf9bb88eea12bf1f3db58ac5e01d682_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2156 wrote to memory of 1660	2156	2024-12-14_edf9bb88eea12bf1f3db58ac5e01d682_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2156 wrote to memory of 3940	2156	2024-12-14_edf9bb88eea12bf1f3db58ac5e01d682_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2156 wrote to memory of 3940	2156	2024-12-14_edf9bb88eea12bf1f3db58ac5e01d682_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2156 wrote to memory of 4980	2156	2024-12-14_edf9bb88eea12bf1f3db58ac5e01d682_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2156 wrote to memory of 4980	2156	2024-12-14_edf9bb88eea12bf1f3db58ac5e01d682_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2156 wrote to memory of 3588	2156	2024-12-14_edf9bb88eea12bf1f3db58ac5e01d682_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2156 wrote to memory of 3588	2156	2024-12-14_edf9bb88eea12bf1f3db58ac5e01d682_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2156 wrote to memory of 1636	2156	2024-12-14_edf9bb88eea12bf1f3db58ac5e01d682_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2156 wrote to memory of 1636	2156	2024-12-14_edf9bb88eea12bf1f3db58ac5e01d682_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2156 wrote to memory of 2228	2156	2024-12-14_edf9bb88eea12bf1f3db58ac5e01d682_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2156 wrote to memory of 2228	2156	2024-12-14_edf9bb88eea12bf1f3db58ac5e01d682_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2156 wrote to memory of 4992	2156	2024-12-14_edf9bb88eea12bf1f3db58ac5e01d682_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2156 wrote to memory of 4992	2156	2024-12-14_edf9bb88eea12bf1f3db58ac5e01d682_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2156 wrote to memory of 1892	2156	2024-12-14_edf9bb88eea12bf1f3db58ac5e01d682_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2156 wrote to memory of 1892	2156	2024-12-14_edf9bb88eea12bf1f3db58ac5e01d682_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2156 wrote to memory of 4740	2156	2024-12-14_edf9bb88eea12bf1f3db58ac5e01d682_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2156 wrote to memory of 4740	2156	2024-12-14_edf9bb88eea12bf1f3db58ac5e01d682_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2156 wrote to memory of 3652	2156	2024-12-14_edf9bb88eea12bf1f3db58ac5e01d682_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2156 wrote to memory of 3652	2156	2024-12-14_edf9bb88eea12bf1f3db58ac5e01d682_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2156 wrote to memory of 1088	2156	2024-12-14_edf9bb88eea12bf1f3db58ac5e01d682_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2156 wrote to memory of 1088	2156	2024-12-14_edf9bb88eea12bf1f3db58ac5e01d682_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2156 wrote to memory of 2604	2156	2024-12-14_edf9bb88eea12bf1f3db58ac5e01d682_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2156 wrote to memory of 2604	2156	2024-12-14_edf9bb88eea12bf1f3db58ac5e01d682_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2156 wrote to memory of 3620	2156	2024-12-14_edf9bb88eea12bf1f3db58ac5e01d682_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2156 wrote to memory of 3620	2156	2024-12-14_edf9bb88eea12bf1f3db58ac5e01d682_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2156 wrote to memory of 1872	2156	2024-12-14_edf9bb88eea12bf1f3db58ac5e01d682_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2156 wrote to memory of 1872	2156	2024-12-14_edf9bb88eea12bf1f3db58ac5e01d682_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2156 wrote to memory of 4976	2156	2024-12-14_edf9bb88eea12bf1f3db58ac5e01d682_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 2156 wrote to memory of 4976	2156	2024-12-14_edf9bb88eea12bf1f3db58ac5e01d682_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-12-14_edf9bb88eea12bf1f3db58ac5e01d682_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-14_edf9bb88eea12bf1f3db58ac5e01d682_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Windows\System\ogeuPni.exe
  C:\Windows\System\ogeuPni.exe
  2⤵
  - Executes dropped EXE
  PID:1264
- C:\Windows\System\YsAlmVp.exe
  C:\Windows\System\YsAlmVp.exe
  2⤵
  - Executes dropped EXE
  PID:960
- C:\Windows\System\UbAaVGq.exe
  C:\Windows\System\UbAaVGq.exe
  2⤵
  - Executes dropped EXE
  PID:4852
- C:\Windows\System\VkxHiaT.exe
  C:\Windows\System\VkxHiaT.exe
  2⤵
  - Executes dropped EXE
  PID:2272
- C:\Windows\System\TEzyDwA.exe
  C:\Windows\System\TEzyDwA.exe
  2⤵
  - Executes dropped EXE
  PID:4968
- C:\Windows\System\cBZDpox.exe
  C:\Windows\System\cBZDpox.exe
  2⤵
  - Executes dropped EXE
  PID:4624
- C:\Windows\System\seRRqbC.exe
  C:\Windows\System\seRRqbC.exe
  2⤵
  - Executes dropped EXE
  PID:1660
- C:\Windows\System\rVWsZNZ.exe
  C:\Windows\System\rVWsZNZ.exe
  2⤵
  - Executes dropped EXE
  PID:3940
- C:\Windows\System\uKlhEph.exe
  C:\Windows\System\uKlhEph.exe
  2⤵
  - Executes dropped EXE
  PID:4980
- C:\Windows\System\gwyLjpL.exe
  C:\Windows\System\gwyLjpL.exe
  2⤵
  - Executes dropped EXE
  PID:3588
- C:\Windows\System\xxPkPjI.exe
  C:\Windows\System\xxPkPjI.exe
  2⤵
  - Executes dropped EXE
  PID:1636
- C:\Windows\System\jjnCUhi.exe
  C:\Windows\System\jjnCUhi.exe
  2⤵
  - Executes dropped EXE
  PID:2228
- C:\Windows\System\xblIwFM.exe
  C:\Windows\System\xblIwFM.exe
  2⤵
  - Executes dropped EXE
  PID:4992
- C:\Windows\System\uyJVWMv.exe
  C:\Windows\System\uyJVWMv.exe
  2⤵
  - Executes dropped EXE
  PID:1892
- C:\Windows\System\GVSvyhO.exe
  C:\Windows\System\GVSvyhO.exe
  2⤵
  - Executes dropped EXE
  PID:4740
- C:\Windows\System\qPxQyxU.exe
  C:\Windows\System\qPxQyxU.exe
  2⤵
  - Executes dropped EXE
  PID:3652
- C:\Windows\System\vMXOFLM.exe
  C:\Windows\System\vMXOFLM.exe
  2⤵
  - Executes dropped EXE
  PID:1088
- C:\Windows\System\RfqjHDg.exe
  C:\Windows\System\RfqjHDg.exe
  2⤵
  - Executes dropped EXE
  PID:2604
- C:\Windows\System\DQOJtdB.exe
  C:\Windows\System\DQOJtdB.exe
  2⤵
  - Executes dropped EXE
  PID:3620
- C:\Windows\System\KmhEEDl.exe
  C:\Windows\System\KmhEEDl.exe
  2⤵
  - Executes dropped EXE
  PID:1872
- C:\Windows\System\zenAtnV.exe
  C:\Windows\System\zenAtnV.exe
  2⤵
  - Executes dropped EXE
  PID:4976

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\DQOJtdB.exe

Filesize
5.2MB

MD5
ba93b23c62f947c6c77b5d6d4b817076

SHA1
962c41ae258954279f0358432e81de878593c6af

SHA256
edc33716d0c54211578d2e4f1268ee6abef403e4f85e8651730790fd6caaaf3e

SHA512
bee6a48c2e926d62be3a34b0a1775f142ceb0362f72dcba4f9b8962a9a9add53a934b56f415739b8f59150d9ed9a98b8e45362ae196594871e43a4f1c362b823

Download Submit
C:\Windows\System\GVSvyhO.exe

Filesize
5.2MB

MD5
c15b1b893148c286152714c9f117c979

SHA1
f32bfb1a488b8b593061fe6b740d646e4051a1a6

SHA256
79ade8b5f593d42d104824472aa20b61b75487025bddd57d9806bf1ee5def6d0

SHA512
32626e0d4554373573739f978c8c2ca067ab758a6ad293ebea0255a84952dd047649c17ced7a0c3e7b2a5668ac484277bc218cd1ea42b5bd5a3896689914bdfe

Download Submit
C:\Windows\System\KmhEEDl.exe

Filesize
5.2MB

MD5
057c25381d162fe8dd478ab72489e2df

SHA1
f55e5c0a41f7df5732f48b07fcd7765f91aabf0c

SHA256
b07647bb0d2ff70dee5834bc41c989a9adaf6a6ef0fb235d13025335f34db2c2

SHA512
334989af75ffcb0bd7d39073564ab11d040bdd86c20d4acc50836d1546df9c0505132a9e66241555745c60928592a977d991ebbf05029c966a1a155300e045f4

Download Submit
C:\Windows\System\RfqjHDg.exe

Filesize
5.2MB

MD5
cf564c4bc938d79a48743887033921b7

SHA1
a35c7915d7963623668428b89ce2f60946caf219

SHA256
3cf855950283eca25d24113b1a9712c7b49e1508a10b955c3eea386827bf9551

SHA512
27332df66bef38310cf4279dc368418377f1ca11a0c2ce4c656425e735504388960be73e4c6e56f8a8743d5b725bb7e620a67483a4de115a5a6951ca07126dde

Download Submit
C:\Windows\System\TEzyDwA.exe

Filesize
5.2MB

MD5
32986e7b13663e882455de5326df9ac9

SHA1
07e6f993d3e928d64b4f1ef517597ea78e081e29

SHA256
e135a1c247ac70959a8a08d7f2b9a477a7c5c9a4fb0cbfbf44f9516eebf9c948

SHA512
17f5814b99c42f662f76fcbc4ce1c9bb9b92c9c2ff89117c570fa7986732178f3c369c3b50842d0df548f28f9017ba2f6635c42a0f53f76d80bbd06786fc4b90

Download Submit
C:\Windows\System\UbAaVGq.exe

Filesize
5.2MB

MD5
960527c4f4beebbe8b21b946b1ee4991

SHA1
e6311e8b3907d6d4bd63298fee842ce75ee33fb1

SHA256
489c57b427d1b7267b40e33e3dcf12471ccec5872483f714da5c0127731e097a

SHA512
6e4122d424a59936c88e6a02d99ccfc460d84d63fbecb8e6e0038072ecc68c5f2a7d90e7501bf16045803f874c71b3aa4e3075eb3fcf7dcdc82d7eb27c6f2abc

Download Submit
C:\Windows\System\VkxHiaT.exe

Filesize
5.2MB

MD5
d684ef07c9fbe81c5bc4b880feb36a21

SHA1
9ef51ded22b0840d442b6049fa760419c388763b

SHA256
d944f91ef62d60a5aa50415954e529a70076210ab43ed3176c9d11b2246b45bb

SHA512
4f169a8d7a0802ceda439ba40777700ef1c836261b73ab36623ad8b437f80c61a3d8d885762082b1a9f1da06faa64aaccea844c04f021ab71184ebce18ca47e6

Download Submit
C:\Windows\System\YsAlmVp.exe

Filesize
5.2MB

MD5
a1b22e064e978914470a071b876b6977

SHA1
0ee6671d54631aa7a21ead86e74af8d3b27a3f9b

SHA256
8a2e11e49050f9638e8f7697db3932a7494453c0a8cab4adfa6c8077fc213e2b

SHA512
d78a65df28614c8627d477a2deeed474c2576a1ef6b6585ce0989502a6d7f6c688e92d8bc9cbd1759d16be44c383091b8d7f450237f4da8acfa931f71358d78c

Download Submit
C:\Windows\System\cBZDpox.exe

Filesize
5.2MB

MD5
aa493267377c7c94056a6645c514cbcb

SHA1
dc95294614ec8a697182aa6ccfa604075f697f41

SHA256
df7a9c67ceffdde7dc8144cfca5682a37bf09ffadece4650c43f9f6ad15803af

SHA512
d279adf6d18791281856841e24f518a783fd594a2d0d288af90acddd528a5d4d50372086edbbf5d3958423b954b026581a099f1c06130e7e0659404fe0904b97

Download Submit
C:\Windows\System\gwyLjpL.exe

Filesize
5.2MB

MD5
5da69c818bf26cef166118930e79f9f5

SHA1
c8dffc8b0b4db72097fbdff568bd6ba81c421007

SHA256
4a48a20567e7a6b699f4cd2b32d018130859c7ca4191b76b6d2a82b4c8ea5be9

SHA512
704d8bf228feee0a929d7f536d6d4e412c281ce198ad3137824fc87f9cdac1265d357900ca8f6ba11db67d1f323cc604903e68159212f15d5166fa2ea44d1bcb

Download Submit
C:\Windows\System\jjnCUhi.exe

Filesize
5.2MB

MD5
4e047b4664b9bb19bfa46c2e76e42470

SHA1
508c7d59638bd943057749c85181f27b5901dcc7

SHA256
0a669665ad585b4aa6694b9e6178a664edfe60bb9a8296f572e88551142a7591

SHA512
1aad820256931a24c6411300d9cbb53b5f4f1f7717a09904f4a5bc08ff2fbf39e2d344b344bf0759bd2f6640e03d9e5a915ba273b80e7583e537ef6bb08490ae

Download Submit
C:\Windows\System\ogeuPni.exe

Filesize
5.2MB

MD5
9e99f1ae922d9993e575994512676d6d

SHA1
a3c144883ca2b059bf5c0f293c55ace780d3fe83

SHA256
3dae60bd8867bb5e41dfc675e840b7555457c552addc382ee1a028f4c6574043

SHA512
7777418a625e758cf7aa5c72b0c2a218259d79c6bbec0226b7b07b29362afac157d482b503befd1ed687539bfd519e77960b10200a79f8414ac0388f6dd2a76c

Download Submit
C:\Windows\System\qPxQyxU.exe

Filesize
5.2MB

MD5
8a50b6c61164eaa1f769ec930ad2935c

SHA1
1c54ad26cb8dbbcb78d75134297edebe00d6db89

SHA256
d0a7cc3460c91d0277ebc385925d4d405d7d23bba33a33faef0f59667201540a

SHA512
94d4497917465bac4344c359f9f0a88966745572c0b6fb031eb08f3919023d724c0043b4f75ddc31ae06f17cfbda3d618baee849f3dd918d28ab4c5f7fc723c0

Download Submit
C:\Windows\System\rVWsZNZ.exe

Filesize
5.2MB

MD5
b18e8400c0e686ae40f67ebcc385fbbc

SHA1
30b0cc4ebf64fd9e4762fb9384533cc3a742a597

SHA256
4cf85d7023d083f56bb2f1f83e1d12b12b03d41bfac13e5a8a67c531a88c2902

SHA512
02c6e9839aad9317411ed58a565a66245c34af78352f016c53f3dbb7d7540d849634fb44f7679d14afcb4327c4c7ede8727afdb61b94c6550a2b81a05c0e19e1

Download Submit
C:\Windows\System\seRRqbC.exe

Filesize
5.2MB

MD5
47beb41c2624a9f6482e71aa2f4d7bc3

SHA1
06e034c1528ba2423d9d543768f4fcdd953208cf

SHA256
e65a3469cf98fde4ae66bdfcdd69a040d73b454e290692176e7f93c530c079c5

SHA512
84922ddaaed305564fd23f6625ce6e025d3b54f3f67e9474fe9d5b48307fc55013ad2554ffd4119cc295bd44820033b1fca6ab31703d64809ecc92a53afe2c16

Download Submit
C:\Windows\System\uKlhEph.exe

Filesize
5.2MB

MD5
7c3ff20ebedaf7af583e4154406f3b6d

SHA1
d70fbe575e9c3d3d4f5fb5a5138b81f3a483dd7b

SHA256
e00c89722b7c05ee3bdd4a0ca529da93e11be13554de0cbf2930e041443163ed

SHA512
8db8a7cfa703915b7152fb2ddf192709da8e14b35916ad5cc3177ac06cf1787e84dbbd80cb933e2defce06796d3d6359db14a112f78b862daac6aec3d2a43aa5

Download Submit
C:\Windows\System\uyJVWMv.exe

Filesize
5.2MB

MD5
2faa5a32aad016064bf36a6f2f7019c7

SHA1
90b5a31a97a57d62593026be8d308376948460d8

SHA256
df5aa7dfeecfcfb764a0356ec0f5592c5aa99d3203b2432a44c3bc6cf11e63af

SHA512
be240460e8ea3fcf2172111d5ba99490b866aaaa01cf1cd341c81ab61a7381efa920f6c5bc9d160fd3c6e7c075ad4507b241298f3b6a5aac61a3ff3f2df6d74e

Download Submit
C:\Windows\System\vMXOFLM.exe

Filesize
5.2MB

MD5
abcb0a4474dc7f6fced4c3029cb46c55

SHA1
c9b47622efbcd4457ad54d439fc2e72115014dc3

SHA256
3227be26e2b805f47c9a1c4430f61a846f1a1ec0f7c4afa213c0c99086e61c15

SHA512
d4d59c4d1baf4ecac0d44e9c963691c05633091989fa78ae409fd6af185998b2c062f7b0972d18ff03d6a1803f67c2b21468fb89e71682054c37fb8ce9e3654d

Download Submit
C:\Windows\System\xblIwFM.exe

Filesize
5.2MB

MD5
c5ef48ba2a64a5a119cd133f18037a5c

SHA1
7336b46f056b86251ab02a120359df0522c20545

SHA256
70b59e12a495e7bdcdaf177a8b329a93360c64aca6d69b3a56dc0118d9a33537

SHA512
556495b150cc33ffc0988a24d62af2886fe087a9c566e36306d86f07458e3fd641ca89bc1b452914791763f15004de6f64777a9182058c3b5910e3360032ef8a

Download Submit
C:\Windows\System\xxPkPjI.exe

Filesize
5.2MB

MD5
44eb806bde0bfbd362f206f06dd63bc9

SHA1
cb43aadf80f6bfe250b55c778ff6e0fc40b0be60

SHA256
2682c9dfec86152b82198f286557c92722af903a24034a6c3b4df26df49602ad

SHA512
95cc02bdb9c8f9191a12b3e0f6bb2b349c03180b1f3b5580fd9a9c583098b25c5a57fe34e1102dd4136dbdd130961092a9d84f4b07e0ec764bba0f0b7c91336b

Download Submit
C:\Windows\System\zenAtnV.exe

Filesize
5.2MB

MD5
7581bfcee4597034f385897d5ac0a344

SHA1
527774a696d0bfb62c1649a501f19c0d65084188

SHA256
948c1d554caa93aee142c17a7f60545bf2593aeba8a597c0a8ef1249c732be5a

SHA512
815affb354109d85feb0c23d97eeb500864715902568cbd2a744c08bbfff2b2372c04acef7a921953be541bdead279651338e836d8ba1ce4aabdb34d70713372

Download Submit
memory/960-221-0x00007FF6C5880000-0x00007FF6C5BD1000-memory.dmp

Filesize
3.3MB

Download
memory/960-16-0x00007FF6C5880000-0x00007FF6C5BD1000-memory.dmp

Filesize
3.3MB

Download
memory/1088-114-0x00007FF7097B0000-0x00007FF709B01000-memory.dmp

Filesize
3.3MB

Download
memory/1088-274-0x00007FF7097B0000-0x00007FF709B01000-memory.dmp

Filesize
3.3MB

Download
memory/1088-160-0x00007FF7097B0000-0x00007FF709B01000-memory.dmp

Filesize
3.3MB

Download
memory/1264-61-0x00007FF7E1EF0000-0x00007FF7E2241000-memory.dmp

Filesize
3.3MB

Download
memory/1264-219-0x00007FF7E1EF0000-0x00007FF7E2241000-memory.dmp

Filesize
3.3MB

Download
memory/1264-7-0x00007FF7E1EF0000-0x00007FF7E2241000-memory.dmp

Filesize
3.3MB

Download
memory/1636-245-0x00007FF6B7BC0000-0x00007FF6B7F11000-memory.dmp

Filesize
3.3MB

Download
memory/1636-133-0x00007FF6B7BC0000-0x00007FF6B7F11000-memory.dmp

Filesize
3.3MB

Download
memory/1636-68-0x00007FF6B7BC0000-0x00007FF6B7F11000-memory.dmp

Filesize
3.3MB

Download
memory/1660-235-0x00007FF6CC950000-0x00007FF6CCCA1000-memory.dmp

Filesize
3.3MB

Download
memory/1660-110-0x00007FF6CC950000-0x00007FF6CCCA1000-memory.dmp

Filesize
3.3MB

Download
memory/1660-44-0x00007FF6CC950000-0x00007FF6CCCA1000-memory.dmp

Filesize
3.3MB

Download
memory/1872-269-0x00007FF78DD80000-0x00007FF78E0D1000-memory.dmp

Filesize
3.3MB

Download
memory/1872-164-0x00007FF78DD80000-0x00007FF78E0D1000-memory.dmp

Filesize
3.3MB

Download
memory/1872-129-0x00007FF78DD80000-0x00007FF78E0D1000-memory.dmp

Filesize
3.3MB

Download
memory/1892-259-0x00007FF706E30000-0x00007FF707181000-memory.dmp

Filesize
3.3MB

Download
memory/1892-151-0x00007FF706E30000-0x00007FF707181000-memory.dmp

Filesize
3.3MB

Download
memory/1892-89-0x00007FF706E30000-0x00007FF707181000-memory.dmp

Filesize
3.3MB

Download
memory/2156-1-0x000001E455810000-0x000001E455820000-memory.dmp

Filesize
64KB

Download
memory/2156-166-0x00007FF6A8010000-0x00007FF6A8361000-memory.dmp

Filesize
3.3MB

Download
memory/2156-54-0x00007FF6A8010000-0x00007FF6A8361000-memory.dmp

Filesize
3.3MB

Download
memory/2156-137-0x00007FF6A8010000-0x00007FF6A8361000-memory.dmp

Filesize
3.3MB

Download
memory/2156-0-0x00007FF6A8010000-0x00007FF6A8361000-memory.dmp

Filesize
3.3MB

Download
memory/2228-144-0x00007FF701030000-0x00007FF701381000-memory.dmp

Filesize
3.3MB

Download
memory/2228-76-0x00007FF701030000-0x00007FF701381000-memory.dmp

Filesize
3.3MB

Download
memory/2228-255-0x00007FF701030000-0x00007FF701381000-memory.dmp

Filesize
3.3MB

Download
memory/2272-78-0x00007FF6A5900000-0x00007FF6A5C51000-memory.dmp

Filesize
3.3MB

Download
memory/2272-25-0x00007FF6A5900000-0x00007FF6A5C51000-memory.dmp

Filesize
3.3MB

Download
memory/2272-225-0x00007FF6A5900000-0x00007FF6A5C51000-memory.dmp

Filesize
3.3MB

Download
memory/2604-161-0x00007FF765690000-0x00007FF7659E1000-memory.dmp

Filesize
3.3MB

Download
memory/2604-265-0x00007FF765690000-0x00007FF7659E1000-memory.dmp

Filesize
3.3MB

Download
memory/2604-116-0x00007FF765690000-0x00007FF7659E1000-memory.dmp

Filesize
3.3MB

Download
memory/3588-62-0x00007FF77D820000-0x00007FF77DB71000-memory.dmp

Filesize
3.3MB

Download
memory/3588-243-0x00007FF77D820000-0x00007FF77DB71000-memory.dmp

Filesize
3.3MB

Download
memory/3588-128-0x00007FF77D820000-0x00007FF77DB71000-memory.dmp

Filesize
3.3MB

Download
memory/3620-123-0x00007FF6DE400000-0x00007FF6DE751000-memory.dmp

Filesize
3.3MB

Download
memory/3620-268-0x00007FF6DE400000-0x00007FF6DE751000-memory.dmp

Filesize
3.3MB

Download
memory/3620-162-0x00007FF6DE400000-0x00007FF6DE751000-memory.dmp

Filesize
3.3MB

Download
memory/3652-263-0x00007FF6D2200000-0x00007FF6D2551000-memory.dmp

Filesize
3.3MB

Download
memory/3652-163-0x00007FF6D2200000-0x00007FF6D2551000-memory.dmp

Filesize
3.3MB

Download
memory/3652-104-0x00007FF6D2200000-0x00007FF6D2551000-memory.dmp

Filesize
3.3MB

Download
memory/3940-48-0x00007FF672320000-0x00007FF672671000-memory.dmp

Filesize
3.3MB

Download
memory/3940-237-0x00007FF672320000-0x00007FF672671000-memory.dmp

Filesize
3.3MB

Download
memory/3940-115-0x00007FF672320000-0x00007FF672671000-memory.dmp

Filesize
3.3MB

Download
memory/4624-36-0x00007FF7FD650000-0x00007FF7FD9A1000-memory.dmp

Filesize
3.3MB

Download
memory/4624-95-0x00007FF7FD650000-0x00007FF7FD9A1000-memory.dmp

Filesize
3.3MB

Download
memory/4624-227-0x00007FF7FD650000-0x00007FF7FD9A1000-memory.dmp

Filesize
3.3MB

Download
memory/4740-261-0x00007FF71BEB0000-0x00007FF71C201000-memory.dmp

Filesize
3.3MB

Download
memory/4740-96-0x00007FF71BEB0000-0x00007FF71C201000-memory.dmp

Filesize
3.3MB

Download
memory/4740-154-0x00007FF71BEB0000-0x00007FF71C201000-memory.dmp

Filesize
3.3MB

Download
memory/4852-74-0x00007FF7EB310000-0x00007FF7EB661000-memory.dmp

Filesize
3.3MB

Download
memory/4852-223-0x00007FF7EB310000-0x00007FF7EB661000-memory.dmp

Filesize
3.3MB

Download
memory/4852-18-0x00007FF7EB310000-0x00007FF7EB661000-memory.dmp

Filesize
3.3MB

Download
memory/4968-79-0x00007FF703240000-0x00007FF703591000-memory.dmp

Filesize
3.3MB

Download
memory/4968-229-0x00007FF703240000-0x00007FF703591000-memory.dmp

Filesize
3.3MB

Download
memory/4968-35-0x00007FF703240000-0x00007FF703591000-memory.dmp

Filesize
3.3MB

Download
memory/4976-165-0x00007FF780A70000-0x00007FF780DC1000-memory.dmp

Filesize
3.3MB

Download
memory/4976-134-0x00007FF780A70000-0x00007FF780DC1000-memory.dmp

Filesize
3.3MB

Download
memory/4976-271-0x00007FF780A70000-0x00007FF780DC1000-memory.dmp

Filesize
3.3MB

Download
memory/4980-55-0x00007FF7C3500000-0x00007FF7C3851000-memory.dmp

Filesize
3.3MB

Download
memory/4980-239-0x00007FF7C3500000-0x00007FF7C3851000-memory.dmp

Filesize
3.3MB

Download
memory/4980-122-0x00007FF7C3500000-0x00007FF7C3851000-memory.dmp

Filesize
3.3MB

Download
memory/4992-80-0x00007FF688A00000-0x00007FF688D51000-memory.dmp

Filesize
3.3MB

Download
memory/4992-257-0x00007FF688A00000-0x00007FF688D51000-memory.dmp

Filesize
3.3MB

Download
memory/4992-147-0x00007FF688A00000-0x00007FF688D51000-memory.dmp

Filesize
3.3MB

Download