cobaltstrike | da57c78e16e538c54d1060d07b21200ee3f67996073fabf35b23ca9b0e58bab1

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14-12-2024 03:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

63aca0f86e1e0ba50843f68f1421b223
SHA1

5fa3daf44d87ad19861341c4ccff8d857f488d6e
SHA256

da57c78e16e538c54d1060d07b21200ee3f67996073fabf35b23ca9b0e58bab1
SHA512

8fecbdecfaecf83250496d1c4803f261be51f0372a556a57a84df370f7d0ea8c03d2492ba0e26a9950221209fc92ec325d25e2ea70056330d5afb649728f1715
SSDEEP

49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l+:RWWBibd56utgpPFotBER/mQ32lUq

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000c000000023b7e-5.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b86-9.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b85-16.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b87-19.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b88-41.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8a-51.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8b-45.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8c-50.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b89-40.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8d-56.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8f-62.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b90-71.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b92-83.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b91-95.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b93-104.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b97-113.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b95-117.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b94-110.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b96-109.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b82-107.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8e-87.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 44 IoCs

miner

resource	yara_rule
behavioral2/memory/908-125-0x00007FF6CB000000-0x00007FF6CB351000-memory.dmp	xmrig
behavioral2/memory/3980-127-0x00007FF6AAA10000-0x00007FF6AAD61000-memory.dmp	xmrig
behavioral2/memory/1612-126-0x00007FF757BF0000-0x00007FF757F41000-memory.dmp	xmrig
behavioral2/memory/2092-124-0x00007FF62C830000-0x00007FF62CB81000-memory.dmp	xmrig
behavioral2/memory/2776-123-0x00007FF744070000-0x00007FF7443C1000-memory.dmp	xmrig
behavioral2/memory/660-131-0x00007FF7029F0000-0x00007FF702D41000-memory.dmp	xmrig
behavioral2/memory/1580-133-0x00007FF64E210000-0x00007FF64E561000-memory.dmp	xmrig
behavioral2/memory/2012-149-0x00007FF696710000-0x00007FF696A61000-memory.dmp	xmrig
behavioral2/memory/4984-147-0x00007FF7D28B0000-0x00007FF7D2C01000-memory.dmp	xmrig
behavioral2/memory/5012-146-0x00007FF6BA100000-0x00007FF6BA451000-memory.dmp	xmrig
behavioral2/memory/3096-144-0x00007FF725680000-0x00007FF7259D1000-memory.dmp	xmrig
behavioral2/memory/4924-142-0x00007FF6C4E20000-0x00007FF6C5171000-memory.dmp	xmrig
behavioral2/memory/1632-138-0x00007FF66DFF0000-0x00007FF66E341000-memory.dmp	xmrig
behavioral2/memory/4836-135-0x00007FF7AEEB0000-0x00007FF7AF201000-memory.dmp	xmrig
behavioral2/memory/1044-134-0x00007FF6DE960000-0x00007FF6DECB1000-memory.dmp	xmrig
behavioral2/memory/4640-132-0x00007FF7DBE60000-0x00007FF7DC1B1000-memory.dmp	xmrig
behavioral2/memory/5048-130-0x00007FF798870000-0x00007FF798BC1000-memory.dmp	xmrig
behavioral2/memory/4904-129-0x00007FF6CFE60000-0x00007FF6D01B1000-memory.dmp	xmrig
behavioral2/memory/2068-145-0x00007FF6375B0000-0x00007FF637901000-memory.dmp	xmrig
behavioral2/memory/3048-140-0x00007FF697210000-0x00007FF697561000-memory.dmp	xmrig
behavioral2/memory/3176-128-0x00007FF727D80000-0x00007FF7280D1000-memory.dmp	xmrig
behavioral2/memory/2468-136-0x00007FF72EA90000-0x00007FF72EDE1000-memory.dmp	xmrig
behavioral2/memory/3176-150-0x00007FF727D80000-0x00007FF7280D1000-memory.dmp	xmrig
behavioral2/memory/4904-211-0x00007FF6CFE60000-0x00007FF6D01B1000-memory.dmp	xmrig
behavioral2/memory/660-213-0x00007FF7029F0000-0x00007FF702D41000-memory.dmp	xmrig
behavioral2/memory/5048-215-0x00007FF798870000-0x00007FF798BC1000-memory.dmp	xmrig
behavioral2/memory/4640-217-0x00007FF7DBE60000-0x00007FF7DC1B1000-memory.dmp	xmrig
behavioral2/memory/1580-219-0x00007FF64E210000-0x00007FF64E561000-memory.dmp	xmrig
behavioral2/memory/2468-224-0x00007FF72EA90000-0x00007FF72EDE1000-memory.dmp	xmrig
behavioral2/memory/4836-225-0x00007FF7AEEB0000-0x00007FF7AF201000-memory.dmp	xmrig
behavioral2/memory/1044-222-0x00007FF6DE960000-0x00007FF6DECB1000-memory.dmp	xmrig
behavioral2/memory/3048-234-0x00007FF697210000-0x00007FF697561000-memory.dmp	xmrig
behavioral2/memory/1612-245-0x00007FF757BF0000-0x00007FF757F41000-memory.dmp	xmrig
behavioral2/memory/3096-251-0x00007FF725680000-0x00007FF7259D1000-memory.dmp	xmrig
behavioral2/memory/2068-253-0x00007FF6375B0000-0x00007FF637901000-memory.dmp	xmrig
behavioral2/memory/3980-249-0x00007FF6AAA10000-0x00007FF6AAD61000-memory.dmp	xmrig
behavioral2/memory/5012-247-0x00007FF6BA100000-0x00007FF6BA451000-memory.dmp	xmrig
behavioral2/memory/2092-244-0x00007FF62C830000-0x00007FF62CB81000-memory.dmp	xmrig
behavioral2/memory/908-241-0x00007FF6CB000000-0x00007FF6CB351000-memory.dmp	xmrig
behavioral2/memory/4924-240-0x00007FF6C4E20000-0x00007FF6C5171000-memory.dmp	xmrig
behavioral2/memory/1632-237-0x00007FF66DFF0000-0x00007FF66E341000-memory.dmp	xmrig
behavioral2/memory/2776-236-0x00007FF744070000-0x00007FF7443C1000-memory.dmp	xmrig
behavioral2/memory/4984-257-0x00007FF7D28B0000-0x00007FF7D2C01000-memory.dmp	xmrig
behavioral2/memory/2012-256-0x00007FF696710000-0x00007FF696A61000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4904	HxSoIpS.exe
5048	zkmqDSI.exe
660	wXgvkRo.exe
4640	HDclKwI.exe
1580	jFnMRkC.exe
1044	gbPzlFW.exe
4836	QFqBCAH.exe
2468	PvqaYqw.exe
2776	vUVPBra.exe
1632	VIuIoDQ.exe
2092	VcjQApR.exe
3048	sptBOyQ.exe
908	fqYwVUI.exe
4924	jBlmNHq.exe
1612	rpdWfCT.exe
3096	UAvYmeg.exe
2068	TUtCSQV.exe
5012	KCjqwgw.exe
4984	LDXJTXX.exe
3980	snfDJXJ.exe
2012	omskZvI.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3176-0-0x00007FF727D80000-0x00007FF7280D1000-memory.dmp	upx
behavioral2/files/0x000c000000023b7e-5.dat	upx
behavioral2/memory/4904-7-0x00007FF6CFE60000-0x00007FF6D01B1000-memory.dmp	upx
behavioral2/files/0x000a000000023b86-9.dat	upx
behavioral2/files/0x000a000000023b85-16.dat	upx
behavioral2/files/0x000a000000023b87-19.dat	upx
behavioral2/files/0x000a000000023b88-41.dat	upx
behavioral2/files/0x000a000000023b8a-51.dat	upx
behavioral2/memory/4836-49-0x00007FF7AEEB0000-0x00007FF7AF201000-memory.dmp	upx
behavioral2/files/0x000a000000023b8b-45.dat	upx
behavioral2/files/0x000a000000023b8c-50.dat	upx
behavioral2/memory/1580-39-0x00007FF64E210000-0x00007FF64E561000-memory.dmp	upx
behavioral2/files/0x000a000000023b89-40.dat	upx
behavioral2/memory/1044-31-0x00007FF6DE960000-0x00007FF6DECB1000-memory.dmp	upx
behavioral2/memory/4640-30-0x00007FF7DBE60000-0x00007FF7DC1B1000-memory.dmp	upx
behavioral2/memory/660-26-0x00007FF7029F0000-0x00007FF702D41000-memory.dmp	upx
behavioral2/memory/5048-14-0x00007FF798870000-0x00007FF798BC1000-memory.dmp	upx
behavioral2/files/0x000a000000023b8d-56.dat	upx
behavioral2/files/0x000a000000023b8f-62.dat	upx
behavioral2/files/0x000a000000023b90-71.dat	upx
behavioral2/files/0x000a000000023b92-83.dat	upx
behavioral2/files/0x000a000000023b91-95.dat	upx
behavioral2/files/0x000a000000023b93-104.dat	upx
behavioral2/files/0x000a000000023b97-113.dat	upx
behavioral2/memory/4984-119-0x00007FF7D28B0000-0x00007FF7D2C01000-memory.dmp	upx
behavioral2/memory/908-125-0x00007FF6CB000000-0x00007FF6CB351000-memory.dmp	upx
behavioral2/memory/3980-127-0x00007FF6AAA10000-0x00007FF6AAD61000-memory.dmp	upx
behavioral2/memory/1612-126-0x00007FF757BF0000-0x00007FF757F41000-memory.dmp	upx
behavioral2/memory/2092-124-0x00007FF62C830000-0x00007FF62CB81000-memory.dmp	upx
behavioral2/memory/2776-123-0x00007FF744070000-0x00007FF7443C1000-memory.dmp	upx
behavioral2/memory/2012-122-0x00007FF696710000-0x00007FF696A61000-memory.dmp	upx
behavioral2/files/0x000a000000023b95-117.dat	upx
behavioral2/memory/5012-116-0x00007FF6BA100000-0x00007FF6BA451000-memory.dmp	upx
behavioral2/files/0x000a000000023b94-110.dat	upx
behavioral2/files/0x000a000000023b96-109.dat	upx
behavioral2/files/0x000b000000023b82-107.dat	upx
behavioral2/memory/2068-106-0x00007FF6375B0000-0x00007FF637901000-memory.dmp	upx
behavioral2/memory/3096-99-0x00007FF725680000-0x00007FF7259D1000-memory.dmp	upx
behavioral2/memory/4924-98-0x00007FF6C4E20000-0x00007FF6C5171000-memory.dmp	upx
behavioral2/files/0x000a000000023b8e-87.dat	upx
behavioral2/memory/3048-80-0x00007FF697210000-0x00007FF697561000-memory.dmp	upx
behavioral2/memory/1632-66-0x00007FF66DFF0000-0x00007FF66E341000-memory.dmp	upx
behavioral2/memory/2468-58-0x00007FF72EA90000-0x00007FF72EDE1000-memory.dmp	upx
behavioral2/memory/660-131-0x00007FF7029F0000-0x00007FF702D41000-memory.dmp	upx
behavioral2/memory/1580-133-0x00007FF64E210000-0x00007FF64E561000-memory.dmp	upx
behavioral2/memory/2012-149-0x00007FF696710000-0x00007FF696A61000-memory.dmp	upx
behavioral2/memory/4984-147-0x00007FF7D28B0000-0x00007FF7D2C01000-memory.dmp	upx
behavioral2/memory/5012-146-0x00007FF6BA100000-0x00007FF6BA451000-memory.dmp	upx
behavioral2/memory/3096-144-0x00007FF725680000-0x00007FF7259D1000-memory.dmp	upx
behavioral2/memory/4924-142-0x00007FF6C4E20000-0x00007FF6C5171000-memory.dmp	upx
behavioral2/memory/1632-138-0x00007FF66DFF0000-0x00007FF66E341000-memory.dmp	upx
behavioral2/memory/4836-135-0x00007FF7AEEB0000-0x00007FF7AF201000-memory.dmp	upx
behavioral2/memory/1044-134-0x00007FF6DE960000-0x00007FF6DECB1000-memory.dmp	upx
behavioral2/memory/4640-132-0x00007FF7DBE60000-0x00007FF7DC1B1000-memory.dmp	upx
behavioral2/memory/5048-130-0x00007FF798870000-0x00007FF798BC1000-memory.dmp	upx
behavioral2/memory/4904-129-0x00007FF6CFE60000-0x00007FF6D01B1000-memory.dmp	upx
behavioral2/memory/2068-145-0x00007FF6375B0000-0x00007FF637901000-memory.dmp	upx
behavioral2/memory/3048-140-0x00007FF697210000-0x00007FF697561000-memory.dmp	upx
behavioral2/memory/3176-128-0x00007FF727D80000-0x00007FF7280D1000-memory.dmp	upx
behavioral2/memory/2468-136-0x00007FF72EA90000-0x00007FF72EDE1000-memory.dmp	upx
behavioral2/memory/3176-150-0x00007FF727D80000-0x00007FF7280D1000-memory.dmp	upx
behavioral2/memory/4904-211-0x00007FF6CFE60000-0x00007FF6D01B1000-memory.dmp	upx
behavioral2/memory/660-213-0x00007FF7029F0000-0x00007FF702D41000-memory.dmp	upx
behavioral2/memory/5048-215-0x00007FF798870000-0x00007FF798BC1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\VIuIoDQ.exe	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TUtCSQV.exe	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wXgvkRo.exe	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HDclKwI.exe	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jFnMRkC.exe	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gbPzlFW.exe	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QFqBCAH.exe	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PvqaYqw.exe	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HxSoIpS.exe	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zkmqDSI.exe	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jBlmNHq.exe	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UAvYmeg.exe	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LDXJTXX.exe	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VcjQApR.exe	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sptBOyQ.exe	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\omskZvI.exe	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rpdWfCT.exe	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KCjqwgw.exe	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\snfDJXJ.exe	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vUVPBra.exe	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fqYwVUI.exe	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3176	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	3176	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3176 wrote to memory of 4904	3176	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3176 wrote to memory of 4904	3176	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3176 wrote to memory of 5048	3176	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3176 wrote to memory of 5048	3176	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3176 wrote to memory of 660	3176	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3176 wrote to memory of 660	3176	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3176 wrote to memory of 4640	3176	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3176 wrote to memory of 4640	3176	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3176 wrote to memory of 1580	3176	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3176 wrote to memory of 1580	3176	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3176 wrote to memory of 1044	3176	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3176 wrote to memory of 1044	3176	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3176 wrote to memory of 4836	3176	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3176 wrote to memory of 4836	3176	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3176 wrote to memory of 2468	3176	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3176 wrote to memory of 2468	3176	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3176 wrote to memory of 2776	3176	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3176 wrote to memory of 2776	3176	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3176 wrote to memory of 1632	3176	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3176 wrote to memory of 1632	3176	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3176 wrote to memory of 2092	3176	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3176 wrote to memory of 2092	3176	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3176 wrote to memory of 3048	3176	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3176 wrote to memory of 3048	3176	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3176 wrote to memory of 908	3176	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3176 wrote to memory of 908	3176	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3176 wrote to memory of 4924	3176	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3176 wrote to memory of 4924	3176	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3176 wrote to memory of 1612	3176	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3176 wrote to memory of 1612	3176	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3176 wrote to memory of 3096	3176	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3176 wrote to memory of 3096	3176	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3176 wrote to memory of 2068	3176	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3176 wrote to memory of 2068	3176	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3176 wrote to memory of 5012	3176	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3176 wrote to memory of 5012	3176	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3176 wrote to memory of 4984	3176	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3176 wrote to memory of 4984	3176	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3176 wrote to memory of 3980	3176	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3176 wrote to memory of 3980	3176	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3176 wrote to memory of 2012	3176	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 3176 wrote to memory of 2012	3176	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3176
- C:\Windows\System\HxSoIpS.exe
  C:\Windows\System\HxSoIpS.exe
  2⤵
  - Executes dropped EXE
  PID:4904
- C:\Windows\System\zkmqDSI.exe
  C:\Windows\System\zkmqDSI.exe
  2⤵
  - Executes dropped EXE
  PID:5048
- C:\Windows\System\wXgvkRo.exe
  C:\Windows\System\wXgvkRo.exe
  2⤵
  - Executes dropped EXE
  PID:660
- C:\Windows\System\HDclKwI.exe
  C:\Windows\System\HDclKwI.exe
  2⤵
  - Executes dropped EXE
  PID:4640
- C:\Windows\System\jFnMRkC.exe
  C:\Windows\System\jFnMRkC.exe
  2⤵
  - Executes dropped EXE
  PID:1580
- C:\Windows\System\gbPzlFW.exe
  C:\Windows\System\gbPzlFW.exe
  2⤵
  - Executes dropped EXE
  PID:1044
- C:\Windows\System\QFqBCAH.exe
  C:\Windows\System\QFqBCAH.exe
  2⤵
  - Executes dropped EXE
  PID:4836
- C:\Windows\System\PvqaYqw.exe
  C:\Windows\System\PvqaYqw.exe
  2⤵
  - Executes dropped EXE
  PID:2468
- C:\Windows\System\vUVPBra.exe
  C:\Windows\System\vUVPBra.exe
  2⤵
  - Executes dropped EXE
  PID:2776
- C:\Windows\System\VIuIoDQ.exe
  C:\Windows\System\VIuIoDQ.exe
  2⤵
  - Executes dropped EXE
  PID:1632
- C:\Windows\System\VcjQApR.exe
  C:\Windows\System\VcjQApR.exe
  2⤵
  - Executes dropped EXE
  PID:2092
- C:\Windows\System\sptBOyQ.exe
  C:\Windows\System\sptBOyQ.exe
  2⤵
  - Executes dropped EXE
  PID:3048
- C:\Windows\System\fqYwVUI.exe
  C:\Windows\System\fqYwVUI.exe
  2⤵
  - Executes dropped EXE
  PID:908
- C:\Windows\System\jBlmNHq.exe
  C:\Windows\System\jBlmNHq.exe
  2⤵
  - Executes dropped EXE
  PID:4924
- C:\Windows\System\rpdWfCT.exe
  C:\Windows\System\rpdWfCT.exe
  2⤵
  - Executes dropped EXE
  PID:1612
- C:\Windows\System\UAvYmeg.exe
  C:\Windows\System\UAvYmeg.exe
  2⤵
  - Executes dropped EXE
  PID:3096
- C:\Windows\System\TUtCSQV.exe
  C:\Windows\System\TUtCSQV.exe
  2⤵
  - Executes dropped EXE
  PID:2068
- C:\Windows\System\KCjqwgw.exe
  C:\Windows\System\KCjqwgw.exe
  2⤵
  - Executes dropped EXE
  PID:5012
- C:\Windows\System\LDXJTXX.exe
  C:\Windows\System\LDXJTXX.exe
  2⤵
  - Executes dropped EXE
  PID:4984
- C:\Windows\System\snfDJXJ.exe
  C:\Windows\System\snfDJXJ.exe
  2⤵
  - Executes dropped EXE
  PID:3980
- C:\Windows\System\omskZvI.exe
  C:\Windows\System\omskZvI.exe
  2⤵
  - Executes dropped EXE
  PID:2012

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\HDclKwI.exe

Filesize
5.2MB

MD5
489baf6b69d2cec01d0734850776afb0

SHA1
78314a01a4879d3931e68f49e54d16cc80a92e81

SHA256
918c1594cf851fdf9f8d8c20fe26ea3b5b04ee5710e043f4b0cb0034cf935ffa

SHA512
afabaa9ac8700f5f8a9d1beba87d57f90a79a6b15de39dab63560957af92d7b5c414c488391b83ed8afd7f245a05196a995821120fb00ef036229d23269e77c7

Download Submit
C:\Windows\System\HxSoIpS.exe

Filesize
5.2MB

MD5
39fbd3eb0011f216172bb157c74d352a

SHA1
c6a74d4b83e96481b62e52c9a5390e4e730914c4

SHA256
79239db8973d7d2b680596888483dcbdfdbbaa710c23de62c964397db229ceca

SHA512
4dc28f0fbb49ce7ca1c0c83c47072e0aae99ff9cb547e91bf097124ccbd83f7526702a69c69b4e8940c0d2633407744f39bcc516689e169128cf913317532b27

Download Submit
C:\Windows\System\KCjqwgw.exe

Filesize
5.2MB

MD5
93bf6fe65a3c9661ea7ccabfdbb4383c

SHA1
6f31c96419deb26ab446a93d9b0145060789b80a

SHA256
2adf43031f87eae5cc3e10febaed7d01282ae32d875ee10351e29f08d52a8b76

SHA512
3614de4abb4e5657099eff54f752e7b50759794c13c9317f2beef2037a86f46d2e0f6a9b070781d27fcc91b686afd1ea66259c0ed621b0f245550e02a1eb4762

Download Submit
C:\Windows\System\LDXJTXX.exe

Filesize
5.2MB

MD5
245d063c90205b5ab51983f32a7f4ffa

SHA1
82d9a26ef93178a8c81463efc894af63703fe817

SHA256
4abee899859b7a551584a6e7f01e09b46b14d569a1d5831d4f4d0d373840668f

SHA512
46170d55f7a38b8ef7a2c478c6c9e069567943db542ff28f1ad324e56cf3d37763f8833a9abbd4cef9ead434bc2be86ae1a2a7fa62f38611162ff33450ed89a1

Download Submit
C:\Windows\System\PvqaYqw.exe

Filesize
5.2MB

MD5
d90a4f756f64b315e26ea3260be2f58f

SHA1
7de543e61fe7e8a5a146efaf290ec8c2892f4046

SHA256
86fb5b6adb4b2b44ede997caabd52dc2eac0a14a1a42e2ec1f13a0db4bf1ebd7

SHA512
d7e2f6109d437c78da0e68416265d194f7b28bae1947c1af3285fd08f2fe151595fe1876c4f7f56a49a2276fa40226be44b1d223018dadcac644bb3769207858

Download Submit
C:\Windows\System\QFqBCAH.exe

Filesize
5.2MB

MD5
f9c105d10b305a9f854b1d6c22000633

SHA1
44a9b1a8f424b7805c0ba10bc76996ccecc2071b

SHA256
65a52fe81e9090a085d4c2fe8a0df1b87107c516048ed3364c870fc49ecde7d1

SHA512
17fc36227b18ab3d74f75b06189d6f1ab9a2be478a58ca8e168d52fe5d33e09169f8a47b8b4f9a7b8d575eae171d99055784010ad5bec96be5d15e3d2eab04b3

Download Submit
C:\Windows\System\TUtCSQV.exe

Filesize
5.2MB

MD5
6c0e4a51dc408a6ee4a7e3cf14e26565

SHA1
fcc71aad30bfa10fb09608f40129a7dcf2f4b0fb

SHA256
a7e7d25b6f79b827d8ab86d1a5401b77bdbccdb1948846d52687ceb692bc697b

SHA512
d6aca700ffe138a1db6cb228413e78b1a1044a1d09148462056ec2c7b313fea5c51e957218b573d5cc187342c4723132b64cb70f196d697f461df6498464a5e1

Download Submit
C:\Windows\System\UAvYmeg.exe

Filesize
5.2MB

MD5
dd99b8bcf03e461664c49ab9e7d9f8ef

SHA1
d6e0a6cfd3f48e8236dc27d2c9cbe6bad235ff03

SHA256
c84298b59fd7ee5015af001660303febdd46727535b21db44be0b95fbaeabf16

SHA512
d71f65d85bf4541dd49ed4c00909193cdb9664836f360f3422fb37a30dc50d9d9ab3f4702aa0a385581e4da9fc2c633993458e57130e07ef87ba5f7cc930910c

Download Submit
C:\Windows\System\VIuIoDQ.exe

Filesize
5.2MB

MD5
4a66e50c4b918e1e50d9be03656b0285

SHA1
fa52cb3d44431dec1b73d22b9620e6ea58b363fb

SHA256
1d7803d232f0040d8b8537dd06da303f23f48e5ce1d25eb55d3ed43974034ff5

SHA512
a5a204fd06123293e875970192071aacfe19a72d917b779cc2c3dc0e691a311c55d5dddbe2b876cec81a9df28d1365376208a2ae49cfef6b4ae879d6e53106ec

Download Submit
C:\Windows\System\VcjQApR.exe

Filesize
5.2MB

MD5
dac94a49e4a47f5e0cad30e21f097a37

SHA1
e243e2844363df1e2ccc39671d223888225391ef

SHA256
a3a70b71dcc2f30d0f02ead1caff52bcd4c63c01319428822a26e9e72819fca5

SHA512
0649d6592dca62b53775330e3348b4539e63a91448acd6175e986facc6e22112db5edb9c2ebe87f41e66791fa321260a4639abff3d108cf712438fa57b369d60

Download Submit
C:\Windows\System\fqYwVUI.exe

Filesize
5.2MB

MD5
2d1e5a01a186146442790ab24dabee0d

SHA1
6c530657213b2848247bfdc3fb5a862f30ada8c7

SHA256
612e25c614503f04abaf287e8db12a016db529849b22d2db139c5f2122dae49a

SHA512
ddfece9010e80f73a2cc56d4d8724d2559783e8b0ddda3f543e77223b32b1e5072d041e88a472b2e6af63f54da58ac6e37d82887cea1ee464116a3e7ffb6a85f

Download Submit
C:\Windows\System\gbPzlFW.exe

Filesize
5.2MB

MD5
31d2fa1526042b9dad5cdb4cb8b1d4d4

SHA1
3a17cb4c374c29c060b64e178bd014aa6fdecfef

SHA256
5776c3af3185227d53c695bb69d52c0bdd1669485f4b7bd196b45e8a35ac2f4c

SHA512
f27e448a770a45c744a1de3f44f2bd5a42287d0d0d2b8bdc7ee0df3aaefe0cc07bd058a88c7d7accdcaabb82e3074ecc878db01280eef5408d72c24fdb159df2

Download Submit
C:\Windows\System\jBlmNHq.exe

Filesize
5.2MB

MD5
3f630a9e602e79e7caf23315e8d70a86

SHA1
4ed7555d813d48f18a16da8afefa46e55d745372

SHA256
53628fde5007638eeb976bb003a11ddab23b1ddc28e441b1861e67c2c3364f93

SHA512
7d3d7ec74ec0c8c3fb3f75dd2769470512df4967a2bee914955cd2025967307b285aacab4c9adc50fdb2b87a96f036b87d9a4253f9ba25c3024d7bf77084ae27

Download Submit
C:\Windows\System\jFnMRkC.exe

Filesize
5.2MB

MD5
e5056527fabef0dc915d1c66a5f9e1ae

SHA1
0a79dbb792023da50177a5cf6842b63fd7e490d6

SHA256
a214b42ee858bc76ce24807e7e17f857febd4a284acf5cacf52762aa679665d4

SHA512
8e1a95373f77e41575fa3de4222dc8a21be3f8636f88aef0b205b4374ff8df757f87d8f56e478e934fe7594ebee28502640c8ea4ab51214e94f7ea123be309cd

Download Submit
C:\Windows\System\omskZvI.exe

Filesize
5.2MB

MD5
d8b8ea4062766e58610e74d0c20f3dee

SHA1
cb5e1c5388cb55f9432bd9500c1d753b9d2c4f13

SHA256
aa67079ebaceb7a85caa82156dca1ef1ed92d98e1fcd424d73396400474fadba

SHA512
e144802b7912d009c18114a2e2b399d9272fd4e221ed4bdac43ef6c21700637e3c61759e4d3e3e496beb3a90dc20898667bc12e574951de6437d5d8c9fbb3efe

Download Submit
C:\Windows\System\rpdWfCT.exe

Filesize
5.2MB

MD5
f05d31d4729c90f3e8322f19485a976c

SHA1
75356b0583e10520ebf27c307cde06dc9827b9bb

SHA256
0fc86422aaca11c91def9412e79ab3f169da238c2274b78982c27c75b86795ca

SHA512
139f2eced3dd44d9dfd4630fa211c9fc08c031db8d9d11808756ef98e4c054aac0f459d2bc7d0b99d23435681e908148a29fe7a7bfba2cd606187cd687be8ed6

Download Submit
C:\Windows\System\snfDJXJ.exe

Filesize
5.2MB

MD5
d98d261f37d372a3d958a4fa4842d961

SHA1
2348f7902d958efeddb00f08a5c1a3b222b3dd68

SHA256
aade91d02ddf6ba9cb87cef7a573fc3d7cda73078913ecdd541d08c204f6f4f5

SHA512
e0df30f025edf2a2d6e67f03853c8a6b1fcd906b40824b10c7d90bed1bbd0b86ee8553feff375096834e94cba721c28f7e46bb6167a0f5ffd8c3dcdcf52302f8

Download Submit
C:\Windows\System\sptBOyQ.exe

Filesize
5.2MB

MD5
8f363ce32548cd839e497107de8e63e3

SHA1
c3f0ff94fb0b7d550737c15a489f44ce2fdab93d

SHA256
c591ed12352f5ca9558c4e11cc8cc651b26a4df896d3377b09ddbbe41f5ece15

SHA512
0fe4546138f4c060152ce6b6259044e89fa80cbc892e4fd95bc11eab611315f125e67eddb42d31314c2991ac949285baccd1455cbe761c38d72b06fce917c71e

Download Submit
C:\Windows\System\vUVPBra.exe

Filesize
5.2MB

MD5
182302d8986c16f32b2b21b0fded84eb

SHA1
31d96782155ae2926c6856dd6ce58e0201a54ae5

SHA256
2202382a36d5b4c41e7226d59ed070e0c8f43348c32c7a62e9692aae930a2cce

SHA512
e10db9e7aceb0aa9545dc475647233e817c6b17654f30def15ebee3fe4a93d67a49493fba895fce71c1c4334245abaa20a76a926a056d60e120ccd31c807c9d7

Download Submit
C:\Windows\System\wXgvkRo.exe

Filesize
5.2MB

MD5
e86676296c9d434d1884cc4b3be350e8

SHA1
ba550ece0f30082a4f8426c38b510b94d37fd443

SHA256
f160d9114ac5144a2e12e244ff7662e559e19a37f85582da6a8cb943ab434a91

SHA512
150d105ae2b0184add895d8caf605fb6a98821700968125e19e6a8804e812b69db78a95c9877f6e9831faa83074620f3f45727a1826583ef0d5a48ae13cf4483

Download Submit
C:\Windows\System\zkmqDSI.exe

Filesize
5.2MB

MD5
7b55fa75f832cc982ec6038ccfff8687

SHA1
6fff231303e61fa6a7e8adacad1eaeddca2fa2d9

SHA256
66fcce7cfdfa519904de9a8626a30c80ee28df1ea7ee6bb41117c1e6870f4b71

SHA512
07f67cf0680add92d9e779aee5da50acde382d284772f59ca943239f3b977bc908983fa35223c905b62ccbf76c341dc4c57570db8f5c592ea71124497d7f9661

Download Submit
memory/660-26-0x00007FF7029F0000-0x00007FF702D41000-memory.dmp

Filesize
3.3MB

Download
memory/660-131-0x00007FF7029F0000-0x00007FF702D41000-memory.dmp

Filesize
3.3MB

Download
memory/660-213-0x00007FF7029F0000-0x00007FF702D41000-memory.dmp

Filesize
3.3MB

Download
memory/908-125-0x00007FF6CB000000-0x00007FF6CB351000-memory.dmp

Filesize
3.3MB

Download
memory/908-241-0x00007FF6CB000000-0x00007FF6CB351000-memory.dmp

Filesize
3.3MB

Download
memory/1044-222-0x00007FF6DE960000-0x00007FF6DECB1000-memory.dmp

Filesize
3.3MB

Download
memory/1044-134-0x00007FF6DE960000-0x00007FF6DECB1000-memory.dmp

Filesize
3.3MB

Download
memory/1044-31-0x00007FF6DE960000-0x00007FF6DECB1000-memory.dmp

Filesize
3.3MB

Download
memory/1580-133-0x00007FF64E210000-0x00007FF64E561000-memory.dmp

Filesize
3.3MB

Download
memory/1580-39-0x00007FF64E210000-0x00007FF64E561000-memory.dmp

Filesize
3.3MB

Download
memory/1580-219-0x00007FF64E210000-0x00007FF64E561000-memory.dmp

Filesize
3.3MB

Download
memory/1612-245-0x00007FF757BF0000-0x00007FF757F41000-memory.dmp

Filesize
3.3MB

Download
memory/1612-126-0x00007FF757BF0000-0x00007FF757F41000-memory.dmp

Filesize
3.3MB

Download
memory/1632-237-0x00007FF66DFF0000-0x00007FF66E341000-memory.dmp

Filesize
3.3MB

Download
memory/1632-138-0x00007FF66DFF0000-0x00007FF66E341000-memory.dmp

Filesize
3.3MB

Download
memory/1632-66-0x00007FF66DFF0000-0x00007FF66E341000-memory.dmp

Filesize
3.3MB

Download
memory/2012-149-0x00007FF696710000-0x00007FF696A61000-memory.dmp

Filesize
3.3MB

Download
memory/2012-122-0x00007FF696710000-0x00007FF696A61000-memory.dmp

Filesize
3.3MB

Download
memory/2012-256-0x00007FF696710000-0x00007FF696A61000-memory.dmp

Filesize
3.3MB

Download
memory/2068-253-0x00007FF6375B0000-0x00007FF637901000-memory.dmp

Filesize
3.3MB

Download
memory/2068-106-0x00007FF6375B0000-0x00007FF637901000-memory.dmp

Filesize
3.3MB

Download
memory/2068-145-0x00007FF6375B0000-0x00007FF637901000-memory.dmp

Filesize
3.3MB

Download
memory/2092-244-0x00007FF62C830000-0x00007FF62CB81000-memory.dmp

Filesize
3.3MB

Download
memory/2092-124-0x00007FF62C830000-0x00007FF62CB81000-memory.dmp

Filesize
3.3MB

Download
memory/2468-224-0x00007FF72EA90000-0x00007FF72EDE1000-memory.dmp

Filesize
3.3MB

Download
memory/2468-58-0x00007FF72EA90000-0x00007FF72EDE1000-memory.dmp

Filesize
3.3MB

Download
memory/2468-136-0x00007FF72EA90000-0x00007FF72EDE1000-memory.dmp

Filesize
3.3MB

Download
memory/2776-236-0x00007FF744070000-0x00007FF7443C1000-memory.dmp

Filesize
3.3MB

Download
memory/2776-123-0x00007FF744070000-0x00007FF7443C1000-memory.dmp

Filesize
3.3MB

Download
memory/3048-80-0x00007FF697210000-0x00007FF697561000-memory.dmp

Filesize
3.3MB

Download
memory/3048-140-0x00007FF697210000-0x00007FF697561000-memory.dmp

Filesize
3.3MB

Download
memory/3048-234-0x00007FF697210000-0x00007FF697561000-memory.dmp

Filesize
3.3MB

Download
memory/3096-251-0x00007FF725680000-0x00007FF7259D1000-memory.dmp

Filesize
3.3MB

Download
memory/3096-144-0x00007FF725680000-0x00007FF7259D1000-memory.dmp

Filesize
3.3MB

Download
memory/3096-99-0x00007FF725680000-0x00007FF7259D1000-memory.dmp

Filesize
3.3MB

Download
memory/3176-128-0x00007FF727D80000-0x00007FF7280D1000-memory.dmp

Filesize
3.3MB

Download
memory/3176-150-0x00007FF727D80000-0x00007FF7280D1000-memory.dmp

Filesize
3.3MB

Download
memory/3176-0-0x00007FF727D80000-0x00007FF7280D1000-memory.dmp

Filesize
3.3MB

Download
memory/3176-1-0x000001AC48650000-0x000001AC48660000-memory.dmp

Filesize
64KB

Download
memory/3980-249-0x00007FF6AAA10000-0x00007FF6AAD61000-memory.dmp

Filesize
3.3MB

Download
memory/3980-127-0x00007FF6AAA10000-0x00007FF6AAD61000-memory.dmp

Filesize
3.3MB

Download
memory/4640-30-0x00007FF7DBE60000-0x00007FF7DC1B1000-memory.dmp

Filesize
3.3MB

Download
memory/4640-217-0x00007FF7DBE60000-0x00007FF7DC1B1000-memory.dmp

Filesize
3.3MB

Download
memory/4640-132-0x00007FF7DBE60000-0x00007FF7DC1B1000-memory.dmp

Filesize
3.3MB

Download
memory/4836-225-0x00007FF7AEEB0000-0x00007FF7AF201000-memory.dmp

Filesize
3.3MB

Download
memory/4836-49-0x00007FF7AEEB0000-0x00007FF7AF201000-memory.dmp

Filesize
3.3MB

Download
memory/4836-135-0x00007FF7AEEB0000-0x00007FF7AF201000-memory.dmp

Filesize
3.3MB

Download
memory/4904-211-0x00007FF6CFE60000-0x00007FF6D01B1000-memory.dmp

Filesize
3.3MB

Download
memory/4904-7-0x00007FF6CFE60000-0x00007FF6D01B1000-memory.dmp

Filesize
3.3MB

Download
memory/4904-129-0x00007FF6CFE60000-0x00007FF6D01B1000-memory.dmp

Filesize
3.3MB

Download
memory/4924-98-0x00007FF6C4E20000-0x00007FF6C5171000-memory.dmp

Filesize
3.3MB

Download
memory/4924-142-0x00007FF6C4E20000-0x00007FF6C5171000-memory.dmp

Filesize
3.3MB

Download
memory/4924-240-0x00007FF6C4E20000-0x00007FF6C5171000-memory.dmp

Filesize
3.3MB

Download
memory/4984-257-0x00007FF7D28B0000-0x00007FF7D2C01000-memory.dmp

Filesize
3.3MB

Download
memory/4984-147-0x00007FF7D28B0000-0x00007FF7D2C01000-memory.dmp

Filesize
3.3MB

Download
memory/4984-119-0x00007FF7D28B0000-0x00007FF7D2C01000-memory.dmp

Filesize
3.3MB

Download
memory/5012-116-0x00007FF6BA100000-0x00007FF6BA451000-memory.dmp

Filesize
3.3MB

Download
memory/5012-247-0x00007FF6BA100000-0x00007FF6BA451000-memory.dmp

Filesize
3.3MB

Download
memory/5012-146-0x00007FF6BA100000-0x00007FF6BA451000-memory.dmp

Filesize
3.3MB

Download
memory/5048-14-0x00007FF798870000-0x00007FF798BC1000-memory.dmp

Filesize
3.3MB

Download
memory/5048-130-0x00007FF798870000-0x00007FF798BC1000-memory.dmp

Filesize
3.3MB

Download
memory/5048-215-0x00007FF798870000-0x00007FF798BC1000-memory.dmp

Filesize
3.3MB

Download