cobaltstrike | 4b607402f1d0e60ac61197c7c7f8d5f147abfe047ffcb2097d6c2a1931759f21

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-12-2024 12:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-17_ea2aa2cec88fd2ca25dc41cc026ab413_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

ea2aa2cec88fd2ca25dc41cc026ab413
SHA1

dc1e6c4d1b102df1d692f5cc095f04d73d2deba7
SHA256

4b607402f1d0e60ac61197c7c7f8d5f147abfe047ffcb2097d6c2a1931759f21
SHA512

19b127eff1e265d35a1264c198876d57446fd96e8ad06434f6160700ab27f6d83d403707c0a57ef8ba91836ecf8536d64014cd9ac541703da2b648d4e2beeb0e
SSDEEP

49152:ROdWCCi7/raN56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lh:RWWBib+56utgpPFotBER/mQ32lUF

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0032000000023b84-5.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8a-26.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8b-31.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8c-32.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8d-39.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8f-48.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b90-52.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b91-61.dat	cobalt_reflective_dll
behavioral2/files/0x0032000000023b85-72.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b93-80.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b95-92.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b94-90.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b92-77.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8e-50.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b89-22.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b88-19.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b96-100.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b97-106.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b98-121.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9b-123.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9a-124.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 46 IoCs

miner

resource	yara_rule
behavioral2/memory/3712-8-0x00007FF6964F0000-0x00007FF696841000-memory.dmp	xmrig
behavioral2/memory/2020-88-0x00007FF6CDE10000-0x00007FF6CE161000-memory.dmp	xmrig
behavioral2/memory/2324-94-0x00007FF6DD890000-0x00007FF6DDBE1000-memory.dmp	xmrig
behavioral2/memory/100-97-0x00007FF7B9900000-0x00007FF7B9C51000-memory.dmp	xmrig
behavioral2/memory/208-96-0x00007FF7AC710000-0x00007FF7ACA61000-memory.dmp	xmrig
behavioral2/memory/4232-95-0x00007FF63F390000-0x00007FF63F6E1000-memory.dmp	xmrig
behavioral2/memory/1008-89-0x00007FF69B0E0000-0x00007FF69B431000-memory.dmp	xmrig
behavioral2/memory/4384-82-0x00007FF754F00000-0x00007FF755251000-memory.dmp	xmrig
behavioral2/memory/3872-65-0x00007FF635060000-0x00007FF6353B1000-memory.dmp	xmrig
behavioral2/memory/4760-37-0x00007FF671070000-0x00007FF6713C1000-memory.dmp	xmrig
behavioral2/memory/2360-108-0x00007FF71BF00000-0x00007FF71C251000-memory.dmp	xmrig
behavioral2/memory/3088-127-0x00007FF7017F0000-0x00007FF701B41000-memory.dmp	xmrig
behavioral2/memory/3788-126-0x00007FF69D0D0000-0x00007FF69D421000-memory.dmp	xmrig
behavioral2/memory/3568-111-0x00007FF71E1E0000-0x00007FF71E531000-memory.dmp	xmrig
behavioral2/memory/1248-140-0x00007FF7F9A50000-0x00007FF7F9DA1000-memory.dmp	xmrig
behavioral2/memory/2848-143-0x00007FF677750000-0x00007FF677AA1000-memory.dmp	xmrig
behavioral2/memory/4760-149-0x00007FF671070000-0x00007FF6713C1000-memory.dmp	xmrig
behavioral2/memory/220-144-0x00007FF752A90000-0x00007FF752DE1000-memory.dmp	xmrig
behavioral2/memory/2360-131-0x00007FF71BF00000-0x00007FF71C251000-memory.dmp	xmrig
behavioral2/memory/2552-150-0x00007FF6EEF50000-0x00007FF6EF2A1000-memory.dmp	xmrig
behavioral2/memory/2980-151-0x00007FF6946D0000-0x00007FF694A21000-memory.dmp	xmrig
behavioral2/memory/4776-152-0x00007FF61B040000-0x00007FF61B391000-memory.dmp	xmrig
behavioral2/memory/1072-158-0x00007FF75DC30000-0x00007FF75DF81000-memory.dmp	xmrig
behavioral2/memory/2100-157-0x00007FF7F6C70000-0x00007FF7F6FC1000-memory.dmp	xmrig
behavioral2/memory/2360-159-0x00007FF71BF00000-0x00007FF71C251000-memory.dmp	xmrig
behavioral2/memory/3712-214-0x00007FF6964F0000-0x00007FF696841000-memory.dmp	xmrig
behavioral2/memory/3568-216-0x00007FF71E1E0000-0x00007FF71E531000-memory.dmp	xmrig
behavioral2/memory/3788-218-0x00007FF69D0D0000-0x00007FF69D421000-memory.dmp	xmrig
behavioral2/memory/3088-220-0x00007FF7017F0000-0x00007FF701B41000-memory.dmp	xmrig
behavioral2/memory/4760-222-0x00007FF671070000-0x00007FF6713C1000-memory.dmp	xmrig
behavioral2/memory/4384-224-0x00007FF754F00000-0x00007FF755251000-memory.dmp	xmrig
behavioral2/memory/2020-233-0x00007FF6CDE10000-0x00007FF6CE161000-memory.dmp	xmrig
behavioral2/memory/3872-236-0x00007FF635060000-0x00007FF6353B1000-memory.dmp	xmrig
behavioral2/memory/1248-237-0x00007FF7F9A50000-0x00007FF7F9DA1000-memory.dmp	xmrig
behavioral2/memory/1008-241-0x00007FF69B0E0000-0x00007FF69B431000-memory.dmp	xmrig
behavioral2/memory/2848-242-0x00007FF677750000-0x00007FF677AA1000-memory.dmp	xmrig
behavioral2/memory/220-243-0x00007FF752A90000-0x00007FF752DE1000-memory.dmp	xmrig
behavioral2/memory/2324-247-0x00007FF6DD890000-0x00007FF6DDBE1000-memory.dmp	xmrig
behavioral2/memory/208-246-0x00007FF7AC710000-0x00007FF7ACA61000-memory.dmp	xmrig
behavioral2/memory/100-251-0x00007FF7B9900000-0x00007FF7B9C51000-memory.dmp	xmrig
behavioral2/memory/4232-250-0x00007FF63F390000-0x00007FF63F6E1000-memory.dmp	xmrig
behavioral2/memory/2552-258-0x00007FF6EEF50000-0x00007FF6EF2A1000-memory.dmp	xmrig
behavioral2/memory/2980-260-0x00007FF6946D0000-0x00007FF694A21000-memory.dmp	xmrig
behavioral2/memory/4776-263-0x00007FF61B040000-0x00007FF61B391000-memory.dmp	xmrig
behavioral2/memory/1072-265-0x00007FF75DC30000-0x00007FF75DF81000-memory.dmp	xmrig
behavioral2/memory/2100-267-0x00007FF7F6C70000-0x00007FF7F6FC1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
3712	BqzWjFC.exe
3568	UDceXKK.exe
3788	pEtTtNN.exe
3088	YTeVacE.exe
4760	cAMfgfF.exe
4384	wlXGMfh.exe
2020	PQkbLQq.exe
1248	UmJeGph.exe
3872	EVuUmxF.exe
1008	Qpzusyv.exe
2848	PuWxCBv.exe
220	Rtulrdt.exe
2324	zdZealL.exe
208	aEPSGaq.exe
100	NmqogIZ.exe
4232	CSbqiQb.exe
2552	mMikhKh.exe
2980	ggeoHIa.exe
4776	IXZBaCk.exe
1072	fvZkZDM.exe
2100	UXUNoKB.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2360-0-0x00007FF71BF00000-0x00007FF71C251000-memory.dmp	upx
behavioral2/files/0x0032000000023b84-5.dat	upx
behavioral2/memory/3712-8-0x00007FF6964F0000-0x00007FF696841000-memory.dmp	upx
behavioral2/memory/3788-16-0x00007FF69D0D0000-0x00007FF69D421000-memory.dmp	upx
behavioral2/files/0x000a000000023b8a-26.dat	upx
behavioral2/files/0x000a000000023b8b-31.dat	upx
behavioral2/files/0x000a000000023b8c-32.dat	upx
behavioral2/files/0x000a000000023b8d-39.dat	upx
behavioral2/files/0x000a000000023b8f-48.dat	upx
behavioral2/files/0x000a000000023b90-52.dat	upx
behavioral2/files/0x000a000000023b91-61.dat	upx
behavioral2/files/0x0032000000023b85-72.dat	upx
behavioral2/files/0x000a000000023b93-80.dat	upx
behavioral2/memory/2020-88-0x00007FF6CDE10000-0x00007FF6CE161000-memory.dmp	upx
behavioral2/memory/2324-94-0x00007FF6DD890000-0x00007FF6DDBE1000-memory.dmp	upx
behavioral2/memory/100-97-0x00007FF7B9900000-0x00007FF7B9C51000-memory.dmp	upx
behavioral2/memory/208-96-0x00007FF7AC710000-0x00007FF7ACA61000-memory.dmp	upx
behavioral2/memory/4232-95-0x00007FF63F390000-0x00007FF63F6E1000-memory.dmp	upx
behavioral2/files/0x000a000000023b95-92.dat	upx
behavioral2/files/0x000a000000023b94-90.dat	upx
behavioral2/memory/1008-89-0x00007FF69B0E0000-0x00007FF69B431000-memory.dmp	upx
behavioral2/memory/4384-82-0x00007FF754F00000-0x00007FF755251000-memory.dmp	upx
behavioral2/files/0x000a000000023b92-77.dat	upx
behavioral2/memory/220-75-0x00007FF752A90000-0x00007FF752DE1000-memory.dmp	upx
behavioral2/memory/2848-69-0x00007FF677750000-0x00007FF677AA1000-memory.dmp	upx
behavioral2/memory/3872-65-0x00007FF635060000-0x00007FF6353B1000-memory.dmp	upx
behavioral2/memory/1248-57-0x00007FF7F9A50000-0x00007FF7F9DA1000-memory.dmp	upx
behavioral2/files/0x000a000000023b8e-50.dat	upx
behavioral2/memory/4760-37-0x00007FF671070000-0x00007FF6713C1000-memory.dmp	upx
behavioral2/memory/3088-29-0x00007FF7017F0000-0x00007FF701B41000-memory.dmp	upx
behavioral2/files/0x000a000000023b89-22.dat	upx
behavioral2/files/0x000a000000023b88-19.dat	upx
behavioral2/memory/3568-15-0x00007FF71E1E0000-0x00007FF71E531000-memory.dmp	upx
behavioral2/files/0x000a000000023b96-100.dat	upx
behavioral2/files/0x000a000000023b97-106.dat	upx
behavioral2/memory/2360-108-0x00007FF71BF00000-0x00007FF71C251000-memory.dmp	upx
behavioral2/memory/2980-116-0x00007FF6946D0000-0x00007FF694A21000-memory.dmp	upx
behavioral2/files/0x000a000000023b98-121.dat	upx
behavioral2/files/0x000a000000023b9b-123.dat	upx
behavioral2/memory/4776-119-0x00007FF61B040000-0x00007FF61B391000-memory.dmp	upx
behavioral2/memory/1072-125-0x00007FF75DC30000-0x00007FF75DF81000-memory.dmp	upx
behavioral2/memory/3088-127-0x00007FF7017F0000-0x00007FF701B41000-memory.dmp	upx
behavioral2/memory/2100-128-0x00007FF7F6C70000-0x00007FF7F6FC1000-memory.dmp	upx
behavioral2/memory/3788-126-0x00007FF69D0D0000-0x00007FF69D421000-memory.dmp	upx
behavioral2/files/0x000a000000023b9a-124.dat	upx
behavioral2/memory/3568-111-0x00007FF71E1E0000-0x00007FF71E531000-memory.dmp	upx
behavioral2/memory/2552-102-0x00007FF6EEF50000-0x00007FF6EF2A1000-memory.dmp	upx
behavioral2/memory/1248-140-0x00007FF7F9A50000-0x00007FF7F9DA1000-memory.dmp	upx
behavioral2/memory/2848-143-0x00007FF677750000-0x00007FF677AA1000-memory.dmp	upx
behavioral2/memory/4760-149-0x00007FF671070000-0x00007FF6713C1000-memory.dmp	upx
behavioral2/memory/220-144-0x00007FF752A90000-0x00007FF752DE1000-memory.dmp	upx
behavioral2/memory/2360-131-0x00007FF71BF00000-0x00007FF71C251000-memory.dmp	upx
behavioral2/memory/2552-150-0x00007FF6EEF50000-0x00007FF6EF2A1000-memory.dmp	upx
behavioral2/memory/2980-151-0x00007FF6946D0000-0x00007FF694A21000-memory.dmp	upx
behavioral2/memory/4776-152-0x00007FF61B040000-0x00007FF61B391000-memory.dmp	upx
behavioral2/memory/1072-158-0x00007FF75DC30000-0x00007FF75DF81000-memory.dmp	upx
behavioral2/memory/2100-157-0x00007FF7F6C70000-0x00007FF7F6FC1000-memory.dmp	upx
behavioral2/memory/2360-159-0x00007FF71BF00000-0x00007FF71C251000-memory.dmp	upx
behavioral2/memory/3712-214-0x00007FF6964F0000-0x00007FF696841000-memory.dmp	upx
behavioral2/memory/3568-216-0x00007FF71E1E0000-0x00007FF71E531000-memory.dmp	upx
behavioral2/memory/3788-218-0x00007FF69D0D0000-0x00007FF69D421000-memory.dmp	upx
behavioral2/memory/3088-220-0x00007FF7017F0000-0x00007FF701B41000-memory.dmp	upx
behavioral2/memory/4760-222-0x00007FF671070000-0x00007FF6713C1000-memory.dmp	upx
behavioral2/memory/4384-224-0x00007FF754F00000-0x00007FF755251000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\Qpzusyv.exe	2024-12-17_ea2aa2cec88fd2ca25dc41cc026ab413_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mMikhKh.exe	2024-12-17_ea2aa2cec88fd2ca25dc41cc026ab413_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fvZkZDM.exe	2024-12-17_ea2aa2cec88fd2ca25dc41cc026ab413_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zdZealL.exe	2024-12-17_ea2aa2cec88fd2ca25dc41cc026ab413_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aEPSGaq.exe	2024-12-17_ea2aa2cec88fd2ca25dc41cc026ab413_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BqzWjFC.exe	2024-12-17_ea2aa2cec88fd2ca25dc41cc026ab413_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cAMfgfF.exe	2024-12-17_ea2aa2cec88fd2ca25dc41cc026ab413_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wlXGMfh.exe	2024-12-17_ea2aa2cec88fd2ca25dc41cc026ab413_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UmJeGph.exe	2024-12-17_ea2aa2cec88fd2ca25dc41cc026ab413_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EVuUmxF.exe	2024-12-17_ea2aa2cec88fd2ca25dc41cc026ab413_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PuWxCBv.exe	2024-12-17_ea2aa2cec88fd2ca25dc41cc026ab413_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NmqogIZ.exe	2024-12-17_ea2aa2cec88fd2ca25dc41cc026ab413_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IXZBaCk.exe	2024-12-17_ea2aa2cec88fd2ca25dc41cc026ab413_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UDceXKK.exe	2024-12-17_ea2aa2cec88fd2ca25dc41cc026ab413_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YTeVacE.exe	2024-12-17_ea2aa2cec88fd2ca25dc41cc026ab413_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PQkbLQq.exe	2024-12-17_ea2aa2cec88fd2ca25dc41cc026ab413_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CSbqiQb.exe	2024-12-17_ea2aa2cec88fd2ca25dc41cc026ab413_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pEtTtNN.exe	2024-12-17_ea2aa2cec88fd2ca25dc41cc026ab413_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\Rtulrdt.exe	2024-12-17_ea2aa2cec88fd2ca25dc41cc026ab413_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ggeoHIa.exe	2024-12-17_ea2aa2cec88fd2ca25dc41cc026ab413_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UXUNoKB.exe	2024-12-17_ea2aa2cec88fd2ca25dc41cc026ab413_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2360	2024-12-17_ea2aa2cec88fd2ca25dc41cc026ab413_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2360	2024-12-17_ea2aa2cec88fd2ca25dc41cc026ab413_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 3712	2360	2024-12-17_ea2aa2cec88fd2ca25dc41cc026ab413_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2360 wrote to memory of 3712	2360	2024-12-17_ea2aa2cec88fd2ca25dc41cc026ab413_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2360 wrote to memory of 3568	2360	2024-12-17_ea2aa2cec88fd2ca25dc41cc026ab413_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2360 wrote to memory of 3568	2360	2024-12-17_ea2aa2cec88fd2ca25dc41cc026ab413_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2360 wrote to memory of 3788	2360	2024-12-17_ea2aa2cec88fd2ca25dc41cc026ab413_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2360 wrote to memory of 3788	2360	2024-12-17_ea2aa2cec88fd2ca25dc41cc026ab413_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2360 wrote to memory of 3088	2360	2024-12-17_ea2aa2cec88fd2ca25dc41cc026ab413_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2360 wrote to memory of 3088	2360	2024-12-17_ea2aa2cec88fd2ca25dc41cc026ab413_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2360 wrote to memory of 4760	2360	2024-12-17_ea2aa2cec88fd2ca25dc41cc026ab413_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2360 wrote to memory of 4760	2360	2024-12-17_ea2aa2cec88fd2ca25dc41cc026ab413_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2360 wrote to memory of 4384	2360	2024-12-17_ea2aa2cec88fd2ca25dc41cc026ab413_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2360 wrote to memory of 4384	2360	2024-12-17_ea2aa2cec88fd2ca25dc41cc026ab413_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2360 wrote to memory of 2020	2360	2024-12-17_ea2aa2cec88fd2ca25dc41cc026ab413_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2360 wrote to memory of 2020	2360	2024-12-17_ea2aa2cec88fd2ca25dc41cc026ab413_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2360 wrote to memory of 1248	2360	2024-12-17_ea2aa2cec88fd2ca25dc41cc026ab413_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2360 wrote to memory of 1248	2360	2024-12-17_ea2aa2cec88fd2ca25dc41cc026ab413_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2360 wrote to memory of 3872	2360	2024-12-17_ea2aa2cec88fd2ca25dc41cc026ab413_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2360 wrote to memory of 3872	2360	2024-12-17_ea2aa2cec88fd2ca25dc41cc026ab413_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2360 wrote to memory of 1008	2360	2024-12-17_ea2aa2cec88fd2ca25dc41cc026ab413_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2360 wrote to memory of 1008	2360	2024-12-17_ea2aa2cec88fd2ca25dc41cc026ab413_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2360 wrote to memory of 2848	2360	2024-12-17_ea2aa2cec88fd2ca25dc41cc026ab413_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2360 wrote to memory of 2848	2360	2024-12-17_ea2aa2cec88fd2ca25dc41cc026ab413_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2360 wrote to memory of 220	2360	2024-12-17_ea2aa2cec88fd2ca25dc41cc026ab413_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2360 wrote to memory of 220	2360	2024-12-17_ea2aa2cec88fd2ca25dc41cc026ab413_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2360 wrote to memory of 2324	2360	2024-12-17_ea2aa2cec88fd2ca25dc41cc026ab413_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2360 wrote to memory of 2324	2360	2024-12-17_ea2aa2cec88fd2ca25dc41cc026ab413_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2360 wrote to memory of 208	2360	2024-12-17_ea2aa2cec88fd2ca25dc41cc026ab413_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2360 wrote to memory of 208	2360	2024-12-17_ea2aa2cec88fd2ca25dc41cc026ab413_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2360 wrote to memory of 100	2360	2024-12-17_ea2aa2cec88fd2ca25dc41cc026ab413_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2360 wrote to memory of 100	2360	2024-12-17_ea2aa2cec88fd2ca25dc41cc026ab413_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2360 wrote to memory of 4232	2360	2024-12-17_ea2aa2cec88fd2ca25dc41cc026ab413_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2360 wrote to memory of 4232	2360	2024-12-17_ea2aa2cec88fd2ca25dc41cc026ab413_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2360 wrote to memory of 2552	2360	2024-12-17_ea2aa2cec88fd2ca25dc41cc026ab413_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2360 wrote to memory of 2552	2360	2024-12-17_ea2aa2cec88fd2ca25dc41cc026ab413_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2360 wrote to memory of 2980	2360	2024-12-17_ea2aa2cec88fd2ca25dc41cc026ab413_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2360 wrote to memory of 2980	2360	2024-12-17_ea2aa2cec88fd2ca25dc41cc026ab413_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2360 wrote to memory of 4776	2360	2024-12-17_ea2aa2cec88fd2ca25dc41cc026ab413_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2360 wrote to memory of 4776	2360	2024-12-17_ea2aa2cec88fd2ca25dc41cc026ab413_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2360 wrote to memory of 1072	2360	2024-12-17_ea2aa2cec88fd2ca25dc41cc026ab413_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2360 wrote to memory of 1072	2360	2024-12-17_ea2aa2cec88fd2ca25dc41cc026ab413_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2360 wrote to memory of 2100	2360	2024-12-17_ea2aa2cec88fd2ca25dc41cc026ab413_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 2360 wrote to memory of 2100	2360	2024-12-17_ea2aa2cec88fd2ca25dc41cc026ab413_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-12-17_ea2aa2cec88fd2ca25dc41cc026ab413_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-17_ea2aa2cec88fd2ca25dc41cc026ab413_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Windows\System\BqzWjFC.exe
  C:\Windows\System\BqzWjFC.exe
  2⤵
  - Executes dropped EXE
  PID:3712
- C:\Windows\System\UDceXKK.exe
  C:\Windows\System\UDceXKK.exe
  2⤵
  - Executes dropped EXE
  PID:3568
- C:\Windows\System\pEtTtNN.exe
  C:\Windows\System\pEtTtNN.exe
  2⤵
  - Executes dropped EXE
  PID:3788
- C:\Windows\System\YTeVacE.exe
  C:\Windows\System\YTeVacE.exe
  2⤵
  - Executes dropped EXE
  PID:3088
- C:\Windows\System\cAMfgfF.exe
  C:\Windows\System\cAMfgfF.exe
  2⤵
  - Executes dropped EXE
  PID:4760
- C:\Windows\System\wlXGMfh.exe
  C:\Windows\System\wlXGMfh.exe
  2⤵
  - Executes dropped EXE
  PID:4384
- C:\Windows\System\PQkbLQq.exe
  C:\Windows\System\PQkbLQq.exe
  2⤵
  - Executes dropped EXE
  PID:2020
- C:\Windows\System\UmJeGph.exe
  C:\Windows\System\UmJeGph.exe
  2⤵
  - Executes dropped EXE
  PID:1248
- C:\Windows\System\EVuUmxF.exe
  C:\Windows\System\EVuUmxF.exe
  2⤵
  - Executes dropped EXE
  PID:3872
- C:\Windows\System\Qpzusyv.exe
  C:\Windows\System\Qpzusyv.exe
  2⤵
  - Executes dropped EXE
  PID:1008
- C:\Windows\System\PuWxCBv.exe
  C:\Windows\System\PuWxCBv.exe
  2⤵
  - Executes dropped EXE
  PID:2848
- C:\Windows\System\Rtulrdt.exe
  C:\Windows\System\Rtulrdt.exe
  2⤵
  - Executes dropped EXE
  PID:220
- C:\Windows\System\zdZealL.exe
  C:\Windows\System\zdZealL.exe
  2⤵
  - Executes dropped EXE
  PID:2324
- C:\Windows\System\aEPSGaq.exe
  C:\Windows\System\aEPSGaq.exe
  2⤵
  - Executes dropped EXE
  PID:208
- C:\Windows\System\NmqogIZ.exe
  C:\Windows\System\NmqogIZ.exe
  2⤵
  - Executes dropped EXE
  PID:100
- C:\Windows\System\CSbqiQb.exe
  C:\Windows\System\CSbqiQb.exe
  2⤵
  - Executes dropped EXE
  PID:4232
- C:\Windows\System\mMikhKh.exe
  C:\Windows\System\mMikhKh.exe
  2⤵
  - Executes dropped EXE
  PID:2552
- C:\Windows\System\ggeoHIa.exe
  C:\Windows\System\ggeoHIa.exe
  2⤵
  - Executes dropped EXE
  PID:2980
- C:\Windows\System\IXZBaCk.exe
  C:\Windows\System\IXZBaCk.exe
  2⤵
  - Executes dropped EXE
  PID:4776
- C:\Windows\System\fvZkZDM.exe
  C:\Windows\System\fvZkZDM.exe
  2⤵
  - Executes dropped EXE
  PID:1072
- C:\Windows\System\UXUNoKB.exe
  C:\Windows\System\UXUNoKB.exe
  2⤵
  - Executes dropped EXE
  PID:2100

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BqzWjFC.exe

Filesize
5.2MB

MD5
8d1eb5d314c26076d8097a7974251e58

SHA1
c19abee1438ff786d4d5e45e864c805c47e822d4

SHA256
82719642a10577abafa92de7ce0b2c2eaa20b9541ff07edd1a504ee5dc11a4a9

SHA512
464218b7e0fa448ec386e9974182d305dc08ad3d80bef1e7a425d6bc553d3c6d108a26f34f4c01df27c7bc8fe1ef34309f3a5704d7b7ac81eec63577065c9a88

Download Submit
C:\Windows\System\CSbqiQb.exe

Filesize
5.2MB

MD5
cd08cc0515cefc39c1dce4e38455e720

SHA1
2f5d97c28ce497d752ff7179c2ac68e2b60fdfac

SHA256
f4ca5a7297d24cb4c16c74d1065d32dc91a8a3617fcf315d5bf5482e39e807a7

SHA512
6d9908018378d62cb63bcf079f3ee811262def81d6c457626bf508633ea062ede0daac985ab20dca1c53220e1c100b9b73909d6b07d2868e54e5d951d50c4d1f

Download Submit
C:\Windows\System\EVuUmxF.exe

Filesize
5.2MB

MD5
9d1b2a74864f1d5223dacb757f5ef674

SHA1
2ffff910e8a900cef999585fc116652722eb2a56

SHA256
7424e2684e51879f9422f317617cdb5f5e36c410707181715bec70f3eb76ca9d

SHA512
9d8681ad9f1ae57eae19bb703277654f77f6086e8f8c093464801cd7f01a810f3bd8e5b252013e48593b93069eab203a37bada7e276e31d2ec531405803ad078

Download Submit
C:\Windows\System\IXZBaCk.exe

Filesize
5.2MB

MD5
c362d34e136deb9b0cd1ef22c650880d

SHA1
3f1db2eef615aafd609a7decd549fd1d1d9f122c

SHA256
015be3fce8da1a17ebefac25f6cd03552382b41edf74e8f290f458a118dedd1f

SHA512
03eb5aab2a666208d13d5ecd8040d7d1c918ae11c9ef4297f21414d1798776e62ccba10a1859129ca1e7d290810faab64130bc48451c10df70b92d5c0f0ef7e4

Download Submit
C:\Windows\System\NmqogIZ.exe

Filesize
5.2MB

MD5
e6d287b503679686eed0187bc703f229

SHA1
7dfca8f96572bda8a2fbf5ba6e4da9cef9dc7419

SHA256
9e6e67aa3dc283da553cdcc2b8525b40bdbcc8d275ec88e9d525cb642a944b40

SHA512
204414a248749bf33f4db46c1c110fe92891669191e4f96fbf44b82e851e7e37994fb99b0b01b6c49fdaf6185743c54651fa875606a0829977f4acde28fbb3d0

Download Submit
C:\Windows\System\PQkbLQq.exe

Filesize
5.2MB

MD5
1b23a4149fae7ad0d65d3e6d54a3be13

SHA1
e222c3b3f2a195397b9bceed6de1ca630da3381c

SHA256
e7c5ea04ba077c21867a073f0d7d04e7cd0dee29444c9e8987423991c42441cf

SHA512
b1e601cbc329458a6dfab961d38c02ce56940ffb24a6722233b270b6a85fe3140f5cd8256f113699a1386b34a8295e6aa281dd9baa8fde275417fd939e0daef6

Download Submit
C:\Windows\System\PuWxCBv.exe

Filesize
5.2MB

MD5
19af049cb0bea7859c718eb772d85942

SHA1
235ac39b2e3617f49333c0e63e263cba656b31c9

SHA256
d32122bfe0cca16972e1cfc661a6b27c3470f7416a7a37569d752789e6f50225

SHA512
66fd130b191ad9cfb1e0651d139cf21b4f62cc6995d02eaee735315adefdd28ddb9250b5680f46f141fe3f32fafd7c153b241d49de709de3ac74c109577d5eea

Download Submit
C:\Windows\System\Qpzusyv.exe

Filesize
5.2MB

MD5
dfec9b46e5466a843a6ff77d944303c8

SHA1
17b04b89c6be7f60d1440758e028ae3d9ee2d847

SHA256
98c5f775a593ede7ffab6ad29cf29805aeb2536b60e6394ee09ac87a0164514d

SHA512
df34ceff0b2274a550df0ecb271fd09cf23013846082344e887e4ea4d2f565dc3e5ee205e3c48c301da22a285238b668d6853bb80ba860be452679c3208c2c1a

Download Submit
C:\Windows\System\Rtulrdt.exe

Filesize
5.2MB

MD5
5327f039abec22260a9341bac13139c8

SHA1
697bb83c7eead5a761cb57277c424ea278b71bc6

SHA256
860508b0fc683f01f8adc3be89ac17646150ff5617d9c9c4d051e64f297f5554

SHA512
37a51f941939395782ef56c7d4b1af91d2d6c06a19a2adf058a2a1ee4216baa13bcb84da994618c628bb79b4785df69d56e1fc6cff73f7a1910e31a0a2962a6b

Download Submit
C:\Windows\System\UDceXKK.exe

Filesize
5.2MB

MD5
4dd7d2a46e68dfb8703d85796bffbf3b

SHA1
a9998ec61db2c6eda3cdc84a3a2ceda6290ff9de

SHA256
18b0e16ea17f2fc420a9e4bfefd301203bf74bfa205f1c2fe006e2a4c007326e

SHA512
946a55851aa37b141f9ca787537e653d1bd846e3ad9668ab503b459d8b8c871e73865353a5b2272a5b97bc6b55ad5eabed3f107e6133ee271a4ccac4bc15c08f

Download Submit
C:\Windows\System\UXUNoKB.exe

Filesize
5.2MB

MD5
c09d3cd2d0157cb396b6cb627bcef775

SHA1
5e2b511246bfe30fc8307f2a7bd972d2a3c269c6

SHA256
14ae95cc12302d9228fa700de9811960c6731badc17c717654c239f329055cb8

SHA512
050eeea6461a24cbab67f7b1a5e83cd822c89cf71b40a586714b2339347cadb6ace61acb26be5d5f9c2cfdf0d9f9f29457d317f5c68437a4cfadcfc78758bb8a

Download Submit
C:\Windows\System\UmJeGph.exe

Filesize
5.2MB

MD5
c8a4d5fae7ea30c8d7c8d1a61f737950

SHA1
901583f964548bc886aaddd2e599714213c6d8f7

SHA256
42296fbb36cfb161114555fc33b8b4b3a7766044ad40ba4393ff0ff5e6f4f63b

SHA512
f56b0fb3fd949c87f30bb7b415d22b81c972ec6b4b97199a512a16070f2407ddec9903b76d45ee717c1b3f7d38816d836186f98173c94573090f08a6606e0f56

Download Submit
C:\Windows\System\YTeVacE.exe

Filesize
5.2MB

MD5
de0348984f3470393f4efa6d36a1b01d

SHA1
a435923771d85a3b8e7720cb0e30717969ff2454

SHA256
d9269c5ffbdfae66ecfc17547d343d137a2e612df1b3226460f166a2e01a7530

SHA512
0feb1f66ed90a67d10a7df2423ed09b9223420989705496f35540c943b3516f5ccc84d17697a161fc3db5419a830433fbba1897f1bde02d5b56e2661e9e8ea37

Download Submit
C:\Windows\System\aEPSGaq.exe

Filesize
5.2MB

MD5
8e3d5f3e666291f29d1298f2f68df7d6

SHA1
10fcb6127ad87a7fbf37fa85aa1e9e527475da5f

SHA256
a4b69808f49f42efa17b50facbf65ef08ecdb5b7f738b285d55b547cd0443f29

SHA512
7de2ac65349f28f7729c2b115ea1d4257783d7b32e69d8fb99fdd4556af211ba45a889d421e0b0751086a9a7881aec2f2afb291f0c4b3a76c2d3406e98ba0993

Download Submit
C:\Windows\System\cAMfgfF.exe

Filesize
5.2MB

MD5
0c0da46798d714dcf74274fdf1c268b7

SHA1
a8eb4d032323b18c3a38503b2775c32c7be15ae2

SHA256
5814ba84aa5db223f7c86f6ca6313a59cb473b522580d9a155715f541089eac1

SHA512
f6dfdf896743135118e9f2308ce048d0879f6025dabe0e4c57c26b79140b676fcf2488d3090a85aa1645cd2251d8df957602cc49cab16ad8460f49dc4eddf980

Download Submit
C:\Windows\System\fvZkZDM.exe

Filesize
5.2MB

MD5
a30379ecf0451ea52986f27f6fb97c52

SHA1
cbcc3bbcb8f32dce815bee64601f883c4c3647b0

SHA256
c27923494df3b9b2e942478da4e801098705b20ffb8397c0162cd95b5970c48d

SHA512
5adc82a3c251f6b231e869150fafde9a4b18d45c7b67e5674d85e9b2e3cacc478fb6d7af6f2cda065b3db0306e33c194dd0f345a52a5e4fde2df0f76f5c1e354

Download Submit
C:\Windows\System\ggeoHIa.exe

Filesize
5.2MB

MD5
c6df405b2e604792364d24355e0de205

SHA1
771b2f2dba970af760693d6d28d963313873dba7

SHA256
53e51e84fecdbd83df06f86b150e1dc33cac6483cece1883c020d2031161aee8

SHA512
c72ea75c67e2b121f036871892b9e463aa8a366943cab2bb6d03e1a1ab683f03f6ed5e3f4b3d296e47ca2a66e4bfdb672df2b764f2a89b9f3e96276f5f59ca7c

Download Submit
C:\Windows\System\mMikhKh.exe

Filesize
5.2MB

MD5
4b32e6d142c0f0f39c35fc399922a8d3

SHA1
fb752d908ce366a4de37947b88b0e1e506db07a2

SHA256
55305b9011956dbfeab77f2d0e366e48adb9a11c717f4ce09a9566d31e5fb535

SHA512
e4fb41931d9bbc438cfdcb79b14f17b618eb7322f8d2b9a4d67641ccfda0e73658c92bd0e04cc7c1abf5987a6ae0b38035635d0273fea789571fe2ad06a9813c

Download Submit
C:\Windows\System\pEtTtNN.exe

Filesize
5.2MB

MD5
dbdd63662a5935f56e3d6537ee8e570f

SHA1
fee065aae747c7b8e1c1c3a726d58edc239eb60d

SHA256
7d7e3aa9308c71d186bdc57a00ed1e572c58d85409a76d4c419fd52856dac74f

SHA512
cb2809345be7d74711fb78eb9e70d56b414080503c7bcf424739ab4c4754fc6b8c4c906642340b7b67d008d03aa358eee3ac3ca59da98e20fc4b001fab0ce07d

Download Submit
C:\Windows\System\wlXGMfh.exe

Filesize
5.2MB

MD5
614785946ecb9a3050eea3dee8a67146

SHA1
aab0d0558ac0115a7128cce491f0dcc09c465fd6

SHA256
86313479f80bdf9d7acd83fe310a24b757cff4a6a189845a5a282dadccd24196

SHA512
c31ba960b8c5fa830599ea61e4147ad6021e24fefc60329c8b19703a1458f0554f8ed4a48d6f13e5ff48c0fc880d0ab76445586b1863be49bed8743ad14fc133

Download Submit
C:\Windows\System\zdZealL.exe

Filesize
5.2MB

MD5
268c51be7b2e0451a3b9ba313ade4038

SHA1
3130c8b16e3600a1785836e16f49af9424ee4d1e

SHA256
8deae48e785deb9c958a579cddf088183a2791b38464c055b4d7234140392a4a

SHA512
54f5b359ec8a5ab36eed2f9e873c1bc463a9dff1036860c30ecafdccaa420846dc5ba3cf1ad2ac953b9036b2d31ba4300952ccbe0a2c18be125b8ac05981b478

Download Submit
memory/100-97-0x00007FF7B9900000-0x00007FF7B9C51000-memory.dmp

Filesize
3.3MB

Download
memory/100-251-0x00007FF7B9900000-0x00007FF7B9C51000-memory.dmp

Filesize
3.3MB

Download
memory/208-96-0x00007FF7AC710000-0x00007FF7ACA61000-memory.dmp

Filesize
3.3MB

Download
memory/208-246-0x00007FF7AC710000-0x00007FF7ACA61000-memory.dmp

Filesize
3.3MB

Download
memory/220-75-0x00007FF752A90000-0x00007FF752DE1000-memory.dmp

Filesize
3.3MB

Download
memory/220-144-0x00007FF752A90000-0x00007FF752DE1000-memory.dmp

Filesize
3.3MB

Download
memory/220-243-0x00007FF752A90000-0x00007FF752DE1000-memory.dmp

Filesize
3.3MB

Download
memory/1008-241-0x00007FF69B0E0000-0x00007FF69B431000-memory.dmp

Filesize
3.3MB

Download
memory/1008-89-0x00007FF69B0E0000-0x00007FF69B431000-memory.dmp

Filesize
3.3MB

Download
memory/1072-125-0x00007FF75DC30000-0x00007FF75DF81000-memory.dmp

Filesize
3.3MB

Download
memory/1072-265-0x00007FF75DC30000-0x00007FF75DF81000-memory.dmp

Filesize
3.3MB

Download
memory/1072-158-0x00007FF75DC30000-0x00007FF75DF81000-memory.dmp

Filesize
3.3MB

Download
memory/1248-140-0x00007FF7F9A50000-0x00007FF7F9DA1000-memory.dmp

Filesize
3.3MB

Download
memory/1248-57-0x00007FF7F9A50000-0x00007FF7F9DA1000-memory.dmp

Filesize
3.3MB

Download
memory/1248-237-0x00007FF7F9A50000-0x00007FF7F9DA1000-memory.dmp

Filesize
3.3MB

Download
memory/2020-88-0x00007FF6CDE10000-0x00007FF6CE161000-memory.dmp

Filesize
3.3MB

Download
memory/2020-233-0x00007FF6CDE10000-0x00007FF6CE161000-memory.dmp

Filesize
3.3MB

Download
memory/2100-128-0x00007FF7F6C70000-0x00007FF7F6FC1000-memory.dmp

Filesize
3.3MB

Download
memory/2100-267-0x00007FF7F6C70000-0x00007FF7F6FC1000-memory.dmp

Filesize
3.3MB

Download
memory/2100-157-0x00007FF7F6C70000-0x00007FF7F6FC1000-memory.dmp

Filesize
3.3MB

Download
memory/2324-94-0x00007FF6DD890000-0x00007FF6DDBE1000-memory.dmp

Filesize
3.3MB

Download
memory/2324-247-0x00007FF6DD890000-0x00007FF6DDBE1000-memory.dmp

Filesize
3.3MB

Download
memory/2360-0-0x00007FF71BF00000-0x00007FF71C251000-memory.dmp

Filesize
3.3MB

Download
memory/2360-1-0x000001E8059D0000-0x000001E8059E0000-memory.dmp

Filesize
64KB

Download
memory/2360-108-0x00007FF71BF00000-0x00007FF71C251000-memory.dmp

Filesize
3.3MB

Download
memory/2360-159-0x00007FF71BF00000-0x00007FF71C251000-memory.dmp

Filesize
3.3MB

Download
memory/2360-131-0x00007FF71BF00000-0x00007FF71C251000-memory.dmp

Filesize
3.3MB

Download
memory/2552-258-0x00007FF6EEF50000-0x00007FF6EF2A1000-memory.dmp

Filesize
3.3MB

Download
memory/2552-102-0x00007FF6EEF50000-0x00007FF6EF2A1000-memory.dmp

Filesize
3.3MB

Download
memory/2552-150-0x00007FF6EEF50000-0x00007FF6EF2A1000-memory.dmp

Filesize
3.3MB

Download
memory/2848-242-0x00007FF677750000-0x00007FF677AA1000-memory.dmp

Filesize
3.3MB

Download
memory/2848-143-0x00007FF677750000-0x00007FF677AA1000-memory.dmp

Filesize
3.3MB

Download
memory/2848-69-0x00007FF677750000-0x00007FF677AA1000-memory.dmp

Filesize
3.3MB

Download
memory/2980-151-0x00007FF6946D0000-0x00007FF694A21000-memory.dmp

Filesize
3.3MB

Download
memory/2980-260-0x00007FF6946D0000-0x00007FF694A21000-memory.dmp

Filesize
3.3MB

Download
memory/2980-116-0x00007FF6946D0000-0x00007FF694A21000-memory.dmp

Filesize
3.3MB

Download
memory/3088-127-0x00007FF7017F0000-0x00007FF701B41000-memory.dmp

Filesize
3.3MB

Download
memory/3088-29-0x00007FF7017F0000-0x00007FF701B41000-memory.dmp

Filesize
3.3MB

Download
memory/3088-220-0x00007FF7017F0000-0x00007FF701B41000-memory.dmp

Filesize
3.3MB

Download
memory/3568-15-0x00007FF71E1E0000-0x00007FF71E531000-memory.dmp

Filesize
3.3MB

Download
memory/3568-111-0x00007FF71E1E0000-0x00007FF71E531000-memory.dmp

Filesize
3.3MB

Download
memory/3568-216-0x00007FF71E1E0000-0x00007FF71E531000-memory.dmp

Filesize
3.3MB

Download
memory/3712-214-0x00007FF6964F0000-0x00007FF696841000-memory.dmp

Filesize
3.3MB

Download
memory/3712-8-0x00007FF6964F0000-0x00007FF696841000-memory.dmp

Filesize
3.3MB

Download
memory/3788-16-0x00007FF69D0D0000-0x00007FF69D421000-memory.dmp

Filesize
3.3MB

Download
memory/3788-126-0x00007FF69D0D0000-0x00007FF69D421000-memory.dmp

Filesize
3.3MB

Download
memory/3788-218-0x00007FF69D0D0000-0x00007FF69D421000-memory.dmp

Filesize
3.3MB

Download
memory/3872-236-0x00007FF635060000-0x00007FF6353B1000-memory.dmp

Filesize
3.3MB

Download
memory/3872-65-0x00007FF635060000-0x00007FF6353B1000-memory.dmp

Filesize
3.3MB

Download
memory/4232-250-0x00007FF63F390000-0x00007FF63F6E1000-memory.dmp

Filesize
3.3MB

Download
memory/4232-95-0x00007FF63F390000-0x00007FF63F6E1000-memory.dmp

Filesize
3.3MB

Download
memory/4384-224-0x00007FF754F00000-0x00007FF755251000-memory.dmp

Filesize
3.3MB

Download
memory/4384-82-0x00007FF754F00000-0x00007FF755251000-memory.dmp

Filesize
3.3MB

Download
memory/4760-222-0x00007FF671070000-0x00007FF6713C1000-memory.dmp

Filesize
3.3MB

Download
memory/4760-149-0x00007FF671070000-0x00007FF6713C1000-memory.dmp

Filesize
3.3MB

Download
memory/4760-37-0x00007FF671070000-0x00007FF6713C1000-memory.dmp

Filesize
3.3MB

Download
memory/4776-152-0x00007FF61B040000-0x00007FF61B391000-memory.dmp

Filesize
3.3MB

Download
memory/4776-263-0x00007FF61B040000-0x00007FF61B391000-memory.dmp

Filesize
3.3MB

Download
memory/4776-119-0x00007FF61B040000-0x00007FF61B391000-memory.dmp

Filesize
3.3MB

Download