cobaltstrike | b2627ff0abeafbb759708aade992e9b6d6ddde130700214382244a982f3c314a

Analysis

max time kernel
141s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-12-2024 14:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-17_d755320ef3a26e6f9ae2196200853cbf_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

d755320ef3a26e6f9ae2196200853cbf
SHA1

98e79e851ad677db044288eae60ab1f05b648794
SHA256

b2627ff0abeafbb759708aade992e9b6d6ddde130700214382244a982f3c314a
SHA512

30e7bf669f9a1cb785b51f17075c025e9152edac246e60917b6337c337ac0c7794de3d010c967d240320f0fd33a9ff9edd396e9b56dfdf3bd0b451c88287f32d
SSDEEP

49152:ROdWCCi7/raN56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6le:RWWBib+56utgpPFotBER/mQ32lUa

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0008000000023c93-4.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c97-11.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c99-27.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9a-30.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9c-42.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9b-40.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c98-22.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9d-54.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca0-64.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c9f-67.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca3-72.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca4-98.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca8-108.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca9-118.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023caa-129.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cab-126.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca7-115.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca5-114.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca6-106.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca2-78.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c94-58.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/3204-33-0x00007FF7D64C0000-0x00007FF7D6811000-memory.dmp	xmrig
behavioral2/memory/3496-125-0x00007FF71E0D0000-0x00007FF71E421000-memory.dmp	xmrig
behavioral2/memory/1860-124-0x00007FF6C0FA0000-0x00007FF6C12F1000-memory.dmp	xmrig
behavioral2/memory/2936-122-0x00007FF745FA0000-0x00007FF7462F1000-memory.dmp	xmrig
behavioral2/memory/1028-100-0x00007FF747760000-0x00007FF747AB1000-memory.dmp	xmrig
behavioral2/memory/552-91-0x00007FF638370000-0x00007FF6386C1000-memory.dmp	xmrig
behavioral2/memory/2380-75-0x00007FF68C6D0000-0x00007FF68CA21000-memory.dmp	xmrig
behavioral2/memory/4868-73-0x00007FF6C1720000-0x00007FF6C1A71000-memory.dmp	xmrig
behavioral2/memory/2428-134-0x00007FF764C10000-0x00007FF764F61000-memory.dmp	xmrig
behavioral2/memory/4868-135-0x00007FF6C1720000-0x00007FF6C1A71000-memory.dmp	xmrig
behavioral2/memory/5080-145-0x00007FF6A6C50000-0x00007FF6A6FA1000-memory.dmp	xmrig
behavioral2/memory/3048-144-0x00007FF676E30000-0x00007FF677181000-memory.dmp	xmrig
behavioral2/memory/5092-148-0x00007FF665E00000-0x00007FF666151000-memory.dmp	xmrig
behavioral2/memory/1596-147-0x00007FF7D6B60000-0x00007FF7D6EB1000-memory.dmp	xmrig
behavioral2/memory/1920-157-0x00007FF73B7F0000-0x00007FF73BB41000-memory.dmp	xmrig
behavioral2/memory/992-158-0x00007FF768CB0000-0x00007FF769001000-memory.dmp	xmrig
behavioral2/memory/1664-156-0x00007FF65B410000-0x00007FF65B761000-memory.dmp	xmrig
behavioral2/memory/2320-151-0x00007FF65B540000-0x00007FF65B891000-memory.dmp	xmrig
behavioral2/memory/4400-150-0x00007FF6D3590000-0x00007FF6D38E1000-memory.dmp	xmrig
behavioral2/memory/3208-155-0x00007FF767830000-0x00007FF767B81000-memory.dmp	xmrig
behavioral2/memory/796-153-0x00007FF7BE2F0000-0x00007FF7BE641000-memory.dmp	xmrig
behavioral2/memory/1156-152-0x00007FF661070000-0x00007FF6613C1000-memory.dmp	xmrig
behavioral2/memory/5064-149-0x00007FF7A9910000-0x00007FF7A9C61000-memory.dmp	xmrig
behavioral2/memory/4868-159-0x00007FF6C1720000-0x00007FF6C1A71000-memory.dmp	xmrig
behavioral2/memory/2380-213-0x00007FF68C6D0000-0x00007FF68CA21000-memory.dmp	xmrig
behavioral2/memory/552-215-0x00007FF638370000-0x00007FF6386C1000-memory.dmp	xmrig
behavioral2/memory/3204-218-0x00007FF7D64C0000-0x00007FF7D6811000-memory.dmp	xmrig
behavioral2/memory/1028-219-0x00007FF747760000-0x00007FF747AB1000-memory.dmp	xmrig
behavioral2/memory/2428-227-0x00007FF764C10000-0x00007FF764F61000-memory.dmp	xmrig
behavioral2/memory/3496-228-0x00007FF71E0D0000-0x00007FF71E421000-memory.dmp	xmrig
behavioral2/memory/1860-230-0x00007FF6C0FA0000-0x00007FF6C12F1000-memory.dmp	xmrig
behavioral2/memory/3048-232-0x00007FF676E30000-0x00007FF677181000-memory.dmp	xmrig
behavioral2/memory/5080-234-0x00007FF6A6C50000-0x00007FF6A6FA1000-memory.dmp	xmrig
behavioral2/memory/1596-237-0x00007FF7D6B60000-0x00007FF7D6EB1000-memory.dmp	xmrig
behavioral2/memory/5092-249-0x00007FF665E00000-0x00007FF666151000-memory.dmp	xmrig
behavioral2/memory/5064-250-0x00007FF7A9910000-0x00007FF7A9C61000-memory.dmp	xmrig
behavioral2/memory/4400-247-0x00007FF6D3590000-0x00007FF6D38E1000-memory.dmp	xmrig
behavioral2/memory/796-255-0x00007FF7BE2F0000-0x00007FF7BE641000-memory.dmp	xmrig
behavioral2/memory/2936-259-0x00007FF745FA0000-0x00007FF7462F1000-memory.dmp	xmrig
behavioral2/memory/1156-260-0x00007FF661070000-0x00007FF6613C1000-memory.dmp	xmrig
behavioral2/memory/1664-257-0x00007FF65B410000-0x00007FF65B761000-memory.dmp	xmrig
behavioral2/memory/2320-253-0x00007FF65B540000-0x00007FF65B891000-memory.dmp	xmrig
behavioral2/memory/3208-263-0x00007FF767830000-0x00007FF767B81000-memory.dmp	xmrig
behavioral2/memory/992-264-0x00007FF768CB0000-0x00007FF769001000-memory.dmp	xmrig
behavioral2/memory/1920-266-0x00007FF73B7F0000-0x00007FF73BB41000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2380	kFevWqj.exe
552	RhyVEum.exe
1028	gjVkfVl.exe
3204	AnvJvfU.exe
3496	hGXSGIJ.exe
1860	ZDJDPLn.exe
2428	kQEJSOa.exe
3048	qPPfknF.exe
5080	naxaDRE.exe
1596	LdxWkkG.exe
5092	ZLucQPf.exe
5064	DStiZiQ.exe
4400	RfbhubI.exe
2320	ioNrwQz.exe
1156	xoBvEmT.exe
796	qGfmUtG.exe
2936	KsEIKHS.exe
3208	DmpMYzR.exe
1664	plgyQRE.exe
992	jRPTBgX.exe
1920	GyFMigJ.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4868-0-0x00007FF6C1720000-0x00007FF6C1A71000-memory.dmp	upx
behavioral2/files/0x0008000000023c93-4.dat	upx
behavioral2/files/0x0007000000023c97-11.dat	upx
behavioral2/memory/552-17-0x00007FF638370000-0x00007FF6386C1000-memory.dmp	upx
behavioral2/memory/1028-18-0x00007FF747760000-0x00007FF747AB1000-memory.dmp	upx
behavioral2/files/0x0007000000023c99-27.dat	upx
behavioral2/files/0x0007000000023c9a-30.dat	upx
behavioral2/memory/1860-35-0x00007FF6C0FA0000-0x00007FF6C12F1000-memory.dmp	upx
behavioral2/memory/3496-39-0x00007FF71E0D0000-0x00007FF71E421000-memory.dmp	upx
behavioral2/files/0x0007000000023c9c-42.dat	upx
behavioral2/memory/2428-41-0x00007FF764C10000-0x00007FF764F61000-memory.dmp	upx
behavioral2/files/0x0007000000023c9b-40.dat	upx
behavioral2/memory/3204-33-0x00007FF7D64C0000-0x00007FF7D6811000-memory.dmp	upx
behavioral2/files/0x0007000000023c98-22.dat	upx
behavioral2/memory/2380-12-0x00007FF68C6D0000-0x00007FF68CA21000-memory.dmp	upx
behavioral2/files/0x0007000000023c9d-54.dat	upx
behavioral2/files/0x0007000000023ca0-64.dat	upx
behavioral2/files/0x0008000000023c9f-67.dat	upx
behavioral2/files/0x0007000000023ca3-72.dat	upx
behavioral2/memory/5092-80-0x00007FF665E00000-0x00007FF666151000-memory.dmp	upx
behavioral2/files/0x0007000000023ca4-98.dat	upx
behavioral2/files/0x0007000000023ca8-108.dat	upx
behavioral2/files/0x0007000000023ca9-118.dat	upx
behavioral2/memory/992-127-0x00007FF768CB0000-0x00007FF769001000-memory.dmp	upx
behavioral2/files/0x0007000000023caa-129.dat	upx
behavioral2/memory/1920-128-0x00007FF73B7F0000-0x00007FF73BB41000-memory.dmp	upx
behavioral2/files/0x0007000000023cab-126.dat	upx
behavioral2/memory/3496-125-0x00007FF71E0D0000-0x00007FF71E421000-memory.dmp	upx
behavioral2/memory/1860-124-0x00007FF6C0FA0000-0x00007FF6C12F1000-memory.dmp	upx
behavioral2/memory/2936-122-0x00007FF745FA0000-0x00007FF7462F1000-memory.dmp	upx
behavioral2/memory/1664-121-0x00007FF65B410000-0x00007FF65B761000-memory.dmp	upx
behavioral2/files/0x0007000000023ca7-115.dat	upx
behavioral2/files/0x0007000000023ca5-114.dat	upx
behavioral2/memory/3208-113-0x00007FF767830000-0x00007FF767B81000-memory.dmp	upx
behavioral2/memory/796-112-0x00007FF7BE2F0000-0x00007FF7BE641000-memory.dmp	upx
behavioral2/files/0x0007000000023ca6-106.dat	upx
behavioral2/memory/1028-100-0x00007FF747760000-0x00007FF747AB1000-memory.dmp	upx
behavioral2/memory/1156-99-0x00007FF661070000-0x00007FF6613C1000-memory.dmp	upx
behavioral2/memory/2320-92-0x00007FF65B540000-0x00007FF65B891000-memory.dmp	upx
behavioral2/memory/552-91-0x00007FF638370000-0x00007FF6386C1000-memory.dmp	upx
behavioral2/memory/4400-84-0x00007FF6D3590000-0x00007FF6D38E1000-memory.dmp	upx
behavioral2/memory/2380-75-0x00007FF68C6D0000-0x00007FF68CA21000-memory.dmp	upx
behavioral2/memory/4868-73-0x00007FF6C1720000-0x00007FF6C1A71000-memory.dmp	upx
behavioral2/files/0x0007000000023ca2-78.dat	upx
behavioral2/memory/5064-71-0x00007FF7A9910000-0x00007FF7A9C61000-memory.dmp	upx
behavioral2/memory/1596-66-0x00007FF7D6B60000-0x00007FF7D6EB1000-memory.dmp	upx
behavioral2/memory/5080-61-0x00007FF6A6C50000-0x00007FF6A6FA1000-memory.dmp	upx
behavioral2/files/0x0008000000023c94-58.dat	upx
behavioral2/memory/3048-50-0x00007FF676E30000-0x00007FF677181000-memory.dmp	upx
behavioral2/memory/2428-134-0x00007FF764C10000-0x00007FF764F61000-memory.dmp	upx
behavioral2/memory/4868-135-0x00007FF6C1720000-0x00007FF6C1A71000-memory.dmp	upx
behavioral2/memory/5080-145-0x00007FF6A6C50000-0x00007FF6A6FA1000-memory.dmp	upx
behavioral2/memory/3048-144-0x00007FF676E30000-0x00007FF677181000-memory.dmp	upx
behavioral2/memory/5092-148-0x00007FF665E00000-0x00007FF666151000-memory.dmp	upx
behavioral2/memory/1596-147-0x00007FF7D6B60000-0x00007FF7D6EB1000-memory.dmp	upx
behavioral2/memory/1920-157-0x00007FF73B7F0000-0x00007FF73BB41000-memory.dmp	upx
behavioral2/memory/992-158-0x00007FF768CB0000-0x00007FF769001000-memory.dmp	upx
behavioral2/memory/1664-156-0x00007FF65B410000-0x00007FF65B761000-memory.dmp	upx
behavioral2/memory/2320-151-0x00007FF65B540000-0x00007FF65B891000-memory.dmp	upx
behavioral2/memory/4400-150-0x00007FF6D3590000-0x00007FF6D38E1000-memory.dmp	upx
behavioral2/memory/3208-155-0x00007FF767830000-0x00007FF767B81000-memory.dmp	upx
behavioral2/memory/796-153-0x00007FF7BE2F0000-0x00007FF7BE641000-memory.dmp	upx
behavioral2/memory/1156-152-0x00007FF661070000-0x00007FF6613C1000-memory.dmp	upx
behavioral2/memory/5064-149-0x00007FF7A9910000-0x00007FF7A9C61000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\qGfmUtG.exe	2024-12-17_d755320ef3a26e6f9ae2196200853cbf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KsEIKHS.exe	2024-12-17_d755320ef3a26e6f9ae2196200853cbf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RhyVEum.exe	2024-12-17_d755320ef3a26e6f9ae2196200853cbf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gjVkfVl.exe	2024-12-17_d755320ef3a26e6f9ae2196200853cbf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AnvJvfU.exe	2024-12-17_d755320ef3a26e6f9ae2196200853cbf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RfbhubI.exe	2024-12-17_d755320ef3a26e6f9ae2196200853cbf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kFevWqj.exe	2024-12-17_d755320ef3a26e6f9ae2196200853cbf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LdxWkkG.exe	2024-12-17_d755320ef3a26e6f9ae2196200853cbf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DStiZiQ.exe	2024-12-17_d755320ef3a26e6f9ae2196200853cbf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jRPTBgX.exe	2024-12-17_d755320ef3a26e6f9ae2196200853cbf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xoBvEmT.exe	2024-12-17_d755320ef3a26e6f9ae2196200853cbf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DmpMYzR.exe	2024-12-17_d755320ef3a26e6f9ae2196200853cbf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GyFMigJ.exe	2024-12-17_d755320ef3a26e6f9ae2196200853cbf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hGXSGIJ.exe	2024-12-17_d755320ef3a26e6f9ae2196200853cbf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZDJDPLn.exe	2024-12-17_d755320ef3a26e6f9ae2196200853cbf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\naxaDRE.exe	2024-12-17_d755320ef3a26e6f9ae2196200853cbf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ioNrwQz.exe	2024-12-17_d755320ef3a26e6f9ae2196200853cbf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kQEJSOa.exe	2024-12-17_d755320ef3a26e6f9ae2196200853cbf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qPPfknF.exe	2024-12-17_d755320ef3a26e6f9ae2196200853cbf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZLucQPf.exe	2024-12-17_d755320ef3a26e6f9ae2196200853cbf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\plgyQRE.exe	2024-12-17_d755320ef3a26e6f9ae2196200853cbf_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4868	2024-12-17_d755320ef3a26e6f9ae2196200853cbf_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4868	2024-12-17_d755320ef3a26e6f9ae2196200853cbf_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4868 wrote to memory of 2380	4868	2024-12-17_d755320ef3a26e6f9ae2196200853cbf_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4868 wrote to memory of 2380	4868	2024-12-17_d755320ef3a26e6f9ae2196200853cbf_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4868 wrote to memory of 552	4868	2024-12-17_d755320ef3a26e6f9ae2196200853cbf_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4868 wrote to memory of 552	4868	2024-12-17_d755320ef3a26e6f9ae2196200853cbf_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4868 wrote to memory of 1028	4868	2024-12-17_d755320ef3a26e6f9ae2196200853cbf_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4868 wrote to memory of 1028	4868	2024-12-17_d755320ef3a26e6f9ae2196200853cbf_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4868 wrote to memory of 3204	4868	2024-12-17_d755320ef3a26e6f9ae2196200853cbf_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4868 wrote to memory of 3204	4868	2024-12-17_d755320ef3a26e6f9ae2196200853cbf_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4868 wrote to memory of 3496	4868	2024-12-17_d755320ef3a26e6f9ae2196200853cbf_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4868 wrote to memory of 3496	4868	2024-12-17_d755320ef3a26e6f9ae2196200853cbf_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4868 wrote to memory of 1860	4868	2024-12-17_d755320ef3a26e6f9ae2196200853cbf_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4868 wrote to memory of 1860	4868	2024-12-17_d755320ef3a26e6f9ae2196200853cbf_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4868 wrote to memory of 2428	4868	2024-12-17_d755320ef3a26e6f9ae2196200853cbf_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4868 wrote to memory of 2428	4868	2024-12-17_d755320ef3a26e6f9ae2196200853cbf_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4868 wrote to memory of 3048	4868	2024-12-17_d755320ef3a26e6f9ae2196200853cbf_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4868 wrote to memory of 3048	4868	2024-12-17_d755320ef3a26e6f9ae2196200853cbf_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4868 wrote to memory of 5080	4868	2024-12-17_d755320ef3a26e6f9ae2196200853cbf_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4868 wrote to memory of 5080	4868	2024-12-17_d755320ef3a26e6f9ae2196200853cbf_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4868 wrote to memory of 1596	4868	2024-12-17_d755320ef3a26e6f9ae2196200853cbf_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4868 wrote to memory of 1596	4868	2024-12-17_d755320ef3a26e6f9ae2196200853cbf_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4868 wrote to memory of 5092	4868	2024-12-17_d755320ef3a26e6f9ae2196200853cbf_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4868 wrote to memory of 5092	4868	2024-12-17_d755320ef3a26e6f9ae2196200853cbf_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4868 wrote to memory of 5064	4868	2024-12-17_d755320ef3a26e6f9ae2196200853cbf_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4868 wrote to memory of 5064	4868	2024-12-17_d755320ef3a26e6f9ae2196200853cbf_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4868 wrote to memory of 4400	4868	2024-12-17_d755320ef3a26e6f9ae2196200853cbf_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4868 wrote to memory of 4400	4868	2024-12-17_d755320ef3a26e6f9ae2196200853cbf_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4868 wrote to memory of 2320	4868	2024-12-17_d755320ef3a26e6f9ae2196200853cbf_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4868 wrote to memory of 2320	4868	2024-12-17_d755320ef3a26e6f9ae2196200853cbf_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4868 wrote to memory of 1156	4868	2024-12-17_d755320ef3a26e6f9ae2196200853cbf_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4868 wrote to memory of 1156	4868	2024-12-17_d755320ef3a26e6f9ae2196200853cbf_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4868 wrote to memory of 796	4868	2024-12-17_d755320ef3a26e6f9ae2196200853cbf_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4868 wrote to memory of 796	4868	2024-12-17_d755320ef3a26e6f9ae2196200853cbf_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4868 wrote to memory of 2936	4868	2024-12-17_d755320ef3a26e6f9ae2196200853cbf_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4868 wrote to memory of 2936	4868	2024-12-17_d755320ef3a26e6f9ae2196200853cbf_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4868 wrote to memory of 3208	4868	2024-12-17_d755320ef3a26e6f9ae2196200853cbf_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4868 wrote to memory of 3208	4868	2024-12-17_d755320ef3a26e6f9ae2196200853cbf_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4868 wrote to memory of 1664	4868	2024-12-17_d755320ef3a26e6f9ae2196200853cbf_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4868 wrote to memory of 1664	4868	2024-12-17_d755320ef3a26e6f9ae2196200853cbf_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4868 wrote to memory of 1920	4868	2024-12-17_d755320ef3a26e6f9ae2196200853cbf_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 4868 wrote to memory of 1920	4868	2024-12-17_d755320ef3a26e6f9ae2196200853cbf_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 4868 wrote to memory of 992	4868	2024-12-17_d755320ef3a26e6f9ae2196200853cbf_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 4868 wrote to memory of 992	4868	2024-12-17_d755320ef3a26e6f9ae2196200853cbf_cobalt-strike_cobaltstrike_poet-rat.exe	106

C:\Users\Admin\AppData\Local\Temp\2024-12-17_d755320ef3a26e6f9ae2196200853cbf_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-17_d755320ef3a26e6f9ae2196200853cbf_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4868
- C:\Windows\System\kFevWqj.exe
  C:\Windows\System\kFevWqj.exe
  2⤵
  - Executes dropped EXE
  PID:2380
- C:\Windows\System\RhyVEum.exe
  C:\Windows\System\RhyVEum.exe
  2⤵
  - Executes dropped EXE
  PID:552
- C:\Windows\System\gjVkfVl.exe
  C:\Windows\System\gjVkfVl.exe
  2⤵
  - Executes dropped EXE
  PID:1028
- C:\Windows\System\AnvJvfU.exe
  C:\Windows\System\AnvJvfU.exe
  2⤵
  - Executes dropped EXE
  PID:3204
- C:\Windows\System\hGXSGIJ.exe
  C:\Windows\System\hGXSGIJ.exe
  2⤵
  - Executes dropped EXE
  PID:3496
- C:\Windows\System\ZDJDPLn.exe
  C:\Windows\System\ZDJDPLn.exe
  2⤵
  - Executes dropped EXE
  PID:1860
- C:\Windows\System\kQEJSOa.exe
  C:\Windows\System\kQEJSOa.exe
  2⤵
  - Executes dropped EXE
  PID:2428
- C:\Windows\System\qPPfknF.exe
  C:\Windows\System\qPPfknF.exe
  2⤵
  - Executes dropped EXE
  PID:3048
- C:\Windows\System\naxaDRE.exe
  C:\Windows\System\naxaDRE.exe
  2⤵
  - Executes dropped EXE
  PID:5080
- C:\Windows\System\LdxWkkG.exe
  C:\Windows\System\LdxWkkG.exe
  2⤵
  - Executes dropped EXE
  PID:1596
- C:\Windows\System\ZLucQPf.exe
  C:\Windows\System\ZLucQPf.exe
  2⤵
  - Executes dropped EXE
  PID:5092
- C:\Windows\System\DStiZiQ.exe
  C:\Windows\System\DStiZiQ.exe
  2⤵
  - Executes dropped EXE
  PID:5064
- C:\Windows\System\RfbhubI.exe
  C:\Windows\System\RfbhubI.exe
  2⤵
  - Executes dropped EXE
  PID:4400
- C:\Windows\System\ioNrwQz.exe
  C:\Windows\System\ioNrwQz.exe
  2⤵
  - Executes dropped EXE
  PID:2320
- C:\Windows\System\xoBvEmT.exe
  C:\Windows\System\xoBvEmT.exe
  2⤵
  - Executes dropped EXE
  PID:1156
- C:\Windows\System\qGfmUtG.exe
  C:\Windows\System\qGfmUtG.exe
  2⤵
  - Executes dropped EXE
  PID:796
- C:\Windows\System\KsEIKHS.exe
  C:\Windows\System\KsEIKHS.exe
  2⤵
  - Executes dropped EXE
  PID:2936
- C:\Windows\System\DmpMYzR.exe
  C:\Windows\System\DmpMYzR.exe
  2⤵
  - Executes dropped EXE
  PID:3208
- C:\Windows\System\plgyQRE.exe
  C:\Windows\System\plgyQRE.exe
  2⤵
  - Executes dropped EXE
  PID:1664
- C:\Windows\System\GyFMigJ.exe
  C:\Windows\System\GyFMigJ.exe
  2⤵
  - Executes dropped EXE
  PID:1920
- C:\Windows\System\jRPTBgX.exe
  C:\Windows\System\jRPTBgX.exe
  2⤵
  - Executes dropped EXE
  PID:992

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AnvJvfU.exe

Filesize
5.2MB

MD5
84cd25cb1f181f5f5d4df7be222376c5

SHA1
817387eb4f8e2aab3789c42369c2e3573494133b

SHA256
989a8956dc1b5f8a5c2a2e2e0096dc771bfef5e7a7ede8e21ae35d3c483774fc

SHA512
8709cbea6da1622da4fe8b48e981b00b95c043220ac1fd1d846303be536f93c9bfc31f5eb9e67eceb3b7dc3b7b2bfd05578ec85591d4a6d79535d37a0fea967a

Download Submit
C:\Windows\System\DStiZiQ.exe

Filesize
5.2MB

MD5
0185bd841e6a7a0b7a2e67994f691371

SHA1
226d4ee7c578b4b81d5fbfbe524b0e0fdbeaf645

SHA256
d647eb80a7cd2552955573a93ae0a3d8b6350bf09212423551a06a439c857b80

SHA512
cb789f2c4b13e68ea8fcbb3d50bcb5d0945b5df9cb6e7f8615e796f9cf57d2a5413a69658ca78609e6510f34dd4d1b932648a4a0d4e713ff46ef87d55ed63a29

Download Submit
C:\Windows\System\DmpMYzR.exe

Filesize
5.2MB

MD5
0ab551858fe6cc28253a4eb86b1e488b

SHA1
ce9c73c5eee85be730a66ca5bcb9757c13fe8e9a

SHA256
9354afd4fc8a083f445fd969d304a3b5f587474d85af5343f041dfff9f36b7b3

SHA512
b063b4d119302d9646766197b4499030f31ed94cccc429bc50734166c5ef443f320f0c2f1d75e4c98fc418dc1ef5c0431f8680d54982d0c02f0f12b6236346f2

Download Submit
C:\Windows\System\GyFMigJ.exe

Filesize
5.2MB

MD5
d8ca940260c9d23e6ac80855f204e626

SHA1
8bc65474e348315d549c6b61afcf6d6c8e652183

SHA256
ba8376c7ea1d440ee22c6d8f646a8542e9e2c7fa60e7fa4a0fcf57851d148700

SHA512
1e7fccc5d82c583b97801701f0b04a2736b996f00faaa24b4b49f233ad19911fb258e4acf4ca6717983a22ffb6d7dfb46a2bc4422b75bee07c61f1c2bb7e3030

Download Submit
C:\Windows\System\KsEIKHS.exe

Filesize
5.2MB

MD5
3674f70655244764f299eebde2411dc1

SHA1
6d4a232b86d7e3d631bf69ea931afca749cf65e4

SHA256
0a101118a1b5ec840ef990a4aeb4c7e95e27027a5051a46268406320e0d11b03

SHA512
29f1e6843615ca142f84b5241bf7aeaa7c9876506c4850974a4002cecf987c74c56e88ad15853cdb233c9593c286366c24495a0c93ffff2ddba3cf20e800bd59

Download Submit
C:\Windows\System\LdxWkkG.exe

Filesize
5.2MB

MD5
63bdb0b44771e481dbd3de810e54de5b

SHA1
9fa54ad099bc3c1811bf3cd54a19132137f756f3

SHA256
a1110069029579416180882486c3ffc75d63580af08d49776567bcf15fa4991b

SHA512
96ee83a0b7a2e00fb1bc7d5ad7e41eab24bd51a375742af71f64cfc3af22a02682a211143ad72b26926636da20626258f3ecde3e42cf115eee33bc3cc3fa33fc

Download Submit
C:\Windows\System\RfbhubI.exe

Filesize
5.2MB

MD5
423217984ff52dcf7c13f2afcbc66a70

SHA1
8ba4089b33d4e245ade90ea5294491d9c89140e2

SHA256
17275f6ba8bd78e5d22166be0314e71559419d6875efb8f5227db7f373a9df2e

SHA512
5fc7df491165062887ef8121cbb725fa256b067ad48858d732921debd7ce6a33c8cba7b7266e4b8b2cd60909a7ada1b0e1ccdfd0e6cdbce51a19701a33401b1e

Download Submit
C:\Windows\System\RhyVEum.exe

Filesize
5.2MB

MD5
b9b0158110ed394da393e62631705959

SHA1
97b0f0b9656cac5b6082bf100f2ac5a5fc21a85d

SHA256
8b0b2700e489ada3cc6f7ed56ef6b3e371e9e442a0e8ec2e0f2a40cba68bc63f

SHA512
ccbfb204664f8d69302d4d6b8a614e639f788d7993db447a0ffbae86b721f051e0a0f756639a7ba0a6e630923da211da4b640910f0a8d9f88406634f03a33842

Download Submit
C:\Windows\System\ZDJDPLn.exe

Filesize
5.2MB

MD5
89b0d7aced277a318c47333506e92660

SHA1
bb73e5f520f76cd67742f9c3996cbc466d78dcb0

SHA256
19130edb99fb01519491b099216dea2dfc125af11ace22e09ca2c313cf6bd95f

SHA512
b238205d514cfdf1870e7127a539457794564212a5383a2c5f498ab67025091f5b850f8e0dfe2e8853f6e62bf89aeafc4b7466337c745148aa801c70fb802720

Download Submit
C:\Windows\System\ZLucQPf.exe

Filesize
5.2MB

MD5
8ab7f66d2c808085c474aa882edfafc4

SHA1
63d83afde797dfdafb208ecb5495f9f192b1e294

SHA256
58cd891068ef9945bd2885da877ffebf99f028000e2ccbe27bd2b628fc0ca172

SHA512
70a9eb2cdd5916fa309d6035c8adc98491c82e4b050d35b36f7b8ce1496bebe60178991ba5840e6983650e390b3f814de57e555d0148c0cbbe9c1d0d2ef44029

Download Submit
C:\Windows\System\gjVkfVl.exe

Filesize
5.2MB

MD5
84c1ed6ba435e6ac39aa3f951d4fdd80

SHA1
761653759fd58a092007f89f8a96c46295fde555

SHA256
cb28cfc38485f0a284a7a8a9ff91636ebc39dec09a3816924f0bdd569cc549c7

SHA512
4d088816a4b5a955e4d089a2d34ca9a5c969817455ffd27ef653b8485208a092b467e4c9eccc1e6af5dc0d437d7585bab733f919033aae7a53c872e1db4281b9

Download Submit
C:\Windows\System\hGXSGIJ.exe

Filesize
5.2MB

MD5
9d616b75a0ab1a7c0543b2dbb03b7b24

SHA1
32e04e077626fe5a88ce9a3fc923580d183ca024

SHA256
7e827f88493732b883c7e6fe8dcc82c15c44ffd65f697677dcabc16fd900e882

SHA512
0f392d6ba0b12003d1eb01db6ff59149018db24345e131eb4fbe5f7241fb6d15ef090b25b404ee74a00cd3b261d35812c0d0b4f68b08b9ad1a38d40e9a9ea697

Download Submit
C:\Windows\System\ioNrwQz.exe

Filesize
5.2MB

MD5
341f9e10e3a5cdb3a4c08755dd5f1904

SHA1
90159e4000526d85a740a17f4a72edbcc3f63710

SHA256
b72b9c3751764be8eb11a3705bc2ff041dd85b4e34347801b569ef4fcd0940d6

SHA512
deeaccacaa272ceaa568f8f613ec687f3cf9748910684ea8ebfdcbb8a3923801ca834813708d6d780e0cb90b95e2c819f50018a4089f4fdc1c96c81c473d1b10

Download Submit
C:\Windows\System\jRPTBgX.exe

Filesize
5.2MB

MD5
3a1ac3ba2ba7b668bdf7d41cfff94574

SHA1
8020d104fffb29ac51c0580eac35a1429e7b6ffd

SHA256
72caf9f4605765d3a8ded6e255d013bad01b9071ad7fb28076360642dc54f2fe

SHA512
14d021bb03b787e1cfbb8cb0854802d6fdff74f282c26a488ecffffb3468ca081e508cb4e437981553ac7e1e5c75265d2c4a0c3bf9cdce03d38d35df46650bd9

Download Submit
C:\Windows\System\kFevWqj.exe

Filesize
5.2MB

MD5
f6bff3ecd27d1bbafd3207641746b301

SHA1
d4cbee7cce9b655780662e883ada87f7f74823ea

SHA256
7f9836315a1c06323bf3da3f13e9d0ecea210ff39c90a316e3a339f0d1fd2a98

SHA512
e69a1489ab405bbeafac6dc558f55da05d95962f5d4a44d3de14fe0ac366f197d86a8fe9bd5fd60b1fb3e7bbeb1b28f36ee579e79123ec38c57cd2aa05d3ae92

Download Submit
C:\Windows\System\kQEJSOa.exe

Filesize
5.2MB

MD5
69ec5355dc44988d82a71c8b593fdf32

SHA1
7cc17b420578a0156cd30d73960a16a2db29b9eb

SHA256
8ae87151fc4672a825852c93536716d32724b167309af4efda56d47b037cdb35

SHA512
91bb00d7149bc09aa576fac696176d6eed5dd99d4bacc0cc85ed023b3563a5fc96c4bc101938d2d4ba89733a8fd8eff26aabb21bf2e2e0d46ccd1efa7c88ea08

Download Submit
C:\Windows\System\naxaDRE.exe

Filesize
5.2MB

MD5
206fc9f4856bf9b145662eda25dae745

SHA1
0ea53791a599ac712cdcfdf22f75b2b1bddbfcb0

SHA256
75c4718283f0f4cdbedf121d0910581621758f935d96382c56102fba37338d66

SHA512
a724c64a921ec97e6320215e2713656b10a4e56dab7aaa9224a8d21bf95b2b01c00b394fb668a99094a6e7e147eb180bb57e19bf2a44d7d705cb2c9c2aedaad3

Download Submit
C:\Windows\System\plgyQRE.exe

Filesize
5.2MB

MD5
ceac302edd6f052c99144bf1247bdaa8

SHA1
8cfd62998c068654ed4ae171895bdb4975b1e666

SHA256
3e7f18f627bf5fb623bd6a755e62b2bfa1f79ae66bc7d091cf37c4f189431421

SHA512
362c4e28834a06f520b1981dd3907456551f830bdd1d0e704059d105fef8dc7812990e97aa9cd174da1dec7790dcb957c25227c89133f92360a14d97bc56c429

Download Submit
C:\Windows\System\qGfmUtG.exe

Filesize
5.2MB

MD5
5fa3f4c1a5c1ede58a2f10ca5005db58

SHA1
f3987d6d680b755c428fd10747fe81734ef84e79

SHA256
68ac6abe1624f9d18998a803a56dc8019e93a8b826df02f7bf195021978d366b

SHA512
125cba674b9a121bbb130fb2f1f3d4a36be14160f8f64502dcb4f1d2ee5b9b52ca57b467a8d1791bf049ddfd3186393464eece13850cb2ab7fe44ae2a8e8d5b3

Download Submit
C:\Windows\System\qPPfknF.exe

Filesize
5.2MB

MD5
7792ff9a19aea9045e38bd5de1e54dfa

SHA1
906f780794e1cd5daf5ee302c98a984bcfdd7efe

SHA256
bdc4d722e0ba3d474b5578a4be2ea134b63512c3ec86d4e1aa167ab2b03f6a0d

SHA512
bba3291f9acd1725c6d1ae7577c977ac773b44b31b59cdef6f04450ae30b45d193345b9a41de135b930e94cd192c7e5be7692ae14b64af4314f2aefd67dfcbd7

Download Submit
C:\Windows\System\xoBvEmT.exe

Filesize
5.2MB

MD5
ceadc6ada9307c93c38dfea4931074dd

SHA1
d0e579f562c95153be9fb717aae3e74d87ed0636

SHA256
5f38408e9c12fc5582261b3b85e0769dbff4cd1af659c6e1fa6c8bac99d4c3ef

SHA512
53d8cba21b2f60aea706e920a9001cbdb2eb5e79de59554f78f551ff7ac2a6be4d83b69380b560f17281ade672603e0e30b121e40f87d2e2ded8b341d889beca

Download Submit
memory/552-91-0x00007FF638370000-0x00007FF6386C1000-memory.dmp

Filesize
3.3MB

Download
memory/552-17-0x00007FF638370000-0x00007FF6386C1000-memory.dmp

Filesize
3.3MB

Download
memory/552-215-0x00007FF638370000-0x00007FF6386C1000-memory.dmp

Filesize
3.3MB

Download
memory/796-255-0x00007FF7BE2F0000-0x00007FF7BE641000-memory.dmp

Filesize
3.3MB

Download
memory/796-153-0x00007FF7BE2F0000-0x00007FF7BE641000-memory.dmp

Filesize
3.3MB

Download
memory/796-112-0x00007FF7BE2F0000-0x00007FF7BE641000-memory.dmp

Filesize
3.3MB

Download
memory/992-127-0x00007FF768CB0000-0x00007FF769001000-memory.dmp

Filesize
3.3MB

Download
memory/992-158-0x00007FF768CB0000-0x00007FF769001000-memory.dmp

Filesize
3.3MB

Download
memory/992-264-0x00007FF768CB0000-0x00007FF769001000-memory.dmp

Filesize
3.3MB

Download
memory/1028-219-0x00007FF747760000-0x00007FF747AB1000-memory.dmp

Filesize
3.3MB

Download
memory/1028-100-0x00007FF747760000-0x00007FF747AB1000-memory.dmp

Filesize
3.3MB

Download
memory/1028-18-0x00007FF747760000-0x00007FF747AB1000-memory.dmp

Filesize
3.3MB

Download
memory/1156-152-0x00007FF661070000-0x00007FF6613C1000-memory.dmp

Filesize
3.3MB

Download
memory/1156-99-0x00007FF661070000-0x00007FF6613C1000-memory.dmp

Filesize
3.3MB

Download
memory/1156-260-0x00007FF661070000-0x00007FF6613C1000-memory.dmp

Filesize
3.3MB

Download
memory/1596-147-0x00007FF7D6B60000-0x00007FF7D6EB1000-memory.dmp

Filesize
3.3MB

Download
memory/1596-237-0x00007FF7D6B60000-0x00007FF7D6EB1000-memory.dmp

Filesize
3.3MB

Download
memory/1596-66-0x00007FF7D6B60000-0x00007FF7D6EB1000-memory.dmp

Filesize
3.3MB

Download
memory/1664-257-0x00007FF65B410000-0x00007FF65B761000-memory.dmp

Filesize
3.3MB

Download
memory/1664-121-0x00007FF65B410000-0x00007FF65B761000-memory.dmp

Filesize
3.3MB

Download
memory/1664-156-0x00007FF65B410000-0x00007FF65B761000-memory.dmp

Filesize
3.3MB

Download
memory/1860-35-0x00007FF6C0FA0000-0x00007FF6C12F1000-memory.dmp

Filesize
3.3MB

Download
memory/1860-230-0x00007FF6C0FA0000-0x00007FF6C12F1000-memory.dmp

Filesize
3.3MB

Download
memory/1860-124-0x00007FF6C0FA0000-0x00007FF6C12F1000-memory.dmp

Filesize
3.3MB

Download
memory/1920-128-0x00007FF73B7F0000-0x00007FF73BB41000-memory.dmp

Filesize
3.3MB

Download
memory/1920-157-0x00007FF73B7F0000-0x00007FF73BB41000-memory.dmp

Filesize
3.3MB

Download
memory/1920-266-0x00007FF73B7F0000-0x00007FF73BB41000-memory.dmp

Filesize
3.3MB

Download
memory/2320-151-0x00007FF65B540000-0x00007FF65B891000-memory.dmp

Filesize
3.3MB

Download
memory/2320-92-0x00007FF65B540000-0x00007FF65B891000-memory.dmp

Filesize
3.3MB

Download
memory/2320-253-0x00007FF65B540000-0x00007FF65B891000-memory.dmp

Filesize
3.3MB

Download
memory/2380-12-0x00007FF68C6D0000-0x00007FF68CA21000-memory.dmp

Filesize
3.3MB

Download
memory/2380-75-0x00007FF68C6D0000-0x00007FF68CA21000-memory.dmp

Filesize
3.3MB

Download
memory/2380-213-0x00007FF68C6D0000-0x00007FF68CA21000-memory.dmp

Filesize
3.3MB

Download
memory/2428-227-0x00007FF764C10000-0x00007FF764F61000-memory.dmp

Filesize
3.3MB

Download
memory/2428-134-0x00007FF764C10000-0x00007FF764F61000-memory.dmp

Filesize
3.3MB

Download
memory/2428-41-0x00007FF764C10000-0x00007FF764F61000-memory.dmp

Filesize
3.3MB

Download
memory/2936-122-0x00007FF745FA0000-0x00007FF7462F1000-memory.dmp

Filesize
3.3MB

Download
memory/2936-259-0x00007FF745FA0000-0x00007FF7462F1000-memory.dmp

Filesize
3.3MB

Download
memory/3048-144-0x00007FF676E30000-0x00007FF677181000-memory.dmp

Filesize
3.3MB

Download
memory/3048-232-0x00007FF676E30000-0x00007FF677181000-memory.dmp

Filesize
3.3MB

Download
memory/3048-50-0x00007FF676E30000-0x00007FF677181000-memory.dmp

Filesize
3.3MB

Download
memory/3204-218-0x00007FF7D64C0000-0x00007FF7D6811000-memory.dmp

Filesize
3.3MB

Download
memory/3204-33-0x00007FF7D64C0000-0x00007FF7D6811000-memory.dmp

Filesize
3.3MB

Download
memory/3208-155-0x00007FF767830000-0x00007FF767B81000-memory.dmp

Filesize
3.3MB

Download
memory/3208-263-0x00007FF767830000-0x00007FF767B81000-memory.dmp

Filesize
3.3MB

Download
memory/3208-113-0x00007FF767830000-0x00007FF767B81000-memory.dmp

Filesize
3.3MB

Download
memory/3496-125-0x00007FF71E0D0000-0x00007FF71E421000-memory.dmp

Filesize
3.3MB

Download
memory/3496-39-0x00007FF71E0D0000-0x00007FF71E421000-memory.dmp

Filesize
3.3MB

Download
memory/3496-228-0x00007FF71E0D0000-0x00007FF71E421000-memory.dmp

Filesize
3.3MB

Download
memory/4400-247-0x00007FF6D3590000-0x00007FF6D38E1000-memory.dmp

Filesize
3.3MB

Download
memory/4400-150-0x00007FF6D3590000-0x00007FF6D38E1000-memory.dmp

Filesize
3.3MB

Download
memory/4400-84-0x00007FF6D3590000-0x00007FF6D38E1000-memory.dmp

Filesize
3.3MB

Download
memory/4868-135-0x00007FF6C1720000-0x00007FF6C1A71000-memory.dmp

Filesize
3.3MB

Download
memory/4868-159-0x00007FF6C1720000-0x00007FF6C1A71000-memory.dmp

Filesize
3.3MB

Download
memory/4868-1-0x0000024912090000-0x00000249120A0000-memory.dmp

Filesize
64KB

Download
memory/4868-0-0x00007FF6C1720000-0x00007FF6C1A71000-memory.dmp

Filesize
3.3MB

Download
memory/4868-73-0x00007FF6C1720000-0x00007FF6C1A71000-memory.dmp

Filesize
3.3MB

Download
memory/5064-71-0x00007FF7A9910000-0x00007FF7A9C61000-memory.dmp

Filesize
3.3MB

Download
memory/5064-149-0x00007FF7A9910000-0x00007FF7A9C61000-memory.dmp

Filesize
3.3MB

Download
memory/5064-250-0x00007FF7A9910000-0x00007FF7A9C61000-memory.dmp

Filesize
3.3MB

Download
memory/5080-61-0x00007FF6A6C50000-0x00007FF6A6FA1000-memory.dmp

Filesize
3.3MB

Download
memory/5080-234-0x00007FF6A6C50000-0x00007FF6A6FA1000-memory.dmp

Filesize
3.3MB

Download
memory/5080-145-0x00007FF6A6C50000-0x00007FF6A6FA1000-memory.dmp

Filesize
3.3MB

Download
memory/5092-148-0x00007FF665E00000-0x00007FF666151000-memory.dmp

Filesize
3.3MB

Download
memory/5092-80-0x00007FF665E00000-0x00007FF666151000-memory.dmp

Filesize
3.3MB

Download
memory/5092-249-0x00007FF665E00000-0x00007FF666151000-memory.dmp

Filesize
3.3MB

Download