cobaltstrike | 0d1a54f8cc2c1e3acebf4d15124ba0883d218f2eca2168993c6a90234f399dd8

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-12-2024 04:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-19_ff6ab9b02c8a911a03a75fabba29743c_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

ff6ab9b02c8a911a03a75fabba29743c
SHA1

0d197c331842486829cc4a18a241032820895c63
SHA256

0d1a54f8cc2c1e3acebf4d15124ba0883d218f2eca2168993c6a90234f399dd8
SHA512

12f3bd2ae25b4e7bdb5f5141de527759ef5908f116baea5cd09c0861f9ced167bbe5091cfc1ea077ccdf45fe67eadafa248eed7868d5c2c360f24c07e3ef58df
SSDEEP

49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l4:RWWBibd56utgpPFotBER/mQ32lUM

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0009000000023c59-5.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c65-10.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c66-14.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c67-23.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c68-30.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023c5a-34.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c69-41.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c6a-48.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c6b-53.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c6e-66.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c6d-70.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c6f-74.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c70-82.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c71-90.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c72-94.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c73-101.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c74-107.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c75-118.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c77-134.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c76-135.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c78-139.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/208-46-0x00007FF7FF500000-0x00007FF7FF851000-memory.dmp	xmrig
behavioral2/memory/5112-50-0x00007FF6A34D0000-0x00007FF6A3821000-memory.dmp	xmrig
behavioral2/memory/2016-51-0x00007FF722280000-0x00007FF7225D1000-memory.dmp	xmrig
behavioral2/memory/3956-55-0x00007FF6D3B50000-0x00007FF6D3EA1000-memory.dmp	xmrig
behavioral2/memory/4564-56-0x00007FF731B40000-0x00007FF731E91000-memory.dmp	xmrig
behavioral2/memory/4192-77-0x00007FF67C8F0000-0x00007FF67CC41000-memory.dmp	xmrig
behavioral2/memory/3948-75-0x00007FF68AE90000-0x00007FF68B1E1000-memory.dmp	xmrig
behavioral2/memory/4424-67-0x00007FF7AA900000-0x00007FF7AAC51000-memory.dmp	xmrig
behavioral2/memory/1272-88-0x00007FF6E3490000-0x00007FF6E37E1000-memory.dmp	xmrig
behavioral2/memory/4980-115-0x00007FF6DAA90000-0x00007FF6DADE1000-memory.dmp	xmrig
behavioral2/memory/3148-114-0x00007FF6014D0000-0x00007FF601821000-memory.dmp	xmrig
behavioral2/memory/208-98-0x00007FF7FF500000-0x00007FF7FF851000-memory.dmp	xmrig
behavioral2/memory/5044-83-0x00007FF7818A0000-0x00007FF781BF1000-memory.dmp	xmrig
behavioral2/memory/2972-129-0x00007FF612AB0000-0x00007FF612E01000-memory.dmp	xmrig
behavioral2/memory/3104-149-0x00007FF64D800000-0x00007FF64DB51000-memory.dmp	xmrig
behavioral2/memory/3376-150-0x00007FF760850000-0x00007FF760BA1000-memory.dmp	xmrig
behavioral2/memory/1252-155-0x00007FF78BD20000-0x00007FF78C071000-memory.dmp	xmrig
behavioral2/memory/1492-156-0x00007FF701570000-0x00007FF7018C1000-memory.dmp	xmrig
behavioral2/memory/4544-157-0x00007FF7A2B00000-0x00007FF7A2E51000-memory.dmp	xmrig
behavioral2/memory/2224-163-0x00007FF7494F0000-0x00007FF749841000-memory.dmp	xmrig
behavioral2/memory/2456-164-0x00007FF75D110000-0x00007FF75D461000-memory.dmp	xmrig
behavioral2/memory/2016-165-0x00007FF722280000-0x00007FF7225D1000-memory.dmp	xmrig
behavioral2/memory/960-171-0x00007FF7F68B0000-0x00007FF7F6C01000-memory.dmp	xmrig
behavioral2/memory/4428-175-0x00007FF74ED30000-0x00007FF74F081000-memory.dmp	xmrig
behavioral2/memory/3956-218-0x00007FF6D3B50000-0x00007FF6D3EA1000-memory.dmp	xmrig
behavioral2/memory/4564-220-0x00007FF731B40000-0x00007FF731E91000-memory.dmp	xmrig
behavioral2/memory/4424-222-0x00007FF7AA900000-0x00007FF7AAC51000-memory.dmp	xmrig
behavioral2/memory/3948-224-0x00007FF68AE90000-0x00007FF68B1E1000-memory.dmp	xmrig
behavioral2/memory/5044-230-0x00007FF7818A0000-0x00007FF781BF1000-memory.dmp	xmrig
behavioral2/memory/1272-232-0x00007FF6E3490000-0x00007FF6E37E1000-memory.dmp	xmrig
behavioral2/memory/208-236-0x00007FF7FF500000-0x00007FF7FF851000-memory.dmp	xmrig
behavioral2/memory/5112-238-0x00007FF6A34D0000-0x00007FF6A3821000-memory.dmp	xmrig
behavioral2/memory/3148-242-0x00007FF6014D0000-0x00007FF601821000-memory.dmp	xmrig
behavioral2/memory/4980-246-0x00007FF6DAA90000-0x00007FF6DADE1000-memory.dmp	xmrig
behavioral2/memory/4192-248-0x00007FF67C8F0000-0x00007FF67CC41000-memory.dmp	xmrig
behavioral2/memory/2972-250-0x00007FF612AB0000-0x00007FF612E01000-memory.dmp	xmrig
behavioral2/memory/3376-255-0x00007FF760850000-0x00007FF760BA1000-memory.dmp	xmrig
behavioral2/memory/3104-257-0x00007FF64D800000-0x00007FF64DB51000-memory.dmp	xmrig
behavioral2/memory/1252-262-0x00007FF78BD20000-0x00007FF78C071000-memory.dmp	xmrig
behavioral2/memory/2456-265-0x00007FF75D110000-0x00007FF75D461000-memory.dmp	xmrig
behavioral2/memory/1492-266-0x00007FF701570000-0x00007FF7018C1000-memory.dmp	xmrig
behavioral2/memory/4544-268-0x00007FF7A2B00000-0x00007FF7A2E51000-memory.dmp	xmrig
behavioral2/memory/2224-273-0x00007FF7494F0000-0x00007FF749841000-memory.dmp	xmrig
behavioral2/memory/960-275-0x00007FF7F68B0000-0x00007FF7F6C01000-memory.dmp	xmrig
behavioral2/memory/4428-277-0x00007FF74ED30000-0x00007FF74F081000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
3956	hKiSoFV.exe
4564	jelECZt.exe
4424	UDqwvos.exe
3948	TmxlzYk.exe
5044	eqBcqNt.exe
1272	EVulrky.exe
208	fSKGITu.exe
5112	hxYQBzC.exe
3148	vtLFuPD.exe
4980	bagAHna.exe
2972	chuMifA.exe
4192	IAaRcuB.exe
3104	YsJJjLE.exe
3376	qchnpnC.exe
1252	neTCDdX.exe
1492	hYhBABw.exe
4544	QnxLnAv.exe
2456	OjaOKNk.exe
2224	uxIGnUs.exe
960	kmkhlEs.exe
4428	MnZEfbS.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2016-0-0x00007FF722280000-0x00007FF7225D1000-memory.dmp	upx
behavioral2/files/0x0009000000023c59-5.dat	upx
behavioral2/files/0x0007000000023c65-10.dat	upx
behavioral2/files/0x0007000000023c66-14.dat	upx
behavioral2/memory/4424-21-0x00007FF7AA900000-0x00007FF7AAC51000-memory.dmp	upx
behavioral2/files/0x0007000000023c67-23.dat	upx
behavioral2/memory/3948-24-0x00007FF68AE90000-0x00007FF68B1E1000-memory.dmp	upx
behavioral2/memory/4564-19-0x00007FF731B40000-0x00007FF731E91000-memory.dmp	upx
behavioral2/memory/3956-9-0x00007FF6D3B50000-0x00007FF6D3EA1000-memory.dmp	upx
behavioral2/files/0x0007000000023c68-30.dat	upx
behavioral2/memory/5044-31-0x00007FF7818A0000-0x00007FF781BF1000-memory.dmp	upx
behavioral2/files/0x0009000000023c5a-34.dat	upx
behavioral2/memory/1272-38-0x00007FF6E3490000-0x00007FF6E37E1000-memory.dmp	upx
behavioral2/files/0x0007000000023c69-41.dat	upx
behavioral2/memory/208-46-0x00007FF7FF500000-0x00007FF7FF851000-memory.dmp	upx
behavioral2/files/0x0007000000023c6a-48.dat	upx
behavioral2/memory/5112-50-0x00007FF6A34D0000-0x00007FF6A3821000-memory.dmp	upx
behavioral2/memory/2016-51-0x00007FF722280000-0x00007FF7225D1000-memory.dmp	upx
behavioral2/files/0x0007000000023c6b-53.dat	upx
behavioral2/memory/3956-55-0x00007FF6D3B50000-0x00007FF6D3EA1000-memory.dmp	upx
behavioral2/memory/3148-58-0x00007FF6014D0000-0x00007FF601821000-memory.dmp	upx
behavioral2/memory/4564-56-0x00007FF731B40000-0x00007FF731E91000-memory.dmp	upx
behavioral2/files/0x0007000000023c6e-66.dat	upx
behavioral2/files/0x0007000000023c6d-70.dat	upx
behavioral2/files/0x0007000000023c6f-74.dat	upx
behavioral2/memory/4192-77-0x00007FF67C8F0000-0x00007FF67CC41000-memory.dmp	upx
behavioral2/memory/3948-75-0x00007FF68AE90000-0x00007FF68B1E1000-memory.dmp	upx
behavioral2/memory/2972-69-0x00007FF612AB0000-0x00007FF612E01000-memory.dmp	upx
behavioral2/memory/4424-67-0x00007FF7AA900000-0x00007FF7AAC51000-memory.dmp	upx
behavioral2/memory/4980-64-0x00007FF6DAA90000-0x00007FF6DADE1000-memory.dmp	upx
behavioral2/files/0x0007000000023c70-82.dat	upx
behavioral2/memory/1272-88-0x00007FF6E3490000-0x00007FF6E37E1000-memory.dmp	upx
behavioral2/files/0x0007000000023c71-90.dat	upx
behavioral2/files/0x0007000000023c72-94.dat	upx
behavioral2/files/0x0007000000023c73-101.dat	upx
behavioral2/files/0x0007000000023c74-107.dat	upx
behavioral2/memory/4544-108-0x00007FF7A2B00000-0x00007FF7A2E51000-memory.dmp	upx
behavioral2/memory/2456-117-0x00007FF75D110000-0x00007FF75D461000-memory.dmp	upx
behavioral2/files/0x0007000000023c75-118.dat	upx
behavioral2/memory/4980-115-0x00007FF6DAA90000-0x00007FF6DADE1000-memory.dmp	upx
behavioral2/memory/3148-114-0x00007FF6014D0000-0x00007FF601821000-memory.dmp	upx
behavioral2/memory/1492-106-0x00007FF701570000-0x00007FF7018C1000-memory.dmp	upx
behavioral2/memory/1252-99-0x00007FF78BD20000-0x00007FF78C071000-memory.dmp	upx
behavioral2/memory/208-98-0x00007FF7FF500000-0x00007FF7FF851000-memory.dmp	upx
behavioral2/memory/3376-89-0x00007FF760850000-0x00007FF760BA1000-memory.dmp	upx
behavioral2/memory/3104-84-0x00007FF64D800000-0x00007FF64DB51000-memory.dmp	upx
behavioral2/memory/5044-83-0x00007FF7818A0000-0x00007FF781BF1000-memory.dmp	upx
behavioral2/memory/2972-129-0x00007FF612AB0000-0x00007FF612E01000-memory.dmp	upx
behavioral2/files/0x0007000000023c77-134.dat	upx
behavioral2/files/0x0007000000023c76-135.dat	upx
behavioral2/memory/4428-140-0x00007FF74ED30000-0x00007FF74F081000-memory.dmp	upx
behavioral2/files/0x0007000000023c78-139.dat	upx
behavioral2/memory/960-138-0x00007FF7F68B0000-0x00007FF7F6C01000-memory.dmp	upx
behavioral2/memory/2224-136-0x00007FF7494F0000-0x00007FF749841000-memory.dmp	upx
behavioral2/memory/3104-149-0x00007FF64D800000-0x00007FF64DB51000-memory.dmp	upx
behavioral2/memory/3376-150-0x00007FF760850000-0x00007FF760BA1000-memory.dmp	upx
behavioral2/memory/1252-155-0x00007FF78BD20000-0x00007FF78C071000-memory.dmp	upx
behavioral2/memory/1492-156-0x00007FF701570000-0x00007FF7018C1000-memory.dmp	upx
behavioral2/memory/4544-157-0x00007FF7A2B00000-0x00007FF7A2E51000-memory.dmp	upx
behavioral2/memory/2224-163-0x00007FF7494F0000-0x00007FF749841000-memory.dmp	upx
behavioral2/memory/2456-164-0x00007FF75D110000-0x00007FF75D461000-memory.dmp	upx
behavioral2/memory/2016-165-0x00007FF722280000-0x00007FF7225D1000-memory.dmp	upx
behavioral2/memory/960-171-0x00007FF7F68B0000-0x00007FF7F6C01000-memory.dmp	upx
behavioral2/memory/4428-175-0x00007FF74ED30000-0x00007FF74F081000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\TmxlzYk.exe	2024-12-19_ff6ab9b02c8a911a03a75fabba29743c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YsJJjLE.exe	2024-12-19_ff6ab9b02c8a911a03a75fabba29743c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QnxLnAv.exe	2024-12-19_ff6ab9b02c8a911a03a75fabba29743c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kmkhlEs.exe	2024-12-19_ff6ab9b02c8a911a03a75fabba29743c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hKiSoFV.exe	2024-12-19_ff6ab9b02c8a911a03a75fabba29743c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jelECZt.exe	2024-12-19_ff6ab9b02c8a911a03a75fabba29743c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EVulrky.exe	2024-12-19_ff6ab9b02c8a911a03a75fabba29743c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fSKGITu.exe	2024-12-19_ff6ab9b02c8a911a03a75fabba29743c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eqBcqNt.exe	2024-12-19_ff6ab9b02c8a911a03a75fabba29743c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vtLFuPD.exe	2024-12-19_ff6ab9b02c8a911a03a75fabba29743c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IAaRcuB.exe	2024-12-19_ff6ab9b02c8a911a03a75fabba29743c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uxIGnUs.exe	2024-12-19_ff6ab9b02c8a911a03a75fabba29743c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qchnpnC.exe	2024-12-19_ff6ab9b02c8a911a03a75fabba29743c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\neTCDdX.exe	2024-12-19_ff6ab9b02c8a911a03a75fabba29743c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hYhBABw.exe	2024-12-19_ff6ab9b02c8a911a03a75fabba29743c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OjaOKNk.exe	2024-12-19_ff6ab9b02c8a911a03a75fabba29743c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UDqwvos.exe	2024-12-19_ff6ab9b02c8a911a03a75fabba29743c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hxYQBzC.exe	2024-12-19_ff6ab9b02c8a911a03a75fabba29743c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bagAHna.exe	2024-12-19_ff6ab9b02c8a911a03a75fabba29743c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\chuMifA.exe	2024-12-19_ff6ab9b02c8a911a03a75fabba29743c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MnZEfbS.exe	2024-12-19_ff6ab9b02c8a911a03a75fabba29743c_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2016	2024-12-19_ff6ab9b02c8a911a03a75fabba29743c_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2016	2024-12-19_ff6ab9b02c8a911a03a75fabba29743c_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 3956	2016	2024-12-19_ff6ab9b02c8a911a03a75fabba29743c_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2016 wrote to memory of 3956	2016	2024-12-19_ff6ab9b02c8a911a03a75fabba29743c_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2016 wrote to memory of 4564	2016	2024-12-19_ff6ab9b02c8a911a03a75fabba29743c_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2016 wrote to memory of 4564	2016	2024-12-19_ff6ab9b02c8a911a03a75fabba29743c_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2016 wrote to memory of 4424	2016	2024-12-19_ff6ab9b02c8a911a03a75fabba29743c_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2016 wrote to memory of 4424	2016	2024-12-19_ff6ab9b02c8a911a03a75fabba29743c_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2016 wrote to memory of 3948	2016	2024-12-19_ff6ab9b02c8a911a03a75fabba29743c_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2016 wrote to memory of 3948	2016	2024-12-19_ff6ab9b02c8a911a03a75fabba29743c_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2016 wrote to memory of 5044	2016	2024-12-19_ff6ab9b02c8a911a03a75fabba29743c_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2016 wrote to memory of 5044	2016	2024-12-19_ff6ab9b02c8a911a03a75fabba29743c_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2016 wrote to memory of 1272	2016	2024-12-19_ff6ab9b02c8a911a03a75fabba29743c_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2016 wrote to memory of 1272	2016	2024-12-19_ff6ab9b02c8a911a03a75fabba29743c_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2016 wrote to memory of 208	2016	2024-12-19_ff6ab9b02c8a911a03a75fabba29743c_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2016 wrote to memory of 208	2016	2024-12-19_ff6ab9b02c8a911a03a75fabba29743c_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2016 wrote to memory of 5112	2016	2024-12-19_ff6ab9b02c8a911a03a75fabba29743c_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2016 wrote to memory of 5112	2016	2024-12-19_ff6ab9b02c8a911a03a75fabba29743c_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2016 wrote to memory of 3148	2016	2024-12-19_ff6ab9b02c8a911a03a75fabba29743c_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2016 wrote to memory of 3148	2016	2024-12-19_ff6ab9b02c8a911a03a75fabba29743c_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2016 wrote to memory of 4980	2016	2024-12-19_ff6ab9b02c8a911a03a75fabba29743c_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2016 wrote to memory of 4980	2016	2024-12-19_ff6ab9b02c8a911a03a75fabba29743c_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2016 wrote to memory of 2972	2016	2024-12-19_ff6ab9b02c8a911a03a75fabba29743c_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2016 wrote to memory of 2972	2016	2024-12-19_ff6ab9b02c8a911a03a75fabba29743c_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2016 wrote to memory of 4192	2016	2024-12-19_ff6ab9b02c8a911a03a75fabba29743c_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2016 wrote to memory of 4192	2016	2024-12-19_ff6ab9b02c8a911a03a75fabba29743c_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2016 wrote to memory of 3104	2016	2024-12-19_ff6ab9b02c8a911a03a75fabba29743c_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2016 wrote to memory of 3104	2016	2024-12-19_ff6ab9b02c8a911a03a75fabba29743c_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2016 wrote to memory of 3376	2016	2024-12-19_ff6ab9b02c8a911a03a75fabba29743c_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2016 wrote to memory of 3376	2016	2024-12-19_ff6ab9b02c8a911a03a75fabba29743c_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2016 wrote to memory of 1252	2016	2024-12-19_ff6ab9b02c8a911a03a75fabba29743c_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2016 wrote to memory of 1252	2016	2024-12-19_ff6ab9b02c8a911a03a75fabba29743c_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2016 wrote to memory of 1492	2016	2024-12-19_ff6ab9b02c8a911a03a75fabba29743c_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2016 wrote to memory of 1492	2016	2024-12-19_ff6ab9b02c8a911a03a75fabba29743c_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2016 wrote to memory of 4544	2016	2024-12-19_ff6ab9b02c8a911a03a75fabba29743c_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2016 wrote to memory of 4544	2016	2024-12-19_ff6ab9b02c8a911a03a75fabba29743c_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2016 wrote to memory of 2456	2016	2024-12-19_ff6ab9b02c8a911a03a75fabba29743c_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2016 wrote to memory of 2456	2016	2024-12-19_ff6ab9b02c8a911a03a75fabba29743c_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2016 wrote to memory of 2224	2016	2024-12-19_ff6ab9b02c8a911a03a75fabba29743c_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2016 wrote to memory of 2224	2016	2024-12-19_ff6ab9b02c8a911a03a75fabba29743c_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2016 wrote to memory of 960	2016	2024-12-19_ff6ab9b02c8a911a03a75fabba29743c_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2016 wrote to memory of 960	2016	2024-12-19_ff6ab9b02c8a911a03a75fabba29743c_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2016 wrote to memory of 4428	2016	2024-12-19_ff6ab9b02c8a911a03a75fabba29743c_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 2016 wrote to memory of 4428	2016	2024-12-19_ff6ab9b02c8a911a03a75fabba29743c_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-12-19_ff6ab9b02c8a911a03a75fabba29743c_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-19_ff6ab9b02c8a911a03a75fabba29743c_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Windows\System\hKiSoFV.exe
  C:\Windows\System\hKiSoFV.exe
  2⤵
  - Executes dropped EXE
  PID:3956
- C:\Windows\System\jelECZt.exe
  C:\Windows\System\jelECZt.exe
  2⤵
  - Executes dropped EXE
  PID:4564
- C:\Windows\System\UDqwvos.exe
  C:\Windows\System\UDqwvos.exe
  2⤵
  - Executes dropped EXE
  PID:4424
- C:\Windows\System\TmxlzYk.exe
  C:\Windows\System\TmxlzYk.exe
  2⤵
  - Executes dropped EXE
  PID:3948
- C:\Windows\System\eqBcqNt.exe
  C:\Windows\System\eqBcqNt.exe
  2⤵
  - Executes dropped EXE
  PID:5044
- C:\Windows\System\EVulrky.exe
  C:\Windows\System\EVulrky.exe
  2⤵
  - Executes dropped EXE
  PID:1272
- C:\Windows\System\fSKGITu.exe
  C:\Windows\System\fSKGITu.exe
  2⤵
  - Executes dropped EXE
  PID:208
- C:\Windows\System\hxYQBzC.exe
  C:\Windows\System\hxYQBzC.exe
  2⤵
  - Executes dropped EXE
  PID:5112
- C:\Windows\System\vtLFuPD.exe
  C:\Windows\System\vtLFuPD.exe
  2⤵
  - Executes dropped EXE
  PID:3148
- C:\Windows\System\bagAHna.exe
  C:\Windows\System\bagAHna.exe
  2⤵
  - Executes dropped EXE
  PID:4980
- C:\Windows\System\chuMifA.exe
  C:\Windows\System\chuMifA.exe
  2⤵
  - Executes dropped EXE
  PID:2972
- C:\Windows\System\IAaRcuB.exe
  C:\Windows\System\IAaRcuB.exe
  2⤵
  - Executes dropped EXE
  PID:4192
- C:\Windows\System\YsJJjLE.exe
  C:\Windows\System\YsJJjLE.exe
  2⤵
  - Executes dropped EXE
  PID:3104
- C:\Windows\System\qchnpnC.exe
  C:\Windows\System\qchnpnC.exe
  2⤵
  - Executes dropped EXE
  PID:3376
- C:\Windows\System\neTCDdX.exe
  C:\Windows\System\neTCDdX.exe
  2⤵
  - Executes dropped EXE
  PID:1252
- C:\Windows\System\hYhBABw.exe
  C:\Windows\System\hYhBABw.exe
  2⤵
  - Executes dropped EXE
  PID:1492
- C:\Windows\System\QnxLnAv.exe
  C:\Windows\System\QnxLnAv.exe
  2⤵
  - Executes dropped EXE
  PID:4544
- C:\Windows\System\OjaOKNk.exe
  C:\Windows\System\OjaOKNk.exe
  2⤵
  - Executes dropped EXE
  PID:2456
- C:\Windows\System\uxIGnUs.exe
  C:\Windows\System\uxIGnUs.exe
  2⤵
  - Executes dropped EXE
  PID:2224
- C:\Windows\System\kmkhlEs.exe
  C:\Windows\System\kmkhlEs.exe
  2⤵
  - Executes dropped EXE
  PID:960
- C:\Windows\System\MnZEfbS.exe
  C:\Windows\System\MnZEfbS.exe
  2⤵
  - Executes dropped EXE
  PID:4428

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\EVulrky.exe

Filesize
5.2MB

MD5
a8549ec82d61a6e4129a59c584d7e1ff

SHA1
47360eba296c86129f3b04e9b4ad39f03760feda

SHA256
9343c71e5b22355adfc8438d69364f266c4917ce1da55e23ef1f4b82ba39d82a

SHA512
d1f6eb5d69df9f30cb04baa3577a7a6d469755a3933fe2bbdfe6d27cf52b004acfd4b62d411eb4486dd961feb405041604c032710fbaae5b68c7a8cfc6e4e343

Download Submit
C:\Windows\System\IAaRcuB.exe

Filesize
5.2MB

MD5
8a5fab9bd79892aaa6eab6b84cdefe14

SHA1
e9f6c8f35dc1ae149f053d9c775ee31340cbee0d

SHA256
5f74da19461d7a0ad29c19ddb4b3946c64936439f4b19cc5ad5f0259ec663317

SHA512
f54d3bce3bea0785685da7586656aeed6b06de97f405bb61a53ed3cf1f86d338a85199d2bd2675c7b6b8a4e8ee0be0d0816e00d1b7e06accd1b6ce1d797f7c8e

Download Submit
C:\Windows\System\MnZEfbS.exe

Filesize
5.2MB

MD5
8fbb6770889bf89ef8cbaf0ec765d714

SHA1
af5c60ecdcc97be9170a10bb33c2de387e3e5bf8

SHA256
7c85d39e5564d09ee2e5bc6c1d489d4709b8bb157781f60f25d5f8b786baa06e

SHA512
dcab31aed1b00f0cfb9475c013328a991485fbd8443a7ed08e66564904cf3b0a2ddf61287afba9dff43b9ed910520c0ff1edc8a0b1ff10f468457c1762dd8a45

Download Submit
C:\Windows\System\OjaOKNk.exe

Filesize
5.2MB

MD5
7c91a52606558f432357fd4e4ea7256a

SHA1
4469f5b29dacc49f05686fdd549097427c394907

SHA256
904308683ee7dcda82055f3b6d42b2b1fce4c6f61bb5f38a77d3ed3829c3756c

SHA512
3e2d7b5afaf30cab2e273c7d4371f06bb5983d828ca883e3f84105f6f5de783b66f8a05b6aa3f1171cb60940187043d422aafcf1a707477f73f9e82dfdfe52ad

Download Submit
C:\Windows\System\QnxLnAv.exe

Filesize
5.2MB

MD5
a03ec544512cf679ea340044d56035a3

SHA1
2e051f8224de4900907cf6c286770ab4aa62b813

SHA256
964b682f8100844706f27cc59d90b946642a8d65a4afe9d918ec5e918d0b2d12

SHA512
f5d9f0622a6c9f66665bf6303c6445a39a1fcdcf3de2ef6f6aed0ed0e1ed9446364148ac18740e116958a8a9f4171e64a967df4d66778ad0eaa9b68f20b3966f

Download Submit
C:\Windows\System\TmxlzYk.exe

Filesize
5.2MB

MD5
a7ef92a4c15e1c13a5a50fe340964571

SHA1
96f492b316eff7bad304e9fe3eb6c85ba3946ca0

SHA256
ffed5880b1a5f4946d0151d22539b2e50ba361f03332868fdf55d3e7ec40acda

SHA512
3849e128d7239225b15af76de451729a103bb47d60b47113a83aadb67202a1fe60b077399e6438c95f7e50fff864afd75c3ce7d4a3f827d3e61295bd477fd2b0

Download Submit
C:\Windows\System\UDqwvos.exe

Filesize
5.2MB

MD5
dd1373cdfa6b21fa2a3eefbff7c7dfa9

SHA1
b18cc2dca155c0fabcfc4f5607ba1194f8167d5d

SHA256
b939ee97fa25c84a038b3d860e84bd368c5b5fc2a85714c3bd1a5e4355ba234a

SHA512
97bd3d373b3e37e9e0d8a3e9470fee7afe286a9719bbd74efba328da25cea16496f61c454ebdb469041470b77dbde589768c6195b926ff21c9f763445cfec8a1

Download Submit
C:\Windows\System\YsJJjLE.exe

Filesize
5.2MB

MD5
cadadf3c6c074ba6f8762af6442e96ad

SHA1
f1c7db350d18208e74bde1e299793099b732e1c5

SHA256
4cc1d032afd9d7dc6dbe3b3fe76b964b1c1aa5e862d19fd10f77731f5e3f20f1

SHA512
417b33b51d8f1c60e68b3e0f14b2e0618ac195f5c82773be3c4b8d800acb40d1a283a38e3addb051317c4f4e7e9190f9470448b2fb028ba19fe5c33fcee0a14c

Download Submit
C:\Windows\System\bagAHna.exe

Filesize
5.2MB

MD5
88316965792b49b1a0fae3242772817e

SHA1
a8f34ef800c3fa90e962dea6eacf368daaadd24c

SHA256
a3d5fcb9c96dcacdac4ae52a667a6521fae6064ed7f284accfaa919a0ee2ebf2

SHA512
da252370f97cb4b10f1905b95f1d2e603ea8eb09c560a1c2db4d2c2e17e8b827e5b29b129b36eb8df0420c2b240220671cf3be696e619a473b784282885e4e7b

Download Submit
C:\Windows\System\chuMifA.exe

Filesize
5.2MB

MD5
2412d88079abc01c452a3f4bf0dda31e

SHA1
b21ed7305bde543a0dea09abf779e954af964e91

SHA256
f5be58591625676f12bca36ff61cbf1f72abb9dcdea973d674eba9f5e21dbd1d

SHA512
c4b1aa85ddcd57cd0e2a2ea7c76aa98358e1b4ce64b0ed8112aa202d24911c00ce646e93bbc32f601b02c10b8b80e25072a36bfb1c25e00a4efa2dea58fad11e

Download Submit
C:\Windows\System\eqBcqNt.exe

Filesize
5.2MB

MD5
bbd8499084f8f8558465ba02d5b136fd

SHA1
ab1cd476396f854a9d633032ded16966076a0838

SHA256
1c799cebb2138188e0792a39b74f97f5e49ae924786c2b2b05373e6a75543cb4

SHA512
05d103c2095abbcf020ff66176197f42686e5755ff6d8d8ce152939ea476402752b57d1e4673e0dd062148426b5a61facfe5e0b75cb64964c7ae993b2d436322

Download Submit
C:\Windows\System\fSKGITu.exe

Filesize
5.2MB

MD5
cd5b02b149e3476ed60ad7d58f6c8d59

SHA1
3a34bd821d0929e9b1bc64abddec4abeca5eb650

SHA256
b9fa3477d3260003deb5f4f2819d67261cc61994883a6000c18e905fee189af8

SHA512
faf87d6b2166764645e429339667ff953e38508d7758968fa0e961b75a3ff5399dee169831808967c9e4337b901c9dcb41204ced8c9dbdf2643effabcd8938bd

Download Submit
C:\Windows\System\hKiSoFV.exe

Filesize
5.2MB

MD5
8c1a6b4aaf0e160a8ed0b62c42ec7dc6

SHA1
1e09afce7e744bfa09a1aa0c8fdd5ff95e994136

SHA256
26aa5158fbb2dc0ed2b6fda10711070f8f33f9a8b885724db468c03bf1785c10

SHA512
5413029c7382382335393e95239b2b296f2116b087f65131a1bfab765c7682cf11c060556cc2a70d820b41106c51e87e3934660e2799121eb632b01d7e61e109

Download Submit
C:\Windows\System\hYhBABw.exe

Filesize
5.2MB

MD5
32bf246b51bb16a1be40542ab7dfd162

SHA1
0a26645797ee742f4639dcda3c71c20d27a405e6

SHA256
80ad2933f034648002ca275789974bd218c13c9be1c832571759fd882f076fea

SHA512
b9c719d3b5b531bc8791577c126f78042518197eb2699565595302c69f50882975e45300241472f1ef69bab3789bccbfd1a36f88c08d25e62d20347dca859350

Download Submit
C:\Windows\System\hxYQBzC.exe

Filesize
5.2MB

MD5
931db4c08520a09d09565e798cd64bf9

SHA1
912f266c695ccc4575e180030b4810b085866830

SHA256
3dbad89ef480b1b6935d3d933aa2516d20092faf24fbee9c3ca65f5c31df6cb5

SHA512
589a002d2e4e67b93e7e5c3700e0b20a1de65b3291f267c507b0ca685416fb6cd876da6da72b9bafdaad2836933013a7280613f320929c958e0c1906de778fe7

Download Submit
C:\Windows\System\jelECZt.exe

Filesize
5.2MB

MD5
df49fbe4fb1646485323920cf4eb2160

SHA1
0f79f9de094ccc6e858cc4a314184ef7f2bbbd54

SHA256
21121dc662426aafc59b32b4e01fbbcb06f1a00ddd5c878b47085345edc72551

SHA512
eb532f64f8d21fa30712a0875eaa7a7854906366a23b298136aebe0dec10294055a5c97987e26ccf8164f24e68994315ca9ffcbe24ae15a109638b9a1a6c38a5

Download Submit
C:\Windows\System\kmkhlEs.exe

Filesize
5.2MB

MD5
dac2bed1e9888c3c14d179e2667e9dd7

SHA1
87fba1bc24e2038dd5dca0d4d9f037611411ec58

SHA256
1658b8b924c765da75f669608eb9687cb0b21d05e2a2568e2033448558514a49

SHA512
65c58129afdba788dfb27da94f9cbd15ffa40097b361b10fc9bd38261e7260febcea29487d180bbe123c3056f16da5e07cc09c80d1e1fb62643d427bd90c8d66

Download Submit
C:\Windows\System\neTCDdX.exe

Filesize
5.2MB

MD5
22650721a2c418abc66bfdf350a74d41

SHA1
ea0c0bb37f47c956326d34bfc22e580751a45026

SHA256
efc46a8282626a90b685315d289295b5f694915677d546a2407a0b736b0ede0b

SHA512
3513b1312e44cb0a288c215d7dfac7d491c96fb20e710572d4343fe7dc31c350bbb1ed46682847bc86e4ecab0d095f881d6d9580155a8c32d13726c6dc8bf007

Download Submit
C:\Windows\System\qchnpnC.exe

Filesize
5.2MB

MD5
0ff08ba033409860ef1eea2f407cc529

SHA1
9a57c5e73666a0ddff5be0808154e1df043f5560

SHA256
1a7e4af7e6ac80b5192b4bd4fbe40d5e1d92fe9b1cad9d670d69173bff1d4a29

SHA512
590f0ed568366a808762bfc6bc2e151ee70b4f06056ed3c1ea03dde0437ae14ad6cf153ccbc3b747db15076c15b5e57c264c886357a0bd4907ff18e20919f33b

Download Submit
C:\Windows\System\uxIGnUs.exe

Filesize
5.2MB

MD5
4f0c616eced4daf83cc63cdf181d7f77

SHA1
a95608e994db34f0525650b03b880b5cc473c717

SHA256
26ebf45d9e80939db9e00f3fa81de3ae68d6bbaff9505c73af10c8f69bff43c2

SHA512
3c75cd324e2390e8bdc01f14fb60fd123ac2ded664129b043f20649aaef9a21caff0e6e189c5f70fd1052b913a3e29cf1fba7f2e7d0906f6d3ba7a3cc56f02a6

Download Submit
C:\Windows\System\vtLFuPD.exe

Filesize
5.2MB

MD5
bf8fcaa0ae98c470dec00c928bb4fae3

SHA1
82c8d3f2c5d8285f38287283491150f031d44df3

SHA256
ed2cc3f9066541ce9344db3ff252a2b5366ba806221c3fc89987553379958491

SHA512
c243993c3740e3aab1c2b752110524c9a52982e9badd9b2156598a5f219ee4e01bd0f55456c472309a2e10f633c8ccac5ed5a3c72be47d1775db9a45c9c8a1d8

Download Submit
memory/208-46-0x00007FF7FF500000-0x00007FF7FF851000-memory.dmp

Filesize
3.3MB

Download
memory/208-98-0x00007FF7FF500000-0x00007FF7FF851000-memory.dmp

Filesize
3.3MB

Download
memory/208-236-0x00007FF7FF500000-0x00007FF7FF851000-memory.dmp

Filesize
3.3MB

Download
memory/960-138-0x00007FF7F68B0000-0x00007FF7F6C01000-memory.dmp

Filesize
3.3MB

Download
memory/960-171-0x00007FF7F68B0000-0x00007FF7F6C01000-memory.dmp

Filesize
3.3MB

Download
memory/960-275-0x00007FF7F68B0000-0x00007FF7F6C01000-memory.dmp

Filesize
3.3MB

Download
memory/1252-155-0x00007FF78BD20000-0x00007FF78C071000-memory.dmp

Filesize
3.3MB

Download
memory/1252-99-0x00007FF78BD20000-0x00007FF78C071000-memory.dmp

Filesize
3.3MB

Download
memory/1252-262-0x00007FF78BD20000-0x00007FF78C071000-memory.dmp

Filesize
3.3MB

Download
memory/1272-38-0x00007FF6E3490000-0x00007FF6E37E1000-memory.dmp

Filesize
3.3MB

Download
memory/1272-88-0x00007FF6E3490000-0x00007FF6E37E1000-memory.dmp

Filesize
3.3MB

Download
memory/1272-232-0x00007FF6E3490000-0x00007FF6E37E1000-memory.dmp

Filesize
3.3MB

Download
memory/1492-106-0x00007FF701570000-0x00007FF7018C1000-memory.dmp

Filesize
3.3MB

Download
memory/1492-156-0x00007FF701570000-0x00007FF7018C1000-memory.dmp

Filesize
3.3MB

Download
memory/1492-266-0x00007FF701570000-0x00007FF7018C1000-memory.dmp

Filesize
3.3MB

Download
memory/2016-165-0x00007FF722280000-0x00007FF7225D1000-memory.dmp

Filesize
3.3MB

Download
memory/2016-1-0x0000028848740000-0x0000028848750000-memory.dmp

Filesize
64KB

Download
memory/2016-51-0x00007FF722280000-0x00007FF7225D1000-memory.dmp

Filesize
3.3MB

Download
memory/2016-0-0x00007FF722280000-0x00007FF7225D1000-memory.dmp

Filesize
3.3MB

Download
memory/2224-273-0x00007FF7494F0000-0x00007FF749841000-memory.dmp

Filesize
3.3MB

Download
memory/2224-136-0x00007FF7494F0000-0x00007FF749841000-memory.dmp

Filesize
3.3MB

Download
memory/2224-163-0x00007FF7494F0000-0x00007FF749841000-memory.dmp

Filesize
3.3MB

Download
memory/2456-164-0x00007FF75D110000-0x00007FF75D461000-memory.dmp

Filesize
3.3MB

Download
memory/2456-117-0x00007FF75D110000-0x00007FF75D461000-memory.dmp

Filesize
3.3MB

Download
memory/2456-265-0x00007FF75D110000-0x00007FF75D461000-memory.dmp

Filesize
3.3MB

Download
memory/2972-69-0x00007FF612AB0000-0x00007FF612E01000-memory.dmp

Filesize
3.3MB

Download
memory/2972-129-0x00007FF612AB0000-0x00007FF612E01000-memory.dmp

Filesize
3.3MB

Download
memory/2972-250-0x00007FF612AB0000-0x00007FF612E01000-memory.dmp

Filesize
3.3MB

Download
memory/3104-84-0x00007FF64D800000-0x00007FF64DB51000-memory.dmp

Filesize
3.3MB

Download
memory/3104-257-0x00007FF64D800000-0x00007FF64DB51000-memory.dmp

Filesize
3.3MB

Download
memory/3104-149-0x00007FF64D800000-0x00007FF64DB51000-memory.dmp

Filesize
3.3MB

Download
memory/3148-242-0x00007FF6014D0000-0x00007FF601821000-memory.dmp

Filesize
3.3MB

Download
memory/3148-114-0x00007FF6014D0000-0x00007FF601821000-memory.dmp

Filesize
3.3MB

Download
memory/3148-58-0x00007FF6014D0000-0x00007FF601821000-memory.dmp

Filesize
3.3MB

Download
memory/3376-89-0x00007FF760850000-0x00007FF760BA1000-memory.dmp

Filesize
3.3MB

Download
memory/3376-150-0x00007FF760850000-0x00007FF760BA1000-memory.dmp

Filesize
3.3MB

Download
memory/3376-255-0x00007FF760850000-0x00007FF760BA1000-memory.dmp

Filesize
3.3MB

Download
memory/3948-24-0x00007FF68AE90000-0x00007FF68B1E1000-memory.dmp

Filesize
3.3MB

Download
memory/3948-75-0x00007FF68AE90000-0x00007FF68B1E1000-memory.dmp

Filesize
3.3MB

Download
memory/3948-224-0x00007FF68AE90000-0x00007FF68B1E1000-memory.dmp

Filesize
3.3MB

Download
memory/3956-55-0x00007FF6D3B50000-0x00007FF6D3EA1000-memory.dmp

Filesize
3.3MB

Download
memory/3956-9-0x00007FF6D3B50000-0x00007FF6D3EA1000-memory.dmp

Filesize
3.3MB

Download
memory/3956-218-0x00007FF6D3B50000-0x00007FF6D3EA1000-memory.dmp

Filesize
3.3MB

Download
memory/4192-77-0x00007FF67C8F0000-0x00007FF67CC41000-memory.dmp

Filesize
3.3MB

Download
memory/4192-248-0x00007FF67C8F0000-0x00007FF67CC41000-memory.dmp

Filesize
3.3MB

Download
memory/4424-222-0x00007FF7AA900000-0x00007FF7AAC51000-memory.dmp

Filesize
3.3MB

Download
memory/4424-21-0x00007FF7AA900000-0x00007FF7AAC51000-memory.dmp

Filesize
3.3MB

Download
memory/4424-67-0x00007FF7AA900000-0x00007FF7AAC51000-memory.dmp

Filesize
3.3MB

Download
memory/4428-140-0x00007FF74ED30000-0x00007FF74F081000-memory.dmp

Filesize
3.3MB

Download
memory/4428-175-0x00007FF74ED30000-0x00007FF74F081000-memory.dmp

Filesize
3.3MB

Download
memory/4428-277-0x00007FF74ED30000-0x00007FF74F081000-memory.dmp

Filesize
3.3MB

Download
memory/4544-108-0x00007FF7A2B00000-0x00007FF7A2E51000-memory.dmp

Filesize
3.3MB

Download
memory/4544-268-0x00007FF7A2B00000-0x00007FF7A2E51000-memory.dmp

Filesize
3.3MB

Download
memory/4544-157-0x00007FF7A2B00000-0x00007FF7A2E51000-memory.dmp

Filesize
3.3MB

Download
memory/4564-19-0x00007FF731B40000-0x00007FF731E91000-memory.dmp

Filesize
3.3MB

Download
memory/4564-56-0x00007FF731B40000-0x00007FF731E91000-memory.dmp

Filesize
3.3MB

Download
memory/4564-220-0x00007FF731B40000-0x00007FF731E91000-memory.dmp

Filesize
3.3MB

Download
memory/4980-246-0x00007FF6DAA90000-0x00007FF6DADE1000-memory.dmp

Filesize
3.3MB

Download
memory/4980-64-0x00007FF6DAA90000-0x00007FF6DADE1000-memory.dmp

Filesize
3.3MB

Download
memory/4980-115-0x00007FF6DAA90000-0x00007FF6DADE1000-memory.dmp

Filesize
3.3MB

Download
memory/5044-83-0x00007FF7818A0000-0x00007FF781BF1000-memory.dmp

Filesize
3.3MB

Download
memory/5044-230-0x00007FF7818A0000-0x00007FF781BF1000-memory.dmp

Filesize
3.3MB

Download
memory/5044-31-0x00007FF7818A0000-0x00007FF781BF1000-memory.dmp

Filesize
3.3MB

Download
memory/5112-238-0x00007FF6A34D0000-0x00007FF6A3821000-memory.dmp

Filesize
3.3MB

Download
memory/5112-50-0x00007FF6A34D0000-0x00007FF6A3821000-memory.dmp

Filesize
3.3MB

Download