cobaltstrike | 4cf2be4d6cca5d69cf45ef41db66bc8f4d9fe5e4ceca9cf43ef62fe33567d43a

Analysis

max time kernel
140s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-12-2024 03:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-19_172e32e4add15b5aaeda4b2ed772cb88_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

172e32e4add15b5aaeda4b2ed772cb88
SHA1

5f28c6dbab72f8c41991c5dd262c4d9bfa580bb7
SHA256

4cf2be4d6cca5d69cf45ef41db66bc8f4d9fe5e4ceca9cf43ef62fe33567d43a
SHA512

a30b32a1e61c2bd046e8e116d213f416813d0bf632e3c0791cf93082f52c10dbcfa5166321b542b5aad93a0185a15383aed885e655ebb54e1bf5180a0cd3dec9
SSDEEP

49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lh:RWWBibd56utgpPFotBER/mQ32lUN

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0008000000023c8f-6.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c93-10.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c94-11.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c95-21.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c96-30.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c97-35.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c98-41.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9b-55.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9a-65.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9d-77.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9f-87.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca0-99.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c90-82.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9e-76.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9c-74.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c99-53.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca1-105.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca3-110.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca4-128.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca6-132.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca5-129.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 46 IoCs

miner

resource	yara_rule
behavioral2/memory/356-25-0x00007FF60B1D0000-0x00007FF60B521000-memory.dmp	xmrig
behavioral2/memory/5048-84-0x00007FF67B8A0000-0x00007FF67BBF1000-memory.dmp	xmrig
behavioral2/memory/1556-93-0x00007FF6824E0000-0x00007FF682831000-memory.dmp	xmrig
behavioral2/memory/2032-97-0x00007FF76BE70000-0x00007FF76C1C1000-memory.dmp	xmrig
behavioral2/memory/3180-94-0x00007FF6809C0000-0x00007FF680D11000-memory.dmp	xmrig
behavioral2/memory/4508-92-0x00007FF6547B0000-0x00007FF654B01000-memory.dmp	xmrig
behavioral2/memory/4776-90-0x00007FF706050000-0x00007FF7063A1000-memory.dmp	xmrig
behavioral2/memory/3248-58-0x00007FF7B3360000-0x00007FF7B36B1000-memory.dmp	xmrig
behavioral2/memory/4480-101-0x00007FF69D050000-0x00007FF69D3A1000-memory.dmp	xmrig
behavioral2/memory/1780-102-0x00007FF608410000-0x00007FF608761000-memory.dmp	xmrig
behavioral2/memory/1560-127-0x00007FF606750000-0x00007FF606AA1000-memory.dmp	xmrig
behavioral2/memory/4408-115-0x00007FF7418E0000-0x00007FF741C31000-memory.dmp	xmrig
behavioral2/memory/356-114-0x00007FF60B1D0000-0x00007FF60B521000-memory.dmp	xmrig
behavioral2/memory/2780-136-0x00007FF7EE490000-0x00007FF7EE7E1000-memory.dmp	xmrig
behavioral2/memory/2396-135-0x00007FF69B940000-0x00007FF69BC91000-memory.dmp	xmrig
behavioral2/memory/424-137-0x00007FF724830000-0x00007FF724B81000-memory.dmp	xmrig
behavioral2/memory/4312-138-0x00007FF6D3650000-0x00007FF6D39A1000-memory.dmp	xmrig
behavioral2/memory/756-145-0x00007FF7B3D00000-0x00007FF7B4051000-memory.dmp	xmrig
behavioral2/memory/5048-139-0x00007FF67B8A0000-0x00007FF67BBF1000-memory.dmp	xmrig
behavioral2/memory/2776-157-0x00007FF6487E0000-0x00007FF648B31000-memory.dmp	xmrig
behavioral2/memory/2288-158-0x00007FF62B880000-0x00007FF62BBD1000-memory.dmp	xmrig
behavioral2/memory/4268-159-0x00007FF664470000-0x00007FF6647C1000-memory.dmp	xmrig
behavioral2/memory/2504-160-0x00007FF73B840000-0x00007FF73BB91000-memory.dmp	xmrig
behavioral2/memory/1592-165-0x00007FF61EB20000-0x00007FF61EE71000-memory.dmp	xmrig
behavioral2/memory/5048-166-0x00007FF67B8A0000-0x00007FF67BBF1000-memory.dmp	xmrig
behavioral2/memory/3180-220-0x00007FF6809C0000-0x00007FF680D11000-memory.dmp	xmrig
behavioral2/memory/4480-222-0x00007FF69D050000-0x00007FF69D3A1000-memory.dmp	xmrig
behavioral2/memory/1780-224-0x00007FF608410000-0x00007FF608761000-memory.dmp	xmrig
behavioral2/memory/356-226-0x00007FF60B1D0000-0x00007FF60B521000-memory.dmp	xmrig
behavioral2/memory/4408-228-0x00007FF7418E0000-0x00007FF741C31000-memory.dmp	xmrig
behavioral2/memory/1560-230-0x00007FF606750000-0x00007FF606AA1000-memory.dmp	xmrig
behavioral2/memory/2396-241-0x00007FF69B940000-0x00007FF69BC91000-memory.dmp	xmrig
behavioral2/memory/3248-243-0x00007FF7B3360000-0x00007FF7B36B1000-memory.dmp	xmrig
behavioral2/memory/4312-245-0x00007FF6D3650000-0x00007FF6D39A1000-memory.dmp	xmrig
behavioral2/memory/2780-247-0x00007FF7EE490000-0x00007FF7EE7E1000-memory.dmp	xmrig
behavioral2/memory/4776-251-0x00007FF706050000-0x00007FF7063A1000-memory.dmp	xmrig
behavioral2/memory/424-253-0x00007FF724830000-0x00007FF724B81000-memory.dmp	xmrig
behavioral2/memory/4508-255-0x00007FF6547B0000-0x00007FF654B01000-memory.dmp	xmrig
behavioral2/memory/1556-250-0x00007FF6824E0000-0x00007FF682831000-memory.dmp	xmrig
behavioral2/memory/2032-257-0x00007FF76BE70000-0x00007FF76C1C1000-memory.dmp	xmrig
behavioral2/memory/756-259-0x00007FF7B3D00000-0x00007FF7B4051000-memory.dmp	xmrig
behavioral2/memory/2776-265-0x00007FF6487E0000-0x00007FF648B31000-memory.dmp	xmrig
behavioral2/memory/2288-267-0x00007FF62B880000-0x00007FF62BBD1000-memory.dmp	xmrig
behavioral2/memory/2504-269-0x00007FF73B840000-0x00007FF73BB91000-memory.dmp	xmrig
behavioral2/memory/4268-271-0x00007FF664470000-0x00007FF6647C1000-memory.dmp	xmrig
behavioral2/memory/1592-273-0x00007FF61EB20000-0x00007FF61EE71000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
3180	yONJKqm.exe
4480	VYAyFMq.exe
1780	HfWpjFB.exe
356	MAUhpGI.exe
4408	tUFXGgH.exe
1560	dGezVpx.exe
2396	XNlUMvf.exe
3248	YvlGbvz.exe
2780	kfspeKd.exe
4312	zHqGfcg.exe
424	RmcSwTg.exe
4776	vBttENB.exe
1556	uTjSnnR.exe
4508	TfxeSGK.exe
2032	cKbkoWG.exe
756	IeNJiSl.exe
2776	KdLQytr.exe
2288	ADgtVGO.exe
2504	imSVldM.exe
4268	ttXsrwq.exe
1592	qhcNcOW.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5048-0-0x00007FF67B8A0000-0x00007FF67BBF1000-memory.dmp	upx
behavioral2/files/0x0008000000023c8f-6.dat	upx
behavioral2/files/0x0007000000023c93-10.dat	upx
behavioral2/memory/3180-8-0x00007FF6809C0000-0x00007FF680D11000-memory.dmp	upx
behavioral2/files/0x0007000000023c94-11.dat	upx
behavioral2/memory/356-25-0x00007FF60B1D0000-0x00007FF60B521000-memory.dmp	upx
behavioral2/memory/1780-24-0x00007FF608410000-0x00007FF608761000-memory.dmp	upx
behavioral2/files/0x0007000000023c95-21.dat	upx
behavioral2/memory/4480-16-0x00007FF69D050000-0x00007FF69D3A1000-memory.dmp	upx
behavioral2/files/0x0007000000023c96-30.dat	upx
behavioral2/files/0x0007000000023c97-35.dat	upx
behavioral2/files/0x0007000000023c98-41.dat	upx
behavioral2/files/0x0007000000023c9b-55.dat	upx
behavioral2/memory/2780-60-0x00007FF7EE490000-0x00007FF7EE7E1000-memory.dmp	upx
behavioral2/files/0x0007000000023c9a-65.dat	upx
behavioral2/files/0x0007000000023c9d-77.dat	upx
behavioral2/memory/5048-84-0x00007FF67B8A0000-0x00007FF67BBF1000-memory.dmp	upx
behavioral2/files/0x0007000000023c9f-87.dat	upx
behavioral2/memory/1556-93-0x00007FF6824E0000-0x00007FF682831000-memory.dmp	upx
behavioral2/files/0x0007000000023ca0-99.dat	upx
behavioral2/memory/756-98-0x00007FF7B3D00000-0x00007FF7B4051000-memory.dmp	upx
behavioral2/memory/2032-97-0x00007FF76BE70000-0x00007FF76C1C1000-memory.dmp	upx
behavioral2/memory/3180-94-0x00007FF6809C0000-0x00007FF680D11000-memory.dmp	upx
behavioral2/memory/4508-92-0x00007FF6547B0000-0x00007FF654B01000-memory.dmp	upx
behavioral2/memory/4776-90-0x00007FF706050000-0x00007FF7063A1000-memory.dmp	upx
behavioral2/files/0x0008000000023c90-82.dat	upx
behavioral2/files/0x0007000000023c9e-76.dat	upx
behavioral2/files/0x0007000000023c9c-74.dat	upx
behavioral2/memory/424-71-0x00007FF724830000-0x00007FF724B81000-memory.dmp	upx
behavioral2/memory/4312-61-0x00007FF6D3650000-0x00007FF6D39A1000-memory.dmp	upx
behavioral2/memory/3248-58-0x00007FF7B3360000-0x00007FF7B36B1000-memory.dmp	upx
behavioral2/files/0x0007000000023c99-53.dat	upx
behavioral2/memory/2396-44-0x00007FF69B940000-0x00007FF69BC91000-memory.dmp	upx
behavioral2/memory/1560-36-0x00007FF606750000-0x00007FF606AA1000-memory.dmp	upx
behavioral2/memory/4408-32-0x00007FF7418E0000-0x00007FF741C31000-memory.dmp	upx
behavioral2/memory/4480-101-0x00007FF69D050000-0x00007FF69D3A1000-memory.dmp	upx
behavioral2/files/0x0007000000023ca1-105.dat	upx
behavioral2/memory/2776-106-0x00007FF6487E0000-0x00007FF648B31000-memory.dmp	upx
behavioral2/memory/1780-102-0x00007FF608410000-0x00007FF608761000-memory.dmp	upx
behavioral2/files/0x0007000000023ca3-110.dat	upx
behavioral2/memory/2288-122-0x00007FF62B880000-0x00007FF62BBD1000-memory.dmp	upx
behavioral2/files/0x0007000000023ca4-128.dat	upx
behavioral2/memory/1592-133-0x00007FF61EB20000-0x00007FF61EE71000-memory.dmp	upx
behavioral2/files/0x0007000000023ca6-132.dat	upx
behavioral2/files/0x0007000000023ca5-129.dat	upx
behavioral2/memory/1560-127-0x00007FF606750000-0x00007FF606AA1000-memory.dmp	upx
behavioral2/memory/2504-126-0x00007FF73B840000-0x00007FF73BB91000-memory.dmp	upx
behavioral2/memory/4268-123-0x00007FF664470000-0x00007FF6647C1000-memory.dmp	upx
behavioral2/memory/4408-115-0x00007FF7418E0000-0x00007FF741C31000-memory.dmp	upx
behavioral2/memory/356-114-0x00007FF60B1D0000-0x00007FF60B521000-memory.dmp	upx
behavioral2/memory/2780-136-0x00007FF7EE490000-0x00007FF7EE7E1000-memory.dmp	upx
behavioral2/memory/2396-135-0x00007FF69B940000-0x00007FF69BC91000-memory.dmp	upx
behavioral2/memory/424-137-0x00007FF724830000-0x00007FF724B81000-memory.dmp	upx
behavioral2/memory/4312-138-0x00007FF6D3650000-0x00007FF6D39A1000-memory.dmp	upx
behavioral2/memory/756-145-0x00007FF7B3D00000-0x00007FF7B4051000-memory.dmp	upx
behavioral2/memory/5048-139-0x00007FF67B8A0000-0x00007FF67BBF1000-memory.dmp	upx
behavioral2/memory/2776-157-0x00007FF6487E0000-0x00007FF648B31000-memory.dmp	upx
behavioral2/memory/2288-158-0x00007FF62B880000-0x00007FF62BBD1000-memory.dmp	upx
behavioral2/memory/4268-159-0x00007FF664470000-0x00007FF6647C1000-memory.dmp	upx
behavioral2/memory/2504-160-0x00007FF73B840000-0x00007FF73BB91000-memory.dmp	upx
behavioral2/memory/1592-165-0x00007FF61EB20000-0x00007FF61EE71000-memory.dmp	upx
behavioral2/memory/5048-166-0x00007FF67B8A0000-0x00007FF67BBF1000-memory.dmp	upx
behavioral2/memory/3180-220-0x00007FF6809C0000-0x00007FF680D11000-memory.dmp	upx
behavioral2/memory/4480-222-0x00007FF69D050000-0x00007FF69D3A1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\MAUhpGI.exe	2024-12-19_172e32e4add15b5aaeda4b2ed772cb88_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tUFXGgH.exe	2024-12-19_172e32e4add15b5aaeda4b2ed772cb88_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dGezVpx.exe	2024-12-19_172e32e4add15b5aaeda4b2ed772cb88_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XNlUMvf.exe	2024-12-19_172e32e4add15b5aaeda4b2ed772cb88_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zHqGfcg.exe	2024-12-19_172e32e4add15b5aaeda4b2ed772cb88_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HfWpjFB.exe	2024-12-19_172e32e4add15b5aaeda4b2ed772cb88_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YvlGbvz.exe	2024-12-19_172e32e4add15b5aaeda4b2ed772cb88_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RmcSwTg.exe	2024-12-19_172e32e4add15b5aaeda4b2ed772cb88_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cKbkoWG.exe	2024-12-19_172e32e4add15b5aaeda4b2ed772cb88_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IeNJiSl.exe	2024-12-19_172e32e4add15b5aaeda4b2ed772cb88_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yONJKqm.exe	2024-12-19_172e32e4add15b5aaeda4b2ed772cb88_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kfspeKd.exe	2024-12-19_172e32e4add15b5aaeda4b2ed772cb88_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vBttENB.exe	2024-12-19_172e32e4add15b5aaeda4b2ed772cb88_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TfxeSGK.exe	2024-12-19_172e32e4add15b5aaeda4b2ed772cb88_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ttXsrwq.exe	2024-12-19_172e32e4add15b5aaeda4b2ed772cb88_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VYAyFMq.exe	2024-12-19_172e32e4add15b5aaeda4b2ed772cb88_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KdLQytr.exe	2024-12-19_172e32e4add15b5aaeda4b2ed772cb88_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ADgtVGO.exe	2024-12-19_172e32e4add15b5aaeda4b2ed772cb88_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\imSVldM.exe	2024-12-19_172e32e4add15b5aaeda4b2ed772cb88_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qhcNcOW.exe	2024-12-19_172e32e4add15b5aaeda4b2ed772cb88_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uTjSnnR.exe	2024-12-19_172e32e4add15b5aaeda4b2ed772cb88_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	5048	2024-12-19_172e32e4add15b5aaeda4b2ed772cb88_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	5048	2024-12-19_172e32e4add15b5aaeda4b2ed772cb88_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 5048 wrote to memory of 3180	5048	2024-12-19_172e32e4add15b5aaeda4b2ed772cb88_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 5048 wrote to memory of 3180	5048	2024-12-19_172e32e4add15b5aaeda4b2ed772cb88_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 5048 wrote to memory of 4480	5048	2024-12-19_172e32e4add15b5aaeda4b2ed772cb88_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 5048 wrote to memory of 4480	5048	2024-12-19_172e32e4add15b5aaeda4b2ed772cb88_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 5048 wrote to memory of 1780	5048	2024-12-19_172e32e4add15b5aaeda4b2ed772cb88_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 5048 wrote to memory of 1780	5048	2024-12-19_172e32e4add15b5aaeda4b2ed772cb88_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 5048 wrote to memory of 356	5048	2024-12-19_172e32e4add15b5aaeda4b2ed772cb88_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 5048 wrote to memory of 356	5048	2024-12-19_172e32e4add15b5aaeda4b2ed772cb88_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 5048 wrote to memory of 4408	5048	2024-12-19_172e32e4add15b5aaeda4b2ed772cb88_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 5048 wrote to memory of 4408	5048	2024-12-19_172e32e4add15b5aaeda4b2ed772cb88_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 5048 wrote to memory of 1560	5048	2024-12-19_172e32e4add15b5aaeda4b2ed772cb88_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 5048 wrote to memory of 1560	5048	2024-12-19_172e32e4add15b5aaeda4b2ed772cb88_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 5048 wrote to memory of 2396	5048	2024-12-19_172e32e4add15b5aaeda4b2ed772cb88_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 5048 wrote to memory of 2396	5048	2024-12-19_172e32e4add15b5aaeda4b2ed772cb88_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 5048 wrote to memory of 3248	5048	2024-12-19_172e32e4add15b5aaeda4b2ed772cb88_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 5048 wrote to memory of 3248	5048	2024-12-19_172e32e4add15b5aaeda4b2ed772cb88_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 5048 wrote to memory of 2780	5048	2024-12-19_172e32e4add15b5aaeda4b2ed772cb88_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 5048 wrote to memory of 2780	5048	2024-12-19_172e32e4add15b5aaeda4b2ed772cb88_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 5048 wrote to memory of 4312	5048	2024-12-19_172e32e4add15b5aaeda4b2ed772cb88_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 5048 wrote to memory of 4312	5048	2024-12-19_172e32e4add15b5aaeda4b2ed772cb88_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 5048 wrote to memory of 424	5048	2024-12-19_172e32e4add15b5aaeda4b2ed772cb88_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 5048 wrote to memory of 424	5048	2024-12-19_172e32e4add15b5aaeda4b2ed772cb88_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 5048 wrote to memory of 4776	5048	2024-12-19_172e32e4add15b5aaeda4b2ed772cb88_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 5048 wrote to memory of 4776	5048	2024-12-19_172e32e4add15b5aaeda4b2ed772cb88_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 5048 wrote to memory of 1556	5048	2024-12-19_172e32e4add15b5aaeda4b2ed772cb88_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 5048 wrote to memory of 1556	5048	2024-12-19_172e32e4add15b5aaeda4b2ed772cb88_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 5048 wrote to memory of 4508	5048	2024-12-19_172e32e4add15b5aaeda4b2ed772cb88_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 5048 wrote to memory of 4508	5048	2024-12-19_172e32e4add15b5aaeda4b2ed772cb88_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 5048 wrote to memory of 2032	5048	2024-12-19_172e32e4add15b5aaeda4b2ed772cb88_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 5048 wrote to memory of 2032	5048	2024-12-19_172e32e4add15b5aaeda4b2ed772cb88_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 5048 wrote to memory of 756	5048	2024-12-19_172e32e4add15b5aaeda4b2ed772cb88_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 5048 wrote to memory of 756	5048	2024-12-19_172e32e4add15b5aaeda4b2ed772cb88_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 5048 wrote to memory of 2776	5048	2024-12-19_172e32e4add15b5aaeda4b2ed772cb88_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 5048 wrote to memory of 2776	5048	2024-12-19_172e32e4add15b5aaeda4b2ed772cb88_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 5048 wrote to memory of 2288	5048	2024-12-19_172e32e4add15b5aaeda4b2ed772cb88_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 5048 wrote to memory of 2288	5048	2024-12-19_172e32e4add15b5aaeda4b2ed772cb88_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 5048 wrote to memory of 2504	5048	2024-12-19_172e32e4add15b5aaeda4b2ed772cb88_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 5048 wrote to memory of 2504	5048	2024-12-19_172e32e4add15b5aaeda4b2ed772cb88_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 5048 wrote to memory of 4268	5048	2024-12-19_172e32e4add15b5aaeda4b2ed772cb88_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 5048 wrote to memory of 4268	5048	2024-12-19_172e32e4add15b5aaeda4b2ed772cb88_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 5048 wrote to memory of 1592	5048	2024-12-19_172e32e4add15b5aaeda4b2ed772cb88_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 5048 wrote to memory of 1592	5048	2024-12-19_172e32e4add15b5aaeda4b2ed772cb88_cobalt-strike_cobaltstrike_poet-rat.exe	103

C:\Users\Admin\AppData\Local\Temp\2024-12-19_172e32e4add15b5aaeda4b2ed772cb88_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-19_172e32e4add15b5aaeda4b2ed772cb88_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5048
- C:\Windows\System\yONJKqm.exe
  C:\Windows\System\yONJKqm.exe
  2⤵
  - Executes dropped EXE
  PID:3180
- C:\Windows\System\VYAyFMq.exe
  C:\Windows\System\VYAyFMq.exe
  2⤵
  - Executes dropped EXE
  PID:4480
- C:\Windows\System\HfWpjFB.exe
  C:\Windows\System\HfWpjFB.exe
  2⤵
  - Executes dropped EXE
  PID:1780
- C:\Windows\System\MAUhpGI.exe
  C:\Windows\System\MAUhpGI.exe
  2⤵
  - Executes dropped EXE
  PID:356
- C:\Windows\System\tUFXGgH.exe
  C:\Windows\System\tUFXGgH.exe
  2⤵
  - Executes dropped EXE
  PID:4408
- C:\Windows\System\dGezVpx.exe
  C:\Windows\System\dGezVpx.exe
  2⤵
  - Executes dropped EXE
  PID:1560
- C:\Windows\System\XNlUMvf.exe
  C:\Windows\System\XNlUMvf.exe
  2⤵
  - Executes dropped EXE
  PID:2396
- C:\Windows\System\YvlGbvz.exe
  C:\Windows\System\YvlGbvz.exe
  2⤵
  - Executes dropped EXE
  PID:3248
- C:\Windows\System\kfspeKd.exe
  C:\Windows\System\kfspeKd.exe
  2⤵
  - Executes dropped EXE
  PID:2780
- C:\Windows\System\zHqGfcg.exe
  C:\Windows\System\zHqGfcg.exe
  2⤵
  - Executes dropped EXE
  PID:4312
- C:\Windows\System\RmcSwTg.exe
  C:\Windows\System\RmcSwTg.exe
  2⤵
  - Executes dropped EXE
  PID:424
- C:\Windows\System\vBttENB.exe
  C:\Windows\System\vBttENB.exe
  2⤵
  - Executes dropped EXE
  PID:4776
- C:\Windows\System\uTjSnnR.exe
  C:\Windows\System\uTjSnnR.exe
  2⤵
  - Executes dropped EXE
  PID:1556
- C:\Windows\System\TfxeSGK.exe
  C:\Windows\System\TfxeSGK.exe
  2⤵
  - Executes dropped EXE
  PID:4508
- C:\Windows\System\cKbkoWG.exe
  C:\Windows\System\cKbkoWG.exe
  2⤵
  - Executes dropped EXE
  PID:2032
- C:\Windows\System\IeNJiSl.exe
  C:\Windows\System\IeNJiSl.exe
  2⤵
  - Executes dropped EXE
  PID:756
- C:\Windows\System\KdLQytr.exe
  C:\Windows\System\KdLQytr.exe
  2⤵
  - Executes dropped EXE
  PID:2776
- C:\Windows\System\ADgtVGO.exe
  C:\Windows\System\ADgtVGO.exe
  2⤵
  - Executes dropped EXE
  PID:2288
- C:\Windows\System\imSVldM.exe
  C:\Windows\System\imSVldM.exe
  2⤵
  - Executes dropped EXE
  PID:2504
- C:\Windows\System\ttXsrwq.exe
  C:\Windows\System\ttXsrwq.exe
  2⤵
  - Executes dropped EXE
  PID:4268
- C:\Windows\System\qhcNcOW.exe
  C:\Windows\System\qhcNcOW.exe
  2⤵
  - Executes dropped EXE
  PID:1592

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\ADgtVGO.exe

Filesize
5.2MB

MD5
9e0c3106ae36cc8be731072f6254d187

SHA1
82d004bcc2e7a520c5a121c3751ba30ccaa7c691

SHA256
26a486154dc53224bec3f2705780408e8b5c6c24eb50288cd284da46fde56496

SHA512
439d9ec59db49343d09d3c8ada0a07507789b33e03df66142d1087378c4d18d782330ecf842cf18839139d2658dffd1124e38a962acd8c2b9522449e81db90ac

Download Submit
C:\Windows\System\HfWpjFB.exe

Filesize
5.2MB

MD5
110d9c87d7331c835760ca154b1ff6af

SHA1
6ddaeb6c99bde51062a5f84e04eca738ecdfb57a

SHA256
07fea44c81988894cc7859f0c8e65a4afdb02a403610d05c850b714ef054b2ed

SHA512
cb5c5c30abfa376dd532ba61702a354383e883c6454d27090942228918543f575af9b2aa9b9ec6cb18297bcb7af5c5c92c87a9fe54180750a15a04bc6d493ca1

Download Submit
C:\Windows\System\IeNJiSl.exe

Filesize
5.2MB

MD5
4e6e1185c4630037c56463ed76aff1b8

SHA1
acf65fcd9da541859a69c68ae647139bdc0c871f

SHA256
11124c00b55754fdf7f0e12dea29881ae82116d3cb43c7d64d81685a635b6d14

SHA512
24536da2f00c12191fbb54c62748ab383807a2fa3909fb07aee4ea99da1c00ed01b2f50551669c8e62960d799789691d01e5017210b208a273942b78f381c8b6

Download Submit
C:\Windows\System\KdLQytr.exe

Filesize
5.2MB

MD5
ec40c1f401945d7061fd6c6b082f09ad

SHA1
294445961c4f341c0dcfe4a6f7b2e499195827a8

SHA256
8169f4bc208b9414d4dcb07965529c0ec42ca313e0ba1fd31bfa6d45d56813e8

SHA512
26c6c2470e2f4b7474e894592f3dbf3e8c17039c29054522078e941cb6e26189cd05e22273dee0a0524aa19cb8c08f7ece7f5d3625babd0adf96c0e05fe23a20

Download Submit
C:\Windows\System\MAUhpGI.exe

Filesize
5.2MB

MD5
9177541e6def26a79e262a3a701d5dec

SHA1
b6e3acc891137deeebd360acdd6bb67167af5a28

SHA256
54e26eb30210b5868b5e4b6630a1656fd334cee1d767eafc0102ebf49e1dd0ff

SHA512
39b464a1693b55a33fcf456918580c9ec0c07ca0ec550eb9d4e3a7936d2d5846a1501ef10d07f1d5ab247ed4bd69e7e00549bf7a2466bb9bf686a5031c46d01c

Download Submit
C:\Windows\System\RmcSwTg.exe

Filesize
5.2MB

MD5
fbaec4a10e332335583e882cec5faa0d

SHA1
7685b4f35524e58501eb190bf68ca9461e1406aa

SHA256
75efaae4b0c97e2892f4376996e075ab1a70004b3d615ce33dc9a420fa0f8af1

SHA512
127331fdea7a6fb0c79cb16ac0c54cf6805f3e3ec2608eda086161597d3d82a174e23eb5b966ad51712942431b02c380b181e39dd3b8a928daeb2606448be49b

Download Submit
C:\Windows\System\TfxeSGK.exe

Filesize
5.2MB

MD5
222005af1e81db0febaba1ab7a586bf8

SHA1
82451beecf42d34058067c21f535669109131da3

SHA256
51b9c7d27f009ab01ad80000649ea5e97ffd34b075db8f9c716d138d3c430c21

SHA512
9e59d3993f799a3c15ceb3b80389a065cfb8e0d35dc963e0f0ccf94936bd6e5a253ad5c940e66f524710225c1fd96697e0db878ebfc872736ce008d3ad4c9383

Download Submit
C:\Windows\System\VYAyFMq.exe

Filesize
5.2MB

MD5
3ce4420e2443f45be59e0221b0cb8de3

SHA1
f901e4e71fe4d5842ce3736f14d57f4a063831a5

SHA256
76dd4d69db3373829bb8adb1e6d4f55bf9da14c75354e7971a8a6cffdae960b4

SHA512
bdbac89a916f887288ea26d7428cd8a2ca9bbad6047fca2d88a45a57b57ff120b043661bba61b92a8a117210d8246f91b11a9818c80fdf0b375be5a54762bdf9

Download Submit
C:\Windows\System\XNlUMvf.exe

Filesize
5.2MB

MD5
ea1dd003bef9bde69b083765e1817c8e

SHA1
10c44605d626ca652f825978b43b05099eabc2bc

SHA256
e7fafed0cda7dd117d2b97966459cf3724e0554a6b68e377cf1169d5b93ee4f7

SHA512
d0cb4763b70f426f94170ee0c78c9a76d61e0da421abf182b594da361e9d8f9c60ccd7700ff164752c37dc0eb40011cb897f24064b806a813d51c81176e79913

Download Submit
C:\Windows\System\YvlGbvz.exe

Filesize
5.2MB

MD5
9cf9831a3b2e9981c4c224a6dc28ce8c

SHA1
6ec7eea739fd43893cdc4f1c1bbf062a7d5ca95d

SHA256
56827db60bec5cb2e1779facdc631f6effce44ac03663a21514c7978b21e3c71

SHA512
9ad9dc205874e5887a4892fc0fb42d1b9542f31e67dfd370b21db4991cdafb77a0325d0698f5a3c86f84c6f9220ac21beecba4393fe526c5311eea74ce3c2e17

Download Submit
C:\Windows\System\cKbkoWG.exe

Filesize
5.2MB

MD5
f5f2f46f2b9ce7d956d48a5b2a0cec09

SHA1
d9ea3626f17c2eb5a9e5704effe1710c264cafe2

SHA256
50c55aa055881bddd650514ada1c6dc59b35317ccd98017b9a439b94af0aaffd

SHA512
6683e636c3a83b594ac8e9bbd99b1374fccaceedd820fac3126ae25a26a37e5d362112e33676b08f86bdd0c2b6c4f9ea056f71013084bd923130a7e691781314

Download Submit
C:\Windows\System\dGezVpx.exe

Filesize
5.2MB

MD5
4039c1485e60dd32f5b9311349aeca5d

SHA1
bde1e0c16776bd971631d5bf161889e92763634d

SHA256
203a3b71f6b8a02738a989d4a34c53784ee41566ea6cc3d659a0a2a1607a8f28

SHA512
7ce49cdb7965d76e8de88ab19d1edf768ae65eff8b70bbc75793f6448befe24d6ffa8235d03b6be2b13b95d1340ab8257eba23a9753b6ff0ef6283a09ab2409c

Download Submit
C:\Windows\System\imSVldM.exe

Filesize
5.2MB

MD5
96c6ddc172b865c2b19e753437c15d58

SHA1
e7160a58541ff96dfb5af2778c0c00de0bf1351b

SHA256
578c4ceabea8a462eb36a5826164a28cf7194651d4e402c5882b79a0ec6cf913

SHA512
1b4b8d3e42588908b031545a18ae36a5994bafb1bf7107d254496a9c594791fec0049175c81eb946775d3dbc3e65c3933f8399772199a83ab452214aa5796a8e

Download Submit
C:\Windows\System\kfspeKd.exe

Filesize
5.2MB

MD5
d235436f4f174deac5d4682d5e7e3254

SHA1
99788024586ec036fca3a5f9fdd61c0cb3e152fa

SHA256
d58fae4c8f7c9b9b0b63170eb15c2c34acaa1b8ec2cb53571c844d7fec28ff66

SHA512
ecb71b5337d606d22f8a66dc8d8cefa2b04c76440ad642fc97ef180c04a4ae0b51b72319b7a7956b9cd27506058b6c228e42bf266dd177045f17ec03fda3ca67

Download Submit
C:\Windows\System\qhcNcOW.exe

Filesize
5.2MB

MD5
2a189065f2ee8d19f5b7419ef4eb19df

SHA1
5932ef9ad37b956e1892a84134c0d08e9ad55978

SHA256
2963c331bd86ce893ef395f44bc76018054183405dabfd178d6b537ae09fe70f

SHA512
2186b2687f2e52ddc3362c57d24b092ba6565ddcee7ba060134062520b8678062abfca90ac3fe23fc45f5705820da9701927a39a8c9ef1aea378e1156b180c6c

Download Submit
C:\Windows\System\tUFXGgH.exe

Filesize
5.2MB

MD5
b50de2b1efdf26929998e2c1413d2f09

SHA1
fd26b357310235bc85630287217a0f74007c64dd

SHA256
7274c75575b6c43388c22b6c91ba6f67dd854c845da86c5dda695dc94eff6f82

SHA512
579dd2c8d01c7527cd0fb47529a97db31c735c1717af72f3206f075c3b4558905adadd0740c3d9bdf7065955c7b188e5ddc247666e430b2be2526c1a97a8a5bf

Download Submit
C:\Windows\System\ttXsrwq.exe

Filesize
5.2MB

MD5
5a2106ba8283d4e4b4610c6a53b15f96

SHA1
255ad8ebfdd60b40acfb222ec00f257835ce97df

SHA256
bd988e6b3cc2fd7e87f15524c693bf568eb8781293910b317ef6f669620b2cfb

SHA512
53bf63b2871312bf83f9ab9c7e3dc4bb94971656ab73c050473dd503bc1b9f2269a93aaae4440510a919de757549a86725a4b7a6ebbee54f51d4244acf1d42a3

Download Submit
C:\Windows\System\uTjSnnR.exe

Filesize
5.2MB

MD5
f263677927e4f36571d8a6c3f9ce123a

SHA1
31ab39b63c12f5497eb7a9302cce1322f2a37fd4

SHA256
8151f67e07240bf7920635e5af4a28d41401d8b034488303e5bcbd713fb93e1b

SHA512
d44dbab5b440c0fa6a989c25406e1c6d04a3a3a5928888d494e7972878576cfbf30049e387e5826f567566b96baf4089c6870b101a8aca18dde8bcc665c15e37

Download Submit
C:\Windows\System\vBttENB.exe

Filesize
5.2MB

MD5
92a61a1d8a513b4d7bbeb08271b9a8ef

SHA1
4fa25f29ef6860d71022466cfcea4440e55952d7

SHA256
73b79639ad4b45bd0a1ecd43fcda4cbace0d5dba7d2669cd0faa29c3d182dd5c

SHA512
0de0d2f5509200de0f4f484a58341921ec50329442041976d01305b85a2b376d20bc9b995e3e5beba7549e57209ad20f7d5b373f7951ee13790ae39aa51c5e36

Download Submit
C:\Windows\System\yONJKqm.exe

Filesize
5.2MB

MD5
6600a8d98029fdba21965719683526c2

SHA1
2a07a0ef60dffda667e0232ef4d71c009e33e52e

SHA256
4e3930126b5c9bd038b055515919f5eeb65d32d1f5fe27fa9a37395b546f2a44

SHA512
b2119b93d742288ff8a87a0a94246d6231d5e37ebb62c691c1bc44c0444257767bfd1a9b9f141e40c25e77135c3c5f46ecf1bdab7ab34ac026154ea04c30179c

Download Submit
C:\Windows\System\zHqGfcg.exe

Filesize
5.2MB

MD5
86e8337ad340922e0e459a0bc406af15

SHA1
80d6e3153d3c4649c0b6efebab123d7506a8c2d6

SHA256
151d64f9d84f27097f85f9971e5f460192f5e1cc4691ceee5ea190b43e881752

SHA512
2fc941e7ca70e78cdcacd8f2b204a53fdfe3b5470e7233faa5eba2047ba9871bab9a9b26d5b911f9dfd99f7dbdae9402092bc48fd32005d0b316d569b5860ba4

Download Submit
memory/356-25-0x00007FF60B1D0000-0x00007FF60B521000-memory.dmp

Filesize
3.3MB

Download
memory/356-114-0x00007FF60B1D0000-0x00007FF60B521000-memory.dmp

Filesize
3.3MB

Download
memory/356-226-0x00007FF60B1D0000-0x00007FF60B521000-memory.dmp

Filesize
3.3MB

Download
memory/424-137-0x00007FF724830000-0x00007FF724B81000-memory.dmp

Filesize
3.3MB

Download
memory/424-253-0x00007FF724830000-0x00007FF724B81000-memory.dmp

Filesize
3.3MB

Download
memory/424-71-0x00007FF724830000-0x00007FF724B81000-memory.dmp

Filesize
3.3MB

Download
memory/756-145-0x00007FF7B3D00000-0x00007FF7B4051000-memory.dmp

Filesize
3.3MB

Download
memory/756-98-0x00007FF7B3D00000-0x00007FF7B4051000-memory.dmp

Filesize
3.3MB

Download
memory/756-259-0x00007FF7B3D00000-0x00007FF7B4051000-memory.dmp

Filesize
3.3MB

Download
memory/1556-250-0x00007FF6824E0000-0x00007FF682831000-memory.dmp

Filesize
3.3MB

Download
memory/1556-93-0x00007FF6824E0000-0x00007FF682831000-memory.dmp

Filesize
3.3MB

Download
memory/1560-230-0x00007FF606750000-0x00007FF606AA1000-memory.dmp

Filesize
3.3MB

Download
memory/1560-127-0x00007FF606750000-0x00007FF606AA1000-memory.dmp

Filesize
3.3MB

Download
memory/1560-36-0x00007FF606750000-0x00007FF606AA1000-memory.dmp

Filesize
3.3MB

Download
memory/1592-133-0x00007FF61EB20000-0x00007FF61EE71000-memory.dmp

Filesize
3.3MB

Download
memory/1592-273-0x00007FF61EB20000-0x00007FF61EE71000-memory.dmp

Filesize
3.3MB

Download
memory/1592-165-0x00007FF61EB20000-0x00007FF61EE71000-memory.dmp

Filesize
3.3MB

Download
memory/1780-24-0x00007FF608410000-0x00007FF608761000-memory.dmp

Filesize
3.3MB

Download
memory/1780-102-0x00007FF608410000-0x00007FF608761000-memory.dmp

Filesize
3.3MB

Download
memory/1780-224-0x00007FF608410000-0x00007FF608761000-memory.dmp

Filesize
3.3MB

Download
memory/2032-97-0x00007FF76BE70000-0x00007FF76C1C1000-memory.dmp

Filesize
3.3MB

Download
memory/2032-257-0x00007FF76BE70000-0x00007FF76C1C1000-memory.dmp

Filesize
3.3MB

Download
memory/2288-158-0x00007FF62B880000-0x00007FF62BBD1000-memory.dmp

Filesize
3.3MB

Download
memory/2288-122-0x00007FF62B880000-0x00007FF62BBD1000-memory.dmp

Filesize
3.3MB

Download
memory/2288-267-0x00007FF62B880000-0x00007FF62BBD1000-memory.dmp

Filesize
3.3MB

Download
memory/2396-241-0x00007FF69B940000-0x00007FF69BC91000-memory.dmp

Filesize
3.3MB

Download
memory/2396-135-0x00007FF69B940000-0x00007FF69BC91000-memory.dmp

Filesize
3.3MB

Download
memory/2396-44-0x00007FF69B940000-0x00007FF69BC91000-memory.dmp

Filesize
3.3MB

Download
memory/2504-126-0x00007FF73B840000-0x00007FF73BB91000-memory.dmp

Filesize
3.3MB

Download
memory/2504-269-0x00007FF73B840000-0x00007FF73BB91000-memory.dmp

Filesize
3.3MB

Download
memory/2504-160-0x00007FF73B840000-0x00007FF73BB91000-memory.dmp

Filesize
3.3MB

Download
memory/2776-157-0x00007FF6487E0000-0x00007FF648B31000-memory.dmp

Filesize
3.3MB

Download
memory/2776-265-0x00007FF6487E0000-0x00007FF648B31000-memory.dmp

Filesize
3.3MB

Download
memory/2776-106-0x00007FF6487E0000-0x00007FF648B31000-memory.dmp

Filesize
3.3MB

Download
memory/2780-247-0x00007FF7EE490000-0x00007FF7EE7E1000-memory.dmp

Filesize
3.3MB

Download
memory/2780-60-0x00007FF7EE490000-0x00007FF7EE7E1000-memory.dmp

Filesize
3.3MB

Download
memory/2780-136-0x00007FF7EE490000-0x00007FF7EE7E1000-memory.dmp

Filesize
3.3MB

Download
memory/3180-94-0x00007FF6809C0000-0x00007FF680D11000-memory.dmp

Filesize
3.3MB

Download
memory/3180-8-0x00007FF6809C0000-0x00007FF680D11000-memory.dmp

Filesize
3.3MB

Download
memory/3180-220-0x00007FF6809C0000-0x00007FF680D11000-memory.dmp

Filesize
3.3MB

Download
memory/3248-243-0x00007FF7B3360000-0x00007FF7B36B1000-memory.dmp

Filesize
3.3MB

Download
memory/3248-58-0x00007FF7B3360000-0x00007FF7B36B1000-memory.dmp

Filesize
3.3MB

Download
memory/4268-159-0x00007FF664470000-0x00007FF6647C1000-memory.dmp

Filesize
3.3MB

Download
memory/4268-271-0x00007FF664470000-0x00007FF6647C1000-memory.dmp

Filesize
3.3MB

Download
memory/4268-123-0x00007FF664470000-0x00007FF6647C1000-memory.dmp

Filesize
3.3MB

Download
memory/4312-61-0x00007FF6D3650000-0x00007FF6D39A1000-memory.dmp

Filesize
3.3MB

Download
memory/4312-138-0x00007FF6D3650000-0x00007FF6D39A1000-memory.dmp

Filesize
3.3MB

Download
memory/4312-245-0x00007FF6D3650000-0x00007FF6D39A1000-memory.dmp

Filesize
3.3MB

Download
memory/4408-32-0x00007FF7418E0000-0x00007FF741C31000-memory.dmp

Filesize
3.3MB

Download
memory/4408-115-0x00007FF7418E0000-0x00007FF741C31000-memory.dmp

Filesize
3.3MB

Download
memory/4408-228-0x00007FF7418E0000-0x00007FF741C31000-memory.dmp

Filesize
3.3MB

Download
memory/4480-101-0x00007FF69D050000-0x00007FF69D3A1000-memory.dmp

Filesize
3.3MB

Download
memory/4480-16-0x00007FF69D050000-0x00007FF69D3A1000-memory.dmp

Filesize
3.3MB

Download
memory/4480-222-0x00007FF69D050000-0x00007FF69D3A1000-memory.dmp

Filesize
3.3MB

Download
memory/4508-92-0x00007FF6547B0000-0x00007FF654B01000-memory.dmp

Filesize
3.3MB

Download
memory/4508-255-0x00007FF6547B0000-0x00007FF654B01000-memory.dmp

Filesize
3.3MB

Download
memory/4776-251-0x00007FF706050000-0x00007FF7063A1000-memory.dmp

Filesize
3.3MB

Download
memory/4776-90-0x00007FF706050000-0x00007FF7063A1000-memory.dmp

Filesize
3.3MB

Download
memory/5048-84-0x00007FF67B8A0000-0x00007FF67BBF1000-memory.dmp

Filesize
3.3MB

Download
memory/5048-1-0x000001D212500000-0x000001D212510000-memory.dmp

Filesize
64KB

Download
memory/5048-166-0x00007FF67B8A0000-0x00007FF67BBF1000-memory.dmp

Filesize
3.3MB

Download
memory/5048-0-0x00007FF67B8A0000-0x00007FF67BBF1000-memory.dmp

Filesize
3.3MB

Download
memory/5048-139-0x00007FF67B8A0000-0x00007FF67BBF1000-memory.dmp

Filesize
3.3MB

Download