cobaltstrike | 9e920071279e7f7ccad01d5f5dd8cf6510abe3f5d201cbc9a4bcc925af288765

Analysis

max time kernel
140s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-12-2024 03:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-19_2366e25cc3b72fd0fcbcb5d68bcb1714_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

2366e25cc3b72fd0fcbcb5d68bcb1714
SHA1

7c208e87036fe535787062891b7efd73cda59e6f
SHA256

9e920071279e7f7ccad01d5f5dd8cf6510abe3f5d201cbc9a4bcc925af288765
SHA512

8374d76912c3db321b2d7363f522aeb042ba326063e45c4af7e7cb51d57dfcc5899803e2392e72c3d379fa67fc9e37942cceca61974b299687b94f75267e55c0
SSDEEP

49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l+:RWWBibd56utgpPFotBER/mQ32lUC

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000400000001e432-5.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b96-10.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b97-9.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9c-41.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9f-72.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba1-78.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b94-93.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba4-98.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba5-107.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba8-128.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba7-125.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba6-122.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba3-94.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba2-91.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba0-81.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9e-69.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9d-58.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9b-48.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9a-39.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b99-38.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b98-33.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/4924-121-0x00007FF722640000-0x00007FF722991000-memory.dmp	xmrig
behavioral2/memory/1880-118-0x00007FF7EA5E0000-0x00007FF7EA931000-memory.dmp	xmrig
behavioral2/memory/2628-117-0x00007FF6715B0000-0x00007FF671901000-memory.dmp	xmrig
behavioral2/memory/2000-110-0x00007FF6D6390000-0x00007FF6D66E1000-memory.dmp	xmrig
behavioral2/memory/1636-105-0x00007FF6B49B0000-0x00007FF6B4D01000-memory.dmp	xmrig
behavioral2/memory/2652-87-0x00007FF7723F0000-0x00007FF772741000-memory.dmp	xmrig
behavioral2/memory/1924-68-0x00007FF7D3160000-0x00007FF7D34B1000-memory.dmp	xmrig
behavioral2/memory/3120-56-0x00007FF6104B0000-0x00007FF610801000-memory.dmp	xmrig
behavioral2/memory/2644-132-0x00007FF7F0160000-0x00007FF7F04B1000-memory.dmp	xmrig
behavioral2/memory/1108-133-0x00007FF68B870000-0x00007FF68BBC1000-memory.dmp	xmrig
behavioral2/memory/1912-134-0x00007FF794640000-0x00007FF794991000-memory.dmp	xmrig
behavioral2/memory/4292-135-0x00007FF71FA50000-0x00007FF71FDA1000-memory.dmp	xmrig
behavioral2/memory/2852-136-0x00007FF6D6030000-0x00007FF6D6381000-memory.dmp	xmrig
behavioral2/memory/3356-138-0x00007FF7A38B0000-0x00007FF7A3C01000-memory.dmp	xmrig
behavioral2/memory/3684-137-0x00007FF66EF10000-0x00007FF66F261000-memory.dmp	xmrig
behavioral2/memory/1072-139-0x00007FF776520000-0x00007FF776871000-memory.dmp	xmrig
behavioral2/memory/2072-140-0x00007FF6D33E0000-0x00007FF6D3731000-memory.dmp	xmrig
behavioral2/memory/2000-141-0x00007FF6D6390000-0x00007FF6D66E1000-memory.dmp	xmrig
behavioral2/memory/2032-152-0x00007FF688630000-0x00007FF688981000-memory.dmp	xmrig
behavioral2/memory/2328-161-0x00007FF601BA0000-0x00007FF601EF1000-memory.dmp	xmrig
behavioral2/memory/1640-163-0x00007FF6789E0000-0x00007FF678D31000-memory.dmp	xmrig
behavioral2/memory/4604-164-0x00007FF70F540000-0x00007FF70F891000-memory.dmp	xmrig
behavioral2/memory/4020-162-0x00007FF617360000-0x00007FF6176B1000-memory.dmp	xmrig
behavioral2/memory/2000-165-0x00007FF6D6390000-0x00007FF6D66E1000-memory.dmp	xmrig
behavioral2/memory/2628-225-0x00007FF6715B0000-0x00007FF671901000-memory.dmp	xmrig
behavioral2/memory/1880-227-0x00007FF7EA5E0000-0x00007FF7EA931000-memory.dmp	xmrig
behavioral2/memory/4924-229-0x00007FF722640000-0x00007FF722991000-memory.dmp	xmrig
behavioral2/memory/2644-231-0x00007FF7F0160000-0x00007FF7F04B1000-memory.dmp	xmrig
behavioral2/memory/1912-233-0x00007FF794640000-0x00007FF794991000-memory.dmp	xmrig
behavioral2/memory/1108-235-0x00007FF68B870000-0x00007FF68BBC1000-memory.dmp	xmrig
behavioral2/memory/3120-237-0x00007FF6104B0000-0x00007FF610801000-memory.dmp	xmrig
behavioral2/memory/1924-239-0x00007FF7D3160000-0x00007FF7D34B1000-memory.dmp	xmrig
behavioral2/memory/2852-241-0x00007FF6D6030000-0x00007FF6D6381000-memory.dmp	xmrig
behavioral2/memory/4292-252-0x00007FF71FA50000-0x00007FF71FDA1000-memory.dmp	xmrig
behavioral2/memory/3684-250-0x00007FF66EF10000-0x00007FF66F261000-memory.dmp	xmrig
behavioral2/memory/2652-255-0x00007FF7723F0000-0x00007FF772741000-memory.dmp	xmrig
behavioral2/memory/3356-256-0x00007FF7A38B0000-0x00007FF7A3C01000-memory.dmp	xmrig
behavioral2/memory/1636-260-0x00007FF6B49B0000-0x00007FF6B4D01000-memory.dmp	xmrig
behavioral2/memory/1072-259-0x00007FF776520000-0x00007FF776871000-memory.dmp	xmrig
behavioral2/memory/2032-263-0x00007FF688630000-0x00007FF688981000-memory.dmp	xmrig
behavioral2/memory/2072-264-0x00007FF6D33E0000-0x00007FF6D3731000-memory.dmp	xmrig
behavioral2/memory/4604-266-0x00007FF70F540000-0x00007FF70F891000-memory.dmp	xmrig
behavioral2/memory/2328-268-0x00007FF601BA0000-0x00007FF601EF1000-memory.dmp	xmrig
behavioral2/memory/4020-270-0x00007FF617360000-0x00007FF6176B1000-memory.dmp	xmrig
behavioral2/memory/1640-272-0x00007FF6789E0000-0x00007FF678D31000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2628	QoMpNle.exe
1880	iOkRPJp.exe
4924	caNkcLn.exe
2644	ArKufeG.exe
1912	XTDMCPW.exe
1108	aTfOYBe.exe
3120	DxLYwty.exe
2852	OpzjKfx.exe
3684	CzTGPtf.exe
4292	KTeVTaM.exe
1924	nogcWYi.exe
3356	LuXoFwz.exe
2652	KYjHsal.exe
1072	dbTqDNk.exe
1636	qBCfIIY.exe
2032	nFUOKyj.exe
2072	PXZNpBS.exe
4604	IzFEQVz.exe
2328	mDuExOM.exe
4020	XwfVjIg.exe
1640	JFMJoKp.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2000-0-0x00007FF6D6390000-0x00007FF6D66E1000-memory.dmp	upx
behavioral2/files/0x000400000001e432-5.dat	upx
behavioral2/files/0x000b000000023b96-10.dat	upx
behavioral2/files/0x000a000000023b97-9.dat	upx
behavioral2/memory/1880-14-0x00007FF7EA5E0000-0x00007FF7EA931000-memory.dmp	upx
behavioral2/memory/2628-7-0x00007FF6715B0000-0x00007FF671901000-memory.dmp	upx
behavioral2/files/0x000a000000023b9c-41.dat	upx
behavioral2/memory/1912-40-0x00007FF794640000-0x00007FF794991000-memory.dmp	upx
behavioral2/memory/4292-67-0x00007FF71FA50000-0x00007FF71FDA1000-memory.dmp	upx
behavioral2/files/0x000a000000023b9f-72.dat	upx
behavioral2/files/0x000a000000023ba1-78.dat	upx
behavioral2/files/0x000b000000023b94-93.dat	upx
behavioral2/files/0x000a000000023ba4-98.dat	upx
behavioral2/files/0x000a000000023ba5-107.dat	upx
behavioral2/memory/4604-116-0x00007FF70F540000-0x00007FF70F891000-memory.dmp	upx
behavioral2/memory/4020-124-0x00007FF617360000-0x00007FF6176B1000-memory.dmp	upx
behavioral2/files/0x000a000000023ba8-128.dat	upx
behavioral2/memory/1640-129-0x00007FF6789E0000-0x00007FF678D31000-memory.dmp	upx
behavioral2/files/0x000a000000023ba7-125.dat	upx
behavioral2/files/0x000a000000023ba6-122.dat	upx
behavioral2/memory/4924-121-0x00007FF722640000-0x00007FF722991000-memory.dmp	upx
behavioral2/memory/2328-120-0x00007FF601BA0000-0x00007FF601EF1000-memory.dmp	upx
behavioral2/memory/1880-118-0x00007FF7EA5E0000-0x00007FF7EA931000-memory.dmp	upx
behavioral2/memory/2628-117-0x00007FF6715B0000-0x00007FF671901000-memory.dmp	upx
behavioral2/memory/2000-110-0x00007FF6D6390000-0x00007FF6D66E1000-memory.dmp	upx
behavioral2/memory/1636-105-0x00007FF6B49B0000-0x00007FF6B4D01000-memory.dmp	upx
behavioral2/memory/2072-100-0x00007FF6D33E0000-0x00007FF6D3731000-memory.dmp	upx
behavioral2/memory/2032-97-0x00007FF688630000-0x00007FF688981000-memory.dmp	upx
behavioral2/memory/1072-96-0x00007FF776520000-0x00007FF776871000-memory.dmp	upx
behavioral2/files/0x000a000000023ba3-94.dat	upx
behavioral2/files/0x000a000000023ba2-91.dat	upx
behavioral2/memory/2652-87-0x00007FF7723F0000-0x00007FF772741000-memory.dmp	upx
behavioral2/files/0x000a000000023ba0-81.dat	upx
behavioral2/memory/3684-74-0x00007FF66EF10000-0x00007FF66F261000-memory.dmp	upx
behavioral2/files/0x000a000000023b9e-69.dat	upx
behavioral2/memory/3356-77-0x00007FF7A38B0000-0x00007FF7A3C01000-memory.dmp	upx
behavioral2/memory/1924-68-0x00007FF7D3160000-0x00007FF7D34B1000-memory.dmp	upx
behavioral2/memory/2852-60-0x00007FF6D6030000-0x00007FF6D6381000-memory.dmp	upx
behavioral2/files/0x000a000000023b9d-58.dat	upx
behavioral2/memory/3120-56-0x00007FF6104B0000-0x00007FF610801000-memory.dmp	upx
behavioral2/memory/1108-51-0x00007FF68B870000-0x00007FF68BBC1000-memory.dmp	upx
behavioral2/files/0x000a000000023b9b-48.dat	upx
behavioral2/files/0x000a000000023b9a-39.dat	upx
behavioral2/files/0x000a000000023b99-38.dat	upx
behavioral2/files/0x000a000000023b98-33.dat	upx
behavioral2/memory/2644-27-0x00007FF7F0160000-0x00007FF7F04B1000-memory.dmp	upx
behavioral2/memory/4924-25-0x00007FF722640000-0x00007FF722991000-memory.dmp	upx
behavioral2/memory/2644-132-0x00007FF7F0160000-0x00007FF7F04B1000-memory.dmp	upx
behavioral2/memory/1108-133-0x00007FF68B870000-0x00007FF68BBC1000-memory.dmp	upx
behavioral2/memory/1912-134-0x00007FF794640000-0x00007FF794991000-memory.dmp	upx
behavioral2/memory/4292-135-0x00007FF71FA50000-0x00007FF71FDA1000-memory.dmp	upx
behavioral2/memory/2852-136-0x00007FF6D6030000-0x00007FF6D6381000-memory.dmp	upx
behavioral2/memory/3356-138-0x00007FF7A38B0000-0x00007FF7A3C01000-memory.dmp	upx
behavioral2/memory/3684-137-0x00007FF66EF10000-0x00007FF66F261000-memory.dmp	upx
behavioral2/memory/1072-139-0x00007FF776520000-0x00007FF776871000-memory.dmp	upx
behavioral2/memory/2072-140-0x00007FF6D33E0000-0x00007FF6D3731000-memory.dmp	upx
behavioral2/memory/2000-141-0x00007FF6D6390000-0x00007FF6D66E1000-memory.dmp	upx
behavioral2/memory/2032-152-0x00007FF688630000-0x00007FF688981000-memory.dmp	upx
behavioral2/memory/2328-161-0x00007FF601BA0000-0x00007FF601EF1000-memory.dmp	upx
behavioral2/memory/1640-163-0x00007FF6789E0000-0x00007FF678D31000-memory.dmp	upx
behavioral2/memory/4604-164-0x00007FF70F540000-0x00007FF70F891000-memory.dmp	upx
behavioral2/memory/4020-162-0x00007FF617360000-0x00007FF6176B1000-memory.dmp	upx
behavioral2/memory/2000-165-0x00007FF6D6390000-0x00007FF6D66E1000-memory.dmp	upx
behavioral2/memory/2628-225-0x00007FF6715B0000-0x00007FF671901000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\KYjHsal.exe	2024-12-19_2366e25cc3b72fd0fcbcb5d68bcb1714_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IzFEQVz.exe	2024-12-19_2366e25cc3b72fd0fcbcb5d68bcb1714_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\caNkcLn.exe	2024-12-19_2366e25cc3b72fd0fcbcb5d68bcb1714_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XTDMCPW.exe	2024-12-19_2366e25cc3b72fd0fcbcb5d68bcb1714_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CzTGPtf.exe	2024-12-19_2366e25cc3b72fd0fcbcb5d68bcb1714_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nFUOKyj.exe	2024-12-19_2366e25cc3b72fd0fcbcb5d68bcb1714_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PXZNpBS.exe	2024-12-19_2366e25cc3b72fd0fcbcb5d68bcb1714_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XwfVjIg.exe	2024-12-19_2366e25cc3b72fd0fcbcb5d68bcb1714_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JFMJoKp.exe	2024-12-19_2366e25cc3b72fd0fcbcb5d68bcb1714_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iOkRPJp.exe	2024-12-19_2366e25cc3b72fd0fcbcb5d68bcb1714_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nogcWYi.exe	2024-12-19_2366e25cc3b72fd0fcbcb5d68bcb1714_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qBCfIIY.exe	2024-12-19_2366e25cc3b72fd0fcbcb5d68bcb1714_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mDuExOM.exe	2024-12-19_2366e25cc3b72fd0fcbcb5d68bcb1714_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DxLYwty.exe	2024-12-19_2366e25cc3b72fd0fcbcb5d68bcb1714_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OpzjKfx.exe	2024-12-19_2366e25cc3b72fd0fcbcb5d68bcb1714_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LuXoFwz.exe	2024-12-19_2366e25cc3b72fd0fcbcb5d68bcb1714_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KTeVTaM.exe	2024-12-19_2366e25cc3b72fd0fcbcb5d68bcb1714_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dbTqDNk.exe	2024-12-19_2366e25cc3b72fd0fcbcb5d68bcb1714_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QoMpNle.exe	2024-12-19_2366e25cc3b72fd0fcbcb5d68bcb1714_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ArKufeG.exe	2024-12-19_2366e25cc3b72fd0fcbcb5d68bcb1714_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aTfOYBe.exe	2024-12-19_2366e25cc3b72fd0fcbcb5d68bcb1714_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2000	2024-12-19_2366e25cc3b72fd0fcbcb5d68bcb1714_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2000	2024-12-19_2366e25cc3b72fd0fcbcb5d68bcb1714_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2000 wrote to memory of 2628	2000	2024-12-19_2366e25cc3b72fd0fcbcb5d68bcb1714_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 2000 wrote to memory of 2628	2000	2024-12-19_2366e25cc3b72fd0fcbcb5d68bcb1714_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 2000 wrote to memory of 1880	2000	2024-12-19_2366e25cc3b72fd0fcbcb5d68bcb1714_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2000 wrote to memory of 1880	2000	2024-12-19_2366e25cc3b72fd0fcbcb5d68bcb1714_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2000 wrote to memory of 4924	2000	2024-12-19_2366e25cc3b72fd0fcbcb5d68bcb1714_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2000 wrote to memory of 4924	2000	2024-12-19_2366e25cc3b72fd0fcbcb5d68bcb1714_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2000 wrote to memory of 2644	2000	2024-12-19_2366e25cc3b72fd0fcbcb5d68bcb1714_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2000 wrote to memory of 2644	2000	2024-12-19_2366e25cc3b72fd0fcbcb5d68bcb1714_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2000 wrote to memory of 1912	2000	2024-12-19_2366e25cc3b72fd0fcbcb5d68bcb1714_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2000 wrote to memory of 1912	2000	2024-12-19_2366e25cc3b72fd0fcbcb5d68bcb1714_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2000 wrote to memory of 1108	2000	2024-12-19_2366e25cc3b72fd0fcbcb5d68bcb1714_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2000 wrote to memory of 1108	2000	2024-12-19_2366e25cc3b72fd0fcbcb5d68bcb1714_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2000 wrote to memory of 3120	2000	2024-12-19_2366e25cc3b72fd0fcbcb5d68bcb1714_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2000 wrote to memory of 3120	2000	2024-12-19_2366e25cc3b72fd0fcbcb5d68bcb1714_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2000 wrote to memory of 2852	2000	2024-12-19_2366e25cc3b72fd0fcbcb5d68bcb1714_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2000 wrote to memory of 2852	2000	2024-12-19_2366e25cc3b72fd0fcbcb5d68bcb1714_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2000 wrote to memory of 1924	2000	2024-12-19_2366e25cc3b72fd0fcbcb5d68bcb1714_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2000 wrote to memory of 1924	2000	2024-12-19_2366e25cc3b72fd0fcbcb5d68bcb1714_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2000 wrote to memory of 3684	2000	2024-12-19_2366e25cc3b72fd0fcbcb5d68bcb1714_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2000 wrote to memory of 3684	2000	2024-12-19_2366e25cc3b72fd0fcbcb5d68bcb1714_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2000 wrote to memory of 4292	2000	2024-12-19_2366e25cc3b72fd0fcbcb5d68bcb1714_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2000 wrote to memory of 4292	2000	2024-12-19_2366e25cc3b72fd0fcbcb5d68bcb1714_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2000 wrote to memory of 3356	2000	2024-12-19_2366e25cc3b72fd0fcbcb5d68bcb1714_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2000 wrote to memory of 3356	2000	2024-12-19_2366e25cc3b72fd0fcbcb5d68bcb1714_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2000 wrote to memory of 2652	2000	2024-12-19_2366e25cc3b72fd0fcbcb5d68bcb1714_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2000 wrote to memory of 2652	2000	2024-12-19_2366e25cc3b72fd0fcbcb5d68bcb1714_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2000 wrote to memory of 1072	2000	2024-12-19_2366e25cc3b72fd0fcbcb5d68bcb1714_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2000 wrote to memory of 1072	2000	2024-12-19_2366e25cc3b72fd0fcbcb5d68bcb1714_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2000 wrote to memory of 1636	2000	2024-12-19_2366e25cc3b72fd0fcbcb5d68bcb1714_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2000 wrote to memory of 1636	2000	2024-12-19_2366e25cc3b72fd0fcbcb5d68bcb1714_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2000 wrote to memory of 2032	2000	2024-12-19_2366e25cc3b72fd0fcbcb5d68bcb1714_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2000 wrote to memory of 2032	2000	2024-12-19_2366e25cc3b72fd0fcbcb5d68bcb1714_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2000 wrote to memory of 2072	2000	2024-12-19_2366e25cc3b72fd0fcbcb5d68bcb1714_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2000 wrote to memory of 2072	2000	2024-12-19_2366e25cc3b72fd0fcbcb5d68bcb1714_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2000 wrote to memory of 4604	2000	2024-12-19_2366e25cc3b72fd0fcbcb5d68bcb1714_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2000 wrote to memory of 4604	2000	2024-12-19_2366e25cc3b72fd0fcbcb5d68bcb1714_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2000 wrote to memory of 2328	2000	2024-12-19_2366e25cc3b72fd0fcbcb5d68bcb1714_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2000 wrote to memory of 2328	2000	2024-12-19_2366e25cc3b72fd0fcbcb5d68bcb1714_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2000 wrote to memory of 4020	2000	2024-12-19_2366e25cc3b72fd0fcbcb5d68bcb1714_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2000 wrote to memory of 4020	2000	2024-12-19_2366e25cc3b72fd0fcbcb5d68bcb1714_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2000 wrote to memory of 1640	2000	2024-12-19_2366e25cc3b72fd0fcbcb5d68bcb1714_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2000 wrote to memory of 1640	2000	2024-12-19_2366e25cc3b72fd0fcbcb5d68bcb1714_cobalt-strike_cobaltstrike_poet-rat.exe	103

C:\Users\Admin\AppData\Local\Temp\2024-12-19_2366e25cc3b72fd0fcbcb5d68bcb1714_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-19_2366e25cc3b72fd0fcbcb5d68bcb1714_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Windows\System\QoMpNle.exe
  C:\Windows\System\QoMpNle.exe
  2⤵
  - Executes dropped EXE
  PID:2628
- C:\Windows\System\iOkRPJp.exe
  C:\Windows\System\iOkRPJp.exe
  2⤵
  - Executes dropped EXE
  PID:1880
- C:\Windows\System\caNkcLn.exe
  C:\Windows\System\caNkcLn.exe
  2⤵
  - Executes dropped EXE
  PID:4924
- C:\Windows\System\ArKufeG.exe
  C:\Windows\System\ArKufeG.exe
  2⤵
  - Executes dropped EXE
  PID:2644
- C:\Windows\System\XTDMCPW.exe
  C:\Windows\System\XTDMCPW.exe
  2⤵
  - Executes dropped EXE
  PID:1912
- C:\Windows\System\aTfOYBe.exe
  C:\Windows\System\aTfOYBe.exe
  2⤵
  - Executes dropped EXE
  PID:1108
- C:\Windows\System\DxLYwty.exe
  C:\Windows\System\DxLYwty.exe
  2⤵
  - Executes dropped EXE
  PID:3120
- C:\Windows\System\OpzjKfx.exe
  C:\Windows\System\OpzjKfx.exe
  2⤵
  - Executes dropped EXE
  PID:2852
- C:\Windows\System\nogcWYi.exe
  C:\Windows\System\nogcWYi.exe
  2⤵
  - Executes dropped EXE
  PID:1924
- C:\Windows\System\CzTGPtf.exe
  C:\Windows\System\CzTGPtf.exe
  2⤵
  - Executes dropped EXE
  PID:3684
- C:\Windows\System\KTeVTaM.exe
  C:\Windows\System\KTeVTaM.exe
  2⤵
  - Executes dropped EXE
  PID:4292
- C:\Windows\System\LuXoFwz.exe
  C:\Windows\System\LuXoFwz.exe
  2⤵
  - Executes dropped EXE
  PID:3356
- C:\Windows\System\KYjHsal.exe
  C:\Windows\System\KYjHsal.exe
  2⤵
  - Executes dropped EXE
  PID:2652
- C:\Windows\System\dbTqDNk.exe
  C:\Windows\System\dbTqDNk.exe
  2⤵
  - Executes dropped EXE
  PID:1072
- C:\Windows\System\qBCfIIY.exe
  C:\Windows\System\qBCfIIY.exe
  2⤵
  - Executes dropped EXE
  PID:1636
- C:\Windows\System\nFUOKyj.exe
  C:\Windows\System\nFUOKyj.exe
  2⤵
  - Executes dropped EXE
  PID:2032
- C:\Windows\System\PXZNpBS.exe
  C:\Windows\System\PXZNpBS.exe
  2⤵
  - Executes dropped EXE
  PID:2072
- C:\Windows\System\IzFEQVz.exe
  C:\Windows\System\IzFEQVz.exe
  2⤵
  - Executes dropped EXE
  PID:4604
- C:\Windows\System\mDuExOM.exe
  C:\Windows\System\mDuExOM.exe
  2⤵
  - Executes dropped EXE
  PID:2328
- C:\Windows\System\XwfVjIg.exe
  C:\Windows\System\XwfVjIg.exe
  2⤵
  - Executes dropped EXE
  PID:4020
- C:\Windows\System\JFMJoKp.exe
  C:\Windows\System\JFMJoKp.exe
  2⤵
  - Executes dropped EXE
  PID:1640

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\ArKufeG.exe

Filesize
5.2MB

MD5
2f7a737ca63cb5e125715c38fa1a3fee

SHA1
c4e3435a025c0bd21195b394ce58f0c4f14c272f

SHA256
f75902f04aff063d894885962cf9cb52321273bed280a9a710d73c9216047f1d

SHA512
40bbbff330bc11583705b18a30787ba04cfd96b2ba58f5f8efe39e314deedc93f1ef2cde45bbf607d80c6b7030e505feb8b392956ee74b9e110b3fd137350da7

Download Submit
C:\Windows\System\CzTGPtf.exe

Filesize
5.2MB

MD5
1faf971569c23bdcff7d1362429d3b92

SHA1
76a0e9e0ddd678297ccfccf28958631d89ee6cfd

SHA256
7fa55fc61b5ea6efab5a9f01f6c27904456c4efcaf31a3de0c3cca4c68892259

SHA512
c5e00c503e32f18193f8a972859892b8f9f1b5d536b18d753a925c8f642d82304c65c2512a480242a66f97a8b5edcd633d6fb7990a2731bc20fbe0c7a62588f1

Download Submit
C:\Windows\System\DxLYwty.exe

Filesize
5.2MB

MD5
bc852137ac689b5b6ca972f256ef87ed

SHA1
b66e8791f1f0dc385306f847c4c52b291d7a17a7

SHA256
292cd3985c7e367c6bcae1e4c93a25349bcdf5336ed470638aa5aa041e9d231b

SHA512
f4dc5daa356fee10b260658d1b81a3ce73dbf27fbbba5f3e266b094ef388f13c3d90bf4e1c408f8525d16027f0d58e01be3b49f3ca605951e425646386c3e100

Download Submit
C:\Windows\System\IzFEQVz.exe

Filesize
5.2MB

MD5
ddc8168944c5bbe819518f96036f489a

SHA1
0d8ee6dbf8e681a1e85333952d05ad4f6708d935

SHA256
67f73869e2ba9acfd350181e3b99395adba7e683f4bc6c9fb3a4fcc1bd70d1cb

SHA512
fb490ce5c0e59d435afd52a2501ad169afde69c998ddcb20215bae9e5944816fee6a0648dcf85a7400a4f0935e522ce209aeeb8b998c769bf3dd3237f561a8bf

Download Submit
C:\Windows\System\JFMJoKp.exe

Filesize
5.2MB

MD5
a1a12d62273484d797dc7addd8e167b7

SHA1
9d08276418a12fab1dc38ba87e43ff76e0e1983b

SHA256
1e57bc4cba52003102fc39b51947fb2641bae8146a72fa33f751a6e09fea07a8

SHA512
c2b6d925f368b15ae27507533b664b123b1e09ce103a5b1432de2d276560c0a3c536121b94e168fe22defaca4dedcba4a31caccc84a7a27bff9bb708beb01117

Download Submit
C:\Windows\System\KTeVTaM.exe

Filesize
5.2MB

MD5
31db62372f0fcb5c050352710308fd30

SHA1
0e99847bb1ba7ff9c402eb87a4e155183518acee

SHA256
5f15f40c85cf9070d74d85c91305ff8e42cfd97c3791058ea2115694368ed04e

SHA512
2270b7ca52fcd54b0bb055a821e8291707a39db1b8bfc290bc666c01e6a7eea0e193a3230ddf06e76b050fc2010f614392938f7d13fcd71aa92155bbb2ab1a31

Download Submit
C:\Windows\System\KYjHsal.exe

Filesize
5.2MB

MD5
aa7be91a9f723425f9b7e1de857ea8d0

SHA1
de1e0facf7b1628bfcd0f44f3661af9e8b9f3aaf

SHA256
5ea93d729a19d67b66b3e22f3eae381e1ec900c8cf7daeabf122d8034fcfe407

SHA512
904260f5d9733d0a5e8bce1db8fed51083abe2479f363c031759020bcdaa61e2ef0c4820564d136408baa08d07cfcd6559be6afae28cdf873e6188e14ad5b13d

Download Submit
C:\Windows\System\LuXoFwz.exe

Filesize
5.2MB

MD5
ae77af4913793d8deeb1cf2b83fa38dd

SHA1
6d8bb7b15407b9ab0b059b131bbb9b074de73e65

SHA256
92e718aaa1dedde38f33944d768b99af4bb2acb0d6de246bd11f3a4f2e5397eb

SHA512
b0821d0e4eeeac881bca5fb9ce8230bec379383c184831d68e57cebd49a404b3647adb135a6481d86f8fb8474c0a7bde4365bc55140c3d7ddcd88e1ca20c752c

Download Submit
C:\Windows\System\OpzjKfx.exe

Filesize
5.2MB

MD5
2e88f89cf30ee0ae7e997217c6cca5e5

SHA1
3b864d243c67b08588afe6611ac9a210f5466d39

SHA256
aff7ed037aadf42c56e312be2f9e324f5fa9dca5f1f200f64b6bcf92d1e2b8b8

SHA512
b2392e900a439925fc46eb6841db821c68c7282fc13f289849c16a9fe2a9b6f6af920b91ea6ad2b7720f9ec92355fac3ea0405a9114d396034741c42287b1969

Download Submit
C:\Windows\System\PXZNpBS.exe

Filesize
5.2MB

MD5
1e80383b7353361fd0c76721c0f07464

SHA1
9f351647fca0dae0b7e0a10ce022f515fdebe98f

SHA256
987de340587a07453a257f965bde92ce1898ae8b254b4d954af1b5b1804c5fcf

SHA512
40e031053f0ca99b01d2b7e5a052aad9c3494c97a82370bba2a3f104f96b05e74f7840cac95421cc4c6dddfabeca7b978cd16a5e4508446acf62f520916513cc

Download Submit
C:\Windows\System\QoMpNle.exe

Filesize
5.2MB

MD5
e58084ead964ee83690c306d638e841c

SHA1
3501ca35cc9fd21906ae9e2a9e279705570be128

SHA256
4d9ed5a5f7daee17c026cb55ef8eeda7603c4d17daaea9aa37228bdd5a99cb83

SHA512
d75f97a3724a5d9f164c154ae8ca887306497724241ac2e0ca400e34d381cf9964ffa59bee7c0be13fff1ff102b4430b9f199fad7427ef8f97eb819bf2bad0da

Download Submit
C:\Windows\System\XTDMCPW.exe

Filesize
5.2MB

MD5
add93f651cd263ff4842eb356ddb8230

SHA1
2ef1f41215ad0d80adfec1bbfa673b4e52d2d621

SHA256
42e807a8833dc74bed8295d5dd79a10dd2b8e208ff0feeedfb572f4408634832

SHA512
65d2a330f48c58e53361ec442386c5373771db407d7d0d0b02c1535824f3b9344e26dd8dcf36f179626b6902c038ab5e2858132efd089576d18a0430f6aafa2d

Download Submit
C:\Windows\System\XwfVjIg.exe

Filesize
5.2MB

MD5
afdacad232ed4e88cf47eb7f4d34e443

SHA1
7a083506716af1ac290e0e4f4f0057c6db2e819d

SHA256
fac143e492b1f16a1650f90ac1140d699c525258b8366b2e29416b8f097d0a5b

SHA512
1b618a417be9061cc8dc03f872b250db9b13dd0c471ec517760acefbe9656041e9c99cc437c38a7827ab2d78e59d2836b37556ab968d1ed10c4ae4ff457020d0

Download Submit
C:\Windows\System\aTfOYBe.exe

Filesize
5.2MB

MD5
1f32b6b156e94d9e083daac543a886da

SHA1
a14f84bb74f6df50e5a762afd08bbad0e31feee0

SHA256
6e2717a3278ce8986ab4c611516dfc1d05103f0eac1bcdc0cfc82962530d1ace

SHA512
0b58fa0db3dc55ed6bab4125e81a6077c173ffd3db60e5b46afc73ff618579a4245c205dda40e9adcf972088736ab5267dd42989afde9c6cd0d5083bfd89c1c2

Download Submit
C:\Windows\System\caNkcLn.exe

Filesize
5.2MB

MD5
4f27282cbeb7a1ce782e1f438410ba63

SHA1
97372cf6854ece4cf3298db902075a20d23049a8

SHA256
080272a012a11c9c4347248a8af4859afa1d59f8b6d33fea6c86cae008fb50b3

SHA512
6f386fd36a49d5c3e76ebdf2ce0e96f9d93d3f2544e2c3b1eb4a389e356995ddf021a69057803c331415d905415a1438353713522e6bcae0a4cab8e7201e562c

Download Submit
C:\Windows\System\dbTqDNk.exe

Filesize
5.2MB

MD5
90850da8c0eeb8277e39d260045c286b

SHA1
aaf3901386a9df9eb4cb85b2b57153af19cafe5f

SHA256
91fb8ecff8bf4cf34e43c2bab5203e2eb546e85811fbf1914bf3505b14b891f0

SHA512
6a5dbf37559ed2f639a84ba3a10ede87b449c5330987c6dd538f8a67c4dece935eba9c957db874cef6ef15d5b396e9c15e3830f69be0d9562a39c6cec49d6b76

Download Submit
C:\Windows\System\iOkRPJp.exe

Filesize
5.2MB

MD5
6e0fec5bf696525da5ad953e0e890ec3

SHA1
80057ef9c2c6f7a245eb55f0fd69380a524b6ea2

SHA256
1c4ff1d3f081bd5204a3610a0705bcb70aa355a15792b17ecb25dfc7bbe89255

SHA512
195063492c7a02db3ed24e374b2fabd17d3cabe4f864010b6654282d23e589645ddcdf5df7879882c64469ecf41a5c4925d16a164737e475b4cd9c7322ca45c9

Download Submit
C:\Windows\System\mDuExOM.exe

Filesize
5.2MB

MD5
b99ac2d1a95f7c4b360478d394a96c63

SHA1
a1feac42fc6ae183ec23c98785124cab38c64645

SHA256
821f967666a8e403f9117cc1bc905fe8390188888298b048cff7b75f1f2dfa0d

SHA512
7d830ac967a3a50d633ee2e142e068d7570b03390e6fed8edfc46e10081634130523d64c146edb1ca47cebff33168bbb96b4ccd44a5c1b3e0068a6a7ab32a17a

Download Submit
C:\Windows\System\nFUOKyj.exe

Filesize
5.2MB

MD5
765adc6efe1fbaad54d2bfc100272cb2

SHA1
1e6283655047bd5f0f56adf0b7e7fb2ea16e559f

SHA256
581da097e3098710eeb06aca35a18dd23a0365b719d55c1afcf0d15afee8224f

SHA512
837a51820afdfe7fd20ca28adce3cc438ef03bdc5fc67805afe46dbbc7723b17145df48a43ff9f14fbb431100e357c765e15d8b2ee2d3d913c5042dab0980dc1

Download Submit
C:\Windows\System\nogcWYi.exe

Filesize
5.2MB

MD5
7d7707c6aac29c31a13725820b6fe603

SHA1
6ff892ffdc4957c37d12456de5e900ce697941a3

SHA256
69f177a9b203f3dbdcac48b9c73ea280647216f91c9e60fb5bf479162a398ef7

SHA512
658b5988d96458a1480434b6ac165541c21d65b9d49969d5e67f369c8ed0073ef451bb770074364c824af5e596db18a5fdc404297a802a87eb335018ea342832

Download Submit
C:\Windows\System\qBCfIIY.exe

Filesize
5.2MB

MD5
198a1ccc984e3e707399192edb82780d

SHA1
2fd9c52144dde69151f09b609b73f04388aa4c13

SHA256
62def417d0623b9f44bfb005299b692e4069cff90856433fc5b021d04c4a1f40

SHA512
786534aecf8b0da9f2041bfbc43fdaad9f2c71d5defbaa17a9b23c14a5880061dad2a54cdf284f4c548f4a30cf089c031175e339f0f61378eb7b36e27e5a4a8d

Download Submit
memory/1072-139-0x00007FF776520000-0x00007FF776871000-memory.dmp

Filesize
3.3MB

Download
memory/1072-259-0x00007FF776520000-0x00007FF776871000-memory.dmp

Filesize
3.3MB

Download
memory/1072-96-0x00007FF776520000-0x00007FF776871000-memory.dmp

Filesize
3.3MB

Download
memory/1108-51-0x00007FF68B870000-0x00007FF68BBC1000-memory.dmp

Filesize
3.3MB

Download
memory/1108-235-0x00007FF68B870000-0x00007FF68BBC1000-memory.dmp

Filesize
3.3MB

Download
memory/1108-133-0x00007FF68B870000-0x00007FF68BBC1000-memory.dmp

Filesize
3.3MB

Download
memory/1636-260-0x00007FF6B49B0000-0x00007FF6B4D01000-memory.dmp

Filesize
3.3MB

Download
memory/1636-105-0x00007FF6B49B0000-0x00007FF6B4D01000-memory.dmp

Filesize
3.3MB

Download
memory/1640-129-0x00007FF6789E0000-0x00007FF678D31000-memory.dmp

Filesize
3.3MB

Download
memory/1640-163-0x00007FF6789E0000-0x00007FF678D31000-memory.dmp

Filesize
3.3MB

Download
memory/1640-272-0x00007FF6789E0000-0x00007FF678D31000-memory.dmp

Filesize
3.3MB

Download
memory/1880-227-0x00007FF7EA5E0000-0x00007FF7EA931000-memory.dmp

Filesize
3.3MB

Download
memory/1880-118-0x00007FF7EA5E0000-0x00007FF7EA931000-memory.dmp

Filesize
3.3MB

Download
memory/1880-14-0x00007FF7EA5E0000-0x00007FF7EA931000-memory.dmp

Filesize
3.3MB

Download
memory/1912-233-0x00007FF794640000-0x00007FF794991000-memory.dmp

Filesize
3.3MB

Download
memory/1912-134-0x00007FF794640000-0x00007FF794991000-memory.dmp

Filesize
3.3MB

Download
memory/1912-40-0x00007FF794640000-0x00007FF794991000-memory.dmp

Filesize
3.3MB

Download
memory/1924-68-0x00007FF7D3160000-0x00007FF7D34B1000-memory.dmp

Filesize
3.3MB

Download
memory/1924-239-0x00007FF7D3160000-0x00007FF7D34B1000-memory.dmp

Filesize
3.3MB

Download
memory/2000-165-0x00007FF6D6390000-0x00007FF6D66E1000-memory.dmp

Filesize
3.3MB

Download
memory/2000-0-0x00007FF6D6390000-0x00007FF6D66E1000-memory.dmp

Filesize
3.3MB

Download
memory/2000-110-0x00007FF6D6390000-0x00007FF6D66E1000-memory.dmp

Filesize
3.3MB

Download
memory/2000-141-0x00007FF6D6390000-0x00007FF6D66E1000-memory.dmp

Filesize
3.3MB

Download
memory/2000-1-0x000001F9AD650000-0x000001F9AD660000-memory.dmp

Filesize
64KB

Download
memory/2032-263-0x00007FF688630000-0x00007FF688981000-memory.dmp

Filesize
3.3MB

Download
memory/2032-97-0x00007FF688630000-0x00007FF688981000-memory.dmp

Filesize
3.3MB

Download
memory/2032-152-0x00007FF688630000-0x00007FF688981000-memory.dmp

Filesize
3.3MB

Download
memory/2072-264-0x00007FF6D33E0000-0x00007FF6D3731000-memory.dmp

Filesize
3.3MB

Download
memory/2072-140-0x00007FF6D33E0000-0x00007FF6D3731000-memory.dmp

Filesize
3.3MB

Download
memory/2072-100-0x00007FF6D33E0000-0x00007FF6D3731000-memory.dmp

Filesize
3.3MB

Download
memory/2328-120-0x00007FF601BA0000-0x00007FF601EF1000-memory.dmp

Filesize
3.3MB

Download
memory/2328-268-0x00007FF601BA0000-0x00007FF601EF1000-memory.dmp

Filesize
3.3MB

Download
memory/2328-161-0x00007FF601BA0000-0x00007FF601EF1000-memory.dmp

Filesize
3.3MB

Download
memory/2628-117-0x00007FF6715B0000-0x00007FF671901000-memory.dmp

Filesize
3.3MB

Download
memory/2628-7-0x00007FF6715B0000-0x00007FF671901000-memory.dmp

Filesize
3.3MB

Download
memory/2628-225-0x00007FF6715B0000-0x00007FF671901000-memory.dmp

Filesize
3.3MB

Download
memory/2644-231-0x00007FF7F0160000-0x00007FF7F04B1000-memory.dmp

Filesize
3.3MB

Download
memory/2644-132-0x00007FF7F0160000-0x00007FF7F04B1000-memory.dmp

Filesize
3.3MB

Download
memory/2644-27-0x00007FF7F0160000-0x00007FF7F04B1000-memory.dmp

Filesize
3.3MB

Download
memory/2652-255-0x00007FF7723F0000-0x00007FF772741000-memory.dmp

Filesize
3.3MB

Download
memory/2652-87-0x00007FF7723F0000-0x00007FF772741000-memory.dmp

Filesize
3.3MB

Download
memory/2852-136-0x00007FF6D6030000-0x00007FF6D6381000-memory.dmp

Filesize
3.3MB

Download
memory/2852-60-0x00007FF6D6030000-0x00007FF6D6381000-memory.dmp

Filesize
3.3MB

Download
memory/2852-241-0x00007FF6D6030000-0x00007FF6D6381000-memory.dmp

Filesize
3.3MB

Download
memory/3120-237-0x00007FF6104B0000-0x00007FF610801000-memory.dmp

Filesize
3.3MB

Download
memory/3120-56-0x00007FF6104B0000-0x00007FF610801000-memory.dmp

Filesize
3.3MB

Download
memory/3356-256-0x00007FF7A38B0000-0x00007FF7A3C01000-memory.dmp

Filesize
3.3MB

Download
memory/3356-138-0x00007FF7A38B0000-0x00007FF7A3C01000-memory.dmp

Filesize
3.3MB

Download
memory/3356-77-0x00007FF7A38B0000-0x00007FF7A3C01000-memory.dmp

Filesize
3.3MB

Download
memory/3684-137-0x00007FF66EF10000-0x00007FF66F261000-memory.dmp

Filesize
3.3MB

Download
memory/3684-250-0x00007FF66EF10000-0x00007FF66F261000-memory.dmp

Filesize
3.3MB

Download
memory/3684-74-0x00007FF66EF10000-0x00007FF66F261000-memory.dmp

Filesize
3.3MB

Download
memory/4020-124-0x00007FF617360000-0x00007FF6176B1000-memory.dmp

Filesize
3.3MB

Download
memory/4020-162-0x00007FF617360000-0x00007FF6176B1000-memory.dmp

Filesize
3.3MB

Download
memory/4020-270-0x00007FF617360000-0x00007FF6176B1000-memory.dmp

Filesize
3.3MB

Download
memory/4292-67-0x00007FF71FA50000-0x00007FF71FDA1000-memory.dmp

Filesize
3.3MB

Download
memory/4292-135-0x00007FF71FA50000-0x00007FF71FDA1000-memory.dmp

Filesize
3.3MB

Download
memory/4292-252-0x00007FF71FA50000-0x00007FF71FDA1000-memory.dmp

Filesize
3.3MB

Download
memory/4604-116-0x00007FF70F540000-0x00007FF70F891000-memory.dmp

Filesize
3.3MB

Download
memory/4604-266-0x00007FF70F540000-0x00007FF70F891000-memory.dmp

Filesize
3.3MB

Download
memory/4604-164-0x00007FF70F540000-0x00007FF70F891000-memory.dmp

Filesize
3.3MB

Download
memory/4924-121-0x00007FF722640000-0x00007FF722991000-memory.dmp

Filesize
3.3MB

Download
memory/4924-25-0x00007FF722640000-0x00007FF722991000-memory.dmp

Filesize
3.3MB

Download
memory/4924-229-0x00007FF722640000-0x00007FF722991000-memory.dmp

Filesize
3.3MB

Download