cobaltstrike | 3b93341ef93ca522f712dac237d70887f4c315227c7c4ff28eda54034ab69747

Analysis

max time kernel
140s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-12-2024 04:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-19_aa9466aa73aceeab83d5ca2fafd78901_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

aa9466aa73aceeab83d5ca2fafd78901
SHA1

48a27176146b874d5aec6953681197606099f630
SHA256

3b93341ef93ca522f712dac237d70887f4c315227c7c4ff28eda54034ab69747
SHA512

d66fee4d87dc25c40ebd265ac5a56bef15886fc4d29e93486891b259fe55918cc40c0ba6a7bc15f543c07b594ee9fe6e0777e4e3c818acf2d9df45746e2aa9b7
SSDEEP

49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lV:RWWBibd56utgpPFotBER/mQ32lUR

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000c000000023b92-4.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b99-11.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9a-10.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9b-25.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9c-28.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b9d-35.dat	cobalt_reflective_dll
behavioral2/files/0x000c000000023b96-43.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b9f-51.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b9e-52.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba7-58.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023bbc-70.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bb7-69.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023bbe-88.dat	cobalt_reflective_dll
behavioral2/files/0x000e000000023bc2-102.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bc4-104.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023bbd-87.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bc9-119.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bca-122.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bf9-135.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bc8-125.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bc7-123.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/1308-61-0x00007FF7ABEB0000-0x00007FF7AC201000-memory.dmp	xmrig
behavioral2/memory/4852-98-0x00007FF63BEF0000-0x00007FF63C241000-memory.dmp	xmrig
behavioral2/memory/4116-101-0x00007FF788140000-0x00007FF788491000-memory.dmp	xmrig
behavioral2/memory/3252-85-0x00007FF7CF5A0000-0x00007FF7CF8F1000-memory.dmp	xmrig
behavioral2/memory/4856-82-0x00007FF7D7E70000-0x00007FF7D81C1000-memory.dmp	xmrig
behavioral2/memory/3244-77-0x00007FF7CC7B0000-0x00007FF7CCB01000-memory.dmp	xmrig
behavioral2/memory/4860-60-0x00007FF75CE90000-0x00007FF75D1E1000-memory.dmp	xmrig
behavioral2/memory/760-106-0x00007FF617690000-0x00007FF6179E1000-memory.dmp	xmrig
behavioral2/memory/1016-107-0x00007FF7349B0000-0x00007FF734D01000-memory.dmp	xmrig
behavioral2/memory/960-131-0x00007FF6C1F30000-0x00007FF6C2281000-memory.dmp	xmrig
behavioral2/memory/1444-130-0x00007FF7C6E80000-0x00007FF7C71D1000-memory.dmp	xmrig
behavioral2/memory/5100-115-0x00007FF72F370000-0x00007FF72F6C1000-memory.dmp	xmrig
behavioral2/memory/212-140-0x00007FF6EDA10000-0x00007FF6EDD61000-memory.dmp	xmrig
behavioral2/memory/2128-139-0x00007FF6ED7E0000-0x00007FF6EDB31000-memory.dmp	xmrig
behavioral2/memory/2992-141-0x00007FF7F1080000-0x00007FF7F13D1000-memory.dmp	xmrig
behavioral2/memory/4860-142-0x00007FF75CE90000-0x00007FF75D1E1000-memory.dmp	xmrig
behavioral2/memory/3060-148-0x00007FF625320000-0x00007FF625671000-memory.dmp	xmrig
behavioral2/memory/4320-155-0x00007FF612930000-0x00007FF612C81000-memory.dmp	xmrig
behavioral2/memory/4636-154-0x00007FF6FBC50000-0x00007FF6FBFA1000-memory.dmp	xmrig
behavioral2/memory/5024-162-0x00007FF757300000-0x00007FF757651000-memory.dmp	xmrig
behavioral2/memory/4312-163-0x00007FF637250000-0x00007FF6375A1000-memory.dmp	xmrig
behavioral2/memory/3960-167-0x00007FF6E9A50000-0x00007FF6E9DA1000-memory.dmp	xmrig
behavioral2/memory/2148-168-0x00007FF729800000-0x00007FF729B51000-memory.dmp	xmrig
behavioral2/memory/4860-169-0x00007FF75CE90000-0x00007FF75D1E1000-memory.dmp	xmrig
behavioral2/memory/1308-220-0x00007FF7ABEB0000-0x00007FF7AC201000-memory.dmp	xmrig
behavioral2/memory/3244-222-0x00007FF7CC7B0000-0x00007FF7CCB01000-memory.dmp	xmrig
behavioral2/memory/4856-224-0x00007FF7D7E70000-0x00007FF7D81C1000-memory.dmp	xmrig
behavioral2/memory/3252-226-0x00007FF7CF5A0000-0x00007FF7CF8F1000-memory.dmp	xmrig
behavioral2/memory/4852-233-0x00007FF63BEF0000-0x00007FF63C241000-memory.dmp	xmrig
behavioral2/memory/4116-235-0x00007FF788140000-0x00007FF788491000-memory.dmp	xmrig
behavioral2/memory/760-237-0x00007FF617690000-0x00007FF6179E1000-memory.dmp	xmrig
behavioral2/memory/1016-239-0x00007FF7349B0000-0x00007FF734D01000-memory.dmp	xmrig
behavioral2/memory/5100-241-0x00007FF72F370000-0x00007FF72F6C1000-memory.dmp	xmrig
behavioral2/memory/1444-250-0x00007FF7C6E80000-0x00007FF7C71D1000-memory.dmp	xmrig
behavioral2/memory/2128-252-0x00007FF6ED7E0000-0x00007FF6EDB31000-memory.dmp	xmrig
behavioral2/memory/212-254-0x00007FF6EDA10000-0x00007FF6EDD61000-memory.dmp	xmrig
behavioral2/memory/3060-256-0x00007FF625320000-0x00007FF625671000-memory.dmp	xmrig
behavioral2/memory/2992-258-0x00007FF7F1080000-0x00007FF7F13D1000-memory.dmp	xmrig
behavioral2/memory/4636-261-0x00007FF6FBC50000-0x00007FF6FBFA1000-memory.dmp	xmrig
behavioral2/memory/4320-262-0x00007FF612930000-0x00007FF612C81000-memory.dmp	xmrig
behavioral2/memory/5024-268-0x00007FF757300000-0x00007FF757651000-memory.dmp	xmrig
behavioral2/memory/960-270-0x00007FF6C1F30000-0x00007FF6C2281000-memory.dmp	xmrig
behavioral2/memory/2148-273-0x00007FF729800000-0x00007FF729B51000-memory.dmp	xmrig
behavioral2/memory/3960-275-0x00007FF6E9A50000-0x00007FF6E9DA1000-memory.dmp	xmrig
behavioral2/memory/4312-276-0x00007FF637250000-0x00007FF6375A1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
1308	ozLcann.exe
3244	mARjOOG.exe
4856	ypvrGSK.exe
3252	JhzwoDT.exe
4852	qoNbNGX.exe
4116	KHUgrjz.exe
760	oLeTgRr.exe
1016	aOrFyCl.exe
5100	cNsovYy.exe
1444	bHwaWZr.exe
2128	DMSGrWr.exe
212	bjcVSLw.exe
2992	HBhqFgW.exe
3060	UDtjpff.exe
4636	tlbivsI.exe
4320	ZidUtck.exe
5024	bzGotWh.exe
960	jyoOqnO.exe
4312	NsbywvO.exe
2148	qWHgpJq.exe
3960	HJJgsTa.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4860-0-0x00007FF75CE90000-0x00007FF75D1E1000-memory.dmp	upx
behavioral2/files/0x000c000000023b92-4.dat	upx
behavioral2/files/0x000a000000023b99-11.dat	upx
behavioral2/files/0x000a000000023b9a-10.dat	upx
behavioral2/memory/3244-13-0x00007FF7CC7B0000-0x00007FF7CCB01000-memory.dmp	upx
behavioral2/files/0x000a000000023b9b-25.dat	upx
behavioral2/memory/3252-24-0x00007FF7CF5A0000-0x00007FF7CF8F1000-memory.dmp	upx
behavioral2/memory/4856-23-0x00007FF7D7E70000-0x00007FF7D81C1000-memory.dmp	upx
behavioral2/memory/1308-8-0x00007FF7ABEB0000-0x00007FF7AC201000-memory.dmp	upx
behavioral2/files/0x000a000000023b9c-28.dat	upx
behavioral2/memory/4852-33-0x00007FF63BEF0000-0x00007FF63C241000-memory.dmp	upx
behavioral2/files/0x000b000000023b9d-35.dat	upx
behavioral2/files/0x000c000000023b96-43.dat	upx
behavioral2/files/0x000b000000023b9f-51.dat	upx
behavioral2/files/0x000b000000023b9e-52.dat	upx
behavioral2/memory/5100-54-0x00007FF72F370000-0x00007FF72F6C1000-memory.dmp	upx
behavioral2/memory/1016-50-0x00007FF7349B0000-0x00007FF734D01000-memory.dmp	upx
behavioral2/memory/760-42-0x00007FF617690000-0x00007FF6179E1000-memory.dmp	upx
behavioral2/memory/4116-36-0x00007FF788140000-0x00007FF788491000-memory.dmp	upx
behavioral2/files/0x000a000000023ba7-58.dat	upx
behavioral2/memory/1308-61-0x00007FF7ABEB0000-0x00007FF7AC201000-memory.dmp	upx
behavioral2/files/0x0009000000023bbc-70.dat	upx
behavioral2/files/0x0008000000023bb7-69.dat	upx
behavioral2/memory/3060-86-0x00007FF625320000-0x00007FF625671000-memory.dmp	upx
behavioral2/files/0x0009000000023bbe-88.dat	upx
behavioral2/memory/4852-98-0x00007FF63BEF0000-0x00007FF63C241000-memory.dmp	upx
behavioral2/files/0x000e000000023bc2-102.dat	upx
behavioral2/files/0x0008000000023bc4-104.dat	upx
behavioral2/memory/4116-101-0x00007FF788140000-0x00007FF788491000-memory.dmp	upx
behavioral2/memory/4320-100-0x00007FF612930000-0x00007FF612C81000-memory.dmp	upx
behavioral2/memory/4636-99-0x00007FF6FBC50000-0x00007FF6FBFA1000-memory.dmp	upx
behavioral2/files/0x0009000000023bbd-87.dat	upx
behavioral2/memory/3252-85-0x00007FF7CF5A0000-0x00007FF7CF8F1000-memory.dmp	upx
behavioral2/memory/2992-83-0x00007FF7F1080000-0x00007FF7F13D1000-memory.dmp	upx
behavioral2/memory/4856-82-0x00007FF7D7E70000-0x00007FF7D81C1000-memory.dmp	upx
behavioral2/memory/3244-77-0x00007FF7CC7B0000-0x00007FF7CCB01000-memory.dmp	upx
behavioral2/memory/212-74-0x00007FF6EDA10000-0x00007FF6EDD61000-memory.dmp	upx
behavioral2/memory/2128-71-0x00007FF6ED7E0000-0x00007FF6EDB31000-memory.dmp	upx
behavioral2/memory/1444-66-0x00007FF7C6E80000-0x00007FF7C71D1000-memory.dmp	upx
behavioral2/memory/4860-60-0x00007FF75CE90000-0x00007FF75D1E1000-memory.dmp	upx
behavioral2/memory/760-106-0x00007FF617690000-0x00007FF6179E1000-memory.dmp	upx
behavioral2/memory/1016-107-0x00007FF7349B0000-0x00007FF734D01000-memory.dmp	upx
behavioral2/files/0x0008000000023bc9-119.dat	upx
behavioral2/files/0x0008000000023bca-122.dat	upx
behavioral2/memory/2148-136-0x00007FF729800000-0x00007FF729B51000-memory.dmp	upx
behavioral2/files/0x0008000000023bf9-135.dat	upx
behavioral2/memory/960-131-0x00007FF6C1F30000-0x00007FF6C2281000-memory.dmp	upx
behavioral2/memory/1444-130-0x00007FF7C6E80000-0x00007FF7C71D1000-memory.dmp	upx
behavioral2/memory/4312-126-0x00007FF637250000-0x00007FF6375A1000-memory.dmp	upx
behavioral2/files/0x0008000000023bc8-125.dat	upx
behavioral2/files/0x0008000000023bc7-123.dat	upx
behavioral2/memory/5024-120-0x00007FF757300000-0x00007FF757651000-memory.dmp	upx
behavioral2/memory/5100-115-0x00007FF72F370000-0x00007FF72F6C1000-memory.dmp	upx
behavioral2/memory/3960-138-0x00007FF6E9A50000-0x00007FF6E9DA1000-memory.dmp	upx
behavioral2/memory/212-140-0x00007FF6EDA10000-0x00007FF6EDD61000-memory.dmp	upx
behavioral2/memory/2128-139-0x00007FF6ED7E0000-0x00007FF6EDB31000-memory.dmp	upx
behavioral2/memory/2992-141-0x00007FF7F1080000-0x00007FF7F13D1000-memory.dmp	upx
behavioral2/memory/4860-142-0x00007FF75CE90000-0x00007FF75D1E1000-memory.dmp	upx
behavioral2/memory/3060-148-0x00007FF625320000-0x00007FF625671000-memory.dmp	upx
behavioral2/memory/4320-155-0x00007FF612930000-0x00007FF612C81000-memory.dmp	upx
behavioral2/memory/4636-154-0x00007FF6FBC50000-0x00007FF6FBFA1000-memory.dmp	upx
behavioral2/memory/5024-162-0x00007FF757300000-0x00007FF757651000-memory.dmp	upx
behavioral2/memory/4312-163-0x00007FF637250000-0x00007FF6375A1000-memory.dmp	upx
behavioral2/memory/3960-167-0x00007FF6E9A50000-0x00007FF6E9DA1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\ypvrGSK.exe	2024-12-19_aa9466aa73aceeab83d5ca2fafd78901_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JhzwoDT.exe	2024-12-19_aa9466aa73aceeab83d5ca2fafd78901_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bjcVSLw.exe	2024-12-19_aa9466aa73aceeab83d5ca2fafd78901_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZidUtck.exe	2024-12-19_aa9466aa73aceeab83d5ca2fafd78901_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bzGotWh.exe	2024-12-19_aa9466aa73aceeab83d5ca2fafd78901_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qWHgpJq.exe	2024-12-19_aa9466aa73aceeab83d5ca2fafd78901_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ozLcann.exe	2024-12-19_aa9466aa73aceeab83d5ca2fafd78901_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mARjOOG.exe	2024-12-19_aa9466aa73aceeab83d5ca2fafd78901_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cNsovYy.exe	2024-12-19_aa9466aa73aceeab83d5ca2fafd78901_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jyoOqnO.exe	2024-12-19_aa9466aa73aceeab83d5ca2fafd78901_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HJJgsTa.exe	2024-12-19_aa9466aa73aceeab83d5ca2fafd78901_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NsbywvO.exe	2024-12-19_aa9466aa73aceeab83d5ca2fafd78901_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qoNbNGX.exe	2024-12-19_aa9466aa73aceeab83d5ca2fafd78901_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KHUgrjz.exe	2024-12-19_aa9466aa73aceeab83d5ca2fafd78901_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oLeTgRr.exe	2024-12-19_aa9466aa73aceeab83d5ca2fafd78901_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DMSGrWr.exe	2024-12-19_aa9466aa73aceeab83d5ca2fafd78901_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HBhqFgW.exe	2024-12-19_aa9466aa73aceeab83d5ca2fafd78901_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UDtjpff.exe	2024-12-19_aa9466aa73aceeab83d5ca2fafd78901_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tlbivsI.exe	2024-12-19_aa9466aa73aceeab83d5ca2fafd78901_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aOrFyCl.exe	2024-12-19_aa9466aa73aceeab83d5ca2fafd78901_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bHwaWZr.exe	2024-12-19_aa9466aa73aceeab83d5ca2fafd78901_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4860	2024-12-19_aa9466aa73aceeab83d5ca2fafd78901_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4860	2024-12-19_aa9466aa73aceeab83d5ca2fafd78901_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4860 wrote to memory of 1308	4860	2024-12-19_aa9466aa73aceeab83d5ca2fafd78901_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 4860 wrote to memory of 1308	4860	2024-12-19_aa9466aa73aceeab83d5ca2fafd78901_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 4860 wrote to memory of 3244	4860	2024-12-19_aa9466aa73aceeab83d5ca2fafd78901_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4860 wrote to memory of 3244	4860	2024-12-19_aa9466aa73aceeab83d5ca2fafd78901_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4860 wrote to memory of 4856	4860	2024-12-19_aa9466aa73aceeab83d5ca2fafd78901_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4860 wrote to memory of 4856	4860	2024-12-19_aa9466aa73aceeab83d5ca2fafd78901_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4860 wrote to memory of 3252	4860	2024-12-19_aa9466aa73aceeab83d5ca2fafd78901_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4860 wrote to memory of 3252	4860	2024-12-19_aa9466aa73aceeab83d5ca2fafd78901_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4860 wrote to memory of 4852	4860	2024-12-19_aa9466aa73aceeab83d5ca2fafd78901_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4860 wrote to memory of 4852	4860	2024-12-19_aa9466aa73aceeab83d5ca2fafd78901_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4860 wrote to memory of 4116	4860	2024-12-19_aa9466aa73aceeab83d5ca2fafd78901_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4860 wrote to memory of 4116	4860	2024-12-19_aa9466aa73aceeab83d5ca2fafd78901_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4860 wrote to memory of 760	4860	2024-12-19_aa9466aa73aceeab83d5ca2fafd78901_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4860 wrote to memory of 760	4860	2024-12-19_aa9466aa73aceeab83d5ca2fafd78901_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4860 wrote to memory of 1016	4860	2024-12-19_aa9466aa73aceeab83d5ca2fafd78901_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4860 wrote to memory of 1016	4860	2024-12-19_aa9466aa73aceeab83d5ca2fafd78901_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4860 wrote to memory of 5100	4860	2024-12-19_aa9466aa73aceeab83d5ca2fafd78901_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4860 wrote to memory of 5100	4860	2024-12-19_aa9466aa73aceeab83d5ca2fafd78901_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4860 wrote to memory of 1444	4860	2024-12-19_aa9466aa73aceeab83d5ca2fafd78901_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4860 wrote to memory of 1444	4860	2024-12-19_aa9466aa73aceeab83d5ca2fafd78901_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4860 wrote to memory of 2128	4860	2024-12-19_aa9466aa73aceeab83d5ca2fafd78901_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4860 wrote to memory of 2128	4860	2024-12-19_aa9466aa73aceeab83d5ca2fafd78901_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4860 wrote to memory of 212	4860	2024-12-19_aa9466aa73aceeab83d5ca2fafd78901_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4860 wrote to memory of 212	4860	2024-12-19_aa9466aa73aceeab83d5ca2fafd78901_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4860 wrote to memory of 2992	4860	2024-12-19_aa9466aa73aceeab83d5ca2fafd78901_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4860 wrote to memory of 2992	4860	2024-12-19_aa9466aa73aceeab83d5ca2fafd78901_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4860 wrote to memory of 3060	4860	2024-12-19_aa9466aa73aceeab83d5ca2fafd78901_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4860 wrote to memory of 3060	4860	2024-12-19_aa9466aa73aceeab83d5ca2fafd78901_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4860 wrote to memory of 4636	4860	2024-12-19_aa9466aa73aceeab83d5ca2fafd78901_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4860 wrote to memory of 4636	4860	2024-12-19_aa9466aa73aceeab83d5ca2fafd78901_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4860 wrote to memory of 4320	4860	2024-12-19_aa9466aa73aceeab83d5ca2fafd78901_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4860 wrote to memory of 4320	4860	2024-12-19_aa9466aa73aceeab83d5ca2fafd78901_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4860 wrote to memory of 5024	4860	2024-12-19_aa9466aa73aceeab83d5ca2fafd78901_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4860 wrote to memory of 5024	4860	2024-12-19_aa9466aa73aceeab83d5ca2fafd78901_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4860 wrote to memory of 960	4860	2024-12-19_aa9466aa73aceeab83d5ca2fafd78901_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4860 wrote to memory of 960	4860	2024-12-19_aa9466aa73aceeab83d5ca2fafd78901_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4860 wrote to memory of 4312	4860	2024-12-19_aa9466aa73aceeab83d5ca2fafd78901_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4860 wrote to memory of 4312	4860	2024-12-19_aa9466aa73aceeab83d5ca2fafd78901_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4860 wrote to memory of 2148	4860	2024-12-19_aa9466aa73aceeab83d5ca2fafd78901_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4860 wrote to memory of 2148	4860	2024-12-19_aa9466aa73aceeab83d5ca2fafd78901_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4860 wrote to memory of 3960	4860	2024-12-19_aa9466aa73aceeab83d5ca2fafd78901_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4860 wrote to memory of 3960	4860	2024-12-19_aa9466aa73aceeab83d5ca2fafd78901_cobalt-strike_cobaltstrike_poet-rat.exe	103

C:\Users\Admin\AppData\Local\Temp\2024-12-19_aa9466aa73aceeab83d5ca2fafd78901_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-19_aa9466aa73aceeab83d5ca2fafd78901_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4860
- C:\Windows\System\ozLcann.exe
  C:\Windows\System\ozLcann.exe
  2⤵
  - Executes dropped EXE
  PID:1308
- C:\Windows\System\mARjOOG.exe
  C:\Windows\System\mARjOOG.exe
  2⤵
  - Executes dropped EXE
  PID:3244
- C:\Windows\System\ypvrGSK.exe
  C:\Windows\System\ypvrGSK.exe
  2⤵
  - Executes dropped EXE
  PID:4856
- C:\Windows\System\JhzwoDT.exe
  C:\Windows\System\JhzwoDT.exe
  2⤵
  - Executes dropped EXE
  PID:3252
- C:\Windows\System\qoNbNGX.exe
  C:\Windows\System\qoNbNGX.exe
  2⤵
  - Executes dropped EXE
  PID:4852
- C:\Windows\System\KHUgrjz.exe
  C:\Windows\System\KHUgrjz.exe
  2⤵
  - Executes dropped EXE
  PID:4116
- C:\Windows\System\oLeTgRr.exe
  C:\Windows\System\oLeTgRr.exe
  2⤵
  - Executes dropped EXE
  PID:760
- C:\Windows\System\aOrFyCl.exe
  C:\Windows\System\aOrFyCl.exe
  2⤵
  - Executes dropped EXE
  PID:1016
- C:\Windows\System\cNsovYy.exe
  C:\Windows\System\cNsovYy.exe
  2⤵
  - Executes dropped EXE
  PID:5100
- C:\Windows\System\bHwaWZr.exe
  C:\Windows\System\bHwaWZr.exe
  2⤵
  - Executes dropped EXE
  PID:1444
- C:\Windows\System\DMSGrWr.exe
  C:\Windows\System\DMSGrWr.exe
  2⤵
  - Executes dropped EXE
  PID:2128
- C:\Windows\System\bjcVSLw.exe
  C:\Windows\System\bjcVSLw.exe
  2⤵
  - Executes dropped EXE
  PID:212
- C:\Windows\System\HBhqFgW.exe
  C:\Windows\System\HBhqFgW.exe
  2⤵
  - Executes dropped EXE
  PID:2992
- C:\Windows\System\UDtjpff.exe
  C:\Windows\System\UDtjpff.exe
  2⤵
  - Executes dropped EXE
  PID:3060
- C:\Windows\System\tlbivsI.exe
  C:\Windows\System\tlbivsI.exe
  2⤵
  - Executes dropped EXE
  PID:4636
- C:\Windows\System\ZidUtck.exe
  C:\Windows\System\ZidUtck.exe
  2⤵
  - Executes dropped EXE
  PID:4320
- C:\Windows\System\bzGotWh.exe
  C:\Windows\System\bzGotWh.exe
  2⤵
  - Executes dropped EXE
  PID:5024
- C:\Windows\System\jyoOqnO.exe
  C:\Windows\System\jyoOqnO.exe
  2⤵
  - Executes dropped EXE
  PID:960
- C:\Windows\System\NsbywvO.exe
  C:\Windows\System\NsbywvO.exe
  2⤵
  - Executes dropped EXE
  PID:4312
- C:\Windows\System\qWHgpJq.exe
  C:\Windows\System\qWHgpJq.exe
  2⤵
  - Executes dropped EXE
  PID:2148
- C:\Windows\System\HJJgsTa.exe
  C:\Windows\System\HJJgsTa.exe
  2⤵
  - Executes dropped EXE
  PID:3960

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\DMSGrWr.exe

Filesize
5.2MB

MD5
653e335cf05e690e25096bfac55b1c80

SHA1
ad618bc8682c26ca0b790624736af6093cf3a51f

SHA256
a4015db0a90eca61629b70f1613b255462d07b085562058b9b304f439921723e

SHA512
b8159aab7afd1b55c451a1d6dff61b6e703d26591297b658048a4c6809268b70979ea10c2fd2474b9f7906909f8bd80017b3fddec569eedc2befa13d2f44cd1f

Download Submit
C:\Windows\System\HBhqFgW.exe

Filesize
5.2MB

MD5
8ed3f22fb9e50c53d6f6b373639c3f95

SHA1
3b284e756d3f607025e1ec10dddfe9f9ef4523ca

SHA256
2bb0f7b1ed6fa47b01329466f5a69e79ade7de4ce3b5bd0e8bff2e80fc9f11cb

SHA512
802512ed8a0cb9dd26d7ee8ec9dd17efd74a9eb8a43bbea82c179fef749020393caa2a1948fd7e57900cb938307f8bea31a4820d1dfec3462aedbc077712868a

Download Submit
C:\Windows\System\HJJgsTa.exe

Filesize
5.2MB

MD5
f8a764fe455fcb0080dcd710d15791e9

SHA1
4ac58867bfb563cefef0e8b492f02a2303d5bfa5

SHA256
0d546e3032830ce102b59d46741662474ebb1675c3046fb816488f1108233d67

SHA512
16e37b7f00235d6f7e10df31648e296353ca455e5f586ea2d90a7fa63f6b432deed25874774c551e4fefebfe270b612163d91303b8e383489bca829fa8778370

Download Submit
C:\Windows\System\JhzwoDT.exe

Filesize
5.2MB

MD5
719eaf9c33884d1fe52e9839765a35a3

SHA1
016d9d3f98fb9f876fed20e1a3e7383d1e445a05

SHA256
9da04135134d99223a1204fa4f429712cda167bd9042e9427ead230c25d514cc

SHA512
994e57599e6bd885658d0bc3579b3e63d5c7cc67d9b05fcc70174c58253f3db28d96a9f2f01f3283a956b91e4bb3b6b1c663d36f1873cc0de40c2cd884a6431e

Download Submit
C:\Windows\System\KHUgrjz.exe

Filesize
5.2MB

MD5
43537eb3f2395d0c6bcd1eacb323a4fd

SHA1
66547ae18ff3d8319ed25390e1763339998cb7b0

SHA256
90836b4a2327fc96102876cc6ddd9fc164e258dd983364b2a1f051641ab5eb75

SHA512
3abe138b743e3a759bc125484caf6c055fa4706d618d18332673092451a9e4408847326adcb1d2b799456918c19c36e281030025f81996ccea40548a56e4cd39

Download Submit
C:\Windows\System\NsbywvO.exe

Filesize
5.2MB

MD5
887569b13d1f96fb23a875be5f76477b

SHA1
bc5052914f7f5d05feadbe048b995f58a0f19b22

SHA256
b65bd85b26aa7c6c3421f65c677387c6f5b03ca860f2139cd719bf797361e050

SHA512
4b59464f73e98f4daf3d923ce4725d7337c0f700b5024505d27f148b45f5f090a330c27e03cff104445c8c1a1d5d734de5cc18d3c348dabb92567b13c6c9dadc

Download Submit
C:\Windows\System\UDtjpff.exe

Filesize
5.2MB

MD5
aef79637a73e2d29f9be82d07ea966d5

SHA1
cee528701cdbe4be69745ed9237ca4a41f6a7740

SHA256
2eed8234af5f2ef5c77f5e1bef571272729c2f585790b9559332f28bdea0b820

SHA512
5bce437243278e82757eea1e191a3a831255fb19862a6e915a0df17c45450c715b74aab976239f8262968560c61d37d86c03ce23878ec749459ace309208727f

Download Submit
C:\Windows\System\ZidUtck.exe

Filesize
5.2MB

MD5
33ae595e22fe71df3aa5cde6d5378c30

SHA1
b2804dc24f2a0a1268d63ffcc03416bcc961b2c8

SHA256
5210634bd41b2c0e3c5502e825b636782e33242e614e19ac2072bddc1d2d3a44

SHA512
08704aef061849696a8ac58ccdab7b10bcce029b7bd539fc4d40d50d2f1686313d35de39abf01850ba287d92e16aa600821d6cd6e1075538c889cec926fa8340

Download Submit
C:\Windows\System\aOrFyCl.exe

Filesize
5.2MB

MD5
c887bf6e55175b241d743c587374169b

SHA1
814fa84f18ff5c0efe9c43ac9775e8ca2c245d60

SHA256
cf4380006d2549c53e05111010a8fd47309e10dd59313f1958b225a52975b118

SHA512
094c5b89868fde99a952b6afdc3f79e83b2824bf1b2078d96496ab8e6310c00c5bc39d24cdcde7aa56093a553dcb0b80e4fdbe653eb2bdfe713ad0e29277ecb3

Download Submit
C:\Windows\System\bHwaWZr.exe

Filesize
5.2MB

MD5
01ed6e8474aa5b2581c6a65b29d016fd

SHA1
ad5a280292b475cf2c8e1bc1476f0260c9881a74

SHA256
1070bbf2c57d18ca9d9bcd1a45eb620fce77c5fb22020661ef08acdc2b23ed51

SHA512
a185e7f7af432432e4381043ec4f10fe490d4bd88aa575cd26831ac3900a8908774ec3593b52b150bfff13400b09a0cc1007a22f44d67cf9370f50c7900f71ec

Download Submit
C:\Windows\System\bjcVSLw.exe

Filesize
5.2MB

MD5
aed9982c373058999eeeac92e190c773

SHA1
320fde5bdd805531b21ec9adcc64ca3ea543b63d

SHA256
c29dae1fba12f4d9faa0f217d3853a40921ce7f0b02c97d6d253ed89a17bc0de

SHA512
1c508950190b96a9d9c37d758979b1295c8feb0213b86626d5707fc5801504684f4f089f733049a7ac4af90e289153c451759c48b803a4a9b7a756377fa959a3

Download Submit
C:\Windows\System\bzGotWh.exe

Filesize
5.2MB

MD5
e4fd99afbd95084734620ddd0a42de13

SHA1
4cd3ffa007f2a6b241b930de49cfaea5a1aced49

SHA256
520c5b3d3dc72bf2b9bd26d9a7f15facc1cc1273817f9edecf3a353cfb3ee0a7

SHA512
df297e86aa2cf2bc4353da898676eb97d52517dc129aad21f91c7b70f2ce4f7d49074581778697ba36587a2d27f1f9ae0466ee320adc4486a9fb0d2380804397

Download Submit
C:\Windows\System\cNsovYy.exe

Filesize
5.2MB

MD5
faced6a3c5619b7a784440e330e3b132

SHA1
e4f545d4040c41d1f946dabc1dab0adf06d82643

SHA256
3676b72594b60410dcf0a5de16ea5f55a82808ecafb050db635f219bff71a5a1

SHA512
a05f8689e3b0652869630ba57d3521fd8307685f0a1eece9e1ce4a3d63da08487d1e715a820fe5fef8106aea93655c5565a946b8bafcf8c45a2851254b625064

Download Submit
C:\Windows\System\jyoOqnO.exe

Filesize
5.2MB

MD5
6a2a0fdefbf580b9a0e3186374fd0ebc

SHA1
f5c1dda2ab74607592a6a9fa5323b0b48d828086

SHA256
42bcaa793e2c92ebbcf9c2cb5667785934819c2d88142947dbc385da14c0e642

SHA512
aaa35acabe1b61e912e1e5c282d1098ccf978e641662b0211af0170cc6983c4c124aabc1190a5fecfa270fb10403cbf2290c2941fe98e6ef68047054300be707

Download Submit
C:\Windows\System\mARjOOG.exe

Filesize
5.2MB

MD5
1c06d6b75352b6e698984012d0f4cb0e

SHA1
406452b5f68410ee4defecb29f86a87e61b3b3a2

SHA256
014d2af515be10363e5190c59b3edb7d3340811d9b7dba7d963527a6293c6f04

SHA512
02f37aa8fe2385bec55fdd7d197cacfc735ec2367cae7cd13f9e75499eca687213c0d0e8c0a2e1acf5fe755026466c33afa98e03e6b71aa62ced9735226103cb

Download Submit
C:\Windows\System\oLeTgRr.exe

Filesize
5.2MB

MD5
caa689546328df823134a6a547e9bf10

SHA1
427d2c249b19c0c7e765f8a7bff92ed83a0f1d25

SHA256
0cab8e2e5b28c8066a5829c1fea32824972fad971a66d8432581cd9ad0c6f619

SHA512
0b05f9a615cfd813c90582339895f7f81221f628082755635949c060bb3a537f548c4ac491397e94a8b1f2a6c1d196ecd5b4105068bd3fc68290c2efd9dbdfaa

Download Submit
C:\Windows\System\ozLcann.exe

Filesize
5.2MB

MD5
ba05831615a374d33a5c31ecab84c566

SHA1
0f49a3dbe1dc3de0f85e1b96fe0748b377c70196

SHA256
d00fe1dafe0a2f14704773967c6524e303b0b7cd1b915de82ce95b46e17083ea

SHA512
b9322f0ccc8ae5214a4d0dbf9ea924165193b0b75082723296a0bd8764a444ec625c181bb72b40804a26485401774e14216082cf86d937bbe748693186d928d8

Download Submit
C:\Windows\System\qWHgpJq.exe

Filesize
5.2MB

MD5
7bb6e083af52f3e55b5966bbc9930e62

SHA1
96b7f5a4da7eed17add7f7b69360a6653fe4e2a2

SHA256
caf968abd92dc3a1ce671f9a815030fa0f79cc326e0d1ab50d00587f510d59b4

SHA512
402593670b50012d4d6ab3b111e350f3336af318dfe1900953a10f39645057eb982270a4c60944015b8a5b077b09343ce8f7420d574d73f3bea53f9aa9f2a101

Download Submit
C:\Windows\System\qoNbNGX.exe

Filesize
5.2MB

MD5
27e9c6774e916ef1fe87605ad6fc2d63

SHA1
51a573ff42de76a085e10cc6600cbeacc60ba381

SHA256
ea34a974c507215866226ec97832f14da21d121d3baf23d93a372fa79b2fba0b

SHA512
e495f6cae3c87bf73d15e99793ea3af3e5ca1046fadd0250a5c75d4e67bc6a8f9b126bc19c56320b23bcf73153b934e8db9db0225c4d670f11b2ea8b80c17b02

Download Submit
C:\Windows\System\tlbivsI.exe

Filesize
5.2MB

MD5
3b44da47d63724f9c294454c1295a6c6

SHA1
5c72d0d59a77c42741c33cf48a22257efefc6a28

SHA256
c7be5342df4720514cadf27c13ce86e749341195526bf7b50af26d9a49b28a89

SHA512
6dde91eb4e6fe1c100f811a209ec99b380355d72688a5e0bbe7ee6b375be30ff889dd2c57c1dbe0b191c6bd8726301e86b09722ccafee4f0e3c477270c21bf3e

Download Submit
C:\Windows\System\ypvrGSK.exe

Filesize
5.2MB

MD5
105178eeb2aea0f76f152a91a4b999a4

SHA1
6d8c0a46608ef8a376abb5534117dd080eed70de

SHA256
eab5cce5928cbf5dfb8f5eb28cea2cfcfec58a79851dc88d0a063e1215c178e2

SHA512
9996853c2b5c282155d307216cfdc08e560860abff9e7557122f56b65494367548cab72d7dcfcf2a3b3b89eb68546188db319561f7f7dc1010b8dd3f54939d98

Download Submit
memory/212-74-0x00007FF6EDA10000-0x00007FF6EDD61000-memory.dmp

Filesize
3.3MB

Download
memory/212-140-0x00007FF6EDA10000-0x00007FF6EDD61000-memory.dmp

Filesize
3.3MB

Download
memory/212-254-0x00007FF6EDA10000-0x00007FF6EDD61000-memory.dmp

Filesize
3.3MB

Download
memory/760-106-0x00007FF617690000-0x00007FF6179E1000-memory.dmp

Filesize
3.3MB

Download
memory/760-42-0x00007FF617690000-0x00007FF6179E1000-memory.dmp

Filesize
3.3MB

Download
memory/760-237-0x00007FF617690000-0x00007FF6179E1000-memory.dmp

Filesize
3.3MB

Download
memory/960-131-0x00007FF6C1F30000-0x00007FF6C2281000-memory.dmp

Filesize
3.3MB

Download
memory/960-270-0x00007FF6C1F30000-0x00007FF6C2281000-memory.dmp

Filesize
3.3MB

Download
memory/1016-50-0x00007FF7349B0000-0x00007FF734D01000-memory.dmp

Filesize
3.3MB

Download
memory/1016-239-0x00007FF7349B0000-0x00007FF734D01000-memory.dmp

Filesize
3.3MB

Download
memory/1016-107-0x00007FF7349B0000-0x00007FF734D01000-memory.dmp

Filesize
3.3MB

Download
memory/1308-61-0x00007FF7ABEB0000-0x00007FF7AC201000-memory.dmp

Filesize
3.3MB

Download
memory/1308-8-0x00007FF7ABEB0000-0x00007FF7AC201000-memory.dmp

Filesize
3.3MB

Download
memory/1308-220-0x00007FF7ABEB0000-0x00007FF7AC201000-memory.dmp

Filesize
3.3MB

Download
memory/1444-250-0x00007FF7C6E80000-0x00007FF7C71D1000-memory.dmp

Filesize
3.3MB

Download
memory/1444-130-0x00007FF7C6E80000-0x00007FF7C71D1000-memory.dmp

Filesize
3.3MB

Download
memory/1444-66-0x00007FF7C6E80000-0x00007FF7C71D1000-memory.dmp

Filesize
3.3MB

Download
memory/2128-252-0x00007FF6ED7E0000-0x00007FF6EDB31000-memory.dmp

Filesize
3.3MB

Download
memory/2128-139-0x00007FF6ED7E0000-0x00007FF6EDB31000-memory.dmp

Filesize
3.3MB

Download
memory/2128-71-0x00007FF6ED7E0000-0x00007FF6EDB31000-memory.dmp

Filesize
3.3MB

Download
memory/2148-168-0x00007FF729800000-0x00007FF729B51000-memory.dmp

Filesize
3.3MB

Download
memory/2148-273-0x00007FF729800000-0x00007FF729B51000-memory.dmp

Filesize
3.3MB

Download
memory/2148-136-0x00007FF729800000-0x00007FF729B51000-memory.dmp

Filesize
3.3MB

Download
memory/2992-83-0x00007FF7F1080000-0x00007FF7F13D1000-memory.dmp

Filesize
3.3MB

Download
memory/2992-141-0x00007FF7F1080000-0x00007FF7F13D1000-memory.dmp

Filesize
3.3MB

Download
memory/2992-258-0x00007FF7F1080000-0x00007FF7F13D1000-memory.dmp

Filesize
3.3MB

Download
memory/3060-256-0x00007FF625320000-0x00007FF625671000-memory.dmp

Filesize
3.3MB

Download
memory/3060-148-0x00007FF625320000-0x00007FF625671000-memory.dmp

Filesize
3.3MB

Download
memory/3060-86-0x00007FF625320000-0x00007FF625671000-memory.dmp

Filesize
3.3MB

Download
memory/3244-222-0x00007FF7CC7B0000-0x00007FF7CCB01000-memory.dmp

Filesize
3.3MB

Download
memory/3244-13-0x00007FF7CC7B0000-0x00007FF7CCB01000-memory.dmp

Filesize
3.3MB

Download
memory/3244-77-0x00007FF7CC7B0000-0x00007FF7CCB01000-memory.dmp

Filesize
3.3MB

Download
memory/3252-226-0x00007FF7CF5A0000-0x00007FF7CF8F1000-memory.dmp

Filesize
3.3MB

Download
memory/3252-85-0x00007FF7CF5A0000-0x00007FF7CF8F1000-memory.dmp

Filesize
3.3MB

Download
memory/3252-24-0x00007FF7CF5A0000-0x00007FF7CF8F1000-memory.dmp

Filesize
3.3MB

Download
memory/3960-167-0x00007FF6E9A50000-0x00007FF6E9DA1000-memory.dmp

Filesize
3.3MB

Download
memory/3960-275-0x00007FF6E9A50000-0x00007FF6E9DA1000-memory.dmp

Filesize
3.3MB

Download
memory/3960-138-0x00007FF6E9A50000-0x00007FF6E9DA1000-memory.dmp

Filesize
3.3MB

Download
memory/4116-36-0x00007FF788140000-0x00007FF788491000-memory.dmp

Filesize
3.3MB

Download
memory/4116-235-0x00007FF788140000-0x00007FF788491000-memory.dmp

Filesize
3.3MB

Download
memory/4116-101-0x00007FF788140000-0x00007FF788491000-memory.dmp

Filesize
3.3MB

Download
memory/4312-126-0x00007FF637250000-0x00007FF6375A1000-memory.dmp

Filesize
3.3MB

Download
memory/4312-163-0x00007FF637250000-0x00007FF6375A1000-memory.dmp

Filesize
3.3MB

Download
memory/4312-276-0x00007FF637250000-0x00007FF6375A1000-memory.dmp

Filesize
3.3MB

Download
memory/4320-155-0x00007FF612930000-0x00007FF612C81000-memory.dmp

Filesize
3.3MB

Download
memory/4320-100-0x00007FF612930000-0x00007FF612C81000-memory.dmp

Filesize
3.3MB

Download
memory/4320-262-0x00007FF612930000-0x00007FF612C81000-memory.dmp

Filesize
3.3MB

Download
memory/4636-261-0x00007FF6FBC50000-0x00007FF6FBFA1000-memory.dmp

Filesize
3.3MB

Download
memory/4636-154-0x00007FF6FBC50000-0x00007FF6FBFA1000-memory.dmp

Filesize
3.3MB

Download
memory/4636-99-0x00007FF6FBC50000-0x00007FF6FBFA1000-memory.dmp

Filesize
3.3MB

Download
memory/4852-33-0x00007FF63BEF0000-0x00007FF63C241000-memory.dmp

Filesize
3.3MB

Download
memory/4852-98-0x00007FF63BEF0000-0x00007FF63C241000-memory.dmp

Filesize
3.3MB

Download
memory/4852-233-0x00007FF63BEF0000-0x00007FF63C241000-memory.dmp

Filesize
3.3MB

Download
memory/4856-82-0x00007FF7D7E70000-0x00007FF7D81C1000-memory.dmp

Filesize
3.3MB

Download
memory/4856-23-0x00007FF7D7E70000-0x00007FF7D81C1000-memory.dmp

Filesize
3.3MB

Download
memory/4856-224-0x00007FF7D7E70000-0x00007FF7D81C1000-memory.dmp

Filesize
3.3MB

Download
memory/4860-142-0x00007FF75CE90000-0x00007FF75D1E1000-memory.dmp

Filesize
3.3MB

Download
memory/4860-60-0x00007FF75CE90000-0x00007FF75D1E1000-memory.dmp

Filesize
3.3MB

Download
memory/4860-169-0x00007FF75CE90000-0x00007FF75D1E1000-memory.dmp

Filesize
3.3MB

Download
memory/4860-0-0x00007FF75CE90000-0x00007FF75D1E1000-memory.dmp

Filesize
3.3MB

Download
memory/4860-1-0x000001A2E5140000-0x000001A2E5150000-memory.dmp

Filesize
64KB

Download
memory/5024-162-0x00007FF757300000-0x00007FF757651000-memory.dmp

Filesize
3.3MB

Download
memory/5024-268-0x00007FF757300000-0x00007FF757651000-memory.dmp

Filesize
3.3MB

Download
memory/5024-120-0x00007FF757300000-0x00007FF757651000-memory.dmp

Filesize
3.3MB

Download
memory/5100-54-0x00007FF72F370000-0x00007FF72F6C1000-memory.dmp

Filesize
3.3MB

Download
memory/5100-241-0x00007FF72F370000-0x00007FF72F6C1000-memory.dmp

Filesize
3.3MB

Download
memory/5100-115-0x00007FF72F370000-0x00007FF72F6C1000-memory.dmp

Filesize
3.3MB

Download