cobaltstrike | 68247b8c9c7d210489c91382f131c4c4fac64d9d72dc2f83ff08ac5669fa4bfe

Analysis

max time kernel
144s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 02:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-22_6fabe8fa37373ceea870dbb7b8f07447_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

6fabe8fa37373ceea870dbb7b8f07447
SHA1

5d9705daa2851b80d172875e55c7713a379ad242
SHA256

68247b8c9c7d210489c91382f131c4c4fac64d9d72dc2f83ff08ac5669fa4bfe
SHA512

28714b392b88bb2afe882783465dcb53bc740114014476b504446466a092a7880973d45487b75493fed7ca9c5d599505a684d2a47ad948914aae023f5978fe7c
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lj:RWWBibf56utgpPFotBER/mQ32lU3

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000c000000023b21-5.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b77-9.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b78-22.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b79-27.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7b-36.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7d-50.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b80-61.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b82-68.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7f-74.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b87-98.dat	cobalt_reflective_dll
behavioral2/files/0x0031000000023b86-107.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b88-117.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b73-113.dat	cobalt_reflective_dll
behavioral2/files/0x0031000000023b84-111.dat	cobalt_reflective_dll
behavioral2/files/0x0031000000023b85-105.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b83-96.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7e-70.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b81-81.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7a-55.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7c-45.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b76-11.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 46 IoCs

miner

resource	yara_rule
behavioral2/memory/228-122-0x00007FF6FFCF0000-0x00007FF700041000-memory.dmp	xmrig
behavioral2/memory/4472-127-0x00007FF6784B0000-0x00007FF678801000-memory.dmp	xmrig
behavioral2/memory/3140-126-0x00007FF663F50000-0x00007FF6642A1000-memory.dmp	xmrig
behavioral2/memory/4480-125-0x00007FF739230000-0x00007FF739581000-memory.dmp	xmrig
behavioral2/memory/3812-124-0x00007FF702EA0000-0x00007FF7031F1000-memory.dmp	xmrig
behavioral2/memory/3340-123-0x00007FF7D98E0000-0x00007FF7D9C31000-memory.dmp	xmrig
behavioral2/memory/5092-121-0x00007FF7C5670000-0x00007FF7C59C1000-memory.dmp	xmrig
behavioral2/memory/4892-119-0x00007FF7B3660000-0x00007FF7B39B1000-memory.dmp	xmrig
behavioral2/memory/3560-118-0x00007FF7B84B0000-0x00007FF7B8801000-memory.dmp	xmrig
behavioral2/memory/3500-115-0x00007FF6AF9D0000-0x00007FF6AFD21000-memory.dmp	xmrig
behavioral2/memory/4732-104-0x00007FF70AF20000-0x00007FF70B271000-memory.dmp	xmrig
behavioral2/memory/3396-101-0x00007FF692FF0000-0x00007FF693341000-memory.dmp	xmrig
behavioral2/memory/4264-90-0x00007FF6B0FE0000-0x00007FF6B1331000-memory.dmp	xmrig
behavioral2/memory/3876-87-0x00007FF7398F0000-0x00007FF739C41000-memory.dmp	xmrig
behavioral2/memory/232-65-0x00007FF63B2D0000-0x00007FF63B621000-memory.dmp	xmrig
behavioral2/memory/1864-41-0x00007FF76D5E0000-0x00007FF76D931000-memory.dmp	xmrig
behavioral2/memory/4028-23-0x00007FF742670000-0x00007FF7429C1000-memory.dmp	xmrig
behavioral2/memory/3544-32-0x00007FF7C07A0000-0x00007FF7C0AF1000-memory.dmp	xmrig
behavioral2/memory/4072-129-0x00007FF701FD0000-0x00007FF702321000-memory.dmp	xmrig
behavioral2/memory/3532-142-0x00007FF771440000-0x00007FF771791000-memory.dmp	xmrig
behavioral2/memory/4784-131-0x00007FF6A1FD0000-0x00007FF6A2321000-memory.dmp	xmrig
behavioral2/memory/4028-130-0x00007FF742670000-0x00007FF7429C1000-memory.dmp	xmrig
behavioral2/memory/3336-128-0x00007FF7845E0000-0x00007FF784931000-memory.dmp	xmrig
behavioral2/memory/3336-150-0x00007FF7845E0000-0x00007FF784931000-memory.dmp	xmrig
behavioral2/memory/3336-151-0x00007FF7845E0000-0x00007FF784931000-memory.dmp	xmrig
behavioral2/memory/4072-216-0x00007FF701FD0000-0x00007FF702321000-memory.dmp	xmrig
behavioral2/memory/4028-218-0x00007FF742670000-0x00007FF7429C1000-memory.dmp	xmrig
behavioral2/memory/3544-220-0x00007FF7C07A0000-0x00007FF7C0AF1000-memory.dmp	xmrig
behavioral2/memory/1864-222-0x00007FF76D5E0000-0x00007FF76D931000-memory.dmp	xmrig
behavioral2/memory/4784-228-0x00007FF6A1FD0000-0x00007FF6A2321000-memory.dmp	xmrig
behavioral2/memory/232-226-0x00007FF63B2D0000-0x00007FF63B621000-memory.dmp	xmrig
behavioral2/memory/3340-225-0x00007FF7D98E0000-0x00007FF7D9C31000-memory.dmp	xmrig
behavioral2/memory/3812-232-0x00007FF702EA0000-0x00007FF7031F1000-memory.dmp	xmrig
behavioral2/memory/228-231-0x00007FF6FFCF0000-0x00007FF700041000-memory.dmp	xmrig
behavioral2/memory/4264-236-0x00007FF6B0FE0000-0x00007FF6B1331000-memory.dmp	xmrig
behavioral2/memory/3876-234-0x00007FF7398F0000-0x00007FF739C41000-memory.dmp	xmrig
behavioral2/memory/3560-249-0x00007FF7B84B0000-0x00007FF7B8801000-memory.dmp	xmrig
behavioral2/memory/3500-247-0x00007FF6AF9D0000-0x00007FF6AFD21000-memory.dmp	xmrig
behavioral2/memory/4480-256-0x00007FF739230000-0x00007FF739581000-memory.dmp	xmrig
behavioral2/memory/4472-258-0x00007FF6784B0000-0x00007FF678801000-memory.dmp	xmrig
behavioral2/memory/3532-254-0x00007FF771440000-0x00007FF771791000-memory.dmp	xmrig
behavioral2/memory/5092-253-0x00007FF7C5670000-0x00007FF7C59C1000-memory.dmp	xmrig
behavioral2/memory/4892-251-0x00007FF7B3660000-0x00007FF7B39B1000-memory.dmp	xmrig
behavioral2/memory/3140-245-0x00007FF663F50000-0x00007FF6642A1000-memory.dmp	xmrig
behavioral2/memory/4732-243-0x00007FF70AF20000-0x00007FF70B271000-memory.dmp	xmrig
behavioral2/memory/3396-241-0x00007FF692FF0000-0x00007FF693341000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4072	BCyATry.exe
4028	tzVnEzp.exe
4784	BVaGmDU.exe
3544	KoxGjAr.exe
1864	PgaDYrM.exe
228	ssnFrpi.exe
232	LxDRxiy.exe
3340	JSXgewP.exe
3876	DnMlKvt.exe
3812	vzOqALZ.exe
4264	etqlZvJ.exe
3396	MPEnZoK.exe
4480	hIZxNgx.exe
3532	sXrAqbO.exe
4732	zDFYgsU.exe
3140	jFTMRzZ.exe
3500	nQrlwwk.exe
3560	RUDXZxe.exe
4892	AhZICHl.exe
5092	yfsCEAz.exe
4472	naLdgXZ.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3336-0-0x00007FF7845E0000-0x00007FF784931000-memory.dmp	upx
behavioral2/files/0x000c000000023b21-5.dat	upx
behavioral2/files/0x000a000000023b77-9.dat	upx
behavioral2/files/0x000a000000023b78-22.dat	upx
behavioral2/files/0x000a000000023b79-27.dat	upx
behavioral2/files/0x000a000000023b7b-36.dat	upx
behavioral2/files/0x000a000000023b7d-50.dat	upx
behavioral2/files/0x000a000000023b80-61.dat	upx
behavioral2/files/0x000a000000023b82-68.dat	upx
behavioral2/files/0x000a000000023b7f-74.dat	upx
behavioral2/files/0x000a000000023b87-98.dat	upx
behavioral2/files/0x0031000000023b86-107.dat	upx
behavioral2/files/0x000a000000023b88-117.dat	upx
behavioral2/memory/228-122-0x00007FF6FFCF0000-0x00007FF700041000-memory.dmp	upx
behavioral2/memory/4472-127-0x00007FF6784B0000-0x00007FF678801000-memory.dmp	upx
behavioral2/memory/3140-126-0x00007FF663F50000-0x00007FF6642A1000-memory.dmp	upx
behavioral2/memory/4480-125-0x00007FF739230000-0x00007FF739581000-memory.dmp	upx
behavioral2/memory/3812-124-0x00007FF702EA0000-0x00007FF7031F1000-memory.dmp	upx
behavioral2/memory/3340-123-0x00007FF7D98E0000-0x00007FF7D9C31000-memory.dmp	upx
behavioral2/memory/5092-121-0x00007FF7C5670000-0x00007FF7C59C1000-memory.dmp	upx
behavioral2/memory/4892-119-0x00007FF7B3660000-0x00007FF7B39B1000-memory.dmp	upx
behavioral2/memory/3560-118-0x00007FF7B84B0000-0x00007FF7B8801000-memory.dmp	upx
behavioral2/memory/3500-115-0x00007FF6AF9D0000-0x00007FF6AFD21000-memory.dmp	upx
behavioral2/files/0x000b000000023b73-113.dat	upx
behavioral2/files/0x0031000000023b84-111.dat	upx
behavioral2/files/0x0031000000023b85-105.dat	upx
behavioral2/memory/4732-104-0x00007FF70AF20000-0x00007FF70B271000-memory.dmp	upx
behavioral2/memory/3396-101-0x00007FF692FF0000-0x00007FF693341000-memory.dmp	upx
behavioral2/files/0x000a000000023b83-96.dat	upx
behavioral2/memory/4264-90-0x00007FF6B0FE0000-0x00007FF6B1331000-memory.dmp	upx
behavioral2/memory/3532-103-0x00007FF771440000-0x00007FF771791000-memory.dmp	upx
behavioral2/memory/3876-87-0x00007FF7398F0000-0x00007FF739C41000-memory.dmp	upx
behavioral2/files/0x000a000000023b7e-70.dat	upx
behavioral2/files/0x000a000000023b81-81.dat	upx
behavioral2/memory/232-65-0x00007FF63B2D0000-0x00007FF63B621000-memory.dmp	upx
behavioral2/files/0x000a000000023b7a-55.dat	upx
behavioral2/files/0x000a000000023b7c-45.dat	upx
behavioral2/memory/1864-41-0x00007FF76D5E0000-0x00007FF76D931000-memory.dmp	upx
behavioral2/memory/4784-39-0x00007FF6A1FD0000-0x00007FF6A2321000-memory.dmp	upx
behavioral2/memory/4028-23-0x00007FF742670000-0x00007FF7429C1000-memory.dmp	upx
behavioral2/memory/3544-32-0x00007FF7C07A0000-0x00007FF7C0AF1000-memory.dmp	upx
behavioral2/memory/4072-12-0x00007FF701FD0000-0x00007FF702321000-memory.dmp	upx
behavioral2/files/0x000a000000023b76-11.dat	upx
behavioral2/memory/4072-129-0x00007FF701FD0000-0x00007FF702321000-memory.dmp	upx
behavioral2/memory/3532-142-0x00007FF771440000-0x00007FF771791000-memory.dmp	upx
behavioral2/memory/4784-131-0x00007FF6A1FD0000-0x00007FF6A2321000-memory.dmp	upx
behavioral2/memory/4028-130-0x00007FF742670000-0x00007FF7429C1000-memory.dmp	upx
behavioral2/memory/3336-128-0x00007FF7845E0000-0x00007FF784931000-memory.dmp	upx
behavioral2/memory/3336-150-0x00007FF7845E0000-0x00007FF784931000-memory.dmp	upx
behavioral2/memory/3336-151-0x00007FF7845E0000-0x00007FF784931000-memory.dmp	upx
behavioral2/memory/4072-216-0x00007FF701FD0000-0x00007FF702321000-memory.dmp	upx
behavioral2/memory/4028-218-0x00007FF742670000-0x00007FF7429C1000-memory.dmp	upx
behavioral2/memory/3544-220-0x00007FF7C07A0000-0x00007FF7C0AF1000-memory.dmp	upx
behavioral2/memory/1864-222-0x00007FF76D5E0000-0x00007FF76D931000-memory.dmp	upx
behavioral2/memory/4784-228-0x00007FF6A1FD0000-0x00007FF6A2321000-memory.dmp	upx
behavioral2/memory/232-226-0x00007FF63B2D0000-0x00007FF63B621000-memory.dmp	upx
behavioral2/memory/3340-225-0x00007FF7D98E0000-0x00007FF7D9C31000-memory.dmp	upx
behavioral2/memory/3812-232-0x00007FF702EA0000-0x00007FF7031F1000-memory.dmp	upx
behavioral2/memory/228-231-0x00007FF6FFCF0000-0x00007FF700041000-memory.dmp	upx
behavioral2/memory/4264-236-0x00007FF6B0FE0000-0x00007FF6B1331000-memory.dmp	upx
behavioral2/memory/3876-234-0x00007FF7398F0000-0x00007FF739C41000-memory.dmp	upx
behavioral2/memory/3560-249-0x00007FF7B84B0000-0x00007FF7B8801000-memory.dmp	upx
behavioral2/memory/3500-247-0x00007FF6AF9D0000-0x00007FF6AFD21000-memory.dmp	upx
behavioral2/memory/4480-256-0x00007FF739230000-0x00007FF739581000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\LxDRxiy.exe	2024-12-22_6fabe8fa37373ceea870dbb7b8f07447_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JSXgewP.exe	2024-12-22_6fabe8fa37373ceea870dbb7b8f07447_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\naLdgXZ.exe	2024-12-22_6fabe8fa37373ceea870dbb7b8f07447_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tzVnEzp.exe	2024-12-22_6fabe8fa37373ceea870dbb7b8f07447_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PgaDYrM.exe	2024-12-22_6fabe8fa37373ceea870dbb7b8f07447_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DnMlKvt.exe	2024-12-22_6fabe8fa37373ceea870dbb7b8f07447_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MPEnZoK.exe	2024-12-22_6fabe8fa37373ceea870dbb7b8f07447_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yfsCEAz.exe	2024-12-22_6fabe8fa37373ceea870dbb7b8f07447_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BCyATry.exe	2024-12-22_6fabe8fa37373ceea870dbb7b8f07447_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KoxGjAr.exe	2024-12-22_6fabe8fa37373ceea870dbb7b8f07447_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vzOqALZ.exe	2024-12-22_6fabe8fa37373ceea870dbb7b8f07447_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hIZxNgx.exe	2024-12-22_6fabe8fa37373ceea870dbb7b8f07447_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RUDXZxe.exe	2024-12-22_6fabe8fa37373ceea870dbb7b8f07447_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AhZICHl.exe	2024-12-22_6fabe8fa37373ceea870dbb7b8f07447_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jFTMRzZ.exe	2024-12-22_6fabe8fa37373ceea870dbb7b8f07447_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nQrlwwk.exe	2024-12-22_6fabe8fa37373ceea870dbb7b8f07447_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BVaGmDU.exe	2024-12-22_6fabe8fa37373ceea870dbb7b8f07447_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ssnFrpi.exe	2024-12-22_6fabe8fa37373ceea870dbb7b8f07447_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\etqlZvJ.exe	2024-12-22_6fabe8fa37373ceea870dbb7b8f07447_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sXrAqbO.exe	2024-12-22_6fabe8fa37373ceea870dbb7b8f07447_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zDFYgsU.exe	2024-12-22_6fabe8fa37373ceea870dbb7b8f07447_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3336	2024-12-22_6fabe8fa37373ceea870dbb7b8f07447_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	3336	2024-12-22_6fabe8fa37373ceea870dbb7b8f07447_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3336 wrote to memory of 4072	3336	2024-12-22_6fabe8fa37373ceea870dbb7b8f07447_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3336 wrote to memory of 4072	3336	2024-12-22_6fabe8fa37373ceea870dbb7b8f07447_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3336 wrote to memory of 4028	3336	2024-12-22_6fabe8fa37373ceea870dbb7b8f07447_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3336 wrote to memory of 4028	3336	2024-12-22_6fabe8fa37373ceea870dbb7b8f07447_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3336 wrote to memory of 4784	3336	2024-12-22_6fabe8fa37373ceea870dbb7b8f07447_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3336 wrote to memory of 4784	3336	2024-12-22_6fabe8fa37373ceea870dbb7b8f07447_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3336 wrote to memory of 3544	3336	2024-12-22_6fabe8fa37373ceea870dbb7b8f07447_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3336 wrote to memory of 3544	3336	2024-12-22_6fabe8fa37373ceea870dbb7b8f07447_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3336 wrote to memory of 1864	3336	2024-12-22_6fabe8fa37373ceea870dbb7b8f07447_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3336 wrote to memory of 1864	3336	2024-12-22_6fabe8fa37373ceea870dbb7b8f07447_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3336 wrote to memory of 228	3336	2024-12-22_6fabe8fa37373ceea870dbb7b8f07447_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3336 wrote to memory of 228	3336	2024-12-22_6fabe8fa37373ceea870dbb7b8f07447_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3336 wrote to memory of 232	3336	2024-12-22_6fabe8fa37373ceea870dbb7b8f07447_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3336 wrote to memory of 232	3336	2024-12-22_6fabe8fa37373ceea870dbb7b8f07447_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3336 wrote to memory of 3340	3336	2024-12-22_6fabe8fa37373ceea870dbb7b8f07447_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3336 wrote to memory of 3340	3336	2024-12-22_6fabe8fa37373ceea870dbb7b8f07447_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3336 wrote to memory of 3876	3336	2024-12-22_6fabe8fa37373ceea870dbb7b8f07447_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3336 wrote to memory of 3876	3336	2024-12-22_6fabe8fa37373ceea870dbb7b8f07447_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3336 wrote to memory of 3812	3336	2024-12-22_6fabe8fa37373ceea870dbb7b8f07447_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3336 wrote to memory of 3812	3336	2024-12-22_6fabe8fa37373ceea870dbb7b8f07447_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3336 wrote to memory of 4264	3336	2024-12-22_6fabe8fa37373ceea870dbb7b8f07447_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3336 wrote to memory of 4264	3336	2024-12-22_6fabe8fa37373ceea870dbb7b8f07447_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3336 wrote to memory of 3396	3336	2024-12-22_6fabe8fa37373ceea870dbb7b8f07447_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3336 wrote to memory of 3396	3336	2024-12-22_6fabe8fa37373ceea870dbb7b8f07447_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3336 wrote to memory of 4480	3336	2024-12-22_6fabe8fa37373ceea870dbb7b8f07447_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3336 wrote to memory of 4480	3336	2024-12-22_6fabe8fa37373ceea870dbb7b8f07447_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3336 wrote to memory of 3532	3336	2024-12-22_6fabe8fa37373ceea870dbb7b8f07447_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3336 wrote to memory of 3532	3336	2024-12-22_6fabe8fa37373ceea870dbb7b8f07447_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3336 wrote to memory of 4732	3336	2024-12-22_6fabe8fa37373ceea870dbb7b8f07447_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3336 wrote to memory of 4732	3336	2024-12-22_6fabe8fa37373ceea870dbb7b8f07447_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3336 wrote to memory of 4892	3336	2024-12-22_6fabe8fa37373ceea870dbb7b8f07447_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3336 wrote to memory of 4892	3336	2024-12-22_6fabe8fa37373ceea870dbb7b8f07447_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3336 wrote to memory of 3140	3336	2024-12-22_6fabe8fa37373ceea870dbb7b8f07447_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3336 wrote to memory of 3140	3336	2024-12-22_6fabe8fa37373ceea870dbb7b8f07447_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3336 wrote to memory of 3500	3336	2024-12-22_6fabe8fa37373ceea870dbb7b8f07447_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3336 wrote to memory of 3500	3336	2024-12-22_6fabe8fa37373ceea870dbb7b8f07447_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3336 wrote to memory of 3560	3336	2024-12-22_6fabe8fa37373ceea870dbb7b8f07447_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3336 wrote to memory of 3560	3336	2024-12-22_6fabe8fa37373ceea870dbb7b8f07447_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3336 wrote to memory of 5092	3336	2024-12-22_6fabe8fa37373ceea870dbb7b8f07447_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3336 wrote to memory of 5092	3336	2024-12-22_6fabe8fa37373ceea870dbb7b8f07447_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3336 wrote to memory of 4472	3336	2024-12-22_6fabe8fa37373ceea870dbb7b8f07447_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 3336 wrote to memory of 4472	3336	2024-12-22_6fabe8fa37373ceea870dbb7b8f07447_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-12-22_6fabe8fa37373ceea870dbb7b8f07447_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-22_6fabe8fa37373ceea870dbb7b8f07447_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3336
- C:\Windows\System\BCyATry.exe
  C:\Windows\System\BCyATry.exe
  2⤵
  - Executes dropped EXE
  PID:4072
- C:\Windows\System\tzVnEzp.exe
  C:\Windows\System\tzVnEzp.exe
  2⤵
  - Executes dropped EXE
  PID:4028
- C:\Windows\System\BVaGmDU.exe
  C:\Windows\System\BVaGmDU.exe
  2⤵
  - Executes dropped EXE
  PID:4784
- C:\Windows\System\KoxGjAr.exe
  C:\Windows\System\KoxGjAr.exe
  2⤵
  - Executes dropped EXE
  PID:3544
- C:\Windows\System\PgaDYrM.exe
  C:\Windows\System\PgaDYrM.exe
  2⤵
  - Executes dropped EXE
  PID:1864
- C:\Windows\System\ssnFrpi.exe
  C:\Windows\System\ssnFrpi.exe
  2⤵
  - Executes dropped EXE
  PID:228
- C:\Windows\System\LxDRxiy.exe
  C:\Windows\System\LxDRxiy.exe
  2⤵
  - Executes dropped EXE
  PID:232
- C:\Windows\System\JSXgewP.exe
  C:\Windows\System\JSXgewP.exe
  2⤵
  - Executes dropped EXE
  PID:3340
- C:\Windows\System\DnMlKvt.exe
  C:\Windows\System\DnMlKvt.exe
  2⤵
  - Executes dropped EXE
  PID:3876
- C:\Windows\System\vzOqALZ.exe
  C:\Windows\System\vzOqALZ.exe
  2⤵
  - Executes dropped EXE
  PID:3812
- C:\Windows\System\etqlZvJ.exe
  C:\Windows\System\etqlZvJ.exe
  2⤵
  - Executes dropped EXE
  PID:4264
- C:\Windows\System\MPEnZoK.exe
  C:\Windows\System\MPEnZoK.exe
  2⤵
  - Executes dropped EXE
  PID:3396
- C:\Windows\System\hIZxNgx.exe
  C:\Windows\System\hIZxNgx.exe
  2⤵
  - Executes dropped EXE
  PID:4480
- C:\Windows\System\sXrAqbO.exe
  C:\Windows\System\sXrAqbO.exe
  2⤵
  - Executes dropped EXE
  PID:3532
- C:\Windows\System\zDFYgsU.exe
  C:\Windows\System\zDFYgsU.exe
  2⤵
  - Executes dropped EXE
  PID:4732
- C:\Windows\System\AhZICHl.exe
  C:\Windows\System\AhZICHl.exe
  2⤵
  - Executes dropped EXE
  PID:4892
- C:\Windows\System\jFTMRzZ.exe
  C:\Windows\System\jFTMRzZ.exe
  2⤵
  - Executes dropped EXE
  PID:3140
- C:\Windows\System\nQrlwwk.exe
  C:\Windows\System\nQrlwwk.exe
  2⤵
  - Executes dropped EXE
  PID:3500
- C:\Windows\System\RUDXZxe.exe
  C:\Windows\System\RUDXZxe.exe
  2⤵
  - Executes dropped EXE
  PID:3560
- C:\Windows\System\yfsCEAz.exe
  C:\Windows\System\yfsCEAz.exe
  2⤵
  - Executes dropped EXE
  PID:5092
- C:\Windows\System\naLdgXZ.exe
  C:\Windows\System\naLdgXZ.exe
  2⤵
  - Executes dropped EXE
  PID:4472

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AhZICHl.exe

Filesize
5.2MB

MD5
2bcf5a9d479ed2fd5398d3b29bdb85c3

SHA1
61a610f963dd80f39f316462193131040f08953d

SHA256
2f9db6ea9c3197a924a16f21a1087ffd0552ccafd413027b2f2c9b641196429f

SHA512
9ffdbc0c4bb201180fb4a40c23a17ec335dbff8ea044b0822c528a0565d0e5049c6152283569fb965274a6fdafe3a81634b374aa7c7f3b91bfdca3eaac873d71

Download Submit
C:\Windows\System\BCyATry.exe

Filesize
5.2MB

MD5
bfbc05ff1e38ac408b5d169f184e494b

SHA1
53b86ef2c51b79f705f72401876358b368262396

SHA256
cb622517ec2c13a36523228116e3db43391747a45ce6637523ac7f2cf8d3d124

SHA512
1172669d60b0a7a48feca06da7c1d1d91c61eb3d5c940c71ef0237331816168b7908f0622bea19c9c86ae25e2cdcb06a4d220a4f4025db576eac2475adf261ce

Download Submit
C:\Windows\System\BVaGmDU.exe

Filesize
5.2MB

MD5
a782596ed89b82789aa634a65fc19cd2

SHA1
810b3e489df271b96ef6ad6f86d4dccabcbd096f

SHA256
09aa878abb0232b2e89a4cdeb3505e2bfd82b52fb9273ffeaebac6387db14809

SHA512
3568e0a39a9534fe7063bb67daccf9fdf22afccaa16af1ebe13d38646d878211a5011e6a971f544887f599334a4229112419063eda0c755ec996ad75f85559ef

Download Submit
C:\Windows\System\DnMlKvt.exe

Filesize
5.2MB

MD5
05d26b0a5b6ecb5e7f1f7939e8bf9761

SHA1
fe9c2923049e167b50bd89ac06b4df41117fb9ed

SHA256
3fbb2aff5a72dbca7e89269a794d1ee5d3d6e92a94b4b9728dd040407528384d

SHA512
291e6a7f4c3a6d2aec9f66e632741c84ea9710cf2b09ed108797a699c72c788237fea00f38126123c1c74795d17b39ff1b4ce24d5ebeac96913aa0ebeb568ddb

Download Submit
C:\Windows\System\JSXgewP.exe

Filesize
5.2MB

MD5
676a9c41aaf7f95592fa7f8479faf73d

SHA1
c8fc2dc81f5ea4d50d88244bc7fae3bb5be81baf

SHA256
44ebd5c0d9ed50af5a0a5c298f50d4e3fa31627891db7374e8179751f6dd307a

SHA512
b30fffdedc327003c7deed106087e820a66bdaf95e4c983f5207cbc590f5d0d310017c776fb80e3c06ff47328285e51a22c07ab718ed4596b5ecac2a8b9017ac

Download Submit
C:\Windows\System\KoxGjAr.exe

Filesize
5.2MB

MD5
ce8eccc91a27d52cc5787715c1ef5b9a

SHA1
37d5529144b5bdc25bbc49d278d8f62ca4f999ea

SHA256
fe3d8002585a4ab645e3c20d3602d74bcab86e58174e327889f59e317c4759bd

SHA512
4e03f028c07532e6839a5d07398aa5a7c09d02abf2d35aa27bd6b0064bcdf8d9552807da5100bef2b1f296441b8a18737bda747b0a0b09b418051b00f640b535

Download Submit
C:\Windows\System\LxDRxiy.exe

Filesize
5.2MB

MD5
a09dd15ee7833c627d40e1f105961ace

SHA1
d4584ee9c8c13aa7ca0297a9146da85a61109117

SHA256
6c478b9c86c0182d9efbd13a6f751ab27076af6627d5c81b60edc9e6f907bb96

SHA512
aba4fa1b166b19b4d5b8ea02608281e9aaf24925feff92304d7bb87ed945894a93a3ba7ae3375e5fec25421eb43b3b1a958a3412bfdbfa28a2de892e48829ac4

Download Submit
C:\Windows\System\MPEnZoK.exe

Filesize
5.2MB

MD5
35e8a6a601131647c4931c985cf919df

SHA1
b9f461accfb61bead4e80ac06a7ad4eb6542f29a

SHA256
d090cf6f9ec289a3418262b2cf0aafa7bc9bf0f2ca97ae967f2124eed66ece9c

SHA512
3fb8bdf43ce5b9c429994409c2009072ce8fbcda0f0b25fee981933a3689a6ae6e3b417ca756b1d49f214cf0c3c42841ab9a4fd945ee6aac5dfefa4981a2ae94

Download Submit
C:\Windows\System\PgaDYrM.exe

Filesize
5.2MB

MD5
b6d2292536ae32a1e7e1d548bfb266a1

SHA1
1a1b8e14724be96928dacf3979d3b66071b522af

SHA256
102233f040c766d8036319c520bb4582bdd11a5d4f9fc82c13a1c365434496b4

SHA512
63f03653cb39be1cfa71b1b2d42b206efc8b7de57401aa74c6133b124c7105b9d403a9d39111e7f6003b4fc011b790c805558a92fd77d09e0669940f931d32c6

Download Submit
C:\Windows\System\RUDXZxe.exe

Filesize
5.2MB

MD5
c0f164bfceccc662f3362bf05178b9f4

SHA1
832a49669a8984593392ecf6a1b30d761f9a3cd8

SHA256
6223edb28ac65be64d064581a7eca34dd72ace4da540ce9a729da6207210dba6

SHA512
ea4b4e12c704ecae7384482f21d931a23772f2e967d64c140233e0f3bed1e2f6067d0bdc0fa22b038d4255c4d567c251683f934661c6c470ea6dca108fa7ce12

Download Submit
C:\Windows\System\etqlZvJ.exe

Filesize
5.2MB

MD5
79a7bb63b884a6747e18ec68caf91499

SHA1
862246abe7ef58e766eb07dfa8b9279e31a592a4

SHA256
7ab138eff4713b96a23ca69249305126806049079a65ce0544b968f9843679bd

SHA512
c4a0bc0e8295e1d3a7b6d2a41863630119d7c26cb7abe40f48b0d7d7d0c73cb3f94ad81438d15f022cf6445059acac48b86a6c10fc9113054a7f9864dee9fc5a

Download Submit
C:\Windows\System\hIZxNgx.exe

Filesize
5.2MB

MD5
179cf27706984dc6246585f6e4431a85

SHA1
4dcdd566689cc57b2252efa0e7cce8ba2cbd174f

SHA256
c01a61b02e7cc47310c9459adca7c357177bbe652fb932467677e94a66db7829

SHA512
af86edef662e1e77f96f76ad9ebeafe256c5aa278a3661c12f7f97d3f90d9c5531ec698ea786f22082ed848898bce5648c3fc959a94564833dee406331f91e01

Download Submit
C:\Windows\System\jFTMRzZ.exe

Filesize
5.2MB

MD5
bf38edd98c8786aecb443368c6af8eba

SHA1
de0c82633f689ec84d5fd7299aead64c7749057f

SHA256
8d8d9826a22bb8ae6fc2013c84c6893ac28b6380e38c2c258acdba07f104c1b5

SHA512
6691017fcee5d3bd741b3cebefc56e0690479e3a5b0faf036443824087c9ea912e2107f8081ae7eb8f3b4a01938436deb468e870c94abde9af8bede9b5a31516

Download Submit
C:\Windows\System\nQrlwwk.exe

Filesize
5.2MB

MD5
08eb7a79b1d145114a8516d8dfaeefb6

SHA1
836f6f1b06301c889257a6221c2e37ed1c428f9d

SHA256
9323172349b775264d5fde30289f0d3af3fc440c015b03366aa61505f5d21a51

SHA512
33825b5bad17ff4b4ce93070c842e2f6181423c508fc6fd9011b058f9d91fce07175f41d5083c64c1915effa1f87ae7beb1c2d8c4539f1e4c2a23a67b9b651a4

Download Submit
C:\Windows\System\naLdgXZ.exe

Filesize
5.2MB

MD5
6b4ac45aeef2228765dcf07ef19e235e

SHA1
8ddfcf845d0bbb284e9192b42b2e31bb0ca03331

SHA256
9fdeb84905372ea5aa890a35051d8bdfbd5e7e69e1d9d7ab6ec87dc067a924b8

SHA512
ffa21fddc0f8d49a40ad88a1643c6b8695dfd64be034dd3ebef7b77accd5d0dde1df0b6e6081b5d8917021cbaf13c414c0615d9a3ce2981f8e230ad53b9b5485

Download Submit
C:\Windows\System\sXrAqbO.exe

Filesize
5.2MB

MD5
54325396a4b44025333da3fc373101b1

SHA1
887152c059dcef9c2e12c0e7769e4afd22232a22

SHA256
c3f3900afc6fbec478ed879b231bfea3d3287eeb023abe29156bf73a7410229a

SHA512
6f0a7c00c64a5f2b5d330a3cc8728b324db7aa20f9966bf0368af12c661a54ffc57bae78bd4c4a0c34c2a1db46875f4de043c0e37b0de5687e91061c296cb595

Download Submit
C:\Windows\System\ssnFrpi.exe

Filesize
5.2MB

MD5
67ee4220ffb61c4d3865685b9d60e8f9

SHA1
4b2df902d3c8e09da4f2c4b7c0ed172ca10d9b99

SHA256
90019cddd048d2eb06d94ce7ec11f341497caabde00a6df6ce8b71d4dc7320df

SHA512
54a2acce89614f349c866057376742867f2037a6fdd9c63be74aa092bc04da6f382d97a4f626acbf5cd4b2dfdc41431299d4f6657d629dd7323fd6112719fd0a

Download Submit
C:\Windows\System\tzVnEzp.exe

Filesize
5.2MB

MD5
caa47165fbcea2dd5e8450838208ee05

SHA1
99628ca7b19e2932d550033275934d54ea4d45f1

SHA256
823e4a104ebcfc83fddb7a54ad8c0be98dc3cd68c69a8af4e6a24e38572025ac

SHA512
16147001ff6f542ef2ec02abc0bd8ae78cf9b7badb95a36a4cf5fb469a11b2707e0bc777e5e085905499d0fc84785d5efba3de84ed91765b7a69beee8327a53c

Download Submit
C:\Windows\System\vzOqALZ.exe

Filesize
5.2MB

MD5
95217ddcb93e5d5f96f440598167b24f

SHA1
d674032e3e0528c2c67ca58f0107494a02681d24

SHA256
a6b1c6e14b5539322d6e460b175fd85e2373088f46f21b7f9cdde7640f970598

SHA512
88b2b1ade8d83b67d46e97280258a6b7eb590f639df682736e5433bac0509b36a0239da6cfa74f28a98667298b49eb8c7efaa9941c6247784526ead9c1689046

Download Submit
C:\Windows\System\yfsCEAz.exe

Filesize
5.2MB

MD5
ec0786980bc3a3933edf345d6101bf3e

SHA1
2d8efc94009bb8342a99f5da399bc80297ef9614

SHA256
50c519ea1bd039e580538f583e090464cb2f21f8c5817824db06769d84c56326

SHA512
267647165e2060bdfbf92ebf445ba188287ae7a7ddc020b572bd23c556288046bd10b39d99036072fad8c7cc36c39265c7def387847813c56f025bc17188f48a

Download Submit
C:\Windows\System\zDFYgsU.exe

Filesize
5.2MB

MD5
f7567d463b849ab92a141617ba27a6d0

SHA1
5ad3e77388ffb826645bacb328eda966a032755f

SHA256
615d7b9b80dcf81ad67154420a8030a19e2c047cb9aba52bd6179effce59e827

SHA512
74e5bab365cf21b4d88375bc0d19b3214f4e6700967f9af66e4596eec9acae46f9d3ef2be0fe57a7017c0b59648f7243aa3681ed7aa5404d17a39beecc137e51

Download Submit
memory/228-122-0x00007FF6FFCF0000-0x00007FF700041000-memory.dmp

Filesize
3.3MB

Download
memory/228-231-0x00007FF6FFCF0000-0x00007FF700041000-memory.dmp

Filesize
3.3MB

Download
memory/232-65-0x00007FF63B2D0000-0x00007FF63B621000-memory.dmp

Filesize
3.3MB

Download
memory/232-226-0x00007FF63B2D0000-0x00007FF63B621000-memory.dmp

Filesize
3.3MB

Download
memory/1864-222-0x00007FF76D5E0000-0x00007FF76D931000-memory.dmp

Filesize
3.3MB

Download
memory/1864-41-0x00007FF76D5E0000-0x00007FF76D931000-memory.dmp

Filesize
3.3MB

Download
memory/3140-245-0x00007FF663F50000-0x00007FF6642A1000-memory.dmp

Filesize
3.3MB

Download
memory/3140-126-0x00007FF663F50000-0x00007FF6642A1000-memory.dmp

Filesize
3.3MB

Download
memory/3336-1-0x00000216FA6F0000-0x00000216FA700000-memory.dmp

Filesize
64KB

Download
memory/3336-128-0x00007FF7845E0000-0x00007FF784931000-memory.dmp

Filesize
3.3MB

Download
memory/3336-0-0x00007FF7845E0000-0x00007FF784931000-memory.dmp

Filesize
3.3MB

Download
memory/3336-150-0x00007FF7845E0000-0x00007FF784931000-memory.dmp

Filesize
3.3MB

Download
memory/3336-151-0x00007FF7845E0000-0x00007FF784931000-memory.dmp

Filesize
3.3MB

Download
memory/3340-225-0x00007FF7D98E0000-0x00007FF7D9C31000-memory.dmp

Filesize
3.3MB

Download
memory/3340-123-0x00007FF7D98E0000-0x00007FF7D9C31000-memory.dmp

Filesize
3.3MB

Download
memory/3396-101-0x00007FF692FF0000-0x00007FF693341000-memory.dmp

Filesize
3.3MB

Download
memory/3396-241-0x00007FF692FF0000-0x00007FF693341000-memory.dmp

Filesize
3.3MB

Download
memory/3500-115-0x00007FF6AF9D0000-0x00007FF6AFD21000-memory.dmp

Filesize
3.3MB

Download
memory/3500-247-0x00007FF6AF9D0000-0x00007FF6AFD21000-memory.dmp

Filesize
3.3MB

Download
memory/3532-103-0x00007FF771440000-0x00007FF771791000-memory.dmp

Filesize
3.3MB

Download
memory/3532-254-0x00007FF771440000-0x00007FF771791000-memory.dmp

Filesize
3.3MB

Download
memory/3532-142-0x00007FF771440000-0x00007FF771791000-memory.dmp

Filesize
3.3MB

Download
memory/3544-220-0x00007FF7C07A0000-0x00007FF7C0AF1000-memory.dmp

Filesize
3.3MB

Download
memory/3544-32-0x00007FF7C07A0000-0x00007FF7C0AF1000-memory.dmp

Filesize
3.3MB

Download
memory/3560-118-0x00007FF7B84B0000-0x00007FF7B8801000-memory.dmp

Filesize
3.3MB

Download
memory/3560-249-0x00007FF7B84B0000-0x00007FF7B8801000-memory.dmp

Filesize
3.3MB

Download
memory/3812-124-0x00007FF702EA0000-0x00007FF7031F1000-memory.dmp

Filesize
3.3MB

Download
memory/3812-232-0x00007FF702EA0000-0x00007FF7031F1000-memory.dmp

Filesize
3.3MB

Download
memory/3876-234-0x00007FF7398F0000-0x00007FF739C41000-memory.dmp

Filesize
3.3MB

Download
memory/3876-87-0x00007FF7398F0000-0x00007FF739C41000-memory.dmp

Filesize
3.3MB

Download
memory/4028-130-0x00007FF742670000-0x00007FF7429C1000-memory.dmp

Filesize
3.3MB

Download
memory/4028-23-0x00007FF742670000-0x00007FF7429C1000-memory.dmp

Filesize
3.3MB

Download
memory/4028-218-0x00007FF742670000-0x00007FF7429C1000-memory.dmp

Filesize
3.3MB

Download
memory/4072-216-0x00007FF701FD0000-0x00007FF702321000-memory.dmp

Filesize
3.3MB

Download
memory/4072-129-0x00007FF701FD0000-0x00007FF702321000-memory.dmp

Filesize
3.3MB

Download
memory/4072-12-0x00007FF701FD0000-0x00007FF702321000-memory.dmp

Filesize
3.3MB

Download
memory/4264-90-0x00007FF6B0FE0000-0x00007FF6B1331000-memory.dmp

Filesize
3.3MB

Download
memory/4264-236-0x00007FF6B0FE0000-0x00007FF6B1331000-memory.dmp

Filesize
3.3MB

Download
memory/4472-258-0x00007FF6784B0000-0x00007FF678801000-memory.dmp

Filesize
3.3MB

Download
memory/4472-127-0x00007FF6784B0000-0x00007FF678801000-memory.dmp

Filesize
3.3MB

Download
memory/4480-256-0x00007FF739230000-0x00007FF739581000-memory.dmp

Filesize
3.3MB

Download
memory/4480-125-0x00007FF739230000-0x00007FF739581000-memory.dmp

Filesize
3.3MB

Download
memory/4732-243-0x00007FF70AF20000-0x00007FF70B271000-memory.dmp

Filesize
3.3MB

Download
memory/4732-104-0x00007FF70AF20000-0x00007FF70B271000-memory.dmp

Filesize
3.3MB

Download
memory/4784-131-0x00007FF6A1FD0000-0x00007FF6A2321000-memory.dmp

Filesize
3.3MB

Download
memory/4784-228-0x00007FF6A1FD0000-0x00007FF6A2321000-memory.dmp

Filesize
3.3MB

Download
memory/4784-39-0x00007FF6A1FD0000-0x00007FF6A2321000-memory.dmp

Filesize
3.3MB

Download
memory/4892-119-0x00007FF7B3660000-0x00007FF7B39B1000-memory.dmp

Filesize
3.3MB

Download
memory/4892-251-0x00007FF7B3660000-0x00007FF7B39B1000-memory.dmp

Filesize
3.3MB

Download
memory/5092-121-0x00007FF7C5670000-0x00007FF7C59C1000-memory.dmp

Filesize
3.3MB

Download
memory/5092-253-0x00007FF7C5670000-0x00007FF7C59C1000-memory.dmp

Filesize
3.3MB

Download