cobaltstrike | 4db7dd25dd8e7aaad4618f8d999a4a7c8ff3f8dfc58e6767158e702cebb24bd6

Analysis

max time kernel
141s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 02:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-22_5604c35b637b236f68f691c601256ef7_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

5604c35b637b236f68f691c601256ef7
SHA1

ccc5944080146c2fcf2fdc8035fc72f88d177790
SHA256

4db7dd25dd8e7aaad4618f8d999a4a7c8ff3f8dfc58e6767158e702cebb24bd6
SHA512

95fa0297f2d5369e93c1adbe4e1ea2fa97f86f5288317ab41454992c69496af68402a79500d8ac6f27f2c33a03def8544aabe4c4baeeabcb9f26413a53cf9576
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6ls:RWWBibf56utgpPFotBER/mQ32lUo

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0008000000023cbb-4.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbf-9.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc0-16.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc1-25.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc2-29.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023cbc-39.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc3-43.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc5-50.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc4-56.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cca-81.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ccc-87.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cd1-125.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ccf-117.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cd0-122.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cce-114.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ccd-110.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ccb-101.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc8-99.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc9-76.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc7-67.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc6-58.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 47 IoCs

miner

resource	yara_rule
behavioral2/memory/3940-14-0x00007FF736430000-0x00007FF736781000-memory.dmp	xmrig
behavioral2/memory/32-113-0x00007FF6FED20000-0x00007FF6FF071000-memory.dmp	xmrig
behavioral2/memory/4408-120-0x00007FF6A25C0000-0x00007FF6A2911000-memory.dmp	xmrig
behavioral2/memory/4000-126-0x00007FF7B4B60000-0x00007FF7B4EB1000-memory.dmp	xmrig
behavioral2/memory/4216-129-0x00007FF748480000-0x00007FF7487D1000-memory.dmp	xmrig
behavioral2/memory/2308-131-0x00007FF73C0E0000-0x00007FF73C431000-memory.dmp	xmrig
behavioral2/memory/3544-130-0x00007FF7A54C0000-0x00007FF7A5811000-memory.dmp	xmrig
behavioral2/memory/1440-124-0x00007FF673FA0000-0x00007FF6742F1000-memory.dmp	xmrig
behavioral2/memory/432-119-0x00007FF7FFB80000-0x00007FF7FFED1000-memory.dmp	xmrig
behavioral2/memory/3436-109-0x00007FF7964E0000-0x00007FF796831000-memory.dmp	xmrig
behavioral2/memory/3940-105-0x00007FF736430000-0x00007FF736781000-memory.dmp	xmrig
behavioral2/memory/3332-86-0x00007FF6E46D0000-0x00007FF6E4A21000-memory.dmp	xmrig
behavioral2/memory/4616-78-0x00007FF747540000-0x00007FF747891000-memory.dmp	xmrig
behavioral2/memory/4376-55-0x00007FF684300000-0x00007FF684651000-memory.dmp	xmrig
behavioral2/memory/2196-53-0x00007FF728460000-0x00007FF7287B1000-memory.dmp	xmrig
behavioral2/memory/1768-132-0x00007FF6888B0000-0x00007FF688C01000-memory.dmp	xmrig
behavioral2/memory/2196-133-0x00007FF728460000-0x00007FF7287B1000-memory.dmp	xmrig
behavioral2/memory/1692-138-0x00007FF7590F0000-0x00007FF759441000-memory.dmp	xmrig
behavioral2/memory/4656-139-0x00007FF6A3720000-0x00007FF6A3A71000-memory.dmp	xmrig
behavioral2/memory/2772-140-0x00007FF71ADD0000-0x00007FF71B121000-memory.dmp	xmrig
behavioral2/memory/548-142-0x00007FF6C3180000-0x00007FF6C34D1000-memory.dmp	xmrig
behavioral2/memory/4616-144-0x00007FF747540000-0x00007FF747891000-memory.dmp	xmrig
behavioral2/memory/3132-143-0x00007FF6D8BE0000-0x00007FF6D8F31000-memory.dmp	xmrig
behavioral2/memory/3100-149-0x00007FF7E6AC0000-0x00007FF7E6E11000-memory.dmp	xmrig
behavioral2/memory/2804-146-0x00007FF63A9C0000-0x00007FF63AD11000-memory.dmp	xmrig
behavioral2/memory/2196-156-0x00007FF728460000-0x00007FF7287B1000-memory.dmp	xmrig
behavioral2/memory/4376-207-0x00007FF684300000-0x00007FF684651000-memory.dmp	xmrig
behavioral2/memory/3940-209-0x00007FF736430000-0x00007FF736781000-memory.dmp	xmrig
behavioral2/memory/4216-211-0x00007FF748480000-0x00007FF7487D1000-memory.dmp	xmrig
behavioral2/memory/1768-213-0x00007FF6888B0000-0x00007FF688C01000-memory.dmp	xmrig
behavioral2/memory/1692-228-0x00007FF7590F0000-0x00007FF759441000-memory.dmp	xmrig
behavioral2/memory/4656-230-0x00007FF6A3720000-0x00007FF6A3A71000-memory.dmp	xmrig
behavioral2/memory/2772-232-0x00007FF71ADD0000-0x00007FF71B121000-memory.dmp	xmrig
behavioral2/memory/3132-234-0x00007FF6D8BE0000-0x00007FF6D8F31000-memory.dmp	xmrig
behavioral2/memory/3332-236-0x00007FF6E46D0000-0x00007FF6E4A21000-memory.dmp	xmrig
behavioral2/memory/4616-238-0x00007FF747540000-0x00007FF747891000-memory.dmp	xmrig
behavioral2/memory/548-240-0x00007FF6C3180000-0x00007FF6C34D1000-memory.dmp	xmrig
behavioral2/memory/3436-242-0x00007FF7964E0000-0x00007FF796831000-memory.dmp	xmrig
behavioral2/memory/432-247-0x00007FF7FFB80000-0x00007FF7FFED1000-memory.dmp	xmrig
behavioral2/memory/32-249-0x00007FF6FED20000-0x00007FF6FF071000-memory.dmp	xmrig
behavioral2/memory/2804-251-0x00007FF63A9C0000-0x00007FF63AD11000-memory.dmp	xmrig
behavioral2/memory/2308-253-0x00007FF73C0E0000-0x00007FF73C431000-memory.dmp	xmrig
behavioral2/memory/4408-261-0x00007FF6A25C0000-0x00007FF6A2911000-memory.dmp	xmrig
behavioral2/memory/3544-263-0x00007FF7A54C0000-0x00007FF7A5811000-memory.dmp	xmrig
behavioral2/memory/4000-259-0x00007FF7B4B60000-0x00007FF7B4EB1000-memory.dmp	xmrig
behavioral2/memory/3100-257-0x00007FF7E6AC0000-0x00007FF7E6E11000-memory.dmp	xmrig
behavioral2/memory/1440-255-0x00007FF673FA0000-0x00007FF6742F1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4376	GjVxeqE.exe
3940	RXaqunN.exe
4216	QSHMFui.exe
1768	AZOzBAR.exe
1692	zUWgvtG.exe
4656	yHgDndv.exe
2772	JrxyksD.exe
3132	nqndWAg.exe
548	YAWMxJX.exe
4616	lvarXJY.exe
3332	XnJjkkf.exe
3436	RLwHEep.exe
32	VJpzZcE.exe
2804	VumidLy.exe
3100	PKoTqdL.exe
432	EQSExkw.exe
4408	hhtCMlZ.exe
4000	ttHnFFt.exe
1440	ugwTvTd.exe
3544	syzjidx.exe
2308	LFFxnop.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2196-0-0x00007FF728460000-0x00007FF7287B1000-memory.dmp	upx
behavioral2/files/0x0008000000023cbb-4.dat	upx
behavioral2/files/0x0007000000023cbf-9.dat	upx
behavioral2/memory/3940-14-0x00007FF736430000-0x00007FF736781000-memory.dmp	upx
behavioral2/files/0x0007000000023cc0-16.dat	upx
behavioral2/memory/4216-18-0x00007FF748480000-0x00007FF7487D1000-memory.dmp	upx
behavioral2/files/0x0007000000023cc1-25.dat	upx
behavioral2/memory/1768-24-0x00007FF6888B0000-0x00007FF688C01000-memory.dmp	upx
behavioral2/memory/4376-11-0x00007FF684300000-0x00007FF684651000-memory.dmp	upx
behavioral2/files/0x0007000000023cc2-29.dat	upx
behavioral2/memory/1692-31-0x00007FF7590F0000-0x00007FF759441000-memory.dmp	upx
behavioral2/files/0x0008000000023cbc-39.dat	upx
behavioral2/files/0x0007000000023cc3-43.dat	upx
behavioral2/memory/2772-45-0x00007FF71ADD0000-0x00007FF71B121000-memory.dmp	upx
behavioral2/files/0x0007000000023cc5-50.dat	upx
behavioral2/files/0x0007000000023cc4-56.dat	upx
behavioral2/files/0x0007000000023cca-81.dat	upx
behavioral2/files/0x0007000000023ccc-87.dat	upx
behavioral2/memory/32-113-0x00007FF6FED20000-0x00007FF6FF071000-memory.dmp	upx
behavioral2/memory/4408-120-0x00007FF6A25C0000-0x00007FF6A2911000-memory.dmp	upx
behavioral2/memory/4000-126-0x00007FF7B4B60000-0x00007FF7B4EB1000-memory.dmp	upx
behavioral2/memory/4216-129-0x00007FF748480000-0x00007FF7487D1000-memory.dmp	upx
behavioral2/memory/2308-131-0x00007FF73C0E0000-0x00007FF73C431000-memory.dmp	upx
behavioral2/memory/3544-130-0x00007FF7A54C0000-0x00007FF7A5811000-memory.dmp	upx
behavioral2/files/0x0007000000023cd1-125.dat	upx
behavioral2/memory/1440-124-0x00007FF673FA0000-0x00007FF6742F1000-memory.dmp	upx
behavioral2/memory/432-119-0x00007FF7FFB80000-0x00007FF7FFED1000-memory.dmp	upx
behavioral2/files/0x0007000000023ccf-117.dat	upx
behavioral2/files/0x0007000000023cd0-122.dat	upx
behavioral2/files/0x0007000000023cce-114.dat	upx
behavioral2/memory/3436-109-0x00007FF7964E0000-0x00007FF796831000-memory.dmp	upx
behavioral2/memory/3940-105-0x00007FF736430000-0x00007FF736781000-memory.dmp	upx
behavioral2/files/0x0007000000023ccd-110.dat	upx
behavioral2/files/0x0007000000023ccb-101.dat	upx
behavioral2/files/0x0007000000023cc8-99.dat	upx
behavioral2/memory/3100-97-0x00007FF7E6AC0000-0x00007FF7E6E11000-memory.dmp	upx
behavioral2/memory/2804-88-0x00007FF63A9C0000-0x00007FF63AD11000-memory.dmp	upx
behavioral2/memory/3332-86-0x00007FF6E46D0000-0x00007FF6E4A21000-memory.dmp	upx
behavioral2/memory/4616-78-0x00007FF747540000-0x00007FF747891000-memory.dmp	upx
behavioral2/files/0x0007000000023cc9-76.dat	upx
behavioral2/files/0x0007000000023cc7-67.dat	upx
behavioral2/memory/548-66-0x00007FF6C3180000-0x00007FF6C34D1000-memory.dmp	upx
behavioral2/files/0x0007000000023cc6-58.dat	upx
behavioral2/memory/4376-55-0x00007FF684300000-0x00007FF684651000-memory.dmp	upx
behavioral2/memory/2196-53-0x00007FF728460000-0x00007FF7287B1000-memory.dmp	upx
behavioral2/memory/3132-46-0x00007FF6D8BE0000-0x00007FF6D8F31000-memory.dmp	upx
behavioral2/memory/4656-38-0x00007FF6A3720000-0x00007FF6A3A71000-memory.dmp	upx
behavioral2/memory/1768-132-0x00007FF6888B0000-0x00007FF688C01000-memory.dmp	upx
behavioral2/memory/2196-133-0x00007FF728460000-0x00007FF7287B1000-memory.dmp	upx
behavioral2/memory/1692-138-0x00007FF7590F0000-0x00007FF759441000-memory.dmp	upx
behavioral2/memory/4656-139-0x00007FF6A3720000-0x00007FF6A3A71000-memory.dmp	upx
behavioral2/memory/2772-140-0x00007FF71ADD0000-0x00007FF71B121000-memory.dmp	upx
behavioral2/memory/548-142-0x00007FF6C3180000-0x00007FF6C34D1000-memory.dmp	upx
behavioral2/memory/4616-144-0x00007FF747540000-0x00007FF747891000-memory.dmp	upx
behavioral2/memory/3132-143-0x00007FF6D8BE0000-0x00007FF6D8F31000-memory.dmp	upx
behavioral2/memory/3100-149-0x00007FF7E6AC0000-0x00007FF7E6E11000-memory.dmp	upx
behavioral2/memory/2804-146-0x00007FF63A9C0000-0x00007FF63AD11000-memory.dmp	upx
behavioral2/memory/2196-156-0x00007FF728460000-0x00007FF7287B1000-memory.dmp	upx
behavioral2/memory/4376-207-0x00007FF684300000-0x00007FF684651000-memory.dmp	upx
behavioral2/memory/3940-209-0x00007FF736430000-0x00007FF736781000-memory.dmp	upx
behavioral2/memory/4216-211-0x00007FF748480000-0x00007FF7487D1000-memory.dmp	upx
behavioral2/memory/1768-213-0x00007FF6888B0000-0x00007FF688C01000-memory.dmp	upx
behavioral2/memory/1692-228-0x00007FF7590F0000-0x00007FF759441000-memory.dmp	upx
behavioral2/memory/4656-230-0x00007FF6A3720000-0x00007FF6A3A71000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\RLwHEep.exe	2024-12-22_5604c35b637b236f68f691c601256ef7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PKoTqdL.exe	2024-12-22_5604c35b637b236f68f691c601256ef7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EQSExkw.exe	2024-12-22_5604c35b637b236f68f691c601256ef7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hhtCMlZ.exe	2024-12-22_5604c35b637b236f68f691c601256ef7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ugwTvTd.exe	2024-12-22_5604c35b637b236f68f691c601256ef7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RXaqunN.exe	2024-12-22_5604c35b637b236f68f691c601256ef7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zUWgvtG.exe	2024-12-22_5604c35b637b236f68f691c601256ef7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lvarXJY.exe	2024-12-22_5604c35b637b236f68f691c601256ef7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\syzjidx.exe	2024-12-22_5604c35b637b236f68f691c601256ef7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LFFxnop.exe	2024-12-22_5604c35b637b236f68f691c601256ef7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QSHMFui.exe	2024-12-22_5604c35b637b236f68f691c601256ef7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nqndWAg.exe	2024-12-22_5604c35b637b236f68f691c601256ef7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ttHnFFt.exe	2024-12-22_5604c35b637b236f68f691c601256ef7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VumidLy.exe	2024-12-22_5604c35b637b236f68f691c601256ef7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AZOzBAR.exe	2024-12-22_5604c35b637b236f68f691c601256ef7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JrxyksD.exe	2024-12-22_5604c35b637b236f68f691c601256ef7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YAWMxJX.exe	2024-12-22_5604c35b637b236f68f691c601256ef7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VJpzZcE.exe	2024-12-22_5604c35b637b236f68f691c601256ef7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GjVxeqE.exe	2024-12-22_5604c35b637b236f68f691c601256ef7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yHgDndv.exe	2024-12-22_5604c35b637b236f68f691c601256ef7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XnJjkkf.exe	2024-12-22_5604c35b637b236f68f691c601256ef7_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2196	2024-12-22_5604c35b637b236f68f691c601256ef7_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2196	2024-12-22_5604c35b637b236f68f691c601256ef7_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 4376	2196	2024-12-22_5604c35b637b236f68f691c601256ef7_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2196 wrote to memory of 4376	2196	2024-12-22_5604c35b637b236f68f691c601256ef7_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2196 wrote to memory of 3940	2196	2024-12-22_5604c35b637b236f68f691c601256ef7_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2196 wrote to memory of 3940	2196	2024-12-22_5604c35b637b236f68f691c601256ef7_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2196 wrote to memory of 4216	2196	2024-12-22_5604c35b637b236f68f691c601256ef7_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2196 wrote to memory of 4216	2196	2024-12-22_5604c35b637b236f68f691c601256ef7_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2196 wrote to memory of 1768	2196	2024-12-22_5604c35b637b236f68f691c601256ef7_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2196 wrote to memory of 1768	2196	2024-12-22_5604c35b637b236f68f691c601256ef7_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2196 wrote to memory of 1692	2196	2024-12-22_5604c35b637b236f68f691c601256ef7_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2196 wrote to memory of 1692	2196	2024-12-22_5604c35b637b236f68f691c601256ef7_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2196 wrote to memory of 4656	2196	2024-12-22_5604c35b637b236f68f691c601256ef7_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2196 wrote to memory of 4656	2196	2024-12-22_5604c35b637b236f68f691c601256ef7_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2196 wrote to memory of 2772	2196	2024-12-22_5604c35b637b236f68f691c601256ef7_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2196 wrote to memory of 2772	2196	2024-12-22_5604c35b637b236f68f691c601256ef7_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2196 wrote to memory of 3132	2196	2024-12-22_5604c35b637b236f68f691c601256ef7_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2196 wrote to memory of 3132	2196	2024-12-22_5604c35b637b236f68f691c601256ef7_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2196 wrote to memory of 548	2196	2024-12-22_5604c35b637b236f68f691c601256ef7_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2196 wrote to memory of 548	2196	2024-12-22_5604c35b637b236f68f691c601256ef7_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2196 wrote to memory of 4616	2196	2024-12-22_5604c35b637b236f68f691c601256ef7_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2196 wrote to memory of 4616	2196	2024-12-22_5604c35b637b236f68f691c601256ef7_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2196 wrote to memory of 3332	2196	2024-12-22_5604c35b637b236f68f691c601256ef7_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2196 wrote to memory of 3332	2196	2024-12-22_5604c35b637b236f68f691c601256ef7_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2196 wrote to memory of 2804	2196	2024-12-22_5604c35b637b236f68f691c601256ef7_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2196 wrote to memory of 2804	2196	2024-12-22_5604c35b637b236f68f691c601256ef7_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2196 wrote to memory of 3436	2196	2024-12-22_5604c35b637b236f68f691c601256ef7_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2196 wrote to memory of 3436	2196	2024-12-22_5604c35b637b236f68f691c601256ef7_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2196 wrote to memory of 32	2196	2024-12-22_5604c35b637b236f68f691c601256ef7_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2196 wrote to memory of 32	2196	2024-12-22_5604c35b637b236f68f691c601256ef7_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2196 wrote to memory of 3100	2196	2024-12-22_5604c35b637b236f68f691c601256ef7_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2196 wrote to memory of 3100	2196	2024-12-22_5604c35b637b236f68f691c601256ef7_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2196 wrote to memory of 432	2196	2024-12-22_5604c35b637b236f68f691c601256ef7_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2196 wrote to memory of 432	2196	2024-12-22_5604c35b637b236f68f691c601256ef7_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2196 wrote to memory of 4408	2196	2024-12-22_5604c35b637b236f68f691c601256ef7_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2196 wrote to memory of 4408	2196	2024-12-22_5604c35b637b236f68f691c601256ef7_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2196 wrote to memory of 4000	2196	2024-12-22_5604c35b637b236f68f691c601256ef7_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2196 wrote to memory of 4000	2196	2024-12-22_5604c35b637b236f68f691c601256ef7_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2196 wrote to memory of 1440	2196	2024-12-22_5604c35b637b236f68f691c601256ef7_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2196 wrote to memory of 1440	2196	2024-12-22_5604c35b637b236f68f691c601256ef7_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2196 wrote to memory of 3544	2196	2024-12-22_5604c35b637b236f68f691c601256ef7_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2196 wrote to memory of 3544	2196	2024-12-22_5604c35b637b236f68f691c601256ef7_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2196 wrote to memory of 2308	2196	2024-12-22_5604c35b637b236f68f691c601256ef7_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 2196 wrote to memory of 2308	2196	2024-12-22_5604c35b637b236f68f691c601256ef7_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-12-22_5604c35b637b236f68f691c601256ef7_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-22_5604c35b637b236f68f691c601256ef7_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Windows\System\GjVxeqE.exe
  C:\Windows\System\GjVxeqE.exe
  2⤵
  - Executes dropped EXE
  PID:4376
- C:\Windows\System\RXaqunN.exe
  C:\Windows\System\RXaqunN.exe
  2⤵
  - Executes dropped EXE
  PID:3940
- C:\Windows\System\QSHMFui.exe
  C:\Windows\System\QSHMFui.exe
  2⤵
  - Executes dropped EXE
  PID:4216
- C:\Windows\System\AZOzBAR.exe
  C:\Windows\System\AZOzBAR.exe
  2⤵
  - Executes dropped EXE
  PID:1768
- C:\Windows\System\zUWgvtG.exe
  C:\Windows\System\zUWgvtG.exe
  2⤵
  - Executes dropped EXE
  PID:1692
- C:\Windows\System\yHgDndv.exe
  C:\Windows\System\yHgDndv.exe
  2⤵
  - Executes dropped EXE
  PID:4656
- C:\Windows\System\JrxyksD.exe
  C:\Windows\System\JrxyksD.exe
  2⤵
  - Executes dropped EXE
  PID:2772
- C:\Windows\System\nqndWAg.exe
  C:\Windows\System\nqndWAg.exe
  2⤵
  - Executes dropped EXE
  PID:3132
- C:\Windows\System\YAWMxJX.exe
  C:\Windows\System\YAWMxJX.exe
  2⤵
  - Executes dropped EXE
  PID:548
- C:\Windows\System\lvarXJY.exe
  C:\Windows\System\lvarXJY.exe
  2⤵
  - Executes dropped EXE
  PID:4616
- C:\Windows\System\XnJjkkf.exe
  C:\Windows\System\XnJjkkf.exe
  2⤵
  - Executes dropped EXE
  PID:3332
- C:\Windows\System\VumidLy.exe
  C:\Windows\System\VumidLy.exe
  2⤵
  - Executes dropped EXE
  PID:2804
- C:\Windows\System\RLwHEep.exe
  C:\Windows\System\RLwHEep.exe
  2⤵
  - Executes dropped EXE
  PID:3436
- C:\Windows\System\VJpzZcE.exe
  C:\Windows\System\VJpzZcE.exe
  2⤵
  - Executes dropped EXE
  PID:32
- C:\Windows\System\PKoTqdL.exe
  C:\Windows\System\PKoTqdL.exe
  2⤵
  - Executes dropped EXE
  PID:3100
- C:\Windows\System\EQSExkw.exe
  C:\Windows\System\EQSExkw.exe
  2⤵
  - Executes dropped EXE
  PID:432
- C:\Windows\System\hhtCMlZ.exe
  C:\Windows\System\hhtCMlZ.exe
  2⤵
  - Executes dropped EXE
  PID:4408
- C:\Windows\System\ttHnFFt.exe
  C:\Windows\System\ttHnFFt.exe
  2⤵
  - Executes dropped EXE
  PID:4000
- C:\Windows\System\ugwTvTd.exe
  C:\Windows\System\ugwTvTd.exe
  2⤵
  - Executes dropped EXE
  PID:1440
- C:\Windows\System\syzjidx.exe
  C:\Windows\System\syzjidx.exe
  2⤵
  - Executes dropped EXE
  PID:3544
- C:\Windows\System\LFFxnop.exe
  C:\Windows\System\LFFxnop.exe
  2⤵
  - Executes dropped EXE
  PID:2308

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AZOzBAR.exe

Filesize
5.2MB

MD5
5dad2c8174f7ffe4506537ff9f9dda3c

SHA1
5586f79c7bc52db95c11f0d5a2536b746d98818d

SHA256
19acf6e11a1104151b3c977198ad76547bb9497aec7f592eb9e3484361708491

SHA512
06bd42284e7b5ff9ab0e96b63257851c2d19a6a94842bb05d38753f1292fc2b92d9192176e453275621ae12005824f126d9a060b15850514292932c465d9873c

Download Submit
C:\Windows\System\EQSExkw.exe

Filesize
5.2MB

MD5
7a07e47f5b6400fc1af2c6379ad844d3

SHA1
d8a36bf22ef3ddebe9c7a8a93f84f098aca012ac

SHA256
97d5736bbee196e18e6910696b49ed2ca7afbbef37f5656c87d7a2961c4f7150

SHA512
2a41f57115f7c66b0c5b1b826339c75d9fb5638df707a32f8c50334ed73e4df7212481105fe1e422602e545b92cffb2d6dae3076e66a913871a77315e25313c8

Download Submit
C:\Windows\System\GjVxeqE.exe

Filesize
5.2MB

MD5
1505834a28c69ac8d12f6900c4481f54

SHA1
014cb0e4d4cab880c0520607557c161797462eda

SHA256
ab90ce5b1da5dfd8231646d42c222961e8a1bcfddba86005847c1360ce48f24d

SHA512
a5a6f7af3e2c0d4e652fb351c7a896f5f626e036c0656dce24302f0806ec3483333c696c7c425145377ba7d2812a148ca1a9f1d12e961b1321cd81006ea11049

Download Submit
C:\Windows\System\JrxyksD.exe

Filesize
5.2MB

MD5
3eeae91ad323e39f09a89f091965cd90

SHA1
66ead44391bbb5c1ba6b1c5ef5881990cf61206e

SHA256
7fa837a7a4561ce8034484639da538d4f0c9a36b684eac8dc560527cf0da63b4

SHA512
d32e86b0da997fc77e81b835514a4f3147bd94e20b9f6161e7d8762d81d2b6c629ba0d5440d7bc015ae8c0e2f4a94c64c243d78c143f06f9a90471add600b677

Download Submit
C:\Windows\System\LFFxnop.exe

Filesize
5.2MB

MD5
c0b1de65323d76a58ca9944f26c09b99

SHA1
a33f3dcfe2edd00c88dc0a257747c5e348ce366b

SHA256
772bfe11e9e169ebae0b00395314f8dbd90d4d9ea4c303ef6421df4f391c5562

SHA512
c8adac2df646f073b313ead18539d1346352264fb5d4ad22e561647deac9f2396a10295d26e7b240a3286f3e22873e19f5219dad0c514bf49c27f343c9406598

Download Submit
C:\Windows\System\PKoTqdL.exe

Filesize
5.2MB

MD5
84a0f23d6f449c28850fca337b3de583

SHA1
fb385346df0c1be8d358d98f13e064817398dce9

SHA256
5fb553c18bbe9ea9b37b840e0222c0ca118d5716d5a9a99d71624549d4e4f9bf

SHA512
39c26a42fb544e65691f00d166d9e94d77de19b649affbea44407e78e5e75e55e437f744c0824168dfdfa4d0b17cf0295541a8997cdccb097fc9178f75f658e2

Download Submit
C:\Windows\System\QSHMFui.exe

Filesize
5.2MB

MD5
81e087791be5baa99dc717e792fc0280

SHA1
1d5990e0eb372c784242777ae1e9a8f2717828ad

SHA256
09557705a2f948f57bb28dc5bd399dd024296bb73a1dab35a9d9c1cb61fc96a3

SHA512
4d224af6706df772d9c74c21b9b713c47a1be2189e01c2424300d6fd5cb42f2ef88b9471699614461f183a4cc5ee9892a9486e8abb01699d2115634ef6311ced

Download Submit
C:\Windows\System\RLwHEep.exe

Filesize
5.2MB

MD5
59cbcace84ccc05d1a03bc8b9629423b

SHA1
72912a5c61e69141502e38cb573e8e9f6fe7e1ae

SHA256
8fcda0e196281610e9a29b86a10812ae0ca24dce7df7e7b65b00c0532d27ff23

SHA512
dec58ada6ae9da23ee53900848afe4c38c710416cf6a9a618297b44d8846793d6a4c1df661fcc99d4060f59bdba733b6340c9ac7bf4cd077b16ba6db63908e8f

Download Submit
C:\Windows\System\RXaqunN.exe

Filesize
5.2MB

MD5
e70849f1dd65ae9b82a5225e6b2c3bec

SHA1
bc7fb1567ee8b5af14983d67a870b17cbabc1a3c

SHA256
6ebacdd323169187b011632476c5df266acaf0fa42461a6630caa223b3b07bc8

SHA512
75ba0d73afc1c714eb238d6530e8514d27a3ad67ffdfc4ea233649b64bd45ec8f4af80618c4f04e09a314a6a01436e8385f6326d7e2fde91c129b545acfaaa12

Download Submit
C:\Windows\System\VJpzZcE.exe

Filesize
5.2MB

MD5
d36ff3c93ef9f3f2e96fdd6819dc5905

SHA1
b46488a4291cb784aa3fc8b8469d22a4755510bd

SHA256
51522acf7e6596c5c4fbb5418aba71beb3531984c76dd42885574d0b811e4994

SHA512
2ce9308875ac913c065714e64eb448ca2a4cbbaab008d369f1a89e84d342d278e34cbfbd8b91a8651d45c4901fa243f6fab7d2315fad19305bc9da94b65e6ffa

Download Submit
C:\Windows\System\VumidLy.exe

Filesize
5.2MB

MD5
965e00ca1b5f657fe66bd1d9ae3a4f2d

SHA1
5b822c31ba443e5d64a403483758d373edc06fed

SHA256
65edfcc9919c800a7b9f52850afe0a0c7ed94ae26787423c3e522c14549da474

SHA512
fe9a9ee0f917fe784b80bc8f30730fb247ed8af52220b5015e8c1d6131996bec28343be8eb2b33e9314fdb515619319d61de90299dbc4d0766018689b833015b

Download Submit
C:\Windows\System\XnJjkkf.exe

Filesize
5.2MB

MD5
14ea18cc36a36fc0d60900b74fc1ad66

SHA1
eabb3611661e7da6358465948d8bbc83e37c29f7

SHA256
45704ca0ccd6bdd0be5f7b27e49b74c6fc7d2cca738e8bb3d3046f49a1725431

SHA512
5d5b93ecdf22910bf4204a7b1189b5561b97200509df2ffc301c1551b651b0de0f34d6d6af3758f1d2c952b0ae05c406bd6d1263f120fd703d6b118f964760a3

Download Submit
C:\Windows\System\YAWMxJX.exe

Filesize
5.2MB

MD5
4c444cdee3b45cf5439fbb4a81c59a6b

SHA1
7a8d632766db0d82b7fb0d8fc84443ffc2aa27db

SHA256
079757a86f13cc9ce3149902c56042581836531583864ea84065b470e77f7904

SHA512
dc8a58a6123fd55e3a4f6b220152022acaf486c045ae1036e1e483228f48e97ed6a63d62b595330939dbec63e8238e7bbb8227da8c824fd1d64504da2fe0920a

Download Submit
C:\Windows\System\hhtCMlZ.exe

Filesize
5.2MB

MD5
d4a6310080ee3fb0aed64ebacc99b82d

SHA1
2aea3171a4f3646004e067ba888d48cb6f61db18

SHA256
37cd1739fa9c0b4e6d5cbd20d71cf779404ecc43fbebd74f117b035c2b5ea0ea

SHA512
3eae0a028bdb6cab4760b4d5deae7a33e093d48f78938811bf2564c0e5e147611a4709d591dfb137289593a5034fe4fe34e2f46fb88ea12f7d4d9eb4f30e5fee

Download Submit
C:\Windows\System\lvarXJY.exe

Filesize
5.2MB

MD5
a8bfa4fa3d777efb38f4789c599799c6

SHA1
043954ae3b6496dae18cb9e7a137a85f8c37398e

SHA256
1f80f4db112e6d9a8d68552f4396c468631921a61084d372811ebdd5fefe011b

SHA512
7ef15f9e877cd70764a32bec7207fe4dcad52cc75e5f859be6d9476cd298c0d58dcbac7581b026ab23d63668dd958b310d3a664b6193ebb28c37ce8900dc2d22

Download Submit
C:\Windows\System\nqndWAg.exe

Filesize
5.2MB

MD5
92496073045efa01476103b7a1bd22c9

SHA1
1cc6dd7257cf518fd1fa0ef5c78fabd33a6c2733

SHA256
7c5a317f5735f36198dd4f7e35de7bcda52d53f5595d0e85487396bb15bf55f8

SHA512
35cfffe0f4c1046f4a55f30e52b0ec36afe3778353378dc694967a2242420ba2c47a0fa4701aafd3c00124300b91bf912a53d6a3f9c51fa389df00a54cf44cd9

Download Submit
C:\Windows\System\syzjidx.exe

Filesize
5.2MB

MD5
c1369bcee680be3fba803b3cfb5a0ff9

SHA1
e14d6e3af870d9402e6096f43e71814686653f3c

SHA256
db27334133a4effa490b505445c37030e6f1dc81b341a415849ff86664eb9160

SHA512
ba10a3de02c4a42d9d633fbd7b8918af0bbf0a058c96d8d99004aa4d6128750227cd5fce541a5580fbd541991c17ceb72ab7cffcbb0c15aa1d78ec6112ed21d8

Download Submit
C:\Windows\System\ttHnFFt.exe

Filesize
5.2MB

MD5
86e18b62c20f9a89f1a3d9cff10b6805

SHA1
17f95cc82fd75e6fdda8d0e574940820b714f8c4

SHA256
dc4fbaa395023969209ce46f80b22abeb8cae7a0b2f69a8dc90d7b0c25a75a3f

SHA512
f480e029b4b034a003774c53b6e447e88bfbc098fb9bc3263fff24098e956ae1cd3a051e0a5e1af9bc7223b0a84f4565373c78dfad389796b3abde739d1efe4a

Download Submit
C:\Windows\System\ugwTvTd.exe

Filesize
5.2MB

MD5
e122b9e49e15f823f8440b4141dc73f5

SHA1
ac5f1a78f6224c5727bbc4e4692b651ae7c7329b

SHA256
80d7369c459615c3f54ef22980c2313b3ff028ec4f28e882dd1951b3d0748b39

SHA512
51a56d4d2eebc7515fd753e69a20242233c3f7cd5b8e5906ee6e76cddf98396c5fed82682f4f13436b953c775ca2d5a1c9179c05be38ddfd80d41802d55edd50

Download Submit
C:\Windows\System\yHgDndv.exe

Filesize
5.2MB

MD5
f83333d1bd9cfa17d12c801ca1c7090d

SHA1
ba1fe7de8bdfb859de616edaa5156b573954feda

SHA256
8735fb9b6c9992c9abcd30a66d5f2f88352b5c8d67eeb92b8d592775da1707b1

SHA512
c318229733a90f6ac21e31688c7e635a411297a05e4abdae7920869ca657388eca0ca75f8d52fec1d4c0544acbdf4ba13fc45cf7624306dcb9d83a6f0d70c9ec

Download Submit
C:\Windows\System\zUWgvtG.exe

Filesize
5.2MB

MD5
c5a4316c92927cea8d14f509786121ec

SHA1
414828e15e13282d584c973f6ae94e75edf05d17

SHA256
af0db5b201cd20bfa6b2271c9128ddfb73600d77f3a3262211671519b5a95d46

SHA512
1b4c096a2db96d32a015bf98741240e8b6ff4203fdf470681b2bb7828db3aa47c1c6f891b15d621635345fbaa56fd2949445237ad50259ebb543ff186f5fabeb

Download Submit
memory/32-249-0x00007FF6FED20000-0x00007FF6FF071000-memory.dmp

Filesize
3.3MB

Download
memory/32-113-0x00007FF6FED20000-0x00007FF6FF071000-memory.dmp

Filesize
3.3MB

Download
memory/432-119-0x00007FF7FFB80000-0x00007FF7FFED1000-memory.dmp

Filesize
3.3MB

Download
memory/432-247-0x00007FF7FFB80000-0x00007FF7FFED1000-memory.dmp

Filesize
3.3MB

Download
memory/548-66-0x00007FF6C3180000-0x00007FF6C34D1000-memory.dmp

Filesize
3.3MB

Download
memory/548-142-0x00007FF6C3180000-0x00007FF6C34D1000-memory.dmp

Filesize
3.3MB

Download
memory/548-240-0x00007FF6C3180000-0x00007FF6C34D1000-memory.dmp

Filesize
3.3MB

Download
memory/1440-255-0x00007FF673FA0000-0x00007FF6742F1000-memory.dmp

Filesize
3.3MB

Download
memory/1440-124-0x00007FF673FA0000-0x00007FF6742F1000-memory.dmp

Filesize
3.3MB

Download
memory/1692-138-0x00007FF7590F0000-0x00007FF759441000-memory.dmp

Filesize
3.3MB

Download
memory/1692-31-0x00007FF7590F0000-0x00007FF759441000-memory.dmp

Filesize
3.3MB

Download
memory/1692-228-0x00007FF7590F0000-0x00007FF759441000-memory.dmp

Filesize
3.3MB

Download
memory/1768-132-0x00007FF6888B0000-0x00007FF688C01000-memory.dmp

Filesize
3.3MB

Download
memory/1768-213-0x00007FF6888B0000-0x00007FF688C01000-memory.dmp

Filesize
3.3MB

Download
memory/1768-24-0x00007FF6888B0000-0x00007FF688C01000-memory.dmp

Filesize
3.3MB

Download
memory/2196-0-0x00007FF728460000-0x00007FF7287B1000-memory.dmp

Filesize
3.3MB

Download
memory/2196-1-0x00000200D0660000-0x00000200D0670000-memory.dmp

Filesize
64KB

Download
memory/2196-156-0x00007FF728460000-0x00007FF7287B1000-memory.dmp

Filesize
3.3MB

Download
memory/2196-133-0x00007FF728460000-0x00007FF7287B1000-memory.dmp

Filesize
3.3MB

Download
memory/2196-53-0x00007FF728460000-0x00007FF7287B1000-memory.dmp

Filesize
3.3MB

Download
memory/2308-131-0x00007FF73C0E0000-0x00007FF73C431000-memory.dmp

Filesize
3.3MB

Download
memory/2308-253-0x00007FF73C0E0000-0x00007FF73C431000-memory.dmp

Filesize
3.3MB

Download
memory/2772-232-0x00007FF71ADD0000-0x00007FF71B121000-memory.dmp

Filesize
3.3MB

Download
memory/2772-45-0x00007FF71ADD0000-0x00007FF71B121000-memory.dmp

Filesize
3.3MB

Download
memory/2772-140-0x00007FF71ADD0000-0x00007FF71B121000-memory.dmp

Filesize
3.3MB

Download
memory/2804-251-0x00007FF63A9C0000-0x00007FF63AD11000-memory.dmp

Filesize
3.3MB

Download
memory/2804-88-0x00007FF63A9C0000-0x00007FF63AD11000-memory.dmp

Filesize
3.3MB

Download
memory/2804-146-0x00007FF63A9C0000-0x00007FF63AD11000-memory.dmp

Filesize
3.3MB

Download
memory/3100-97-0x00007FF7E6AC0000-0x00007FF7E6E11000-memory.dmp

Filesize
3.3MB

Download
memory/3100-257-0x00007FF7E6AC0000-0x00007FF7E6E11000-memory.dmp

Filesize
3.3MB

Download
memory/3100-149-0x00007FF7E6AC0000-0x00007FF7E6E11000-memory.dmp

Filesize
3.3MB

Download
memory/3132-143-0x00007FF6D8BE0000-0x00007FF6D8F31000-memory.dmp

Filesize
3.3MB

Download
memory/3132-46-0x00007FF6D8BE0000-0x00007FF6D8F31000-memory.dmp

Filesize
3.3MB

Download
memory/3132-234-0x00007FF6D8BE0000-0x00007FF6D8F31000-memory.dmp

Filesize
3.3MB

Download
memory/3332-236-0x00007FF6E46D0000-0x00007FF6E4A21000-memory.dmp

Filesize
3.3MB

Download
memory/3332-86-0x00007FF6E46D0000-0x00007FF6E4A21000-memory.dmp

Filesize
3.3MB

Download
memory/3436-242-0x00007FF7964E0000-0x00007FF796831000-memory.dmp

Filesize
3.3MB

Download
memory/3436-109-0x00007FF7964E0000-0x00007FF796831000-memory.dmp

Filesize
3.3MB

Download
memory/3544-263-0x00007FF7A54C0000-0x00007FF7A5811000-memory.dmp

Filesize
3.3MB

Download
memory/3544-130-0x00007FF7A54C0000-0x00007FF7A5811000-memory.dmp

Filesize
3.3MB

Download
memory/3940-14-0x00007FF736430000-0x00007FF736781000-memory.dmp

Filesize
3.3MB

Download
memory/3940-209-0x00007FF736430000-0x00007FF736781000-memory.dmp

Filesize
3.3MB

Download
memory/3940-105-0x00007FF736430000-0x00007FF736781000-memory.dmp

Filesize
3.3MB

Download
memory/4000-126-0x00007FF7B4B60000-0x00007FF7B4EB1000-memory.dmp

Filesize
3.3MB

Download
memory/4000-259-0x00007FF7B4B60000-0x00007FF7B4EB1000-memory.dmp

Filesize
3.3MB

Download
memory/4216-129-0x00007FF748480000-0x00007FF7487D1000-memory.dmp

Filesize
3.3MB

Download
memory/4216-211-0x00007FF748480000-0x00007FF7487D1000-memory.dmp

Filesize
3.3MB

Download
memory/4216-18-0x00007FF748480000-0x00007FF7487D1000-memory.dmp

Filesize
3.3MB

Download
memory/4376-207-0x00007FF684300000-0x00007FF684651000-memory.dmp

Filesize
3.3MB

Download
memory/4376-11-0x00007FF684300000-0x00007FF684651000-memory.dmp

Filesize
3.3MB

Download
memory/4376-55-0x00007FF684300000-0x00007FF684651000-memory.dmp

Filesize
3.3MB

Download
memory/4408-120-0x00007FF6A25C0000-0x00007FF6A2911000-memory.dmp

Filesize
3.3MB

Download
memory/4408-261-0x00007FF6A25C0000-0x00007FF6A2911000-memory.dmp

Filesize
3.3MB

Download
memory/4616-238-0x00007FF747540000-0x00007FF747891000-memory.dmp

Filesize
3.3MB

Download
memory/4616-78-0x00007FF747540000-0x00007FF747891000-memory.dmp

Filesize
3.3MB

Download
memory/4616-144-0x00007FF747540000-0x00007FF747891000-memory.dmp

Filesize
3.3MB

Download
memory/4656-38-0x00007FF6A3720000-0x00007FF6A3A71000-memory.dmp

Filesize
3.3MB

Download
memory/4656-139-0x00007FF6A3720000-0x00007FF6A3A71000-memory.dmp

Filesize
3.3MB

Download
memory/4656-230-0x00007FF6A3720000-0x00007FF6A3A71000-memory.dmp

Filesize
3.3MB

Download