cobaltstrike | 3082e3a62c7d86815094493d7958d8c739f7a02770ba06e0dab7998fc4261eb5

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 05:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-22_affb5ab11ba8331f8dcaee2929210cca_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

affb5ab11ba8331f8dcaee2929210cca
SHA1

605e08735c9cd2c38cb653ebe0369c1a6c5e5ebb
SHA256

3082e3a62c7d86815094493d7958d8c739f7a02770ba06e0dab7998fc4261eb5
SHA512

5cd43c81432bc69a5a002c8d693a3fb201c27554f3f63969890aa8d663686442a6e3c70b0113d2fcd24a3e1fb6fb5861def0a1255217ddf473ff2a489934bf67
SSDEEP

49152:ROdWCCi7/raN56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lu:RWWBib+56utgpPFotBER/mQ32lU6

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000c000000023b6c-5.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c65-9.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023c59-10.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023c5a-24.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c66-30.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c67-34.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c68-41.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c69-49.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c6b-63.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c6a-56.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c6c-68.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c6f-74.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c70-84.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c72-93.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c74-103.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c75-118.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c77-129.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c78-136.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c76-127.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c73-106.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c71-97.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 46 IoCs

miner

resource	yara_rule
behavioral2/memory/4520-14-0x00007FF789500000-0x00007FF789851000-memory.dmp	xmrig
behavioral2/memory/2840-46-0x00007FF6A46B0000-0x00007FF6A4A01000-memory.dmp	xmrig
behavioral2/memory/2232-59-0x00007FF769C70000-0x00007FF769FC1000-memory.dmp	xmrig
behavioral2/memory/2172-60-0x00007FF6FFC30000-0x00007FF6FFF81000-memory.dmp	xmrig
behavioral2/memory/4520-65-0x00007FF789500000-0x00007FF789851000-memory.dmp	xmrig
behavioral2/memory/456-123-0x00007FF6F20A0000-0x00007FF6F23F1000-memory.dmp	xmrig
behavioral2/memory/5112-116-0x00007FF7C5A00000-0x00007FF7C5D51000-memory.dmp	xmrig
behavioral2/memory/1160-115-0x00007FF7B5880000-0x00007FF7B5BD1000-memory.dmp	xmrig
behavioral2/memory/1216-92-0x00007FF761560000-0x00007FF7618B1000-memory.dmp	xmrig
behavioral2/memory/4292-91-0x00007FF654F70000-0x00007FF6552C1000-memory.dmp	xmrig
behavioral2/memory/2084-82-0x00007FF706EE0000-0x00007FF707231000-memory.dmp	xmrig
behavioral2/memory/4424-75-0x00007FF72EDA0000-0x00007FF72F0F1000-memory.dmp	xmrig
behavioral2/memory/1668-73-0x00007FF78AC80000-0x00007FF78AFD1000-memory.dmp	xmrig
behavioral2/memory/2232-138-0x00007FF769C70000-0x00007FF769FC1000-memory.dmp	xmrig
behavioral2/memory/1792-150-0x00007FF7EBBC0000-0x00007FF7EBF11000-memory.dmp	xmrig
behavioral2/memory/1416-151-0x00007FF62E5B0000-0x00007FF62E901000-memory.dmp	xmrig
behavioral2/memory/3376-152-0x00007FF7ED180000-0x00007FF7ED4D1000-memory.dmp	xmrig
behavioral2/memory/1580-153-0x00007FF7D1460000-0x00007FF7D17B1000-memory.dmp	xmrig
behavioral2/memory/4088-162-0x00007FF7CA7E0000-0x00007FF7CAB31000-memory.dmp	xmrig
behavioral2/memory/3532-161-0x00007FF6AEE90000-0x00007FF6AF1E1000-memory.dmp	xmrig
behavioral2/memory/1328-160-0x00007FF76B9B0000-0x00007FF76BD01000-memory.dmp	xmrig
behavioral2/memory/2308-163-0x00007FF62DDB0000-0x00007FF62E101000-memory.dmp	xmrig
behavioral2/memory/2096-165-0x00007FF6B1E20000-0x00007FF6B2171000-memory.dmp	xmrig
behavioral2/memory/1640-164-0x00007FF60C1D0000-0x00007FF60C521000-memory.dmp	xmrig
behavioral2/memory/2232-166-0x00007FF769C70000-0x00007FF769FC1000-memory.dmp	xmrig
behavioral2/memory/2172-215-0x00007FF6FFC30000-0x00007FF6FFF81000-memory.dmp	xmrig
behavioral2/memory/4520-217-0x00007FF789500000-0x00007FF789851000-memory.dmp	xmrig
behavioral2/memory/4424-227-0x00007FF72EDA0000-0x00007FF72F0F1000-memory.dmp	xmrig
behavioral2/memory/2084-229-0x00007FF706EE0000-0x00007FF707231000-memory.dmp	xmrig
behavioral2/memory/4292-231-0x00007FF654F70000-0x00007FF6552C1000-memory.dmp	xmrig
behavioral2/memory/2840-234-0x00007FF6A46B0000-0x00007FF6A4A01000-memory.dmp	xmrig
behavioral2/memory/1216-235-0x00007FF761560000-0x00007FF7618B1000-memory.dmp	xmrig
behavioral2/memory/456-237-0x00007FF6F20A0000-0x00007FF6F23F1000-memory.dmp	xmrig
behavioral2/memory/5112-241-0x00007FF7C5A00000-0x00007FF7C5D51000-memory.dmp	xmrig
behavioral2/memory/1160-240-0x00007FF7B5880000-0x00007FF7B5BD1000-memory.dmp	xmrig
behavioral2/memory/1668-253-0x00007FF78AC80000-0x00007FF78AFD1000-memory.dmp	xmrig
behavioral2/memory/1792-255-0x00007FF7EBBC0000-0x00007FF7EBF11000-memory.dmp	xmrig
behavioral2/memory/1416-257-0x00007FF62E5B0000-0x00007FF62E901000-memory.dmp	xmrig
behavioral2/memory/3376-259-0x00007FF7ED180000-0x00007FF7ED4D1000-memory.dmp	xmrig
behavioral2/memory/3532-263-0x00007FF6AEE90000-0x00007FF6AF1E1000-memory.dmp	xmrig
behavioral2/memory/1580-261-0x00007FF7D1460000-0x00007FF7D17B1000-memory.dmp	xmrig
behavioral2/memory/4088-265-0x00007FF7CA7E0000-0x00007FF7CAB31000-memory.dmp	xmrig
behavioral2/memory/1328-270-0x00007FF76B9B0000-0x00007FF76BD01000-memory.dmp	xmrig
behavioral2/memory/1640-273-0x00007FF60C1D0000-0x00007FF60C521000-memory.dmp	xmrig
behavioral2/memory/2096-272-0x00007FF6B1E20000-0x00007FF6B2171000-memory.dmp	xmrig
behavioral2/memory/2308-268-0x00007FF62DDB0000-0x00007FF62E101000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2172	FGVeJWo.exe
4520	GQoMkXG.exe
4424	HuCfkFb.exe
2084	dqIsTrh.exe
4292	sfFXsJJ.exe
1216	OlgkoGT.exe
2840	IlnrkKb.exe
1160	snHwFiy.exe
5112	ReIQHSF.exe
456	LhxrohS.exe
1668	XPtRZRd.exe
1792	sqFnJdj.exe
1416	YYSFkAq.exe
3376	euKoUnh.exe
1580	JfVGhkl.exe
3532	cHkCQrr.exe
4088	EajpVRl.exe
1328	lCtyvFU.exe
2308	cGPwRzQ.exe
1640	mrPMWqG.exe
2096	XgoyvWn.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2232-0-0x00007FF769C70000-0x00007FF769FC1000-memory.dmp	upx
behavioral2/files/0x000c000000023b6c-5.dat	upx
behavioral2/files/0x0007000000023c65-9.dat	upx
behavioral2/files/0x0009000000023c59-10.dat	upx
behavioral2/memory/2172-12-0x00007FF6FFC30000-0x00007FF6FFF81000-memory.dmp	upx
behavioral2/memory/4520-14-0x00007FF789500000-0x00007FF789851000-memory.dmp	upx
behavioral2/memory/4424-19-0x00007FF72EDA0000-0x00007FF72F0F1000-memory.dmp	upx
behavioral2/files/0x0009000000023c5a-24.dat	upx
behavioral2/files/0x0007000000023c66-30.dat	upx
behavioral2/files/0x0007000000023c67-34.dat	upx
behavioral2/files/0x0007000000023c68-41.dat	upx
behavioral2/memory/2840-46-0x00007FF6A46B0000-0x00007FF6A4A01000-memory.dmp	upx
behavioral2/files/0x0007000000023c69-49.dat	upx
behavioral2/memory/2232-59-0x00007FF769C70000-0x00007FF769FC1000-memory.dmp	upx
behavioral2/memory/456-61-0x00007FF6F20A0000-0x00007FF6F23F1000-memory.dmp	upx
behavioral2/files/0x0007000000023c6b-63.dat	upx
behavioral2/memory/2172-60-0x00007FF6FFC30000-0x00007FF6FFF81000-memory.dmp	upx
behavioral2/files/0x0007000000023c6a-56.dat	upx
behavioral2/memory/5112-53-0x00007FF7C5A00000-0x00007FF7C5D51000-memory.dmp	upx
behavioral2/memory/1160-51-0x00007FF7B5880000-0x00007FF7B5BD1000-memory.dmp	upx
behavioral2/memory/1216-45-0x00007FF761560000-0x00007FF7618B1000-memory.dmp	upx
behavioral2/memory/4292-33-0x00007FF654F70000-0x00007FF6552C1000-memory.dmp	upx
behavioral2/memory/2084-26-0x00007FF706EE0000-0x00007FF707231000-memory.dmp	upx
behavioral2/memory/4520-65-0x00007FF789500000-0x00007FF789851000-memory.dmp	upx
behavioral2/files/0x0007000000023c6c-68.dat	upx
behavioral2/files/0x0007000000023c6f-74.dat	upx
behavioral2/memory/1416-83-0x00007FF62E5B0000-0x00007FF62E901000-memory.dmp	upx
behavioral2/files/0x0007000000023c70-84.dat	upx
behavioral2/files/0x0007000000023c72-93.dat	upx
behavioral2/files/0x0007000000023c74-103.dat	upx
behavioral2/memory/4088-111-0x00007FF7CA7E0000-0x00007FF7CAB31000-memory.dmp	upx
behavioral2/files/0x0007000000023c75-118.dat	upx
behavioral2/memory/2308-124-0x00007FF62DDB0000-0x00007FF62E101000-memory.dmp	upx
behavioral2/files/0x0007000000023c77-129.dat	upx
behavioral2/files/0x0007000000023c78-136.dat	upx
behavioral2/memory/2096-135-0x00007FF6B1E20000-0x00007FF6B2171000-memory.dmp	upx
behavioral2/memory/1640-131-0x00007FF60C1D0000-0x00007FF60C521000-memory.dmp	upx
behavioral2/files/0x0007000000023c76-127.dat	upx
behavioral2/memory/456-123-0x00007FF6F20A0000-0x00007FF6F23F1000-memory.dmp	upx
behavioral2/memory/1328-117-0x00007FF76B9B0000-0x00007FF76BD01000-memory.dmp	upx
behavioral2/memory/5112-116-0x00007FF7C5A00000-0x00007FF7C5D51000-memory.dmp	upx
behavioral2/memory/1160-115-0x00007FF7B5880000-0x00007FF7B5BD1000-memory.dmp	upx
behavioral2/memory/3532-104-0x00007FF6AEE90000-0x00007FF6AF1E1000-memory.dmp	upx
behavioral2/files/0x0007000000023c73-106.dat	upx
behavioral2/memory/1580-98-0x00007FF7D1460000-0x00007FF7D17B1000-memory.dmp	upx
behavioral2/files/0x0007000000023c71-97.dat	upx
behavioral2/memory/3376-96-0x00007FF7ED180000-0x00007FF7ED4D1000-memory.dmp	upx
behavioral2/memory/1216-92-0x00007FF761560000-0x00007FF7618B1000-memory.dmp	upx
behavioral2/memory/4292-91-0x00007FF654F70000-0x00007FF6552C1000-memory.dmp	upx
behavioral2/memory/2084-82-0x00007FF706EE0000-0x00007FF707231000-memory.dmp	upx
behavioral2/memory/1792-76-0x00007FF7EBBC0000-0x00007FF7EBF11000-memory.dmp	upx
behavioral2/memory/4424-75-0x00007FF72EDA0000-0x00007FF72F0F1000-memory.dmp	upx
behavioral2/memory/1668-73-0x00007FF78AC80000-0x00007FF78AFD1000-memory.dmp	upx
behavioral2/memory/2232-138-0x00007FF769C70000-0x00007FF769FC1000-memory.dmp	upx
behavioral2/memory/1792-150-0x00007FF7EBBC0000-0x00007FF7EBF11000-memory.dmp	upx
behavioral2/memory/1416-151-0x00007FF62E5B0000-0x00007FF62E901000-memory.dmp	upx
behavioral2/memory/3376-152-0x00007FF7ED180000-0x00007FF7ED4D1000-memory.dmp	upx
behavioral2/memory/1580-153-0x00007FF7D1460000-0x00007FF7D17B1000-memory.dmp	upx
behavioral2/memory/4088-162-0x00007FF7CA7E0000-0x00007FF7CAB31000-memory.dmp	upx
behavioral2/memory/3532-161-0x00007FF6AEE90000-0x00007FF6AF1E1000-memory.dmp	upx
behavioral2/memory/1328-160-0x00007FF76B9B0000-0x00007FF76BD01000-memory.dmp	upx
behavioral2/memory/2308-163-0x00007FF62DDB0000-0x00007FF62E101000-memory.dmp	upx
behavioral2/memory/2096-165-0x00007FF6B1E20000-0x00007FF6B2171000-memory.dmp	upx
behavioral2/memory/1640-164-0x00007FF60C1D0000-0x00007FF60C521000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\sfFXsJJ.exe	2024-12-22_affb5ab11ba8331f8dcaee2929210cca_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\snHwFiy.exe	2024-12-22_affb5ab11ba8331f8dcaee2929210cca_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LhxrohS.exe	2024-12-22_affb5ab11ba8331f8dcaee2929210cca_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JfVGhkl.exe	2024-12-22_affb5ab11ba8331f8dcaee2929210cca_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cGPwRzQ.exe	2024-12-22_affb5ab11ba8331f8dcaee2929210cca_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OlgkoGT.exe	2024-12-22_affb5ab11ba8331f8dcaee2929210cca_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\euKoUnh.exe	2024-12-22_affb5ab11ba8331f8dcaee2929210cca_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cHkCQrr.exe	2024-12-22_affb5ab11ba8331f8dcaee2929210cca_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EajpVRl.exe	2024-12-22_affb5ab11ba8331f8dcaee2929210cca_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lCtyvFU.exe	2024-12-22_affb5ab11ba8331f8dcaee2929210cca_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GQoMkXG.exe	2024-12-22_affb5ab11ba8331f8dcaee2929210cca_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IlnrkKb.exe	2024-12-22_affb5ab11ba8331f8dcaee2929210cca_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sqFnJdj.exe	2024-12-22_affb5ab11ba8331f8dcaee2929210cca_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YYSFkAq.exe	2024-12-22_affb5ab11ba8331f8dcaee2929210cca_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FGVeJWo.exe	2024-12-22_affb5ab11ba8331f8dcaee2929210cca_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HuCfkFb.exe	2024-12-22_affb5ab11ba8331f8dcaee2929210cca_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dqIsTrh.exe	2024-12-22_affb5ab11ba8331f8dcaee2929210cca_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ReIQHSF.exe	2024-12-22_affb5ab11ba8331f8dcaee2929210cca_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XPtRZRd.exe	2024-12-22_affb5ab11ba8331f8dcaee2929210cca_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mrPMWqG.exe	2024-12-22_affb5ab11ba8331f8dcaee2929210cca_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XgoyvWn.exe	2024-12-22_affb5ab11ba8331f8dcaee2929210cca_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2232	2024-12-22_affb5ab11ba8331f8dcaee2929210cca_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2232	2024-12-22_affb5ab11ba8331f8dcaee2929210cca_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 2172	2232	2024-12-22_affb5ab11ba8331f8dcaee2929210cca_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2232 wrote to memory of 2172	2232	2024-12-22_affb5ab11ba8331f8dcaee2929210cca_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2232 wrote to memory of 4520	2232	2024-12-22_affb5ab11ba8331f8dcaee2929210cca_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2232 wrote to memory of 4520	2232	2024-12-22_affb5ab11ba8331f8dcaee2929210cca_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2232 wrote to memory of 4424	2232	2024-12-22_affb5ab11ba8331f8dcaee2929210cca_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2232 wrote to memory of 4424	2232	2024-12-22_affb5ab11ba8331f8dcaee2929210cca_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2232 wrote to memory of 2084	2232	2024-12-22_affb5ab11ba8331f8dcaee2929210cca_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2232 wrote to memory of 2084	2232	2024-12-22_affb5ab11ba8331f8dcaee2929210cca_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2232 wrote to memory of 4292	2232	2024-12-22_affb5ab11ba8331f8dcaee2929210cca_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2232 wrote to memory of 4292	2232	2024-12-22_affb5ab11ba8331f8dcaee2929210cca_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2232 wrote to memory of 1216	2232	2024-12-22_affb5ab11ba8331f8dcaee2929210cca_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2232 wrote to memory of 1216	2232	2024-12-22_affb5ab11ba8331f8dcaee2929210cca_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2232 wrote to memory of 2840	2232	2024-12-22_affb5ab11ba8331f8dcaee2929210cca_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2232 wrote to memory of 2840	2232	2024-12-22_affb5ab11ba8331f8dcaee2929210cca_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2232 wrote to memory of 1160	2232	2024-12-22_affb5ab11ba8331f8dcaee2929210cca_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2232 wrote to memory of 1160	2232	2024-12-22_affb5ab11ba8331f8dcaee2929210cca_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2232 wrote to memory of 5112	2232	2024-12-22_affb5ab11ba8331f8dcaee2929210cca_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2232 wrote to memory of 5112	2232	2024-12-22_affb5ab11ba8331f8dcaee2929210cca_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2232 wrote to memory of 456	2232	2024-12-22_affb5ab11ba8331f8dcaee2929210cca_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2232 wrote to memory of 456	2232	2024-12-22_affb5ab11ba8331f8dcaee2929210cca_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2232 wrote to memory of 1668	2232	2024-12-22_affb5ab11ba8331f8dcaee2929210cca_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2232 wrote to memory of 1668	2232	2024-12-22_affb5ab11ba8331f8dcaee2929210cca_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2232 wrote to memory of 1792	2232	2024-12-22_affb5ab11ba8331f8dcaee2929210cca_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2232 wrote to memory of 1792	2232	2024-12-22_affb5ab11ba8331f8dcaee2929210cca_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2232 wrote to memory of 1416	2232	2024-12-22_affb5ab11ba8331f8dcaee2929210cca_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2232 wrote to memory of 1416	2232	2024-12-22_affb5ab11ba8331f8dcaee2929210cca_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2232 wrote to memory of 3376	2232	2024-12-22_affb5ab11ba8331f8dcaee2929210cca_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2232 wrote to memory of 3376	2232	2024-12-22_affb5ab11ba8331f8dcaee2929210cca_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2232 wrote to memory of 1580	2232	2024-12-22_affb5ab11ba8331f8dcaee2929210cca_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2232 wrote to memory of 1580	2232	2024-12-22_affb5ab11ba8331f8dcaee2929210cca_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2232 wrote to memory of 3532	2232	2024-12-22_affb5ab11ba8331f8dcaee2929210cca_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2232 wrote to memory of 3532	2232	2024-12-22_affb5ab11ba8331f8dcaee2929210cca_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2232 wrote to memory of 4088	2232	2024-12-22_affb5ab11ba8331f8dcaee2929210cca_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2232 wrote to memory of 4088	2232	2024-12-22_affb5ab11ba8331f8dcaee2929210cca_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2232 wrote to memory of 1328	2232	2024-12-22_affb5ab11ba8331f8dcaee2929210cca_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2232 wrote to memory of 1328	2232	2024-12-22_affb5ab11ba8331f8dcaee2929210cca_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2232 wrote to memory of 2308	2232	2024-12-22_affb5ab11ba8331f8dcaee2929210cca_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2232 wrote to memory of 2308	2232	2024-12-22_affb5ab11ba8331f8dcaee2929210cca_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2232 wrote to memory of 1640	2232	2024-12-22_affb5ab11ba8331f8dcaee2929210cca_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2232 wrote to memory of 1640	2232	2024-12-22_affb5ab11ba8331f8dcaee2929210cca_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2232 wrote to memory of 2096	2232	2024-12-22_affb5ab11ba8331f8dcaee2929210cca_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 2232 wrote to memory of 2096	2232	2024-12-22_affb5ab11ba8331f8dcaee2929210cca_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-12-22_affb5ab11ba8331f8dcaee2929210cca_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-22_affb5ab11ba8331f8dcaee2929210cca_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Windows\System\FGVeJWo.exe
  C:\Windows\System\FGVeJWo.exe
  2⤵
  - Executes dropped EXE
  PID:2172
- C:\Windows\System\GQoMkXG.exe
  C:\Windows\System\GQoMkXG.exe
  2⤵
  - Executes dropped EXE
  PID:4520
- C:\Windows\System\HuCfkFb.exe
  C:\Windows\System\HuCfkFb.exe
  2⤵
  - Executes dropped EXE
  PID:4424
- C:\Windows\System\dqIsTrh.exe
  C:\Windows\System\dqIsTrh.exe
  2⤵
  - Executes dropped EXE
  PID:2084
- C:\Windows\System\sfFXsJJ.exe
  C:\Windows\System\sfFXsJJ.exe
  2⤵
  - Executes dropped EXE
  PID:4292
- C:\Windows\System\OlgkoGT.exe
  C:\Windows\System\OlgkoGT.exe
  2⤵
  - Executes dropped EXE
  PID:1216
- C:\Windows\System\IlnrkKb.exe
  C:\Windows\System\IlnrkKb.exe
  2⤵
  - Executes dropped EXE
  PID:2840
- C:\Windows\System\snHwFiy.exe
  C:\Windows\System\snHwFiy.exe
  2⤵
  - Executes dropped EXE
  PID:1160
- C:\Windows\System\ReIQHSF.exe
  C:\Windows\System\ReIQHSF.exe
  2⤵
  - Executes dropped EXE
  PID:5112
- C:\Windows\System\LhxrohS.exe
  C:\Windows\System\LhxrohS.exe
  2⤵
  - Executes dropped EXE
  PID:456
- C:\Windows\System\XPtRZRd.exe
  C:\Windows\System\XPtRZRd.exe
  2⤵
  - Executes dropped EXE
  PID:1668
- C:\Windows\System\sqFnJdj.exe
  C:\Windows\System\sqFnJdj.exe
  2⤵
  - Executes dropped EXE
  PID:1792
- C:\Windows\System\YYSFkAq.exe
  C:\Windows\System\YYSFkAq.exe
  2⤵
  - Executes dropped EXE
  PID:1416
- C:\Windows\System\euKoUnh.exe
  C:\Windows\System\euKoUnh.exe
  2⤵
  - Executes dropped EXE
  PID:3376
- C:\Windows\System\JfVGhkl.exe
  C:\Windows\System\JfVGhkl.exe
  2⤵
  - Executes dropped EXE
  PID:1580
- C:\Windows\System\cHkCQrr.exe
  C:\Windows\System\cHkCQrr.exe
  2⤵
  - Executes dropped EXE
  PID:3532
- C:\Windows\System\EajpVRl.exe
  C:\Windows\System\EajpVRl.exe
  2⤵
  - Executes dropped EXE
  PID:4088
- C:\Windows\System\lCtyvFU.exe
  C:\Windows\System\lCtyvFU.exe
  2⤵
  - Executes dropped EXE
  PID:1328
- C:\Windows\System\cGPwRzQ.exe
  C:\Windows\System\cGPwRzQ.exe
  2⤵
  - Executes dropped EXE
  PID:2308
- C:\Windows\System\mrPMWqG.exe
  C:\Windows\System\mrPMWqG.exe
  2⤵
  - Executes dropped EXE
  PID:1640
- C:\Windows\System\XgoyvWn.exe
  C:\Windows\System\XgoyvWn.exe
  2⤵
  - Executes dropped EXE
  PID:2096

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\EajpVRl.exe

Filesize
5.2MB

MD5
933e25b1cc151fb60c8aae7e10f6db2a

SHA1
edda8b80901ee497ade3ee03a1503ec560d3bc4c

SHA256
2430db63e45b74cef5e84eb50110219a83639ed1ebdbb1b3a3d520fecdd0bbc6

SHA512
65264c95faaa268d2d72b84d92527a95aa55a488974c9dace0c66289cf7b587c0973537cbe87497a4b85c6bdfc1c8a7264c77da49d45bb4e4c8ad2edbe5f9c93

Download Submit
C:\Windows\System\FGVeJWo.exe

Filesize
5.2MB

MD5
df7e131b499ccd43129597ccf82a96d2

SHA1
95aaf3c41c0f9f4efc40f237317ca8fdc0c1feef

SHA256
415bd10baa7127727f9ed7cdd80bf9da4053cddda42d9c859203cd6eb28769ac

SHA512
b06b32c7a1e334282180a7f642cf5e37eb9ce9fd37263a816298e1d41ba0a07cc7de4dcefa4a7277976bf746b925ea39ed80330c34fdf82881885b2b82f6bbab

Download Submit
C:\Windows\System\GQoMkXG.exe

Filesize
5.2MB

MD5
8f2e32eb871f578374694d8dc852bd5e

SHA1
cc8c906ff4164c9da4931bd145ff44a3f5e23a6e

SHA256
99baac049178f67e831c99a7c2c97b58315e18f508af9bf55d093758d93d1a42

SHA512
81b471c07e1fbdfb2ff4115b32a22b012e5935ed28ca69582f4fa0ca0a4b23e4e36680270c944baca1f3cb613328ff468a967c9114f95c13b1ab966a930fca09

Download Submit
C:\Windows\System\HuCfkFb.exe

Filesize
5.2MB

MD5
a039d05dbb1d67e516598cf2c5585164

SHA1
3177bfcc1789641743c05539520ccf2296f09ee7

SHA256
7c390e68c8dbd29425ebe90b38864a5f2a414740db4b4497d8a26f911a4c2ab9

SHA512
73d550958e70adf6bcf1c48364991dd993bdbbd0d95efb5dcd9ef8f8310e3ef6acd54bfbe36329d28a976924fd0922d9998462244409414b4fca83885ca25430

Download Submit
C:\Windows\System\IlnrkKb.exe

Filesize
5.2MB

MD5
f34e6f4ac1894ec0fbbcf2f873be76db

SHA1
879168b38dc2685dd1978e2bbc358a275f40f84e

SHA256
5281a72df3984e71991148215aee7d0dedd4566dcaa50b5dd731c827ad40139b

SHA512
25872093776601705f987516a075b2ab3acf31d34e1027a463782d6c5c8ea553413a26c0b6cff3ad0043c17c7f85e098380d8abbb4a283fa45a9c71a3edb9789

Download Submit
C:\Windows\System\JfVGhkl.exe

Filesize
5.2MB

MD5
d320edd705f27b687352bffa30d41400

SHA1
a5584875d7f08add430aa60a7fdc4b7e27081e5f

SHA256
576bcd60b15f0ec011f9ba2369cad7c1f83fa58c018abd8810054ea29862a5c4

SHA512
75226d87a571c240150f7cd4980e9b1751a39dfae741c9a1406071fc1df8e98a42a7b4b19e46c20608263d80a6d904c16de95e531ad1852daf14d271a6fa6f26

Download Submit
C:\Windows\System\LhxrohS.exe

Filesize
5.2MB

MD5
d775a694eea98b10b1c56ad9f6f4d2fc

SHA1
c5083d07c2dc76789afb015c74ac3d70ae849796

SHA256
c7556bb74431bad3e12cf648103bce5941c79e8a640185469643998c7e032385

SHA512
2673ebf62d27ee7127de4c16494d652aaea33d3c84f397dd0a75c2dbdeef8b83a1419904e497a8416b0cbfdaa473f1efb10017b41432ba75a9333ff22337e47e

Download Submit
C:\Windows\System\OlgkoGT.exe

Filesize
5.2MB

MD5
0367617e32fc2a6c015c2bcbb194576a

SHA1
abb58e7b24fdc7c9eb3fb5ff553ebf5db6b4f8ba

SHA256
5c7c69490d5d2d681427cf419ffaae53f1dbc4d3c877c657b218d4d3415ae236

SHA512
5ba6c1e8c9544f1e2b1807ed217b7d425f7d3cc8689c46a8b4f4921921c5e41055ba674b7e38f39b3eb43a4d05c0cbb34561ab476bd9c4083a94e0d156866d24

Download Submit
C:\Windows\System\ReIQHSF.exe

Filesize
5.2MB

MD5
d11f91c847e99668c659916d7f59c24c

SHA1
577be8a53666249ca5897fdea8c4a99f22da7bdf

SHA256
90d3c00d70df13009352cebf0ef81720f9f1e2e2f83d318aed31e4d866f539f1

SHA512
d9c4c97abad9e5e8cfc7ba3c19aba37dc0b9d96acd0b9f4964161d9d4ce6dcc3aa2148e0f3eec032833183d04321d9f9169e56ec25d4abfd4ec17ce259a691e2

Download Submit
C:\Windows\System\XPtRZRd.exe

Filesize
5.2MB

MD5
4be966f3f021325c05d0e61e80d9730b

SHA1
ad7074a0db299ac4e50766372e373324ddc06c90

SHA256
025f11a77865e35e2f2a4f283fe11600f3808821a1cbc4a285a604b7f79a1d50

SHA512
a1b3fb929aae747fc95fb7fe6e5b760a97f09da91a11ac149dc070421cc52e7090548636ed5ae88e45850b97561abfe78cd32a91844d6310fb32011f5c928759

Download Submit
C:\Windows\System\XgoyvWn.exe

Filesize
5.2MB

MD5
d92228b5217255192c475098fdb98c78

SHA1
c1f8173b85cbee16723c4ab5d2946895935cd03e

SHA256
03f6a21bc90b381984d5d72939ef1dee81638b4deabd2e001593f5c88294399d

SHA512
beee59dd3d2467faeea5f65a58ab9be43fc90fe81dc8823336e5283bf2e3c04b19604edd29e06951bdde03d620f44b6e1a8620719579eb3bd2568648c93f5e16

Download Submit
C:\Windows\System\YYSFkAq.exe

Filesize
5.2MB

MD5
7f3afe266f9a1bc7af31a4da952430e8

SHA1
acf1060ecc8b86e591e8d9cccf3cd51aa7c849a6

SHA256
6063609dbe2708e0901842276cb612cfbd21afe5f7f884f1f1384be3a4488a01

SHA512
c4366e2dfe12d03cb1b3d134197ff4f4ea7534f504112f641565ee3af77aa677c7636117d6fc71e3938eabb29814b6ccf0686c0ff04f693f14c6d1fecd992550

Download Submit
C:\Windows\System\cGPwRzQ.exe

Filesize
5.2MB

MD5
b25ff83282ccb335aad8ebd226a2d27e

SHA1
c570c0f470774c991ba52d29acc1762a15a7c7d9

SHA256
3a7af4d10640c1203d4fe67eef7b7d5dbc5529089e8f95bba7d7ca6ed3a6e32d

SHA512
9253a6523b0a61a05a2f6a0dc35a430c7aab9aa7650b02c414ffd511669d8870fd75ab9ac7394c66c30b8bf3595d9950539efed58a418eba58c819534f771553

Download Submit
C:\Windows\System\cHkCQrr.exe

Filesize
5.2MB

MD5
4140f2dfc4d2005f9e063c96fa7920d6

SHA1
9a3a1cde6e279fa7b047b6726bea5cdec196cf86

SHA256
e1edd3fe4c96dbf16a303dfead1f0ef625153ba25f9164e2f6ab7f2ea1b6d384

SHA512
9f7ff08b8a5210e51f98358d83bff6a6e362745a2b22453d00b60c39d120059be6b782f9a00e2f6b3c24f4ccec8252818c5cb13f33cfc999ddf6e948a030d296

Download Submit
C:\Windows\System\dqIsTrh.exe

Filesize
5.2MB

MD5
d2371d7e0b89d3dd261a394c00240b47

SHA1
bd0cf702a3ae59ab342a207aaed0527fa1c3429d

SHA256
c27e787e82b57f2c76c7eacb3b21dea369ad4d15f598c4cd3fa5ab0afd4811bc

SHA512
b6a3f18755a83fe4a5f0db48f171c68939b1ff03a4310823d5b826f50e23d0b236ed661d63d4b367bdbf67e31ed50cbe4b27510c86678eae14f899ac81f7b8f5

Download Submit
C:\Windows\System\euKoUnh.exe

Filesize
5.2MB

MD5
9805dd268645d9de39b88dc36245c579

SHA1
3d77328bc34a0337cd3436e9452040cc7e3bd129

SHA256
b0eefda998e7fb0818b1366cc7a5dee97a64de80ad845abe985a797f7ae6580d

SHA512
2b23d620a5b641be2bbc2e6fb29566e66d18df3eec832c7b753d7f0f58b48176c25b6d242381eab777c589257720f358e0c7203bb7fd7c882a13c85576a24d22

Download Submit
C:\Windows\System\lCtyvFU.exe

Filesize
5.2MB

MD5
318690abc9d55b05b2522f6885d70bac

SHA1
8d731c8c689911a746758925efccc08767048ddc

SHA256
63f453c356b1339b8703f0f5dbf77cadae3f0e7bee2e2128d77d4fb837901dcb

SHA512
f69bc60fd840f20980c0d113e8baaa49eed5ac5d6145032c3219d053f099e2142a6423d14f109517af88452d6fbad2311a3c746670fcbb4b35950719d3d94ab1

Download Submit
C:\Windows\System\mrPMWqG.exe

Filesize
5.2MB

MD5
320eebf22023379a111ebf065e53b9b5

SHA1
eae70d116231186179f95f8a30b1cbe9a1ee15a0

SHA256
b6481ea6805407f4f8be7229311f1ef0b2c7e901b673b8fb9f3108470a65f862

SHA512
1cf779b7822d921026edcd6f71f0296ff1a25e7a7b8c41c5a3006f40f97b9a2a0d5bb28b8eea002b4e5de182e0b310d5887819cbed4a6d5c7d9fd3f8accf1f8d

Download Submit
C:\Windows\System\sfFXsJJ.exe

Filesize
5.2MB

MD5
4d5578f5ab05029ebdcba3ef888eb986

SHA1
2e8949155e944278df9553a36477e835ade8d86c

SHA256
e13cc50770513fcb2d89d3978c90636572a522940177321c3b6a191fb9f5a2fc

SHA512
da59fc3c374b0563c93043b743771fc854d768564dca8826410648e0baba6fa87c32ec6d87842011f23f4da37a309ba70e8c62796e0c72c4b65f84372682f6a7

Download Submit
C:\Windows\System\snHwFiy.exe

Filesize
5.2MB

MD5
e9cf5a0eab997054c47afc9fb96910fa

SHA1
9cd30f8d41719a55ca6d63169d88b4f5147520ab

SHA256
a55d391584bd55768a17ec110b42e3deaa55d9084a23cb1c28a687ca85d4009a

SHA512
544ed15f7c327e6f9b1680db2024da28909f57b0d295a03f5fa4496dbfa6415c9b2a0ed19a7305d93cf0e085d61c68f55bafd6328f9bc13e6924f2ff616e49ea

Download Submit
C:\Windows\System\sqFnJdj.exe

Filesize
5.2MB

MD5
4e94589eb09d94cd9aee3bf7bd6632f0

SHA1
adb0cdd1b63c3658630542ebc69e9ad21d480c11

SHA256
7b3868c93ea1e59dfbce79a8e55f66e94b0ca6a04d7f4082c47e4c219ef86088

SHA512
fe9ff5070fe903913ba53b9fe822bc66f1789fc9cbd10fb4cc1750b0fa9ed60e3368d1ea325afc099e06ca8969cbca617aa67a90077169092d045de3b3d44600

Download Submit
memory/456-123-0x00007FF6F20A0000-0x00007FF6F23F1000-memory.dmp

Filesize
3.3MB

Download
memory/456-61-0x00007FF6F20A0000-0x00007FF6F23F1000-memory.dmp

Filesize
3.3MB

Download
memory/456-237-0x00007FF6F20A0000-0x00007FF6F23F1000-memory.dmp

Filesize
3.3MB

Download
memory/1160-240-0x00007FF7B5880000-0x00007FF7B5BD1000-memory.dmp

Filesize
3.3MB

Download
memory/1160-115-0x00007FF7B5880000-0x00007FF7B5BD1000-memory.dmp

Filesize
3.3MB

Download
memory/1160-51-0x00007FF7B5880000-0x00007FF7B5BD1000-memory.dmp

Filesize
3.3MB

Download
memory/1216-92-0x00007FF761560000-0x00007FF7618B1000-memory.dmp

Filesize
3.3MB

Download
memory/1216-235-0x00007FF761560000-0x00007FF7618B1000-memory.dmp

Filesize
3.3MB

Download
memory/1216-45-0x00007FF761560000-0x00007FF7618B1000-memory.dmp

Filesize
3.3MB

Download
memory/1328-160-0x00007FF76B9B0000-0x00007FF76BD01000-memory.dmp

Filesize
3.3MB

Download
memory/1328-117-0x00007FF76B9B0000-0x00007FF76BD01000-memory.dmp

Filesize
3.3MB

Download
memory/1328-270-0x00007FF76B9B0000-0x00007FF76BD01000-memory.dmp

Filesize
3.3MB

Download
memory/1416-151-0x00007FF62E5B0000-0x00007FF62E901000-memory.dmp

Filesize
3.3MB

Download
memory/1416-257-0x00007FF62E5B0000-0x00007FF62E901000-memory.dmp

Filesize
3.3MB

Download
memory/1416-83-0x00007FF62E5B0000-0x00007FF62E901000-memory.dmp

Filesize
3.3MB

Download
memory/1580-153-0x00007FF7D1460000-0x00007FF7D17B1000-memory.dmp

Filesize
3.3MB

Download
memory/1580-98-0x00007FF7D1460000-0x00007FF7D17B1000-memory.dmp

Filesize
3.3MB

Download
memory/1580-261-0x00007FF7D1460000-0x00007FF7D17B1000-memory.dmp

Filesize
3.3MB

Download
memory/1640-273-0x00007FF60C1D0000-0x00007FF60C521000-memory.dmp

Filesize
3.3MB

Download
memory/1640-164-0x00007FF60C1D0000-0x00007FF60C521000-memory.dmp

Filesize
3.3MB

Download
memory/1640-131-0x00007FF60C1D0000-0x00007FF60C521000-memory.dmp

Filesize
3.3MB

Download
memory/1668-73-0x00007FF78AC80000-0x00007FF78AFD1000-memory.dmp

Filesize
3.3MB

Download
memory/1668-253-0x00007FF78AC80000-0x00007FF78AFD1000-memory.dmp

Filesize
3.3MB

Download
memory/1792-150-0x00007FF7EBBC0000-0x00007FF7EBF11000-memory.dmp

Filesize
3.3MB

Download
memory/1792-255-0x00007FF7EBBC0000-0x00007FF7EBF11000-memory.dmp

Filesize
3.3MB

Download
memory/1792-76-0x00007FF7EBBC0000-0x00007FF7EBF11000-memory.dmp

Filesize
3.3MB

Download
memory/2084-26-0x00007FF706EE0000-0x00007FF707231000-memory.dmp

Filesize
3.3MB

Download
memory/2084-229-0x00007FF706EE0000-0x00007FF707231000-memory.dmp

Filesize
3.3MB

Download
memory/2084-82-0x00007FF706EE0000-0x00007FF707231000-memory.dmp

Filesize
3.3MB

Download
memory/2096-165-0x00007FF6B1E20000-0x00007FF6B2171000-memory.dmp

Filesize
3.3MB

Download
memory/2096-272-0x00007FF6B1E20000-0x00007FF6B2171000-memory.dmp

Filesize
3.3MB

Download
memory/2096-135-0x00007FF6B1E20000-0x00007FF6B2171000-memory.dmp

Filesize
3.3MB

Download
memory/2172-12-0x00007FF6FFC30000-0x00007FF6FFF81000-memory.dmp

Filesize
3.3MB

Download
memory/2172-60-0x00007FF6FFC30000-0x00007FF6FFF81000-memory.dmp

Filesize
3.3MB

Download
memory/2172-215-0x00007FF6FFC30000-0x00007FF6FFF81000-memory.dmp

Filesize
3.3MB

Download
memory/2232-138-0x00007FF769C70000-0x00007FF769FC1000-memory.dmp

Filesize
3.3MB

Download
memory/2232-59-0x00007FF769C70000-0x00007FF769FC1000-memory.dmp

Filesize
3.3MB

Download
memory/2232-0-0x00007FF769C70000-0x00007FF769FC1000-memory.dmp

Filesize
3.3MB

Download
memory/2232-1-0x0000016E8B960000-0x0000016E8B970000-memory.dmp

Filesize
64KB

Download
memory/2232-166-0x00007FF769C70000-0x00007FF769FC1000-memory.dmp

Filesize
3.3MB

Download
memory/2308-268-0x00007FF62DDB0000-0x00007FF62E101000-memory.dmp

Filesize
3.3MB

Download
memory/2308-124-0x00007FF62DDB0000-0x00007FF62E101000-memory.dmp

Filesize
3.3MB

Download
memory/2308-163-0x00007FF62DDB0000-0x00007FF62E101000-memory.dmp

Filesize
3.3MB

Download
memory/2840-46-0x00007FF6A46B0000-0x00007FF6A4A01000-memory.dmp

Filesize
3.3MB

Download
memory/2840-234-0x00007FF6A46B0000-0x00007FF6A4A01000-memory.dmp

Filesize
3.3MB

Download
memory/3376-152-0x00007FF7ED180000-0x00007FF7ED4D1000-memory.dmp

Filesize
3.3MB

Download
memory/3376-259-0x00007FF7ED180000-0x00007FF7ED4D1000-memory.dmp

Filesize
3.3MB

Download
memory/3376-96-0x00007FF7ED180000-0x00007FF7ED4D1000-memory.dmp

Filesize
3.3MB

Download
memory/3532-161-0x00007FF6AEE90000-0x00007FF6AF1E1000-memory.dmp

Filesize
3.3MB

Download
memory/3532-263-0x00007FF6AEE90000-0x00007FF6AF1E1000-memory.dmp

Filesize
3.3MB

Download
memory/3532-104-0x00007FF6AEE90000-0x00007FF6AF1E1000-memory.dmp

Filesize
3.3MB

Download
memory/4088-111-0x00007FF7CA7E0000-0x00007FF7CAB31000-memory.dmp

Filesize
3.3MB

Download
memory/4088-265-0x00007FF7CA7E0000-0x00007FF7CAB31000-memory.dmp

Filesize
3.3MB

Download
memory/4088-162-0x00007FF7CA7E0000-0x00007FF7CAB31000-memory.dmp

Filesize
3.3MB

Download
memory/4292-231-0x00007FF654F70000-0x00007FF6552C1000-memory.dmp

Filesize
3.3MB

Download
memory/4292-33-0x00007FF654F70000-0x00007FF6552C1000-memory.dmp

Filesize
3.3MB

Download
memory/4292-91-0x00007FF654F70000-0x00007FF6552C1000-memory.dmp

Filesize
3.3MB

Download
memory/4424-19-0x00007FF72EDA0000-0x00007FF72F0F1000-memory.dmp

Filesize
3.3MB

Download
memory/4424-227-0x00007FF72EDA0000-0x00007FF72F0F1000-memory.dmp

Filesize
3.3MB

Download
memory/4424-75-0x00007FF72EDA0000-0x00007FF72F0F1000-memory.dmp

Filesize
3.3MB

Download
memory/4520-14-0x00007FF789500000-0x00007FF789851000-memory.dmp

Filesize
3.3MB

Download
memory/4520-65-0x00007FF789500000-0x00007FF789851000-memory.dmp

Filesize
3.3MB

Download
memory/4520-217-0x00007FF789500000-0x00007FF789851000-memory.dmp

Filesize
3.3MB

Download
memory/5112-241-0x00007FF7C5A00000-0x00007FF7C5D51000-memory.dmp

Filesize
3.3MB

Download
memory/5112-53-0x00007FF7C5A00000-0x00007FF7C5D51000-memory.dmp

Filesize
3.3MB

Download
memory/5112-116-0x00007FF7C5A00000-0x00007FF7C5D51000-memory.dmp

Filesize
3.3MB

Download