cobaltstrike | 5ad056eec7cd77089a95f73a6a2cdfbaae92241907a995cd776d06498a9178f3

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 05:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

04fbbd1877a49fcce7ace3cbafa9b7d2
SHA1

6360ebc9dbf194c2fd4bb30e179fef0e0b849b8a
SHA256

5ad056eec7cd77089a95f73a6a2cdfbaae92241907a995cd776d06498a9178f3
SHA512

a083da61f73bf95a100f075a8dfc69778849451fea795878f2d7d79f1314cb26ac3aef8a521df34386267fb9550f0e052ba848f48e995dc0202c62c7086855d3
SSDEEP

49152:ROdWCCi7/raN56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lL:RWWBib+56utgpPFotBER/mQ32lU3

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000d000000023b8e-4.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b97-10.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b96-11.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b99-22.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9c-37.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9a-43.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9d-59.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9e-63.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9f-66.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9b-42.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b98-30.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba0-70.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba1-85.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b93-78.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba2-89.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba5-100.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba6-104.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba7-122.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba9-127.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba8-125.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba4-99.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 46 IoCs

miner

resource	yara_rule
behavioral2/memory/1284-68-0x00007FF622CE0000-0x00007FF623031000-memory.dmp	xmrig
behavioral2/memory/1136-65-0x00007FF712FB0000-0x00007FF713301000-memory.dmp	xmrig
behavioral2/memory/3848-58-0x00007FF769B70000-0x00007FF769EC1000-memory.dmp	xmrig
behavioral2/memory/32-51-0x00007FF634DB0000-0x00007FF635101000-memory.dmp	xmrig
behavioral2/memory/4656-48-0x00007FF790EB0000-0x00007FF791201000-memory.dmp	xmrig
behavioral2/memory/1092-74-0x00007FF662370000-0x00007FF6626C1000-memory.dmp	xmrig
behavioral2/memory/4916-80-0x00007FF67DC80000-0x00007FF67DFD1000-memory.dmp	xmrig
behavioral2/memory/2872-120-0x00007FF736A80000-0x00007FF736DD1000-memory.dmp	xmrig
behavioral2/memory/700-114-0x00007FF73BE10000-0x00007FF73C161000-memory.dmp	xmrig
behavioral2/memory/4564-113-0x00007FF6F04B0000-0x00007FF6F0801000-memory.dmp	xmrig
behavioral2/memory/2368-106-0x00007FF65C580000-0x00007FF65C8D1000-memory.dmp	xmrig
behavioral2/memory/64-105-0x00007FF724980000-0x00007FF724CD1000-memory.dmp	xmrig
behavioral2/memory/4376-98-0x00007FF75F1E0000-0x00007FF75F531000-memory.dmp	xmrig
behavioral2/memory/4376-130-0x00007FF75F1E0000-0x00007FF75F531000-memory.dmp	xmrig
behavioral2/memory/744-139-0x00007FF6873D0000-0x00007FF687721000-memory.dmp	xmrig
behavioral2/memory/960-140-0x00007FF725B50000-0x00007FF725EA1000-memory.dmp	xmrig
behavioral2/memory/1256-145-0x00007FF7A2950000-0x00007FF7A2CA1000-memory.dmp	xmrig
behavioral2/memory/4532-144-0x00007FF785C60000-0x00007FF785FB1000-memory.dmp	xmrig
behavioral2/memory/2164-142-0x00007FF688860000-0x00007FF688BB1000-memory.dmp	xmrig
behavioral2/memory/4916-147-0x00007FF67DC80000-0x00007FF67DFD1000-memory.dmp	xmrig
behavioral2/memory/3956-148-0x00007FF6C0260000-0x00007FF6C05B1000-memory.dmp	xmrig
behavioral2/memory/220-149-0x00007FF73A600000-0x00007FF73A951000-memory.dmp	xmrig
behavioral2/memory/392-150-0x00007FF6CE510000-0x00007FF6CE861000-memory.dmp	xmrig
behavioral2/memory/1152-156-0x00007FF7B0520000-0x00007FF7B0871000-memory.dmp	xmrig
behavioral2/memory/4376-160-0x00007FF75F1E0000-0x00007FF75F531000-memory.dmp	xmrig
behavioral2/memory/64-218-0x00007FF724980000-0x00007FF724CD1000-memory.dmp	xmrig
behavioral2/memory/2368-220-0x00007FF65C580000-0x00007FF65C8D1000-memory.dmp	xmrig
behavioral2/memory/4656-222-0x00007FF790EB0000-0x00007FF791201000-memory.dmp	xmrig
behavioral2/memory/2872-224-0x00007FF736A80000-0x00007FF736DD1000-memory.dmp	xmrig
behavioral2/memory/4564-229-0x00007FF6F04B0000-0x00007FF6F0801000-memory.dmp	xmrig
behavioral2/memory/1136-232-0x00007FF712FB0000-0x00007FF713301000-memory.dmp	xmrig
behavioral2/memory/744-234-0x00007FF6873D0000-0x00007FF687721000-memory.dmp	xmrig
behavioral2/memory/32-230-0x00007FF634DB0000-0x00007FF635101000-memory.dmp	xmrig
behavioral2/memory/3848-227-0x00007FF769B70000-0x00007FF769EC1000-memory.dmp	xmrig
behavioral2/memory/4532-238-0x00007FF785C60000-0x00007FF785FB1000-memory.dmp	xmrig
behavioral2/memory/1284-237-0x00007FF622CE0000-0x00007FF623031000-memory.dmp	xmrig
behavioral2/memory/1092-243-0x00007FF662370000-0x00007FF6626C1000-memory.dmp	xmrig
behavioral2/memory/4916-246-0x00007FF67DC80000-0x00007FF67DFD1000-memory.dmp	xmrig
behavioral2/memory/3956-247-0x00007FF6C0260000-0x00007FF6C05B1000-memory.dmp	xmrig
behavioral2/memory/220-255-0x00007FF73A600000-0x00007FF73A951000-memory.dmp	xmrig
behavioral2/memory/392-257-0x00007FF6CE510000-0x00007FF6CE861000-memory.dmp	xmrig
behavioral2/memory/700-259-0x00007FF73BE10000-0x00007FF73C161000-memory.dmp	xmrig
behavioral2/memory/1152-263-0x00007FF7B0520000-0x00007FF7B0871000-memory.dmp	xmrig
behavioral2/memory/960-262-0x00007FF725B50000-0x00007FF725EA1000-memory.dmp	xmrig
behavioral2/memory/2164-265-0x00007FF688860000-0x00007FF688BB1000-memory.dmp	xmrig
behavioral2/memory/1256-267-0x00007FF7A2950000-0x00007FF7A2CA1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
64	IlzcWVt.exe
2368	aoJssng.exe
4656	CxqCPoh.exe
2872	dWbrdXv.exe
4564	gzTYCMn.exe
32	uTrzCKX.exe
1136	bFUYHuG.exe
3848	sRofOwF.exe
744	KlWztgN.exe
1284	jFSbVXW.exe
4532	oidKuVB.exe
1092	eiuPMLr.exe
4916	ybXkyOZ.exe
3956	NxynOLh.exe
220	PaPVUDT.exe
392	iVOknCk.exe
700	VJGnkCN.exe
1152	vKbcLRT.exe
960	zVRCrFQ.exe
2164	gXxjRjs.exe
1256	dmYtAgE.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4376-0-0x00007FF75F1E0000-0x00007FF75F531000-memory.dmp	upx
behavioral2/files/0x000d000000023b8e-4.dat	upx
behavioral2/files/0x000a000000023b97-10.dat	upx
behavioral2/files/0x000a000000023b96-11.dat	upx
behavioral2/files/0x000a000000023b99-22.dat	upx
behavioral2/files/0x000a000000023b9c-37.dat	upx
behavioral2/files/0x000a000000023b9a-43.dat	upx
behavioral2/files/0x000a000000023b9d-59.dat	upx
behavioral2/files/0x000a000000023b9e-63.dat	upx
behavioral2/files/0x000a000000023b9f-66.dat	upx
behavioral2/memory/1284-68-0x00007FF622CE0000-0x00007FF623031000-memory.dmp	upx
behavioral2/memory/1136-65-0x00007FF712FB0000-0x00007FF713301000-memory.dmp	upx
behavioral2/memory/4532-62-0x00007FF785C60000-0x00007FF785FB1000-memory.dmp	upx
behavioral2/memory/744-61-0x00007FF6873D0000-0x00007FF687721000-memory.dmp	upx
behavioral2/memory/3848-58-0x00007FF769B70000-0x00007FF769EC1000-memory.dmp	upx
behavioral2/memory/32-51-0x00007FF634DB0000-0x00007FF635101000-memory.dmp	upx
behavioral2/memory/4656-48-0x00007FF790EB0000-0x00007FF791201000-memory.dmp	upx
behavioral2/files/0x000a000000023b9b-42.dat	upx
behavioral2/memory/4564-34-0x00007FF6F04B0000-0x00007FF6F0801000-memory.dmp	upx
behavioral2/files/0x000a000000023b98-30.dat	upx
behavioral2/memory/2872-25-0x00007FF736A80000-0x00007FF736DD1000-memory.dmp	upx
behavioral2/memory/2368-20-0x00007FF65C580000-0x00007FF65C8D1000-memory.dmp	upx
behavioral2/memory/64-8-0x00007FF724980000-0x00007FF724CD1000-memory.dmp	upx
behavioral2/files/0x000a000000023ba0-70.dat	upx
behavioral2/memory/1092-74-0x00007FF662370000-0x00007FF6626C1000-memory.dmp	upx
behavioral2/memory/4916-80-0x00007FF67DC80000-0x00007FF67DFD1000-memory.dmp	upx
behavioral2/memory/3956-84-0x00007FF6C0260000-0x00007FF6C05B1000-memory.dmp	upx
behavioral2/files/0x000a000000023ba1-85.dat	upx
behavioral2/files/0x000b000000023b93-78.dat	upx
behavioral2/files/0x000a000000023ba2-89.dat	upx
behavioral2/files/0x000a000000023ba5-100.dat	upx
behavioral2/files/0x000a000000023ba6-104.dat	upx
behavioral2/files/0x000a000000023ba7-122.dat	upx
behavioral2/files/0x000a000000023ba9-127.dat	upx
behavioral2/files/0x000a000000023ba8-125.dat	upx
behavioral2/memory/2872-120-0x00007FF736A80000-0x00007FF736DD1000-memory.dmp	upx
behavioral2/memory/1152-119-0x00007FF7B0520000-0x00007FF7B0871000-memory.dmp	upx
behavioral2/memory/700-114-0x00007FF73BE10000-0x00007FF73C161000-memory.dmp	upx
behavioral2/memory/4564-113-0x00007FF6F04B0000-0x00007FF6F0801000-memory.dmp	upx
behavioral2/memory/2368-106-0x00007FF65C580000-0x00007FF65C8D1000-memory.dmp	upx
behavioral2/memory/64-105-0x00007FF724980000-0x00007FF724CD1000-memory.dmp	upx
behavioral2/memory/392-102-0x00007FF6CE510000-0x00007FF6CE861000-memory.dmp	upx
behavioral2/files/0x000a000000023ba4-99.dat	upx
behavioral2/memory/4376-98-0x00007FF75F1E0000-0x00007FF75F531000-memory.dmp	upx
behavioral2/memory/220-94-0x00007FF73A600000-0x00007FF73A951000-memory.dmp	upx
behavioral2/memory/4376-130-0x00007FF75F1E0000-0x00007FF75F531000-memory.dmp	upx
behavioral2/memory/744-139-0x00007FF6873D0000-0x00007FF687721000-memory.dmp	upx
behavioral2/memory/960-140-0x00007FF725B50000-0x00007FF725EA1000-memory.dmp	upx
behavioral2/memory/1256-145-0x00007FF7A2950000-0x00007FF7A2CA1000-memory.dmp	upx
behavioral2/memory/4532-144-0x00007FF785C60000-0x00007FF785FB1000-memory.dmp	upx
behavioral2/memory/2164-142-0x00007FF688860000-0x00007FF688BB1000-memory.dmp	upx
behavioral2/memory/4916-147-0x00007FF67DC80000-0x00007FF67DFD1000-memory.dmp	upx
behavioral2/memory/3956-148-0x00007FF6C0260000-0x00007FF6C05B1000-memory.dmp	upx
behavioral2/memory/220-149-0x00007FF73A600000-0x00007FF73A951000-memory.dmp	upx
behavioral2/memory/392-150-0x00007FF6CE510000-0x00007FF6CE861000-memory.dmp	upx
behavioral2/memory/1152-156-0x00007FF7B0520000-0x00007FF7B0871000-memory.dmp	upx
behavioral2/memory/4376-160-0x00007FF75F1E0000-0x00007FF75F531000-memory.dmp	upx
behavioral2/memory/64-218-0x00007FF724980000-0x00007FF724CD1000-memory.dmp	upx
behavioral2/memory/2368-220-0x00007FF65C580000-0x00007FF65C8D1000-memory.dmp	upx
behavioral2/memory/4656-222-0x00007FF790EB0000-0x00007FF791201000-memory.dmp	upx
behavioral2/memory/2872-224-0x00007FF736A80000-0x00007FF736DD1000-memory.dmp	upx
behavioral2/memory/4564-229-0x00007FF6F04B0000-0x00007FF6F0801000-memory.dmp	upx
behavioral2/memory/1136-232-0x00007FF712FB0000-0x00007FF713301000-memory.dmp	upx
behavioral2/memory/744-234-0x00007FF6873D0000-0x00007FF687721000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\IlzcWVt.exe	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uTrzCKX.exe	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jFSbVXW.exe	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ybXkyOZ.exe	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zVRCrFQ.exe	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gzTYCMn.exe	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eiuPMLr.exe	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PaPVUDT.exe	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vKbcLRT.exe	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dmYtAgE.exe	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aoJssng.exe	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dWbrdXv.exe	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sRofOwF.exe	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oidKuVB.exe	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NxynOLh.exe	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CxqCPoh.exe	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bFUYHuG.exe	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KlWztgN.exe	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iVOknCk.exe	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VJGnkCN.exe	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gXxjRjs.exe	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4376	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4376	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4376 wrote to memory of 64	4376	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 4376 wrote to memory of 64	4376	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 4376 wrote to memory of 2368	4376	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4376 wrote to memory of 2368	4376	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4376 wrote to memory of 4656	4376	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4376 wrote to memory of 4656	4376	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4376 wrote to memory of 2872	4376	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4376 wrote to memory of 2872	4376	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4376 wrote to memory of 4564	4376	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4376 wrote to memory of 4564	4376	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4376 wrote to memory of 32	4376	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4376 wrote to memory of 32	4376	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4376 wrote to memory of 3848	4376	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4376 wrote to memory of 3848	4376	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4376 wrote to memory of 1136	4376	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4376 wrote to memory of 1136	4376	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4376 wrote to memory of 744	4376	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4376 wrote to memory of 744	4376	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4376 wrote to memory of 1284	4376	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4376 wrote to memory of 1284	4376	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4376 wrote to memory of 4532	4376	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4376 wrote to memory of 4532	4376	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4376 wrote to memory of 1092	4376	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4376 wrote to memory of 1092	4376	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4376 wrote to memory of 4916	4376	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4376 wrote to memory of 4916	4376	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4376 wrote to memory of 3956	4376	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4376 wrote to memory of 3956	4376	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4376 wrote to memory of 220	4376	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4376 wrote to memory of 220	4376	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4376 wrote to memory of 392	4376	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4376 wrote to memory of 392	4376	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4376 wrote to memory of 700	4376	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4376 wrote to memory of 700	4376	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4376 wrote to memory of 1152	4376	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4376 wrote to memory of 1152	4376	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4376 wrote to memory of 960	4376	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4376 wrote to memory of 960	4376	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4376 wrote to memory of 2164	4376	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4376 wrote to memory of 2164	4376	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4376 wrote to memory of 1256	4376	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4376 wrote to memory of 1256	4376	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe	103

C:\Users\Admin\AppData\Local\Temp\2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4376
- C:\Windows\System\IlzcWVt.exe
  C:\Windows\System\IlzcWVt.exe
  2⤵
  - Executes dropped EXE
  PID:64
- C:\Windows\System\aoJssng.exe
  C:\Windows\System\aoJssng.exe
  2⤵
  - Executes dropped EXE
  PID:2368
- C:\Windows\System\CxqCPoh.exe
  C:\Windows\System\CxqCPoh.exe
  2⤵
  - Executes dropped EXE
  PID:4656
- C:\Windows\System\dWbrdXv.exe
  C:\Windows\System\dWbrdXv.exe
  2⤵
  - Executes dropped EXE
  PID:2872
- C:\Windows\System\gzTYCMn.exe
  C:\Windows\System\gzTYCMn.exe
  2⤵
  - Executes dropped EXE
  PID:4564
- C:\Windows\System\uTrzCKX.exe
  C:\Windows\System\uTrzCKX.exe
  2⤵
  - Executes dropped EXE
  PID:32
- C:\Windows\System\sRofOwF.exe
  C:\Windows\System\sRofOwF.exe
  2⤵
  - Executes dropped EXE
  PID:3848
- C:\Windows\System\bFUYHuG.exe
  C:\Windows\System\bFUYHuG.exe
  2⤵
  - Executes dropped EXE
  PID:1136
- C:\Windows\System\KlWztgN.exe
  C:\Windows\System\KlWztgN.exe
  2⤵
  - Executes dropped EXE
  PID:744
- C:\Windows\System\jFSbVXW.exe
  C:\Windows\System\jFSbVXW.exe
  2⤵
  - Executes dropped EXE
  PID:1284
- C:\Windows\System\oidKuVB.exe
  C:\Windows\System\oidKuVB.exe
  2⤵
  - Executes dropped EXE
  PID:4532
- C:\Windows\System\eiuPMLr.exe
  C:\Windows\System\eiuPMLr.exe
  2⤵
  - Executes dropped EXE
  PID:1092
- C:\Windows\System\ybXkyOZ.exe
  C:\Windows\System\ybXkyOZ.exe
  2⤵
  - Executes dropped EXE
  PID:4916
- C:\Windows\System\NxynOLh.exe
  C:\Windows\System\NxynOLh.exe
  2⤵
  - Executes dropped EXE
  PID:3956
- C:\Windows\System\PaPVUDT.exe
  C:\Windows\System\PaPVUDT.exe
  2⤵
  - Executes dropped EXE
  PID:220
- C:\Windows\System\iVOknCk.exe
  C:\Windows\System\iVOknCk.exe
  2⤵
  - Executes dropped EXE
  PID:392
- C:\Windows\System\VJGnkCN.exe
  C:\Windows\System\VJGnkCN.exe
  2⤵
  - Executes dropped EXE
  PID:700
- C:\Windows\System\vKbcLRT.exe
  C:\Windows\System\vKbcLRT.exe
  2⤵
  - Executes dropped EXE
  PID:1152
- C:\Windows\System\zVRCrFQ.exe
  C:\Windows\System\zVRCrFQ.exe
  2⤵
  - Executes dropped EXE
  PID:960
- C:\Windows\System\gXxjRjs.exe
  C:\Windows\System\gXxjRjs.exe
  2⤵
  - Executes dropped EXE
  PID:2164
- C:\Windows\System\dmYtAgE.exe
  C:\Windows\System\dmYtAgE.exe
  2⤵
  - Executes dropped EXE
  PID:1256

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\CxqCPoh.exe

Filesize
5.2MB

MD5
dd16b5b71fe9cb9047305657e9159cee

SHA1
eb88d0df496702a7d824dce63828526fa53f0fec

SHA256
7c0c274f53f6a5a7df1f1d3f1ad80066cf85d5e31d568aaef53e6b1d7422f70c

SHA512
2d0b9f787ddc587798392c4ea134c4e6b19a962ff8373425459e629d2b3abd9a18e2f7fc7df7fa2df8e0c01c5f812234157ae2bc3cb01e3ce6e29b47be3bcfa0

Download Submit
C:\Windows\System\IlzcWVt.exe

Filesize
5.2MB

MD5
879236ca667a3448a9c264868d2bffd8

SHA1
60408310654a6e5f10f1c2635d19216ae49ac844

SHA256
cfea0e2bc83dc2e6a2cd463c264519704a7c6cc8afa9384c1afc835f9da76367

SHA512
1de993cd3b43048d50dffbf685febc7f63d3eee400b484bab3585fa2f91a1f0c1efdf14e90c6c879549a0e529980e1b1a1f71f761b95981eba8fcabaf14178b9

Download Submit
C:\Windows\System\KlWztgN.exe

Filesize
5.2MB

MD5
005499b5a0c3b61582f5fe0b6dec6956

SHA1
64bf92b1f51fa4353538e5bf6fe4fab202900254

SHA256
e4e4bde964933b7cee3e13af9df7052c32a1e25bb9ba81fcb11596251d3fa68c

SHA512
19a2896733e0d18fd32380f0f2faf897030ddffff4560bfae31bf106914103e762159abc915cea6be6ef3e3e2aab0b44add9ddb325bc2305b7d4c43263ce89a8

Download Submit
C:\Windows\System\NxynOLh.exe

Filesize
5.2MB

MD5
09aaac1ff4efe40c4464c1d21b538b06

SHA1
05d3e6ceedfdf5d4fc454d31036ff9e86d6878be

SHA256
0eb86fc25adb26e429681384bdd53c0c281e6f65bc584d0c21ce3d70c264d83a

SHA512
ae9fb35623c7cbd6b1208dc61cd98b70e7db4fee52b048c02a7cfa283b08a7a4d1249df19b4f53a464d7815cc41104492c4366cff1c3744927507dbcd7a0982d

Download Submit
C:\Windows\System\PaPVUDT.exe

Filesize
5.2MB

MD5
a8f7b57ff62086df7f99a18936b2b10e

SHA1
fb58e1aab0c915454caef964f549b030ab97d066

SHA256
a666dc8402c2b4a700a65abdb6584d19f4cb8d95cb32681e6eca81ee88d7bc13

SHA512
660118d87fe3448efd670ec017f7e04139e90c01427aba403c360b58f6dee7a77913c4fe1cf86716e735ecc9325d86ca004a25dbb4891d482995cb78f5f3afe5

Download Submit
C:\Windows\System\VJGnkCN.exe

Filesize
5.2MB

MD5
d9f7942cc7821a5d340971fcd8225311

SHA1
103444ae28445214c27b65353758b70f100e8be5

SHA256
b6e2cf72c558be253f3314a84acc58915f29429cba07b94936e72e946fb3a22e

SHA512
8c7d8462fe7b0f7deb7f05d742be011d0631db5e609d27bf129a8d7cef06bc34a93fc463b2434fae2c17138bcfc8aea5108b9bd1fccf3e86f99876240f123ca7

Download Submit
C:\Windows\System\aoJssng.exe

Filesize
5.2MB

MD5
845479fa4b753de794b79ad017b20d95

SHA1
26d152f104591c247650100563fd94c4feab8d4b

SHA256
13bf9baf3f08ee96522ab78d1e32dc5fd0ebb1fb4b088291a665f091e5aa7161

SHA512
17ce6890f5ec77e7bc3e3d45b342eb46c4f84d9739df04d96ab38ab80819601af01f0f4951513449e41b5824554d914e67699597a3cb7e9b5b38e4edeefba939

Download Submit
C:\Windows\System\bFUYHuG.exe

Filesize
5.2MB

MD5
c6a2cca4489948f803bc3670bd58e286

SHA1
968f12059fc6743db8294b32e72f84d79a377ad8

SHA256
b39c5d9bdac48974ab3b747a624707728e4b7e958a5ea0adf6c0281fa5576cd8

SHA512
bbba585823997b017efa0df813e6ef075b3c8bf76a8998fbb062b0fd7871898e82dcd5cdf179ffc5a0bb86ff22ffa8729ba132f9646cd7c3e29485a17be36717

Download Submit
C:\Windows\System\dWbrdXv.exe

Filesize
5.2MB

MD5
ab2ea4583624ddf176a7e3e498b971ca

SHA1
39b84c938a66f71c5f62e979c0ca958953fa28fb

SHA256
d654d1f17614c659d004b98edd0fb46aa3a00b97a79f8ba830a0fb4bd15f7a9b

SHA512
09197081dbe9cd4d78bd963c392b61169eef91eaaf8df5cb3d46aed2a032c6ee8ef2a21f0bfc32bfe4f011daab7895228d64810ebf73c38739cfa449ee3cdfd5

Download Submit
C:\Windows\System\dmYtAgE.exe

Filesize
5.2MB

MD5
b5035e53b207398599e9210cbc1a68c4

SHA1
186adf16e6158217ddf79cedec6713ef38508311

SHA256
22e0350d2cba676b53fde360299ac7bce850524848d5ad6fecb76202d469bf4e

SHA512
3d242198b617815db20becaef60d0197c0fd6a4c4ef9990f5632cbd1d4588dfcbc6f88a5e10ae168a23f1ba070269b9df16e59b5ec708f33596a4255ba8ec17a

Download Submit
C:\Windows\System\eiuPMLr.exe

Filesize
5.2MB

MD5
04396b4659c2adc6d354c38887b8df7a

SHA1
0461a18122fe4cde4c965b8917ced0d41779d63f

SHA256
655db0d73ce64741ffd113338c9f9e7de86148bb750de9822f1e101c06a2af41

SHA512
f4c6eab72ac295d27b6aefe48392435507042cfeb8b2c03100b16ffac8c0be34e2ee284c0c14934478e8517802e874e16b419aca0b1fe65d1ff12c433660a974

Download Submit
C:\Windows\System\gXxjRjs.exe

Filesize
5.2MB

MD5
ad5eb799f8542c8be9c8409a88d444a3

SHA1
94b7b2cf8e9d2533c1efdd6f037ff9ed2428cb6c

SHA256
4c3cb47b24b23b3fd1d6278dee36d18866edbd121031c1164f973ea1b5234b72

SHA512
d270551e0a94fb9837b974b4e7147f06867fdd48c961e8efb1b6bca54dfeb41adbc5b157543d1dcb72a9d4983a8156e7b3b2a1210d590a714f6625fefc09df3e

Download Submit
C:\Windows\System\gzTYCMn.exe

Filesize
5.2MB

MD5
8b188596cc8307dfb51123f451f9e0f4

SHA1
e69ec38028ecbbccc79e4177db5beb7fe4f10496

SHA256
3e3145f2d7ad3ca7abb6d347fffd7b5805e231f1476ec30e422bdbf8a4400b12

SHA512
d7dd9bdda349c76088ccad580ed3094e700731e13e250d8d77bc19643668234f7ac14c496a3dd7784640861eea44ff8ec18ce715f499231375b4caa8a676768d

Download Submit
C:\Windows\System\iVOknCk.exe

Filesize
5.2MB

MD5
16563520e9fb32d1953254433fd9cea7

SHA1
5ab101f77c58c70e5a2b506a1c31d3edd3bc7a87

SHA256
9960a7156aecd2ee15f811013f39d9aecf49ab0c9eeb4a0a83210ee716cd3df3

SHA512
a294e25793759ba5bb06f4fedcc4111882eb320dc21954274320d0b7780553a52ef0774ec5b46ca3ea81875f6e35ebfc9ae442b79331757e3fadfeb1bc8f3555

Download Submit
C:\Windows\System\jFSbVXW.exe

Filesize
5.2MB

MD5
9cfc1fec5509e7cf492d0051c44e5da9

SHA1
0d76048b75c0ad4b6298ffabca5d76f9555617ac

SHA256
7cc5b5439fc0997c414db7460dd222bc0f536d69fca9ac121d23bc7a64581ce0

SHA512
206be9270fe66ce3e374dde7bf8a4ef93d4b915235058edfae8ab04259b195df43eafc94c8fc3481a07267b8a3a3e92e2f581ccb14e41d4025db28ac4861861d

Download Submit
C:\Windows\System\oidKuVB.exe

Filesize
5.2MB

MD5
7f2e9ef60b62d1889f7a888dc2b02a22

SHA1
c7ca6f1560c1daf920c33aeb5250c1ecf564255b

SHA256
9e43c9d37c7d39f0439ef24fc527800994eef8e0dc51d246acd6050b4cc00ce2

SHA512
48f0fd2e6854cea94ebe4051b8877928dd467e8a787ff66ab398067e00ca853c843eab7c88ea5ede4808a5b3db5db6c913949d7528934dbf94728626e49e42e4

Download Submit
C:\Windows\System\sRofOwF.exe

Filesize
5.2MB

MD5
8dbba02755aa3d8c0bf95e33ac6199ab

SHA1
6ae79c61d792647da76d2f2c2f9603127a0bc93f

SHA256
9ceaf5d6bae07d6632c64dadadec63ff425ffd130cb974e1d8bd37c978105a15

SHA512
e8c7bbdd184542fdb1773f6553ba99a9c9f08a868aad29d5bbfc70edbe4d400e4c2a4a842ff51aae523cb4641001b1cac6a1e1076a6d2983ae2393f78490fdc5

Download Submit
C:\Windows\System\uTrzCKX.exe

Filesize
5.2MB

MD5
42729493efd4f522c4d10125ecd050f7

SHA1
374553579f3cb012747d4556f0bfc7c9cd05092c

SHA256
ffccd4ab1cb4703491a4246580a16fa98b4bc1fa6a61d9a91ae0cbd128715ae9

SHA512
f0639fa880bb982fad0b8e1ddcf4d83f7b13ed8b78547469fff1ae08b3bdae3bbe4467b4eaa60329f30da9421054f76a3d4c097ea0109f1496473f3dc51653ba

Download Submit
C:\Windows\System\vKbcLRT.exe

Filesize
5.2MB

MD5
5dfaaf0c0f402e97b6d382ea93b79640

SHA1
776d5e043be3292438349295a5cca037abe58845

SHA256
fde4adba64c0e0e0bd85efeeb7928e839736395b147d6b17fbb300e31fd4bb82

SHA512
4174ae48a627b72d7152da1d134a7ca3f13d613075e9e3eb5b97706bb5b7348a2e33340f3080f3f5e315b0d1902657113c7471bf83ea051745b5f903c6768f08

Download Submit
C:\Windows\System\ybXkyOZ.exe

Filesize
5.2MB

MD5
c75edf9b0afb9c6ffd362a268cae5e5c

SHA1
d220d7ceb3a8aff4acba657974463318161b9742

SHA256
86be5b759302d0fad58090fd3a14bd8680157f7fe2246c8d2e430dba919eaefa

SHA512
516defb629bd23b1d89aafa0a2acffcd9c56b24eabc9c36b505c6b1bcd5de401c009cb76858c3e0b36d31c2d11e57639da8e758e2aee0a075cc9e51a4bb35432

Download Submit
C:\Windows\System\zVRCrFQ.exe

Filesize
5.2MB

MD5
8d6e995eb297591950f666bf1b3dcf0f

SHA1
cd8065ebb27d4cb5b6524da22fc6412654270ea1

SHA256
baff89a126db5f837d26f664594f8787ee220a5dc7819a18b7b2efa85e9ac084

SHA512
155217564159095e7c96edbd9d5d9e1c250d2b61eae3aad33af4b4ee53d32e4117d13fa9c678d756787a7b14b8db0638afd28cd888198699b9f93eed76ced51a

Download Submit
memory/32-51-0x00007FF634DB0000-0x00007FF635101000-memory.dmp

Filesize
3.3MB

Download
memory/32-230-0x00007FF634DB0000-0x00007FF635101000-memory.dmp

Filesize
3.3MB

Download
memory/64-218-0x00007FF724980000-0x00007FF724CD1000-memory.dmp

Filesize
3.3MB

Download
memory/64-8-0x00007FF724980000-0x00007FF724CD1000-memory.dmp

Filesize
3.3MB

Download
memory/64-105-0x00007FF724980000-0x00007FF724CD1000-memory.dmp

Filesize
3.3MB

Download
memory/220-255-0x00007FF73A600000-0x00007FF73A951000-memory.dmp

Filesize
3.3MB

Download
memory/220-94-0x00007FF73A600000-0x00007FF73A951000-memory.dmp

Filesize
3.3MB

Download
memory/220-149-0x00007FF73A600000-0x00007FF73A951000-memory.dmp

Filesize
3.3MB

Download
memory/392-150-0x00007FF6CE510000-0x00007FF6CE861000-memory.dmp

Filesize
3.3MB

Download
memory/392-257-0x00007FF6CE510000-0x00007FF6CE861000-memory.dmp

Filesize
3.3MB

Download
memory/392-102-0x00007FF6CE510000-0x00007FF6CE861000-memory.dmp

Filesize
3.3MB

Download
memory/700-259-0x00007FF73BE10000-0x00007FF73C161000-memory.dmp

Filesize
3.3MB

Download
memory/700-114-0x00007FF73BE10000-0x00007FF73C161000-memory.dmp

Filesize
3.3MB

Download
memory/744-139-0x00007FF6873D0000-0x00007FF687721000-memory.dmp

Filesize
3.3MB

Download
memory/744-234-0x00007FF6873D0000-0x00007FF687721000-memory.dmp

Filesize
3.3MB

Download
memory/744-61-0x00007FF6873D0000-0x00007FF687721000-memory.dmp

Filesize
3.3MB

Download
memory/960-262-0x00007FF725B50000-0x00007FF725EA1000-memory.dmp

Filesize
3.3MB

Download
memory/960-140-0x00007FF725B50000-0x00007FF725EA1000-memory.dmp

Filesize
3.3MB

Download
memory/1092-243-0x00007FF662370000-0x00007FF6626C1000-memory.dmp

Filesize
3.3MB

Download
memory/1092-74-0x00007FF662370000-0x00007FF6626C1000-memory.dmp

Filesize
3.3MB

Download
memory/1136-232-0x00007FF712FB0000-0x00007FF713301000-memory.dmp

Filesize
3.3MB

Download
memory/1136-65-0x00007FF712FB0000-0x00007FF713301000-memory.dmp

Filesize
3.3MB

Download
memory/1152-119-0x00007FF7B0520000-0x00007FF7B0871000-memory.dmp

Filesize
3.3MB

Download
memory/1152-263-0x00007FF7B0520000-0x00007FF7B0871000-memory.dmp

Filesize
3.3MB

Download
memory/1152-156-0x00007FF7B0520000-0x00007FF7B0871000-memory.dmp

Filesize
3.3MB

Download
memory/1256-267-0x00007FF7A2950000-0x00007FF7A2CA1000-memory.dmp

Filesize
3.3MB

Download
memory/1256-145-0x00007FF7A2950000-0x00007FF7A2CA1000-memory.dmp

Filesize
3.3MB

Download
memory/1284-237-0x00007FF622CE0000-0x00007FF623031000-memory.dmp

Filesize
3.3MB

Download
memory/1284-68-0x00007FF622CE0000-0x00007FF623031000-memory.dmp

Filesize
3.3MB

Download
memory/2164-265-0x00007FF688860000-0x00007FF688BB1000-memory.dmp

Filesize
3.3MB

Download
memory/2164-142-0x00007FF688860000-0x00007FF688BB1000-memory.dmp

Filesize
3.3MB

Download
memory/2368-220-0x00007FF65C580000-0x00007FF65C8D1000-memory.dmp

Filesize
3.3MB

Download
memory/2368-106-0x00007FF65C580000-0x00007FF65C8D1000-memory.dmp

Filesize
3.3MB

Download
memory/2368-20-0x00007FF65C580000-0x00007FF65C8D1000-memory.dmp

Filesize
3.3MB

Download
memory/2872-120-0x00007FF736A80000-0x00007FF736DD1000-memory.dmp

Filesize
3.3MB

Download
memory/2872-25-0x00007FF736A80000-0x00007FF736DD1000-memory.dmp

Filesize
3.3MB

Download
memory/2872-224-0x00007FF736A80000-0x00007FF736DD1000-memory.dmp

Filesize
3.3MB

Download
memory/3848-227-0x00007FF769B70000-0x00007FF769EC1000-memory.dmp

Filesize
3.3MB

Download
memory/3848-58-0x00007FF769B70000-0x00007FF769EC1000-memory.dmp

Filesize
3.3MB

Download
memory/3956-247-0x00007FF6C0260000-0x00007FF6C05B1000-memory.dmp

Filesize
3.3MB

Download
memory/3956-84-0x00007FF6C0260000-0x00007FF6C05B1000-memory.dmp

Filesize
3.3MB

Download
memory/3956-148-0x00007FF6C0260000-0x00007FF6C05B1000-memory.dmp

Filesize
3.3MB

Download
memory/4376-98-0x00007FF75F1E0000-0x00007FF75F531000-memory.dmp

Filesize
3.3MB

Download
memory/4376-160-0x00007FF75F1E0000-0x00007FF75F531000-memory.dmp

Filesize
3.3MB

Download
memory/4376-0-0x00007FF75F1E0000-0x00007FF75F531000-memory.dmp

Filesize
3.3MB

Download
memory/4376-130-0x00007FF75F1E0000-0x00007FF75F531000-memory.dmp

Filesize
3.3MB

Download
memory/4376-1-0x000002EE9B950000-0x000002EE9B960000-memory.dmp

Filesize
64KB

Download
memory/4532-62-0x00007FF785C60000-0x00007FF785FB1000-memory.dmp

Filesize
3.3MB

Download
memory/4532-238-0x00007FF785C60000-0x00007FF785FB1000-memory.dmp

Filesize
3.3MB

Download
memory/4532-144-0x00007FF785C60000-0x00007FF785FB1000-memory.dmp

Filesize
3.3MB

Download
memory/4564-229-0x00007FF6F04B0000-0x00007FF6F0801000-memory.dmp

Filesize
3.3MB

Download
memory/4564-34-0x00007FF6F04B0000-0x00007FF6F0801000-memory.dmp

Filesize
3.3MB

Download
memory/4564-113-0x00007FF6F04B0000-0x00007FF6F0801000-memory.dmp

Filesize
3.3MB

Download
memory/4656-222-0x00007FF790EB0000-0x00007FF791201000-memory.dmp

Filesize
3.3MB

Download
memory/4656-48-0x00007FF790EB0000-0x00007FF791201000-memory.dmp

Filesize
3.3MB

Download
memory/4916-246-0x00007FF67DC80000-0x00007FF67DFD1000-memory.dmp

Filesize
3.3MB

Download
memory/4916-80-0x00007FF67DC80000-0x00007FF67DFD1000-memory.dmp

Filesize
3.3MB

Download
memory/4916-147-0x00007FF67DC80000-0x00007FF67DFD1000-memory.dmp

Filesize
3.3MB

Download