cobaltstrike | 6d98a3859a3629a55d679bcb922b2a824df293cba6f02cd436d251eec152930b

Analysis

max time kernel
140s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 05:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-22_cea1352d9437e158c82ace75d5ebe4bb_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

cea1352d9437e158c82ace75d5ebe4bb
SHA1

361888f55a2276c8f895d9d6c0d05a87cee6acd7
SHA256

6d98a3859a3629a55d679bcb922b2a824df293cba6f02cd436d251eec152930b
SHA512

f7b9802833adb75fd14c23cad086e4dd37367794088a01c84d554747a95e4e50c4e5cb3c647c7e81e35b52ba64e0f1ca1e6ad64aad5841b43a3d2cdc5d873e01
SSDEEP

49152:ROdWCCi7/raN56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6li:RWWBib+56utgpPFotBER/mQ32lUW

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000c000000023b70-5.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7c-10.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7b-11.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7d-23.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7e-33.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7f-34.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b81-49.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b80-39.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b82-53.dat	cobalt_reflective_dll
behavioral2/files/0x000c000000023b74-59.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b83-66.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b84-75.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b86-81.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8a-109.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b89-111.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b88-102.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b87-94.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8b-116.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8c-123.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8d-130.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8e-138.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 46 IoCs

miner

resource	yara_rule
behavioral2/memory/3020-47-0x00007FF7CE610000-0x00007FF7CE961000-memory.dmp	xmrig
behavioral2/memory/2228-60-0x00007FF635240000-0x00007FF635591000-memory.dmp	xmrig
behavioral2/memory/3296-69-0x00007FF7D7D50000-0x00007FF7D80A1000-memory.dmp	xmrig
behavioral2/memory/3708-71-0x00007FF633D50000-0x00007FF6340A1000-memory.dmp	xmrig
behavioral2/memory/2432-54-0x00007FF6314A0000-0x00007FF6317F1000-memory.dmp	xmrig
behavioral2/memory/4212-74-0x00007FF702CD0000-0x00007FF703021000-memory.dmp	xmrig
behavioral2/memory/4544-82-0x00007FF76F9A0000-0x00007FF76FCF1000-memory.dmp	xmrig
behavioral2/memory/4476-106-0x00007FF67A870000-0x00007FF67ABC1000-memory.dmp	xmrig
behavioral2/memory/2276-90-0x00007FF6FEF90000-0x00007FF6FF2E1000-memory.dmp	xmrig
behavioral2/memory/1612-76-0x00007FF7C27A0000-0x00007FF7C2AF1000-memory.dmp	xmrig
behavioral2/memory/3720-117-0x00007FF78C6E0000-0x00007FF78CA31000-memory.dmp	xmrig
behavioral2/memory/4956-115-0x00007FF6D6B00000-0x00007FF6D6E51000-memory.dmp	xmrig
behavioral2/memory/1700-136-0x00007FF7909D0000-0x00007FF790D21000-memory.dmp	xmrig
behavioral2/memory/3708-124-0x00007FF633D50000-0x00007FF6340A1000-memory.dmp	xmrig
behavioral2/memory/2360-142-0x00007FF624630000-0x00007FF624981000-memory.dmp	xmrig
behavioral2/memory/2432-140-0x00007FF6314A0000-0x00007FF6317F1000-memory.dmp	xmrig
behavioral2/memory/628-150-0x00007FF74A470000-0x00007FF74A7C1000-memory.dmp	xmrig
behavioral2/memory/3056-155-0x00007FF6A5120000-0x00007FF6A5471000-memory.dmp	xmrig
behavioral2/memory/388-157-0x00007FF6D0B30000-0x00007FF6D0E81000-memory.dmp	xmrig
behavioral2/memory/2972-156-0x00007FF694990000-0x00007FF694CE1000-memory.dmp	xmrig
behavioral2/memory/3768-163-0x00007FF7F0260000-0x00007FF7F05B1000-memory.dmp	xmrig
behavioral2/memory/4380-164-0x00007FF6A3E80000-0x00007FF6A41D1000-memory.dmp	xmrig
behavioral2/memory/3096-166-0x00007FF6C36A0000-0x00007FF6C39F1000-memory.dmp	xmrig
behavioral2/memory/4668-169-0x00007FF6B78A0000-0x00007FF6B7BF1000-memory.dmp	xmrig
behavioral2/memory/2432-170-0x00007FF6314A0000-0x00007FF6317F1000-memory.dmp	xmrig
behavioral2/memory/2228-221-0x00007FF635240000-0x00007FF635591000-memory.dmp	xmrig
behavioral2/memory/3296-223-0x00007FF7D7D50000-0x00007FF7D80A1000-memory.dmp	xmrig
behavioral2/memory/4212-225-0x00007FF702CD0000-0x00007FF703021000-memory.dmp	xmrig
behavioral2/memory/1612-230-0x00007FF7C27A0000-0x00007FF7C2AF1000-memory.dmp	xmrig
behavioral2/memory/2276-232-0x00007FF6FEF90000-0x00007FF6FF2E1000-memory.dmp	xmrig
behavioral2/memory/4544-234-0x00007FF76F9A0000-0x00007FF76FCF1000-memory.dmp	xmrig
behavioral2/memory/3020-236-0x00007FF7CE610000-0x00007FF7CE961000-memory.dmp	xmrig
behavioral2/memory/4476-238-0x00007FF67A870000-0x00007FF67ABC1000-memory.dmp	xmrig
behavioral2/memory/4956-244-0x00007FF6D6B00000-0x00007FF6D6E51000-memory.dmp	xmrig
behavioral2/memory/3720-246-0x00007FF78C6E0000-0x00007FF78CA31000-memory.dmp	xmrig
behavioral2/memory/3708-248-0x00007FF633D50000-0x00007FF6340A1000-memory.dmp	xmrig
behavioral2/memory/1700-253-0x00007FF7909D0000-0x00007FF790D21000-memory.dmp	xmrig
behavioral2/memory/2360-255-0x00007FF624630000-0x00007FF624981000-memory.dmp	xmrig
behavioral2/memory/628-260-0x00007FF74A470000-0x00007FF74A7C1000-memory.dmp	xmrig
behavioral2/memory/3056-262-0x00007FF6A5120000-0x00007FF6A5471000-memory.dmp	xmrig
behavioral2/memory/2972-264-0x00007FF694990000-0x00007FF694CE1000-memory.dmp	xmrig
behavioral2/memory/388-266-0x00007FF6D0B30000-0x00007FF6D0E81000-memory.dmp	xmrig
behavioral2/memory/3768-269-0x00007FF7F0260000-0x00007FF7F05B1000-memory.dmp	xmrig
behavioral2/memory/4380-274-0x00007FF6A3E80000-0x00007FF6A41D1000-memory.dmp	xmrig
behavioral2/memory/3096-276-0x00007FF6C36A0000-0x00007FF6C39F1000-memory.dmp	xmrig
behavioral2/memory/4668-278-0x00007FF6B78A0000-0x00007FF6B7BF1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2228	ERSIIkh.exe
3296	UJgXEVg.exe
4212	IVWsOVR.exe
1612	WOOLGsH.exe
4544	eiyjvSl.exe
2276	lAUWDGN.exe
3020	nFXIsUa.exe
4476	fqRAQpv.exe
4956	QGMxAEb.exe
3720	PrPmsoP.exe
3708	yUHhBYL.exe
1700	MQNTAOZ.exe
2360	mKOfyQZ.exe
628	eqSmTko.exe
3056	HxnMYdP.exe
2972	KZVvOCV.exe
388	vBgUImf.exe
3768	aslmiZu.exe
4380	rSJaCOh.exe
3096	sKSVVSU.exe
4668	yVZYdCg.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2432-0-0x00007FF6314A0000-0x00007FF6317F1000-memory.dmp	upx
behavioral2/files/0x000c000000023b70-5.dat	upx
behavioral2/memory/2228-6-0x00007FF635240000-0x00007FF635591000-memory.dmp	upx
behavioral2/files/0x000a000000023b7c-10.dat	upx
behavioral2/files/0x000a000000023b7b-11.dat	upx
behavioral2/memory/4212-18-0x00007FF702CD0000-0x00007FF703021000-memory.dmp	upx
behavioral2/files/0x000a000000023b7d-23.dat	upx
behavioral2/memory/4544-29-0x00007FF76F9A0000-0x00007FF76FCF1000-memory.dmp	upx
behavioral2/files/0x000a000000023b7e-33.dat	upx
behavioral2/files/0x000a000000023b7f-34.dat	upx
behavioral2/memory/3020-47-0x00007FF7CE610000-0x00007FF7CE961000-memory.dmp	upx
behavioral2/files/0x000a000000023b81-49.dat	upx
behavioral2/memory/4476-48-0x00007FF67A870000-0x00007FF67ABC1000-memory.dmp	upx
behavioral2/files/0x000a000000023b80-39.dat	upx
behavioral2/memory/2276-37-0x00007FF6FEF90000-0x00007FF6FF2E1000-memory.dmp	upx
behavioral2/memory/1612-24-0x00007FF7C27A0000-0x00007FF7C2AF1000-memory.dmp	upx
behavioral2/memory/3296-12-0x00007FF7D7D50000-0x00007FF7D80A1000-memory.dmp	upx
behavioral2/files/0x000a000000023b82-53.dat	upx
behavioral2/memory/4956-56-0x00007FF6D6B00000-0x00007FF6D6E51000-memory.dmp	upx
behavioral2/memory/2228-60-0x00007FF635240000-0x00007FF635591000-memory.dmp	upx
behavioral2/files/0x000c000000023b74-59.dat	upx
behavioral2/files/0x000a000000023b83-66.dat	upx
behavioral2/memory/3296-69-0x00007FF7D7D50000-0x00007FF7D80A1000-memory.dmp	upx
behavioral2/memory/3708-71-0x00007FF633D50000-0x00007FF6340A1000-memory.dmp	upx
behavioral2/memory/3720-61-0x00007FF78C6E0000-0x00007FF78CA31000-memory.dmp	upx
behavioral2/memory/2432-54-0x00007FF6314A0000-0x00007FF6317F1000-memory.dmp	upx
behavioral2/files/0x000a000000023b84-75.dat	upx
behavioral2/memory/4212-74-0x00007FF702CD0000-0x00007FF703021000-memory.dmp	upx
behavioral2/files/0x000a000000023b86-81.dat	upx
behavioral2/memory/4544-82-0x00007FF76F9A0000-0x00007FF76FCF1000-memory.dmp	upx
behavioral2/memory/2360-86-0x00007FF624630000-0x00007FF624981000-memory.dmp	upx
behavioral2/memory/628-93-0x00007FF74A470000-0x00007FF74A7C1000-memory.dmp	upx
behavioral2/memory/3056-99-0x00007FF6A5120000-0x00007FF6A5471000-memory.dmp	upx
behavioral2/files/0x000a000000023b8a-109.dat	upx
behavioral2/files/0x000a000000023b89-111.dat	upx
behavioral2/memory/388-108-0x00007FF6D0B30000-0x00007FF6D0E81000-memory.dmp	upx
behavioral2/memory/2972-107-0x00007FF694990000-0x00007FF694CE1000-memory.dmp	upx
behavioral2/memory/4476-106-0x00007FF67A870000-0x00007FF67ABC1000-memory.dmp	upx
behavioral2/files/0x000a000000023b88-102.dat	upx
behavioral2/files/0x000a000000023b87-94.dat	upx
behavioral2/memory/2276-90-0x00007FF6FEF90000-0x00007FF6FF2E1000-memory.dmp	upx
behavioral2/memory/1700-78-0x00007FF7909D0000-0x00007FF790D21000-memory.dmp	upx
behavioral2/memory/1612-76-0x00007FF7C27A0000-0x00007FF7C2AF1000-memory.dmp	upx
behavioral2/files/0x000a000000023b8b-116.dat	upx
behavioral2/memory/3768-118-0x00007FF7F0260000-0x00007FF7F05B1000-memory.dmp	upx
behavioral2/memory/3720-117-0x00007FF78C6E0000-0x00007FF78CA31000-memory.dmp	upx
behavioral2/memory/4956-115-0x00007FF6D6B00000-0x00007FF6D6E51000-memory.dmp	upx
behavioral2/files/0x000a000000023b8c-123.dat	upx
behavioral2/files/0x000a000000023b8d-130.dat	upx
behavioral2/files/0x000a000000023b8e-138.dat	upx
behavioral2/memory/4668-137-0x00007FF6B78A0000-0x00007FF6B7BF1000-memory.dmp	upx
behavioral2/memory/1700-136-0x00007FF7909D0000-0x00007FF790D21000-memory.dmp	upx
behavioral2/memory/3096-131-0x00007FF6C36A0000-0x00007FF6C39F1000-memory.dmp	upx
behavioral2/memory/4380-125-0x00007FF6A3E80000-0x00007FF6A41D1000-memory.dmp	upx
behavioral2/memory/3708-124-0x00007FF633D50000-0x00007FF6340A1000-memory.dmp	upx
behavioral2/memory/2360-142-0x00007FF624630000-0x00007FF624981000-memory.dmp	upx
behavioral2/memory/2432-140-0x00007FF6314A0000-0x00007FF6317F1000-memory.dmp	upx
behavioral2/memory/628-150-0x00007FF74A470000-0x00007FF74A7C1000-memory.dmp	upx
behavioral2/memory/3056-155-0x00007FF6A5120000-0x00007FF6A5471000-memory.dmp	upx
behavioral2/memory/388-157-0x00007FF6D0B30000-0x00007FF6D0E81000-memory.dmp	upx
behavioral2/memory/2972-156-0x00007FF694990000-0x00007FF694CE1000-memory.dmp	upx
behavioral2/memory/3768-163-0x00007FF7F0260000-0x00007FF7F05B1000-memory.dmp	upx
behavioral2/memory/4380-164-0x00007FF6A3E80000-0x00007FF6A41D1000-memory.dmp	upx
behavioral2/memory/3096-166-0x00007FF6C36A0000-0x00007FF6C39F1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\IVWsOVR.exe	2024-12-22_cea1352d9437e158c82ace75d5ebe4bb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nFXIsUa.exe	2024-12-22_cea1352d9437e158c82ace75d5ebe4bb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mKOfyQZ.exe	2024-12-22_cea1352d9437e158c82ace75d5ebe4bb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HxnMYdP.exe	2024-12-22_cea1352d9437e158c82ace75d5ebe4bb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fqRAQpv.exe	2024-12-22_cea1352d9437e158c82ace75d5ebe4bb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PrPmsoP.exe	2024-12-22_cea1352d9437e158c82ace75d5ebe4bb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yUHhBYL.exe	2024-12-22_cea1352d9437e158c82ace75d5ebe4bb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MQNTAOZ.exe	2024-12-22_cea1352d9437e158c82ace75d5ebe4bb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aslmiZu.exe	2024-12-22_cea1352d9437e158c82ace75d5ebe4bb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eiyjvSl.exe	2024-12-22_cea1352d9437e158c82ace75d5ebe4bb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QGMxAEb.exe	2024-12-22_cea1352d9437e158c82ace75d5ebe4bb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eqSmTko.exe	2024-12-22_cea1352d9437e158c82ace75d5ebe4bb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KZVvOCV.exe	2024-12-22_cea1352d9437e158c82ace75d5ebe4bb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vBgUImf.exe	2024-12-22_cea1352d9437e158c82ace75d5ebe4bb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rSJaCOh.exe	2024-12-22_cea1352d9437e158c82ace75d5ebe4bb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sKSVVSU.exe	2024-12-22_cea1352d9437e158c82ace75d5ebe4bb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yVZYdCg.exe	2024-12-22_cea1352d9437e158c82ace75d5ebe4bb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ERSIIkh.exe	2024-12-22_cea1352d9437e158c82ace75d5ebe4bb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UJgXEVg.exe	2024-12-22_cea1352d9437e158c82ace75d5ebe4bb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WOOLGsH.exe	2024-12-22_cea1352d9437e158c82ace75d5ebe4bb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lAUWDGN.exe	2024-12-22_cea1352d9437e158c82ace75d5ebe4bb_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2432	2024-12-22_cea1352d9437e158c82ace75d5ebe4bb_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2432	2024-12-22_cea1352d9437e158c82ace75d5ebe4bb_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2432 wrote to memory of 2228	2432	2024-12-22_cea1352d9437e158c82ace75d5ebe4bb_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2432 wrote to memory of 2228	2432	2024-12-22_cea1352d9437e158c82ace75d5ebe4bb_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2432 wrote to memory of 3296	2432	2024-12-22_cea1352d9437e158c82ace75d5ebe4bb_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2432 wrote to memory of 3296	2432	2024-12-22_cea1352d9437e158c82ace75d5ebe4bb_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2432 wrote to memory of 4212	2432	2024-12-22_cea1352d9437e158c82ace75d5ebe4bb_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2432 wrote to memory of 4212	2432	2024-12-22_cea1352d9437e158c82ace75d5ebe4bb_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2432 wrote to memory of 1612	2432	2024-12-22_cea1352d9437e158c82ace75d5ebe4bb_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2432 wrote to memory of 1612	2432	2024-12-22_cea1352d9437e158c82ace75d5ebe4bb_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2432 wrote to memory of 4544	2432	2024-12-22_cea1352d9437e158c82ace75d5ebe4bb_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2432 wrote to memory of 4544	2432	2024-12-22_cea1352d9437e158c82ace75d5ebe4bb_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2432 wrote to memory of 2276	2432	2024-12-22_cea1352d9437e158c82ace75d5ebe4bb_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2432 wrote to memory of 2276	2432	2024-12-22_cea1352d9437e158c82ace75d5ebe4bb_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2432 wrote to memory of 3020	2432	2024-12-22_cea1352d9437e158c82ace75d5ebe4bb_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2432 wrote to memory of 3020	2432	2024-12-22_cea1352d9437e158c82ace75d5ebe4bb_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2432 wrote to memory of 4476	2432	2024-12-22_cea1352d9437e158c82ace75d5ebe4bb_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2432 wrote to memory of 4476	2432	2024-12-22_cea1352d9437e158c82ace75d5ebe4bb_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2432 wrote to memory of 4956	2432	2024-12-22_cea1352d9437e158c82ace75d5ebe4bb_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2432 wrote to memory of 4956	2432	2024-12-22_cea1352d9437e158c82ace75d5ebe4bb_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2432 wrote to memory of 3720	2432	2024-12-22_cea1352d9437e158c82ace75d5ebe4bb_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2432 wrote to memory of 3720	2432	2024-12-22_cea1352d9437e158c82ace75d5ebe4bb_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2432 wrote to memory of 3708	2432	2024-12-22_cea1352d9437e158c82ace75d5ebe4bb_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2432 wrote to memory of 3708	2432	2024-12-22_cea1352d9437e158c82ace75d5ebe4bb_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2432 wrote to memory of 1700	2432	2024-12-22_cea1352d9437e158c82ace75d5ebe4bb_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2432 wrote to memory of 1700	2432	2024-12-22_cea1352d9437e158c82ace75d5ebe4bb_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2432 wrote to memory of 2360	2432	2024-12-22_cea1352d9437e158c82ace75d5ebe4bb_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2432 wrote to memory of 2360	2432	2024-12-22_cea1352d9437e158c82ace75d5ebe4bb_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2432 wrote to memory of 628	2432	2024-12-22_cea1352d9437e158c82ace75d5ebe4bb_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2432 wrote to memory of 628	2432	2024-12-22_cea1352d9437e158c82ace75d5ebe4bb_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2432 wrote to memory of 3056	2432	2024-12-22_cea1352d9437e158c82ace75d5ebe4bb_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2432 wrote to memory of 3056	2432	2024-12-22_cea1352d9437e158c82ace75d5ebe4bb_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2432 wrote to memory of 388	2432	2024-12-22_cea1352d9437e158c82ace75d5ebe4bb_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2432 wrote to memory of 388	2432	2024-12-22_cea1352d9437e158c82ace75d5ebe4bb_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2432 wrote to memory of 2972	2432	2024-12-22_cea1352d9437e158c82ace75d5ebe4bb_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2432 wrote to memory of 2972	2432	2024-12-22_cea1352d9437e158c82ace75d5ebe4bb_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2432 wrote to memory of 3768	2432	2024-12-22_cea1352d9437e158c82ace75d5ebe4bb_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2432 wrote to memory of 3768	2432	2024-12-22_cea1352d9437e158c82ace75d5ebe4bb_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2432 wrote to memory of 4380	2432	2024-12-22_cea1352d9437e158c82ace75d5ebe4bb_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 2432 wrote to memory of 4380	2432	2024-12-22_cea1352d9437e158c82ace75d5ebe4bb_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 2432 wrote to memory of 3096	2432	2024-12-22_cea1352d9437e158c82ace75d5ebe4bb_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 2432 wrote to memory of 3096	2432	2024-12-22_cea1352d9437e158c82ace75d5ebe4bb_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 2432 wrote to memory of 4668	2432	2024-12-22_cea1352d9437e158c82ace75d5ebe4bb_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 2432 wrote to memory of 4668	2432	2024-12-22_cea1352d9437e158c82ace75d5ebe4bb_cobalt-strike_cobaltstrike_poet-rat.exe	106

C:\Users\Admin\AppData\Local\Temp\2024-12-22_cea1352d9437e158c82ace75d5ebe4bb_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-22_cea1352d9437e158c82ace75d5ebe4bb_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2432
- C:\Windows\System\ERSIIkh.exe
  C:\Windows\System\ERSIIkh.exe
  2⤵
  - Executes dropped EXE
  PID:2228
- C:\Windows\System\UJgXEVg.exe
  C:\Windows\System\UJgXEVg.exe
  2⤵
  - Executes dropped EXE
  PID:3296
- C:\Windows\System\IVWsOVR.exe
  C:\Windows\System\IVWsOVR.exe
  2⤵
  - Executes dropped EXE
  PID:4212
- C:\Windows\System\WOOLGsH.exe
  C:\Windows\System\WOOLGsH.exe
  2⤵
  - Executes dropped EXE
  PID:1612
- C:\Windows\System\eiyjvSl.exe
  C:\Windows\System\eiyjvSl.exe
  2⤵
  - Executes dropped EXE
  PID:4544
- C:\Windows\System\lAUWDGN.exe
  C:\Windows\System\lAUWDGN.exe
  2⤵
  - Executes dropped EXE
  PID:2276
- C:\Windows\System\nFXIsUa.exe
  C:\Windows\System\nFXIsUa.exe
  2⤵
  - Executes dropped EXE
  PID:3020
- C:\Windows\System\fqRAQpv.exe
  C:\Windows\System\fqRAQpv.exe
  2⤵
  - Executes dropped EXE
  PID:4476
- C:\Windows\System\QGMxAEb.exe
  C:\Windows\System\QGMxAEb.exe
  2⤵
  - Executes dropped EXE
  PID:4956
- C:\Windows\System\PrPmsoP.exe
  C:\Windows\System\PrPmsoP.exe
  2⤵
  - Executes dropped EXE
  PID:3720
- C:\Windows\System\yUHhBYL.exe
  C:\Windows\System\yUHhBYL.exe
  2⤵
  - Executes dropped EXE
  PID:3708
- C:\Windows\System\MQNTAOZ.exe
  C:\Windows\System\MQNTAOZ.exe
  2⤵
  - Executes dropped EXE
  PID:1700
- C:\Windows\System\mKOfyQZ.exe
  C:\Windows\System\mKOfyQZ.exe
  2⤵
  - Executes dropped EXE
  PID:2360
- C:\Windows\System\eqSmTko.exe
  C:\Windows\System\eqSmTko.exe
  2⤵
  - Executes dropped EXE
  PID:628
- C:\Windows\System\HxnMYdP.exe
  C:\Windows\System\HxnMYdP.exe
  2⤵
  - Executes dropped EXE
  PID:3056
- C:\Windows\System\vBgUImf.exe
  C:\Windows\System\vBgUImf.exe
  2⤵
  - Executes dropped EXE
  PID:388
- C:\Windows\System\KZVvOCV.exe
  C:\Windows\System\KZVvOCV.exe
  2⤵
  - Executes dropped EXE
  PID:2972
- C:\Windows\System\aslmiZu.exe
  C:\Windows\System\aslmiZu.exe
  2⤵
  - Executes dropped EXE
  PID:3768
- C:\Windows\System\rSJaCOh.exe
  C:\Windows\System\rSJaCOh.exe
  2⤵
  - Executes dropped EXE
  PID:4380
- C:\Windows\System\sKSVVSU.exe
  C:\Windows\System\sKSVVSU.exe
  2⤵
  - Executes dropped EXE
  PID:3096
- C:\Windows\System\yVZYdCg.exe
  C:\Windows\System\yVZYdCg.exe
  2⤵
  - Executes dropped EXE
  PID:4668

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\ERSIIkh.exe

Filesize
5.2MB

MD5
72bd68d4ebbbcb65b7fe23439ddd2ab3

SHA1
cd04e9a4ea17033bb956d0ce0ed4ba9dc12ae7af

SHA256
ff41b9fe06657ccc79a6647a0721ef94f5b80aaa9b4b1511840bfd95ce6c6559

SHA512
ab7bad42f7d5172d0c87756d63661a7243956426fb78bf532d79a3f969d00e0d4b360fb4a57e8889e3d296b8d0e48b3a3ba0245fe3f9e86d6fdc2998d2438ba6

Download Submit
C:\Windows\System\HxnMYdP.exe

Filesize
5.2MB

MD5
a7380d651020a30e93b181c1e38cb481

SHA1
8bdc8be0db06b6d7aebececf62b2c3ac198e863e

SHA256
f45bc1a86f041abd0ea4d632060214995fba7c8ae0a798c9673e13aa6134fc14

SHA512
65409bee05bfb9971476412971338408bb7f9b249fb2fea5995c4de954fb5c71e1cefafecdfca92d07230bb2d698a76cba073f99ff4f1f1b963fd1eedb3ebe4f

Download Submit
C:\Windows\System\IVWsOVR.exe

Filesize
5.2MB

MD5
d3bace077fc185d7cf60f2fe97109e7c

SHA1
858b0f12f856a8de00f6cba84ab27f69339aa10e

SHA256
0966042000098e4baddffedb5bbc3c5f0e71593960d6527feb9ebd531b979975

SHA512
0abd7f8a792288036bb342324a022ccf2ccca51df10863f7bbca8888c92ba56b146add21c03fdbe82b5753629a684bb40c609be5a738a61ec09ae778c4d12162

Download Submit
C:\Windows\System\KZVvOCV.exe

Filesize
5.2MB

MD5
65fdbb5dc1ffb5ac2f56da19f11cd0b8

SHA1
a4063cf387036a6517308720c8afec0d3ccf29ea

SHA256
66b1c0182e2701a8bb76844d6d0e5e5efc310865ff16ba11ad897d15ce1131a7

SHA512
9294df0a7368ad24094b6338c984ef34a9e40a00ee3b86bbd4aeddb0735e3dd0b94e0c8cc93b35bf83f3c9ff650932daecaae715334accab51c7c919491f24c3

Download Submit
C:\Windows\System\MQNTAOZ.exe

Filesize
5.2MB

MD5
2bd8b783e97491db9869cd66fbb06d16

SHA1
63cfffb499ffb5ba1f6383cc94cb802db1d3a55f

SHA256
c26b6d89571f801c09b050c1f03e2de22e46ced421930b19c8ee4130d4488081

SHA512
b709be67589800f23f890f4a8c681bb2aa57406a74ee36d1321e2900fb63f3ae8044aeccc80e270f98aa007c0d8e10c36fea8c4599871141ec501b41bcb1cccb

Download Submit
C:\Windows\System\PrPmsoP.exe

Filesize
5.2MB

MD5
7898646cd54a63d25defbba2c81256b8

SHA1
bc292108b4222e01857efe5ba19be56caec1bd0b

SHA256
ee45d106644c1d46de493fce095d94826168e83161e21e4a715cb1835ea534d3

SHA512
9f93fe3293fe52864572fba8377c90688678e6f8dce93a622a51c0b5d5118cf0cb7c738f942a36730f1db403e3721aa527dc5b0bb24fcf69f9910c57fff049ec

Download Submit
C:\Windows\System\QGMxAEb.exe

Filesize
5.2MB

MD5
52e9c6c9e19dfe7be4585f77aaf5a2e7

SHA1
dad37e3e0aca7cf92d8e6dcc00f16bd0cef0beec

SHA256
a67536db5849a6a1cb945ebbf3184a355550cb92edfd93f15edbe1e8d76c2ad9

SHA512
3b9359613f98c65b98530a5187999db4af5722e9834d6ae9ab287b977c97c850d72b38377f5d83c0513addcba92486e6d9cf71eb86caa0d260437c85875c75e1

Download Submit
C:\Windows\System\UJgXEVg.exe

Filesize
5.2MB

MD5
34f42ef9d28bc5f942a800469d83b569

SHA1
0c060f8ef719a8c4f28d93aadaaf8adfb33524eb

SHA256
a348f9e88015373dc9d4dab4e8b3c1e4f5a105eac96e2d55646a8e999e933444

SHA512
c45d4c2107d4865b003ecdced729ce65684740216d7f48164a3c4800d7de418a6226910e432b7f52cdbc6154424124af05baed5f91662a57fdc0910fb2296865

Download Submit
C:\Windows\System\WOOLGsH.exe

Filesize
5.2MB

MD5
878165186842676272b4308dcc5d01d8

SHA1
e2e8de414d0db355f6471d8003fab16f8950d7ef

SHA256
6d0777984f5a230b497b5483c3cadb02db7a2d86f4f3ac57c21efff14460756f

SHA512
ca7b6cc8e68f68d4f495c5c50a84b6620ecc366581536b82b42ba8fb97c488f244b16954304cfe1568e7175df119745f87cc5bf5f1629cc59c91180ab01306c6

Download Submit
C:\Windows\System\aslmiZu.exe

Filesize
5.2MB

MD5
50a742006b27052ede0c368d5f3c2c4d

SHA1
35a326ada7eed556225e3638bc5eacca6a44073e

SHA256
74101b219cf2b03203af767d3580bbb4ea0acc366162c596087fc6c7c101da05

SHA512
33dc150e83d364e7a1207c02bb245e3699f34f3fe825e9767b6cec6711e3a9c8e556cf1e4dff04b1e44d11f2ad5def56ce8da354c0d6bc323410434f8731c979

Download Submit
C:\Windows\System\eiyjvSl.exe

Filesize
5.2MB

MD5
c002e8ee861dbccb7ff4b0a77ee1b3a5

SHA1
10b17ca47db39a3d053d077a1e1df768a542c7d5

SHA256
e9194b6915bdbe3c88335cb37b2de93b4a168126d72792d23716bf61e7cae744

SHA512
c4a8ee3178ebfef70b404c8d7c41751b99b80cadc17eb0e62318e0de2c5882649cbf7a2617d846328cd81489cc10308e2b7344b6eda75d4b72eb6a72377f3832

Download Submit
C:\Windows\System\eqSmTko.exe

Filesize
5.2MB

MD5
5bfd05da14ced8bebcc563184e5b5bf0

SHA1
1b5f3c639df1d3eaaffaae57d66b43637ccde43b

SHA256
532be1928e734c98100c95853b075b3f473055ce9b0718e05c7a8ddc1ab8a945

SHA512
1defd1aa87ee0ac5933273594217d1016dea83c584147dcdceaf71b78fb81bd404a302c5252db14652a799893340eadae5d212fb2b9a54c282fd464f759bdbe1

Download Submit
C:\Windows\System\fqRAQpv.exe

Filesize
5.2MB

MD5
7758221b332164ced3e06687aef1c2bf

SHA1
7fc026058e8910c89e6d1e2bff4d70c55d27c585

SHA256
ebd6a8f1c6964cee39a10051cd4c2c8ad47186dffa59974ae788d8a938f85495

SHA512
01d4ba44c8cb6149b402fbc4a87467070db851aa0c22349108b0aef777e14b7e53c748f8722f4a330d5f3b760bf9eb27ec0953df7075e2719397c2d20c3d0416

Download Submit
C:\Windows\System\lAUWDGN.exe

Filesize
5.2MB

MD5
d005868635f5bf34543f03bd0f6a8c8e

SHA1
5ed4b572b8513ed065eba71477ccf3f468dfd737

SHA256
2e4046d994a9a116eb8a56606549abdd3a790fa0a902d41e5b9fd2e3b3292673

SHA512
ca84bf96ca9a0c8381d177a3ccc07853ef282ddce864815b498e81aaad792f84fcf360bd93939c9ee365690b544f2f5c316f2db961317e518c652f69e24d896c

Download Submit
C:\Windows\System\mKOfyQZ.exe

Filesize
5.2MB

MD5
5c3f477f87bb9c12d3ceea7cfb137325

SHA1
5fbd1592dbc063e8b1999e8030f91d93b03fe154

SHA256
9ff25afa91dda3b1c50eb78b6ac84220b3b4d8522b9b1639bf3747b0606cf848

SHA512
3a071f823f23dec4a2224cfe9b633381d3722d3b141f85a2c3f0d380c08bfb143a924527d522bfbf6c3394521342738dff0ce884b7808e2abd4a2f237d50b520

Download Submit
C:\Windows\System\nFXIsUa.exe

Filesize
5.2MB

MD5
d1a1c0e68127877ab6e9f2c4e082fade

SHA1
ede466c24fd17de8f03e40d03bd2078f092e6656

SHA256
190f2334a12077e82bc498b5aa5602fb4ff9af9d025c889b349d4b456d850a45

SHA512
bad65c2d0d800232b48bd5cf4990b32b33441e5bb2654c9d98199c9e8b81a5a0f290cee45cd9ed99d7794c95785747de3d68dd304cc78cfaf85679b40afa299a

Download Submit
C:\Windows\System\rSJaCOh.exe

Filesize
5.2MB

MD5
b40ee74e0ee640ee67e37ee61ff227f3

SHA1
e6f8020a104451975b69d5e6a593384fc59f3315

SHA256
f490461195bd52f26321d65b51d7741b9fdbc2018649428c46f63441a6186b1c

SHA512
3f9e1828114f8ec4a7e04121bebfc89cf878c933159c38138527b8176d5d5f8b61c61edb98a4b264caef3d6b20cdb72c555c0ea1fba824da2e2663134bd5c71c

Download Submit
C:\Windows\System\sKSVVSU.exe

Filesize
5.2MB

MD5
a180c181ab32531b0ca7313d8f3db73f

SHA1
6dd8afbe66f4dca8331eb720d6e984d3550d329e

SHA256
8cb81e3031aaa3183bcd37d2d04147d9d584829a764b1cd5479275723facdff4

SHA512
2c1aaddec725d990b57614bfdff4bc408232cb449aee19daf88841251ac4d66da5d976df6d0f5dfb5cb042cf3bcaa1d44b69761629dd32ce1b012ccf931ac397

Download Submit
C:\Windows\System\vBgUImf.exe

Filesize
5.2MB

MD5
5db3d8429f26d99c49fb9fe934fc5259

SHA1
28ef4b1946e55d4e2b3bab01c37e572726243456

SHA256
0f9096a21bf6c143eea132058d75b0b61b59e1e40cdd51c5d3ca5b54a34a095d

SHA512
b6c04e6dfd62f9e2453d7f3cd980da94da672977f977e4a12356bd62a5817d6a098531508a1d04ff6718a23d8cb95df76a91d399004de20e3bc77028a232994a

Download Submit
C:\Windows\System\yUHhBYL.exe

Filesize
5.2MB

MD5
f17222d3ffcc8c05a4518a804e669e00

SHA1
11772dc6feeb9bad8fcedee007f3db58b21fe6de

SHA256
612cedb7af8953890bc21f60a1bb0fbf2530349a3135bfd83f2999440681b237

SHA512
a7bb98c4627cd08fc20b6aac52ebc69c95fc94e4c96a390df03216c8d7cb5e419534f019cbc0ab595932563889b0ce863c6f93b26fd47214699bc387122f5e76

Download Submit
C:\Windows\System\yVZYdCg.exe

Filesize
5.2MB

MD5
5066d85ee1eab15a62a786defd4dc0aa

SHA1
7a7c4a8717d16f5331e32fd8b3c1fde480145a60

SHA256
f35a96dcaaebecf0c07e758a67672671d133a925178d395483962b8ca4536307

SHA512
26644838cf65100efdf9b8d5c2e7cae88230e7700645768b095cb063c2e3db0b3ee57d6b91c7ddb4616dfbe5b62f597bc6c9d3d73b190fc3cc8be4a286a1411f

Download Submit
memory/388-108-0x00007FF6D0B30000-0x00007FF6D0E81000-memory.dmp

Filesize
3.3MB

Download
memory/388-157-0x00007FF6D0B30000-0x00007FF6D0E81000-memory.dmp

Filesize
3.3MB

Download
memory/388-266-0x00007FF6D0B30000-0x00007FF6D0E81000-memory.dmp

Filesize
3.3MB

Download
memory/628-260-0x00007FF74A470000-0x00007FF74A7C1000-memory.dmp

Filesize
3.3MB

Download
memory/628-93-0x00007FF74A470000-0x00007FF74A7C1000-memory.dmp

Filesize
3.3MB

Download
memory/628-150-0x00007FF74A470000-0x00007FF74A7C1000-memory.dmp

Filesize
3.3MB

Download
memory/1612-76-0x00007FF7C27A0000-0x00007FF7C2AF1000-memory.dmp

Filesize
3.3MB

Download
memory/1612-24-0x00007FF7C27A0000-0x00007FF7C2AF1000-memory.dmp

Filesize
3.3MB

Download
memory/1612-230-0x00007FF7C27A0000-0x00007FF7C2AF1000-memory.dmp

Filesize
3.3MB

Download
memory/1700-78-0x00007FF7909D0000-0x00007FF790D21000-memory.dmp

Filesize
3.3MB

Download
memory/1700-136-0x00007FF7909D0000-0x00007FF790D21000-memory.dmp

Filesize
3.3MB

Download
memory/1700-253-0x00007FF7909D0000-0x00007FF790D21000-memory.dmp

Filesize
3.3MB

Download
memory/2228-221-0x00007FF635240000-0x00007FF635591000-memory.dmp

Filesize
3.3MB

Download
memory/2228-6-0x00007FF635240000-0x00007FF635591000-memory.dmp

Filesize
3.3MB

Download
memory/2228-60-0x00007FF635240000-0x00007FF635591000-memory.dmp

Filesize
3.3MB

Download
memory/2276-232-0x00007FF6FEF90000-0x00007FF6FF2E1000-memory.dmp

Filesize
3.3MB

Download
memory/2276-37-0x00007FF6FEF90000-0x00007FF6FF2E1000-memory.dmp

Filesize
3.3MB

Download
memory/2276-90-0x00007FF6FEF90000-0x00007FF6FF2E1000-memory.dmp

Filesize
3.3MB

Download
memory/2360-255-0x00007FF624630000-0x00007FF624981000-memory.dmp

Filesize
3.3MB

Download
memory/2360-86-0x00007FF624630000-0x00007FF624981000-memory.dmp

Filesize
3.3MB

Download
memory/2360-142-0x00007FF624630000-0x00007FF624981000-memory.dmp

Filesize
3.3MB

Download
memory/2432-0-0x00007FF6314A0000-0x00007FF6317F1000-memory.dmp

Filesize
3.3MB

Download
memory/2432-1-0x0000019DF8DB0000-0x0000019DF8DC0000-memory.dmp

Filesize
64KB

Download
memory/2432-170-0x00007FF6314A0000-0x00007FF6317F1000-memory.dmp

Filesize
3.3MB

Download
memory/2432-54-0x00007FF6314A0000-0x00007FF6317F1000-memory.dmp

Filesize
3.3MB

Download
memory/2432-140-0x00007FF6314A0000-0x00007FF6317F1000-memory.dmp

Filesize
3.3MB

Download
memory/2972-107-0x00007FF694990000-0x00007FF694CE1000-memory.dmp

Filesize
3.3MB

Download
memory/2972-264-0x00007FF694990000-0x00007FF694CE1000-memory.dmp

Filesize
3.3MB

Download
memory/2972-156-0x00007FF694990000-0x00007FF694CE1000-memory.dmp

Filesize
3.3MB

Download
memory/3020-236-0x00007FF7CE610000-0x00007FF7CE961000-memory.dmp

Filesize
3.3MB

Download
memory/3020-47-0x00007FF7CE610000-0x00007FF7CE961000-memory.dmp

Filesize
3.3MB

Download
memory/3056-155-0x00007FF6A5120000-0x00007FF6A5471000-memory.dmp

Filesize
3.3MB

Download
memory/3056-262-0x00007FF6A5120000-0x00007FF6A5471000-memory.dmp

Filesize
3.3MB

Download
memory/3056-99-0x00007FF6A5120000-0x00007FF6A5471000-memory.dmp

Filesize
3.3MB

Download
memory/3096-166-0x00007FF6C36A0000-0x00007FF6C39F1000-memory.dmp

Filesize
3.3MB

Download
memory/3096-276-0x00007FF6C36A0000-0x00007FF6C39F1000-memory.dmp

Filesize
3.3MB

Download
memory/3096-131-0x00007FF6C36A0000-0x00007FF6C39F1000-memory.dmp

Filesize
3.3MB

Download
memory/3296-12-0x00007FF7D7D50000-0x00007FF7D80A1000-memory.dmp

Filesize
3.3MB

Download
memory/3296-69-0x00007FF7D7D50000-0x00007FF7D80A1000-memory.dmp

Filesize
3.3MB

Download
memory/3296-223-0x00007FF7D7D50000-0x00007FF7D80A1000-memory.dmp

Filesize
3.3MB

Download
memory/3708-124-0x00007FF633D50000-0x00007FF6340A1000-memory.dmp

Filesize
3.3MB

Download
memory/3708-71-0x00007FF633D50000-0x00007FF6340A1000-memory.dmp

Filesize
3.3MB

Download
memory/3708-248-0x00007FF633D50000-0x00007FF6340A1000-memory.dmp

Filesize
3.3MB

Download
memory/3720-61-0x00007FF78C6E0000-0x00007FF78CA31000-memory.dmp

Filesize
3.3MB

Download
memory/3720-246-0x00007FF78C6E0000-0x00007FF78CA31000-memory.dmp

Filesize
3.3MB

Download
memory/3720-117-0x00007FF78C6E0000-0x00007FF78CA31000-memory.dmp

Filesize
3.3MB

Download
memory/3768-118-0x00007FF7F0260000-0x00007FF7F05B1000-memory.dmp

Filesize
3.3MB

Download
memory/3768-163-0x00007FF7F0260000-0x00007FF7F05B1000-memory.dmp

Filesize
3.3MB

Download
memory/3768-269-0x00007FF7F0260000-0x00007FF7F05B1000-memory.dmp

Filesize
3.3MB

Download
memory/4212-225-0x00007FF702CD0000-0x00007FF703021000-memory.dmp

Filesize
3.3MB

Download
memory/4212-18-0x00007FF702CD0000-0x00007FF703021000-memory.dmp

Filesize
3.3MB

Download
memory/4212-74-0x00007FF702CD0000-0x00007FF703021000-memory.dmp

Filesize
3.3MB

Download
memory/4380-125-0x00007FF6A3E80000-0x00007FF6A41D1000-memory.dmp

Filesize
3.3MB

Download
memory/4380-274-0x00007FF6A3E80000-0x00007FF6A41D1000-memory.dmp

Filesize
3.3MB

Download
memory/4380-164-0x00007FF6A3E80000-0x00007FF6A41D1000-memory.dmp

Filesize
3.3MB

Download
memory/4476-106-0x00007FF67A870000-0x00007FF67ABC1000-memory.dmp

Filesize
3.3MB

Download
memory/4476-238-0x00007FF67A870000-0x00007FF67ABC1000-memory.dmp

Filesize
3.3MB

Download
memory/4476-48-0x00007FF67A870000-0x00007FF67ABC1000-memory.dmp

Filesize
3.3MB

Download
memory/4544-82-0x00007FF76F9A0000-0x00007FF76FCF1000-memory.dmp

Filesize
3.3MB

Download
memory/4544-29-0x00007FF76F9A0000-0x00007FF76FCF1000-memory.dmp

Filesize
3.3MB

Download
memory/4544-234-0x00007FF76F9A0000-0x00007FF76FCF1000-memory.dmp

Filesize
3.3MB

Download
memory/4668-169-0x00007FF6B78A0000-0x00007FF6B7BF1000-memory.dmp

Filesize
3.3MB

Download
memory/4668-137-0x00007FF6B78A0000-0x00007FF6B7BF1000-memory.dmp

Filesize
3.3MB

Download
memory/4668-278-0x00007FF6B78A0000-0x00007FF6B7BF1000-memory.dmp

Filesize
3.3MB

Download
memory/4956-115-0x00007FF6D6B00000-0x00007FF6D6E51000-memory.dmp

Filesize
3.3MB

Download
memory/4956-56-0x00007FF6D6B00000-0x00007FF6D6E51000-memory.dmp

Filesize
3.3MB

Download
memory/4956-244-0x00007FF6D6B00000-0x00007FF6D6E51000-memory.dmp

Filesize
3.3MB

Download