cobaltstrike | 033898614610168626e825638b8b42f5446c39736b4c084192b5f2c2865336de

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 05:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

525a1409c4ca2627c47eced46629d1ea
SHA1

591117ec6979701fc26c97ff89914781c9ef9558
SHA256

033898614610168626e825638b8b42f5446c39736b4c084192b5f2c2865336de
SHA512

08734caf1f8565db3b3956fd04c28ef9f776b097e16dccb2afbd91f4cb991ec8af1365f2188003fce43baa81cebfaa6b30027e543c72741a4e1cf2e4061e8ff8
SSDEEP

49152:ROdWCCi7/raN56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lE:RWWBib+56utgpPFotBER/mQ32lUY

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000c000000023ba0-5.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023ba4-12.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba9-20.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba8-23.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023bac-41.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023baf-63.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023bb0-77.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bc8-83.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023ba5-95.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023bcf-103.dat	cobalt_reflective_dll
behavioral2/files/0x000e000000023bd3-123.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bd8-120.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bd5-119.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023bce-115.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023bcd-110.dat	cobalt_reflective_dll
behavioral2/files/0x000e000000023bbf-80.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023bb8-69.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023bae-67.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023bad-55.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023bab-45.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023baa-36.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/4868-122-0x00007FF648930000-0x00007FF648C81000-memory.dmp	xmrig
behavioral2/memory/3628-121-0x00007FF719820000-0x00007FF719B71000-memory.dmp	xmrig
behavioral2/memory/380-107-0x00007FF771AB0000-0x00007FF771E01000-memory.dmp	xmrig
behavioral2/memory/2372-85-0x00007FF73E260000-0x00007FF73E5B1000-memory.dmp	xmrig
behavioral2/memory/2024-79-0x00007FF6CB210000-0x00007FF6CB561000-memory.dmp	xmrig
behavioral2/memory/536-72-0x00007FF7B50C0000-0x00007FF7B5411000-memory.dmp	xmrig
behavioral2/memory/212-147-0x00007FF7B76C0000-0x00007FF7B7A11000-memory.dmp	xmrig
behavioral2/memory/5040-148-0x00007FF667B80000-0x00007FF667ED1000-memory.dmp	xmrig
behavioral2/memory/3864-151-0x00007FF6DAB70000-0x00007FF6DAEC1000-memory.dmp	xmrig
behavioral2/memory/1436-150-0x00007FF7F6E60000-0x00007FF7F71B1000-memory.dmp	xmrig
behavioral2/memory/4768-149-0x00007FF714620000-0x00007FF714971000-memory.dmp	xmrig
behavioral2/memory/1700-146-0x00007FF637AD0000-0x00007FF637E21000-memory.dmp	xmrig
behavioral2/memory/4976-152-0x00007FF75DC50000-0x00007FF75DFA1000-memory.dmp	xmrig
behavioral2/memory/3492-145-0x00007FF7A7970000-0x00007FF7A7CC1000-memory.dmp	xmrig
behavioral2/memory/3380-142-0x00007FF7054E0000-0x00007FF705831000-memory.dmp	xmrig
behavioral2/memory/1972-140-0x00007FF71FC10000-0x00007FF71FF61000-memory.dmp	xmrig
behavioral2/memory/232-138-0x00007FF6EA590000-0x00007FF6EA8E1000-memory.dmp	xmrig
behavioral2/memory/60-137-0x00007FF66C1C0000-0x00007FF66C511000-memory.dmp	xmrig
behavioral2/memory/1964-136-0x00007FF78B1C0000-0x00007FF78B511000-memory.dmp	xmrig
behavioral2/memory/1724-135-0x00007FF712F30000-0x00007FF713281000-memory.dmp	xmrig
behavioral2/memory/380-131-0x00007FF771AB0000-0x00007FF771E01000-memory.dmp	xmrig
behavioral2/memory/1320-139-0x00007FF648660000-0x00007FF6489B1000-memory.dmp	xmrig
behavioral2/memory/2848-134-0x00007FF6CC2D0000-0x00007FF6CC621000-memory.dmp	xmrig
behavioral2/memory/380-153-0x00007FF771AB0000-0x00007FF771E01000-memory.dmp	xmrig
behavioral2/memory/3628-205-0x00007FF719820000-0x00007FF719B71000-memory.dmp	xmrig
behavioral2/memory/4868-207-0x00007FF648930000-0x00007FF648C81000-memory.dmp	xmrig
behavioral2/memory/2848-209-0x00007FF6CC2D0000-0x00007FF6CC621000-memory.dmp	xmrig
behavioral2/memory/1724-225-0x00007FF712F30000-0x00007FF713281000-memory.dmp	xmrig
behavioral2/memory/1964-227-0x00007FF78B1C0000-0x00007FF78B511000-memory.dmp	xmrig
behavioral2/memory/60-229-0x00007FF66C1C0000-0x00007FF66C511000-memory.dmp	xmrig
behavioral2/memory/1320-231-0x00007FF648660000-0x00007FF6489B1000-memory.dmp	xmrig
behavioral2/memory/3380-239-0x00007FF7054E0000-0x00007FF705831000-memory.dmp	xmrig
behavioral2/memory/232-241-0x00007FF6EA590000-0x00007FF6EA8E1000-memory.dmp	xmrig
behavioral2/memory/2372-243-0x00007FF73E260000-0x00007FF73E5B1000-memory.dmp	xmrig
behavioral2/memory/536-237-0x00007FF7B50C0000-0x00007FF7B5411000-memory.dmp	xmrig
behavioral2/memory/2024-234-0x00007FF6CB210000-0x00007FF6CB561000-memory.dmp	xmrig
behavioral2/memory/1972-236-0x00007FF71FC10000-0x00007FF71FF61000-memory.dmp	xmrig
behavioral2/memory/212-247-0x00007FF7B76C0000-0x00007FF7B7A11000-memory.dmp	xmrig
behavioral2/memory/1700-248-0x00007FF637AD0000-0x00007FF637E21000-memory.dmp	xmrig
behavioral2/memory/3492-250-0x00007FF7A7970000-0x00007FF7A7CC1000-memory.dmp	xmrig
behavioral2/memory/4976-252-0x00007FF75DC50000-0x00007FF75DFA1000-memory.dmp	xmrig
behavioral2/memory/3864-256-0x00007FF6DAB70000-0x00007FF6DAEC1000-memory.dmp	xmrig
behavioral2/memory/1436-255-0x00007FF7F6E60000-0x00007FF7F71B1000-memory.dmp	xmrig
behavioral2/memory/5040-260-0x00007FF667B80000-0x00007FF667ED1000-memory.dmp	xmrig
behavioral2/memory/4768-258-0x00007FF714620000-0x00007FF714971000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
3628	tIcjPjk.exe
4868	EhpnrWz.exe
2848	ZVhoUVa.exe
1724	ktLrbOA.exe
1964	xgcnZaH.exe
60	lPIfPHS.exe
1320	MBYpzWq.exe
232	JTRCDWD.exe
1972	IPfNgJs.exe
536	ZaxuLUj.exe
3380	uvdGjpl.exe
2024	FuyVETu.exe
2372	GSbZyQM.exe
3492	llKRjlW.exe
1700	FEMsiuz.exe
212	rBsgHZP.exe
5040	bXwIUTT.exe
4768	kjxqpVb.exe
3864	wbvzfCR.exe
4976	gNhiROV.exe
1436	oSZezNo.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/380-0-0x00007FF771AB0000-0x00007FF771E01000-memory.dmp	upx
behavioral2/files/0x000c000000023ba0-5.dat	upx
behavioral2/files/0x000b000000023ba4-12.dat	upx
behavioral2/files/0x000a000000023ba9-20.dat	upx
behavioral2/files/0x000a000000023ba8-23.dat	upx
behavioral2/memory/1964-32-0x00007FF78B1C0000-0x00007FF78B511000-memory.dmp	upx
behavioral2/files/0x000a000000023bac-41.dat	upx
behavioral2/files/0x000b000000023baf-63.dat	upx
behavioral2/files/0x000b000000023bb0-77.dat	upx
behavioral2/files/0x0008000000023bc8-83.dat	upx
behavioral2/files/0x000b000000023ba5-95.dat	upx
behavioral2/files/0x0009000000023bcf-103.dat	upx
behavioral2/memory/5040-113-0x00007FF667B80000-0x00007FF667ED1000-memory.dmp	upx
behavioral2/files/0x000e000000023bd3-123.dat	upx
behavioral2/memory/1436-125-0x00007FF7F6E60000-0x00007FF7F71B1000-memory.dmp	upx
behavioral2/memory/3864-124-0x00007FF6DAB70000-0x00007FF6DAEC1000-memory.dmp	upx
behavioral2/memory/4868-122-0x00007FF648930000-0x00007FF648C81000-memory.dmp	upx
behavioral2/memory/3628-121-0x00007FF719820000-0x00007FF719B71000-memory.dmp	upx
behavioral2/files/0x0008000000023bd8-120.dat	upx
behavioral2/files/0x0008000000023bd5-119.dat	upx
behavioral2/memory/4976-118-0x00007FF75DC50000-0x00007FF75DFA1000-memory.dmp	upx
behavioral2/memory/4768-117-0x00007FF714620000-0x00007FF714971000-memory.dmp	upx
behavioral2/files/0x0009000000023bce-115.dat	upx
behavioral2/memory/212-112-0x00007FF7B76C0000-0x00007FF7B7A11000-memory.dmp	upx
behavioral2/files/0x0009000000023bcd-110.dat	upx
behavioral2/memory/380-107-0x00007FF771AB0000-0x00007FF771E01000-memory.dmp	upx
behavioral2/memory/1700-93-0x00007FF637AD0000-0x00007FF637E21000-memory.dmp	upx
behavioral2/memory/3492-87-0x00007FF7A7970000-0x00007FF7A7CC1000-memory.dmp	upx
behavioral2/memory/2372-85-0x00007FF73E260000-0x00007FF73E5B1000-memory.dmp	upx
behavioral2/files/0x000e000000023bbf-80.dat	upx
behavioral2/memory/2024-79-0x00007FF6CB210000-0x00007FF6CB561000-memory.dmp	upx
behavioral2/memory/536-72-0x00007FF7B50C0000-0x00007FF7B5411000-memory.dmp	upx
behavioral2/memory/3380-71-0x00007FF7054E0000-0x00007FF705831000-memory.dmp	upx
behavioral2/files/0x000a000000023bb8-69.dat	upx
behavioral2/memory/1972-61-0x00007FF71FC10000-0x00007FF71FF61000-memory.dmp	upx
behavioral2/files/0x000b000000023bae-67.dat	upx
behavioral2/files/0x000a000000023bad-55.dat	upx
behavioral2/memory/1320-53-0x00007FF648660000-0x00007FF6489B1000-memory.dmp	upx
behavioral2/memory/232-52-0x00007FF6EA590000-0x00007FF6EA8E1000-memory.dmp	upx
behavioral2/memory/60-44-0x00007FF66C1C0000-0x00007FF66C511000-memory.dmp	upx
behavioral2/files/0x000a000000023bab-45.dat	upx
behavioral2/files/0x000a000000023baa-36.dat	upx
behavioral2/memory/2848-22-0x00007FF6CC2D0000-0x00007FF6CC621000-memory.dmp	upx
behavioral2/memory/1724-21-0x00007FF712F30000-0x00007FF713281000-memory.dmp	upx
behavioral2/memory/4868-16-0x00007FF648930000-0x00007FF648C81000-memory.dmp	upx
behavioral2/memory/3628-8-0x00007FF719820000-0x00007FF719B71000-memory.dmp	upx
behavioral2/memory/212-147-0x00007FF7B76C0000-0x00007FF7B7A11000-memory.dmp	upx
behavioral2/memory/5040-148-0x00007FF667B80000-0x00007FF667ED1000-memory.dmp	upx
behavioral2/memory/3864-151-0x00007FF6DAB70000-0x00007FF6DAEC1000-memory.dmp	upx
behavioral2/memory/1436-150-0x00007FF7F6E60000-0x00007FF7F71B1000-memory.dmp	upx
behavioral2/memory/4768-149-0x00007FF714620000-0x00007FF714971000-memory.dmp	upx
behavioral2/memory/1700-146-0x00007FF637AD0000-0x00007FF637E21000-memory.dmp	upx
behavioral2/memory/4976-152-0x00007FF75DC50000-0x00007FF75DFA1000-memory.dmp	upx
behavioral2/memory/3492-145-0x00007FF7A7970000-0x00007FF7A7CC1000-memory.dmp	upx
behavioral2/memory/3380-142-0x00007FF7054E0000-0x00007FF705831000-memory.dmp	upx
behavioral2/memory/1972-140-0x00007FF71FC10000-0x00007FF71FF61000-memory.dmp	upx
behavioral2/memory/232-138-0x00007FF6EA590000-0x00007FF6EA8E1000-memory.dmp	upx
behavioral2/memory/60-137-0x00007FF66C1C0000-0x00007FF66C511000-memory.dmp	upx
behavioral2/memory/1964-136-0x00007FF78B1C0000-0x00007FF78B511000-memory.dmp	upx
behavioral2/memory/1724-135-0x00007FF712F30000-0x00007FF713281000-memory.dmp	upx
behavioral2/memory/380-131-0x00007FF771AB0000-0x00007FF771E01000-memory.dmp	upx
behavioral2/memory/1320-139-0x00007FF648660000-0x00007FF6489B1000-memory.dmp	upx
behavioral2/memory/2848-134-0x00007FF6CC2D0000-0x00007FF6CC621000-memory.dmp	upx
behavioral2/memory/380-153-0x00007FF771AB0000-0x00007FF771E01000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\kjxqpVb.exe	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZVhoUVa.exe	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ktLrbOA.exe	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lPIfPHS.exe	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IPfNgJs.exe	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rBsgHZP.exe	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EhpnrWz.exe	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JTRCDWD.exe	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZaxuLUj.exe	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uvdGjpl.exe	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\llKRjlW.exe	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MBYpzWq.exe	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FuyVETu.exe	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GSbZyQM.exe	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FEMsiuz.exe	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oSZezNo.exe	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tIcjPjk.exe	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xgcnZaH.exe	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bXwIUTT.exe	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wbvzfCR.exe	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gNhiROV.exe	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	380	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	380	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 380 wrote to memory of 3628	380	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 380 wrote to memory of 3628	380	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 380 wrote to memory of 4868	380	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 380 wrote to memory of 4868	380	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 380 wrote to memory of 2848	380	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 380 wrote to memory of 2848	380	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 380 wrote to memory of 1724	380	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 380 wrote to memory of 1724	380	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 380 wrote to memory of 1964	380	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 380 wrote to memory of 1964	380	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 380 wrote to memory of 60	380	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 380 wrote to memory of 60	380	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 380 wrote to memory of 232	380	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 380 wrote to memory of 232	380	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 380 wrote to memory of 1320	380	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 380 wrote to memory of 1320	380	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 380 wrote to memory of 1972	380	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 380 wrote to memory of 1972	380	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 380 wrote to memory of 536	380	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 380 wrote to memory of 536	380	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 380 wrote to memory of 3380	380	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 380 wrote to memory of 3380	380	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 380 wrote to memory of 2024	380	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 380 wrote to memory of 2024	380	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 380 wrote to memory of 2372	380	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 380 wrote to memory of 2372	380	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 380 wrote to memory of 3492	380	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 380 wrote to memory of 3492	380	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 380 wrote to memory of 1700	380	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 380 wrote to memory of 1700	380	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 380 wrote to memory of 212	380	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 380 wrote to memory of 212	380	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 380 wrote to memory of 5040	380	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 380 wrote to memory of 5040	380	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 380 wrote to memory of 4768	380	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 380 wrote to memory of 4768	380	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 380 wrote to memory of 1436	380	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 380 wrote to memory of 1436	380	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 380 wrote to memory of 3864	380	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 380 wrote to memory of 3864	380	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 380 wrote to memory of 4976	380	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 380 wrote to memory of 4976	380	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:380
- C:\Windows\System\tIcjPjk.exe
  C:\Windows\System\tIcjPjk.exe
  2⤵
  - Executes dropped EXE
  PID:3628
- C:\Windows\System\EhpnrWz.exe
  C:\Windows\System\EhpnrWz.exe
  2⤵
  - Executes dropped EXE
  PID:4868
- C:\Windows\System\ZVhoUVa.exe
  C:\Windows\System\ZVhoUVa.exe
  2⤵
  - Executes dropped EXE
  PID:2848
- C:\Windows\System\ktLrbOA.exe
  C:\Windows\System\ktLrbOA.exe
  2⤵
  - Executes dropped EXE
  PID:1724
- C:\Windows\System\xgcnZaH.exe
  C:\Windows\System\xgcnZaH.exe
  2⤵
  - Executes dropped EXE
  PID:1964
- C:\Windows\System\lPIfPHS.exe
  C:\Windows\System\lPIfPHS.exe
  2⤵
  - Executes dropped EXE
  PID:60
- C:\Windows\System\JTRCDWD.exe
  C:\Windows\System\JTRCDWD.exe
  2⤵
  - Executes dropped EXE
  PID:232
- C:\Windows\System\MBYpzWq.exe
  C:\Windows\System\MBYpzWq.exe
  2⤵
  - Executes dropped EXE
  PID:1320
- C:\Windows\System\IPfNgJs.exe
  C:\Windows\System\IPfNgJs.exe
  2⤵
  - Executes dropped EXE
  PID:1972
- C:\Windows\System\ZaxuLUj.exe
  C:\Windows\System\ZaxuLUj.exe
  2⤵
  - Executes dropped EXE
  PID:536
- C:\Windows\System\uvdGjpl.exe
  C:\Windows\System\uvdGjpl.exe
  2⤵
  - Executes dropped EXE
  PID:3380
- C:\Windows\System\FuyVETu.exe
  C:\Windows\System\FuyVETu.exe
  2⤵
  - Executes dropped EXE
  PID:2024
- C:\Windows\System\GSbZyQM.exe
  C:\Windows\System\GSbZyQM.exe
  2⤵
  - Executes dropped EXE
  PID:2372
- C:\Windows\System\llKRjlW.exe
  C:\Windows\System\llKRjlW.exe
  2⤵
  - Executes dropped EXE
  PID:3492
- C:\Windows\System\FEMsiuz.exe
  C:\Windows\System\FEMsiuz.exe
  2⤵
  - Executes dropped EXE
  PID:1700
- C:\Windows\System\rBsgHZP.exe
  C:\Windows\System\rBsgHZP.exe
  2⤵
  - Executes dropped EXE
  PID:212
- C:\Windows\System\bXwIUTT.exe
  C:\Windows\System\bXwIUTT.exe
  2⤵
  - Executes dropped EXE
  PID:5040
- C:\Windows\System\kjxqpVb.exe
  C:\Windows\System\kjxqpVb.exe
  2⤵
  - Executes dropped EXE
  PID:4768
- C:\Windows\System\oSZezNo.exe
  C:\Windows\System\oSZezNo.exe
  2⤵
  - Executes dropped EXE
  PID:1436
- C:\Windows\System\wbvzfCR.exe
  C:\Windows\System\wbvzfCR.exe
  2⤵
  - Executes dropped EXE
  PID:3864
- C:\Windows\System\gNhiROV.exe
  C:\Windows\System\gNhiROV.exe
  2⤵
  - Executes dropped EXE
  PID:4976

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\EhpnrWz.exe

Filesize
5.2MB

MD5
731cc1713ef21f3a22402237597e2948

SHA1
8de0e692b9d35d3ca1c80185e93fd142682ed5b2

SHA256
97d3e6409d22596c5e12b1e2f72f6ba93a12c272490ab3f336f068da9ec88c95

SHA512
91b15125a97a7de23b2989f017d7a7a867e26e89d3cdd132ec7e269b248a12ee87835ef402c857cb309071c186aa6721a2f279389ccfe9cec5c22f206081d974

Download Submit
C:\Windows\System\FEMsiuz.exe

Filesize
5.2MB

MD5
29c78513dea399081e542ba32c41cefa

SHA1
a0072d18d9ecc630b707300a8f87b9a04f8e4579

SHA256
6bc9198883e7b1813816243c905137315b9e9811ebd6878c9323bc9455ba5462

SHA512
71d07377a9be0877a7e550f80b25b7ec006b06382565a22f5375ce3fa5910c74bfebff1b627c8c25cdba8d34a182f33da0f5e9b3ff0f450797dc772424918d20

Download Submit
C:\Windows\System\FuyVETu.exe

Filesize
5.2MB

MD5
3b51a88b5224cd5fa63bec297e6446be

SHA1
8ed16aca1da911c0ccd6c84c28760c463fff9498

SHA256
76ea89d13066115567673f4323e8e179bb68b5bb54487f6650981483a18116e8

SHA512
228d59542a44595ae4d5cc98e0527ae853f8033a49fd7a3c1d16f30b9c1781a7a6afc4292ecf8043f54ed1ad01fc6462ee081085b04e2523f390fb426e5eea4d

Download Submit
C:\Windows\System\GSbZyQM.exe

Filesize
5.2MB

MD5
137404d922145d0340dec9e3d882f3db

SHA1
3cf7dfd4b553fdf581e4dd9be6fb389e92b839fb

SHA256
e7f214ef58d6103d54be1587fe0307c08ec883b3a29769b2d1f01ba1a15ed3a8

SHA512
06ba06c454f8ff2d83f0c414dbf8ab60688c7f5660c871022070ce47189967abc3a21c0e19b6a550cb5509d2db7e3046c6e3bca1740b1f3f940749fb31fb6894

Download Submit
C:\Windows\System\IPfNgJs.exe

Filesize
5.2MB

MD5
d984e0958230b179b2e6309af9781e8f

SHA1
a675d08a52114217b2fc40b76a623d152f76f13e

SHA256
4c1ca9ab4eca0b21fdf5db0de8c8b146c375bc1f20b146273c09e88d2ac5f1bf

SHA512
ff7f3593dc023bf58c8ad50bfdf1b878074ebbbb547d893e825c31de72dbfd7906e11b87175cc3eb4bf69c1ad98015ff3cb3fd8dd13e88073b40066a62e9669a

Download Submit
C:\Windows\System\JTRCDWD.exe

Filesize
5.2MB

MD5
3e4702d524a1a3941cab4e70d76368ff

SHA1
d31d2a0b007dcbe38e55dae3f0178502a16215da

SHA256
32c1f5b9a6603085fcb4945878656d034c0d5418cff5a1947eef72a1651dcac7

SHA512
53102d1a3248f9d5283dec65575b843f5c047699f3d4692309ec1d43b770403c9c9ba7d6ff2612771a2ff9b8cf8f938c956efb6343bc7d9c90147cb22f5266af

Download Submit
C:\Windows\System\MBYpzWq.exe

Filesize
5.2MB

MD5
33bc2d794a7eb31e9d5c13063e98e1af

SHA1
d37f3d6bbc3fb4195cb1b69e4d4d65f4eb23d866

SHA256
129d5415e70f5010ce9678c369127e711002a210450f31f961a1c7d1f195304e

SHA512
b8330e02cb47bbcc0da29516ddff10cf748ae2f7de4f03b80bbc2b36e25f86ddfd03fb3a0bb1e858e7a8d196598ec8d12fd723af51306de84d33e26b12138231

Download Submit
C:\Windows\System\ZVhoUVa.exe

Filesize
5.2MB

MD5
a72e564737b8757c574d4036b1724f4e

SHA1
d0ec461717ccf4ea1943a8ec262c9ff35af96c16

SHA256
a1501b105a98269d0ef73508bef1e313398be8326764ffc72d8e501b2cb0c4ac

SHA512
39e0d4c7af008e26eba49a2a2ab0792b0301123edb5691a169ad547b5af734f03bd31eb6e4f9c6d535e8af8bba714d9d751811acb9e51c7fcd4c2a238a48582b

Download Submit
C:\Windows\System\ZaxuLUj.exe

Filesize
5.2MB

MD5
821741aafab65791dc7513d31a2bc249

SHA1
8f583821ec55af68da083dde3391c368b44f4f30

SHA256
1ef28ece565a1090098dca06465eb376ea174f6c7e35f714bc162c422f1a4e08

SHA512
ad1db0405b1405568d5c6e582fa09dca909f9b7ce15cdce1a31a185d1480cbc817d5e355cd7bb6373afaae030070f9322b82731e4bcc04dec17e115b9c2ccf8d

Download Submit
C:\Windows\System\bXwIUTT.exe

Filesize
5.2MB

MD5
14eb638bbb62031621a42517999aa192

SHA1
805c09aa80245cb753630070f625244945cd0998

SHA256
847268b5b6fb4fd25fae88ec742eda19cfa7c2c83f69db5d0c8ae25eb8a39f18

SHA512
0357882cce7c005a9ccb00df121b7fd6f34e276941ffbbfbce52e8740e2d782ef2c938b68798a3067a23e8bf31131a63bc2376a820a3280144820e01c4ab70d8

Download Submit
C:\Windows\System\gNhiROV.exe

Filesize
5.2MB

MD5
b6fe1c90e8d7c8f3fdbc32efa594cbaa

SHA1
7e79ada91872428414cb30f4e8a790bb184c8c15

SHA256
87adef19f26330fdc239e9488ef1d5766cd50fd9e3451ffd9abf09a534d11810

SHA512
1960614f2c647dc10dc347615c5dfafcaefbe737b794eb669e7fa0870149a8fbf652eb7f1cb76c66f17e642ba54ebdbc6f5610f26abe5aee94482ab366779171

Download Submit
C:\Windows\System\kjxqpVb.exe

Filesize
5.2MB

MD5
626e8a7649f01900d127cb2b0361f6da

SHA1
25b5d1af5801047e32d22f249c31d02aa929819a

SHA256
881f62c55faa238d5c2371d6471b6933645e1098354d3c306a563d92b78b06fe

SHA512
6363a11b0229592496232cfcd954ac365f06b52fa390065a59318eb518177fd59348fef25473ac7d11e410a98ae91249f61cd38786f3082d7e0a0bd5fab2acd9

Download Submit
C:\Windows\System\ktLrbOA.exe

Filesize
5.2MB

MD5
f9b142e3732b2a6723aef327c941606b

SHA1
de5263ef2a7740dca636ad111ed7efb8c6a42d39

SHA256
0ddc9d1fc751d7332fff7166a35d59eef816098a6a8111c2bb9bd4a817ccae9f

SHA512
e0afbe3bbc2cdb6f10af5286743875d110f87767ca9729d703a55dbf13811604bc0feceda23892de280befb6f41303dca8b97942722554c73227824ba55bc81f

Download Submit
C:\Windows\System\lPIfPHS.exe

Filesize
5.2MB

MD5
13042d10cbdc90d79760b5b6987261e9

SHA1
d96d54a44c6f7a2ed943646084e745d66ffca458

SHA256
5e2f7112e25c60ee0c3a1f6a518bcef7077f8f137fd3e886e235dd979a9ba0f5

SHA512
8b9edf6ff3d557e6a6b30c62c212f7061c0c143d66c10dcef760f1028ae51d86548eb7c48574b8857518c5384ba8144731a30c08ba6741849537643260a313d1

Download Submit
C:\Windows\System\llKRjlW.exe

Filesize
5.2MB

MD5
fbfa98ce9b6c0046e736cc2ba7eef80b

SHA1
1abc25cf0b430fe595978fb423c9d1070ccadb93

SHA256
174a02d024dbaf2f28f764fe2af2273b91479f4014c9217dff79d5c7a5c3ff1c

SHA512
e68039988f406aed8b84db5e43d12607532627d9984168d7b91a81724327c2c3e7d92c0d76d138a3ff539a22e5787dbafddcf5ec590cab70ef88dbc9fc8375e7

Download Submit
C:\Windows\System\oSZezNo.exe

Filesize
5.2MB

MD5
d004b6410c345e423dc0b0d36b32681e

SHA1
993727ef80b6e5cc7a8d7b5cc61d0797d77ca468

SHA256
741423f31d0e0cae7e4ff9a76dc9408c7d1663e3fe65f0fa9935b87a47cf61dd

SHA512
a1aaebfd092ebeca7bd0d669d8464e831f287c530c038b98524cf7594eb4b9bf0033983c86e2355ba34debc06fb2fd297e7836c00ee2af40869c78b0697019b3

Download Submit
C:\Windows\System\rBsgHZP.exe

Filesize
5.2MB

MD5
c34d2d92a2870f32bbdca8d07b6f561c

SHA1
9eba59ce6e1cf975acbee293b69ac5bdef306936

SHA256
6db1893c71b37e864e8aa779602ad8842da4a744045de9b791368fd58c0d14b7

SHA512
d3134065b5760deb1cee312a5ad639302e31cf30e85eae6ab21ba1e1df25c402fbba62f6c2a3bfb3512e265419a59211208fd167e7ce0328864b07a674409a28

Download Submit
C:\Windows\System\tIcjPjk.exe

Filesize
5.2MB

MD5
908024527cd61d45747d7dcc9f1e3f46

SHA1
6ca24425696ef1d37f5055c553716f7ab1f8a419

SHA256
1fcc0a127ee08aa0950d6f9c94d681d7a09967e5aaca871515e1fcbd57bef4a8

SHA512
13fc997ddc8b0b9efe467b929692df23a02e35aa917879d8595e5f6c61cef30d0d5c3ea1d1c85d2755bbcb960915cd0539eb278e697da3fde4f736675e114a3f

Download Submit
C:\Windows\System\uvdGjpl.exe

Filesize
5.2MB

MD5
fff5125c1d2fcc6f07b6642e9ff5e78d

SHA1
2b89d41775ded481273c1cf0a7a42486eac978a9

SHA256
d83b87f8f501ddf19f1d303fa4ddcfcc9d5f53192ae3231bc397bee7bdee1bbc

SHA512
7c2fa74715963fa767c769e62f23c94de7d6a7062ba17730bd094af61090b2a1b71da3dd70824ac5941fdeda85d15b5b08266cf10e8f088aede9e8000b8c5623

Download Submit
C:\Windows\System\wbvzfCR.exe

Filesize
5.2MB

MD5
0997962bd3a12159822298d5521980bf

SHA1
f9caa3b3f220229f0a4a02f2dc369eefca7128c9

SHA256
8e3557abfc4926755cc11114cb6bb4b90eebc0e868e306e46c8f76371c91b96a

SHA512
085f1b53c1c46ccc3a0133c60091d51d97b78d55664b8a03e4375c9d4481e95263cf786072c5f3ea29488045105f95858affecb7c131262b5fb3e14e72ab60ba

Download Submit
C:\Windows\System\xgcnZaH.exe

Filesize
5.2MB

MD5
44be558084061f20835d645e1b218c90

SHA1
83b0e901bdb96a20ee7a533edb5773edb9840cd8

SHA256
5535753322dab8d3a5236a5ae5d77ad06ce6bc5df5a5014b9eaa489272df2452

SHA512
e4b633a983e0ec73356c708b011915f92bd01d9c8142590d0bbe5e8251bcdfba1c5d17565a6e4d6d2de683c4fde3e33d66fddb75025227bfc95af51412d78dd7

Download Submit
memory/60-44-0x00007FF66C1C0000-0x00007FF66C511000-memory.dmp

Filesize
3.3MB

Download
memory/60-137-0x00007FF66C1C0000-0x00007FF66C511000-memory.dmp

Filesize
3.3MB

Download
memory/60-229-0x00007FF66C1C0000-0x00007FF66C511000-memory.dmp

Filesize
3.3MB

Download
memory/212-247-0x00007FF7B76C0000-0x00007FF7B7A11000-memory.dmp

Filesize
3.3MB

Download
memory/212-112-0x00007FF7B76C0000-0x00007FF7B7A11000-memory.dmp

Filesize
3.3MB

Download
memory/212-147-0x00007FF7B76C0000-0x00007FF7B7A11000-memory.dmp

Filesize
3.3MB

Download
memory/232-138-0x00007FF6EA590000-0x00007FF6EA8E1000-memory.dmp

Filesize
3.3MB

Download
memory/232-241-0x00007FF6EA590000-0x00007FF6EA8E1000-memory.dmp

Filesize
3.3MB

Download
memory/232-52-0x00007FF6EA590000-0x00007FF6EA8E1000-memory.dmp

Filesize
3.3MB

Download
memory/380-107-0x00007FF771AB0000-0x00007FF771E01000-memory.dmp

Filesize
3.3MB

Download
memory/380-131-0x00007FF771AB0000-0x00007FF771E01000-memory.dmp

Filesize
3.3MB

Download
memory/380-0-0x00007FF771AB0000-0x00007FF771E01000-memory.dmp

Filesize
3.3MB

Download
memory/380-153-0x00007FF771AB0000-0x00007FF771E01000-memory.dmp

Filesize
3.3MB

Download
memory/380-1-0x000001E5FCE10000-0x000001E5FCE20000-memory.dmp

Filesize
64KB

Download
memory/536-72-0x00007FF7B50C0000-0x00007FF7B5411000-memory.dmp

Filesize
3.3MB

Download
memory/536-237-0x00007FF7B50C0000-0x00007FF7B5411000-memory.dmp

Filesize
3.3MB

Download
memory/1320-139-0x00007FF648660000-0x00007FF6489B1000-memory.dmp

Filesize
3.3MB

Download
memory/1320-53-0x00007FF648660000-0x00007FF6489B1000-memory.dmp

Filesize
3.3MB

Download
memory/1320-231-0x00007FF648660000-0x00007FF6489B1000-memory.dmp

Filesize
3.3MB

Download
memory/1436-150-0x00007FF7F6E60000-0x00007FF7F71B1000-memory.dmp

Filesize
3.3MB

Download
memory/1436-255-0x00007FF7F6E60000-0x00007FF7F71B1000-memory.dmp

Filesize
3.3MB

Download
memory/1436-125-0x00007FF7F6E60000-0x00007FF7F71B1000-memory.dmp

Filesize
3.3MB

Download
memory/1700-248-0x00007FF637AD0000-0x00007FF637E21000-memory.dmp

Filesize
3.3MB

Download
memory/1700-146-0x00007FF637AD0000-0x00007FF637E21000-memory.dmp

Filesize
3.3MB

Download
memory/1700-93-0x00007FF637AD0000-0x00007FF637E21000-memory.dmp

Filesize
3.3MB

Download
memory/1724-135-0x00007FF712F30000-0x00007FF713281000-memory.dmp

Filesize
3.3MB

Download
memory/1724-225-0x00007FF712F30000-0x00007FF713281000-memory.dmp

Filesize
3.3MB

Download
memory/1724-21-0x00007FF712F30000-0x00007FF713281000-memory.dmp

Filesize
3.3MB

Download
memory/1964-32-0x00007FF78B1C0000-0x00007FF78B511000-memory.dmp

Filesize
3.3MB

Download
memory/1964-227-0x00007FF78B1C0000-0x00007FF78B511000-memory.dmp

Filesize
3.3MB

Download
memory/1964-136-0x00007FF78B1C0000-0x00007FF78B511000-memory.dmp

Filesize
3.3MB

Download
memory/1972-61-0x00007FF71FC10000-0x00007FF71FF61000-memory.dmp

Filesize
3.3MB

Download
memory/1972-236-0x00007FF71FC10000-0x00007FF71FF61000-memory.dmp

Filesize
3.3MB

Download
memory/1972-140-0x00007FF71FC10000-0x00007FF71FF61000-memory.dmp

Filesize
3.3MB

Download
memory/2024-79-0x00007FF6CB210000-0x00007FF6CB561000-memory.dmp

Filesize
3.3MB

Download
memory/2024-234-0x00007FF6CB210000-0x00007FF6CB561000-memory.dmp

Filesize
3.3MB

Download
memory/2372-243-0x00007FF73E260000-0x00007FF73E5B1000-memory.dmp

Filesize
3.3MB

Download
memory/2372-85-0x00007FF73E260000-0x00007FF73E5B1000-memory.dmp

Filesize
3.3MB

Download
memory/2848-134-0x00007FF6CC2D0000-0x00007FF6CC621000-memory.dmp

Filesize
3.3MB

Download
memory/2848-22-0x00007FF6CC2D0000-0x00007FF6CC621000-memory.dmp

Filesize
3.3MB

Download
memory/2848-209-0x00007FF6CC2D0000-0x00007FF6CC621000-memory.dmp

Filesize
3.3MB

Download
memory/3380-239-0x00007FF7054E0000-0x00007FF705831000-memory.dmp

Filesize
3.3MB

Download
memory/3380-71-0x00007FF7054E0000-0x00007FF705831000-memory.dmp

Filesize
3.3MB

Download
memory/3380-142-0x00007FF7054E0000-0x00007FF705831000-memory.dmp

Filesize
3.3MB

Download
memory/3492-145-0x00007FF7A7970000-0x00007FF7A7CC1000-memory.dmp

Filesize
3.3MB

Download
memory/3492-250-0x00007FF7A7970000-0x00007FF7A7CC1000-memory.dmp

Filesize
3.3MB

Download
memory/3492-87-0x00007FF7A7970000-0x00007FF7A7CC1000-memory.dmp

Filesize
3.3MB

Download
memory/3628-205-0x00007FF719820000-0x00007FF719B71000-memory.dmp

Filesize
3.3MB

Download
memory/3628-8-0x00007FF719820000-0x00007FF719B71000-memory.dmp

Filesize
3.3MB

Download
memory/3628-121-0x00007FF719820000-0x00007FF719B71000-memory.dmp

Filesize
3.3MB

Download
memory/3864-256-0x00007FF6DAB70000-0x00007FF6DAEC1000-memory.dmp

Filesize
3.3MB

Download
memory/3864-151-0x00007FF6DAB70000-0x00007FF6DAEC1000-memory.dmp

Filesize
3.3MB

Download
memory/3864-124-0x00007FF6DAB70000-0x00007FF6DAEC1000-memory.dmp

Filesize
3.3MB

Download
memory/4768-117-0x00007FF714620000-0x00007FF714971000-memory.dmp

Filesize
3.3MB

Download
memory/4768-149-0x00007FF714620000-0x00007FF714971000-memory.dmp

Filesize
3.3MB

Download
memory/4768-258-0x00007FF714620000-0x00007FF714971000-memory.dmp

Filesize
3.3MB

Download
memory/4868-16-0x00007FF648930000-0x00007FF648C81000-memory.dmp

Filesize
3.3MB

Download
memory/4868-207-0x00007FF648930000-0x00007FF648C81000-memory.dmp

Filesize
3.3MB

Download
memory/4868-122-0x00007FF648930000-0x00007FF648C81000-memory.dmp

Filesize
3.3MB

Download
memory/4976-152-0x00007FF75DC50000-0x00007FF75DFA1000-memory.dmp

Filesize
3.3MB

Download
memory/4976-252-0x00007FF75DC50000-0x00007FF75DFA1000-memory.dmp

Filesize
3.3MB

Download
memory/4976-118-0x00007FF75DC50000-0x00007FF75DFA1000-memory.dmp

Filesize
3.3MB

Download
memory/5040-113-0x00007FF667B80000-0x00007FF667ED1000-memory.dmp

Filesize
3.3MB

Download
memory/5040-148-0x00007FF667B80000-0x00007FF667ED1000-memory.dmp

Filesize
3.3MB

Download
memory/5040-260-0x00007FF667B80000-0x00007FF667ED1000-memory.dmp

Filesize
3.3MB

Download