cobaltstrike | 8537847ed705acd6e0297a1475c063685ad2bf020d4433ae6b4bfddb8d1f217a

Analysis

max time kernel
140s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 16:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-22_3418a214d377330a8f5ceb9410e81f3b_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

3418a214d377330a8f5ceb9410e81f3b
SHA1

835f6ad94c427e2f63e9cb8abf81afc3af79d0c5
SHA256

8537847ed705acd6e0297a1475c063685ad2bf020d4433ae6b4bfddb8d1f217a
SHA512

409f4412f6624a7ce292b8a7645c9f8729098455652e3935627898bdede7f4646cf192d00b030b47941892b776b3e471a29c2f3e19614f61d16812ccea34bf98
SSDEEP

49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lP:RWWBibd56utgpPFotBER/mQ32lUL

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000c000000023b08-4.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b6b-8.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b67-14.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b6c-22.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b6d-28.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b6f-40.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b73-55.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b68-62.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b75-76.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b76-98.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b79-108.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7a-112.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b78-97.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b77-93.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b74-70.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b72-64.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b71-56.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b70-50.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7b-118.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7c-125.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7d-133.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/2372-111-0x00007FF6FB220000-0x00007FF6FB571000-memory.dmp	xmrig
behavioral2/memory/4700-107-0x00007FF7C98A0000-0x00007FF7C9BF1000-memory.dmp	xmrig
behavioral2/memory/1472-106-0x00007FF642410000-0x00007FF642761000-memory.dmp	xmrig
behavioral2/memory/1568-104-0x00007FF6B2E40000-0x00007FF6B3191000-memory.dmp	xmrig
behavioral2/memory/5044-88-0x00007FF7F97E0000-0x00007FF7F9B31000-memory.dmp	xmrig
behavioral2/memory/2172-69-0x00007FF633D60000-0x00007FF6340B1000-memory.dmp	xmrig
behavioral2/memory/2768-115-0x00007FF770360000-0x00007FF7706B1000-memory.dmp	xmrig
behavioral2/memory/2732-114-0x00007FF6D8730000-0x00007FF6D8A81000-memory.dmp	xmrig
behavioral2/memory/3848-132-0x00007FF777E40000-0x00007FF778191000-memory.dmp	xmrig
behavioral2/memory/3128-130-0x00007FF691230000-0x00007FF691581000-memory.dmp	xmrig
behavioral2/memory/5048-126-0x00007FF62C970000-0x00007FF62CCC1000-memory.dmp	xmrig
behavioral2/memory/3000-123-0x00007FF7655F0000-0x00007FF765941000-memory.dmp	xmrig
behavioral2/memory/244-136-0x00007FF7C1F90000-0x00007FF7C22E1000-memory.dmp	xmrig
behavioral2/memory/4016-139-0x00007FF61E380000-0x00007FF61E6D1000-memory.dmp	xmrig
behavioral2/memory/2056-138-0x00007FF6A2340000-0x00007FF6A2691000-memory.dmp	xmrig
behavioral2/memory/856-137-0x00007FF718FA0000-0x00007FF7192F1000-memory.dmp	xmrig
behavioral2/memory/3132-140-0x00007FF6F1F70000-0x00007FF6F22C1000-memory.dmp	xmrig
behavioral2/memory/5044-141-0x00007FF7F97E0000-0x00007FF7F9B31000-memory.dmp	xmrig
behavioral2/memory/3664-147-0x00007FF69D0E0000-0x00007FF69D431000-memory.dmp	xmrig
behavioral2/memory/5072-146-0x00007FF6F31B0000-0x00007FF6F3501000-memory.dmp	xmrig
behavioral2/memory/1232-161-0x00007FF7FF7E0000-0x00007FF7FFB31000-memory.dmp	xmrig
behavioral2/memory/4272-163-0x00007FF7DC9F0000-0x00007FF7DCD41000-memory.dmp	xmrig
behavioral2/memory/2696-166-0x00007FF6EF990000-0x00007FF6EFCE1000-memory.dmp	xmrig
behavioral2/memory/5044-167-0x00007FF7F97E0000-0x00007FF7F9B31000-memory.dmp	xmrig
behavioral2/memory/1472-223-0x00007FF642410000-0x00007FF642761000-memory.dmp	xmrig
behavioral2/memory/2372-226-0x00007FF6FB220000-0x00007FF6FB571000-memory.dmp	xmrig
behavioral2/memory/2732-227-0x00007FF6D8730000-0x00007FF6D8A81000-memory.dmp	xmrig
behavioral2/memory/2768-229-0x00007FF770360000-0x00007FF7706B1000-memory.dmp	xmrig
behavioral2/memory/5048-231-0x00007FF62C970000-0x00007FF62CCC1000-memory.dmp	xmrig
behavioral2/memory/3128-233-0x00007FF691230000-0x00007FF691581000-memory.dmp	xmrig
behavioral2/memory/3848-244-0x00007FF777E40000-0x00007FF778191000-memory.dmp	xmrig
behavioral2/memory/856-246-0x00007FF718FA0000-0x00007FF7192F1000-memory.dmp	xmrig
behavioral2/memory/2172-248-0x00007FF633D60000-0x00007FF6340B1000-memory.dmp	xmrig
behavioral2/memory/244-252-0x00007FF7C1F90000-0x00007FF7C22E1000-memory.dmp	xmrig
behavioral2/memory/4016-251-0x00007FF61E380000-0x00007FF61E6D1000-memory.dmp	xmrig
behavioral2/memory/2056-254-0x00007FF6A2340000-0x00007FF6A2691000-memory.dmp	xmrig
behavioral2/memory/5072-256-0x00007FF6F31B0000-0x00007FF6F3501000-memory.dmp	xmrig
behavioral2/memory/3132-258-0x00007FF6F1F70000-0x00007FF6F22C1000-memory.dmp	xmrig
behavioral2/memory/4700-260-0x00007FF7C98A0000-0x00007FF7C9BF1000-memory.dmp	xmrig
behavioral2/memory/1568-262-0x00007FF6B2E40000-0x00007FF6B3191000-memory.dmp	xmrig
behavioral2/memory/3664-264-0x00007FF69D0E0000-0x00007FF69D431000-memory.dmp	xmrig
behavioral2/memory/1232-266-0x00007FF7FF7E0000-0x00007FF7FFB31000-memory.dmp	xmrig
behavioral2/memory/3000-270-0x00007FF7655F0000-0x00007FF765941000-memory.dmp	xmrig
behavioral2/memory/4272-272-0x00007FF7DC9F0000-0x00007FF7DCD41000-memory.dmp	xmrig
behavioral2/memory/2696-274-0x00007FF6EF990000-0x00007FF6EFCE1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
1472	rwESqDk.exe
2372	vaXeLpP.exe
2732	ySUnBjQ.exe
2768	ooJuJiO.exe
5048	VZEkOOy.exe
3128	UOGlNnI.exe
3848	kRfrIEM.exe
856	WzfYGrN.exe
2172	slwdCqY.exe
244	rJJqEIj.exe
4016	qtqyLnA.exe
2056	akpriNr.exe
5072	QypAVFP.exe
1568	aOScjdf.exe
3132	IlbxFRQ.exe
4700	stAUFek.exe
3664	nvTKGje.exe
1232	MaPtSkA.exe
3000	HsaUuLq.exe
4272	vMYzTcN.exe
2696	QwApMCf.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5044-0-0x00007FF7F97E0000-0x00007FF7F9B31000-memory.dmp	upx
behavioral2/files/0x000c000000023b08-4.dat	upx
behavioral2/files/0x000a000000023b6b-8.dat	upx
behavioral2/memory/1472-9-0x00007FF642410000-0x00007FF642761000-memory.dmp	upx
behavioral2/memory/2372-15-0x00007FF6FB220000-0x00007FF6FB571000-memory.dmp	upx
behavioral2/memory/2732-18-0x00007FF6D8730000-0x00007FF6D8A81000-memory.dmp	upx
behavioral2/files/0x000b000000023b67-14.dat	upx
behavioral2/files/0x000a000000023b6c-22.dat	upx
behavioral2/memory/2768-25-0x00007FF770360000-0x00007FF7706B1000-memory.dmp	upx
behavioral2/files/0x000a000000023b6d-28.dat	upx
behavioral2/memory/5048-31-0x00007FF62C970000-0x00007FF62CCC1000-memory.dmp	upx
behavioral2/memory/3128-36-0x00007FF691230000-0x00007FF691581000-memory.dmp	upx
behavioral2/files/0x000a000000023b6f-40.dat	upx
behavioral2/files/0x000a000000023b73-55.dat	upx
behavioral2/files/0x000b000000023b68-62.dat	upx
behavioral2/memory/2056-68-0x00007FF6A2340000-0x00007FF6A2691000-memory.dmp	upx
behavioral2/files/0x000a000000023b75-76.dat	upx
behavioral2/files/0x000a000000023b76-98.dat	upx
behavioral2/files/0x000a000000023b79-108.dat	upx
behavioral2/files/0x000a000000023b7a-112.dat	upx
behavioral2/memory/2372-111-0x00007FF6FB220000-0x00007FF6FB571000-memory.dmp	upx
behavioral2/memory/1232-110-0x00007FF7FF7E0000-0x00007FF7FFB31000-memory.dmp	upx
behavioral2/memory/4700-107-0x00007FF7C98A0000-0x00007FF7C9BF1000-memory.dmp	upx
behavioral2/memory/1472-106-0x00007FF642410000-0x00007FF642761000-memory.dmp	upx
behavioral2/memory/1568-104-0x00007FF6B2E40000-0x00007FF6B3191000-memory.dmp	upx
behavioral2/memory/3664-103-0x00007FF69D0E0000-0x00007FF69D431000-memory.dmp	upx
behavioral2/files/0x000a000000023b78-97.dat	upx
behavioral2/memory/3132-96-0x00007FF6F1F70000-0x00007FF6F22C1000-memory.dmp	upx
behavioral2/files/0x000a000000023b77-93.dat	upx
behavioral2/memory/5072-89-0x00007FF6F31B0000-0x00007FF6F3501000-memory.dmp	upx
behavioral2/memory/5044-88-0x00007FF7F97E0000-0x00007FF7F9B31000-memory.dmp	upx
behavioral2/files/0x000a000000023b74-70.dat	upx
behavioral2/memory/4016-80-0x00007FF61E380000-0x00007FF61E6D1000-memory.dmp	upx
behavioral2/memory/2172-69-0x00007FF633D60000-0x00007FF6340B1000-memory.dmp	upx
behavioral2/files/0x000a000000023b72-64.dat	upx
behavioral2/memory/244-63-0x00007FF7C1F90000-0x00007FF7C22E1000-memory.dmp	upx
behavioral2/memory/856-57-0x00007FF718FA0000-0x00007FF7192F1000-memory.dmp	upx
behavioral2/files/0x000a000000023b71-56.dat	upx
behavioral2/files/0x000a000000023b70-50.dat	upx
behavioral2/memory/3848-47-0x00007FF777E40000-0x00007FF778191000-memory.dmp	upx
behavioral2/memory/2768-115-0x00007FF770360000-0x00007FF7706B1000-memory.dmp	upx
behavioral2/memory/2732-114-0x00007FF6D8730000-0x00007FF6D8A81000-memory.dmp	upx
behavioral2/files/0x000a000000023b7b-118.dat	upx
behavioral2/files/0x000a000000023b7c-125.dat	upx
behavioral2/memory/3848-132-0x00007FF777E40000-0x00007FF778191000-memory.dmp	upx
behavioral2/files/0x000a000000023b7d-133.dat	upx
behavioral2/memory/2696-134-0x00007FF6EF990000-0x00007FF6EFCE1000-memory.dmp	upx
behavioral2/memory/3128-130-0x00007FF691230000-0x00007FF691581000-memory.dmp	upx
behavioral2/memory/4272-129-0x00007FF7DC9F0000-0x00007FF7DCD41000-memory.dmp	upx
behavioral2/memory/5048-126-0x00007FF62C970000-0x00007FF62CCC1000-memory.dmp	upx
behavioral2/memory/3000-123-0x00007FF7655F0000-0x00007FF765941000-memory.dmp	upx
behavioral2/memory/244-136-0x00007FF7C1F90000-0x00007FF7C22E1000-memory.dmp	upx
behavioral2/memory/4016-139-0x00007FF61E380000-0x00007FF61E6D1000-memory.dmp	upx
behavioral2/memory/2056-138-0x00007FF6A2340000-0x00007FF6A2691000-memory.dmp	upx
behavioral2/memory/856-137-0x00007FF718FA0000-0x00007FF7192F1000-memory.dmp	upx
behavioral2/memory/3132-140-0x00007FF6F1F70000-0x00007FF6F22C1000-memory.dmp	upx
behavioral2/memory/5044-141-0x00007FF7F97E0000-0x00007FF7F9B31000-memory.dmp	upx
behavioral2/memory/3664-147-0x00007FF69D0E0000-0x00007FF69D431000-memory.dmp	upx
behavioral2/memory/5072-146-0x00007FF6F31B0000-0x00007FF6F3501000-memory.dmp	upx
behavioral2/memory/1232-161-0x00007FF7FF7E0000-0x00007FF7FFB31000-memory.dmp	upx
behavioral2/memory/4272-163-0x00007FF7DC9F0000-0x00007FF7DCD41000-memory.dmp	upx
behavioral2/memory/2696-166-0x00007FF6EF990000-0x00007FF6EFCE1000-memory.dmp	upx
behavioral2/memory/5044-167-0x00007FF7F97E0000-0x00007FF7F9B31000-memory.dmp	upx
behavioral2/memory/1472-223-0x00007FF642410000-0x00007FF642761000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\rwESqDk.exe	2024-12-22_3418a214d377330a8f5ceb9410e81f3b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vaXeLpP.exe	2024-12-22_3418a214d377330a8f5ceb9410e81f3b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UOGlNnI.exe	2024-12-22_3418a214d377330a8f5ceb9410e81f3b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\slwdCqY.exe	2024-12-22_3418a214d377330a8f5ceb9410e81f3b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rJJqEIj.exe	2024-12-22_3418a214d377330a8f5ceb9410e81f3b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qtqyLnA.exe	2024-12-22_3418a214d377330a8f5ceb9410e81f3b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MaPtSkA.exe	2024-12-22_3418a214d377330a8f5ceb9410e81f3b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HsaUuLq.exe	2024-12-22_3418a214d377330a8f5ceb9410e81f3b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vMYzTcN.exe	2024-12-22_3418a214d377330a8f5ceb9410e81f3b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\akpriNr.exe	2024-12-22_3418a214d377330a8f5ceb9410e81f3b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QypAVFP.exe	2024-12-22_3418a214d377330a8f5ceb9410e81f3b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ySUnBjQ.exe	2024-12-22_3418a214d377330a8f5ceb9410e81f3b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ooJuJiO.exe	2024-12-22_3418a214d377330a8f5ceb9410e81f3b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VZEkOOy.exe	2024-12-22_3418a214d377330a8f5ceb9410e81f3b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aOScjdf.exe	2024-12-22_3418a214d377330a8f5ceb9410e81f3b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IlbxFRQ.exe	2024-12-22_3418a214d377330a8f5ceb9410e81f3b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\stAUFek.exe	2024-12-22_3418a214d377330a8f5ceb9410e81f3b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nvTKGje.exe	2024-12-22_3418a214d377330a8f5ceb9410e81f3b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kRfrIEM.exe	2024-12-22_3418a214d377330a8f5ceb9410e81f3b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WzfYGrN.exe	2024-12-22_3418a214d377330a8f5ceb9410e81f3b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QwApMCf.exe	2024-12-22_3418a214d377330a8f5ceb9410e81f3b_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	5044	2024-12-22_3418a214d377330a8f5ceb9410e81f3b_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	5044	2024-12-22_3418a214d377330a8f5ceb9410e81f3b_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 5044 wrote to memory of 1472	5044	2024-12-22_3418a214d377330a8f5ceb9410e81f3b_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 5044 wrote to memory of 1472	5044	2024-12-22_3418a214d377330a8f5ceb9410e81f3b_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 5044 wrote to memory of 2372	5044	2024-12-22_3418a214d377330a8f5ceb9410e81f3b_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 5044 wrote to memory of 2372	5044	2024-12-22_3418a214d377330a8f5ceb9410e81f3b_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 5044 wrote to memory of 2732	5044	2024-12-22_3418a214d377330a8f5ceb9410e81f3b_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 5044 wrote to memory of 2732	5044	2024-12-22_3418a214d377330a8f5ceb9410e81f3b_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 5044 wrote to memory of 2768	5044	2024-12-22_3418a214d377330a8f5ceb9410e81f3b_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 5044 wrote to memory of 2768	5044	2024-12-22_3418a214d377330a8f5ceb9410e81f3b_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 5044 wrote to memory of 5048	5044	2024-12-22_3418a214d377330a8f5ceb9410e81f3b_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 5044 wrote to memory of 5048	5044	2024-12-22_3418a214d377330a8f5ceb9410e81f3b_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 5044 wrote to memory of 3128	5044	2024-12-22_3418a214d377330a8f5ceb9410e81f3b_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 5044 wrote to memory of 3128	5044	2024-12-22_3418a214d377330a8f5ceb9410e81f3b_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 5044 wrote to memory of 3848	5044	2024-12-22_3418a214d377330a8f5ceb9410e81f3b_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 5044 wrote to memory of 3848	5044	2024-12-22_3418a214d377330a8f5ceb9410e81f3b_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 5044 wrote to memory of 856	5044	2024-12-22_3418a214d377330a8f5ceb9410e81f3b_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 5044 wrote to memory of 856	5044	2024-12-22_3418a214d377330a8f5ceb9410e81f3b_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 5044 wrote to memory of 2172	5044	2024-12-22_3418a214d377330a8f5ceb9410e81f3b_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 5044 wrote to memory of 2172	5044	2024-12-22_3418a214d377330a8f5ceb9410e81f3b_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 5044 wrote to memory of 244	5044	2024-12-22_3418a214d377330a8f5ceb9410e81f3b_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 5044 wrote to memory of 244	5044	2024-12-22_3418a214d377330a8f5ceb9410e81f3b_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 5044 wrote to memory of 4016	5044	2024-12-22_3418a214d377330a8f5ceb9410e81f3b_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 5044 wrote to memory of 4016	5044	2024-12-22_3418a214d377330a8f5ceb9410e81f3b_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 5044 wrote to memory of 2056	5044	2024-12-22_3418a214d377330a8f5ceb9410e81f3b_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 5044 wrote to memory of 2056	5044	2024-12-22_3418a214d377330a8f5ceb9410e81f3b_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 5044 wrote to memory of 5072	5044	2024-12-22_3418a214d377330a8f5ceb9410e81f3b_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 5044 wrote to memory of 5072	5044	2024-12-22_3418a214d377330a8f5ceb9410e81f3b_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 5044 wrote to memory of 1568	5044	2024-12-22_3418a214d377330a8f5ceb9410e81f3b_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 5044 wrote to memory of 1568	5044	2024-12-22_3418a214d377330a8f5ceb9410e81f3b_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 5044 wrote to memory of 3132	5044	2024-12-22_3418a214d377330a8f5ceb9410e81f3b_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 5044 wrote to memory of 3132	5044	2024-12-22_3418a214d377330a8f5ceb9410e81f3b_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 5044 wrote to memory of 4700	5044	2024-12-22_3418a214d377330a8f5ceb9410e81f3b_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 5044 wrote to memory of 4700	5044	2024-12-22_3418a214d377330a8f5ceb9410e81f3b_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 5044 wrote to memory of 3664	5044	2024-12-22_3418a214d377330a8f5ceb9410e81f3b_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 5044 wrote to memory of 3664	5044	2024-12-22_3418a214d377330a8f5ceb9410e81f3b_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 5044 wrote to memory of 1232	5044	2024-12-22_3418a214d377330a8f5ceb9410e81f3b_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 5044 wrote to memory of 1232	5044	2024-12-22_3418a214d377330a8f5ceb9410e81f3b_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 5044 wrote to memory of 3000	5044	2024-12-22_3418a214d377330a8f5ceb9410e81f3b_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 5044 wrote to memory of 3000	5044	2024-12-22_3418a214d377330a8f5ceb9410e81f3b_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 5044 wrote to memory of 4272	5044	2024-12-22_3418a214d377330a8f5ceb9410e81f3b_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 5044 wrote to memory of 4272	5044	2024-12-22_3418a214d377330a8f5ceb9410e81f3b_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 5044 wrote to memory of 2696	5044	2024-12-22_3418a214d377330a8f5ceb9410e81f3b_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 5044 wrote to memory of 2696	5044	2024-12-22_3418a214d377330a8f5ceb9410e81f3b_cobalt-strike_cobaltstrike_poet-rat.exe	103

C:\Users\Admin\AppData\Local\Temp\2024-12-22_3418a214d377330a8f5ceb9410e81f3b_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-22_3418a214d377330a8f5ceb9410e81f3b_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5044
- C:\Windows\System\rwESqDk.exe
  C:\Windows\System\rwESqDk.exe
  2⤵
  - Executes dropped EXE
  PID:1472
- C:\Windows\System\vaXeLpP.exe
  C:\Windows\System\vaXeLpP.exe
  2⤵
  - Executes dropped EXE
  PID:2372
- C:\Windows\System\ySUnBjQ.exe
  C:\Windows\System\ySUnBjQ.exe
  2⤵
  - Executes dropped EXE
  PID:2732
- C:\Windows\System\ooJuJiO.exe
  C:\Windows\System\ooJuJiO.exe
  2⤵
  - Executes dropped EXE
  PID:2768
- C:\Windows\System\VZEkOOy.exe
  C:\Windows\System\VZEkOOy.exe
  2⤵
  - Executes dropped EXE
  PID:5048
- C:\Windows\System\UOGlNnI.exe
  C:\Windows\System\UOGlNnI.exe
  2⤵
  - Executes dropped EXE
  PID:3128
- C:\Windows\System\kRfrIEM.exe
  C:\Windows\System\kRfrIEM.exe
  2⤵
  - Executes dropped EXE
  PID:3848
- C:\Windows\System\WzfYGrN.exe
  C:\Windows\System\WzfYGrN.exe
  2⤵
  - Executes dropped EXE
  PID:856
- C:\Windows\System\slwdCqY.exe
  C:\Windows\System\slwdCqY.exe
  2⤵
  - Executes dropped EXE
  PID:2172
- C:\Windows\System\rJJqEIj.exe
  C:\Windows\System\rJJqEIj.exe
  2⤵
  - Executes dropped EXE
  PID:244
- C:\Windows\System\qtqyLnA.exe
  C:\Windows\System\qtqyLnA.exe
  2⤵
  - Executes dropped EXE
  PID:4016
- C:\Windows\System\akpriNr.exe
  C:\Windows\System\akpriNr.exe
  2⤵
  - Executes dropped EXE
  PID:2056
- C:\Windows\System\QypAVFP.exe
  C:\Windows\System\QypAVFP.exe
  2⤵
  - Executes dropped EXE
  PID:5072
- C:\Windows\System\aOScjdf.exe
  C:\Windows\System\aOScjdf.exe
  2⤵
  - Executes dropped EXE
  PID:1568
- C:\Windows\System\IlbxFRQ.exe
  C:\Windows\System\IlbxFRQ.exe
  2⤵
  - Executes dropped EXE
  PID:3132
- C:\Windows\System\stAUFek.exe
  C:\Windows\System\stAUFek.exe
  2⤵
  - Executes dropped EXE
  PID:4700
- C:\Windows\System\nvTKGje.exe
  C:\Windows\System\nvTKGje.exe
  2⤵
  - Executes dropped EXE
  PID:3664
- C:\Windows\System\MaPtSkA.exe
  C:\Windows\System\MaPtSkA.exe
  2⤵
  - Executes dropped EXE
  PID:1232
- C:\Windows\System\HsaUuLq.exe
  C:\Windows\System\HsaUuLq.exe
  2⤵
  - Executes dropped EXE
  PID:3000
- C:\Windows\System\vMYzTcN.exe
  C:\Windows\System\vMYzTcN.exe
  2⤵
  - Executes dropped EXE
  PID:4272
- C:\Windows\System\QwApMCf.exe
  C:\Windows\System\QwApMCf.exe
  2⤵
  - Executes dropped EXE
  PID:2696

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\HsaUuLq.exe

Filesize
5.2MB

MD5
60864a8e3c95d93d28becc211d4a7582

SHA1
ce04dbb7e7feaf54249cabdcc827e62da0911906

SHA256
1e55a50069557ba3cef4ec1c3a82069d714dc6ae9f0eb4bd1ffb95cb0c0d5e41

SHA512
7d9a8d9a8bd18b63ca31d763f59fbcac4400022c73ebed2e2308391402e076258d967ab0cca46b4e6d199f6875eb34eb18081f992f740c3559c4d0b2a81824ae

Download Submit
C:\Windows\System\IlbxFRQ.exe

Filesize
5.2MB

MD5
8b2257f85bef2b12946ba0a7845d9e7f

SHA1
e702efd9b1d6e1f793a05bef7ec6815ea86240a1

SHA256
bc9f789753934f7fecbfd105b969748e31f2c3f07196b204e2f556cd12289e88

SHA512
1f225dd04a7c9df78c73dc34291e0519ec17b79329f1fdbd306cd347dbf954533341a2d5d9a9697a389ee5cadf49b5aae2ae0b4382f9e48a248b6775a39b1262

Download Submit
C:\Windows\System\MaPtSkA.exe

Filesize
5.2MB

MD5
edea818e4d686309882fa356761d71e6

SHA1
b8e24aa7afe65f3e6af65fb22b5803751a4e5e37

SHA256
81c773015e149fdaac35a48eb6163147c1f0febd22dc41b5877d641c901a6991

SHA512
5f6e08d00d744d5159cc9f5f2328914182b6d05c40cd671d6ec39632814de2223107f26784969d14adb504ac6da9c411465d205cb5d8bc17e83a50d72d93c454

Download Submit
C:\Windows\System\QwApMCf.exe

Filesize
5.2MB

MD5
af4e683c333b90e1f5594298fc5b5f04

SHA1
09bc7340720aa9818b8df0cf9334897f5d8e0ce3

SHA256
5285839fdb99c1f3f889fa53d4d9016eb229ecd86a8a9a73677e2b57e158f2a8

SHA512
5958169c6a62a7bce47821fabacc0a40c0c9cb351c598b1aac83b37d734010e4a91f2738db06454f09dc4c55194ededa7f8e7d3d06bfe6467812e0365b255c25

Download Submit
C:\Windows\System\QypAVFP.exe

Filesize
5.2MB

MD5
148cf78006a682519e5ad4f1b60b4ab8

SHA1
d4cc01d33b8e74db9d2ad35fe24252797a1433d2

SHA256
b4feccc1cfec73ddbe16dcaa6172b630a2679deba96e31a5b31e9f42c7d2ac70

SHA512
39430c4d21f5ae87dea725d85ca59bcf6f5b25492b9a1f0cafe2cd93b415898bb526f2dded1aedc3224d179442a7bea084f2a7a493956883be17e957c32856ad

Download Submit
C:\Windows\System\UOGlNnI.exe

Filesize
5.2MB

MD5
9bf8eaee7beacb3cc9db31e9ba948811

SHA1
ab7ac9096277fe8e1f55d54fc5d92394527ef885

SHA256
fec3201e0bd73abafaa1e7a9eecdb98c489281e2f18883572429561a1f92d58e

SHA512
b4a334ee56333c2b9dfa269ea3f876a1015e8b6daa93560cae09df6553800cbe48ed12466a15e296ecd387ab072fca262bd85cd18e0a42d8c95627254c8b128f

Download Submit
C:\Windows\System\VZEkOOy.exe

Filesize
5.2MB

MD5
cf0c4bd27ce2652a9bf223c15e707641

SHA1
c2de2d59f83bfe28a6e9fe391432a1c1baf0bbc1

SHA256
16e7fb9613fd5c46729833a6149519504628c97d433e5d13ccc4410153795ba8

SHA512
3c454799336668343ae37a9f095c8f66345139eef94208cade5bd374237f82fa8104e3fdb9bd8edff27cfa97e2bee765a8e1696363a968e15ad72eca563bc974

Download Submit
C:\Windows\System\WzfYGrN.exe

Filesize
5.2MB

MD5
1c9a620a713d860bfe29dd773627dbad

SHA1
3780a53b8d2c049f0b6ac111374800cd430c0d7f

SHA256
2c8a7b5d0b2f6c2a28a00331216fcff8933afc72f9868165444e249183c6b4df

SHA512
4c5e17d07cb8a18f566df7bf821c1f322f1ad5219847b998a997ae75c68607391b2783d93bb10b58f9aa6552d7ed52c022aa13fd7c985e8b3af1c27fb4c1abfb

Download Submit
C:\Windows\System\aOScjdf.exe

Filesize
5.2MB

MD5
c844a2cf67854cfa0816ecf79f4b10f3

SHA1
6002dc958bc568b0f8ff26b9c36a42649d670936

SHA256
9cb94dfacd33eaf86190b9a2a58bf8aed4e2fa672b4c7def8d30d5f6ba8afcf9

SHA512
ef15283ac40a7a1272a1b858ec89d8d9279fc726a5cad549b64518ec84658e02afb53a30260b4f2b559f2f90d6d6335c818d47604600314af661ea01e43f9859

Download Submit
C:\Windows\System\akpriNr.exe

Filesize
5.2MB

MD5
35510a44c3148b5de697dad25b2d78f2

SHA1
edc841d63462ad7ff5024f00f38dd91e0123e4a6

SHA256
38a37bccbf46e006a77a7e3fcaf978d72243f57b74514ef81439d45361306656

SHA512
da78321351d467ae9eaa09ad7df9c2c9dd1e3463f99da2b6dbbcf0a4841c9540437fe0a499e2a55de372b4b544d2e380f1c6b00e1cc5094c78186a37093d7198

Download Submit
C:\Windows\System\kRfrIEM.exe

Filesize
5.2MB

MD5
97e8fdf506279bdfe0f504fee43e118d

SHA1
5ae9746ccb2d5be5a644fd51241bb5f031cce87f

SHA256
cbe21a9ff137b7c7590ee378ec1674558d7aaf3d89e942c62a1d2f1c6b8f5adc

SHA512
efb25701031741bf9e0c85d6da64900bc86dd05008e35edef59ae71c7774d504e9e9397c5a25bb1361bd675fce69497a3a220bce7ac600108eece9df265a3cc7

Download Submit
C:\Windows\System\nvTKGje.exe

Filesize
5.2MB

MD5
ddfc952bd8a316cdc9169d77e88796e0

SHA1
9c90b0b7664dd3499dd740f8a8da364798a6035a

SHA256
1bcb24c6e99d04376d7df4f96a15b4fdb93b3208595f30f16514ddca3e116e7d

SHA512
3557f26b4c772c99807c8c33ad1b312d261283c16c7ddae93be74828cf6a28b1442906a40945fce8cde81e42e00ac7881f75dac46dd36b36b1ecbc8de7de971b

Download Submit
C:\Windows\System\ooJuJiO.exe

Filesize
5.2MB

MD5
9a7e21ffb2af09724d8175a341d50909

SHA1
b8a69e79db89a966f503b86a4b5c2f2297a4f610

SHA256
70ee6de6c18ac63caf452da9e7dae5c07aedbfbb563629c49679cd57ea21e644

SHA512
4c3c9da4f47a8599ad4dbd4ef65106d719b359bbbbba25c5d4278b62b219e333f94fdadfd631d0af81c045fe8f1979d2c5eb8985ea26ba664a937c600fdfc65b

Download Submit
C:\Windows\System\qtqyLnA.exe

Filesize
5.2MB

MD5
70af4f38ebd4246fccbd30493e89092b

SHA1
d0abc6b2b25b4dbbdbdbdbec4d2e3231f6aa4880

SHA256
638bd83088b8eea6133f753294523011ab586d8247e3aa2385a3b1ddbfb59309

SHA512
544d272e273a4e322903212de08b94be5d380bb778c73142fd42f2d7d006d4e5b1dacd1828181ee704a27951f519a3704a272d1e4e2729e2e1cc2833c975c300

Download Submit
C:\Windows\System\rJJqEIj.exe

Filesize
5.2MB

MD5
47658713c1da392aa739b32a74eea204

SHA1
768588000752b9634c279a8c25d246965c1ddc29

SHA256
f7908b1619b43ce07e95493d6a9d8d3a7a051449f8c59779bc1ba1f8d03c62b8

SHA512
41ec39fa9f34372ba3a5896d8a6bf7ceebfb34068f66855a1b80973fcec44dd963e8753ecdade822d1bc44d2bd3c9be412e3d74ced5f1ede7bc09d4627b9f53f

Download Submit
C:\Windows\System\rwESqDk.exe

Filesize
5.2MB

MD5
aa8bb119d86aaf0c94268be80b7104a4

SHA1
1c9a9634ba041098b2b2d551871d93e4923b3f43

SHA256
8b8b808bad1acfa5678f08206c68caaae3915cddaaf8d1b0a6e6838e4db29d17

SHA512
ccd16c9d11c7cd37ece023b376479ff4a638a2ca153f6af53399446609d0fa49bb7b00e87532b43c7b7d06b8f9572757d22ebb8bc833588c2435cc5532891700

Download Submit
C:\Windows\System\slwdCqY.exe

Filesize
5.2MB

MD5
a3b9f33d3dd808e2df0c88cce819704d

SHA1
cdbbdc13bda3b1c20bc5e6c9a52469b67888f3d5

SHA256
ae5f416ee93853cea40a2586e1c4bfbe90071672e65141f56a43c12801826700

SHA512
0abfa0b99459ebaf794a254e76119856bf2a217cc11ef27dcc2d21ef4cf56590be46c6f2da9aad222eacc664220ba17cfc2829b22e972bab0914b321de97496a

Download Submit
C:\Windows\System\stAUFek.exe

Filesize
5.2MB

MD5
f486375638e2f0a657a572d8c1bef3cf

SHA1
763edc8e203f4792ff3f9913011d39bf4b27b829

SHA256
1ee18106c934ec52034082dcca9cca7fe850881393463b6262c721e1a67f43ac

SHA512
071d37dc7589630f822df8f787a0628b63efb631650e3624e77a9d6107dba1b3fd17291a72fc37b90f00a436de349e383b21c91994a392f9260ccfbee8704cde

Download Submit
C:\Windows\System\vMYzTcN.exe

Filesize
5.2MB

MD5
68c6e5dad9376cc90e21a2d2372929c9

SHA1
c1a0fd9302d15570129f9836e893b413f76024fa

SHA256
dc781954ed775a517cd63a1bce0c2ca43c29003ca9f95d9026744d1a0469cf28

SHA512
83a1f9ec158dc0455f54d44e66b5b9b2e7c6da16eafc51b79ef3a26533e39b0a11a6c7a13916fbe4b018c4eb9a8844dabc6570305cb160718acd1a7feed62afd

Download Submit
C:\Windows\System\vaXeLpP.exe

Filesize
5.2MB

MD5
e7edfd74036bb1958bf8e7c7223d725e

SHA1
07530b269bb1933bab1fdf32fd1536157834b186

SHA256
5b31640a2d774ef324bef4e873917a0574dfed2a01d7e893859f410e28f41ef9

SHA512
e9240d0fdebc910680042de09a13b675998809610ce24ee0cfd3d90f55064b85ad6d666c43fce0e6159aab5e07fa6dc7c26aaa302319014dc3c9bc199d5b4fb3

Download Submit
C:\Windows\System\ySUnBjQ.exe

Filesize
5.2MB

MD5
a03cc4423c548bd8f3f9e3cf33b00413

SHA1
6519d364fa7d2422aa8833e74717a2885bb14246

SHA256
e13d021bad31860d69d12602474b9e046f9bbf8a77a3fe1884385226dc39ab6a

SHA512
a49d8d94e5e83ad74ee27200913a65df310dc3066984002dfa8d87de89ed5bcdeaa149e5ca00e721d6439af5e7882e59ed1fd4c0ac17abc942cfbf75f376d036

Download Submit
memory/244-63-0x00007FF7C1F90000-0x00007FF7C22E1000-memory.dmp

Filesize
3.3MB

Download
memory/244-136-0x00007FF7C1F90000-0x00007FF7C22E1000-memory.dmp

Filesize
3.3MB

Download
memory/244-252-0x00007FF7C1F90000-0x00007FF7C22E1000-memory.dmp

Filesize
3.3MB

Download
memory/856-57-0x00007FF718FA0000-0x00007FF7192F1000-memory.dmp

Filesize
3.3MB

Download
memory/856-246-0x00007FF718FA0000-0x00007FF7192F1000-memory.dmp

Filesize
3.3MB

Download
memory/856-137-0x00007FF718FA0000-0x00007FF7192F1000-memory.dmp

Filesize
3.3MB

Download
memory/1232-161-0x00007FF7FF7E0000-0x00007FF7FFB31000-memory.dmp

Filesize
3.3MB

Download
memory/1232-110-0x00007FF7FF7E0000-0x00007FF7FFB31000-memory.dmp

Filesize
3.3MB

Download
memory/1232-266-0x00007FF7FF7E0000-0x00007FF7FFB31000-memory.dmp

Filesize
3.3MB

Download
memory/1472-223-0x00007FF642410000-0x00007FF642761000-memory.dmp

Filesize
3.3MB

Download
memory/1472-106-0x00007FF642410000-0x00007FF642761000-memory.dmp

Filesize
3.3MB

Download
memory/1472-9-0x00007FF642410000-0x00007FF642761000-memory.dmp

Filesize
3.3MB

Download
memory/1568-262-0x00007FF6B2E40000-0x00007FF6B3191000-memory.dmp

Filesize
3.3MB

Download
memory/1568-104-0x00007FF6B2E40000-0x00007FF6B3191000-memory.dmp

Filesize
3.3MB

Download
memory/2056-68-0x00007FF6A2340000-0x00007FF6A2691000-memory.dmp

Filesize
3.3MB

Download
memory/2056-138-0x00007FF6A2340000-0x00007FF6A2691000-memory.dmp

Filesize
3.3MB

Download
memory/2056-254-0x00007FF6A2340000-0x00007FF6A2691000-memory.dmp

Filesize
3.3MB

Download
memory/2172-69-0x00007FF633D60000-0x00007FF6340B1000-memory.dmp

Filesize
3.3MB

Download
memory/2172-248-0x00007FF633D60000-0x00007FF6340B1000-memory.dmp

Filesize
3.3MB

Download
memory/2372-226-0x00007FF6FB220000-0x00007FF6FB571000-memory.dmp

Filesize
3.3MB

Download
memory/2372-111-0x00007FF6FB220000-0x00007FF6FB571000-memory.dmp

Filesize
3.3MB

Download
memory/2372-15-0x00007FF6FB220000-0x00007FF6FB571000-memory.dmp

Filesize
3.3MB

Download
memory/2696-166-0x00007FF6EF990000-0x00007FF6EFCE1000-memory.dmp

Filesize
3.3MB

Download
memory/2696-134-0x00007FF6EF990000-0x00007FF6EFCE1000-memory.dmp

Filesize
3.3MB

Download
memory/2696-274-0x00007FF6EF990000-0x00007FF6EFCE1000-memory.dmp

Filesize
3.3MB

Download
memory/2732-114-0x00007FF6D8730000-0x00007FF6D8A81000-memory.dmp

Filesize
3.3MB

Download
memory/2732-227-0x00007FF6D8730000-0x00007FF6D8A81000-memory.dmp

Filesize
3.3MB

Download
memory/2732-18-0x00007FF6D8730000-0x00007FF6D8A81000-memory.dmp

Filesize
3.3MB

Download
memory/2768-25-0x00007FF770360000-0x00007FF7706B1000-memory.dmp

Filesize
3.3MB

Download
memory/2768-229-0x00007FF770360000-0x00007FF7706B1000-memory.dmp

Filesize
3.3MB

Download
memory/2768-115-0x00007FF770360000-0x00007FF7706B1000-memory.dmp

Filesize
3.3MB

Download
memory/3000-123-0x00007FF7655F0000-0x00007FF765941000-memory.dmp

Filesize
3.3MB

Download
memory/3000-270-0x00007FF7655F0000-0x00007FF765941000-memory.dmp

Filesize
3.3MB

Download
memory/3128-36-0x00007FF691230000-0x00007FF691581000-memory.dmp

Filesize
3.3MB

Download
memory/3128-233-0x00007FF691230000-0x00007FF691581000-memory.dmp

Filesize
3.3MB

Download
memory/3128-130-0x00007FF691230000-0x00007FF691581000-memory.dmp

Filesize
3.3MB

Download
memory/3132-96-0x00007FF6F1F70000-0x00007FF6F22C1000-memory.dmp

Filesize
3.3MB

Download
memory/3132-140-0x00007FF6F1F70000-0x00007FF6F22C1000-memory.dmp

Filesize
3.3MB

Download
memory/3132-258-0x00007FF6F1F70000-0x00007FF6F22C1000-memory.dmp

Filesize
3.3MB

Download
memory/3664-147-0x00007FF69D0E0000-0x00007FF69D431000-memory.dmp

Filesize
3.3MB

Download
memory/3664-264-0x00007FF69D0E0000-0x00007FF69D431000-memory.dmp

Filesize
3.3MB

Download
memory/3664-103-0x00007FF69D0E0000-0x00007FF69D431000-memory.dmp

Filesize
3.3MB

Download
memory/3848-244-0x00007FF777E40000-0x00007FF778191000-memory.dmp

Filesize
3.3MB

Download
memory/3848-132-0x00007FF777E40000-0x00007FF778191000-memory.dmp

Filesize
3.3MB

Download
memory/3848-47-0x00007FF777E40000-0x00007FF778191000-memory.dmp

Filesize
3.3MB

Download
memory/4016-80-0x00007FF61E380000-0x00007FF61E6D1000-memory.dmp

Filesize
3.3MB

Download
memory/4016-251-0x00007FF61E380000-0x00007FF61E6D1000-memory.dmp

Filesize
3.3MB

Download
memory/4016-139-0x00007FF61E380000-0x00007FF61E6D1000-memory.dmp

Filesize
3.3MB

Download
memory/4272-129-0x00007FF7DC9F0000-0x00007FF7DCD41000-memory.dmp

Filesize
3.3MB

Download
memory/4272-272-0x00007FF7DC9F0000-0x00007FF7DCD41000-memory.dmp

Filesize
3.3MB

Download
memory/4272-163-0x00007FF7DC9F0000-0x00007FF7DCD41000-memory.dmp

Filesize
3.3MB

Download
memory/4700-107-0x00007FF7C98A0000-0x00007FF7C9BF1000-memory.dmp

Filesize
3.3MB

Download
memory/4700-260-0x00007FF7C98A0000-0x00007FF7C9BF1000-memory.dmp

Filesize
3.3MB

Download
memory/5044-88-0x00007FF7F97E0000-0x00007FF7F9B31000-memory.dmp

Filesize
3.3MB

Download
memory/5044-141-0x00007FF7F97E0000-0x00007FF7F9B31000-memory.dmp

Filesize
3.3MB

Download
memory/5044-167-0x00007FF7F97E0000-0x00007FF7F9B31000-memory.dmp

Filesize
3.3MB

Download
memory/5044-1-0x0000020298F50000-0x0000020298F60000-memory.dmp

Filesize
64KB

Download
memory/5044-0-0x00007FF7F97E0000-0x00007FF7F9B31000-memory.dmp

Filesize
3.3MB

Download
memory/5048-31-0x00007FF62C970000-0x00007FF62CCC1000-memory.dmp

Filesize
3.3MB

Download
memory/5048-126-0x00007FF62C970000-0x00007FF62CCC1000-memory.dmp

Filesize
3.3MB

Download
memory/5048-231-0x00007FF62C970000-0x00007FF62CCC1000-memory.dmp

Filesize
3.3MB

Download
memory/5072-146-0x00007FF6F31B0000-0x00007FF6F3501000-memory.dmp

Filesize
3.3MB

Download
memory/5072-256-0x00007FF6F31B0000-0x00007FF6F3501000-memory.dmp

Filesize
3.3MB

Download
memory/5072-89-0x00007FF6F31B0000-0x00007FF6F3501000-memory.dmp

Filesize
3.3MB

Download