cobaltstrike | 9c6e72b2e0c5767da5c7fdde052394a7eca3c0793ed2d9d15aa2963ddeb10bf3

Analysis

max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27-12-2024 20:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-27_4485d19fa4c6770a92c3f6d2be903bb4_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

4485d19fa4c6770a92c3f6d2be903bb4
SHA1

2071cb795d55d26a16de981dff59eb8cde55170e
SHA256

9c6e72b2e0c5767da5c7fdde052394a7eca3c0793ed2d9d15aa2963ddeb10bf3
SHA512

3ed4d32852bb4c262e62401ee9b067803daaa7ced94fb8a0412ce14cb989051f9d6dc083299def679145bf0b46ddd6abe1fca3ccbf231bbfff7e37ac7fc701e9
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lk:RWWBibf56utgpPFotBER/mQ32lUQ

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000a000000023cad-5.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb5-12.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb7-20.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb8-29.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb6-23.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb9-35.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cba-38.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023cb2-44.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbb-50.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbd-63.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbe-72.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbf-83.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc1-95.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc2-109.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc5-118.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc7-136.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc6-133.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc4-123.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc3-116.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc0-93.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbc-62.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/1104-46-0x00007FF787DE0000-0x00007FF788131000-memory.dmp	xmrig
behavioral2/memory/3108-85-0x00007FF7FA0C0000-0x00007FF7FA411000-memory.dmp	xmrig
behavioral2/memory/1212-128-0x00007FF6268F0000-0x00007FF626C41000-memory.dmp	xmrig
behavioral2/memory/4996-122-0x00007FF620280000-0x00007FF6205D1000-memory.dmp	xmrig
behavioral2/memory/4452-115-0x00007FF7D4430000-0x00007FF7D4781000-memory.dmp	xmrig
behavioral2/memory/4600-104-0x00007FF7970D0000-0x00007FF797421000-memory.dmp	xmrig
behavioral2/memory/4268-89-0x00007FF745A20000-0x00007FF745D71000-memory.dmp	xmrig
behavioral2/memory/3676-76-0x00007FF71AA90000-0x00007FF71ADE1000-memory.dmp	xmrig
behavioral2/memory/4500-75-0x00007FF71F430000-0x00007FF71F781000-memory.dmp	xmrig
behavioral2/memory/4008-69-0x00007FF6723D0000-0x00007FF672721000-memory.dmp	xmrig
behavioral2/memory/4316-54-0x00007FF71A850000-0x00007FF71ABA1000-memory.dmp	xmrig
behavioral2/memory/4316-138-0x00007FF71A850000-0x00007FF71ABA1000-memory.dmp	xmrig
behavioral2/memory/3896-151-0x00007FF66E320000-0x00007FF66E671000-memory.dmp	xmrig
behavioral2/memory/3504-150-0x00007FF7644E0000-0x00007FF764831000-memory.dmp	xmrig
behavioral2/memory/1248-152-0x00007FF6999B0000-0x00007FF699D01000-memory.dmp	xmrig
behavioral2/memory/4396-157-0x00007FF63FB80000-0x00007FF63FED1000-memory.dmp	xmrig
behavioral2/memory/2656-160-0x00007FF7AF080000-0x00007FF7AF3D1000-memory.dmp	xmrig
behavioral2/memory/2584-158-0x00007FF74A500000-0x00007FF74A851000-memory.dmp	xmrig
behavioral2/memory/4756-156-0x00007FF7A67F0000-0x00007FF7A6B41000-memory.dmp	xmrig
behavioral2/memory/2608-154-0x00007FF76F940000-0x00007FF76FC91000-memory.dmp	xmrig
behavioral2/memory/4020-153-0x00007FF76D120000-0x00007FF76D471000-memory.dmp	xmrig
behavioral2/memory/2248-155-0x00007FF7F74D0000-0x00007FF7F7821000-memory.dmp	xmrig
behavioral2/memory/3372-159-0x00007FF73A780000-0x00007FF73AAD1000-memory.dmp	xmrig
behavioral2/memory/4316-161-0x00007FF71A850000-0x00007FF71ABA1000-memory.dmp	xmrig
behavioral2/memory/4008-213-0x00007FF6723D0000-0x00007FF672721000-memory.dmp	xmrig
behavioral2/memory/4500-215-0x00007FF71F430000-0x00007FF71F781000-memory.dmp	xmrig
behavioral2/memory/3676-217-0x00007FF71AA90000-0x00007FF71ADE1000-memory.dmp	xmrig
behavioral2/memory/3108-219-0x00007FF7FA0C0000-0x00007FF7FA411000-memory.dmp	xmrig
behavioral2/memory/4268-221-0x00007FF745A20000-0x00007FF745D71000-memory.dmp	xmrig
behavioral2/memory/1104-231-0x00007FF787DE0000-0x00007FF788131000-memory.dmp	xmrig
behavioral2/memory/4600-233-0x00007FF7970D0000-0x00007FF797421000-memory.dmp	xmrig
behavioral2/memory/4996-235-0x00007FF620280000-0x00007FF6205D1000-memory.dmp	xmrig
behavioral2/memory/1212-237-0x00007FF6268F0000-0x00007FF626C41000-memory.dmp	xmrig
behavioral2/memory/4452-239-0x00007FF7D4430000-0x00007FF7D4781000-memory.dmp	xmrig
behavioral2/memory/1248-241-0x00007FF6999B0000-0x00007FF699D01000-memory.dmp	xmrig
behavioral2/memory/3896-251-0x00007FF66E320000-0x00007FF66E671000-memory.dmp	xmrig
behavioral2/memory/3504-252-0x00007FF7644E0000-0x00007FF764831000-memory.dmp	xmrig
behavioral2/memory/4020-254-0x00007FF76D120000-0x00007FF76D471000-memory.dmp	xmrig
behavioral2/memory/2608-258-0x00007FF76F940000-0x00007FF76FC91000-memory.dmp	xmrig
behavioral2/memory/2248-257-0x00007FF7F74D0000-0x00007FF7F7821000-memory.dmp	xmrig
behavioral2/memory/2584-264-0x00007FF74A500000-0x00007FF74A851000-memory.dmp	xmrig
behavioral2/memory/4396-267-0x00007FF63FB80000-0x00007FF63FED1000-memory.dmp	xmrig
behavioral2/memory/4756-268-0x00007FF7A67F0000-0x00007FF7A6B41000-memory.dmp	xmrig
behavioral2/memory/3372-262-0x00007FF73A780000-0x00007FF73AAD1000-memory.dmp	xmrig
behavioral2/memory/2656-260-0x00007FF7AF080000-0x00007FF7AF3D1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4008	urFdVgw.exe
4500	WviABqO.exe
3676	rocJvjT.exe
3108	YqPtewa.exe
4268	pJdpMHj.exe
4600	vgSvxMn.exe
1104	AMHIGLQ.exe
4452	EIExngJ.exe
4996	aZlQMWL.exe
1212	tTKgXmk.exe
1248	YEQIOyI.exe
3504	pGjyUmo.exe
3896	okmjolv.exe
4020	MnmAvFO.exe
2608	NQFHOil.exe
2248	TIYTkUr.exe
4756	bVTdJkf.exe
4396	zfsDXma.exe
2584	tFnVeis.exe
3372	IkMOddk.exe
2656	jLqKQQN.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4316-0-0x00007FF71A850000-0x00007FF71ABA1000-memory.dmp	upx
behavioral2/files/0x000a000000023cad-5.dat	upx
behavioral2/files/0x0007000000023cb5-12.dat	upx
behavioral2/files/0x0007000000023cb7-20.dat	upx
behavioral2/files/0x0007000000023cb8-29.dat	upx
behavioral2/memory/4268-30-0x00007FF745A20000-0x00007FF745D71000-memory.dmp	upx
behavioral2/files/0x0007000000023cb6-23.dat	upx
behavioral2/memory/3108-22-0x00007FF7FA0C0000-0x00007FF7FA411000-memory.dmp	upx
behavioral2/memory/3676-21-0x00007FF71AA90000-0x00007FF71ADE1000-memory.dmp	upx
behavioral2/memory/4500-16-0x00007FF71F430000-0x00007FF71F781000-memory.dmp	upx
behavioral2/memory/4008-6-0x00007FF6723D0000-0x00007FF672721000-memory.dmp	upx
behavioral2/files/0x0007000000023cb9-35.dat	upx
behavioral2/files/0x0007000000023cba-38.dat	upx
behavioral2/files/0x0009000000023cb2-44.dat	upx
behavioral2/memory/1104-46-0x00007FF787DE0000-0x00007FF788131000-memory.dmp	upx
behavioral2/files/0x0007000000023cbb-50.dat	upx
behavioral2/memory/4996-58-0x00007FF620280000-0x00007FF6205D1000-memory.dmp	upx
behavioral2/files/0x0007000000023cbd-63.dat	upx
behavioral2/files/0x0007000000023cbe-72.dat	upx
behavioral2/memory/3504-79-0x00007FF7644E0000-0x00007FF764831000-memory.dmp	upx
behavioral2/memory/3108-85-0x00007FF7FA0C0000-0x00007FF7FA411000-memory.dmp	upx
behavioral2/files/0x0007000000023cbf-83.dat	upx
behavioral2/files/0x0007000000023cc1-95.dat	upx
behavioral2/files/0x0007000000023cc2-109.dat	upx
behavioral2/files/0x0007000000023cc5-118.dat	upx
behavioral2/memory/2584-127-0x00007FF74A500000-0x00007FF74A851000-memory.dmp	upx
behavioral2/files/0x0007000000023cc7-136.dat	upx
behavioral2/memory/2656-135-0x00007FF7AF080000-0x00007FF7AF3D1000-memory.dmp	upx
behavioral2/files/0x0007000000023cc6-133.dat	upx
behavioral2/memory/3372-129-0x00007FF73A780000-0x00007FF73AAD1000-memory.dmp	upx
behavioral2/memory/1212-128-0x00007FF6268F0000-0x00007FF626C41000-memory.dmp	upx
behavioral2/files/0x0007000000023cc4-123.dat	upx
behavioral2/memory/4996-122-0x00007FF620280000-0x00007FF6205D1000-memory.dmp	upx
behavioral2/memory/4396-121-0x00007FF63FB80000-0x00007FF63FED1000-memory.dmp	upx
behavioral2/files/0x0007000000023cc3-116.dat	upx
behavioral2/memory/4452-115-0x00007FF7D4430000-0x00007FF7D4781000-memory.dmp	upx
behavioral2/memory/4756-114-0x00007FF7A67F0000-0x00007FF7A6B41000-memory.dmp	upx
behavioral2/memory/2248-108-0x00007FF7F74D0000-0x00007FF7F7821000-memory.dmp	upx
behavioral2/memory/4600-104-0x00007FF7970D0000-0x00007FF797421000-memory.dmp	upx
behavioral2/memory/2608-98-0x00007FF76F940000-0x00007FF76FC91000-memory.dmp	upx
behavioral2/files/0x0007000000023cc0-93.dat	upx
behavioral2/memory/4020-90-0x00007FF76D120000-0x00007FF76D471000-memory.dmp	upx
behavioral2/memory/4268-89-0x00007FF745A20000-0x00007FF745D71000-memory.dmp	upx
behavioral2/memory/3896-80-0x00007FF66E320000-0x00007FF66E671000-memory.dmp	upx
behavioral2/memory/3676-76-0x00007FF71AA90000-0x00007FF71ADE1000-memory.dmp	upx
behavioral2/memory/4500-75-0x00007FF71F430000-0x00007FF71F781000-memory.dmp	upx
behavioral2/memory/1248-70-0x00007FF6999B0000-0x00007FF699D01000-memory.dmp	upx
behavioral2/memory/4008-69-0x00007FF6723D0000-0x00007FF672721000-memory.dmp	upx
behavioral2/files/0x0007000000023cbc-62.dat	upx
behavioral2/memory/1212-59-0x00007FF6268F0000-0x00007FF626C41000-memory.dmp	upx
behavioral2/memory/4316-54-0x00007FF71A850000-0x00007FF71ABA1000-memory.dmp	upx
behavioral2/memory/4452-51-0x00007FF7D4430000-0x00007FF7D4781000-memory.dmp	upx
behavioral2/memory/4600-43-0x00007FF7970D0000-0x00007FF797421000-memory.dmp	upx
behavioral2/memory/4316-138-0x00007FF71A850000-0x00007FF71ABA1000-memory.dmp	upx
behavioral2/memory/3896-151-0x00007FF66E320000-0x00007FF66E671000-memory.dmp	upx
behavioral2/memory/3504-150-0x00007FF7644E0000-0x00007FF764831000-memory.dmp	upx
behavioral2/memory/1248-152-0x00007FF6999B0000-0x00007FF699D01000-memory.dmp	upx
behavioral2/memory/4396-157-0x00007FF63FB80000-0x00007FF63FED1000-memory.dmp	upx
behavioral2/memory/2656-160-0x00007FF7AF080000-0x00007FF7AF3D1000-memory.dmp	upx
behavioral2/memory/2584-158-0x00007FF74A500000-0x00007FF74A851000-memory.dmp	upx
behavioral2/memory/4756-156-0x00007FF7A67F0000-0x00007FF7A6B41000-memory.dmp	upx
behavioral2/memory/2608-154-0x00007FF76F940000-0x00007FF76FC91000-memory.dmp	upx
behavioral2/memory/4020-153-0x00007FF76D120000-0x00007FF76D471000-memory.dmp	upx
behavioral2/memory/2248-155-0x00007FF7F74D0000-0x00007FF7F7821000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\WviABqO.exe	2024-12-27_4485d19fa4c6770a92c3f6d2be903bb4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rocJvjT.exe	2024-12-27_4485d19fa4c6770a92c3f6d2be903bb4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YqPtewa.exe	2024-12-27_4485d19fa4c6770a92c3f6d2be903bb4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aZlQMWL.exe	2024-12-27_4485d19fa4c6770a92c3f6d2be903bb4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bVTdJkf.exe	2024-12-27_4485d19fa4c6770a92c3f6d2be903bb4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jLqKQQN.exe	2024-12-27_4485d19fa4c6770a92c3f6d2be903bb4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\urFdVgw.exe	2024-12-27_4485d19fa4c6770a92c3f6d2be903bb4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\okmjolv.exe	2024-12-27_4485d19fa4c6770a92c3f6d2be903bb4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pJdpMHj.exe	2024-12-27_4485d19fa4c6770a92c3f6d2be903bb4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YEQIOyI.exe	2024-12-27_4485d19fa4c6770a92c3f6d2be903bb4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MnmAvFO.exe	2024-12-27_4485d19fa4c6770a92c3f6d2be903bb4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NQFHOil.exe	2024-12-27_4485d19fa4c6770a92c3f6d2be903bb4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TIYTkUr.exe	2024-12-27_4485d19fa4c6770a92c3f6d2be903bb4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IkMOddk.exe	2024-12-27_4485d19fa4c6770a92c3f6d2be903bb4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vgSvxMn.exe	2024-12-27_4485d19fa4c6770a92c3f6d2be903bb4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AMHIGLQ.exe	2024-12-27_4485d19fa4c6770a92c3f6d2be903bb4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EIExngJ.exe	2024-12-27_4485d19fa4c6770a92c3f6d2be903bb4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tTKgXmk.exe	2024-12-27_4485d19fa4c6770a92c3f6d2be903bb4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pGjyUmo.exe	2024-12-27_4485d19fa4c6770a92c3f6d2be903bb4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zfsDXma.exe	2024-12-27_4485d19fa4c6770a92c3f6d2be903bb4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tFnVeis.exe	2024-12-27_4485d19fa4c6770a92c3f6d2be903bb4_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4316	2024-12-27_4485d19fa4c6770a92c3f6d2be903bb4_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4316	2024-12-27_4485d19fa4c6770a92c3f6d2be903bb4_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4316 wrote to memory of 4008	4316	2024-12-27_4485d19fa4c6770a92c3f6d2be903bb4_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4316 wrote to memory of 4008	4316	2024-12-27_4485d19fa4c6770a92c3f6d2be903bb4_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4316 wrote to memory of 4500	4316	2024-12-27_4485d19fa4c6770a92c3f6d2be903bb4_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4316 wrote to memory of 4500	4316	2024-12-27_4485d19fa4c6770a92c3f6d2be903bb4_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4316 wrote to memory of 3676	4316	2024-12-27_4485d19fa4c6770a92c3f6d2be903bb4_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4316 wrote to memory of 3676	4316	2024-12-27_4485d19fa4c6770a92c3f6d2be903bb4_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4316 wrote to memory of 3108	4316	2024-12-27_4485d19fa4c6770a92c3f6d2be903bb4_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4316 wrote to memory of 3108	4316	2024-12-27_4485d19fa4c6770a92c3f6d2be903bb4_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4316 wrote to memory of 4268	4316	2024-12-27_4485d19fa4c6770a92c3f6d2be903bb4_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4316 wrote to memory of 4268	4316	2024-12-27_4485d19fa4c6770a92c3f6d2be903bb4_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4316 wrote to memory of 4600	4316	2024-12-27_4485d19fa4c6770a92c3f6d2be903bb4_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4316 wrote to memory of 4600	4316	2024-12-27_4485d19fa4c6770a92c3f6d2be903bb4_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4316 wrote to memory of 1104	4316	2024-12-27_4485d19fa4c6770a92c3f6d2be903bb4_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4316 wrote to memory of 1104	4316	2024-12-27_4485d19fa4c6770a92c3f6d2be903bb4_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4316 wrote to memory of 4452	4316	2024-12-27_4485d19fa4c6770a92c3f6d2be903bb4_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4316 wrote to memory of 4452	4316	2024-12-27_4485d19fa4c6770a92c3f6d2be903bb4_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4316 wrote to memory of 4996	4316	2024-12-27_4485d19fa4c6770a92c3f6d2be903bb4_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4316 wrote to memory of 4996	4316	2024-12-27_4485d19fa4c6770a92c3f6d2be903bb4_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4316 wrote to memory of 1212	4316	2024-12-27_4485d19fa4c6770a92c3f6d2be903bb4_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4316 wrote to memory of 1212	4316	2024-12-27_4485d19fa4c6770a92c3f6d2be903bb4_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4316 wrote to memory of 1248	4316	2024-12-27_4485d19fa4c6770a92c3f6d2be903bb4_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4316 wrote to memory of 1248	4316	2024-12-27_4485d19fa4c6770a92c3f6d2be903bb4_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4316 wrote to memory of 3504	4316	2024-12-27_4485d19fa4c6770a92c3f6d2be903bb4_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4316 wrote to memory of 3504	4316	2024-12-27_4485d19fa4c6770a92c3f6d2be903bb4_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4316 wrote to memory of 3896	4316	2024-12-27_4485d19fa4c6770a92c3f6d2be903bb4_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4316 wrote to memory of 3896	4316	2024-12-27_4485d19fa4c6770a92c3f6d2be903bb4_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4316 wrote to memory of 4020	4316	2024-12-27_4485d19fa4c6770a92c3f6d2be903bb4_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4316 wrote to memory of 4020	4316	2024-12-27_4485d19fa4c6770a92c3f6d2be903bb4_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4316 wrote to memory of 2608	4316	2024-12-27_4485d19fa4c6770a92c3f6d2be903bb4_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4316 wrote to memory of 2608	4316	2024-12-27_4485d19fa4c6770a92c3f6d2be903bb4_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4316 wrote to memory of 2248	4316	2024-12-27_4485d19fa4c6770a92c3f6d2be903bb4_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4316 wrote to memory of 2248	4316	2024-12-27_4485d19fa4c6770a92c3f6d2be903bb4_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4316 wrote to memory of 4756	4316	2024-12-27_4485d19fa4c6770a92c3f6d2be903bb4_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4316 wrote to memory of 4756	4316	2024-12-27_4485d19fa4c6770a92c3f6d2be903bb4_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4316 wrote to memory of 4396	4316	2024-12-27_4485d19fa4c6770a92c3f6d2be903bb4_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4316 wrote to memory of 4396	4316	2024-12-27_4485d19fa4c6770a92c3f6d2be903bb4_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4316 wrote to memory of 2584	4316	2024-12-27_4485d19fa4c6770a92c3f6d2be903bb4_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4316 wrote to memory of 2584	4316	2024-12-27_4485d19fa4c6770a92c3f6d2be903bb4_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4316 wrote to memory of 3372	4316	2024-12-27_4485d19fa4c6770a92c3f6d2be903bb4_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4316 wrote to memory of 3372	4316	2024-12-27_4485d19fa4c6770a92c3f6d2be903bb4_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4316 wrote to memory of 2656	4316	2024-12-27_4485d19fa4c6770a92c3f6d2be903bb4_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4316 wrote to memory of 2656	4316	2024-12-27_4485d19fa4c6770a92c3f6d2be903bb4_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-12-27_4485d19fa4c6770a92c3f6d2be903bb4_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-27_4485d19fa4c6770a92c3f6d2be903bb4_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4316
- C:\Windows\System\urFdVgw.exe
  C:\Windows\System\urFdVgw.exe
  2⤵
  - Executes dropped EXE
  PID:4008
- C:\Windows\System\WviABqO.exe
  C:\Windows\System\WviABqO.exe
  2⤵
  - Executes dropped EXE
  PID:4500
- C:\Windows\System\rocJvjT.exe
  C:\Windows\System\rocJvjT.exe
  2⤵
  - Executes dropped EXE
  PID:3676
- C:\Windows\System\YqPtewa.exe
  C:\Windows\System\YqPtewa.exe
  2⤵
  - Executes dropped EXE
  PID:3108
- C:\Windows\System\pJdpMHj.exe
  C:\Windows\System\pJdpMHj.exe
  2⤵
  - Executes dropped EXE
  PID:4268
- C:\Windows\System\vgSvxMn.exe
  C:\Windows\System\vgSvxMn.exe
  2⤵
  - Executes dropped EXE
  PID:4600
- C:\Windows\System\AMHIGLQ.exe
  C:\Windows\System\AMHIGLQ.exe
  2⤵
  - Executes dropped EXE
  PID:1104
- C:\Windows\System\EIExngJ.exe
  C:\Windows\System\EIExngJ.exe
  2⤵
  - Executes dropped EXE
  PID:4452
- C:\Windows\System\aZlQMWL.exe
  C:\Windows\System\aZlQMWL.exe
  2⤵
  - Executes dropped EXE
  PID:4996
- C:\Windows\System\tTKgXmk.exe
  C:\Windows\System\tTKgXmk.exe
  2⤵
  - Executes dropped EXE
  PID:1212
- C:\Windows\System\YEQIOyI.exe
  C:\Windows\System\YEQIOyI.exe
  2⤵
  - Executes dropped EXE
  PID:1248
- C:\Windows\System\pGjyUmo.exe
  C:\Windows\System\pGjyUmo.exe
  2⤵
  - Executes dropped EXE
  PID:3504
- C:\Windows\System\okmjolv.exe
  C:\Windows\System\okmjolv.exe
  2⤵
  - Executes dropped EXE
  PID:3896
- C:\Windows\System\MnmAvFO.exe
  C:\Windows\System\MnmAvFO.exe
  2⤵
  - Executes dropped EXE
  PID:4020
- C:\Windows\System\NQFHOil.exe
  C:\Windows\System\NQFHOil.exe
  2⤵
  - Executes dropped EXE
  PID:2608
- C:\Windows\System\TIYTkUr.exe
  C:\Windows\System\TIYTkUr.exe
  2⤵
  - Executes dropped EXE
  PID:2248
- C:\Windows\System\bVTdJkf.exe
  C:\Windows\System\bVTdJkf.exe
  2⤵
  - Executes dropped EXE
  PID:4756
- C:\Windows\System\zfsDXma.exe
  C:\Windows\System\zfsDXma.exe
  2⤵
  - Executes dropped EXE
  PID:4396
- C:\Windows\System\tFnVeis.exe
  C:\Windows\System\tFnVeis.exe
  2⤵
  - Executes dropped EXE
  PID:2584
- C:\Windows\System\IkMOddk.exe
  C:\Windows\System\IkMOddk.exe
  2⤵
  - Executes dropped EXE
  PID:3372
- C:\Windows\System\jLqKQQN.exe
  C:\Windows\System\jLqKQQN.exe
  2⤵
  - Executes dropped EXE
  PID:2656

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AMHIGLQ.exe

Filesize
5.2MB

MD5
2ad13799b967856ede8e8b32d5bbd8b5

SHA1
494ea287a00561a5e37ce94084f52cf54245f6a2

SHA256
0e2f5fb92e5b3e7e69e808f668f18e1313549664d0cf52ab9e57bcfaffc6da24

SHA512
b5ae22d805a2bf093e9431786b92a0bfffc371785a5b4cee376b3f4d19c4a3ed8a3bbd93bf515c5f2201e97c755a7920d409e3d61e02ee65eb8f9a090047e424

Download Submit
C:\Windows\System\EIExngJ.exe

Filesize
5.2MB

MD5
25f74cbc508434330a3e3404a30e307a

SHA1
959defd17252016844987adb3c3ee0ddca8ad187

SHA256
b1262315dbab67695b3de021870766ba50393bdca82fb2a83a171a82f7f5a9af

SHA512
75f3bd9473265d0da43576bab515f062dcf8aa88f5714c70afc90e80d5e3a9593e6dd0f51aad62737581bf0cf2ee9b19ec4afd519654de943460dbbe1b424f2e

Download Submit
C:\Windows\System\IkMOddk.exe

Filesize
5.2MB

MD5
20627fc5219bc690fca15d79e8e29a90

SHA1
730dcdfd5a1de052201c1304b53afdfadf9e20ab

SHA256
025a041357e64f4c9d94ab47feb651e7e06d575fb95b4962117ccfc61b336fcc

SHA512
1acb940ac3a2afd44c38d702b9d2970264115cafc245b9469e9f2f8e921350e317fc4a68f774561684b78eade1d1f140d2d2dc81563ddc247b8c28a3fc1687a2

Download Submit
C:\Windows\System\MnmAvFO.exe

Filesize
5.2MB

MD5
52ef68f31523272b2add76b07ca4fca5

SHA1
19d7f6e713693d1bb545bc0d22fd89a00ac45c55

SHA256
71e14f35b5baf64a9042e979f2a05121e8a2fe53f73bd9d6315c1b63fc3a776d

SHA512
d24ad57178e51ca44720331379c5d3bffed347ee6b20f5d57ab3447f1a0237a378cd94c25f270ab6624421a5087ff554ea45a009e1c7ef6481e61f2a92258c4b

Download Submit
C:\Windows\System\NQFHOil.exe

Filesize
5.2MB

MD5
1a097d25c5ece4840cf65610449737cd

SHA1
286669a5e97d066cf6a23226400049eec9dad5fe

SHA256
3ed5266924b7fa8146a88d086257a7b0861a03358fc094f3351af4a938c0f836

SHA512
c88455d17419f7cb1076bc107061d33b67c11dc9f4e01cf7afcd7a0870bfb0a9d8fdd670f77632677e90635331d52d0ed0f8a235d38c9e1f9899faa00917f125

Download Submit
C:\Windows\System\TIYTkUr.exe

Filesize
5.2MB

MD5
369d62e6c59ba0d1830cdf06d3dbf851

SHA1
4a8e9b66c0cbaab29248d5a5005e8f8b6d1a97d0

SHA256
07584169fc578e1ad67df94faaf6b316983dd155ca918fc28fea59d416129ea1

SHA512
0ca3b45fe493fa50486348c04e236ca5eaf34553ef0ff60a2758c131b57d598705bda159ba424390672a99f131b9c9a13ce8fdccf831fd3e9e518bb03598197b

Download Submit
C:\Windows\System\WviABqO.exe

Filesize
5.2MB

MD5
177d5d89e6da19eea6f5fc689dce8658

SHA1
8bf6d144de8e7af7a98fc614f701509bf051405b

SHA256
b1ff12ad48ec04fb1461db22dd03c5838353488ff31e923ac328870b6582d25c

SHA512
62cfadec3b4d5e4b4c01e6ce39838e670e862da1402bcc89fa3f49ae093c8081dd10a6523719ae0e81471bd52eb33326a9e1399dd0dddc63d3dd563eafbcf0fe

Download Submit
C:\Windows\System\YEQIOyI.exe

Filesize
5.2MB

MD5
81ddd373728b2948f06546e9586ca3e7

SHA1
9d18f76d2b4deb784c27bf0088b144cd159a86e4

SHA256
ee464619dc7567acd832492d987ec4fd76bbf3edc2843d0cf478510e54eedf3f

SHA512
861b37b100b675791ec3822cd18cb10efb0ba9ffb6a02a50aa5765cdb102046070d8148582ac754648b1201a8e70a0e353c151ca5ab4ae13f05c347e1604d234

Download Submit
C:\Windows\System\YqPtewa.exe

Filesize
5.2MB

MD5
605eb2c10f04cb3b2fee04fb1110b547

SHA1
63e75fc391664ee1e8eb1311fb7fc2343a3bc948

SHA256
86bfe1c9007f44a541910e85565a38100041268adb1d2d7af27360d1b90254c4

SHA512
478b9fcfba594b1acb5a0e8ed0c9ab4f031c612c583f738465641dc0c4145591fee520d36f91c13ff44891e74cac66e345e699c85181f738c9a690c654503494

Download Submit
C:\Windows\System\aZlQMWL.exe

Filesize
5.2MB

MD5
e30a41496c2d8ecd78567e581e8bc118

SHA1
363276a63975b0c56d55b9f8d1909593f7e2af85

SHA256
ab9130b15cc2ee7b6f264a2deb5237e7d962388f8f8d4a86297bca9ff857c2dd

SHA512
479d8b1b4b6deeb21836d17b0a3065940288d2f1adf44b53d0a6b589997b1fc59de8ca209ee4152d808ce44c4fe79ffb7ff93fea45919bc654400e14796c7ae3

Download Submit
C:\Windows\System\bVTdJkf.exe

Filesize
5.2MB

MD5
2e5fce5b893dd0ea67789f6be5992850

SHA1
26f6207da9cd93ed9b311782a27b19310baf20e5

SHA256
c33f67fa484557b2cd8bddec26902df7e49e0b3d1496dc84260794c593324287

SHA512
1e487a0c877470e39a2f9d310933f8b5cf0a6d6a90e566da4b1490405c63e8e1f7b66423ff3fdf35267f0c78a01c58ff0f309c01d5b6c69d7025eb61cbff0412

Download Submit
C:\Windows\System\jLqKQQN.exe

Filesize
5.2MB

MD5
6f32ee4c75e1e0165adcd472db024f1c

SHA1
202e4258c1e1a9a06d4f0b8fe0b2d134ccabeaf9

SHA256
750bf84324116962b5d058e35eb651a29a02abb9dd94d60d994bcef77e05bc3d

SHA512
056a9817c358aaeb5379c64d472a15a639db01e1dafd51d91bdee594a98843d8c850035c2ef41675056403f671d261836547e8358d7521252a39fa37752e1fa8

Download Submit
C:\Windows\System\okmjolv.exe

Filesize
5.2MB

MD5
62e863ac20853c7ab4cf8ae799131342

SHA1
1d8c416ddf98b68a6504324b857e5c5a52576504

SHA256
91ceb6ffd7b4013ae383a8fd4a2a37642fc968b8f1d7d03dca68a796d12e02be

SHA512
e804a390937d3b82a3efaa0872f65494436cf976f6a0c5ff04e1b786836ea2e5e67c86d38fec4167c8ae1ee3a305f8af7dc69b976bed36d9c1eeb540ff4e2e13

Download Submit
C:\Windows\System\pGjyUmo.exe

Filesize
5.2MB

MD5
381f9c0ee829cd65021482e176fa1d20

SHA1
ef1c685e42f7a27a28db5d84fa81a54d9610b0ac

SHA256
3f6f5be97e3dcb03a9bc1572f291ff39fe5d26fd26159c02d59a69f83d9521db

SHA512
9db58db9d446dc7c9ed0767e681b0fd1db6b0138196a6007a4672155373e068bcc0ea43b852cd87f7c357399d129facabffdf5df4805d29bfbb45d9bbf5db198

Download Submit
C:\Windows\System\pJdpMHj.exe

Filesize
5.2MB

MD5
a96b84e5a03ac97fa1df577b09345fe3

SHA1
c3d27564cd49e8886f7686ddc0c468d20636702e

SHA256
5a84094f02589ba0b9e497c0f40474c8a1b3c73a573a4543b46024b6ee8e4c63

SHA512
159c6ca05c04f2eea29aba71e303e5fabadfde33f720e001b3d8376a0ed339fab766f3949cdae09113ae878d14d4b8406406d82c087fad6143e716351672f050

Download Submit
C:\Windows\System\rocJvjT.exe

Filesize
5.2MB

MD5
50274635e7e8d42dd687a370fc7a8b7d

SHA1
93f588cc8b8754faa3fd1c57ff13e937b4ec0433

SHA256
ecd6ff1b9a2980c692c88cbdb6847e1def1c1e8891b8ff2448128efb35e41283

SHA512
c5d5a3c7e8d8186c000882caa4a09bd9a6f5fb054e705add6aa60c459c3e328edd1bb2a381b94b7b8557d0d642d720c5ef1f828590e5ff7be01a23c73eb68c77

Download Submit
C:\Windows\System\tFnVeis.exe

Filesize
5.2MB

MD5
060472a6b658be3ec5ce3cc8c908c0d9

SHA1
0ee0df686bebeef829d7902adf0c93fdc38e58c6

SHA256
9ec55df593e7359fa0328e3a8b0358b41159ef0e358e76d62539615a6448a3f2

SHA512
34188329abc16e32c9e7a989af284ddaab2edfb424227eb520a4604a89503d9e249cbef3dd3b62b7486f380c9b881eaf577922d296bafdcb729cb85a1b4576ef

Download Submit
C:\Windows\System\tTKgXmk.exe

Filesize
5.2MB

MD5
92948363f39b5cc0893b92884a1d8171

SHA1
a51bf08fbd829d2e12a1d09df3b503c0b93ab182

SHA256
6f69d5f52e45d7cdb46cdf07ed750f5c696e43d90305d9e665f1e61ea116bb0e

SHA512
8a5627ab203ef9215439d15c1abd3aa1f72098b211edfd7b253f5c72fbdaec1152286eedbc243978de127ff139b231b756de7e9d2776aa6eea88778be852f2c6

Download Submit
C:\Windows\System\urFdVgw.exe

Filesize
5.2MB

MD5
4a4582d418c05cffb39cb60bab7248c0

SHA1
d15a814676bee5004cfebf359955e83b3f9a11c9

SHA256
01d45da0e70e6a3bc618aeb5cccc14852cffad088bac2b51b2d74bdb19a926cd

SHA512
4b5ea2d0ca23ac0271b8fb8f1aca5dc106da21e7ff7b816ae40964ba095e561dbeb004a6fed67a519aede8b51d41507b5d241e3cf17943b0b6e60c833aa67044

Download Submit
C:\Windows\System\vgSvxMn.exe

Filesize
5.2MB

MD5
99a08e953da0235fbc2d0a675c3f7416

SHA1
175ffa6b33f0f50474b171ca60452096667628b3

SHA256
0165d83f0246b0624e907f59512886b8ad6e52b03199b26a77bbc92d70fbc38e

SHA512
663b7d1aeae607a34f1f2d297b55ae85e0bb38ff1dcffc1bda68819878c00e9f3db38920c3cc6383fa8b6fe48b01e8c353721e059bec0b0b1706939234c67e4d

Download Submit
C:\Windows\System\zfsDXma.exe

Filesize
5.2MB

MD5
c0ab4e3f7dddfd91a2bab47b5c67784a

SHA1
1f9811c627a69c5164c37c2183731b103a351030

SHA256
c22bfc322c87e069de6f118d3a41373957885d4f3be1ff793665d0c3b5c70210

SHA512
72ec203fd0043ebbbd4c165ad9ce24b0f99e6513fd52062d6143d6fbaaf4b9d319e0f707e2d4f6632a1b617ed5a6ae295a80bca4b46e0d009b1526589685815a

Download Submit
memory/1104-46-0x00007FF787DE0000-0x00007FF788131000-memory.dmp

Filesize
3.3MB

Download
memory/1104-231-0x00007FF787DE0000-0x00007FF788131000-memory.dmp

Filesize
3.3MB

Download
memory/1212-128-0x00007FF6268F0000-0x00007FF626C41000-memory.dmp

Filesize
3.3MB

Download
memory/1212-59-0x00007FF6268F0000-0x00007FF626C41000-memory.dmp

Filesize
3.3MB

Download
memory/1212-237-0x00007FF6268F0000-0x00007FF626C41000-memory.dmp

Filesize
3.3MB

Download
memory/1248-152-0x00007FF6999B0000-0x00007FF699D01000-memory.dmp

Filesize
3.3MB

Download
memory/1248-70-0x00007FF6999B0000-0x00007FF699D01000-memory.dmp

Filesize
3.3MB

Download
memory/1248-241-0x00007FF6999B0000-0x00007FF699D01000-memory.dmp

Filesize
3.3MB

Download
memory/2248-155-0x00007FF7F74D0000-0x00007FF7F7821000-memory.dmp

Filesize
3.3MB

Download
memory/2248-257-0x00007FF7F74D0000-0x00007FF7F7821000-memory.dmp

Filesize
3.3MB

Download
memory/2248-108-0x00007FF7F74D0000-0x00007FF7F7821000-memory.dmp

Filesize
3.3MB

Download
memory/2584-127-0x00007FF74A500000-0x00007FF74A851000-memory.dmp

Filesize
3.3MB

Download
memory/2584-158-0x00007FF74A500000-0x00007FF74A851000-memory.dmp

Filesize
3.3MB

Download
memory/2584-264-0x00007FF74A500000-0x00007FF74A851000-memory.dmp

Filesize
3.3MB

Download
memory/2608-98-0x00007FF76F940000-0x00007FF76FC91000-memory.dmp

Filesize
3.3MB

Download
memory/2608-258-0x00007FF76F940000-0x00007FF76FC91000-memory.dmp

Filesize
3.3MB

Download
memory/2608-154-0x00007FF76F940000-0x00007FF76FC91000-memory.dmp

Filesize
3.3MB

Download
memory/2656-135-0x00007FF7AF080000-0x00007FF7AF3D1000-memory.dmp

Filesize
3.3MB

Download
memory/2656-260-0x00007FF7AF080000-0x00007FF7AF3D1000-memory.dmp

Filesize
3.3MB

Download
memory/2656-160-0x00007FF7AF080000-0x00007FF7AF3D1000-memory.dmp

Filesize
3.3MB

Download
memory/3108-85-0x00007FF7FA0C0000-0x00007FF7FA411000-memory.dmp

Filesize
3.3MB

Download
memory/3108-219-0x00007FF7FA0C0000-0x00007FF7FA411000-memory.dmp

Filesize
3.3MB

Download
memory/3108-22-0x00007FF7FA0C0000-0x00007FF7FA411000-memory.dmp

Filesize
3.3MB

Download
memory/3372-129-0x00007FF73A780000-0x00007FF73AAD1000-memory.dmp

Filesize
3.3MB

Download
memory/3372-159-0x00007FF73A780000-0x00007FF73AAD1000-memory.dmp

Filesize
3.3MB

Download
memory/3372-262-0x00007FF73A780000-0x00007FF73AAD1000-memory.dmp

Filesize
3.3MB

Download
memory/3504-79-0x00007FF7644E0000-0x00007FF764831000-memory.dmp

Filesize
3.3MB

Download
memory/3504-252-0x00007FF7644E0000-0x00007FF764831000-memory.dmp

Filesize
3.3MB

Download
memory/3504-150-0x00007FF7644E0000-0x00007FF764831000-memory.dmp

Filesize
3.3MB

Download
memory/3676-217-0x00007FF71AA90000-0x00007FF71ADE1000-memory.dmp

Filesize
3.3MB

Download
memory/3676-21-0x00007FF71AA90000-0x00007FF71ADE1000-memory.dmp

Filesize
3.3MB

Download
memory/3676-76-0x00007FF71AA90000-0x00007FF71ADE1000-memory.dmp

Filesize
3.3MB

Download
memory/3896-80-0x00007FF66E320000-0x00007FF66E671000-memory.dmp

Filesize
3.3MB

Download
memory/3896-151-0x00007FF66E320000-0x00007FF66E671000-memory.dmp

Filesize
3.3MB

Download
memory/3896-251-0x00007FF66E320000-0x00007FF66E671000-memory.dmp

Filesize
3.3MB

Download
memory/4008-6-0x00007FF6723D0000-0x00007FF672721000-memory.dmp

Filesize
3.3MB

Download
memory/4008-69-0x00007FF6723D0000-0x00007FF672721000-memory.dmp

Filesize
3.3MB

Download
memory/4008-213-0x00007FF6723D0000-0x00007FF672721000-memory.dmp

Filesize
3.3MB

Download
memory/4020-254-0x00007FF76D120000-0x00007FF76D471000-memory.dmp

Filesize
3.3MB

Download
memory/4020-90-0x00007FF76D120000-0x00007FF76D471000-memory.dmp

Filesize
3.3MB

Download
memory/4020-153-0x00007FF76D120000-0x00007FF76D471000-memory.dmp

Filesize
3.3MB

Download
memory/4268-89-0x00007FF745A20000-0x00007FF745D71000-memory.dmp

Filesize
3.3MB

Download
memory/4268-221-0x00007FF745A20000-0x00007FF745D71000-memory.dmp

Filesize
3.3MB

Download
memory/4268-30-0x00007FF745A20000-0x00007FF745D71000-memory.dmp

Filesize
3.3MB

Download
memory/4316-54-0x00007FF71A850000-0x00007FF71ABA1000-memory.dmp

Filesize
3.3MB

Download
memory/4316-161-0x00007FF71A850000-0x00007FF71ABA1000-memory.dmp

Filesize
3.3MB

Download
memory/4316-0-0x00007FF71A850000-0x00007FF71ABA1000-memory.dmp

Filesize
3.3MB

Download
memory/4316-138-0x00007FF71A850000-0x00007FF71ABA1000-memory.dmp

Filesize
3.3MB

Download
memory/4316-1-0x000001ECDB2F0000-0x000001ECDB300000-memory.dmp

Filesize
64KB

Download
memory/4396-267-0x00007FF63FB80000-0x00007FF63FED1000-memory.dmp

Filesize
3.3MB

Download
memory/4396-157-0x00007FF63FB80000-0x00007FF63FED1000-memory.dmp

Filesize
3.3MB

Download
memory/4396-121-0x00007FF63FB80000-0x00007FF63FED1000-memory.dmp

Filesize
3.3MB

Download
memory/4452-239-0x00007FF7D4430000-0x00007FF7D4781000-memory.dmp

Filesize
3.3MB

Download
memory/4452-51-0x00007FF7D4430000-0x00007FF7D4781000-memory.dmp

Filesize
3.3MB

Download
memory/4452-115-0x00007FF7D4430000-0x00007FF7D4781000-memory.dmp

Filesize
3.3MB

Download
memory/4500-75-0x00007FF71F430000-0x00007FF71F781000-memory.dmp

Filesize
3.3MB

Download
memory/4500-16-0x00007FF71F430000-0x00007FF71F781000-memory.dmp

Filesize
3.3MB

Download
memory/4500-215-0x00007FF71F430000-0x00007FF71F781000-memory.dmp

Filesize
3.3MB

Download
memory/4600-233-0x00007FF7970D0000-0x00007FF797421000-memory.dmp

Filesize
3.3MB

Download
memory/4600-104-0x00007FF7970D0000-0x00007FF797421000-memory.dmp

Filesize
3.3MB

Download
memory/4600-43-0x00007FF7970D0000-0x00007FF797421000-memory.dmp

Filesize
3.3MB

Download
memory/4756-114-0x00007FF7A67F0000-0x00007FF7A6B41000-memory.dmp

Filesize
3.3MB

Download
memory/4756-268-0x00007FF7A67F0000-0x00007FF7A6B41000-memory.dmp

Filesize
3.3MB

Download
memory/4756-156-0x00007FF7A67F0000-0x00007FF7A6B41000-memory.dmp

Filesize
3.3MB

Download
memory/4996-235-0x00007FF620280000-0x00007FF6205D1000-memory.dmp

Filesize
3.3MB

Download
memory/4996-122-0x00007FF620280000-0x00007FF6205D1000-memory.dmp

Filesize
3.3MB

Download
memory/4996-58-0x00007FF620280000-0x00007FF6205D1000-memory.dmp

Filesize
3.3MB

Download