cobaltstrike | 0c1f1e174f333bc251122b862a26380fbfd12788c70bd384fc8e63870c677658

Analysis

max time kernel
140s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27-12-2024 20:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-27_23182c39bb51e36f49427ef5b02c3563_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

23182c39bb51e36f49427ef5b02c3563
SHA1

e9455f63874e5c8a8f89067a9812e929d3826edc
SHA256

0c1f1e174f333bc251122b862a26380fbfd12788c70bd384fc8e63870c677658
SHA512

0951e2e7569ac1be690fc01bcd6a8853a2b102cfe4fca46cdf28300bbed40887c74d3f5d1cc1db6806436f2d16cb0ef346c66f177433f55f6b3a0bbabac39096
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lj:RWWBibf56utgpPFotBER/mQ32lUf

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0008000000023c8e-4.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c93-11.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c94-26.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c95-29.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c92-12.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c96-35.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c97-40.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c99-52.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c98-51.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9a-65.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9b-69.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9d-80.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9f-93.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca2-113.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca3-127.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca5-137.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca4-132.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca1-116.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca0-109.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9e-91.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9c-76.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/1488-58-0x00007FF6A2CE0000-0x00007FF6A3031000-memory.dmp	xmrig
behavioral2/memory/3356-81-0x00007FF76F2C0000-0x00007FF76F611000-memory.dmp	xmrig
behavioral2/memory/1744-129-0x00007FF621A70000-0x00007FF621DC1000-memory.dmp	xmrig
behavioral2/memory/3076-135-0x00007FF77F2B0000-0x00007FF77F601000-memory.dmp	xmrig
behavioral2/memory/3408-125-0x00007FF7C3510000-0x00007FF7C3861000-memory.dmp	xmrig
behavioral2/memory/1056-119-0x00007FF78B0A0000-0x00007FF78B3F1000-memory.dmp	xmrig
behavioral2/memory/3772-111-0x00007FF7A6690000-0x00007FF7A69E1000-memory.dmp	xmrig
behavioral2/memory/3500-103-0x00007FF783B20000-0x00007FF783E71000-memory.dmp	xmrig
behavioral2/memory/4684-96-0x00007FF62FD20000-0x00007FF630071000-memory.dmp	xmrig
behavioral2/memory/4924-87-0x00007FF736420000-0x00007FF736771000-memory.dmp	xmrig
behavioral2/memory/3476-74-0x00007FF639F90000-0x00007FF63A2E1000-memory.dmp	xmrig
behavioral2/memory/2360-67-0x00007FF6D6B90000-0x00007FF6D6EE1000-memory.dmp	xmrig
behavioral2/memory/3116-139-0x00007FF7BD8D0000-0x00007FF7BDC21000-memory.dmp	xmrig
behavioral2/memory/4564-141-0x00007FF7B0670000-0x00007FF7B09C1000-memory.dmp	xmrig
behavioral2/memory/3564-142-0x00007FF713400000-0x00007FF713751000-memory.dmp	xmrig
behavioral2/memory/2488-144-0x00007FF678A10000-0x00007FF678D61000-memory.dmp	xmrig
behavioral2/memory/1488-143-0x00007FF6A2CE0000-0x00007FF6A3031000-memory.dmp	xmrig
behavioral2/memory/1852-153-0x00007FF6D7410000-0x00007FF6D7761000-memory.dmp	xmrig
behavioral2/memory/4048-164-0x00007FF7AFF40000-0x00007FF7B0291000-memory.dmp	xmrig
behavioral2/memory/2232-165-0x00007FF6BBB70000-0x00007FF6BBEC1000-memory.dmp	xmrig
behavioral2/memory/1580-163-0x00007FF727B30000-0x00007FF727E81000-memory.dmp	xmrig
behavioral2/memory/3616-166-0x00007FF6EEAE0000-0x00007FF6EEE31000-memory.dmp	xmrig
behavioral2/memory/1976-167-0x00007FF641840000-0x00007FF641B91000-memory.dmp	xmrig
behavioral2/memory/1488-168-0x00007FF6A2CE0000-0x00007FF6A3031000-memory.dmp	xmrig
behavioral2/memory/2360-217-0x00007FF6D6B90000-0x00007FF6D6EE1000-memory.dmp	xmrig
behavioral2/memory/3476-227-0x00007FF639F90000-0x00007FF63A2E1000-memory.dmp	xmrig
behavioral2/memory/3356-229-0x00007FF76F2C0000-0x00007FF76F611000-memory.dmp	xmrig
behavioral2/memory/4924-231-0x00007FF736420000-0x00007FF736771000-memory.dmp	xmrig
behavioral2/memory/4684-233-0x00007FF62FD20000-0x00007FF630071000-memory.dmp	xmrig
behavioral2/memory/3500-235-0x00007FF783B20000-0x00007FF783E71000-memory.dmp	xmrig
behavioral2/memory/3772-237-0x00007FF7A6690000-0x00007FF7A69E1000-memory.dmp	xmrig
behavioral2/memory/1056-239-0x00007FF78B0A0000-0x00007FF78B3F1000-memory.dmp	xmrig
behavioral2/memory/3408-251-0x00007FF7C3510000-0x00007FF7C3861000-memory.dmp	xmrig
behavioral2/memory/3076-255-0x00007FF77F2B0000-0x00007FF77F601000-memory.dmp	xmrig
behavioral2/memory/3116-257-0x00007FF7BD8D0000-0x00007FF7BDC21000-memory.dmp	xmrig
behavioral2/memory/1744-253-0x00007FF621A70000-0x00007FF621DC1000-memory.dmp	xmrig
behavioral2/memory/3564-259-0x00007FF713400000-0x00007FF713751000-memory.dmp	xmrig
behavioral2/memory/2488-261-0x00007FF678A10000-0x00007FF678D61000-memory.dmp	xmrig
behavioral2/memory/4564-263-0x00007FF7B0670000-0x00007FF7B09C1000-memory.dmp	xmrig
behavioral2/memory/1852-265-0x00007FF6D7410000-0x00007FF6D7761000-memory.dmp	xmrig
behavioral2/memory/3616-267-0x00007FF6EEAE0000-0x00007FF6EEE31000-memory.dmp	xmrig
behavioral2/memory/4048-269-0x00007FF7AFF40000-0x00007FF7B0291000-memory.dmp	xmrig
behavioral2/memory/2232-271-0x00007FF6BBB70000-0x00007FF6BBEC1000-memory.dmp	xmrig
behavioral2/memory/1976-273-0x00007FF641840000-0x00007FF641B91000-memory.dmp	xmrig
behavioral2/memory/1580-275-0x00007FF727B30000-0x00007FF727E81000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2360	gAvMPRn.exe
3476	gLfZwcZ.exe
3356	xBXNssp.exe
4924	jQWOvlf.exe
4684	bjApULG.exe
3500	rHyEhSD.exe
3772	sRXwmaW.exe
1056	PFgxJuG.exe
3408	iAlQFKq.exe
1744	jVEBpND.exe
3076	TYnYkwc.exe
3116	cJgrmSE.exe
4564	UurYMxQ.exe
3564	kioyZlf.exe
2488	PCcZvlR.exe
1852	hzBgbtC.exe
3616	VtvlGnB.exe
1580	JQlhtSj.exe
4048	MoOjYNi.exe
2232	KnLEdrh.exe
1976	kPcGYlB.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1488-0-0x00007FF6A2CE0000-0x00007FF6A3031000-memory.dmp	upx
behavioral2/files/0x0008000000023c8e-4.dat	upx
behavioral2/memory/2360-8-0x00007FF6D6B90000-0x00007FF6D6EE1000-memory.dmp	upx
behavioral2/files/0x0007000000023c93-11.dat	upx
behavioral2/memory/3476-13-0x00007FF639F90000-0x00007FF63A2E1000-memory.dmp	upx
behavioral2/memory/4924-24-0x00007FF736420000-0x00007FF736771000-memory.dmp	upx
behavioral2/files/0x0007000000023c94-26.dat	upx
behavioral2/files/0x0007000000023c95-29.dat	upx
behavioral2/memory/4684-30-0x00007FF62FD20000-0x00007FF630071000-memory.dmp	upx
behavioral2/memory/3356-20-0x00007FF76F2C0000-0x00007FF76F611000-memory.dmp	upx
behavioral2/files/0x0007000000023c92-12.dat	upx
behavioral2/files/0x0007000000023c96-35.dat	upx
behavioral2/files/0x0007000000023c97-40.dat	upx
behavioral2/memory/3772-43-0x00007FF7A6690000-0x00007FF7A69E1000-memory.dmp	upx
behavioral2/memory/3500-38-0x00007FF783B20000-0x00007FF783E71000-memory.dmp	upx
behavioral2/memory/1056-48-0x00007FF78B0A0000-0x00007FF78B3F1000-memory.dmp	upx
behavioral2/files/0x0007000000023c99-52.dat	upx
behavioral2/files/0x0007000000023c98-51.dat	upx
behavioral2/memory/1488-58-0x00007FF6A2CE0000-0x00007FF6A3031000-memory.dmp	upx
behavioral2/files/0x0007000000023c9a-65.dat	upx
behavioral2/files/0x0007000000023c9b-69.dat	upx
behavioral2/memory/3116-75-0x00007FF7BD8D0000-0x00007FF7BDC21000-memory.dmp	upx
behavioral2/memory/3356-81-0x00007FF76F2C0000-0x00007FF76F611000-memory.dmp	upx
behavioral2/files/0x0007000000023c9d-80.dat	upx
behavioral2/files/0x0007000000023c9f-93.dat	upx
behavioral2/files/0x0007000000023ca2-113.dat	upx
behavioral2/memory/4048-121-0x00007FF7AFF40000-0x00007FF7B0291000-memory.dmp	upx
behavioral2/files/0x0007000000023ca3-127.dat	upx
behavioral2/memory/1744-129-0x00007FF621A70000-0x00007FF621DC1000-memory.dmp	upx
behavioral2/files/0x0007000000023ca5-137.dat	upx
behavioral2/memory/1976-136-0x00007FF641840000-0x00007FF641B91000-memory.dmp	upx
behavioral2/memory/3076-135-0x00007FF77F2B0000-0x00007FF77F601000-memory.dmp	upx
behavioral2/files/0x0007000000023ca4-132.dat	upx
behavioral2/memory/2232-131-0x00007FF6BBB70000-0x00007FF6BBEC1000-memory.dmp	upx
behavioral2/memory/3408-125-0x00007FF7C3510000-0x00007FF7C3861000-memory.dmp	upx
behavioral2/memory/1580-120-0x00007FF727B30000-0x00007FF727E81000-memory.dmp	upx
behavioral2/memory/1056-119-0x00007FF78B0A0000-0x00007FF78B3F1000-memory.dmp	upx
behavioral2/files/0x0007000000023ca1-116.dat	upx
behavioral2/memory/3616-112-0x00007FF6EEAE0000-0x00007FF6EEE31000-memory.dmp	upx
behavioral2/memory/3772-111-0x00007FF7A6690000-0x00007FF7A69E1000-memory.dmp	upx
behavioral2/files/0x0007000000023ca0-109.dat	upx
behavioral2/memory/1852-105-0x00007FF6D7410000-0x00007FF6D7761000-memory.dmp	upx
behavioral2/memory/3500-103-0x00007FF783B20000-0x00007FF783E71000-memory.dmp	upx
behavioral2/memory/2488-97-0x00007FF678A10000-0x00007FF678D61000-memory.dmp	upx
behavioral2/memory/4684-96-0x00007FF62FD20000-0x00007FF630071000-memory.dmp	upx
behavioral2/files/0x0007000000023c9e-91.dat	upx
behavioral2/memory/3564-88-0x00007FF713400000-0x00007FF713751000-memory.dmp	upx
behavioral2/memory/4924-87-0x00007FF736420000-0x00007FF736771000-memory.dmp	upx
behavioral2/memory/4564-82-0x00007FF7B0670000-0x00007FF7B09C1000-memory.dmp	upx
behavioral2/files/0x0007000000023c9c-76.dat	upx
behavioral2/memory/3476-74-0x00007FF639F90000-0x00007FF63A2E1000-memory.dmp	upx
behavioral2/memory/3076-68-0x00007FF77F2B0000-0x00007FF77F601000-memory.dmp	upx
behavioral2/memory/2360-67-0x00007FF6D6B90000-0x00007FF6D6EE1000-memory.dmp	upx
behavioral2/memory/1744-63-0x00007FF621A70000-0x00007FF621DC1000-memory.dmp	upx
behavioral2/memory/3408-56-0x00007FF7C3510000-0x00007FF7C3861000-memory.dmp	upx
behavioral2/memory/3116-139-0x00007FF7BD8D0000-0x00007FF7BDC21000-memory.dmp	upx
behavioral2/memory/4564-141-0x00007FF7B0670000-0x00007FF7B09C1000-memory.dmp	upx
behavioral2/memory/3564-142-0x00007FF713400000-0x00007FF713751000-memory.dmp	upx
behavioral2/memory/2488-144-0x00007FF678A10000-0x00007FF678D61000-memory.dmp	upx
behavioral2/memory/1488-143-0x00007FF6A2CE0000-0x00007FF6A3031000-memory.dmp	upx
behavioral2/memory/1852-153-0x00007FF6D7410000-0x00007FF6D7761000-memory.dmp	upx
behavioral2/memory/4048-164-0x00007FF7AFF40000-0x00007FF7B0291000-memory.dmp	upx
behavioral2/memory/2232-165-0x00007FF6BBB70000-0x00007FF6BBEC1000-memory.dmp	upx
behavioral2/memory/1580-163-0x00007FF727B30000-0x00007FF727E81000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\JQlhtSj.exe	2024-12-27_23182c39bb51e36f49427ef5b02c3563_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MoOjYNi.exe	2024-12-27_23182c39bb51e36f49427ef5b02c3563_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kPcGYlB.exe	2024-12-27_23182c39bb51e36f49427ef5b02c3563_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xBXNssp.exe	2024-12-27_23182c39bb51e36f49427ef5b02c3563_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rHyEhSD.exe	2024-12-27_23182c39bb51e36f49427ef5b02c3563_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kioyZlf.exe	2024-12-27_23182c39bb51e36f49427ef5b02c3563_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hzBgbtC.exe	2024-12-27_23182c39bb51e36f49427ef5b02c3563_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gAvMPRn.exe	2024-12-27_23182c39bb51e36f49427ef5b02c3563_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cJgrmSE.exe	2024-12-27_23182c39bb51e36f49427ef5b02c3563_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VtvlGnB.exe	2024-12-27_23182c39bb51e36f49427ef5b02c3563_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KnLEdrh.exe	2024-12-27_23182c39bb51e36f49427ef5b02c3563_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TYnYkwc.exe	2024-12-27_23182c39bb51e36f49427ef5b02c3563_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PCcZvlR.exe	2024-12-27_23182c39bb51e36f49427ef5b02c3563_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jQWOvlf.exe	2024-12-27_23182c39bb51e36f49427ef5b02c3563_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sRXwmaW.exe	2024-12-27_23182c39bb51e36f49427ef5b02c3563_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PFgxJuG.exe	2024-12-27_23182c39bb51e36f49427ef5b02c3563_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iAlQFKq.exe	2024-12-27_23182c39bb51e36f49427ef5b02c3563_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gLfZwcZ.exe	2024-12-27_23182c39bb51e36f49427ef5b02c3563_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bjApULG.exe	2024-12-27_23182c39bb51e36f49427ef5b02c3563_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jVEBpND.exe	2024-12-27_23182c39bb51e36f49427ef5b02c3563_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UurYMxQ.exe	2024-12-27_23182c39bb51e36f49427ef5b02c3563_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1488	2024-12-27_23182c39bb51e36f49427ef5b02c3563_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	1488	2024-12-27_23182c39bb51e36f49427ef5b02c3563_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1488 wrote to memory of 2360	1488	2024-12-27_23182c39bb51e36f49427ef5b02c3563_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 1488 wrote to memory of 2360	1488	2024-12-27_23182c39bb51e36f49427ef5b02c3563_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 1488 wrote to memory of 3476	1488	2024-12-27_23182c39bb51e36f49427ef5b02c3563_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 1488 wrote to memory of 3476	1488	2024-12-27_23182c39bb51e36f49427ef5b02c3563_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 1488 wrote to memory of 3356	1488	2024-12-27_23182c39bb51e36f49427ef5b02c3563_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 1488 wrote to memory of 3356	1488	2024-12-27_23182c39bb51e36f49427ef5b02c3563_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 1488 wrote to memory of 4924	1488	2024-12-27_23182c39bb51e36f49427ef5b02c3563_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 1488 wrote to memory of 4924	1488	2024-12-27_23182c39bb51e36f49427ef5b02c3563_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 1488 wrote to memory of 4684	1488	2024-12-27_23182c39bb51e36f49427ef5b02c3563_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 1488 wrote to memory of 4684	1488	2024-12-27_23182c39bb51e36f49427ef5b02c3563_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 1488 wrote to memory of 3500	1488	2024-12-27_23182c39bb51e36f49427ef5b02c3563_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 1488 wrote to memory of 3500	1488	2024-12-27_23182c39bb51e36f49427ef5b02c3563_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 1488 wrote to memory of 3772	1488	2024-12-27_23182c39bb51e36f49427ef5b02c3563_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1488 wrote to memory of 3772	1488	2024-12-27_23182c39bb51e36f49427ef5b02c3563_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1488 wrote to memory of 1056	1488	2024-12-27_23182c39bb51e36f49427ef5b02c3563_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1488 wrote to memory of 1056	1488	2024-12-27_23182c39bb51e36f49427ef5b02c3563_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1488 wrote to memory of 3408	1488	2024-12-27_23182c39bb51e36f49427ef5b02c3563_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1488 wrote to memory of 3408	1488	2024-12-27_23182c39bb51e36f49427ef5b02c3563_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1488 wrote to memory of 1744	1488	2024-12-27_23182c39bb51e36f49427ef5b02c3563_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1488 wrote to memory of 1744	1488	2024-12-27_23182c39bb51e36f49427ef5b02c3563_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1488 wrote to memory of 3076	1488	2024-12-27_23182c39bb51e36f49427ef5b02c3563_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 1488 wrote to memory of 3076	1488	2024-12-27_23182c39bb51e36f49427ef5b02c3563_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 1488 wrote to memory of 3116	1488	2024-12-27_23182c39bb51e36f49427ef5b02c3563_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1488 wrote to memory of 3116	1488	2024-12-27_23182c39bb51e36f49427ef5b02c3563_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1488 wrote to memory of 4564	1488	2024-12-27_23182c39bb51e36f49427ef5b02c3563_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1488 wrote to memory of 4564	1488	2024-12-27_23182c39bb51e36f49427ef5b02c3563_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1488 wrote to memory of 3564	1488	2024-12-27_23182c39bb51e36f49427ef5b02c3563_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 1488 wrote to memory of 3564	1488	2024-12-27_23182c39bb51e36f49427ef5b02c3563_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 1488 wrote to memory of 2488	1488	2024-12-27_23182c39bb51e36f49427ef5b02c3563_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1488 wrote to memory of 2488	1488	2024-12-27_23182c39bb51e36f49427ef5b02c3563_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1488 wrote to memory of 1852	1488	2024-12-27_23182c39bb51e36f49427ef5b02c3563_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1488 wrote to memory of 1852	1488	2024-12-27_23182c39bb51e36f49427ef5b02c3563_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1488 wrote to memory of 3616	1488	2024-12-27_23182c39bb51e36f49427ef5b02c3563_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1488 wrote to memory of 3616	1488	2024-12-27_23182c39bb51e36f49427ef5b02c3563_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1488 wrote to memory of 1580	1488	2024-12-27_23182c39bb51e36f49427ef5b02c3563_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1488 wrote to memory of 1580	1488	2024-12-27_23182c39bb51e36f49427ef5b02c3563_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1488 wrote to memory of 4048	1488	2024-12-27_23182c39bb51e36f49427ef5b02c3563_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1488 wrote to memory of 4048	1488	2024-12-27_23182c39bb51e36f49427ef5b02c3563_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1488 wrote to memory of 2232	1488	2024-12-27_23182c39bb51e36f49427ef5b02c3563_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 1488 wrote to memory of 2232	1488	2024-12-27_23182c39bb51e36f49427ef5b02c3563_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 1488 wrote to memory of 1976	1488	2024-12-27_23182c39bb51e36f49427ef5b02c3563_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 1488 wrote to memory of 1976	1488	2024-12-27_23182c39bb51e36f49427ef5b02c3563_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-12-27_23182c39bb51e36f49427ef5b02c3563_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-27_23182c39bb51e36f49427ef5b02c3563_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1488
- C:\Windows\System\gAvMPRn.exe
  C:\Windows\System\gAvMPRn.exe
  2⤵
  - Executes dropped EXE
  PID:2360
- C:\Windows\System\gLfZwcZ.exe
  C:\Windows\System\gLfZwcZ.exe
  2⤵
  - Executes dropped EXE
  PID:3476
- C:\Windows\System\xBXNssp.exe
  C:\Windows\System\xBXNssp.exe
  2⤵
  - Executes dropped EXE
  PID:3356
- C:\Windows\System\jQWOvlf.exe
  C:\Windows\System\jQWOvlf.exe
  2⤵
  - Executes dropped EXE
  PID:4924
- C:\Windows\System\bjApULG.exe
  C:\Windows\System\bjApULG.exe
  2⤵
  - Executes dropped EXE
  PID:4684
- C:\Windows\System\rHyEhSD.exe
  C:\Windows\System\rHyEhSD.exe
  2⤵
  - Executes dropped EXE
  PID:3500
- C:\Windows\System\sRXwmaW.exe
  C:\Windows\System\sRXwmaW.exe
  2⤵
  - Executes dropped EXE
  PID:3772
- C:\Windows\System\PFgxJuG.exe
  C:\Windows\System\PFgxJuG.exe
  2⤵
  - Executes dropped EXE
  PID:1056
- C:\Windows\System\iAlQFKq.exe
  C:\Windows\System\iAlQFKq.exe
  2⤵
  - Executes dropped EXE
  PID:3408
- C:\Windows\System\jVEBpND.exe
  C:\Windows\System\jVEBpND.exe
  2⤵
  - Executes dropped EXE
  PID:1744
- C:\Windows\System\TYnYkwc.exe
  C:\Windows\System\TYnYkwc.exe
  2⤵
  - Executes dropped EXE
  PID:3076
- C:\Windows\System\cJgrmSE.exe
  C:\Windows\System\cJgrmSE.exe
  2⤵
  - Executes dropped EXE
  PID:3116
- C:\Windows\System\UurYMxQ.exe
  C:\Windows\System\UurYMxQ.exe
  2⤵
  - Executes dropped EXE
  PID:4564
- C:\Windows\System\kioyZlf.exe
  C:\Windows\System\kioyZlf.exe
  2⤵
  - Executes dropped EXE
  PID:3564
- C:\Windows\System\PCcZvlR.exe
  C:\Windows\System\PCcZvlR.exe
  2⤵
  - Executes dropped EXE
  PID:2488
- C:\Windows\System\hzBgbtC.exe
  C:\Windows\System\hzBgbtC.exe
  2⤵
  - Executes dropped EXE
  PID:1852
- C:\Windows\System\VtvlGnB.exe
  C:\Windows\System\VtvlGnB.exe
  2⤵
  - Executes dropped EXE
  PID:3616
- C:\Windows\System\JQlhtSj.exe
  C:\Windows\System\JQlhtSj.exe
  2⤵
  - Executes dropped EXE
  PID:1580
- C:\Windows\System\MoOjYNi.exe
  C:\Windows\System\MoOjYNi.exe
  2⤵
  - Executes dropped EXE
  PID:4048
- C:\Windows\System\KnLEdrh.exe
  C:\Windows\System\KnLEdrh.exe
  2⤵
  - Executes dropped EXE
  PID:2232
- C:\Windows\System\kPcGYlB.exe
  C:\Windows\System\kPcGYlB.exe
  2⤵
  - Executes dropped EXE
  PID:1976

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\JQlhtSj.exe

Filesize
5.2MB

MD5
1b272ee7e3d6142da81b2796c8c51530

SHA1
07275e731ce2a31fd90c75a1e74dd71d9003d858

SHA256
820d4ad6e97130c0c2c4e076caea75cb75b609830ff766294c40d88f715c989d

SHA512
924b0ebfba3b9a8536342b90255863866adc64156cf73031e4dfffd26c65064959fd756603f8cccff32c321065882d78bcc417fda942377357f3ba6c22a267f3

Download Submit
C:\Windows\System\KnLEdrh.exe

Filesize
5.2MB

MD5
288d0ba40ae7b2fa462a41a4727adf32

SHA1
c1607c62dfa6bf4cc8de75d701c58ce2a81b29e4

SHA256
e3da5a432fb5d269b43989270f454a56a68a9520ce934ca663b0570e3206d8cf

SHA512
e0d7967d62fcad687ec07612b52a76283038bdf87ab7768ff0a8e94e976fcdac43d5e674f423014b25c0e9c4ae71f7798edc0c7dd60f1ff05f0d1a8b5a277c1c

Download Submit
C:\Windows\System\MoOjYNi.exe

Filesize
5.2MB

MD5
6523e6ef42e4844a1bc0f9ec68601473

SHA1
9c03a1881fb694068f306cd4c56add22b0488c1c

SHA256
aefa9ff81bb49c68d456ce547801b22e721737f26e56d401eea74f397faf982d

SHA512
c0e02013aedeb309d2ea3416b774d5f9ec32e22a062593949a7b3a9d1cd8794781e4d5114ceea9559ae9f6efd92f091bb8ab4c81dbafab21b31fd5251c9e4776

Download Submit
C:\Windows\System\PCcZvlR.exe

Filesize
5.2MB

MD5
e2142a744a5cc9c5600ef3dd607429f3

SHA1
34d56162cc2645243b03172b9dd01f1e4434d5b1

SHA256
be567262e2c71b358bd7e522bacfcbd51329c63072f92c1cf3582b96d6b49845

SHA512
a8c2d84377d351a276a2160b141b7109ee4e4a59691fd9affacd983447cf6709198390a76a117c54d9812fc14689550a31384a1ede857e9b63a9c66c17ab9e60

Download Submit
C:\Windows\System\PFgxJuG.exe

Filesize
5.2MB

MD5
dc4836fa06d648e06dbc66c532eddb40

SHA1
61530797b190d2f275b666e2f1f398df2cc520e7

SHA256
86016118b53a2707c403df0d10d18723b5ccaa098e8cbbf739e4ae7605d21e5b

SHA512
b22ca1624d89c13706b1ebeecbdc72d78d40396f2840ca3f716bfb20c72b2dda18a9834df64036bbaa057ef8081f3e995c82a593e0f2120b72b37e93ba01bc37

Download Submit
C:\Windows\System\TYnYkwc.exe

Filesize
5.2MB

MD5
92ecc7d4b56749ee3bea675d0d99caf4

SHA1
b7d7cb49345feb407a61c503908c765bfc83a121

SHA256
617e379863f6c2d5d591f8fc9758c4dbfa5ead48ce34e2aa4a1251a12a9d3310

SHA512
619303208c7bc27589865da30cc84746477b00f52923bca72ee1d10147f7c207401eed50c5aa287b0e7f2b1343ed82aa2f9bc702164cab47bf151be4f32478ad

Download Submit
C:\Windows\System\UurYMxQ.exe

Filesize
5.2MB

MD5
68de3330972c3847c676f0aa646b0827

SHA1
479c03077140798659c69824a8d843dc51703ae0

SHA256
db120a804622e038f752bbf71e0af52fb35f4ca7bfa912a36d09080b60ecc5fd

SHA512
d0111f83a3e8f9e50f4d018d332db383e70947f734e18f45af458132e93325c3039a2692cc83b17fb9b5fd8efdf15707ed3d1b972a4d8abdb675de42ee44ad3b

Download Submit
C:\Windows\System\VtvlGnB.exe

Filesize
5.2MB

MD5
e02d7ccdca61dd5d166023140dbff3ab

SHA1
b3ea382f22fc73218bdc1a0517320cb672d1b6c8

SHA256
95d4e0f460640d3c9eb78d2a8ec5e61f8a976412bccd222b8625e80527c74152

SHA512
03c648ab214e5cb80ca48eac13e697df29ae0baa2417881547a4d250f771570d05a52f8f05a8406fdb7d53b0e57e913cda8e9a9cb83a495c552866b4e2ff6cfc

Download Submit
C:\Windows\System\bjApULG.exe

Filesize
5.2MB

MD5
43e59efb46f5eae07dabbf2ca76463c9

SHA1
c1bae924e4c11806fce9fc28f98ca7c5dabe5972

SHA256
b85d77694e8d0a78c3bb6f71bf96a98e38d3a3931c66be6ce4656cfcdc61572d

SHA512
c3e693463ebcba6f261e2d2b0303310d1153769d88b218ca7a71b4532adf0aa6f91e4104f35983eb76e50be45b180f5891cd3812250cd27fc1fcb078752a09db

Download Submit
C:\Windows\System\cJgrmSE.exe

Filesize
5.2MB

MD5
078f7f4d2d154788cd9f0fd1b275027f

SHA1
fb046728ca67314e847490433d01b852ffdd4835

SHA256
e5f5fdc29f0990e3514adf67a20949173b28d86d75d084c66be3730fe886d9da

SHA512
20074ad354b8c6027978fc51171d5c18e1e9686ae42b156615c3ef10507fe002057c3878deaece9f99b99c03b557d20490722c8b69d21791998a4420f772bc18

Download Submit
C:\Windows\System\gAvMPRn.exe

Filesize
5.2MB

MD5
828014b094d8d2707774f0b27716f111

SHA1
e40e6700bff59e1cd4f18f546b2297703aa6eef9

SHA256
1845f65dd07b4e32cc090a7950fd283b6010cc668cf5e7fe739975e9f2a28f3b

SHA512
0708519265a2911b93d4a38e8304a9442160793e2da87010df7a37ee33e4cc37fb66a3bd3a9eeb1d5117b60e5d59366822f3ec394b5513689d02fb8a54379424

Download Submit
C:\Windows\System\gLfZwcZ.exe

Filesize
5.2MB

MD5
dee1c5c3052a163eb264a078d5ff678d

SHA1
11d75da3d0f253c57a1cf1220b802473e5c96476

SHA256
eae41d1422d3d2bd87d8d57972c09c63720b853f42bb09813a0012214ffa18d0

SHA512
f093847792944216202d9a81378de93b8dd81e701b6ce92d07676605f09d2af45e7cbb19ddc2cda79626a2d29f269fbb174c5ddcd156d584c17ae8fa29e2f0ea

Download Submit
C:\Windows\System\hzBgbtC.exe

Filesize
5.2MB

MD5
07a2c06e94365be767c93b9a5fb78028

SHA1
ebb45739aec3ba19d8923b208a763f04040a36f0

SHA256
cf5cfb29b5a4ccb6278177d0ab1ca74c4df3202386eff59acd5947fc32a61638

SHA512
750d79023973f473bb6a80c429e045d8e907f6bdbd947b5aa08ba6548ca3bbe6b1bdfd1f5750190e1f2ea028b27e430a108936432661ccde4dcbaecd2ce71855

Download Submit
C:\Windows\System\iAlQFKq.exe

Filesize
5.2MB

MD5
485209caa63bafd71dbfb07d207630fd

SHA1
43ba60317470bd74d9de844a764a47043607a947

SHA256
e22ee51c38b758d148f80afb2231a10ded7b853cd98b66eab7faa38ae5423d84

SHA512
dc0528440e8fb08f9e8aec8dd87b2dc2d96e7c515ca54be844c6e86042000de8e82b593e9698ba3dd89e34545e43325f2439097f4564d599014a89ce0d4a6712

Download Submit
C:\Windows\System\jQWOvlf.exe

Filesize
5.2MB

MD5
9a94dd0cdb4544fc13bf33ab66d84e15

SHA1
806f6c664da5d4a46ddd17a9e8dd2c22a81124d4

SHA256
d9b844b4d5ba056cb4111fe8f81ece926bbc3d9a0bec7d354742f97b45ed0b5f

SHA512
4ff114def4fe90d5ce5ea8f0a49c10de029ac1f8d1ba490576ac4f3da45059819e6b1c503ec07d37d62c26d9a94fdbd4bd57c630cb5e86fd2090590f09d2cc14

Download Submit
C:\Windows\System\jVEBpND.exe

Filesize
5.2MB

MD5
8dfb3b69e32ef34f8a9325f89b5ecba6

SHA1
63829065d15c9e5d37c0ef893836458c6eec24a8

SHA256
32a9ea464220333c4c6ef01cd3343c0845a1379dc34736545e61fd29934b783e

SHA512
5668155f52ac5c12ba98d3f61444b0ee10e53b345f58c6dab05679a62448c19b06721c1e9e2954f764a4ed80446b82a22b152095b8ab3964c7d1f54c892e7db2

Download Submit
C:\Windows\System\kPcGYlB.exe

Filesize
5.2MB

MD5
16f644baf217ccff5d3b24bdc90cc222

SHA1
a301555e7ed1f00274004d4f934e461803cb2805

SHA256
8f540cd15273753bb2abfdf57cada0a64186a4b4e9b7e6e162615dee9ee560b8

SHA512
2f9e8c2823a5ccd3e82c7b22e091c783d49afe78ffb3f6c97c42a6ac93327ae4adf3c7fcf62baa4f6e36e8b1b56bbc9035e645965861f6183de221874fd8598d

Download Submit
C:\Windows\System\kioyZlf.exe

Filesize
5.2MB

MD5
ccf3a41664e07286fc783cf2ec887529

SHA1
bfa83740560d9ec288b6666cf509912c2416dcbc

SHA256
06abedf31e4dfa7e7a333c4958a109dd47b9bd825fbc9c2146a9b44d748bfc22

SHA512
262f8cbb427576a7433239ec92b9d28c39250c95a796973226a65e1abe5168d3438c48ff362dc6141f36dfd8881e81fdc4f6fea254cb7aef0b0ab1d0d5b17c79

Download Submit
C:\Windows\System\rHyEhSD.exe

Filesize
5.2MB

MD5
90d17f3c38d8fdc8199c7abffb658d88

SHA1
463b1b7bdaacbcdaa0f7c955fb16c372f3aaa556

SHA256
fdd90646990ad84caa0706eb57ac10b76f108621b3eda90a7d0ab88201449cd1

SHA512
210c505a286dcbf6e0869c7efc8eb4d0b258da4e8dafe951487ccef951350ae97d64fb94502087ea28a4d01c2f4e72e89ba7db2aadb6f4a290c278cf8f1201c9

Download Submit
C:\Windows\System\sRXwmaW.exe

Filesize
5.2MB

MD5
2c5ecd41f01715a637a49d0fb2b951ff

SHA1
6aac808a5df001431c75f821ccd1ff7b28198e75

SHA256
4216c1a00429193e01533d1535eb690d3c56b85cd110002c6c86c9e0453ba9bc

SHA512
0e102b38cc9b14f8a3ac5238e1e726bd0c223d0a000f8bbc24f80321fe01a08041cdc43e22c98b65c316ae643c9a24e663e9fa41ce8d344947c580bd3da22382

Download Submit
C:\Windows\System\xBXNssp.exe

Filesize
5.2MB

MD5
db519094d20256a180842633897bbe81

SHA1
31c96607b5a325dc2868c4f336929928d7ffc135

SHA256
97cc4250a1c3f268c4e79055fc53d211ee82656bb19acfcded1b5706d0da521d

SHA512
e811340a7390aeda7b63b797c7b9c7e3a93861b79b3633350a662761876d71db55dca635ab7089b4fac1a307a8f429975f1fdea5f5a523f4a32d215ee7caf29e

Download Submit
memory/1056-48-0x00007FF78B0A0000-0x00007FF78B3F1000-memory.dmp

Filesize
3.3MB

Download
memory/1056-119-0x00007FF78B0A0000-0x00007FF78B3F1000-memory.dmp

Filesize
3.3MB

Download
memory/1056-239-0x00007FF78B0A0000-0x00007FF78B3F1000-memory.dmp

Filesize
3.3MB

Download
memory/1488-168-0x00007FF6A2CE0000-0x00007FF6A3031000-memory.dmp

Filesize
3.3MB

Download
memory/1488-0-0x00007FF6A2CE0000-0x00007FF6A3031000-memory.dmp

Filesize
3.3MB

Download
memory/1488-1-0x000001AA8DC90000-0x000001AA8DCA0000-memory.dmp

Filesize
64KB

Download
memory/1488-143-0x00007FF6A2CE0000-0x00007FF6A3031000-memory.dmp

Filesize
3.3MB

Download
memory/1488-58-0x00007FF6A2CE0000-0x00007FF6A3031000-memory.dmp

Filesize
3.3MB

Download
memory/1580-120-0x00007FF727B30000-0x00007FF727E81000-memory.dmp

Filesize
3.3MB

Download
memory/1580-275-0x00007FF727B30000-0x00007FF727E81000-memory.dmp

Filesize
3.3MB

Download
memory/1580-163-0x00007FF727B30000-0x00007FF727E81000-memory.dmp

Filesize
3.3MB

Download
memory/1744-63-0x00007FF621A70000-0x00007FF621DC1000-memory.dmp

Filesize
3.3MB

Download
memory/1744-129-0x00007FF621A70000-0x00007FF621DC1000-memory.dmp

Filesize
3.3MB

Download
memory/1744-253-0x00007FF621A70000-0x00007FF621DC1000-memory.dmp

Filesize
3.3MB

Download
memory/1852-265-0x00007FF6D7410000-0x00007FF6D7761000-memory.dmp

Filesize
3.3MB

Download
memory/1852-153-0x00007FF6D7410000-0x00007FF6D7761000-memory.dmp

Filesize
3.3MB

Download
memory/1852-105-0x00007FF6D7410000-0x00007FF6D7761000-memory.dmp

Filesize
3.3MB

Download
memory/1976-273-0x00007FF641840000-0x00007FF641B91000-memory.dmp

Filesize
3.3MB

Download
memory/1976-167-0x00007FF641840000-0x00007FF641B91000-memory.dmp

Filesize
3.3MB

Download
memory/1976-136-0x00007FF641840000-0x00007FF641B91000-memory.dmp

Filesize
3.3MB

Download
memory/2232-165-0x00007FF6BBB70000-0x00007FF6BBEC1000-memory.dmp

Filesize
3.3MB

Download
memory/2232-131-0x00007FF6BBB70000-0x00007FF6BBEC1000-memory.dmp

Filesize
3.3MB

Download
memory/2232-271-0x00007FF6BBB70000-0x00007FF6BBEC1000-memory.dmp

Filesize
3.3MB

Download
memory/2360-67-0x00007FF6D6B90000-0x00007FF6D6EE1000-memory.dmp

Filesize
3.3MB

Download
memory/2360-8-0x00007FF6D6B90000-0x00007FF6D6EE1000-memory.dmp

Filesize
3.3MB

Download
memory/2360-217-0x00007FF6D6B90000-0x00007FF6D6EE1000-memory.dmp

Filesize
3.3MB

Download
memory/2488-97-0x00007FF678A10000-0x00007FF678D61000-memory.dmp

Filesize
3.3MB

Download
memory/2488-144-0x00007FF678A10000-0x00007FF678D61000-memory.dmp

Filesize
3.3MB

Download
memory/2488-261-0x00007FF678A10000-0x00007FF678D61000-memory.dmp

Filesize
3.3MB

Download
memory/3076-135-0x00007FF77F2B0000-0x00007FF77F601000-memory.dmp

Filesize
3.3MB

Download
memory/3076-255-0x00007FF77F2B0000-0x00007FF77F601000-memory.dmp

Filesize
3.3MB

Download
memory/3076-68-0x00007FF77F2B0000-0x00007FF77F601000-memory.dmp

Filesize
3.3MB

Download
memory/3116-75-0x00007FF7BD8D0000-0x00007FF7BDC21000-memory.dmp

Filesize
3.3MB

Download
memory/3116-139-0x00007FF7BD8D0000-0x00007FF7BDC21000-memory.dmp

Filesize
3.3MB

Download
memory/3116-257-0x00007FF7BD8D0000-0x00007FF7BDC21000-memory.dmp

Filesize
3.3MB

Download
memory/3356-229-0x00007FF76F2C0000-0x00007FF76F611000-memory.dmp

Filesize
3.3MB

Download
memory/3356-81-0x00007FF76F2C0000-0x00007FF76F611000-memory.dmp

Filesize
3.3MB

Download
memory/3356-20-0x00007FF76F2C0000-0x00007FF76F611000-memory.dmp

Filesize
3.3MB

Download
memory/3408-125-0x00007FF7C3510000-0x00007FF7C3861000-memory.dmp

Filesize
3.3MB

Download
memory/3408-251-0x00007FF7C3510000-0x00007FF7C3861000-memory.dmp

Filesize
3.3MB

Download
memory/3408-56-0x00007FF7C3510000-0x00007FF7C3861000-memory.dmp

Filesize
3.3MB

Download
memory/3476-13-0x00007FF639F90000-0x00007FF63A2E1000-memory.dmp

Filesize
3.3MB

Download
memory/3476-227-0x00007FF639F90000-0x00007FF63A2E1000-memory.dmp

Filesize
3.3MB

Download
memory/3476-74-0x00007FF639F90000-0x00007FF63A2E1000-memory.dmp

Filesize
3.3MB

Download
memory/3500-235-0x00007FF783B20000-0x00007FF783E71000-memory.dmp

Filesize
3.3MB

Download
memory/3500-103-0x00007FF783B20000-0x00007FF783E71000-memory.dmp

Filesize
3.3MB

Download
memory/3500-38-0x00007FF783B20000-0x00007FF783E71000-memory.dmp

Filesize
3.3MB

Download
memory/3564-88-0x00007FF713400000-0x00007FF713751000-memory.dmp

Filesize
3.3MB

Download
memory/3564-259-0x00007FF713400000-0x00007FF713751000-memory.dmp

Filesize
3.3MB

Download
memory/3564-142-0x00007FF713400000-0x00007FF713751000-memory.dmp

Filesize
3.3MB

Download
memory/3616-112-0x00007FF6EEAE0000-0x00007FF6EEE31000-memory.dmp

Filesize
3.3MB

Download
memory/3616-166-0x00007FF6EEAE0000-0x00007FF6EEE31000-memory.dmp

Filesize
3.3MB

Download
memory/3616-267-0x00007FF6EEAE0000-0x00007FF6EEE31000-memory.dmp

Filesize
3.3MB

Download
memory/3772-43-0x00007FF7A6690000-0x00007FF7A69E1000-memory.dmp

Filesize
3.3MB

Download
memory/3772-237-0x00007FF7A6690000-0x00007FF7A69E1000-memory.dmp

Filesize
3.3MB

Download
memory/3772-111-0x00007FF7A6690000-0x00007FF7A69E1000-memory.dmp

Filesize
3.3MB

Download
memory/4048-121-0x00007FF7AFF40000-0x00007FF7B0291000-memory.dmp

Filesize
3.3MB

Download
memory/4048-164-0x00007FF7AFF40000-0x00007FF7B0291000-memory.dmp

Filesize
3.3MB

Download
memory/4048-269-0x00007FF7AFF40000-0x00007FF7B0291000-memory.dmp

Filesize
3.3MB

Download
memory/4564-82-0x00007FF7B0670000-0x00007FF7B09C1000-memory.dmp

Filesize
3.3MB

Download
memory/4564-141-0x00007FF7B0670000-0x00007FF7B09C1000-memory.dmp

Filesize
3.3MB

Download
memory/4564-263-0x00007FF7B0670000-0x00007FF7B09C1000-memory.dmp

Filesize
3.3MB

Download
memory/4684-30-0x00007FF62FD20000-0x00007FF630071000-memory.dmp

Filesize
3.3MB

Download
memory/4684-96-0x00007FF62FD20000-0x00007FF630071000-memory.dmp

Filesize
3.3MB

Download
memory/4684-233-0x00007FF62FD20000-0x00007FF630071000-memory.dmp

Filesize
3.3MB

Download
memory/4924-231-0x00007FF736420000-0x00007FF736771000-memory.dmp

Filesize
3.3MB

Download
memory/4924-24-0x00007FF736420000-0x00007FF736771000-memory.dmp

Filesize
3.3MB

Download
memory/4924-87-0x00007FF736420000-0x00007FF736771000-memory.dmp

Filesize
3.3MB

Download