cobaltstrike | 1204529716d0c29be68eeacdc4a24742037bb8bcfa2a7b9444e52a6ebe54e2dd

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04/01/2025, 05:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-04_e0a98c69e06689cb28f24d3bb17d476b_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

e0a98c69e06689cb28f24d3bb17d476b
SHA1

675f8589724fce0a905b3a3b546d1309f938c7c9
SHA256

1204529716d0c29be68eeacdc4a24742037bb8bcfa2a7b9444e52a6ebe54e2dd
SHA512

f3034aef20b32e04ad191d412f0ff98b71e6e56639417496f9a87239132833fb7739030b34b4ea493ea71ca09904dc5dc2770331805b27fc41c8d16003ddc778
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lD:RWWBibf56utgpPFotBER/mQ32lUP

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000b000000023b8d-4.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b91-10.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b92-11.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b93-22.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b94-28.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b95-34.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b96-43.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b98-47.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b8e-54.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b99-61.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9a-67.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9b-73.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9c-83.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9d-88.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b9f-104.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9e-97.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023ba0-110.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba9-117.dat	cobalt_reflective_dll
behavioral2/files/0x000e000000023bb0-121.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bb9-128.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023bbe-135.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 46 IoCs

miner

resource	yara_rule
behavioral2/memory/3352-56-0x00007FF792F00000-0x00007FF793251000-memory.dmp	xmrig
behavioral2/memory/2880-62-0x00007FF7D2340000-0x00007FF7D2691000-memory.dmp	xmrig
behavioral2/memory/3456-68-0x00007FF7290A0000-0x00007FF7293F1000-memory.dmp	xmrig
behavioral2/memory/4456-71-0x00007FF7E8B00000-0x00007FF7E8E51000-memory.dmp	xmrig
behavioral2/memory/3108-64-0x00007FF7AD3B0000-0x00007FF7AD701000-memory.dmp	xmrig
behavioral2/memory/4568-94-0x00007FF7BBE20000-0x00007FF7BC171000-memory.dmp	xmrig
behavioral2/memory/3656-102-0x00007FF621590000-0x00007FF6218E1000-memory.dmp	xmrig
behavioral2/memory/3392-95-0x00007FF6713B0000-0x00007FF671701000-memory.dmp	xmrig
behavioral2/memory/460-93-0x00007FF6F4F30000-0x00007FF6F5281000-memory.dmp	xmrig
behavioral2/memory/3124-82-0x00007FF7BD880000-0x00007FF7BDBD1000-memory.dmp	xmrig
behavioral2/memory/4972-74-0x00007FF7D9E00000-0x00007FF7DA151000-memory.dmp	xmrig
behavioral2/memory/1576-107-0x00007FF616E90000-0x00007FF6171E1000-memory.dmp	xmrig
behavioral2/memory/3924-112-0x00007FF7E5650000-0x00007FF7E59A1000-memory.dmp	xmrig
behavioral2/memory/1868-118-0x00007FF764060000-0x00007FF7643B1000-memory.dmp	xmrig
behavioral2/memory/836-115-0x00007FF7D7510000-0x00007FF7D7861000-memory.dmp	xmrig
behavioral2/memory/2812-136-0x00007FF6F92C0000-0x00007FF6F9611000-memory.dmp	xmrig
behavioral2/memory/4456-129-0x00007FF7E8B00000-0x00007FF7E8E51000-memory.dmp	xmrig
behavioral2/memory/3352-140-0x00007FF792F00000-0x00007FF793251000-memory.dmp	xmrig
behavioral2/memory/4488-148-0x00007FF617020000-0x00007FF617371000-memory.dmp	xmrig
behavioral2/memory/868-151-0x00007FF6BB910000-0x00007FF6BBC61000-memory.dmp	xmrig
behavioral2/memory/1524-160-0x00007FF6E2060000-0x00007FF6E23B1000-memory.dmp	xmrig
behavioral2/memory/3852-161-0x00007FF623C50000-0x00007FF623FA1000-memory.dmp	xmrig
behavioral2/memory/2452-164-0x00007FF6ECF90000-0x00007FF6ED2E1000-memory.dmp	xmrig
behavioral2/memory/2932-165-0x00007FF7CCC00000-0x00007FF7CCF51000-memory.dmp	xmrig
behavioral2/memory/3352-166-0x00007FF792F00000-0x00007FF793251000-memory.dmp	xmrig
behavioral2/memory/2880-216-0x00007FF7D2340000-0x00007FF7D2691000-memory.dmp	xmrig
behavioral2/memory/3456-218-0x00007FF7290A0000-0x00007FF7293F1000-memory.dmp	xmrig
behavioral2/memory/4972-225-0x00007FF7D9E00000-0x00007FF7DA151000-memory.dmp	xmrig
behavioral2/memory/3124-224-0x00007FF7BD880000-0x00007FF7BDBD1000-memory.dmp	xmrig
behavioral2/memory/4568-229-0x00007FF7BBE20000-0x00007FF7BC171000-memory.dmp	xmrig
behavioral2/memory/3656-228-0x00007FF621590000-0x00007FF6218E1000-memory.dmp	xmrig
behavioral2/memory/1576-233-0x00007FF616E90000-0x00007FF6171E1000-memory.dmp	xmrig
behavioral2/memory/3924-235-0x00007FF7E5650000-0x00007FF7E59A1000-memory.dmp	xmrig
behavioral2/memory/1868-237-0x00007FF764060000-0x00007FF7643B1000-memory.dmp	xmrig
behavioral2/memory/3108-244-0x00007FF7AD3B0000-0x00007FF7AD701000-memory.dmp	xmrig
behavioral2/memory/4456-246-0x00007FF7E8B00000-0x00007FF7E8E51000-memory.dmp	xmrig
behavioral2/memory/2812-248-0x00007FF6F92C0000-0x00007FF6F9611000-memory.dmp	xmrig
behavioral2/memory/460-253-0x00007FF6F4F30000-0x00007FF6F5281000-memory.dmp	xmrig
behavioral2/memory/3392-255-0x00007FF6713B0000-0x00007FF671701000-memory.dmp	xmrig
behavioral2/memory/4488-257-0x00007FF617020000-0x00007FF617371000-memory.dmp	xmrig
behavioral2/memory/868-259-0x00007FF6BB910000-0x00007FF6BBC61000-memory.dmp	xmrig
behavioral2/memory/836-264-0x00007FF7D7510000-0x00007FF7D7861000-memory.dmp	xmrig
behavioral2/memory/1524-266-0x00007FF6E2060000-0x00007FF6E23B1000-memory.dmp	xmrig
behavioral2/memory/3852-268-0x00007FF623C50000-0x00007FF623FA1000-memory.dmp	xmrig
behavioral2/memory/2452-271-0x00007FF6ECF90000-0x00007FF6ED2E1000-memory.dmp	xmrig
behavioral2/memory/2932-273-0x00007FF7CCC00000-0x00007FF7CCF51000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2880	EQBCUjZ.exe
3456	VidWPLH.exe
4972	IZDKVhx.exe
3124	hVeWTyf.exe
4568	KVnDCDr.exe
3656	tbFTLCz.exe
1576	yNVQsNy.exe
3924	UttUIgv.exe
1868	DdXjMMg.exe
3108	cUhdvrQ.exe
4456	SmAXpdR.exe
2812	syQOOsn.exe
460	wojklOX.exe
3392	ltLjsho.exe
4488	BVFKJJL.exe
868	lgOWxNl.exe
836	CfBKYEG.exe
1524	FSyInVs.exe
3852	egoswCA.exe
2452	VdTjFnY.exe
2932	cUiKKoW.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3352-0-0x00007FF792F00000-0x00007FF793251000-memory.dmp	upx
behavioral2/files/0x000b000000023b8d-4.dat	upx
behavioral2/memory/2880-8-0x00007FF7D2340000-0x00007FF7D2691000-memory.dmp	upx
behavioral2/files/0x000a000000023b91-10.dat	upx
behavioral2/files/0x000a000000023b92-11.dat	upx
behavioral2/memory/3456-13-0x00007FF7290A0000-0x00007FF7293F1000-memory.dmp	upx
behavioral2/files/0x000a000000023b93-22.dat	upx
behavioral2/files/0x000a000000023b94-28.dat	upx
behavioral2/files/0x000a000000023b95-34.dat	upx
behavioral2/memory/3656-35-0x00007FF621590000-0x00007FF6218E1000-memory.dmp	upx
behavioral2/memory/4568-30-0x00007FF7BBE20000-0x00007FF7BC171000-memory.dmp	upx
behavioral2/memory/4972-18-0x00007FF7D9E00000-0x00007FF7DA151000-memory.dmp	upx
behavioral2/memory/3124-23-0x00007FF7BD880000-0x00007FF7BDBD1000-memory.dmp	upx
behavioral2/files/0x000a000000023b96-43.dat	upx
behavioral2/memory/1576-42-0x00007FF616E90000-0x00007FF6171E1000-memory.dmp	upx
behavioral2/files/0x000a000000023b98-47.dat	upx
behavioral2/files/0x000b000000023b8e-54.dat	upx
behavioral2/memory/1868-53-0x00007FF764060000-0x00007FF7643B1000-memory.dmp	upx
behavioral2/memory/3924-48-0x00007FF7E5650000-0x00007FF7E59A1000-memory.dmp	upx
behavioral2/memory/3352-56-0x00007FF792F00000-0x00007FF793251000-memory.dmp	upx
behavioral2/memory/2880-62-0x00007FF7D2340000-0x00007FF7D2691000-memory.dmp	upx
behavioral2/files/0x000a000000023b99-61.dat	upx
behavioral2/files/0x000a000000023b9a-67.dat	upx
behavioral2/memory/3456-68-0x00007FF7290A0000-0x00007FF7293F1000-memory.dmp	upx
behavioral2/memory/4456-71-0x00007FF7E8B00000-0x00007FF7E8E51000-memory.dmp	upx
behavioral2/memory/3108-64-0x00007FF7AD3B0000-0x00007FF7AD701000-memory.dmp	upx
behavioral2/files/0x000a000000023b9b-73.dat	upx
behavioral2/files/0x000a000000023b9c-83.dat	upx
behavioral2/files/0x000a000000023b9d-88.dat	upx
behavioral2/memory/4568-94-0x00007FF7BBE20000-0x00007FF7BC171000-memory.dmp	upx
behavioral2/memory/4488-101-0x00007FF617020000-0x00007FF617371000-memory.dmp	upx
behavioral2/files/0x000b000000023b9f-104.dat	upx
behavioral2/memory/868-103-0x00007FF6BB910000-0x00007FF6BBC61000-memory.dmp	upx
behavioral2/memory/3656-102-0x00007FF621590000-0x00007FF6218E1000-memory.dmp	upx
behavioral2/files/0x000a000000023b9e-97.dat	upx
behavioral2/memory/3392-95-0x00007FF6713B0000-0x00007FF671701000-memory.dmp	upx
behavioral2/memory/460-93-0x00007FF6F4F30000-0x00007FF6F5281000-memory.dmp	upx
behavioral2/memory/3124-82-0x00007FF7BD880000-0x00007FF7BDBD1000-memory.dmp	upx
behavioral2/memory/2812-80-0x00007FF6F92C0000-0x00007FF6F9611000-memory.dmp	upx
behavioral2/memory/4972-74-0x00007FF7D9E00000-0x00007FF7DA151000-memory.dmp	upx
behavioral2/memory/1576-107-0x00007FF616E90000-0x00007FF6171E1000-memory.dmp	upx
behavioral2/files/0x000b000000023ba0-110.dat	upx
behavioral2/memory/3924-112-0x00007FF7E5650000-0x00007FF7E59A1000-memory.dmp	upx
behavioral2/files/0x000a000000023ba9-117.dat	upx
behavioral2/memory/1524-119-0x00007FF6E2060000-0x00007FF6E23B1000-memory.dmp	upx
behavioral2/files/0x000e000000023bb0-121.dat	upx
behavioral2/memory/3852-124-0x00007FF623C50000-0x00007FF623FA1000-memory.dmp	upx
behavioral2/memory/1868-118-0x00007FF764060000-0x00007FF7643B1000-memory.dmp	upx
behavioral2/memory/836-115-0x00007FF7D7510000-0x00007FF7D7861000-memory.dmp	upx
behavioral2/files/0x0008000000023bb9-128.dat	upx
behavioral2/memory/2452-132-0x00007FF6ECF90000-0x00007FF6ED2E1000-memory.dmp	upx
behavioral2/files/0x0009000000023bbe-135.dat	upx
behavioral2/memory/2932-137-0x00007FF7CCC00000-0x00007FF7CCF51000-memory.dmp	upx
behavioral2/memory/2812-136-0x00007FF6F92C0000-0x00007FF6F9611000-memory.dmp	upx
behavioral2/memory/4456-129-0x00007FF7E8B00000-0x00007FF7E8E51000-memory.dmp	upx
behavioral2/memory/3352-140-0x00007FF792F00000-0x00007FF793251000-memory.dmp	upx
behavioral2/memory/4488-148-0x00007FF617020000-0x00007FF617371000-memory.dmp	upx
behavioral2/memory/868-151-0x00007FF6BB910000-0x00007FF6BBC61000-memory.dmp	upx
behavioral2/memory/1524-160-0x00007FF6E2060000-0x00007FF6E23B1000-memory.dmp	upx
behavioral2/memory/3852-161-0x00007FF623C50000-0x00007FF623FA1000-memory.dmp	upx
behavioral2/memory/2452-164-0x00007FF6ECF90000-0x00007FF6ED2E1000-memory.dmp	upx
behavioral2/memory/2932-165-0x00007FF7CCC00000-0x00007FF7CCF51000-memory.dmp	upx
behavioral2/memory/3352-166-0x00007FF792F00000-0x00007FF793251000-memory.dmp	upx
behavioral2/memory/2880-216-0x00007FF7D2340000-0x00007FF7D2691000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\tbFTLCz.exe	2025-01-04_e0a98c69e06689cb28f24d3bb17d476b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lgOWxNl.exe	2025-01-04_e0a98c69e06689cb28f24d3bb17d476b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CfBKYEG.exe	2025-01-04_e0a98c69e06689cb28f24d3bb17d476b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cUiKKoW.exe	2025-01-04_e0a98c69e06689cb28f24d3bb17d476b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BVFKJJL.exe	2025-01-04_e0a98c69e06689cb28f24d3bb17d476b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EQBCUjZ.exe	2025-01-04_e0a98c69e06689cb28f24d3bb17d476b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VidWPLH.exe	2025-01-04_e0a98c69e06689cb28f24d3bb17d476b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hVeWTyf.exe	2025-01-04_e0a98c69e06689cb28f24d3bb17d476b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UttUIgv.exe	2025-01-04_e0a98c69e06689cb28f24d3bb17d476b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DdXjMMg.exe	2025-01-04_e0a98c69e06689cb28f24d3bb17d476b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cUhdvrQ.exe	2025-01-04_e0a98c69e06689cb28f24d3bb17d476b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SmAXpdR.exe	2025-01-04_e0a98c69e06689cb28f24d3bb17d476b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KVnDCDr.exe	2025-01-04_e0a98c69e06689cb28f24d3bb17d476b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yNVQsNy.exe	2025-01-04_e0a98c69e06689cb28f24d3bb17d476b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\syQOOsn.exe	2025-01-04_e0a98c69e06689cb28f24d3bb17d476b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\egoswCA.exe	2025-01-04_e0a98c69e06689cb28f24d3bb17d476b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IZDKVhx.exe	2025-01-04_e0a98c69e06689cb28f24d3bb17d476b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wojklOX.exe	2025-01-04_e0a98c69e06689cb28f24d3bb17d476b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ltLjsho.exe	2025-01-04_e0a98c69e06689cb28f24d3bb17d476b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FSyInVs.exe	2025-01-04_e0a98c69e06689cb28f24d3bb17d476b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VdTjFnY.exe	2025-01-04_e0a98c69e06689cb28f24d3bb17d476b_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3352	2025-01-04_e0a98c69e06689cb28f24d3bb17d476b_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	3352	2025-01-04_e0a98c69e06689cb28f24d3bb17d476b_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3352 wrote to memory of 2880	3352	2025-01-04_e0a98c69e06689cb28f24d3bb17d476b_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3352 wrote to memory of 2880	3352	2025-01-04_e0a98c69e06689cb28f24d3bb17d476b_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3352 wrote to memory of 3456	3352	2025-01-04_e0a98c69e06689cb28f24d3bb17d476b_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3352 wrote to memory of 3456	3352	2025-01-04_e0a98c69e06689cb28f24d3bb17d476b_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3352 wrote to memory of 4972	3352	2025-01-04_e0a98c69e06689cb28f24d3bb17d476b_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3352 wrote to memory of 4972	3352	2025-01-04_e0a98c69e06689cb28f24d3bb17d476b_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3352 wrote to memory of 3124	3352	2025-01-04_e0a98c69e06689cb28f24d3bb17d476b_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3352 wrote to memory of 3124	3352	2025-01-04_e0a98c69e06689cb28f24d3bb17d476b_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3352 wrote to memory of 4568	3352	2025-01-04_e0a98c69e06689cb28f24d3bb17d476b_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3352 wrote to memory of 4568	3352	2025-01-04_e0a98c69e06689cb28f24d3bb17d476b_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3352 wrote to memory of 3656	3352	2025-01-04_e0a98c69e06689cb28f24d3bb17d476b_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3352 wrote to memory of 3656	3352	2025-01-04_e0a98c69e06689cb28f24d3bb17d476b_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3352 wrote to memory of 1576	3352	2025-01-04_e0a98c69e06689cb28f24d3bb17d476b_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3352 wrote to memory of 1576	3352	2025-01-04_e0a98c69e06689cb28f24d3bb17d476b_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3352 wrote to memory of 3924	3352	2025-01-04_e0a98c69e06689cb28f24d3bb17d476b_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3352 wrote to memory of 3924	3352	2025-01-04_e0a98c69e06689cb28f24d3bb17d476b_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3352 wrote to memory of 1868	3352	2025-01-04_e0a98c69e06689cb28f24d3bb17d476b_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3352 wrote to memory of 1868	3352	2025-01-04_e0a98c69e06689cb28f24d3bb17d476b_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3352 wrote to memory of 3108	3352	2025-01-04_e0a98c69e06689cb28f24d3bb17d476b_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3352 wrote to memory of 3108	3352	2025-01-04_e0a98c69e06689cb28f24d3bb17d476b_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3352 wrote to memory of 4456	3352	2025-01-04_e0a98c69e06689cb28f24d3bb17d476b_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3352 wrote to memory of 4456	3352	2025-01-04_e0a98c69e06689cb28f24d3bb17d476b_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3352 wrote to memory of 2812	3352	2025-01-04_e0a98c69e06689cb28f24d3bb17d476b_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3352 wrote to memory of 2812	3352	2025-01-04_e0a98c69e06689cb28f24d3bb17d476b_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3352 wrote to memory of 460	3352	2025-01-04_e0a98c69e06689cb28f24d3bb17d476b_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3352 wrote to memory of 460	3352	2025-01-04_e0a98c69e06689cb28f24d3bb17d476b_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3352 wrote to memory of 3392	3352	2025-01-04_e0a98c69e06689cb28f24d3bb17d476b_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3352 wrote to memory of 3392	3352	2025-01-04_e0a98c69e06689cb28f24d3bb17d476b_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3352 wrote to memory of 4488	3352	2025-01-04_e0a98c69e06689cb28f24d3bb17d476b_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3352 wrote to memory of 4488	3352	2025-01-04_e0a98c69e06689cb28f24d3bb17d476b_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3352 wrote to memory of 868	3352	2025-01-04_e0a98c69e06689cb28f24d3bb17d476b_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3352 wrote to memory of 868	3352	2025-01-04_e0a98c69e06689cb28f24d3bb17d476b_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3352 wrote to memory of 836	3352	2025-01-04_e0a98c69e06689cb28f24d3bb17d476b_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3352 wrote to memory of 836	3352	2025-01-04_e0a98c69e06689cb28f24d3bb17d476b_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3352 wrote to memory of 1524	3352	2025-01-04_e0a98c69e06689cb28f24d3bb17d476b_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3352 wrote to memory of 1524	3352	2025-01-04_e0a98c69e06689cb28f24d3bb17d476b_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3352 wrote to memory of 3852	3352	2025-01-04_e0a98c69e06689cb28f24d3bb17d476b_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3352 wrote to memory of 3852	3352	2025-01-04_e0a98c69e06689cb28f24d3bb17d476b_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3352 wrote to memory of 2452	3352	2025-01-04_e0a98c69e06689cb28f24d3bb17d476b_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3352 wrote to memory of 2452	3352	2025-01-04_e0a98c69e06689cb28f24d3bb17d476b_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3352 wrote to memory of 2932	3352	2025-01-04_e0a98c69e06689cb28f24d3bb17d476b_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 3352 wrote to memory of 2932	3352	2025-01-04_e0a98c69e06689cb28f24d3bb17d476b_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2025-01-04_e0a98c69e06689cb28f24d3bb17d476b_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-04_e0a98c69e06689cb28f24d3bb17d476b_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3352
- C:\Windows\System\EQBCUjZ.exe
  C:\Windows\System\EQBCUjZ.exe
  2⤵
  - Executes dropped EXE
  PID:2880
- C:\Windows\System\VidWPLH.exe
  C:\Windows\System\VidWPLH.exe
  2⤵
  - Executes dropped EXE
  PID:3456
- C:\Windows\System\IZDKVhx.exe
  C:\Windows\System\IZDKVhx.exe
  2⤵
  - Executes dropped EXE
  PID:4972
- C:\Windows\System\hVeWTyf.exe
  C:\Windows\System\hVeWTyf.exe
  2⤵
  - Executes dropped EXE
  PID:3124
- C:\Windows\System\KVnDCDr.exe
  C:\Windows\System\KVnDCDr.exe
  2⤵
  - Executes dropped EXE
  PID:4568
- C:\Windows\System\tbFTLCz.exe
  C:\Windows\System\tbFTLCz.exe
  2⤵
  - Executes dropped EXE
  PID:3656
- C:\Windows\System\yNVQsNy.exe
  C:\Windows\System\yNVQsNy.exe
  2⤵
  - Executes dropped EXE
  PID:1576
- C:\Windows\System\UttUIgv.exe
  C:\Windows\System\UttUIgv.exe
  2⤵
  - Executes dropped EXE
  PID:3924
- C:\Windows\System\DdXjMMg.exe
  C:\Windows\System\DdXjMMg.exe
  2⤵
  - Executes dropped EXE
  PID:1868
- C:\Windows\System\cUhdvrQ.exe
  C:\Windows\System\cUhdvrQ.exe
  2⤵
  - Executes dropped EXE
  PID:3108
- C:\Windows\System\SmAXpdR.exe
  C:\Windows\System\SmAXpdR.exe
  2⤵
  - Executes dropped EXE
  PID:4456
- C:\Windows\System\syQOOsn.exe
  C:\Windows\System\syQOOsn.exe
  2⤵
  - Executes dropped EXE
  PID:2812
- C:\Windows\System\wojklOX.exe
  C:\Windows\System\wojklOX.exe
  2⤵
  - Executes dropped EXE
  PID:460
- C:\Windows\System\ltLjsho.exe
  C:\Windows\System\ltLjsho.exe
  2⤵
  - Executes dropped EXE
  PID:3392
- C:\Windows\System\BVFKJJL.exe
  C:\Windows\System\BVFKJJL.exe
  2⤵
  - Executes dropped EXE
  PID:4488
- C:\Windows\System\lgOWxNl.exe
  C:\Windows\System\lgOWxNl.exe
  2⤵
  - Executes dropped EXE
  PID:868
- C:\Windows\System\CfBKYEG.exe
  C:\Windows\System\CfBKYEG.exe
  2⤵
  - Executes dropped EXE
  PID:836
- C:\Windows\System\FSyInVs.exe
  C:\Windows\System\FSyInVs.exe
  2⤵
  - Executes dropped EXE
  PID:1524
- C:\Windows\System\egoswCA.exe
  C:\Windows\System\egoswCA.exe
  2⤵
  - Executes dropped EXE
  PID:3852
- C:\Windows\System\VdTjFnY.exe
  C:\Windows\System\VdTjFnY.exe
  2⤵
  - Executes dropped EXE
  PID:2452
- C:\Windows\System\cUiKKoW.exe
  C:\Windows\System\cUiKKoW.exe
  2⤵
  - Executes dropped EXE
  PID:2932

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BVFKJJL.exe

Filesize
5.2MB

MD5
57d5fc8a73f79ab5c96f85c079a90587

SHA1
30d9a2ba2fa15641ca41b5bb2f2968045c9a7ee6

SHA256
4d11e88bdd2a96fc2bdd11d1183bf5599fa49472f557c9d65582fc99e15d4338

SHA512
40dcf63abf04fb89416464995a62f5cabe120d48dca10298194b49e91ffb4b82744eaa5f41fd3b45f3c079ec031933e38987d4ec2ea8866a03ade55f3df3052f

Download Submit
C:\Windows\System\CfBKYEG.exe

Filesize
5.2MB

MD5
1b9d99e3ceb8c4106d142e51ceb96582

SHA1
a1c10f2b123ce8bca389e438aa15ac9d37869e3c

SHA256
64b1d4e5672c00ef5dccb9133a327f9da63d6a1d456f8c5e57138d1bad05c80c

SHA512
ab8299d971885f38f17e83490d3c526250fc6914b048704c9be0b8b9fa5e72df68c5a2c971d073e85c1f020cc59c6ac282a80b026a743ff66116326a7ff0c4f1

Download Submit
C:\Windows\System\DdXjMMg.exe

Filesize
5.2MB

MD5
26f72318c58016f3ffd408b89b3ddc50

SHA1
7b77302d88c713a499dd40accc4b62397289503c

SHA256
8e5ccc5cea4fcbc1560c3b13916db10fd4ebbff0c0889066d3a721e443734ecb

SHA512
a0175443f5786ca73fe8faf26e2c72357c4894b6688c453781f06bb5ab4b34f70eabf103dd745c66d23ca6f7669326be9e164f306047b826343ef820d0cacd1e

Download Submit
C:\Windows\System\EQBCUjZ.exe

Filesize
5.2MB

MD5
3689d039d456aade5d94052ea0b78e86

SHA1
fe9151c6f3897e2fd5fcc23b6846a0fff37bc0f1

SHA256
73e1425cd42488739f31476915b77367b961358e68e007627113dada54c8af89

SHA512
48c7dbc28afe7df9aeb9dee15a699aed5989d256f7f2cbf52747e01dbca2ca00f77c17305f61846636e565af66047506863a8d8efc5bb54e950c868b61876c0b

Download Submit
C:\Windows\System\FSyInVs.exe

Filesize
5.2MB

MD5
eb053137d01102431d9093e8bd7b4547

SHA1
65a2d452b0dc7169e741ac1b62174d70803cd183

SHA256
2de61e90a35b21c2c7ebd9d928781e2850f1db62235c3accf9650f638f9ea84f

SHA512
cdb9ad15c4562061b43b9f400f4c86804b28dff78c3aa047e4102a12d02886acc935ef6f7cf3e309f988bfa44d4404f9b5368f4a83c096555a002cfa943e4a20

Download Submit
C:\Windows\System\IZDKVhx.exe

Filesize
5.2MB

MD5
85448d1608f0bdc03aafe98cbe39bb60

SHA1
a5fe0980a61e3904aeaab6eca819b4fc62870727

SHA256
d30a14669ba98df58036547403c6875fd3f292d6d0e95d057fd38879e8770ea7

SHA512
1147eabc60ff9df005eed2a9336cb8db141c1e885a9031cf9dea8755d88f2540f5f90e904b56f02242b90a2b4a242ffea7ca973659d0018d962399e402b855c0

Download Submit
C:\Windows\System\KVnDCDr.exe

Filesize
5.2MB

MD5
11bc9da989c7c270b5d571771397a2af

SHA1
c1e9c42f634ae2cbadda0c7eb2a4a35e8f18c520

SHA256
0c0cd2809e4eb8807cff0f825145320e49ed8e6693ae7f22e549695e9ce6d4dd

SHA512
cadf9a38d06929e9b56ec4ba65e2aeccbba2700d3993807e2b69dd82b7f44d33f200d3dc9a9cad8837e0a89a7b3379814cf87354865aadd0d415b5a5f9709ceb

Download Submit
C:\Windows\System\SmAXpdR.exe

Filesize
5.2MB

MD5
2113247f1284447804f9b740c138e290

SHA1
13329205458cd1b4220421eaf688a465ddae1689

SHA256
180436d0cf736c2c60a5714e072736235d73be3a51cbe7e3e9e6a45dfedb97b1

SHA512
78db4179fc50a4b476f057e4a464db17e6eca97854026bfe7175e0a09eb031986b412514ce3ac6b6b9b2d4b2635f06e473c5793c6a673c777d86948b9bc9b00c

Download Submit
C:\Windows\System\UttUIgv.exe

Filesize
5.2MB

MD5
407ca8853d72c44242e522a00cdc3254

SHA1
ffdb4e9a8f8252e636dd4dd3baffb822f02e622c

SHA256
d571a56c91c0a6fcea880aa35490cc4f79a865a13891563185e5e90f1aadbcfd

SHA512
d0c2e165536745c588f6878fb33fb25f47920826ab639088c8a793b2be82a85242107df19714d3a470d4a59fabbe6d6ba985958c104e713a9cbd321ce6e3e3fd

Download Submit
C:\Windows\System\VdTjFnY.exe

Filesize
5.2MB

MD5
b056a743bfde8e06e29563b04c72de4e

SHA1
2d9f8992659ce51259babfea55390dae12b0a557

SHA256
ea3b942fcd6c2366c8e98295032d2164f4e1f86093df0788b5033ace6b7cab4f

SHA512
6ca16b7f95aae2078c8d3e47dfd6ae79f15296f4600a6f724d340336d8597983c48a8302cbbd8678fa89775e32750798fbcd4deb167812cf6c41bd40e89fba03

Download Submit
C:\Windows\System\VidWPLH.exe

Filesize
5.2MB

MD5
c516cc27378de0ed97e6151f7788a307

SHA1
dd6139fea3b470130d85c3cd44586784c351d453

SHA256
205019b505b1444e1322011f90cd374950c154dc26dab24c1ac3ea415e13d950

SHA512
3d8f2f529a37b355413bd508de2b22d360cf679a84c4e21d4593a55db4b778bd40e4ce6496337906f5664bc6f63ac9b02c642f6bf1c882408736f8aca8e7702e

Download Submit
C:\Windows\System\cUhdvrQ.exe

Filesize
5.2MB

MD5
fa6c4d76df83fd175ec1f555fee59c9b

SHA1
0e4ba90aea29866728eb96c21f3aef1ce10b943f

SHA256
43c138a7c1950b1797f6fc6b422e7e273671e60fbbd3bff68452cbd3ff5d9e7f

SHA512
aec130451f88d70b41fac0c72f3895a82187f4e7c70282169d940a49a4aeb71b4b535dadafc0825e1a985bec0bceae4359dd7d5c2104d0584d2ef1975c5f8262

Download Submit
C:\Windows\System\cUiKKoW.exe

Filesize
5.2MB

MD5
1c8f0cb67348a4dc460914612ef8dae9

SHA1
44df8fed6a6d6a832b74a86ac53022a3d134ecb4

SHA256
1c1eafafed258989c1b66cb81dcf9f4fb20eb9e911a56ad31848126cc54ff8c5

SHA512
8b72e9ccb03b4095ccbd58664da2219d61131861363a7b11f8aaa9db6b11c96cc5b90420745d48f73e00b80317aa8d8db1d8b32b9a08a390ef8a6a07cd150b20

Download Submit
C:\Windows\System\egoswCA.exe

Filesize
5.2MB

MD5
7f27818ae6abddb993c12e2a713bf9e0

SHA1
949f241a776a67d034f35149b8a1a02abcc25321

SHA256
bfe4eb39361462b9e6882c0ca49e556afa705c028122d83d48ccd8aab40408cd

SHA512
1d6e66c3379a01bbac90f0d90695085d562e54b3cb2e0ad395afb25b15fe34dd1e8e424458f003c4d8f392ca496efb81457f827bb82403b3058ff0c2396d2fe6

Download Submit
C:\Windows\System\hVeWTyf.exe

Filesize
5.2MB

MD5
4143164a2f88187d9bf4cd6276e64f4a

SHA1
94e0d01f96be9698f5e506b1c06c7d7b2bb458f7

SHA256
b68bac33e3f6937f0cc496fe237f708294e31ed158a482ea91f5afd33338abb8

SHA512
bd0b2957aef212cccc42cdf23c25392129749cd91d57d9eb5710f82040d85af4d6acbf4d7a4ede6b5059daef1cda9e48abdaf7b2982b05950e09b7639dac8c1f

Download Submit
C:\Windows\System\lgOWxNl.exe

Filesize
5.2MB

MD5
42020920bb70bc1f109a9ea14e309af7

SHA1
c68f161b2dd50e4c9704df160c58eff8a8caa6ff

SHA256
36eda800939ddf1544b92397ab5087c3a551e3e48f747d1f043a848d982f2e59

SHA512
58fdcbd590e03e1d0189dc9cab6e02e95d3bfd1f82455e88d587fe99f048e68671aeecd75c9264dac6caad024f56b8be2fb4a17fd300e34f33b10df7a72ebec0

Download Submit
C:\Windows\System\ltLjsho.exe

Filesize
5.2MB

MD5
ecffc38f4ee006ea5d6039b759ad6a0a

SHA1
32b31f07f2159167437e38b7ac05a9a5f5ba847d

SHA256
ae876dd7eee6112ca6daacfd22122534cd338c20cc9844bb49c74f88e77aafed

SHA512
7f564d1dd907e84cdeb0284b3d91cfcbb8f1a9f4288cb1164296cd9dbbd96e717203264df2db471c37f02a5538f4f504aec6a5a41724cdaa277bc6251c10e3f4

Download Submit
C:\Windows\System\syQOOsn.exe

Filesize
5.2MB

MD5
d8065f48dbe8cc594f4ea44b2ae03310

SHA1
22b21bcf2a9faa826f28ba6ec4cd902071c25dfd

SHA256
68085ce24d58acb52425a91fe7a934faa4ff5810d8b9995928c1106eaa0461d9

SHA512
d91895ce3eafb831a530451830332398ed456c6becef20e34396b83ce395b7d6c141a4637e541c0dd5e69a4e80ed467044fe443b5567baaa8aa981d2d8fa4922

Download Submit
C:\Windows\System\tbFTLCz.exe

Filesize
5.2MB

MD5
54f84cc14d963c07d91ab6a1d3b31e13

SHA1
3379e6329334b6f433f9fbc1d859738cf1dc3fd5

SHA256
cb24d8ea3dd507c7d9466a36b83334f487ed2dc860b046647fea69e710f74f64

SHA512
4e51463251b2b6a37ee4802e8225a4123754eaf76e1cc59f9db201313f2cafeafc6d1c430d4424995a4be0efef9e90018d3b432a225c3988b6929786b1fe7593

Download Submit
C:\Windows\System\wojklOX.exe

Filesize
5.2MB

MD5
c4027ca3747047554ed69d2db96edc30

SHA1
fc7f736461a98c7bf3ccc4fda569d1ed08479781

SHA256
baf0206d7647ab688976a347561c0c427635b49303bc97dbba0970c2516e70c7

SHA512
b1986e81a11ae13c148641383818578e10f100c6e66a095a11de0386c786afa6b40ffb3f8e8215a0d85f6b183dbe1731f929dfd5e66b8c6b4edfd9104833018a

Download Submit
C:\Windows\System\yNVQsNy.exe

Filesize
5.2MB

MD5
6778b10cec11b2d6a3405ab6bd8a7925

SHA1
ea66b5af5ca853fd2ad6f97488e4ea0a6f9ed820

SHA256
6a47d9f086222945817165d291b102e2763b1475852cdb4c57efcdd4cd95a81e

SHA512
32cd29b3fa300f6113587a1be776b3fdfc228aff008e7839e806941a881364b389334e274779dab7fb8bcf14b75df46519b3d3779a0c234726df34f13a61e3ac

Download Submit
memory/460-93-0x00007FF6F4F30000-0x00007FF6F5281000-memory.dmp

Filesize
3.3MB

Download
memory/460-253-0x00007FF6F4F30000-0x00007FF6F5281000-memory.dmp

Filesize
3.3MB

Download
memory/836-264-0x00007FF7D7510000-0x00007FF7D7861000-memory.dmp

Filesize
3.3MB

Download
memory/836-115-0x00007FF7D7510000-0x00007FF7D7861000-memory.dmp

Filesize
3.3MB

Download
memory/868-151-0x00007FF6BB910000-0x00007FF6BBC61000-memory.dmp

Filesize
3.3MB

Download
memory/868-103-0x00007FF6BB910000-0x00007FF6BBC61000-memory.dmp

Filesize
3.3MB

Download
memory/868-259-0x00007FF6BB910000-0x00007FF6BBC61000-memory.dmp

Filesize
3.3MB

Download
memory/1524-160-0x00007FF6E2060000-0x00007FF6E23B1000-memory.dmp

Filesize
3.3MB

Download
memory/1524-119-0x00007FF6E2060000-0x00007FF6E23B1000-memory.dmp

Filesize
3.3MB

Download
memory/1524-266-0x00007FF6E2060000-0x00007FF6E23B1000-memory.dmp

Filesize
3.3MB

Download
memory/1576-233-0x00007FF616E90000-0x00007FF6171E1000-memory.dmp

Filesize
3.3MB

Download
memory/1576-42-0x00007FF616E90000-0x00007FF6171E1000-memory.dmp

Filesize
3.3MB

Download
memory/1576-107-0x00007FF616E90000-0x00007FF6171E1000-memory.dmp

Filesize
3.3MB

Download
memory/1868-53-0x00007FF764060000-0x00007FF7643B1000-memory.dmp

Filesize
3.3MB

Download
memory/1868-237-0x00007FF764060000-0x00007FF7643B1000-memory.dmp

Filesize
3.3MB

Download
memory/1868-118-0x00007FF764060000-0x00007FF7643B1000-memory.dmp

Filesize
3.3MB

Download
memory/2452-164-0x00007FF6ECF90000-0x00007FF6ED2E1000-memory.dmp

Filesize
3.3MB

Download
memory/2452-132-0x00007FF6ECF90000-0x00007FF6ED2E1000-memory.dmp

Filesize
3.3MB

Download
memory/2452-271-0x00007FF6ECF90000-0x00007FF6ED2E1000-memory.dmp

Filesize
3.3MB

Download
memory/2812-80-0x00007FF6F92C0000-0x00007FF6F9611000-memory.dmp

Filesize
3.3MB

Download
memory/2812-136-0x00007FF6F92C0000-0x00007FF6F9611000-memory.dmp

Filesize
3.3MB

Download
memory/2812-248-0x00007FF6F92C0000-0x00007FF6F9611000-memory.dmp

Filesize
3.3MB

Download
memory/2880-62-0x00007FF7D2340000-0x00007FF7D2691000-memory.dmp

Filesize
3.3MB

Download
memory/2880-216-0x00007FF7D2340000-0x00007FF7D2691000-memory.dmp

Filesize
3.3MB

Download
memory/2880-8-0x00007FF7D2340000-0x00007FF7D2691000-memory.dmp

Filesize
3.3MB

Download
memory/2932-273-0x00007FF7CCC00000-0x00007FF7CCF51000-memory.dmp

Filesize
3.3MB

Download
memory/2932-165-0x00007FF7CCC00000-0x00007FF7CCF51000-memory.dmp

Filesize
3.3MB

Download
memory/2932-137-0x00007FF7CCC00000-0x00007FF7CCF51000-memory.dmp

Filesize
3.3MB

Download
memory/3108-244-0x00007FF7AD3B0000-0x00007FF7AD701000-memory.dmp

Filesize
3.3MB

Download
memory/3108-64-0x00007FF7AD3B0000-0x00007FF7AD701000-memory.dmp

Filesize
3.3MB

Download
memory/3124-82-0x00007FF7BD880000-0x00007FF7BDBD1000-memory.dmp

Filesize
3.3MB

Download
memory/3124-23-0x00007FF7BD880000-0x00007FF7BDBD1000-memory.dmp

Filesize
3.3MB

Download
memory/3124-224-0x00007FF7BD880000-0x00007FF7BDBD1000-memory.dmp

Filesize
3.3MB

Download
memory/3352-140-0x00007FF792F00000-0x00007FF793251000-memory.dmp

Filesize
3.3MB

Download
memory/3352-1-0x00000265563E0000-0x00000265563F0000-memory.dmp

Filesize
64KB

Download
memory/3352-56-0x00007FF792F00000-0x00007FF793251000-memory.dmp

Filesize
3.3MB

Download
memory/3352-166-0x00007FF792F00000-0x00007FF793251000-memory.dmp

Filesize
3.3MB

Download
memory/3352-0-0x00007FF792F00000-0x00007FF793251000-memory.dmp

Filesize
3.3MB

Download
memory/3392-255-0x00007FF6713B0000-0x00007FF671701000-memory.dmp

Filesize
3.3MB

Download
memory/3392-95-0x00007FF6713B0000-0x00007FF671701000-memory.dmp

Filesize
3.3MB

Download
memory/3456-218-0x00007FF7290A0000-0x00007FF7293F1000-memory.dmp

Filesize
3.3MB

Download
memory/3456-68-0x00007FF7290A0000-0x00007FF7293F1000-memory.dmp

Filesize
3.3MB

Download
memory/3456-13-0x00007FF7290A0000-0x00007FF7293F1000-memory.dmp

Filesize
3.3MB

Download
memory/3656-35-0x00007FF621590000-0x00007FF6218E1000-memory.dmp

Filesize
3.3MB

Download
memory/3656-102-0x00007FF621590000-0x00007FF6218E1000-memory.dmp

Filesize
3.3MB

Download
memory/3656-228-0x00007FF621590000-0x00007FF6218E1000-memory.dmp

Filesize
3.3MB

Download
memory/3852-161-0x00007FF623C50000-0x00007FF623FA1000-memory.dmp

Filesize
3.3MB

Download
memory/3852-268-0x00007FF623C50000-0x00007FF623FA1000-memory.dmp

Filesize
3.3MB

Download
memory/3852-124-0x00007FF623C50000-0x00007FF623FA1000-memory.dmp

Filesize
3.3MB

Download
memory/3924-112-0x00007FF7E5650000-0x00007FF7E59A1000-memory.dmp

Filesize
3.3MB

Download
memory/3924-48-0x00007FF7E5650000-0x00007FF7E59A1000-memory.dmp

Filesize
3.3MB

Download
memory/3924-235-0x00007FF7E5650000-0x00007FF7E59A1000-memory.dmp

Filesize
3.3MB

Download
memory/4456-71-0x00007FF7E8B00000-0x00007FF7E8E51000-memory.dmp

Filesize
3.3MB

Download
memory/4456-246-0x00007FF7E8B00000-0x00007FF7E8E51000-memory.dmp

Filesize
3.3MB

Download
memory/4456-129-0x00007FF7E8B00000-0x00007FF7E8E51000-memory.dmp

Filesize
3.3MB

Download
memory/4488-257-0x00007FF617020000-0x00007FF617371000-memory.dmp

Filesize
3.3MB

Download
memory/4488-148-0x00007FF617020000-0x00007FF617371000-memory.dmp

Filesize
3.3MB

Download
memory/4488-101-0x00007FF617020000-0x00007FF617371000-memory.dmp

Filesize
3.3MB

Download
memory/4568-30-0x00007FF7BBE20000-0x00007FF7BC171000-memory.dmp

Filesize
3.3MB

Download
memory/4568-229-0x00007FF7BBE20000-0x00007FF7BC171000-memory.dmp

Filesize
3.3MB

Download
memory/4568-94-0x00007FF7BBE20000-0x00007FF7BC171000-memory.dmp

Filesize
3.3MB

Download
memory/4972-18-0x00007FF7D9E00000-0x00007FF7DA151000-memory.dmp

Filesize
3.3MB

Download
memory/4972-225-0x00007FF7D9E00000-0x00007FF7DA151000-memory.dmp

Filesize
3.3MB

Download
memory/4972-74-0x00007FF7D9E00000-0x00007FF7DA151000-memory.dmp

Filesize
3.3MB

Download