cobaltstrike | 32015a889671dae053521b9c35923950c13038c742edbc940e3f94c30f4d0cd0

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29/08/2024, 16:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-29_42caf276ea16047308a3ab558f2e3b63_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

42caf276ea16047308a3ab558f2e3b63
SHA1

71242578289d232270728ee988999a98c819e56f
SHA256

32015a889671dae053521b9c35923950c13038c742edbc940e3f94c30f4d0cd0
SHA512

bcee8e0e2592e22fc0c25879a090e75e2a13a4314ace257fe701e949712b79321cc85509c9520ad37b1060b1af96d024899edd7df70b46f027592ccaedd33033
SSDEEP

98304:oemTLkNdfE0pZrD56utgpPFotBER/mQ32lU2:T+q56utgpPF8u/72

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0008000000023459-6.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345d-12.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345e-17.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023460-29.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345f-27.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023461-36.dat	cobalt_reflective_dll
behavioral2/files/0x000800000002345a-41.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023462-47.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023464-50.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023465-61.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023466-70.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023468-83.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023469-88.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002346a-98.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023467-77.dat	cobalt_reflective_dll
behavioral2/files/0x000600000001e550-119.dat	cobalt_reflective_dll
behavioral2/files/0x000c00000001e4f6-113.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002346b-109.dat	cobalt_reflective_dll
behavioral2/files/0x000900000001e557-123.dat	cobalt_reflective_dll
behavioral2/files/0x000600000001e559-128.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002346c-134.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/2252-0-0x00007FF7D8C50000-0x00007FF7D8FA4000-memory.dmp	xmrig
behavioral2/files/0x0008000000023459-6.dat	xmrig
behavioral2/memory/1220-8-0x00007FF774900000-0x00007FF774C54000-memory.dmp	xmrig
behavioral2/files/0x000700000002345d-12.dat	xmrig
behavioral2/files/0x000700000002345e-17.dat	xmrig
behavioral2/memory/4272-14-0x00007FF651440000-0x00007FF651794000-memory.dmp	xmrig
behavioral2/memory/3668-24-0x00007FF683CC0000-0x00007FF684014000-memory.dmp	xmrig
behavioral2/files/0x0007000000023460-29.dat	xmrig
behavioral2/memory/3664-30-0x00007FF688B70000-0x00007FF688EC4000-memory.dmp	xmrig
behavioral2/files/0x000700000002345f-27.dat	xmrig
behavioral2/memory/2996-19-0x00007FF68B190000-0x00007FF68B4E4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023461-36.dat	xmrig
behavioral2/memory/4956-38-0x00007FF705520000-0x00007FF705874000-memory.dmp	xmrig
behavioral2/files/0x000800000002345a-41.dat	xmrig
behavioral2/memory/3872-42-0x00007FF60A1E0000-0x00007FF60A534000-memory.dmp	xmrig
behavioral2/files/0x0007000000023462-47.dat	xmrig
behavioral2/memory/5112-48-0x00007FF68BBB0000-0x00007FF68BF04000-memory.dmp	xmrig
behavioral2/files/0x0007000000023464-50.dat	xmrig
behavioral2/memory/3900-52-0x00007FF652490000-0x00007FF6527E4000-memory.dmp	xmrig
behavioral2/memory/2252-59-0x00007FF7D8C50000-0x00007FF7D8FA4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023465-61.dat	xmrig
behavioral2/memory/1660-66-0x00007FF6A3000000-0x00007FF6A3354000-memory.dmp	xmrig
behavioral2/memory/4272-68-0x00007FF651440000-0x00007FF651794000-memory.dmp	xmrig
behavioral2/memory/2640-69-0x00007FF6E6730000-0x00007FF6E6A84000-memory.dmp	xmrig
behavioral2/files/0x0007000000023466-70.dat	xmrig
behavioral2/memory/1648-75-0x00007FF7D16F0000-0x00007FF7D1A44000-memory.dmp	xmrig
behavioral2/memory/3668-81-0x00007FF683CC0000-0x00007FF684014000-memory.dmp	xmrig
behavioral2/files/0x0007000000023468-83.dat	xmrig
behavioral2/files/0x0007000000023469-88.dat	xmrig
behavioral2/memory/4956-95-0x00007FF705520000-0x00007FF705874000-memory.dmp	xmrig
behavioral2/memory/4024-96-0x00007FF6BE240000-0x00007FF6BE594000-memory.dmp	xmrig
behavioral2/files/0x000700000002346a-98.dat	xmrig
behavioral2/memory/1644-97-0x00007FF7C4090000-0x00007FF7C43E4000-memory.dmp	xmrig
behavioral2/memory/3664-94-0x00007FF688B70000-0x00007FF688EC4000-memory.dmp	xmrig
behavioral2/memory/412-92-0x00007FF7AD6A0000-0x00007FF7AD9F4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023467-77.dat	xmrig
behavioral2/memory/2996-74-0x00007FF68B190000-0x00007FF68B4E4000-memory.dmp	xmrig
behavioral2/memory/1220-63-0x00007FF774900000-0x00007FF774C54000-memory.dmp	xmrig
behavioral2/memory/3872-100-0x00007FF60A1E0000-0x00007FF60A534000-memory.dmp	xmrig
behavioral2/memory/4692-118-0x00007FF6B10A0000-0x00007FF6B13F4000-memory.dmp	xmrig
behavioral2/files/0x000600000001e550-119.dat	xmrig
behavioral2/memory/1196-114-0x00007FF7FA760000-0x00007FF7FAAB4000-memory.dmp	xmrig
behavioral2/files/0x000c00000001e4f6-113.dat	xmrig
behavioral2/memory/3900-110-0x00007FF652490000-0x00007FF6527E4000-memory.dmp	xmrig
behavioral2/files/0x000700000002346b-109.dat	xmrig
behavioral2/memory/4120-105-0x00007FF6269E0000-0x00007FF626D34000-memory.dmp	xmrig
behavioral2/memory/5112-104-0x00007FF68BBB0000-0x00007FF68BF04000-memory.dmp	xmrig
behavioral2/files/0x000900000001e557-123.dat	xmrig
behavioral2/files/0x000600000001e559-128.dat	xmrig
behavioral2/files/0x000700000002346c-134.dat	xmrig
behavioral2/memory/2640-132-0x00007FF6E6730000-0x00007FF6E6A84000-memory.dmp	xmrig
behavioral2/memory/5044-124-0x00007FF79D8A0000-0x00007FF79DBF4000-memory.dmp	xmrig
behavioral2/memory/1648-138-0x00007FF7D16F0000-0x00007FF7D1A44000-memory.dmp	xmrig
behavioral2/memory/1748-140-0x00007FF6E4EA0000-0x00007FF6E51F4000-memory.dmp	xmrig
behavioral2/memory/412-139-0x00007FF7AD6A0000-0x00007FF7AD9F4000-memory.dmp	xmrig
behavioral2/memory/1880-137-0x00007FF6061B0000-0x00007FF606504000-memory.dmp	xmrig
behavioral2/memory/1644-141-0x00007FF7C4090000-0x00007FF7C43E4000-memory.dmp	xmrig
behavioral2/memory/4120-142-0x00007FF6269E0000-0x00007FF626D34000-memory.dmp	xmrig
behavioral2/memory/1196-143-0x00007FF7FA760000-0x00007FF7FAAB4000-memory.dmp	xmrig
behavioral2/memory/4692-144-0x00007FF6B10A0000-0x00007FF6B13F4000-memory.dmp	xmrig
behavioral2/memory/5044-145-0x00007FF79D8A0000-0x00007FF79DBF4000-memory.dmp	xmrig
behavioral2/memory/1220-146-0x00007FF774900000-0x00007FF774C54000-memory.dmp	xmrig
behavioral2/memory/4272-147-0x00007FF651440000-0x00007FF651794000-memory.dmp	xmrig
behavioral2/memory/2996-148-0x00007FF68B190000-0x00007FF68B4E4000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
1220	YiViXVR.exe
4272	HURQCdt.exe
2996	FiqCEvH.exe
3668	LCTYmLj.exe
3664	MkFyZZQ.exe
4956	SkFYGRk.exe
3872	piIJuPE.exe
5112	FMqpNjB.exe
3900	DUOkVCd.exe
1660	HiGpkmR.exe
2640	piIDQZe.exe
1648	sgNHtfE.exe
412	eQPEZqa.exe
4024	pyADYyU.exe
1644	ggxDPUj.exe
4120	yndTDFQ.exe
1196	uFbCqyH.exe
4692	LjbuQgt.exe
5044	jNmMWjp.exe
1880	zqNbBYY.exe
1748	MnxaSQF.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2252-0-0x00007FF7D8C50000-0x00007FF7D8FA4000-memory.dmp	upx
behavioral2/files/0x0008000000023459-6.dat	upx
behavioral2/memory/1220-8-0x00007FF774900000-0x00007FF774C54000-memory.dmp	upx
behavioral2/files/0x000700000002345d-12.dat	upx
behavioral2/files/0x000700000002345e-17.dat	upx
behavioral2/memory/4272-14-0x00007FF651440000-0x00007FF651794000-memory.dmp	upx
behavioral2/memory/3668-24-0x00007FF683CC0000-0x00007FF684014000-memory.dmp	upx
behavioral2/files/0x0007000000023460-29.dat	upx
behavioral2/memory/3664-30-0x00007FF688B70000-0x00007FF688EC4000-memory.dmp	upx
behavioral2/files/0x000700000002345f-27.dat	upx
behavioral2/memory/2996-19-0x00007FF68B190000-0x00007FF68B4E4000-memory.dmp	upx
behavioral2/files/0x0007000000023461-36.dat	upx
behavioral2/memory/4956-38-0x00007FF705520000-0x00007FF705874000-memory.dmp	upx
behavioral2/files/0x000800000002345a-41.dat	upx
behavioral2/memory/3872-42-0x00007FF60A1E0000-0x00007FF60A534000-memory.dmp	upx
behavioral2/files/0x0007000000023462-47.dat	upx
behavioral2/memory/5112-48-0x00007FF68BBB0000-0x00007FF68BF04000-memory.dmp	upx
behavioral2/files/0x0007000000023464-50.dat	upx
behavioral2/memory/3900-52-0x00007FF652490000-0x00007FF6527E4000-memory.dmp	upx
behavioral2/memory/2252-59-0x00007FF7D8C50000-0x00007FF7D8FA4000-memory.dmp	upx
behavioral2/files/0x0007000000023465-61.dat	upx
behavioral2/memory/1660-66-0x00007FF6A3000000-0x00007FF6A3354000-memory.dmp	upx
behavioral2/memory/4272-68-0x00007FF651440000-0x00007FF651794000-memory.dmp	upx
behavioral2/memory/2640-69-0x00007FF6E6730000-0x00007FF6E6A84000-memory.dmp	upx
behavioral2/files/0x0007000000023466-70.dat	upx
behavioral2/memory/1648-75-0x00007FF7D16F0000-0x00007FF7D1A44000-memory.dmp	upx
behavioral2/memory/3668-81-0x00007FF683CC0000-0x00007FF684014000-memory.dmp	upx
behavioral2/files/0x0007000000023468-83.dat	upx
behavioral2/files/0x0007000000023469-88.dat	upx
behavioral2/memory/4956-95-0x00007FF705520000-0x00007FF705874000-memory.dmp	upx
behavioral2/memory/4024-96-0x00007FF6BE240000-0x00007FF6BE594000-memory.dmp	upx
behavioral2/files/0x000700000002346a-98.dat	upx
behavioral2/memory/1644-97-0x00007FF7C4090000-0x00007FF7C43E4000-memory.dmp	upx
behavioral2/memory/3664-94-0x00007FF688B70000-0x00007FF688EC4000-memory.dmp	upx
behavioral2/memory/412-92-0x00007FF7AD6A0000-0x00007FF7AD9F4000-memory.dmp	upx
behavioral2/files/0x0007000000023467-77.dat	upx
behavioral2/memory/2996-74-0x00007FF68B190000-0x00007FF68B4E4000-memory.dmp	upx
behavioral2/memory/1220-63-0x00007FF774900000-0x00007FF774C54000-memory.dmp	upx
behavioral2/memory/3872-100-0x00007FF60A1E0000-0x00007FF60A534000-memory.dmp	upx
behavioral2/memory/4692-118-0x00007FF6B10A0000-0x00007FF6B13F4000-memory.dmp	upx
behavioral2/files/0x000600000001e550-119.dat	upx
behavioral2/memory/1196-114-0x00007FF7FA760000-0x00007FF7FAAB4000-memory.dmp	upx
behavioral2/files/0x000c00000001e4f6-113.dat	upx
behavioral2/memory/3900-110-0x00007FF652490000-0x00007FF6527E4000-memory.dmp	upx
behavioral2/files/0x000700000002346b-109.dat	upx
behavioral2/memory/4120-105-0x00007FF6269E0000-0x00007FF626D34000-memory.dmp	upx
behavioral2/memory/5112-104-0x00007FF68BBB0000-0x00007FF68BF04000-memory.dmp	upx
behavioral2/files/0x000900000001e557-123.dat	upx
behavioral2/files/0x000600000001e559-128.dat	upx
behavioral2/files/0x000700000002346c-134.dat	upx
behavioral2/memory/2640-132-0x00007FF6E6730000-0x00007FF6E6A84000-memory.dmp	upx
behavioral2/memory/5044-124-0x00007FF79D8A0000-0x00007FF79DBF4000-memory.dmp	upx
behavioral2/memory/1648-138-0x00007FF7D16F0000-0x00007FF7D1A44000-memory.dmp	upx
behavioral2/memory/1748-140-0x00007FF6E4EA0000-0x00007FF6E51F4000-memory.dmp	upx
behavioral2/memory/412-139-0x00007FF7AD6A0000-0x00007FF7AD9F4000-memory.dmp	upx
behavioral2/memory/1880-137-0x00007FF6061B0000-0x00007FF606504000-memory.dmp	upx
behavioral2/memory/1644-141-0x00007FF7C4090000-0x00007FF7C43E4000-memory.dmp	upx
behavioral2/memory/4120-142-0x00007FF6269E0000-0x00007FF626D34000-memory.dmp	upx
behavioral2/memory/1196-143-0x00007FF7FA760000-0x00007FF7FAAB4000-memory.dmp	upx
behavioral2/memory/4692-144-0x00007FF6B10A0000-0x00007FF6B13F4000-memory.dmp	upx
behavioral2/memory/5044-145-0x00007FF79D8A0000-0x00007FF79DBF4000-memory.dmp	upx
behavioral2/memory/1220-146-0x00007FF774900000-0x00007FF774C54000-memory.dmp	upx
behavioral2/memory/4272-147-0x00007FF651440000-0x00007FF651794000-memory.dmp	upx
behavioral2/memory/2996-148-0x00007FF68B190000-0x00007FF68B4E4000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\HURQCdt.exe	2024-08-29_42caf276ea16047308a3ab558f2e3b63_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\piIDQZe.exe	2024-08-29_42caf276ea16047308a3ab558f2e3b63_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zqNbBYY.exe	2024-08-29_42caf276ea16047308a3ab558f2e3b63_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SkFYGRk.exe	2024-08-29_42caf276ea16047308a3ab558f2e3b63_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\piIJuPE.exe	2024-08-29_42caf276ea16047308a3ab558f2e3b63_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HiGpkmR.exe	2024-08-29_42caf276ea16047308a3ab558f2e3b63_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pyADYyU.exe	2024-08-29_42caf276ea16047308a3ab558f2e3b63_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LjbuQgt.exe	2024-08-29_42caf276ea16047308a3ab558f2e3b63_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MnxaSQF.exe	2024-08-29_42caf276ea16047308a3ab558f2e3b63_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FiqCEvH.exe	2024-08-29_42caf276ea16047308a3ab558f2e3b63_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LCTYmLj.exe	2024-08-29_42caf276ea16047308a3ab558f2e3b63_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MkFyZZQ.exe	2024-08-29_42caf276ea16047308a3ab558f2e3b63_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DUOkVCd.exe	2024-08-29_42caf276ea16047308a3ab558f2e3b63_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ggxDPUj.exe	2024-08-29_42caf276ea16047308a3ab558f2e3b63_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uFbCqyH.exe	2024-08-29_42caf276ea16047308a3ab558f2e3b63_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jNmMWjp.exe	2024-08-29_42caf276ea16047308a3ab558f2e3b63_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YiViXVR.exe	2024-08-29_42caf276ea16047308a3ab558f2e3b63_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FMqpNjB.exe	2024-08-29_42caf276ea16047308a3ab558f2e3b63_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sgNHtfE.exe	2024-08-29_42caf276ea16047308a3ab558f2e3b63_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eQPEZqa.exe	2024-08-29_42caf276ea16047308a3ab558f2e3b63_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yndTDFQ.exe	2024-08-29_42caf276ea16047308a3ab558f2e3b63_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2252	2024-08-29_42caf276ea16047308a3ab558f2e3b63_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2252	2024-08-29_42caf276ea16047308a3ab558f2e3b63_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2252 wrote to memory of 1220	2252	2024-08-29_42caf276ea16047308a3ab558f2e3b63_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2252 wrote to memory of 1220	2252	2024-08-29_42caf276ea16047308a3ab558f2e3b63_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2252 wrote to memory of 4272	2252	2024-08-29_42caf276ea16047308a3ab558f2e3b63_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2252 wrote to memory of 4272	2252	2024-08-29_42caf276ea16047308a3ab558f2e3b63_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2252 wrote to memory of 2996	2252	2024-08-29_42caf276ea16047308a3ab558f2e3b63_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2252 wrote to memory of 2996	2252	2024-08-29_42caf276ea16047308a3ab558f2e3b63_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2252 wrote to memory of 3668	2252	2024-08-29_42caf276ea16047308a3ab558f2e3b63_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2252 wrote to memory of 3668	2252	2024-08-29_42caf276ea16047308a3ab558f2e3b63_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2252 wrote to memory of 3664	2252	2024-08-29_42caf276ea16047308a3ab558f2e3b63_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2252 wrote to memory of 3664	2252	2024-08-29_42caf276ea16047308a3ab558f2e3b63_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2252 wrote to memory of 4956	2252	2024-08-29_42caf276ea16047308a3ab558f2e3b63_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2252 wrote to memory of 4956	2252	2024-08-29_42caf276ea16047308a3ab558f2e3b63_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2252 wrote to memory of 3872	2252	2024-08-29_42caf276ea16047308a3ab558f2e3b63_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2252 wrote to memory of 3872	2252	2024-08-29_42caf276ea16047308a3ab558f2e3b63_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2252 wrote to memory of 5112	2252	2024-08-29_42caf276ea16047308a3ab558f2e3b63_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2252 wrote to memory of 5112	2252	2024-08-29_42caf276ea16047308a3ab558f2e3b63_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2252 wrote to memory of 3900	2252	2024-08-29_42caf276ea16047308a3ab558f2e3b63_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2252 wrote to memory of 3900	2252	2024-08-29_42caf276ea16047308a3ab558f2e3b63_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2252 wrote to memory of 1660	2252	2024-08-29_42caf276ea16047308a3ab558f2e3b63_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2252 wrote to memory of 1660	2252	2024-08-29_42caf276ea16047308a3ab558f2e3b63_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2252 wrote to memory of 2640	2252	2024-08-29_42caf276ea16047308a3ab558f2e3b63_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2252 wrote to memory of 2640	2252	2024-08-29_42caf276ea16047308a3ab558f2e3b63_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2252 wrote to memory of 1648	2252	2024-08-29_42caf276ea16047308a3ab558f2e3b63_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2252 wrote to memory of 1648	2252	2024-08-29_42caf276ea16047308a3ab558f2e3b63_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2252 wrote to memory of 412	2252	2024-08-29_42caf276ea16047308a3ab558f2e3b63_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2252 wrote to memory of 412	2252	2024-08-29_42caf276ea16047308a3ab558f2e3b63_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2252 wrote to memory of 4024	2252	2024-08-29_42caf276ea16047308a3ab558f2e3b63_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2252 wrote to memory of 4024	2252	2024-08-29_42caf276ea16047308a3ab558f2e3b63_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2252 wrote to memory of 1644	2252	2024-08-29_42caf276ea16047308a3ab558f2e3b63_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2252 wrote to memory of 1644	2252	2024-08-29_42caf276ea16047308a3ab558f2e3b63_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2252 wrote to memory of 4120	2252	2024-08-29_42caf276ea16047308a3ab558f2e3b63_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2252 wrote to memory of 4120	2252	2024-08-29_42caf276ea16047308a3ab558f2e3b63_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2252 wrote to memory of 1196	2252	2024-08-29_42caf276ea16047308a3ab558f2e3b63_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 2252 wrote to memory of 1196	2252	2024-08-29_42caf276ea16047308a3ab558f2e3b63_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 2252 wrote to memory of 4692	2252	2024-08-29_42caf276ea16047308a3ab558f2e3b63_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 2252 wrote to memory of 4692	2252	2024-08-29_42caf276ea16047308a3ab558f2e3b63_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 2252 wrote to memory of 5044	2252	2024-08-29_42caf276ea16047308a3ab558f2e3b63_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 2252 wrote to memory of 5044	2252	2024-08-29_42caf276ea16047308a3ab558f2e3b63_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 2252 wrote to memory of 1880	2252	2024-08-29_42caf276ea16047308a3ab558f2e3b63_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 2252 wrote to memory of 1880	2252	2024-08-29_42caf276ea16047308a3ab558f2e3b63_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 2252 wrote to memory of 1748	2252	2024-08-29_42caf276ea16047308a3ab558f2e3b63_cobalt-strike_cobaltstrike_poet-rat.exe	108
PID 2252 wrote to memory of 1748	2252	2024-08-29_42caf276ea16047308a3ab558f2e3b63_cobalt-strike_cobaltstrike_poet-rat.exe	108

C:\Users\Admin\AppData\Local\Temp\2024-08-29_42caf276ea16047308a3ab558f2e3b63_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-29_42caf276ea16047308a3ab558f2e3b63_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2252
- C:\Windows\System\YiViXVR.exe
  C:\Windows\System\YiViXVR.exe
  2⤵
  - Executes dropped EXE
  PID:1220
- C:\Windows\System\HURQCdt.exe
  C:\Windows\System\HURQCdt.exe
  2⤵
  - Executes dropped EXE
  PID:4272
- C:\Windows\System\FiqCEvH.exe
  C:\Windows\System\FiqCEvH.exe
  2⤵
  - Executes dropped EXE
  PID:2996
- C:\Windows\System\LCTYmLj.exe
  C:\Windows\System\LCTYmLj.exe
  2⤵
  - Executes dropped EXE
  PID:3668
- C:\Windows\System\MkFyZZQ.exe
  C:\Windows\System\MkFyZZQ.exe
  2⤵
  - Executes dropped EXE
  PID:3664
- C:\Windows\System\SkFYGRk.exe
  C:\Windows\System\SkFYGRk.exe
  2⤵
  - Executes dropped EXE
  PID:4956
- C:\Windows\System\piIJuPE.exe
  C:\Windows\System\piIJuPE.exe
  2⤵
  - Executes dropped EXE
  PID:3872
- C:\Windows\System\FMqpNjB.exe
  C:\Windows\System\FMqpNjB.exe
  2⤵
  - Executes dropped EXE
  PID:5112
- C:\Windows\System\DUOkVCd.exe
  C:\Windows\System\DUOkVCd.exe
  2⤵
  - Executes dropped EXE
  PID:3900
- C:\Windows\System\HiGpkmR.exe
  C:\Windows\System\HiGpkmR.exe
  2⤵
  - Executes dropped EXE
  PID:1660
- C:\Windows\System\piIDQZe.exe
  C:\Windows\System\piIDQZe.exe
  2⤵
  - Executes dropped EXE
  PID:2640
- C:\Windows\System\sgNHtfE.exe
  C:\Windows\System\sgNHtfE.exe
  2⤵
  - Executes dropped EXE
  PID:1648
- C:\Windows\System\eQPEZqa.exe
  C:\Windows\System\eQPEZqa.exe
  2⤵
  - Executes dropped EXE
  PID:412
- C:\Windows\System\pyADYyU.exe
  C:\Windows\System\pyADYyU.exe
  2⤵
  - Executes dropped EXE
  PID:4024
- C:\Windows\System\ggxDPUj.exe
  C:\Windows\System\ggxDPUj.exe
  2⤵
  - Executes dropped EXE
  PID:1644
- C:\Windows\System\yndTDFQ.exe
  C:\Windows\System\yndTDFQ.exe
  2⤵
  - Executes dropped EXE
  PID:4120
- C:\Windows\System\uFbCqyH.exe
  C:\Windows\System\uFbCqyH.exe
  2⤵
  - Executes dropped EXE
  PID:1196
- C:\Windows\System\LjbuQgt.exe
  C:\Windows\System\LjbuQgt.exe
  2⤵
  - Executes dropped EXE
  PID:4692
- C:\Windows\System\jNmMWjp.exe
  C:\Windows\System\jNmMWjp.exe
  2⤵
  - Executes dropped EXE
  PID:5044
- C:\Windows\System\zqNbBYY.exe
  C:\Windows\System\zqNbBYY.exe
  2⤵
  - Executes dropped EXE
  PID:1880
- C:\Windows\System\MnxaSQF.exe
  C:\Windows\System\MnxaSQF.exe
  2⤵
  - Executes dropped EXE
  PID:1748

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\DUOkVCd.exe

Filesize
5.9MB

MD5
07ec56a0da8b28ce88588c822a8bac52

SHA1
66c4570c853e145806e55f93076750043aa3dd77

SHA256
f0ee4a6361ec82f558a9c24f1fde723620f4e2000cabed7cdbb54e5fd8a9b17a

SHA512
9bc02f2e1043470bb8961a72ee75aebab05637b492d87dcf1ad2996b7a4a1676dfe119486443558e84c58261024a168c4e283ce485d354f26b8511687b6cc863

Download Submit
C:\Windows\System\FMqpNjB.exe

Filesize
5.9MB

MD5
63550f5792eff71d7cac8e10c52f21fa

SHA1
3cf5b15298d6792ea11b6858be74e89c026ddff9

SHA256
9034960557aaece35a43ee9335b71d987c4321fd70aaa2496bf5f7136ce8f1dc

SHA512
c94db5d1002b24d725ae0a10abb1076885890effb5ae1785ccd3d56233c52af571e0ea3327273fe23825577697fbf26502374924eda6ccdc72b55cc529fe555f

Download Submit
C:\Windows\System\FiqCEvH.exe

Filesize
5.9MB

MD5
142793c75391f5d23aac2b61564c1247

SHA1
c2e4b2e0bf71dea4a60784fe39f2d90547989a85

SHA256
1a7441a3e68ef0abdce658232bbf1af21332b21b7416f63006607a3df79ba173

SHA512
0720606d3aa57922383bbba15219a9aeca9ebc30919b6473485073cb55b1dc9d9d5eae463adbedcd5310eefc735e6235d7edcc5fcf272d1f35812401434d435d

Download Submit
C:\Windows\System\HURQCdt.exe

Filesize
5.9MB

MD5
54161e43f7c68e98bc6342e58a9a2a7c

SHA1
e001477ba36ced8bec2d4a5a67a8f943adf8011e

SHA256
f66ee24cb4196fec3a6be73befeb90a78e1a4f98aa28f22920f88d957fcc06d0

SHA512
cffb387c2321deddc4c17b56b78dfffd87f60b9e09901e56ed550c82b3264111745e086e7066739fab7b743805e2dd80bb7c8184357f45568643683cd19eab90

Download Submit
C:\Windows\System\HiGpkmR.exe

Filesize
5.9MB

MD5
5f1ff8058644ff0393dfc048d5b991c6

SHA1
bd30e771c5580e4d232986d83a394b1c4b530e08

SHA256
654680da1fb8db56a3124528649dd12908c899622b1aca9042b59a8836dbc7fc

SHA512
0d6e49cb142ac1fe374c4541a0c6348700736cc793d4915095df31b264e68cb4e4a81d9bbff906ad202f52a4d92a87dac804ead654e9e016f11e0899b7e905fb

Download Submit
C:\Windows\System\LCTYmLj.exe

Filesize
5.9MB

MD5
0d4cadfd8721f9e82d98ac645e5e8a48

SHA1
c957be00a34ee881a4f9b3e14da7cfc4dd89e8c5

SHA256
ae4a39c2093f1a3211030a6283a9648b95612bc65734bfe5fcb1cf3720eb1fb3

SHA512
89c35069d033fd62325cf2d4ed7131c701eac3983c58f2d814992b3296eef99023bfd3093242f99bb7e490b3f32da154ac1aff61d33dcd7619001d8c21f4947a

Download Submit
C:\Windows\System\LjbuQgt.exe

Filesize
5.9MB

MD5
85765c06636636bd4964b500db47592d

SHA1
ca38136d562fc09e97523f17b0e07fce87053976

SHA256
475851c5605034d812abcf7f3cf6d2ad913aa4de724c044b5b2d54469aba9ac4

SHA512
05a30adddc088414cf6e03257b55487d7bc2c37766bad2ea7196f85b96d6270d04a5320f26534f3b7f51ad8bc39cb76222f9e87f339c4e469287be80fca7feb3

Download Submit
C:\Windows\System\MkFyZZQ.exe

Filesize
5.9MB

MD5
f040454c566fa7a72d67e8dd5bd8e634

SHA1
3a32afacd68c6b32d9bc13c391a3e04dab61df0f

SHA256
1dc521821a79f054731e65ccadf3306d224ab3d222f43bc93885a096070fcdc3

SHA512
9196daf93c9062aef8fe63779dec87e650fe9875237f6ab5db0fc5b08e8d8dd5c6e64c876bdb9350ef345695eca419e2cfa74f3386d8791e3294980d1783af78

Download Submit
C:\Windows\System\MnxaSQF.exe

Filesize
5.9MB

MD5
c0405689f253cee13d273df31dbb67b9

SHA1
9eb127868b44ca0d8f1d3e296a9154030264e0d8

SHA256
70295bdd38c7717b8200530a102f75bccf8234607a3c16cb8883d6a15ef05f0a

SHA512
ca4af7e66f7d25645904cd0d80d9b3fbfb4b17c6da1f0200ec20855e1c7fb2bb9dc8fbceb6c6459f9cba17ef90f1471bc137762a2f4feb43fa134cc4b8a5d2f4

Download Submit
C:\Windows\System\SkFYGRk.exe

Filesize
5.9MB

MD5
5ba8db69a3c9a292a7aadabdff289863

SHA1
201e015d4cbc8d7ac1c01a74f92028ecb5d37f51

SHA256
1ba9a63e78ade42c8d2bcfbde21b2bc247028aeb11eacf9df7422a29bb1113f0

SHA512
ff2168f21cb101ee3cb8267425750888aa8040a836bd2e2ddfdb627aefdc7c659b7a4696a551e665e13ea77ba830b0d9467f70e8f0e2ba6d4d960054fed47893

Download Submit
C:\Windows\System\YiViXVR.exe

Filesize
5.9MB

MD5
4eaa5f929f961237375e8ac3729bf2ae

SHA1
c7c155e854feb84eff377481871c4bb9a1d20171

SHA256
620d0403ba1969461ecce81f86dd0ca57f2752cbed57723bc52d8e98b2633c8b

SHA512
e04679055d296fc7ee700c2676f1dc3d5b451a5359a4b1d5c8aa50d5d92ca551ed617be9e3459aca8406d38697156fe205cc4da4f42a8eacd1cadd65719313e4

Download Submit
C:\Windows\System\eQPEZqa.exe

Filesize
5.9MB

MD5
6a34ca5a77747becf2e8996955a02b9c

SHA1
1fbef9ab7c2f2326e8d1c1eedac27e1f3395cf71

SHA256
a956a97a041d41ad7601e5c661d4f484fdb770d19483d8e3c79afc7d7ec3acd3

SHA512
ccde7793627c1e05a2e33f593bfa04b6acd336b6a65598600a69d8167c469c6a4dc8c1bb3924fed8726f180aba7fabca78af0480b31ece24a495651889b2bded

Download Submit
C:\Windows\System\ggxDPUj.exe

Filesize
5.9MB

MD5
9ffd0fe84e71bc0c1b7264de7d4f6b86

SHA1
eaa91166ca46749654b495f68a10f3a53dcdf19c

SHA256
376541c071a93f4c6ecb6889d680688f90f0d9cfd334c20b75edc0725da50b2d

SHA512
351d28843e27d0730e47a3af0229c86869cacdc8c706f632423a0df52b46cfb14afff205adf4195bd48538ad9ff6417be5fcc5ecc3c506fc50ade8c83bca1f50

Download Submit
C:\Windows\System\jNmMWjp.exe

Filesize
5.9MB

MD5
c6c01302ef2233bdabce7893bafeb411

SHA1
d8db2bf036b54b356729cd8f4e1b588aaa2adae1

SHA256
1080ecca0e0414b58cca0365e4c5abccfdaac640ace20866e8f6557e772fd868

SHA512
7af68acc27cf3dab8589840e0cb322339eb79863ec80e8d4a04ee2dc8e5ba6944005ad9c8eff1ab5fec77f2e5dc8480f5c20bddc0409fdaa21f06dd9282ad7a2

Download Submit
C:\Windows\System\piIDQZe.exe

Filesize
5.9MB

MD5
b4316c547939fc313f4e42f85934266b

SHA1
ebf5a148333d008d365650708014d58fca5323ba

SHA256
b557d8ff5f4020003906e3e7ac583459690ff613ede291dd19035a6da9b3ce54

SHA512
f102ad1e1a9c4aff77487833329af2238d7344b878f2c2426a9508454e38600cbca10676a9b4fb06783c50d7b603273056e0f34e40d3473131352417f087a1fa

Download Submit
C:\Windows\System\piIJuPE.exe

Filesize
5.9MB

MD5
69cb67883f6a0d6e45f22dd8aa3c0aa3

SHA1
019071139169d9de1883093f29635006b727467a

SHA256
d28642cf4127bac99ec42de15511286016a42e3cc98356f9598427b22a0a6f7a

SHA512
80dc53b0e7d8b063009a9be5cfb59068020c1ca21fb6409d3924ed7b1267bdadd8a3c17505cfaf55d3c717ceac8aab96e3dcf01e191779136b48cd46522319b5

Download Submit
C:\Windows\System\pyADYyU.exe

Filesize
5.9MB

MD5
f0e61800f35217a6a7a988bfb16eca34

SHA1
ff6ce31e0d08e1ad5344b5301275b75b39f1a1f7

SHA256
d38e46b82fd4061ac3590791bbf40cb5026ce47a0ec09579b3160544cd9a1ca1

SHA512
4c95bd580f89b4cb31d0c227aaa7d4d5da51f833f3220bdc725734107bd0bc12fbf589d138ac64f4404cdf387b48aec36420e87c7baffd53eed94d05a26a7b57

Download Submit
C:\Windows\System\sgNHtfE.exe

Filesize
5.9MB

MD5
07e5d2b37160783e627137e5c66b9971

SHA1
b2c6f5d14ffe509ff06bbe56be1dbfb08165b795

SHA256
ca54e04bf9669979fa1946b156ebe4fecc18d0b6831a25f114e462a17742234e

SHA512
e82cfa1a1db4e4ce7a4932677177dc927a0a5312eb4caf8eb7b1e29b2859aa94d466c094b2bcd1f6c08dfae73cf5b636d9244bfdcb5b630a1599fa5d10663a5c

Download Submit
C:\Windows\System\uFbCqyH.exe

Filesize
5.9MB

MD5
ce024aada92035ea995f8b92078d6d60

SHA1
fe54394f5e90fc267274cba3d6a4e604c28e05f5

SHA256
4eedce6f741236f55ee6a1e830c236cf2f0dc357ecdf46a6162f3c5fdc80bdf7

SHA512
87fd5969554e027592e3b5cdaae899a1dd5af8150258be706f2b45e492749c3c0d87e6b471b05959b274d6ca499628aaded441d3b5f21d9895d95690c78df240

Download Submit
C:\Windows\System\yndTDFQ.exe

Filesize
5.9MB

MD5
385389d5da3d42d83559b3e0778147db

SHA1
2c9820057f3bfef76bd9ffa0b0ae4414b71ef062

SHA256
81c52b187b5cefb675ed432f70b89d113f1be51af184a42de41c0b4158c7a3b0

SHA512
6359d2e7b836976e28b70aed7177c08faa3b22959adcca424072e8269a2fe14f198a432f09535289354be15cb1adf0c29e2dafc0e8e6307033d6f9500cc85f71

Download Submit
C:\Windows\System\zqNbBYY.exe

Filesize
5.9MB

MD5
f173807fad2260fbc4a691fde71cffc2

SHA1
4e6461edf36c3227f431320d30ecbb38f70dd7cc

SHA256
8cf9a1d5c33e0f6fa07fb52ba418ebd5f951c59d2a7406199be8c456947ae4a8

SHA512
e63bf7f7b7f52f55c87ef83640aa5a9ff09cf94a5e20b70dadf65b4740632cb8698e99387092c54763a36ec2e7e138c8f557a96d783b790beff70048ea1956c3

Download Submit
memory/412-139-0x00007FF7AD6A0000-0x00007FF7AD9F4000-memory.dmp

Filesize
3.3MB

Download
memory/412-92-0x00007FF7AD6A0000-0x00007FF7AD9F4000-memory.dmp

Filesize
3.3MB

Download
memory/412-158-0x00007FF7AD6A0000-0x00007FF7AD9F4000-memory.dmp

Filesize
3.3MB

Download
memory/1196-161-0x00007FF7FA760000-0x00007FF7FAAB4000-memory.dmp

Filesize
3.3MB

Download
memory/1196-114-0x00007FF7FA760000-0x00007FF7FAAB4000-memory.dmp

Filesize
3.3MB

Download
memory/1196-143-0x00007FF7FA760000-0x00007FF7FAAB4000-memory.dmp

Filesize
3.3MB

Download
memory/1220-8-0x00007FF774900000-0x00007FF774C54000-memory.dmp

Filesize
3.3MB

Download
memory/1220-63-0x00007FF774900000-0x00007FF774C54000-memory.dmp

Filesize
3.3MB

Download
memory/1220-146-0x00007FF774900000-0x00007FF774C54000-memory.dmp

Filesize
3.3MB

Download
memory/1644-97-0x00007FF7C4090000-0x00007FF7C43E4000-memory.dmp

Filesize
3.3MB

Download
memory/1644-141-0x00007FF7C4090000-0x00007FF7C43E4000-memory.dmp

Filesize
3.3MB

Download
memory/1644-160-0x00007FF7C4090000-0x00007FF7C43E4000-memory.dmp

Filesize
3.3MB

Download
memory/1648-75-0x00007FF7D16F0000-0x00007FF7D1A44000-memory.dmp

Filesize
3.3MB

Download
memory/1648-157-0x00007FF7D16F0000-0x00007FF7D1A44000-memory.dmp

Filesize
3.3MB

Download
memory/1648-138-0x00007FF7D16F0000-0x00007FF7D1A44000-memory.dmp

Filesize
3.3MB

Download
memory/1660-155-0x00007FF6A3000000-0x00007FF6A3354000-memory.dmp

Filesize
3.3MB

Download
memory/1660-66-0x00007FF6A3000000-0x00007FF6A3354000-memory.dmp

Filesize
3.3MB

Download
memory/1748-140-0x00007FF6E4EA0000-0x00007FF6E51F4000-memory.dmp

Filesize
3.3MB

Download
memory/1748-166-0x00007FF6E4EA0000-0x00007FF6E51F4000-memory.dmp

Filesize
3.3MB

Download
memory/1880-165-0x00007FF6061B0000-0x00007FF606504000-memory.dmp

Filesize
3.3MB

Download
memory/1880-137-0x00007FF6061B0000-0x00007FF606504000-memory.dmp

Filesize
3.3MB

Download
memory/2252-59-0x00007FF7D8C50000-0x00007FF7D8FA4000-memory.dmp

Filesize
3.3MB

Download
memory/2252-0-0x00007FF7D8C50000-0x00007FF7D8FA4000-memory.dmp

Filesize
3.3MB

Download
memory/2252-1-0x0000014D49010000-0x0000014D49020000-memory.dmp

Filesize
64KB

Download
memory/2640-132-0x00007FF6E6730000-0x00007FF6E6A84000-memory.dmp

Filesize
3.3MB

Download
memory/2640-69-0x00007FF6E6730000-0x00007FF6E6A84000-memory.dmp

Filesize
3.3MB

Download
memory/2640-156-0x00007FF6E6730000-0x00007FF6E6A84000-memory.dmp

Filesize
3.3MB

Download
memory/2996-74-0x00007FF68B190000-0x00007FF68B4E4000-memory.dmp

Filesize
3.3MB

Download
memory/2996-148-0x00007FF68B190000-0x00007FF68B4E4000-memory.dmp

Filesize
3.3MB

Download
memory/2996-19-0x00007FF68B190000-0x00007FF68B4E4000-memory.dmp

Filesize
3.3MB

Download
memory/3664-150-0x00007FF688B70000-0x00007FF688EC4000-memory.dmp

Filesize
3.3MB

Download
memory/3664-94-0x00007FF688B70000-0x00007FF688EC4000-memory.dmp

Filesize
3.3MB

Download
memory/3664-30-0x00007FF688B70000-0x00007FF688EC4000-memory.dmp

Filesize
3.3MB

Download
memory/3668-149-0x00007FF683CC0000-0x00007FF684014000-memory.dmp

Filesize
3.3MB

Download
memory/3668-24-0x00007FF683CC0000-0x00007FF684014000-memory.dmp

Filesize
3.3MB

Download
memory/3668-81-0x00007FF683CC0000-0x00007FF684014000-memory.dmp

Filesize
3.3MB

Download
memory/3872-100-0x00007FF60A1E0000-0x00007FF60A534000-memory.dmp

Filesize
3.3MB

Download
memory/3872-42-0x00007FF60A1E0000-0x00007FF60A534000-memory.dmp

Filesize
3.3MB

Download
memory/3872-152-0x00007FF60A1E0000-0x00007FF60A534000-memory.dmp

Filesize
3.3MB

Download
memory/3900-110-0x00007FF652490000-0x00007FF6527E4000-memory.dmp

Filesize
3.3MB

Download
memory/3900-52-0x00007FF652490000-0x00007FF6527E4000-memory.dmp

Filesize
3.3MB

Download
memory/3900-154-0x00007FF652490000-0x00007FF6527E4000-memory.dmp

Filesize
3.3MB

Download
memory/4024-159-0x00007FF6BE240000-0x00007FF6BE594000-memory.dmp

Filesize
3.3MB

Download
memory/4024-96-0x00007FF6BE240000-0x00007FF6BE594000-memory.dmp

Filesize
3.3MB

Download
memory/4120-105-0x00007FF6269E0000-0x00007FF626D34000-memory.dmp

Filesize
3.3MB

Download
memory/4120-142-0x00007FF6269E0000-0x00007FF626D34000-memory.dmp

Filesize
3.3MB

Download
memory/4120-162-0x00007FF6269E0000-0x00007FF626D34000-memory.dmp

Filesize
3.3MB

Download
memory/4272-147-0x00007FF651440000-0x00007FF651794000-memory.dmp

Filesize
3.3MB

Download
memory/4272-14-0x00007FF651440000-0x00007FF651794000-memory.dmp

Filesize
3.3MB

Download
memory/4272-68-0x00007FF651440000-0x00007FF651794000-memory.dmp

Filesize
3.3MB

Download
memory/4692-144-0x00007FF6B10A0000-0x00007FF6B13F4000-memory.dmp

Filesize
3.3MB

Download
memory/4692-118-0x00007FF6B10A0000-0x00007FF6B13F4000-memory.dmp

Filesize
3.3MB

Download
memory/4692-163-0x00007FF6B10A0000-0x00007FF6B13F4000-memory.dmp

Filesize
3.3MB

Download
memory/4956-95-0x00007FF705520000-0x00007FF705874000-memory.dmp

Filesize
3.3MB

Download
memory/4956-151-0x00007FF705520000-0x00007FF705874000-memory.dmp

Filesize
3.3MB

Download
memory/4956-38-0x00007FF705520000-0x00007FF705874000-memory.dmp

Filesize
3.3MB

Download
memory/5044-145-0x00007FF79D8A0000-0x00007FF79DBF4000-memory.dmp

Filesize
3.3MB

Download
memory/5044-124-0x00007FF79D8A0000-0x00007FF79DBF4000-memory.dmp

Filesize
3.3MB

Download
memory/5044-164-0x00007FF79D8A0000-0x00007FF79DBF4000-memory.dmp

Filesize
3.3MB

Download
memory/5112-48-0x00007FF68BBB0000-0x00007FF68BF04000-memory.dmp

Filesize
3.3MB

Download
memory/5112-153-0x00007FF68BBB0000-0x00007FF68BF04000-memory.dmp

Filesize
3.3MB

Download
memory/5112-104-0x00007FF68BBB0000-0x00007FF68BF04000-memory.dmp

Filesize
3.3MB

Download