cobaltstrike | 83def0bfeed3fbac6266334034de9c5b5ca4ede6261a521393f7d88d4819cc1f

Analysis

max time kernel
142s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09/10/2024, 14:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-09_650edeea4c3dd560f8d799d9fa38550d_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

650edeea4c3dd560f8d799d9fa38550d
SHA1

0af0491d63a9f218d2bfee3f0e05b09c372bf3dd
SHA256

83def0bfeed3fbac6266334034de9c5b5ca4ede6261a521393f7d88d4819cc1f
SHA512

c76674b77e20c3c331293be6a20308e74227f6ef08ef7e155d77a861edfe4f46cae443a9ef39ac24b2948946933bbbc0567533bb80ac3844e0d118fd74d59888
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lA:RWWBibf56utgpPFotBER/mQ32lU8

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000a000000023c4e-5.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023cb0-12.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb1-10.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb2-27.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb3-26.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb4-37.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb5-41.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023cae-48.dat	cobalt_reflective_dll
behavioral2/files/0x000c000000023b6f-55.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023cb8-63.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023cb6-62.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cba-80.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbb-90.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbd-97.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbf-113.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc0-117.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc2-134.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc1-131.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbe-111.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbc-92.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb9-82.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 47 IoCs

miner

resource	yara_rule
behavioral2/memory/4852-16-0x00007FF7964C0000-0x00007FF796811000-memory.dmp	xmrig
behavioral2/memory/8-54-0x00007FF696440000-0x00007FF696791000-memory.dmp	xmrig
behavioral2/memory/244-86-0x00007FF780100000-0x00007FF780451000-memory.dmp	xmrig
behavioral2/memory/3708-100-0x00007FF6CBBE0000-0x00007FF6CBF31000-memory.dmp	xmrig
behavioral2/memory/2436-130-0x00007FF7BFBC0000-0x00007FF7BFF11000-memory.dmp	xmrig
behavioral2/memory/2612-120-0x00007FF717400000-0x00007FF717751000-memory.dmp	xmrig
behavioral2/memory/2316-107-0x00007FF7A7890000-0x00007FF7A7BE1000-memory.dmp	xmrig
behavioral2/memory/4772-103-0x00007FF7ED040000-0x00007FF7ED391000-memory.dmp	xmrig
behavioral2/memory/4608-99-0x00007FF76ACF0000-0x00007FF76B041000-memory.dmp	xmrig
behavioral2/memory/3628-94-0x00007FF7C5A50000-0x00007FF7C5DA1000-memory.dmp	xmrig
behavioral2/memory/5084-79-0x00007FF758A50000-0x00007FF758DA1000-memory.dmp	xmrig
behavioral2/memory/4852-78-0x00007FF7964C0000-0x00007FF796811000-memory.dmp	xmrig
behavioral2/memory/1436-64-0x00007FF7E2470000-0x00007FF7E27C1000-memory.dmp	xmrig
behavioral2/memory/8-136-0x00007FF696440000-0x00007FF696791000-memory.dmp	xmrig
behavioral2/memory/2696-144-0x00007FF70FF10000-0x00007FF710261000-memory.dmp	xmrig
behavioral2/memory/4864-147-0x00007FF75C230000-0x00007FF75C581000-memory.dmp	xmrig
behavioral2/memory/1904-146-0x00007FF7F12C0000-0x00007FF7F1611000-memory.dmp	xmrig
behavioral2/memory/2416-145-0x00007FF7DFB60000-0x00007FF7DFEB1000-memory.dmp	xmrig
behavioral2/memory/3628-148-0x00007FF7C5A50000-0x00007FF7C5DA1000-memory.dmp	xmrig
behavioral2/memory/4384-151-0x00007FF673250000-0x00007FF6735A1000-memory.dmp	xmrig
behavioral2/memory/4008-160-0x00007FF66F260000-0x00007FF66F5B1000-memory.dmp	xmrig
behavioral2/memory/468-163-0x00007FF6D0E10000-0x00007FF6D1161000-memory.dmp	xmrig
behavioral2/memory/224-162-0x00007FF63C1C0000-0x00007FF63C511000-memory.dmp	xmrig
behavioral2/memory/764-161-0x00007FF77C1B0000-0x00007FF77C501000-memory.dmp	xmrig
behavioral2/memory/1688-159-0x00007FF6E1E00000-0x00007FF6E2151000-memory.dmp	xmrig
behavioral2/memory/8-164-0x00007FF696440000-0x00007FF696791000-memory.dmp	xmrig
behavioral2/memory/1436-212-0x00007FF7E2470000-0x00007FF7E27C1000-memory.dmp	xmrig
behavioral2/memory/4852-219-0x00007FF7964C0000-0x00007FF796811000-memory.dmp	xmrig
behavioral2/memory/5084-221-0x00007FF758A50000-0x00007FF758DA1000-memory.dmp	xmrig
behavioral2/memory/4608-223-0x00007FF76ACF0000-0x00007FF76B041000-memory.dmp	xmrig
behavioral2/memory/2316-225-0x00007FF7A7890000-0x00007FF7A7BE1000-memory.dmp	xmrig
behavioral2/memory/2612-227-0x00007FF717400000-0x00007FF717751000-memory.dmp	xmrig
behavioral2/memory/2436-236-0x00007FF7BFBC0000-0x00007FF7BFF11000-memory.dmp	xmrig
behavioral2/memory/2696-238-0x00007FF70FF10000-0x00007FF710261000-memory.dmp	xmrig
behavioral2/memory/2416-240-0x00007FF7DFB60000-0x00007FF7DFEB1000-memory.dmp	xmrig
behavioral2/memory/4864-242-0x00007FF75C230000-0x00007FF75C581000-memory.dmp	xmrig
behavioral2/memory/1904-247-0x00007FF7F12C0000-0x00007FF7F1611000-memory.dmp	xmrig
behavioral2/memory/244-253-0x00007FF780100000-0x00007FF780451000-memory.dmp	xmrig
behavioral2/memory/3628-257-0x00007FF7C5A50000-0x00007FF7C5DA1000-memory.dmp	xmrig
behavioral2/memory/3708-256-0x00007FF6CBBE0000-0x00007FF6CBF31000-memory.dmp	xmrig
behavioral2/memory/4772-259-0x00007FF7ED040000-0x00007FF7ED391000-memory.dmp	xmrig
behavioral2/memory/4384-261-0x00007FF673250000-0x00007FF6735A1000-memory.dmp	xmrig
behavioral2/memory/1688-263-0x00007FF6E1E00000-0x00007FF6E2151000-memory.dmp	xmrig
behavioral2/memory/4008-265-0x00007FF66F260000-0x00007FF66F5B1000-memory.dmp	xmrig
behavioral2/memory/764-267-0x00007FF77C1B0000-0x00007FF77C501000-memory.dmp	xmrig
behavioral2/memory/224-270-0x00007FF63C1C0000-0x00007FF63C511000-memory.dmp	xmrig
behavioral2/memory/468-271-0x00007FF6D0E10000-0x00007FF6D1161000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
1436	QZofwfz.exe
4852	zEifGzI.exe
5084	LlvozdU.exe
4608	DMpGbeS.exe
2316	jbeIgrA.exe
2612	zrmFHpH.exe
2436	rESQTaB.exe
2696	eOTzCTD.exe
2416	AuixOUU.exe
4864	NOlSBiA.exe
1904	nGwLOte.exe
244	VsxgBOe.exe
3708	fEYFdAK.exe
3628	xraUYsR.exe
4772	OhewwUA.exe
4384	EvkjWCY.exe
1688	wbJZxWP.exe
4008	SFPBDLK.exe
764	EzACZaJ.exe
224	bHmiOsh.exe
468	XUhFaxA.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/8-0-0x00007FF696440000-0x00007FF696791000-memory.dmp	upx
behavioral2/files/0x000a000000023c4e-5.dat	upx
behavioral2/files/0x0008000000023cb0-12.dat	upx
behavioral2/files/0x0007000000023cb1-10.dat	upx
behavioral2/files/0x0007000000023cb2-27.dat	upx
behavioral2/files/0x0007000000023cb3-26.dat	upx
behavioral2/memory/5084-23-0x00007FF758A50000-0x00007FF758DA1000-memory.dmp	upx
behavioral2/memory/4852-16-0x00007FF7964C0000-0x00007FF796811000-memory.dmp	upx
behavioral2/memory/1436-8-0x00007FF7E2470000-0x00007FF7E27C1000-memory.dmp	upx
behavioral2/memory/4608-29-0x00007FF76ACF0000-0x00007FF76B041000-memory.dmp	upx
behavioral2/memory/2316-33-0x00007FF7A7890000-0x00007FF7A7BE1000-memory.dmp	upx
behavioral2/files/0x0007000000023cb4-37.dat	upx
behavioral2/memory/2612-36-0x00007FF717400000-0x00007FF717751000-memory.dmp	upx
behavioral2/files/0x0007000000023cb5-41.dat	upx
behavioral2/memory/2436-42-0x00007FF7BFBC0000-0x00007FF7BFF11000-memory.dmp	upx
behavioral2/files/0x0008000000023cae-48.dat	upx
behavioral2/memory/2696-49-0x00007FF70FF10000-0x00007FF710261000-memory.dmp	upx
behavioral2/files/0x000c000000023b6f-55.dat	upx
behavioral2/files/0x0008000000023cb8-63.dat	upx
behavioral2/memory/8-54-0x00007FF696440000-0x00007FF696791000-memory.dmp	upx
behavioral2/files/0x0008000000023cb6-62.dat	upx
behavioral2/memory/2416-59-0x00007FF7DFB60000-0x00007FF7DFEB1000-memory.dmp	upx
behavioral2/memory/4864-68-0x00007FF75C230000-0x00007FF75C581000-memory.dmp	upx
behavioral2/files/0x0007000000023cba-80.dat	upx
behavioral2/memory/244-86-0x00007FF780100000-0x00007FF780451000-memory.dmp	upx
behavioral2/files/0x0007000000023cbb-90.dat	upx
behavioral2/files/0x0007000000023cbd-97.dat	upx
behavioral2/memory/3708-100-0x00007FF6CBBE0000-0x00007FF6CBF31000-memory.dmp	upx
behavioral2/files/0x0007000000023cbf-113.dat	upx
behavioral2/files/0x0007000000023cc0-117.dat	upx
behavioral2/memory/764-125-0x00007FF77C1B0000-0x00007FF77C501000-memory.dmp	upx
behavioral2/files/0x0007000000023cc2-134.dat	upx
behavioral2/memory/468-133-0x00007FF6D0E10000-0x00007FF6D1161000-memory.dmp	upx
behavioral2/files/0x0007000000023cc1-131.dat	upx
behavioral2/memory/2436-130-0x00007FF7BFBC0000-0x00007FF7BFF11000-memory.dmp	upx
behavioral2/memory/224-126-0x00007FF63C1C0000-0x00007FF63C511000-memory.dmp	upx
behavioral2/memory/2612-120-0x00007FF717400000-0x00007FF717751000-memory.dmp	upx
behavioral2/memory/4008-116-0x00007FF66F260000-0x00007FF66F5B1000-memory.dmp	upx
behavioral2/files/0x0007000000023cbe-111.dat	upx
behavioral2/memory/1688-110-0x00007FF6E1E00000-0x00007FF6E2151000-memory.dmp	upx
behavioral2/memory/2316-107-0x00007FF7A7890000-0x00007FF7A7BE1000-memory.dmp	upx
behavioral2/memory/4772-103-0x00007FF7ED040000-0x00007FF7ED391000-memory.dmp	upx
behavioral2/memory/4608-99-0x00007FF76ACF0000-0x00007FF76B041000-memory.dmp	upx
behavioral2/memory/4384-98-0x00007FF673250000-0x00007FF6735A1000-memory.dmp	upx
behavioral2/memory/3628-94-0x00007FF7C5A50000-0x00007FF7C5DA1000-memory.dmp	upx
behavioral2/files/0x0007000000023cbc-92.dat	upx
behavioral2/files/0x0007000000023cb9-82.dat	upx
behavioral2/memory/5084-79-0x00007FF758A50000-0x00007FF758DA1000-memory.dmp	upx
behavioral2/memory/4852-78-0x00007FF7964C0000-0x00007FF796811000-memory.dmp	upx
behavioral2/memory/1904-74-0x00007FF7F12C0000-0x00007FF7F1611000-memory.dmp	upx
behavioral2/memory/1436-64-0x00007FF7E2470000-0x00007FF7E27C1000-memory.dmp	upx
behavioral2/memory/8-136-0x00007FF696440000-0x00007FF696791000-memory.dmp	upx
behavioral2/memory/2696-144-0x00007FF70FF10000-0x00007FF710261000-memory.dmp	upx
behavioral2/memory/4864-147-0x00007FF75C230000-0x00007FF75C581000-memory.dmp	upx
behavioral2/memory/1904-146-0x00007FF7F12C0000-0x00007FF7F1611000-memory.dmp	upx
behavioral2/memory/2416-145-0x00007FF7DFB60000-0x00007FF7DFEB1000-memory.dmp	upx
behavioral2/memory/3628-148-0x00007FF7C5A50000-0x00007FF7C5DA1000-memory.dmp	upx
behavioral2/memory/4384-151-0x00007FF673250000-0x00007FF6735A1000-memory.dmp	upx
behavioral2/memory/4008-160-0x00007FF66F260000-0x00007FF66F5B1000-memory.dmp	upx
behavioral2/memory/468-163-0x00007FF6D0E10000-0x00007FF6D1161000-memory.dmp	upx
behavioral2/memory/224-162-0x00007FF63C1C0000-0x00007FF63C511000-memory.dmp	upx
behavioral2/memory/764-161-0x00007FF77C1B0000-0x00007FF77C501000-memory.dmp	upx
behavioral2/memory/1688-159-0x00007FF6E1E00000-0x00007FF6E2151000-memory.dmp	upx
behavioral2/memory/8-164-0x00007FF696440000-0x00007FF696791000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\EzACZaJ.exe	2024-10-09_650edeea4c3dd560f8d799d9fa38550d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QZofwfz.exe	2024-10-09_650edeea4c3dd560f8d799d9fa38550d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rESQTaB.exe	2024-10-09_650edeea4c3dd560f8d799d9fa38550d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fEYFdAK.exe	2024-10-09_650edeea4c3dd560f8d799d9fa38550d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SFPBDLK.exe	2024-10-09_650edeea4c3dd560f8d799d9fa38550d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NOlSBiA.exe	2024-10-09_650edeea4c3dd560f8d799d9fa38550d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xraUYsR.exe	2024-10-09_650edeea4c3dd560f8d799d9fa38550d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EvkjWCY.exe	2024-10-09_650edeea4c3dd560f8d799d9fa38550d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XUhFaxA.exe	2024-10-09_650edeea4c3dd560f8d799d9fa38550d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zrmFHpH.exe	2024-10-09_650edeea4c3dd560f8d799d9fa38550d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eOTzCTD.exe	2024-10-09_650edeea4c3dd560f8d799d9fa38550d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AuixOUU.exe	2024-10-09_650edeea4c3dd560f8d799d9fa38550d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wbJZxWP.exe	2024-10-09_650edeea4c3dd560f8d799d9fa38550d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nGwLOte.exe	2024-10-09_650edeea4c3dd560f8d799d9fa38550d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VsxgBOe.exe	2024-10-09_650edeea4c3dd560f8d799d9fa38550d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OhewwUA.exe	2024-10-09_650edeea4c3dd560f8d799d9fa38550d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bHmiOsh.exe	2024-10-09_650edeea4c3dd560f8d799d9fa38550d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zEifGzI.exe	2024-10-09_650edeea4c3dd560f8d799d9fa38550d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LlvozdU.exe	2024-10-09_650edeea4c3dd560f8d799d9fa38550d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DMpGbeS.exe	2024-10-09_650edeea4c3dd560f8d799d9fa38550d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jbeIgrA.exe	2024-10-09_650edeea4c3dd560f8d799d9fa38550d_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	8	2024-10-09_650edeea4c3dd560f8d799d9fa38550d_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	8	2024-10-09_650edeea4c3dd560f8d799d9fa38550d_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 8 wrote to memory of 1436	8	2024-10-09_650edeea4c3dd560f8d799d9fa38550d_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 8 wrote to memory of 1436	8	2024-10-09_650edeea4c3dd560f8d799d9fa38550d_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 8 wrote to memory of 4852	8	2024-10-09_650edeea4c3dd560f8d799d9fa38550d_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 8 wrote to memory of 4852	8	2024-10-09_650edeea4c3dd560f8d799d9fa38550d_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 8 wrote to memory of 5084	8	2024-10-09_650edeea4c3dd560f8d799d9fa38550d_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 8 wrote to memory of 5084	8	2024-10-09_650edeea4c3dd560f8d799d9fa38550d_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 8 wrote to memory of 4608	8	2024-10-09_650edeea4c3dd560f8d799d9fa38550d_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 8 wrote to memory of 4608	8	2024-10-09_650edeea4c3dd560f8d799d9fa38550d_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 8 wrote to memory of 2316	8	2024-10-09_650edeea4c3dd560f8d799d9fa38550d_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 8 wrote to memory of 2316	8	2024-10-09_650edeea4c3dd560f8d799d9fa38550d_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 8 wrote to memory of 2612	8	2024-10-09_650edeea4c3dd560f8d799d9fa38550d_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 8 wrote to memory of 2612	8	2024-10-09_650edeea4c3dd560f8d799d9fa38550d_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 8 wrote to memory of 2436	8	2024-10-09_650edeea4c3dd560f8d799d9fa38550d_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 8 wrote to memory of 2436	8	2024-10-09_650edeea4c3dd560f8d799d9fa38550d_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 8 wrote to memory of 2696	8	2024-10-09_650edeea4c3dd560f8d799d9fa38550d_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 8 wrote to memory of 2696	8	2024-10-09_650edeea4c3dd560f8d799d9fa38550d_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 8 wrote to memory of 2416	8	2024-10-09_650edeea4c3dd560f8d799d9fa38550d_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 8 wrote to memory of 2416	8	2024-10-09_650edeea4c3dd560f8d799d9fa38550d_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 8 wrote to memory of 4864	8	2024-10-09_650edeea4c3dd560f8d799d9fa38550d_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 8 wrote to memory of 4864	8	2024-10-09_650edeea4c3dd560f8d799d9fa38550d_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 8 wrote to memory of 1904	8	2024-10-09_650edeea4c3dd560f8d799d9fa38550d_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 8 wrote to memory of 1904	8	2024-10-09_650edeea4c3dd560f8d799d9fa38550d_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 8 wrote to memory of 244	8	2024-10-09_650edeea4c3dd560f8d799d9fa38550d_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 8 wrote to memory of 244	8	2024-10-09_650edeea4c3dd560f8d799d9fa38550d_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 8 wrote to memory of 3708	8	2024-10-09_650edeea4c3dd560f8d799d9fa38550d_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 8 wrote to memory of 3708	8	2024-10-09_650edeea4c3dd560f8d799d9fa38550d_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 8 wrote to memory of 3628	8	2024-10-09_650edeea4c3dd560f8d799d9fa38550d_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 8 wrote to memory of 3628	8	2024-10-09_650edeea4c3dd560f8d799d9fa38550d_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 8 wrote to memory of 4772	8	2024-10-09_650edeea4c3dd560f8d799d9fa38550d_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 8 wrote to memory of 4772	8	2024-10-09_650edeea4c3dd560f8d799d9fa38550d_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 8 wrote to memory of 4384	8	2024-10-09_650edeea4c3dd560f8d799d9fa38550d_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 8 wrote to memory of 4384	8	2024-10-09_650edeea4c3dd560f8d799d9fa38550d_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 8 wrote to memory of 1688	8	2024-10-09_650edeea4c3dd560f8d799d9fa38550d_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 8 wrote to memory of 1688	8	2024-10-09_650edeea4c3dd560f8d799d9fa38550d_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 8 wrote to memory of 4008	8	2024-10-09_650edeea4c3dd560f8d799d9fa38550d_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 8 wrote to memory of 4008	8	2024-10-09_650edeea4c3dd560f8d799d9fa38550d_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 8 wrote to memory of 764	8	2024-10-09_650edeea4c3dd560f8d799d9fa38550d_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 8 wrote to memory of 764	8	2024-10-09_650edeea4c3dd560f8d799d9fa38550d_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 8 wrote to memory of 224	8	2024-10-09_650edeea4c3dd560f8d799d9fa38550d_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 8 wrote to memory of 224	8	2024-10-09_650edeea4c3dd560f8d799d9fa38550d_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 8 wrote to memory of 468	8	2024-10-09_650edeea4c3dd560f8d799d9fa38550d_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 8 wrote to memory of 468	8	2024-10-09_650edeea4c3dd560f8d799d9fa38550d_cobalt-strike_cobaltstrike_poet-rat.exe	107

C:\Users\Admin\AppData\Local\Temp\2024-10-09_650edeea4c3dd560f8d799d9fa38550d_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-09_650edeea4c3dd560f8d799d9fa38550d_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:8
- C:\Windows\System\QZofwfz.exe
  C:\Windows\System\QZofwfz.exe
  2⤵
  - Executes dropped EXE
  PID:1436
- C:\Windows\System\zEifGzI.exe
  C:\Windows\System\zEifGzI.exe
  2⤵
  - Executes dropped EXE
  PID:4852
- C:\Windows\System\LlvozdU.exe
  C:\Windows\System\LlvozdU.exe
  2⤵
  - Executes dropped EXE
  PID:5084
- C:\Windows\System\DMpGbeS.exe
  C:\Windows\System\DMpGbeS.exe
  2⤵
  - Executes dropped EXE
  PID:4608
- C:\Windows\System\jbeIgrA.exe
  C:\Windows\System\jbeIgrA.exe
  2⤵
  - Executes dropped EXE
  PID:2316
- C:\Windows\System\zrmFHpH.exe
  C:\Windows\System\zrmFHpH.exe
  2⤵
  - Executes dropped EXE
  PID:2612
- C:\Windows\System\rESQTaB.exe
  C:\Windows\System\rESQTaB.exe
  2⤵
  - Executes dropped EXE
  PID:2436
- C:\Windows\System\eOTzCTD.exe
  C:\Windows\System\eOTzCTD.exe
  2⤵
  - Executes dropped EXE
  PID:2696
- C:\Windows\System\AuixOUU.exe
  C:\Windows\System\AuixOUU.exe
  2⤵
  - Executes dropped EXE
  PID:2416
- C:\Windows\System\NOlSBiA.exe
  C:\Windows\System\NOlSBiA.exe
  2⤵
  - Executes dropped EXE
  PID:4864
- C:\Windows\System\nGwLOte.exe
  C:\Windows\System\nGwLOte.exe
  2⤵
  - Executes dropped EXE
  PID:1904
- C:\Windows\System\VsxgBOe.exe
  C:\Windows\System\VsxgBOe.exe
  2⤵
  - Executes dropped EXE
  PID:244
- C:\Windows\System\fEYFdAK.exe
  C:\Windows\System\fEYFdAK.exe
  2⤵
  - Executes dropped EXE
  PID:3708
- C:\Windows\System\xraUYsR.exe
  C:\Windows\System\xraUYsR.exe
  2⤵
  - Executes dropped EXE
  PID:3628
- C:\Windows\System\OhewwUA.exe
  C:\Windows\System\OhewwUA.exe
  2⤵
  - Executes dropped EXE
  PID:4772
- C:\Windows\System\EvkjWCY.exe
  C:\Windows\System\EvkjWCY.exe
  2⤵
  - Executes dropped EXE
  PID:4384
- C:\Windows\System\wbJZxWP.exe
  C:\Windows\System\wbJZxWP.exe
  2⤵
  - Executes dropped EXE
  PID:1688
- C:\Windows\System\SFPBDLK.exe
  C:\Windows\System\SFPBDLK.exe
  2⤵
  - Executes dropped EXE
  PID:4008
- C:\Windows\System\EzACZaJ.exe
  C:\Windows\System\EzACZaJ.exe
  2⤵
  - Executes dropped EXE
  PID:764
- C:\Windows\System\bHmiOsh.exe
  C:\Windows\System\bHmiOsh.exe
  2⤵
  - Executes dropped EXE
  PID:224
- C:\Windows\System\XUhFaxA.exe
  C:\Windows\System\XUhFaxA.exe
  2⤵
  - Executes dropped EXE
  PID:468

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AuixOUU.exe

Filesize
5.2MB

MD5
d1aa760880eeb61a412a3a47657f9e31

SHA1
75434077bbe64e389f91ec19985fc7a581c0d6f0

SHA256
c3a87b83f91e4e97258d89cec207a7a11063ca289e67e262637ab0ea16ec502d

SHA512
7c9626475de46cb237658db283019519b9039ec319bc79db239a9eec5140de4d1cdc8a128075429514c985b5424fea56be5853938dc8927714268ff00ca08724

Download Submit
C:\Windows\System\DMpGbeS.exe

Filesize
5.2MB

MD5
36f2480d80cbd1b1256bc0b0f95a2bdd

SHA1
3302bc4b6670005344baf3c4620beef69f5acfa5

SHA256
a3ab8190a29664ef11e3914c9cfe831c58eb415c6bdaa64378075de87525620e

SHA512
43fe726a864d4f6afc1254113cad32622ef914936119cae63f8f1a834149a75f9c149a205e30224f3736594ba5da99f2339d00e9a18835c0af2dde7f279ac832

Download Submit
C:\Windows\System\EvkjWCY.exe

Filesize
5.2MB

MD5
dbea1f66a9145d640f27db8b9c2fe373

SHA1
05947ec7f7364cc54122ed141368298bad6badd1

SHA256
81bf5ca622024666079c250ba32db722b90c20a91b734f1f4c39fd8b027965c5

SHA512
0c9cb0dfed74126f015b8e52076a3f2c2a5bca0cfd18ab661a6522a3386e85eafd98f6295795bf3e398d9954f31c43d85313a5988324f5e7c05b93132d5c745a

Download Submit
C:\Windows\System\EzACZaJ.exe

Filesize
5.2MB

MD5
086c5643568aa78469d0d78c4af3e684

SHA1
7ad067a50a7c331fc7deef28bc0df4a57d46f2f1

SHA256
144012da448d64fded88d042922246377f64c48638cdd59fdf0f0007e2bc0363

SHA512
fe5836c57f9c0b62b3b94df12d3a8b8dedff68ba8c3c20bf4d1c7f14ea8311b1ef8039fd2c7f34ef12d8ee04a2913d141b13d3a9265700d88cd0743fac75e91a

Download Submit
C:\Windows\System\LlvozdU.exe

Filesize
5.2MB

MD5
db9c37f01765c893ab26076573809cd1

SHA1
370851fa2d73617a1da9f47cc9c934716434d464

SHA256
16eb8cef4a4c27066ba107caca0eadbb693280cb3e61a7bf7e1c8ea2b4b03983

SHA512
fabbdb41a00da791fb4724b6be21cba0a5fb2b3fb1ebaf86f00390b44eb0524f1ae81e015a6d8197dbbd295c3d9dbed3e67b317b2cac5adc3180a698dbe91614

Download Submit
C:\Windows\System\NOlSBiA.exe

Filesize
5.2MB

MD5
7fa8a8be9c32911eb4dbe1ca1797be57

SHA1
ea929bfa76cd679d12dbd6953e0a025f9664d841

SHA256
e7bec16926896ae00894f9779126eed86b3120f5a81dcd608d62a27fc8b4b2e7

SHA512
9bdd68d4e4465afed46a64a459ade7a25d4ccb09f1ea2dfc8456cab5362e4452f0c59542d53ad3fd219b0096f80bc7ae012405a88572ae74f8e2bb32c8bc1ad0

Download Submit
C:\Windows\System\OhewwUA.exe

Filesize
5.2MB

MD5
90589ae12181a70349ff71fe0a5bb0f6

SHA1
ae1c4b9214cc487c1637333b05a324415e7f46a9

SHA256
600f826f9446647b8e522b5c571293722801872c8bf6476d3180d99a1ede185d

SHA512
d5ab9bd392d0f11241a5f1e45ab11b86272eae44495805d6ab626c953aeea017a3eddb91a036cfd6fe1b539162b8c433c0ae4cee62956a818fece2c4b2f581c4

Download Submit
C:\Windows\System\QZofwfz.exe

Filesize
5.2MB

MD5
20079ccf7f3366331e1933ca2106ce49

SHA1
6bdfd7f927289f178db57a598a814083cc6d90ca

SHA256
e0feeccffa510f1e36228eb2467eea49cc037d71efa305df78816fa8cad89b46

SHA512
3b6535e221d55d60b38f721f49781647c9cf719541c35f8a03ead64d3df40d1e89b5466b9b5a72d162f7a128d027e8ff443d63356473835ed0747ffabcbcd4af

Download Submit
C:\Windows\System\SFPBDLK.exe

Filesize
5.2MB

MD5
344f429924b0c13931fb1d0acf72719c

SHA1
027abb1b2e70a761dd9a55a819e9134b0d7e7911

SHA256
86a941ea9642a082d6115408d22f391684338f89fdd8bf3c530900125efaf983

SHA512
b3ac495689dcc02bdddfcb54fa47c36b3f50a2debe992342d2158dc731a81e6741014956e5125965d21c6fa8d189b3f483b36eb08c53838aae6f393f4a0f7b74

Download Submit
C:\Windows\System\VsxgBOe.exe

Filesize
5.2MB

MD5
24a06972ccbf93ce14101ae4f41e8f28

SHA1
001ecf8ef89d12db5a646534f1785c510452ac24

SHA256
1a3b9ebc7689d26bd655d3170cdb4cbdeb1cddc4f04cad36c2e3d5f1f7a91068

SHA512
fbbe4616f1614a7ba7d9044595540e096aa26970e9ac348ec06a1dad94aad226dd5d0824a2dc6e9d740f450fd4359215ab84a29af48f655dcfcd6ce574b71b0f

Download Submit
C:\Windows\System\XUhFaxA.exe

Filesize
5.2MB

MD5
0a38e341f3285949ea7e6477e2b08b66

SHA1
144fe48395e53891f5bcf22bef6726a8126dd193

SHA256
060a773e248f90849fee0cd4976d2798e243ca55561ea2ba6f9971d3c1d67a88

SHA512
447457d18a67719aa0681c1290d004abe67cba2aa0e5a8a757a99a9bb8d4be17cd8aa41aa412637d8a847bc2dde33dbee8b2bce2932ee129cf0a445a458197a6

Download Submit
C:\Windows\System\bHmiOsh.exe

Filesize
5.2MB

MD5
f002a35feaf745656c90a7d6274c4491

SHA1
4fff3345d5429bb33b50d1c38973c824e20c4838

SHA256
ed61eeb3fe9f638d6e52f11e6c1b136c1482cb6c60894a01717ed09bf5a48cc8

SHA512
7a9c8f4c8d154b74550cfa8dcb5933b363b1f25834f6010f8ca0c953925f774824cbb1f0d4b9fb78f84574280d00f9ed125a130ba7accf8baa75f4a2ebe15664

Download Submit
C:\Windows\System\eOTzCTD.exe

Filesize
5.2MB

MD5
dd68ea91f27d44dfa8838dec8f42ec3d

SHA1
31adff3040b17f18973b06cba1be48bcdb56694d

SHA256
22a04e0e24e81736d02a7c7f26d9d9cb8c2ee359e9a0dbb7792199d06d0b5ff0

SHA512
b3ac109b43650156598b83805c5a9d6e3714b22da4a4e9ffbe9aef4ff3027d788ebc1293f87d142aed64499e31c08d5581ef7d2551804e9aad959b58aa9cc119

Download Submit
C:\Windows\System\fEYFdAK.exe

Filesize
5.2MB

MD5
b6e73f0c1dc93a8afda89ccff4a429d8

SHA1
fe98de0a6c63e1d8f83a97989294fd7c267fa7e8

SHA256
f0fdaf92d57d83807fc6317b76f9c2aad7895ba13eb5a247fb7fabf36b802477

SHA512
40bb2f9572a09387d014decd6ed9fb133facbaa523b49e143dfbd9904fcf2dc00155fd6f22430aea586136dd54699eb292121e4f5b2f8e9d02ede4b9b1880b64

Download Submit
C:\Windows\System\jbeIgrA.exe

Filesize
5.2MB

MD5
0f03257569b85c734d76bb603bf22ab3

SHA1
026a0944cf3aefe573d99f3d6b9ce9396d106094

SHA256
4f4e3cf86fb9f7783e296e837ca30d17962778e0680ca274a66842f74ef88e6f

SHA512
4a227817eebf0c490e2e873f0521d39e2e0985376faf6e4d0146cb418acc2be10e1832817f7960dc546adaf3652824f7005e55199acc1223b6f269384c87cca0

Download Submit
C:\Windows\System\nGwLOte.exe

Filesize
5.2MB

MD5
1b66468d739f642b198695415844223f

SHA1
a01242c21a690b89a41eb1d1af9639ce2f83bc54

SHA256
95327ff52857045633e7be4874020fcd3d1c34a3904ba645d5f0eba6e498fbde

SHA512
3c2ea39341e1a3d395c6ebb8538d64a83f9866a5ce10f097d07aa5eb273e6c836aaf1134c9c70b770f8b5c1ce06b89bfd032c9e8eadc034d6d3965d7830241ad

Download Submit
C:\Windows\System\rESQTaB.exe

Filesize
5.2MB

MD5
2dd13fcf19195b1297fccdec5ba79fd7

SHA1
15c1ce0f3625a968d7fd30d3aa920bc8ac992050

SHA256
e90d9456ea57b77d595a6d17633d5ff2dc922650d9e58a0b6908f4e44ce0e240

SHA512
e7faef3d4c61aa33d420dd4e557ed11d1d61295d0bf4259776e0f7fdc0f0363be017fa3a429f40f09e3e6b77cbf86b148d65f6cb316d7e565d46a2aff682507c

Download Submit
C:\Windows\System\wbJZxWP.exe

Filesize
5.2MB

MD5
d969a93d24ff1be8aa8fc71130fb4c3b

SHA1
2a1e7ffc16aee722a39a6449a4b47fcd1e8b17ac

SHA256
6d8c8ebf58dac9dff724cc476428aef60d2890758e3400ccbd086655740ba85e

SHA512
7ee6828aee289c947cf29d7158f41f7005c7e4c2fe4f494d0718f3bf565f9394f795ade1d13eb22a67674eab5c72b26a1c873bf9fe396372f52ffccd6db78567

Download Submit
C:\Windows\System\xraUYsR.exe

Filesize
5.2MB

MD5
7c0e4881eabd93d69c5cbccdfb42786f

SHA1
255bf114526e799f0820e9226c0b5e3530b15bd2

SHA256
a735ca454256c3219b68250e8fc8289046cea42eed1c9e389218530a5beeea9a

SHA512
2d4fe77c0b077ca654f0cdd325ec0d1c154c8479056466d51b628ae4185d23751e76efd3b21018c47e0a2fd81c505229c537368726ff11c31c909f1c4919a2fb

Download Submit
C:\Windows\System\zEifGzI.exe

Filesize
5.2MB

MD5
bf01eb9a0068845a76ab0c5e85f2417d

SHA1
7da58b191fc50c70d0fa806abda7281d86cfe8d7

SHA256
a687dd4fcfca078563a80b9654a90e6002affb87ffed83c065f516262bdec212

SHA512
2dc03822a6cfad44dd828ec403ec50eb2c669e62f5441095b4bed5a3ae842864581e0e639090e6d504ef1e69e0cec062ed241bc106209b64d135a3c6590de3ce

Download Submit
C:\Windows\System\zrmFHpH.exe

Filesize
5.2MB

MD5
686fdb681a7f17199c9cd44e8ddeb0bc

SHA1
48aceab64c1aaf5bc546e85e7afd9a123c1c0cd1

SHA256
cac1f8824c65800fb33a2d1cdaa9e3e2d700b74bc3f7e924b5a9898fd2f54b18

SHA512
6b90bedf8671370e11e44150b255cc94fa4e186240108e99f7118b54ec421ed1a2eac40aac97d75d4112ffc0309bf5dafc156fbd9456425802605609ef1c37e3

Download Submit
memory/8-54-0x00007FF696440000-0x00007FF696791000-memory.dmp

Filesize
3.3MB

Download
memory/8-164-0x00007FF696440000-0x00007FF696791000-memory.dmp

Filesize
3.3MB

Download
memory/8-0-0x00007FF696440000-0x00007FF696791000-memory.dmp

Filesize
3.3MB

Download
memory/8-136-0x00007FF696440000-0x00007FF696791000-memory.dmp

Filesize
3.3MB

Download
memory/8-1-0x0000021771490000-0x00000217714A0000-memory.dmp

Filesize
64KB

Download
memory/224-162-0x00007FF63C1C0000-0x00007FF63C511000-memory.dmp

Filesize
3.3MB

Download
memory/224-270-0x00007FF63C1C0000-0x00007FF63C511000-memory.dmp

Filesize
3.3MB

Download
memory/224-126-0x00007FF63C1C0000-0x00007FF63C511000-memory.dmp

Filesize
3.3MB

Download
memory/244-86-0x00007FF780100000-0x00007FF780451000-memory.dmp

Filesize
3.3MB

Download
memory/244-253-0x00007FF780100000-0x00007FF780451000-memory.dmp

Filesize
3.3MB

Download
memory/468-271-0x00007FF6D0E10000-0x00007FF6D1161000-memory.dmp

Filesize
3.3MB

Download
memory/468-163-0x00007FF6D0E10000-0x00007FF6D1161000-memory.dmp

Filesize
3.3MB

Download
memory/468-133-0x00007FF6D0E10000-0x00007FF6D1161000-memory.dmp

Filesize
3.3MB

Download
memory/764-161-0x00007FF77C1B0000-0x00007FF77C501000-memory.dmp

Filesize
3.3MB

Download
memory/764-125-0x00007FF77C1B0000-0x00007FF77C501000-memory.dmp

Filesize
3.3MB

Download
memory/764-267-0x00007FF77C1B0000-0x00007FF77C501000-memory.dmp

Filesize
3.3MB

Download
memory/1436-64-0x00007FF7E2470000-0x00007FF7E27C1000-memory.dmp

Filesize
3.3MB

Download
memory/1436-212-0x00007FF7E2470000-0x00007FF7E27C1000-memory.dmp

Filesize
3.3MB

Download
memory/1436-8-0x00007FF7E2470000-0x00007FF7E27C1000-memory.dmp

Filesize
3.3MB

Download
memory/1688-159-0x00007FF6E1E00000-0x00007FF6E2151000-memory.dmp

Filesize
3.3MB

Download
memory/1688-110-0x00007FF6E1E00000-0x00007FF6E2151000-memory.dmp

Filesize
3.3MB

Download
memory/1688-263-0x00007FF6E1E00000-0x00007FF6E2151000-memory.dmp

Filesize
3.3MB

Download
memory/1904-146-0x00007FF7F12C0000-0x00007FF7F1611000-memory.dmp

Filesize
3.3MB

Download
memory/1904-74-0x00007FF7F12C0000-0x00007FF7F1611000-memory.dmp

Filesize
3.3MB

Download
memory/1904-247-0x00007FF7F12C0000-0x00007FF7F1611000-memory.dmp

Filesize
3.3MB

Download
memory/2316-225-0x00007FF7A7890000-0x00007FF7A7BE1000-memory.dmp

Filesize
3.3MB

Download
memory/2316-33-0x00007FF7A7890000-0x00007FF7A7BE1000-memory.dmp

Filesize
3.3MB

Download
memory/2316-107-0x00007FF7A7890000-0x00007FF7A7BE1000-memory.dmp

Filesize
3.3MB

Download
memory/2416-240-0x00007FF7DFB60000-0x00007FF7DFEB1000-memory.dmp

Filesize
3.3MB

Download
memory/2416-59-0x00007FF7DFB60000-0x00007FF7DFEB1000-memory.dmp

Filesize
3.3MB

Download
memory/2416-145-0x00007FF7DFB60000-0x00007FF7DFEB1000-memory.dmp

Filesize
3.3MB

Download
memory/2436-236-0x00007FF7BFBC0000-0x00007FF7BFF11000-memory.dmp

Filesize
3.3MB

Download
memory/2436-42-0x00007FF7BFBC0000-0x00007FF7BFF11000-memory.dmp

Filesize
3.3MB

Download
memory/2436-130-0x00007FF7BFBC0000-0x00007FF7BFF11000-memory.dmp

Filesize
3.3MB

Download
memory/2612-120-0x00007FF717400000-0x00007FF717751000-memory.dmp

Filesize
3.3MB

Download
memory/2612-227-0x00007FF717400000-0x00007FF717751000-memory.dmp

Filesize
3.3MB

Download
memory/2612-36-0x00007FF717400000-0x00007FF717751000-memory.dmp

Filesize
3.3MB

Download
memory/2696-238-0x00007FF70FF10000-0x00007FF710261000-memory.dmp

Filesize
3.3MB

Download
memory/2696-144-0x00007FF70FF10000-0x00007FF710261000-memory.dmp

Filesize
3.3MB

Download
memory/2696-49-0x00007FF70FF10000-0x00007FF710261000-memory.dmp

Filesize
3.3MB

Download
memory/3628-148-0x00007FF7C5A50000-0x00007FF7C5DA1000-memory.dmp

Filesize
3.3MB

Download
memory/3628-257-0x00007FF7C5A50000-0x00007FF7C5DA1000-memory.dmp

Filesize
3.3MB

Download
memory/3628-94-0x00007FF7C5A50000-0x00007FF7C5DA1000-memory.dmp

Filesize
3.3MB

Download
memory/3708-256-0x00007FF6CBBE0000-0x00007FF6CBF31000-memory.dmp

Filesize
3.3MB

Download
memory/3708-100-0x00007FF6CBBE0000-0x00007FF6CBF31000-memory.dmp

Filesize
3.3MB

Download
memory/4008-160-0x00007FF66F260000-0x00007FF66F5B1000-memory.dmp

Filesize
3.3MB

Download
memory/4008-116-0x00007FF66F260000-0x00007FF66F5B1000-memory.dmp

Filesize
3.3MB

Download
memory/4008-265-0x00007FF66F260000-0x00007FF66F5B1000-memory.dmp

Filesize
3.3MB

Download
memory/4384-98-0x00007FF673250000-0x00007FF6735A1000-memory.dmp

Filesize
3.3MB

Download
memory/4384-151-0x00007FF673250000-0x00007FF6735A1000-memory.dmp

Filesize
3.3MB

Download
memory/4384-261-0x00007FF673250000-0x00007FF6735A1000-memory.dmp

Filesize
3.3MB

Download
memory/4608-223-0x00007FF76ACF0000-0x00007FF76B041000-memory.dmp

Filesize
3.3MB

Download
memory/4608-29-0x00007FF76ACF0000-0x00007FF76B041000-memory.dmp

Filesize
3.3MB

Download
memory/4608-99-0x00007FF76ACF0000-0x00007FF76B041000-memory.dmp

Filesize
3.3MB

Download
memory/4772-259-0x00007FF7ED040000-0x00007FF7ED391000-memory.dmp

Filesize
3.3MB

Download
memory/4772-103-0x00007FF7ED040000-0x00007FF7ED391000-memory.dmp

Filesize
3.3MB

Download
memory/4852-78-0x00007FF7964C0000-0x00007FF796811000-memory.dmp

Filesize
3.3MB

Download
memory/4852-219-0x00007FF7964C0000-0x00007FF796811000-memory.dmp

Filesize
3.3MB

Download
memory/4852-16-0x00007FF7964C0000-0x00007FF796811000-memory.dmp

Filesize
3.3MB

Download
memory/4864-68-0x00007FF75C230000-0x00007FF75C581000-memory.dmp

Filesize
3.3MB

Download
memory/4864-242-0x00007FF75C230000-0x00007FF75C581000-memory.dmp

Filesize
3.3MB

Download
memory/4864-147-0x00007FF75C230000-0x00007FF75C581000-memory.dmp

Filesize
3.3MB

Download
memory/5084-79-0x00007FF758A50000-0x00007FF758DA1000-memory.dmp

Filesize
3.3MB

Download
memory/5084-221-0x00007FF758A50000-0x00007FF758DA1000-memory.dmp

Filesize
3.3MB

Download
memory/5084-23-0x00007FF758A50000-0x00007FF758DA1000-memory.dmp

Filesize
3.3MB

Download