cobaltstrike | 2128ccac979b26d874bd54b97b6d6feaae133ddcb8340da6a2d38614c77178f8

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-11-2024 21:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-11_e3ed426e7ad495fdb649578d3e50e500_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

e3ed426e7ad495fdb649578d3e50e500
SHA1

e95009fdb0ebd368a17c0c15750677175f8345b3
SHA256

2128ccac979b26d874bd54b97b6d6feaae133ddcb8340da6a2d38614c77178f8
SHA512

e36819585c52637e6f5eff8250125180dbdf87f3bbc68c6149d06daeafebddeae634498c01e9a58182c8e9efd883b2688571ac63592ea9f841fd6ff221759633
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lV:RWWBibf56utgpPFotBER/mQ32lUB

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000c000000023b5c-5.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023bd3-10.dat	cobalt_reflective_dll
behavioral2/files/0x000e000000023bd7-13.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bd9-26.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bdc-32.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bdd-35.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bdf-48.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c0f-61.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c0e-59.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bde-45.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c11-69.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c12-75.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c18-86.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c19-94.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c32-113.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c2c-127.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c34-126.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c33-118.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c1a-105.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c13-96.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c10-70.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 46 IoCs

miner

resource	yara_rule
behavioral2/memory/4992-54-0x00007FF6DB6C0000-0x00007FF6DBA11000-memory.dmp	xmrig
behavioral2/memory/1188-43-0x00007FF70FFD0000-0x00007FF710321000-memory.dmp	xmrig
behavioral2/memory/4788-39-0x00007FF6DFED0000-0x00007FF6E0221000-memory.dmp	xmrig
behavioral2/memory/332-29-0x00007FF6B53B0000-0x00007FF6B5701000-memory.dmp	xmrig
behavioral2/memory/3336-120-0x00007FF6C0CD0000-0x00007FF6C1021000-memory.dmp	xmrig
behavioral2/memory/4620-122-0x00007FF642830000-0x00007FF642B81000-memory.dmp	xmrig
behavioral2/memory/4840-119-0x00007FF6491F0000-0x00007FF649541000-memory.dmp	xmrig
behavioral2/memory/2968-110-0x00007FF6BAF50000-0x00007FF6BB2A1000-memory.dmp	xmrig
behavioral2/memory/4312-91-0x00007FF7ACF80000-0x00007FF7AD2D1000-memory.dmp	xmrig
behavioral2/memory/2012-88-0x00007FF6784A0000-0x00007FF6787F1000-memory.dmp	xmrig
behavioral2/memory/4540-87-0x00007FF6DD3B0000-0x00007FF6DD701000-memory.dmp	xmrig
behavioral2/memory/4516-74-0x00007FF7456D0000-0x00007FF745A21000-memory.dmp	xmrig
behavioral2/memory/4516-132-0x00007FF7456D0000-0x00007FF745A21000-memory.dmp	xmrig
behavioral2/memory/2680-140-0x00007FF61FC30000-0x00007FF61FF81000-memory.dmp	xmrig
behavioral2/memory/3960-143-0x00007FF741FB0000-0x00007FF742301000-memory.dmp	xmrig
behavioral2/memory/2100-142-0x00007FF7E7E30000-0x00007FF7E8181000-memory.dmp	xmrig
behavioral2/memory/1744-144-0x00007FF6A1800000-0x00007FF6A1B51000-memory.dmp	xmrig
behavioral2/memory/2128-145-0x00007FF7252C0000-0x00007FF725611000-memory.dmp	xmrig
behavioral2/memory/4588-154-0x00007FF7F7700000-0x00007FF7F7A51000-memory.dmp	xmrig
behavioral2/memory/2624-155-0x00007FF63A860000-0x00007FF63ABB1000-memory.dmp	xmrig
behavioral2/memory/4620-153-0x00007FF642830000-0x00007FF642B81000-memory.dmp	xmrig
behavioral2/memory/3364-152-0x00007FF6D1A70000-0x00007FF6D1DC1000-memory.dmp	xmrig
behavioral2/memory/5032-151-0x00007FF74A5B0000-0x00007FF74A901000-memory.dmp	xmrig
behavioral2/memory/1688-150-0x00007FF6F7C90000-0x00007FF6F7FE1000-memory.dmp	xmrig
behavioral2/memory/4516-156-0x00007FF7456D0000-0x00007FF745A21000-memory.dmp	xmrig
behavioral2/memory/4540-213-0x00007FF6DD3B0000-0x00007FF6DD701000-memory.dmp	xmrig
behavioral2/memory/2012-215-0x00007FF6784A0000-0x00007FF6787F1000-memory.dmp	xmrig
behavioral2/memory/332-217-0x00007FF6B53B0000-0x00007FF6B5701000-memory.dmp	xmrig
behavioral2/memory/4788-220-0x00007FF6DFED0000-0x00007FF6E0221000-memory.dmp	xmrig
behavioral2/memory/4840-223-0x00007FF6491F0000-0x00007FF649541000-memory.dmp	xmrig
behavioral2/memory/1188-221-0x00007FF70FFD0000-0x00007FF710321000-memory.dmp	xmrig
behavioral2/memory/2680-227-0x00007FF61FC30000-0x00007FF61FF81000-memory.dmp	xmrig
behavioral2/memory/4992-226-0x00007FF6DB6C0000-0x00007FF6DBA11000-memory.dmp	xmrig
behavioral2/memory/3960-229-0x00007FF741FB0000-0x00007FF742301000-memory.dmp	xmrig
behavioral2/memory/2100-231-0x00007FF7E7E30000-0x00007FF7E8181000-memory.dmp	xmrig
behavioral2/memory/1744-243-0x00007FF6A1800000-0x00007FF6A1B51000-memory.dmp	xmrig
behavioral2/memory/2128-247-0x00007FF7252C0000-0x00007FF725611000-memory.dmp	xmrig
behavioral2/memory/4312-245-0x00007FF7ACF80000-0x00007FF7AD2D1000-memory.dmp	xmrig
behavioral2/memory/2968-249-0x00007FF6BAF50000-0x00007FF6BB2A1000-memory.dmp	xmrig
behavioral2/memory/2624-251-0x00007FF63A860000-0x00007FF63ABB1000-memory.dmp	xmrig
behavioral2/memory/1688-253-0x00007FF6F7C90000-0x00007FF6F7FE1000-memory.dmp	xmrig
behavioral2/memory/3336-255-0x00007FF6C0CD0000-0x00007FF6C1021000-memory.dmp	xmrig
behavioral2/memory/3364-261-0x00007FF6D1A70000-0x00007FF6D1DC1000-memory.dmp	xmrig
behavioral2/memory/4588-259-0x00007FF7F7700000-0x00007FF7F7A51000-memory.dmp	xmrig
behavioral2/memory/5032-257-0x00007FF74A5B0000-0x00007FF74A901000-memory.dmp	xmrig
behavioral2/memory/4620-264-0x00007FF642830000-0x00007FF642B81000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4540	AXnTooB.exe
2012	pYhomQc.exe
332	XwJmnlP.exe
4788	piMokec.exe
4840	CyWHxpJ.exe
1188	HrmonyK.exe
4992	OyPZeni.exe
2680	FDAQDjY.exe
2100	GKghiUz.exe
3960	psFzTeY.exe
1744	OmJEauh.exe
2128	kYKjekA.exe
4312	ASIwUCX.exe
2968	cWGTIPf.exe
2624	kgafWDY.exe
3336	FmQtsho.exe
1688	iCnhaID.exe
5032	xvGsNxN.exe
3364	USYrBwi.exe
4620	lOwgbAG.exe
4588	ebdINIh.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4516-0-0x00007FF7456D0000-0x00007FF745A21000-memory.dmp	upx
behavioral2/files/0x000c000000023b5c-5.dat	upx
behavioral2/memory/4540-6-0x00007FF6DD3B0000-0x00007FF6DD701000-memory.dmp	upx
behavioral2/files/0x0009000000023bd3-10.dat	upx
behavioral2/files/0x000e000000023bd7-13.dat	upx
behavioral2/files/0x0008000000023bd9-26.dat	upx
behavioral2/files/0x0008000000023bdc-32.dat	upx
behavioral2/files/0x0008000000023bdd-35.dat	upx
behavioral2/memory/2680-44-0x00007FF61FC30000-0x00007FF61FF81000-memory.dmp	upx
behavioral2/files/0x0008000000023bdf-48.dat	upx
behavioral2/memory/2100-57-0x00007FF7E7E30000-0x00007FF7E8181000-memory.dmp	upx
behavioral2/files/0x0008000000023c0f-61.dat	upx
behavioral2/files/0x0008000000023c0e-59.dat	upx
behavioral2/memory/3960-58-0x00007FF741FB0000-0x00007FF742301000-memory.dmp	upx
behavioral2/memory/4992-54-0x00007FF6DB6C0000-0x00007FF6DBA11000-memory.dmp	upx
behavioral2/files/0x0008000000023bde-45.dat	upx
behavioral2/memory/1188-43-0x00007FF70FFD0000-0x00007FF710321000-memory.dmp	upx
behavioral2/memory/4788-39-0x00007FF6DFED0000-0x00007FF6E0221000-memory.dmp	upx
behavioral2/memory/4840-34-0x00007FF6491F0000-0x00007FF649541000-memory.dmp	upx
behavioral2/memory/332-29-0x00007FF6B53B0000-0x00007FF6B5701000-memory.dmp	upx
behavioral2/memory/2012-15-0x00007FF6784A0000-0x00007FF6787F1000-memory.dmp	upx
behavioral2/files/0x0008000000023c11-69.dat	upx
behavioral2/files/0x0008000000023c12-75.dat	upx
behavioral2/files/0x0008000000023c18-86.dat	upx
behavioral2/files/0x0008000000023c19-94.dat	upx
behavioral2/files/0x0008000000023c32-113.dat	upx
behavioral2/memory/3336-120-0x00007FF6C0CD0000-0x00007FF6C1021000-memory.dmp	upx
behavioral2/memory/4620-122-0x00007FF642830000-0x00007FF642B81000-memory.dmp	upx
behavioral2/memory/4588-124-0x00007FF7F7700000-0x00007FF7F7A51000-memory.dmp	upx
behavioral2/files/0x0008000000023c2c-127.dat	upx
behavioral2/files/0x0008000000023c34-126.dat	upx
behavioral2/memory/5032-123-0x00007FF74A5B0000-0x00007FF74A901000-memory.dmp	upx
behavioral2/memory/3364-121-0x00007FF6D1A70000-0x00007FF6D1DC1000-memory.dmp	upx
behavioral2/memory/4840-119-0x00007FF6491F0000-0x00007FF649541000-memory.dmp	upx
behavioral2/files/0x0008000000023c33-118.dat	upx
behavioral2/memory/2968-110-0x00007FF6BAF50000-0x00007FF6BB2A1000-memory.dmp	upx
behavioral2/memory/1688-109-0x00007FF6F7C90000-0x00007FF6F7FE1000-memory.dmp	upx
behavioral2/files/0x0008000000023c1a-105.dat	upx
behavioral2/files/0x0008000000023c13-96.dat	upx
behavioral2/memory/2624-97-0x00007FF63A860000-0x00007FF63ABB1000-memory.dmp	upx
behavioral2/memory/4312-91-0x00007FF7ACF80000-0x00007FF7AD2D1000-memory.dmp	upx
behavioral2/memory/2012-88-0x00007FF6784A0000-0x00007FF6787F1000-memory.dmp	upx
behavioral2/memory/4540-87-0x00007FF6DD3B0000-0x00007FF6DD701000-memory.dmp	upx
behavioral2/memory/2128-82-0x00007FF7252C0000-0x00007FF725611000-memory.dmp	upx
behavioral2/memory/4516-74-0x00007FF7456D0000-0x00007FF745A21000-memory.dmp	upx
behavioral2/files/0x0008000000023c10-70.dat	upx
behavioral2/memory/1744-68-0x00007FF6A1800000-0x00007FF6A1B51000-memory.dmp	upx
behavioral2/memory/4516-132-0x00007FF7456D0000-0x00007FF745A21000-memory.dmp	upx
behavioral2/memory/2680-140-0x00007FF61FC30000-0x00007FF61FF81000-memory.dmp	upx
behavioral2/memory/3960-143-0x00007FF741FB0000-0x00007FF742301000-memory.dmp	upx
behavioral2/memory/2100-142-0x00007FF7E7E30000-0x00007FF7E8181000-memory.dmp	upx
behavioral2/memory/1744-144-0x00007FF6A1800000-0x00007FF6A1B51000-memory.dmp	upx
behavioral2/memory/2128-145-0x00007FF7252C0000-0x00007FF725611000-memory.dmp	upx
behavioral2/memory/4588-154-0x00007FF7F7700000-0x00007FF7F7A51000-memory.dmp	upx
behavioral2/memory/2624-155-0x00007FF63A860000-0x00007FF63ABB1000-memory.dmp	upx
behavioral2/memory/4620-153-0x00007FF642830000-0x00007FF642B81000-memory.dmp	upx
behavioral2/memory/3364-152-0x00007FF6D1A70000-0x00007FF6D1DC1000-memory.dmp	upx
behavioral2/memory/5032-151-0x00007FF74A5B0000-0x00007FF74A901000-memory.dmp	upx
behavioral2/memory/1688-150-0x00007FF6F7C90000-0x00007FF6F7FE1000-memory.dmp	upx
behavioral2/memory/4516-156-0x00007FF7456D0000-0x00007FF745A21000-memory.dmp	upx
behavioral2/memory/4540-213-0x00007FF6DD3B0000-0x00007FF6DD701000-memory.dmp	upx
behavioral2/memory/2012-215-0x00007FF6784A0000-0x00007FF6787F1000-memory.dmp	upx
behavioral2/memory/332-217-0x00007FF6B53B0000-0x00007FF6B5701000-memory.dmp	upx
behavioral2/memory/4788-220-0x00007FF6DFED0000-0x00007FF6E0221000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\CyWHxpJ.exe	2024-11-11_e3ed426e7ad495fdb649578d3e50e500_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FDAQDjY.exe	2024-11-11_e3ed426e7ad495fdb649578d3e50e500_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OmJEauh.exe	2024-11-11_e3ed426e7ad495fdb649578d3e50e500_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ASIwUCX.exe	2024-11-11_e3ed426e7ad495fdb649578d3e50e500_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iCnhaID.exe	2024-11-11_e3ed426e7ad495fdb649578d3e50e500_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\USYrBwi.exe	2024-11-11_e3ed426e7ad495fdb649578d3e50e500_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XwJmnlP.exe	2024-11-11_e3ed426e7ad495fdb649578d3e50e500_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GKghiUz.exe	2024-11-11_e3ed426e7ad495fdb649578d3e50e500_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kYKjekA.exe	2024-11-11_e3ed426e7ad495fdb649578d3e50e500_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AXnTooB.exe	2024-11-11_e3ed426e7ad495fdb649578d3e50e500_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\piMokec.exe	2024-11-11_e3ed426e7ad495fdb649578d3e50e500_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HrmonyK.exe	2024-11-11_e3ed426e7ad495fdb649578d3e50e500_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OyPZeni.exe	2024-11-11_e3ed426e7ad495fdb649578d3e50e500_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xvGsNxN.exe	2024-11-11_e3ed426e7ad495fdb649578d3e50e500_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lOwgbAG.exe	2024-11-11_e3ed426e7ad495fdb649578d3e50e500_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ebdINIh.exe	2024-11-11_e3ed426e7ad495fdb649578d3e50e500_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pYhomQc.exe	2024-11-11_e3ed426e7ad495fdb649578d3e50e500_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cWGTIPf.exe	2024-11-11_e3ed426e7ad495fdb649578d3e50e500_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kgafWDY.exe	2024-11-11_e3ed426e7ad495fdb649578d3e50e500_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FmQtsho.exe	2024-11-11_e3ed426e7ad495fdb649578d3e50e500_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\psFzTeY.exe	2024-11-11_e3ed426e7ad495fdb649578d3e50e500_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4516	2024-11-11_e3ed426e7ad495fdb649578d3e50e500_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4516	2024-11-11_e3ed426e7ad495fdb649578d3e50e500_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4516 wrote to memory of 4540	4516	2024-11-11_e3ed426e7ad495fdb649578d3e50e500_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4516 wrote to memory of 4540	4516	2024-11-11_e3ed426e7ad495fdb649578d3e50e500_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4516 wrote to memory of 2012	4516	2024-11-11_e3ed426e7ad495fdb649578d3e50e500_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4516 wrote to memory of 2012	4516	2024-11-11_e3ed426e7ad495fdb649578d3e50e500_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4516 wrote to memory of 332	4516	2024-11-11_e3ed426e7ad495fdb649578d3e50e500_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4516 wrote to memory of 332	4516	2024-11-11_e3ed426e7ad495fdb649578d3e50e500_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4516 wrote to memory of 4788	4516	2024-11-11_e3ed426e7ad495fdb649578d3e50e500_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4516 wrote to memory of 4788	4516	2024-11-11_e3ed426e7ad495fdb649578d3e50e500_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4516 wrote to memory of 4840	4516	2024-11-11_e3ed426e7ad495fdb649578d3e50e500_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4516 wrote to memory of 4840	4516	2024-11-11_e3ed426e7ad495fdb649578d3e50e500_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4516 wrote to memory of 1188	4516	2024-11-11_e3ed426e7ad495fdb649578d3e50e500_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4516 wrote to memory of 1188	4516	2024-11-11_e3ed426e7ad495fdb649578d3e50e500_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4516 wrote to memory of 4992	4516	2024-11-11_e3ed426e7ad495fdb649578d3e50e500_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4516 wrote to memory of 4992	4516	2024-11-11_e3ed426e7ad495fdb649578d3e50e500_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4516 wrote to memory of 2680	4516	2024-11-11_e3ed426e7ad495fdb649578d3e50e500_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4516 wrote to memory of 2680	4516	2024-11-11_e3ed426e7ad495fdb649578d3e50e500_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4516 wrote to memory of 2100	4516	2024-11-11_e3ed426e7ad495fdb649578d3e50e500_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4516 wrote to memory of 2100	4516	2024-11-11_e3ed426e7ad495fdb649578d3e50e500_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4516 wrote to memory of 3960	4516	2024-11-11_e3ed426e7ad495fdb649578d3e50e500_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4516 wrote to memory of 3960	4516	2024-11-11_e3ed426e7ad495fdb649578d3e50e500_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4516 wrote to memory of 1744	4516	2024-11-11_e3ed426e7ad495fdb649578d3e50e500_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4516 wrote to memory of 1744	4516	2024-11-11_e3ed426e7ad495fdb649578d3e50e500_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4516 wrote to memory of 2128	4516	2024-11-11_e3ed426e7ad495fdb649578d3e50e500_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4516 wrote to memory of 2128	4516	2024-11-11_e3ed426e7ad495fdb649578d3e50e500_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4516 wrote to memory of 4312	4516	2024-11-11_e3ed426e7ad495fdb649578d3e50e500_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4516 wrote to memory of 4312	4516	2024-11-11_e3ed426e7ad495fdb649578d3e50e500_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4516 wrote to memory of 2968	4516	2024-11-11_e3ed426e7ad495fdb649578d3e50e500_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4516 wrote to memory of 2968	4516	2024-11-11_e3ed426e7ad495fdb649578d3e50e500_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4516 wrote to memory of 2624	4516	2024-11-11_e3ed426e7ad495fdb649578d3e50e500_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4516 wrote to memory of 2624	4516	2024-11-11_e3ed426e7ad495fdb649578d3e50e500_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4516 wrote to memory of 3336	4516	2024-11-11_e3ed426e7ad495fdb649578d3e50e500_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4516 wrote to memory of 3336	4516	2024-11-11_e3ed426e7ad495fdb649578d3e50e500_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4516 wrote to memory of 1688	4516	2024-11-11_e3ed426e7ad495fdb649578d3e50e500_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4516 wrote to memory of 1688	4516	2024-11-11_e3ed426e7ad495fdb649578d3e50e500_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4516 wrote to memory of 5032	4516	2024-11-11_e3ed426e7ad495fdb649578d3e50e500_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4516 wrote to memory of 5032	4516	2024-11-11_e3ed426e7ad495fdb649578d3e50e500_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4516 wrote to memory of 3364	4516	2024-11-11_e3ed426e7ad495fdb649578d3e50e500_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4516 wrote to memory of 3364	4516	2024-11-11_e3ed426e7ad495fdb649578d3e50e500_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4516 wrote to memory of 4620	4516	2024-11-11_e3ed426e7ad495fdb649578d3e50e500_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 4516 wrote to memory of 4620	4516	2024-11-11_e3ed426e7ad495fdb649578d3e50e500_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 4516 wrote to memory of 4588	4516	2024-11-11_e3ed426e7ad495fdb649578d3e50e500_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 4516 wrote to memory of 4588	4516	2024-11-11_e3ed426e7ad495fdb649578d3e50e500_cobalt-strike_cobaltstrike_poet-rat.exe	106

C:\Users\Admin\AppData\Local\Temp\2024-11-11_e3ed426e7ad495fdb649578d3e50e500_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-11_e3ed426e7ad495fdb649578d3e50e500_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4516
- C:\Windows\System\AXnTooB.exe
  C:\Windows\System\AXnTooB.exe
  2⤵
  - Executes dropped EXE
  PID:4540
- C:\Windows\System\pYhomQc.exe
  C:\Windows\System\pYhomQc.exe
  2⤵
  - Executes dropped EXE
  PID:2012
- C:\Windows\System\XwJmnlP.exe
  C:\Windows\System\XwJmnlP.exe
  2⤵
  - Executes dropped EXE
  PID:332
- C:\Windows\System\piMokec.exe
  C:\Windows\System\piMokec.exe
  2⤵
  - Executes dropped EXE
  PID:4788
- C:\Windows\System\CyWHxpJ.exe
  C:\Windows\System\CyWHxpJ.exe
  2⤵
  - Executes dropped EXE
  PID:4840
- C:\Windows\System\HrmonyK.exe
  C:\Windows\System\HrmonyK.exe
  2⤵
  - Executes dropped EXE
  PID:1188
- C:\Windows\System\OyPZeni.exe
  C:\Windows\System\OyPZeni.exe
  2⤵
  - Executes dropped EXE
  PID:4992
- C:\Windows\System\FDAQDjY.exe
  C:\Windows\System\FDAQDjY.exe
  2⤵
  - Executes dropped EXE
  PID:2680
- C:\Windows\System\GKghiUz.exe
  C:\Windows\System\GKghiUz.exe
  2⤵
  - Executes dropped EXE
  PID:2100
- C:\Windows\System\psFzTeY.exe
  C:\Windows\System\psFzTeY.exe
  2⤵
  - Executes dropped EXE
  PID:3960
- C:\Windows\System\OmJEauh.exe
  C:\Windows\System\OmJEauh.exe
  2⤵
  - Executes dropped EXE
  PID:1744
- C:\Windows\System\kYKjekA.exe
  C:\Windows\System\kYKjekA.exe
  2⤵
  - Executes dropped EXE
  PID:2128
- C:\Windows\System\ASIwUCX.exe
  C:\Windows\System\ASIwUCX.exe
  2⤵
  - Executes dropped EXE
  PID:4312
- C:\Windows\System\cWGTIPf.exe
  C:\Windows\System\cWGTIPf.exe
  2⤵
  - Executes dropped EXE
  PID:2968
- C:\Windows\System\kgafWDY.exe
  C:\Windows\System\kgafWDY.exe
  2⤵
  - Executes dropped EXE
  PID:2624
- C:\Windows\System\FmQtsho.exe
  C:\Windows\System\FmQtsho.exe
  2⤵
  - Executes dropped EXE
  PID:3336
- C:\Windows\System\iCnhaID.exe
  C:\Windows\System\iCnhaID.exe
  2⤵
  - Executes dropped EXE
  PID:1688
- C:\Windows\System\xvGsNxN.exe
  C:\Windows\System\xvGsNxN.exe
  2⤵
  - Executes dropped EXE
  PID:5032
- C:\Windows\System\USYrBwi.exe
  C:\Windows\System\USYrBwi.exe
  2⤵
  - Executes dropped EXE
  PID:3364
- C:\Windows\System\lOwgbAG.exe
  C:\Windows\System\lOwgbAG.exe
  2⤵
  - Executes dropped EXE
  PID:4620
- C:\Windows\System\ebdINIh.exe
  C:\Windows\System\ebdINIh.exe
  2⤵
  - Executes dropped EXE
  PID:4588

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\ASIwUCX.exe

Filesize
5.2MB

MD5
d1dce0d85072c0d43023cb8574d5cfd0

SHA1
cd84a3a378fd419fa909c6f3b1c85cc5f4895db6

SHA256
bcf713b0844f4d784f80c2fd2e2bc36570007d8364f61f12bf5e8d8a7bf25824

SHA512
bb1e40235d7a081911876793615cb90c0ec1c0baef074ad9f04913a6896ea672f6a65e3ed92b356ebdb167b888b1acf0c886c790af1f7ecc7aa9c976fcd71bab

Download Submit
C:\Windows\System\AXnTooB.exe

Filesize
5.2MB

MD5
c22d585db1576fe6794bce2774da6b24

SHA1
1de55509556aece4b7899aa5bda0ce420f069bb8

SHA256
8f9c44ec1b9d03ea3b998d5530be1d40e949ca9287533c7d6a7854fc106e1ad4

SHA512
e4c8143cd7e64a10ee39cc5bdd2c3a9ec655cc94b5c8433a4fc1e12a40d546d84dcd82818f728780092e8b48b7c9180460d4132a1cd3f0da6673ca999dd3e217

Download Submit
C:\Windows\System\CyWHxpJ.exe

Filesize
5.2MB

MD5
722f5d17c686e0addc9bde0ca878c27d

SHA1
60f8148e4e7ac60a23659b95ecd24ff03e415f4c

SHA256
23024404724713a4fdfdd4e4c27cccc809bf60f60476537980eb3dcaf29b2588

SHA512
0f10ba0a3d76dc6d482fbb0ef3c5f88af2ca7a441ff9f763eadeca297ee240f53dff63d0e7fcabddfecc128df3f88002fc2143f4ca6298daeba5a765a6bb8ef5

Download Submit
C:\Windows\System\FDAQDjY.exe

Filesize
5.2MB

MD5
f62f00c53c24bcc2d70c4cd5aec6d148

SHA1
8c717271bfeb9d3a7925cda6a1a644b1b9bd72e4

SHA256
b437eed6c1bbe6ffc282e6865395a789f4c57b7efe04b6a1516416593ad327de

SHA512
fc28c79ad7f0f9a95dda9ba1f86c83191ebaa344212ec8757a4f1c675b544f6faa35b55b2254b169acdfdd3514791aa52c16d8c4a47f642bab4595680cc98ee3

Download Submit
C:\Windows\System\FmQtsho.exe

Filesize
5.2MB

MD5
d427b554b0b9d2acc52c08904195df26

SHA1
dab43ca675425c9edf23236c0774cf8f31a810ea

SHA256
d96e40fd17aa9417f07b677dd19eac1039f5496c573644504bc3ca510e55fbb1

SHA512
73adcb801631bb0b5a832e4c9029be314bd3167e8c9c3c4b2dea3ac94840a72dbb243b8e0bb3aa2eef012df8e98337c2cff38b929587280be5389ee64cc986b1

Download Submit
C:\Windows\System\GKghiUz.exe

Filesize
5.2MB

MD5
c99a661074bcbf9149bf6f6801dd2fe5

SHA1
f63a2ef3857e8427a003e476f3ed9b40be0b76d2

SHA256
57a963988b9c8b1ebf9b751373bbdc1bdf1fb09a03673121600408dbb0b0aa7f

SHA512
ad029a2918da7ab5163b5e25964ede6b201bf82cc14acb7fb0e8603807e2b54a46195d928e957ab99deb5fa19a938f85f0d5b192d5f478c76d89c89e89c1e98f

Download Submit
C:\Windows\System\HrmonyK.exe

Filesize
5.2MB

MD5
2b869b6b2859fa2a66cac6bd1ec8f079

SHA1
2ce71d0e9289973833548ca329f2816cd09b5d7e

SHA256
7ff8a6083576e678f9c903c45d253a0a3605b0b38c68545969e5520da18e0877

SHA512
7f599117b2a2f790047920dc3f2064a0611598cc1ca17a692adcb24148712f19011673932d7116e382abfbb99649be45a356fb3aac9a0551de0fc715e60afee6

Download Submit
C:\Windows\System\OmJEauh.exe

Filesize
5.2MB

MD5
a6ff06e26f46d2971fda693f1ed1cd43

SHA1
0de24981b4ab6a436438e9322b07a323879bcf2b

SHA256
ba24d3ba7029985d125aa2612da863fb6ed5d22ec6c5312f7bf258123d03db1b

SHA512
8fdb3f37eccda19b4c5f271579ae85369bfe4a6688e7ee3304f2d4be1ec2199f604759b8f41c18a3802f49bc73080343cf7d4b687957d12e2f8e3f3f9dd1a329

Download Submit
C:\Windows\System\OyPZeni.exe

Filesize
5.2MB

MD5
de52d970b309ae0526c2fdb57f5b901e

SHA1
5760188ea7193e7f7f6519f3e303e82222e006aa

SHA256
2f07c31379c0464732b9551e18485f8f46b2f420784e466ea283770d5d2eb63c

SHA512
b42bbd0d0f4355dbde49fc0e53f315d8f6de71089159b9800e413216bc7747f0f4bc9c7d6af019f25d291fbf42dcf40bb278214d9d3adc156452c059b3feccce

Download Submit
C:\Windows\System\USYrBwi.exe

Filesize
5.2MB

MD5
1e0b5eba752b8bc3108cf91d946d47a8

SHA1
6ff626b885515902db433aded94299683f03f64c

SHA256
84d0644c722fb15c1d1d95f710aad19fc109987d06ab68a780d5b4bc3bf01846

SHA512
ac51657b78c2dd887996f555da6a74868fdc25f93c5fcb1329fe4b54132e21a926f46beaaa48e22f4e46db00228ef6af8dc35addfe4d2b45a49b8d55493ff124

Download Submit
C:\Windows\System\XwJmnlP.exe

Filesize
5.2MB

MD5
5143f834321c161fbafa265f76473335

SHA1
fcaa2e4ba86615d10c4dea7afaaf63058d95f10e

SHA256
6161ee7351433b6e5179293d719939129b0cd5abe3648f33ad4fa9eb32c3695b

SHA512
a30fdfcd43edd933abefa77d051a16431783762da2865022e372863bda7d20446c738917de9433ed6416ad4db81487f37702a18ee607120cb9d62a035ad5be83

Download Submit
C:\Windows\System\cWGTIPf.exe

Filesize
5.2MB

MD5
792f40974c245ba22c3ef993feba8a05

SHA1
7c3dcb2173603b29dcaf1039b8d7d8461950af38

SHA256
38e1eefadd0c95b0ed8522b539580c6dbc14319cc722c31d7b27c6f421c0809d

SHA512
f7e341c270532a0626d4962e9ea73964f48d8376f12bd62f309a2a2f9b710cbf1dcc933e407ca186099c97f772e797c2a41d7c580fd5ce5d20984539a760d899

Download Submit
C:\Windows\System\ebdINIh.exe

Filesize
5.2MB

MD5
aa85184b19e28b95dc14e43b0a1f8341

SHA1
bd3b2fa5a9730d0e8411ec1479bbcd942de27df1

SHA256
87f51c791ce3fa358278bef5fe57b1463de58d60483f631a3bb0e6f7eabf72d9

SHA512
ff9ceecaddddb326a6244a81f4d9d4d031db5c380f9fa6ab05b76c7a5992ba2dd09a0ee59b71c968732a908d219e259975c93a4b67e363e029475f9018814915

Download Submit
C:\Windows\System\iCnhaID.exe

Filesize
5.2MB

MD5
58cf9d7103a07b687104ced82e6b5a86

SHA1
60d62675664af8260c0b74b7fd16dd02f98109c3

SHA256
a9d1ec5719cf68d50e094aedc22e1cb8293e0c9aeda468ad0e4d3711b2913788

SHA512
375e0034ccfa7617ab48433b17160d6402405936aa5c9cc23d8c389fa79a3f40eb29e48670c70be7bc143fbd86e560ecf82f9768876e345c82fb5ba33a2c41f5

Download Submit
C:\Windows\System\kYKjekA.exe

Filesize
5.2MB

MD5
38958e4a29efa90ae82903fa57cf24b2

SHA1
dfe2edca15bda69437ad0f6b949ba1d8b9e63cb6

SHA256
92fc87886637dc4ece2e4719b7976cab6340c162c93ebd69a81cd8dce347d3c4

SHA512
ff33d044ec6f512a41af102ff28323d09bd8a8c3a3cca00c9dbd8c944d6399b84122a7392c97884d01db81c6b9fa639a65185b99b5e5356f153f520aa3701e72

Download Submit
C:\Windows\System\kgafWDY.exe

Filesize
5.2MB

MD5
35b8aeec2410bcc28bf9bca4ccd55394

SHA1
e2f6ba5d63f5001aadd5cfa31070716fa0f9196c

SHA256
acf24631b77c80e587f8adc41353599a3d8a15ff59be76b523c7272bbbef5287

SHA512
86f379a87117b1b1d83e9bd0c845ac670074743f8e595e255dfe0b1bdb09dc181292ae44b16921f5a68e236b3018dd783f4963546b567604e094b87dee34809f

Download Submit
C:\Windows\System\lOwgbAG.exe

Filesize
5.2MB

MD5
df74be8cbaeb1e73bbc85d6eb774c10c

SHA1
d313f04b5214c92626be8f7853b3aa4baab54e0c

SHA256
4138e1436d5328d209492c667c6bd9f0673acff5659d5cc501426c13417caecc

SHA512
26b3d5fe13aec5070365afa6e26912b5cf681f9326e12ef69c38408612759c9d5452310a76e2c2a2288850f279a622500981f0e1f9c49c7d9c8e5c0a4f0341ee

Download Submit
C:\Windows\System\pYhomQc.exe

Filesize
5.2MB

MD5
b42d7bb2386ff9fd0b36db56a3da308f

SHA1
809c9fee64d56e3095c1341299f017a5b062261c

SHA256
f6caa6578972b3f2cd85922007d95237cca47b13bfc07f5f5b3496aa51ce1cd4

SHA512
95a838be857f7addf74f2135a23528f0c3946fd415c647a530d452e90a05412418250a5373f708f7553d8b20f7dec15aff0139d0458ecd92b94c1fa7b4a309dc

Download Submit
C:\Windows\System\piMokec.exe

Filesize
5.2MB

MD5
15c2533125fe158cfaea3a80f8ce0d64

SHA1
1854fa5366c0bf304cfdb1b305731e67cfa53390

SHA256
247b94223d156aac6220a53e998adef5dcbd78aa29edfaa2c8f3cf4389d01933

SHA512
d4aa31e067f21b8aeaeb327a6a31bf2d543cecf510aaf93809a5b262762832ad984a335d8bf083423223bccf7575bf138cfa1c48410c70f1d7370892a2a61af8

Download Submit
C:\Windows\System\psFzTeY.exe

Filesize
5.2MB

MD5
0ec4d93ee4f34aa02dd323264a2cd54b

SHA1
ddb5595d0ec0d34c0bce332752a3d3dd2c8ffa99

SHA256
c7e0d9176dc3a2e2d5b8a1a94ab552475df75af22d84385bb3479144dc0195e9

SHA512
d0734baa4f5d0dc5420c6d7532147b81e702da3bc7a88ecf0adcbba27986527df3089e8191bec0fb433d414f23505a50cebf8329a89a2bccb12597678c25ceb5

Download Submit
C:\Windows\System\xvGsNxN.exe

Filesize
5.2MB

MD5
cef0ceb39a4eac2e27079df5fcea4373

SHA1
ce946e16d1085049a310db4992c36ac58bdaa024

SHA256
c474462bb24ab018970165f3a12efff8eb3c65ccdcbd5197558122473c308a65

SHA512
3b1a60a714f5a2e7bac7a4ec05554a927627c7fe8661007482c74f96912f054978cf1d99204a2ed2a92cc52d17bfb87cb8e8a8fa2627ecf9cd32deeff3fd4816

Download Submit
memory/332-29-0x00007FF6B53B0000-0x00007FF6B5701000-memory.dmp

Filesize
3.3MB

Download
memory/332-217-0x00007FF6B53B0000-0x00007FF6B5701000-memory.dmp

Filesize
3.3MB

Download
memory/1188-43-0x00007FF70FFD0000-0x00007FF710321000-memory.dmp

Filesize
3.3MB

Download
memory/1188-221-0x00007FF70FFD0000-0x00007FF710321000-memory.dmp

Filesize
3.3MB

Download
memory/1688-109-0x00007FF6F7C90000-0x00007FF6F7FE1000-memory.dmp

Filesize
3.3MB

Download
memory/1688-253-0x00007FF6F7C90000-0x00007FF6F7FE1000-memory.dmp

Filesize
3.3MB

Download
memory/1688-150-0x00007FF6F7C90000-0x00007FF6F7FE1000-memory.dmp

Filesize
3.3MB

Download
memory/1744-144-0x00007FF6A1800000-0x00007FF6A1B51000-memory.dmp

Filesize
3.3MB

Download
memory/1744-68-0x00007FF6A1800000-0x00007FF6A1B51000-memory.dmp

Filesize
3.3MB

Download
memory/1744-243-0x00007FF6A1800000-0x00007FF6A1B51000-memory.dmp

Filesize
3.3MB

Download
memory/2012-15-0x00007FF6784A0000-0x00007FF6787F1000-memory.dmp

Filesize
3.3MB

Download
memory/2012-88-0x00007FF6784A0000-0x00007FF6787F1000-memory.dmp

Filesize
3.3MB

Download
memory/2012-215-0x00007FF6784A0000-0x00007FF6787F1000-memory.dmp

Filesize
3.3MB

Download
memory/2100-231-0x00007FF7E7E30000-0x00007FF7E8181000-memory.dmp

Filesize
3.3MB

Download
memory/2100-142-0x00007FF7E7E30000-0x00007FF7E8181000-memory.dmp

Filesize
3.3MB

Download
memory/2100-57-0x00007FF7E7E30000-0x00007FF7E8181000-memory.dmp

Filesize
3.3MB

Download
memory/2128-82-0x00007FF7252C0000-0x00007FF725611000-memory.dmp

Filesize
3.3MB

Download
memory/2128-145-0x00007FF7252C0000-0x00007FF725611000-memory.dmp

Filesize
3.3MB

Download
memory/2128-247-0x00007FF7252C0000-0x00007FF725611000-memory.dmp

Filesize
3.3MB

Download
memory/2624-97-0x00007FF63A860000-0x00007FF63ABB1000-memory.dmp

Filesize
3.3MB

Download
memory/2624-155-0x00007FF63A860000-0x00007FF63ABB1000-memory.dmp

Filesize
3.3MB

Download
memory/2624-251-0x00007FF63A860000-0x00007FF63ABB1000-memory.dmp

Filesize
3.3MB

Download
memory/2680-140-0x00007FF61FC30000-0x00007FF61FF81000-memory.dmp

Filesize
3.3MB

Download
memory/2680-44-0x00007FF61FC30000-0x00007FF61FF81000-memory.dmp

Filesize
3.3MB

Download
memory/2680-227-0x00007FF61FC30000-0x00007FF61FF81000-memory.dmp

Filesize
3.3MB

Download
memory/2968-110-0x00007FF6BAF50000-0x00007FF6BB2A1000-memory.dmp

Filesize
3.3MB

Download
memory/2968-249-0x00007FF6BAF50000-0x00007FF6BB2A1000-memory.dmp

Filesize
3.3MB

Download
memory/3336-255-0x00007FF6C0CD0000-0x00007FF6C1021000-memory.dmp

Filesize
3.3MB

Download
memory/3336-120-0x00007FF6C0CD0000-0x00007FF6C1021000-memory.dmp

Filesize
3.3MB

Download
memory/3364-261-0x00007FF6D1A70000-0x00007FF6D1DC1000-memory.dmp

Filesize
3.3MB

Download
memory/3364-121-0x00007FF6D1A70000-0x00007FF6D1DC1000-memory.dmp

Filesize
3.3MB

Download
memory/3364-152-0x00007FF6D1A70000-0x00007FF6D1DC1000-memory.dmp

Filesize
3.3MB

Download
memory/3960-58-0x00007FF741FB0000-0x00007FF742301000-memory.dmp

Filesize
3.3MB

Download
memory/3960-143-0x00007FF741FB0000-0x00007FF742301000-memory.dmp

Filesize
3.3MB

Download
memory/3960-229-0x00007FF741FB0000-0x00007FF742301000-memory.dmp

Filesize
3.3MB

Download
memory/4312-245-0x00007FF7ACF80000-0x00007FF7AD2D1000-memory.dmp

Filesize
3.3MB

Download
memory/4312-91-0x00007FF7ACF80000-0x00007FF7AD2D1000-memory.dmp

Filesize
3.3MB

Download
memory/4516-1-0x000002C506760000-0x000002C506770000-memory.dmp

Filesize
64KB

Download
memory/4516-74-0x00007FF7456D0000-0x00007FF745A21000-memory.dmp

Filesize
3.3MB

Download
memory/4516-132-0x00007FF7456D0000-0x00007FF745A21000-memory.dmp

Filesize
3.3MB

Download
memory/4516-0-0x00007FF7456D0000-0x00007FF745A21000-memory.dmp

Filesize
3.3MB

Download
memory/4516-156-0x00007FF7456D0000-0x00007FF745A21000-memory.dmp

Filesize
3.3MB

Download
memory/4540-213-0x00007FF6DD3B0000-0x00007FF6DD701000-memory.dmp

Filesize
3.3MB

Download
memory/4540-6-0x00007FF6DD3B0000-0x00007FF6DD701000-memory.dmp

Filesize
3.3MB

Download
memory/4540-87-0x00007FF6DD3B0000-0x00007FF6DD701000-memory.dmp

Filesize
3.3MB

Download
memory/4588-154-0x00007FF7F7700000-0x00007FF7F7A51000-memory.dmp

Filesize
3.3MB

Download
memory/4588-259-0x00007FF7F7700000-0x00007FF7F7A51000-memory.dmp

Filesize
3.3MB

Download
memory/4588-124-0x00007FF7F7700000-0x00007FF7F7A51000-memory.dmp

Filesize
3.3MB

Download
memory/4620-153-0x00007FF642830000-0x00007FF642B81000-memory.dmp

Filesize
3.3MB

Download
memory/4620-264-0x00007FF642830000-0x00007FF642B81000-memory.dmp

Filesize
3.3MB

Download
memory/4620-122-0x00007FF642830000-0x00007FF642B81000-memory.dmp

Filesize
3.3MB

Download
memory/4788-39-0x00007FF6DFED0000-0x00007FF6E0221000-memory.dmp

Filesize
3.3MB

Download
memory/4788-220-0x00007FF6DFED0000-0x00007FF6E0221000-memory.dmp

Filesize
3.3MB

Download
memory/4840-34-0x00007FF6491F0000-0x00007FF649541000-memory.dmp

Filesize
3.3MB

Download
memory/4840-119-0x00007FF6491F0000-0x00007FF649541000-memory.dmp

Filesize
3.3MB

Download
memory/4840-223-0x00007FF6491F0000-0x00007FF649541000-memory.dmp

Filesize
3.3MB

Download
memory/4992-226-0x00007FF6DB6C0000-0x00007FF6DBA11000-memory.dmp

Filesize
3.3MB

Download
memory/4992-54-0x00007FF6DB6C0000-0x00007FF6DBA11000-memory.dmp

Filesize
3.3MB

Download
memory/5032-123-0x00007FF74A5B0000-0x00007FF74A901000-memory.dmp

Filesize
3.3MB

Download
memory/5032-151-0x00007FF74A5B0000-0x00007FF74A901000-memory.dmp

Filesize
3.3MB

Download
memory/5032-257-0x00007FF74A5B0000-0x00007FF74A901000-memory.dmp

Filesize
3.3MB

Download