cobaltstrike | 72e70c19dea387120774d5a513544a63b2e9a338238d58182645f8781b9b7071

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-11-2024 00:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-16_3c91bad4f2f3ec57a667e19a407ce506_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

3c91bad4f2f3ec57a667e19a407ce506
SHA1

219d6690610cf5640825ba487635e53fcedd9a6e
SHA256

72e70c19dea387120774d5a513544a63b2e9a338238d58182645f8781b9b7071
SHA512

5ea6f98ff6254db293833d05379661b1d82cf8cc2b0289478ea107526b0d363ad49e1e186d06378406bcf5d6a038b43c82c17f842c0d0976927a05f107e888bc
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lY:RWWBibf56utgpPFotBER/mQ32lUk

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0008000000023cbb-5.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbf-12.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc0-11.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc2-29.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc1-26.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc3-35.dat	cobalt_reflective_dll
behavioral2/files/0x000800000001e560-41.dat	cobalt_reflective_dll
behavioral2/files/0x0002000000022a9d-46.dat	cobalt_reflective_dll
behavioral2/files/0x0002000000022a9f-53.dat	cobalt_reflective_dll
behavioral2/files/0x000f000000023b72-60.dat	cobalt_reflective_dll
behavioral2/files/0x000d000000023b73-66.dat	cobalt_reflective_dll
behavioral2/files/0x000d000000023b75-72.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc4-82.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc5-87.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc6-96.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc7-111.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ccb-130.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cca-133.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ccc-142.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc9-119.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc8-115.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 46 IoCs

miner

resource	yara_rule
behavioral2/memory/184-14-0x00007FF7E18E0000-0x00007FF7E1C31000-memory.dmp	xmrig
behavioral2/memory/3468-44-0x00007FF6038E0000-0x00007FF603C31000-memory.dmp	xmrig
behavioral2/memory/1544-55-0x00007FF777640000-0x00007FF777991000-memory.dmp	xmrig
behavioral2/memory/4764-56-0x00007FF6404B0000-0x00007FF640801000-memory.dmp	xmrig
behavioral2/memory/3084-57-0x00007FF7B2180000-0x00007FF7B24D1000-memory.dmp	xmrig
behavioral2/memory/5080-61-0x00007FF7EA190000-0x00007FF7EA4E1000-memory.dmp	xmrig
behavioral2/memory/3116-80-0x00007FF69D5D0000-0x00007FF69D921000-memory.dmp	xmrig
behavioral2/memory/4404-88-0x00007FF7CE270000-0x00007FF7CE5C1000-memory.dmp	xmrig
behavioral2/memory/3484-73-0x00007FF7319F0000-0x00007FF731D41000-memory.dmp	xmrig
behavioral2/memory/2916-140-0x00007FF6AAAB0000-0x00007FF6AAE01000-memory.dmp	xmrig
behavioral2/memory/384-132-0x00007FF7D3CD0000-0x00007FF7D4021000-memory.dmp	xmrig
behavioral2/memory/2016-125-0x00007FF7B5E40000-0x00007FF7B6191000-memory.dmp	xmrig
behavioral2/memory/3468-114-0x00007FF6038E0000-0x00007FF603C31000-memory.dmp	xmrig
behavioral2/memory/1680-107-0x00007FF6A5180000-0x00007FF6A54D1000-memory.dmp	xmrig
behavioral2/memory/2336-149-0x00007FF65E9B0000-0x00007FF65ED01000-memory.dmp	xmrig
behavioral2/memory/3988-150-0x00007FF6A3C70000-0x00007FF6A3FC1000-memory.dmp	xmrig
behavioral2/memory/4468-153-0x00007FF605BA0000-0x00007FF605EF1000-memory.dmp	xmrig
behavioral2/memory/1860-152-0x00007FF6AB9E0000-0x00007FF6ABD31000-memory.dmp	xmrig
behavioral2/memory/4572-151-0x00007FF7D7500000-0x00007FF7D7851000-memory.dmp	xmrig
behavioral2/memory/4764-154-0x00007FF6404B0000-0x00007FF640801000-memory.dmp	xmrig
behavioral2/memory/1696-163-0x00007FF694140000-0x00007FF694491000-memory.dmp	xmrig
behavioral2/memory/1632-161-0x00007FF6EAA20000-0x00007FF6EAD71000-memory.dmp	xmrig
behavioral2/memory/3392-164-0x00007FF690500000-0x00007FF690851000-memory.dmp	xmrig
behavioral2/memory/5084-165-0x00007FF731870000-0x00007FF731BC1000-memory.dmp	xmrig
behavioral2/memory/4764-176-0x00007FF6404B0000-0x00007FF640801000-memory.dmp	xmrig
behavioral2/memory/5080-202-0x00007FF7EA190000-0x00007FF7EA4E1000-memory.dmp	xmrig
behavioral2/memory/184-208-0x00007FF7E18E0000-0x00007FF7E1C31000-memory.dmp	xmrig
behavioral2/memory/3484-210-0x00007FF7319F0000-0x00007FF731D41000-memory.dmp	xmrig
behavioral2/memory/3116-213-0x00007FF69D5D0000-0x00007FF69D921000-memory.dmp	xmrig
behavioral2/memory/4404-214-0x00007FF7CE270000-0x00007FF7CE5C1000-memory.dmp	xmrig
behavioral2/memory/1680-222-0x00007FF6A5180000-0x00007FF6A54D1000-memory.dmp	xmrig
behavioral2/memory/3468-226-0x00007FF6038E0000-0x00007FF603C31000-memory.dmp	xmrig
behavioral2/memory/1544-233-0x00007FF777640000-0x00007FF777991000-memory.dmp	xmrig
behavioral2/memory/3084-235-0x00007FF7B2180000-0x00007FF7B24D1000-memory.dmp	xmrig
behavioral2/memory/2916-237-0x00007FF6AAAB0000-0x00007FF6AAE01000-memory.dmp	xmrig
behavioral2/memory/2336-239-0x00007FF65E9B0000-0x00007FF65ED01000-memory.dmp	xmrig
behavioral2/memory/3988-243-0x00007FF6A3C70000-0x00007FF6A3FC1000-memory.dmp	xmrig
behavioral2/memory/384-245-0x00007FF7D3CD0000-0x00007FF7D4021000-memory.dmp	xmrig
behavioral2/memory/4572-247-0x00007FF7D7500000-0x00007FF7D7851000-memory.dmp	xmrig
behavioral2/memory/1860-249-0x00007FF6AB9E0000-0x00007FF6ABD31000-memory.dmp	xmrig
behavioral2/memory/1632-257-0x00007FF6EAA20000-0x00007FF6EAD71000-memory.dmp	xmrig
behavioral2/memory/2016-259-0x00007FF7B5E40000-0x00007FF7B6191000-memory.dmp	xmrig
behavioral2/memory/4468-261-0x00007FF605BA0000-0x00007FF605EF1000-memory.dmp	xmrig
behavioral2/memory/1696-264-0x00007FF694140000-0x00007FF694491000-memory.dmp	xmrig
behavioral2/memory/3392-265-0x00007FF690500000-0x00007FF690851000-memory.dmp	xmrig
behavioral2/memory/5084-267-0x00007FF731870000-0x00007FF731BC1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
5080	WtMQweQ.exe
184	zVuoMKF.exe
3484	icaBbMi.exe
3116	BLxJgml.exe
4404	tvpmhmv.exe
1680	VqluxxR.exe
3468	GULjNdn.exe
1544	RWiGwtp.exe
3084	uKTHnDM.exe
384	iHfkwTZ.exe
2916	dhlcZsy.exe
2336	pJNXvGS.exe
3988	SkErAGV.exe
4572	lOwTDWC.exe
1860	RkSuOqE.exe
1632	LkfwncV.exe
4468	hcYztjC.exe
2016	PCOvDuG.exe
1696	qRHPZEN.exe
3392	WTyZASd.exe
5084	WGYlzIm.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4764-0-0x00007FF6404B0000-0x00007FF640801000-memory.dmp	upx
behavioral2/files/0x0008000000023cbb-5.dat	upx
behavioral2/memory/5080-6-0x00007FF7EA190000-0x00007FF7EA4E1000-memory.dmp	upx
behavioral2/files/0x0007000000023cbf-12.dat	upx
behavioral2/files/0x0007000000023cc0-11.dat	upx
behavioral2/memory/184-14-0x00007FF7E18E0000-0x00007FF7E1C31000-memory.dmp	upx
behavioral2/memory/3484-18-0x00007FF7319F0000-0x00007FF731D41000-memory.dmp	upx
behavioral2/memory/3116-24-0x00007FF69D5D0000-0x00007FF69D921000-memory.dmp	upx
behavioral2/files/0x0007000000023cc2-29.dat	upx
behavioral2/memory/4404-30-0x00007FF7CE270000-0x00007FF7CE5C1000-memory.dmp	upx
behavioral2/files/0x0007000000023cc1-26.dat	upx
behavioral2/files/0x0007000000023cc3-35.dat	upx
behavioral2/memory/1680-38-0x00007FF6A5180000-0x00007FF6A54D1000-memory.dmp	upx
behavioral2/files/0x000800000001e560-41.dat	upx
behavioral2/files/0x0002000000022a9d-46.dat	upx
behavioral2/memory/3468-44-0x00007FF6038E0000-0x00007FF603C31000-memory.dmp	upx
behavioral2/files/0x0002000000022a9f-53.dat	upx
behavioral2/memory/1544-55-0x00007FF777640000-0x00007FF777991000-memory.dmp	upx
behavioral2/memory/4764-56-0x00007FF6404B0000-0x00007FF640801000-memory.dmp	upx
behavioral2/memory/3084-57-0x00007FF7B2180000-0x00007FF7B24D1000-memory.dmp	upx
behavioral2/files/0x000f000000023b72-60.dat	upx
behavioral2/files/0x000d000000023b73-66.dat	upx
behavioral2/memory/2916-67-0x00007FF6AAAB0000-0x00007FF6AAE01000-memory.dmp	upx
behavioral2/memory/384-62-0x00007FF7D3CD0000-0x00007FF7D4021000-memory.dmp	upx
behavioral2/memory/5080-61-0x00007FF7EA190000-0x00007FF7EA4E1000-memory.dmp	upx
behavioral2/files/0x000d000000023b75-72.dat	upx
behavioral2/memory/3116-80-0x00007FF69D5D0000-0x00007FF69D921000-memory.dmp	upx
behavioral2/files/0x0007000000023cc4-82.dat	upx
behavioral2/files/0x0007000000023cc5-87.dat	upx
behavioral2/files/0x0007000000023cc6-96.dat	upx
behavioral2/memory/1860-95-0x00007FF6AB9E0000-0x00007FF6ABD31000-memory.dmp	upx
behavioral2/memory/4572-89-0x00007FF7D7500000-0x00007FF7D7851000-memory.dmp	upx
behavioral2/memory/4404-88-0x00007FF7CE270000-0x00007FF7CE5C1000-memory.dmp	upx
behavioral2/memory/3988-81-0x00007FF6A3C70000-0x00007FF6A3FC1000-memory.dmp	upx
behavioral2/memory/2336-74-0x00007FF65E9B0000-0x00007FF65ED01000-memory.dmp	upx
behavioral2/memory/3484-73-0x00007FF7319F0000-0x00007FF731D41000-memory.dmp	upx
behavioral2/files/0x0007000000023cc7-111.dat	upx
behavioral2/memory/4468-120-0x00007FF605BA0000-0x00007FF605EF1000-memory.dmp	upx
behavioral2/files/0x0007000000023ccb-130.dat	upx
behavioral2/files/0x0007000000023cca-133.dat	upx
behavioral2/memory/2916-140-0x00007FF6AAAB0000-0x00007FF6AAE01000-memory.dmp	upx
behavioral2/files/0x0007000000023ccc-142.dat	upx
behavioral2/memory/5084-141-0x00007FF731870000-0x00007FF731BC1000-memory.dmp	upx
behavioral2/memory/3392-134-0x00007FF690500000-0x00007FF690851000-memory.dmp	upx
behavioral2/memory/384-132-0x00007FF7D3CD0000-0x00007FF7D4021000-memory.dmp	upx
behavioral2/memory/1696-131-0x00007FF694140000-0x00007FF694491000-memory.dmp	upx
behavioral2/memory/2016-125-0x00007FF7B5E40000-0x00007FF7B6191000-memory.dmp	upx
behavioral2/files/0x0007000000023cc9-119.dat	upx
behavioral2/memory/1632-118-0x00007FF6EAA20000-0x00007FF6EAD71000-memory.dmp	upx
behavioral2/memory/3468-114-0x00007FF6038E0000-0x00007FF603C31000-memory.dmp	upx
behavioral2/files/0x0007000000023cc8-115.dat	upx
behavioral2/memory/1680-107-0x00007FF6A5180000-0x00007FF6A54D1000-memory.dmp	upx
behavioral2/memory/2336-149-0x00007FF65E9B0000-0x00007FF65ED01000-memory.dmp	upx
behavioral2/memory/3988-150-0x00007FF6A3C70000-0x00007FF6A3FC1000-memory.dmp	upx
behavioral2/memory/4468-153-0x00007FF605BA0000-0x00007FF605EF1000-memory.dmp	upx
behavioral2/memory/1860-152-0x00007FF6AB9E0000-0x00007FF6ABD31000-memory.dmp	upx
behavioral2/memory/4572-151-0x00007FF7D7500000-0x00007FF7D7851000-memory.dmp	upx
behavioral2/memory/4764-154-0x00007FF6404B0000-0x00007FF640801000-memory.dmp	upx
behavioral2/memory/1696-163-0x00007FF694140000-0x00007FF694491000-memory.dmp	upx
behavioral2/memory/1632-161-0x00007FF6EAA20000-0x00007FF6EAD71000-memory.dmp	upx
behavioral2/memory/3392-164-0x00007FF690500000-0x00007FF690851000-memory.dmp	upx
behavioral2/memory/5084-165-0x00007FF731870000-0x00007FF731BC1000-memory.dmp	upx
behavioral2/memory/4764-176-0x00007FF6404B0000-0x00007FF640801000-memory.dmp	upx
behavioral2/memory/5080-202-0x00007FF7EA190000-0x00007FF7EA4E1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\zVuoMKF.exe	2024-11-16_3c91bad4f2f3ec57a667e19a407ce506_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\icaBbMi.exe	2024-11-16_3c91bad4f2f3ec57a667e19a407ce506_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GULjNdn.exe	2024-11-16_3c91bad4f2f3ec57a667e19a407ce506_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uKTHnDM.exe	2024-11-16_3c91bad4f2f3ec57a667e19a407ce506_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iHfkwTZ.exe	2024-11-16_3c91bad4f2f3ec57a667e19a407ce506_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SkErAGV.exe	2024-11-16_3c91bad4f2f3ec57a667e19a407ce506_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RWiGwtp.exe	2024-11-16_3c91bad4f2f3ec57a667e19a407ce506_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pJNXvGS.exe	2024-11-16_3c91bad4f2f3ec57a667e19a407ce506_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lOwTDWC.exe	2024-11-16_3c91bad4f2f3ec57a667e19a407ce506_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hcYztjC.exe	2024-11-16_3c91bad4f2f3ec57a667e19a407ce506_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WtMQweQ.exe	2024-11-16_3c91bad4f2f3ec57a667e19a407ce506_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BLxJgml.exe	2024-11-16_3c91bad4f2f3ec57a667e19a407ce506_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tvpmhmv.exe	2024-11-16_3c91bad4f2f3ec57a667e19a407ce506_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qRHPZEN.exe	2024-11-16_3c91bad4f2f3ec57a667e19a407ce506_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WGYlzIm.exe	2024-11-16_3c91bad4f2f3ec57a667e19a407ce506_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VqluxxR.exe	2024-11-16_3c91bad4f2f3ec57a667e19a407ce506_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dhlcZsy.exe	2024-11-16_3c91bad4f2f3ec57a667e19a407ce506_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RkSuOqE.exe	2024-11-16_3c91bad4f2f3ec57a667e19a407ce506_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LkfwncV.exe	2024-11-16_3c91bad4f2f3ec57a667e19a407ce506_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PCOvDuG.exe	2024-11-16_3c91bad4f2f3ec57a667e19a407ce506_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WTyZASd.exe	2024-11-16_3c91bad4f2f3ec57a667e19a407ce506_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4764	2024-11-16_3c91bad4f2f3ec57a667e19a407ce506_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4764	2024-11-16_3c91bad4f2f3ec57a667e19a407ce506_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4764 wrote to memory of 5080	4764	2024-11-16_3c91bad4f2f3ec57a667e19a407ce506_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4764 wrote to memory of 5080	4764	2024-11-16_3c91bad4f2f3ec57a667e19a407ce506_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4764 wrote to memory of 184	4764	2024-11-16_3c91bad4f2f3ec57a667e19a407ce506_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4764 wrote to memory of 184	4764	2024-11-16_3c91bad4f2f3ec57a667e19a407ce506_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4764 wrote to memory of 3484	4764	2024-11-16_3c91bad4f2f3ec57a667e19a407ce506_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4764 wrote to memory of 3484	4764	2024-11-16_3c91bad4f2f3ec57a667e19a407ce506_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4764 wrote to memory of 3116	4764	2024-11-16_3c91bad4f2f3ec57a667e19a407ce506_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4764 wrote to memory of 3116	4764	2024-11-16_3c91bad4f2f3ec57a667e19a407ce506_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4764 wrote to memory of 4404	4764	2024-11-16_3c91bad4f2f3ec57a667e19a407ce506_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4764 wrote to memory of 4404	4764	2024-11-16_3c91bad4f2f3ec57a667e19a407ce506_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4764 wrote to memory of 1680	4764	2024-11-16_3c91bad4f2f3ec57a667e19a407ce506_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4764 wrote to memory of 1680	4764	2024-11-16_3c91bad4f2f3ec57a667e19a407ce506_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4764 wrote to memory of 3468	4764	2024-11-16_3c91bad4f2f3ec57a667e19a407ce506_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4764 wrote to memory of 3468	4764	2024-11-16_3c91bad4f2f3ec57a667e19a407ce506_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4764 wrote to memory of 1544	4764	2024-11-16_3c91bad4f2f3ec57a667e19a407ce506_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4764 wrote to memory of 1544	4764	2024-11-16_3c91bad4f2f3ec57a667e19a407ce506_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4764 wrote to memory of 3084	4764	2024-11-16_3c91bad4f2f3ec57a667e19a407ce506_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4764 wrote to memory of 3084	4764	2024-11-16_3c91bad4f2f3ec57a667e19a407ce506_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4764 wrote to memory of 384	4764	2024-11-16_3c91bad4f2f3ec57a667e19a407ce506_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4764 wrote to memory of 384	4764	2024-11-16_3c91bad4f2f3ec57a667e19a407ce506_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4764 wrote to memory of 2916	4764	2024-11-16_3c91bad4f2f3ec57a667e19a407ce506_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4764 wrote to memory of 2916	4764	2024-11-16_3c91bad4f2f3ec57a667e19a407ce506_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4764 wrote to memory of 2336	4764	2024-11-16_3c91bad4f2f3ec57a667e19a407ce506_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4764 wrote to memory of 2336	4764	2024-11-16_3c91bad4f2f3ec57a667e19a407ce506_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4764 wrote to memory of 3988	4764	2024-11-16_3c91bad4f2f3ec57a667e19a407ce506_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4764 wrote to memory of 3988	4764	2024-11-16_3c91bad4f2f3ec57a667e19a407ce506_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4764 wrote to memory of 4572	4764	2024-11-16_3c91bad4f2f3ec57a667e19a407ce506_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4764 wrote to memory of 4572	4764	2024-11-16_3c91bad4f2f3ec57a667e19a407ce506_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4764 wrote to memory of 1860	4764	2024-11-16_3c91bad4f2f3ec57a667e19a407ce506_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4764 wrote to memory of 1860	4764	2024-11-16_3c91bad4f2f3ec57a667e19a407ce506_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4764 wrote to memory of 4468	4764	2024-11-16_3c91bad4f2f3ec57a667e19a407ce506_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4764 wrote to memory of 4468	4764	2024-11-16_3c91bad4f2f3ec57a667e19a407ce506_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4764 wrote to memory of 1632	4764	2024-11-16_3c91bad4f2f3ec57a667e19a407ce506_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 4764 wrote to memory of 1632	4764	2024-11-16_3c91bad4f2f3ec57a667e19a407ce506_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 4764 wrote to memory of 2016	4764	2024-11-16_3c91bad4f2f3ec57a667e19a407ce506_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 4764 wrote to memory of 2016	4764	2024-11-16_3c91bad4f2f3ec57a667e19a407ce506_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 4764 wrote to memory of 1696	4764	2024-11-16_3c91bad4f2f3ec57a667e19a407ce506_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 4764 wrote to memory of 1696	4764	2024-11-16_3c91bad4f2f3ec57a667e19a407ce506_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 4764 wrote to memory of 3392	4764	2024-11-16_3c91bad4f2f3ec57a667e19a407ce506_cobalt-strike_cobaltstrike_poet-rat.exe	108
PID 4764 wrote to memory of 3392	4764	2024-11-16_3c91bad4f2f3ec57a667e19a407ce506_cobalt-strike_cobaltstrike_poet-rat.exe	108
PID 4764 wrote to memory of 5084	4764	2024-11-16_3c91bad4f2f3ec57a667e19a407ce506_cobalt-strike_cobaltstrike_poet-rat.exe	109
PID 4764 wrote to memory of 5084	4764	2024-11-16_3c91bad4f2f3ec57a667e19a407ce506_cobalt-strike_cobaltstrike_poet-rat.exe	109

C:\Users\Admin\AppData\Local\Temp\2024-11-16_3c91bad4f2f3ec57a667e19a407ce506_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-16_3c91bad4f2f3ec57a667e19a407ce506_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4764
- C:\Windows\System\WtMQweQ.exe
  C:\Windows\System\WtMQweQ.exe
  2⤵
  - Executes dropped EXE
  PID:5080
- C:\Windows\System\zVuoMKF.exe
  C:\Windows\System\zVuoMKF.exe
  2⤵
  - Executes dropped EXE
  PID:184
- C:\Windows\System\icaBbMi.exe
  C:\Windows\System\icaBbMi.exe
  2⤵
  - Executes dropped EXE
  PID:3484
- C:\Windows\System\BLxJgml.exe
  C:\Windows\System\BLxJgml.exe
  2⤵
  - Executes dropped EXE
  PID:3116
- C:\Windows\System\tvpmhmv.exe
  C:\Windows\System\tvpmhmv.exe
  2⤵
  - Executes dropped EXE
  PID:4404
- C:\Windows\System\VqluxxR.exe
  C:\Windows\System\VqluxxR.exe
  2⤵
  - Executes dropped EXE
  PID:1680
- C:\Windows\System\GULjNdn.exe
  C:\Windows\System\GULjNdn.exe
  2⤵
  - Executes dropped EXE
  PID:3468
- C:\Windows\System\RWiGwtp.exe
  C:\Windows\System\RWiGwtp.exe
  2⤵
  - Executes dropped EXE
  PID:1544
- C:\Windows\System\uKTHnDM.exe
  C:\Windows\System\uKTHnDM.exe
  2⤵
  - Executes dropped EXE
  PID:3084
- C:\Windows\System\iHfkwTZ.exe
  C:\Windows\System\iHfkwTZ.exe
  2⤵
  - Executes dropped EXE
  PID:384
- C:\Windows\System\dhlcZsy.exe
  C:\Windows\System\dhlcZsy.exe
  2⤵
  - Executes dropped EXE
  PID:2916
- C:\Windows\System\pJNXvGS.exe
  C:\Windows\System\pJNXvGS.exe
  2⤵
  - Executes dropped EXE
  PID:2336
- C:\Windows\System\SkErAGV.exe
  C:\Windows\System\SkErAGV.exe
  2⤵
  - Executes dropped EXE
  PID:3988
- C:\Windows\System\lOwTDWC.exe
  C:\Windows\System\lOwTDWC.exe
  2⤵
  - Executes dropped EXE
  PID:4572
- C:\Windows\System\RkSuOqE.exe
  C:\Windows\System\RkSuOqE.exe
  2⤵
  - Executes dropped EXE
  PID:1860
- C:\Windows\System\hcYztjC.exe
  C:\Windows\System\hcYztjC.exe
  2⤵
  - Executes dropped EXE
  PID:4468
- C:\Windows\System\LkfwncV.exe
  C:\Windows\System\LkfwncV.exe
  2⤵
  - Executes dropped EXE
  PID:1632
- C:\Windows\System\PCOvDuG.exe
  C:\Windows\System\PCOvDuG.exe
  2⤵
  - Executes dropped EXE
  PID:2016
- C:\Windows\System\qRHPZEN.exe
  C:\Windows\System\qRHPZEN.exe
  2⤵
  - Executes dropped EXE
  PID:1696
- C:\Windows\System\WTyZASd.exe
  C:\Windows\System\WTyZASd.exe
  2⤵
  - Executes dropped EXE
  PID:3392
- C:\Windows\System\WGYlzIm.exe
  C:\Windows\System\WGYlzIm.exe
  2⤵
  - Executes dropped EXE
  PID:5084

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BLxJgml.exe

Filesize
5.2MB

MD5
9736b39569f18f81548890458ec7871e

SHA1
0cc05b2be8a8313ce8b5d1d836a5dc6051bd794e

SHA256
cb48246981b165e81b2c551b18a3ea5383ffe025089a3ffe53f0c1edfdb5cce5

SHA512
03d44c0ea947ffc467791da68ff35da2b44775f1327b8dd985b70c0249b2689ff559cec73799f0ab33b48b898dbccc2ac091a0f29e5eb57e34ceb3fbc4219c0a

Download Submit
C:\Windows\System\GULjNdn.exe

Filesize
5.2MB

MD5
eb09d4a8aef46f854b264fde9244c376

SHA1
642296a635a7f1674674b30151722176c8efb332

SHA256
149f41a4d4ccadf1bca79e80e7c1591ca60c251a2e656cf46b21097dcfba87f4

SHA512
c30b35383cddd92be80668ca0e1fee767675835fb9e8592d39dc52b21fe501790605906b7e533b8bfbd7414c6569b135dbec5976bea9a46f57d0f24cec44d7e8

Download Submit
C:\Windows\System\LkfwncV.exe

Filesize
5.2MB

MD5
325538a70d7eb3e1dbafeaa2e4d78451

SHA1
31044fd9dff93ee5d1f9219c8c7eb954227abf11

SHA256
60c73126e1bc4a5ff1ae588caabc202b83493b6f9c5e62091007ff65cce2840a

SHA512
d7fee3fbc106cd445ec60f99028aeac22f472a3207c486393c3e1c7f686b17ffaa7cdd394b1e703716eb1663fd7d7316a61ac9b5193e30986bbdca6ecc7aaadc

Download Submit
C:\Windows\System\PCOvDuG.exe

Filesize
5.2MB

MD5
e3639149a1e06460b6aded87a98d623c

SHA1
875b87507deaf1fa40a754943bbf492bae1b6511

SHA256
ebfa181f47e13ab569c8f3a9f38b96769628109cc4547f47330bf1c55e5f5334

SHA512
187dfb1acf4c9aa4a07684ece07e57dc346cf8e830b266376bca31d80e7a7df7eea081a9a1200c50057a86afe4f292ac9d24fd8bf8744d5c7b9e03edd9a614c8

Download Submit
C:\Windows\System\RWiGwtp.exe

Filesize
5.2MB

MD5
a9fc2a6626dd13246b43241810a122f5

SHA1
e91a75b71185e1d6852eaa53c61646a0206b9cc8

SHA256
cf8e5e69203d6855a03572db74475bac0c004d2c00121cf3d82f471809979ca7

SHA512
c10ece9aced5dca02b5231e885f6015eceb3399d80d2931273de17ac6c08a747c2f3edde7936ec64fc5b6e038a07d31be888541fc33be75825de34a143587c55

Download Submit
C:\Windows\System\RkSuOqE.exe

Filesize
5.2MB

MD5
062d2361908381dee219d5fb1b0ac557

SHA1
9e00c058e62aa4f03d0da6772ffc7beae65bc029

SHA256
4d0ae55bb66877f5ecde97c26db018f2dd18f242b1f3d349f840b97446f5152c

SHA512
ceb0cd7b02be2ee6f316272d9e2043baf2360f756822e8cde9ca91af23dc3c64aad92a59e18ec91bda814860423b22fe841f17fce69bda0aa68555f6438be72b

Download Submit
C:\Windows\System\SkErAGV.exe

Filesize
5.2MB

MD5
d961160652b14025a62c00922e1edcf1

SHA1
b13965e7f4b07720ce035dbc4d19892e335fb4e4

SHA256
0bdb0f5501a18ca82b6ca4cf1198fded1f69c0c619dd09cb1a59248a30946796

SHA512
9e259c1165744f24c0ee637c33453a63172163b5ad59146c2f45b6afb2909502e6086511a3a72c8a52429cf74085deb7b2a192a371209225556897035fa3fa77

Download Submit
C:\Windows\System\VqluxxR.exe

Filesize
5.2MB

MD5
937cb0aeb4a5489ef1125decf149ada1

SHA1
cca6f516ecb6f68215b9a9eda1b615807573c71a

SHA256
1a60632e19b835a8403c700371e50cd9f1bb81f8f1aed4e1c3f9be434215d6ea

SHA512
04d3c62afa5046eee6032ce62d84144ff8e0ccac4899f0759e6d61272d30685e5730a9c0c00d6978f6fa2ee3b2e15d31e833b26b91bb93faa72e52c60e0edf5a

Download Submit
C:\Windows\System\WGYlzIm.exe

Filesize
5.2MB

MD5
53d89e8c9013b6b015eedb614552c503

SHA1
2bee92bfe19a5474071943a124423c71de925abe

SHA256
c500eb3a089dc9d4f3ddd4a39f797d3dfcf9fac7a9d0eef1223d08d12d2cc581

SHA512
b8e0c74bef60ce000753de099d78ef5573c9ccffa95796101168578aa91792a07ff1a0a8f66fd12cd853fd98ad286dcd880d77bbbbb01dce13fe2354557344a3

Download Submit
C:\Windows\System\WTyZASd.exe

Filesize
5.2MB

MD5
7bcc5561c0f1da8ba3731845ff26a636

SHA1
7a84d8f51b6acdf9f144c7373592953ce11b2549

SHA256
3f79f00235b8b070b7622e74fc2868e8679c1b6f39ee1f51fd1f1d65076bc109

SHA512
d524a329eb88938d93837f28ef211e6a02106a84217500a47630debdd732147f66ce32ddcb3b9f0b6d55f458ba51462b43201146dbac53a6936a692f189ae471

Download Submit
C:\Windows\System\WtMQweQ.exe

Filesize
5.2MB

MD5
409ab874a913fd881104852bf54620ec

SHA1
cb0cfaee1e8812ad00fe9bb0510e913f40af617b

SHA256
ba88faeab90a3f9ec205060ecac80d1f788a522be87ba7240880ff66d2407a56

SHA512
5f5b2b0e607b670fec0fa44e789f1686aa6bc99d49a17d3bfe4a9a4d7087a2052631a135e6ad8f0027bb5089601df4c077a256607c9098312892ad1db4ec34a1

Download Submit
C:\Windows\System\dhlcZsy.exe

Filesize
5.2MB

MD5
708ad31f63e714c250ce5f23625ffd2b

SHA1
935d20ff078d67a3e202dee733e84eee624485c7

SHA256
d7bbd5e282eb658ace0d0151982b092099ba5cbb1490f861dac87e96343eb40a

SHA512
5deb72243716d0e5cd42c3f18edcedfab77e16f62c60e0ff37f704826a7a22d4312abca01837f5f59250236f776eb5290e892967ff8255511199f1c852fc7440

Download Submit
C:\Windows\System\hcYztjC.exe

Filesize
5.2MB

MD5
cbe0ab06f57171bc83bbb04b30d9d523

SHA1
67e075e6fe42f9ca7c6bb1ccc94a51f784e12b78

SHA256
e1932873b4e9a27248a2a712233b9eea5ad7aad38f7afbef229ad0054c3d6d85

SHA512
943e151bd9808ef3d762fbb76a414b4fabe55b1df0df421aa78c128a3ce0e335b18e203de5f1ef96fa95b5c1b765c887d6747e73413d5c9b8fa15791ad3fdaba

Download Submit
C:\Windows\System\iHfkwTZ.exe

Filesize
5.2MB

MD5
a309110847b904e3b89b99dddfeec016

SHA1
87f074038198b11374ff17d91bed8253454aa377

SHA256
76baafc05bb11b68dc92db880661db036d1d2ed71e73f1dbe8eb8b6ea5f9f6c6

SHA512
5478a9103bc83c04711e78563decd4769d7ac0b865a17f4a7c72048d6bb76f1fb1a6266b5571b325cae21c429fff0fd42e5400697b341db206a28d5261706c2c

Download Submit
C:\Windows\System\icaBbMi.exe

Filesize
5.2MB

MD5
02aa176da00e88522f1e7bde58508158

SHA1
6b6276545347041d457d28edb7e463d8350171f6

SHA256
ffc8b17d9d3a147e78b7b13b24bc735dc18f10b0b36b47434b3320d0126d8724

SHA512
71c7eae8e28b5bf64816712ee6c528ba80bcc8da15ed7e840436b658f2c6e1c3757bbc9d44b6f8dddcd2e7594395efe62e67f422771072ac08c0e29a7c009368

Download Submit
C:\Windows\System\lOwTDWC.exe

Filesize
5.2MB

MD5
ce61d9724d27e3d149c72e6bd2817d6e

SHA1
d5fbb8b0c53563b1c8bcb0bd09e3e389e05c8a53

SHA256
c31789b01018520762a949c2284fe6a935c24f907994f7b5154d5d329e4ebe0b

SHA512
a4670cab28494c8476d9006ced045dcd3bc3a7285dda8da1dd1701cdf385a096caa32499da41a2f2fc1b6a7603427b93534db9451fc5c3243d21f6d4a51c3a1f

Download Submit
C:\Windows\System\pJNXvGS.exe

Filesize
5.2MB

MD5
099b1775f83aa26d7206dcf82b37e39f

SHA1
ad7b76897a55d44ff605f329c1f3a297f85fd73f

SHA256
b69db66a37195777cae690c69f3846d6179ce849432fabd95bcb326cd0343e35

SHA512
e8353b3e9da956aefd2478c4ae4b0c7ba93068f2a2d592593ed3900f1f5d42451438c996be620851badb72833d1327b21329ad75189910213d99346a1feb13a3

Download Submit
C:\Windows\System\qRHPZEN.exe

Filesize
5.2MB

MD5
59ba6f077e582e6da8e0ca3a76ba0109

SHA1
defbaadc5e381c2445c4c0d54b5caabc1bc6387d

SHA256
cc21f77076d7ab924991f3ebbd5d0f81a44f55563c76d43ddf95f69cd75fead7

SHA512
6cc475247002326d30f1d5e020dfea65ddf03ce3993e0d8622019962de407b2ccbc70879630b367f37342c3b611505103a5649acce0ac03119e5d2e002360721

Download Submit
C:\Windows\System\tvpmhmv.exe

Filesize
5.2MB

MD5
d4ad648cc8df196ad3ce2dd7b434bb44

SHA1
9e317b04b3520890aeb47274ebe3217028bafdb2

SHA256
754cb9209a9b6b0478b3d50318828b200198764e7b494abd1dac614682f60825

SHA512
dd4a312d70040b96d1fd0249a452aa157ed960ca611ce23abe9fafa56986521ce14d4c7a068b93f654b85cd91eeb4b33e5ecbc06b6e70e6ba21ac9355fd4a215

Download Submit
C:\Windows\System\uKTHnDM.exe

Filesize
5.2MB

MD5
a637c862ca5aa5b557436b40788eaf42

SHA1
9138d7f863b8146696cbad00e794ecb083d5ad57

SHA256
256e94c6f0d5bc7c7bca728bd1255b7ec2ccae209ae27f8d8c1b8d260c81d4a3

SHA512
7182ee3d555cdcfb4de61af19b45bab40eca4c1260755574de63f32ac6d1b30e38597e3b0bef0a00d11ccfb849631ceaa1a591de17a3db6a027e78fccddf5909

Download Submit
C:\Windows\System\zVuoMKF.exe

Filesize
5.2MB

MD5
7d0576dbcff44d03288b2aad4fa4a3ab

SHA1
7336d8cda1d6b0d90618bc0d37759a07fda0d592

SHA256
d1c47d7999de67f13d5d6557e50824afe737e8f17f04b809145f218a1cdbb4a0

SHA512
815bda24ec5ecfb2c05cf67ce0b310c718bc88bbe0b2eb54718eed7686fed8e8e247c37485f265d728a4aa96ee533a6512c7d4f1e9d6bde42161549613a3987b

Download Submit
memory/184-208-0x00007FF7E18E0000-0x00007FF7E1C31000-memory.dmp

Filesize
3.3MB

Download
memory/184-14-0x00007FF7E18E0000-0x00007FF7E1C31000-memory.dmp

Filesize
3.3MB

Download
memory/384-62-0x00007FF7D3CD0000-0x00007FF7D4021000-memory.dmp

Filesize
3.3MB

Download
memory/384-132-0x00007FF7D3CD0000-0x00007FF7D4021000-memory.dmp

Filesize
3.3MB

Download
memory/384-245-0x00007FF7D3CD0000-0x00007FF7D4021000-memory.dmp

Filesize
3.3MB

Download
memory/1544-233-0x00007FF777640000-0x00007FF777991000-memory.dmp

Filesize
3.3MB

Download
memory/1544-55-0x00007FF777640000-0x00007FF777991000-memory.dmp

Filesize
3.3MB

Download
memory/1632-257-0x00007FF6EAA20000-0x00007FF6EAD71000-memory.dmp

Filesize
3.3MB

Download
memory/1632-161-0x00007FF6EAA20000-0x00007FF6EAD71000-memory.dmp

Filesize
3.3MB

Download
memory/1632-118-0x00007FF6EAA20000-0x00007FF6EAD71000-memory.dmp

Filesize
3.3MB

Download
memory/1680-107-0x00007FF6A5180000-0x00007FF6A54D1000-memory.dmp

Filesize
3.3MB

Download
memory/1680-38-0x00007FF6A5180000-0x00007FF6A54D1000-memory.dmp

Filesize
3.3MB

Download
memory/1680-222-0x00007FF6A5180000-0x00007FF6A54D1000-memory.dmp

Filesize
3.3MB

Download
memory/1696-131-0x00007FF694140000-0x00007FF694491000-memory.dmp

Filesize
3.3MB

Download
memory/1696-264-0x00007FF694140000-0x00007FF694491000-memory.dmp

Filesize
3.3MB

Download
memory/1696-163-0x00007FF694140000-0x00007FF694491000-memory.dmp

Filesize
3.3MB

Download
memory/1860-152-0x00007FF6AB9E0000-0x00007FF6ABD31000-memory.dmp

Filesize
3.3MB

Download
memory/1860-249-0x00007FF6AB9E0000-0x00007FF6ABD31000-memory.dmp

Filesize
3.3MB

Download
memory/1860-95-0x00007FF6AB9E0000-0x00007FF6ABD31000-memory.dmp

Filesize
3.3MB

Download
memory/2016-125-0x00007FF7B5E40000-0x00007FF7B6191000-memory.dmp

Filesize
3.3MB

Download
memory/2016-259-0x00007FF7B5E40000-0x00007FF7B6191000-memory.dmp

Filesize
3.3MB

Download
memory/2336-149-0x00007FF65E9B0000-0x00007FF65ED01000-memory.dmp

Filesize
3.3MB

Download
memory/2336-239-0x00007FF65E9B0000-0x00007FF65ED01000-memory.dmp

Filesize
3.3MB

Download
memory/2336-74-0x00007FF65E9B0000-0x00007FF65ED01000-memory.dmp

Filesize
3.3MB

Download
memory/2916-140-0x00007FF6AAAB0000-0x00007FF6AAE01000-memory.dmp

Filesize
3.3MB

Download
memory/2916-67-0x00007FF6AAAB0000-0x00007FF6AAE01000-memory.dmp

Filesize
3.3MB

Download
memory/2916-237-0x00007FF6AAAB0000-0x00007FF6AAE01000-memory.dmp

Filesize
3.3MB

Download
memory/3084-235-0x00007FF7B2180000-0x00007FF7B24D1000-memory.dmp

Filesize
3.3MB

Download
memory/3084-57-0x00007FF7B2180000-0x00007FF7B24D1000-memory.dmp

Filesize
3.3MB

Download
memory/3116-24-0x00007FF69D5D0000-0x00007FF69D921000-memory.dmp

Filesize
3.3MB

Download
memory/3116-80-0x00007FF69D5D0000-0x00007FF69D921000-memory.dmp

Filesize
3.3MB

Download
memory/3116-213-0x00007FF69D5D0000-0x00007FF69D921000-memory.dmp

Filesize
3.3MB

Download
memory/3392-134-0x00007FF690500000-0x00007FF690851000-memory.dmp

Filesize
3.3MB

Download
memory/3392-164-0x00007FF690500000-0x00007FF690851000-memory.dmp

Filesize
3.3MB

Download
memory/3392-265-0x00007FF690500000-0x00007FF690851000-memory.dmp

Filesize
3.3MB

Download
memory/3468-114-0x00007FF6038E0000-0x00007FF603C31000-memory.dmp

Filesize
3.3MB

Download
memory/3468-226-0x00007FF6038E0000-0x00007FF603C31000-memory.dmp

Filesize
3.3MB

Download
memory/3468-44-0x00007FF6038E0000-0x00007FF603C31000-memory.dmp

Filesize
3.3MB

Download
memory/3484-73-0x00007FF7319F0000-0x00007FF731D41000-memory.dmp

Filesize
3.3MB

Download
memory/3484-210-0x00007FF7319F0000-0x00007FF731D41000-memory.dmp

Filesize
3.3MB

Download
memory/3484-18-0x00007FF7319F0000-0x00007FF731D41000-memory.dmp

Filesize
3.3MB

Download
memory/3988-243-0x00007FF6A3C70000-0x00007FF6A3FC1000-memory.dmp

Filesize
3.3MB

Download
memory/3988-150-0x00007FF6A3C70000-0x00007FF6A3FC1000-memory.dmp

Filesize
3.3MB

Download
memory/3988-81-0x00007FF6A3C70000-0x00007FF6A3FC1000-memory.dmp

Filesize
3.3MB

Download
memory/4404-30-0x00007FF7CE270000-0x00007FF7CE5C1000-memory.dmp

Filesize
3.3MB

Download
memory/4404-88-0x00007FF7CE270000-0x00007FF7CE5C1000-memory.dmp

Filesize
3.3MB

Download
memory/4404-214-0x00007FF7CE270000-0x00007FF7CE5C1000-memory.dmp

Filesize
3.3MB

Download
memory/4468-153-0x00007FF605BA0000-0x00007FF605EF1000-memory.dmp

Filesize
3.3MB

Download
memory/4468-120-0x00007FF605BA0000-0x00007FF605EF1000-memory.dmp

Filesize
3.3MB

Download
memory/4468-261-0x00007FF605BA0000-0x00007FF605EF1000-memory.dmp

Filesize
3.3MB

Download
memory/4572-247-0x00007FF7D7500000-0x00007FF7D7851000-memory.dmp

Filesize
3.3MB

Download
memory/4572-151-0x00007FF7D7500000-0x00007FF7D7851000-memory.dmp

Filesize
3.3MB

Download
memory/4572-89-0x00007FF7D7500000-0x00007FF7D7851000-memory.dmp

Filesize
3.3MB

Download
memory/4764-56-0x00007FF6404B0000-0x00007FF640801000-memory.dmp

Filesize
3.3MB

Download
memory/4764-154-0x00007FF6404B0000-0x00007FF640801000-memory.dmp

Filesize
3.3MB

Download
memory/4764-0-0x00007FF6404B0000-0x00007FF640801000-memory.dmp

Filesize
3.3MB

Download
memory/4764-176-0x00007FF6404B0000-0x00007FF640801000-memory.dmp

Filesize
3.3MB

Download
memory/4764-1-0x0000015833660000-0x0000015833670000-memory.dmp

Filesize
64KB

Download
memory/5080-61-0x00007FF7EA190000-0x00007FF7EA4E1000-memory.dmp

Filesize
3.3MB

Download
memory/5080-202-0x00007FF7EA190000-0x00007FF7EA4E1000-memory.dmp

Filesize
3.3MB

Download
memory/5080-6-0x00007FF7EA190000-0x00007FF7EA4E1000-memory.dmp

Filesize
3.3MB

Download
memory/5084-165-0x00007FF731870000-0x00007FF731BC1000-memory.dmp

Filesize
3.3MB

Download
memory/5084-141-0x00007FF731870000-0x00007FF731BC1000-memory.dmp

Filesize
3.3MB

Download
memory/5084-267-0x00007FF731870000-0x00007FF731BC1000-memory.dmp

Filesize
3.3MB

Download