cobaltstrike | 4e2de6091fb0b1b344fd73f3e2294c61ddaa3b014b5a8e70f6af4b4bcd68061c

Analysis

max time kernel
145s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-11-2024 01:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-16_f89d73f8cf1c3e3023eeed73d1a6f669_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

f89d73f8cf1c3e3023eeed73d1a6f669
SHA1

f7967da68bf322f089aac43fbd7bc0c733835fe2
SHA256

4e2de6091fb0b1b344fd73f3e2294c61ddaa3b014b5a8e70f6af4b4bcd68061c
SHA512

1cd2a4a483fc8055c3a0898fb38bf16587b9714ee87918815aa843741dabc80c1fb9e26538e3a7c9bd0864f45eaef4cf633fa1df62aae5b047ac20b453fb6bef
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lw:RWWBibf56utgpPFotBER/mQ32lUc

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000a000000023bdf-5.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cab-11.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cac-10.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023ca8-20.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cae-32.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb1-45.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb2-60.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb4-65.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb5-78.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbb-105.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbd-114.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbc-110.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cba-101.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb9-99.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb8-92.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb7-88.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb6-83.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb3-67.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023caf-53.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb0-49.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cad-36.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/4308-120-0x00007FF6E2600000-0x00007FF6E2951000-memory.dmp	xmrig
behavioral2/memory/3644-118-0x00007FF6A25A0000-0x00007FF6A28F1000-memory.dmp	xmrig
behavioral2/memory/752-116-0x00007FF695280000-0x00007FF6955D1000-memory.dmp	xmrig
behavioral2/memory/64-117-0x00007FF768E70000-0x00007FF7691C1000-memory.dmp	xmrig
behavioral2/memory/3500-122-0x00007FF61D470000-0x00007FF61D7C1000-memory.dmp	xmrig
behavioral2/memory/4736-126-0x00007FF6E2EE0000-0x00007FF6E3231000-memory.dmp	xmrig
behavioral2/memory/4024-128-0x00007FF723EB0000-0x00007FF724201000-memory.dmp	xmrig
behavioral2/memory/4564-130-0x00007FF622220000-0x00007FF622571000-memory.dmp	xmrig
behavioral2/memory/3060-129-0x00007FF6E4EC0000-0x00007FF6E5211000-memory.dmp	xmrig
behavioral2/memory/1984-127-0x00007FF7BA390000-0x00007FF7BA6E1000-memory.dmp	xmrig
behavioral2/memory/4720-125-0x00007FF7FE3D0000-0x00007FF7FE721000-memory.dmp	xmrig
behavioral2/memory/4464-123-0x00007FF77F390000-0x00007FF77F6E1000-memory.dmp	xmrig
behavioral2/memory/2324-124-0x00007FF620080000-0x00007FF6203D1000-memory.dmp	xmrig
behavioral2/memory/4168-121-0x00007FF776E90000-0x00007FF7771E1000-memory.dmp	xmrig
behavioral2/memory/3988-119-0x00007FF735CF0000-0x00007FF736041000-memory.dmp	xmrig
behavioral2/memory/1460-135-0x00007FF6D5960000-0x00007FF6D5CB1000-memory.dmp	xmrig
behavioral2/memory/1508-137-0x00007FF728C30000-0x00007FF728F81000-memory.dmp	xmrig
behavioral2/memory/3152-136-0x00007FF6D5FF0000-0x00007FF6D6341000-memory.dmp	xmrig
behavioral2/memory/220-134-0x00007FF6EF990000-0x00007FF6EFCE1000-memory.dmp	xmrig
behavioral2/memory/3892-133-0x00007FF725640000-0x00007FF725991000-memory.dmp	xmrig
behavioral2/memory/3404-132-0x00007FF698010000-0x00007FF698361000-memory.dmp	xmrig
behavioral2/memory/4568-131-0x00007FF6DC640000-0x00007FF6DC991000-memory.dmp	xmrig
behavioral2/memory/752-138-0x00007FF695280000-0x00007FF6955D1000-memory.dmp	xmrig
behavioral2/memory/752-139-0x00007FF695280000-0x00007FF6955D1000-memory.dmp	xmrig
behavioral2/memory/64-188-0x00007FF768E70000-0x00007FF7691C1000-memory.dmp	xmrig
behavioral2/memory/3644-190-0x00007FF6A25A0000-0x00007FF6A28F1000-memory.dmp	xmrig
behavioral2/memory/3988-199-0x00007FF735CF0000-0x00007FF736041000-memory.dmp	xmrig
behavioral2/memory/4308-201-0x00007FF6E2600000-0x00007FF6E2951000-memory.dmp	xmrig
behavioral2/memory/3500-203-0x00007FF61D470000-0x00007FF61D7C1000-memory.dmp	xmrig
behavioral2/memory/4168-205-0x00007FF776E90000-0x00007FF7771E1000-memory.dmp	xmrig
behavioral2/memory/4464-217-0x00007FF77F390000-0x00007FF77F6E1000-memory.dmp	xmrig
behavioral2/memory/2324-219-0x00007FF620080000-0x00007FF6203D1000-memory.dmp	xmrig
behavioral2/memory/4720-223-0x00007FF7FE3D0000-0x00007FF7FE721000-memory.dmp	xmrig
behavioral2/memory/4736-222-0x00007FF6E2EE0000-0x00007FF6E3231000-memory.dmp	xmrig
behavioral2/memory/1984-225-0x00007FF7BA390000-0x00007FF7BA6E1000-memory.dmp	xmrig
behavioral2/memory/4024-227-0x00007FF723EB0000-0x00007FF724201000-memory.dmp	xmrig
behavioral2/memory/3060-229-0x00007FF6E4EC0000-0x00007FF6E5211000-memory.dmp	xmrig
behavioral2/memory/220-237-0x00007FF6EF990000-0x00007FF6EFCE1000-memory.dmp	xmrig
behavioral2/memory/3152-244-0x00007FF6D5FF0000-0x00007FF6D6341000-memory.dmp	xmrig
behavioral2/memory/1508-246-0x00007FF728C30000-0x00007FF728F81000-memory.dmp	xmrig
behavioral2/memory/1460-242-0x00007FF6D5960000-0x00007FF6D5CB1000-memory.dmp	xmrig
behavioral2/memory/3892-240-0x00007FF725640000-0x00007FF725991000-memory.dmp	xmrig
behavioral2/memory/4568-234-0x00007FF6DC640000-0x00007FF6DC991000-memory.dmp	xmrig
behavioral2/memory/3404-232-0x00007FF698010000-0x00007FF698361000-memory.dmp	xmrig
behavioral2/memory/4564-236-0x00007FF622220000-0x00007FF622571000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
64	lLCYqWu.exe
3644	nPFccuL.exe
3988	AXsJqfk.exe
4308	nGVgQNU.exe
4168	RAQQfcL.exe
3500	yaKNzRc.exe
2324	QhGpomg.exe
4464	kNJEUMN.exe
4720	PIqXqbT.exe
4736	GUCahnw.exe
1984	ZgkbMeM.exe
4024	EYdyeSQ.exe
3060	zXcfWlT.exe
4564	WaxPKWX.exe
4568	bqdPZvj.exe
3404	dItVtlz.exe
3892	nsxgINP.exe
220	CWCPVgQ.exe
1460	XdckjYk.exe
3152	CGMQNrD.exe
1508	YxjoFtX.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/752-0-0x00007FF695280000-0x00007FF6955D1000-memory.dmp	upx
behavioral2/files/0x000a000000023bdf-5.dat	upx
behavioral2/files/0x0007000000023cab-11.dat	upx
behavioral2/memory/3644-12-0x00007FF6A25A0000-0x00007FF6A28F1000-memory.dmp	upx
behavioral2/files/0x0007000000023cac-10.dat	upx
behavioral2/memory/64-6-0x00007FF768E70000-0x00007FF7691C1000-memory.dmp	upx
behavioral2/files/0x0008000000023ca8-20.dat	upx
behavioral2/memory/4308-25-0x00007FF6E2600000-0x00007FF6E2951000-memory.dmp	upx
behavioral2/files/0x0007000000023cae-32.dat	upx
behavioral2/memory/3500-39-0x00007FF61D470000-0x00007FF61D7C1000-memory.dmp	upx
behavioral2/files/0x0007000000023cb1-45.dat	upx
behavioral2/files/0x0007000000023cb2-60.dat	upx
behavioral2/files/0x0007000000023cb4-65.dat	upx
behavioral2/files/0x0007000000023cb5-78.dat	upx
behavioral2/files/0x0007000000023cbb-105.dat	upx
behavioral2/files/0x0007000000023cbd-114.dat	upx
behavioral2/files/0x0007000000023cbc-110.dat	upx
behavioral2/files/0x0007000000023cba-101.dat	upx
behavioral2/files/0x0007000000023cb9-99.dat	upx
behavioral2/files/0x0007000000023cb8-92.dat	upx
behavioral2/files/0x0007000000023cb7-88.dat	upx
behavioral2/files/0x0007000000023cb6-83.dat	upx
behavioral2/memory/4720-71-0x00007FF7FE3D0000-0x00007FF7FE721000-memory.dmp	upx
behavioral2/files/0x0007000000023cb3-67.dat	upx
behavioral2/memory/4464-57-0x00007FF77F390000-0x00007FF77F6E1000-memory.dmp	upx
behavioral2/files/0x0007000000023caf-53.dat	upx
behavioral2/memory/2324-50-0x00007FF620080000-0x00007FF6203D1000-memory.dmp	upx
behavioral2/files/0x0007000000023cb0-49.dat	upx
behavioral2/files/0x0007000000023cad-36.dat	upx
behavioral2/memory/4168-31-0x00007FF776E90000-0x00007FF7771E1000-memory.dmp	upx
behavioral2/memory/3988-19-0x00007FF735CF0000-0x00007FF736041000-memory.dmp	upx
behavioral2/memory/4308-120-0x00007FF6E2600000-0x00007FF6E2951000-memory.dmp	upx
behavioral2/memory/3644-118-0x00007FF6A25A0000-0x00007FF6A28F1000-memory.dmp	upx
behavioral2/memory/752-116-0x00007FF695280000-0x00007FF6955D1000-memory.dmp	upx
behavioral2/memory/64-117-0x00007FF768E70000-0x00007FF7691C1000-memory.dmp	upx
behavioral2/memory/3500-122-0x00007FF61D470000-0x00007FF61D7C1000-memory.dmp	upx
behavioral2/memory/4736-126-0x00007FF6E2EE0000-0x00007FF6E3231000-memory.dmp	upx
behavioral2/memory/4024-128-0x00007FF723EB0000-0x00007FF724201000-memory.dmp	upx
behavioral2/memory/4564-130-0x00007FF622220000-0x00007FF622571000-memory.dmp	upx
behavioral2/memory/3060-129-0x00007FF6E4EC0000-0x00007FF6E5211000-memory.dmp	upx
behavioral2/memory/1984-127-0x00007FF7BA390000-0x00007FF7BA6E1000-memory.dmp	upx
behavioral2/memory/4720-125-0x00007FF7FE3D0000-0x00007FF7FE721000-memory.dmp	upx
behavioral2/memory/4464-123-0x00007FF77F390000-0x00007FF77F6E1000-memory.dmp	upx
behavioral2/memory/2324-124-0x00007FF620080000-0x00007FF6203D1000-memory.dmp	upx
behavioral2/memory/4168-121-0x00007FF776E90000-0x00007FF7771E1000-memory.dmp	upx
behavioral2/memory/3988-119-0x00007FF735CF0000-0x00007FF736041000-memory.dmp	upx
behavioral2/memory/1460-135-0x00007FF6D5960000-0x00007FF6D5CB1000-memory.dmp	upx
behavioral2/memory/1508-137-0x00007FF728C30000-0x00007FF728F81000-memory.dmp	upx
behavioral2/memory/3152-136-0x00007FF6D5FF0000-0x00007FF6D6341000-memory.dmp	upx
behavioral2/memory/220-134-0x00007FF6EF990000-0x00007FF6EFCE1000-memory.dmp	upx
behavioral2/memory/3892-133-0x00007FF725640000-0x00007FF725991000-memory.dmp	upx
behavioral2/memory/3404-132-0x00007FF698010000-0x00007FF698361000-memory.dmp	upx
behavioral2/memory/4568-131-0x00007FF6DC640000-0x00007FF6DC991000-memory.dmp	upx
behavioral2/memory/752-138-0x00007FF695280000-0x00007FF6955D1000-memory.dmp	upx
behavioral2/memory/752-139-0x00007FF695280000-0x00007FF6955D1000-memory.dmp	upx
behavioral2/memory/64-188-0x00007FF768E70000-0x00007FF7691C1000-memory.dmp	upx
behavioral2/memory/3644-190-0x00007FF6A25A0000-0x00007FF6A28F1000-memory.dmp	upx
behavioral2/memory/3988-199-0x00007FF735CF0000-0x00007FF736041000-memory.dmp	upx
behavioral2/memory/4308-201-0x00007FF6E2600000-0x00007FF6E2951000-memory.dmp	upx
behavioral2/memory/3500-203-0x00007FF61D470000-0x00007FF61D7C1000-memory.dmp	upx
behavioral2/memory/4168-205-0x00007FF776E90000-0x00007FF7771E1000-memory.dmp	upx
behavioral2/memory/4464-217-0x00007FF77F390000-0x00007FF77F6E1000-memory.dmp	upx
behavioral2/memory/2324-219-0x00007FF620080000-0x00007FF6203D1000-memory.dmp	upx
behavioral2/memory/4720-223-0x00007FF7FE3D0000-0x00007FF7FE721000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\AXsJqfk.exe	2024-11-16_f89d73f8cf1c3e3023eeed73d1a6f669_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PIqXqbT.exe	2024-11-16_f89d73f8cf1c3e3023eeed73d1a6f669_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZgkbMeM.exe	2024-11-16_f89d73f8cf1c3e3023eeed73d1a6f669_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CGMQNrD.exe	2024-11-16_f89d73f8cf1c3e3023eeed73d1a6f669_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lLCYqWu.exe	2024-11-16_f89d73f8cf1c3e3023eeed73d1a6f669_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yaKNzRc.exe	2024-11-16_f89d73f8cf1c3e3023eeed73d1a6f669_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dItVtlz.exe	2024-11-16_f89d73f8cf1c3e3023eeed73d1a6f669_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CWCPVgQ.exe	2024-11-16_f89d73f8cf1c3e3023eeed73d1a6f669_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nGVgQNU.exe	2024-11-16_f89d73f8cf1c3e3023eeed73d1a6f669_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RAQQfcL.exe	2024-11-16_f89d73f8cf1c3e3023eeed73d1a6f669_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EYdyeSQ.exe	2024-11-16_f89d73f8cf1c3e3023eeed73d1a6f669_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zXcfWlT.exe	2024-11-16_f89d73f8cf1c3e3023eeed73d1a6f669_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WaxPKWX.exe	2024-11-16_f89d73f8cf1c3e3023eeed73d1a6f669_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bqdPZvj.exe	2024-11-16_f89d73f8cf1c3e3023eeed73d1a6f669_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XdckjYk.exe	2024-11-16_f89d73f8cf1c3e3023eeed73d1a6f669_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YxjoFtX.exe	2024-11-16_f89d73f8cf1c3e3023eeed73d1a6f669_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nPFccuL.exe	2024-11-16_f89d73f8cf1c3e3023eeed73d1a6f669_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kNJEUMN.exe	2024-11-16_f89d73f8cf1c3e3023eeed73d1a6f669_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QhGpomg.exe	2024-11-16_f89d73f8cf1c3e3023eeed73d1a6f669_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GUCahnw.exe	2024-11-16_f89d73f8cf1c3e3023eeed73d1a6f669_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nsxgINP.exe	2024-11-16_f89d73f8cf1c3e3023eeed73d1a6f669_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	752	2024-11-16_f89d73f8cf1c3e3023eeed73d1a6f669_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	752	2024-11-16_f89d73f8cf1c3e3023eeed73d1a6f669_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 752 wrote to memory of 64	752	2024-11-16_f89d73f8cf1c3e3023eeed73d1a6f669_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 752 wrote to memory of 64	752	2024-11-16_f89d73f8cf1c3e3023eeed73d1a6f669_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 752 wrote to memory of 3644	752	2024-11-16_f89d73f8cf1c3e3023eeed73d1a6f669_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 752 wrote to memory of 3644	752	2024-11-16_f89d73f8cf1c3e3023eeed73d1a6f669_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 752 wrote to memory of 3988	752	2024-11-16_f89d73f8cf1c3e3023eeed73d1a6f669_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 752 wrote to memory of 3988	752	2024-11-16_f89d73f8cf1c3e3023eeed73d1a6f669_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 752 wrote to memory of 4308	752	2024-11-16_f89d73f8cf1c3e3023eeed73d1a6f669_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 752 wrote to memory of 4308	752	2024-11-16_f89d73f8cf1c3e3023eeed73d1a6f669_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 752 wrote to memory of 4168	752	2024-11-16_f89d73f8cf1c3e3023eeed73d1a6f669_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 752 wrote to memory of 4168	752	2024-11-16_f89d73f8cf1c3e3023eeed73d1a6f669_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 752 wrote to memory of 3500	752	2024-11-16_f89d73f8cf1c3e3023eeed73d1a6f669_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 752 wrote to memory of 3500	752	2024-11-16_f89d73f8cf1c3e3023eeed73d1a6f669_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 752 wrote to memory of 4464	752	2024-11-16_f89d73f8cf1c3e3023eeed73d1a6f669_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 752 wrote to memory of 4464	752	2024-11-16_f89d73f8cf1c3e3023eeed73d1a6f669_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 752 wrote to memory of 2324	752	2024-11-16_f89d73f8cf1c3e3023eeed73d1a6f669_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 752 wrote to memory of 2324	752	2024-11-16_f89d73f8cf1c3e3023eeed73d1a6f669_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 752 wrote to memory of 4720	752	2024-11-16_f89d73f8cf1c3e3023eeed73d1a6f669_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 752 wrote to memory of 4720	752	2024-11-16_f89d73f8cf1c3e3023eeed73d1a6f669_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 752 wrote to memory of 4736	752	2024-11-16_f89d73f8cf1c3e3023eeed73d1a6f669_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 752 wrote to memory of 4736	752	2024-11-16_f89d73f8cf1c3e3023eeed73d1a6f669_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 752 wrote to memory of 1984	752	2024-11-16_f89d73f8cf1c3e3023eeed73d1a6f669_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 752 wrote to memory of 1984	752	2024-11-16_f89d73f8cf1c3e3023eeed73d1a6f669_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 752 wrote to memory of 4024	752	2024-11-16_f89d73f8cf1c3e3023eeed73d1a6f669_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 752 wrote to memory of 4024	752	2024-11-16_f89d73f8cf1c3e3023eeed73d1a6f669_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 752 wrote to memory of 3060	752	2024-11-16_f89d73f8cf1c3e3023eeed73d1a6f669_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 752 wrote to memory of 3060	752	2024-11-16_f89d73f8cf1c3e3023eeed73d1a6f669_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 752 wrote to memory of 4564	752	2024-11-16_f89d73f8cf1c3e3023eeed73d1a6f669_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 752 wrote to memory of 4564	752	2024-11-16_f89d73f8cf1c3e3023eeed73d1a6f669_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 752 wrote to memory of 4568	752	2024-11-16_f89d73f8cf1c3e3023eeed73d1a6f669_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 752 wrote to memory of 4568	752	2024-11-16_f89d73f8cf1c3e3023eeed73d1a6f669_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 752 wrote to memory of 3404	752	2024-11-16_f89d73f8cf1c3e3023eeed73d1a6f669_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 752 wrote to memory of 3404	752	2024-11-16_f89d73f8cf1c3e3023eeed73d1a6f669_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 752 wrote to memory of 3892	752	2024-11-16_f89d73f8cf1c3e3023eeed73d1a6f669_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 752 wrote to memory of 3892	752	2024-11-16_f89d73f8cf1c3e3023eeed73d1a6f669_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 752 wrote to memory of 220	752	2024-11-16_f89d73f8cf1c3e3023eeed73d1a6f669_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 752 wrote to memory of 220	752	2024-11-16_f89d73f8cf1c3e3023eeed73d1a6f669_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 752 wrote to memory of 1460	752	2024-11-16_f89d73f8cf1c3e3023eeed73d1a6f669_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 752 wrote to memory of 1460	752	2024-11-16_f89d73f8cf1c3e3023eeed73d1a6f669_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 752 wrote to memory of 3152	752	2024-11-16_f89d73f8cf1c3e3023eeed73d1a6f669_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 752 wrote to memory of 3152	752	2024-11-16_f89d73f8cf1c3e3023eeed73d1a6f669_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 752 wrote to memory of 1508	752	2024-11-16_f89d73f8cf1c3e3023eeed73d1a6f669_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 752 wrote to memory of 1508	752	2024-11-16_f89d73f8cf1c3e3023eeed73d1a6f669_cobalt-strike_cobaltstrike_poet-rat.exe	105

C:\Users\Admin\AppData\Local\Temp\2024-11-16_f89d73f8cf1c3e3023eeed73d1a6f669_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-16_f89d73f8cf1c3e3023eeed73d1a6f669_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:752
- C:\Windows\System\lLCYqWu.exe
  C:\Windows\System\lLCYqWu.exe
  2⤵
  - Executes dropped EXE
  PID:64
- C:\Windows\System\nPFccuL.exe
  C:\Windows\System\nPFccuL.exe
  2⤵
  - Executes dropped EXE
  PID:3644
- C:\Windows\System\AXsJqfk.exe
  C:\Windows\System\AXsJqfk.exe
  2⤵
  - Executes dropped EXE
  PID:3988
- C:\Windows\System\nGVgQNU.exe
  C:\Windows\System\nGVgQNU.exe
  2⤵
  - Executes dropped EXE
  PID:4308
- C:\Windows\System\RAQQfcL.exe
  C:\Windows\System\RAQQfcL.exe
  2⤵
  - Executes dropped EXE
  PID:4168
- C:\Windows\System\yaKNzRc.exe
  C:\Windows\System\yaKNzRc.exe
  2⤵
  - Executes dropped EXE
  PID:3500
- C:\Windows\System\kNJEUMN.exe
  C:\Windows\System\kNJEUMN.exe
  2⤵
  - Executes dropped EXE
  PID:4464
- C:\Windows\System\QhGpomg.exe
  C:\Windows\System\QhGpomg.exe
  2⤵
  - Executes dropped EXE
  PID:2324
- C:\Windows\System\PIqXqbT.exe
  C:\Windows\System\PIqXqbT.exe
  2⤵
  - Executes dropped EXE
  PID:4720
- C:\Windows\System\GUCahnw.exe
  C:\Windows\System\GUCahnw.exe
  2⤵
  - Executes dropped EXE
  PID:4736
- C:\Windows\System\ZgkbMeM.exe
  C:\Windows\System\ZgkbMeM.exe
  2⤵
  - Executes dropped EXE
  PID:1984
- C:\Windows\System\EYdyeSQ.exe
  C:\Windows\System\EYdyeSQ.exe
  2⤵
  - Executes dropped EXE
  PID:4024
- C:\Windows\System\zXcfWlT.exe
  C:\Windows\System\zXcfWlT.exe
  2⤵
  - Executes dropped EXE
  PID:3060
- C:\Windows\System\WaxPKWX.exe
  C:\Windows\System\WaxPKWX.exe
  2⤵
  - Executes dropped EXE
  PID:4564
- C:\Windows\System\bqdPZvj.exe
  C:\Windows\System\bqdPZvj.exe
  2⤵
  - Executes dropped EXE
  PID:4568
- C:\Windows\System\dItVtlz.exe
  C:\Windows\System\dItVtlz.exe
  2⤵
  - Executes dropped EXE
  PID:3404
- C:\Windows\System\nsxgINP.exe
  C:\Windows\System\nsxgINP.exe
  2⤵
  - Executes dropped EXE
  PID:3892
- C:\Windows\System\CWCPVgQ.exe
  C:\Windows\System\CWCPVgQ.exe
  2⤵
  - Executes dropped EXE
  PID:220
- C:\Windows\System\XdckjYk.exe
  C:\Windows\System\XdckjYk.exe
  2⤵
  - Executes dropped EXE
  PID:1460
- C:\Windows\System\CGMQNrD.exe
  C:\Windows\System\CGMQNrD.exe
  2⤵
  - Executes dropped EXE
  PID:3152
- C:\Windows\System\YxjoFtX.exe
  C:\Windows\System\YxjoFtX.exe
  2⤵
  - Executes dropped EXE
  PID:1508

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AXsJqfk.exe

Filesize
5.2MB

MD5
bba533fe0724fd6c934cee5b47888e12

SHA1
d5aa1a888a70f5de0e65bd0b6dcf5ad5ddb37d8d

SHA256
a8580e6852e79c69be94338c3ef93fe6f5e95ff4e12e45696dca678a2af749c3

SHA512
63b6798c52a0579aa9e90b2e4a1001395d3b76696c3ae832db9e5ef64c6279a000b1a0aeb5e57ebda9e2785348b7bbd1f369f28881235f8b226bc0c5f9df7d6d

Download Submit
C:\Windows\System\CGMQNrD.exe

Filesize
5.2MB

MD5
0f34d18144d4506547dc1a4c87028f18

SHA1
bb47a72cea7b5d896fce1f6d77d4a61da2596006

SHA256
cbd1edeaa77e966985097a6029b2eb6fa64d26999153482d44bdc5de60438136

SHA512
905ea55bf5a3a546617a6c2c5ff047d9aee2dcc095dd339e9e9ce05654de5bc88cb8ef5f47a4f51317452e9e1b8f7afeaa84dae06d277901c8433686d3ceaef1

Download Submit
C:\Windows\System\CWCPVgQ.exe

Filesize
5.2MB

MD5
8127988c72e47cf0ddac4a0d73958946

SHA1
769bdc0bd0ffecd98f7f8c52f7867a10547623ad

SHA256
fd8a27d45984961b3d001bf14a8db78f6fbc3c1e48b8553b82357bb5e47cee6e

SHA512
e5c1f8e707406766e5596ba568e6800cc8f3e4c282aba460c57b49ff45cd1cdb8b36c64457eb5c9cda56e2af1ab911d72bfd598b08fe5866522fc6a56a10236c

Download Submit
C:\Windows\System\EYdyeSQ.exe

Filesize
5.2MB

MD5
009961348d575a0443031c8968b79bf7

SHA1
ab5ba3972493b9b4d555bf6365413a65f930737b

SHA256
5e654c2ece2b28fe8f6c481e23b11fc1463e765f880f19f900e387ffc5c7c4f6

SHA512
3a87777fc5f23e6b9e02dba8ec4e0091804a07bbfdd54208bdf49460ceb19e61d90e77f97d7e6b5ba9271bb0bd30787c76334123f30ee64531bb1f93c683c77c

Download Submit
C:\Windows\System\GUCahnw.exe

Filesize
5.2MB

MD5
1e5d7c01fc0a167408fb7df2bb764c10

SHA1
38e29d6b5e8d04be72457beb9dd2f4b09f9d5e9b

SHA256
8c9664e3af389e95d308b1c3d03cbfb8ef3b9c605ed287dbc362b4675a7976b6

SHA512
ce80e7dd8a1a33af42532de6e7333c85e30adb3d6e31011a8451244b140e92ed6e0f29d01ce15d84b5ed3e9afd2f7c10b25f8d4eea9ed75c80044bc22eb92d60

Download Submit
C:\Windows\System\PIqXqbT.exe

Filesize
5.2MB

MD5
da872ec851b938c18bf28e5c8ba2c72d

SHA1
24a963a125b77e5232292fc36fcae3a3e94bc926

SHA256
5ff6f3e61fbeed2332a3faba74cac8287a6ca7f33d3b46ac0afb290e8411d19d

SHA512
2421621da84014ddd061f545859d3c9735ff2cfead2fb27f6468b2a6fc173d64cfed4d94b7f2db94668ce08ce93ad84357abe6098e1242afce94bb025970461c

Download Submit
C:\Windows\System\QhGpomg.exe

Filesize
5.2MB

MD5
b7bc22b94de4cb820367355b2716c355

SHA1
97405001703d058b94f28badbd8c5dd3662f6498

SHA256
f80b9c45a0e1f4b0377e6bbf41a8cc47045244adc56079eb190c3efda4bc18da

SHA512
091b2d9d10186a3af68444d5d7b0cdbcb07ca1b56032ae360cdce70c1b0f4c686dfda91ceefd7f80e830687df9cbb7d85f63e1481ecaa9702a00f7d357f2a854

Download Submit
C:\Windows\System\RAQQfcL.exe

Filesize
5.2MB

MD5
de6fb8d95b1cf1964f150f969ba0a341

SHA1
67b5d94a50e91d46568ef7df5b308453638cb343

SHA256
d2a5ee659519198bc6f8a410b128173516be7824e848dc71ebae4b039a2729f1

SHA512
a2b8075b3cb4ca29ac5e245be349e3570ef99fd08f411d7797601e5ecba81355238d1c2bf3c4fcf4ed660e40a431f0d34825e609556f4aba4fb06ab54dac0605

Download Submit
C:\Windows\System\WaxPKWX.exe

Filesize
5.2MB

MD5
59ffc2cf1be2d9644ef4daddd5e9a8d4

SHA1
82c48320c756b76de858283ae7f6eb8b41926e8c

SHA256
7c6a4834199b0cc2c836bc8acb1841a5a973e93e439b652efc632da8c1bf777a

SHA512
ff10ab90ab2f8a3bf6d6ce1640811e5e9f2f688a9ac34bd5637b94712310d017abfbeb0f6850ecfc3f8ac02d201cbfbaf6fff80a80e7515d4d6a25be8e7a4fdf

Download Submit
C:\Windows\System\XdckjYk.exe

Filesize
5.2MB

MD5
5d879f4b4f3fd3e828fb59ad58fa6b3e

SHA1
324dfcb21ab10ba1e2fcaf80df0f6c40a8ffaabd

SHA256
5ceab6172a4414737207242e12f11faa3d4de345317760d0628122521fb54588

SHA512
eedaf4e3d620b5b87e1aa022553d6fdb7aaae2b039307860bb8ea921ed0777639c54888b1cd3ba4a2597182dd426c09a7a72efc9246a1eb5c6fbca90ab0a0093

Download Submit
C:\Windows\System\YxjoFtX.exe

Filesize
5.2MB

MD5
99de6a21002947f27116844d5c2cdc35

SHA1
f4172e875407a42f4347759232c0370f82759726

SHA256
24048e6d6a329b6cd31b37e14fd82c68d2fbd0e5b24ed03dd515e89a84f8e8e6

SHA512
0fb7521774cd1957c54e9fd4854743f3faaab678ab6e6b487d6f162b76ce156074850e8b42003d5aa5c11bd59d63814de9a00b79bf52cded6b1aeff3bd120bb7

Download Submit
C:\Windows\System\ZgkbMeM.exe

Filesize
5.2MB

MD5
2ac0df1b26b99e2a451c8dd40328e2e1

SHA1
16ae175c8c01a77e77b9589feaae739c02acaf0f

SHA256
1537cbaee6b3d8e6b32c8c0e3f9c93f3e791770ea5f4bd2270a5273647166733

SHA512
dd13a6c1de4b9a23c555a25593a42acf9efa7e0e010ab9aee697dbc9e544b888bb8a6babdfaba1957deee788d94a9340af1b8d0e37095495ccd187ae213efa2c

Download Submit
C:\Windows\System\bqdPZvj.exe

Filesize
5.2MB

MD5
adead633fc330460ec174489cedbd323

SHA1
d5321630dacecd9e5f115134be72ca06eda58143

SHA256
dcfb29fe17affcf4c90c8227c182b3b6675351c52f3ca39700c690d770959251

SHA512
0a3f7618e7352a947a81f077872138763ae4f2b1ccc1ad76ed834f7d2dc3c1e4b730caa386b57b12509e9fff35eb995753b98332cb7de94927b2900fd2b84952

Download Submit
C:\Windows\System\dItVtlz.exe

Filesize
5.2MB

MD5
61ef8f1404882fc60d84688d466303f7

SHA1
9a9d1b2853a8e6dcfbf5575215106b8c041f0d2d

SHA256
0744fd0dce13d07bbfba4d0f3f5af80e08e932f4b93848104d7edd5208bd80bb

SHA512
24809c808f014a6418dc09c3e438778fad4578fe83f7b6dc76686fce63f543d2013e82dad3058a49a26b960e94cafefb15e1e9530743ff20f41155d27d59857f

Download Submit
C:\Windows\System\kNJEUMN.exe

Filesize
5.2MB

MD5
f293704ea80c1524f007341406aa84ce

SHA1
6b12c8a0c457e8833c938068fd26f197f8ede9d1

SHA256
d5b88a20179f078556c1aeb57fe3be48cccf85ee6ff0429b2f44bbfe7ae07c66

SHA512
0d5402d84f4f460f0899328950a93d635c6631449622ff15b4ad718b2998fd77a461f7a5f3cfafb038959deeba1d8d91185fa4c99bc3641adb52e65ae2ab0ca3

Download Submit
C:\Windows\System\lLCYqWu.exe

Filesize
5.2MB

MD5
2a407e7f1113acc698e82831978a5bbd

SHA1
fe9f46e3c00a3cbc21d241324b873da2384992df

SHA256
25d19489f5a35421f85c733b2e80a5e517115ece1784f48a88528b5916f9c37a

SHA512
c086f433bedd5f33fd6158abcee1b246880a4771406dae1f37090d05a8fb7e4a50c555ab3ef6d8b856b7cdd9f5de726ee6c5e3ff0f401d80f4f80c3461a8c473

Download Submit
C:\Windows\System\nGVgQNU.exe

Filesize
5.2MB

MD5
2b9c0ee8631bc59f962683441285e909

SHA1
efb89a7966d916848ac0f1721bdea20594c44343

SHA256
4b857bd714833f92c56fe0d8a0d4b04862687d65dfc99b9c6ce067902bfb9e70

SHA512
fd27262f402ffd60474e376f194d1fc5d34e9d5aa8fb68a026cd310bfbef3bdd41a5406c495bd7029a6bb9c749a4073f2f3b507712a620a97df523dec2b98ef5

Download Submit
C:\Windows\System\nPFccuL.exe

Filesize
5.2MB

MD5
c80730a20efbf6f57fa645223a3991a5

SHA1
ecb567a3beb70046ca27e4d796df0c9c2eff3e14

SHA256
6adcc92212806b08bf715d21b8a15eba634fd01d935e15b8f14ed7301c34b516

SHA512
d9f2008ad135ca67ca7be4a85a33b51ebc0d7bc8186c64c754b0224d0ee8dfd1312c962d8de2081ba736a59ace43c726e79ffb8f668fdc1aa836ba6b13678894

Download Submit
C:\Windows\System\nsxgINP.exe

Filesize
5.2MB

MD5
8bcf0b840003559e43048ce5ec61d747

SHA1
a58c83ca81b9a668bdce08a1e81e284f98c4f7b2

SHA256
809a7afbe208e4b47c26f4032089312c06718dd967be6253e31822aecc02daa4

SHA512
f469eed30b39fb3a68f98faa307b48e183621ba84d1bbfcd904d59ef733c984bfd8662671c9e33a28dddabebe14fbc55e83f3fd73002d5873ec13b2152f22b97

Download Submit
C:\Windows\System\yaKNzRc.exe

Filesize
5.2MB

MD5
f3a0d4bd9a20f6ac5940371ced2f055e

SHA1
172e6ad39d5bfb38df997a1a96bccf7290945725

SHA256
156c18829a4f8cd6ea9bc1074c4a799fcecd5deb7bbac789215c55473dda4552

SHA512
71ef38172fe660520543f9a9c1910741fa29c95a6f1151c9844a279881f0304bcb28977924d014351e18b58f1746436698030672dd667a0dc08b21895308ec75

Download Submit
C:\Windows\System\zXcfWlT.exe

Filesize
5.2MB

MD5
4e0115703b6bcffb92ab62671ef3dc1a

SHA1
e6c0945c87b70a7c92bbb3ccea3de7a052e18868

SHA256
cd2417f808790f0ce1e44a813c064bce43594084720672168f468d2c15d7f862

SHA512
fc788a8f063bd97ecbb5b37ac132603380a4e8765e24fb6a4363ff030c98b640994d5ed781ef074de9abae93433f9cfde4da2e3e5154d79f687d24b0b5792ca1

Download Submit
memory/64-188-0x00007FF768E70000-0x00007FF7691C1000-memory.dmp

Filesize
3.3MB

Download
memory/64-6-0x00007FF768E70000-0x00007FF7691C1000-memory.dmp

Filesize
3.3MB

Download
memory/64-117-0x00007FF768E70000-0x00007FF7691C1000-memory.dmp

Filesize
3.3MB

Download
memory/220-134-0x00007FF6EF990000-0x00007FF6EFCE1000-memory.dmp

Filesize
3.3MB

Download
memory/220-237-0x00007FF6EF990000-0x00007FF6EFCE1000-memory.dmp

Filesize
3.3MB

Download
memory/752-116-0x00007FF695280000-0x00007FF6955D1000-memory.dmp

Filesize
3.3MB

Download
memory/752-138-0x00007FF695280000-0x00007FF6955D1000-memory.dmp

Filesize
3.3MB

Download
memory/752-139-0x00007FF695280000-0x00007FF6955D1000-memory.dmp

Filesize
3.3MB

Download
memory/752-0-0x00007FF695280000-0x00007FF6955D1000-memory.dmp

Filesize
3.3MB

Download
memory/752-1-0x00000258CBB00000-0x00000258CBB10000-memory.dmp

Filesize
64KB

Download
memory/1460-242-0x00007FF6D5960000-0x00007FF6D5CB1000-memory.dmp

Filesize
3.3MB

Download
memory/1460-135-0x00007FF6D5960000-0x00007FF6D5CB1000-memory.dmp

Filesize
3.3MB

Download
memory/1508-137-0x00007FF728C30000-0x00007FF728F81000-memory.dmp

Filesize
3.3MB

Download
memory/1508-246-0x00007FF728C30000-0x00007FF728F81000-memory.dmp

Filesize
3.3MB

Download
memory/1984-225-0x00007FF7BA390000-0x00007FF7BA6E1000-memory.dmp

Filesize
3.3MB

Download
memory/1984-127-0x00007FF7BA390000-0x00007FF7BA6E1000-memory.dmp

Filesize
3.3MB

Download
memory/2324-219-0x00007FF620080000-0x00007FF6203D1000-memory.dmp

Filesize
3.3MB

Download
memory/2324-124-0x00007FF620080000-0x00007FF6203D1000-memory.dmp

Filesize
3.3MB

Download
memory/2324-50-0x00007FF620080000-0x00007FF6203D1000-memory.dmp

Filesize
3.3MB

Download
memory/3060-129-0x00007FF6E4EC0000-0x00007FF6E5211000-memory.dmp

Filesize
3.3MB

Download
memory/3060-229-0x00007FF6E4EC0000-0x00007FF6E5211000-memory.dmp

Filesize
3.3MB

Download
memory/3152-244-0x00007FF6D5FF0000-0x00007FF6D6341000-memory.dmp

Filesize
3.3MB

Download
memory/3152-136-0x00007FF6D5FF0000-0x00007FF6D6341000-memory.dmp

Filesize
3.3MB

Download
memory/3404-132-0x00007FF698010000-0x00007FF698361000-memory.dmp

Filesize
3.3MB

Download
memory/3404-232-0x00007FF698010000-0x00007FF698361000-memory.dmp

Filesize
3.3MB

Download
memory/3500-39-0x00007FF61D470000-0x00007FF61D7C1000-memory.dmp

Filesize
3.3MB

Download
memory/3500-203-0x00007FF61D470000-0x00007FF61D7C1000-memory.dmp

Filesize
3.3MB

Download
memory/3500-122-0x00007FF61D470000-0x00007FF61D7C1000-memory.dmp

Filesize
3.3MB

Download
memory/3644-190-0x00007FF6A25A0000-0x00007FF6A28F1000-memory.dmp

Filesize
3.3MB

Download
memory/3644-12-0x00007FF6A25A0000-0x00007FF6A28F1000-memory.dmp

Filesize
3.3MB

Download
memory/3644-118-0x00007FF6A25A0000-0x00007FF6A28F1000-memory.dmp

Filesize
3.3MB

Download
memory/3892-133-0x00007FF725640000-0x00007FF725991000-memory.dmp

Filesize
3.3MB

Download
memory/3892-240-0x00007FF725640000-0x00007FF725991000-memory.dmp

Filesize
3.3MB

Download
memory/3988-19-0x00007FF735CF0000-0x00007FF736041000-memory.dmp

Filesize
3.3MB

Download
memory/3988-119-0x00007FF735CF0000-0x00007FF736041000-memory.dmp

Filesize
3.3MB

Download
memory/3988-199-0x00007FF735CF0000-0x00007FF736041000-memory.dmp

Filesize
3.3MB

Download
memory/4024-227-0x00007FF723EB0000-0x00007FF724201000-memory.dmp

Filesize
3.3MB

Download
memory/4024-128-0x00007FF723EB0000-0x00007FF724201000-memory.dmp

Filesize
3.3MB

Download
memory/4168-31-0x00007FF776E90000-0x00007FF7771E1000-memory.dmp

Filesize
3.3MB

Download
memory/4168-205-0x00007FF776E90000-0x00007FF7771E1000-memory.dmp

Filesize
3.3MB

Download
memory/4168-121-0x00007FF776E90000-0x00007FF7771E1000-memory.dmp

Filesize
3.3MB

Download
memory/4308-201-0x00007FF6E2600000-0x00007FF6E2951000-memory.dmp

Filesize
3.3MB

Download
memory/4308-120-0x00007FF6E2600000-0x00007FF6E2951000-memory.dmp

Filesize
3.3MB

Download
memory/4308-25-0x00007FF6E2600000-0x00007FF6E2951000-memory.dmp

Filesize
3.3MB

Download
memory/4464-217-0x00007FF77F390000-0x00007FF77F6E1000-memory.dmp

Filesize
3.3MB

Download
memory/4464-57-0x00007FF77F390000-0x00007FF77F6E1000-memory.dmp

Filesize
3.3MB

Download
memory/4464-123-0x00007FF77F390000-0x00007FF77F6E1000-memory.dmp

Filesize
3.3MB

Download
memory/4564-130-0x00007FF622220000-0x00007FF622571000-memory.dmp

Filesize
3.3MB

Download
memory/4564-236-0x00007FF622220000-0x00007FF622571000-memory.dmp

Filesize
3.3MB

Download
memory/4568-234-0x00007FF6DC640000-0x00007FF6DC991000-memory.dmp

Filesize
3.3MB

Download
memory/4568-131-0x00007FF6DC640000-0x00007FF6DC991000-memory.dmp

Filesize
3.3MB

Download
memory/4720-223-0x00007FF7FE3D0000-0x00007FF7FE721000-memory.dmp

Filesize
3.3MB

Download
memory/4720-71-0x00007FF7FE3D0000-0x00007FF7FE721000-memory.dmp

Filesize
3.3MB

Download
memory/4720-125-0x00007FF7FE3D0000-0x00007FF7FE721000-memory.dmp

Filesize
3.3MB

Download
memory/4736-222-0x00007FF6E2EE0000-0x00007FF6E3231000-memory.dmp

Filesize
3.3MB

Download
memory/4736-126-0x00007FF6E2EE0000-0x00007FF6E3231000-memory.dmp

Filesize
3.3MB

Download