cobaltstrike | 08ce4102fbc224848fbe3863ae9f59e347dd4d287a8ad9df5ea06d34c9b01f95

Analysis

max time kernel
145s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17/11/2024, 10:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-17_ef669fa0aa37beaf6132b9b05b594e1d_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

ef669fa0aa37beaf6132b9b05b594e1d
SHA1

4b061f6769e2b52b9ea2631d75f99543a021e966
SHA256

08ce4102fbc224848fbe3863ae9f59e347dd4d287a8ad9df5ea06d34c9b01f95
SHA512

ea71f579419d2b0398e9810cdfbefde47013128b18cb4e5d27b1c70e9c190e4be5a5beb49ddeb947f41e62bd04eea4227910c1c90677b43aca14f16114dba848
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6la:RWWBibf56utgpPFotBER/mQ32lUe

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0008000000023c95-4.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c97-11.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c96-10.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c93-22.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c98-27.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c99-39.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9a-43.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9b-47.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9d-53.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9e-67.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca0-74.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca1-79.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca2-88.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca6-108.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca7-122.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca8-125.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca9-134.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca4-120.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca5-114.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca3-103.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9f-72.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 47 IoCs

miner

resource	yara_rule
behavioral2/memory/5012-8-0x00007FF6829A0000-0x00007FF682CF1000-memory.dmp	xmrig
behavioral2/memory/1484-33-0x00007FF69D240000-0x00007FF69D591000-memory.dmp	xmrig
behavioral2/memory/1684-49-0x00007FF678240000-0x00007FF678591000-memory.dmp	xmrig
behavioral2/memory/4024-51-0x00007FF7775D0000-0x00007FF777921000-memory.dmp	xmrig
behavioral2/memory/5012-55-0x00007FF6829A0000-0x00007FF682CF1000-memory.dmp	xmrig
behavioral2/memory/2428-75-0x00007FF783080000-0x00007FF7833D1000-memory.dmp	xmrig
behavioral2/memory/3536-97-0x00007FF6B1F70000-0x00007FF6B22C1000-memory.dmp	xmrig
behavioral2/memory/4984-132-0x00007FF65AE90000-0x00007FF65B1E1000-memory.dmp	xmrig
behavioral2/memory/4024-128-0x00007FF7775D0000-0x00007FF777921000-memory.dmp	xmrig
behavioral2/memory/3272-111-0x00007FF6A3960000-0x00007FF6A3CB1000-memory.dmp	xmrig
behavioral2/memory/4688-82-0x00007FF7F6500000-0x00007FF7F6851000-memory.dmp	xmrig
behavioral2/memory/4468-62-0x00007FF61F540000-0x00007FF61F891000-memory.dmp	xmrig
behavioral2/memory/1684-136-0x00007FF678240000-0x00007FF678591000-memory.dmp	xmrig
behavioral2/memory/3500-146-0x00007FF6EC950000-0x00007FF6ECCA1000-memory.dmp	xmrig
behavioral2/memory/4572-147-0x00007FF74DB80000-0x00007FF74DED1000-memory.dmp	xmrig
behavioral2/memory/3368-153-0x00007FF65E6B0000-0x00007FF65EA01000-memory.dmp	xmrig
behavioral2/memory/628-154-0x00007FF75FD70000-0x00007FF7600C1000-memory.dmp	xmrig
behavioral2/memory/2228-152-0x00007FF6418A0000-0x00007FF641BF1000-memory.dmp	xmrig
behavioral2/memory/908-159-0x00007FF65A750000-0x00007FF65AAA1000-memory.dmp	xmrig
behavioral2/memory/3592-160-0x00007FF652C50000-0x00007FF652FA1000-memory.dmp	xmrig
behavioral2/memory/4944-161-0x00007FF68B8A0000-0x00007FF68BBF1000-memory.dmp	xmrig
behavioral2/memory/4156-158-0x00007FF761710000-0x00007FF761A61000-memory.dmp	xmrig
behavioral2/memory/2308-157-0x00007FF75D830000-0x00007FF75DB81000-memory.dmp	xmrig
behavioral2/memory/3612-156-0x00007FF66F150000-0x00007FF66F4A1000-memory.dmp	xmrig
behavioral2/memory/5056-155-0x00007FF79F880000-0x00007FF79FBD1000-memory.dmp	xmrig
behavioral2/memory/1684-162-0x00007FF678240000-0x00007FF678591000-memory.dmp	xmrig
behavioral2/memory/5012-211-0x00007FF6829A0000-0x00007FF682CF1000-memory.dmp	xmrig
behavioral2/memory/4468-213-0x00007FF61F540000-0x00007FF61F891000-memory.dmp	xmrig
behavioral2/memory/2428-220-0x00007FF783080000-0x00007FF7833D1000-memory.dmp	xmrig
behavioral2/memory/1484-223-0x00007FF69D240000-0x00007FF69D591000-memory.dmp	xmrig
behavioral2/memory/4688-224-0x00007FF7F6500000-0x00007FF7F6851000-memory.dmp	xmrig
behavioral2/memory/3536-226-0x00007FF6B1F70000-0x00007FF6B22C1000-memory.dmp	xmrig
behavioral2/memory/3272-228-0x00007FF6A3960000-0x00007FF6A3CB1000-memory.dmp	xmrig
behavioral2/memory/4024-237-0x00007FF7775D0000-0x00007FF777921000-memory.dmp	xmrig
behavioral2/memory/4984-239-0x00007FF65AE90000-0x00007FF65B1E1000-memory.dmp	xmrig
behavioral2/memory/3500-241-0x00007FF6EC950000-0x00007FF6ECCA1000-memory.dmp	xmrig
behavioral2/memory/4572-243-0x00007FF74DB80000-0x00007FF74DED1000-memory.dmp	xmrig
behavioral2/memory/3368-245-0x00007FF65E6B0000-0x00007FF65EA01000-memory.dmp	xmrig
behavioral2/memory/2228-247-0x00007FF6418A0000-0x00007FF641BF1000-memory.dmp	xmrig
behavioral2/memory/628-249-0x00007FF75FD70000-0x00007FF7600C1000-memory.dmp	xmrig
behavioral2/memory/5056-257-0x00007FF79F880000-0x00007FF79FBD1000-memory.dmp	xmrig
behavioral2/memory/2308-259-0x00007FF75D830000-0x00007FF75DB81000-memory.dmp	xmrig
behavioral2/memory/4156-262-0x00007FF761710000-0x00007FF761A61000-memory.dmp	xmrig
behavioral2/memory/3612-263-0x00007FF66F150000-0x00007FF66F4A1000-memory.dmp	xmrig
behavioral2/memory/908-265-0x00007FF65A750000-0x00007FF65AAA1000-memory.dmp	xmrig
behavioral2/memory/4944-267-0x00007FF68B8A0000-0x00007FF68BBF1000-memory.dmp	xmrig
behavioral2/memory/3592-270-0x00007FF652C50000-0x00007FF652FA1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
5012	wUoASKo.exe
4468	rqTtdKy.exe
2428	chZYuIo.exe
4688	kTuhQkU.exe
1484	albuaxG.exe
3536	FssxrLK.exe
3272	tpFqVWC.exe
4024	uMsjQCj.exe
4984	AXBZwaI.exe
3500	CdUXGDT.exe
4572	hlRZyWY.exe
3368	mfONYiq.exe
2228	AWngXRT.exe
628	Kgwahty.exe
5056	RUoFEIm.exe
2308	mPaKzbt.exe
4156	BEDLoiv.exe
3612	daGRMOE.exe
908	jteQYSk.exe
3592	zrSxMIc.exe
4944	pMCDqWT.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1684-0-0x00007FF678240000-0x00007FF678591000-memory.dmp	upx
behavioral2/files/0x0008000000023c95-4.dat	upx
behavioral2/files/0x0007000000023c97-11.dat	upx
behavioral2/files/0x0007000000023c96-10.dat	upx
behavioral2/memory/4468-13-0x00007FF61F540000-0x00007FF61F891000-memory.dmp	upx
behavioral2/memory/5012-8-0x00007FF6829A0000-0x00007FF682CF1000-memory.dmp	upx
behavioral2/files/0x0008000000023c93-22.dat	upx
behavioral2/files/0x0007000000023c98-27.dat	upx
behavioral2/memory/1484-33-0x00007FF69D240000-0x00007FF69D591000-memory.dmp	upx
behavioral2/files/0x0007000000023c99-39.dat	upx
behavioral2/memory/3272-42-0x00007FF6A3960000-0x00007FF6A3CB1000-memory.dmp	upx
behavioral2/files/0x0007000000023c9a-43.dat	upx
behavioral2/memory/3536-37-0x00007FF6B1F70000-0x00007FF6B22C1000-memory.dmp	upx
behavioral2/memory/4688-24-0x00007FF7F6500000-0x00007FF7F6851000-memory.dmp	upx
behavioral2/memory/2428-18-0x00007FF783080000-0x00007FF7833D1000-memory.dmp	upx
behavioral2/files/0x0007000000023c9b-47.dat	upx
behavioral2/memory/1684-49-0x00007FF678240000-0x00007FF678591000-memory.dmp	upx
behavioral2/files/0x0007000000023c9d-53.dat	upx
behavioral2/memory/4024-51-0x00007FF7775D0000-0x00007FF777921000-memory.dmp	upx
behavioral2/memory/4984-56-0x00007FF65AE90000-0x00007FF65B1E1000-memory.dmp	upx
behavioral2/memory/5012-55-0x00007FF6829A0000-0x00007FF682CF1000-memory.dmp	upx
behavioral2/files/0x0007000000023c9e-67.dat	upx
behavioral2/memory/4572-69-0x00007FF74DB80000-0x00007FF74DED1000-memory.dmp	upx
behavioral2/files/0x0007000000023ca0-74.dat	upx
behavioral2/memory/2428-75-0x00007FF783080000-0x00007FF7833D1000-memory.dmp	upx
behavioral2/files/0x0007000000023ca1-79.dat	upx
behavioral2/files/0x0007000000023ca2-88.dat	upx
behavioral2/memory/628-89-0x00007FF75FD70000-0x00007FF7600C1000-memory.dmp	upx
behavioral2/memory/3536-97-0x00007FF6B1F70000-0x00007FF6B22C1000-memory.dmp	upx
behavioral2/files/0x0007000000023ca6-108.dat	upx
behavioral2/memory/2308-112-0x00007FF75D830000-0x00007FF75DB81000-memory.dmp	upx
behavioral2/memory/908-116-0x00007FF65A750000-0x00007FF65AAA1000-memory.dmp	upx
behavioral2/files/0x0007000000023ca7-122.dat	upx
behavioral2/files/0x0007000000023ca8-125.dat	upx
behavioral2/memory/3592-130-0x00007FF652C50000-0x00007FF652FA1000-memory.dmp	upx
behavioral2/files/0x0007000000023ca9-134.dat	upx
behavioral2/memory/4944-133-0x00007FF68B8A0000-0x00007FF68BBF1000-memory.dmp	upx
behavioral2/memory/4984-132-0x00007FF65AE90000-0x00007FF65B1E1000-memory.dmp	upx
behavioral2/memory/4024-128-0x00007FF7775D0000-0x00007FF777921000-memory.dmp	upx
behavioral2/files/0x0007000000023ca4-120.dat	upx
behavioral2/memory/4156-117-0x00007FF761710000-0x00007FF761A61000-memory.dmp	upx
behavioral2/files/0x0007000000023ca5-114.dat	upx
behavioral2/memory/3612-113-0x00007FF66F150000-0x00007FF66F4A1000-memory.dmp	upx
behavioral2/memory/3272-111-0x00007FF6A3960000-0x00007FF6A3CB1000-memory.dmp	upx
behavioral2/memory/5056-107-0x00007FF79F880000-0x00007FF79FBD1000-memory.dmp	upx
behavioral2/files/0x0007000000023ca3-103.dat	upx
behavioral2/memory/2228-85-0x00007FF6418A0000-0x00007FF641BF1000-memory.dmp	upx
behavioral2/memory/4688-82-0x00007FF7F6500000-0x00007FF7F6851000-memory.dmp	upx
behavioral2/memory/3368-78-0x00007FF65E6B0000-0x00007FF65EA01000-memory.dmp	upx
behavioral2/files/0x0007000000023c9f-72.dat	upx
behavioral2/memory/3500-65-0x00007FF6EC950000-0x00007FF6ECCA1000-memory.dmp	upx
behavioral2/memory/4468-62-0x00007FF61F540000-0x00007FF61F891000-memory.dmp	upx
behavioral2/memory/1684-136-0x00007FF678240000-0x00007FF678591000-memory.dmp	upx
behavioral2/memory/3500-146-0x00007FF6EC950000-0x00007FF6ECCA1000-memory.dmp	upx
behavioral2/memory/4572-147-0x00007FF74DB80000-0x00007FF74DED1000-memory.dmp	upx
behavioral2/memory/3368-153-0x00007FF65E6B0000-0x00007FF65EA01000-memory.dmp	upx
behavioral2/memory/628-154-0x00007FF75FD70000-0x00007FF7600C1000-memory.dmp	upx
behavioral2/memory/2228-152-0x00007FF6418A0000-0x00007FF641BF1000-memory.dmp	upx
behavioral2/memory/908-159-0x00007FF65A750000-0x00007FF65AAA1000-memory.dmp	upx
behavioral2/memory/3592-160-0x00007FF652C50000-0x00007FF652FA1000-memory.dmp	upx
behavioral2/memory/4944-161-0x00007FF68B8A0000-0x00007FF68BBF1000-memory.dmp	upx
behavioral2/memory/4156-158-0x00007FF761710000-0x00007FF761A61000-memory.dmp	upx
behavioral2/memory/2308-157-0x00007FF75D830000-0x00007FF75DB81000-memory.dmp	upx
behavioral2/memory/3612-156-0x00007FF66F150000-0x00007FF66F4A1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\rqTtdKy.exe	2024-11-17_ef669fa0aa37beaf6132b9b05b594e1d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kTuhQkU.exe	2024-11-17_ef669fa0aa37beaf6132b9b05b594e1d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AWngXRT.exe	2024-11-17_ef669fa0aa37beaf6132b9b05b594e1d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\daGRMOE.exe	2024-11-17_ef669fa0aa37beaf6132b9b05b594e1d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AXBZwaI.exe	2024-11-17_ef669fa0aa37beaf6132b9b05b594e1d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hlRZyWY.exe	2024-11-17_ef669fa0aa37beaf6132b9b05b594e1d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RUoFEIm.exe	2024-11-17_ef669fa0aa37beaf6132b9b05b594e1d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BEDLoiv.exe	2024-11-17_ef669fa0aa37beaf6132b9b05b594e1d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jteQYSk.exe	2024-11-17_ef669fa0aa37beaf6132b9b05b594e1d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zrSxMIc.exe	2024-11-17_ef669fa0aa37beaf6132b9b05b594e1d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\chZYuIo.exe	2024-11-17_ef669fa0aa37beaf6132b9b05b594e1d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\albuaxG.exe	2024-11-17_ef669fa0aa37beaf6132b9b05b594e1d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CdUXGDT.exe	2024-11-17_ef669fa0aa37beaf6132b9b05b594e1d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mfONYiq.exe	2024-11-17_ef669fa0aa37beaf6132b9b05b594e1d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pMCDqWT.exe	2024-11-17_ef669fa0aa37beaf6132b9b05b594e1d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wUoASKo.exe	2024-11-17_ef669fa0aa37beaf6132b9b05b594e1d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FssxrLK.exe	2024-11-17_ef669fa0aa37beaf6132b9b05b594e1d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tpFqVWC.exe	2024-11-17_ef669fa0aa37beaf6132b9b05b594e1d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uMsjQCj.exe	2024-11-17_ef669fa0aa37beaf6132b9b05b594e1d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\Kgwahty.exe	2024-11-17_ef669fa0aa37beaf6132b9b05b594e1d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mPaKzbt.exe	2024-11-17_ef669fa0aa37beaf6132b9b05b594e1d_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1684	2024-11-17_ef669fa0aa37beaf6132b9b05b594e1d_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	1684	2024-11-17_ef669fa0aa37beaf6132b9b05b594e1d_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1684 wrote to memory of 5012	1684	2024-11-17_ef669fa0aa37beaf6132b9b05b594e1d_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 1684 wrote to memory of 5012	1684	2024-11-17_ef669fa0aa37beaf6132b9b05b594e1d_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 1684 wrote to memory of 4468	1684	2024-11-17_ef669fa0aa37beaf6132b9b05b594e1d_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 1684 wrote to memory of 4468	1684	2024-11-17_ef669fa0aa37beaf6132b9b05b594e1d_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 1684 wrote to memory of 2428	1684	2024-11-17_ef669fa0aa37beaf6132b9b05b594e1d_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 1684 wrote to memory of 2428	1684	2024-11-17_ef669fa0aa37beaf6132b9b05b594e1d_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 1684 wrote to memory of 4688	1684	2024-11-17_ef669fa0aa37beaf6132b9b05b594e1d_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 1684 wrote to memory of 4688	1684	2024-11-17_ef669fa0aa37beaf6132b9b05b594e1d_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 1684 wrote to memory of 1484	1684	2024-11-17_ef669fa0aa37beaf6132b9b05b594e1d_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1684 wrote to memory of 1484	1684	2024-11-17_ef669fa0aa37beaf6132b9b05b594e1d_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1684 wrote to memory of 3536	1684	2024-11-17_ef669fa0aa37beaf6132b9b05b594e1d_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1684 wrote to memory of 3536	1684	2024-11-17_ef669fa0aa37beaf6132b9b05b594e1d_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1684 wrote to memory of 3272	1684	2024-11-17_ef669fa0aa37beaf6132b9b05b594e1d_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1684 wrote to memory of 3272	1684	2024-11-17_ef669fa0aa37beaf6132b9b05b594e1d_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1684 wrote to memory of 4024	1684	2024-11-17_ef669fa0aa37beaf6132b9b05b594e1d_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 1684 wrote to memory of 4024	1684	2024-11-17_ef669fa0aa37beaf6132b9b05b594e1d_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 1684 wrote to memory of 4984	1684	2024-11-17_ef669fa0aa37beaf6132b9b05b594e1d_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1684 wrote to memory of 4984	1684	2024-11-17_ef669fa0aa37beaf6132b9b05b594e1d_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1684 wrote to memory of 3500	1684	2024-11-17_ef669fa0aa37beaf6132b9b05b594e1d_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1684 wrote to memory of 3500	1684	2024-11-17_ef669fa0aa37beaf6132b9b05b594e1d_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1684 wrote to memory of 4572	1684	2024-11-17_ef669fa0aa37beaf6132b9b05b594e1d_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 1684 wrote to memory of 4572	1684	2024-11-17_ef669fa0aa37beaf6132b9b05b594e1d_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 1684 wrote to memory of 3368	1684	2024-11-17_ef669fa0aa37beaf6132b9b05b594e1d_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1684 wrote to memory of 3368	1684	2024-11-17_ef669fa0aa37beaf6132b9b05b594e1d_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1684 wrote to memory of 2228	1684	2024-11-17_ef669fa0aa37beaf6132b9b05b594e1d_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1684 wrote to memory of 2228	1684	2024-11-17_ef669fa0aa37beaf6132b9b05b594e1d_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1684 wrote to memory of 628	1684	2024-11-17_ef669fa0aa37beaf6132b9b05b594e1d_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1684 wrote to memory of 628	1684	2024-11-17_ef669fa0aa37beaf6132b9b05b594e1d_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1684 wrote to memory of 5056	1684	2024-11-17_ef669fa0aa37beaf6132b9b05b594e1d_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1684 wrote to memory of 5056	1684	2024-11-17_ef669fa0aa37beaf6132b9b05b594e1d_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1684 wrote to memory of 3612	1684	2024-11-17_ef669fa0aa37beaf6132b9b05b594e1d_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1684 wrote to memory of 3612	1684	2024-11-17_ef669fa0aa37beaf6132b9b05b594e1d_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1684 wrote to memory of 2308	1684	2024-11-17_ef669fa0aa37beaf6132b9b05b594e1d_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 1684 wrote to memory of 2308	1684	2024-11-17_ef669fa0aa37beaf6132b9b05b594e1d_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 1684 wrote to memory of 4156	1684	2024-11-17_ef669fa0aa37beaf6132b9b05b594e1d_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 1684 wrote to memory of 4156	1684	2024-11-17_ef669fa0aa37beaf6132b9b05b594e1d_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 1684 wrote to memory of 908	1684	2024-11-17_ef669fa0aa37beaf6132b9b05b594e1d_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 1684 wrote to memory of 908	1684	2024-11-17_ef669fa0aa37beaf6132b9b05b594e1d_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 1684 wrote to memory of 3592	1684	2024-11-17_ef669fa0aa37beaf6132b9b05b594e1d_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 1684 wrote to memory of 3592	1684	2024-11-17_ef669fa0aa37beaf6132b9b05b594e1d_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 1684 wrote to memory of 4944	1684	2024-11-17_ef669fa0aa37beaf6132b9b05b594e1d_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 1684 wrote to memory of 4944	1684	2024-11-17_ef669fa0aa37beaf6132b9b05b594e1d_cobalt-strike_cobaltstrike_poet-rat.exe	107

C:\Users\Admin\AppData\Local\Temp\2024-11-17_ef669fa0aa37beaf6132b9b05b594e1d_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-17_ef669fa0aa37beaf6132b9b05b594e1d_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Windows\System\wUoASKo.exe
  C:\Windows\System\wUoASKo.exe
  2⤵
  - Executes dropped EXE
  PID:5012
- C:\Windows\System\rqTtdKy.exe
  C:\Windows\System\rqTtdKy.exe
  2⤵
  - Executes dropped EXE
  PID:4468
- C:\Windows\System\chZYuIo.exe
  C:\Windows\System\chZYuIo.exe
  2⤵
  - Executes dropped EXE
  PID:2428
- C:\Windows\System\kTuhQkU.exe
  C:\Windows\System\kTuhQkU.exe
  2⤵
  - Executes dropped EXE
  PID:4688
- C:\Windows\System\albuaxG.exe
  C:\Windows\System\albuaxG.exe
  2⤵
  - Executes dropped EXE
  PID:1484
- C:\Windows\System\FssxrLK.exe
  C:\Windows\System\FssxrLK.exe
  2⤵
  - Executes dropped EXE
  PID:3536
- C:\Windows\System\tpFqVWC.exe
  C:\Windows\System\tpFqVWC.exe
  2⤵
  - Executes dropped EXE
  PID:3272
- C:\Windows\System\uMsjQCj.exe
  C:\Windows\System\uMsjQCj.exe
  2⤵
  - Executes dropped EXE
  PID:4024
- C:\Windows\System\AXBZwaI.exe
  C:\Windows\System\AXBZwaI.exe
  2⤵
  - Executes dropped EXE
  PID:4984
- C:\Windows\System\CdUXGDT.exe
  C:\Windows\System\CdUXGDT.exe
  2⤵
  - Executes dropped EXE
  PID:3500
- C:\Windows\System\hlRZyWY.exe
  C:\Windows\System\hlRZyWY.exe
  2⤵
  - Executes dropped EXE
  PID:4572
- C:\Windows\System\mfONYiq.exe
  C:\Windows\System\mfONYiq.exe
  2⤵
  - Executes dropped EXE
  PID:3368
- C:\Windows\System\AWngXRT.exe
  C:\Windows\System\AWngXRT.exe
  2⤵
  - Executes dropped EXE
  PID:2228
- C:\Windows\System\Kgwahty.exe
  C:\Windows\System\Kgwahty.exe
  2⤵
  - Executes dropped EXE
  PID:628
- C:\Windows\System\RUoFEIm.exe
  C:\Windows\System\RUoFEIm.exe
  2⤵
  - Executes dropped EXE
  PID:5056
- C:\Windows\System\daGRMOE.exe
  C:\Windows\System\daGRMOE.exe
  2⤵
  - Executes dropped EXE
  PID:3612
- C:\Windows\System\mPaKzbt.exe
  C:\Windows\System\mPaKzbt.exe
  2⤵
  - Executes dropped EXE
  PID:2308
- C:\Windows\System\BEDLoiv.exe
  C:\Windows\System\BEDLoiv.exe
  2⤵
  - Executes dropped EXE
  PID:4156
- C:\Windows\System\jteQYSk.exe
  C:\Windows\System\jteQYSk.exe
  2⤵
  - Executes dropped EXE
  PID:908
- C:\Windows\System\zrSxMIc.exe
  C:\Windows\System\zrSxMIc.exe
  2⤵
  - Executes dropped EXE
  PID:3592
- C:\Windows\System\pMCDqWT.exe
  C:\Windows\System\pMCDqWT.exe
  2⤵
  - Executes dropped EXE
  PID:4944

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AWngXRT.exe

Filesize
5.2MB

MD5
4d2f8d0f4bc55ac1dc868b5865c7ecda

SHA1
3e8be77c433c3453c8585810b6671d569e10f332

SHA256
0d5b13300edbea911fc9252d86b2153a431ffd68999f48a730b3d03beb9c457e

SHA512
34eae6d6cc82fedc625946c39f28627b55920ea9fdf6d7783a9de19c0e48ba3b751b045593a6560122e53b2fe4f676e6cbbb3d11937eca94675db83d96c2df58

Download Submit
C:\Windows\System\AXBZwaI.exe

Filesize
5.2MB

MD5
7f7d56eeb2ae4e1bcb94901065d86808

SHA1
0dcccce4d1fd2aed6fdd1fa46409615583903b0c

SHA256
f9091483da8616cc1cf13bd883cadf971ecaef358f75af397274c04e0fdd3b1a

SHA512
e2b33a649ab1c9be9c31fd2add9ec7c10ca9d27a563b1b0ffaa37bddfc7afb91c7a411b8e51875f65f9248cf910d592ed31147420005e58bfae35b51da236487

Download Submit
C:\Windows\System\BEDLoiv.exe

Filesize
5.2MB

MD5
b51b1a93db6c82907010262e326983e7

SHA1
e0981ef056b9f7fa0c3b3d36b9e5b15f4ee28f63

SHA256
503289c80d574374180c4bd5e73a490cb74b9bc6ac1b581ea68a0c8fddbb34af

SHA512
cd7272d3073b8631182ca4285fb205a368ab3db70281dd0631c2f86ce462e00886e4dda05cd93fe7976308c2ddb8f8bef5dfb32dcfc79ef11e0c7a2edb595d75

Download Submit
C:\Windows\System\CdUXGDT.exe

Filesize
5.2MB

MD5
42e3e664636780dd2b07d6f91e6dbe13

SHA1
61bad1ef09ab6caa06e32f78ca846d3a76c100db

SHA256
e1afb442fa345bb134c3327016fc61eac3e06fd5f43acd1993cdfc776f0fd5f9

SHA512
612d2b0a8bd9fbc9bd257a1b0447da12dda5131b1caa68bb41ea7db690a5c090a6b9200bb1cc3ce59995ef50fd6cebf3b88f22646bcc35f1b8e754d84464edbd

Download Submit
C:\Windows\System\FssxrLK.exe

Filesize
5.2MB

MD5
ef096b3497cac3f00f122d6080548c96

SHA1
8013de9f826948da24af368232a2b63ee321aadb

SHA256
2683acd74085b98ca17f7dfdd3a3ff8962ddc8c179158d3a51a205b584dd6bfb

SHA512
e67caf399f77f2b6a5ab8403fc1f474ea838d8ab00d89ca742d56ee90be61c27cc1597338c5800cf6d104ab7580185d6b5b4c094a6ccfcf8b38e2c6e3912f665

Download Submit
C:\Windows\System\Kgwahty.exe

Filesize
5.2MB

MD5
49cf2958e006b7beb78c93265a4d6ea0

SHA1
e4853b4d38638029057968c2e1d5834ae53ea581

SHA256
27dfe3f0399defbfcf0ebac39ffbb00573da1eba8d1127042f7bd9dcad0466dd

SHA512
03245fe9d21c45855830f8de2f767648d3ba6b84f6d52e8eac0de5de35409a3599fc5b64f2b98e51f0158e22a74d912c474a0405bcbc93af3f49a16143d60541

Download Submit
C:\Windows\System\RUoFEIm.exe

Filesize
5.2MB

MD5
36e9b9d7d38f5d8a773f3f9c7f891d37

SHA1
7b506ff8d8e8f157157136c6ac2e6cee3dfaf17d

SHA256
2ba62a835e2d2240f34d7083c665210a043b3058cd4a00936e0f0c20d9ba363c

SHA512
862a153d7ebd4f3e46a7bab09b6f04c5f74677dee88c85ba70aee52130989bd924ac6f7e2e4e973e82ff93999d4e8b4e0c3d2c0a86d58c4f559b854a140b0262

Download Submit
C:\Windows\System\albuaxG.exe

Filesize
5.2MB

MD5
034910c49127536459f5705ede469e61

SHA1
5fea3393d44274e5e9ab9e1f7612a11a5924534c

SHA256
5972278642e10d89b47f393eaa5bd8268a8c12d91b1c19973d8d7c644c5434ba

SHA512
5632b1e999cc7bc6fe7d1cdc3660e5c4438e8895be5a648da4815a6bd5cce646a696f4f9c39439c9a9c4c399f3a818b43f3b04cf5b8ae51ee3aec3f50d3d3806

Download Submit
C:\Windows\System\chZYuIo.exe

Filesize
5.2MB

MD5
1e6ac8a16194e924f974bf4891cbc477

SHA1
d7178e1c1ce5a50c8eeeadd4c58782cafe477fea

SHA256
d0a6459b41a3c971ed30714a3133fde763c16d4cd1be95978136b1e3ed48c030

SHA512
23b9d6125ebd30766d669699b4d8971b3414283df7e88575351eedd63e645b8e9f9619e60ed535e8601429dee55a5914abd0a228655da313eb80997baceff0a9

Download Submit
C:\Windows\System\daGRMOE.exe

Filesize
5.2MB

MD5
ed40d5c5cb187724cdfb4870bf47db88

SHA1
48bc424a6ba531ed34beadc9c09ea3e2294703c2

SHA256
6d92782e05f898ac76c02992b70ae6a187d57dbd061b4d3026cef649f916b486

SHA512
a14e688ab72c602770eef5ad06b710e4b4df7a075dca42dbecf59ef85ab03e4a4498a9e9b540f72ebb238a1bf65895d792a16de73f8e4a44a8038b13a9e930cd

Download Submit
C:\Windows\System\hlRZyWY.exe

Filesize
5.2MB

MD5
153e116b7a4013e9ba180521330c414d

SHA1
d0ffcf63c71138d9a6eb8a72383b0e47ae269b96

SHA256
db88b4c48f1881d165216a4ac1420d4af7af25b6ac1dd6dcbd6afb0028a2b451

SHA512
f40bf21abf7b5b6b9976c21bbc7e1ea7d9cec4a9f6aad92af07e882320750afb648eeb786226685ed2a60532bf3679b4510346d40ae888d77fbaba0a0a30caad

Download Submit
C:\Windows\System\jteQYSk.exe

Filesize
5.2MB

MD5
2997b47497ca340c27de434321ac4c80

SHA1
516aa19337b2f4c9fd6f27de6238ee0683a3b69d

SHA256
5a8f968e5009e79343428bb30bdc940cce6f9af5dabb4844d14128f171f6e272

SHA512
6581882f8735f50e5027fca0749d87e717bac86e7826be1138b8aad4fd261d7808b14bc4f42839a550728f455e392a2dfd597f67a3d3ab9995fa1592a1217c11

Download Submit
C:\Windows\System\kTuhQkU.exe

Filesize
5.2MB

MD5
fad9e2dd2981b72c70dcf9ea5a60548a

SHA1
92e74b8bc752881bd0ae7895ab25feb7276f1dda

SHA256
37ffc7c1f5a4b3a36d2b13ea9964dd4e9cbd4989b984888799980cb613249202

SHA512
1045499fcee334ce31e5446a6c7c26133a9f98ee652417392e8624d6515df2c3db41f57f26c0ad7c792fdf3bca12323d268b5aa47a1d584387a83d3ee678645f

Download Submit
C:\Windows\System\mPaKzbt.exe

Filesize
5.2MB

MD5
338ff71c9fa225a1252d31fdb3a75a4f

SHA1
fe3192569db2a32211c955f69a79a956810e33ed

SHA256
670c3ea3e3c973cb9e6033bd71ddaaefe1c58402154ba6b82e15d6a19905e419

SHA512
305cfc35a39d081f62a36f3cd4b8c175de4686f4e1fed66f225c1d696be237c8a79a628f462a8424531706d6df5d16336f46655f0c99acb668035795ef92c705

Download Submit
C:\Windows\System\mfONYiq.exe

Filesize
5.2MB

MD5
8e8dd8eb65a589a13e6c5a3c69e14a85

SHA1
fb2911223f9ec4d326b264481ad6c99dbe4c6c95

SHA256
3c7fa760b60f6456e3e7a91255b3b63eae37e275e003c895f22f8f714bfd61f8

SHA512
0bd9771e3e0eb4415eb06c8c2003179f892542d1390e7583c48b5cc62dbeb7b571a68fb8ce313fc98947c038a8f19fae670efe33a49142d7a0ae9b112bc45bd0

Download Submit
C:\Windows\System\pMCDqWT.exe

Filesize
5.2MB

MD5
1b65136330af3c58479e9559989710be

SHA1
10c250e621c07603f6b77d1dad4c1a340b364cc4

SHA256
f64707cc871bb1a1d8e637adfbfc2fc509bd2db7cc3de8e445609bb90b6d1da5

SHA512
033db25d59b0cbb503fc54a242d3c992b21e8caad050e698b8b07b14e399b8b5b5a82fb47cf914e60f1cee09f6e6bb71271b427ddf22e14550a8b3dd3389c530

Download Submit
C:\Windows\System\rqTtdKy.exe

Filesize
5.2MB

MD5
a91ea134cdd2b65a4d46edb0b15aab9c

SHA1
e4cc36c11a1edcd18096b8331fb05ceb0a5884c1

SHA256
b4ef69d5d475572c2b2f0e54ab4e622c5773d70edb94019436aba755ac8d2f93

SHA512
65f254fc93e0faf496445441067aa1e4b850c237e90e55d34d22859fb404e67eb7a309b73a5302ab373f36145ff9aa3c419d8adc18a1ee9c21571abd27c77832

Download Submit
C:\Windows\System\tpFqVWC.exe

Filesize
5.2MB

MD5
92d74c86cb1587fae44510fccb234660

SHA1
98904a1a870f88b2f6ae8fb573760cc60c7cb194

SHA256
b1b73c1db981a4a291f564a199b575aecdb697ffea477d0eba5cb69b8a2dbad9

SHA512
5d6fc410b526f3e02cdac3d73e84f8736e5686963a15bb6cd5e0f40f39c933fe51fc5d11d3769514a29b4363ed52255b2c08d19c4d4c1f3d05fa3781a885dbd1

Download Submit
C:\Windows\System\uMsjQCj.exe

Filesize
5.2MB

MD5
f0f6217bd4cb3613f9caa25a4d9b5380

SHA1
c3862603777393d8de57b3ab6de09e91a0eb5b05

SHA256
ad2541215e7e8f9c89d3b9449e5d287c2f16fdb522d62b0ce2b660062a361a56

SHA512
ce10a6046b4b72db7c6dcb3347b573cd527b1294df558a1b3140963787484c95ed8be062c2af53de4e8ce55a9d236ae6fc3386bd94a4b73e96490a6445cea9ab

Download Submit
C:\Windows\System\wUoASKo.exe

Filesize
5.2MB

MD5
0a3ecdc068796aa2646f05e28027f056

SHA1
9fd9e2e8d33ff9ff71a3496354efd65cd57bb8b5

SHA256
34d9a60e6c861552586ac3b9992c122a7704a9554c90e5bd645576330c3ab6b1

SHA512
417787238e3068948ecabc91826573d7a9d97c57499b155d79714408ef545bcab64eaac8d06bb7de33e65f9e1876e3b78790c1eec895846af8cf2c3a3d71f372

Download Submit
C:\Windows\System\zrSxMIc.exe

Filesize
5.2MB

MD5
aee861cf756ccf28d31c9f3661e0e931

SHA1
3ce5169e8c1b654218a99d27b05bd4a4c1a3341f

SHA256
55b9c248cd88a3d572401e3e68bc27435bfd46d0ca6444f0dcb1168ab20a6e09

SHA512
aa2dfa82764c9d74be5956196d2c045114163ae3b10543b1a5362624c7489678acb609a5f1f13ef9fe9ba03848e8bcd7741e38d086ffff6d2cabd14a2acafc68

Download Submit
memory/628-154-0x00007FF75FD70000-0x00007FF7600C1000-memory.dmp

Filesize
3.3MB

Download
memory/628-249-0x00007FF75FD70000-0x00007FF7600C1000-memory.dmp

Filesize
3.3MB

Download
memory/628-89-0x00007FF75FD70000-0x00007FF7600C1000-memory.dmp

Filesize
3.3MB

Download
memory/908-265-0x00007FF65A750000-0x00007FF65AAA1000-memory.dmp

Filesize
3.3MB

Download
memory/908-159-0x00007FF65A750000-0x00007FF65AAA1000-memory.dmp

Filesize
3.3MB

Download
memory/908-116-0x00007FF65A750000-0x00007FF65AAA1000-memory.dmp

Filesize
3.3MB

Download
memory/1484-223-0x00007FF69D240000-0x00007FF69D591000-memory.dmp

Filesize
3.3MB

Download
memory/1484-33-0x00007FF69D240000-0x00007FF69D591000-memory.dmp

Filesize
3.3MB

Download
memory/1684-49-0x00007FF678240000-0x00007FF678591000-memory.dmp

Filesize
3.3MB

Download
memory/1684-136-0x00007FF678240000-0x00007FF678591000-memory.dmp

Filesize
3.3MB

Download
memory/1684-0-0x00007FF678240000-0x00007FF678591000-memory.dmp

Filesize
3.3MB

Download
memory/1684-1-0x0000018A40A50000-0x0000018A40A60000-memory.dmp

Filesize
64KB

Download
memory/1684-162-0x00007FF678240000-0x00007FF678591000-memory.dmp

Filesize
3.3MB

Download
memory/2228-247-0x00007FF6418A0000-0x00007FF641BF1000-memory.dmp

Filesize
3.3MB

Download
memory/2228-152-0x00007FF6418A0000-0x00007FF641BF1000-memory.dmp

Filesize
3.3MB

Download
memory/2228-85-0x00007FF6418A0000-0x00007FF641BF1000-memory.dmp

Filesize
3.3MB

Download
memory/2308-259-0x00007FF75D830000-0x00007FF75DB81000-memory.dmp

Filesize
3.3MB

Download
memory/2308-112-0x00007FF75D830000-0x00007FF75DB81000-memory.dmp

Filesize
3.3MB

Download
memory/2308-157-0x00007FF75D830000-0x00007FF75DB81000-memory.dmp

Filesize
3.3MB

Download
memory/2428-75-0x00007FF783080000-0x00007FF7833D1000-memory.dmp

Filesize
3.3MB

Download
memory/2428-18-0x00007FF783080000-0x00007FF7833D1000-memory.dmp

Filesize
3.3MB

Download
memory/2428-220-0x00007FF783080000-0x00007FF7833D1000-memory.dmp

Filesize
3.3MB

Download
memory/3272-228-0x00007FF6A3960000-0x00007FF6A3CB1000-memory.dmp

Filesize
3.3MB

Download
memory/3272-42-0x00007FF6A3960000-0x00007FF6A3CB1000-memory.dmp

Filesize
3.3MB

Download
memory/3272-111-0x00007FF6A3960000-0x00007FF6A3CB1000-memory.dmp

Filesize
3.3MB

Download
memory/3368-153-0x00007FF65E6B0000-0x00007FF65EA01000-memory.dmp

Filesize
3.3MB

Download
memory/3368-245-0x00007FF65E6B0000-0x00007FF65EA01000-memory.dmp

Filesize
3.3MB

Download
memory/3368-78-0x00007FF65E6B0000-0x00007FF65EA01000-memory.dmp

Filesize
3.3MB

Download
memory/3500-146-0x00007FF6EC950000-0x00007FF6ECCA1000-memory.dmp

Filesize
3.3MB

Download
memory/3500-241-0x00007FF6EC950000-0x00007FF6ECCA1000-memory.dmp

Filesize
3.3MB

Download
memory/3500-65-0x00007FF6EC950000-0x00007FF6ECCA1000-memory.dmp

Filesize
3.3MB

Download
memory/3536-97-0x00007FF6B1F70000-0x00007FF6B22C1000-memory.dmp

Filesize
3.3MB

Download
memory/3536-37-0x00007FF6B1F70000-0x00007FF6B22C1000-memory.dmp

Filesize
3.3MB

Download
memory/3536-226-0x00007FF6B1F70000-0x00007FF6B22C1000-memory.dmp

Filesize
3.3MB

Download
memory/3592-160-0x00007FF652C50000-0x00007FF652FA1000-memory.dmp

Filesize
3.3MB

Download
memory/3592-270-0x00007FF652C50000-0x00007FF652FA1000-memory.dmp

Filesize
3.3MB

Download
memory/3592-130-0x00007FF652C50000-0x00007FF652FA1000-memory.dmp

Filesize
3.3MB

Download
memory/3612-113-0x00007FF66F150000-0x00007FF66F4A1000-memory.dmp

Filesize
3.3MB

Download
memory/3612-156-0x00007FF66F150000-0x00007FF66F4A1000-memory.dmp

Filesize
3.3MB

Download
memory/3612-263-0x00007FF66F150000-0x00007FF66F4A1000-memory.dmp

Filesize
3.3MB

Download
memory/4024-51-0x00007FF7775D0000-0x00007FF777921000-memory.dmp

Filesize
3.3MB

Download
memory/4024-237-0x00007FF7775D0000-0x00007FF777921000-memory.dmp

Filesize
3.3MB

Download
memory/4024-128-0x00007FF7775D0000-0x00007FF777921000-memory.dmp

Filesize
3.3MB

Download
memory/4156-158-0x00007FF761710000-0x00007FF761A61000-memory.dmp

Filesize
3.3MB

Download
memory/4156-262-0x00007FF761710000-0x00007FF761A61000-memory.dmp

Filesize
3.3MB

Download
memory/4156-117-0x00007FF761710000-0x00007FF761A61000-memory.dmp

Filesize
3.3MB

Download
memory/4468-62-0x00007FF61F540000-0x00007FF61F891000-memory.dmp

Filesize
3.3MB

Download
memory/4468-13-0x00007FF61F540000-0x00007FF61F891000-memory.dmp

Filesize
3.3MB

Download
memory/4468-213-0x00007FF61F540000-0x00007FF61F891000-memory.dmp

Filesize
3.3MB

Download
memory/4572-69-0x00007FF74DB80000-0x00007FF74DED1000-memory.dmp

Filesize
3.3MB

Download
memory/4572-147-0x00007FF74DB80000-0x00007FF74DED1000-memory.dmp

Filesize
3.3MB

Download
memory/4572-243-0x00007FF74DB80000-0x00007FF74DED1000-memory.dmp

Filesize
3.3MB

Download
memory/4688-24-0x00007FF7F6500000-0x00007FF7F6851000-memory.dmp

Filesize
3.3MB

Download
memory/4688-82-0x00007FF7F6500000-0x00007FF7F6851000-memory.dmp

Filesize
3.3MB

Download
memory/4688-224-0x00007FF7F6500000-0x00007FF7F6851000-memory.dmp

Filesize
3.3MB

Download
memory/4944-133-0x00007FF68B8A0000-0x00007FF68BBF1000-memory.dmp

Filesize
3.3MB

Download
memory/4944-267-0x00007FF68B8A0000-0x00007FF68BBF1000-memory.dmp

Filesize
3.3MB

Download
memory/4944-161-0x00007FF68B8A0000-0x00007FF68BBF1000-memory.dmp

Filesize
3.3MB

Download
memory/4984-239-0x00007FF65AE90000-0x00007FF65B1E1000-memory.dmp

Filesize
3.3MB

Download
memory/4984-56-0x00007FF65AE90000-0x00007FF65B1E1000-memory.dmp

Filesize
3.3MB

Download
memory/4984-132-0x00007FF65AE90000-0x00007FF65B1E1000-memory.dmp

Filesize
3.3MB

Download
memory/5012-55-0x00007FF6829A0000-0x00007FF682CF1000-memory.dmp

Filesize
3.3MB

Download
memory/5012-211-0x00007FF6829A0000-0x00007FF682CF1000-memory.dmp

Filesize
3.3MB

Download
memory/5012-8-0x00007FF6829A0000-0x00007FF682CF1000-memory.dmp

Filesize
3.3MB

Download
memory/5056-257-0x00007FF79F880000-0x00007FF79FBD1000-memory.dmp

Filesize
3.3MB

Download
memory/5056-107-0x00007FF79F880000-0x00007FF79FBD1000-memory.dmp

Filesize
3.3MB

Download
memory/5056-155-0x00007FF79F880000-0x00007FF79FBD1000-memory.dmp

Filesize
3.3MB

Download