cobaltstrike | 8ee6a69509b3669509d7fad8f87452cd8598f6221a0673b1e8f8796dec77c2c2

Analysis

max time kernel
141s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-11-2024 15:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-17_21f308bf659eb603b4df09f06e7f6641_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

21f308bf659eb603b4df09f06e7f6641
SHA1

baf719af332a52d9df08cfe643bb7dac3ecfb095
SHA256

8ee6a69509b3669509d7fad8f87452cd8598f6221a0673b1e8f8796dec77c2c2
SHA512

d0f7bb575c53463a41dd60e857c1d6d463a71c7c2892112b3095212593a5e90a446d11720ae37a386297e44045c4e84b2934245c53f4ad6cd0df81ffe8098cca
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l4:RWWBibf56utgpPFotBER/mQ32lUE

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000e000000023a3a-5.dat	cobalt_reflective_dll
behavioral2/files/0x000d000000023a68-10.dat	cobalt_reflective_dll
behavioral2/files/0x000d000000023a69-9.dat	cobalt_reflective_dll
behavioral2/files/0x000d000000023a6a-23.dat	cobalt_reflective_dll
behavioral2/files/0x000e000000023a3b-31.dat	cobalt_reflective_dll
behavioral2/files/0x000f000000023aa7-35.dat	cobalt_reflective_dll
behavioral2/files/0x000c000000023ac9-53.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023acb-60.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023ace-68.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023ad5-81.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7c-90.dat	cobalt_reflective_dll
behavioral2/files/0x000c000000023b7b-106.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7d-108.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7e-102.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023ad4-79.dat	cobalt_reflective_dll
behavioral2/files/0x000c000000023acd-66.dat	cobalt_reflective_dll
behavioral2/files/0x000c000000023aa9-39.dat	cobalt_reflective_dll
behavioral2/files/0x002800000002153c-135.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7f-141.dat	cobalt_reflective_dll
behavioral2/files/0x0014000000023a21-145.dat	cobalt_reflective_dll
behavioral2/files/0x000f000000023a2f-150.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 46 IoCs

miner

resource	yara_rule
behavioral2/memory/3260-29-0x00007FF7AFC50000-0x00007FF7AFFA1000-memory.dmp	xmrig
behavioral2/memory/2564-45-0x00007FF76D320000-0x00007FF76D671000-memory.dmp	xmrig
behavioral2/memory/624-57-0x00007FF685180000-0x00007FF6854D1000-memory.dmp	xmrig
behavioral2/memory/4628-110-0x00007FF647310000-0x00007FF647661000-memory.dmp	xmrig
behavioral2/memory/468-104-0x00007FF711A20000-0x00007FF711D71000-memory.dmp	xmrig
behavioral2/memory/1388-93-0x00007FF704550000-0x00007FF7048A1000-memory.dmp	xmrig
behavioral2/memory/3260-76-0x00007FF7AFC50000-0x00007FF7AFFA1000-memory.dmp	xmrig
behavioral2/memory/3536-69-0x00007FF780A00000-0x00007FF780D51000-memory.dmp	xmrig
behavioral2/memory/1572-62-0x00007FF6698D0000-0x00007FF669C21000-memory.dmp	xmrig
behavioral2/memory/4464-48-0x00007FF7BD6F0000-0x00007FF7BDA41000-memory.dmp	xmrig
behavioral2/memory/1556-127-0x00007FF6A9DC0000-0x00007FF6AA111000-memory.dmp	xmrig
behavioral2/memory/5052-131-0x00007FF63EC70000-0x00007FF63EFC1000-memory.dmp	xmrig
behavioral2/memory/3960-126-0x00007FF6AC130000-0x00007FF6AC481000-memory.dmp	xmrig
behavioral2/memory/4444-125-0x00007FF6F4450000-0x00007FF6F47A1000-memory.dmp	xmrig
behavioral2/memory/1592-123-0x00007FF7D7D80000-0x00007FF7D80D1000-memory.dmp	xmrig
behavioral2/memory/4632-122-0x00007FF7957F0000-0x00007FF795B41000-memory.dmp	xmrig
behavioral2/memory/3012-124-0x00007FF65F000000-0x00007FF65F351000-memory.dmp	xmrig
behavioral2/memory/3124-121-0x00007FF7EBE40000-0x00007FF7EC191000-memory.dmp	xmrig
behavioral2/memory/3036-120-0x00007FF6D4A50000-0x00007FF6D4DA1000-memory.dmp	xmrig
behavioral2/memory/4464-153-0x00007FF7BD6F0000-0x00007FF7BDA41000-memory.dmp	xmrig
behavioral2/memory/4144-171-0x00007FF67AD90000-0x00007FF67B0E1000-memory.dmp	xmrig
behavioral2/memory/4176-172-0x00007FF660BD0000-0x00007FF660F21000-memory.dmp	xmrig
behavioral2/memory/4808-173-0x00007FF6BA7E0000-0x00007FF6BAB31000-memory.dmp	xmrig
behavioral2/memory/1972-174-0x00007FF6A20E0000-0x00007FF6A2431000-memory.dmp	xmrig
behavioral2/memory/4464-175-0x00007FF7BD6F0000-0x00007FF7BDA41000-memory.dmp	xmrig
behavioral2/memory/624-202-0x00007FF685180000-0x00007FF6854D1000-memory.dmp	xmrig
behavioral2/memory/1572-204-0x00007FF6698D0000-0x00007FF669C21000-memory.dmp	xmrig
behavioral2/memory/3536-207-0x00007FF780A00000-0x00007FF780D51000-memory.dmp	xmrig
behavioral2/memory/3260-211-0x00007FF7AFC50000-0x00007FF7AFFA1000-memory.dmp	xmrig
behavioral2/memory/1388-213-0x00007FF704550000-0x00007FF7048A1000-memory.dmp	xmrig
behavioral2/memory/468-221-0x00007FF711A20000-0x00007FF711D71000-memory.dmp	xmrig
behavioral2/memory/2564-222-0x00007FF76D320000-0x00007FF76D671000-memory.dmp	xmrig
behavioral2/memory/3036-228-0x00007FF6D4A50000-0x00007FF6D4DA1000-memory.dmp	xmrig
behavioral2/memory/3124-232-0x00007FF7EBE40000-0x00007FF7EC191000-memory.dmp	xmrig
behavioral2/memory/4632-234-0x00007FF7957F0000-0x00007FF795B41000-memory.dmp	xmrig
behavioral2/memory/1592-236-0x00007FF7D7D80000-0x00007FF7D80D1000-memory.dmp	xmrig
behavioral2/memory/3012-238-0x00007FF65F000000-0x00007FF65F351000-memory.dmp	xmrig
behavioral2/memory/4444-240-0x00007FF6F4450000-0x00007FF6F47A1000-memory.dmp	xmrig
behavioral2/memory/1556-245-0x00007FF6A9DC0000-0x00007FF6AA111000-memory.dmp	xmrig
behavioral2/memory/5052-247-0x00007FF63EC70000-0x00007FF63EFC1000-memory.dmp	xmrig
behavioral2/memory/4628-249-0x00007FF647310000-0x00007FF647661000-memory.dmp	xmrig
behavioral2/memory/3960-251-0x00007FF6AC130000-0x00007FF6AC481000-memory.dmp	xmrig
behavioral2/memory/4176-259-0x00007FF660BD0000-0x00007FF660F21000-memory.dmp	xmrig
behavioral2/memory/4808-261-0x00007FF6BA7E0000-0x00007FF6BAB31000-memory.dmp	xmrig
behavioral2/memory/1972-264-0x00007FF6A20E0000-0x00007FF6A2431000-memory.dmp	xmrig
behavioral2/memory/4144-266-0x00007FF67AD90000-0x00007FF67B0E1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
624	jEqkaHL.exe
1572	XqHGwiN.exe
3536	JSstoat.exe
3260	EhQRyMz.exe
1388	cNPaCXI.exe
468	MdqQCgF.exe
2564	ZUcjjue.exe
3036	bmTyWAy.exe
3124	wAPyvWv.exe
4632	DPZLZXC.exe
1592	bLAKKCD.exe
3012	ugoKCxd.exe
4444	bkvuTJq.exe
1556	RBsOtLH.exe
3960	sRmBXqM.exe
5052	lZgKiFN.exe
4628	bEurdEa.exe
4144	kkYbXqI.exe
4176	EkTodvH.exe
4808	UgLtebF.exe
1972	aorlkjx.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4464-0-0x00007FF7BD6F0000-0x00007FF7BDA41000-memory.dmp	upx
behavioral2/files/0x000e000000023a3a-5.dat	upx
behavioral2/files/0x000d000000023a68-10.dat	upx
behavioral2/files/0x000d000000023a69-9.dat	upx
behavioral2/memory/1572-12-0x00007FF6698D0000-0x00007FF669C21000-memory.dmp	upx
behavioral2/memory/624-7-0x00007FF685180000-0x00007FF6854D1000-memory.dmp	upx
behavioral2/memory/3536-18-0x00007FF780A00000-0x00007FF780D51000-memory.dmp	upx
behavioral2/files/0x000d000000023a6a-23.dat	upx
behavioral2/memory/3260-29-0x00007FF7AFC50000-0x00007FF7AFFA1000-memory.dmp	upx
behavioral2/files/0x000e000000023a3b-31.dat	upx
behavioral2/memory/1388-30-0x00007FF704550000-0x00007FF7048A1000-memory.dmp	upx
behavioral2/files/0x000f000000023aa7-35.dat	upx
behavioral2/memory/2564-45-0x00007FF76D320000-0x00007FF76D671000-memory.dmp	upx
behavioral2/memory/468-40-0x00007FF711A20000-0x00007FF711D71000-memory.dmp	upx
behavioral2/memory/3036-49-0x00007FF6D4A50000-0x00007FF6D4DA1000-memory.dmp	upx
behavioral2/files/0x000c000000023ac9-53.dat	upx
behavioral2/memory/624-57-0x00007FF685180000-0x00007FF6854D1000-memory.dmp	upx
behavioral2/files/0x0008000000023acb-60.dat	upx
behavioral2/memory/4632-63-0x00007FF7957F0000-0x00007FF795B41000-memory.dmp	upx
behavioral2/files/0x0008000000023ace-68.dat	upx
behavioral2/files/0x0008000000023ad5-81.dat	upx
behavioral2/memory/4444-87-0x00007FF6F4450000-0x00007FF6F47A1000-memory.dmp	upx
behavioral2/files/0x000a000000023b7c-90.dat	upx
behavioral2/files/0x000c000000023b7b-106.dat	upx
behavioral2/memory/4628-110-0x00007FF647310000-0x00007FF647661000-memory.dmp	upx
behavioral2/files/0x000a000000023b7d-108.dat	upx
behavioral2/memory/3960-105-0x00007FF6AC130000-0x00007FF6AC481000-memory.dmp	upx
behavioral2/memory/468-104-0x00007FF711A20000-0x00007FF711D71000-memory.dmp	upx
behavioral2/files/0x000a000000023b7e-102.dat	upx
behavioral2/memory/5052-101-0x00007FF63EC70000-0x00007FF63EFC1000-memory.dmp	upx
behavioral2/memory/1556-97-0x00007FF6A9DC0000-0x00007FF6AA111000-memory.dmp	upx
behavioral2/memory/1388-93-0x00007FF704550000-0x00007FF7048A1000-memory.dmp	upx
behavioral2/files/0x0008000000023ad4-79.dat	upx
behavioral2/memory/3012-78-0x00007FF65F000000-0x00007FF65F351000-memory.dmp	upx
behavioral2/memory/3260-76-0x00007FF7AFC50000-0x00007FF7AFFA1000-memory.dmp	upx
behavioral2/memory/1592-70-0x00007FF7D7D80000-0x00007FF7D80D1000-memory.dmp	upx
behavioral2/memory/3536-69-0x00007FF780A00000-0x00007FF780D51000-memory.dmp	upx
behavioral2/files/0x000c000000023acd-66.dat	upx
behavioral2/memory/1572-62-0x00007FF6698D0000-0x00007FF669C21000-memory.dmp	upx
behavioral2/memory/3124-59-0x00007FF7EBE40000-0x00007FF7EC191000-memory.dmp	upx
behavioral2/memory/4464-48-0x00007FF7BD6F0000-0x00007FF7BDA41000-memory.dmp	upx
behavioral2/files/0x000c000000023aa9-39.dat	upx
behavioral2/memory/1556-127-0x00007FF6A9DC0000-0x00007FF6AA111000-memory.dmp	upx
behavioral2/memory/5052-131-0x00007FF63EC70000-0x00007FF63EFC1000-memory.dmp	upx
behavioral2/memory/3960-126-0x00007FF6AC130000-0x00007FF6AC481000-memory.dmp	upx
behavioral2/files/0x002800000002153c-135.dat	upx
behavioral2/memory/4176-137-0x00007FF660BD0000-0x00007FF660F21000-memory.dmp	upx
behavioral2/files/0x000a000000023b7f-141.dat	upx
behavioral2/files/0x0014000000023a21-145.dat	upx
behavioral2/memory/4808-144-0x00007FF6BA7E0000-0x00007FF6BAB31000-memory.dmp	upx
behavioral2/files/0x000f000000023a2f-150.dat	upx
behavioral2/memory/1972-149-0x00007FF6A20E0000-0x00007FF6A2431000-memory.dmp	upx
behavioral2/memory/4144-136-0x00007FF67AD90000-0x00007FF67B0E1000-memory.dmp	upx
behavioral2/memory/4444-125-0x00007FF6F4450000-0x00007FF6F47A1000-memory.dmp	upx
behavioral2/memory/1592-123-0x00007FF7D7D80000-0x00007FF7D80D1000-memory.dmp	upx
behavioral2/memory/4632-122-0x00007FF7957F0000-0x00007FF795B41000-memory.dmp	upx
behavioral2/memory/3012-124-0x00007FF65F000000-0x00007FF65F351000-memory.dmp	upx
behavioral2/memory/3124-121-0x00007FF7EBE40000-0x00007FF7EC191000-memory.dmp	upx
behavioral2/memory/3036-120-0x00007FF6D4A50000-0x00007FF6D4DA1000-memory.dmp	upx
behavioral2/memory/4464-153-0x00007FF7BD6F0000-0x00007FF7BDA41000-memory.dmp	upx
behavioral2/memory/4144-171-0x00007FF67AD90000-0x00007FF67B0E1000-memory.dmp	upx
behavioral2/memory/4176-172-0x00007FF660BD0000-0x00007FF660F21000-memory.dmp	upx
behavioral2/memory/4808-173-0x00007FF6BA7E0000-0x00007FF6BAB31000-memory.dmp	upx
behavioral2/memory/1972-174-0x00007FF6A20E0000-0x00007FF6A2431000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\cNPaCXI.exe	2024-11-17_21f308bf659eb603b4df09f06e7f6641_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MdqQCgF.exe	2024-11-17_21f308bf659eb603b4df09f06e7f6641_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DPZLZXC.exe	2024-11-17_21f308bf659eb603b4df09f06e7f6641_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bLAKKCD.exe	2024-11-17_21f308bf659eb603b4df09f06e7f6641_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sRmBXqM.exe	2024-11-17_21f308bf659eb603b4df09f06e7f6641_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RBsOtLH.exe	2024-11-17_21f308bf659eb603b4df09f06e7f6641_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EkTodvH.exe	2024-11-17_21f308bf659eb603b4df09f06e7f6641_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jEqkaHL.exe	2024-11-17_21f308bf659eb603b4df09f06e7f6641_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bkvuTJq.exe	2024-11-17_21f308bf659eb603b4df09f06e7f6641_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UgLtebF.exe	2024-11-17_21f308bf659eb603b4df09f06e7f6641_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZUcjjue.exe	2024-11-17_21f308bf659eb603b4df09f06e7f6641_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JSstoat.exe	2024-11-17_21f308bf659eb603b4df09f06e7f6641_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EhQRyMz.exe	2024-11-17_21f308bf659eb603b4df09f06e7f6641_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bmTyWAy.exe	2024-11-17_21f308bf659eb603b4df09f06e7f6641_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kkYbXqI.exe	2024-11-17_21f308bf659eb603b4df09f06e7f6641_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aorlkjx.exe	2024-11-17_21f308bf659eb603b4df09f06e7f6641_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XqHGwiN.exe	2024-11-17_21f308bf659eb603b4df09f06e7f6641_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ugoKCxd.exe	2024-11-17_21f308bf659eb603b4df09f06e7f6641_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bEurdEa.exe	2024-11-17_21f308bf659eb603b4df09f06e7f6641_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lZgKiFN.exe	2024-11-17_21f308bf659eb603b4df09f06e7f6641_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wAPyvWv.exe	2024-11-17_21f308bf659eb603b4df09f06e7f6641_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4464	2024-11-17_21f308bf659eb603b4df09f06e7f6641_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4464	2024-11-17_21f308bf659eb603b4df09f06e7f6641_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4464 wrote to memory of 624	4464	2024-11-17_21f308bf659eb603b4df09f06e7f6641_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4464 wrote to memory of 624	4464	2024-11-17_21f308bf659eb603b4df09f06e7f6641_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4464 wrote to memory of 1572	4464	2024-11-17_21f308bf659eb603b4df09f06e7f6641_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4464 wrote to memory of 1572	4464	2024-11-17_21f308bf659eb603b4df09f06e7f6641_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4464 wrote to memory of 3536	4464	2024-11-17_21f308bf659eb603b4df09f06e7f6641_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4464 wrote to memory of 3536	4464	2024-11-17_21f308bf659eb603b4df09f06e7f6641_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4464 wrote to memory of 3260	4464	2024-11-17_21f308bf659eb603b4df09f06e7f6641_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4464 wrote to memory of 3260	4464	2024-11-17_21f308bf659eb603b4df09f06e7f6641_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4464 wrote to memory of 1388	4464	2024-11-17_21f308bf659eb603b4df09f06e7f6641_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4464 wrote to memory of 1388	4464	2024-11-17_21f308bf659eb603b4df09f06e7f6641_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4464 wrote to memory of 468	4464	2024-11-17_21f308bf659eb603b4df09f06e7f6641_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4464 wrote to memory of 468	4464	2024-11-17_21f308bf659eb603b4df09f06e7f6641_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4464 wrote to memory of 2564	4464	2024-11-17_21f308bf659eb603b4df09f06e7f6641_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4464 wrote to memory of 2564	4464	2024-11-17_21f308bf659eb603b4df09f06e7f6641_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4464 wrote to memory of 3036	4464	2024-11-17_21f308bf659eb603b4df09f06e7f6641_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4464 wrote to memory of 3036	4464	2024-11-17_21f308bf659eb603b4df09f06e7f6641_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4464 wrote to memory of 3124	4464	2024-11-17_21f308bf659eb603b4df09f06e7f6641_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4464 wrote to memory of 3124	4464	2024-11-17_21f308bf659eb603b4df09f06e7f6641_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4464 wrote to memory of 4632	4464	2024-11-17_21f308bf659eb603b4df09f06e7f6641_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4464 wrote to memory of 4632	4464	2024-11-17_21f308bf659eb603b4df09f06e7f6641_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4464 wrote to memory of 1592	4464	2024-11-17_21f308bf659eb603b4df09f06e7f6641_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4464 wrote to memory of 1592	4464	2024-11-17_21f308bf659eb603b4df09f06e7f6641_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4464 wrote to memory of 3012	4464	2024-11-17_21f308bf659eb603b4df09f06e7f6641_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4464 wrote to memory of 3012	4464	2024-11-17_21f308bf659eb603b4df09f06e7f6641_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4464 wrote to memory of 4444	4464	2024-11-17_21f308bf659eb603b4df09f06e7f6641_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4464 wrote to memory of 4444	4464	2024-11-17_21f308bf659eb603b4df09f06e7f6641_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4464 wrote to memory of 3960	4464	2024-11-17_21f308bf659eb603b4df09f06e7f6641_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4464 wrote to memory of 3960	4464	2024-11-17_21f308bf659eb603b4df09f06e7f6641_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4464 wrote to memory of 1556	4464	2024-11-17_21f308bf659eb603b4df09f06e7f6641_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4464 wrote to memory of 1556	4464	2024-11-17_21f308bf659eb603b4df09f06e7f6641_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4464 wrote to memory of 4628	4464	2024-11-17_21f308bf659eb603b4df09f06e7f6641_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4464 wrote to memory of 4628	4464	2024-11-17_21f308bf659eb603b4df09f06e7f6641_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4464 wrote to memory of 5052	4464	2024-11-17_21f308bf659eb603b4df09f06e7f6641_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4464 wrote to memory of 5052	4464	2024-11-17_21f308bf659eb603b4df09f06e7f6641_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4464 wrote to memory of 4144	4464	2024-11-17_21f308bf659eb603b4df09f06e7f6641_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4464 wrote to memory of 4144	4464	2024-11-17_21f308bf659eb603b4df09f06e7f6641_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4464 wrote to memory of 4176	4464	2024-11-17_21f308bf659eb603b4df09f06e7f6641_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 4464 wrote to memory of 4176	4464	2024-11-17_21f308bf659eb603b4df09f06e7f6641_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 4464 wrote to memory of 4808	4464	2024-11-17_21f308bf659eb603b4df09f06e7f6641_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 4464 wrote to memory of 4808	4464	2024-11-17_21f308bf659eb603b4df09f06e7f6641_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 4464 wrote to memory of 1972	4464	2024-11-17_21f308bf659eb603b4df09f06e7f6641_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 4464 wrote to memory of 1972	4464	2024-11-17_21f308bf659eb603b4df09f06e7f6641_cobalt-strike_cobaltstrike_poet-rat.exe	107

C:\Users\Admin\AppData\Local\Temp\2024-11-17_21f308bf659eb603b4df09f06e7f6641_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-17_21f308bf659eb603b4df09f06e7f6641_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4464
- C:\Windows\System\jEqkaHL.exe
  C:\Windows\System\jEqkaHL.exe
  2⤵
  - Executes dropped EXE
  PID:624
- C:\Windows\System\XqHGwiN.exe
  C:\Windows\System\XqHGwiN.exe
  2⤵
  - Executes dropped EXE
  PID:1572
- C:\Windows\System\JSstoat.exe
  C:\Windows\System\JSstoat.exe
  2⤵
  - Executes dropped EXE
  PID:3536
- C:\Windows\System\EhQRyMz.exe
  C:\Windows\System\EhQRyMz.exe
  2⤵
  - Executes dropped EXE
  PID:3260
- C:\Windows\System\cNPaCXI.exe
  C:\Windows\System\cNPaCXI.exe
  2⤵
  - Executes dropped EXE
  PID:1388
- C:\Windows\System\MdqQCgF.exe
  C:\Windows\System\MdqQCgF.exe
  2⤵
  - Executes dropped EXE
  PID:468
- C:\Windows\System\ZUcjjue.exe
  C:\Windows\System\ZUcjjue.exe
  2⤵
  - Executes dropped EXE
  PID:2564
- C:\Windows\System\bmTyWAy.exe
  C:\Windows\System\bmTyWAy.exe
  2⤵
  - Executes dropped EXE
  PID:3036
- C:\Windows\System\wAPyvWv.exe
  C:\Windows\System\wAPyvWv.exe
  2⤵
  - Executes dropped EXE
  PID:3124
- C:\Windows\System\DPZLZXC.exe
  C:\Windows\System\DPZLZXC.exe
  2⤵
  - Executes dropped EXE
  PID:4632
- C:\Windows\System\bLAKKCD.exe
  C:\Windows\System\bLAKKCD.exe
  2⤵
  - Executes dropped EXE
  PID:1592
- C:\Windows\System\ugoKCxd.exe
  C:\Windows\System\ugoKCxd.exe
  2⤵
  - Executes dropped EXE
  PID:3012
- C:\Windows\System\bkvuTJq.exe
  C:\Windows\System\bkvuTJq.exe
  2⤵
  - Executes dropped EXE
  PID:4444
- C:\Windows\System\sRmBXqM.exe
  C:\Windows\System\sRmBXqM.exe
  2⤵
  - Executes dropped EXE
  PID:3960
- C:\Windows\System\RBsOtLH.exe
  C:\Windows\System\RBsOtLH.exe
  2⤵
  - Executes dropped EXE
  PID:1556
- C:\Windows\System\bEurdEa.exe
  C:\Windows\System\bEurdEa.exe
  2⤵
  - Executes dropped EXE
  PID:4628
- C:\Windows\System\lZgKiFN.exe
  C:\Windows\System\lZgKiFN.exe
  2⤵
  - Executes dropped EXE
  PID:5052
- C:\Windows\System\kkYbXqI.exe
  C:\Windows\System\kkYbXqI.exe
  2⤵
  - Executes dropped EXE
  PID:4144
- C:\Windows\System\EkTodvH.exe
  C:\Windows\System\EkTodvH.exe
  2⤵
  - Executes dropped EXE
  PID:4176
- C:\Windows\System\UgLtebF.exe
  C:\Windows\System\UgLtebF.exe
  2⤵
  - Executes dropped EXE
  PID:4808
- C:\Windows\System\aorlkjx.exe
  C:\Windows\System\aorlkjx.exe
  2⤵
  - Executes dropped EXE
  PID:1972

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\DPZLZXC.exe

Filesize
5.2MB

MD5
f523a27caa1953a536f0778d086c8f74

SHA1
076b504e18ccc50ad282e0986b5f44f5ba84b323

SHA256
428acd6d7374a647ba9604b6370b439c641351abdec144fddf6c89b62b9869e6

SHA512
1cbc97fd9162e32917b6181bff8022adec0109f5155177b27bb58bf0845a4df908bce9d918b339fa906b84dc39cc1ba94ebea5d3a12eb0c2274ae260edaf99b6

Download Submit
C:\Windows\System\EhQRyMz.exe

Filesize
5.2MB

MD5
04c7714eeda4afa89e895a7ed84ba54e

SHA1
42753a6bdf9084b5594b5abf22393b6a02a54998

SHA256
8d7046bd74a1bea5ccf689bbdf02b65d4a7c4522b0f8956dd0536f2ff34fcadc

SHA512
c35733af63e9be57d08d19526987f774e4ceafe6ca07bec10a750e1a25369129da8fd3f0ced3944a64d37767dc69c9120034621bbc723ea0181ab67244f0af8e

Download Submit
C:\Windows\System\EkTodvH.exe

Filesize
5.2MB

MD5
0037cfde79e14b7522ae595896bc976b

SHA1
0ee67200d8d7cfedfb663129da9740fc41344118

SHA256
69983474a7bdb369e3dd794b9290440262aee3245fb26ee5228a9726e32bd22b

SHA512
87a76ab5df497096da526944b2ca8cf804c7d03a4248055fd8c891c5f84b53ed32225b9ad9c5c77905e2ba188b94d1a038829200ed01be9fc0742fd9cf8dbbf2

Download Submit
C:\Windows\System\JSstoat.exe

Filesize
5.2MB

MD5
cf0a1666abb553ac2d1c2c1c0fed2330

SHA1
7327109665113376d3b9dea075b698685f06cb5b

SHA256
c92ec6e2cb8015ae55990ac0ddae30167cdb49d18967f4049f4a3172270e4a4c

SHA512
30cd5dc5425f90134e5e491a18e952222651e07bd97e340099e9fcd2aa120e5159cdbee23fa2fff0511102e4ce5aabd03f9705e4af6c9b51ac2cef7a8709ef23

Download Submit
C:\Windows\System\MdqQCgF.exe

Filesize
5.2MB

MD5
265c171e2ab649aa796e8283a6ed1268

SHA1
1cc2e1ec8ab404fc10aa3c237f311c4a5756c9ef

SHA256
f84110719ad2f3c428106af54b6ec21b735231636b790df0a993fe02c9277ad0

SHA512
aa65bd72d610bc727a0bb5b663b406bd1d70be60995640e50c76ac36d3815d1d5ef963b063cd8252590a81bf385299a301514945cced9685f3e6109ac973bb1f

Download Submit
C:\Windows\System\RBsOtLH.exe

Filesize
5.2MB

MD5
9cb995690a19acfc63b994c35274a006

SHA1
a067fe4217d325d5badb2dfec8cf7a48ae7ddd5c

SHA256
a6cd98eb86eeef6b1b5395a89e8a260cedc6061022f0d8a266e0fa6fd0905d45

SHA512
8607004c229aed97875d9f3aa83ff2f4c4031b5f1489232ab9dc662f1eb26bb98e74d400f98091d16492b7b0642ee9d2ebd0d601012414fd59aa7506858babd5

Download Submit
C:\Windows\System\UgLtebF.exe

Filesize
5.2MB

MD5
39918cad1f7df2d4e9f483ea68391bc1

SHA1
fec255732227da31cd3a306181112fd1a05f7fb5

SHA256
e8c5669b67cc573f7149b021e7c30788e3bf8d907e42f3d129a7ac710f9b1c25

SHA512
b3c1803bd496b7aad4e5212c156dcada529b4f2f1cd2815b607320403f2bd603ecfaa0213914016a7008585b5e09067faa6aae76e7a3cbb1a5a2bf5467694f7a

Download Submit
C:\Windows\System\XqHGwiN.exe

Filesize
5.2MB

MD5
e5e26f9efcd389b7c985050cf038c641

SHA1
2c73759b5cd7ff4380db2746a9d269d111c17a39

SHA256
453b4e18b1ef486e8b946e90a2eb2ac3e5613a472022acea634df43c5f4b572c

SHA512
8c2cf93d0b9dff9aa1c8683ceea0abef049417d5985e95614316d570e87bcaab70cf90d27e45941afbbac3c968e0ca40aa5d05380bc8499e3b52a70d1234d30a

Download Submit
C:\Windows\System\ZUcjjue.exe

Filesize
5.2MB

MD5
77327f641e225086f9485a42e4e36de0

SHA1
93bfc3868ec3be6007c6cc4bfc4802bf4021bfc1

SHA256
c5b7eb5d7b58271150cabeb354b540ea04f621f1f161fd3c11f5fda828ea08ce

SHA512
8efcf922a5a4c53cba6bd2b9a397f46502e30ee848e975b83f682fc0aac2b85460e05549a2e12a0e805bbdbb96f9a38111ea96150b99da99075afa30d6baab52

Download Submit
C:\Windows\System\aorlkjx.exe

Filesize
5.2MB

MD5
ddef9161cd3db53d8927500c6445ccd1

SHA1
8030c5f5d4e56948cf038d7f9a1842e892c29ddb

SHA256
db0cf1fee724ad2c3940b6470d0efda864d30da1ef863ddf113933163c95cc87

SHA512
8bdd6498d1dac93adbde802ae278875dbbc00d347f8a5453285279a6b4be946a8485ac6f2ed98424cec0db24ddb82d2302c6627b1eb4f428d7c4a49fe749eb2c

Download Submit
C:\Windows\System\bEurdEa.exe

Filesize
5.2MB

MD5
6dc3766aa2cf03c00a7d216c1abe3f68

SHA1
fa81a402e9f0c08cd4a93ad0888ed6799a5a9ea3

SHA256
322074c5c4e4c4d7bd41014ffc6e6e6cdc4d66cda238a963641cb050fea74878

SHA512
4dce0873017ca4403b961f7a2e1165a3c46ac067d53a505e4472ca56496c3f4d23de2a606cc95fba372e6a8776b32e5d4b8675a35ebe30ca127f9b14230c3c34

Download Submit
C:\Windows\System\bLAKKCD.exe

Filesize
5.2MB

MD5
19c5af626f2de6e6c5adcf2ee30af8b2

SHA1
7c80d9a30a9fa200864d6eeb394d1512e55b1748

SHA256
815ed816721f588e8347f29bd4510b9824a9ab6a06fe4ddc2fab956ee2c803ae

SHA512
9ffac5cf1449ef4bdf843a805756dc5150d849f54d638a6a01b4e38ee6b62feded3a9db3fa9b955dc432e99db032635b566596731ff40ed1af839b46c1559555

Download Submit
C:\Windows\System\bkvuTJq.exe

Filesize
5.2MB

MD5
e58bc0cfa4814ee8544ebb38a135d90a

SHA1
a20479e1732dde26c437b361e3c55a9c11950336

SHA256
c6efb25cc3ce6ea63fa0d8093caa3f7ab4f3ba824d16f88f33fc8c082a147941

SHA512
a73aba276386c4347c9a38d6daced18709166590b8a985fa720c4b7a4c3e865d4dc6f009f6a07a96e841635d1124089e80443c0f5fd60edbd574921a4aeeecf2

Download Submit
C:\Windows\System\bmTyWAy.exe

Filesize
5.2MB

MD5
8c80d2f79682d559c19b947f4a401a4b

SHA1
b78807f8b7051c1a75b8682c2c6741801e0dade2

SHA256
e16ed001a378bf1e51e22708a9ccb2484f08136a8887a0da7491161be3c515ba

SHA512
eb7121c049ed2b8524b926d6c78407be0add3a9a64f0250e3e116739ca89532aa3c8f9bd8dba31d8fa4fc29ccb07fddad08fcf23c3e797cd5b66cee2af0a912d

Download Submit
C:\Windows\System\cNPaCXI.exe

Filesize
5.2MB

MD5
904a3106f3b51c5f10eb08e8662f2361

SHA1
7ff913f2cc3cfc61400471b576fdd8b5bc9d15b7

SHA256
5266480529d3512cb9dd6b389f0a06bb3adc88d8fdd22f1cbde709f25675a54f

SHA512
f318a731301dc530119b3013f3e3a66ec06afcc2422beda0f274c4ec9720e15ba4dc7c319eca91062ec586b48ae6646b819424d80f45a10cc542da4e256d95a9

Download Submit
C:\Windows\System\jEqkaHL.exe

Filesize
5.2MB

MD5
51596f2d10e5e4cd4f6f801a48d94da1

SHA1
bdad12e96f118b7d4fbaf9a1e05615a719f9e845

SHA256
98f252d4c6124cc1900b1deb6e23ff85df98f34d70eaa018d00905bb12014091

SHA512
af4b16debfcb41845a2399ef7d9faf9ca2dee4b84f01cdbe49154d62296473b535539dacb7fe4b7153868f1496824226fe872ea866dc4480f8cd80b5ae46e6d5

Download Submit
C:\Windows\System\kkYbXqI.exe

Filesize
5.2MB

MD5
5e0de7c23a7cdeb265b14757e18d965e

SHA1
dd996765510e0942741ba827ed9b642e078a4131

SHA256
b360ab82eb2df661d697a71bb08c160e18c4c1f7284a11c045ee6b11e40a58aa

SHA512
e82a9c40e17fbb4e3ef103406373275f1e91ab02acb7725bf526302fa9bf505702252b413e1ea114e2d9be23c8a60f45638323a04bccd2515f81bdec76ba2d63

Download Submit
C:\Windows\System\lZgKiFN.exe

Filesize
5.2MB

MD5
f4e6f666c0e82355ce00bea0ea7c2108

SHA1
369e6d18dc50f167f11bde7a494045af16946bbf

SHA256
e3026ee7abc95dd5dfc6cc274c4199d3e3a78a56447f25794887e88803337fe6

SHA512
c2abdd75e218e36963c5f68f2a588e8b8ea31b03da2413d53aa9ab5257ece5c71d6e5c6795cda351541eb5e5a44e2faa2a722786976e004a36a509b6f7541d00

Download Submit
C:\Windows\System\sRmBXqM.exe

Filesize
5.2MB

MD5
bb4f76454f4ae8758be69f0346f1e89c

SHA1
e1ebb3da54f913ca8b0c5d9f3af9c0e59c26f5d9

SHA256
3b4bd7d29903adbfa8a2083c90067d2d6574dbe5664e95e3a0364f9831517cf5

SHA512
655365c0bb97fb5f28246ddb181396e697d49ba76588b655a8ac25c6ca1ef6063800f3b8ff0eeec538e49985ad86f098f48d6e4d0fed9c9f90a4dc3d4380e21a

Download Submit
C:\Windows\System\ugoKCxd.exe

Filesize
5.2MB

MD5
292d92a0d8ded4d039597425363c77b4

SHA1
965ed737b7b99f4d39a5e87415596790ca5b9b2f

SHA256
184d545d57fc62dccc1a2efa0886b0d9b6247bdeda37e5f91cea58e2f281cc4f

SHA512
fcf3fa75231a7a13a8df6d7aafd6207e9424c712e7ad8d00c99a041e3dd92c8a8c01fc38c6ce98e1d37d5c4c856f3b57e0578b25eb8057ff00676c8c1c44af6b

Download Submit
C:\Windows\System\wAPyvWv.exe

Filesize
5.2MB

MD5
a4850925d3ca45a60a583d28fefc8cfc

SHA1
7c2d47d2260783b78e039da4d83d1e2f6d32314c

SHA256
88a2598df264918271e007735ccab46c6932445cd5b66196bff50612909d6673

SHA512
617e718f6350504549de9f9064e8a4e2216dcc726e22fb27cf6185ba1cbe5edb2d8e0705aac10cb5313bebd1d16bd22857a6f65a400f9fbd547d2c79efd821b1

Download Submit
memory/468-40-0x00007FF711A20000-0x00007FF711D71000-memory.dmp

Filesize
3.3MB

Download
memory/468-104-0x00007FF711A20000-0x00007FF711D71000-memory.dmp

Filesize
3.3MB

Download
memory/468-221-0x00007FF711A20000-0x00007FF711D71000-memory.dmp

Filesize
3.3MB

Download
memory/624-57-0x00007FF685180000-0x00007FF6854D1000-memory.dmp

Filesize
3.3MB

Download
memory/624-202-0x00007FF685180000-0x00007FF6854D1000-memory.dmp

Filesize
3.3MB

Download
memory/624-7-0x00007FF685180000-0x00007FF6854D1000-memory.dmp

Filesize
3.3MB

Download
memory/1388-93-0x00007FF704550000-0x00007FF7048A1000-memory.dmp

Filesize
3.3MB

Download
memory/1388-30-0x00007FF704550000-0x00007FF7048A1000-memory.dmp

Filesize
3.3MB

Download
memory/1388-213-0x00007FF704550000-0x00007FF7048A1000-memory.dmp

Filesize
3.3MB

Download
memory/1556-127-0x00007FF6A9DC0000-0x00007FF6AA111000-memory.dmp

Filesize
3.3MB

Download
memory/1556-245-0x00007FF6A9DC0000-0x00007FF6AA111000-memory.dmp

Filesize
3.3MB

Download
memory/1556-97-0x00007FF6A9DC0000-0x00007FF6AA111000-memory.dmp

Filesize
3.3MB

Download
memory/1572-62-0x00007FF6698D0000-0x00007FF669C21000-memory.dmp

Filesize
3.3MB

Download
memory/1572-204-0x00007FF6698D0000-0x00007FF669C21000-memory.dmp

Filesize
3.3MB

Download
memory/1572-12-0x00007FF6698D0000-0x00007FF669C21000-memory.dmp

Filesize
3.3MB

Download
memory/1592-123-0x00007FF7D7D80000-0x00007FF7D80D1000-memory.dmp

Filesize
3.3MB

Download
memory/1592-70-0x00007FF7D7D80000-0x00007FF7D80D1000-memory.dmp

Filesize
3.3MB

Download
memory/1592-236-0x00007FF7D7D80000-0x00007FF7D80D1000-memory.dmp

Filesize
3.3MB

Download
memory/1972-174-0x00007FF6A20E0000-0x00007FF6A2431000-memory.dmp

Filesize
3.3MB

Download
memory/1972-149-0x00007FF6A20E0000-0x00007FF6A2431000-memory.dmp

Filesize
3.3MB

Download
memory/1972-264-0x00007FF6A20E0000-0x00007FF6A2431000-memory.dmp

Filesize
3.3MB

Download
memory/2564-222-0x00007FF76D320000-0x00007FF76D671000-memory.dmp

Filesize
3.3MB

Download
memory/2564-45-0x00007FF76D320000-0x00007FF76D671000-memory.dmp

Filesize
3.3MB

Download
memory/3012-238-0x00007FF65F000000-0x00007FF65F351000-memory.dmp

Filesize
3.3MB

Download
memory/3012-78-0x00007FF65F000000-0x00007FF65F351000-memory.dmp

Filesize
3.3MB

Download
memory/3012-124-0x00007FF65F000000-0x00007FF65F351000-memory.dmp

Filesize
3.3MB

Download
memory/3036-228-0x00007FF6D4A50000-0x00007FF6D4DA1000-memory.dmp

Filesize
3.3MB

Download
memory/3036-120-0x00007FF6D4A50000-0x00007FF6D4DA1000-memory.dmp

Filesize
3.3MB

Download
memory/3036-49-0x00007FF6D4A50000-0x00007FF6D4DA1000-memory.dmp

Filesize
3.3MB

Download
memory/3124-121-0x00007FF7EBE40000-0x00007FF7EC191000-memory.dmp

Filesize
3.3MB

Download
memory/3124-59-0x00007FF7EBE40000-0x00007FF7EC191000-memory.dmp

Filesize
3.3MB

Download
memory/3124-232-0x00007FF7EBE40000-0x00007FF7EC191000-memory.dmp

Filesize
3.3MB

Download
memory/3260-29-0x00007FF7AFC50000-0x00007FF7AFFA1000-memory.dmp

Filesize
3.3MB

Download
memory/3260-211-0x00007FF7AFC50000-0x00007FF7AFFA1000-memory.dmp

Filesize
3.3MB

Download
memory/3260-76-0x00007FF7AFC50000-0x00007FF7AFFA1000-memory.dmp

Filesize
3.3MB

Download
memory/3536-69-0x00007FF780A00000-0x00007FF780D51000-memory.dmp

Filesize
3.3MB

Download
memory/3536-207-0x00007FF780A00000-0x00007FF780D51000-memory.dmp

Filesize
3.3MB

Download
memory/3536-18-0x00007FF780A00000-0x00007FF780D51000-memory.dmp

Filesize
3.3MB

Download
memory/3960-105-0x00007FF6AC130000-0x00007FF6AC481000-memory.dmp

Filesize
3.3MB

Download
memory/3960-126-0x00007FF6AC130000-0x00007FF6AC481000-memory.dmp

Filesize
3.3MB

Download
memory/3960-251-0x00007FF6AC130000-0x00007FF6AC481000-memory.dmp

Filesize
3.3MB

Download
memory/4144-171-0x00007FF67AD90000-0x00007FF67B0E1000-memory.dmp

Filesize
3.3MB

Download
memory/4144-136-0x00007FF67AD90000-0x00007FF67B0E1000-memory.dmp

Filesize
3.3MB

Download
memory/4144-266-0x00007FF67AD90000-0x00007FF67B0E1000-memory.dmp

Filesize
3.3MB

Download
memory/4176-137-0x00007FF660BD0000-0x00007FF660F21000-memory.dmp

Filesize
3.3MB

Download
memory/4176-172-0x00007FF660BD0000-0x00007FF660F21000-memory.dmp

Filesize
3.3MB

Download
memory/4176-259-0x00007FF660BD0000-0x00007FF660F21000-memory.dmp

Filesize
3.3MB

Download
memory/4444-240-0x00007FF6F4450000-0x00007FF6F47A1000-memory.dmp

Filesize
3.3MB

Download
memory/4444-87-0x00007FF6F4450000-0x00007FF6F47A1000-memory.dmp

Filesize
3.3MB

Download
memory/4444-125-0x00007FF6F4450000-0x00007FF6F47A1000-memory.dmp

Filesize
3.3MB

Download
memory/4464-153-0x00007FF7BD6F0000-0x00007FF7BDA41000-memory.dmp

Filesize
3.3MB

Download
memory/4464-48-0x00007FF7BD6F0000-0x00007FF7BDA41000-memory.dmp

Filesize
3.3MB

Download
memory/4464-1-0x0000018CB54C0000-0x0000018CB54D0000-memory.dmp

Filesize
64KB

Download
memory/4464-175-0x00007FF7BD6F0000-0x00007FF7BDA41000-memory.dmp

Filesize
3.3MB

Download
memory/4464-0-0x00007FF7BD6F0000-0x00007FF7BDA41000-memory.dmp

Filesize
3.3MB

Download
memory/4628-110-0x00007FF647310000-0x00007FF647661000-memory.dmp

Filesize
3.3MB

Download
memory/4628-249-0x00007FF647310000-0x00007FF647661000-memory.dmp

Filesize
3.3MB

Download
memory/4632-63-0x00007FF7957F0000-0x00007FF795B41000-memory.dmp

Filesize
3.3MB

Download
memory/4632-122-0x00007FF7957F0000-0x00007FF795B41000-memory.dmp

Filesize
3.3MB

Download
memory/4632-234-0x00007FF7957F0000-0x00007FF795B41000-memory.dmp

Filesize
3.3MB

Download
memory/4808-173-0x00007FF6BA7E0000-0x00007FF6BAB31000-memory.dmp

Filesize
3.3MB

Download
memory/4808-261-0x00007FF6BA7E0000-0x00007FF6BAB31000-memory.dmp

Filesize
3.3MB

Download
memory/4808-144-0x00007FF6BA7E0000-0x00007FF6BAB31000-memory.dmp

Filesize
3.3MB

Download
memory/5052-131-0x00007FF63EC70000-0x00007FF63EFC1000-memory.dmp

Filesize
3.3MB

Download
memory/5052-247-0x00007FF63EC70000-0x00007FF63EFC1000-memory.dmp

Filesize
3.3MB

Download
memory/5052-101-0x00007FF63EC70000-0x00007FF63EFC1000-memory.dmp

Filesize
3.3MB

Download