cobaltstrike | d89ab30cdd35bcc4b58dde7b38a1a3dc90b083df909c329e4a86c9604f329893

Analysis

max time kernel
140s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2024 09:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-25_00e16d028b70b0edcb364f22daac49ce_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

00e16d028b70b0edcb364f22daac49ce
SHA1

d94901a7a206f36d63e67b51ed355279071bdc1c
SHA256

d89ab30cdd35bcc4b58dde7b38a1a3dc90b083df909c329e4a86c9604f329893
SHA512

1548895ba74257987fd1e7fb1e7c1b7a768fce9c84170192bfe6e1b5ddb10774ead537af67314626a3b74b28453b40cc71d7821f8e34c83abf38ea76e4cb2b47
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lZ:RWWBibf56utgpPFotBER/mQ32lUN

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
behavioral2/files/0x000c000000023b03-4.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b57-9.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b53-11.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b59-23.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b5a-28.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b5b-36.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b5c-41.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b5d-49.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b54-53.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b60-65.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b61-74.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b62-82.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b64-95.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b63-84.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b5f-63.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b65-103.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b66-110.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b67-114.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b68-121.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b69-131.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b6a-137.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/2360-14-0x00007FF6ADA80000-0x00007FF6ADDD1000-memory.dmp	xmrig
behavioral2/memory/3000-57-0x00007FF7096F0000-0x00007FF709A41000-memory.dmp	xmrig
behavioral2/memory/3188-93-0x00007FF648C90000-0x00007FF648FE1000-memory.dmp	xmrig
behavioral2/memory/2344-91-0x00007FF75A810000-0x00007FF75AB61000-memory.dmp	xmrig
behavioral2/memory/2036-83-0x00007FF7A1080000-0x00007FF7A13D1000-memory.dmp	xmrig
behavioral2/memory/1704-80-0x00007FF62AAF0000-0x00007FF62AE41000-memory.dmp	xmrig
behavioral2/memory/5088-66-0x00007FF668E40000-0x00007FF669191000-memory.dmp	xmrig
behavioral2/memory/1784-108-0x00007FF6FDB20000-0x00007FF6FDE71000-memory.dmp	xmrig
behavioral2/memory/744-101-0x00007FF6812C0000-0x00007FF681611000-memory.dmp	xmrig
behavioral2/memory/4136-97-0x00007FF65D0C0000-0x00007FF65D411000-memory.dmp	xmrig
behavioral2/memory/1668-129-0x00007FF743990000-0x00007FF743CE1000-memory.dmp	xmrig
behavioral2/memory/3668-135-0x00007FF669810000-0x00007FF669B61000-memory.dmp	xmrig
behavioral2/memory/3880-122-0x00007FF63F920000-0x00007FF63FC71000-memory.dmp	xmrig
behavioral2/memory/3456-118-0x00007FF6A1730000-0x00007FF6A1A81000-memory.dmp	xmrig
behavioral2/memory/2856-116-0x00007FF6BAA60000-0x00007FF6BADB1000-memory.dmp	xmrig
behavioral2/memory/2556-139-0x00007FF6F5420000-0x00007FF6F5771000-memory.dmp	xmrig
behavioral2/memory/4728-140-0x00007FF7C9F30000-0x00007FF7CA281000-memory.dmp	xmrig
behavioral2/memory/3000-141-0x00007FF7096F0000-0x00007FF709A41000-memory.dmp	xmrig
behavioral2/memory/4924-151-0x00007FF67B940000-0x00007FF67BC91000-memory.dmp	xmrig
behavioral2/memory/3844-159-0x00007FF7494F0000-0x00007FF749841000-memory.dmp	xmrig
behavioral2/memory/2224-160-0x00007FF7B17A0000-0x00007FF7B1AF1000-memory.dmp	xmrig
behavioral2/memory/4408-163-0x00007FF7541C0000-0x00007FF754511000-memory.dmp	xmrig
behavioral2/memory/1392-167-0x00007FF7F8960000-0x00007FF7F8CB1000-memory.dmp	xmrig
behavioral2/memory/3000-168-0x00007FF7096F0000-0x00007FF709A41000-memory.dmp	xmrig
behavioral2/memory/5088-217-0x00007FF668E40000-0x00007FF669191000-memory.dmp	xmrig
behavioral2/memory/2360-219-0x00007FF6ADA80000-0x00007FF6ADDD1000-memory.dmp	xmrig
behavioral2/memory/2036-227-0x00007FF7A1080000-0x00007FF7A13D1000-memory.dmp	xmrig
behavioral2/memory/3188-229-0x00007FF648C90000-0x00007FF648FE1000-memory.dmp	xmrig
behavioral2/memory/4136-231-0x00007FF65D0C0000-0x00007FF65D411000-memory.dmp	xmrig
behavioral2/memory/744-233-0x00007FF6812C0000-0x00007FF681611000-memory.dmp	xmrig
behavioral2/memory/1784-235-0x00007FF6FDB20000-0x00007FF6FDE71000-memory.dmp	xmrig
behavioral2/memory/2856-237-0x00007FF6BAA60000-0x00007FF6BADB1000-memory.dmp	xmrig
behavioral2/memory/3880-246-0x00007FF63F920000-0x00007FF63FC71000-memory.dmp	xmrig
behavioral2/memory/1668-249-0x00007FF743990000-0x00007FF743CE1000-memory.dmp	xmrig
behavioral2/memory/3668-250-0x00007FF669810000-0x00007FF669B61000-memory.dmp	xmrig
behavioral2/memory/1704-252-0x00007FF62AAF0000-0x00007FF62AE41000-memory.dmp	xmrig
behavioral2/memory/2556-254-0x00007FF6F5420000-0x00007FF6F5771000-memory.dmp	xmrig
behavioral2/memory/2344-256-0x00007FF75A810000-0x00007FF75AB61000-memory.dmp	xmrig
behavioral2/memory/4728-258-0x00007FF7C9F30000-0x00007FF7CA281000-memory.dmp	xmrig
behavioral2/memory/4924-262-0x00007FF67B940000-0x00007FF67BC91000-memory.dmp	xmrig
behavioral2/memory/3844-264-0x00007FF7494F0000-0x00007FF749841000-memory.dmp	xmrig
behavioral2/memory/3456-269-0x00007FF6A1730000-0x00007FF6A1A81000-memory.dmp	xmrig
behavioral2/memory/2224-271-0x00007FF7B17A0000-0x00007FF7B1AF1000-memory.dmp	xmrig
behavioral2/memory/4408-273-0x00007FF7541C0000-0x00007FF754511000-memory.dmp	xmrig
behavioral2/memory/1392-275-0x00007FF7F8960000-0x00007FF7F8CB1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

JVKnhID.exeCDFOAJT.exehIkBAhV.exeyJzKexO.exeFqKMfdR.exeXfjmDks.exeToPXKfR.exeeHgGTsT.exeibUwICc.exeDriqeJp.exeCLCxprt.exeQqdAtPv.exeOaMIOST.exeMIMPyze.exeCgUEQBM.exeWXXkBMO.exeeQaAumy.exeeeWIGKW.exeVhZCOQx.exeYXCcWvR.execmfqtaX.exe

pid	Process
5088	JVKnhID.exe
2360	CDFOAJT.exe
2036	hIkBAhV.exe
3188	yJzKexO.exe
4136	FqKMfdR.exe
744	XfjmDks.exe
1784	ToPXKfR.exe
2856	eHgGTsT.exe
3880	ibUwICc.exe
1668	DriqeJp.exe
3668	CLCxprt.exe
1704	QqdAtPv.exe
2556	OaMIOST.exe
2344	MIMPyze.exe
4728	CgUEQBM.exe
4924	WXXkBMO.exe
3844	eQaAumy.exe
3456	eeWIGKW.exe
2224	VhZCOQx.exe
4408	YXCcWvR.exe
1392	cmfqtaX.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3000-0-0x00007FF7096F0000-0x00007FF709A41000-memory.dmp	upx
behavioral2/files/0x000c000000023b03-4.dat	upx
behavioral2/files/0x000a000000023b57-9.dat	upx
behavioral2/files/0x000b000000023b53-11.dat	upx
behavioral2/memory/2360-14-0x00007FF6ADA80000-0x00007FF6ADDD1000-memory.dmp	upx
behavioral2/memory/5088-8-0x00007FF668E40000-0x00007FF669191000-memory.dmp	upx
behavioral2/memory/2036-20-0x00007FF7A1080000-0x00007FF7A13D1000-memory.dmp	upx
behavioral2/files/0x000a000000023b59-23.dat	upx
behavioral2/memory/3188-24-0x00007FF648C90000-0x00007FF648FE1000-memory.dmp	upx
behavioral2/files/0x000a000000023b5a-28.dat	upx
behavioral2/files/0x000a000000023b5b-36.dat	upx
behavioral2/files/0x000a000000023b5c-41.dat	upx
behavioral2/files/0x000a000000023b5d-49.dat	upx
behavioral2/memory/2856-48-0x00007FF6BAA60000-0x00007FF6BADB1000-memory.dmp	upx
behavioral2/memory/1784-42-0x00007FF6FDB20000-0x00007FF6FDE71000-memory.dmp	upx
behavioral2/memory/744-40-0x00007FF6812C0000-0x00007FF681611000-memory.dmp	upx
behavioral2/memory/4136-32-0x00007FF65D0C0000-0x00007FF65D411000-memory.dmp	upx
behavioral2/files/0x000b000000023b54-53.dat	upx
behavioral2/memory/3000-57-0x00007FF7096F0000-0x00007FF709A41000-memory.dmp	upx
behavioral2/memory/1668-59-0x00007FF743990000-0x00007FF743CE1000-memory.dmp	upx
behavioral2/files/0x000a000000023b60-65.dat	upx
behavioral2/memory/3668-67-0x00007FF669810000-0x00007FF669B61000-memory.dmp	upx
behavioral2/files/0x000a000000023b61-74.dat	upx
behavioral2/files/0x000a000000023b62-82.dat	upx
behavioral2/memory/3188-93-0x00007FF648C90000-0x00007FF648FE1000-memory.dmp	upx
behavioral2/files/0x000a000000023b64-95.dat	upx
behavioral2/memory/4728-94-0x00007FF7C9F30000-0x00007FF7CA281000-memory.dmp	upx
behavioral2/memory/2344-91-0x00007FF75A810000-0x00007FF75AB61000-memory.dmp	upx
behavioral2/memory/2556-90-0x00007FF6F5420000-0x00007FF6F5771000-memory.dmp	upx
behavioral2/files/0x000a000000023b63-84.dat	upx
behavioral2/memory/2036-83-0x00007FF7A1080000-0x00007FF7A13D1000-memory.dmp	upx
behavioral2/memory/1704-80-0x00007FF62AAF0000-0x00007FF62AE41000-memory.dmp	upx
behavioral2/memory/5088-66-0x00007FF668E40000-0x00007FF669191000-memory.dmp	upx
behavioral2/files/0x000a000000023b5f-63.dat	upx
behavioral2/memory/3880-54-0x00007FF63F920000-0x00007FF63FC71000-memory.dmp	upx
behavioral2/files/0x000a000000023b65-103.dat	upx
behavioral2/memory/1784-108-0x00007FF6FDB20000-0x00007FF6FDE71000-memory.dmp	upx
behavioral2/files/0x000a000000023b66-110.dat	upx
behavioral2/memory/3844-109-0x00007FF7494F0000-0x00007FF749841000-memory.dmp	upx
behavioral2/memory/4924-105-0x00007FF67B940000-0x00007FF67BC91000-memory.dmp	upx
behavioral2/memory/744-101-0x00007FF6812C0000-0x00007FF681611000-memory.dmp	upx
behavioral2/memory/4136-97-0x00007FF65D0C0000-0x00007FF65D411000-memory.dmp	upx
behavioral2/files/0x000a000000023b67-114.dat	upx
behavioral2/files/0x000a000000023b68-121.dat	upx
behavioral2/memory/1668-129-0x00007FF743990000-0x00007FF743CE1000-memory.dmp	upx
behavioral2/files/0x000a000000023b69-131.dat	upx
behavioral2/memory/4408-130-0x00007FF7541C0000-0x00007FF754511000-memory.dmp	upx
behavioral2/memory/3668-135-0x00007FF669810000-0x00007FF669B61000-memory.dmp	upx
behavioral2/files/0x000a000000023b6a-137.dat	upx
behavioral2/memory/1392-136-0x00007FF7F8960000-0x00007FF7F8CB1000-memory.dmp	upx
behavioral2/memory/2224-123-0x00007FF7B17A0000-0x00007FF7B1AF1000-memory.dmp	upx
behavioral2/memory/3880-122-0x00007FF63F920000-0x00007FF63FC71000-memory.dmp	upx
behavioral2/memory/3456-118-0x00007FF6A1730000-0x00007FF6A1A81000-memory.dmp	upx
behavioral2/memory/2856-116-0x00007FF6BAA60000-0x00007FF6BADB1000-memory.dmp	upx
behavioral2/memory/2556-139-0x00007FF6F5420000-0x00007FF6F5771000-memory.dmp	upx
behavioral2/memory/4728-140-0x00007FF7C9F30000-0x00007FF7CA281000-memory.dmp	upx
behavioral2/memory/3000-141-0x00007FF7096F0000-0x00007FF709A41000-memory.dmp	upx
behavioral2/memory/4924-151-0x00007FF67B940000-0x00007FF67BC91000-memory.dmp	upx
behavioral2/memory/3844-159-0x00007FF7494F0000-0x00007FF749841000-memory.dmp	upx
behavioral2/memory/2224-160-0x00007FF7B17A0000-0x00007FF7B1AF1000-memory.dmp	upx
behavioral2/memory/4408-163-0x00007FF7541C0000-0x00007FF754511000-memory.dmp	upx
behavioral2/memory/1392-167-0x00007FF7F8960000-0x00007FF7F8CB1000-memory.dmp	upx
behavioral2/memory/3000-168-0x00007FF7096F0000-0x00007FF709A41000-memory.dmp	upx
behavioral2/memory/5088-217-0x00007FF668E40000-0x00007FF669191000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-11-25_00e16d028b70b0edcb364f22daac49ce_cobalt-strike_cobaltstrike_poet-rat.exe

description	ioc	Process
File created	C:\Windows\System\JVKnhID.exe	2024-11-25_00e16d028b70b0edcb364f22daac49ce_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eHgGTsT.exe	2024-11-25_00e16d028b70b0edcb364f22daac49ce_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eQaAumy.exe	2024-11-25_00e16d028b70b0edcb364f22daac49ce_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CDFOAJT.exe	2024-11-25_00e16d028b70b0edcb364f22daac49ce_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FqKMfdR.exe	2024-11-25_00e16d028b70b0edcb364f22daac49ce_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ibUwICc.exe	2024-11-25_00e16d028b70b0edcb364f22daac49ce_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DriqeJp.exe	2024-11-25_00e16d028b70b0edcb364f22daac49ce_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MIMPyze.exe	2024-11-25_00e16d028b70b0edcb364f22daac49ce_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ToPXKfR.exe	2024-11-25_00e16d028b70b0edcb364f22daac49ce_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CLCxprt.exe	2024-11-25_00e16d028b70b0edcb364f22daac49ce_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VhZCOQx.exe	2024-11-25_00e16d028b70b0edcb364f22daac49ce_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YXCcWvR.exe	2024-11-25_00e16d028b70b0edcb364f22daac49ce_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cmfqtaX.exe	2024-11-25_00e16d028b70b0edcb364f22daac49ce_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CgUEQBM.exe	2024-11-25_00e16d028b70b0edcb364f22daac49ce_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WXXkBMO.exe	2024-11-25_00e16d028b70b0edcb364f22daac49ce_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eeWIGKW.exe	2024-11-25_00e16d028b70b0edcb364f22daac49ce_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hIkBAhV.exe	2024-11-25_00e16d028b70b0edcb364f22daac49ce_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yJzKexO.exe	2024-11-25_00e16d028b70b0edcb364f22daac49ce_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XfjmDks.exe	2024-11-25_00e16d028b70b0edcb364f22daac49ce_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QqdAtPv.exe	2024-11-25_00e16d028b70b0edcb364f22daac49ce_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OaMIOST.exe	2024-11-25_00e16d028b70b0edcb364f22daac49ce_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-11-25_00e16d028b70b0edcb364f22daac49ce_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	Process
Token: SeLockMemoryPrivilege	3000	2024-11-25_00e16d028b70b0edcb364f22daac49ce_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	3000	2024-11-25_00e16d028b70b0edcb364f22daac49ce_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-11-25_00e16d028b70b0edcb364f22daac49ce_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	Process	procid_target
PID 3000 wrote to memory of 5088	3000	2024-11-25_00e16d028b70b0edcb364f22daac49ce_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 3000 wrote to memory of 5088	3000	2024-11-25_00e16d028b70b0edcb364f22daac49ce_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 3000 wrote to memory of 2360	3000	2024-11-25_00e16d028b70b0edcb364f22daac49ce_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3000 wrote to memory of 2360	3000	2024-11-25_00e16d028b70b0edcb364f22daac49ce_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3000 wrote to memory of 2036	3000	2024-11-25_00e16d028b70b0edcb364f22daac49ce_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3000 wrote to memory of 2036	3000	2024-11-25_00e16d028b70b0edcb364f22daac49ce_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3000 wrote to memory of 3188	3000	2024-11-25_00e16d028b70b0edcb364f22daac49ce_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3000 wrote to memory of 3188	3000	2024-11-25_00e16d028b70b0edcb364f22daac49ce_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3000 wrote to memory of 4136	3000	2024-11-25_00e16d028b70b0edcb364f22daac49ce_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3000 wrote to memory of 4136	3000	2024-11-25_00e16d028b70b0edcb364f22daac49ce_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3000 wrote to memory of 744	3000	2024-11-25_00e16d028b70b0edcb364f22daac49ce_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3000 wrote to memory of 744	3000	2024-11-25_00e16d028b70b0edcb364f22daac49ce_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3000 wrote to memory of 1784	3000	2024-11-25_00e16d028b70b0edcb364f22daac49ce_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3000 wrote to memory of 1784	3000	2024-11-25_00e16d028b70b0edcb364f22daac49ce_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3000 wrote to memory of 2856	3000	2024-11-25_00e16d028b70b0edcb364f22daac49ce_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3000 wrote to memory of 2856	3000	2024-11-25_00e16d028b70b0edcb364f22daac49ce_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3000 wrote to memory of 3880	3000	2024-11-25_00e16d028b70b0edcb364f22daac49ce_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3000 wrote to memory of 3880	3000	2024-11-25_00e16d028b70b0edcb364f22daac49ce_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3000 wrote to memory of 1668	3000	2024-11-25_00e16d028b70b0edcb364f22daac49ce_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3000 wrote to memory of 1668	3000	2024-11-25_00e16d028b70b0edcb364f22daac49ce_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3000 wrote to memory of 3668	3000	2024-11-25_00e16d028b70b0edcb364f22daac49ce_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3000 wrote to memory of 3668	3000	2024-11-25_00e16d028b70b0edcb364f22daac49ce_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3000 wrote to memory of 1704	3000	2024-11-25_00e16d028b70b0edcb364f22daac49ce_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3000 wrote to memory of 1704	3000	2024-11-25_00e16d028b70b0edcb364f22daac49ce_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3000 wrote to memory of 2344	3000	2024-11-25_00e16d028b70b0edcb364f22daac49ce_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3000 wrote to memory of 2344	3000	2024-11-25_00e16d028b70b0edcb364f22daac49ce_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3000 wrote to memory of 2556	3000	2024-11-25_00e16d028b70b0edcb364f22daac49ce_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3000 wrote to memory of 2556	3000	2024-11-25_00e16d028b70b0edcb364f22daac49ce_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3000 wrote to memory of 4728	3000	2024-11-25_00e16d028b70b0edcb364f22daac49ce_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3000 wrote to memory of 4728	3000	2024-11-25_00e16d028b70b0edcb364f22daac49ce_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3000 wrote to memory of 4924	3000	2024-11-25_00e16d028b70b0edcb364f22daac49ce_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3000 wrote to memory of 4924	3000	2024-11-25_00e16d028b70b0edcb364f22daac49ce_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3000 wrote to memory of 3844	3000	2024-11-25_00e16d028b70b0edcb364f22daac49ce_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3000 wrote to memory of 3844	3000	2024-11-25_00e16d028b70b0edcb364f22daac49ce_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3000 wrote to memory of 3456	3000	2024-11-25_00e16d028b70b0edcb364f22daac49ce_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3000 wrote to memory of 3456	3000	2024-11-25_00e16d028b70b0edcb364f22daac49ce_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3000 wrote to memory of 2224	3000	2024-11-25_00e16d028b70b0edcb364f22daac49ce_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3000 wrote to memory of 2224	3000	2024-11-25_00e16d028b70b0edcb364f22daac49ce_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3000 wrote to memory of 4408	3000	2024-11-25_00e16d028b70b0edcb364f22daac49ce_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3000 wrote to memory of 4408	3000	2024-11-25_00e16d028b70b0edcb364f22daac49ce_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3000 wrote to memory of 1392	3000	2024-11-25_00e16d028b70b0edcb364f22daac49ce_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3000 wrote to memory of 1392	3000	2024-11-25_00e16d028b70b0edcb364f22daac49ce_cobalt-strike_cobaltstrike_poet-rat.exe	103

C:\Users\Admin\AppData\Local\Temp\2024-11-25_00e16d028b70b0edcb364f22daac49ce_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-25_00e16d028b70b0edcb364f22daac49ce_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3000
- C:\Windows\System\JVKnhID.exe
  C:\Windows\System\JVKnhID.exe
  2⤵
  - Executes dropped EXE
  PID:5088
- C:\Windows\System\CDFOAJT.exe
  C:\Windows\System\CDFOAJT.exe
  2⤵
  - Executes dropped EXE
  PID:2360
- C:\Windows\System\hIkBAhV.exe
  C:\Windows\System\hIkBAhV.exe
  2⤵
  - Executes dropped EXE
  PID:2036
- C:\Windows\System\yJzKexO.exe
  C:\Windows\System\yJzKexO.exe
  2⤵
  - Executes dropped EXE
  PID:3188
- C:\Windows\System\FqKMfdR.exe
  C:\Windows\System\FqKMfdR.exe
  2⤵
  - Executes dropped EXE
  PID:4136
- C:\Windows\System\XfjmDks.exe
  C:\Windows\System\XfjmDks.exe
  2⤵
  - Executes dropped EXE
  PID:744
- C:\Windows\System\ToPXKfR.exe
  C:\Windows\System\ToPXKfR.exe
  2⤵
  - Executes dropped EXE
  PID:1784
- C:\Windows\System\eHgGTsT.exe
  C:\Windows\System\eHgGTsT.exe
  2⤵
  - Executes dropped EXE
  PID:2856
- C:\Windows\System\ibUwICc.exe
  C:\Windows\System\ibUwICc.exe
  2⤵
  - Executes dropped EXE
  PID:3880
- C:\Windows\System\DriqeJp.exe
  C:\Windows\System\DriqeJp.exe
  2⤵
  - Executes dropped EXE
  PID:1668
- C:\Windows\System\CLCxprt.exe
  C:\Windows\System\CLCxprt.exe
  2⤵
  - Executes dropped EXE
  PID:3668
- C:\Windows\System\QqdAtPv.exe
  C:\Windows\System\QqdAtPv.exe
  2⤵
  - Executes dropped EXE
  PID:1704
- C:\Windows\System\MIMPyze.exe
  C:\Windows\System\MIMPyze.exe
  2⤵
  - Executes dropped EXE
  PID:2344
- C:\Windows\System\OaMIOST.exe
  C:\Windows\System\OaMIOST.exe
  2⤵
  - Executes dropped EXE
  PID:2556
- C:\Windows\System\CgUEQBM.exe
  C:\Windows\System\CgUEQBM.exe
  2⤵
  - Executes dropped EXE
  PID:4728
- C:\Windows\System\WXXkBMO.exe
  C:\Windows\System\WXXkBMO.exe
  2⤵
  - Executes dropped EXE
  PID:4924
- C:\Windows\System\eQaAumy.exe
  C:\Windows\System\eQaAumy.exe
  2⤵
  - Executes dropped EXE
  PID:3844
- C:\Windows\System\eeWIGKW.exe
  C:\Windows\System\eeWIGKW.exe
  2⤵
  - Executes dropped EXE
  PID:3456
- C:\Windows\System\VhZCOQx.exe
  C:\Windows\System\VhZCOQx.exe
  2⤵
  - Executes dropped EXE
  PID:2224
- C:\Windows\System\YXCcWvR.exe
  C:\Windows\System\YXCcWvR.exe
  2⤵
  - Executes dropped EXE
  PID:4408
- C:\Windows\System\cmfqtaX.exe
  C:\Windows\System\cmfqtaX.exe
  2⤵
  - Executes dropped EXE
  PID:1392

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\CDFOAJT.exe

Filesize
5.2MB

MD5
e571a0c08c9473971374194f1fb71028

SHA1
0c6c4b095a3232d043eb528863ade1fec4e070ad

SHA256
3f0614e002e38cd529cf7c6f5b9622cd53930176e83291ae3c322e0c0eebe8c6

SHA512
22e6060b747812e3c0495f281026e9d9a4d071204d32bd1f0e9a3683184f01f181214a68be34f83f455d2ed4b263717153448dd944ec9ca39fdd67e476098fec

Download Submit
C:\Windows\System\CLCxprt.exe

Filesize
5.2MB

MD5
841fd9e7a8f8a37c626637247b1591c6

SHA1
6b59e3b945c82f7d3ff7711d33c5eed10de9012b

SHA256
7102a22c8ec2b03044a635fe0b83fb018afdae9b982bb999f222fc1db45432d5

SHA512
babee6414fc6892c45d02fcc956f84098e74b529f0efbbf870a7407ffb50805ff01b0901de4a245188e88784b86f67561467ef31b3eb7cc0a5741ac5e09561d0

Download Submit
C:\Windows\System\CgUEQBM.exe

Filesize
5.2MB

MD5
75abe23e0d70d06cd1c0e06e64af27e0

SHA1
94b73de638d936503c4d140a32bbc7a3f29d2a10

SHA256
4af23243319d44e7800749b76e17ee7c505d3877b48aefbce67761c381e8e012

SHA512
eafa14084a2045cd896b41ba49f6e850ff26b5dfd61f4ffddfb62ad37c4685e190dadedee70f0d6585de8c0d30a734a9449e9c77259cd2c6602f61b9daa60599

Download Submit
C:\Windows\System\DriqeJp.exe

Filesize
5.2MB

MD5
bfb8130bd3e6006c9ef7f7d5bba8623e

SHA1
4a23cbe80852d474e9feb7e94be0bee98d48a972

SHA256
4046d8edb25ecad6061197ca7ab3ced88c8c023fec9f2fd29e95fea176f2e837

SHA512
5a505de04d2ed6819f8b3ca9029a45d216680119508e4d90dd20cac9d2f3fba3b0e83b01e6f1d16aee6bbc9098c9e1a187f8ae050647d29073d2e3944c232815

Download Submit
C:\Windows\System\FqKMfdR.exe

Filesize
5.2MB

MD5
8a56017e9187ee8f82705547490ce5f4

SHA1
f50682578271554c4a77c70878e30e93b2955f5d

SHA256
5a390db63e310385881aac08248c6e19249a427db8c59cf34fb38f3ddc56d722

SHA512
87faffff3661232a62daf5a03c367fa8e677f7337504db0db123e6ed1a47db58fcf6fdcb769292bf5af80f7f3b3b94c01cda14ef86f4fc6a22e9a1e32e7f128e

Download Submit
C:\Windows\System\JVKnhID.exe

Filesize
5.2MB

MD5
a05554c9339d470af595fa2e98166b41

SHA1
7e71a0db760258e71c69828f87502e2e8f9b33e6

SHA256
c772aa0ab94e777eff7071e11a9ecf4f9e9a9cd80f20a906688f96e7400cadce

SHA512
c5603db3fc24d9bc710b380aa4672bc0201678e620bbc3601a4f782bb2ce2f5830bfa124e4a12f83620da47be9f0ac9060d21ab57cf7ff83ca107807d3a0a1f0

Download Submit
C:\Windows\System\MIMPyze.exe

Filesize
5.2MB

MD5
978ed07b57691028d237c75f087d394c

SHA1
a99384cf09c650cea65a09a72739a479e9797abf

SHA256
58156f8b7f88fb5b94e9600bcb1d2a68eb987c38dd1ac7cd7fc8eac3cdf4b50b

SHA512
4595a074835c3e064189dea84247edfed5ab23ccad3c5e7e7f4efa1d4060b2bf7d0826699d31b88e0a792a2249db8e5473e91f36aab75514a0597799604300c1

Download Submit
C:\Windows\System\OaMIOST.exe

Filesize
5.2MB

MD5
908b72797c4a570364774bd54db8104a

SHA1
5e520d0d4d6c061ba937d80b6ee6ce6e50e58a32

SHA256
95671423475a5f01e7a8d68b08a3bafe9f37d562b6b7f7fdbd317b551c6340a8

SHA512
6a8bf4584a105dd1042788194579cdff9e97ee1915bdbb67877bc850e90e96e838529b789a07224d5ae9c1b8b07fc42bc4d9dd53805d14ea532f1ea16f46f5af

Download Submit
C:\Windows\System\QqdAtPv.exe

Filesize
5.2MB

MD5
36f868b6c5e73b629e09088fa7802bf9

SHA1
748ee72f915f489f99a91437f7a7b53295afd296

SHA256
78c98464af72df1063ce5c949bfe876e596a483e63d9097721da7d46f70e2de9

SHA512
a23b5ace56918503413d775b0e2ccdf00a587ae259021290a77a83ecf9dd74dd199e67efde8b427957412619d07f3ee560beb4337d20d3299d9e288967d06871

Download Submit
C:\Windows\System\ToPXKfR.exe

Filesize
5.2MB

MD5
07f07fb82fa362cc4f41472b7ee04e89

SHA1
dc716e765d065a144f471d0bde512abc27b93c0a

SHA256
bfeca008eeb4e516e772a09b7cefe09ff4cc8a7ad9b8fa688acbd54a4f9d0725

SHA512
f9233c9f4a7fef34cbca1346963d7fafdea46ac39ae45d3a19b4932d44e0b143116d6403a6a5b974446c2d35a556e2c319abc63baeb6e84f04b72d00e25ef813

Download Submit
C:\Windows\System\VhZCOQx.exe

Filesize
5.2MB

MD5
4bd440ff2e12184fac81c5dd2c62ae04

SHA1
5300224b0568835f4f9c506ab66b5faa320aabc1

SHA256
103bdf2c1e1ab962a4a03de3a410fd96c750082ce796619abdfe0a99482a09ae

SHA512
4d0f785249625d30fb13496134fc5d81889179688550791e8806e4dfbb18f7ad7b4e7097bbe9e8ed049ce73af8f5622a5d0eeada0b39474b4fbeeecabfbcc9dd

Download Submit
C:\Windows\System\WXXkBMO.exe

Filesize
5.2MB

MD5
a8119b7577890c071a13ede045a78762

SHA1
9ca46f450a2f0869373294cba6f1354f69a3712f

SHA256
dee7b009316a363a8997c0a5a166cdfb77862c213995381c7815f32cb352f159

SHA512
3b3a2eb30cfe0d9ea485db6baaf0f4952f707ba2f2631d1d0cef2a36143b592c4d3c6fb2fa516d21a2ecfe956bfb145566f9051c62a86fe1fa2722538f65dff0

Download Submit
C:\Windows\System\XfjmDks.exe

Filesize
5.2MB

MD5
6ad15ca58d0a7288a19f28f0f29e6875

SHA1
16855e12f891c50f894c6d9aee752a822412a2d1

SHA256
d42ace5086142f4e1e503292456a21e29473976c1491389b4cf32f007ede6b16

SHA512
b8a6255501d83115ab0d2eeaa68aa47ad730b0ab0d66c50d76dec224bd23f98a2016a38f985e9ebbfec38debdcc014a8e6df9976d4e524423795660aa679e7f3

Download Submit
C:\Windows\System\YXCcWvR.exe

Filesize
5.2MB

MD5
8727d6fcfde1cd9ba6d47a1b2c878faf

SHA1
4b4ea95ac3a96fd462c31729a80dae48fbd8a47e

SHA256
1c400dcb69e110e5e4fe1d964e0b657b6e97c6c8796445758887db1a6c3b7e71

SHA512
4519436496eecfc289532b3b3e1c6e9c00ead4b7e7dd32e996dbb5adc20f3a645fa11b9282b1cca84c7feae082360388f304aa8a02bd06ddd6ca46579ce4a207

Download Submit
C:\Windows\System\cmfqtaX.exe

Filesize
5.2MB

MD5
571786eed8c31c37fdbd9c96e0917247

SHA1
b5da6e9d1b587f7e0b0cee0c407b0c3d7681f02e

SHA256
836d628541fccfd832f962bb06d323e6a28694463571bab9319b6fa310a78d88

SHA512
143707527d0327d31f6ff7601086312b115a480abb5f91766c14c53b7829f600a6a08e175854a95d93679e4c75dc5c848ef61883a3abc6570b145ffee09af987

Download Submit
C:\Windows\System\eHgGTsT.exe

Filesize
5.2MB

MD5
7b31688a8ce0559bb4ff64a245c1589f

SHA1
63bc014a33dea7d652100d5b670cae28b99d0452

SHA256
660660c81b98d4f14680dd61222060c18b815234f01a059e0aedab7848dea71b

SHA512
de0d9e094f875e108e51ba618d903e3400f6b6d6946750a553b7d27c26f5cee9766828b7b85a28629adda897ae95319319156166475f6fe96c18deca8e929dcd

Download Submit
C:\Windows\System\eQaAumy.exe

Filesize
5.2MB

MD5
825953ee42b5e9a5b1f26f68c9e40b96

SHA1
ad5f6ba5ee1d67c2db8af4f6ec0f41515b97d028

SHA256
10c54a11de8b1728cbd7213feb514afa6ce2737634281ba461fb1f2cf56e25f8

SHA512
704ed10ff15f3b7ab4219dbf3228638bc7da04ccffcd5b0475772b154110e1d69bbcadd42e88a688f581c464f27e64cb6b8e8a411c82a52fdcd6f61245d958ee

Download Submit
C:\Windows\System\eeWIGKW.exe

Filesize
5.2MB

MD5
116830505985c367907c2ae9f2a790f7

SHA1
1715b404f10033d5c7c25500841621f490a68e79

SHA256
972387355111f4648ccaeaa823032ff6baa705474917495168a31d851b443828

SHA512
a525379260b404d652c2adae03ac8c12f23023cb2b3b331e184ba214343d8cdf2eea056408b31168501cb2199e51a7d6651faa2bfd84f0a9fad5377a68e45b03

Download Submit
C:\Windows\System\hIkBAhV.exe

Filesize
5.2MB

MD5
852beb7f48891db1989e6a61fb5cc5b2

SHA1
eec7ca67d4bb15480ff917f9236809e77706b3ca

SHA256
99b6c9b8c0ebd00441da4c1fc27627f0a9efcc072c2a2090116db90ea89a0c13

SHA512
fbe530131c761ab137c73a064d706c1f51e5536b49b4b60d321e65d61303e3c8db980c12d8913ee39612f5143ccbeffb7b7ea2afe5480b0c3ee257a067168993

Download Submit
C:\Windows\System\ibUwICc.exe

Filesize
5.2MB

MD5
48e743e32ca586fcfa234cf6de101073

SHA1
d027b55214c8c675114eaf1c8ff928846c3824f3

SHA256
e77ca99dbcf2213c13957f84483f9c33ae369f47d2e2d37d300a4e46d6e00116

SHA512
b2d148fe14b3ae469d51c74a401f772b1c752289356994ab3e22a2574386b046e94f4501b3e8049cc2a32b623566fdba418b929e1f9ef96ff3027ef2ee4e28b3

Download Submit
C:\Windows\System\yJzKexO.exe

Filesize
5.2MB

MD5
7b2faf35e65b7cd657f673dc08579cfb

SHA1
ebd955381f1369b58ecba80b40da3edd51d37672

SHA256
dcc3e29bb8f728a6c26a8c148be99d889d124cfedd359c82910aa0dc824d9a6d

SHA512
ee91336a515eb53e8b4e788dad04af3de315b2ea54070d8624de86d744acd7c42afdfa274e0fb95c0fcb4de274d9a1397650dad24b160753102c14a7531da092

Download Submit
memory/744-101-0x00007FF6812C0000-0x00007FF681611000-memory.dmp

Filesize
3.3MB

Download
memory/744-40-0x00007FF6812C0000-0x00007FF681611000-memory.dmp

Filesize
3.3MB

Download
memory/744-233-0x00007FF6812C0000-0x00007FF681611000-memory.dmp

Filesize
3.3MB

Download
memory/1392-136-0x00007FF7F8960000-0x00007FF7F8CB1000-memory.dmp

Filesize
3.3MB

Download
memory/1392-167-0x00007FF7F8960000-0x00007FF7F8CB1000-memory.dmp

Filesize
3.3MB

Download
memory/1392-275-0x00007FF7F8960000-0x00007FF7F8CB1000-memory.dmp

Filesize
3.3MB

Download
memory/1668-59-0x00007FF743990000-0x00007FF743CE1000-memory.dmp

Filesize
3.3MB

Download
memory/1668-249-0x00007FF743990000-0x00007FF743CE1000-memory.dmp

Filesize
3.3MB

Download
memory/1668-129-0x00007FF743990000-0x00007FF743CE1000-memory.dmp

Filesize
3.3MB

Download
memory/1704-80-0x00007FF62AAF0000-0x00007FF62AE41000-memory.dmp

Filesize
3.3MB

Download
memory/1704-252-0x00007FF62AAF0000-0x00007FF62AE41000-memory.dmp

Filesize
3.3MB

Download
memory/1784-108-0x00007FF6FDB20000-0x00007FF6FDE71000-memory.dmp

Filesize
3.3MB

Download
memory/1784-42-0x00007FF6FDB20000-0x00007FF6FDE71000-memory.dmp

Filesize
3.3MB

Download
memory/1784-235-0x00007FF6FDB20000-0x00007FF6FDE71000-memory.dmp

Filesize
3.3MB

Download
memory/2036-83-0x00007FF7A1080000-0x00007FF7A13D1000-memory.dmp

Filesize
3.3MB

Download
memory/2036-20-0x00007FF7A1080000-0x00007FF7A13D1000-memory.dmp

Filesize
3.3MB

Download
memory/2036-227-0x00007FF7A1080000-0x00007FF7A13D1000-memory.dmp

Filesize
3.3MB

Download
memory/2224-123-0x00007FF7B17A0000-0x00007FF7B1AF1000-memory.dmp

Filesize
3.3MB

Download
memory/2224-271-0x00007FF7B17A0000-0x00007FF7B1AF1000-memory.dmp

Filesize
3.3MB

Download
memory/2224-160-0x00007FF7B17A0000-0x00007FF7B1AF1000-memory.dmp

Filesize
3.3MB

Download
memory/2344-256-0x00007FF75A810000-0x00007FF75AB61000-memory.dmp

Filesize
3.3MB

Download
memory/2344-91-0x00007FF75A810000-0x00007FF75AB61000-memory.dmp

Filesize
3.3MB

Download
memory/2360-219-0x00007FF6ADA80000-0x00007FF6ADDD1000-memory.dmp

Filesize
3.3MB

Download
memory/2360-14-0x00007FF6ADA80000-0x00007FF6ADDD1000-memory.dmp

Filesize
3.3MB

Download
memory/2556-254-0x00007FF6F5420000-0x00007FF6F5771000-memory.dmp

Filesize
3.3MB

Download
memory/2556-139-0x00007FF6F5420000-0x00007FF6F5771000-memory.dmp

Filesize
3.3MB

Download
memory/2556-90-0x00007FF6F5420000-0x00007FF6F5771000-memory.dmp

Filesize
3.3MB

Download
memory/2856-237-0x00007FF6BAA60000-0x00007FF6BADB1000-memory.dmp

Filesize
3.3MB

Download
memory/2856-48-0x00007FF6BAA60000-0x00007FF6BADB1000-memory.dmp

Filesize
3.3MB

Download
memory/2856-116-0x00007FF6BAA60000-0x00007FF6BADB1000-memory.dmp

Filesize
3.3MB

Download
memory/3000-141-0x00007FF7096F0000-0x00007FF709A41000-memory.dmp

Filesize
3.3MB

Download
memory/3000-0-0x00007FF7096F0000-0x00007FF709A41000-memory.dmp

Filesize
3.3MB

Download
memory/3000-1-0x000001FC35410000-0x000001FC35420000-memory.dmp

Filesize
64KB

Download
memory/3000-57-0x00007FF7096F0000-0x00007FF709A41000-memory.dmp

Filesize
3.3MB

Download
memory/3000-168-0x00007FF7096F0000-0x00007FF709A41000-memory.dmp

Filesize
3.3MB

Download
memory/3188-93-0x00007FF648C90000-0x00007FF648FE1000-memory.dmp

Filesize
3.3MB

Download
memory/3188-24-0x00007FF648C90000-0x00007FF648FE1000-memory.dmp

Filesize
3.3MB

Download
memory/3188-229-0x00007FF648C90000-0x00007FF648FE1000-memory.dmp

Filesize
3.3MB

Download
memory/3456-118-0x00007FF6A1730000-0x00007FF6A1A81000-memory.dmp

Filesize
3.3MB

Download
memory/3456-269-0x00007FF6A1730000-0x00007FF6A1A81000-memory.dmp

Filesize
3.3MB

Download
memory/3668-250-0x00007FF669810000-0x00007FF669B61000-memory.dmp

Filesize
3.3MB

Download
memory/3668-67-0x00007FF669810000-0x00007FF669B61000-memory.dmp

Filesize
3.3MB

Download
memory/3668-135-0x00007FF669810000-0x00007FF669B61000-memory.dmp

Filesize
3.3MB

Download
memory/3844-109-0x00007FF7494F0000-0x00007FF749841000-memory.dmp

Filesize
3.3MB

Download
memory/3844-159-0x00007FF7494F0000-0x00007FF749841000-memory.dmp

Filesize
3.3MB

Download
memory/3844-264-0x00007FF7494F0000-0x00007FF749841000-memory.dmp

Filesize
3.3MB

Download
memory/3880-54-0x00007FF63F920000-0x00007FF63FC71000-memory.dmp

Filesize
3.3MB

Download
memory/3880-122-0x00007FF63F920000-0x00007FF63FC71000-memory.dmp

Filesize
3.3MB

Download
memory/3880-246-0x00007FF63F920000-0x00007FF63FC71000-memory.dmp

Filesize
3.3MB

Download
memory/4136-32-0x00007FF65D0C0000-0x00007FF65D411000-memory.dmp

Filesize
3.3MB

Download
memory/4136-231-0x00007FF65D0C0000-0x00007FF65D411000-memory.dmp

Filesize
3.3MB

Download
memory/4136-97-0x00007FF65D0C0000-0x00007FF65D411000-memory.dmp

Filesize
3.3MB

Download
memory/4408-163-0x00007FF7541C0000-0x00007FF754511000-memory.dmp

Filesize
3.3MB

Download
memory/4408-273-0x00007FF7541C0000-0x00007FF754511000-memory.dmp

Filesize
3.3MB

Download
memory/4408-130-0x00007FF7541C0000-0x00007FF754511000-memory.dmp

Filesize
3.3MB

Download
memory/4728-94-0x00007FF7C9F30000-0x00007FF7CA281000-memory.dmp

Filesize
3.3MB

Download
memory/4728-140-0x00007FF7C9F30000-0x00007FF7CA281000-memory.dmp

Filesize
3.3MB

Download
memory/4728-258-0x00007FF7C9F30000-0x00007FF7CA281000-memory.dmp

Filesize
3.3MB

Download
memory/4924-105-0x00007FF67B940000-0x00007FF67BC91000-memory.dmp

Filesize
3.3MB

Download
memory/4924-262-0x00007FF67B940000-0x00007FF67BC91000-memory.dmp

Filesize
3.3MB

Download
memory/4924-151-0x00007FF67B940000-0x00007FF67BC91000-memory.dmp

Filesize
3.3MB

Download
memory/5088-217-0x00007FF668E40000-0x00007FF669191000-memory.dmp

Filesize
3.3MB

Download
memory/5088-66-0x00007FF668E40000-0x00007FF669191000-memory.dmp

Filesize
3.3MB

Download
memory/5088-8-0x00007FF668E40000-0x00007FF669191000-memory.dmp

Filesize
3.3MB

Download