cobaltstrike | 64aeea6446689c574d67693cfc3fc12d5e8daf08e09f9986cf2ba0aa6423b6c8

Analysis

max time kernel
143s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-12-2024 02:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-10_8546c1ad5f416a817e69a0ae6cfb0f0e_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

8546c1ad5f416a817e69a0ae6cfb0f0e
SHA1

7352327f0cdc858eac5cd965e11f9086ffadc7f7
SHA256

64aeea6446689c574d67693cfc3fc12d5e8daf08e09f9986cf2ba0aa6423b6c8
SHA512

423728ded30ce690b8a8c874ef865f2af0e42f266ec6762ce40d18e673ccec53a076364df35fa29703276a137a15db333a45329bb1d7505706d75b1eac1b094d
SSDEEP

49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l3:RWWBibd56utgpPFotBER/mQ32lUT

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000b000000023b86-4.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8a-12.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8c-20.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8b-21.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8d-29.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8e-38.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b91-46.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8f-50.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b90-45.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b95-76.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b97-86.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b96-93.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b87-90.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b93-81.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b94-74.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b92-68.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b98-100.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b9c-122.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba4-132.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b9b-117.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b9a-113.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/1496-47-0x00007FF737660000-0x00007FF7379B1000-memory.dmp	xmrig
behavioral2/memory/4972-42-0x00007FF7D5C20000-0x00007FF7D5F71000-memory.dmp	xmrig
behavioral2/memory/1344-36-0x00007FF766740000-0x00007FF766A91000-memory.dmp	xmrig
behavioral2/memory/208-98-0x00007FF62EB90000-0x00007FF62EEE1000-memory.dmp	xmrig
behavioral2/memory/1892-97-0x00007FF685ED0000-0x00007FF686221000-memory.dmp	xmrig
behavioral2/memory/2340-85-0x00007FF6D63C0000-0x00007FF6D6711000-memory.dmp	xmrig
behavioral2/memory/4004-64-0x00007FF69FB90000-0x00007FF69FEE1000-memory.dmp	xmrig
behavioral2/memory/2960-116-0x00007FF66E020000-0x00007FF66E371000-memory.dmp	xmrig
behavioral2/memory/2104-121-0x00007FF7EE170000-0x00007FF7EE4C1000-memory.dmp	xmrig
behavioral2/memory/2396-124-0x00007FF651390000-0x00007FF6516E1000-memory.dmp	xmrig
behavioral2/memory/1812-129-0x00007FF6B7FE0000-0x00007FF6B8331000-memory.dmp	xmrig
behavioral2/memory/4624-123-0x00007FF6A2610000-0x00007FF6A2961000-memory.dmp	xmrig
behavioral2/memory/2084-109-0x00007FF630A80000-0x00007FF630DD1000-memory.dmp	xmrig
behavioral2/memory/3564-107-0x00007FF602010000-0x00007FF602361000-memory.dmp	xmrig
behavioral2/memory/5032-148-0x00007FF7F7A70000-0x00007FF7F7DC1000-memory.dmp	xmrig
behavioral2/memory/880-147-0x00007FF7B0530000-0x00007FF7B0881000-memory.dmp	xmrig
behavioral2/memory/1668-143-0x00007FF6E89D0000-0x00007FF6E8D21000-memory.dmp	xmrig
behavioral2/memory/1212-144-0x00007FF6748B0000-0x00007FF674C01000-memory.dmp	xmrig
behavioral2/memory/60-140-0x00007FF72E020000-0x00007FF72E371000-memory.dmp	xmrig
behavioral2/memory/4612-151-0x00007FF7B3100000-0x00007FF7B3451000-memory.dmp	xmrig
behavioral2/memory/3564-152-0x00007FF602010000-0x00007FF602361000-memory.dmp	xmrig
behavioral2/memory/116-165-0x00007FF7B0A60000-0x00007FF7B0DB1000-memory.dmp	xmrig
behavioral2/memory/3964-163-0x00007FF72CDE0000-0x00007FF72D131000-memory.dmp	xmrig
behavioral2/memory/3564-175-0x00007FF602010000-0x00007FF602361000-memory.dmp	xmrig
behavioral2/memory/2960-215-0x00007FF66E020000-0x00007FF66E371000-memory.dmp	xmrig
behavioral2/memory/4624-217-0x00007FF6A2610000-0x00007FF6A2961000-memory.dmp	xmrig
behavioral2/memory/2396-219-0x00007FF651390000-0x00007FF6516E1000-memory.dmp	xmrig
behavioral2/memory/4972-221-0x00007FF7D5C20000-0x00007FF7D5F71000-memory.dmp	xmrig
behavioral2/memory/1344-223-0x00007FF766740000-0x00007FF766A91000-memory.dmp	xmrig
behavioral2/memory/1496-225-0x00007FF737660000-0x00007FF7379B1000-memory.dmp	xmrig
behavioral2/memory/1812-234-0x00007FF6B7FE0000-0x00007FF6B8331000-memory.dmp	xmrig
behavioral2/memory/60-233-0x00007FF72E020000-0x00007FF72E371000-memory.dmp	xmrig
behavioral2/memory/1668-238-0x00007FF6E89D0000-0x00007FF6E8D21000-memory.dmp	xmrig
behavioral2/memory/4004-236-0x00007FF69FB90000-0x00007FF69FEE1000-memory.dmp	xmrig
behavioral2/memory/1212-245-0x00007FF6748B0000-0x00007FF674C01000-memory.dmp	xmrig
behavioral2/memory/5032-250-0x00007FF7F7A70000-0x00007FF7F7DC1000-memory.dmp	xmrig
behavioral2/memory/880-248-0x00007FF7B0530000-0x00007FF7B0881000-memory.dmp	xmrig
behavioral2/memory/208-243-0x00007FF62EB90000-0x00007FF62EEE1000-memory.dmp	xmrig
behavioral2/memory/1892-246-0x00007FF685ED0000-0x00007FF686221000-memory.dmp	xmrig
behavioral2/memory/2340-241-0x00007FF6D63C0000-0x00007FF6D6711000-memory.dmp	xmrig
behavioral2/memory/2084-257-0x00007FF630A80000-0x00007FF630DD1000-memory.dmp	xmrig
behavioral2/memory/4612-259-0x00007FF7B3100000-0x00007FF7B3451000-memory.dmp	xmrig
behavioral2/memory/2104-261-0x00007FF7EE170000-0x00007FF7EE4C1000-memory.dmp	xmrig
behavioral2/memory/116-265-0x00007FF7B0A60000-0x00007FF7B0DB1000-memory.dmp	xmrig
behavioral2/memory/3964-264-0x00007FF72CDE0000-0x00007FF72D131000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2960	TfFEbMw.exe
4624	AFwDQcq.exe
2396	DjlacnM.exe
1344	XgduDSM.exe
4972	JkSzcJy.exe
1496	vEBsdRg.exe
60	TWjrjBp.exe
4004	bizpSQL.exe
1812	hJfSNzg.exe
1668	VBwdnWP.exe
1212	UxBEhuq.exe
2340	pUiJmRV.exe
1892	KkdHeBJ.exe
880	SsCZZsw.exe
5032	IsPQiYQ.exe
208	HsJIZhu.exe
2084	lnMgvAM.exe
4612	pftIPNo.exe
2104	SArtgEN.exe
116	QeWFHVC.exe
3964	XtcKTQw.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3564-0-0x00007FF602010000-0x00007FF602361000-memory.dmp	upx
behavioral2/files/0x000b000000023b86-4.dat	upx
behavioral2/files/0x000a000000023b8a-12.dat	upx
behavioral2/files/0x000a000000023b8c-20.dat	upx
behavioral2/files/0x000a000000023b8b-21.dat	upx
behavioral2/memory/2396-24-0x00007FF651390000-0x00007FF6516E1000-memory.dmp	upx
behavioral2/files/0x000a000000023b8d-29.dat	upx
behavioral2/files/0x000a000000023b8e-38.dat	upx
behavioral2/files/0x000a000000023b91-46.dat	upx
behavioral2/memory/1496-47-0x00007FF737660000-0x00007FF7379B1000-memory.dmp	upx
behavioral2/files/0x000a000000023b8f-50.dat	upx
behavioral2/memory/4972-42-0x00007FF7D5C20000-0x00007FF7D5F71000-memory.dmp	upx
behavioral2/files/0x000a000000023b90-45.dat	upx
behavioral2/memory/1344-36-0x00007FF766740000-0x00007FF766A91000-memory.dmp	upx
behavioral2/files/0x000a000000023b95-76.dat	upx
behavioral2/files/0x000a000000023b97-86.dat	upx
behavioral2/memory/5032-92-0x00007FF7F7A70000-0x00007FF7F7DC1000-memory.dmp	upx
behavioral2/memory/208-98-0x00007FF62EB90000-0x00007FF62EEE1000-memory.dmp	upx
behavioral2/memory/1892-97-0x00007FF685ED0000-0x00007FF686221000-memory.dmp	upx
behavioral2/files/0x000a000000023b96-93.dat	upx
behavioral2/files/0x000b000000023b87-90.dat	upx
behavioral2/memory/880-87-0x00007FF7B0530000-0x00007FF7B0881000-memory.dmp	upx
behavioral2/memory/2340-85-0x00007FF6D63C0000-0x00007FF6D6711000-memory.dmp	upx
behavioral2/memory/1212-84-0x00007FF6748B0000-0x00007FF674C01000-memory.dmp	upx
behavioral2/files/0x000a000000023b93-81.dat	upx
behavioral2/files/0x000a000000023b94-74.dat	upx
behavioral2/memory/1668-72-0x00007FF6E89D0000-0x00007FF6E8D21000-memory.dmp	upx
behavioral2/files/0x000a000000023b92-68.dat	upx
behavioral2/memory/4004-64-0x00007FF69FB90000-0x00007FF69FEE1000-memory.dmp	upx
behavioral2/memory/60-63-0x00007FF72E020000-0x00007FF72E371000-memory.dmp	upx
behavioral2/memory/1812-53-0x00007FF6B7FE0000-0x00007FF6B8331000-memory.dmp	upx
behavioral2/memory/4624-15-0x00007FF6A2610000-0x00007FF6A2961000-memory.dmp	upx
behavioral2/memory/2960-7-0x00007FF66E020000-0x00007FF66E371000-memory.dmp	upx
behavioral2/files/0x000a000000023b98-100.dat	upx
behavioral2/memory/2960-116-0x00007FF66E020000-0x00007FF66E371000-memory.dmp	upx
behavioral2/memory/2104-121-0x00007FF7EE170000-0x00007FF7EE4C1000-memory.dmp	upx
behavioral2/files/0x000b000000023b9c-122.dat	upx
behavioral2/memory/2396-124-0x00007FF651390000-0x00007FF6516E1000-memory.dmp	upx
behavioral2/memory/116-127-0x00007FF7B0A60000-0x00007FF7B0DB1000-memory.dmp	upx
behavioral2/files/0x000a000000023ba4-132.dat	upx
behavioral2/memory/3964-131-0x00007FF72CDE0000-0x00007FF72D131000-memory.dmp	upx
behavioral2/memory/1812-129-0x00007FF6B7FE0000-0x00007FF6B8331000-memory.dmp	upx
behavioral2/memory/4624-123-0x00007FF6A2610000-0x00007FF6A2961000-memory.dmp	upx
behavioral2/files/0x000b000000023b9b-117.dat	upx
behavioral2/memory/4612-115-0x00007FF7B3100000-0x00007FF7B3451000-memory.dmp	upx
behavioral2/files/0x000b000000023b9a-113.dat	upx
behavioral2/memory/2084-109-0x00007FF630A80000-0x00007FF630DD1000-memory.dmp	upx
behavioral2/memory/3564-107-0x00007FF602010000-0x00007FF602361000-memory.dmp	upx
behavioral2/memory/5032-148-0x00007FF7F7A70000-0x00007FF7F7DC1000-memory.dmp	upx
behavioral2/memory/880-147-0x00007FF7B0530000-0x00007FF7B0881000-memory.dmp	upx
behavioral2/memory/1668-143-0x00007FF6E89D0000-0x00007FF6E8D21000-memory.dmp	upx
behavioral2/memory/1212-144-0x00007FF6748B0000-0x00007FF674C01000-memory.dmp	upx
behavioral2/memory/60-140-0x00007FF72E020000-0x00007FF72E371000-memory.dmp	upx
behavioral2/memory/4612-151-0x00007FF7B3100000-0x00007FF7B3451000-memory.dmp	upx
behavioral2/memory/3564-152-0x00007FF602010000-0x00007FF602361000-memory.dmp	upx
behavioral2/memory/116-165-0x00007FF7B0A60000-0x00007FF7B0DB1000-memory.dmp	upx
behavioral2/memory/3964-163-0x00007FF72CDE0000-0x00007FF72D131000-memory.dmp	upx
behavioral2/memory/3564-175-0x00007FF602010000-0x00007FF602361000-memory.dmp	upx
behavioral2/memory/2960-215-0x00007FF66E020000-0x00007FF66E371000-memory.dmp	upx
behavioral2/memory/4624-217-0x00007FF6A2610000-0x00007FF6A2961000-memory.dmp	upx
behavioral2/memory/2396-219-0x00007FF651390000-0x00007FF6516E1000-memory.dmp	upx
behavioral2/memory/4972-221-0x00007FF7D5C20000-0x00007FF7D5F71000-memory.dmp	upx
behavioral2/memory/1344-223-0x00007FF766740000-0x00007FF766A91000-memory.dmp	upx
behavioral2/memory/1496-225-0x00007FF737660000-0x00007FF7379B1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\TfFEbMw.exe	2024-12-10_8546c1ad5f416a817e69a0ae6cfb0f0e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TWjrjBp.exe	2024-12-10_8546c1ad5f416a817e69a0ae6cfb0f0e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bizpSQL.exe	2024-12-10_8546c1ad5f416a817e69a0ae6cfb0f0e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hJfSNzg.exe	2024-12-10_8546c1ad5f416a817e69a0ae6cfb0f0e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IsPQiYQ.exe	2024-12-10_8546c1ad5f416a817e69a0ae6cfb0f0e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HsJIZhu.exe	2024-12-10_8546c1ad5f416a817e69a0ae6cfb0f0e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pftIPNo.exe	2024-12-10_8546c1ad5f416a817e69a0ae6cfb0f0e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vEBsdRg.exe	2024-12-10_8546c1ad5f416a817e69a0ae6cfb0f0e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UxBEhuq.exe	2024-12-10_8546c1ad5f416a817e69a0ae6cfb0f0e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pUiJmRV.exe	2024-12-10_8546c1ad5f416a817e69a0ae6cfb0f0e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QeWFHVC.exe	2024-12-10_8546c1ad5f416a817e69a0ae6cfb0f0e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XtcKTQw.exe	2024-12-10_8546c1ad5f416a817e69a0ae6cfb0f0e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DjlacnM.exe	2024-12-10_8546c1ad5f416a817e69a0ae6cfb0f0e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JkSzcJy.exe	2024-12-10_8546c1ad5f416a817e69a0ae6cfb0f0e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VBwdnWP.exe	2024-12-10_8546c1ad5f416a817e69a0ae6cfb0f0e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KkdHeBJ.exe	2024-12-10_8546c1ad5f416a817e69a0ae6cfb0f0e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AFwDQcq.exe	2024-12-10_8546c1ad5f416a817e69a0ae6cfb0f0e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XgduDSM.exe	2024-12-10_8546c1ad5f416a817e69a0ae6cfb0f0e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SsCZZsw.exe	2024-12-10_8546c1ad5f416a817e69a0ae6cfb0f0e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lnMgvAM.exe	2024-12-10_8546c1ad5f416a817e69a0ae6cfb0f0e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SArtgEN.exe	2024-12-10_8546c1ad5f416a817e69a0ae6cfb0f0e_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3564	2024-12-10_8546c1ad5f416a817e69a0ae6cfb0f0e_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	3564	2024-12-10_8546c1ad5f416a817e69a0ae6cfb0f0e_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3564 wrote to memory of 2960	3564	2024-12-10_8546c1ad5f416a817e69a0ae6cfb0f0e_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 3564 wrote to memory of 2960	3564	2024-12-10_8546c1ad5f416a817e69a0ae6cfb0f0e_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 3564 wrote to memory of 4624	3564	2024-12-10_8546c1ad5f416a817e69a0ae6cfb0f0e_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3564 wrote to memory of 4624	3564	2024-12-10_8546c1ad5f416a817e69a0ae6cfb0f0e_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3564 wrote to memory of 2396	3564	2024-12-10_8546c1ad5f416a817e69a0ae6cfb0f0e_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3564 wrote to memory of 2396	3564	2024-12-10_8546c1ad5f416a817e69a0ae6cfb0f0e_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3564 wrote to memory of 1344	3564	2024-12-10_8546c1ad5f416a817e69a0ae6cfb0f0e_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3564 wrote to memory of 1344	3564	2024-12-10_8546c1ad5f416a817e69a0ae6cfb0f0e_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3564 wrote to memory of 4972	3564	2024-12-10_8546c1ad5f416a817e69a0ae6cfb0f0e_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3564 wrote to memory of 4972	3564	2024-12-10_8546c1ad5f416a817e69a0ae6cfb0f0e_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3564 wrote to memory of 1496	3564	2024-12-10_8546c1ad5f416a817e69a0ae6cfb0f0e_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3564 wrote to memory of 1496	3564	2024-12-10_8546c1ad5f416a817e69a0ae6cfb0f0e_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3564 wrote to memory of 60	3564	2024-12-10_8546c1ad5f416a817e69a0ae6cfb0f0e_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3564 wrote to memory of 60	3564	2024-12-10_8546c1ad5f416a817e69a0ae6cfb0f0e_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3564 wrote to memory of 4004	3564	2024-12-10_8546c1ad5f416a817e69a0ae6cfb0f0e_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3564 wrote to memory of 4004	3564	2024-12-10_8546c1ad5f416a817e69a0ae6cfb0f0e_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3564 wrote to memory of 1812	3564	2024-12-10_8546c1ad5f416a817e69a0ae6cfb0f0e_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3564 wrote to memory of 1812	3564	2024-12-10_8546c1ad5f416a817e69a0ae6cfb0f0e_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3564 wrote to memory of 1668	3564	2024-12-10_8546c1ad5f416a817e69a0ae6cfb0f0e_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3564 wrote to memory of 1668	3564	2024-12-10_8546c1ad5f416a817e69a0ae6cfb0f0e_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3564 wrote to memory of 1212	3564	2024-12-10_8546c1ad5f416a817e69a0ae6cfb0f0e_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3564 wrote to memory of 1212	3564	2024-12-10_8546c1ad5f416a817e69a0ae6cfb0f0e_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3564 wrote to memory of 2340	3564	2024-12-10_8546c1ad5f416a817e69a0ae6cfb0f0e_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3564 wrote to memory of 2340	3564	2024-12-10_8546c1ad5f416a817e69a0ae6cfb0f0e_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3564 wrote to memory of 1892	3564	2024-12-10_8546c1ad5f416a817e69a0ae6cfb0f0e_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3564 wrote to memory of 1892	3564	2024-12-10_8546c1ad5f416a817e69a0ae6cfb0f0e_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3564 wrote to memory of 880	3564	2024-12-10_8546c1ad5f416a817e69a0ae6cfb0f0e_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3564 wrote to memory of 880	3564	2024-12-10_8546c1ad5f416a817e69a0ae6cfb0f0e_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3564 wrote to memory of 5032	3564	2024-12-10_8546c1ad5f416a817e69a0ae6cfb0f0e_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3564 wrote to memory of 5032	3564	2024-12-10_8546c1ad5f416a817e69a0ae6cfb0f0e_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3564 wrote to memory of 208	3564	2024-12-10_8546c1ad5f416a817e69a0ae6cfb0f0e_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3564 wrote to memory of 208	3564	2024-12-10_8546c1ad5f416a817e69a0ae6cfb0f0e_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3564 wrote to memory of 2084	3564	2024-12-10_8546c1ad5f416a817e69a0ae6cfb0f0e_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3564 wrote to memory of 2084	3564	2024-12-10_8546c1ad5f416a817e69a0ae6cfb0f0e_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3564 wrote to memory of 4612	3564	2024-12-10_8546c1ad5f416a817e69a0ae6cfb0f0e_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3564 wrote to memory of 4612	3564	2024-12-10_8546c1ad5f416a817e69a0ae6cfb0f0e_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3564 wrote to memory of 2104	3564	2024-12-10_8546c1ad5f416a817e69a0ae6cfb0f0e_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3564 wrote to memory of 2104	3564	2024-12-10_8546c1ad5f416a817e69a0ae6cfb0f0e_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3564 wrote to memory of 116	3564	2024-12-10_8546c1ad5f416a817e69a0ae6cfb0f0e_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3564 wrote to memory of 116	3564	2024-12-10_8546c1ad5f416a817e69a0ae6cfb0f0e_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3564 wrote to memory of 3964	3564	2024-12-10_8546c1ad5f416a817e69a0ae6cfb0f0e_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3564 wrote to memory of 3964	3564	2024-12-10_8546c1ad5f416a817e69a0ae6cfb0f0e_cobalt-strike_cobaltstrike_poet-rat.exe	103

C:\Users\Admin\AppData\Local\Temp\2024-12-10_8546c1ad5f416a817e69a0ae6cfb0f0e_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-10_8546c1ad5f416a817e69a0ae6cfb0f0e_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3564
- C:\Windows\System\TfFEbMw.exe
  C:\Windows\System\TfFEbMw.exe
  2⤵
  - Executes dropped EXE
  PID:2960
- C:\Windows\System\AFwDQcq.exe
  C:\Windows\System\AFwDQcq.exe
  2⤵
  - Executes dropped EXE
  PID:4624
- C:\Windows\System\DjlacnM.exe
  C:\Windows\System\DjlacnM.exe
  2⤵
  - Executes dropped EXE
  PID:2396
- C:\Windows\System\XgduDSM.exe
  C:\Windows\System\XgduDSM.exe
  2⤵
  - Executes dropped EXE
  PID:1344
- C:\Windows\System\JkSzcJy.exe
  C:\Windows\System\JkSzcJy.exe
  2⤵
  - Executes dropped EXE
  PID:4972
- C:\Windows\System\vEBsdRg.exe
  C:\Windows\System\vEBsdRg.exe
  2⤵
  - Executes dropped EXE
  PID:1496
- C:\Windows\System\TWjrjBp.exe
  C:\Windows\System\TWjrjBp.exe
  2⤵
  - Executes dropped EXE
  PID:60
- C:\Windows\System\bizpSQL.exe
  C:\Windows\System\bizpSQL.exe
  2⤵
  - Executes dropped EXE
  PID:4004
- C:\Windows\System\hJfSNzg.exe
  C:\Windows\System\hJfSNzg.exe
  2⤵
  - Executes dropped EXE
  PID:1812
- C:\Windows\System\VBwdnWP.exe
  C:\Windows\System\VBwdnWP.exe
  2⤵
  - Executes dropped EXE
  PID:1668
- C:\Windows\System\UxBEhuq.exe
  C:\Windows\System\UxBEhuq.exe
  2⤵
  - Executes dropped EXE
  PID:1212
- C:\Windows\System\pUiJmRV.exe
  C:\Windows\System\pUiJmRV.exe
  2⤵
  - Executes dropped EXE
  PID:2340
- C:\Windows\System\KkdHeBJ.exe
  C:\Windows\System\KkdHeBJ.exe
  2⤵
  - Executes dropped EXE
  PID:1892
- C:\Windows\System\SsCZZsw.exe
  C:\Windows\System\SsCZZsw.exe
  2⤵
  - Executes dropped EXE
  PID:880
- C:\Windows\System\IsPQiYQ.exe
  C:\Windows\System\IsPQiYQ.exe
  2⤵
  - Executes dropped EXE
  PID:5032
- C:\Windows\System\HsJIZhu.exe
  C:\Windows\System\HsJIZhu.exe
  2⤵
  - Executes dropped EXE
  PID:208
- C:\Windows\System\lnMgvAM.exe
  C:\Windows\System\lnMgvAM.exe
  2⤵
  - Executes dropped EXE
  PID:2084
- C:\Windows\System\pftIPNo.exe
  C:\Windows\System\pftIPNo.exe
  2⤵
  - Executes dropped EXE
  PID:4612
- C:\Windows\System\SArtgEN.exe
  C:\Windows\System\SArtgEN.exe
  2⤵
  - Executes dropped EXE
  PID:2104
- C:\Windows\System\QeWFHVC.exe
  C:\Windows\System\QeWFHVC.exe
  2⤵
  - Executes dropped EXE
  PID:116
- C:\Windows\System\XtcKTQw.exe
  C:\Windows\System\XtcKTQw.exe
  2⤵
  - Executes dropped EXE
  PID:3964

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AFwDQcq.exe

Filesize
5.2MB

MD5
1ed7846b4c188063d5a16270871217fd

SHA1
74c998220e8eadbd6af85e2ebe05066cbeda5d88

SHA256
ea349885d829618ae966cad2c06a0459b6e019c2f591a156abf1fc0a9c9709bf

SHA512
bc9fa543568de1a35bf75cefb05aea54e40f7774d5fe0a7b4ba64a9f17b47204e088979c75ef72bc86d18c4a99b291c26d348ec314504b84f51d6158e3839b76

Download Submit
C:\Windows\System\DjlacnM.exe

Filesize
5.2MB

MD5
448037946fda539c476c0629ee73ded9

SHA1
95761c76ba74738ec6017fdee3cae93f69d9217d

SHA256
dafd0756d567eb0f3a6d72c6a1ce7a3fcc170b682da3a4ae15ad1fc20fdc854a

SHA512
3d289f8761645440d3b239294f40a9de8f812b13bdbb2c9e4cb27e8d1466bcdde061fc916e6598d69a83e596fb8a9375b0da9c9a8580562674a27f22866b1b13

Download Submit
C:\Windows\System\HsJIZhu.exe

Filesize
5.2MB

MD5
890b930928fb50dee6e797aa8be2038b

SHA1
d661b2f87ce9151797c82a0aa40c60ddf90479ef

SHA256
7b9e472a3191e29523695042998ccaca4877d8bba111d431582ee6145caf4a03

SHA512
7435c8db4e741172f49c5a2aa7bc6427078429321b120249557229ebb862467a6e022db9fb7c64c674ee9ff803b8d1fa4d82e1e8c1d076ea4ddeb4683466949b

Download Submit
C:\Windows\System\IsPQiYQ.exe

Filesize
5.2MB

MD5
d1b9d8823c9808d8344cb61a4abd1097

SHA1
407f2b3eb9a664abf704e1406c7903c460f74ad0

SHA256
f856772496b0d6c35018209bb60dba0252a4ee1c6b0d66f0ccf2e4879fe6f871

SHA512
cba144b564b46d917c8bef48886275d9d265ce29124fdd5b7c536039930ec1e756905a02b33c158f5165451e935ce45d5b8826df6663ca425220f187fedb59bc

Download Submit
C:\Windows\System\JkSzcJy.exe

Filesize
5.2MB

MD5
a6e23363f2a868401ab3522acb844955

SHA1
2acba9e35ba69af52ed229b150ddf55cc28b98fd

SHA256
0617539d1c15e64562f6dab5df0833d6d829ee91d7ad0d9941eaf44bc4d2914e

SHA512
065361ed9fcfa49e4e6789f455a0c0dd95d1f04cf59861a5dcbbdb4bca29d404ce59371c04307816eaa0b4e29438ac729a80feeaa9d59e8541bf097c2968434b

Download Submit
C:\Windows\System\KkdHeBJ.exe

Filesize
5.2MB

MD5
81848e43aabb181f7a7181eb4d504129

SHA1
f6be91f7371eb14ba32dbca826febbca8ec26098

SHA256
a8baa951c30d4203b350c1af60e1dccff6f8316db6db723b2ecd43cf67e488a8

SHA512
75a83996511ee618631e0400c5595457d20a19f12ddab40806637deb6d0044363e833ec76fdbb8e994bc39c7058fb78df342a20dae899be520f6a11f53bced29

Download Submit
C:\Windows\System\QeWFHVC.exe

Filesize
5.2MB

MD5
611800a083c55a8b2ac9bc47fdc19941

SHA1
75a1da257609d9ab868f8a6fda61ac0ec249c083

SHA256
f38e673b334b980d10fd2fd8c69ebba2b86879e6fa6859abbc7691a433926eb1

SHA512
fab9e86111cd5c8a05c672899cf92a55ac7246b87f4455a52c0b9b632b335a57631d30df454269554856eed51bc6503b1102bbda43832a67a245fb2898e7e6c2

Download Submit
C:\Windows\System\SArtgEN.exe

Filesize
5.2MB

MD5
99092113105245891e611e4b29be9bba

SHA1
f3b794accbb110ebadecc096f763a0bf5609e617

SHA256
e5bf2fbc8d6e1d8d58f0337292f2ae0c9c351d6b24f132b3eeecd6b42a7306fc

SHA512
b59c2ad5770bdd6298a5be485201009fa78b91cf72aad5f5e81e24ccd55b19db2006b70baec965012b965b3b3b36c818b7a3daf6af4dd1700ceb1de7ba21095b

Download Submit
C:\Windows\System\SsCZZsw.exe

Filesize
5.2MB

MD5
f84f34633fc662a7e0d5a155cf52c540

SHA1
1a49eafe83688e980a5164d9ca09cfa32d6c9e59

SHA256
b348e64592188ee98420652ea10eda4839c5c913b8e4b59947aa50df7add981c

SHA512
bd8900f3728c78bacbd2f605ec908b9cd59dde4ce7fa31b4e2aaadacd4c0a93704e6eb2a2c2254a8dbc4ed11a39ee7f3aa40776d691d2a64061f475ff776e22a

Download Submit
C:\Windows\System\TWjrjBp.exe

Filesize
5.2MB

MD5
27b747c98d8859f6523d00d512cd37a7

SHA1
c3561b168bba7ffc3fb6b4ea9bc2d15a23a7c5b9

SHA256
af7a2cf8e14628346527f0f47526e053320fb487441b2a31023c7da81cb7a451

SHA512
ebf853f7711a26caa4d8613859581711b6bb2f5b652b8893b164ec149a5339442ad94c848a3788af87bd2024032c75e38d7ec5fa8d81c8e7c1362bdb40b3ccc2

Download Submit
C:\Windows\System\TfFEbMw.exe

Filesize
5.2MB

MD5
ae24e32c3f262535e50a6caf1b289886

SHA1
db9f1ce4d5f525c0723ec98cb76afdc05ef8233f

SHA256
75917d74989a688c28f394e2e07358117647bd3a9b706e4da79d8e5f217fdc99

SHA512
f9b9fd4ebf3f6331dc2e7e80c8c2fee2b91ab109057b4cf35e8fb348361ba50cae0e30732620cada71778313b98cbf1c58dc2d6973a9ebb5a8df9ccf4158987e

Download Submit
C:\Windows\System\UxBEhuq.exe

Filesize
5.2MB

MD5
7c9926074372e209363e7d25527ed9a8

SHA1
484bb7c4053ed9767ace3cd86c7d5e1a4f857bd0

SHA256
15864b6901a323ac3fbf536705ce7fde67f17d7ccdae0c5de15d7989ac238595

SHA512
95bc7bf24a1c108258bc7a56c2d230bc6c4f56bb5d155e63dd5047420667e9e141b5c7a3d7c8dadeb5f05165dcf518a7cef99c43b0ea60e7be4bb1d9687ba4ee

Download Submit
C:\Windows\System\VBwdnWP.exe

Filesize
5.2MB

MD5
6c3443351227bf1e3e6c46c269ac64c4

SHA1
0b8098d91a0befc164cb36ccfd87ffb45be843f0

SHA256
9339162e6313d69fe1bad1a9fc89f408293a38bbad323e5fb227efc79cfa2169

SHA512
2deb55193c5d0bf03c8d57709c0e366face4713d1fc212de6d538113e36ee9f069bcb15177cb9d9e8f77cd1513993f3bf9212d64fd5daae617fa28b22a9d79e6

Download Submit
C:\Windows\System\XgduDSM.exe

Filesize
5.2MB

MD5
6febdbfadb2842d8d3b7a4eab7892f63

SHA1
f46beaeaf07a06ba34a3ffbdc307212a6248b00e

SHA256
abe7b843e5a316a66c357d90e164df5735ca69d5c899cf39fcc32253e54939bd

SHA512
a276c0efcad3d7e9c7440a19fc81f6f270c23ba15976ea7c03ae77391588546a126189b1014336e8b875bf519ebdfde5c0235081e0aa9cd73112d0257a73e53a

Download Submit
C:\Windows\System\XtcKTQw.exe

Filesize
5.2MB

MD5
7be018f838ca7f82be7ce737a994a6ee

SHA1
6596b12b82140adfc1cf40bda247f54e28677f06

SHA256
de808107aa03e0b81862d461873851c7b56c3bfe144ed13b54e5629862b1fd50

SHA512
3db01831e3ff1c809844c3da159f6aadc7a375e190d4e2f765db3623c35424c6bbcec9fc95fb26295a187b2c1921a1b4a7ad4cf7d4e21a8656803b79e46dbf2b

Download Submit
C:\Windows\System\bizpSQL.exe

Filesize
5.2MB

MD5
44d6f7eb0caa4fd00114ff0a9a1a404d

SHA1
3e05faedf72b46cba6353c728d239e20ccf82ab2

SHA256
e01acf8ea68198ab49bd8ed80886973ebfaf4c66976e5dd94292701b5ee0db52

SHA512
31403e9dcf1fe7e4c2e414da64a15dbc5c19fe516ab40400094a97297c700fd2c888e6186be23dbc98104242cd06d816d7f536c71d32e3e00109d1bc5d160adf

Download Submit
C:\Windows\System\hJfSNzg.exe

Filesize
5.2MB

MD5
60abec0f4ea81945e3a8246730c4a377

SHA1
be53f826253d219cd4166a5100eaee348f44c69f

SHA256
bfb573bf26bfd5dd90e42d9b3d4c5a6408c3912138ebae796d7be2f0164ad1b7

SHA512
d7b26555b90d2b4bc41bd547ec3389a082a60fd7a861086d60ed7e074c13b21afe819e24e96f0feb994444e9912206dfb25595bc0be9efa2d8737540ddb79b0f

Download Submit
C:\Windows\System\lnMgvAM.exe

Filesize
5.2MB

MD5
e32fa9a5067cb3fdfc9da14b1abbbd8a

SHA1
bd28d73a408288d029aedcbded84ce97cf38956a

SHA256
1cf9b70523527ce0dee4afbd98c6d43614c6d78c5be195220c0560a81b96e630

SHA512
779623d15f30962a94efd9c63ea428e46c39b3273e0b7e90b3f037033b2d6603b4ae73d008b9ae3122a5a1968acd5c35fbefef26b136dbf3466efa7ac8e9d1dc

Download Submit
C:\Windows\System\pUiJmRV.exe

Filesize
5.2MB

MD5
3c23ada8add8e48cdfa0ef6fad0f67c2

SHA1
05cd4853f0b92f0ed37b31d7eb9e88d5a6cf58db

SHA256
6562d3d3311a46c405c0d3b7c731672330da267394ae14071cdae696e8b7dfc6

SHA512
6fe46d147edde8d511a176a0759563305a262249a3f342e2922f5d27d51f67a286224aedf3157582da892f20ccf8f95bef546004cdb08a730d97b049cb613425

Download Submit
C:\Windows\System\pftIPNo.exe

Filesize
5.2MB

MD5
b2fac716b70aac1112c924e398ae3dde

SHA1
0ced1264fd4c9fd7154fdae0a74350d568a347e8

SHA256
51dd56d319c0ea60c20fd9e44168a67a89e64f05315adae10d788351a8e9093c

SHA512
c1aef88095f14aae1651b324ab48886b3dc5b83bf6c4c746bde440162ce5d1c6b3573c40f607d02bc8f85cb8927e8b0e416ba2770003397b10c4b2d88d3c79ba

Download Submit
C:\Windows\System\vEBsdRg.exe

Filesize
5.2MB

MD5
c9c2cd5d2fa8b8573c3940fe8d1df1ed

SHA1
c950cc66205e1fe81d0a6d91845d323b3e17f8ec

SHA256
28ba79db9d619bb3c562d458bb4b8bfc00a30aeb8f309bf912f62df3e655213d

SHA512
1e2678981c808d32b97417151abcb28358326106722d436bfeb11addfa8ecfbde30d699ecbf51160cc641c0efceeb4e92f0b4c40ff700996a4fd797189bf1df2

Download Submit
memory/60-63-0x00007FF72E020000-0x00007FF72E371000-memory.dmp

Filesize
3.3MB

Download
memory/60-140-0x00007FF72E020000-0x00007FF72E371000-memory.dmp

Filesize
3.3MB

Download
memory/60-233-0x00007FF72E020000-0x00007FF72E371000-memory.dmp

Filesize
3.3MB

Download
memory/116-127-0x00007FF7B0A60000-0x00007FF7B0DB1000-memory.dmp

Filesize
3.3MB

Download
memory/116-265-0x00007FF7B0A60000-0x00007FF7B0DB1000-memory.dmp

Filesize
3.3MB

Download
memory/116-165-0x00007FF7B0A60000-0x00007FF7B0DB1000-memory.dmp

Filesize
3.3MB

Download
memory/208-243-0x00007FF62EB90000-0x00007FF62EEE1000-memory.dmp

Filesize
3.3MB

Download
memory/208-98-0x00007FF62EB90000-0x00007FF62EEE1000-memory.dmp

Filesize
3.3MB

Download
memory/880-87-0x00007FF7B0530000-0x00007FF7B0881000-memory.dmp

Filesize
3.3MB

Download
memory/880-248-0x00007FF7B0530000-0x00007FF7B0881000-memory.dmp

Filesize
3.3MB

Download
memory/880-147-0x00007FF7B0530000-0x00007FF7B0881000-memory.dmp

Filesize
3.3MB

Download
memory/1212-245-0x00007FF6748B0000-0x00007FF674C01000-memory.dmp

Filesize
3.3MB

Download
memory/1212-84-0x00007FF6748B0000-0x00007FF674C01000-memory.dmp

Filesize
3.3MB

Download
memory/1212-144-0x00007FF6748B0000-0x00007FF674C01000-memory.dmp

Filesize
3.3MB

Download
memory/1344-36-0x00007FF766740000-0x00007FF766A91000-memory.dmp

Filesize
3.3MB

Download
memory/1344-223-0x00007FF766740000-0x00007FF766A91000-memory.dmp

Filesize
3.3MB

Download
memory/1496-225-0x00007FF737660000-0x00007FF7379B1000-memory.dmp

Filesize
3.3MB

Download
memory/1496-47-0x00007FF737660000-0x00007FF7379B1000-memory.dmp

Filesize
3.3MB

Download
memory/1668-238-0x00007FF6E89D0000-0x00007FF6E8D21000-memory.dmp

Filesize
3.3MB

Download
memory/1668-143-0x00007FF6E89D0000-0x00007FF6E8D21000-memory.dmp

Filesize
3.3MB

Download
memory/1668-72-0x00007FF6E89D0000-0x00007FF6E8D21000-memory.dmp

Filesize
3.3MB

Download
memory/1812-53-0x00007FF6B7FE0000-0x00007FF6B8331000-memory.dmp

Filesize
3.3MB

Download
memory/1812-129-0x00007FF6B7FE0000-0x00007FF6B8331000-memory.dmp

Filesize
3.3MB

Download
memory/1812-234-0x00007FF6B7FE0000-0x00007FF6B8331000-memory.dmp

Filesize
3.3MB

Download
memory/1892-97-0x00007FF685ED0000-0x00007FF686221000-memory.dmp

Filesize
3.3MB

Download
memory/1892-246-0x00007FF685ED0000-0x00007FF686221000-memory.dmp

Filesize
3.3MB

Download
memory/2084-257-0x00007FF630A80000-0x00007FF630DD1000-memory.dmp

Filesize
3.3MB

Download
memory/2084-109-0x00007FF630A80000-0x00007FF630DD1000-memory.dmp

Filesize
3.3MB

Download
memory/2104-261-0x00007FF7EE170000-0x00007FF7EE4C1000-memory.dmp

Filesize
3.3MB

Download
memory/2104-121-0x00007FF7EE170000-0x00007FF7EE4C1000-memory.dmp

Filesize
3.3MB

Download
memory/2340-241-0x00007FF6D63C0000-0x00007FF6D6711000-memory.dmp

Filesize
3.3MB

Download
memory/2340-85-0x00007FF6D63C0000-0x00007FF6D6711000-memory.dmp

Filesize
3.3MB

Download
memory/2396-24-0x00007FF651390000-0x00007FF6516E1000-memory.dmp

Filesize
3.3MB

Download
memory/2396-219-0x00007FF651390000-0x00007FF6516E1000-memory.dmp

Filesize
3.3MB

Download
memory/2396-124-0x00007FF651390000-0x00007FF6516E1000-memory.dmp

Filesize
3.3MB

Download
memory/2960-116-0x00007FF66E020000-0x00007FF66E371000-memory.dmp

Filesize
3.3MB

Download
memory/2960-215-0x00007FF66E020000-0x00007FF66E371000-memory.dmp

Filesize
3.3MB

Download
memory/2960-7-0x00007FF66E020000-0x00007FF66E371000-memory.dmp

Filesize
3.3MB

Download
memory/3564-175-0x00007FF602010000-0x00007FF602361000-memory.dmp

Filesize
3.3MB

Download
memory/3564-107-0x00007FF602010000-0x00007FF602361000-memory.dmp

Filesize
3.3MB

Download
memory/3564-0-0x00007FF602010000-0x00007FF602361000-memory.dmp

Filesize
3.3MB

Download
memory/3564-152-0x00007FF602010000-0x00007FF602361000-memory.dmp

Filesize
3.3MB

Download
memory/3564-1-0x0000022DC2C20000-0x0000022DC2C30000-memory.dmp

Filesize
64KB

Download
memory/3964-163-0x00007FF72CDE0000-0x00007FF72D131000-memory.dmp

Filesize
3.3MB

Download
memory/3964-264-0x00007FF72CDE0000-0x00007FF72D131000-memory.dmp

Filesize
3.3MB

Download
memory/3964-131-0x00007FF72CDE0000-0x00007FF72D131000-memory.dmp

Filesize
3.3MB

Download
memory/4004-64-0x00007FF69FB90000-0x00007FF69FEE1000-memory.dmp

Filesize
3.3MB

Download
memory/4004-236-0x00007FF69FB90000-0x00007FF69FEE1000-memory.dmp

Filesize
3.3MB

Download
memory/4612-151-0x00007FF7B3100000-0x00007FF7B3451000-memory.dmp

Filesize
3.3MB

Download
memory/4612-115-0x00007FF7B3100000-0x00007FF7B3451000-memory.dmp

Filesize
3.3MB

Download
memory/4612-259-0x00007FF7B3100000-0x00007FF7B3451000-memory.dmp

Filesize
3.3MB

Download
memory/4624-123-0x00007FF6A2610000-0x00007FF6A2961000-memory.dmp

Filesize
3.3MB

Download
memory/4624-217-0x00007FF6A2610000-0x00007FF6A2961000-memory.dmp

Filesize
3.3MB

Download
memory/4624-15-0x00007FF6A2610000-0x00007FF6A2961000-memory.dmp

Filesize
3.3MB

Download
memory/4972-42-0x00007FF7D5C20000-0x00007FF7D5F71000-memory.dmp

Filesize
3.3MB

Download
memory/4972-221-0x00007FF7D5C20000-0x00007FF7D5F71000-memory.dmp

Filesize
3.3MB

Download
memory/5032-250-0x00007FF7F7A70000-0x00007FF7F7DC1000-memory.dmp

Filesize
3.3MB

Download
memory/5032-148-0x00007FF7F7A70000-0x00007FF7F7DC1000-memory.dmp

Filesize
3.3MB

Download
memory/5032-92-0x00007FF7F7A70000-0x00007FF7F7DC1000-memory.dmp

Filesize
3.3MB

Download