cobaltstrike | 261e08362e4a8aa8f2a0566cca0f243c04aaf3da528f8992ed6d60ee2d4ed68f

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-12-2024 11:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-12_a5db4d1bd216e28713ed8a7bda8ce7b8_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

a5db4d1bd216e28713ed8a7bda8ce7b8
SHA1

21b91cf4daa744ca59984ab971fba39eb2a2a6d2
SHA256

261e08362e4a8aa8f2a0566cca0f243c04aaf3da528f8992ed6d60ee2d4ed68f
SHA512

0f62be2412faf1a6dda7dee8ed08b35ddca5573dd5eeb2d5dd1a891347502e6d427e650f284c4072b493c3b9b683872b0402818c273766e9e8fdac33dae45a18
SSDEEP

49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l1:RWWBibd56utgpPFotBER/mQ32lUJ

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0008000000023c71-4.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c76-9.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c77-21.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c78-28.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c79-37.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c75-13.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c7a-41.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c72-47.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c7c-63.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c7f-82.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c81-91.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c85-119.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c87-132.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c86-135.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c84-122.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c83-115.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c82-105.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c80-97.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c7e-78.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c7d-69.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c7b-57.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/1384-53-0x00007FF648EA0000-0x00007FF6491F1000-memory.dmp	xmrig
behavioral2/memory/4108-54-0x00007FF7E8DD0000-0x00007FF7E9121000-memory.dmp	xmrig
behavioral2/memory/4616-110-0x00007FF6D3DB0000-0x00007FF6D4101000-memory.dmp	xmrig
behavioral2/memory/324-129-0x00007FF750090000-0x00007FF7503E1000-memory.dmp	xmrig
behavioral2/memory/3260-128-0x00007FF60F500000-0x00007FF60F851000-memory.dmp	xmrig
behavioral2/memory/4000-124-0x00007FF6A9530000-0x00007FF6A9881000-memory.dmp	xmrig
behavioral2/memory/3892-117-0x00007FF638840000-0x00007FF638B91000-memory.dmp	xmrig
behavioral2/memory/3236-99-0x00007FF79F2C0000-0x00007FF79F611000-memory.dmp	xmrig
behavioral2/memory/1296-94-0x00007FF629770000-0x00007FF629AC1000-memory.dmp	xmrig
behavioral2/memory/4476-84-0x00007FF798630000-0x00007FF798981000-memory.dmp	xmrig
behavioral2/memory/2740-74-0x00007FF6221E0000-0x00007FF622531000-memory.dmp	xmrig
behavioral2/memory/3512-67-0x00007FF7C4370000-0x00007FF7C46C1000-memory.dmp	xmrig
behavioral2/memory/1384-139-0x00007FF648EA0000-0x00007FF6491F1000-memory.dmp	xmrig
behavioral2/memory/540-152-0x00007FF7F1B50000-0x00007FF7F1EA1000-memory.dmp	xmrig
behavioral2/memory/4404-158-0x00007FF783AA0000-0x00007FF783DF1000-memory.dmp	xmrig
behavioral2/memory/2460-162-0x00007FF688840000-0x00007FF688B91000-memory.dmp	xmrig
behavioral2/memory/1220-160-0x00007FF7CA880000-0x00007FF7CABD1000-memory.dmp	xmrig
behavioral2/memory/5008-159-0x00007FF7FCE10000-0x00007FF7FD161000-memory.dmp	xmrig
behavioral2/memory/1480-157-0x00007FF6AC2D0000-0x00007FF6AC621000-memory.dmp	xmrig
behavioral2/memory/2852-155-0x00007FF7E1CE0000-0x00007FF7E2031000-memory.dmp	xmrig
behavioral2/memory/3964-161-0x00007FF649380000-0x00007FF6496D1000-memory.dmp	xmrig
behavioral2/memory/4944-156-0x00007FF73DA80000-0x00007FF73DDD1000-memory.dmp	xmrig
behavioral2/memory/1388-154-0x00007FF7700E0000-0x00007FF770431000-memory.dmp	xmrig
behavioral2/memory/1384-163-0x00007FF648EA0000-0x00007FF6491F1000-memory.dmp	xmrig
behavioral2/memory/4108-216-0x00007FF7E8DD0000-0x00007FF7E9121000-memory.dmp	xmrig
behavioral2/memory/3512-218-0x00007FF7C4370000-0x00007FF7C46C1000-memory.dmp	xmrig
behavioral2/memory/2740-220-0x00007FF6221E0000-0x00007FF622531000-memory.dmp	xmrig
behavioral2/memory/4476-222-0x00007FF798630000-0x00007FF798981000-memory.dmp	xmrig
behavioral2/memory/3236-226-0x00007FF79F2C0000-0x00007FF79F611000-memory.dmp	xmrig
behavioral2/memory/1296-224-0x00007FF629770000-0x00007FF629AC1000-memory.dmp	xmrig
behavioral2/memory/4616-237-0x00007FF6D3DB0000-0x00007FF6D4101000-memory.dmp	xmrig
behavioral2/memory/3892-240-0x00007FF638840000-0x00007FF638B91000-memory.dmp	xmrig
behavioral2/memory/4000-241-0x00007FF6A9530000-0x00007FF6A9881000-memory.dmp	xmrig
behavioral2/memory/324-244-0x00007FF750090000-0x00007FF7503E1000-memory.dmp	xmrig
behavioral2/memory/3260-245-0x00007FF60F500000-0x00007FF60F851000-memory.dmp	xmrig
behavioral2/memory/540-254-0x00007FF7F1B50000-0x00007FF7F1EA1000-memory.dmp	xmrig
behavioral2/memory/2852-252-0x00007FF7E1CE0000-0x00007FF7E2031000-memory.dmp	xmrig
behavioral2/memory/4944-256-0x00007FF73DA80000-0x00007FF73DDD1000-memory.dmp	xmrig
behavioral2/memory/1480-258-0x00007FF6AC2D0000-0x00007FF6AC621000-memory.dmp	xmrig
behavioral2/memory/4404-260-0x00007FF783AA0000-0x00007FF783DF1000-memory.dmp	xmrig
behavioral2/memory/1220-265-0x00007FF7CA880000-0x00007FF7CABD1000-memory.dmp	xmrig
behavioral2/memory/5008-266-0x00007FF7FCE10000-0x00007FF7FD161000-memory.dmp	xmrig
behavioral2/memory/2460-268-0x00007FF688840000-0x00007FF688B91000-memory.dmp	xmrig
behavioral2/memory/3964-263-0x00007FF649380000-0x00007FF6496D1000-memory.dmp	xmrig
behavioral2/memory/1388-271-0x00007FF7700E0000-0x00007FF770431000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4108	RRBJXxN.exe
3512	uhBpoeN.exe
2740	ejgnoVH.exe
4476	tNyzvMR.exe
1296	ScQBrtU.exe
3236	TEaxrRG.exe
4616	yNFRjxy.exe
3892	ebDHZxa.exe
4000	gzMBbNY.exe
3260	NzvJRAY.exe
324	KQlpbZX.exe
540	iVGgVMr.exe
1388	MvoREeh.exe
2852	ErskifR.exe
4944	cSarKJs.exe
1480	vfMqSfm.exe
4404	mrSFtwT.exe
5008	omYTkhq.exe
1220	kuTCeCX.exe
3964	MdFQhIk.exe
2460	mpUwLfK.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1384-0-0x00007FF648EA0000-0x00007FF6491F1000-memory.dmp	upx
behavioral2/files/0x0008000000023c71-4.dat	upx
behavioral2/files/0x0007000000023c76-9.dat	upx
behavioral2/memory/3512-15-0x00007FF7C4370000-0x00007FF7C46C1000-memory.dmp	upx
behavioral2/files/0x0007000000023c77-21.dat	upx
behavioral2/files/0x0007000000023c78-28.dat	upx
behavioral2/files/0x0007000000023c79-37.dat	upx
behavioral2/memory/3236-36-0x00007FF79F2C0000-0x00007FF79F611000-memory.dmp	upx
behavioral2/memory/1296-32-0x00007FF629770000-0x00007FF629AC1000-memory.dmp	upx
behavioral2/memory/4476-24-0x00007FF798630000-0x00007FF798981000-memory.dmp	upx
behavioral2/memory/2740-20-0x00007FF6221E0000-0x00007FF622531000-memory.dmp	upx
behavioral2/files/0x0007000000023c75-13.dat	upx
behavioral2/memory/4108-11-0x00007FF7E8DD0000-0x00007FF7E9121000-memory.dmp	upx
behavioral2/files/0x0007000000023c7a-41.dat	upx
behavioral2/memory/4616-44-0x00007FF6D3DB0000-0x00007FF6D4101000-memory.dmp	upx
behavioral2/files/0x0008000000023c72-47.dat	upx
behavioral2/memory/3892-48-0x00007FF638840000-0x00007FF638B91000-memory.dmp	upx
behavioral2/memory/1384-53-0x00007FF648EA0000-0x00007FF6491F1000-memory.dmp	upx
behavioral2/memory/4108-54-0x00007FF7E8DD0000-0x00007FF7E9121000-memory.dmp	upx
behavioral2/files/0x0007000000023c7c-63.dat	upx
behavioral2/memory/3260-65-0x00007FF60F500000-0x00007FF60F851000-memory.dmp	upx
behavioral2/files/0x0007000000023c7f-82.dat	upx
behavioral2/files/0x0007000000023c81-91.dat	upx
behavioral2/memory/4616-110-0x00007FF6D3DB0000-0x00007FF6D4101000-memory.dmp	upx
behavioral2/files/0x0007000000023c85-119.dat	upx
behavioral2/files/0x0007000000023c87-132.dat	upx
behavioral2/files/0x0007000000023c86-135.dat	upx
behavioral2/memory/2460-134-0x00007FF688840000-0x00007FF688B91000-memory.dmp	upx
behavioral2/memory/3964-133-0x00007FF649380000-0x00007FF6496D1000-memory.dmp	upx
behavioral2/memory/324-129-0x00007FF750090000-0x00007FF7503E1000-memory.dmp	upx
behavioral2/memory/3260-128-0x00007FF60F500000-0x00007FF60F851000-memory.dmp	upx
behavioral2/memory/1220-127-0x00007FF7CA880000-0x00007FF7CABD1000-memory.dmp	upx
behavioral2/memory/4000-124-0x00007FF6A9530000-0x00007FF6A9881000-memory.dmp	upx
behavioral2/files/0x0007000000023c84-122.dat	upx
behavioral2/memory/5008-118-0x00007FF7FCE10000-0x00007FF7FD161000-memory.dmp	upx
behavioral2/memory/3892-117-0x00007FF638840000-0x00007FF638B91000-memory.dmp	upx
behavioral2/files/0x0007000000023c83-115.dat	upx
behavioral2/memory/4404-111-0x00007FF783AA0000-0x00007FF783DF1000-memory.dmp	upx
behavioral2/files/0x0007000000023c82-105.dat	upx
behavioral2/memory/1480-100-0x00007FF6AC2D0000-0x00007FF6AC621000-memory.dmp	upx
behavioral2/memory/3236-99-0x00007FF79F2C0000-0x00007FF79F611000-memory.dmp	upx
behavioral2/files/0x0007000000023c80-97.dat	upx
behavioral2/memory/4944-95-0x00007FF73DA80000-0x00007FF73DDD1000-memory.dmp	upx
behavioral2/memory/1296-94-0x00007FF629770000-0x00007FF629AC1000-memory.dmp	upx
behavioral2/memory/2852-89-0x00007FF7E1CE0000-0x00007FF7E2031000-memory.dmp	upx
behavioral2/memory/1388-85-0x00007FF7700E0000-0x00007FF770431000-memory.dmp	upx
behavioral2/memory/4476-84-0x00007FF798630000-0x00007FF798981000-memory.dmp	upx
behavioral2/files/0x0007000000023c7e-78.dat	upx
behavioral2/memory/540-75-0x00007FF7F1B50000-0x00007FF7F1EA1000-memory.dmp	upx
behavioral2/memory/2740-74-0x00007FF6221E0000-0x00007FF622531000-memory.dmp	upx
behavioral2/files/0x0007000000023c7d-69.dat	upx
behavioral2/memory/3512-67-0x00007FF7C4370000-0x00007FF7C46C1000-memory.dmp	upx
behavioral2/memory/324-66-0x00007FF750090000-0x00007FF7503E1000-memory.dmp	upx
behavioral2/memory/4000-60-0x00007FF6A9530000-0x00007FF6A9881000-memory.dmp	upx
behavioral2/files/0x0007000000023c7b-57.dat	upx
behavioral2/memory/1384-139-0x00007FF648EA0000-0x00007FF6491F1000-memory.dmp	upx
behavioral2/memory/540-152-0x00007FF7F1B50000-0x00007FF7F1EA1000-memory.dmp	upx
behavioral2/memory/4404-158-0x00007FF783AA0000-0x00007FF783DF1000-memory.dmp	upx
behavioral2/memory/2460-162-0x00007FF688840000-0x00007FF688B91000-memory.dmp	upx
behavioral2/memory/1220-160-0x00007FF7CA880000-0x00007FF7CABD1000-memory.dmp	upx
behavioral2/memory/5008-159-0x00007FF7FCE10000-0x00007FF7FD161000-memory.dmp	upx
behavioral2/memory/1480-157-0x00007FF6AC2D0000-0x00007FF6AC621000-memory.dmp	upx
behavioral2/memory/2852-155-0x00007FF7E1CE0000-0x00007FF7E2031000-memory.dmp	upx
behavioral2/memory/3964-161-0x00007FF649380000-0x00007FF6496D1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\iVGgVMr.exe	2024-12-12_a5db4d1bd216e28713ed8a7bda8ce7b8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ErskifR.exe	2024-12-12_a5db4d1bd216e28713ed8a7bda8ce7b8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kuTCeCX.exe	2024-12-12_a5db4d1bd216e28713ed8a7bda8ce7b8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RRBJXxN.exe	2024-12-12_a5db4d1bd216e28713ed8a7bda8ce7b8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gzMBbNY.exe	2024-12-12_a5db4d1bd216e28713ed8a7bda8ce7b8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NzvJRAY.exe	2024-12-12_a5db4d1bd216e28713ed8a7bda8ce7b8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TEaxrRG.exe	2024-12-12_a5db4d1bd216e28713ed8a7bda8ce7b8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vfMqSfm.exe	2024-12-12_a5db4d1bd216e28713ed8a7bda8ce7b8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MdFQhIk.exe	2024-12-12_a5db4d1bd216e28713ed8a7bda8ce7b8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uhBpoeN.exe	2024-12-12_a5db4d1bd216e28713ed8a7bda8ce7b8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tNyzvMR.exe	2024-12-12_a5db4d1bd216e28713ed8a7bda8ce7b8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ScQBrtU.exe	2024-12-12_a5db4d1bd216e28713ed8a7bda8ce7b8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mrSFtwT.exe	2024-12-12_a5db4d1bd216e28713ed8a7bda8ce7b8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\omYTkhq.exe	2024-12-12_a5db4d1bd216e28713ed8a7bda8ce7b8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mpUwLfK.exe	2024-12-12_a5db4d1bd216e28713ed8a7bda8ce7b8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ejgnoVH.exe	2024-12-12_a5db4d1bd216e28713ed8a7bda8ce7b8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ebDHZxa.exe	2024-12-12_a5db4d1bd216e28713ed8a7bda8ce7b8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KQlpbZX.exe	2024-12-12_a5db4d1bd216e28713ed8a7bda8ce7b8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yNFRjxy.exe	2024-12-12_a5db4d1bd216e28713ed8a7bda8ce7b8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MvoREeh.exe	2024-12-12_a5db4d1bd216e28713ed8a7bda8ce7b8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cSarKJs.exe	2024-12-12_a5db4d1bd216e28713ed8a7bda8ce7b8_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1384	2024-12-12_a5db4d1bd216e28713ed8a7bda8ce7b8_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	1384	2024-12-12_a5db4d1bd216e28713ed8a7bda8ce7b8_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1384 wrote to memory of 4108	1384	2024-12-12_a5db4d1bd216e28713ed8a7bda8ce7b8_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 1384 wrote to memory of 4108	1384	2024-12-12_a5db4d1bd216e28713ed8a7bda8ce7b8_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 1384 wrote to memory of 3512	1384	2024-12-12_a5db4d1bd216e28713ed8a7bda8ce7b8_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 1384 wrote to memory of 3512	1384	2024-12-12_a5db4d1bd216e28713ed8a7bda8ce7b8_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 1384 wrote to memory of 2740	1384	2024-12-12_a5db4d1bd216e28713ed8a7bda8ce7b8_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 1384 wrote to memory of 2740	1384	2024-12-12_a5db4d1bd216e28713ed8a7bda8ce7b8_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 1384 wrote to memory of 4476	1384	2024-12-12_a5db4d1bd216e28713ed8a7bda8ce7b8_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 1384 wrote to memory of 4476	1384	2024-12-12_a5db4d1bd216e28713ed8a7bda8ce7b8_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 1384 wrote to memory of 1296	1384	2024-12-12_a5db4d1bd216e28713ed8a7bda8ce7b8_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 1384 wrote to memory of 1296	1384	2024-12-12_a5db4d1bd216e28713ed8a7bda8ce7b8_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 1384 wrote to memory of 3236	1384	2024-12-12_a5db4d1bd216e28713ed8a7bda8ce7b8_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 1384 wrote to memory of 3236	1384	2024-12-12_a5db4d1bd216e28713ed8a7bda8ce7b8_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 1384 wrote to memory of 4616	1384	2024-12-12_a5db4d1bd216e28713ed8a7bda8ce7b8_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1384 wrote to memory of 4616	1384	2024-12-12_a5db4d1bd216e28713ed8a7bda8ce7b8_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1384 wrote to memory of 3892	1384	2024-12-12_a5db4d1bd216e28713ed8a7bda8ce7b8_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1384 wrote to memory of 3892	1384	2024-12-12_a5db4d1bd216e28713ed8a7bda8ce7b8_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1384 wrote to memory of 4000	1384	2024-12-12_a5db4d1bd216e28713ed8a7bda8ce7b8_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1384 wrote to memory of 4000	1384	2024-12-12_a5db4d1bd216e28713ed8a7bda8ce7b8_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1384 wrote to memory of 3260	1384	2024-12-12_a5db4d1bd216e28713ed8a7bda8ce7b8_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1384 wrote to memory of 3260	1384	2024-12-12_a5db4d1bd216e28713ed8a7bda8ce7b8_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1384 wrote to memory of 324	1384	2024-12-12_a5db4d1bd216e28713ed8a7bda8ce7b8_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 1384 wrote to memory of 324	1384	2024-12-12_a5db4d1bd216e28713ed8a7bda8ce7b8_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 1384 wrote to memory of 540	1384	2024-12-12_a5db4d1bd216e28713ed8a7bda8ce7b8_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1384 wrote to memory of 540	1384	2024-12-12_a5db4d1bd216e28713ed8a7bda8ce7b8_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1384 wrote to memory of 1388	1384	2024-12-12_a5db4d1bd216e28713ed8a7bda8ce7b8_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1384 wrote to memory of 1388	1384	2024-12-12_a5db4d1bd216e28713ed8a7bda8ce7b8_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1384 wrote to memory of 2852	1384	2024-12-12_a5db4d1bd216e28713ed8a7bda8ce7b8_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 1384 wrote to memory of 2852	1384	2024-12-12_a5db4d1bd216e28713ed8a7bda8ce7b8_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 1384 wrote to memory of 4944	1384	2024-12-12_a5db4d1bd216e28713ed8a7bda8ce7b8_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1384 wrote to memory of 4944	1384	2024-12-12_a5db4d1bd216e28713ed8a7bda8ce7b8_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1384 wrote to memory of 1480	1384	2024-12-12_a5db4d1bd216e28713ed8a7bda8ce7b8_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1384 wrote to memory of 1480	1384	2024-12-12_a5db4d1bd216e28713ed8a7bda8ce7b8_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1384 wrote to memory of 4404	1384	2024-12-12_a5db4d1bd216e28713ed8a7bda8ce7b8_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1384 wrote to memory of 4404	1384	2024-12-12_a5db4d1bd216e28713ed8a7bda8ce7b8_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1384 wrote to memory of 5008	1384	2024-12-12_a5db4d1bd216e28713ed8a7bda8ce7b8_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1384 wrote to memory of 5008	1384	2024-12-12_a5db4d1bd216e28713ed8a7bda8ce7b8_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1384 wrote to memory of 1220	1384	2024-12-12_a5db4d1bd216e28713ed8a7bda8ce7b8_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1384 wrote to memory of 1220	1384	2024-12-12_a5db4d1bd216e28713ed8a7bda8ce7b8_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1384 wrote to memory of 3964	1384	2024-12-12_a5db4d1bd216e28713ed8a7bda8ce7b8_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 1384 wrote to memory of 3964	1384	2024-12-12_a5db4d1bd216e28713ed8a7bda8ce7b8_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 1384 wrote to memory of 2460	1384	2024-12-12_a5db4d1bd216e28713ed8a7bda8ce7b8_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 1384 wrote to memory of 2460	1384	2024-12-12_a5db4d1bd216e28713ed8a7bda8ce7b8_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-12-12_a5db4d1bd216e28713ed8a7bda8ce7b8_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-12_a5db4d1bd216e28713ed8a7bda8ce7b8_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1384
- C:\Windows\System\RRBJXxN.exe
  C:\Windows\System\RRBJXxN.exe
  2⤵
  - Executes dropped EXE
  PID:4108
- C:\Windows\System\uhBpoeN.exe
  C:\Windows\System\uhBpoeN.exe
  2⤵
  - Executes dropped EXE
  PID:3512
- C:\Windows\System\ejgnoVH.exe
  C:\Windows\System\ejgnoVH.exe
  2⤵
  - Executes dropped EXE
  PID:2740
- C:\Windows\System\tNyzvMR.exe
  C:\Windows\System\tNyzvMR.exe
  2⤵
  - Executes dropped EXE
  PID:4476
- C:\Windows\System\ScQBrtU.exe
  C:\Windows\System\ScQBrtU.exe
  2⤵
  - Executes dropped EXE
  PID:1296
- C:\Windows\System\TEaxrRG.exe
  C:\Windows\System\TEaxrRG.exe
  2⤵
  - Executes dropped EXE
  PID:3236
- C:\Windows\System\yNFRjxy.exe
  C:\Windows\System\yNFRjxy.exe
  2⤵
  - Executes dropped EXE
  PID:4616
- C:\Windows\System\ebDHZxa.exe
  C:\Windows\System\ebDHZxa.exe
  2⤵
  - Executes dropped EXE
  PID:3892
- C:\Windows\System\gzMBbNY.exe
  C:\Windows\System\gzMBbNY.exe
  2⤵
  - Executes dropped EXE
  PID:4000
- C:\Windows\System\NzvJRAY.exe
  C:\Windows\System\NzvJRAY.exe
  2⤵
  - Executes dropped EXE
  PID:3260
- C:\Windows\System\KQlpbZX.exe
  C:\Windows\System\KQlpbZX.exe
  2⤵
  - Executes dropped EXE
  PID:324
- C:\Windows\System\iVGgVMr.exe
  C:\Windows\System\iVGgVMr.exe
  2⤵
  - Executes dropped EXE
  PID:540
- C:\Windows\System\MvoREeh.exe
  C:\Windows\System\MvoREeh.exe
  2⤵
  - Executes dropped EXE
  PID:1388
- C:\Windows\System\ErskifR.exe
  C:\Windows\System\ErskifR.exe
  2⤵
  - Executes dropped EXE
  PID:2852
- C:\Windows\System\cSarKJs.exe
  C:\Windows\System\cSarKJs.exe
  2⤵
  - Executes dropped EXE
  PID:4944
- C:\Windows\System\vfMqSfm.exe
  C:\Windows\System\vfMqSfm.exe
  2⤵
  - Executes dropped EXE
  PID:1480
- C:\Windows\System\mrSFtwT.exe
  C:\Windows\System\mrSFtwT.exe
  2⤵
  - Executes dropped EXE
  PID:4404
- C:\Windows\System\omYTkhq.exe
  C:\Windows\System\omYTkhq.exe
  2⤵
  - Executes dropped EXE
  PID:5008
- C:\Windows\System\kuTCeCX.exe
  C:\Windows\System\kuTCeCX.exe
  2⤵
  - Executes dropped EXE
  PID:1220
- C:\Windows\System\MdFQhIk.exe
  C:\Windows\System\MdFQhIk.exe
  2⤵
  - Executes dropped EXE
  PID:3964
- C:\Windows\System\mpUwLfK.exe
  C:\Windows\System\mpUwLfK.exe
  2⤵
  - Executes dropped EXE
  PID:2460

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\ErskifR.exe

Filesize
5.2MB

MD5
6d4b2fcd5e238477894bd9189b04da85

SHA1
a43a76ab24513ead8103615e200ee07efe412a7f

SHA256
44b88e5c5a2ba40d0c015c3591925f04ef1aa3de683aa1f2bd2049e48927b7b5

SHA512
30f78df59d36b093739473ce8931230e889f7f85f5e95ba7835cf2a4c1a497fa9e5446dd708dd3ac7112873580380189a6aadbe0195d0bd77271c1b22c1b6d26

Download Submit
C:\Windows\System\KQlpbZX.exe

Filesize
5.2MB

MD5
b267b804c186288b5842175a00755c1e

SHA1
7378664f61a54c8122183311f251ec49cae36728

SHA256
b2d1fbf2b72935b6763ede784cfdaca4998bbabd8e11562a1f6b5cadcae1407e

SHA512
7b3e589ae18d46cc99e51be1d996ccc3acc6ed97d4b62ca318b36668179b95ec41a67f10bb6750b59c33aea7a44d144404421fce1097a786800f95349cb2dc53

Download Submit
C:\Windows\System\MdFQhIk.exe

Filesize
5.2MB

MD5
e1853982b5eee7fdf368fbb09ed2c095

SHA1
6e131b1de28243fb639aaa90fc82aa2cf33b6745

SHA256
467b09623f5657fa5d621106689d2d3d98367200028b40b21c9a56a7c58859ce

SHA512
21c46b3ba177fa9657834e33745c1796ae19b78110b2a5e4d46b0a05d16138bfae679d611e620c621bb6e6e35ab7904646c013189125ce4cc75052e934454be8

Download Submit
C:\Windows\System\MvoREeh.exe

Filesize
5.2MB

MD5
7402f40a4fb714c91c3cd9f7d3e09f00

SHA1
dc129418672592367f4d9028dae8df850183f8a9

SHA256
6baa731fdfc9db08b2c3aabcc7afc0ed785f6d8e2f9579fb5c27ba5106ffef48

SHA512
3df5809b042d5bac39e2c76c152c64cffa640a67130233f5ccc2c0e8e4285628d2970f3704f4dca861f70be9be9f21c4a711e6dad0a9b654db2cb6058fcf05cd

Download Submit
C:\Windows\System\NzvJRAY.exe

Filesize
5.2MB

MD5
2ff1eb5f93a343d2baf7d11b13fcc6d7

SHA1
1db3a7e1da67a2b2242e12d0efc4498909fe1ef9

SHA256
a8053ceefa172de7a55b8aca49a56fad67efb4639442ffccc3465fae50332f69

SHA512
fe6bc9c1ad36f23820d12e2866c90c271070821e9ae54fa885f1323a81481ba2a0c11e57fd6e48887f57583233630906be80d1335b7704940eeabaf2cda5d04d

Download Submit
C:\Windows\System\RRBJXxN.exe

Filesize
5.2MB

MD5
575032e13223b253d43f5904843b333b

SHA1
618e436913b867c776ce9d81ebe9ad7c5407fa7f

SHA256
37e9f7b20b49bb6cbfe113f6b17d2da8dbf6346f53e69063b8fb4eb70f9f7662

SHA512
50270ea69ff0967076466010749177c51357c19cf36797e3b72332d12c4967b744bcd9bff7b5f2056481be8c7b3108cd387f1a7afd4c0a5de67954a1e13c90c8

Download Submit
C:\Windows\System\ScQBrtU.exe

Filesize
5.2MB

MD5
42b50ddd795efedfffc338064891ef67

SHA1
f81be01869d3f4357e2d801cf4f21050b6584b8c

SHA256
ab01bc2cf49990853f2ec145c62987592339c06f9894bfdf294208cccfa81584

SHA512
c2e03d1679cd67afde32c9acba92afd59cc14ed6cebb2568811badc0861fd5d32e27bfc98030283f05e6af053523a8f1d776d3e8417b77ddc3b50623c5005f3c

Download Submit
C:\Windows\System\TEaxrRG.exe

Filesize
5.2MB

MD5
168e07052ef0640eddee06f7de70e5b8

SHA1
a9eadabab40d3e9dd046f52f4d46bbf76701c419

SHA256
b0084c4d8bba81720a26d177ae5fc451b0908751da1caef67e4312202b6bca06

SHA512
9650bdcd093eccbde9971c278d7e8ac89ad54ff6bac92edb4d8297defc0003fb5faa57e47bb73a1aaf9f5dd49ea6c5e058f4ada389dd1a8c75511ece8f0467ce

Download Submit
C:\Windows\System\cSarKJs.exe

Filesize
5.2MB

MD5
76036c165532a2a608cdb619fe5f0df7

SHA1
0d5f1fea98d35ee68d266061aa0808a3d700e5ae

SHA256
90806064a8414f4aa04f65d6761cd3f91b816ae731fe90053047ff75832252d9

SHA512
68c45dc8f9aad149c15dde5e2460cfa2129d271ecb513e5a5bd6aefb952776ba4e04ab7e7a67655fdf3b9a50ef6b70715d29cee5a55b4399f0bc2d6127c025f1

Download Submit
C:\Windows\System\ebDHZxa.exe

Filesize
5.2MB

MD5
ec893dcc248f703d117b90b6eaa4fafb

SHA1
47f534ce3559e7aa3857f69fb9dbd83967fee467

SHA256
6de19b31f9a5b5e20dc533cf4a1d0f593c176bec10e3f8807610067942842f71

SHA512
f07e669df431f6aa018041d2d096fb73cfe4d108387eb78529bef15068ca1a22ca602f87949c06ffb2452fbaae741051786c1aa7960d154a8186a9143af8df3e

Download Submit
C:\Windows\System\ejgnoVH.exe

Filesize
5.2MB

MD5
04c115051486b67d229261e39122e830

SHA1
7d85c581601c43027d7d2e1cb025ce77d9c5dd81

SHA256
54393171089e2ab2a652d887743fa4ae0af9837d5e5699f2d8960c7f7064d68f

SHA512
12277fbd9db0c388dd5bbb1bf5a5985c6682ef8bb18612e47f54e0ba3cf6fb90371ffd85fa5a3c56359ef95684e6967dbbe6a48e52ba25cb0be4cad8689dec83

Download Submit
C:\Windows\System\gzMBbNY.exe

Filesize
5.2MB

MD5
fbfbe26bf1df490d1cd90895a363e8f8

SHA1
ca8c7dba15b84e5d0353ebfef9b0070b1adac6bc

SHA256
22f428ae0601204ce089e151ed4c59726959a1898af968ab3f950417869ab78c

SHA512
4f828b28cfbe3cc177725d33bb0d4fe4c7b48ad9f7928b056aecd9449af7572387d9204e438aff6d0f728ef56818643d14c70f1245fb79c78281841a0946b07f

Download Submit
C:\Windows\System\iVGgVMr.exe

Filesize
5.2MB

MD5
c85efc584e8f4bde2ad07c29e7b0a7c6

SHA1
6e7c71c0a7c3f42367979c7394a1c31720aee74d

SHA256
118b487ab28cf808fc4c76770c10bfba344025aad375e274558b54ad730572a9

SHA512
afc7fba74e135b81ca0de629a4e6bae445598822af0f614c32d38d79a4968dcfcf97778000a68152e049771273db33a49a02227abaf8f1ff378ac8f60c15cd92

Download Submit
C:\Windows\System\kuTCeCX.exe

Filesize
5.2MB

MD5
42d5b586bc615f1c37665a63578460b2

SHA1
4ce01b0e8a0d42e19ff6d384b5ab7714e8e7aa11

SHA256
727ba24ca0a418357d239bed3fe9ea9629bfef7df5d4a468fa629824b2e1ad0a

SHA512
22432966741a8d9341787c10d6085337cf099fabba0bf0f949f6ef2e83e63b8070a3779c5a65b1e4bf38c4e699544940809f5f0709ccbe22ec0663c7bdeea1a5

Download Submit
C:\Windows\System\mpUwLfK.exe

Filesize
5.2MB

MD5
2e2d4fa974b45784b4257785104a850d

SHA1
42e5a0db5690ecdad8f11564f29cb6fbdb0ebbaf

SHA256
52925cff4b1de1a74d76667a9e886b118d0b5bc7ff38f09f1b2e75608f888122

SHA512
7d073e31bd7519c3014a914ed7e2177384d14076e885b7912aad9f85c6b39829b79bad0f11f2232e45867dd13f9301620ad34d8c037072c4f4ac44ddcd7a9874

Download Submit
C:\Windows\System\mrSFtwT.exe

Filesize
5.2MB

MD5
f85fcab02fe141ac230ad97b4175e23c

SHA1
b2b9e069cd5ce9275aaa3ba0282b7065459b1b7b

SHA256
d5540bff1d660806770a9832a1d0db6def023f2659c0c8bd985d4220cb735cc6

SHA512
517593471b0ee3e497f80aab4b357e5c866f29195e8ca8d8bd86e553a3b0bf46c3603d2364765a24d4e06bb3f4b9525fd372721b242e53e33cd4cc64ae23225a

Download Submit
C:\Windows\System\omYTkhq.exe

Filesize
5.2MB

MD5
1c7864ec109e10dc52fba0d2bac5c3d3

SHA1
58289414398acf2167dbf8900bdbd0d2f2e86930

SHA256
748898607549b14b4ab658d9ee19d1eda9576b87d012d96b74432ecc0ad8db0e

SHA512
61df2b8c306f8780685bdc789e94d852bb6d745ce7a96b0aa7bddfdfb566cb07e6f4fb28ded5cba4dcadead9ee0c31223f0df81dc2d249fa08c613e7be572020

Download Submit
C:\Windows\System\tNyzvMR.exe

Filesize
5.2MB

MD5
7e8f6dde39477dfbf3938f2bef01280c

SHA1
f00679375f52d984c33902a1967f689ca3ce25bc

SHA256
4cd86c33769bc1dfc955a90b66f0ec8add3d1e417c81ab30a70b8e7f10dc45ea

SHA512
ea74b20a2eb119fadc5d3d3a3d471bae70a2e7356959f47d9394d983672deb0ef5607ba3b199741266ffa6e301907e04537af4bbdd04b3abd4c9b5f691c35681

Download Submit
C:\Windows\System\uhBpoeN.exe

Filesize
5.2MB

MD5
1fc6ec7a18bbeb7203325d3bc98943e9

SHA1
ee7e92d5c4086d032bbd464f34182daa52b4449a

SHA256
cfaec6dfe209a4d01dee8efa426bf8fcb3b91daab3b8a33b08f2bbf3e848d94b

SHA512
487fb5548a278c1b1bc156f96ab2a2e70da22f4bb3e2e0856e52aec71bb13736df94908b7e489e5603a686d0fe35b3ffef07db80cacf1f1a3f6d65d026c4aec5

Download Submit
C:\Windows\System\vfMqSfm.exe

Filesize
5.2MB

MD5
3f0d63f71f191eb580f351c7877a3aba

SHA1
840eab11103d801f2f67d6b1546d0f1ff4778291

SHA256
535198869fd23e12d8266604cc47403402b0805466f800da81013d3033645a3b

SHA512
bcf9b568e593479a514698bece89598cd711e2a518ccdc11723ea8a164a40502faff116b911076a1fbf4a7d6fe734897a9e27b29264937817aeeb4726a03e46b

Download Submit
C:\Windows\System\yNFRjxy.exe

Filesize
5.2MB

MD5
8adafe68b0bbc1c0718df6e52950d234

SHA1
3ec09bf0d8b4dbde9a73bc7fe2c5379b738e4f30

SHA256
9ec752d134f465caa0fd30957b7f6aeae812a19922a33855e124cde4d2a81573

SHA512
9384967aef549b905d81542938fbe9126eb6d3663cb382fad0612b4d049a729a0ff84911dcc00f1362e3e3d8fed398ed6be753580bf08b18aed36e3e403aa368

Download Submit
memory/324-129-0x00007FF750090000-0x00007FF7503E1000-memory.dmp

Filesize
3.3MB

Download
memory/324-244-0x00007FF750090000-0x00007FF7503E1000-memory.dmp

Filesize
3.3MB

Download
memory/324-66-0x00007FF750090000-0x00007FF7503E1000-memory.dmp

Filesize
3.3MB

Download
memory/540-75-0x00007FF7F1B50000-0x00007FF7F1EA1000-memory.dmp

Filesize
3.3MB

Download
memory/540-152-0x00007FF7F1B50000-0x00007FF7F1EA1000-memory.dmp

Filesize
3.3MB

Download
memory/540-254-0x00007FF7F1B50000-0x00007FF7F1EA1000-memory.dmp

Filesize
3.3MB

Download
memory/1220-127-0x00007FF7CA880000-0x00007FF7CABD1000-memory.dmp

Filesize
3.3MB

Download
memory/1220-160-0x00007FF7CA880000-0x00007FF7CABD1000-memory.dmp

Filesize
3.3MB

Download
memory/1220-265-0x00007FF7CA880000-0x00007FF7CABD1000-memory.dmp

Filesize
3.3MB

Download
memory/1296-32-0x00007FF629770000-0x00007FF629AC1000-memory.dmp

Filesize
3.3MB

Download
memory/1296-94-0x00007FF629770000-0x00007FF629AC1000-memory.dmp

Filesize
3.3MB

Download
memory/1296-224-0x00007FF629770000-0x00007FF629AC1000-memory.dmp

Filesize
3.3MB

Download
memory/1384-139-0x00007FF648EA0000-0x00007FF6491F1000-memory.dmp

Filesize
3.3MB

Download
memory/1384-53-0x00007FF648EA0000-0x00007FF6491F1000-memory.dmp

Filesize
3.3MB

Download
memory/1384-0-0x00007FF648EA0000-0x00007FF6491F1000-memory.dmp

Filesize
3.3MB

Download
memory/1384-163-0x00007FF648EA0000-0x00007FF6491F1000-memory.dmp

Filesize
3.3MB

Download
memory/1384-1-0x0000015CFD400000-0x0000015CFD410000-memory.dmp

Filesize
64KB

Download
memory/1388-154-0x00007FF7700E0000-0x00007FF770431000-memory.dmp

Filesize
3.3MB

Download
memory/1388-271-0x00007FF7700E0000-0x00007FF770431000-memory.dmp

Filesize
3.3MB

Download
memory/1388-85-0x00007FF7700E0000-0x00007FF770431000-memory.dmp

Filesize
3.3MB

Download
memory/1480-100-0x00007FF6AC2D0000-0x00007FF6AC621000-memory.dmp

Filesize
3.3MB

Download
memory/1480-157-0x00007FF6AC2D0000-0x00007FF6AC621000-memory.dmp

Filesize
3.3MB

Download
memory/1480-258-0x00007FF6AC2D0000-0x00007FF6AC621000-memory.dmp

Filesize
3.3MB

Download
memory/2460-268-0x00007FF688840000-0x00007FF688B91000-memory.dmp

Filesize
3.3MB

Download
memory/2460-134-0x00007FF688840000-0x00007FF688B91000-memory.dmp

Filesize
3.3MB

Download
memory/2460-162-0x00007FF688840000-0x00007FF688B91000-memory.dmp

Filesize
3.3MB

Download
memory/2740-74-0x00007FF6221E0000-0x00007FF622531000-memory.dmp

Filesize
3.3MB

Download
memory/2740-20-0x00007FF6221E0000-0x00007FF622531000-memory.dmp

Filesize
3.3MB

Download
memory/2740-220-0x00007FF6221E0000-0x00007FF622531000-memory.dmp

Filesize
3.3MB

Download
memory/2852-89-0x00007FF7E1CE0000-0x00007FF7E2031000-memory.dmp

Filesize
3.3MB

Download
memory/2852-155-0x00007FF7E1CE0000-0x00007FF7E2031000-memory.dmp

Filesize
3.3MB

Download
memory/2852-252-0x00007FF7E1CE0000-0x00007FF7E2031000-memory.dmp

Filesize
3.3MB

Download
memory/3236-226-0x00007FF79F2C0000-0x00007FF79F611000-memory.dmp

Filesize
3.3MB

Download
memory/3236-36-0x00007FF79F2C0000-0x00007FF79F611000-memory.dmp

Filesize
3.3MB

Download
memory/3236-99-0x00007FF79F2C0000-0x00007FF79F611000-memory.dmp

Filesize
3.3MB

Download
memory/3260-245-0x00007FF60F500000-0x00007FF60F851000-memory.dmp

Filesize
3.3MB

Download
memory/3260-128-0x00007FF60F500000-0x00007FF60F851000-memory.dmp

Filesize
3.3MB

Download
memory/3260-65-0x00007FF60F500000-0x00007FF60F851000-memory.dmp

Filesize
3.3MB

Download
memory/3512-67-0x00007FF7C4370000-0x00007FF7C46C1000-memory.dmp

Filesize
3.3MB

Download
memory/3512-15-0x00007FF7C4370000-0x00007FF7C46C1000-memory.dmp

Filesize
3.3MB

Download
memory/3512-218-0x00007FF7C4370000-0x00007FF7C46C1000-memory.dmp

Filesize
3.3MB

Download
memory/3892-117-0x00007FF638840000-0x00007FF638B91000-memory.dmp

Filesize
3.3MB

Download
memory/3892-240-0x00007FF638840000-0x00007FF638B91000-memory.dmp

Filesize
3.3MB

Download
memory/3892-48-0x00007FF638840000-0x00007FF638B91000-memory.dmp

Filesize
3.3MB

Download
memory/3964-263-0x00007FF649380000-0x00007FF6496D1000-memory.dmp

Filesize
3.3MB

Download
memory/3964-161-0x00007FF649380000-0x00007FF6496D1000-memory.dmp

Filesize
3.3MB

Download
memory/3964-133-0x00007FF649380000-0x00007FF6496D1000-memory.dmp

Filesize
3.3MB

Download
memory/4000-60-0x00007FF6A9530000-0x00007FF6A9881000-memory.dmp

Filesize
3.3MB

Download
memory/4000-241-0x00007FF6A9530000-0x00007FF6A9881000-memory.dmp

Filesize
3.3MB

Download
memory/4000-124-0x00007FF6A9530000-0x00007FF6A9881000-memory.dmp

Filesize
3.3MB

Download
memory/4108-216-0x00007FF7E8DD0000-0x00007FF7E9121000-memory.dmp

Filesize
3.3MB

Download
memory/4108-54-0x00007FF7E8DD0000-0x00007FF7E9121000-memory.dmp

Filesize
3.3MB

Download
memory/4108-11-0x00007FF7E8DD0000-0x00007FF7E9121000-memory.dmp

Filesize
3.3MB

Download
memory/4404-260-0x00007FF783AA0000-0x00007FF783DF1000-memory.dmp

Filesize
3.3MB

Download
memory/4404-111-0x00007FF783AA0000-0x00007FF783DF1000-memory.dmp

Filesize
3.3MB

Download
memory/4404-158-0x00007FF783AA0000-0x00007FF783DF1000-memory.dmp

Filesize
3.3MB

Download
memory/4476-222-0x00007FF798630000-0x00007FF798981000-memory.dmp

Filesize
3.3MB

Download
memory/4476-84-0x00007FF798630000-0x00007FF798981000-memory.dmp

Filesize
3.3MB

Download
memory/4476-24-0x00007FF798630000-0x00007FF798981000-memory.dmp

Filesize
3.3MB

Download
memory/4616-237-0x00007FF6D3DB0000-0x00007FF6D4101000-memory.dmp

Filesize
3.3MB

Download
memory/4616-110-0x00007FF6D3DB0000-0x00007FF6D4101000-memory.dmp

Filesize
3.3MB

Download
memory/4616-44-0x00007FF6D3DB0000-0x00007FF6D4101000-memory.dmp

Filesize
3.3MB

Download
memory/4944-256-0x00007FF73DA80000-0x00007FF73DDD1000-memory.dmp

Filesize
3.3MB

Download
memory/4944-95-0x00007FF73DA80000-0x00007FF73DDD1000-memory.dmp

Filesize
3.3MB

Download
memory/4944-156-0x00007FF73DA80000-0x00007FF73DDD1000-memory.dmp

Filesize
3.3MB

Download
memory/5008-118-0x00007FF7FCE10000-0x00007FF7FD161000-memory.dmp

Filesize
3.3MB

Download
memory/5008-266-0x00007FF7FCE10000-0x00007FF7FD161000-memory.dmp

Filesize
3.3MB

Download
memory/5008-159-0x00007FF7FCE10000-0x00007FF7FD161000-memory.dmp

Filesize
3.3MB

Download