cobaltstrike | 8bf609e81ca1b1518d5613c6243c7f1696800b1ec836201b0ef024a69895334f

Analysis

max time kernel
140s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14-12-2024 03:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-14_83fbc72a6abd04afaf0579e43b09659f_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

83fbc72a6abd04afaf0579e43b09659f
SHA1

e3cf2c79b63e00e923241505a2b599ec87b19a59
SHA256

8bf609e81ca1b1518d5613c6243c7f1696800b1ec836201b0ef024a69895334f
SHA512

20b6f948d9188c9e629f32b8cd344b9dc7c2520891428dc3c8db94eea83c5e4a66c1de39bed44e28d59f74e045e7426c39f66a99e234eec731a5f950ec39d6ea
SSDEEP

49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lx:RWWBibd56utgpPFotBER/mQ32lUF

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000a000000023b71-12.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b73-22.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b76-40.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b79-61.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7b-72.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7c-80.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7d-90.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b6e-94.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7e-99.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7a-67.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b78-54.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b77-48.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b75-39.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b74-30.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b72-19.dat	cobalt_reflective_dll
behavioral2/files/0x000c000000023b0f-6.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b81-119.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b83-126.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b84-135.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b82-124.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7f-109.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 49 IoCs

miner

resource	yara_rule
behavioral2/memory/1492-68-0x00007FF7E2EA0000-0x00007FF7E31F1000-memory.dmp	xmrig
behavioral2/memory/4988-81-0x00007FF66A520000-0x00007FF66A871000-memory.dmp	xmrig
behavioral2/memory/3668-88-0x00007FF7DA420000-0x00007FF7DA771000-memory.dmp	xmrig
behavioral2/memory/3568-95-0x00007FF7B5C40000-0x00007FF7B5F91000-memory.dmp	xmrig
behavioral2/memory/2632-100-0x00007FF632470000-0x00007FF6327C1000-memory.dmp	xmrig
behavioral2/memory/3928-75-0x00007FF74F930000-0x00007FF74FC81000-memory.dmp	xmrig
behavioral2/memory/804-70-0x00007FF78F7C0000-0x00007FF78FB11000-memory.dmp	xmrig
behavioral2/memory/2428-57-0x00007FF6DE460000-0x00007FF6DE7B1000-memory.dmp	xmrig
behavioral2/memory/3144-55-0x00007FF7751F0000-0x00007FF775541000-memory.dmp	xmrig
behavioral2/memory/4168-43-0x00007FF653BB0000-0x00007FF653F01000-memory.dmp	xmrig
behavioral2/memory/3836-138-0x00007FF66A940000-0x00007FF66AC91000-memory.dmp	xmrig
behavioral2/memory/804-136-0x00007FF78F7C0000-0x00007FF78FB11000-memory.dmp	xmrig
behavioral2/memory/116-132-0x00007FF72A7A0000-0x00007FF72AAF1000-memory.dmp	xmrig
behavioral2/memory/1008-131-0x00007FF70B490000-0x00007FF70B7E1000-memory.dmp	xmrig
behavioral2/memory/1932-130-0x00007FF7D9FB0000-0x00007FF7DA301000-memory.dmp	xmrig
behavioral2/memory/4756-128-0x00007FF7F4890000-0x00007FF7F4BE1000-memory.dmp	xmrig
behavioral2/memory/2428-122-0x00007FF6DE460000-0x00007FF6DE7B1000-memory.dmp	xmrig
behavioral2/memory/2380-113-0x00007FF7E8330000-0x00007FF7E8681000-memory.dmp	xmrig
behavioral2/memory/1796-112-0x00007FF7BBF80000-0x00007FF7BC2D1000-memory.dmp	xmrig
behavioral2/memory/2448-139-0x00007FF7DD580000-0x00007FF7DD8D1000-memory.dmp	xmrig
behavioral2/memory/4028-140-0x00007FF7EF250000-0x00007FF7EF5A1000-memory.dmp	xmrig
behavioral2/memory/3728-142-0x00007FF68E5C0000-0x00007FF68E911000-memory.dmp	xmrig
behavioral2/memory/3460-141-0x00007FF698B90000-0x00007FF698EE1000-memory.dmp	xmrig
behavioral2/memory/3144-143-0x00007FF7751F0000-0x00007FF775541000-memory.dmp	xmrig
behavioral2/memory/1884-151-0x00007FF6A0430000-0x00007FF6A0781000-memory.dmp	xmrig
behavioral2/memory/2380-161-0x00007FF7E8330000-0x00007FF7E8681000-memory.dmp	xmrig
behavioral2/memory/3836-167-0x00007FF66A940000-0x00007FF66AC91000-memory.dmp	xmrig
behavioral2/memory/3144-168-0x00007FF7751F0000-0x00007FF775541000-memory.dmp	xmrig
behavioral2/memory/1492-226-0x00007FF7E2EA0000-0x00007FF7E31F1000-memory.dmp	xmrig
behavioral2/memory/3928-228-0x00007FF74F930000-0x00007FF74FC81000-memory.dmp	xmrig
behavioral2/memory/4988-230-0x00007FF66A520000-0x00007FF66A871000-memory.dmp	xmrig
behavioral2/memory/3668-232-0x00007FF7DA420000-0x00007FF7DA771000-memory.dmp	xmrig
behavioral2/memory/3568-234-0x00007FF7B5C40000-0x00007FF7B5F91000-memory.dmp	xmrig
behavioral2/memory/4168-236-0x00007FF653BB0000-0x00007FF653F01000-memory.dmp	xmrig
behavioral2/memory/2632-238-0x00007FF632470000-0x00007FF6327C1000-memory.dmp	xmrig
behavioral2/memory/1796-240-0x00007FF7BBF80000-0x00007FF7BC2D1000-memory.dmp	xmrig
behavioral2/memory/2428-242-0x00007FF6DE460000-0x00007FF6DE7B1000-memory.dmp	xmrig
behavioral2/memory/1008-244-0x00007FF70B490000-0x00007FF70B7E1000-memory.dmp	xmrig
behavioral2/memory/804-246-0x00007FF78F7C0000-0x00007FF78FB11000-memory.dmp	xmrig
behavioral2/memory/2448-252-0x00007FF7DD580000-0x00007FF7DD8D1000-memory.dmp	xmrig
behavioral2/memory/4028-254-0x00007FF7EF250000-0x00007FF7EF5A1000-memory.dmp	xmrig
behavioral2/memory/3460-256-0x00007FF698B90000-0x00007FF698EE1000-memory.dmp	xmrig
behavioral2/memory/1884-258-0x00007FF6A0430000-0x00007FF6A0781000-memory.dmp	xmrig
behavioral2/memory/3728-260-0x00007FF68E5C0000-0x00007FF68E911000-memory.dmp	xmrig
behavioral2/memory/2380-267-0x00007FF7E8330000-0x00007FF7E8681000-memory.dmp	xmrig
behavioral2/memory/4756-269-0x00007FF7F4890000-0x00007FF7F4BE1000-memory.dmp	xmrig
behavioral2/memory/1932-271-0x00007FF7D9FB0000-0x00007FF7DA301000-memory.dmp	xmrig
behavioral2/memory/116-273-0x00007FF72A7A0000-0x00007FF72AAF1000-memory.dmp	xmrig
behavioral2/memory/3836-275-0x00007FF66A940000-0x00007FF66AC91000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
1492	ZyHAXLj.exe
3928	YlKZmGf.exe
4988	bYsTuKQ.exe
3668	GAkNNdP.exe
3568	NgGDdto.exe
2632	hyKcsKd.exe
4168	WXopqTs.exe
1796	brtTnfE.exe
2428	sexSsAV.exe
1008	pfmLIlh.exe
804	jjCymXX.exe
2448	TQFxzZT.exe
4028	oWKXKXe.exe
3460	DPBfrdz.exe
3728	qCUxZKY.exe
1884	UMXWltg.exe
2380	zSWBkgZ.exe
4756	GfEYUMB.exe
1932	sZuvfSb.exe
116	uTPyQoB.exe
3836	rzSSoCS.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3144-0-0x00007FF7751F0000-0x00007FF775541000-memory.dmp	upx
behavioral2/memory/1492-7-0x00007FF7E2EA0000-0x00007FF7E31F1000-memory.dmp	upx
behavioral2/files/0x000a000000023b71-12.dat	upx
behavioral2/files/0x000a000000023b73-22.dat	upx
behavioral2/memory/3568-33-0x00007FF7B5C40000-0x00007FF7B5F91000-memory.dmp	upx
behavioral2/files/0x000a000000023b76-40.dat	upx
behavioral2/files/0x000a000000023b79-61.dat	upx
behavioral2/memory/1008-63-0x00007FF70B490000-0x00007FF70B7E1000-memory.dmp	upx
behavioral2/memory/1492-68-0x00007FF7E2EA0000-0x00007FF7E31F1000-memory.dmp	upx
behavioral2/files/0x000a000000023b7b-72.dat	upx
behavioral2/files/0x000a000000023b7c-80.dat	upx
behavioral2/memory/4988-81-0x00007FF66A520000-0x00007FF66A871000-memory.dmp	upx
behavioral2/memory/3460-89-0x00007FF698B90000-0x00007FF698EE1000-memory.dmp	upx
behavioral2/files/0x000a000000023b7d-90.dat	upx
behavioral2/memory/3668-88-0x00007FF7DA420000-0x00007FF7DA771000-memory.dmp	upx
behavioral2/memory/4028-82-0x00007FF7EF250000-0x00007FF7EF5A1000-memory.dmp	upx
behavioral2/memory/2448-76-0x00007FF7DD580000-0x00007FF7DD8D1000-memory.dmp	upx
behavioral2/files/0x000b000000023b6e-94.dat	upx
behavioral2/memory/3568-95-0x00007FF7B5C40000-0x00007FF7B5F91000-memory.dmp	upx
behavioral2/files/0x000a000000023b7e-99.dat	upx
behavioral2/memory/1884-101-0x00007FF6A0430000-0x00007FF6A0781000-memory.dmp	upx
behavioral2/memory/2632-100-0x00007FF632470000-0x00007FF6327C1000-memory.dmp	upx
behavioral2/memory/3728-97-0x00007FF68E5C0000-0x00007FF68E911000-memory.dmp	upx
behavioral2/memory/3928-75-0x00007FF74F930000-0x00007FF74FC81000-memory.dmp	upx
behavioral2/memory/804-70-0x00007FF78F7C0000-0x00007FF78FB11000-memory.dmp	upx
behavioral2/files/0x000a000000023b7a-67.dat	upx
behavioral2/memory/2428-57-0x00007FF6DE460000-0x00007FF6DE7B1000-memory.dmp	upx
behavioral2/files/0x000a000000023b78-54.dat	upx
behavioral2/memory/3144-55-0x00007FF7751F0000-0x00007FF775541000-memory.dmp	upx
behavioral2/memory/1796-50-0x00007FF7BBF80000-0x00007FF7BC2D1000-memory.dmp	upx
behavioral2/files/0x000a000000023b77-48.dat	upx
behavioral2/memory/4168-43-0x00007FF653BB0000-0x00007FF653F01000-memory.dmp	upx
behavioral2/memory/2632-42-0x00007FF632470000-0x00007FF6327C1000-memory.dmp	upx
behavioral2/files/0x000a000000023b75-39.dat	upx
behavioral2/files/0x000a000000023b74-30.dat	upx
behavioral2/memory/3668-24-0x00007FF7DA420000-0x00007FF7DA771000-memory.dmp	upx
behavioral2/files/0x000a000000023b72-19.dat	upx
behavioral2/memory/4988-18-0x00007FF66A520000-0x00007FF66A871000-memory.dmp	upx
behavioral2/memory/3928-14-0x00007FF74F930000-0x00007FF74FC81000-memory.dmp	upx
behavioral2/files/0x000c000000023b0f-6.dat	upx
behavioral2/files/0x000a000000023b81-119.dat	upx
behavioral2/files/0x000a000000023b83-126.dat	upx
behavioral2/files/0x000a000000023b84-135.dat	upx
behavioral2/memory/3836-138-0x00007FF66A940000-0x00007FF66AC91000-memory.dmp	upx
behavioral2/memory/804-136-0x00007FF78F7C0000-0x00007FF78FB11000-memory.dmp	upx
behavioral2/memory/116-132-0x00007FF72A7A0000-0x00007FF72AAF1000-memory.dmp	upx
behavioral2/memory/1008-131-0x00007FF70B490000-0x00007FF70B7E1000-memory.dmp	upx
behavioral2/memory/1932-130-0x00007FF7D9FB0000-0x00007FF7DA301000-memory.dmp	upx
behavioral2/memory/4756-128-0x00007FF7F4890000-0x00007FF7F4BE1000-memory.dmp	upx
behavioral2/files/0x000a000000023b82-124.dat	upx
behavioral2/memory/2428-122-0x00007FF6DE460000-0x00007FF6DE7B1000-memory.dmp	upx
behavioral2/memory/2380-113-0x00007FF7E8330000-0x00007FF7E8681000-memory.dmp	upx
behavioral2/files/0x000a000000023b7f-109.dat	upx
behavioral2/memory/1796-112-0x00007FF7BBF80000-0x00007FF7BC2D1000-memory.dmp	upx
behavioral2/memory/2448-139-0x00007FF7DD580000-0x00007FF7DD8D1000-memory.dmp	upx
behavioral2/memory/4028-140-0x00007FF7EF250000-0x00007FF7EF5A1000-memory.dmp	upx
behavioral2/memory/3728-142-0x00007FF68E5C0000-0x00007FF68E911000-memory.dmp	upx
behavioral2/memory/3460-141-0x00007FF698B90000-0x00007FF698EE1000-memory.dmp	upx
behavioral2/memory/3144-143-0x00007FF7751F0000-0x00007FF775541000-memory.dmp	upx
behavioral2/memory/1884-151-0x00007FF6A0430000-0x00007FF6A0781000-memory.dmp	upx
behavioral2/memory/2380-161-0x00007FF7E8330000-0x00007FF7E8681000-memory.dmp	upx
behavioral2/memory/3836-167-0x00007FF66A940000-0x00007FF66AC91000-memory.dmp	upx
behavioral2/memory/3144-168-0x00007FF7751F0000-0x00007FF775541000-memory.dmp	upx
behavioral2/memory/1492-226-0x00007FF7E2EA0000-0x00007FF7E31F1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\ZyHAXLj.exe	2024-12-14_83fbc72a6abd04afaf0579e43b09659f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NgGDdto.exe	2024-12-14_83fbc72a6abd04afaf0579e43b09659f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\brtTnfE.exe	2024-12-14_83fbc72a6abd04afaf0579e43b09659f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DPBfrdz.exe	2024-12-14_83fbc72a6abd04afaf0579e43b09659f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zSWBkgZ.exe	2024-12-14_83fbc72a6abd04afaf0579e43b09659f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bYsTuKQ.exe	2024-12-14_83fbc72a6abd04afaf0579e43b09659f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qCUxZKY.exe	2024-12-14_83fbc72a6abd04afaf0579e43b09659f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UMXWltg.exe	2024-12-14_83fbc72a6abd04afaf0579e43b09659f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GfEYUMB.exe	2024-12-14_83fbc72a6abd04afaf0579e43b09659f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uTPyQoB.exe	2024-12-14_83fbc72a6abd04afaf0579e43b09659f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YlKZmGf.exe	2024-12-14_83fbc72a6abd04afaf0579e43b09659f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pfmLIlh.exe	2024-12-14_83fbc72a6abd04afaf0579e43b09659f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oWKXKXe.exe	2024-12-14_83fbc72a6abd04afaf0579e43b09659f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rzSSoCS.exe	2024-12-14_83fbc72a6abd04afaf0579e43b09659f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TQFxzZT.exe	2024-12-14_83fbc72a6abd04afaf0579e43b09659f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sZuvfSb.exe	2024-12-14_83fbc72a6abd04afaf0579e43b09659f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GAkNNdP.exe	2024-12-14_83fbc72a6abd04afaf0579e43b09659f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hyKcsKd.exe	2024-12-14_83fbc72a6abd04afaf0579e43b09659f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WXopqTs.exe	2024-12-14_83fbc72a6abd04afaf0579e43b09659f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sexSsAV.exe	2024-12-14_83fbc72a6abd04afaf0579e43b09659f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jjCymXX.exe	2024-12-14_83fbc72a6abd04afaf0579e43b09659f_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3144	2024-12-14_83fbc72a6abd04afaf0579e43b09659f_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	3144	2024-12-14_83fbc72a6abd04afaf0579e43b09659f_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3144 wrote to memory of 1492	3144	2024-12-14_83fbc72a6abd04afaf0579e43b09659f_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3144 wrote to memory of 1492	3144	2024-12-14_83fbc72a6abd04afaf0579e43b09659f_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3144 wrote to memory of 3928	3144	2024-12-14_83fbc72a6abd04afaf0579e43b09659f_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3144 wrote to memory of 3928	3144	2024-12-14_83fbc72a6abd04afaf0579e43b09659f_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3144 wrote to memory of 4988	3144	2024-12-14_83fbc72a6abd04afaf0579e43b09659f_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3144 wrote to memory of 4988	3144	2024-12-14_83fbc72a6abd04afaf0579e43b09659f_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3144 wrote to memory of 3668	3144	2024-12-14_83fbc72a6abd04afaf0579e43b09659f_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3144 wrote to memory of 3668	3144	2024-12-14_83fbc72a6abd04afaf0579e43b09659f_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3144 wrote to memory of 3568	3144	2024-12-14_83fbc72a6abd04afaf0579e43b09659f_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3144 wrote to memory of 3568	3144	2024-12-14_83fbc72a6abd04afaf0579e43b09659f_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3144 wrote to memory of 2632	3144	2024-12-14_83fbc72a6abd04afaf0579e43b09659f_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3144 wrote to memory of 2632	3144	2024-12-14_83fbc72a6abd04afaf0579e43b09659f_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3144 wrote to memory of 4168	3144	2024-12-14_83fbc72a6abd04afaf0579e43b09659f_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3144 wrote to memory of 4168	3144	2024-12-14_83fbc72a6abd04afaf0579e43b09659f_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3144 wrote to memory of 1796	3144	2024-12-14_83fbc72a6abd04afaf0579e43b09659f_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3144 wrote to memory of 1796	3144	2024-12-14_83fbc72a6abd04afaf0579e43b09659f_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3144 wrote to memory of 2428	3144	2024-12-14_83fbc72a6abd04afaf0579e43b09659f_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3144 wrote to memory of 2428	3144	2024-12-14_83fbc72a6abd04afaf0579e43b09659f_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3144 wrote to memory of 1008	3144	2024-12-14_83fbc72a6abd04afaf0579e43b09659f_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3144 wrote to memory of 1008	3144	2024-12-14_83fbc72a6abd04afaf0579e43b09659f_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3144 wrote to memory of 804	3144	2024-12-14_83fbc72a6abd04afaf0579e43b09659f_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3144 wrote to memory of 804	3144	2024-12-14_83fbc72a6abd04afaf0579e43b09659f_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3144 wrote to memory of 2448	3144	2024-12-14_83fbc72a6abd04afaf0579e43b09659f_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3144 wrote to memory of 2448	3144	2024-12-14_83fbc72a6abd04afaf0579e43b09659f_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3144 wrote to memory of 4028	3144	2024-12-14_83fbc72a6abd04afaf0579e43b09659f_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3144 wrote to memory of 4028	3144	2024-12-14_83fbc72a6abd04afaf0579e43b09659f_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3144 wrote to memory of 3460	3144	2024-12-14_83fbc72a6abd04afaf0579e43b09659f_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3144 wrote to memory of 3460	3144	2024-12-14_83fbc72a6abd04afaf0579e43b09659f_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3144 wrote to memory of 3728	3144	2024-12-14_83fbc72a6abd04afaf0579e43b09659f_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3144 wrote to memory of 3728	3144	2024-12-14_83fbc72a6abd04afaf0579e43b09659f_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3144 wrote to memory of 1884	3144	2024-12-14_83fbc72a6abd04afaf0579e43b09659f_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3144 wrote to memory of 1884	3144	2024-12-14_83fbc72a6abd04afaf0579e43b09659f_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3144 wrote to memory of 2380	3144	2024-12-14_83fbc72a6abd04afaf0579e43b09659f_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3144 wrote to memory of 2380	3144	2024-12-14_83fbc72a6abd04afaf0579e43b09659f_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3144 wrote to memory of 4756	3144	2024-12-14_83fbc72a6abd04afaf0579e43b09659f_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3144 wrote to memory of 4756	3144	2024-12-14_83fbc72a6abd04afaf0579e43b09659f_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3144 wrote to memory of 1932	3144	2024-12-14_83fbc72a6abd04afaf0579e43b09659f_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3144 wrote to memory of 1932	3144	2024-12-14_83fbc72a6abd04afaf0579e43b09659f_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3144 wrote to memory of 116	3144	2024-12-14_83fbc72a6abd04afaf0579e43b09659f_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3144 wrote to memory of 116	3144	2024-12-14_83fbc72a6abd04afaf0579e43b09659f_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3144 wrote to memory of 3836	3144	2024-12-14_83fbc72a6abd04afaf0579e43b09659f_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 3144 wrote to memory of 3836	3144	2024-12-14_83fbc72a6abd04afaf0579e43b09659f_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-12-14_83fbc72a6abd04afaf0579e43b09659f_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-14_83fbc72a6abd04afaf0579e43b09659f_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3144
- C:\Windows\System\ZyHAXLj.exe
  C:\Windows\System\ZyHAXLj.exe
  2⤵
  - Executes dropped EXE
  PID:1492
- C:\Windows\System\YlKZmGf.exe
  C:\Windows\System\YlKZmGf.exe
  2⤵
  - Executes dropped EXE
  PID:3928
- C:\Windows\System\bYsTuKQ.exe
  C:\Windows\System\bYsTuKQ.exe
  2⤵
  - Executes dropped EXE
  PID:4988
- C:\Windows\System\GAkNNdP.exe
  C:\Windows\System\GAkNNdP.exe
  2⤵
  - Executes dropped EXE
  PID:3668
- C:\Windows\System\NgGDdto.exe
  C:\Windows\System\NgGDdto.exe
  2⤵
  - Executes dropped EXE
  PID:3568
- C:\Windows\System\hyKcsKd.exe
  C:\Windows\System\hyKcsKd.exe
  2⤵
  - Executes dropped EXE
  PID:2632
- C:\Windows\System\WXopqTs.exe
  C:\Windows\System\WXopqTs.exe
  2⤵
  - Executes dropped EXE
  PID:4168
- C:\Windows\System\brtTnfE.exe
  C:\Windows\System\brtTnfE.exe
  2⤵
  - Executes dropped EXE
  PID:1796
- C:\Windows\System\sexSsAV.exe
  C:\Windows\System\sexSsAV.exe
  2⤵
  - Executes dropped EXE
  PID:2428
- C:\Windows\System\pfmLIlh.exe
  C:\Windows\System\pfmLIlh.exe
  2⤵
  - Executes dropped EXE
  PID:1008
- C:\Windows\System\jjCymXX.exe
  C:\Windows\System\jjCymXX.exe
  2⤵
  - Executes dropped EXE
  PID:804
- C:\Windows\System\TQFxzZT.exe
  C:\Windows\System\TQFxzZT.exe
  2⤵
  - Executes dropped EXE
  PID:2448
- C:\Windows\System\oWKXKXe.exe
  C:\Windows\System\oWKXKXe.exe
  2⤵
  - Executes dropped EXE
  PID:4028
- C:\Windows\System\DPBfrdz.exe
  C:\Windows\System\DPBfrdz.exe
  2⤵
  - Executes dropped EXE
  PID:3460
- C:\Windows\System\qCUxZKY.exe
  C:\Windows\System\qCUxZKY.exe
  2⤵
  - Executes dropped EXE
  PID:3728
- C:\Windows\System\UMXWltg.exe
  C:\Windows\System\UMXWltg.exe
  2⤵
  - Executes dropped EXE
  PID:1884
- C:\Windows\System\zSWBkgZ.exe
  C:\Windows\System\zSWBkgZ.exe
  2⤵
  - Executes dropped EXE
  PID:2380
- C:\Windows\System\GfEYUMB.exe
  C:\Windows\System\GfEYUMB.exe
  2⤵
  - Executes dropped EXE
  PID:4756
- C:\Windows\System\sZuvfSb.exe
  C:\Windows\System\sZuvfSb.exe
  2⤵
  - Executes dropped EXE
  PID:1932
- C:\Windows\System\uTPyQoB.exe
  C:\Windows\System\uTPyQoB.exe
  2⤵
  - Executes dropped EXE
  PID:116
- C:\Windows\System\rzSSoCS.exe
  C:\Windows\System\rzSSoCS.exe
  2⤵
  - Executes dropped EXE
  PID:3836

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\DPBfrdz.exe

Filesize
5.2MB

MD5
154cef6e0ba63bec3a7ba9dddfef2ebe

SHA1
23c22fbcd629cb5585821988fefce606127d4d2f

SHA256
efef78d78819fcd855ea26feb101dfb17601792f736424cead6329cbda270c6c

SHA512
0394f71f7852b45f5ffa9e9c23acdee620a2890a115c801473338ae033434d9338aa93d64aecf1b93f3901a3a978e0fbd12cb935213763669f6ff6a84cf64996

Download Submit
C:\Windows\System\GAkNNdP.exe

Filesize
5.2MB

MD5
184a989d8f2a3f2f2f2c3267ee4cbd3d

SHA1
16ca5e50d61775c2ae00e10ce2ce6c0714955f29

SHA256
428155378284f09d8e13bdc2d0bd41a08ba95e68dcdb944a3b1f4adaa08143ff

SHA512
7e72eab502427e3d3a91392c0ff2e14684da339d129993b711784471e7ee1675a79c58aba54bd809fdca01f35bc7a5558728f727a93811d1443d5b733ec341ad

Download Submit
C:\Windows\System\GfEYUMB.exe

Filesize
5.2MB

MD5
e157a572f0325f35e72550069315cdd4

SHA1
848687f421377139fbf1e7b52ed91b4173dc2e5d

SHA256
dc06d8b91710ad6a431cef52ef7b21c924f839d9e36ea65ce8252bb279927fd8

SHA512
1a73343c37b603e660d864ddb8b238ee53c743299391807fd79e8c6082b82e0af39ea68450208711f2bdcbd4e7eac94d101b429788eccd10bfbf0573678ab169

Download Submit
C:\Windows\System\NgGDdto.exe

Filesize
5.2MB

MD5
9ad0b1134ce3b949d09e9a9fbefb60a9

SHA1
e3a93b1b8b9da946f360fb035060fc0815ae6d7f

SHA256
f27b0f3f5249ab4993cd9b52623a32e631df8370253e118a2847593e98c114c1

SHA512
d608833eef12c5438a65ed4dde4a7e5394afd798d194ff49593ff20053b9b85e3012d2e7d03bad7c574712c660947edf87a7b4793b9453ae180f42485731bd93

Download Submit
C:\Windows\System\TQFxzZT.exe

Filesize
5.2MB

MD5
fecbaa8f4377f02ca78202165b3d8d9f

SHA1
61b243ce05f5a8ae58a48ae47781e7c27cfb6189

SHA256
36d36416eed4501881d146a0c7931592d7cdd4868a444167a87b34e0960443e9

SHA512
0971782887fe22727d86bfacefc3ea76ab4979f3074fa659df99a2f54d24f302d3301aedc5df8fa1d842a3766a51039d30fe623862b75bd9dada3f5c503e6499

Download Submit
C:\Windows\System\UMXWltg.exe

Filesize
5.2MB

MD5
f49315ac0f454940584d7073270aa5b9

SHA1
3a57666d4a46ffb70666f0c94db440c9771ae30a

SHA256
3416a519167a76cbc0ce2c424e772fef1711f9a75badb9978858f2d35e0f8142

SHA512
aba4793d93437464b89ff2b3a7967ceb37afe1e7a91ea37bace9f7b5b208da17d3ca92351d59b57ada366f0de8b8ec151311302086496828e271779d067b3ea5

Download Submit
C:\Windows\System\WXopqTs.exe

Filesize
5.2MB

MD5
268f57356cdea1b89e8193e9b957d82d

SHA1
27ae1d468140bbd4603be89c8a7b34a578bab8c0

SHA256
7d90c0d4bd40dd70888d9b826992baa81e8709ef716ba5629bb810a91b998ab8

SHA512
b46512340d3bd69b9a8f7a966669eeb91c5844f7fe7ad83f0f0ec34ea2b7ee48ec5417357ad584219a30b1a186bd78501f50a68f823e00f6f2c2fa492e80153d

Download Submit
C:\Windows\System\YlKZmGf.exe

Filesize
5.2MB

MD5
23a047de228fc3ba22f537c3ca2a3544

SHA1
dbf9d9072aae4767cacfa28f3b623fde4e85bd95

SHA256
41c3bfac1eb73280dc0ccb703598e05574262d655944d961ab0fe397fa309ba4

SHA512
354de1d46e03fa72894bb33eae525e77b741dc2dbf23b3af441832f6e8711bd94f5e021ad74a62458dd131108f1c621bb99a07283f42cf184d71d74417d4d219

Download Submit
C:\Windows\System\ZyHAXLj.exe

Filesize
5.2MB

MD5
4601b24d8ba4ef31a06b1b4e8ae5064b

SHA1
38d927ab1570eea7e064c136ec4b12d8b97da43a

SHA256
637ef386d1835e1eb58ca3ad7ecce770afe69410ddf38c6b3c5a498e0420d9f9

SHA512
1d231bbd99e848ba4516bab4414536aef48da74bba00da571d3e2c564686a163833f9a4465c93ad6cbfec7362c86ee40221889128c2dcec5eb56ce4bcd7dc2e5

Download Submit
C:\Windows\System\bYsTuKQ.exe

Filesize
5.2MB

MD5
e2544d9768fbf7633f492ff3befa189f

SHA1
40fdce7c8bbca005438f3524014b9b48b584e05e

SHA256
8c53a89c6ba9c0684478e646dc11bda7f855fc4eebbbf2e4580a2ce8787b5f82

SHA512
32ba3b2c00a7fe0a6c362843955e0aba360df49744904db391be9526ba3aeb60718889f2c37f48e9cbd69eb80e07dc61100f8eb20013aedf751ff4b6c01d5755

Download Submit
C:\Windows\System\brtTnfE.exe

Filesize
5.2MB

MD5
9c891fc2055237cf2136a39f946d1309

SHA1
c68844ac0664e83f0cbfcd2857d173037c916bff

SHA256
4baf1e9a7aa758a5b4edb9568bb6d00db23a48472cc4e51ffda745efc9ad27d4

SHA512
5d05a72a1c49eae84ad079c19692a5eaf201d75161163c1a22adbc5002693921d1a1b7ae70fe6e4f570e484c48c543b62370597ece325a4552a665dec05ff4cc

Download Submit
C:\Windows\System\hyKcsKd.exe

Filesize
5.2MB

MD5
a7a081c88c831c731756951a09ab32fc

SHA1
b826fa3157228b2e0c1586e316e48cbc639d58d4

SHA256
03f66db2e32e87a4096e24e36fec0d37dbb82ec116bbdf1d64772ffdb538321d

SHA512
4163d83f1cd8bff98b3a620b9489f58f4fd792386499e6dd50f6b5e9be41e7f830c67ddd73ea735d9a535441d14063be824ac68b51941a1fa265fc9bd75d829d

Download Submit
C:\Windows\System\jjCymXX.exe

Filesize
5.2MB

MD5
67abccd1a530b1fa59fc59fb543051ef

SHA1
e3b36c2a816be1c0340c582caac35f09fa4af7ef

SHA256
a4eef136b2e56e7c570dd610fdfeb6fcd1cc8bbc3df84096fd98c0c28be0e10c

SHA512
6ddb2c905fdd5a36a677e149be0e8d7be86aa619ccd9c713412ca4850720a0f6b8d349b7fbddfca8788dca0be1d8c172b5b85c20139959fd5fa5eb30d4e3cb70

Download Submit
C:\Windows\System\oWKXKXe.exe

Filesize
5.2MB

MD5
5b520a8a854904b5b5446e2601314283

SHA1
ca82b768bf313a9d5a5497ee4c934ae3fd28d70b

SHA256
97ace0cdb093a511c6d97ddaae7b4717ffed1c81a207753a08595326ec949c59

SHA512
b913d5d746ca90416ba0e31608c1d0c3bc50cee336bf6e7fdb8a5b5455e8e5416716e5e6f751296e1445bc144b1b7c06fd4ee5e51e9aa770d4a0ca1b4b398bed

Download Submit
C:\Windows\System\pfmLIlh.exe

Filesize
5.2MB

MD5
466f1d3186f01d2ed0308173201fd534

SHA1
c7e37da2394f23988e33a5cfd1b99ab542159ab3

SHA256
febe6a097e9add56fe1acb750c6909b20eeb75fa1f08d777886344b807125d93

SHA512
e9720824d915742bc9ceb366572618f0503ba58af846f7eba5eee871d1576d2ebed71d840629ffd6560e9f160f2f1c45b0aef91191ce57bcc4db26c7b7f9080a

Download Submit
C:\Windows\System\qCUxZKY.exe

Filesize
5.2MB

MD5
3702724efd7efd66c54d403be8116c7a

SHA1
75354c4cd35df7f601bc43468ba266ea6590a322

SHA256
181abf6e560a19bd75cc700de7a031c98f4cda5ead399140f81ce4369b11deb0

SHA512
928d58f700bf325c5f34279a655ac1965991b709821506b1d73d6dd3b3e663f65d8ddc2b7ec8ef894dd261c46c6fcec012203690dd18c02fbe1ab1b1fa9fdc3f

Download Submit
C:\Windows\System\rzSSoCS.exe

Filesize
5.2MB

MD5
d98562947ae83b5ecf5a48e9780a1e2a

SHA1
9e59f74a0509c56ede9d9107e115cc396b918bcb

SHA256
f94d2747468d5550f32d9aa396a83b5840344194d57459743f873e2a2d3ef4df

SHA512
e025a4de71dbf88de1ea6f53a4b6a07d982885e34757572400f6b1a17b90e42014611202e62207e5b92f65955b107167bb7591eaf753f308a511c41a02101162

Download Submit
C:\Windows\System\sZuvfSb.exe

Filesize
5.2MB

MD5
d45e354ce74b2d0d365a22e00c2467da

SHA1
ff6e00e88e88a07fb161cf0c03822cdf5f35d771

SHA256
1823d7f03f2b2ac823f4d1f1945f7fa4ea975124d97e4db6730bf82c1c208a89

SHA512
f118ee315aeb84e2953f5440b7bb093c158ba57b01e9e9b6a402fea3817ce14d03ed0d71a5d6ae5467281ef2d4ec830fc82af3d2025ce37ba21b23be934c1260

Download Submit
C:\Windows\System\sexSsAV.exe

Filesize
5.2MB

MD5
da09e563c78fdb853f59a10be474ae79

SHA1
23990edb3128a5ebad647b47bc5f65f47dfa7fbf

SHA256
f1b3f6e3143cb9e06cb04b941bff6f9a359f49571f24b59bd3cb60e7b534d48e

SHA512
d7ace056e4a6f1b15da91b640af64dea8e565a1932aa0957b6eadf3778efb8e66d45e96ab3b79e0d225d1726dfdb1c730eda4f880adbc226c5664f42e3b31196

Download Submit
C:\Windows\System\uTPyQoB.exe

Filesize
5.2MB

MD5
c3d080ba92df2d5f1b64b61f6e828ec3

SHA1
ce94ed521f653f82fae26c163223bd22bf8fdea2

SHA256
ac5c855319bdb39adea542b3c13c3b943b5db90cea12f42735462203628cdde9

SHA512
6e97966ed4852f001cbfd4f9cca262af52bd74757146ed19dd5bdf9ec875370b5698d904ad32c94a66876ec238aa73c5fb87b2dd22a9ba69598d6ca10932fd54

Download Submit
C:\Windows\System\zSWBkgZ.exe

Filesize
5.2MB

MD5
659123db3ec1576e83d5fc84e097c252

SHA1
b2d8cfe593f814ac68c32036c3e5d63de11c5f83

SHA256
9ebdda068239cabbccd29da128a2dc2dd5ecc51a038ed0d0b42446aeccc03a72

SHA512
7a5c5b85c12ddf4c6dcf6916f36953d66bbc26584b49381caeac822020af2929ba8bfd80aa1edd6727eaa48f548be6d5eb783d481fc08c49e93aab9a3629ea87

Download Submit
memory/116-273-0x00007FF72A7A0000-0x00007FF72AAF1000-memory.dmp

Filesize
3.3MB

Download
memory/116-132-0x00007FF72A7A0000-0x00007FF72AAF1000-memory.dmp

Filesize
3.3MB

Download
memory/804-136-0x00007FF78F7C0000-0x00007FF78FB11000-memory.dmp

Filesize
3.3MB

Download
memory/804-246-0x00007FF78F7C0000-0x00007FF78FB11000-memory.dmp

Filesize
3.3MB

Download
memory/804-70-0x00007FF78F7C0000-0x00007FF78FB11000-memory.dmp

Filesize
3.3MB

Download
memory/1008-63-0x00007FF70B490000-0x00007FF70B7E1000-memory.dmp

Filesize
3.3MB

Download
memory/1008-131-0x00007FF70B490000-0x00007FF70B7E1000-memory.dmp

Filesize
3.3MB

Download
memory/1008-244-0x00007FF70B490000-0x00007FF70B7E1000-memory.dmp

Filesize
3.3MB

Download
memory/1492-226-0x00007FF7E2EA0000-0x00007FF7E31F1000-memory.dmp

Filesize
3.3MB

Download
memory/1492-68-0x00007FF7E2EA0000-0x00007FF7E31F1000-memory.dmp

Filesize
3.3MB

Download
memory/1492-7-0x00007FF7E2EA0000-0x00007FF7E31F1000-memory.dmp

Filesize
3.3MB

Download
memory/1796-112-0x00007FF7BBF80000-0x00007FF7BC2D1000-memory.dmp

Filesize
3.3MB

Download
memory/1796-50-0x00007FF7BBF80000-0x00007FF7BC2D1000-memory.dmp

Filesize
3.3MB

Download
memory/1796-240-0x00007FF7BBF80000-0x00007FF7BC2D1000-memory.dmp

Filesize
3.3MB

Download
memory/1884-101-0x00007FF6A0430000-0x00007FF6A0781000-memory.dmp

Filesize
3.3MB

Download
memory/1884-151-0x00007FF6A0430000-0x00007FF6A0781000-memory.dmp

Filesize
3.3MB

Download
memory/1884-258-0x00007FF6A0430000-0x00007FF6A0781000-memory.dmp

Filesize
3.3MB

Download
memory/1932-130-0x00007FF7D9FB0000-0x00007FF7DA301000-memory.dmp

Filesize
3.3MB

Download
memory/1932-271-0x00007FF7D9FB0000-0x00007FF7DA301000-memory.dmp

Filesize
3.3MB

Download
memory/2380-113-0x00007FF7E8330000-0x00007FF7E8681000-memory.dmp

Filesize
3.3MB

Download
memory/2380-267-0x00007FF7E8330000-0x00007FF7E8681000-memory.dmp

Filesize
3.3MB

Download
memory/2380-161-0x00007FF7E8330000-0x00007FF7E8681000-memory.dmp

Filesize
3.3MB

Download
memory/2428-242-0x00007FF6DE460000-0x00007FF6DE7B1000-memory.dmp

Filesize
3.3MB

Download
memory/2428-57-0x00007FF6DE460000-0x00007FF6DE7B1000-memory.dmp

Filesize
3.3MB

Download
memory/2428-122-0x00007FF6DE460000-0x00007FF6DE7B1000-memory.dmp

Filesize
3.3MB

Download
memory/2448-252-0x00007FF7DD580000-0x00007FF7DD8D1000-memory.dmp

Filesize
3.3MB

Download
memory/2448-76-0x00007FF7DD580000-0x00007FF7DD8D1000-memory.dmp

Filesize
3.3MB

Download
memory/2448-139-0x00007FF7DD580000-0x00007FF7DD8D1000-memory.dmp

Filesize
3.3MB

Download
memory/2632-100-0x00007FF632470000-0x00007FF6327C1000-memory.dmp

Filesize
3.3MB

Download
memory/2632-42-0x00007FF632470000-0x00007FF6327C1000-memory.dmp

Filesize
3.3MB

Download
memory/2632-238-0x00007FF632470000-0x00007FF6327C1000-memory.dmp

Filesize
3.3MB

Download
memory/3144-0-0x00007FF7751F0000-0x00007FF775541000-memory.dmp

Filesize
3.3MB

Download
memory/3144-55-0x00007FF7751F0000-0x00007FF775541000-memory.dmp

Filesize
3.3MB

Download
memory/3144-1-0x000001B635340000-0x000001B635350000-memory.dmp

Filesize
64KB

Download
memory/3144-168-0x00007FF7751F0000-0x00007FF775541000-memory.dmp

Filesize
3.3MB

Download
memory/3144-143-0x00007FF7751F0000-0x00007FF775541000-memory.dmp

Filesize
3.3MB

Download
memory/3460-89-0x00007FF698B90000-0x00007FF698EE1000-memory.dmp

Filesize
3.3MB

Download
memory/3460-256-0x00007FF698B90000-0x00007FF698EE1000-memory.dmp

Filesize
3.3MB

Download
memory/3460-141-0x00007FF698B90000-0x00007FF698EE1000-memory.dmp

Filesize
3.3MB

Download
memory/3568-95-0x00007FF7B5C40000-0x00007FF7B5F91000-memory.dmp

Filesize
3.3MB

Download
memory/3568-33-0x00007FF7B5C40000-0x00007FF7B5F91000-memory.dmp

Filesize
3.3MB

Download
memory/3568-234-0x00007FF7B5C40000-0x00007FF7B5F91000-memory.dmp

Filesize
3.3MB

Download
memory/3668-88-0x00007FF7DA420000-0x00007FF7DA771000-memory.dmp

Filesize
3.3MB

Download
memory/3668-24-0x00007FF7DA420000-0x00007FF7DA771000-memory.dmp

Filesize
3.3MB

Download
memory/3668-232-0x00007FF7DA420000-0x00007FF7DA771000-memory.dmp

Filesize
3.3MB

Download
memory/3728-260-0x00007FF68E5C0000-0x00007FF68E911000-memory.dmp

Filesize
3.3MB

Download
memory/3728-142-0x00007FF68E5C0000-0x00007FF68E911000-memory.dmp

Filesize
3.3MB

Download
memory/3728-97-0x00007FF68E5C0000-0x00007FF68E911000-memory.dmp

Filesize
3.3MB

Download
memory/3836-138-0x00007FF66A940000-0x00007FF66AC91000-memory.dmp

Filesize
3.3MB

Download
memory/3836-167-0x00007FF66A940000-0x00007FF66AC91000-memory.dmp

Filesize
3.3MB

Download
memory/3836-275-0x00007FF66A940000-0x00007FF66AC91000-memory.dmp

Filesize
3.3MB

Download
memory/3928-14-0x00007FF74F930000-0x00007FF74FC81000-memory.dmp

Filesize
3.3MB

Download
memory/3928-75-0x00007FF74F930000-0x00007FF74FC81000-memory.dmp

Filesize
3.3MB

Download
memory/3928-228-0x00007FF74F930000-0x00007FF74FC81000-memory.dmp

Filesize
3.3MB

Download
memory/4028-254-0x00007FF7EF250000-0x00007FF7EF5A1000-memory.dmp

Filesize
3.3MB

Download
memory/4028-140-0x00007FF7EF250000-0x00007FF7EF5A1000-memory.dmp

Filesize
3.3MB

Download
memory/4028-82-0x00007FF7EF250000-0x00007FF7EF5A1000-memory.dmp

Filesize
3.3MB

Download
memory/4168-236-0x00007FF653BB0000-0x00007FF653F01000-memory.dmp

Filesize
3.3MB

Download
memory/4168-43-0x00007FF653BB0000-0x00007FF653F01000-memory.dmp

Filesize
3.3MB

Download
memory/4756-128-0x00007FF7F4890000-0x00007FF7F4BE1000-memory.dmp

Filesize
3.3MB

Download
memory/4756-269-0x00007FF7F4890000-0x00007FF7F4BE1000-memory.dmp

Filesize
3.3MB

Download
memory/4988-230-0x00007FF66A520000-0x00007FF66A871000-memory.dmp

Filesize
3.3MB

Download
memory/4988-81-0x00007FF66A520000-0x00007FF66A871000-memory.dmp

Filesize
3.3MB

Download
memory/4988-18-0x00007FF66A520000-0x00007FF66A871000-memory.dmp

Filesize
3.3MB

Download