cobaltstrike | a89190bae83efc59360f88d59546ddc02566b2ab268b9be67eab1719f5d017a2

Analysis

max time kernel
140s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17/12/2024, 12:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-17_e0d2c1099cd1961a619f3f63c34ba4d0_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

e0d2c1099cd1961a619f3f63c34ba4d0
SHA1

c432ee202fc21e7622c946306480007c39ebc4fa
SHA256

a89190bae83efc59360f88d59546ddc02566b2ab268b9be67eab1719f5d017a2
SHA512

4459ea5c54fe4f861a4b4de31c72f085d25e8664a658e11fc1ba4516a7f511cb6a698c5e4ee608690b5ee5221b9079e7d7d848d2abb6a8f21a7d85191fc2c09e
SSDEEP

49152:ROdWCCi7/raN56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lD:RWWBib+56utgpPFotBER/mQ32lUf

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000d000000023af9-5.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b80-10.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b84-18.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b88-32.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8d-82.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b81-96.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b92-103.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b93-107.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9c-114.dat	cobalt_reflective_dll
behavioral2/files/0x000e000000023ba3-119.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b90-100.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b91-97.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8f-80.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8e-79.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8c-74.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8b-67.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b89-55.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8a-48.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b87-43.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b86-36.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b85-24.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/3016-52-0x00007FF650EE0000-0x00007FF651231000-memory.dmp	xmrig
behavioral2/memory/2816-60-0x00007FF6A6A40000-0x00007FF6A6D91000-memory.dmp	xmrig
behavioral2/memory/4024-73-0x00007FF6C6540000-0x00007FF6C6891000-memory.dmp	xmrig
behavioral2/memory/3136-121-0x00007FF7B3CF0000-0x00007FF7B4041000-memory.dmp	xmrig
behavioral2/memory/1504-123-0x00007FF73C0F0000-0x00007FF73C441000-memory.dmp	xmrig
behavioral2/memory/2608-124-0x00007FF66DEB0000-0x00007FF66E201000-memory.dmp	xmrig
behavioral2/memory/8-125-0x00007FF774AD0000-0x00007FF774E21000-memory.dmp	xmrig
behavioral2/memory/2688-126-0x00007FF657520000-0x00007FF657871000-memory.dmp	xmrig
behavioral2/memory/3996-122-0x00007FF6B2E40000-0x00007FF6B3191000-memory.dmp	xmrig
behavioral2/memory/2992-127-0x00007FF6C1C90000-0x00007FF6C1FE1000-memory.dmp	xmrig
behavioral2/memory/4540-128-0x00007FF61A6C0000-0x00007FF61AA11000-memory.dmp	xmrig
behavioral2/memory/1712-129-0x00007FF6A4200000-0x00007FF6A4551000-memory.dmp	xmrig
behavioral2/memory/4488-130-0x00007FF621080000-0x00007FF6213D1000-memory.dmp	xmrig
behavioral2/memory/1496-131-0x00007FF613FB0000-0x00007FF614301000-memory.dmp	xmrig
behavioral2/memory/592-140-0x00007FF6F1F40000-0x00007FF6F2291000-memory.dmp	xmrig
behavioral2/memory/1128-144-0x00007FF7CD900000-0x00007FF7CDC51000-memory.dmp	xmrig
behavioral2/memory/2892-145-0x00007FF6C19A0000-0x00007FF6C1CF1000-memory.dmp	xmrig
behavioral2/memory/1272-143-0x00007FF65BC70000-0x00007FF65BFC1000-memory.dmp	xmrig
behavioral2/memory/1036-137-0x00007FF73C7B0000-0x00007FF73CB01000-memory.dmp	xmrig
behavioral2/memory/4540-132-0x00007FF61A6C0000-0x00007FF61AA11000-memory.dmp	xmrig
behavioral2/memory/2568-138-0x00007FF6085D0000-0x00007FF608921000-memory.dmp	xmrig
behavioral2/memory/1356-146-0x00007FF684AC0000-0x00007FF684E11000-memory.dmp	xmrig
behavioral2/memory/676-148-0x00007FF64E720000-0x00007FF64EA71000-memory.dmp	xmrig
behavioral2/memory/4540-155-0x00007FF61A6C0000-0x00007FF61AA11000-memory.dmp	xmrig
behavioral2/memory/1712-216-0x00007FF6A4200000-0x00007FF6A4551000-memory.dmp	xmrig
behavioral2/memory/4488-221-0x00007FF621080000-0x00007FF6213D1000-memory.dmp	xmrig
behavioral2/memory/2892-223-0x00007FF6C19A0000-0x00007FF6C1CF1000-memory.dmp	xmrig
behavioral2/memory/1496-225-0x00007FF613FB0000-0x00007FF614301000-memory.dmp	xmrig
behavioral2/memory/1036-227-0x00007FF73C7B0000-0x00007FF73CB01000-memory.dmp	xmrig
behavioral2/memory/3016-229-0x00007FF650EE0000-0x00007FF651231000-memory.dmp	xmrig
behavioral2/memory/2816-231-0x00007FF6A6A40000-0x00007FF6A6D91000-memory.dmp	xmrig
behavioral2/memory/592-233-0x00007FF6F1F40000-0x00007FF6F2291000-memory.dmp	xmrig
behavioral2/memory/4024-235-0x00007FF6C6540000-0x00007FF6C6891000-memory.dmp	xmrig
behavioral2/memory/2568-237-0x00007FF6085D0000-0x00007FF608921000-memory.dmp	xmrig
behavioral2/memory/1356-239-0x00007FF684AC0000-0x00007FF684E11000-memory.dmp	xmrig
behavioral2/memory/1272-241-0x00007FF65BC70000-0x00007FF65BFC1000-memory.dmp	xmrig
behavioral2/memory/2688-244-0x00007FF657520000-0x00007FF657871000-memory.dmp	xmrig
behavioral2/memory/1128-245-0x00007FF7CD900000-0x00007FF7CDC51000-memory.dmp	xmrig
behavioral2/memory/3136-250-0x00007FF7B3CF0000-0x00007FF7B4041000-memory.dmp	xmrig
behavioral2/memory/2992-254-0x00007FF6C1C90000-0x00007FF6C1FE1000-memory.dmp	xmrig
behavioral2/memory/3996-253-0x00007FF6B2E40000-0x00007FF6B3191000-memory.dmp	xmrig
behavioral2/memory/1504-256-0x00007FF73C0F0000-0x00007FF73C441000-memory.dmp	xmrig
behavioral2/memory/2608-260-0x00007FF66DEB0000-0x00007FF66E201000-memory.dmp	xmrig
behavioral2/memory/8-262-0x00007FF774AD0000-0x00007FF774E21000-memory.dmp	xmrig
behavioral2/memory/676-258-0x00007FF64E720000-0x00007FF64EA71000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
1712	HZhgfQy.exe
4488	IsLkkFs.exe
1496	MsGFGRN.exe
2892	hnVwRPF.exe
1036	qiRNwwM.exe
2568	QtISEuY.exe
3016	OsHyfPK.exe
592	NpoFJxM.exe
2816	iIwAfjv.exe
4024	kVcKLrn.exe
1272	BRnNwPE.exe
1128	FdILRYB.exe
1356	mighouY.exe
2688	KQhupDJ.exe
676	sHvyvUB.exe
3136	JpUKYZg.exe
2992	hEVDoGi.exe
3996	xASUCAp.exe
1504	dTHLpbZ.exe
2608	yRzWGlN.exe
8	kiHUjGB.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4540-0-0x00007FF61A6C0000-0x00007FF61AA11000-memory.dmp	upx
behavioral2/files/0x000d000000023af9-5.dat	upx
behavioral2/files/0x000b000000023b80-10.dat	upx
behavioral2/files/0x000a000000023b84-18.dat	upx
behavioral2/files/0x000a000000023b88-32.dat	upx
behavioral2/memory/3016-52-0x00007FF650EE0000-0x00007FF651231000-memory.dmp	upx
behavioral2/memory/592-59-0x00007FF6F1F40000-0x00007FF6F2291000-memory.dmp	upx
behavioral2/memory/2816-60-0x00007FF6A6A40000-0x00007FF6A6D91000-memory.dmp	upx
behavioral2/memory/2568-72-0x00007FF6085D0000-0x00007FF608921000-memory.dmp	upx
behavioral2/files/0x000a000000023b8d-82.dat	upx
behavioral2/files/0x000b000000023b81-96.dat	upx
behavioral2/files/0x000b000000023b92-103.dat	upx
behavioral2/files/0x000b000000023b93-107.dat	upx
behavioral2/files/0x000a000000023b9c-114.dat	upx
behavioral2/files/0x000e000000023ba3-119.dat	upx
behavioral2/memory/676-113-0x00007FF64E720000-0x00007FF64EA71000-memory.dmp	upx
behavioral2/files/0x000a000000023b90-100.dat	upx
behavioral2/files/0x000a000000023b91-97.dat	upx
behavioral2/memory/1128-91-0x00007FF7CD900000-0x00007FF7CDC51000-memory.dmp	upx
behavioral2/files/0x000a000000023b8f-80.dat	upx
behavioral2/files/0x000a000000023b8e-79.dat	upx
behavioral2/memory/1356-76-0x00007FF684AC0000-0x00007FF684E11000-memory.dmp	upx
behavioral2/files/0x000a000000023b8c-74.dat	upx
behavioral2/memory/4024-73-0x00007FF6C6540000-0x00007FF6C6891000-memory.dmp	upx
behavioral2/files/0x000a000000023b8b-67.dat	upx
behavioral2/memory/1272-63-0x00007FF65BC70000-0x00007FF65BFC1000-memory.dmp	upx
behavioral2/files/0x000a000000023b89-55.dat	upx
behavioral2/memory/1036-49-0x00007FF73C7B0000-0x00007FF73CB01000-memory.dmp	upx
behavioral2/files/0x000a000000023b8a-48.dat	upx
behavioral2/files/0x000a000000023b87-43.dat	upx
behavioral2/files/0x000a000000023b86-36.dat	upx
behavioral2/memory/2892-29-0x00007FF6C19A0000-0x00007FF6C1CF1000-memory.dmp	upx
behavioral2/files/0x000a000000023b85-24.dat	upx
behavioral2/memory/1496-22-0x00007FF613FB0000-0x00007FF614301000-memory.dmp	upx
behavioral2/memory/4488-19-0x00007FF621080000-0x00007FF6213D1000-memory.dmp	upx
behavioral2/memory/1712-12-0x00007FF6A4200000-0x00007FF6A4551000-memory.dmp	upx
behavioral2/memory/3136-121-0x00007FF7B3CF0000-0x00007FF7B4041000-memory.dmp	upx
behavioral2/memory/1504-123-0x00007FF73C0F0000-0x00007FF73C441000-memory.dmp	upx
behavioral2/memory/2608-124-0x00007FF66DEB0000-0x00007FF66E201000-memory.dmp	upx
behavioral2/memory/8-125-0x00007FF774AD0000-0x00007FF774E21000-memory.dmp	upx
behavioral2/memory/2688-126-0x00007FF657520000-0x00007FF657871000-memory.dmp	upx
behavioral2/memory/3996-122-0x00007FF6B2E40000-0x00007FF6B3191000-memory.dmp	upx
behavioral2/memory/2992-127-0x00007FF6C1C90000-0x00007FF6C1FE1000-memory.dmp	upx
behavioral2/memory/4540-128-0x00007FF61A6C0000-0x00007FF61AA11000-memory.dmp	upx
behavioral2/memory/1712-129-0x00007FF6A4200000-0x00007FF6A4551000-memory.dmp	upx
behavioral2/memory/4488-130-0x00007FF621080000-0x00007FF6213D1000-memory.dmp	upx
behavioral2/memory/1496-131-0x00007FF613FB0000-0x00007FF614301000-memory.dmp	upx
behavioral2/memory/592-140-0x00007FF6F1F40000-0x00007FF6F2291000-memory.dmp	upx
behavioral2/memory/1128-144-0x00007FF7CD900000-0x00007FF7CDC51000-memory.dmp	upx
behavioral2/memory/2892-145-0x00007FF6C19A0000-0x00007FF6C1CF1000-memory.dmp	upx
behavioral2/memory/1272-143-0x00007FF65BC70000-0x00007FF65BFC1000-memory.dmp	upx
behavioral2/memory/1036-137-0x00007FF73C7B0000-0x00007FF73CB01000-memory.dmp	upx
behavioral2/memory/4540-132-0x00007FF61A6C0000-0x00007FF61AA11000-memory.dmp	upx
behavioral2/memory/2568-138-0x00007FF6085D0000-0x00007FF608921000-memory.dmp	upx
behavioral2/memory/1356-146-0x00007FF684AC0000-0x00007FF684E11000-memory.dmp	upx
behavioral2/memory/676-148-0x00007FF64E720000-0x00007FF64EA71000-memory.dmp	upx
behavioral2/memory/4540-155-0x00007FF61A6C0000-0x00007FF61AA11000-memory.dmp	upx
behavioral2/memory/1712-216-0x00007FF6A4200000-0x00007FF6A4551000-memory.dmp	upx
behavioral2/memory/4488-221-0x00007FF621080000-0x00007FF6213D1000-memory.dmp	upx
behavioral2/memory/2892-223-0x00007FF6C19A0000-0x00007FF6C1CF1000-memory.dmp	upx
behavioral2/memory/1496-225-0x00007FF613FB0000-0x00007FF614301000-memory.dmp	upx
behavioral2/memory/1036-227-0x00007FF73C7B0000-0x00007FF73CB01000-memory.dmp	upx
behavioral2/memory/3016-229-0x00007FF650EE0000-0x00007FF651231000-memory.dmp	upx
behavioral2/memory/2816-231-0x00007FF6A6A40000-0x00007FF6A6D91000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\IsLkkFs.exe	2024-12-17_e0d2c1099cd1961a619f3f63c34ba4d0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hnVwRPF.exe	2024-12-17_e0d2c1099cd1961a619f3f63c34ba4d0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qiRNwwM.exe	2024-12-17_e0d2c1099cd1961a619f3f63c34ba4d0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iIwAfjv.exe	2024-12-17_e0d2c1099cd1961a619f3f63c34ba4d0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kVcKLrn.exe	2024-12-17_e0d2c1099cd1961a619f3f63c34ba4d0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KQhupDJ.exe	2024-12-17_e0d2c1099cd1961a619f3f63c34ba4d0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hEVDoGi.exe	2024-12-17_e0d2c1099cd1961a619f3f63c34ba4d0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yRzWGlN.exe	2024-12-17_e0d2c1099cd1961a619f3f63c34ba4d0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NpoFJxM.exe	2024-12-17_e0d2c1099cd1961a619f3f63c34ba4d0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JpUKYZg.exe	2024-12-17_e0d2c1099cd1961a619f3f63c34ba4d0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HZhgfQy.exe	2024-12-17_e0d2c1099cd1961a619f3f63c34ba4d0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QtISEuY.exe	2024-12-17_e0d2c1099cd1961a619f3f63c34ba4d0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xASUCAp.exe	2024-12-17_e0d2c1099cd1961a619f3f63c34ba4d0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dTHLpbZ.exe	2024-12-17_e0d2c1099cd1961a619f3f63c34ba4d0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kiHUjGB.exe	2024-12-17_e0d2c1099cd1961a619f3f63c34ba4d0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MsGFGRN.exe	2024-12-17_e0d2c1099cd1961a619f3f63c34ba4d0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OsHyfPK.exe	2024-12-17_e0d2c1099cd1961a619f3f63c34ba4d0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BRnNwPE.exe	2024-12-17_e0d2c1099cd1961a619f3f63c34ba4d0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FdILRYB.exe	2024-12-17_e0d2c1099cd1961a619f3f63c34ba4d0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mighouY.exe	2024-12-17_e0d2c1099cd1961a619f3f63c34ba4d0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sHvyvUB.exe	2024-12-17_e0d2c1099cd1961a619f3f63c34ba4d0_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4540	2024-12-17_e0d2c1099cd1961a619f3f63c34ba4d0_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4540	2024-12-17_e0d2c1099cd1961a619f3f63c34ba4d0_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4540 wrote to memory of 1712	4540	2024-12-17_e0d2c1099cd1961a619f3f63c34ba4d0_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4540 wrote to memory of 1712	4540	2024-12-17_e0d2c1099cd1961a619f3f63c34ba4d0_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4540 wrote to memory of 4488	4540	2024-12-17_e0d2c1099cd1961a619f3f63c34ba4d0_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4540 wrote to memory of 4488	4540	2024-12-17_e0d2c1099cd1961a619f3f63c34ba4d0_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4540 wrote to memory of 1496	4540	2024-12-17_e0d2c1099cd1961a619f3f63c34ba4d0_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4540 wrote to memory of 1496	4540	2024-12-17_e0d2c1099cd1961a619f3f63c34ba4d0_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4540 wrote to memory of 2892	4540	2024-12-17_e0d2c1099cd1961a619f3f63c34ba4d0_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4540 wrote to memory of 2892	4540	2024-12-17_e0d2c1099cd1961a619f3f63c34ba4d0_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4540 wrote to memory of 1036	4540	2024-12-17_e0d2c1099cd1961a619f3f63c34ba4d0_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4540 wrote to memory of 1036	4540	2024-12-17_e0d2c1099cd1961a619f3f63c34ba4d0_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4540 wrote to memory of 2568	4540	2024-12-17_e0d2c1099cd1961a619f3f63c34ba4d0_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4540 wrote to memory of 2568	4540	2024-12-17_e0d2c1099cd1961a619f3f63c34ba4d0_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4540 wrote to memory of 3016	4540	2024-12-17_e0d2c1099cd1961a619f3f63c34ba4d0_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4540 wrote to memory of 3016	4540	2024-12-17_e0d2c1099cd1961a619f3f63c34ba4d0_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4540 wrote to memory of 592	4540	2024-12-17_e0d2c1099cd1961a619f3f63c34ba4d0_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4540 wrote to memory of 592	4540	2024-12-17_e0d2c1099cd1961a619f3f63c34ba4d0_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4540 wrote to memory of 2816	4540	2024-12-17_e0d2c1099cd1961a619f3f63c34ba4d0_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4540 wrote to memory of 2816	4540	2024-12-17_e0d2c1099cd1961a619f3f63c34ba4d0_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4540 wrote to memory of 4024	4540	2024-12-17_e0d2c1099cd1961a619f3f63c34ba4d0_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4540 wrote to memory of 4024	4540	2024-12-17_e0d2c1099cd1961a619f3f63c34ba4d0_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4540 wrote to memory of 1272	4540	2024-12-17_e0d2c1099cd1961a619f3f63c34ba4d0_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4540 wrote to memory of 1272	4540	2024-12-17_e0d2c1099cd1961a619f3f63c34ba4d0_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4540 wrote to memory of 1128	4540	2024-12-17_e0d2c1099cd1961a619f3f63c34ba4d0_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4540 wrote to memory of 1128	4540	2024-12-17_e0d2c1099cd1961a619f3f63c34ba4d0_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4540 wrote to memory of 1356	4540	2024-12-17_e0d2c1099cd1961a619f3f63c34ba4d0_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4540 wrote to memory of 1356	4540	2024-12-17_e0d2c1099cd1961a619f3f63c34ba4d0_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4540 wrote to memory of 2688	4540	2024-12-17_e0d2c1099cd1961a619f3f63c34ba4d0_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4540 wrote to memory of 2688	4540	2024-12-17_e0d2c1099cd1961a619f3f63c34ba4d0_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4540 wrote to memory of 676	4540	2024-12-17_e0d2c1099cd1961a619f3f63c34ba4d0_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4540 wrote to memory of 676	4540	2024-12-17_e0d2c1099cd1961a619f3f63c34ba4d0_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4540 wrote to memory of 3136	4540	2024-12-17_e0d2c1099cd1961a619f3f63c34ba4d0_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4540 wrote to memory of 3136	4540	2024-12-17_e0d2c1099cd1961a619f3f63c34ba4d0_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4540 wrote to memory of 2992	4540	2024-12-17_e0d2c1099cd1961a619f3f63c34ba4d0_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4540 wrote to memory of 2992	4540	2024-12-17_e0d2c1099cd1961a619f3f63c34ba4d0_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4540 wrote to memory of 3996	4540	2024-12-17_e0d2c1099cd1961a619f3f63c34ba4d0_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4540 wrote to memory of 3996	4540	2024-12-17_e0d2c1099cd1961a619f3f63c34ba4d0_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4540 wrote to memory of 1504	4540	2024-12-17_e0d2c1099cd1961a619f3f63c34ba4d0_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4540 wrote to memory of 1504	4540	2024-12-17_e0d2c1099cd1961a619f3f63c34ba4d0_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4540 wrote to memory of 2608	4540	2024-12-17_e0d2c1099cd1961a619f3f63c34ba4d0_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 4540 wrote to memory of 2608	4540	2024-12-17_e0d2c1099cd1961a619f3f63c34ba4d0_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 4540 wrote to memory of 8	4540	2024-12-17_e0d2c1099cd1961a619f3f63c34ba4d0_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 4540 wrote to memory of 8	4540	2024-12-17_e0d2c1099cd1961a619f3f63c34ba4d0_cobalt-strike_cobaltstrike_poet-rat.exe	106

C:\Users\Admin\AppData\Local\Temp\2024-12-17_e0d2c1099cd1961a619f3f63c34ba4d0_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-17_e0d2c1099cd1961a619f3f63c34ba4d0_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4540
- C:\Windows\System\HZhgfQy.exe
  C:\Windows\System\HZhgfQy.exe
  2⤵
  - Executes dropped EXE
  PID:1712
- C:\Windows\System\IsLkkFs.exe
  C:\Windows\System\IsLkkFs.exe
  2⤵
  - Executes dropped EXE
  PID:4488
- C:\Windows\System\MsGFGRN.exe
  C:\Windows\System\MsGFGRN.exe
  2⤵
  - Executes dropped EXE
  PID:1496
- C:\Windows\System\hnVwRPF.exe
  C:\Windows\System\hnVwRPF.exe
  2⤵
  - Executes dropped EXE
  PID:2892
- C:\Windows\System\qiRNwwM.exe
  C:\Windows\System\qiRNwwM.exe
  2⤵
  - Executes dropped EXE
  PID:1036
- C:\Windows\System\QtISEuY.exe
  C:\Windows\System\QtISEuY.exe
  2⤵
  - Executes dropped EXE
  PID:2568
- C:\Windows\System\OsHyfPK.exe
  C:\Windows\System\OsHyfPK.exe
  2⤵
  - Executes dropped EXE
  PID:3016
- C:\Windows\System\NpoFJxM.exe
  C:\Windows\System\NpoFJxM.exe
  2⤵
  - Executes dropped EXE
  PID:592
- C:\Windows\System\iIwAfjv.exe
  C:\Windows\System\iIwAfjv.exe
  2⤵
  - Executes dropped EXE
  PID:2816
- C:\Windows\System\kVcKLrn.exe
  C:\Windows\System\kVcKLrn.exe
  2⤵
  - Executes dropped EXE
  PID:4024
- C:\Windows\System\BRnNwPE.exe
  C:\Windows\System\BRnNwPE.exe
  2⤵
  - Executes dropped EXE
  PID:1272
- C:\Windows\System\FdILRYB.exe
  C:\Windows\System\FdILRYB.exe
  2⤵
  - Executes dropped EXE
  PID:1128
- C:\Windows\System\mighouY.exe
  C:\Windows\System\mighouY.exe
  2⤵
  - Executes dropped EXE
  PID:1356
- C:\Windows\System\KQhupDJ.exe
  C:\Windows\System\KQhupDJ.exe
  2⤵
  - Executes dropped EXE
  PID:2688
- C:\Windows\System\sHvyvUB.exe
  C:\Windows\System\sHvyvUB.exe
  2⤵
  - Executes dropped EXE
  PID:676
- C:\Windows\System\JpUKYZg.exe
  C:\Windows\System\JpUKYZg.exe
  2⤵
  - Executes dropped EXE
  PID:3136
- C:\Windows\System\hEVDoGi.exe
  C:\Windows\System\hEVDoGi.exe
  2⤵
  - Executes dropped EXE
  PID:2992
- C:\Windows\System\xASUCAp.exe
  C:\Windows\System\xASUCAp.exe
  2⤵
  - Executes dropped EXE
  PID:3996
- C:\Windows\System\dTHLpbZ.exe
  C:\Windows\System\dTHLpbZ.exe
  2⤵
  - Executes dropped EXE
  PID:1504
- C:\Windows\System\yRzWGlN.exe
  C:\Windows\System\yRzWGlN.exe
  2⤵
  - Executes dropped EXE
  PID:2608
- C:\Windows\System\kiHUjGB.exe
  C:\Windows\System\kiHUjGB.exe
  2⤵
  - Executes dropped EXE
  PID:8

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BRnNwPE.exe

Filesize
5.2MB

MD5
0e08588332a7ddb5c392710ed9470167

SHA1
d9b80fe0961e80fb0d95ed535416f90f1e363136

SHA256
f38fec89bcb5d195c2c4f433f1a19405c82ad0bcc72ab6783b10afc626e1ff81

SHA512
a0d8a780655e1983d14ded228293d10ec359af0c42dd66b303cf1bffa1721fc13c94bcf53976052aece6780a182ac437df4cb6fedde828abd32d2dfa96a0154f

Download Submit
C:\Windows\System\FdILRYB.exe

Filesize
5.2MB

MD5
487970afcd55f657a78773243e673cc9

SHA1
1c0fb919e41d6112a484abd938e7ec5e5802cb64

SHA256
29b46483fa0d79c18faf9825082255cd22725b4a23aef12614d7ba944e58a91e

SHA512
a55d4faf83f1fc5b8c480c105e0d3ebce06bfb0f2303744bcef416f5bfd3d0686fff558067e0dd096ce50a6e4fcd68219932bcbb85234f5f1fb6a90323c86efe

Download Submit
C:\Windows\System\HZhgfQy.exe

Filesize
5.2MB

MD5
de3d26774d10ced1088dcb67fdaa140e

SHA1
572982cb9cfa7903720e6c2f83412cb6467b691c

SHA256
78c86f8173ca45d2296f5c2d3ea0a8b938f82db6376fc7d5b338d64f26ab93ab

SHA512
7030ec968cc3e72748cf311fadc978d810cafa9590ef82b5b0d23fcd7c313059bc1320e9f3e9a0ea57925ec32aed1b46392b40bc567fbd17c671d6135a5ddb9c

Download Submit
C:\Windows\System\IsLkkFs.exe

Filesize
5.2MB

MD5
74934931b009ebad282430096d3c1fbb

SHA1
4145268da6164cfb7d3b80f07fec3d01a052c4dc

SHA256
660dedaa39ce0d7c21f8a1ea3db8e7ac6fbf6f94eed98e34a84ad3163f76337e

SHA512
90d1b465cc60f24025edb43ac2303db7a67799485f102b6faf2794a5a49bba57df9b772f4f7a18712ec1c008a90a0472b2570bc93e89e4654986684e65d720f6

Download Submit
C:\Windows\System\JpUKYZg.exe

Filesize
5.2MB

MD5
e463fac387286d233bf83e82404b3c9b

SHA1
393532c799cfc844d96876800ae6517f29b99ea9

SHA256
fd95de4abe781f10f5972c460c96057353e5bdc8e99e184922411ca594e6287f

SHA512
08677f63c24ca5d6b7e9b47598b8e478df7283ea9931c06fa39b5d7b0b6d87a6308884376d867370501e9d11d42f8510b7352d197c26bbff0674f6d394ad406f

Download Submit
C:\Windows\System\KQhupDJ.exe

Filesize
5.2MB

MD5
52a3b86e2ab24999bb1e95d0c3f0ed31

SHA1
d14e49c5c303855c6c507ff64b46b56faf36db79

SHA256
df4a4f6cb6ad17303ba941be143219cf5553402f2ccbeb4538d2f7ac585b6fb9

SHA512
344d6bfd6599c3c997d80e7ceaf7a5399dceab1fa56823c1e3dd204460580ee9d3f30b2622d7243b611bb1a9499f3ad595e5ce7de0a399a9d07e16471bb57af7

Download Submit
C:\Windows\System\MsGFGRN.exe

Filesize
5.2MB

MD5
36a731efd9bb90c69b206a8a3a0d69d6

SHA1
48c6c4b86bea8f0b2568bd26df30fa570860fe5e

SHA256
9ae5987a097ffa00189683c19387fc7f7953e6f3b548e1877446ef531702e95b

SHA512
bdc6cbc1c9f5bd33f2469903a308fb117b98029f3c1973a2d905320988cb01b7c4d5ae4471bfd26b7a8486061ff24a9ecb73e6c122bffe85f60f2ad86adbbfbf

Download Submit
C:\Windows\System\NpoFJxM.exe

Filesize
5.2MB

MD5
2acc48ac34066849888a9cd26cc92c44

SHA1
039b2cf926951af3aa269136d13fedaa3328eaca

SHA256
224a4043bac23ef49ef18bb9cf182d5213c05ec187e8753e340d9b4ff40235ca

SHA512
76e217f557ab1e8aa6fdeb9794d0b4dabf99ad67755df157f08432bd2f71f4fee744438242f077c1fe45521cbaec8f9aafeeabead834a77e634db7783e274a1f

Download Submit
C:\Windows\System\OsHyfPK.exe

Filesize
5.2MB

MD5
bc73860f0c986fddc5d5d752977ff9c0

SHA1
45a07abd31b040a3830f640bc7ce629053b7a4ef

SHA256
16315ec747796bacd2f03fce7cc4db273d1f74b21e6d1f85cca491ad71f631f8

SHA512
c75756fa4e158895ac80ffced3dc157c752478eb7e607d46f9b929d298b59cd0398a06d356e0cca747d2d71b440db746b4bf54de837e58764e58af7b0ff44d89

Download Submit
C:\Windows\System\QtISEuY.exe

Filesize
5.2MB

MD5
d659572e1bd3b7901797cc9064116510

SHA1
43b740e7541b5ad3fc0cbe3de05d1dcc71d0dddc

SHA256
0bc5687d86138fad9b01030834d8c04cd881dba2ada11a63b229aa953e159f25

SHA512
225456090afcbac3bb2e2cb0c424cee70f75c3765f2fde03f1a3db55b33b9a5a8d807ce4e570d98ff3fe80351bc183337bee89f1a18225c97b2ee73b35fb9894

Download Submit
C:\Windows\System\dTHLpbZ.exe

Filesize
5.2MB

MD5
f6f292fe5cc7c5d8bbfa6c23cc86df0a

SHA1
11ce211d81ccf15158b8a735a0e9956a52107be2

SHA256
56c5009e607917afa5e0681142be8761afbe39a45a16c23f34468c1278f73238

SHA512
45ccc5bf702cafa336674484fdf60810e498a3b76f4f7be5de735be458bb6462a9ac31a0b11fc7c709f8a868b34f5bf5376b74b7afdd3f9053fadc15dc1bd116

Download Submit
C:\Windows\System\hEVDoGi.exe

Filesize
5.2MB

MD5
2a154ef2535df9345d0a8c0485068093

SHA1
3221cfdc4b6eeedd15179c5169822c12a2be29c7

SHA256
2ef94ff83fc9407f55ae152439c60ea481f643e98d5d47ad52cd1d892abe8bad

SHA512
7a9ec9e00ee6e40ea1734cdf3b0f3159b8155a8aa20df9569f1f08b52b3a40652a60c4f3151b58d5c238c5b89f46e1a13268ffbd2346bd116a548cf3fa66dc74

Download Submit
C:\Windows\System\hnVwRPF.exe

Filesize
5.2MB

MD5
00e1dab3d8b3b7502d63ba8ce04694fd

SHA1
d7aff87f6e8f7bb950650d354b17fe3662585e2c

SHA256
a2b8a7f572d2d6e204880568833d02e1d2788f79ec5dfe899ffb0c70718c1ccd

SHA512
4c8765ab4e61cda55d4208d9ad3f3fe4cae36fe7b8b5e9a2c914d701ae15f7eeb896084434ca5514e65f47a6b041c16e18a9361da2b7223ae7640dc76fe2d97c

Download Submit
C:\Windows\System\iIwAfjv.exe

Filesize
5.2MB

MD5
8345c71ee34af4dae2b4f7949943e64a

SHA1
490e05ece5b36fc0b3faeb7cc775c2858275f5e1

SHA256
eeff53e1f329edc1acb053b20d1140810c7bf7c0bfccc66fb5a43d0bf3a34547

SHA512
003cd7c32f2b15774062352f126989a13c6a6062c39e04b9b87f4e02525b6b400ce0994030ce937d683a666e2bf5cb18d464b0c1f6aea455b3d59b3773dfd1ce

Download Submit
C:\Windows\System\kVcKLrn.exe

Filesize
5.2MB

MD5
9a8e8b2781c2860f571f468413d7f2d3

SHA1
e8df6eed70600f757b03b53d4564955f804a2711

SHA256
9acbdee14b322dfe52a16c5b13c3d13b9d52fce900ac1cad243e5a0b8ed446d8

SHA512
3908807c9a07846045877e0b80b061fb0ec0ec196d9deaa3afc4278d78f62fbbe2768c139add3acbb3c6ce6e17001dcbf24e6497dce4f695c594b9741d6bd1ec

Download Submit
C:\Windows\System\kiHUjGB.exe

Filesize
5.2MB

MD5
a40c48f75771280ebb2333ebef3ad09d

SHA1
91b7944f76bfecf3b177adb08f050c14d5cb456d

SHA256
7561b9931b7b856c5fa451c0ee1cb0c58e6056447f82fc7b824b51cf6d4ee308

SHA512
17af8084fdbfe8a434bca65d98a99bdf091a72c749e477cfebab41ecb320a9c681e577099365b2a09cc5832420596ffb78864172083b8c90f87efce286490e90

Download Submit
C:\Windows\System\mighouY.exe

Filesize
5.2MB

MD5
69b528378e9804d81e20ebab8a9dad40

SHA1
97e96ae84b330c9fd2051f8dc17ea6adf36ccf81

SHA256
7c0892b0a61a357ca551bdedb59f1d5034604f758835eeb613f4045c80bc3c6b

SHA512
4eb94b7b41a92afc93d08dfeb6e61940a816162349f09bae699617cb17cbf68dfa9f1a072a72290ee7d049b8974e4e098939cfeabbac9001e2bd3a78b28e0a60

Download Submit
C:\Windows\System\qiRNwwM.exe

Filesize
5.2MB

MD5
c8448ff7f67a06757847739dd53213d6

SHA1
03534c93204d975c0e35b5e316928a06da85c726

SHA256
407bae896604835516a08ba0cb5072e0f6d8f0323c20480557e71efb948d21fc

SHA512
cddd6e0ff2509c61f93595d5c932ee95f71b527b0b660c333bdd8ebe45899c78248b36b3cd6e76662e680534248f617f2df885db035b20f7791ae10cf1dc2982

Download Submit
C:\Windows\System\sHvyvUB.exe

Filesize
5.2MB

MD5
990637a3e9684331e9380371a79f0125

SHA1
1e8aa23b37786b9149ad6331a3ed64f3e4fefca6

SHA256
03055c6da75ae7432763c44ae93713449a81ccb27c0ac5a448f72a63173e6be5

SHA512
6f94ac5f0856c3baf08ba0d85a7a9f8f84163c701cd202f97936e3ee9742cf8a8aca8332a2cde56e7437b217c0886f3b37fd9ba250c75fedfb125ae321227984

Download Submit
C:\Windows\System\xASUCAp.exe

Filesize
5.2MB

MD5
6606f036d36eb18b98be83ca8532a6bf

SHA1
93475c1b1776f1e90a978298890446e7d1bbbf32

SHA256
65ebf441f28a936b42e6e0b639f37eabb6ac325024071cc8d24c170b4d5fa06c

SHA512
23d657359ee96b8815a5cb4c946bbb3de49c13d142b004705508c702f0f916660f6691c5b8e029807cbe1fee2cad491d0601bca6bd1fa0acafe9b71bb1abc9b2

Download Submit
C:\Windows\System\yRzWGlN.exe

Filesize
5.2MB

MD5
fb005b5b74ef7db970321681bb1b37f5

SHA1
dde1b28d34c91e6cf3139262221bd15f81180c73

SHA256
302e2de2e63277dbb39f463e000a45e93b95d6616538eb95255d7f1db60a6e59

SHA512
e80e9e699423785e9b88dc517a36be7aa163a76a0cd391b1f3793d64027ae1f4842df623a788c0c80ec0717fc8e3ad6d24bac2e2e708c2e6d53748d03afafb58

Download Submit
memory/8-262-0x00007FF774AD0000-0x00007FF774E21000-memory.dmp

Filesize
3.3MB

Download
memory/8-125-0x00007FF774AD0000-0x00007FF774E21000-memory.dmp

Filesize
3.3MB

Download
memory/592-59-0x00007FF6F1F40000-0x00007FF6F2291000-memory.dmp

Filesize
3.3MB

Download
memory/592-140-0x00007FF6F1F40000-0x00007FF6F2291000-memory.dmp

Filesize
3.3MB

Download
memory/592-233-0x00007FF6F1F40000-0x00007FF6F2291000-memory.dmp

Filesize
3.3MB

Download
memory/676-258-0x00007FF64E720000-0x00007FF64EA71000-memory.dmp

Filesize
3.3MB

Download
memory/676-113-0x00007FF64E720000-0x00007FF64EA71000-memory.dmp

Filesize
3.3MB

Download
memory/676-148-0x00007FF64E720000-0x00007FF64EA71000-memory.dmp

Filesize
3.3MB

Download
memory/1036-137-0x00007FF73C7B0000-0x00007FF73CB01000-memory.dmp

Filesize
3.3MB

Download
memory/1036-49-0x00007FF73C7B0000-0x00007FF73CB01000-memory.dmp

Filesize
3.3MB

Download
memory/1036-227-0x00007FF73C7B0000-0x00007FF73CB01000-memory.dmp

Filesize
3.3MB

Download
memory/1128-91-0x00007FF7CD900000-0x00007FF7CDC51000-memory.dmp

Filesize
3.3MB

Download
memory/1128-144-0x00007FF7CD900000-0x00007FF7CDC51000-memory.dmp

Filesize
3.3MB

Download
memory/1128-245-0x00007FF7CD900000-0x00007FF7CDC51000-memory.dmp

Filesize
3.3MB

Download
memory/1272-241-0x00007FF65BC70000-0x00007FF65BFC1000-memory.dmp

Filesize
3.3MB

Download
memory/1272-63-0x00007FF65BC70000-0x00007FF65BFC1000-memory.dmp

Filesize
3.3MB

Download
memory/1272-143-0x00007FF65BC70000-0x00007FF65BFC1000-memory.dmp

Filesize
3.3MB

Download
memory/1356-239-0x00007FF684AC0000-0x00007FF684E11000-memory.dmp

Filesize
3.3MB

Download
memory/1356-146-0x00007FF684AC0000-0x00007FF684E11000-memory.dmp

Filesize
3.3MB

Download
memory/1356-76-0x00007FF684AC0000-0x00007FF684E11000-memory.dmp

Filesize
3.3MB

Download
memory/1496-22-0x00007FF613FB0000-0x00007FF614301000-memory.dmp

Filesize
3.3MB

Download
memory/1496-225-0x00007FF613FB0000-0x00007FF614301000-memory.dmp

Filesize
3.3MB

Download
memory/1496-131-0x00007FF613FB0000-0x00007FF614301000-memory.dmp

Filesize
3.3MB

Download
memory/1504-123-0x00007FF73C0F0000-0x00007FF73C441000-memory.dmp

Filesize
3.3MB

Download
memory/1504-256-0x00007FF73C0F0000-0x00007FF73C441000-memory.dmp

Filesize
3.3MB

Download
memory/1712-216-0x00007FF6A4200000-0x00007FF6A4551000-memory.dmp

Filesize
3.3MB

Download
memory/1712-129-0x00007FF6A4200000-0x00007FF6A4551000-memory.dmp

Filesize
3.3MB

Download
memory/1712-12-0x00007FF6A4200000-0x00007FF6A4551000-memory.dmp

Filesize
3.3MB

Download
memory/2568-138-0x00007FF6085D0000-0x00007FF608921000-memory.dmp

Filesize
3.3MB

Download
memory/2568-72-0x00007FF6085D0000-0x00007FF608921000-memory.dmp

Filesize
3.3MB

Download
memory/2568-237-0x00007FF6085D0000-0x00007FF608921000-memory.dmp

Filesize
3.3MB

Download
memory/2608-260-0x00007FF66DEB0000-0x00007FF66E201000-memory.dmp

Filesize
3.3MB

Download
memory/2608-124-0x00007FF66DEB0000-0x00007FF66E201000-memory.dmp

Filesize
3.3MB

Download
memory/2688-126-0x00007FF657520000-0x00007FF657871000-memory.dmp

Filesize
3.3MB

Download
memory/2688-244-0x00007FF657520000-0x00007FF657871000-memory.dmp

Filesize
3.3MB

Download
memory/2816-231-0x00007FF6A6A40000-0x00007FF6A6D91000-memory.dmp

Filesize
3.3MB

Download
memory/2816-60-0x00007FF6A6A40000-0x00007FF6A6D91000-memory.dmp

Filesize
3.3MB

Download
memory/2892-145-0x00007FF6C19A0000-0x00007FF6C1CF1000-memory.dmp

Filesize
3.3MB

Download
memory/2892-29-0x00007FF6C19A0000-0x00007FF6C1CF1000-memory.dmp

Filesize
3.3MB

Download
memory/2892-223-0x00007FF6C19A0000-0x00007FF6C1CF1000-memory.dmp

Filesize
3.3MB

Download
memory/2992-254-0x00007FF6C1C90000-0x00007FF6C1FE1000-memory.dmp

Filesize
3.3MB

Download
memory/2992-127-0x00007FF6C1C90000-0x00007FF6C1FE1000-memory.dmp

Filesize
3.3MB

Download
memory/3016-229-0x00007FF650EE0000-0x00007FF651231000-memory.dmp

Filesize
3.3MB

Download
memory/3016-52-0x00007FF650EE0000-0x00007FF651231000-memory.dmp

Filesize
3.3MB

Download
memory/3136-250-0x00007FF7B3CF0000-0x00007FF7B4041000-memory.dmp

Filesize
3.3MB

Download
memory/3136-121-0x00007FF7B3CF0000-0x00007FF7B4041000-memory.dmp

Filesize
3.3MB

Download
memory/3996-122-0x00007FF6B2E40000-0x00007FF6B3191000-memory.dmp

Filesize
3.3MB

Download
memory/3996-253-0x00007FF6B2E40000-0x00007FF6B3191000-memory.dmp

Filesize
3.3MB

Download
memory/4024-235-0x00007FF6C6540000-0x00007FF6C6891000-memory.dmp

Filesize
3.3MB

Download
memory/4024-73-0x00007FF6C6540000-0x00007FF6C6891000-memory.dmp

Filesize
3.3MB

Download
memory/4488-130-0x00007FF621080000-0x00007FF6213D1000-memory.dmp

Filesize
3.3MB

Download
memory/4488-221-0x00007FF621080000-0x00007FF6213D1000-memory.dmp

Filesize
3.3MB

Download
memory/4488-19-0x00007FF621080000-0x00007FF6213D1000-memory.dmp

Filesize
3.3MB

Download
memory/4540-0-0x00007FF61A6C0000-0x00007FF61AA11000-memory.dmp

Filesize
3.3MB

Download
memory/4540-155-0x00007FF61A6C0000-0x00007FF61AA11000-memory.dmp

Filesize
3.3MB

Download
memory/4540-132-0x00007FF61A6C0000-0x00007FF61AA11000-memory.dmp

Filesize
3.3MB

Download
memory/4540-128-0x00007FF61A6C0000-0x00007FF61AA11000-memory.dmp

Filesize
3.3MB

Download
memory/4540-1-0x000001F8F1D30000-0x000001F8F1D40000-memory.dmp

Filesize
64KB

Download