cobaltstrike | 966bf2153454ac38d964b05edbcf92bcdfeaf3795093405986fcbb9554c4389e

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-12-2024 12:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

0cb672eaa35f77f9841998cdb3d16b23
SHA1

9f316a9b75072a6eff4e13a45efbb6058c2fdcc7
SHA256

966bf2153454ac38d964b05edbcf92bcdfeaf3795093405986fcbb9554c4389e
SHA512

9fb52256028956cab1c01ddd3cb965519e0ccd858c73aa679c8e42b556ec062f4486e8b8041b4c05a21d167b2634a90e3a5347557f2077fedad3fbc0aca1f3f0
SSDEEP

49152:ROdWCCi7/raN56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lb:RWWBib+56utgpPFotBER/mQ32lUH

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000c000000023b23-5.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b81-18.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b82-30.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b84-41.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8a-58.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8c-70.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8b-87.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b90-98.dat	cobalt_reflective_dll
behavioral2/files/0x000c000000023b7b-107.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b93-122.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b92-120.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b91-118.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8f-95.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8e-89.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8d-85.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b89-66.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b86-54.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b87-50.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b85-46.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b88-52.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b83-33.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/2052-93-0x00007FF729690000-0x00007FF7299E1000-memory.dmp	xmrig
behavioral2/memory/3512-103-0x00007FF69C350000-0x00007FF69C6A1000-memory.dmp	xmrig
behavioral2/memory/184-104-0x00007FF7CC700000-0x00007FF7CCA51000-memory.dmp	xmrig
behavioral2/memory/1236-102-0x00007FF77BFF0000-0x00007FF77C341000-memory.dmp	xmrig
behavioral2/memory/1624-101-0x00007FF7E3760000-0x00007FF7E3AB1000-memory.dmp	xmrig
behavioral2/memory/3792-100-0x00007FF7FD820000-0x00007FF7FDB71000-memory.dmp	xmrig
behavioral2/memory/1228-97-0x00007FF7B2100000-0x00007FF7B2451000-memory.dmp	xmrig
behavioral2/memory/5000-94-0x00007FF798A10000-0x00007FF798D61000-memory.dmp	xmrig
behavioral2/memory/4428-91-0x00007FF6424B0000-0x00007FF642801000-memory.dmp	xmrig
behavioral2/memory/3068-79-0x00007FF6D4BF0000-0x00007FF6D4F41000-memory.dmp	xmrig
behavioral2/memory/5008-71-0x00007FF781530000-0x00007FF781881000-memory.dmp	xmrig
behavioral2/memory/2148-62-0x00007FF7D7CC0000-0x00007FF7D8011000-memory.dmp	xmrig
behavioral2/memory/5060-127-0x00007FF7F9450000-0x00007FF7F97A1000-memory.dmp	xmrig
behavioral2/memory/4460-126-0x00007FF7B3A70000-0x00007FF7B3DC1000-memory.dmp	xmrig
behavioral2/memory/1240-132-0x00007FF798DB0000-0x00007FF799101000-memory.dmp	xmrig
behavioral2/memory/4928-125-0x00007FF68C630000-0x00007FF68C981000-memory.dmp	xmrig
behavioral2/memory/548-129-0x00007FF625530000-0x00007FF625881000-memory.dmp	xmrig
behavioral2/memory/3428-144-0x00007FF75B240000-0x00007FF75B591000-memory.dmp	xmrig
behavioral2/memory/4000-148-0x00007FF7FB9E0000-0x00007FF7FBD31000-memory.dmp	xmrig
behavioral2/memory/3584-147-0x00007FF676650000-0x00007FF6769A1000-memory.dmp	xmrig
behavioral2/memory/2460-143-0x00007FF6E0F50000-0x00007FF6E12A1000-memory.dmp	xmrig
behavioral2/memory/4716-131-0x00007FF7A1E70000-0x00007FF7A21C1000-memory.dmp	xmrig
behavioral2/memory/4928-149-0x00007FF68C630000-0x00007FF68C981000-memory.dmp	xmrig
behavioral2/memory/4928-150-0x00007FF68C630000-0x00007FF68C981000-memory.dmp	xmrig
behavioral2/memory/4460-206-0x00007FF7B3A70000-0x00007FF7B3DC1000-memory.dmp	xmrig
behavioral2/memory/5060-208-0x00007FF7F9450000-0x00007FF7F97A1000-memory.dmp	xmrig
behavioral2/memory/5008-210-0x00007FF781530000-0x00007FF781881000-memory.dmp	xmrig
behavioral2/memory/548-212-0x00007FF625530000-0x00007FF625881000-memory.dmp	xmrig
behavioral2/memory/3068-231-0x00007FF6D4BF0000-0x00007FF6D4F41000-memory.dmp	xmrig
behavioral2/memory/4716-230-0x00007FF7A1E70000-0x00007FF7A21C1000-memory.dmp	xmrig
behavioral2/memory/2148-228-0x00007FF7D7CC0000-0x00007FF7D8011000-memory.dmp	xmrig
behavioral2/memory/1240-226-0x00007FF798DB0000-0x00007FF799101000-memory.dmp	xmrig
behavioral2/memory/1236-239-0x00007FF77BFF0000-0x00007FF77C341000-memory.dmp	xmrig
behavioral2/memory/3792-249-0x00007FF7FD820000-0x00007FF7FDB71000-memory.dmp	xmrig
behavioral2/memory/1624-248-0x00007FF7E3760000-0x00007FF7E3AB1000-memory.dmp	xmrig
behavioral2/memory/3512-246-0x00007FF69C350000-0x00007FF69C6A1000-memory.dmp	xmrig
behavioral2/memory/4428-244-0x00007FF6424B0000-0x00007FF642801000-memory.dmp	xmrig
behavioral2/memory/184-238-0x00007FF7CC700000-0x00007FF7CCA51000-memory.dmp	xmrig
behavioral2/memory/2052-235-0x00007FF729690000-0x00007FF7299E1000-memory.dmp	xmrig
behavioral2/memory/5000-234-0x00007FF798A10000-0x00007FF798D61000-memory.dmp	xmrig
behavioral2/memory/1228-241-0x00007FF7B2100000-0x00007FF7B2451000-memory.dmp	xmrig
behavioral2/memory/3428-255-0x00007FF75B240000-0x00007FF75B591000-memory.dmp	xmrig
behavioral2/memory/3584-257-0x00007FF676650000-0x00007FF6769A1000-memory.dmp	xmrig
behavioral2/memory/4000-253-0x00007FF7FB9E0000-0x00007FF7FBD31000-memory.dmp	xmrig
behavioral2/memory/2460-256-0x00007FF6E0F50000-0x00007FF6E12A1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4460	hsrbOIv.exe
5060	qMLOAyF.exe
5008	RXZUmdj.exe
548	INogMBB.exe
3068	BXgjQyv.exe
4716	IUOEVAq.exe
4428	fCgGVpB.exe
1240	OEKrVMR.exe
2148	aEhXMFa.exe
2052	XsIONfp.exe
5000	WbbvQBv.exe
1228	HSQVQdD.exe
1236	fjgvjTl.exe
3792	SnHMaBS.exe
1624	RpbtXte.exe
3512	IOlYuCq.exe
184	zrhMeyn.exe
2460	iVTgEMf.exe
3428	TKyxEIB.exe
3584	RpQZibT.exe
4000	LjPikKH.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4928-0-0x00007FF68C630000-0x00007FF68C981000-memory.dmp	upx
behavioral2/files/0x000c000000023b23-5.dat	upx
behavioral2/memory/4460-7-0x00007FF7B3A70000-0x00007FF7B3DC1000-memory.dmp	upx
behavioral2/files/0x000a000000023b81-18.dat	upx
behavioral2/memory/548-27-0x00007FF625530000-0x00007FF625881000-memory.dmp	upx
behavioral2/files/0x000a000000023b82-30.dat	upx
behavioral2/files/0x000a000000023b84-41.dat	upx
behavioral2/files/0x000a000000023b8a-58.dat	upx
behavioral2/files/0x000a000000023b8c-70.dat	upx
behavioral2/files/0x000a000000023b8b-87.dat	upx
behavioral2/memory/2052-93-0x00007FF729690000-0x00007FF7299E1000-memory.dmp	upx
behavioral2/files/0x000a000000023b90-98.dat	upx
behavioral2/memory/3512-103-0x00007FF69C350000-0x00007FF69C6A1000-memory.dmp	upx
behavioral2/files/0x000c000000023b7b-107.dat	upx
behavioral2/files/0x000a000000023b93-122.dat	upx
behavioral2/files/0x000a000000023b92-120.dat	upx
behavioral2/files/0x000a000000023b91-118.dat	upx
behavioral2/memory/184-104-0x00007FF7CC700000-0x00007FF7CCA51000-memory.dmp	upx
behavioral2/memory/1236-102-0x00007FF77BFF0000-0x00007FF77C341000-memory.dmp	upx
behavioral2/memory/1624-101-0x00007FF7E3760000-0x00007FF7E3AB1000-memory.dmp	upx
behavioral2/memory/3792-100-0x00007FF7FD820000-0x00007FF7FDB71000-memory.dmp	upx
behavioral2/memory/1228-97-0x00007FF7B2100000-0x00007FF7B2451000-memory.dmp	upx
behavioral2/files/0x000a000000023b8f-95.dat	upx
behavioral2/memory/5000-94-0x00007FF798A10000-0x00007FF798D61000-memory.dmp	upx
behavioral2/memory/4428-91-0x00007FF6424B0000-0x00007FF642801000-memory.dmp	upx
behavioral2/files/0x000a000000023b8e-89.dat	upx
behavioral2/files/0x000a000000023b8d-85.dat	upx
behavioral2/memory/3068-79-0x00007FF6D4BF0000-0x00007FF6D4F41000-memory.dmp	upx
behavioral2/memory/5008-71-0x00007FF781530000-0x00007FF781881000-memory.dmp	upx
behavioral2/files/0x000a000000023b89-66.dat	upx
behavioral2/memory/2148-62-0x00007FF7D7CC0000-0x00007FF7D8011000-memory.dmp	upx
behavioral2/memory/1240-61-0x00007FF798DB0000-0x00007FF799101000-memory.dmp	upx
behavioral2/files/0x000a000000023b86-54.dat	upx
behavioral2/files/0x000a000000023b87-50.dat	upx
behavioral2/memory/4716-47-0x00007FF7A1E70000-0x00007FF7A21C1000-memory.dmp	upx
behavioral2/files/0x000a000000023b85-46.dat	upx
behavioral2/files/0x000a000000023b88-52.dat	upx
behavioral2/files/0x000a000000023b83-33.dat	upx
behavioral2/memory/5060-21-0x00007FF7F9450000-0x00007FF7F97A1000-memory.dmp	upx
behavioral2/memory/2460-124-0x00007FF6E0F50000-0x00007FF6E12A1000-memory.dmp	upx
behavioral2/memory/5060-127-0x00007FF7F9450000-0x00007FF7F97A1000-memory.dmp	upx
behavioral2/memory/4460-126-0x00007FF7B3A70000-0x00007FF7B3DC1000-memory.dmp	upx
behavioral2/memory/1240-132-0x00007FF798DB0000-0x00007FF799101000-memory.dmp	upx
behavioral2/memory/4928-125-0x00007FF68C630000-0x00007FF68C981000-memory.dmp	upx
behavioral2/memory/548-129-0x00007FF625530000-0x00007FF625881000-memory.dmp	upx
behavioral2/memory/3428-144-0x00007FF75B240000-0x00007FF75B591000-memory.dmp	upx
behavioral2/memory/4000-148-0x00007FF7FB9E0000-0x00007FF7FBD31000-memory.dmp	upx
behavioral2/memory/3584-147-0x00007FF676650000-0x00007FF6769A1000-memory.dmp	upx
behavioral2/memory/2460-143-0x00007FF6E0F50000-0x00007FF6E12A1000-memory.dmp	upx
behavioral2/memory/4716-131-0x00007FF7A1E70000-0x00007FF7A21C1000-memory.dmp	upx
behavioral2/memory/4928-149-0x00007FF68C630000-0x00007FF68C981000-memory.dmp	upx
behavioral2/memory/4928-150-0x00007FF68C630000-0x00007FF68C981000-memory.dmp	upx
behavioral2/memory/4460-206-0x00007FF7B3A70000-0x00007FF7B3DC1000-memory.dmp	upx
behavioral2/memory/5060-208-0x00007FF7F9450000-0x00007FF7F97A1000-memory.dmp	upx
behavioral2/memory/5008-210-0x00007FF781530000-0x00007FF781881000-memory.dmp	upx
behavioral2/memory/548-212-0x00007FF625530000-0x00007FF625881000-memory.dmp	upx
behavioral2/memory/3068-231-0x00007FF6D4BF0000-0x00007FF6D4F41000-memory.dmp	upx
behavioral2/memory/4716-230-0x00007FF7A1E70000-0x00007FF7A21C1000-memory.dmp	upx
behavioral2/memory/2148-228-0x00007FF7D7CC0000-0x00007FF7D8011000-memory.dmp	upx
behavioral2/memory/1240-226-0x00007FF798DB0000-0x00007FF799101000-memory.dmp	upx
behavioral2/memory/1236-239-0x00007FF77BFF0000-0x00007FF77C341000-memory.dmp	upx
behavioral2/memory/3792-249-0x00007FF7FD820000-0x00007FF7FDB71000-memory.dmp	upx
behavioral2/memory/1624-248-0x00007FF7E3760000-0x00007FF7E3AB1000-memory.dmp	upx
behavioral2/memory/3512-246-0x00007FF69C350000-0x00007FF69C6A1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\RXZUmdj.exe	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aEhXMFa.exe	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fjgvjTl.exe	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RpbtXte.exe	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TKyxEIB.exe	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qMLOAyF.exe	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fCgGVpB.exe	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IOlYuCq.exe	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zrhMeyn.exe	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BXgjQyv.exe	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IUOEVAq.exe	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XsIONfp.exe	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RpQZibT.exe	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SnHMaBS.exe	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HSQVQdD.exe	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iVTgEMf.exe	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LjPikKH.exe	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hsrbOIv.exe	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\INogMBB.exe	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OEKrVMR.exe	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WbbvQBv.exe	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4928	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4928	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4928 wrote to memory of 4460	4928	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 4928 wrote to memory of 4460	4928	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 4928 wrote to memory of 5060	4928	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4928 wrote to memory of 5060	4928	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4928 wrote to memory of 5008	4928	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4928 wrote to memory of 5008	4928	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4928 wrote to memory of 548	4928	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4928 wrote to memory of 548	4928	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4928 wrote to memory of 3068	4928	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4928 wrote to memory of 3068	4928	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4928 wrote to memory of 4716	4928	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4928 wrote to memory of 4716	4928	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4928 wrote to memory of 1240	4928	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4928 wrote to memory of 1240	4928	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4928 wrote to memory of 4428	4928	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4928 wrote to memory of 4428	4928	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4928 wrote to memory of 2148	4928	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4928 wrote to memory of 2148	4928	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4928 wrote to memory of 2052	4928	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4928 wrote to memory of 2052	4928	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4928 wrote to memory of 5000	4928	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4928 wrote to memory of 5000	4928	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4928 wrote to memory of 3792	4928	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4928 wrote to memory of 3792	4928	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4928 wrote to memory of 1228	4928	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4928 wrote to memory of 1228	4928	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4928 wrote to memory of 1236	4928	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4928 wrote to memory of 1236	4928	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4928 wrote to memory of 1624	4928	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4928 wrote to memory of 1624	4928	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4928 wrote to memory of 3512	4928	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4928 wrote to memory of 3512	4928	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4928 wrote to memory of 184	4928	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4928 wrote to memory of 184	4928	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4928 wrote to memory of 2460	4928	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4928 wrote to memory of 2460	4928	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4928 wrote to memory of 3428	4928	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4928 wrote to memory of 3428	4928	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4928 wrote to memory of 3584	4928	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4928 wrote to memory of 3584	4928	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4928 wrote to memory of 4000	4928	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4928 wrote to memory of 4000	4928	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe	103

C:\Users\Admin\AppData\Local\Temp\2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4928
- C:\Windows\System\hsrbOIv.exe
  C:\Windows\System\hsrbOIv.exe
  2⤵
  - Executes dropped EXE
  PID:4460
- C:\Windows\System\qMLOAyF.exe
  C:\Windows\System\qMLOAyF.exe
  2⤵
  - Executes dropped EXE
  PID:5060
- C:\Windows\System\RXZUmdj.exe
  C:\Windows\System\RXZUmdj.exe
  2⤵
  - Executes dropped EXE
  PID:5008
- C:\Windows\System\INogMBB.exe
  C:\Windows\System\INogMBB.exe
  2⤵
  - Executes dropped EXE
  PID:548
- C:\Windows\System\BXgjQyv.exe
  C:\Windows\System\BXgjQyv.exe
  2⤵
  - Executes dropped EXE
  PID:3068
- C:\Windows\System\IUOEVAq.exe
  C:\Windows\System\IUOEVAq.exe
  2⤵
  - Executes dropped EXE
  PID:4716
- C:\Windows\System\OEKrVMR.exe
  C:\Windows\System\OEKrVMR.exe
  2⤵
  - Executes dropped EXE
  PID:1240
- C:\Windows\System\fCgGVpB.exe
  C:\Windows\System\fCgGVpB.exe
  2⤵
  - Executes dropped EXE
  PID:4428
- C:\Windows\System\aEhXMFa.exe
  C:\Windows\System\aEhXMFa.exe
  2⤵
  - Executes dropped EXE
  PID:2148
- C:\Windows\System\XsIONfp.exe
  C:\Windows\System\XsIONfp.exe
  2⤵
  - Executes dropped EXE
  PID:2052
- C:\Windows\System\WbbvQBv.exe
  C:\Windows\System\WbbvQBv.exe
  2⤵
  - Executes dropped EXE
  PID:5000
- C:\Windows\System\SnHMaBS.exe
  C:\Windows\System\SnHMaBS.exe
  2⤵
  - Executes dropped EXE
  PID:3792
- C:\Windows\System\HSQVQdD.exe
  C:\Windows\System\HSQVQdD.exe
  2⤵
  - Executes dropped EXE
  PID:1228
- C:\Windows\System\fjgvjTl.exe
  C:\Windows\System\fjgvjTl.exe
  2⤵
  - Executes dropped EXE
  PID:1236
- C:\Windows\System\RpbtXte.exe
  C:\Windows\System\RpbtXte.exe
  2⤵
  - Executes dropped EXE
  PID:1624
- C:\Windows\System\IOlYuCq.exe
  C:\Windows\System\IOlYuCq.exe
  2⤵
  - Executes dropped EXE
  PID:3512
- C:\Windows\System\zrhMeyn.exe
  C:\Windows\System\zrhMeyn.exe
  2⤵
  - Executes dropped EXE
  PID:184
- C:\Windows\System\iVTgEMf.exe
  C:\Windows\System\iVTgEMf.exe
  2⤵
  - Executes dropped EXE
  PID:2460
- C:\Windows\System\TKyxEIB.exe
  C:\Windows\System\TKyxEIB.exe
  2⤵
  - Executes dropped EXE
  PID:3428
- C:\Windows\System\RpQZibT.exe
  C:\Windows\System\RpQZibT.exe
  2⤵
  - Executes dropped EXE
  PID:3584
- C:\Windows\System\LjPikKH.exe
  C:\Windows\System\LjPikKH.exe
  2⤵
  - Executes dropped EXE
  PID:4000

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BXgjQyv.exe

Filesize
5.2MB

MD5
67c5aa507ca439227e51542826d3d3cf

SHA1
8d6429aef0945a61760e20f782fb28653893938f

SHA256
8ad237d251851896761526fabb401dcb590126d7488e75a51687e13331e9a33e

SHA512
b71f33ca4d0c45012e1414d054a40e566a1a7d1090fe679cdb1fda6c1efc2c9feea07248365f047d1397df982a4aed2ecf08daade7b0fdb3ba44a626cecac077

Download Submit
C:\Windows\System\HSQVQdD.exe

Filesize
5.2MB

MD5
14ff25e12d44db3e5b2126f2d2e6acb9

SHA1
f4d62b7de193591a0103c9f0074049baecd37ffd

SHA256
3148dac424ece42a8bdb0673e4aa707a87749c3a27fc56e18bd7cb051fb0acb1

SHA512
6606b8e621c32bc4e6eb1d524fb0da121929d42020e2eb22ab77c209cb131fb51e4aecb6af0c2b7e82e61579dd40519a5494038f3b1264475898b79fad6bd5ff

Download Submit
C:\Windows\System\INogMBB.exe

Filesize
5.2MB

MD5
407e26b270ab8b340458f05e9c11f23d

SHA1
fca2c9ad5c901312cfd8124709582d3af0702757

SHA256
3933c1ff665480a281c19722e46d9c159e0bc299c7390efc6fc38cf4d603f699

SHA512
fd2827e52c30b723f110745fe2a89fcd335963dcc82be1ef46976eaa052abc8e6d017bee88b1208e027b4dbfd27e6a0bdb7936d6c237d70557e8829ade8442c9

Download Submit
C:\Windows\System\IOlYuCq.exe

Filesize
5.2MB

MD5
3a7bc6b87cd648a9a83a3a7cd0dda0fe

SHA1
93a1909c44a7d48faff3418cab582358b61deb46

SHA256
fff680f37db852c6191442c4f4d21ae1684e8ef9003fb74df284cff33dd3129b

SHA512
e2b9f08fa2bb9d0bc3565cfd599dd517b145e39e7529776ca569ebb91ffe3a5e3de00b25f57db40637f88d882b276846eabaec087a2cd69a69ef1774fd64035a

Download Submit
C:\Windows\System\IUOEVAq.exe

Filesize
5.2MB

MD5
a31a8b9605d787ca619e3a5bb6afd824

SHA1
b0681fbb9b67e36b10317bf237421ff402d58c84

SHA256
e3f769902ec03bf3164e029a6fb0b0dab5e6f4c42e6593a942804a42de9c04b1

SHA512
434c83e62e0b4a7d6d2ac2c8fcf3fb4df12c0e9db9882694a1545968b2e87b746b96b0a8278400f353de051c8c9ecb34df3f449f5255e2bfa2a2a7d6b423aacc

Download Submit
C:\Windows\System\LjPikKH.exe

Filesize
5.2MB

MD5
d8d295b7fa51289001799107decec673

SHA1
4e3aefe019db729f5aedd0319bdf05e8e6d1aa6b

SHA256
24c19089c0a4cc9310a6bd547bee22dadd267273428c8b2432836ffa634dc8c1

SHA512
5edabde1026e1c6fc768ae408522cb112612c3737221ad1f758aad9ed287c219c7e414ce7ac704a8fff2aa739f6fe0752c3169baaa64fa81cfcb2919834aa6ca

Download Submit
C:\Windows\System\OEKrVMR.exe

Filesize
5.2MB

MD5
6bb43e329ac26b72a9c5512f30193db0

SHA1
d048ff0ce1de4c0b49e94111396ab263a7ed4bab

SHA256
3693731c89588802a8726c83f016a700645a6d7de3c7b34baa8b2611cd30567d

SHA512
0327073631fdd99dc07b6805f968e783a952ccb3ccec8e1183bb3a047eade0e1cd25137803886547d6a47ffd1cc92b0b3f4df4bf6634e1d5be28e8fd96d62b2c

Download Submit
C:\Windows\System\RXZUmdj.exe

Filesize
5.2MB

MD5
7f2b8a8f33c35a212f1b93285ab2cbd9

SHA1
c4a3615a60a1fc1b58664b8778fd4d3d32d21bb0

SHA256
6326ca143650dc7700410d95ea4dd50adc617f1e21b2af3077a8c11c1d3c5af0

SHA512
a25c0607cbe34380e378d35cdc51668279b47e266bfdb8caa048b4b54bdab366912345ece6d3cbf14c5da23afaa4c3f9c56aec836739d697e01a3b3b3989176b

Download Submit
C:\Windows\System\RpQZibT.exe

Filesize
5.2MB

MD5
c0fdc134b182c027a3f8511f67c83aad

SHA1
35e45721e029cbb1d63796cbaea41bcfe16968d4

SHA256
faf61a5f002633c1d91f122ba45965e516ff191825942dba3c70bb6b619fcef7

SHA512
03d79684953804a086a48d79aebdbe312e8900fca2d37aef7910800863a5b94ef486eb1972a0ed7ddc79c4f211447d7f28d524b0d0889c419169aca7b86509b6

Download Submit
C:\Windows\System\RpbtXte.exe

Filesize
5.2MB

MD5
cad89ac98f7cbbaa84c1d6220e29dbfd

SHA1
a2ad3042ff3187a272e3df392bcba9a30081be1b

SHA256
8061aacb423326970f21389bf285bd6aae115a1b852e75d3a1c496b6c03df4d3

SHA512
e8b5b415ce3ac6c938d0bb375464241a40a3d13fc7649e703182cd6d6dec0ef596cc98adc30a19b09dbdcab9af732b7cbe789145518fc77e0ffc115dfe7feefa

Download Submit
C:\Windows\System\SnHMaBS.exe

Filesize
5.2MB

MD5
9683507a5625ace5dcda221d27dde2d2

SHA1
f68cb43d62a9a6e88cf31ce3b43b2f6bc9b00892

SHA256
9cccc61aadd46c352b47a0ff6cd936901ef01a7d8a7a63fdd2050073bb9e7d93

SHA512
44e5afa83bf663e93fab49cdd1f78d4c3c9d3f90f8c200641c703d1b6dd71b776a2b78391bc89a7d11229fcca66e2bf198842a3cf022ad317f283fc26267a899

Download Submit
C:\Windows\System\TKyxEIB.exe

Filesize
5.2MB

MD5
85c85f88bffcd7ad794ef510565262fd

SHA1
63d5a87bcfeeff2e89ba35efab07aff310247314

SHA256
ad2f292a28fc86a7af9fb2da38ef64a42f27382d8fae7cc799c8c8e86bfb1bd7

SHA512
ca6d3d9bf1220f8966a6b4566659e9abcaf09fcdbb014cbc4708776eaf304bf298a1d14b083c1d945b026301dcd883d128a8bf5deab1709c53670d9955895262

Download Submit
C:\Windows\System\WbbvQBv.exe

Filesize
5.2MB

MD5
fa3db3247026bfcf3d93da2dc4dc8245

SHA1
0eb8d9ab7e07d1e2b4b1fba56d3a0b32915506bf

SHA256
3d5c55e69572a7c5f98dfd7a817fa93259160a2fec448b01a86bb79160b82ee3

SHA512
3d726e9ea3487e92f692bdb8f92ec7e7696b63ab0ee2583999194902180cf14c3db7725749406a971f283d2a4eae2cba5dbb4c771a12c49a3422f59f739faa2b

Download Submit
C:\Windows\System\XsIONfp.exe

Filesize
5.2MB

MD5
232ddc76c2d77fd55e9e4b1951945e20

SHA1
d109356613d616a2120556351abe1c6d5323086f

SHA256
1813e6add1138d22df4998634b27a4ffe971bc64930d6e38cc46ec455e23aa31

SHA512
6edcf7c55a0af4ce50ab5961783e976417f0061c271d70a5cb73b5556f62b6e7911d8174a603f944310653d2b41c891236f848d35d33144579f9b482b7f96009

Download Submit
C:\Windows\System\aEhXMFa.exe

Filesize
5.2MB

MD5
c2d2134fd830be81a6f153e357f2e6b4

SHA1
56966f990a6039754bb03848ffbeeac69f98fceb

SHA256
97acc669f04ddcaa03ea5562ff975ceecd659ef6c2f005d1b53b74d899b0d1a2

SHA512
db4d301d50535c9b7afa5f619cf248cf88a3d473bfd87e14c17275bcce47db65a6a8056f9dfd4716e8bba5084a656bcd65d6428da031d1225beaee66a29c3f4a

Download Submit
C:\Windows\System\fCgGVpB.exe

Filesize
5.2MB

MD5
12eb2fbf1dcd87d7f061060af08648cc

SHA1
55edb4712c991bad09bd8eff8b088cb843b52872

SHA256
168c5dfc8fcdfa1149fd0f478440f6829f6a9a8c109877ce03724bd79d856f0e

SHA512
78669fd983afe555e6fa196e501e3a91f468dea6f9c2138c95f170d52fa74afad71b8fe31c4d6eda669ae37119620fcf25fbe845ef7485ec7a95a98606081246

Download Submit
C:\Windows\System\fjgvjTl.exe

Filesize
5.2MB

MD5
1c9a632a81a098f852addcbd4193646c

SHA1
94b3e652b837c18bc8383715fedf12eac7899868

SHA256
cb12a0d1b5eb66e9979e49a4bc82b69f101704e8ffd38065a8a3951ab4095899

SHA512
95e398b211b3a29f6b9defbc30476a23d3a12299a6c404411c44eac3725d15e6a04489399348f17c151b4fa4dec90a83546c115af003b20ec22a517030b47ecf

Download Submit
C:\Windows\System\hsrbOIv.exe

Filesize
5.2MB

MD5
71a5226cac4420709c57555ea5984f5c

SHA1
31e96b2eb34fcd8aac9ad4bad35f939575f0efde

SHA256
1afea29453ecfdf52b2cc880f77837efcac8e5675824c4522ec721ffe7154af6

SHA512
e974918e9133c37fc29141110ae97b3f4a41548baab359364a8d2919addd70a918279bafe105415738abbf365269f8945bce6597ad27e95d019bdeef00d7df0f

Download Submit
C:\Windows\System\iVTgEMf.exe

Filesize
5.2MB

MD5
ffc1c59c1dcdb17f896d401c525cd977

SHA1
1bcd887a91e809cf0c5becad65d2995355416a6b

SHA256
7003ab7a7375a6771e0b391fb88174eddd14fb68488fea28326bd2dc1be8a1b5

SHA512
215e5563aa04984e0d5a782e8f6750a4102ff705dc3f3d8e5c73ec686d049fda13f9edd8ef30948de895482a28ec264ea84e94fdbfb4808fd783619a3dd99dd3

Download Submit
C:\Windows\System\qMLOAyF.exe

Filesize
5.2MB

MD5
24420c3fe4116dd1047f135c5607d75c

SHA1
39819d1fabd1d8b99bbd2d43e29d1310e45a983a

SHA256
03ae18024518249f12a93b9f33b1670ad78f0bc352ed74e3b488f5c962f6e087

SHA512
3eabf9295ffdeb8f809822d700a68f29085eb3670b7b5330da4513d50b40a31e1e98170c16fe6d621f00593cbfbc7ce675d4b7177724c48c48e8c174063050d4

Download Submit
C:\Windows\System\zrhMeyn.exe

Filesize
5.2MB

MD5
88bafcd4f34e85c30b1a2476823264f9

SHA1
c27b1c91302c14dc8a7099b665e0d8ca36dacb10

SHA256
5cd09fc0a518274703986b5a38943f661eeb8260d8fa53319e04409726c21555

SHA512
55dbb34861e017a97be224d56810a08f8cca1fe12419ca22bd950766a73596a90c165ad9a378068e9e57b225470338c4ee77db8ae8a100152824ca0e9fcb82bf

Download Submit
memory/184-104-0x00007FF7CC700000-0x00007FF7CCA51000-memory.dmp

Filesize
3.3MB

Download
memory/184-238-0x00007FF7CC700000-0x00007FF7CCA51000-memory.dmp

Filesize
3.3MB

Download
memory/548-27-0x00007FF625530000-0x00007FF625881000-memory.dmp

Filesize
3.3MB

Download
memory/548-129-0x00007FF625530000-0x00007FF625881000-memory.dmp

Filesize
3.3MB

Download
memory/548-212-0x00007FF625530000-0x00007FF625881000-memory.dmp

Filesize
3.3MB

Download
memory/1228-241-0x00007FF7B2100000-0x00007FF7B2451000-memory.dmp

Filesize
3.3MB

Download
memory/1228-97-0x00007FF7B2100000-0x00007FF7B2451000-memory.dmp

Filesize
3.3MB

Download
memory/1236-239-0x00007FF77BFF0000-0x00007FF77C341000-memory.dmp

Filesize
3.3MB

Download
memory/1236-102-0x00007FF77BFF0000-0x00007FF77C341000-memory.dmp

Filesize
3.3MB

Download
memory/1240-226-0x00007FF798DB0000-0x00007FF799101000-memory.dmp

Filesize
3.3MB

Download
memory/1240-61-0x00007FF798DB0000-0x00007FF799101000-memory.dmp

Filesize
3.3MB

Download
memory/1240-132-0x00007FF798DB0000-0x00007FF799101000-memory.dmp

Filesize
3.3MB

Download
memory/1624-101-0x00007FF7E3760000-0x00007FF7E3AB1000-memory.dmp

Filesize
3.3MB

Download
memory/1624-248-0x00007FF7E3760000-0x00007FF7E3AB1000-memory.dmp

Filesize
3.3MB

Download
memory/2052-93-0x00007FF729690000-0x00007FF7299E1000-memory.dmp

Filesize
3.3MB

Download
memory/2052-235-0x00007FF729690000-0x00007FF7299E1000-memory.dmp

Filesize
3.3MB

Download
memory/2148-228-0x00007FF7D7CC0000-0x00007FF7D8011000-memory.dmp

Filesize
3.3MB

Download
memory/2148-62-0x00007FF7D7CC0000-0x00007FF7D8011000-memory.dmp

Filesize
3.3MB

Download
memory/2460-124-0x00007FF6E0F50000-0x00007FF6E12A1000-memory.dmp

Filesize
3.3MB

Download
memory/2460-256-0x00007FF6E0F50000-0x00007FF6E12A1000-memory.dmp

Filesize
3.3MB

Download
memory/2460-143-0x00007FF6E0F50000-0x00007FF6E12A1000-memory.dmp

Filesize
3.3MB

Download
memory/3068-231-0x00007FF6D4BF0000-0x00007FF6D4F41000-memory.dmp

Filesize
3.3MB

Download
memory/3068-79-0x00007FF6D4BF0000-0x00007FF6D4F41000-memory.dmp

Filesize
3.3MB

Download
memory/3428-144-0x00007FF75B240000-0x00007FF75B591000-memory.dmp

Filesize
3.3MB

Download
memory/3428-255-0x00007FF75B240000-0x00007FF75B591000-memory.dmp

Filesize
3.3MB

Download
memory/3512-103-0x00007FF69C350000-0x00007FF69C6A1000-memory.dmp

Filesize
3.3MB

Download
memory/3512-246-0x00007FF69C350000-0x00007FF69C6A1000-memory.dmp

Filesize
3.3MB

Download
memory/3584-257-0x00007FF676650000-0x00007FF6769A1000-memory.dmp

Filesize
3.3MB

Download
memory/3584-147-0x00007FF676650000-0x00007FF6769A1000-memory.dmp

Filesize
3.3MB

Download
memory/3792-249-0x00007FF7FD820000-0x00007FF7FDB71000-memory.dmp

Filesize
3.3MB

Download
memory/3792-100-0x00007FF7FD820000-0x00007FF7FDB71000-memory.dmp

Filesize
3.3MB

Download
memory/4000-253-0x00007FF7FB9E0000-0x00007FF7FBD31000-memory.dmp

Filesize
3.3MB

Download
memory/4000-148-0x00007FF7FB9E0000-0x00007FF7FBD31000-memory.dmp

Filesize
3.3MB

Download
memory/4428-91-0x00007FF6424B0000-0x00007FF642801000-memory.dmp

Filesize
3.3MB

Download
memory/4428-244-0x00007FF6424B0000-0x00007FF642801000-memory.dmp

Filesize
3.3MB

Download
memory/4460-206-0x00007FF7B3A70000-0x00007FF7B3DC1000-memory.dmp

Filesize
3.3MB

Download
memory/4460-7-0x00007FF7B3A70000-0x00007FF7B3DC1000-memory.dmp

Filesize
3.3MB

Download
memory/4460-126-0x00007FF7B3A70000-0x00007FF7B3DC1000-memory.dmp

Filesize
3.3MB

Download
memory/4716-47-0x00007FF7A1E70000-0x00007FF7A21C1000-memory.dmp

Filesize
3.3MB

Download
memory/4716-131-0x00007FF7A1E70000-0x00007FF7A21C1000-memory.dmp

Filesize
3.3MB

Download
memory/4716-230-0x00007FF7A1E70000-0x00007FF7A21C1000-memory.dmp

Filesize
3.3MB

Download
memory/4928-1-0x0000018AE69D0000-0x0000018AE69E0000-memory.dmp

Filesize
64KB

Download
memory/4928-150-0x00007FF68C630000-0x00007FF68C981000-memory.dmp

Filesize
3.3MB

Download
memory/4928-149-0x00007FF68C630000-0x00007FF68C981000-memory.dmp

Filesize
3.3MB

Download
memory/4928-0-0x00007FF68C630000-0x00007FF68C981000-memory.dmp

Filesize
3.3MB

Download
memory/4928-125-0x00007FF68C630000-0x00007FF68C981000-memory.dmp

Filesize
3.3MB

Download
memory/5000-94-0x00007FF798A10000-0x00007FF798D61000-memory.dmp

Filesize
3.3MB

Download
memory/5000-234-0x00007FF798A10000-0x00007FF798D61000-memory.dmp

Filesize
3.3MB

Download
memory/5008-210-0x00007FF781530000-0x00007FF781881000-memory.dmp

Filesize
3.3MB

Download
memory/5008-71-0x00007FF781530000-0x00007FF781881000-memory.dmp

Filesize
3.3MB

Download
memory/5060-127-0x00007FF7F9450000-0x00007FF7F97A1000-memory.dmp

Filesize
3.3MB

Download
memory/5060-21-0x00007FF7F9450000-0x00007FF7F97A1000-memory.dmp

Filesize
3.3MB

Download
memory/5060-208-0x00007FF7F9450000-0x00007FF7F97A1000-memory.dmp

Filesize
3.3MB

Download