cobaltstrike | 96f84bd161b23a5f89147e3d49763d5c2368094d9f686509774b25181126b05e

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-12-2024 12:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-17_5bc094c13b7c1efce25cd8c1b7aad886_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

5bc094c13b7c1efce25cd8c1b7aad886
SHA1

87c6109dd98611a20fdab3fcfb5a2e1cea6d6fa4
SHA256

96f84bd161b23a5f89147e3d49763d5c2368094d9f686509774b25181126b05e
SHA512

96b137509f8c0169c5bfa91527fd0a044f3a6595f9beb35267c0e4d1b4f5ce8be5208448db1d7311a32f9b6f3a9d80785f5cd9d7a0aaad7e478a645c4a9d558c
SSDEEP

49152:ROdWCCi7/raN56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6ly:RWWBib+56utgpPFotBER/mQ32lU2

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000c000000023b47-6.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b60-11.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b5f-12.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b61-23.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b62-29.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b63-34.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b65-44.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b64-41.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b66-53.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b67-57.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b68-65.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b69-68.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b6e-102.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b5c-119.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b71-131.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b6f-125.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b70-122.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b6d-106.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b6c-97.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b6b-93.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b6a-84.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 46 IoCs

miner

resource	yara_rule
behavioral2/memory/2892-40-0x00007FF665A40000-0x00007FF665D91000-memory.dmp	xmrig
behavioral2/memory/3980-91-0x00007FF6178B0000-0x00007FF617C01000-memory.dmp	xmrig
behavioral2/memory/1616-132-0x00007FF7BD6E0000-0x00007FF7BDA31000-memory.dmp	xmrig
behavioral2/memory/1136-130-0x00007FF783960000-0x00007FF783CB1000-memory.dmp	xmrig
behavioral2/memory/1988-129-0x00007FF6AF020000-0x00007FF6AF371000-memory.dmp	xmrig
behavioral2/memory/4072-126-0x00007FF747800000-0x00007FF747B51000-memory.dmp	xmrig
behavioral2/memory/1716-117-0x00007FF6E16D0000-0x00007FF6E1A21000-memory.dmp	xmrig
behavioral2/memory/3216-111-0x00007FF713A30000-0x00007FF713D81000-memory.dmp	xmrig
behavioral2/memory/2372-105-0x00007FF656200000-0x00007FF656551000-memory.dmp	xmrig
behavioral2/memory/2284-98-0x00007FF7FEFD0000-0x00007FF7FF321000-memory.dmp	xmrig
behavioral2/memory/2012-76-0x00007FF7B9460000-0x00007FF7B97B1000-memory.dmp	xmrig
behavioral2/memory/2156-74-0x00007FF679F20000-0x00007FF67A271000-memory.dmp	xmrig
behavioral2/memory/4520-61-0x00007FF7D0F50000-0x00007FF7D12A1000-memory.dmp	xmrig
behavioral2/memory/2112-136-0x00007FF722630000-0x00007FF722981000-memory.dmp	xmrig
behavioral2/memory/4088-139-0x00007FF60D750000-0x00007FF60DAA1000-memory.dmp	xmrig
behavioral2/memory/4776-138-0x00007FF600C00000-0x00007FF600F51000-memory.dmp	xmrig
behavioral2/memory/2140-137-0x00007FF6B2B00000-0x00007FF6B2E51000-memory.dmp	xmrig
behavioral2/memory/3456-140-0x00007FF67DF20000-0x00007FF67E271000-memory.dmp	xmrig
behavioral2/memory/1992-141-0x00007FF6E8C20000-0x00007FF6E8F71000-memory.dmp	xmrig
behavioral2/memory/3736-142-0x00007FF6814A0000-0x00007FF6817F1000-memory.dmp	xmrig
behavioral2/memory/1348-146-0x00007FF765450000-0x00007FF7657A1000-memory.dmp	xmrig
behavioral2/memory/4520-143-0x00007FF7D0F50000-0x00007FF7D12A1000-memory.dmp	xmrig
behavioral2/memory/1988-164-0x00007FF6AF020000-0x00007FF6AF371000-memory.dmp	xmrig
behavioral2/memory/2516-166-0x00007FF6C9A30000-0x00007FF6C9D81000-memory.dmp	xmrig
behavioral2/memory/4520-167-0x00007FF7D0F50000-0x00007FF7D12A1000-memory.dmp	xmrig
behavioral2/memory/2156-220-0x00007FF679F20000-0x00007FF67A271000-memory.dmp	xmrig
behavioral2/memory/3980-222-0x00007FF6178B0000-0x00007FF617C01000-memory.dmp	xmrig
behavioral2/memory/2372-224-0x00007FF656200000-0x00007FF656551000-memory.dmp	xmrig
behavioral2/memory/3216-226-0x00007FF713A30000-0x00007FF713D81000-memory.dmp	xmrig
behavioral2/memory/4072-228-0x00007FF747800000-0x00007FF747B51000-memory.dmp	xmrig
behavioral2/memory/2892-230-0x00007FF665A40000-0x00007FF665D91000-memory.dmp	xmrig
behavioral2/memory/1716-246-0x00007FF6E16D0000-0x00007FF6E1A21000-memory.dmp	xmrig
behavioral2/memory/1616-248-0x00007FF7BD6E0000-0x00007FF7BDA31000-memory.dmp	xmrig
behavioral2/memory/2140-250-0x00007FF6B2B00000-0x00007FF6B2E51000-memory.dmp	xmrig
behavioral2/memory/2012-253-0x00007FF7B9460000-0x00007FF7B97B1000-memory.dmp	xmrig
behavioral2/memory/2112-254-0x00007FF722630000-0x00007FF722981000-memory.dmp	xmrig
behavioral2/memory/4776-257-0x00007FF600C00000-0x00007FF600F51000-memory.dmp	xmrig
behavioral2/memory/2284-258-0x00007FF7FEFD0000-0x00007FF7FF321000-memory.dmp	xmrig
behavioral2/memory/4088-260-0x00007FF60D750000-0x00007FF60DAA1000-memory.dmp	xmrig
behavioral2/memory/3456-264-0x00007FF67DF20000-0x00007FF67E271000-memory.dmp	xmrig
behavioral2/memory/1992-263-0x00007FF6E8C20000-0x00007FF6E8F71000-memory.dmp	xmrig
behavioral2/memory/1348-267-0x00007FF765450000-0x00007FF7657A1000-memory.dmp	xmrig
behavioral2/memory/3736-272-0x00007FF6814A0000-0x00007FF6817F1000-memory.dmp	xmrig
behavioral2/memory/2516-274-0x00007FF6C9A30000-0x00007FF6C9D81000-memory.dmp	xmrig
behavioral2/memory/1136-271-0x00007FF783960000-0x00007FF783CB1000-memory.dmp	xmrig
behavioral2/memory/1988-269-0x00007FF6AF020000-0x00007FF6AF371000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2156	HufBdez.exe
3980	adnSfkP.exe
2372	hUTBYpK.exe
3216	IIYJMki.exe
4072	PxJAMEE.exe
2892	NofmtWb.exe
1716	PTjRoFk.exe
1616	wqJWSxS.exe
2112	RqEYYVn.exe
2140	yKeWFyf.exe
2012	DxciWyk.exe
4776	wyJKJyY.exe
2284	KcumfmH.exe
4088	wvHsclO.exe
3456	AdKcIng.exe
1992	aLWrglm.exe
1348	dvISOkq.exe
3736	hLsgZSh.exe
1988	ybtnfxp.exe
1136	FfTxwEf.exe
2516	lwuSblC.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4520-0-0x00007FF7D0F50000-0x00007FF7D12A1000-memory.dmp	upx
behavioral2/files/0x000c000000023b47-6.dat	upx
behavioral2/files/0x000a000000023b60-11.dat	upx
behavioral2/files/0x000a000000023b5f-12.dat	upx
behavioral2/memory/3980-14-0x00007FF6178B0000-0x00007FF617C01000-memory.dmp	upx
behavioral2/memory/2156-8-0x00007FF679F20000-0x00007FF67A271000-memory.dmp	upx
behavioral2/memory/2372-20-0x00007FF656200000-0x00007FF656551000-memory.dmp	upx
behavioral2/files/0x000a000000023b61-23.dat	upx
behavioral2/files/0x000a000000023b62-29.dat	upx
behavioral2/files/0x000a000000023b63-34.dat	upx
behavioral2/memory/2892-40-0x00007FF665A40000-0x00007FF665D91000-memory.dmp	upx
behavioral2/files/0x000a000000023b65-44.dat	upx
behavioral2/files/0x000a000000023b64-41.dat	upx
behavioral2/memory/1716-45-0x00007FF6E16D0000-0x00007FF6E1A21000-memory.dmp	upx
behavioral2/files/0x000a000000023b66-53.dat	upx
behavioral2/files/0x000a000000023b67-57.dat	upx
behavioral2/files/0x000a000000023b68-65.dat	upx
behavioral2/files/0x000a000000023b69-68.dat	upx
behavioral2/memory/3980-91-0x00007FF6178B0000-0x00007FF617C01000-memory.dmp	upx
behavioral2/files/0x000a000000023b6e-102.dat	upx
behavioral2/memory/1992-107-0x00007FF6E8C20000-0x00007FF6E8F71000-memory.dmp	upx
behavioral2/files/0x000b000000023b5c-119.dat	upx
behavioral2/files/0x000a000000023b71-131.dat	upx
behavioral2/memory/2516-133-0x00007FF6C9A30000-0x00007FF6C9D81000-memory.dmp	upx
behavioral2/memory/1616-132-0x00007FF7BD6E0000-0x00007FF7BDA31000-memory.dmp	upx
behavioral2/memory/1136-130-0x00007FF783960000-0x00007FF783CB1000-memory.dmp	upx
behavioral2/memory/1988-129-0x00007FF6AF020000-0x00007FF6AF371000-memory.dmp	upx
behavioral2/memory/4072-126-0x00007FF747800000-0x00007FF747B51000-memory.dmp	upx
behavioral2/files/0x000a000000023b6f-125.dat	upx
behavioral2/files/0x000a000000023b70-122.dat	upx
behavioral2/memory/1716-117-0x00007FF6E16D0000-0x00007FF6E1A21000-memory.dmp	upx
behavioral2/memory/3216-111-0x00007FF713A30000-0x00007FF713D81000-memory.dmp	upx
behavioral2/memory/1348-110-0x00007FF765450000-0x00007FF7657A1000-memory.dmp	upx
behavioral2/memory/3736-109-0x00007FF6814A0000-0x00007FF6817F1000-memory.dmp	upx
behavioral2/files/0x000a000000023b6d-106.dat	upx
behavioral2/memory/2372-105-0x00007FF656200000-0x00007FF656551000-memory.dmp	upx
behavioral2/memory/3456-99-0x00007FF67DF20000-0x00007FF67E271000-memory.dmp	upx
behavioral2/memory/2284-98-0x00007FF7FEFD0000-0x00007FF7FF321000-memory.dmp	upx
behavioral2/files/0x000a000000023b6c-97.dat	upx
behavioral2/files/0x000a000000023b6b-93.dat	upx
behavioral2/files/0x000a000000023b6a-84.dat	upx
behavioral2/memory/4776-82-0x00007FF600C00000-0x00007FF600F51000-memory.dmp	upx
behavioral2/memory/4088-90-0x00007FF60D750000-0x00007FF60DAA1000-memory.dmp	upx
behavioral2/memory/2012-76-0x00007FF7B9460000-0x00007FF7B97B1000-memory.dmp	upx
behavioral2/memory/2156-74-0x00007FF679F20000-0x00007FF67A271000-memory.dmp	upx
behavioral2/memory/2140-62-0x00007FF6B2B00000-0x00007FF6B2E51000-memory.dmp	upx
behavioral2/memory/4520-61-0x00007FF7D0F50000-0x00007FF7D12A1000-memory.dmp	upx
behavioral2/memory/2112-56-0x00007FF722630000-0x00007FF722981000-memory.dmp	upx
behavioral2/memory/1616-55-0x00007FF7BD6E0000-0x00007FF7BDA31000-memory.dmp	upx
behavioral2/memory/4072-30-0x00007FF747800000-0x00007FF747B51000-memory.dmp	upx
behavioral2/memory/3216-24-0x00007FF713A30000-0x00007FF713D81000-memory.dmp	upx
behavioral2/memory/2112-136-0x00007FF722630000-0x00007FF722981000-memory.dmp	upx
behavioral2/memory/4088-139-0x00007FF60D750000-0x00007FF60DAA1000-memory.dmp	upx
behavioral2/memory/4776-138-0x00007FF600C00000-0x00007FF600F51000-memory.dmp	upx
behavioral2/memory/2140-137-0x00007FF6B2B00000-0x00007FF6B2E51000-memory.dmp	upx
behavioral2/memory/3456-140-0x00007FF67DF20000-0x00007FF67E271000-memory.dmp	upx
behavioral2/memory/1992-141-0x00007FF6E8C20000-0x00007FF6E8F71000-memory.dmp	upx
behavioral2/memory/3736-142-0x00007FF6814A0000-0x00007FF6817F1000-memory.dmp	upx
behavioral2/memory/1348-146-0x00007FF765450000-0x00007FF7657A1000-memory.dmp	upx
behavioral2/memory/4520-143-0x00007FF7D0F50000-0x00007FF7D12A1000-memory.dmp	upx
behavioral2/memory/1988-164-0x00007FF6AF020000-0x00007FF6AF371000-memory.dmp	upx
behavioral2/memory/2516-166-0x00007FF6C9A30000-0x00007FF6C9D81000-memory.dmp	upx
behavioral2/memory/4520-167-0x00007FF7D0F50000-0x00007FF7D12A1000-memory.dmp	upx
behavioral2/memory/2156-220-0x00007FF679F20000-0x00007FF67A271000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\ybtnfxp.exe	2024-12-17_5bc094c13b7c1efce25cd8c1b7aad886_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lwuSblC.exe	2024-12-17_5bc094c13b7c1efce25cd8c1b7aad886_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PTjRoFk.exe	2024-12-17_5bc094c13b7c1efce25cd8c1b7aad886_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RqEYYVn.exe	2024-12-17_5bc094c13b7c1efce25cd8c1b7aad886_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DxciWyk.exe	2024-12-17_5bc094c13b7c1efce25cd8c1b7aad886_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wvHsclO.exe	2024-12-17_5bc094c13b7c1efce25cd8c1b7aad886_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PxJAMEE.exe	2024-12-17_5bc094c13b7c1efce25cd8c1b7aad886_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yKeWFyf.exe	2024-12-17_5bc094c13b7c1efce25cd8c1b7aad886_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AdKcIng.exe	2024-12-17_5bc094c13b7c1efce25cd8c1b7aad886_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KcumfmH.exe	2024-12-17_5bc094c13b7c1efce25cd8c1b7aad886_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aLWrglm.exe	2024-12-17_5bc094c13b7c1efce25cd8c1b7aad886_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dvISOkq.exe	2024-12-17_5bc094c13b7c1efce25cd8c1b7aad886_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hLsgZSh.exe	2024-12-17_5bc094c13b7c1efce25cd8c1b7aad886_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HufBdez.exe	2024-12-17_5bc094c13b7c1efce25cd8c1b7aad886_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hUTBYpK.exe	2024-12-17_5bc094c13b7c1efce25cd8c1b7aad886_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IIYJMki.exe	2024-12-17_5bc094c13b7c1efce25cd8c1b7aad886_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NofmtWb.exe	2024-12-17_5bc094c13b7c1efce25cd8c1b7aad886_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FfTxwEf.exe	2024-12-17_5bc094c13b7c1efce25cd8c1b7aad886_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\adnSfkP.exe	2024-12-17_5bc094c13b7c1efce25cd8c1b7aad886_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wqJWSxS.exe	2024-12-17_5bc094c13b7c1efce25cd8c1b7aad886_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wyJKJyY.exe	2024-12-17_5bc094c13b7c1efce25cd8c1b7aad886_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4520	2024-12-17_5bc094c13b7c1efce25cd8c1b7aad886_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4520	2024-12-17_5bc094c13b7c1efce25cd8c1b7aad886_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4520 wrote to memory of 2156	4520	2024-12-17_5bc094c13b7c1efce25cd8c1b7aad886_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 4520 wrote to memory of 2156	4520	2024-12-17_5bc094c13b7c1efce25cd8c1b7aad886_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 4520 wrote to memory of 3980	4520	2024-12-17_5bc094c13b7c1efce25cd8c1b7aad886_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4520 wrote to memory of 3980	4520	2024-12-17_5bc094c13b7c1efce25cd8c1b7aad886_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4520 wrote to memory of 2372	4520	2024-12-17_5bc094c13b7c1efce25cd8c1b7aad886_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4520 wrote to memory of 2372	4520	2024-12-17_5bc094c13b7c1efce25cd8c1b7aad886_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4520 wrote to memory of 3216	4520	2024-12-17_5bc094c13b7c1efce25cd8c1b7aad886_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4520 wrote to memory of 3216	4520	2024-12-17_5bc094c13b7c1efce25cd8c1b7aad886_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4520 wrote to memory of 4072	4520	2024-12-17_5bc094c13b7c1efce25cd8c1b7aad886_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4520 wrote to memory of 4072	4520	2024-12-17_5bc094c13b7c1efce25cd8c1b7aad886_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4520 wrote to memory of 2892	4520	2024-12-17_5bc094c13b7c1efce25cd8c1b7aad886_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4520 wrote to memory of 2892	4520	2024-12-17_5bc094c13b7c1efce25cd8c1b7aad886_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4520 wrote to memory of 1716	4520	2024-12-17_5bc094c13b7c1efce25cd8c1b7aad886_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4520 wrote to memory of 1716	4520	2024-12-17_5bc094c13b7c1efce25cd8c1b7aad886_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4520 wrote to memory of 1616	4520	2024-12-17_5bc094c13b7c1efce25cd8c1b7aad886_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4520 wrote to memory of 1616	4520	2024-12-17_5bc094c13b7c1efce25cd8c1b7aad886_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4520 wrote to memory of 2112	4520	2024-12-17_5bc094c13b7c1efce25cd8c1b7aad886_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4520 wrote to memory of 2112	4520	2024-12-17_5bc094c13b7c1efce25cd8c1b7aad886_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4520 wrote to memory of 2140	4520	2024-12-17_5bc094c13b7c1efce25cd8c1b7aad886_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4520 wrote to memory of 2140	4520	2024-12-17_5bc094c13b7c1efce25cd8c1b7aad886_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4520 wrote to memory of 2012	4520	2024-12-17_5bc094c13b7c1efce25cd8c1b7aad886_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4520 wrote to memory of 2012	4520	2024-12-17_5bc094c13b7c1efce25cd8c1b7aad886_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4520 wrote to memory of 4776	4520	2024-12-17_5bc094c13b7c1efce25cd8c1b7aad886_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4520 wrote to memory of 4776	4520	2024-12-17_5bc094c13b7c1efce25cd8c1b7aad886_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4520 wrote to memory of 2284	4520	2024-12-17_5bc094c13b7c1efce25cd8c1b7aad886_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4520 wrote to memory of 2284	4520	2024-12-17_5bc094c13b7c1efce25cd8c1b7aad886_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4520 wrote to memory of 4088	4520	2024-12-17_5bc094c13b7c1efce25cd8c1b7aad886_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4520 wrote to memory of 4088	4520	2024-12-17_5bc094c13b7c1efce25cd8c1b7aad886_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4520 wrote to memory of 3456	4520	2024-12-17_5bc094c13b7c1efce25cd8c1b7aad886_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4520 wrote to memory of 3456	4520	2024-12-17_5bc094c13b7c1efce25cd8c1b7aad886_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4520 wrote to memory of 1992	4520	2024-12-17_5bc094c13b7c1efce25cd8c1b7aad886_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4520 wrote to memory of 1992	4520	2024-12-17_5bc094c13b7c1efce25cd8c1b7aad886_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4520 wrote to memory of 1348	4520	2024-12-17_5bc094c13b7c1efce25cd8c1b7aad886_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4520 wrote to memory of 1348	4520	2024-12-17_5bc094c13b7c1efce25cd8c1b7aad886_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4520 wrote to memory of 3736	4520	2024-12-17_5bc094c13b7c1efce25cd8c1b7aad886_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4520 wrote to memory of 3736	4520	2024-12-17_5bc094c13b7c1efce25cd8c1b7aad886_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4520 wrote to memory of 1988	4520	2024-12-17_5bc094c13b7c1efce25cd8c1b7aad886_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4520 wrote to memory of 1988	4520	2024-12-17_5bc094c13b7c1efce25cd8c1b7aad886_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4520 wrote to memory of 1136	4520	2024-12-17_5bc094c13b7c1efce25cd8c1b7aad886_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4520 wrote to memory of 1136	4520	2024-12-17_5bc094c13b7c1efce25cd8c1b7aad886_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4520 wrote to memory of 2516	4520	2024-12-17_5bc094c13b7c1efce25cd8c1b7aad886_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4520 wrote to memory of 2516	4520	2024-12-17_5bc094c13b7c1efce25cd8c1b7aad886_cobalt-strike_cobaltstrike_poet-rat.exe	103

C:\Users\Admin\AppData\Local\Temp\2024-12-17_5bc094c13b7c1efce25cd8c1b7aad886_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-17_5bc094c13b7c1efce25cd8c1b7aad886_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4520
- C:\Windows\System\HufBdez.exe
  C:\Windows\System\HufBdez.exe
  2⤵
  - Executes dropped EXE
  PID:2156
- C:\Windows\System\adnSfkP.exe
  C:\Windows\System\adnSfkP.exe
  2⤵
  - Executes dropped EXE
  PID:3980
- C:\Windows\System\hUTBYpK.exe
  C:\Windows\System\hUTBYpK.exe
  2⤵
  - Executes dropped EXE
  PID:2372
- C:\Windows\System\IIYJMki.exe
  C:\Windows\System\IIYJMki.exe
  2⤵
  - Executes dropped EXE
  PID:3216
- C:\Windows\System\PxJAMEE.exe
  C:\Windows\System\PxJAMEE.exe
  2⤵
  - Executes dropped EXE
  PID:4072
- C:\Windows\System\NofmtWb.exe
  C:\Windows\System\NofmtWb.exe
  2⤵
  - Executes dropped EXE
  PID:2892
- C:\Windows\System\PTjRoFk.exe
  C:\Windows\System\PTjRoFk.exe
  2⤵
  - Executes dropped EXE
  PID:1716
- C:\Windows\System\wqJWSxS.exe
  C:\Windows\System\wqJWSxS.exe
  2⤵
  - Executes dropped EXE
  PID:1616
- C:\Windows\System\RqEYYVn.exe
  C:\Windows\System\RqEYYVn.exe
  2⤵
  - Executes dropped EXE
  PID:2112
- C:\Windows\System\yKeWFyf.exe
  C:\Windows\System\yKeWFyf.exe
  2⤵
  - Executes dropped EXE
  PID:2140
- C:\Windows\System\DxciWyk.exe
  C:\Windows\System\DxciWyk.exe
  2⤵
  - Executes dropped EXE
  PID:2012
- C:\Windows\System\wyJKJyY.exe
  C:\Windows\System\wyJKJyY.exe
  2⤵
  - Executes dropped EXE
  PID:4776
- C:\Windows\System\KcumfmH.exe
  C:\Windows\System\KcumfmH.exe
  2⤵
  - Executes dropped EXE
  PID:2284
- C:\Windows\System\wvHsclO.exe
  C:\Windows\System\wvHsclO.exe
  2⤵
  - Executes dropped EXE
  PID:4088
- C:\Windows\System\AdKcIng.exe
  C:\Windows\System\AdKcIng.exe
  2⤵
  - Executes dropped EXE
  PID:3456
- C:\Windows\System\aLWrglm.exe
  C:\Windows\System\aLWrglm.exe
  2⤵
  - Executes dropped EXE
  PID:1992
- C:\Windows\System\dvISOkq.exe
  C:\Windows\System\dvISOkq.exe
  2⤵
  - Executes dropped EXE
  PID:1348
- C:\Windows\System\hLsgZSh.exe
  C:\Windows\System\hLsgZSh.exe
  2⤵
  - Executes dropped EXE
  PID:3736
- C:\Windows\System\ybtnfxp.exe
  C:\Windows\System\ybtnfxp.exe
  2⤵
  - Executes dropped EXE
  PID:1988
- C:\Windows\System\FfTxwEf.exe
  C:\Windows\System\FfTxwEf.exe
  2⤵
  - Executes dropped EXE
  PID:1136
- C:\Windows\System\lwuSblC.exe
  C:\Windows\System\lwuSblC.exe
  2⤵
  - Executes dropped EXE
  PID:2516

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AdKcIng.exe

Filesize
5.2MB

MD5
1491b0916e4f77abfc4a12dc0e4f8556

SHA1
05e5f8d6264b9567346572b6d2a84700c1aa6a70

SHA256
cd56288312b98624be3ae5a8bd670d92ef01293ffe72ed7ab53360e252026c39

SHA512
7955b4a70545ed5d48730c728e0796f9e8bc33a30f405b01ca25f15259b39e35a22549519c3079dc2d8b37e81aaaa8b738a4dcb9a0602835700f7f6e32ab64eb

Download Submit
C:\Windows\System\DxciWyk.exe

Filesize
5.2MB

MD5
f8779fa2457535e36e2a71a444a6d0e6

SHA1
4589ffdce82cb112717694c27a4e359791ecf329

SHA256
17d2df93eec86570fb9498a9c63daa164cee5c7709b0b9e0df2ace7039015c90

SHA512
991b48609e9cd0adbac97c7c1b770436c19514086e71af09f13da53732c6604ab57148bcd1ed345138f544cfcf25b66f3094b67f1f752e00566d0bddc86f50a9

Download Submit
C:\Windows\System\FfTxwEf.exe

Filesize
5.2MB

MD5
7ba48fbf821a4df9c36d0a35ecf86961

SHA1
42a8825745f4b51e6464c91304b7407e6b3c4922

SHA256
5a2b8c673e7138f627edda6c7972048c37b1f734e169e9a6cfefc271680d7a40

SHA512
8237af693fa2f65188ca00b4fa0e625b1fafcbc762816d8f91e4b700042133562d8063032fe149bb2e1b3dcdd4bddc1cf9bbc3b40d9179a80fab7c6d1f0705e5

Download Submit
C:\Windows\System\HufBdez.exe

Filesize
5.2MB

MD5
e458019b9f0ca6e98f51990e16e6de4d

SHA1
99c8f93dabc12de95299d769fc656d65ade5549e

SHA256
8f65f27712000e9cfc751ad430541503d35ec4ba5cc984792fea6c1d1ea36795

SHA512
81c118ce1f877e9681f6755ef4264069e285f7f99cec45b667d66ccac4a13ea80725822de86798a617f80d358a1e3fc19dea0e7f56b4901d139f58959dd2fa10

Download Submit
C:\Windows\System\IIYJMki.exe

Filesize
5.2MB

MD5
e2f7e6cbc90df02ae8bf8fd562552161

SHA1
cd1f0557cc960ffa1eb7c947b5657b5bec0cc9d8

SHA256
e7bc969a3331cdad1dedf7f97fd218084c195abace7ac6a3b9364577dd9d5d1e

SHA512
cc395bfbd61514f4c11579726827fff502be3afcac72d5b7bdedcd424e5809673fdf9dfae944c31b0367082e17ddec791a3b18462ff44c522cdae59e8aea0891

Download Submit
C:\Windows\System\KcumfmH.exe

Filesize
5.2MB

MD5
b98baa7c52902db317c90e9d5d6f4c85

SHA1
c6e778bdbf8ab5b0c2c1d342e9a3425821a3313d

SHA256
c86f2302eddf5fcf48ed7a2b9ba74275b94f77bf41be07587a177137804622b9

SHA512
204ff9fffe500abce3e220a8024ad6ab9076ed8255d9b944add1063e5156c29c5d7b1060cb3ca3725ae7c94b7bb70015fc6794d0d6ae620ba8589c8aa39db5a9

Download Submit
C:\Windows\System\NofmtWb.exe

Filesize
5.2MB

MD5
5ef4e8160a11fa4c55ac5e895e98aaeb

SHA1
0b7edc447640bc99456b40c73b0b97e3da31941b

SHA256
d6ce57bf809bd3bba9307d8ceb1906cc2987e3c4a6a44a354d40eb3c937cfee7

SHA512
76c4ac823584d3cef02e1727bef87ee695dc46dda90e27c3543092d30a6f667fc6cb4f38028cba5de248bd45d7551bd4c0c444aeccf11a66eb701807f2f4c7f7

Download Submit
C:\Windows\System\PTjRoFk.exe

Filesize
5.2MB

MD5
6b7fb66644ca5c106def5dcbdc7e4be6

SHA1
7d4113e00a670d70776e11f52648fae2f56780f0

SHA256
1446759f2647332484116ef01807e9bffd7fc9bcabf5c770ca07e6e4f9ec1fec

SHA512
e3bed7b337794a6e80fea438dbbced60aabb586deb70fea522c58e7c8df0a1b0d610c897931d3888e6e9383947025de443f4d8d920cdc1a452f8b3110b5377e2

Download Submit
C:\Windows\System\PxJAMEE.exe

Filesize
5.2MB

MD5
2f31472843baa3a6bb4df555ae0c4b54

SHA1
c6b732179033506f4f6ce72c05ff05c4a7d707bb

SHA256
994f885d4048f012d5037a43742288cac0e04fbd55cf69a06d5513f16d242f26

SHA512
2fc338221e163a96b97cee969dcf8decd369b19d4109f0a4b5910c8255eb2d74b689a3dd146711dbc5cb98e22972a740ac4dc4ff9b8f3b363afda035df9520d9

Download Submit
C:\Windows\System\RqEYYVn.exe

Filesize
5.2MB

MD5
5ae4247cfa8660dd7335baaf7a19b774

SHA1
9e4596967b1aec47fe55327133e85b6d36fd6da0

SHA256
7ef86538e375f6c1a07e2a75e9d45095ae947fac10a90f23a863c3a33ebaf253

SHA512
612ecce0ab2e1ac2559e80235430164e2c1b8024c3e12a8b8fabf218ffa3fe7b73e311c0125c198ab6c063c7c0fb1f732c65421ab6516b9db95d97a25e2852ec

Download Submit
C:\Windows\System\aLWrglm.exe

Filesize
5.2MB

MD5
ef90c738e06779d6ed3ec9bb99dcb039

SHA1
4f83493dab71d7c8acd1803a23ac2e8c1459ed68

SHA256
ad8217f383c27e99c8eab9069be79add4994433ff95a0e772d46c1f02b6ed217

SHA512
cd04f8e88201029643ba5bb55c1451ee4d20bddb6f8596e9fe30c1152bf05734e355e50f5f1650e9ba55e5fa41a69dbae1e4eafd65472a1c8400b015a4f68dce

Download Submit
C:\Windows\System\adnSfkP.exe

Filesize
5.2MB

MD5
fc94bb15117f8961d52efb9cdf3a6cd2

SHA1
37f00bc0ed8c58d7af42de2ba164d986a6e7a171

SHA256
f841d496910b17897da1453be1cb43e16673f3d05cb5b09fca12376298fcfc1f

SHA512
61422aa79a45596d4fcc7dea6cc93e8bac7b6872a0b67604b489088ed8fac1f66bc6f6cb6893b2c3100bd8986a29648750d7ef742904d6eda9283c2ee91e9485

Download Submit
C:\Windows\System\dvISOkq.exe

Filesize
5.2MB

MD5
5c72df67afccf940c4ee4945313232ee

SHA1
eb733c48d6683fb65f86f7c1541104616eba481e

SHA256
a7540a582dc47967423884f4ae048cf0838f48d7ce3ea6f4850dc6986f096de7

SHA512
b8488b5f68c30adf4ea9a5939b56ce1b6dd6ec9c2221d3b2d826fe2a3ea1ac55026208dcdc3e02003c66324c804d428dd6caf79269c1258deb7f487668601646

Download Submit
C:\Windows\System\hLsgZSh.exe

Filesize
5.2MB

MD5
8781501b9ff4fddf959a8849b56c94f1

SHA1
244f60179f41d31d26ab4b48cd1bb6b0933cf1b6

SHA256
318b81988011fb38c59b4ea87a432e9a60a93349c61a75aed4bd107b06a978fb

SHA512
c03d68e3eb5efaf183da8e6a1cce31008f24087aa6be6b102894728e0a536d423968e0ecf71a59af14e63bbf9f7322c19923d02a5bb9ba5ecd321fc614a8719e

Download Submit
C:\Windows\System\hUTBYpK.exe

Filesize
5.2MB

MD5
dff5e19b07fa3a3dde95c33211cbe5c1

SHA1
f4eb77c4454eca72edfb4e6f064e2afa6c23a336

SHA256
be31d7d3c33753e615e3fa02dc7a60bbbfd95cd9a397330bca9a56ef62b085d3

SHA512
5070e1d31e57cf7a8d393e46e80db9a5456435f55a60880370d548d6adde65ceb59f67e201b74aa3e4438b13795b8e7e3aa14cdb1c09cd1bf17502951f7feb33

Download Submit
C:\Windows\System\lwuSblC.exe

Filesize
5.2MB

MD5
cb79b5165407f9d2470e4f92b9c970bc

SHA1
e451272013b7f05ad63f1ca7cf97f4d6bc6505b8

SHA256
495b2271054011a7fb6fe9c9e4e9dcae052bf459a49e9fda44ac10e4a1995e5f

SHA512
a25b73062668336bceb84798d182f6bba2875cd285beecc71dbdd99e795fa32897d45e6bb07fcdfdb219a97b60162dd1122c8c7f2abad252985771a68541710d

Download Submit
C:\Windows\System\wqJWSxS.exe

Filesize
5.2MB

MD5
87a058153dcd5b468a728a5809be0f8f

SHA1
bd76855a9bc0fea8434d2f270266cb74fc999701

SHA256
e1522696cf544ba957b38bbb22952005f6eceb44f46601d42506ab8f18308b08

SHA512
b61137472190d5c3f76d28bca3ae400df8d594c1bcfc5eec62affae2f76287bebf92018def1e93c33eca30668ab42ce254d04a22dfc981647bae53db4c55aa19

Download Submit
C:\Windows\System\wvHsclO.exe

Filesize
5.2MB

MD5
b43f9980cb31fd8a0708a049668916de

SHA1
159fbeb677b83bf955c89483429f51f007ece646

SHA256
b7c2d6f5a52fc635ab9b3848c69f2f681f6e42c9a4c10d32f3e3926727b1f27d

SHA512
429a633e8b61eef71c48f76a12064fcf9901b216eadf11f1bc4fbf9fda3859d996b4780da0aaf26347e57e04067569329d08ae6e947786c3a084dad05648869d

Download Submit
C:\Windows\System\wyJKJyY.exe

Filesize
5.2MB

MD5
4d302d7d1daebde35f6fb159bc32371b

SHA1
4ff53d55a5c1beeebfcd7b23dfd88c7a6da9fddd

SHA256
a46367578e87ef042141d214648c1dd3ad531151efcfe3d263576d0794a1af2a

SHA512
85c7c2b2120eccb7ebe0e0bff856e3722a1205d38ca37c36a00eab39ea845bb470a15ed280c25c22f560bfa748c551db4724e0253e5842330f64284c611e598a

Download Submit
C:\Windows\System\yKeWFyf.exe

Filesize
5.2MB

MD5
2f35a7a7510ddb149fca78005b904e4a

SHA1
d4f9ec8bc491c2e567956f1c0485558a4080dc82

SHA256
97bbeefbb88fab40a4ac74948cb5b32dcbfd79b816da130e8d68ed3bafc65c49

SHA512
d63d77295755ba478c86093005f7e6d6020fd52e0faa6aa6eb0a1eaa0a49a9a747607c5a968632d0e16d600c7b6478009de2a4804d23e14d9139eea77a9d224a

Download Submit
C:\Windows\System\ybtnfxp.exe

Filesize
5.2MB

MD5
8e46fc4b757779684fbf9763b0f82435

SHA1
ef1c699b400148c5fad4045b9c2474f6ce64034c

SHA256
8262001cd01234e6fae0eaa34117d7d57f90b5c78f633e21f44db1a2006f1886

SHA512
87ea0262dd4526064f3bea488f07cfc30dded20aa36ee1e47050a20f9bb6e57fa5672e0862ee162785de67ee9be34212b41318857078569bfb089e383abbb0a5

Download Submit
memory/1136-130-0x00007FF783960000-0x00007FF783CB1000-memory.dmp

Filesize
3.3MB

Download
memory/1136-271-0x00007FF783960000-0x00007FF783CB1000-memory.dmp

Filesize
3.3MB

Download
memory/1348-146-0x00007FF765450000-0x00007FF7657A1000-memory.dmp

Filesize
3.3MB

Download
memory/1348-267-0x00007FF765450000-0x00007FF7657A1000-memory.dmp

Filesize
3.3MB

Download
memory/1348-110-0x00007FF765450000-0x00007FF7657A1000-memory.dmp

Filesize
3.3MB

Download
memory/1616-132-0x00007FF7BD6E0000-0x00007FF7BDA31000-memory.dmp

Filesize
3.3MB

Download
memory/1616-248-0x00007FF7BD6E0000-0x00007FF7BDA31000-memory.dmp

Filesize
3.3MB

Download
memory/1616-55-0x00007FF7BD6E0000-0x00007FF7BDA31000-memory.dmp

Filesize
3.3MB

Download
memory/1716-45-0x00007FF6E16D0000-0x00007FF6E1A21000-memory.dmp

Filesize
3.3MB

Download
memory/1716-117-0x00007FF6E16D0000-0x00007FF6E1A21000-memory.dmp

Filesize
3.3MB

Download
memory/1716-246-0x00007FF6E16D0000-0x00007FF6E1A21000-memory.dmp

Filesize
3.3MB

Download
memory/1988-269-0x00007FF6AF020000-0x00007FF6AF371000-memory.dmp

Filesize
3.3MB

Download
memory/1988-129-0x00007FF6AF020000-0x00007FF6AF371000-memory.dmp

Filesize
3.3MB

Download
memory/1988-164-0x00007FF6AF020000-0x00007FF6AF371000-memory.dmp

Filesize
3.3MB

Download
memory/1992-141-0x00007FF6E8C20000-0x00007FF6E8F71000-memory.dmp

Filesize
3.3MB

Download
memory/1992-263-0x00007FF6E8C20000-0x00007FF6E8F71000-memory.dmp

Filesize
3.3MB

Download
memory/1992-107-0x00007FF6E8C20000-0x00007FF6E8F71000-memory.dmp

Filesize
3.3MB

Download
memory/2012-253-0x00007FF7B9460000-0x00007FF7B97B1000-memory.dmp

Filesize
3.3MB

Download
memory/2012-76-0x00007FF7B9460000-0x00007FF7B97B1000-memory.dmp

Filesize
3.3MB

Download
memory/2112-254-0x00007FF722630000-0x00007FF722981000-memory.dmp

Filesize
3.3MB

Download
memory/2112-136-0x00007FF722630000-0x00007FF722981000-memory.dmp

Filesize
3.3MB

Download
memory/2112-56-0x00007FF722630000-0x00007FF722981000-memory.dmp

Filesize
3.3MB

Download
memory/2140-137-0x00007FF6B2B00000-0x00007FF6B2E51000-memory.dmp

Filesize
3.3MB

Download
memory/2140-62-0x00007FF6B2B00000-0x00007FF6B2E51000-memory.dmp

Filesize
3.3MB

Download
memory/2140-250-0x00007FF6B2B00000-0x00007FF6B2E51000-memory.dmp

Filesize
3.3MB

Download
memory/2156-74-0x00007FF679F20000-0x00007FF67A271000-memory.dmp

Filesize
3.3MB

Download
memory/2156-220-0x00007FF679F20000-0x00007FF67A271000-memory.dmp

Filesize
3.3MB

Download
memory/2156-8-0x00007FF679F20000-0x00007FF67A271000-memory.dmp

Filesize
3.3MB

Download
memory/2284-98-0x00007FF7FEFD0000-0x00007FF7FF321000-memory.dmp

Filesize
3.3MB

Download
memory/2284-258-0x00007FF7FEFD0000-0x00007FF7FF321000-memory.dmp

Filesize
3.3MB

Download
memory/2372-224-0x00007FF656200000-0x00007FF656551000-memory.dmp

Filesize
3.3MB

Download
memory/2372-105-0x00007FF656200000-0x00007FF656551000-memory.dmp

Filesize
3.3MB

Download
memory/2372-20-0x00007FF656200000-0x00007FF656551000-memory.dmp

Filesize
3.3MB

Download
memory/2516-166-0x00007FF6C9A30000-0x00007FF6C9D81000-memory.dmp

Filesize
3.3MB

Download
memory/2516-133-0x00007FF6C9A30000-0x00007FF6C9D81000-memory.dmp

Filesize
3.3MB

Download
memory/2516-274-0x00007FF6C9A30000-0x00007FF6C9D81000-memory.dmp

Filesize
3.3MB

Download
memory/2892-230-0x00007FF665A40000-0x00007FF665D91000-memory.dmp

Filesize
3.3MB

Download
memory/2892-40-0x00007FF665A40000-0x00007FF665D91000-memory.dmp

Filesize
3.3MB

Download
memory/3216-24-0x00007FF713A30000-0x00007FF713D81000-memory.dmp

Filesize
3.3MB

Download
memory/3216-111-0x00007FF713A30000-0x00007FF713D81000-memory.dmp

Filesize
3.3MB

Download
memory/3216-226-0x00007FF713A30000-0x00007FF713D81000-memory.dmp

Filesize
3.3MB

Download
memory/3456-140-0x00007FF67DF20000-0x00007FF67E271000-memory.dmp

Filesize
3.3MB

Download
memory/3456-264-0x00007FF67DF20000-0x00007FF67E271000-memory.dmp

Filesize
3.3MB

Download
memory/3456-99-0x00007FF67DF20000-0x00007FF67E271000-memory.dmp

Filesize
3.3MB

Download
memory/3736-272-0x00007FF6814A0000-0x00007FF6817F1000-memory.dmp

Filesize
3.3MB

Download
memory/3736-142-0x00007FF6814A0000-0x00007FF6817F1000-memory.dmp

Filesize
3.3MB

Download
memory/3736-109-0x00007FF6814A0000-0x00007FF6817F1000-memory.dmp

Filesize
3.3MB

Download
memory/3980-91-0x00007FF6178B0000-0x00007FF617C01000-memory.dmp

Filesize
3.3MB

Download
memory/3980-222-0x00007FF6178B0000-0x00007FF617C01000-memory.dmp

Filesize
3.3MB

Download
memory/3980-14-0x00007FF6178B0000-0x00007FF617C01000-memory.dmp

Filesize
3.3MB

Download
memory/4072-30-0x00007FF747800000-0x00007FF747B51000-memory.dmp

Filesize
3.3MB

Download
memory/4072-228-0x00007FF747800000-0x00007FF747B51000-memory.dmp

Filesize
3.3MB

Download
memory/4072-126-0x00007FF747800000-0x00007FF747B51000-memory.dmp

Filesize
3.3MB

Download
memory/4088-139-0x00007FF60D750000-0x00007FF60DAA1000-memory.dmp

Filesize
3.3MB

Download
memory/4088-260-0x00007FF60D750000-0x00007FF60DAA1000-memory.dmp

Filesize
3.3MB

Download
memory/4088-90-0x00007FF60D750000-0x00007FF60DAA1000-memory.dmp

Filesize
3.3MB

Download
memory/4520-1-0x000002A3B93E0000-0x000002A3B93F0000-memory.dmp

Filesize
64KB

Download
memory/4520-61-0x00007FF7D0F50000-0x00007FF7D12A1000-memory.dmp

Filesize
3.3MB

Download
memory/4520-167-0x00007FF7D0F50000-0x00007FF7D12A1000-memory.dmp

Filesize
3.3MB

Download
memory/4520-0-0x00007FF7D0F50000-0x00007FF7D12A1000-memory.dmp

Filesize
3.3MB

Download
memory/4520-143-0x00007FF7D0F50000-0x00007FF7D12A1000-memory.dmp

Filesize
3.3MB

Download
memory/4776-257-0x00007FF600C00000-0x00007FF600F51000-memory.dmp

Filesize
3.3MB

Download
memory/4776-82-0x00007FF600C00000-0x00007FF600F51000-memory.dmp

Filesize
3.3MB

Download
memory/4776-138-0x00007FF600C00000-0x00007FF600F51000-memory.dmp

Filesize
3.3MB

Download