cobaltstrike | 56238fb6e0af22f3851c7b5ce0c5ce23a9e5bfcd6488bf512ed2ceb71fe472b8

Analysis

max time kernel
145s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-12-2024 12:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-17_4dd2fcce9f2e4457ce54e84134fc324e_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

4dd2fcce9f2e4457ce54e84134fc324e
SHA1

52db8673a4e4b7e5079eba449f5ff3b3e19a536f
SHA256

56238fb6e0af22f3851c7b5ce0c5ce23a9e5bfcd6488bf512ed2ceb71fe472b8
SHA512

cf6018b4628548faa7434fbf38cc280689c4031655b945d833ac83477f4b7b23c1819bf605ff805967c5264dcbce5acf708abc09e06676e7036c71cb8d3bec3b
SSDEEP

49152:ROdWCCi7/raN56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l3:RWWBib+56utgpPFotBER/mQ32lUT

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000c000000023b93-4.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9d-9.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023ba0-30.dat	cobalt_reflective_dll
behavioral2/files/0x000e000000023bb0-46.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba9-42.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b9f-41.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9e-35.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023ba1-31.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9c-15.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023bbe-58.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023bbf-78.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023bc0-88.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bc6-91.dat	cobalt_reflective_dll
behavioral2/files/0x000e000000023bc4-86.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bb9-66.dat	cobalt_reflective_dll
behavioral2/files/0x000c000000023b96-94.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bcb-108.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bcc-115.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bfb-126.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bfc-131.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bca-103.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/4984-82-0x00007FF66A3D0000-0x00007FF66A721000-memory.dmp	xmrig
behavioral2/memory/1172-74-0x00007FF60E1F0000-0x00007FF60E541000-memory.dmp	xmrig
behavioral2/memory/3016-69-0x00007FF612D20000-0x00007FF613071000-memory.dmp	xmrig
behavioral2/memory/2372-98-0x00007FF7CFE20000-0x00007FF7D0171000-memory.dmp	xmrig
behavioral2/memory/4392-107-0x00007FF7C6A80000-0x00007FF7C6DD1000-memory.dmp	xmrig
behavioral2/memory/2700-122-0x00007FF66EC80000-0x00007FF66EFD1000-memory.dmp	xmrig
behavioral2/memory/2036-133-0x00007FF71E660000-0x00007FF71E9B1000-memory.dmp	xmrig
behavioral2/memory/3668-132-0x00007FF7D1080000-0x00007FF7D13D1000-memory.dmp	xmrig
behavioral2/memory/1792-125-0x00007FF794200000-0x00007FF794551000-memory.dmp	xmrig
behavioral2/memory/3932-124-0x00007FF6CE820000-0x00007FF6CEB71000-memory.dmp	xmrig
behavioral2/memory/4424-123-0x00007FF77D5C0000-0x00007FF77D911000-memory.dmp	xmrig
behavioral2/memory/4484-110-0x00007FF797B40000-0x00007FF797E91000-memory.dmp	xmrig
behavioral2/memory/4980-109-0x00007FF70E480000-0x00007FF70E7D1000-memory.dmp	xmrig
behavioral2/memory/3384-105-0x00007FF7E7240000-0x00007FF7E7591000-memory.dmp	xmrig
behavioral2/memory/4664-149-0x00007FF69E550000-0x00007FF69E8A1000-memory.dmp	xmrig
behavioral2/memory/2332-152-0x00007FF723AB0000-0x00007FF723E01000-memory.dmp	xmrig
behavioral2/memory/1744-151-0x00007FF6E7600000-0x00007FF6E7951000-memory.dmp	xmrig
behavioral2/memory/544-150-0x00007FF7E5670000-0x00007FF7E59C1000-memory.dmp	xmrig
behavioral2/memory/3384-137-0x00007FF7E7240000-0x00007FF7E7591000-memory.dmp	xmrig
behavioral2/memory/4988-156-0x00007FF72FCE0000-0x00007FF730031000-memory.dmp	xmrig
behavioral2/memory/1140-157-0x00007FF60ED50000-0x00007FF60F0A1000-memory.dmp	xmrig
behavioral2/memory/4864-155-0x00007FF60CDC0000-0x00007FF60D111000-memory.dmp	xmrig
behavioral2/memory/3384-158-0x00007FF7E7240000-0x00007FF7E7591000-memory.dmp	xmrig
behavioral2/memory/2464-166-0x00007FF6AE5B0000-0x00007FF6AE901000-memory.dmp	xmrig
behavioral2/memory/4980-215-0x00007FF70E480000-0x00007FF70E7D1000-memory.dmp	xmrig
behavioral2/memory/4484-217-0x00007FF797B40000-0x00007FF797E91000-memory.dmp	xmrig
behavioral2/memory/2700-219-0x00007FF66EC80000-0x00007FF66EFD1000-memory.dmp	xmrig
behavioral2/memory/4424-221-0x00007FF77D5C0000-0x00007FF77D911000-memory.dmp	xmrig
behavioral2/memory/3016-229-0x00007FF612D20000-0x00007FF613071000-memory.dmp	xmrig
behavioral2/memory/3668-231-0x00007FF7D1080000-0x00007FF7D13D1000-memory.dmp	xmrig
behavioral2/memory/1172-234-0x00007FF60E1F0000-0x00007FF60E541000-memory.dmp	xmrig
behavioral2/memory/2036-237-0x00007FF71E660000-0x00007FF71E9B1000-memory.dmp	xmrig
behavioral2/memory/4984-241-0x00007FF66A3D0000-0x00007FF66A721000-memory.dmp	xmrig
behavioral2/memory/3932-239-0x00007FF6CE820000-0x00007FF6CEB71000-memory.dmp	xmrig
behavioral2/memory/1792-235-0x00007FF794200000-0x00007FF794551000-memory.dmp	xmrig
behavioral2/memory/2332-246-0x00007FF723AB0000-0x00007FF723E01000-memory.dmp	xmrig
behavioral2/memory/4664-249-0x00007FF69E550000-0x00007FF69E8A1000-memory.dmp	xmrig
behavioral2/memory/544-248-0x00007FF7E5670000-0x00007FF7E59C1000-memory.dmp	xmrig
behavioral2/memory/1744-244-0x00007FF6E7600000-0x00007FF6E7951000-memory.dmp	xmrig
behavioral2/memory/2372-256-0x00007FF7CFE20000-0x00007FF7D0171000-memory.dmp	xmrig
behavioral2/memory/4392-258-0x00007FF7C6A80000-0x00007FF7C6DD1000-memory.dmp	xmrig
behavioral2/memory/4864-260-0x00007FF60CDC0000-0x00007FF60D111000-memory.dmp	xmrig
behavioral2/memory/4988-262-0x00007FF72FCE0000-0x00007FF730031000-memory.dmp	xmrig
behavioral2/memory/1140-264-0x00007FF60ED50000-0x00007FF60F0A1000-memory.dmp	xmrig
behavioral2/memory/2464-267-0x00007FF6AE5B0000-0x00007FF6AE901000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4980	XTGjHJL.exe
4484	UpEzYhr.exe
2700	uzUojmF.exe
4424	vAMYjko.exe
3932	QDSxYbY.exe
3668	OumDbet.exe
1792	YJffSzX.exe
2036	odvfqZc.exe
3016	CQKaGUi.exe
1172	pHjurpn.exe
4984	lMnZxVQ.exe
4664	mIdcCVW.exe
1744	tfivwQp.exe
544	ZiOQwVD.exe
2332	ZAAtiNz.exe
2372	SDrvQXk.exe
4392	DYhYjBq.exe
4864	JhxahbY.exe
4988	nwdRroi.exe
1140	tRpYqgr.exe
2464	FGPynpv.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3384-0-0x00007FF7E7240000-0x00007FF7E7591000-memory.dmp	upx
behavioral2/files/0x000c000000023b93-4.dat	upx
behavioral2/memory/4980-8-0x00007FF70E480000-0x00007FF70E7D1000-memory.dmp	upx
behavioral2/files/0x000a000000023b9d-9.dat	upx
behavioral2/memory/4484-19-0x00007FF797B40000-0x00007FF797E91000-memory.dmp	upx
behavioral2/files/0x000b000000023ba0-30.dat	upx
behavioral2/memory/1792-47-0x00007FF794200000-0x00007FF794551000-memory.dmp	upx
behavioral2/files/0x000e000000023bb0-46.dat	upx
behavioral2/files/0x000a000000023ba9-42.dat	upx
behavioral2/files/0x000b000000023b9f-41.dat	upx
behavioral2/memory/3932-37-0x00007FF6CE820000-0x00007FF6CEB71000-memory.dmp	upx
behavioral2/files/0x000a000000023b9e-35.dat	upx
behavioral2/memory/4424-33-0x00007FF77D5C0000-0x00007FF77D911000-memory.dmp	upx
behavioral2/files/0x000b000000023ba1-31.dat	upx
behavioral2/memory/2700-22-0x00007FF66EC80000-0x00007FF66EFD1000-memory.dmp	upx
behavioral2/files/0x000a000000023b9c-15.dat	upx
behavioral2/files/0x0009000000023bbe-58.dat	upx
behavioral2/files/0x0009000000023bbf-78.dat	upx
behavioral2/memory/544-84-0x00007FF7E5670000-0x00007FF7E59C1000-memory.dmp	upx
behavioral2/files/0x0009000000023bc0-88.dat	upx
behavioral2/files/0x0008000000023bc6-91.dat	upx
behavioral2/memory/2332-90-0x00007FF723AB0000-0x00007FF723E01000-memory.dmp	upx
behavioral2/files/0x000e000000023bc4-86.dat	upx
behavioral2/memory/1744-85-0x00007FF6E7600000-0x00007FF6E7951000-memory.dmp	upx
behavioral2/memory/4984-82-0x00007FF66A3D0000-0x00007FF66A721000-memory.dmp	upx
behavioral2/memory/1172-74-0x00007FF60E1F0000-0x00007FF60E541000-memory.dmp	upx
behavioral2/memory/4664-73-0x00007FF69E550000-0x00007FF69E8A1000-memory.dmp	upx
behavioral2/memory/3016-69-0x00007FF612D20000-0x00007FF613071000-memory.dmp	upx
behavioral2/memory/2036-68-0x00007FF71E660000-0x00007FF71E9B1000-memory.dmp	upx
behavioral2/files/0x0008000000023bb9-66.dat	upx
behavioral2/memory/3668-57-0x00007FF7D1080000-0x00007FF7D13D1000-memory.dmp	upx
behavioral2/files/0x000c000000023b96-94.dat	upx
behavioral2/memory/2372-98-0x00007FF7CFE20000-0x00007FF7D0171000-memory.dmp	upx
behavioral2/memory/4392-107-0x00007FF7C6A80000-0x00007FF7C6DD1000-memory.dmp	upx
behavioral2/files/0x0008000000023bcb-108.dat	upx
behavioral2/files/0x0008000000023bcc-115.dat	upx
behavioral2/memory/2700-122-0x00007FF66EC80000-0x00007FF66EFD1000-memory.dmp	upx
behavioral2/files/0x0008000000023bfb-126.dat	upx
behavioral2/files/0x0008000000023bfc-131.dat	upx
behavioral2/memory/2036-133-0x00007FF71E660000-0x00007FF71E9B1000-memory.dmp	upx
behavioral2/memory/2464-134-0x00007FF6AE5B0000-0x00007FF6AE901000-memory.dmp	upx
behavioral2/memory/3668-132-0x00007FF7D1080000-0x00007FF7D13D1000-memory.dmp	upx
behavioral2/memory/1140-130-0x00007FF60ED50000-0x00007FF60F0A1000-memory.dmp	upx
behavioral2/memory/1792-125-0x00007FF794200000-0x00007FF794551000-memory.dmp	upx
behavioral2/memory/3932-124-0x00007FF6CE820000-0x00007FF6CEB71000-memory.dmp	upx
behavioral2/memory/4424-123-0x00007FF77D5C0000-0x00007FF77D911000-memory.dmp	upx
behavioral2/memory/4988-119-0x00007FF72FCE0000-0x00007FF730031000-memory.dmp	upx
behavioral2/memory/4864-114-0x00007FF60CDC0000-0x00007FF60D111000-memory.dmp	upx
behavioral2/memory/4484-110-0x00007FF797B40000-0x00007FF797E91000-memory.dmp	upx
behavioral2/memory/4980-109-0x00007FF70E480000-0x00007FF70E7D1000-memory.dmp	upx
behavioral2/memory/3384-105-0x00007FF7E7240000-0x00007FF7E7591000-memory.dmp	upx
behavioral2/files/0x0008000000023bca-103.dat	upx
behavioral2/memory/4664-149-0x00007FF69E550000-0x00007FF69E8A1000-memory.dmp	upx
behavioral2/memory/2332-152-0x00007FF723AB0000-0x00007FF723E01000-memory.dmp	upx
behavioral2/memory/1744-151-0x00007FF6E7600000-0x00007FF6E7951000-memory.dmp	upx
behavioral2/memory/544-150-0x00007FF7E5670000-0x00007FF7E59C1000-memory.dmp	upx
behavioral2/memory/3384-137-0x00007FF7E7240000-0x00007FF7E7591000-memory.dmp	upx
behavioral2/memory/4988-156-0x00007FF72FCE0000-0x00007FF730031000-memory.dmp	upx
behavioral2/memory/1140-157-0x00007FF60ED50000-0x00007FF60F0A1000-memory.dmp	upx
behavioral2/memory/4864-155-0x00007FF60CDC0000-0x00007FF60D111000-memory.dmp	upx
behavioral2/memory/3384-158-0x00007FF7E7240000-0x00007FF7E7591000-memory.dmp	upx
behavioral2/memory/2464-166-0x00007FF6AE5B0000-0x00007FF6AE901000-memory.dmp	upx
behavioral2/memory/4980-215-0x00007FF70E480000-0x00007FF70E7D1000-memory.dmp	upx
behavioral2/memory/4484-217-0x00007FF797B40000-0x00007FF797E91000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\QDSxYbY.exe	2024-12-17_4dd2fcce9f2e4457ce54e84134fc324e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pHjurpn.exe	2024-12-17_4dd2fcce9f2e4457ce54e84134fc324e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JhxahbY.exe	2024-12-17_4dd2fcce9f2e4457ce54e84134fc324e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZAAtiNz.exe	2024-12-17_4dd2fcce9f2e4457ce54e84134fc324e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SDrvQXk.exe	2024-12-17_4dd2fcce9f2e4457ce54e84134fc324e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vAMYjko.exe	2024-12-17_4dd2fcce9f2e4457ce54e84134fc324e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OumDbet.exe	2024-12-17_4dd2fcce9f2e4457ce54e84134fc324e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YJffSzX.exe	2024-12-17_4dd2fcce9f2e4457ce54e84134fc324e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZiOQwVD.exe	2024-12-17_4dd2fcce9f2e4457ce54e84134fc324e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tfivwQp.exe	2024-12-17_4dd2fcce9f2e4457ce54e84134fc324e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lMnZxVQ.exe	2024-12-17_4dd2fcce9f2e4457ce54e84134fc324e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mIdcCVW.exe	2024-12-17_4dd2fcce9f2e4457ce54e84134fc324e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FGPynpv.exe	2024-12-17_4dd2fcce9f2e4457ce54e84134fc324e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DYhYjBq.exe	2024-12-17_4dd2fcce9f2e4457ce54e84134fc324e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nwdRroi.exe	2024-12-17_4dd2fcce9f2e4457ce54e84134fc324e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tRpYqgr.exe	2024-12-17_4dd2fcce9f2e4457ce54e84134fc324e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XTGjHJL.exe	2024-12-17_4dd2fcce9f2e4457ce54e84134fc324e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UpEzYhr.exe	2024-12-17_4dd2fcce9f2e4457ce54e84134fc324e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uzUojmF.exe	2024-12-17_4dd2fcce9f2e4457ce54e84134fc324e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\odvfqZc.exe	2024-12-17_4dd2fcce9f2e4457ce54e84134fc324e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CQKaGUi.exe	2024-12-17_4dd2fcce9f2e4457ce54e84134fc324e_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3384	2024-12-17_4dd2fcce9f2e4457ce54e84134fc324e_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	3384	2024-12-17_4dd2fcce9f2e4457ce54e84134fc324e_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3384 wrote to memory of 4980	3384	2024-12-17_4dd2fcce9f2e4457ce54e84134fc324e_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3384 wrote to memory of 4980	3384	2024-12-17_4dd2fcce9f2e4457ce54e84134fc324e_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3384 wrote to memory of 4484	3384	2024-12-17_4dd2fcce9f2e4457ce54e84134fc324e_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3384 wrote to memory of 4484	3384	2024-12-17_4dd2fcce9f2e4457ce54e84134fc324e_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3384 wrote to memory of 2700	3384	2024-12-17_4dd2fcce9f2e4457ce54e84134fc324e_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3384 wrote to memory of 2700	3384	2024-12-17_4dd2fcce9f2e4457ce54e84134fc324e_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3384 wrote to memory of 4424	3384	2024-12-17_4dd2fcce9f2e4457ce54e84134fc324e_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3384 wrote to memory of 4424	3384	2024-12-17_4dd2fcce9f2e4457ce54e84134fc324e_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3384 wrote to memory of 3932	3384	2024-12-17_4dd2fcce9f2e4457ce54e84134fc324e_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3384 wrote to memory of 3932	3384	2024-12-17_4dd2fcce9f2e4457ce54e84134fc324e_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3384 wrote to memory of 3668	3384	2024-12-17_4dd2fcce9f2e4457ce54e84134fc324e_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3384 wrote to memory of 3668	3384	2024-12-17_4dd2fcce9f2e4457ce54e84134fc324e_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3384 wrote to memory of 1792	3384	2024-12-17_4dd2fcce9f2e4457ce54e84134fc324e_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3384 wrote to memory of 1792	3384	2024-12-17_4dd2fcce9f2e4457ce54e84134fc324e_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3384 wrote to memory of 2036	3384	2024-12-17_4dd2fcce9f2e4457ce54e84134fc324e_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3384 wrote to memory of 2036	3384	2024-12-17_4dd2fcce9f2e4457ce54e84134fc324e_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3384 wrote to memory of 3016	3384	2024-12-17_4dd2fcce9f2e4457ce54e84134fc324e_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3384 wrote to memory of 3016	3384	2024-12-17_4dd2fcce9f2e4457ce54e84134fc324e_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3384 wrote to memory of 1172	3384	2024-12-17_4dd2fcce9f2e4457ce54e84134fc324e_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3384 wrote to memory of 1172	3384	2024-12-17_4dd2fcce9f2e4457ce54e84134fc324e_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3384 wrote to memory of 4984	3384	2024-12-17_4dd2fcce9f2e4457ce54e84134fc324e_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3384 wrote to memory of 4984	3384	2024-12-17_4dd2fcce9f2e4457ce54e84134fc324e_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3384 wrote to memory of 4664	3384	2024-12-17_4dd2fcce9f2e4457ce54e84134fc324e_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3384 wrote to memory of 4664	3384	2024-12-17_4dd2fcce9f2e4457ce54e84134fc324e_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3384 wrote to memory of 544	3384	2024-12-17_4dd2fcce9f2e4457ce54e84134fc324e_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3384 wrote to memory of 544	3384	2024-12-17_4dd2fcce9f2e4457ce54e84134fc324e_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3384 wrote to memory of 1744	3384	2024-12-17_4dd2fcce9f2e4457ce54e84134fc324e_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3384 wrote to memory of 1744	3384	2024-12-17_4dd2fcce9f2e4457ce54e84134fc324e_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3384 wrote to memory of 2332	3384	2024-12-17_4dd2fcce9f2e4457ce54e84134fc324e_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3384 wrote to memory of 2332	3384	2024-12-17_4dd2fcce9f2e4457ce54e84134fc324e_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3384 wrote to memory of 2372	3384	2024-12-17_4dd2fcce9f2e4457ce54e84134fc324e_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3384 wrote to memory of 2372	3384	2024-12-17_4dd2fcce9f2e4457ce54e84134fc324e_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3384 wrote to memory of 4392	3384	2024-12-17_4dd2fcce9f2e4457ce54e84134fc324e_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3384 wrote to memory of 4392	3384	2024-12-17_4dd2fcce9f2e4457ce54e84134fc324e_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3384 wrote to memory of 4864	3384	2024-12-17_4dd2fcce9f2e4457ce54e84134fc324e_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3384 wrote to memory of 4864	3384	2024-12-17_4dd2fcce9f2e4457ce54e84134fc324e_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3384 wrote to memory of 4988	3384	2024-12-17_4dd2fcce9f2e4457ce54e84134fc324e_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3384 wrote to memory of 4988	3384	2024-12-17_4dd2fcce9f2e4457ce54e84134fc324e_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3384 wrote to memory of 1140	3384	2024-12-17_4dd2fcce9f2e4457ce54e84134fc324e_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3384 wrote to memory of 1140	3384	2024-12-17_4dd2fcce9f2e4457ce54e84134fc324e_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3384 wrote to memory of 2464	3384	2024-12-17_4dd2fcce9f2e4457ce54e84134fc324e_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 3384 wrote to memory of 2464	3384	2024-12-17_4dd2fcce9f2e4457ce54e84134fc324e_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-12-17_4dd2fcce9f2e4457ce54e84134fc324e_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-17_4dd2fcce9f2e4457ce54e84134fc324e_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3384
- C:\Windows\System\XTGjHJL.exe
  C:\Windows\System\XTGjHJL.exe
  2⤵
  - Executes dropped EXE
  PID:4980
- C:\Windows\System\UpEzYhr.exe
  C:\Windows\System\UpEzYhr.exe
  2⤵
  - Executes dropped EXE
  PID:4484
- C:\Windows\System\uzUojmF.exe
  C:\Windows\System\uzUojmF.exe
  2⤵
  - Executes dropped EXE
  PID:2700
- C:\Windows\System\vAMYjko.exe
  C:\Windows\System\vAMYjko.exe
  2⤵
  - Executes dropped EXE
  PID:4424
- C:\Windows\System\QDSxYbY.exe
  C:\Windows\System\QDSxYbY.exe
  2⤵
  - Executes dropped EXE
  PID:3932
- C:\Windows\System\OumDbet.exe
  C:\Windows\System\OumDbet.exe
  2⤵
  - Executes dropped EXE
  PID:3668
- C:\Windows\System\YJffSzX.exe
  C:\Windows\System\YJffSzX.exe
  2⤵
  - Executes dropped EXE
  PID:1792
- C:\Windows\System\odvfqZc.exe
  C:\Windows\System\odvfqZc.exe
  2⤵
  - Executes dropped EXE
  PID:2036
- C:\Windows\System\CQKaGUi.exe
  C:\Windows\System\CQKaGUi.exe
  2⤵
  - Executes dropped EXE
  PID:3016
- C:\Windows\System\pHjurpn.exe
  C:\Windows\System\pHjurpn.exe
  2⤵
  - Executes dropped EXE
  PID:1172
- C:\Windows\System\lMnZxVQ.exe
  C:\Windows\System\lMnZxVQ.exe
  2⤵
  - Executes dropped EXE
  PID:4984
- C:\Windows\System\mIdcCVW.exe
  C:\Windows\System\mIdcCVW.exe
  2⤵
  - Executes dropped EXE
  PID:4664
- C:\Windows\System\ZiOQwVD.exe
  C:\Windows\System\ZiOQwVD.exe
  2⤵
  - Executes dropped EXE
  PID:544
- C:\Windows\System\tfivwQp.exe
  C:\Windows\System\tfivwQp.exe
  2⤵
  - Executes dropped EXE
  PID:1744
- C:\Windows\System\ZAAtiNz.exe
  C:\Windows\System\ZAAtiNz.exe
  2⤵
  - Executes dropped EXE
  PID:2332
- C:\Windows\System\SDrvQXk.exe
  C:\Windows\System\SDrvQXk.exe
  2⤵
  - Executes dropped EXE
  PID:2372
- C:\Windows\System\DYhYjBq.exe
  C:\Windows\System\DYhYjBq.exe
  2⤵
  - Executes dropped EXE
  PID:4392
- C:\Windows\System\JhxahbY.exe
  C:\Windows\System\JhxahbY.exe
  2⤵
  - Executes dropped EXE
  PID:4864
- C:\Windows\System\nwdRroi.exe
  C:\Windows\System\nwdRroi.exe
  2⤵
  - Executes dropped EXE
  PID:4988
- C:\Windows\System\tRpYqgr.exe
  C:\Windows\System\tRpYqgr.exe
  2⤵
  - Executes dropped EXE
  PID:1140
- C:\Windows\System\FGPynpv.exe
  C:\Windows\System\FGPynpv.exe
  2⤵
  - Executes dropped EXE
  PID:2464

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\CQKaGUi.exe

Filesize
5.2MB

MD5
fb8afb9871d842a0b8fd56cd43d9c1b4

SHA1
3fa8bd4c2a20eb895312ad3b77d2416a7969260e

SHA256
aff9ac12f66f8fa9329d1c381cb344a01e9256e183ac77ffd37402ea6e1f4754

SHA512
6354345f19adc096b2b36b01bfab4b62ee3ced8eb6e8710a2378800525f492d4c35075602dbb215638c8c43f8940950a2b32164e7f48968ff5882f5916f73627

Download Submit
C:\Windows\System\DYhYjBq.exe

Filesize
5.2MB

MD5
2d44af31bf8470ae26122aa6a9ea4dda

SHA1
48c9a5fd5730009453d85f76ec2933ecf6a19f5a

SHA256
f2adda58983f22256438327da5a32c9ced25a424eab1fb07160eaca820578ab3

SHA512
20681ec2d4ac3935080e08833d869abd9d06e41170f1ec8c2b266d074e99bda724b80b114d92b2b3c177fa1daa435c6fbfe127ad199ab74811fc277d813a57fc

Download Submit
C:\Windows\System\FGPynpv.exe

Filesize
5.2MB

MD5
c3de6a136ce774e5c0d3a31cea85b9e9

SHA1
76687dd15f42217bc4462fe5b3d30d3e47e64341

SHA256
00b91fbd825c94ca73961b7fb1634482359dd6bfb37c0e599c578dc2d8038f64

SHA512
41ae508c706cf24f559ef8923fad90d502a97f9fa1904962179a1099643d819cfbb4ef050f6e629c29314086d4ac2138565c79bc518dab00567fe3983e255cac

Download Submit
C:\Windows\System\JhxahbY.exe

Filesize
5.2MB

MD5
22ba8e2b7f2d1e20e68a10ccbf5c43d9

SHA1
2f67828c6955908eee3da963a2767560004cc76d

SHA256
cc40b5a8ceb7a1c9b28d9d9417b0c906933f2eab91c3fe950ed73b943af04e25

SHA512
4fd0dd36e1e1516d9add61b6ba5d884a52ef41e5067630d048c4923987ee6f4db6c9642c27c1ebe83c2f4b631917778b8505b2d98c87cf2af91ffc71a3cfd12a

Download Submit
C:\Windows\System\OumDbet.exe

Filesize
5.2MB

MD5
bb559cad86beae32b7cf182a3d52f4d6

SHA1
32ed9f98e9d433c57a90ee46f5eec24eea9f0e90

SHA256
ebf7347040b1962013ff575e48e734f6e38ab01befb386ea7666e0d399bc73ec

SHA512
f908f8e9d43070b3a0239d4dcb87282a296cf623ccd4b18dd070166bb346f8672e5d1230600fa83875ad76b1862a796f584fd6a7645ec22a1d6b7021851cc510

Download Submit
C:\Windows\System\QDSxYbY.exe

Filesize
5.2MB

MD5
64ef7f48f4623ada73407841e0b90035

SHA1
fa1bbdb2416308c37c4d36522e93af62f2b63e45

SHA256
e77e6fc42b0b99d6a767b11b72a513f538902518d71efaebdfe585704989dce0

SHA512
c49e81ba36be74fced3e5430bf2e29e9ddc07246098147d27b6b1719d703b64ef195bf4f816d4e15c9ae28b880fb4938536eb0fc175df090da5ca79be041dc96

Download Submit
C:\Windows\System\SDrvQXk.exe

Filesize
5.2MB

MD5
7736f9451e6336d426580d1f498757a7

SHA1
5a82fb2d8e60c8595f843e522911fa078c125fd5

SHA256
bf519a1c287d8d8377a9b022d04e5f1658ca1b6ddc1741af35d2a3d33eb24286

SHA512
d67668ea5a2144e0797ea4ecf9c18e6afc5308d8b2fec70a6ad27824f119e20ac206d2a3a79187f18705ec49345d59a2a3e00c093db1a3091f0c8fd5118b6dbf

Download Submit
C:\Windows\System\UpEzYhr.exe

Filesize
5.2MB

MD5
8d9c65a1eef63c3bb5cebb63a0704033

SHA1
5c3d548972f03424ea064df4c5db965f78f9527b

SHA256
adf1bde23887dadde3cf76644d5079bd7ac0b159055f47578049b1b49e3dceb9

SHA512
8b4cc8c3f9797a23dad910e256a61e7c3d29669cec6cd6be9348fc143da4a295a25e1c36e059ccf68da73b130dbbc9d81c2a7a074249919765de0b774e1699c9

Download Submit
C:\Windows\System\XTGjHJL.exe

Filesize
5.2MB

MD5
0961ba5ba293785ed5c813addfa5ffec

SHA1
dc1c057789e12d06fc8002acaca69a0cb80d0181

SHA256
206909dc0a685c00feff5633e708b373541471c7c3517f0e3b1038d423c344dd

SHA512
fa210c0de6248d8babe5cac7cf7085cbcd25b0ee1fb46f0a4e52f8096a1a3287d8f06971979162c9558c636bdf8a1b58108d864188a4df13acc5206c73d74f96

Download Submit
C:\Windows\System\YJffSzX.exe

Filesize
5.2MB

MD5
5eb13bf3338e5469c474567f1c7b15d6

SHA1
748e0a13c676d4f24dfc32e66165c50e3223ce42

SHA256
9e36180823afcb7d26df375647589a9477d4f1b1c3a5ab8164f7641065b1a486

SHA512
b91aafc175ca830320000764f66a2789ca52e6dd73d4d18480bea89ae908a8548541ca002e965f28239ff98b296836771371e0ebaf155f20916ec170e95640b2

Download Submit
C:\Windows\System\ZAAtiNz.exe

Filesize
5.2MB

MD5
d85322f0934064830efbdd254a95c7e3

SHA1
e3db7827db807634b1cbcfd7a3bfb8c2c69c5db4

SHA256
ac53633dd95c3434a962dbd0ae3dc1aebb85d5a49e044386d161cd2b5652f555

SHA512
24de85ca8633d529b094a0eba17d5c0ea8809da91a3fdbd429f32cfb78a9e01acdb01941808a37b87586c7037e53b2266f0aff36e6f73fa76d6b9a44d661bdf0

Download Submit
C:\Windows\System\ZiOQwVD.exe

Filesize
5.2MB

MD5
da01daf342f023dda11f784593554a17

SHA1
4deeb8707db8583a63466094fb12ea7a83118513

SHA256
0a9504f7724df89d5320680c8fe8196e5de8eeee3e3048c1ff8662885c4f11af

SHA512
b7474fd10eeeb4fa02873f5dfafef00c196b9de65ab353bd6167ff3d0e93bad01a6b1ad40f42e0355a4e9cb74f52d1f0adeaedb945fe92e23f6c4a692ecdb462

Download Submit
C:\Windows\System\lMnZxVQ.exe

Filesize
5.2MB

MD5
89071d5b19405693071830961f1f8000

SHA1
eea606e16a3095e30685239cf1b031b1c2f875c9

SHA256
6b744b57029e1d4e74372febea2c5321453a85f6a3876bbd9f25e7bd7e7b57be

SHA512
ef5b9b1ecb28c26331b32e40a09c3deec01158a2709da79b4944336a185802be47f54bebe3c893855225dc4a03eed986c30388e62ccf841949e00feade068d26

Download Submit
C:\Windows\System\mIdcCVW.exe

Filesize
5.2MB

MD5
139895a4a90bdd5fb8626ad46e9992dd

SHA1
85d66bbb3608f47c9276a11c72ec32ee7ece9597

SHA256
e43cf83f12f96aecf710617de38e74ac525528271d24c8380871e846f170fe1d

SHA512
8edb9842cc127c68f479ea74018f06e1f177f323efe79320efe047e5927a727f93ccfb335c0514bad5f061cbe96f9ffd40d30fa936396019ab7b4d7bf64e4943

Download Submit
C:\Windows\System\nwdRroi.exe

Filesize
5.2MB

MD5
158cdb90a8382e46f1f38a071e460b99

SHA1
7fb0f6ef54b60967fb6790e5709cd2102e91849d

SHA256
d534af519d58f92a73e9d3897be11920a949878a2c84dd0cfa35c6b87d99c9cb

SHA512
b7a031713b90354121c029d9859a255ca4e952a98158343ebbe22b73035a7208fa8b5aa12eb5ff9f0efd73e596dc5f8a46aa302edac2f748bbfddb89b910d438

Download Submit
C:\Windows\System\odvfqZc.exe

Filesize
5.2MB

MD5
1eba37661a4dc6d0a363ff8e227a011c

SHA1
27a466403c518f1712b523a32fd1b87173beb0eb

SHA256
9371261c59f3035f1b19fa8e13928868c83ad673150a6eb310c7a9d724ada970

SHA512
c50df7bd91b401d4d8d4bebfda56e67d663166e593dd6aa700388d6932e718fed4929cd7c4fedda58f9591a851ba47befab87ae87762fe4e46b4b6783b513b18

Download Submit
C:\Windows\System\pHjurpn.exe

Filesize
5.2MB

MD5
af3217d5ba95ba5324c3b93991cf2617

SHA1
5eed22550992aa930608eacfb133672ad2212db1

SHA256
88fa8b039092ceadc1caf488cf0bb3e86ecfacdbd0425dcf5e1ac4244edd0370

SHA512
211a622370cdf531cd32f4964952fbe9258653629177e5c5b1c1f21d82e7225799403d19476ebecd8f43d71ec88215e1ec25b073be96632e824eae4fefea9386

Download Submit
C:\Windows\System\tRpYqgr.exe

Filesize
5.2MB

MD5
a4bd8ebca81223d19b36fe3ffea4c6d4

SHA1
01aeeb38b3c00eff7fd9104bf99601f6c992be7f

SHA256
4b558d92eb76862a0bf5149da78f8812184793bacd8b14b88a1a5e7b778e5ed6

SHA512
fd3b3bdc05fbeb2c98bdad93f3e51aeb021e0bb57f0c756f08a37725e5859794f52dda9e494b98f507467a7158950252f1fdbc6d1d77922c1017401ef5c61c5c

Download Submit
C:\Windows\System\tfivwQp.exe

Filesize
5.2MB

MD5
a1c2d2e39473e7a1ab0c30f1bf3ddb67

SHA1
8b416a3215a3cf69e4290ea3312b9b29bdcc0605

SHA256
7bf7c006c8a6210b4d62ea6c7c50a2eeebe8d75b1b6dadf1acb237f389ab4360

SHA512
8ba0a040c72306e3dbce63dc537b5a79a3824d3c7efdc462c9b0e0d95bcb655cdfb856f520f3e6d83fc027199fcc65284847b75406a4442b67e8cd0c7cb29be6

Download Submit
C:\Windows\System\uzUojmF.exe

Filesize
5.2MB

MD5
df4693c226724ea97fa17d2010c2de62

SHA1
7b06a3c3c045fa4ac22ed29ee1d63e5a98446c4c

SHA256
0b77bf236257e9817b582a7bc792e6e3020a85431310aa5d006c74ff3fbfefeb

SHA512
1559a705af4a5758750d8310643deb99eab4c156002ba3a28217b1ec485a5ae4326b7617390f83e1c2696d0925bb4398428de0f904120252b12747ccb942c2aa

Download Submit
C:\Windows\System\vAMYjko.exe

Filesize
5.2MB

MD5
dfe473fb351456f66ddd311f79b162d3

SHA1
d51c4f4075b821af40ffcd398adc677d1b593975

SHA256
014bde17121c593a122daeb93fdb320363b11114bda2e213c552f0584bce3de9

SHA512
6ac286952b396a61c1aab0f11dcfeb2b53965d6f11f69dd8a4bd59f768c672fed0e2147448767f34bed506980ccdd387c8cb6dac4f82b1ad718d1738b8f89f0c

Download Submit
memory/544-248-0x00007FF7E5670000-0x00007FF7E59C1000-memory.dmp

Filesize
3.3MB

Download
memory/544-84-0x00007FF7E5670000-0x00007FF7E59C1000-memory.dmp

Filesize
3.3MB

Download
memory/544-150-0x00007FF7E5670000-0x00007FF7E59C1000-memory.dmp

Filesize
3.3MB

Download
memory/1140-264-0x00007FF60ED50000-0x00007FF60F0A1000-memory.dmp

Filesize
3.3MB

Download
memory/1140-130-0x00007FF60ED50000-0x00007FF60F0A1000-memory.dmp

Filesize
3.3MB

Download
memory/1140-157-0x00007FF60ED50000-0x00007FF60F0A1000-memory.dmp

Filesize
3.3MB

Download
memory/1172-74-0x00007FF60E1F0000-0x00007FF60E541000-memory.dmp

Filesize
3.3MB

Download
memory/1172-234-0x00007FF60E1F0000-0x00007FF60E541000-memory.dmp

Filesize
3.3MB

Download
memory/1744-151-0x00007FF6E7600000-0x00007FF6E7951000-memory.dmp

Filesize
3.3MB

Download
memory/1744-85-0x00007FF6E7600000-0x00007FF6E7951000-memory.dmp

Filesize
3.3MB

Download
memory/1744-244-0x00007FF6E7600000-0x00007FF6E7951000-memory.dmp

Filesize
3.3MB

Download
memory/1792-47-0x00007FF794200000-0x00007FF794551000-memory.dmp

Filesize
3.3MB

Download
memory/1792-235-0x00007FF794200000-0x00007FF794551000-memory.dmp

Filesize
3.3MB

Download
memory/1792-125-0x00007FF794200000-0x00007FF794551000-memory.dmp

Filesize
3.3MB

Download
memory/2036-237-0x00007FF71E660000-0x00007FF71E9B1000-memory.dmp

Filesize
3.3MB

Download
memory/2036-68-0x00007FF71E660000-0x00007FF71E9B1000-memory.dmp

Filesize
3.3MB

Download
memory/2036-133-0x00007FF71E660000-0x00007FF71E9B1000-memory.dmp

Filesize
3.3MB

Download
memory/2332-246-0x00007FF723AB0000-0x00007FF723E01000-memory.dmp

Filesize
3.3MB

Download
memory/2332-90-0x00007FF723AB0000-0x00007FF723E01000-memory.dmp

Filesize
3.3MB

Download
memory/2332-152-0x00007FF723AB0000-0x00007FF723E01000-memory.dmp

Filesize
3.3MB

Download
memory/2372-98-0x00007FF7CFE20000-0x00007FF7D0171000-memory.dmp

Filesize
3.3MB

Download
memory/2372-256-0x00007FF7CFE20000-0x00007FF7D0171000-memory.dmp

Filesize
3.3MB

Download
memory/2464-134-0x00007FF6AE5B0000-0x00007FF6AE901000-memory.dmp

Filesize
3.3MB

Download
memory/2464-166-0x00007FF6AE5B0000-0x00007FF6AE901000-memory.dmp

Filesize
3.3MB

Download
memory/2464-267-0x00007FF6AE5B0000-0x00007FF6AE901000-memory.dmp

Filesize
3.3MB

Download
memory/2700-22-0x00007FF66EC80000-0x00007FF66EFD1000-memory.dmp

Filesize
3.3MB

Download
memory/2700-219-0x00007FF66EC80000-0x00007FF66EFD1000-memory.dmp

Filesize
3.3MB

Download
memory/2700-122-0x00007FF66EC80000-0x00007FF66EFD1000-memory.dmp

Filesize
3.3MB

Download
memory/3016-69-0x00007FF612D20000-0x00007FF613071000-memory.dmp

Filesize
3.3MB

Download
memory/3016-229-0x00007FF612D20000-0x00007FF613071000-memory.dmp

Filesize
3.3MB

Download
memory/3384-137-0x00007FF7E7240000-0x00007FF7E7591000-memory.dmp

Filesize
3.3MB

Download
memory/3384-105-0x00007FF7E7240000-0x00007FF7E7591000-memory.dmp

Filesize
3.3MB

Download
memory/3384-0-0x00007FF7E7240000-0x00007FF7E7591000-memory.dmp

Filesize
3.3MB

Download
memory/3384-158-0x00007FF7E7240000-0x00007FF7E7591000-memory.dmp

Filesize
3.3MB

Download
memory/3384-1-0x000002AA36810000-0x000002AA36820000-memory.dmp

Filesize
64KB

Download
memory/3668-57-0x00007FF7D1080000-0x00007FF7D13D1000-memory.dmp

Filesize
3.3MB

Download
memory/3668-132-0x00007FF7D1080000-0x00007FF7D13D1000-memory.dmp

Filesize
3.3MB

Download
memory/3668-231-0x00007FF7D1080000-0x00007FF7D13D1000-memory.dmp

Filesize
3.3MB

Download
memory/3932-239-0x00007FF6CE820000-0x00007FF6CEB71000-memory.dmp

Filesize
3.3MB

Download
memory/3932-124-0x00007FF6CE820000-0x00007FF6CEB71000-memory.dmp

Filesize
3.3MB

Download
memory/3932-37-0x00007FF6CE820000-0x00007FF6CEB71000-memory.dmp

Filesize
3.3MB

Download
memory/4392-107-0x00007FF7C6A80000-0x00007FF7C6DD1000-memory.dmp

Filesize
3.3MB

Download
memory/4392-258-0x00007FF7C6A80000-0x00007FF7C6DD1000-memory.dmp

Filesize
3.3MB

Download
memory/4424-33-0x00007FF77D5C0000-0x00007FF77D911000-memory.dmp

Filesize
3.3MB

Download
memory/4424-221-0x00007FF77D5C0000-0x00007FF77D911000-memory.dmp

Filesize
3.3MB

Download
memory/4424-123-0x00007FF77D5C0000-0x00007FF77D911000-memory.dmp

Filesize
3.3MB

Download
memory/4484-110-0x00007FF797B40000-0x00007FF797E91000-memory.dmp

Filesize
3.3MB

Download
memory/4484-19-0x00007FF797B40000-0x00007FF797E91000-memory.dmp

Filesize
3.3MB

Download
memory/4484-217-0x00007FF797B40000-0x00007FF797E91000-memory.dmp

Filesize
3.3MB

Download
memory/4664-73-0x00007FF69E550000-0x00007FF69E8A1000-memory.dmp

Filesize
3.3MB

Download
memory/4664-149-0x00007FF69E550000-0x00007FF69E8A1000-memory.dmp

Filesize
3.3MB

Download
memory/4664-249-0x00007FF69E550000-0x00007FF69E8A1000-memory.dmp

Filesize
3.3MB

Download
memory/4864-260-0x00007FF60CDC0000-0x00007FF60D111000-memory.dmp

Filesize
3.3MB

Download
memory/4864-155-0x00007FF60CDC0000-0x00007FF60D111000-memory.dmp

Filesize
3.3MB

Download
memory/4864-114-0x00007FF60CDC0000-0x00007FF60D111000-memory.dmp

Filesize
3.3MB

Download
memory/4980-109-0x00007FF70E480000-0x00007FF70E7D1000-memory.dmp

Filesize
3.3MB

Download
memory/4980-8-0x00007FF70E480000-0x00007FF70E7D1000-memory.dmp

Filesize
3.3MB

Download
memory/4980-215-0x00007FF70E480000-0x00007FF70E7D1000-memory.dmp

Filesize
3.3MB

Download
memory/4984-82-0x00007FF66A3D0000-0x00007FF66A721000-memory.dmp

Filesize
3.3MB

Download
memory/4984-241-0x00007FF66A3D0000-0x00007FF66A721000-memory.dmp

Filesize
3.3MB

Download
memory/4988-156-0x00007FF72FCE0000-0x00007FF730031000-memory.dmp

Filesize
3.3MB

Download
memory/4988-262-0x00007FF72FCE0000-0x00007FF730031000-memory.dmp

Filesize
3.3MB

Download
memory/4988-119-0x00007FF72FCE0000-0x00007FF730031000-memory.dmp

Filesize
3.3MB

Download