cobaltstrike | 909d072db72e4bcc9706045ed104d92bcdf3e132eb73ca31e368cf6cea308882

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-12-2024 13:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-17_3c6d0ac862aba1f42aa7ff2ec684a44a_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

3c6d0ac862aba1f42aa7ff2ec684a44a
SHA1

e85bb023dd2526b2e8f5e5e2384e49dfad82bcbb
SHA256

909d072db72e4bcc9706045ed104d92bcdf3e132eb73ca31e368cf6cea308882
SHA512

903f36ecd511a8a333afc9ca464c87137d23eb1a7247cadb53340eb53f3c66e8464a1601c6e6d9985fd0ef3a4030eb6d4d7763e5c86296b210af269af24b4a1e
SSDEEP

49152:ROdWCCi7/raN56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lW:RWWBib+56utgpPFotBER/mQ32lUS

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000c000000023b5b-5.dat	cobalt_reflective_dll
behavioral2/files/0x000e000000023bd7-14.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023bd3-22.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bdd-34.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c0f-53.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bdc-50.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bde-45.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c0e-68.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c13-78.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023bcc-98.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c19-102.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c18-96.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c11-85.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c12-82.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c10-74.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bdf-61.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bd9-40.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c1a-116.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c2c-124.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c33-136.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c32-133.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/1896-104-0x00007FF6EF420000-0x00007FF6EF771000-memory.dmp	xmrig
behavioral2/memory/2380-101-0x00007FF6E0F30000-0x00007FF6E1281000-memory.dmp	xmrig
behavioral2/memory/3044-100-0x00007FF63D190000-0x00007FF63D4E1000-memory.dmp	xmrig
behavioral2/memory/1600-91-0x00007FF7EEAD0000-0x00007FF7EEE21000-memory.dmp	xmrig
behavioral2/memory/4420-79-0x00007FF744AD0000-0x00007FF744E21000-memory.dmp	xmrig
behavioral2/memory/1840-105-0x00007FF729FD0000-0x00007FF72A321000-memory.dmp	xmrig
behavioral2/memory/3304-131-0x00007FF717490000-0x00007FF7177E1000-memory.dmp	xmrig
behavioral2/memory/4076-134-0x00007FF619B10000-0x00007FF619E61000-memory.dmp	xmrig
behavioral2/memory/512-122-0x00007FF7BDD00000-0x00007FF7BE051000-memory.dmp	xmrig
behavioral2/memory/808-115-0x00007FF6A5790000-0x00007FF6A5AE1000-memory.dmp	xmrig
behavioral2/memory/2952-113-0x00007FF7959C0000-0x00007FF795D11000-memory.dmp	xmrig
behavioral2/memory/2236-112-0x00007FF7C93B0000-0x00007FF7C9701000-memory.dmp	xmrig
behavioral2/memory/2392-111-0x00007FF7C1FB0000-0x00007FF7C2301000-memory.dmp	xmrig
behavioral2/memory/1952-110-0x00007FF6D3BF0000-0x00007FF6D3F41000-memory.dmp	xmrig
behavioral2/memory/2800-108-0x00007FF7862F0000-0x00007FF786641000-memory.dmp	xmrig
behavioral2/memory/3224-107-0x00007FF786020000-0x00007FF786371000-memory.dmp	xmrig
behavioral2/memory/2712-114-0x00007FF7A5AA0000-0x00007FF7A5DF1000-memory.dmp	xmrig
behavioral2/memory/4028-143-0x00007FF6403A0000-0x00007FF6406F1000-memory.dmp	xmrig
behavioral2/memory/4680-145-0x00007FF671E70000-0x00007FF6721C1000-memory.dmp	xmrig
behavioral2/memory/984-139-0x00007FF77A790000-0x00007FF77AAE1000-memory.dmp	xmrig
behavioral2/memory/320-146-0x00007FF70CA30000-0x00007FF70CD81000-memory.dmp	xmrig
behavioral2/memory/1840-147-0x00007FF729FD0000-0x00007FF72A321000-memory.dmp	xmrig
behavioral2/memory/880-167-0x00007FF75E780000-0x00007FF75EAD1000-memory.dmp	xmrig
behavioral2/memory/1840-169-0x00007FF729FD0000-0x00007FF72A321000-memory.dmp	xmrig
behavioral2/memory/3224-205-0x00007FF786020000-0x00007FF786371000-memory.dmp	xmrig
behavioral2/memory/2800-207-0x00007FF7862F0000-0x00007FF786641000-memory.dmp	xmrig
behavioral2/memory/1952-209-0x00007FF6D3BF0000-0x00007FF6D3F41000-memory.dmp	xmrig
behavioral2/memory/2392-220-0x00007FF7C1FB0000-0x00007FF7C2301000-memory.dmp	xmrig
behavioral2/memory/2952-222-0x00007FF7959C0000-0x00007FF795D11000-memory.dmp	xmrig
behavioral2/memory/2712-225-0x00007FF7A5AA0000-0x00007FF7A5DF1000-memory.dmp	xmrig
behavioral2/memory/2236-226-0x00007FF7C93B0000-0x00007FF7C9701000-memory.dmp	xmrig
behavioral2/memory/808-228-0x00007FF6A5790000-0x00007FF6A5AE1000-memory.dmp	xmrig
behavioral2/memory/4420-242-0x00007FF744AD0000-0x00007FF744E21000-memory.dmp	xmrig
behavioral2/memory/3304-240-0x00007FF717490000-0x00007FF7177E1000-memory.dmp	xmrig
behavioral2/memory/512-244-0x00007FF7BDD00000-0x00007FF7BE051000-memory.dmp	xmrig
behavioral2/memory/1896-246-0x00007FF6EF420000-0x00007FF6EF771000-memory.dmp	xmrig
behavioral2/memory/1600-239-0x00007FF7EEAD0000-0x00007FF7EEE21000-memory.dmp	xmrig
behavioral2/memory/984-236-0x00007FF77A790000-0x00007FF77AAE1000-memory.dmp	xmrig
behavioral2/memory/3044-235-0x00007FF63D190000-0x00007FF63D4E1000-memory.dmp	xmrig
behavioral2/memory/2380-232-0x00007FF6E0F30000-0x00007FF6E1281000-memory.dmp	xmrig
behavioral2/memory/4028-231-0x00007FF6403A0000-0x00007FF6406F1000-memory.dmp	xmrig
behavioral2/memory/4076-252-0x00007FF619B10000-0x00007FF619E61000-memory.dmp	xmrig
behavioral2/memory/4680-254-0x00007FF671E70000-0x00007FF6721C1000-memory.dmp	xmrig
behavioral2/memory/880-256-0x00007FF75E780000-0x00007FF75EAD1000-memory.dmp	xmrig
behavioral2/memory/320-258-0x00007FF70CA30000-0x00007FF70CD81000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
3224	yYrjrQS.exe
2800	PZgnrLR.exe
1952	BMrKYTF.exe
2392	ZqdcYKh.exe
2236	vgFFqnV.exe
2712	SgrEoHF.exe
2952	VOAtHuP.exe
808	znwjhsH.exe
4420	rftoFAz.exe
512	gNvALRM.exe
3304	iLwHsdQ.exe
984	FCCGEBt.exe
1600	znvAYHs.exe
3044	CYabTWh.exe
2380	rDYCtTu.exe
4028	eeKKMyp.exe
1896	IWIKXhK.exe
4680	DfvVHED.exe
4076	XJkAPFq.exe
880	JqujZJx.exe
320	pDOjGUN.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1840-0-0x00007FF729FD0000-0x00007FF72A321000-memory.dmp	upx
behavioral2/files/0x000c000000023b5b-5.dat	upx
behavioral2/memory/3224-6-0x00007FF786020000-0x00007FF786371000-memory.dmp	upx
behavioral2/files/0x000e000000023bd7-14.dat	upx
behavioral2/memory/2800-17-0x00007FF7862F0000-0x00007FF786641000-memory.dmp	upx
behavioral2/files/0x0009000000023bd3-22.dat	upx
behavioral2/memory/1952-28-0x00007FF6D3BF0000-0x00007FF6D3F41000-memory.dmp	upx
behavioral2/files/0x0008000000023bdd-34.dat	upx
behavioral2/files/0x0008000000023c0f-53.dat	upx
behavioral2/files/0x0008000000023bdc-50.dat	upx
behavioral2/memory/2952-47-0x00007FF7959C0000-0x00007FF795D11000-memory.dmp	upx
behavioral2/files/0x0008000000023bde-45.dat	upx
behavioral2/memory/512-64-0x00007FF7BDD00000-0x00007FF7BE051000-memory.dmp	upx
behavioral2/files/0x0008000000023c0e-68.dat	upx
behavioral2/files/0x0008000000023c13-78.dat	upx
behavioral2/files/0x0009000000023bcc-98.dat	upx
behavioral2/memory/1896-104-0x00007FF6EF420000-0x00007FF6EF771000-memory.dmp	upx
behavioral2/files/0x0008000000023c19-102.dat	upx
behavioral2/memory/2380-101-0x00007FF6E0F30000-0x00007FF6E1281000-memory.dmp	upx
behavioral2/memory/3044-100-0x00007FF63D190000-0x00007FF63D4E1000-memory.dmp	upx
behavioral2/files/0x0008000000023c18-96.dat	upx
behavioral2/memory/4028-95-0x00007FF6403A0000-0x00007FF6406F1000-memory.dmp	upx
behavioral2/memory/1600-91-0x00007FF7EEAD0000-0x00007FF7EEE21000-memory.dmp	upx
behavioral2/files/0x0008000000023c11-85.dat	upx
behavioral2/memory/984-84-0x00007FF77A790000-0x00007FF77AAE1000-memory.dmp	upx
behavioral2/files/0x0008000000023c12-82.dat	upx
behavioral2/memory/4420-79-0x00007FF744AD0000-0x00007FF744E21000-memory.dmp	upx
behavioral2/memory/3304-71-0x00007FF717490000-0x00007FF7177E1000-memory.dmp	upx
behavioral2/files/0x0008000000023c10-74.dat	upx
behavioral2/files/0x0008000000023bdf-61.dat	upx
behavioral2/memory/808-58-0x00007FF6A5790000-0x00007FF6A5AE1000-memory.dmp	upx
behavioral2/memory/2712-57-0x00007FF7A5AA0000-0x00007FF7A5DF1000-memory.dmp	upx
behavioral2/memory/2392-36-0x00007FF7C1FB0000-0x00007FF7C2301000-memory.dmp	upx
behavioral2/files/0x0008000000023bd9-40.dat	upx
behavioral2/memory/2236-31-0x00007FF7C93B0000-0x00007FF7C9701000-memory.dmp	upx
behavioral2/memory/1840-105-0x00007FF729FD0000-0x00007FF72A321000-memory.dmp	upx
behavioral2/files/0x0008000000023c1a-116.dat	upx
behavioral2/files/0x0008000000023c2c-124.dat	upx
behavioral2/memory/3304-131-0x00007FF717490000-0x00007FF7177E1000-memory.dmp	upx
behavioral2/memory/4076-134-0x00007FF619B10000-0x00007FF619E61000-memory.dmp	upx
behavioral2/memory/880-137-0x00007FF75E780000-0x00007FF75EAD1000-memory.dmp	upx
behavioral2/files/0x0008000000023c33-136.dat	upx
behavioral2/files/0x0008000000023c32-133.dat	upx
behavioral2/memory/4680-123-0x00007FF671E70000-0x00007FF6721C1000-memory.dmp	upx
behavioral2/memory/512-122-0x00007FF7BDD00000-0x00007FF7BE051000-memory.dmp	upx
behavioral2/memory/808-115-0x00007FF6A5790000-0x00007FF6A5AE1000-memory.dmp	upx
behavioral2/memory/2952-113-0x00007FF7959C0000-0x00007FF795D11000-memory.dmp	upx
behavioral2/memory/2236-112-0x00007FF7C93B0000-0x00007FF7C9701000-memory.dmp	upx
behavioral2/memory/2392-111-0x00007FF7C1FB0000-0x00007FF7C2301000-memory.dmp	upx
behavioral2/memory/1952-110-0x00007FF6D3BF0000-0x00007FF6D3F41000-memory.dmp	upx
behavioral2/memory/2800-108-0x00007FF7862F0000-0x00007FF786641000-memory.dmp	upx
behavioral2/memory/3224-107-0x00007FF786020000-0x00007FF786371000-memory.dmp	upx
behavioral2/memory/2712-114-0x00007FF7A5AA0000-0x00007FF7A5DF1000-memory.dmp	upx
behavioral2/memory/4028-143-0x00007FF6403A0000-0x00007FF6406F1000-memory.dmp	upx
behavioral2/memory/4680-145-0x00007FF671E70000-0x00007FF6721C1000-memory.dmp	upx
behavioral2/memory/984-139-0x00007FF77A790000-0x00007FF77AAE1000-memory.dmp	upx
behavioral2/memory/320-146-0x00007FF70CA30000-0x00007FF70CD81000-memory.dmp	upx
behavioral2/memory/1840-147-0x00007FF729FD0000-0x00007FF72A321000-memory.dmp	upx
behavioral2/memory/880-167-0x00007FF75E780000-0x00007FF75EAD1000-memory.dmp	upx
behavioral2/memory/1840-169-0x00007FF729FD0000-0x00007FF72A321000-memory.dmp	upx
behavioral2/memory/3224-205-0x00007FF786020000-0x00007FF786371000-memory.dmp	upx
behavioral2/memory/2800-207-0x00007FF7862F0000-0x00007FF786641000-memory.dmp	upx
behavioral2/memory/1952-209-0x00007FF6D3BF0000-0x00007FF6D3F41000-memory.dmp	upx
behavioral2/memory/2392-220-0x00007FF7C1FB0000-0x00007FF7C2301000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\SgrEoHF.exe	2024-12-17_3c6d0ac862aba1f42aa7ff2ec684a44a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\znwjhsH.exe	2024-12-17_3c6d0ac862aba1f42aa7ff2ec684a44a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DfvVHED.exe	2024-12-17_3c6d0ac862aba1f42aa7ff2ec684a44a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pDOjGUN.exe	2024-12-17_3c6d0ac862aba1f42aa7ff2ec684a44a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JqujZJx.exe	2024-12-17_3c6d0ac862aba1f42aa7ff2ec684a44a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BMrKYTF.exe	2024-12-17_3c6d0ac862aba1f42aa7ff2ec684a44a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rDYCtTu.exe	2024-12-17_3c6d0ac862aba1f42aa7ff2ec684a44a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eeKKMyp.exe	2024-12-17_3c6d0ac862aba1f42aa7ff2ec684a44a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IWIKXhK.exe	2024-12-17_3c6d0ac862aba1f42aa7ff2ec684a44a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XJkAPFq.exe	2024-12-17_3c6d0ac862aba1f42aa7ff2ec684a44a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\znvAYHs.exe	2024-12-17_3c6d0ac862aba1f42aa7ff2ec684a44a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CYabTWh.exe	2024-12-17_3c6d0ac862aba1f42aa7ff2ec684a44a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VOAtHuP.exe	2024-12-17_3c6d0ac862aba1f42aa7ff2ec684a44a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gNvALRM.exe	2024-12-17_3c6d0ac862aba1f42aa7ff2ec684a44a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rftoFAz.exe	2024-12-17_3c6d0ac862aba1f42aa7ff2ec684a44a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iLwHsdQ.exe	2024-12-17_3c6d0ac862aba1f42aa7ff2ec684a44a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FCCGEBt.exe	2024-12-17_3c6d0ac862aba1f42aa7ff2ec684a44a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yYrjrQS.exe	2024-12-17_3c6d0ac862aba1f42aa7ff2ec684a44a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PZgnrLR.exe	2024-12-17_3c6d0ac862aba1f42aa7ff2ec684a44a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZqdcYKh.exe	2024-12-17_3c6d0ac862aba1f42aa7ff2ec684a44a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vgFFqnV.exe	2024-12-17_3c6d0ac862aba1f42aa7ff2ec684a44a_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1840	2024-12-17_3c6d0ac862aba1f42aa7ff2ec684a44a_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	1840	2024-12-17_3c6d0ac862aba1f42aa7ff2ec684a44a_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1840 wrote to memory of 3224	1840	2024-12-17_3c6d0ac862aba1f42aa7ff2ec684a44a_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 1840 wrote to memory of 3224	1840	2024-12-17_3c6d0ac862aba1f42aa7ff2ec684a44a_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 1840 wrote to memory of 2800	1840	2024-12-17_3c6d0ac862aba1f42aa7ff2ec684a44a_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 1840 wrote to memory of 2800	1840	2024-12-17_3c6d0ac862aba1f42aa7ff2ec684a44a_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 1840 wrote to memory of 1952	1840	2024-12-17_3c6d0ac862aba1f42aa7ff2ec684a44a_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 1840 wrote to memory of 1952	1840	2024-12-17_3c6d0ac862aba1f42aa7ff2ec684a44a_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 1840 wrote to memory of 2392	1840	2024-12-17_3c6d0ac862aba1f42aa7ff2ec684a44a_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 1840 wrote to memory of 2392	1840	2024-12-17_3c6d0ac862aba1f42aa7ff2ec684a44a_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 1840 wrote to memory of 2236	1840	2024-12-17_3c6d0ac862aba1f42aa7ff2ec684a44a_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 1840 wrote to memory of 2236	1840	2024-12-17_3c6d0ac862aba1f42aa7ff2ec684a44a_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 1840 wrote to memory of 2952	1840	2024-12-17_3c6d0ac862aba1f42aa7ff2ec684a44a_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 1840 wrote to memory of 2952	1840	2024-12-17_3c6d0ac862aba1f42aa7ff2ec684a44a_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 1840 wrote to memory of 2712	1840	2024-12-17_3c6d0ac862aba1f42aa7ff2ec684a44a_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 1840 wrote to memory of 2712	1840	2024-12-17_3c6d0ac862aba1f42aa7ff2ec684a44a_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 1840 wrote to memory of 808	1840	2024-12-17_3c6d0ac862aba1f42aa7ff2ec684a44a_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1840 wrote to memory of 808	1840	2024-12-17_3c6d0ac862aba1f42aa7ff2ec684a44a_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1840 wrote to memory of 512	1840	2024-12-17_3c6d0ac862aba1f42aa7ff2ec684a44a_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1840 wrote to memory of 512	1840	2024-12-17_3c6d0ac862aba1f42aa7ff2ec684a44a_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1840 wrote to memory of 4420	1840	2024-12-17_3c6d0ac862aba1f42aa7ff2ec684a44a_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1840 wrote to memory of 4420	1840	2024-12-17_3c6d0ac862aba1f42aa7ff2ec684a44a_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1840 wrote to memory of 3304	1840	2024-12-17_3c6d0ac862aba1f42aa7ff2ec684a44a_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1840 wrote to memory of 3304	1840	2024-12-17_3c6d0ac862aba1f42aa7ff2ec684a44a_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1840 wrote to memory of 984	1840	2024-12-17_3c6d0ac862aba1f42aa7ff2ec684a44a_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 1840 wrote to memory of 984	1840	2024-12-17_3c6d0ac862aba1f42aa7ff2ec684a44a_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 1840 wrote to memory of 1600	1840	2024-12-17_3c6d0ac862aba1f42aa7ff2ec684a44a_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1840 wrote to memory of 1600	1840	2024-12-17_3c6d0ac862aba1f42aa7ff2ec684a44a_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1840 wrote to memory of 3044	1840	2024-12-17_3c6d0ac862aba1f42aa7ff2ec684a44a_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1840 wrote to memory of 3044	1840	2024-12-17_3c6d0ac862aba1f42aa7ff2ec684a44a_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1840 wrote to memory of 2380	1840	2024-12-17_3c6d0ac862aba1f42aa7ff2ec684a44a_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 1840 wrote to memory of 2380	1840	2024-12-17_3c6d0ac862aba1f42aa7ff2ec684a44a_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 1840 wrote to memory of 4028	1840	2024-12-17_3c6d0ac862aba1f42aa7ff2ec684a44a_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1840 wrote to memory of 4028	1840	2024-12-17_3c6d0ac862aba1f42aa7ff2ec684a44a_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1840 wrote to memory of 1896	1840	2024-12-17_3c6d0ac862aba1f42aa7ff2ec684a44a_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1840 wrote to memory of 1896	1840	2024-12-17_3c6d0ac862aba1f42aa7ff2ec684a44a_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1840 wrote to memory of 4680	1840	2024-12-17_3c6d0ac862aba1f42aa7ff2ec684a44a_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1840 wrote to memory of 4680	1840	2024-12-17_3c6d0ac862aba1f42aa7ff2ec684a44a_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1840 wrote to memory of 4076	1840	2024-12-17_3c6d0ac862aba1f42aa7ff2ec684a44a_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1840 wrote to memory of 4076	1840	2024-12-17_3c6d0ac862aba1f42aa7ff2ec684a44a_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1840 wrote to memory of 880	1840	2024-12-17_3c6d0ac862aba1f42aa7ff2ec684a44a_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1840 wrote to memory of 880	1840	2024-12-17_3c6d0ac862aba1f42aa7ff2ec684a44a_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1840 wrote to memory of 320	1840	2024-12-17_3c6d0ac862aba1f42aa7ff2ec684a44a_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 1840 wrote to memory of 320	1840	2024-12-17_3c6d0ac862aba1f42aa7ff2ec684a44a_cobalt-strike_cobaltstrike_poet-rat.exe	103

C:\Users\Admin\AppData\Local\Temp\2024-12-17_3c6d0ac862aba1f42aa7ff2ec684a44a_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-17_3c6d0ac862aba1f42aa7ff2ec684a44a_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1840
- C:\Windows\System\yYrjrQS.exe
  C:\Windows\System\yYrjrQS.exe
  2⤵
  - Executes dropped EXE
  PID:3224
- C:\Windows\System\PZgnrLR.exe
  C:\Windows\System\PZgnrLR.exe
  2⤵
  - Executes dropped EXE
  PID:2800
- C:\Windows\System\BMrKYTF.exe
  C:\Windows\System\BMrKYTF.exe
  2⤵
  - Executes dropped EXE
  PID:1952
- C:\Windows\System\ZqdcYKh.exe
  C:\Windows\System\ZqdcYKh.exe
  2⤵
  - Executes dropped EXE
  PID:2392
- C:\Windows\System\vgFFqnV.exe
  C:\Windows\System\vgFFqnV.exe
  2⤵
  - Executes dropped EXE
  PID:2236
- C:\Windows\System\VOAtHuP.exe
  C:\Windows\System\VOAtHuP.exe
  2⤵
  - Executes dropped EXE
  PID:2952
- C:\Windows\System\SgrEoHF.exe
  C:\Windows\System\SgrEoHF.exe
  2⤵
  - Executes dropped EXE
  PID:2712
- C:\Windows\System\znwjhsH.exe
  C:\Windows\System\znwjhsH.exe
  2⤵
  - Executes dropped EXE
  PID:808
- C:\Windows\System\gNvALRM.exe
  C:\Windows\System\gNvALRM.exe
  2⤵
  - Executes dropped EXE
  PID:512
- C:\Windows\System\rftoFAz.exe
  C:\Windows\System\rftoFAz.exe
  2⤵
  - Executes dropped EXE
  PID:4420
- C:\Windows\System\iLwHsdQ.exe
  C:\Windows\System\iLwHsdQ.exe
  2⤵
  - Executes dropped EXE
  PID:3304
- C:\Windows\System\FCCGEBt.exe
  C:\Windows\System\FCCGEBt.exe
  2⤵
  - Executes dropped EXE
  PID:984
- C:\Windows\System\znvAYHs.exe
  C:\Windows\System\znvAYHs.exe
  2⤵
  - Executes dropped EXE
  PID:1600
- C:\Windows\System\CYabTWh.exe
  C:\Windows\System\CYabTWh.exe
  2⤵
  - Executes dropped EXE
  PID:3044
- C:\Windows\System\rDYCtTu.exe
  C:\Windows\System\rDYCtTu.exe
  2⤵
  - Executes dropped EXE
  PID:2380
- C:\Windows\System\eeKKMyp.exe
  C:\Windows\System\eeKKMyp.exe
  2⤵
  - Executes dropped EXE
  PID:4028
- C:\Windows\System\IWIKXhK.exe
  C:\Windows\System\IWIKXhK.exe
  2⤵
  - Executes dropped EXE
  PID:1896
- C:\Windows\System\DfvVHED.exe
  C:\Windows\System\DfvVHED.exe
  2⤵
  - Executes dropped EXE
  PID:4680
- C:\Windows\System\XJkAPFq.exe
  C:\Windows\System\XJkAPFq.exe
  2⤵
  - Executes dropped EXE
  PID:4076
- C:\Windows\System\JqujZJx.exe
  C:\Windows\System\JqujZJx.exe
  2⤵
  - Executes dropped EXE
  PID:880
- C:\Windows\System\pDOjGUN.exe
  C:\Windows\System\pDOjGUN.exe
  2⤵
  - Executes dropped EXE
  PID:320

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BMrKYTF.exe

Filesize
5.2MB

MD5
e554d70d01d3a1cc0b9fe28f86630c2c

SHA1
8fc07825dfa9c4a49c991ae2f9125d1ef1952bf8

SHA256
0695b011b4998a34a22f7440100330df7bfdf8cfe11529c69f50c865e329d2ab

SHA512
6a0132e5ee2ee27b4ebb54e7d57c5231fb5a8d4a14d39ea92e69ef653169167029ca96aabf3c074d25f2d888c5869297810dc30932848b6bcbe2070044c537c4

Download Submit
C:\Windows\System\CYabTWh.exe

Filesize
5.2MB

MD5
bad96307f6cae437eab812d2f03a5669

SHA1
051d20817cff8a047412e397e4af2e4c2ec5c043

SHA256
297b41327fd6c77fc71132b456c9dc2a5dd069b55f14709227560606a0ce1873

SHA512
eaff58923a879da135b9519b1d89393026a49f5d33096ef131149c47bf32e676ef89ec5575e35bbb0f185906613b9c2c391e315f7b4bec2fbab5cad76131bb7c

Download Submit
C:\Windows\System\DfvVHED.exe

Filesize
5.2MB

MD5
d37dd6d6196eb550250085d4bec0dad2

SHA1
779dde926b0e31f77bde0644ebdbe2c4514bbc57

SHA256
d27c0d6be6175e667f10e0eb5cac57b4ba4ad0b07c5cd6c25a2477faab543fe5

SHA512
ac07e20cea62c7aa1a8fe9591b0dfe4144a6c312ce7b71597c6636fd4344b0fb76afdb3697196f10cfcc1cbd57f4d3120e214b969f5f5a55182b1860ee553968

Download Submit
C:\Windows\System\FCCGEBt.exe

Filesize
5.2MB

MD5
9d691986e28907ac58456338eda024e7

SHA1
a44aa026bb571a810aa29aeae0e410d1bc3ba082

SHA256
ef808fe61e664dcd94b4aef5d968151d6df560470403c33388a95210f716c2ef

SHA512
119462e2fa3db6ba5b0a401125738f981a67972820fad60c0d82ad2b7a152469903727405b3018522df1ce4f8b01515357b691ade6e52aa491e661817cbe8db7

Download Submit
C:\Windows\System\IWIKXhK.exe

Filesize
5.2MB

MD5
b13285860dd946c1dc7366902299487a

SHA1
8202ecd5768948167e2e04de3749ab54812c2bb2

SHA256
5c222e38e03162ab1628973a1fe5ebc78032252b5fb53d637f86f30617f1abf1

SHA512
4a89b3c40c7178d5ac2b7dec07c2a64daf5cd3e7cb5ab5cd65b2551cb5e70847eb77c08c33bc650cc94f74e64686135476427556f1420627a6800be7b13befc0

Download Submit
C:\Windows\System\JqujZJx.exe

Filesize
5.2MB

MD5
885e1ab9453a3c1d2878cbe141187a17

SHA1
28e64d2d032f330e5a680e2ac60770626be2f667

SHA256
7a61e6c40682c5f03014371c9770d51cb17b85d4c15e8cf78a9846b5a6735a1c

SHA512
18f3c7a45347223c2ae7e80ca181577552b5447cdad286976901a75c70ea3a76dbdbb112fedc9ed1eb29d45c8bcefda97aa105ec3f3c774a161e8a1128a0e03c

Download Submit
C:\Windows\System\PZgnrLR.exe

Filesize
5.2MB

MD5
b356fd3f6bc5d9e7086440386b9e537b

SHA1
9c7047288a925963ab8b12f78f55923611ec419c

SHA256
42fb0a5dae3b12d06b61b82b8f451ffaa2c9a456a773e4bd0dc2f30ee9746e36

SHA512
718991564f51c2df7ba096c6213706fee5e4d839951674e07badd7a3cc1332ee1a27dbe298959ea9a34683babf1e045f190c8b76e338e325a8ae58ddcd368a56

Download Submit
C:\Windows\System\SgrEoHF.exe

Filesize
5.2MB

MD5
6586c6bf0b0b6907024526103ff6eec0

SHA1
2a759d2e938ffdff9e5b5e611f42dea7b1a10456

SHA256
b93473bcc65b92581b869f76d444ab0b0f7e348878cd170a9ae17b27bb6963a9

SHA512
10d7f1a67bc8497db495430913fedade9ce50f0f91f01e368845cda0de57c734b0d33b9a7ef7dc8408d77376445a0a0eb9c34a0e67f56bde2c6e82d24924e9ae

Download Submit
C:\Windows\System\VOAtHuP.exe

Filesize
5.2MB

MD5
54239710a8c24a9d6eda15a718d8e59a

SHA1
da1083d3a7bb70e9660ad0f4862511ff36a1eb69

SHA256
57e92526d7994b290cd50f8c98264d1f3ffd9b5282c44fa40e18c322d407a8ec

SHA512
44244f074478ef2b340da0f265aa84f9878664e3e4e0b4af4d8e5c1af2a1584990bdfbd74b5de52a275311228592b8df05996f93d408432763864ec5755ca173

Download Submit
C:\Windows\System\XJkAPFq.exe

Filesize
5.2MB

MD5
dc6120f59ea7710d98f67d007326ee2f

SHA1
fd39c28599c2a69c4e62158bf5da0e595c941803

SHA256
359a705d360f0d2b6eb3ecfee6bd137f28625b7e1c47a28fad1e6a9ff4dd5ce6

SHA512
d30aa6ee4954e607a6cd89f1ffc8848f78f021d1afaf3483f1b7070f5379b2c2d9ac14925fe42ad3517f4df3007ee8190b9b31815c3c47ef8883fc5da73dfa82

Download Submit
C:\Windows\System\ZqdcYKh.exe

Filesize
5.2MB

MD5
b15d218757e75e40d74a39d229aec163

SHA1
748db469ca836a8b6463c26d524e3fe894ad9784

SHA256
2bc1bd5161c22ffa5137cf2c7643ddacf766a8faddd1ba87c55845079b733639

SHA512
8769950c06ad1ab32d2e726566005ada711b775083f02c4a6ab03067fd930079b28915f5b32d69ba87f7f3193d6b88ab2129442af5c185773345322a751a8996

Download Submit
C:\Windows\System\eeKKMyp.exe

Filesize
5.2MB

MD5
4a63ff4eb75d7158f0e643027fbca123

SHA1
a64c82a6a8141a3fb3120bca68cfe9974ebc716b

SHA256
81290349351764de322394c0e9f971bc191a2212a9c937a833732f440ffa7e91

SHA512
24284d6f967c219ae87938cecf79b354172694acb1084b84491cb027b8fa1d1db70a94028e078524a177015871edb115564974cf187213a13ac35acca88ec742

Download Submit
C:\Windows\System\gNvALRM.exe

Filesize
5.2MB

MD5
a09b6c1ad1c9fe52c1e64583ffe6f08b

SHA1
255b1486bf33afba16929b7494bc11249e3fef66

SHA256
397b0eb3b73ea2e915925c4434ebf7d379881a8b7dd346a5fc9d84d261ff55b9

SHA512
2b552536395eb8c4066f55440de5b56ce71dc15adfea66c259d038926a1c14d6fe54b76a2d4f58e655f445c4923e261aff06853dd404435c0a97e39a4549904a

Download Submit
C:\Windows\System\iLwHsdQ.exe

Filesize
5.2MB

MD5
b5ef9a9d9e04107fef40f4b4f6994ebe

SHA1
c4103d57f58f139924a15c90d1c253ec9d9ddbf8

SHA256
f2404c8961479acb533b5431b5ed409b82cf50be5c5e67c865b4ed9c014d7f8b

SHA512
a3e6c963d49bc2fbde905ece2d928253c68e1d1286e33d7384b30b081e9556c3e7329608b7411afce4f4eb61a49bd5be169eed94a3cee163821a1168dce6fc1e

Download Submit
C:\Windows\System\pDOjGUN.exe

Filesize
5.2MB

MD5
bfe093ae2f7dca1a29e15360c4275440

SHA1
afb3a1cad25982d57d185b2cad9fcd3c43c0b3e2

SHA256
837c8cb1e93691be716e2c33daf1641203e0c697e1a34a47ec7ff021cc37bf95

SHA512
efba90938de50e462eb7b3e8373e092cde0446eb2e1e9eaa85be1496931c7ad9c90ab96200ff894074002003f859e85b9f00ab0e715cab251c4b35702767717d

Download Submit
C:\Windows\System\rDYCtTu.exe

Filesize
5.2MB

MD5
44271bd2fcf31c8cc06b1409a5fcbc41

SHA1
a125adf7d69cfae773f1757f082df280ab33bf1d

SHA256
5861af8c37bfa6702ac3a2d76ffe9cf12f1433b65f181fa005d77ef71c4f343f

SHA512
97b3cb172ebfdaa4842905b15f30a91b28dad1a5e1e3683ce9bf816d6ac7e08a3a8d2ffacaccdfb91118f4d4cf3c4c6707df9b6cbf70d1fde944ea936950c4e8

Download Submit
C:\Windows\System\rftoFAz.exe

Filesize
5.2MB

MD5
3b2e2da0fdc858097fb46cb0079ee825

SHA1
de580c393078f01eed4e47b4169568274dfd8640

SHA256
5a75529fdcad28870bef7506088d1ee96694e416491cabc69efd8dc738460afa

SHA512
6fb6f8042741b8298f2c5b8af5d3a0120f4179a3d7cead644e0461217351560f7f8260c2ac2c4f6d2a6160f509c5205954236742393fa8ac358c98684a360d55

Download Submit
C:\Windows\System\vgFFqnV.exe

Filesize
5.2MB

MD5
4da2a5fa0493b44a0dc30fc947052f4e

SHA1
694fa15e5b86878bb5ca609073258bf8a11c899d

SHA256
b1186d894924651b2ced7c0c4ee9133cb12bab3ca1d462a459cc9fa2283806c7

SHA512
c94b179ce5e510e49a3249600c45e72736539eb708e87bc88d8a10b5654a2ce60bad71682176b57a11f13cdcf91f61393709294090aa6c42e02f2a75e7b8d96c

Download Submit
C:\Windows\System\yYrjrQS.exe

Filesize
5.2MB

MD5
4f278b88af815d6a7a8dd527b9aa820d

SHA1
e60fa973f8ae11196b61404aa34eb81006e974cc

SHA256
7ec91fb6afe251205b6b8906c429b0f043cb3a2d67379c494fb48cebddc1f316

SHA512
5ea9540e815e53c39d659207f97d7b9b80eb2e5baafc39a1ea3aa04779b087b9c269d7b4387035229402d1338e4e938678c45f13d59d98d3dfc95aeeb3709d07

Download Submit
C:\Windows\System\znvAYHs.exe

Filesize
5.2MB

MD5
360826f9cabed2b6f00e0a0bd47a32f3

SHA1
92429b4a0fb209e15e3c92e58e121ca82f4bbd70

SHA256
7a72b756f14aa2171540f635a55ea08b693f252a6dc69ea63b1172cd15bffca6

SHA512
9dbee1659d7e01f9930805e15136d7491730616c8f263a1549ec5c0a5565e40f8f32ee72385beb1c22375dff8d06a0f7ab4a1bc8c79764d4af28ad23da4eed37

Download Submit
C:\Windows\System\znwjhsH.exe

Filesize
5.2MB

MD5
f0d90bd2cae501edb7cc78a4d08a3465

SHA1
cda5193de2999dd961024c190315083a4fa31b30

SHA256
a3f9b9914ddf6ef04137d9f77d54cf647ebc32f7a1cdf331dbe1462e80cf26b1

SHA512
9d4447d5f37efdfd1c1489cecbd21fae7b1890f83dbf56ae34e1f6751ca1e9b8d9802be0918aadb931000418aebf8f96d8007248c468fb36cf2760c7493e946b

Download Submit
memory/320-258-0x00007FF70CA30000-0x00007FF70CD81000-memory.dmp

Filesize
3.3MB

Download
memory/320-146-0x00007FF70CA30000-0x00007FF70CD81000-memory.dmp

Filesize
3.3MB

Download
memory/512-122-0x00007FF7BDD00000-0x00007FF7BE051000-memory.dmp

Filesize
3.3MB

Download
memory/512-244-0x00007FF7BDD00000-0x00007FF7BE051000-memory.dmp

Filesize
3.3MB

Download
memory/512-64-0x00007FF7BDD00000-0x00007FF7BE051000-memory.dmp

Filesize
3.3MB

Download
memory/808-115-0x00007FF6A5790000-0x00007FF6A5AE1000-memory.dmp

Filesize
3.3MB

Download
memory/808-228-0x00007FF6A5790000-0x00007FF6A5AE1000-memory.dmp

Filesize
3.3MB

Download
memory/808-58-0x00007FF6A5790000-0x00007FF6A5AE1000-memory.dmp

Filesize
3.3MB

Download
memory/880-167-0x00007FF75E780000-0x00007FF75EAD1000-memory.dmp

Filesize
3.3MB

Download
memory/880-137-0x00007FF75E780000-0x00007FF75EAD1000-memory.dmp

Filesize
3.3MB

Download
memory/880-256-0x00007FF75E780000-0x00007FF75EAD1000-memory.dmp

Filesize
3.3MB

Download
memory/984-84-0x00007FF77A790000-0x00007FF77AAE1000-memory.dmp

Filesize
3.3MB

Download
memory/984-236-0x00007FF77A790000-0x00007FF77AAE1000-memory.dmp

Filesize
3.3MB

Download
memory/984-139-0x00007FF77A790000-0x00007FF77AAE1000-memory.dmp

Filesize
3.3MB

Download
memory/1600-239-0x00007FF7EEAD0000-0x00007FF7EEE21000-memory.dmp

Filesize
3.3MB

Download
memory/1600-91-0x00007FF7EEAD0000-0x00007FF7EEE21000-memory.dmp

Filesize
3.3MB

Download
memory/1840-0-0x00007FF729FD0000-0x00007FF72A321000-memory.dmp

Filesize
3.3MB

Download
memory/1840-169-0x00007FF729FD0000-0x00007FF72A321000-memory.dmp

Filesize
3.3MB

Download
memory/1840-105-0x00007FF729FD0000-0x00007FF72A321000-memory.dmp

Filesize
3.3MB

Download
memory/1840-147-0x00007FF729FD0000-0x00007FF72A321000-memory.dmp

Filesize
3.3MB

Download
memory/1840-1-0x0000018E8A710000-0x0000018E8A720000-memory.dmp

Filesize
64KB

Download
memory/1896-246-0x00007FF6EF420000-0x00007FF6EF771000-memory.dmp

Filesize
3.3MB

Download
memory/1896-104-0x00007FF6EF420000-0x00007FF6EF771000-memory.dmp

Filesize
3.3MB

Download
memory/1952-110-0x00007FF6D3BF0000-0x00007FF6D3F41000-memory.dmp

Filesize
3.3MB

Download
memory/1952-209-0x00007FF6D3BF0000-0x00007FF6D3F41000-memory.dmp

Filesize
3.3MB

Download
memory/1952-28-0x00007FF6D3BF0000-0x00007FF6D3F41000-memory.dmp

Filesize
3.3MB

Download
memory/2236-31-0x00007FF7C93B0000-0x00007FF7C9701000-memory.dmp

Filesize
3.3MB

Download
memory/2236-112-0x00007FF7C93B0000-0x00007FF7C9701000-memory.dmp

Filesize
3.3MB

Download
memory/2236-226-0x00007FF7C93B0000-0x00007FF7C9701000-memory.dmp

Filesize
3.3MB

Download
memory/2380-101-0x00007FF6E0F30000-0x00007FF6E1281000-memory.dmp

Filesize
3.3MB

Download
memory/2380-232-0x00007FF6E0F30000-0x00007FF6E1281000-memory.dmp

Filesize
3.3MB

Download
memory/2392-111-0x00007FF7C1FB0000-0x00007FF7C2301000-memory.dmp

Filesize
3.3MB

Download
memory/2392-220-0x00007FF7C1FB0000-0x00007FF7C2301000-memory.dmp

Filesize
3.3MB

Download
memory/2392-36-0x00007FF7C1FB0000-0x00007FF7C2301000-memory.dmp

Filesize
3.3MB

Download
memory/2712-225-0x00007FF7A5AA0000-0x00007FF7A5DF1000-memory.dmp

Filesize
3.3MB

Download
memory/2712-57-0x00007FF7A5AA0000-0x00007FF7A5DF1000-memory.dmp

Filesize
3.3MB

Download
memory/2712-114-0x00007FF7A5AA0000-0x00007FF7A5DF1000-memory.dmp

Filesize
3.3MB

Download
memory/2800-207-0x00007FF7862F0000-0x00007FF786641000-memory.dmp

Filesize
3.3MB

Download
memory/2800-108-0x00007FF7862F0000-0x00007FF786641000-memory.dmp

Filesize
3.3MB

Download
memory/2800-17-0x00007FF7862F0000-0x00007FF786641000-memory.dmp

Filesize
3.3MB

Download
memory/2952-222-0x00007FF7959C0000-0x00007FF795D11000-memory.dmp

Filesize
3.3MB

Download
memory/2952-47-0x00007FF7959C0000-0x00007FF795D11000-memory.dmp

Filesize
3.3MB

Download
memory/2952-113-0x00007FF7959C0000-0x00007FF795D11000-memory.dmp

Filesize
3.3MB

Download
memory/3044-235-0x00007FF63D190000-0x00007FF63D4E1000-memory.dmp

Filesize
3.3MB

Download
memory/3044-100-0x00007FF63D190000-0x00007FF63D4E1000-memory.dmp

Filesize
3.3MB

Download
memory/3224-205-0x00007FF786020000-0x00007FF786371000-memory.dmp

Filesize
3.3MB

Download
memory/3224-107-0x00007FF786020000-0x00007FF786371000-memory.dmp

Filesize
3.3MB

Download
memory/3224-6-0x00007FF786020000-0x00007FF786371000-memory.dmp

Filesize
3.3MB

Download
memory/3304-131-0x00007FF717490000-0x00007FF7177E1000-memory.dmp

Filesize
3.3MB

Download
memory/3304-240-0x00007FF717490000-0x00007FF7177E1000-memory.dmp

Filesize
3.3MB

Download
memory/3304-71-0x00007FF717490000-0x00007FF7177E1000-memory.dmp

Filesize
3.3MB

Download
memory/4028-95-0x00007FF6403A0000-0x00007FF6406F1000-memory.dmp

Filesize
3.3MB

Download
memory/4028-231-0x00007FF6403A0000-0x00007FF6406F1000-memory.dmp

Filesize
3.3MB

Download
memory/4028-143-0x00007FF6403A0000-0x00007FF6406F1000-memory.dmp

Filesize
3.3MB

Download
memory/4076-134-0x00007FF619B10000-0x00007FF619E61000-memory.dmp

Filesize
3.3MB

Download
memory/4076-252-0x00007FF619B10000-0x00007FF619E61000-memory.dmp

Filesize
3.3MB

Download
memory/4420-79-0x00007FF744AD0000-0x00007FF744E21000-memory.dmp

Filesize
3.3MB

Download
memory/4420-242-0x00007FF744AD0000-0x00007FF744E21000-memory.dmp

Filesize
3.3MB

Download
memory/4680-123-0x00007FF671E70000-0x00007FF6721C1000-memory.dmp

Filesize
3.3MB

Download
memory/4680-254-0x00007FF671E70000-0x00007FF6721C1000-memory.dmp

Filesize
3.3MB

Download
memory/4680-145-0x00007FF671E70000-0x00007FF6721C1000-memory.dmp

Filesize
3.3MB

Download