cobaltstrike | 91481eaf494d915f61626eb7f6943574488e4d2359d7bcd85f0ba9ccafc2e4c8

Analysis

max time kernel
141s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-12-2024 13:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-17_9043af802fcf2caad6a6bbe9f899de82_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

9043af802fcf2caad6a6bbe9f899de82
SHA1

45440550848d38a1957a665871b1f552e8b2e2ee
SHA256

91481eaf494d915f61626eb7f6943574488e4d2359d7bcd85f0ba9ccafc2e4c8
SHA512

c2ef8dbd506eb0a63bf7f4ee7aecedf2418dd3191a5b6fc91ad2ef856aa72077bdfe5e00ad8d67ecab1e83397370bda390fa0d23f0812fea574b9d558c6f8b62
SSDEEP

49152:ROdWCCi7/raN56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6ly:RWWBib+56utgpPFotBER/mQ32lUG

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000c000000023b88-4.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c6e-10.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c72-11.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c73-20.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c74-27.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c75-58.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c78-64.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c7b-83.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c7c-85.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c7a-77.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c79-69.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c6f-61.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c77-55.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c76-46.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c7d-90.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c80-98.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c81-105.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c82-113.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c83-127.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c85-134.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c84-132.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 46 IoCs

miner

resource	yara_rule
behavioral2/memory/2760-73-0x00007FF6FF940000-0x00007FF6FFC91000-memory.dmp	xmrig
behavioral2/memory/5008-87-0x00007FF6E9120000-0x00007FF6E9471000-memory.dmp	xmrig
behavioral2/memory/4476-95-0x00007FF7467B0000-0x00007FF746B01000-memory.dmp	xmrig
behavioral2/memory/3744-94-0x00007FF777EC0000-0x00007FF778211000-memory.dmp	xmrig
behavioral2/memory/5064-92-0x00007FF793800000-0x00007FF793B51000-memory.dmp	xmrig
behavioral2/memory/2160-129-0x00007FF7E8E70000-0x00007FF7E91C1000-memory.dmp	xmrig
behavioral2/memory/3400-125-0x00007FF7AE950000-0x00007FF7AECA1000-memory.dmp	xmrig
behavioral2/memory/116-124-0x00007FF63F4B0000-0x00007FF63F801000-memory.dmp	xmrig
behavioral2/memory/4892-123-0x00007FF6A3080000-0x00007FF6A33D1000-memory.dmp	xmrig
behavioral2/memory/4576-110-0x00007FF761320000-0x00007FF761671000-memory.dmp	xmrig
behavioral2/memory/1172-109-0x00007FF707510000-0x00007FF707861000-memory.dmp	xmrig
behavioral2/memory/1040-108-0x00007FF772070000-0x00007FF7723C1000-memory.dmp	xmrig
behavioral2/memory/5100-100-0x00007FF776580000-0x00007FF7768D1000-memory.dmp	xmrig
behavioral2/memory/1504-102-0x00007FF66A790000-0x00007FF66AAE1000-memory.dmp	xmrig
behavioral2/memory/5008-137-0x00007FF6E9120000-0x00007FF6E9471000-memory.dmp	xmrig
behavioral2/memory/5024-149-0x00007FF6D4F40000-0x00007FF6D5291000-memory.dmp	xmrig
behavioral2/memory/1800-153-0x00007FF626A90000-0x00007FF626DE1000-memory.dmp	xmrig
behavioral2/memory/2376-154-0x00007FF72A4F0000-0x00007FF72A841000-memory.dmp	xmrig
behavioral2/memory/2736-151-0x00007FF64D810000-0x00007FF64DB61000-memory.dmp	xmrig
behavioral2/memory/4068-150-0x00007FF6D7740000-0x00007FF6D7A91000-memory.dmp	xmrig
behavioral2/memory/1040-155-0x00007FF772070000-0x00007FF7723C1000-memory.dmp	xmrig
behavioral2/memory/4412-156-0x00007FF6E13A0000-0x00007FF6E16F1000-memory.dmp	xmrig
behavioral2/memory/1920-159-0x00007FF754260000-0x00007FF7545B1000-memory.dmp	xmrig
behavioral2/memory/4152-161-0x00007FF756D70000-0x00007FF7570C1000-memory.dmp	xmrig
behavioral2/memory/5008-162-0x00007FF6E9120000-0x00007FF6E9471000-memory.dmp	xmrig
behavioral2/memory/5064-217-0x00007FF793800000-0x00007FF793B51000-memory.dmp	xmrig
behavioral2/memory/3744-219-0x00007FF777EC0000-0x00007FF778211000-memory.dmp	xmrig
behavioral2/memory/4476-221-0x00007FF7467B0000-0x00007FF746B01000-memory.dmp	xmrig
behavioral2/memory/1172-223-0x00007FF707510000-0x00007FF707861000-memory.dmp	xmrig
behavioral2/memory/1504-232-0x00007FF66A790000-0x00007FF66AAE1000-memory.dmp	xmrig
behavioral2/memory/4576-233-0x00007FF761320000-0x00007FF761671000-memory.dmp	xmrig
behavioral2/memory/116-237-0x00007FF63F4B0000-0x00007FF63F801000-memory.dmp	xmrig
behavioral2/memory/4892-239-0x00007FF6A3080000-0x00007FF6A33D1000-memory.dmp	xmrig
behavioral2/memory/2160-241-0x00007FF7E8E70000-0x00007FF7E91C1000-memory.dmp	xmrig
behavioral2/memory/2760-236-0x00007FF6FF940000-0x00007FF6FFC91000-memory.dmp	xmrig
behavioral2/memory/2736-244-0x00007FF64D810000-0x00007FF64DB61000-memory.dmp	xmrig
behavioral2/memory/4068-249-0x00007FF6D7740000-0x00007FF6D7A91000-memory.dmp	xmrig
behavioral2/memory/1800-248-0x00007FF626A90000-0x00007FF626DE1000-memory.dmp	xmrig
behavioral2/memory/5024-245-0x00007FF6D4F40000-0x00007FF6D5291000-memory.dmp	xmrig
behavioral2/memory/5100-257-0x00007FF776580000-0x00007FF7768D1000-memory.dmp	xmrig
behavioral2/memory/1040-259-0x00007FF772070000-0x00007FF7723C1000-memory.dmp	xmrig
behavioral2/memory/4412-261-0x00007FF6E13A0000-0x00007FF6E16F1000-memory.dmp	xmrig
behavioral2/memory/3400-263-0x00007FF7AE950000-0x00007FF7AECA1000-memory.dmp	xmrig
behavioral2/memory/4152-265-0x00007FF756D70000-0x00007FF7570C1000-memory.dmp	xmrig
behavioral2/memory/1920-267-0x00007FF754260000-0x00007FF7545B1000-memory.dmp	xmrig
behavioral2/memory/2376-269-0x00007FF72A4F0000-0x00007FF72A841000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
5064	YjDBGcx.exe
3744	KIZpCXk.exe
1172	vxDfajx.exe
4476	otqsrHJ.exe
1504	xDeyryB.exe
4576	EbeeLxB.exe
116	tuPbtrt.exe
4892	jiACNDt.exe
2160	pmUsxah.exe
2760	qzGqWbs.exe
1800	dgICEMw.exe
5024	TemTiMy.exe
4068	NZxAuhA.exe
2736	tjjxhNw.exe
5100	VwlnvoP.exe
1040	jYUpyiT.exe
4412	oaYuAiJ.exe
3400	wNelvto.exe
4152	khYJRbJ.exe
1920	JXzpNVm.exe
2376	hLMUkDE.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5008-0-0x00007FF6E9120000-0x00007FF6E9471000-memory.dmp	upx
behavioral2/files/0x000c000000023b88-4.dat	upx
behavioral2/memory/5064-7-0x00007FF793800000-0x00007FF793B51000-memory.dmp	upx
behavioral2/files/0x0008000000023c6e-10.dat	upx
behavioral2/files/0x0007000000023c72-11.dat	upx
behavioral2/files/0x0007000000023c73-20.dat	upx
behavioral2/files/0x0007000000023c74-27.dat	upx
behavioral2/memory/3744-18-0x00007FF777EC0000-0x00007FF778211000-memory.dmp	upx
behavioral2/memory/4476-29-0x00007FF7467B0000-0x00007FF746B01000-memory.dmp	upx
behavioral2/memory/1172-31-0x00007FF707510000-0x00007FF707861000-memory.dmp	upx
behavioral2/memory/4576-38-0x00007FF761320000-0x00007FF761671000-memory.dmp	upx
behavioral2/files/0x0007000000023c75-58.dat	upx
behavioral2/files/0x0007000000023c78-64.dat	upx
behavioral2/memory/2760-73-0x00007FF6FF940000-0x00007FF6FFC91000-memory.dmp	upx
behavioral2/memory/5024-80-0x00007FF6D4F40000-0x00007FF6D5291000-memory.dmp	upx
behavioral2/files/0x0007000000023c7b-83.dat	upx
behavioral2/files/0x0007000000023c7c-85.dat	upx
behavioral2/memory/4068-82-0x00007FF6D7740000-0x00007FF6D7A91000-memory.dmp	upx
behavioral2/memory/2736-81-0x00007FF64D810000-0x00007FF64DB61000-memory.dmp	upx
behavioral2/files/0x0007000000023c7a-77.dat	upx
behavioral2/files/0x0007000000023c79-69.dat	upx
behavioral2/memory/1800-67-0x00007FF626A90000-0x00007FF626DE1000-memory.dmp	upx
behavioral2/files/0x0008000000023c6f-61.dat	upx
behavioral2/memory/2160-60-0x00007FF7E8E70000-0x00007FF7E91C1000-memory.dmp	upx
behavioral2/files/0x0007000000023c77-55.dat	upx
behavioral2/memory/116-53-0x00007FF63F4B0000-0x00007FF63F801000-memory.dmp	upx
behavioral2/files/0x0007000000023c76-46.dat	upx
behavioral2/memory/4892-43-0x00007FF6A3080000-0x00007FF6A33D1000-memory.dmp	upx
behavioral2/memory/1504-36-0x00007FF66A790000-0x00007FF66AAE1000-memory.dmp	upx
behavioral2/memory/5008-87-0x00007FF6E9120000-0x00007FF6E9471000-memory.dmp	upx
behavioral2/files/0x0007000000023c7d-90.dat	upx
behavioral2/memory/4476-95-0x00007FF7467B0000-0x00007FF746B01000-memory.dmp	upx
behavioral2/memory/3744-94-0x00007FF777EC0000-0x00007FF778211000-memory.dmp	upx
behavioral2/memory/5064-92-0x00007FF793800000-0x00007FF793B51000-memory.dmp	upx
behavioral2/files/0x0007000000023c80-98.dat	upx
behavioral2/files/0x0007000000023c81-105.dat	upx
behavioral2/files/0x0007000000023c82-113.dat	upx
behavioral2/files/0x0007000000023c83-127.dat	upx
behavioral2/memory/2160-129-0x00007FF7E8E70000-0x00007FF7E91C1000-memory.dmp	upx
behavioral2/files/0x0007000000023c85-134.dat	upx
behavioral2/files/0x0007000000023c84-132.dat	upx
behavioral2/memory/3400-125-0x00007FF7AE950000-0x00007FF7AECA1000-memory.dmp	upx
behavioral2/memory/116-124-0x00007FF63F4B0000-0x00007FF63F801000-memory.dmp	upx
behavioral2/memory/4892-123-0x00007FF6A3080000-0x00007FF6A33D1000-memory.dmp	upx
behavioral2/memory/4152-118-0x00007FF756D70000-0x00007FF7570C1000-memory.dmp	upx
behavioral2/memory/4412-116-0x00007FF6E13A0000-0x00007FF6E16F1000-memory.dmp	upx
behavioral2/memory/4576-110-0x00007FF761320000-0x00007FF761671000-memory.dmp	upx
behavioral2/memory/1172-109-0x00007FF707510000-0x00007FF707861000-memory.dmp	upx
behavioral2/memory/1040-108-0x00007FF772070000-0x00007FF7723C1000-memory.dmp	upx
behavioral2/memory/5100-100-0x00007FF776580000-0x00007FF7768D1000-memory.dmp	upx
behavioral2/memory/1504-102-0x00007FF66A790000-0x00007FF66AAE1000-memory.dmp	upx
behavioral2/memory/1920-136-0x00007FF754260000-0x00007FF7545B1000-memory.dmp	upx
behavioral2/memory/5008-137-0x00007FF6E9120000-0x00007FF6E9471000-memory.dmp	upx
behavioral2/memory/5024-149-0x00007FF6D4F40000-0x00007FF6D5291000-memory.dmp	upx
behavioral2/memory/1800-153-0x00007FF626A90000-0x00007FF626DE1000-memory.dmp	upx
behavioral2/memory/2376-154-0x00007FF72A4F0000-0x00007FF72A841000-memory.dmp	upx
behavioral2/memory/2736-151-0x00007FF64D810000-0x00007FF64DB61000-memory.dmp	upx
behavioral2/memory/4068-150-0x00007FF6D7740000-0x00007FF6D7A91000-memory.dmp	upx
behavioral2/memory/1040-155-0x00007FF772070000-0x00007FF7723C1000-memory.dmp	upx
behavioral2/memory/4412-156-0x00007FF6E13A0000-0x00007FF6E16F1000-memory.dmp	upx
behavioral2/memory/1920-159-0x00007FF754260000-0x00007FF7545B1000-memory.dmp	upx
behavioral2/memory/4152-161-0x00007FF756D70000-0x00007FF7570C1000-memory.dmp	upx
behavioral2/memory/5008-162-0x00007FF6E9120000-0x00007FF6E9471000-memory.dmp	upx
behavioral2/memory/5064-217-0x00007FF793800000-0x00007FF793B51000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\EbeeLxB.exe	2024-12-17_9043af802fcf2caad6a6bbe9f899de82_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oaYuAiJ.exe	2024-12-17_9043af802fcf2caad6a6bbe9f899de82_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\khYJRbJ.exe	2024-12-17_9043af802fcf2caad6a6bbe9f899de82_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hLMUkDE.exe	2024-12-17_9043af802fcf2caad6a6bbe9f899de82_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\otqsrHJ.exe	2024-12-17_9043af802fcf2caad6a6bbe9f899de82_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xDeyryB.exe	2024-12-17_9043af802fcf2caad6a6bbe9f899de82_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jiACNDt.exe	2024-12-17_9043af802fcf2caad6a6bbe9f899de82_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pmUsxah.exe	2024-12-17_9043af802fcf2caad6a6bbe9f899de82_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TemTiMy.exe	2024-12-17_9043af802fcf2caad6a6bbe9f899de82_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wNelvto.exe	2024-12-17_9043af802fcf2caad6a6bbe9f899de82_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YjDBGcx.exe	2024-12-17_9043af802fcf2caad6a6bbe9f899de82_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vxDfajx.exe	2024-12-17_9043af802fcf2caad6a6bbe9f899de82_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NZxAuhA.exe	2024-12-17_9043af802fcf2caad6a6bbe9f899de82_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jYUpyiT.exe	2024-12-17_9043af802fcf2caad6a6bbe9f899de82_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JXzpNVm.exe	2024-12-17_9043af802fcf2caad6a6bbe9f899de82_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KIZpCXk.exe	2024-12-17_9043af802fcf2caad6a6bbe9f899de82_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tuPbtrt.exe	2024-12-17_9043af802fcf2caad6a6bbe9f899de82_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qzGqWbs.exe	2024-12-17_9043af802fcf2caad6a6bbe9f899de82_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dgICEMw.exe	2024-12-17_9043af802fcf2caad6a6bbe9f899de82_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tjjxhNw.exe	2024-12-17_9043af802fcf2caad6a6bbe9f899de82_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VwlnvoP.exe	2024-12-17_9043af802fcf2caad6a6bbe9f899de82_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	5008	2024-12-17_9043af802fcf2caad6a6bbe9f899de82_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	5008	2024-12-17_9043af802fcf2caad6a6bbe9f899de82_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 5008 wrote to memory of 5064	5008	2024-12-17_9043af802fcf2caad6a6bbe9f899de82_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 5008 wrote to memory of 5064	5008	2024-12-17_9043af802fcf2caad6a6bbe9f899de82_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 5008 wrote to memory of 3744	5008	2024-12-17_9043af802fcf2caad6a6bbe9f899de82_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 5008 wrote to memory of 3744	5008	2024-12-17_9043af802fcf2caad6a6bbe9f899de82_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 5008 wrote to memory of 1172	5008	2024-12-17_9043af802fcf2caad6a6bbe9f899de82_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 5008 wrote to memory of 1172	5008	2024-12-17_9043af802fcf2caad6a6bbe9f899de82_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 5008 wrote to memory of 4476	5008	2024-12-17_9043af802fcf2caad6a6bbe9f899de82_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 5008 wrote to memory of 4476	5008	2024-12-17_9043af802fcf2caad6a6bbe9f899de82_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 5008 wrote to memory of 1504	5008	2024-12-17_9043af802fcf2caad6a6bbe9f899de82_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 5008 wrote to memory of 1504	5008	2024-12-17_9043af802fcf2caad6a6bbe9f899de82_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 5008 wrote to memory of 116	5008	2024-12-17_9043af802fcf2caad6a6bbe9f899de82_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 5008 wrote to memory of 116	5008	2024-12-17_9043af802fcf2caad6a6bbe9f899de82_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 5008 wrote to memory of 4576	5008	2024-12-17_9043af802fcf2caad6a6bbe9f899de82_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 5008 wrote to memory of 4576	5008	2024-12-17_9043af802fcf2caad6a6bbe9f899de82_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 5008 wrote to memory of 4892	5008	2024-12-17_9043af802fcf2caad6a6bbe9f899de82_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 5008 wrote to memory of 4892	5008	2024-12-17_9043af802fcf2caad6a6bbe9f899de82_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 5008 wrote to memory of 2160	5008	2024-12-17_9043af802fcf2caad6a6bbe9f899de82_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 5008 wrote to memory of 2160	5008	2024-12-17_9043af802fcf2caad6a6bbe9f899de82_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 5008 wrote to memory of 2760	5008	2024-12-17_9043af802fcf2caad6a6bbe9f899de82_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 5008 wrote to memory of 2760	5008	2024-12-17_9043af802fcf2caad6a6bbe9f899de82_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 5008 wrote to memory of 1800	5008	2024-12-17_9043af802fcf2caad6a6bbe9f899de82_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 5008 wrote to memory of 1800	5008	2024-12-17_9043af802fcf2caad6a6bbe9f899de82_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 5008 wrote to memory of 5024	5008	2024-12-17_9043af802fcf2caad6a6bbe9f899de82_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 5008 wrote to memory of 5024	5008	2024-12-17_9043af802fcf2caad6a6bbe9f899de82_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 5008 wrote to memory of 4068	5008	2024-12-17_9043af802fcf2caad6a6bbe9f899de82_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 5008 wrote to memory of 4068	5008	2024-12-17_9043af802fcf2caad6a6bbe9f899de82_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 5008 wrote to memory of 2736	5008	2024-12-17_9043af802fcf2caad6a6bbe9f899de82_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 5008 wrote to memory of 2736	5008	2024-12-17_9043af802fcf2caad6a6bbe9f899de82_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 5008 wrote to memory of 5100	5008	2024-12-17_9043af802fcf2caad6a6bbe9f899de82_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 5008 wrote to memory of 5100	5008	2024-12-17_9043af802fcf2caad6a6bbe9f899de82_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 5008 wrote to memory of 1040	5008	2024-12-17_9043af802fcf2caad6a6bbe9f899de82_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 5008 wrote to memory of 1040	5008	2024-12-17_9043af802fcf2caad6a6bbe9f899de82_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 5008 wrote to memory of 4412	5008	2024-12-17_9043af802fcf2caad6a6bbe9f899de82_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 5008 wrote to memory of 4412	5008	2024-12-17_9043af802fcf2caad6a6bbe9f899de82_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 5008 wrote to memory of 3400	5008	2024-12-17_9043af802fcf2caad6a6bbe9f899de82_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 5008 wrote to memory of 3400	5008	2024-12-17_9043af802fcf2caad6a6bbe9f899de82_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 5008 wrote to memory of 4152	5008	2024-12-17_9043af802fcf2caad6a6bbe9f899de82_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 5008 wrote to memory of 4152	5008	2024-12-17_9043af802fcf2caad6a6bbe9f899de82_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 5008 wrote to memory of 1920	5008	2024-12-17_9043af802fcf2caad6a6bbe9f899de82_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 5008 wrote to memory of 1920	5008	2024-12-17_9043af802fcf2caad6a6bbe9f899de82_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 5008 wrote to memory of 2376	5008	2024-12-17_9043af802fcf2caad6a6bbe9f899de82_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 5008 wrote to memory of 2376	5008	2024-12-17_9043af802fcf2caad6a6bbe9f899de82_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-12-17_9043af802fcf2caad6a6bbe9f899de82_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-17_9043af802fcf2caad6a6bbe9f899de82_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5008
- C:\Windows\System\YjDBGcx.exe
  C:\Windows\System\YjDBGcx.exe
  2⤵
  - Executes dropped EXE
  PID:5064
- C:\Windows\System\KIZpCXk.exe
  C:\Windows\System\KIZpCXk.exe
  2⤵
  - Executes dropped EXE
  PID:3744
- C:\Windows\System\vxDfajx.exe
  C:\Windows\System\vxDfajx.exe
  2⤵
  - Executes dropped EXE
  PID:1172
- C:\Windows\System\otqsrHJ.exe
  C:\Windows\System\otqsrHJ.exe
  2⤵
  - Executes dropped EXE
  PID:4476
- C:\Windows\System\xDeyryB.exe
  C:\Windows\System\xDeyryB.exe
  2⤵
  - Executes dropped EXE
  PID:1504
- C:\Windows\System\tuPbtrt.exe
  C:\Windows\System\tuPbtrt.exe
  2⤵
  - Executes dropped EXE
  PID:116
- C:\Windows\System\EbeeLxB.exe
  C:\Windows\System\EbeeLxB.exe
  2⤵
  - Executes dropped EXE
  PID:4576
- C:\Windows\System\jiACNDt.exe
  C:\Windows\System\jiACNDt.exe
  2⤵
  - Executes dropped EXE
  PID:4892
- C:\Windows\System\pmUsxah.exe
  C:\Windows\System\pmUsxah.exe
  2⤵
  - Executes dropped EXE
  PID:2160
- C:\Windows\System\qzGqWbs.exe
  C:\Windows\System\qzGqWbs.exe
  2⤵
  - Executes dropped EXE
  PID:2760
- C:\Windows\System\dgICEMw.exe
  C:\Windows\System\dgICEMw.exe
  2⤵
  - Executes dropped EXE
  PID:1800
- C:\Windows\System\TemTiMy.exe
  C:\Windows\System\TemTiMy.exe
  2⤵
  - Executes dropped EXE
  PID:5024
- C:\Windows\System\NZxAuhA.exe
  C:\Windows\System\NZxAuhA.exe
  2⤵
  - Executes dropped EXE
  PID:4068
- C:\Windows\System\tjjxhNw.exe
  C:\Windows\System\tjjxhNw.exe
  2⤵
  - Executes dropped EXE
  PID:2736
- C:\Windows\System\VwlnvoP.exe
  C:\Windows\System\VwlnvoP.exe
  2⤵
  - Executes dropped EXE
  PID:5100
- C:\Windows\System\jYUpyiT.exe
  C:\Windows\System\jYUpyiT.exe
  2⤵
  - Executes dropped EXE
  PID:1040
- C:\Windows\System\oaYuAiJ.exe
  C:\Windows\System\oaYuAiJ.exe
  2⤵
  - Executes dropped EXE
  PID:4412
- C:\Windows\System\wNelvto.exe
  C:\Windows\System\wNelvto.exe
  2⤵
  - Executes dropped EXE
  PID:3400
- C:\Windows\System\khYJRbJ.exe
  C:\Windows\System\khYJRbJ.exe
  2⤵
  - Executes dropped EXE
  PID:4152
- C:\Windows\System\JXzpNVm.exe
  C:\Windows\System\JXzpNVm.exe
  2⤵
  - Executes dropped EXE
  PID:1920
- C:\Windows\System\hLMUkDE.exe
  C:\Windows\System\hLMUkDE.exe
  2⤵
  - Executes dropped EXE
  PID:2376

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\EbeeLxB.exe

Filesize
5.2MB

MD5
14f3bd26af994042d0f67ee551a0ee22

SHA1
0f3dea76f814de12f73d4b2f25b06fe95bb1c815

SHA256
da3676ee59602fc2d1a4a4846001c539040f6a128ef0f74751981b131bcfd722

SHA512
6d50038237e2d87fe0912af7d2bbc0c88ffaffb9eddcd70f9327a592976854d6a342d3d2b98ff5a56d88b5d241942598ddd053043664dd6b80dd2b89525291b7

Download Submit
C:\Windows\System\JXzpNVm.exe

Filesize
5.2MB

MD5
3d961f263ef32d5fb3ebab16830d459e

SHA1
a38ee97341f573d64ef2427cd02d37c838738445

SHA256
a957e2ebde28c6a04afb384503afbb519ff6445bb513a238a51f8e6ed4520308

SHA512
68c77af6c1b4421f8a43c9924e5ee92de2a960a3c30c3fda80986e40626035cb94c3c5641bc4e34aab4a2dc2cb37b066c16f22dfb363c1d75a667d626c08c2d2

Download Submit
C:\Windows\System\KIZpCXk.exe

Filesize
5.2MB

MD5
b6cf3e92947d1fd6704743c19e35731c

SHA1
cf9d4530b1353af6149aad1f7936e01f1e2f7b36

SHA256
1b364c539ffa1f0c57831b6f90697408c7ecf0002095642264fc3e6ce7ec721f

SHA512
097e4d353c7684d315409e4e1883c5a74281da6c796e8ae79cc76ca75cc0f28ce65af83df9757039c092f5e00320373a776b71dff3bcc7204d251b293f76bd40

Download Submit
C:\Windows\System\NZxAuhA.exe

Filesize
5.2MB

MD5
9fd8216ffee59e3596cbf519c0575a78

SHA1
cb95cf8a09a33232eb7e9167b191c9d3db1d4532

SHA256
bee362030a70ea17a8eb66104be9eaee023aa778c70c000b218bb150b73d847b

SHA512
2a366d4fdea02566006ef7bfc131abbd4d5a9ffa5ade580f7bc04823cac0cfa05408c09ca5ef44a45c74afd22c5a3840c53735a58a0897de5aff13b1a1148449

Download Submit
C:\Windows\System\TemTiMy.exe

Filesize
5.2MB

MD5
8648f5b070a2f825e54d8c8a5918d4eb

SHA1
55093a592b5c1db750a879d4ae2bfe3323c4fe5b

SHA256
3ca52ddd09d87047ccd017daeaefdd92da3bd7d90342ffd6e9b5b0cdc75d9aeb

SHA512
8d249841d859c14554347d78ee294d8f2918bfd45618f4b17dc11c2ab9ea8125448db2dec4b73e9f74649d717def52d3ffe6256cd0a484c289e1335a375e77c9

Download Submit
C:\Windows\System\VwlnvoP.exe

Filesize
5.2MB

MD5
e8be912a81a3ec4bf9b17c731ff20006

SHA1
09ee00b188189139eb23176dd4672f9e9e4665ec

SHA256
2270dbeb0d6e93f673e510bb9ed25021d641a4f72ed50d1477e9b0dc4719c818

SHA512
efa2aaaeb29a2b282fce02de3c1cc07c235e44035de036f228ce8704dea3ca572bec952f1c6e31bccd69c408a33f3795ff7878c80d6d4484782e604d1acdeaec

Download Submit
C:\Windows\System\YjDBGcx.exe

Filesize
5.2MB

MD5
5d642989660b0f68c61bec304fbafb10

SHA1
aa45449642b3b3473d84825ff6a64cdb1e634d2f

SHA256
10b66ba536ff2e4c4e2c703a3e76ba8038501abf390fc3d53ffddada6cb1111a

SHA512
39f9bb392395aa9ff7d1e4f3858ee15fac5e64ff259c4f8881e777da78632f3894e957c0abc52557c412d34f53cbe7acdddbbe4b2b67c430b30adfd25bf84571

Download Submit
C:\Windows\System\dgICEMw.exe

Filesize
5.2MB

MD5
d3fb81f61e14f12de21b67195b989ab3

SHA1
eb8119801bc97b6a1a8d452437dffd8f61b85343

SHA256
9830b52d28d1d9585f0fe03e98f993511543cbdca48d6a745c058807e0cd8722

SHA512
cdc91c2ff8c813a02a307793afa080323b3ec02aaff3b6ebd585b41be6c3f95ad8b9e4359a945d3f7bfb014f34e9984fca40ef667ef98455b0eb496126799095

Download Submit
C:\Windows\System\hLMUkDE.exe

Filesize
5.2MB

MD5
6dff84d2429a793f9432c7ab4499f74e

SHA1
6390ff03f86c1e949394f6e50501fab8b1889c1a

SHA256
58414eba0e08e9e05f0cf172245f6a8f097428c99a92191c8f6a8159d462cf32

SHA512
7fc7dd10d4f8bdf925e5d9b80fb5526a0d2e7ccc87883efa0143047509b24cf054cbe765b69ce3973d42f6d3102eaa7e9f31186b7ded96f7db4ac788601c6fbf

Download Submit
C:\Windows\System\jYUpyiT.exe

Filesize
5.2MB

MD5
9f757c9ce977a0b334733b609ec6c81b

SHA1
44f6af31732ef4c1a247feef360be097e5fe96a0

SHA256
f49744e966a103d6499770299a08f49c7a3d8b37996d46587e047ad06dbcf25d

SHA512
d1c72d89ca620b5db51150890df038fe383e88f3af987bcfb0c20d8b03468d1ee158715a7ee1d893aa3a7e220ee98c65f9907dd58e287184df8d80ca23352fb4

Download Submit
C:\Windows\System\jiACNDt.exe

Filesize
5.2MB

MD5
3502bab24a28f128fc7b7d137c791b24

SHA1
02e841040295cf071b73a7ca34c25ad7b3052dcb

SHA256
59196d6af26f9e57f4ab17bf0b6dff5b80c8afb9136aba3cd4cee9646c684342

SHA512
40a8cbb84c8f7032e043732678e82ad89f942225a39f14dee134dd31a7199e4262297d9eda5782745adffed0a9bdb4f0fe30e88b4160b7fa1918bc6bf468fd87

Download Submit
C:\Windows\System\khYJRbJ.exe

Filesize
5.2MB

MD5
a3e382d43e344176db7e9518bf6a47fd

SHA1
90bb0c065679a113f966c33ff6537ab2d0e1567f

SHA256
ce60f857aa6baf31865c6665318007428481825840396720dc6a481c8a17ec4f

SHA512
7e5df4dc74582b13e34d936ac172745376aaf22d1a87a400aa21c4475ba7cb4061b77afc3a4a719bf1b99c72eba77cac307bdd3fd1a152d638589a686c31f9a5

Download Submit
C:\Windows\System\oaYuAiJ.exe

Filesize
5.2MB

MD5
e0f615dfe2416c93d5566b34e7233542

SHA1
8b50a0da7bc7165733dd80e200d01a8577cbb434

SHA256
4ab17f1d51a59865a941868dcc1d1a1f4fcde3c635f8fcddb900802c9e39ab9e

SHA512
977048f4d809c36fa002aab946ae090a40f0ad45d88b1648086e963d8702521fceb93703ceecca2dc0ff466e106cccf7e51bebf04e47bdd31a92bb5128d3fd0d

Download Submit
C:\Windows\System\otqsrHJ.exe

Filesize
5.2MB

MD5
22c474a33069da3751be0e9e9d9d87d1

SHA1
77000c01764cb797d7c01365f0dd0459a3a575b0

SHA256
a629e771d9aaf832ead8d9481bb7b25056c1a6607df40b108d94c88bc5fdf321

SHA512
7c319d0a572c4f2f5e04092277ed1acac26e656615538a17a4d829d24afef373c5f72fd5b3870383134262d322ec721b9a2d053fb2a182abab3defcdb70d8fd7

Download Submit
C:\Windows\System\pmUsxah.exe

Filesize
5.2MB

MD5
27196168333dd4b46f949c2954dc70f9

SHA1
c640eb3740c8ffcac35fc460564a5ece4b9685e7

SHA256
c8b32b2f8cc0899b0fa1d4e1f27535993c5f4112aff74d4e81641a2ac75002a5

SHA512
60b17dc8cec5fe95d05098ae0fa57e3e507d9c81d60e06da2d9178e7ec48da145a07262fe7269b61d2bf1e50f18e3a65539ae3049fe19bcb127a3e12b450205b

Download Submit
C:\Windows\System\qzGqWbs.exe

Filesize
5.2MB

MD5
243936e523b6d2981977c38b47a19792

SHA1
c26174eb761fd821572dd807974f4df1bf00b148

SHA256
788ca126709a09b1f249ad60d8b6a64bd54e251cd14ba1c60f1667c0d0c549cf

SHA512
52e85b71bcc3c1653eca9f20ba4c3d1cb9d98a562ed8d3a740fb7bea92b391a9e77c8bdb4fe103f0a4fe22a82d7171f79370ab350e26e40a2a3202900d5ec6aa

Download Submit
C:\Windows\System\tjjxhNw.exe

Filesize
5.2MB

MD5
528b62839039c7d2cf1d897733ceb2b6

SHA1
853e062efd10073faea3cdd737c9e82eaa856005

SHA256
7039351c7d6df1ac2a3c6d4d9b20d3d087c6db1bc6837f99478db4cef7ccbf28

SHA512
b22a2b5f40a4d7c64b409aa5d46a0673aadd7f7183daeedfa26b6f75893a47dc5936819233303e1fbfd5a2f460a0d90f200e3db8cfca92d5238edb273b264072

Download Submit
C:\Windows\System\tuPbtrt.exe

Filesize
5.2MB

MD5
e0fe1fc4750a17a5299a0f207458c6cd

SHA1
db167f76f0791d206dd263ab9cf072c892a4702f

SHA256
266ac0e71b1e7eb4bea488ddc74f139de79222692625e6d6ed82178918901429

SHA512
dd3e27617e35f44c39c5dd8f3d1ec10124126241c3b2ed2db1985235438c0895cb179cb9981d4f747ba375af64d3276d441fcac9d8717f7e4ab90161a9d80a40

Download Submit
C:\Windows\System\vxDfajx.exe

Filesize
5.2MB

MD5
381dc82f47a231e717ed18ad1fee68ae

SHA1
23563c201dd85ef201fbaa54117289d51f6dc19b

SHA256
5dc61a627b4276466f6b869672ee78941efd1a18a28d2564f3754908adefc608

SHA512
6affd1bc52999f981c6d6b525d5fc3ea96e5d3714cc17d2d4d20fee602245284e556558044c093eb8f004b7fbc0c131b4cf79ec96527fb0981df017edbcfbd55

Download Submit
C:\Windows\System\wNelvto.exe

Filesize
5.2MB

MD5
5b71ef7bd84d8c72dc8f574919fe1afb

SHA1
4377a456c8a4e6fc5c1b2c7eb9a6a3a3bb76c195

SHA256
88b6280b14bb2fc3acc5ab8334e4a7188d8b8140a93cd57bf433e115fabb80c4

SHA512
c9b5368d5348d5c7ea733136d5bcdad1ee84ee976dc2ff2da8fd500d37257ac954bac0be774c78df2919640eb19adddc0b8eb157545dd547000668774c8a6c44

Download Submit
C:\Windows\System\xDeyryB.exe

Filesize
5.2MB

MD5
f4486bde4731448f5b5ad5f3bc524e4e

SHA1
7c62b8ba8d76ef4df1cb365a6f852b03ed3b89c4

SHA256
9c6ae69ceb861aa88eaa39bc8cdca90c7b4864886ec9dd159a91a72a0658b96d

SHA512
5ce1b7e27afaf01cf222e3a76ea513f4466e03f1c906a21057efcfd738295a864dc6e27c31297ede3bb9cf5cc56d18eb4b472e8c1e841337bc46e6d9802fbf86

Download Submit
memory/116-124-0x00007FF63F4B0000-0x00007FF63F801000-memory.dmp

Filesize
3.3MB

Download
memory/116-237-0x00007FF63F4B0000-0x00007FF63F801000-memory.dmp

Filesize
3.3MB

Download
memory/116-53-0x00007FF63F4B0000-0x00007FF63F801000-memory.dmp

Filesize
3.3MB

Download
memory/1040-155-0x00007FF772070000-0x00007FF7723C1000-memory.dmp

Filesize
3.3MB

Download
memory/1040-259-0x00007FF772070000-0x00007FF7723C1000-memory.dmp

Filesize
3.3MB

Download
memory/1040-108-0x00007FF772070000-0x00007FF7723C1000-memory.dmp

Filesize
3.3MB

Download
memory/1172-223-0x00007FF707510000-0x00007FF707861000-memory.dmp

Filesize
3.3MB

Download
memory/1172-31-0x00007FF707510000-0x00007FF707861000-memory.dmp

Filesize
3.3MB

Download
memory/1172-109-0x00007FF707510000-0x00007FF707861000-memory.dmp

Filesize
3.3MB

Download
memory/1504-36-0x00007FF66A790000-0x00007FF66AAE1000-memory.dmp

Filesize
3.3MB

Download
memory/1504-232-0x00007FF66A790000-0x00007FF66AAE1000-memory.dmp

Filesize
3.3MB

Download
memory/1504-102-0x00007FF66A790000-0x00007FF66AAE1000-memory.dmp

Filesize
3.3MB

Download
memory/1800-153-0x00007FF626A90000-0x00007FF626DE1000-memory.dmp

Filesize
3.3MB

Download
memory/1800-67-0x00007FF626A90000-0x00007FF626DE1000-memory.dmp

Filesize
3.3MB

Download
memory/1800-248-0x00007FF626A90000-0x00007FF626DE1000-memory.dmp

Filesize
3.3MB

Download
memory/1920-136-0x00007FF754260000-0x00007FF7545B1000-memory.dmp

Filesize
3.3MB

Download
memory/1920-267-0x00007FF754260000-0x00007FF7545B1000-memory.dmp

Filesize
3.3MB

Download
memory/1920-159-0x00007FF754260000-0x00007FF7545B1000-memory.dmp

Filesize
3.3MB

Download
memory/2160-129-0x00007FF7E8E70000-0x00007FF7E91C1000-memory.dmp

Filesize
3.3MB

Download
memory/2160-60-0x00007FF7E8E70000-0x00007FF7E91C1000-memory.dmp

Filesize
3.3MB

Download
memory/2160-241-0x00007FF7E8E70000-0x00007FF7E91C1000-memory.dmp

Filesize
3.3MB

Download
memory/2376-154-0x00007FF72A4F0000-0x00007FF72A841000-memory.dmp

Filesize
3.3MB

Download
memory/2376-269-0x00007FF72A4F0000-0x00007FF72A841000-memory.dmp

Filesize
3.3MB

Download
memory/2736-81-0x00007FF64D810000-0x00007FF64DB61000-memory.dmp

Filesize
3.3MB

Download
memory/2736-244-0x00007FF64D810000-0x00007FF64DB61000-memory.dmp

Filesize
3.3MB

Download
memory/2736-151-0x00007FF64D810000-0x00007FF64DB61000-memory.dmp

Filesize
3.3MB

Download
memory/2760-236-0x00007FF6FF940000-0x00007FF6FFC91000-memory.dmp

Filesize
3.3MB

Download
memory/2760-73-0x00007FF6FF940000-0x00007FF6FFC91000-memory.dmp

Filesize
3.3MB

Download
memory/3400-263-0x00007FF7AE950000-0x00007FF7AECA1000-memory.dmp

Filesize
3.3MB

Download
memory/3400-125-0x00007FF7AE950000-0x00007FF7AECA1000-memory.dmp

Filesize
3.3MB

Download
memory/3744-18-0x00007FF777EC0000-0x00007FF778211000-memory.dmp

Filesize
3.3MB

Download
memory/3744-94-0x00007FF777EC0000-0x00007FF778211000-memory.dmp

Filesize
3.3MB

Download
memory/3744-219-0x00007FF777EC0000-0x00007FF778211000-memory.dmp

Filesize
3.3MB

Download
memory/4068-249-0x00007FF6D7740000-0x00007FF6D7A91000-memory.dmp

Filesize
3.3MB

Download
memory/4068-82-0x00007FF6D7740000-0x00007FF6D7A91000-memory.dmp

Filesize
3.3MB

Download
memory/4068-150-0x00007FF6D7740000-0x00007FF6D7A91000-memory.dmp

Filesize
3.3MB

Download
memory/4152-118-0x00007FF756D70000-0x00007FF7570C1000-memory.dmp

Filesize
3.3MB

Download
memory/4152-265-0x00007FF756D70000-0x00007FF7570C1000-memory.dmp

Filesize
3.3MB

Download
memory/4152-161-0x00007FF756D70000-0x00007FF7570C1000-memory.dmp

Filesize
3.3MB

Download
memory/4412-116-0x00007FF6E13A0000-0x00007FF6E16F1000-memory.dmp

Filesize
3.3MB

Download
memory/4412-261-0x00007FF6E13A0000-0x00007FF6E16F1000-memory.dmp

Filesize
3.3MB

Download
memory/4412-156-0x00007FF6E13A0000-0x00007FF6E16F1000-memory.dmp

Filesize
3.3MB

Download
memory/4476-95-0x00007FF7467B0000-0x00007FF746B01000-memory.dmp

Filesize
3.3MB

Download
memory/4476-29-0x00007FF7467B0000-0x00007FF746B01000-memory.dmp

Filesize
3.3MB

Download
memory/4476-221-0x00007FF7467B0000-0x00007FF746B01000-memory.dmp

Filesize
3.3MB

Download
memory/4576-233-0x00007FF761320000-0x00007FF761671000-memory.dmp

Filesize
3.3MB

Download
memory/4576-38-0x00007FF761320000-0x00007FF761671000-memory.dmp

Filesize
3.3MB

Download
memory/4576-110-0x00007FF761320000-0x00007FF761671000-memory.dmp

Filesize
3.3MB

Download
memory/4892-43-0x00007FF6A3080000-0x00007FF6A33D1000-memory.dmp

Filesize
3.3MB

Download
memory/4892-123-0x00007FF6A3080000-0x00007FF6A33D1000-memory.dmp

Filesize
3.3MB

Download
memory/4892-239-0x00007FF6A3080000-0x00007FF6A33D1000-memory.dmp

Filesize
3.3MB

Download
memory/5008-1-0x000002702EFC0000-0x000002702EFD0000-memory.dmp

Filesize
64KB

Download
memory/5008-0-0x00007FF6E9120000-0x00007FF6E9471000-memory.dmp

Filesize
3.3MB

Download
memory/5008-137-0x00007FF6E9120000-0x00007FF6E9471000-memory.dmp

Filesize
3.3MB

Download
memory/5008-162-0x00007FF6E9120000-0x00007FF6E9471000-memory.dmp

Filesize
3.3MB

Download
memory/5008-87-0x00007FF6E9120000-0x00007FF6E9471000-memory.dmp

Filesize
3.3MB

Download
memory/5024-149-0x00007FF6D4F40000-0x00007FF6D5291000-memory.dmp

Filesize
3.3MB

Download
memory/5024-245-0x00007FF6D4F40000-0x00007FF6D5291000-memory.dmp

Filesize
3.3MB

Download
memory/5024-80-0x00007FF6D4F40000-0x00007FF6D5291000-memory.dmp

Filesize
3.3MB

Download
memory/5064-217-0x00007FF793800000-0x00007FF793B51000-memory.dmp

Filesize
3.3MB

Download
memory/5064-7-0x00007FF793800000-0x00007FF793B51000-memory.dmp

Filesize
3.3MB

Download
memory/5064-92-0x00007FF793800000-0x00007FF793B51000-memory.dmp

Filesize
3.3MB

Download
memory/5100-257-0x00007FF776580000-0x00007FF7768D1000-memory.dmp

Filesize
3.3MB

Download
memory/5100-100-0x00007FF776580000-0x00007FF7768D1000-memory.dmp

Filesize
3.3MB

Download