cobaltstrike | d023d1cb6dc3e4ef885e15a357e8bc54db7b94555bc20aa9a2507dee87ef40ce

Analysis

max time kernel
150s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-12-2024 14:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-17_bfd79d61ff65b86e55b78f729bfcf3e1_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

bfd79d61ff65b86e55b78f729bfcf3e1
SHA1

b8370bab093ed9a93073384ea10c36a0542d7e3a
SHA256

d023d1cb6dc3e4ef885e15a357e8bc54db7b94555bc20aa9a2507dee87ef40ce
SHA512

c58be2b48357c8dd304d7da16ab8993f6d273b9d47d2a14a2b1ce3f7e9ef5fa9a1f3f7120772c6c8742f7270094effe1c8577e707e8a268ce2356d7d834bf505
SSDEEP

49152:ROdWCCi7/raN56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lV:RWWBib+56utgpPFotBER/mQ32lU5

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000b000000023bb1-4.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c92-12.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c93-19.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c94-25.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c95-30.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c96-37.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c97-42.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c98-47.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9a-59.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9b-69.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c8f-52.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9d-82.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9e-87.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9f-96.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca0-104.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca1-107.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca2-117.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca4-129.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca5-136.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca3-124.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9c-76.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 46 IoCs

miner

resource	yara_rule
behavioral2/memory/2536-56-0x00007FF617460000-0x00007FF6177B1000-memory.dmp	xmrig
behavioral2/memory/3672-60-0x00007FF712A80000-0x00007FF712DD1000-memory.dmp	xmrig
behavioral2/memory/916-65-0x00007FF6BA8D0000-0x00007FF6BAC21000-memory.dmp	xmrig
behavioral2/memory/1180-74-0x00007FF6ADEB0000-0x00007FF6AE201000-memory.dmp	xmrig
behavioral2/memory/4828-102-0x00007FF6C31B0000-0x00007FF6C3501000-memory.dmp	xmrig
behavioral2/memory/4684-94-0x00007FF795EF0000-0x00007FF796241000-memory.dmp	xmrig
behavioral2/memory/2056-88-0x00007FF69B820000-0x00007FF69BB71000-memory.dmp	xmrig
behavioral2/memory/3424-112-0x00007FF6E13A0000-0x00007FF6E16F1000-memory.dmp	xmrig
behavioral2/memory/1476-111-0x00007FF640F80000-0x00007FF6412D1000-memory.dmp	xmrig
behavioral2/memory/2700-81-0x00007FF651D10000-0x00007FF652061000-memory.dmp	xmrig
behavioral2/memory/2652-135-0x00007FF6F3CF0000-0x00007FF6F4041000-memory.dmp	xmrig
behavioral2/memory/1988-128-0x00007FF7C60B0000-0x00007FF7C6401000-memory.dmp	xmrig
behavioral2/memory/3192-138-0x00007FF62F1F0000-0x00007FF62F541000-memory.dmp	xmrig
behavioral2/memory/3936-116-0x00007FF7277E0000-0x00007FF727B31000-memory.dmp	xmrig
behavioral2/memory/556-139-0x00007FF7EB620000-0x00007FF7EB971000-memory.dmp	xmrig
behavioral2/memory/1796-140-0x00007FF788260000-0x00007FF7885B1000-memory.dmp	xmrig
behavioral2/memory/5040-141-0x00007FF732420000-0x00007FF732771000-memory.dmp	xmrig
behavioral2/memory/3644-142-0x00007FF78E4B0000-0x00007FF78E801000-memory.dmp	xmrig
behavioral2/memory/2552-143-0x00007FF66BDB0000-0x00007FF66C101000-memory.dmp	xmrig
behavioral2/memory/3672-144-0x00007FF712A80000-0x00007FF712DD1000-memory.dmp	xmrig
behavioral2/memory/696-157-0x00007FF6F0060000-0x00007FF6F03B1000-memory.dmp	xmrig
behavioral2/memory/4740-162-0x00007FF623730000-0x00007FF623A81000-memory.dmp	xmrig
behavioral2/memory/408-165-0x00007FF6FA450000-0x00007FF6FA7A1000-memory.dmp	xmrig
behavioral2/memory/3192-169-0x00007FF62F1F0000-0x00007FF62F541000-memory.dmp	xmrig
behavioral2/memory/3672-170-0x00007FF712A80000-0x00007FF712DD1000-memory.dmp	xmrig
behavioral2/memory/916-224-0x00007FF6BA8D0000-0x00007FF6BAC21000-memory.dmp	xmrig
behavioral2/memory/1180-226-0x00007FF6ADEB0000-0x00007FF6AE201000-memory.dmp	xmrig
behavioral2/memory/2700-228-0x00007FF651D10000-0x00007FF652061000-memory.dmp	xmrig
behavioral2/memory/2056-230-0x00007FF69B820000-0x00007FF69BB71000-memory.dmp	xmrig
behavioral2/memory/4684-232-0x00007FF795EF0000-0x00007FF796241000-memory.dmp	xmrig
behavioral2/memory/4828-234-0x00007FF6C31B0000-0x00007FF6C3501000-memory.dmp	xmrig
behavioral2/memory/1476-236-0x00007FF640F80000-0x00007FF6412D1000-memory.dmp	xmrig
behavioral2/memory/3936-242-0x00007FF7277E0000-0x00007FF727B31000-memory.dmp	xmrig
behavioral2/memory/2536-244-0x00007FF617460000-0x00007FF6177B1000-memory.dmp	xmrig
behavioral2/memory/1988-246-0x00007FF7C60B0000-0x00007FF7C6401000-memory.dmp	xmrig
behavioral2/memory/2652-248-0x00007FF6F3CF0000-0x00007FF6F4041000-memory.dmp	xmrig
behavioral2/memory/556-254-0x00007FF7EB620000-0x00007FF7EB971000-memory.dmp	xmrig
behavioral2/memory/1796-256-0x00007FF788260000-0x00007FF7885B1000-memory.dmp	xmrig
behavioral2/memory/5040-258-0x00007FF732420000-0x00007FF732771000-memory.dmp	xmrig
behavioral2/memory/3644-260-0x00007FF78E4B0000-0x00007FF78E801000-memory.dmp	xmrig
behavioral2/memory/2552-262-0x00007FF66BDB0000-0x00007FF66C101000-memory.dmp	xmrig
behavioral2/memory/3424-268-0x00007FF6E13A0000-0x00007FF6E16F1000-memory.dmp	xmrig
behavioral2/memory/696-270-0x00007FF6F0060000-0x00007FF6F03B1000-memory.dmp	xmrig
behavioral2/memory/4740-272-0x00007FF623730000-0x00007FF623A81000-memory.dmp	xmrig
behavioral2/memory/408-275-0x00007FF6FA450000-0x00007FF6FA7A1000-memory.dmp	xmrig
behavioral2/memory/3192-277-0x00007FF62F1F0000-0x00007FF62F541000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
916	DWxjZEB.exe
1180	jFzjSTb.exe
2700	fhCqIPF.exe
2056	SOBjSZX.exe
4684	PIQgEnC.exe
4828	KFEZTxb.exe
1476	XMQFGIP.exe
3936	NDCyjUj.exe
2536	RDiWlnC.exe
1988	qUjdotK.exe
2652	ElkYStc.exe
556	jCyNeCX.exe
1796	WJDmBGo.exe
5040	TdJeLGo.exe
3644	QaqnHxa.exe
2552	hkOmvXG.exe
3424	MnWbRtx.exe
696	RrozAfT.exe
4740	LEIOJNS.exe
408	ZRLFtAW.exe
3192	tDZGSDu.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3672-0-0x00007FF712A80000-0x00007FF712DD1000-memory.dmp	upx
behavioral2/files/0x000b000000023bb1-4.dat	upx
behavioral2/files/0x0007000000023c92-12.dat	upx
behavioral2/files/0x0007000000023c93-19.dat	upx
behavioral2/memory/2700-18-0x00007FF651D10000-0x00007FF652061000-memory.dmp	upx
behavioral2/memory/1180-14-0x00007FF6ADEB0000-0x00007FF6AE201000-memory.dmp	upx
behavioral2/files/0x0007000000023c94-25.dat	upx
behavioral2/files/0x0007000000023c95-30.dat	upx
behavioral2/memory/4828-36-0x00007FF6C31B0000-0x00007FF6C3501000-memory.dmp	upx
behavioral2/files/0x0007000000023c96-37.dat	upx
behavioral2/memory/4684-34-0x00007FF795EF0000-0x00007FF796241000-memory.dmp	upx
behavioral2/files/0x0007000000023c97-42.dat	upx
behavioral2/files/0x0007000000023c98-47.dat	upx
behavioral2/memory/3936-48-0x00007FF7277E0000-0x00007FF727B31000-memory.dmp	upx
behavioral2/memory/1476-43-0x00007FF640F80000-0x00007FF6412D1000-memory.dmp	upx
behavioral2/memory/2536-56-0x00007FF617460000-0x00007FF6177B1000-memory.dmp	upx
behavioral2/files/0x0007000000023c9a-59.dat	upx
behavioral2/memory/3672-60-0x00007FF712A80000-0x00007FF712DD1000-memory.dmp	upx
behavioral2/memory/916-65-0x00007FF6BA8D0000-0x00007FF6BAC21000-memory.dmp	upx
behavioral2/files/0x0007000000023c9b-69.dat	upx
behavioral2/memory/2652-66-0x00007FF6F3CF0000-0x00007FF6F4041000-memory.dmp	upx
behavioral2/memory/1988-61-0x00007FF7C60B0000-0x00007FF7C6401000-memory.dmp	upx
behavioral2/files/0x0008000000023c8f-52.dat	upx
behavioral2/memory/1180-74-0x00007FF6ADEB0000-0x00007FF6AE201000-memory.dmp	upx
behavioral2/files/0x0007000000023c9d-82.dat	upx
behavioral2/files/0x0007000000023c9e-87.dat	upx
behavioral2/memory/5040-89-0x00007FF732420000-0x00007FF732771000-memory.dmp	upx
behavioral2/files/0x0007000000023c9f-96.dat	upx
behavioral2/files/0x0007000000023ca0-104.dat	upx
behavioral2/memory/2552-103-0x00007FF66BDB0000-0x00007FF66C101000-memory.dmp	upx
behavioral2/memory/4828-102-0x00007FF6C31B0000-0x00007FF6C3501000-memory.dmp	upx
behavioral2/memory/3644-95-0x00007FF78E4B0000-0x00007FF78E801000-memory.dmp	upx
behavioral2/memory/4684-94-0x00007FF795EF0000-0x00007FF796241000-memory.dmp	upx
behavioral2/memory/2056-88-0x00007FF69B820000-0x00007FF69BB71000-memory.dmp	upx
behavioral2/memory/1796-86-0x00007FF788260000-0x00007FF7885B1000-memory.dmp	upx
behavioral2/files/0x0007000000023ca1-107.dat	upx
behavioral2/memory/3424-112-0x00007FF6E13A0000-0x00007FF6E16F1000-memory.dmp	upx
behavioral2/memory/1476-111-0x00007FF640F80000-0x00007FF6412D1000-memory.dmp	upx
behavioral2/memory/2700-81-0x00007FF651D10000-0x00007FF652061000-memory.dmp	upx
behavioral2/files/0x0007000000023ca2-117.dat	upx
behavioral2/files/0x0007000000023ca4-129.dat	upx
behavioral2/files/0x0007000000023ca5-136.dat	upx
behavioral2/memory/2652-135-0x00007FF6F3CF0000-0x00007FF6F4041000-memory.dmp	upx
behavioral2/memory/1988-128-0x00007FF7C60B0000-0x00007FF7C6401000-memory.dmp	upx
behavioral2/memory/408-131-0x00007FF6FA450000-0x00007FF6FA7A1000-memory.dmp	upx
behavioral2/files/0x0007000000023ca3-124.dat	upx
behavioral2/memory/3192-138-0x00007FF62F1F0000-0x00007FF62F541000-memory.dmp	upx
behavioral2/memory/4740-123-0x00007FF623730000-0x00007FF623A81000-memory.dmp	upx
behavioral2/memory/696-121-0x00007FF6F0060000-0x00007FF6F03B1000-memory.dmp	upx
behavioral2/memory/3936-116-0x00007FF7277E0000-0x00007FF727B31000-memory.dmp	upx
behavioral2/files/0x0007000000023c9c-76.dat	upx
behavioral2/memory/556-75-0x00007FF7EB620000-0x00007FF7EB971000-memory.dmp	upx
behavioral2/memory/2056-24-0x00007FF69B820000-0x00007FF69BB71000-memory.dmp	upx
behavioral2/memory/916-8-0x00007FF6BA8D0000-0x00007FF6BAC21000-memory.dmp	upx
behavioral2/memory/556-139-0x00007FF7EB620000-0x00007FF7EB971000-memory.dmp	upx
behavioral2/memory/1796-140-0x00007FF788260000-0x00007FF7885B1000-memory.dmp	upx
behavioral2/memory/5040-141-0x00007FF732420000-0x00007FF732771000-memory.dmp	upx
behavioral2/memory/3644-142-0x00007FF78E4B0000-0x00007FF78E801000-memory.dmp	upx
behavioral2/memory/2552-143-0x00007FF66BDB0000-0x00007FF66C101000-memory.dmp	upx
behavioral2/memory/3672-144-0x00007FF712A80000-0x00007FF712DD1000-memory.dmp	upx
behavioral2/memory/696-157-0x00007FF6F0060000-0x00007FF6F03B1000-memory.dmp	upx
behavioral2/memory/4740-162-0x00007FF623730000-0x00007FF623A81000-memory.dmp	upx
behavioral2/memory/408-165-0x00007FF6FA450000-0x00007FF6FA7A1000-memory.dmp	upx
behavioral2/memory/3192-169-0x00007FF62F1F0000-0x00007FF62F541000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\RrozAfT.exe	2024-12-17_bfd79d61ff65b86e55b78f729bfcf3e1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KFEZTxb.exe	2024-12-17_bfd79d61ff65b86e55b78f729bfcf3e1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ElkYStc.exe	2024-12-17_bfd79d61ff65b86e55b78f729bfcf3e1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TdJeLGo.exe	2024-12-17_bfd79d61ff65b86e55b78f729bfcf3e1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LEIOJNS.exe	2024-12-17_bfd79d61ff65b86e55b78f729bfcf3e1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZRLFtAW.exe	2024-12-17_bfd79d61ff65b86e55b78f729bfcf3e1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tDZGSDu.exe	2024-12-17_bfd79d61ff65b86e55b78f729bfcf3e1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fhCqIPF.exe	2024-12-17_bfd79d61ff65b86e55b78f729bfcf3e1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QaqnHxa.exe	2024-12-17_bfd79d61ff65b86e55b78f729bfcf3e1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MnWbRtx.exe	2024-12-17_bfd79d61ff65b86e55b78f729bfcf3e1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PIQgEnC.exe	2024-12-17_bfd79d61ff65b86e55b78f729bfcf3e1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XMQFGIP.exe	2024-12-17_bfd79d61ff65b86e55b78f729bfcf3e1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NDCyjUj.exe	2024-12-17_bfd79d61ff65b86e55b78f729bfcf3e1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RDiWlnC.exe	2024-12-17_bfd79d61ff65b86e55b78f729bfcf3e1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qUjdotK.exe	2024-12-17_bfd79d61ff65b86e55b78f729bfcf3e1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DWxjZEB.exe	2024-12-17_bfd79d61ff65b86e55b78f729bfcf3e1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jFzjSTb.exe	2024-12-17_bfd79d61ff65b86e55b78f729bfcf3e1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SOBjSZX.exe	2024-12-17_bfd79d61ff65b86e55b78f729bfcf3e1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jCyNeCX.exe	2024-12-17_bfd79d61ff65b86e55b78f729bfcf3e1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WJDmBGo.exe	2024-12-17_bfd79d61ff65b86e55b78f729bfcf3e1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hkOmvXG.exe	2024-12-17_bfd79d61ff65b86e55b78f729bfcf3e1_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3672	2024-12-17_bfd79d61ff65b86e55b78f729bfcf3e1_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	3672	2024-12-17_bfd79d61ff65b86e55b78f729bfcf3e1_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3672 wrote to memory of 916	3672	2024-12-17_bfd79d61ff65b86e55b78f729bfcf3e1_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3672 wrote to memory of 916	3672	2024-12-17_bfd79d61ff65b86e55b78f729bfcf3e1_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3672 wrote to memory of 1180	3672	2024-12-17_bfd79d61ff65b86e55b78f729bfcf3e1_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3672 wrote to memory of 1180	3672	2024-12-17_bfd79d61ff65b86e55b78f729bfcf3e1_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3672 wrote to memory of 2700	3672	2024-12-17_bfd79d61ff65b86e55b78f729bfcf3e1_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3672 wrote to memory of 2700	3672	2024-12-17_bfd79d61ff65b86e55b78f729bfcf3e1_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3672 wrote to memory of 2056	3672	2024-12-17_bfd79d61ff65b86e55b78f729bfcf3e1_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3672 wrote to memory of 2056	3672	2024-12-17_bfd79d61ff65b86e55b78f729bfcf3e1_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3672 wrote to memory of 4684	3672	2024-12-17_bfd79d61ff65b86e55b78f729bfcf3e1_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3672 wrote to memory of 4684	3672	2024-12-17_bfd79d61ff65b86e55b78f729bfcf3e1_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3672 wrote to memory of 4828	3672	2024-12-17_bfd79d61ff65b86e55b78f729bfcf3e1_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3672 wrote to memory of 4828	3672	2024-12-17_bfd79d61ff65b86e55b78f729bfcf3e1_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3672 wrote to memory of 1476	3672	2024-12-17_bfd79d61ff65b86e55b78f729bfcf3e1_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3672 wrote to memory of 1476	3672	2024-12-17_bfd79d61ff65b86e55b78f729bfcf3e1_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3672 wrote to memory of 3936	3672	2024-12-17_bfd79d61ff65b86e55b78f729bfcf3e1_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3672 wrote to memory of 3936	3672	2024-12-17_bfd79d61ff65b86e55b78f729bfcf3e1_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3672 wrote to memory of 2536	3672	2024-12-17_bfd79d61ff65b86e55b78f729bfcf3e1_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3672 wrote to memory of 2536	3672	2024-12-17_bfd79d61ff65b86e55b78f729bfcf3e1_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3672 wrote to memory of 1988	3672	2024-12-17_bfd79d61ff65b86e55b78f729bfcf3e1_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3672 wrote to memory of 1988	3672	2024-12-17_bfd79d61ff65b86e55b78f729bfcf3e1_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3672 wrote to memory of 2652	3672	2024-12-17_bfd79d61ff65b86e55b78f729bfcf3e1_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3672 wrote to memory of 2652	3672	2024-12-17_bfd79d61ff65b86e55b78f729bfcf3e1_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3672 wrote to memory of 556	3672	2024-12-17_bfd79d61ff65b86e55b78f729bfcf3e1_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3672 wrote to memory of 556	3672	2024-12-17_bfd79d61ff65b86e55b78f729bfcf3e1_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3672 wrote to memory of 1796	3672	2024-12-17_bfd79d61ff65b86e55b78f729bfcf3e1_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3672 wrote to memory of 1796	3672	2024-12-17_bfd79d61ff65b86e55b78f729bfcf3e1_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3672 wrote to memory of 5040	3672	2024-12-17_bfd79d61ff65b86e55b78f729bfcf3e1_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3672 wrote to memory of 5040	3672	2024-12-17_bfd79d61ff65b86e55b78f729bfcf3e1_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3672 wrote to memory of 3644	3672	2024-12-17_bfd79d61ff65b86e55b78f729bfcf3e1_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3672 wrote to memory of 3644	3672	2024-12-17_bfd79d61ff65b86e55b78f729bfcf3e1_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3672 wrote to memory of 2552	3672	2024-12-17_bfd79d61ff65b86e55b78f729bfcf3e1_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3672 wrote to memory of 2552	3672	2024-12-17_bfd79d61ff65b86e55b78f729bfcf3e1_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3672 wrote to memory of 3424	3672	2024-12-17_bfd79d61ff65b86e55b78f729bfcf3e1_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3672 wrote to memory of 3424	3672	2024-12-17_bfd79d61ff65b86e55b78f729bfcf3e1_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3672 wrote to memory of 696	3672	2024-12-17_bfd79d61ff65b86e55b78f729bfcf3e1_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3672 wrote to memory of 696	3672	2024-12-17_bfd79d61ff65b86e55b78f729bfcf3e1_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3672 wrote to memory of 4740	3672	2024-12-17_bfd79d61ff65b86e55b78f729bfcf3e1_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3672 wrote to memory of 4740	3672	2024-12-17_bfd79d61ff65b86e55b78f729bfcf3e1_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3672 wrote to memory of 408	3672	2024-12-17_bfd79d61ff65b86e55b78f729bfcf3e1_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3672 wrote to memory of 408	3672	2024-12-17_bfd79d61ff65b86e55b78f729bfcf3e1_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3672 wrote to memory of 3192	3672	2024-12-17_bfd79d61ff65b86e55b78f729bfcf3e1_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 3672 wrote to memory of 3192	3672	2024-12-17_bfd79d61ff65b86e55b78f729bfcf3e1_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-12-17_bfd79d61ff65b86e55b78f729bfcf3e1_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-17_bfd79d61ff65b86e55b78f729bfcf3e1_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3672
- C:\Windows\System\DWxjZEB.exe
  C:\Windows\System\DWxjZEB.exe
  2⤵
  - Executes dropped EXE
  PID:916
- C:\Windows\System\jFzjSTb.exe
  C:\Windows\System\jFzjSTb.exe
  2⤵
  - Executes dropped EXE
  PID:1180
- C:\Windows\System\fhCqIPF.exe
  C:\Windows\System\fhCqIPF.exe
  2⤵
  - Executes dropped EXE
  PID:2700
- C:\Windows\System\SOBjSZX.exe
  C:\Windows\System\SOBjSZX.exe
  2⤵
  - Executes dropped EXE
  PID:2056
- C:\Windows\System\PIQgEnC.exe
  C:\Windows\System\PIQgEnC.exe
  2⤵
  - Executes dropped EXE
  PID:4684
- C:\Windows\System\KFEZTxb.exe
  C:\Windows\System\KFEZTxb.exe
  2⤵
  - Executes dropped EXE
  PID:4828
- C:\Windows\System\XMQFGIP.exe
  C:\Windows\System\XMQFGIP.exe
  2⤵
  - Executes dropped EXE
  PID:1476
- C:\Windows\System\NDCyjUj.exe
  C:\Windows\System\NDCyjUj.exe
  2⤵
  - Executes dropped EXE
  PID:3936
- C:\Windows\System\RDiWlnC.exe
  C:\Windows\System\RDiWlnC.exe
  2⤵
  - Executes dropped EXE
  PID:2536
- C:\Windows\System\qUjdotK.exe
  C:\Windows\System\qUjdotK.exe
  2⤵
  - Executes dropped EXE
  PID:1988
- C:\Windows\System\ElkYStc.exe
  C:\Windows\System\ElkYStc.exe
  2⤵
  - Executes dropped EXE
  PID:2652
- C:\Windows\System\jCyNeCX.exe
  C:\Windows\System\jCyNeCX.exe
  2⤵
  - Executes dropped EXE
  PID:556
- C:\Windows\System\WJDmBGo.exe
  C:\Windows\System\WJDmBGo.exe
  2⤵
  - Executes dropped EXE
  PID:1796
- C:\Windows\System\TdJeLGo.exe
  C:\Windows\System\TdJeLGo.exe
  2⤵
  - Executes dropped EXE
  PID:5040
- C:\Windows\System\QaqnHxa.exe
  C:\Windows\System\QaqnHxa.exe
  2⤵
  - Executes dropped EXE
  PID:3644
- C:\Windows\System\hkOmvXG.exe
  C:\Windows\System\hkOmvXG.exe
  2⤵
  - Executes dropped EXE
  PID:2552
- C:\Windows\System\MnWbRtx.exe
  C:\Windows\System\MnWbRtx.exe
  2⤵
  - Executes dropped EXE
  PID:3424
- C:\Windows\System\RrozAfT.exe
  C:\Windows\System\RrozAfT.exe
  2⤵
  - Executes dropped EXE
  PID:696
- C:\Windows\System\LEIOJNS.exe
  C:\Windows\System\LEIOJNS.exe
  2⤵
  - Executes dropped EXE
  PID:4740
- C:\Windows\System\ZRLFtAW.exe
  C:\Windows\System\ZRLFtAW.exe
  2⤵
  - Executes dropped EXE
  PID:408
- C:\Windows\System\tDZGSDu.exe
  C:\Windows\System\tDZGSDu.exe
  2⤵
  - Executes dropped EXE
  PID:3192

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\DWxjZEB.exe

Filesize
5.2MB

MD5
03ae6f2a7e246c51799d6e7324190b6a

SHA1
2faec86b2025e932d7acc5d64eece7aa8712027f

SHA256
fa8a45086904197f98d3d79391bbd2a05cee3bcc199b7edd904ef2eac2dc2e44

SHA512
d0d261bb9729ffd3da49c005fe23320034a047d08a2ee736f589060c473a9bc8747f2cbe06c1e49d5e33f46b9d6dfc3421008d045b94b2733f22cb09a054763e

Download Submit
C:\Windows\System\ElkYStc.exe

Filesize
5.2MB

MD5
6f7c44e99ab97acf02b6ec638cac6adc

SHA1
1d438218d697a8dd525b416430479c26648bc9c0

SHA256
fd8c533599810c4f2f700963ea3b5dde5b286d2beffb5a06c76a97e3d31dcb25

SHA512
fdb7c1e49ff895b3024f63bd144f97ab08016a1638ad31dc04b9bd60d1570eff100075a2b516f68edf671a2a17b62ace0ffc22771371867f0185f274dd46619f

Download Submit
C:\Windows\System\KFEZTxb.exe

Filesize
5.2MB

MD5
df21543da5894b183b64741c3d2a6487

SHA1
0e0c865e81036fc5bd299f9bab20290d94d6ad90

SHA256
e0f2cea96c642442b201abf306627f83d0097144025f8676e63d488c0628081a

SHA512
972b9e8696bf8688114183adfb06cd5ffb3c366e888eab12b12c36676f935053d3c56f7d94c76d9f06690d8cdbb2399bca8dd37bcec1bf5ae3c92dc43354eb2b

Download Submit
C:\Windows\System\LEIOJNS.exe

Filesize
5.2MB

MD5
d3c0d0a930293d154975d3fc8e2ddf58

SHA1
cc7f0581dbe97956007e67a131595a34ad68e57e

SHA256
c969c7035132c0bb5808a9a689ac055836772aef341000529128e3ba6b7e093b

SHA512
6bdfc2ff5b0e8ffb5e6aaa1ccb21961baf151bcb59978e8e7ed09ac9554169befbf769e52c5ddb9b184aca84cde23039a41e6990ed4f19d7d412a1d612abf5e6

Download Submit
C:\Windows\System\MnWbRtx.exe

Filesize
5.2MB

MD5
63298503a6aa0e7f7aab59859cfeaa6c

SHA1
3e80a64e9835bbe825b2d8b2b822f97680fcceac

SHA256
187fc17c7a1de0d9b0fa9570179d5e30c49721b6ffd7adf95dc50b6818fe9412

SHA512
c7d5ee1bdd88c616092a08336d4a467cfbb9776dba3881cc67d811a4819b1be7f6eacb8629df3846a2e61f8fb5c363fc638bc8dd3fb5db09552af6b7b62453d4

Download Submit
C:\Windows\System\NDCyjUj.exe

Filesize
5.2MB

MD5
bea90eb35313faae63b9962a78214249

SHA1
9e2cddcedc4aae686f043ae01cfd1de2236fc7c2

SHA256
f4ccdb0d365e0f174e5b25f5012d3bfb70159e3051a6d8ca84fa12e6371e75fb

SHA512
9a2ead182f6df6dec66550dd727699837ed8008c10ef3fdc830f833f876d832d81eda3da31c72490bca595024df2be97d276417fe573dd7edbf6ba8a27486aad

Download Submit
C:\Windows\System\PIQgEnC.exe

Filesize
5.2MB

MD5
453bef8ef0e9862dce7bcd2b87098d06

SHA1
b7a7f026bd351a8e1f648fa78b46f19c2f56511d

SHA256
de7416bf9a03402715855389536b00f4b751424319f0234e45ff9f356a38989e

SHA512
0684d9c3716009f645536808e9d6e4b6d5dce1b23d2fac1cbdb1cba980bbc2455555e9ce68e1f898081295a67a0344a8b96b5e81811ff905b97907897497dc2e

Download Submit
C:\Windows\System\QaqnHxa.exe

Filesize
5.2MB

MD5
b9eb939ccde0512d131b23d77d46819e

SHA1
e378e6d3ba55f23a891c5d019b46676472c32341

SHA256
31fc456390791a994bdfe61863f160790e5a2eba8d41a7ba88a500dd9b458fe0

SHA512
dc95218f5b7589a27c7aa06124b37d58b7d5c230a85bebbca372cb5d05da09fa5ceb6c808e10f8ea06bd0117133e5948552da0cafb09f31c6a02281ebc6613cb

Download Submit
C:\Windows\System\RDiWlnC.exe

Filesize
5.2MB

MD5
64e31394cda973c0fc2773f8148d147d

SHA1
638d9cd8b409fa781a813d77f564ff25e55f52f3

SHA256
750ca24093fbff06072dd9ab4fea91ca4e970c784a4127071dd5e7205611edcf

SHA512
69a727f098457e416657844a6851b68e07bce80e9763216e70473199df04c03da6eb6895d88ed941d0208d1a036b02a3bb1a9c19a481cc216aa062e9b9260cdc

Download Submit
C:\Windows\System\RrozAfT.exe

Filesize
5.2MB

MD5
1d8ccbe4d3aacad3ef7d6cca0f602652

SHA1
baa4891f574111c7c9ee476eb25e1a1a437c606a

SHA256
154be26ca3c709fde9086af5937e88d356257d62549e0ad08e94f769feecf51b

SHA512
95077f774a07b51d1ee5fb686cff8213894ca7eac3ff9a4ea16485d55ae59504077a2fd7959fdc7737b5db11ad33326c5a03c4d43d28323c2fcc929b83ca09c6

Download Submit
C:\Windows\System\SOBjSZX.exe

Filesize
5.2MB

MD5
41268e910ddc285cd49eb42b2b0bc6f8

SHA1
8dad2184986f8ed2dab54fc5fb9deeb7e6aa613c

SHA256
c52c6e75cad155b39d33362a805ef9073b6fd8c91c011bf6138fb73474fd3f1d

SHA512
374a60a60ac2da5b7baef017686a04d7810ed0c0d899aa2413594a18cab8b6996c672d9a17e76055b74664e1a8694a3c2b2db6f9521e7270a072be49237831e9

Download Submit
C:\Windows\System\TdJeLGo.exe

Filesize
5.2MB

MD5
9f32b6004db589c57ba1923310a9ef98

SHA1
5a3a2bcac28bd0f42a78f2ecfd9b4736f504d651

SHA256
7dd2bcf0cba07e0a6392bb38fc57aae965647538b85f554953bc99ac32071564

SHA512
70654abb10409856c585a862f922a7a90eb173d0ea6b054624a1ba46fe29616743542bfeecd8116b5c3467ac9dbe5323d7f6300b80241e7bb1bdbb401e14c45a

Download Submit
C:\Windows\System\WJDmBGo.exe

Filesize
5.2MB

MD5
c9edb0d78e2883d38ce18a4a4e9a767c

SHA1
67c49f6146dd99636e9642ac572aa0a8717a89ac

SHA256
b6c00ef96613a282778de9b0aff48a7dc5cad564ed681a3af7c67f3b1eb8199b

SHA512
5d3adea7a22842d7d9080ddf94273266455c1111d5337a81db639953e67c47a79bcf5381b1d46df451036dba9529300dc3c324e6145df0afa50bc4d5b7fdeb20

Download Submit
C:\Windows\System\XMQFGIP.exe

Filesize
5.2MB

MD5
f55f47bf83e92ba7dae73b1640c12bb7

SHA1
3b164ead869e0046833980867023938f53d1a498

SHA256
0cd8508cab434daeb62011cf050fe8d98247dc9602436e8e362a38faa63fb0bb

SHA512
8a48b3fd4809f188bf55d28c1c69701455784e5374dd130f1eb95885eea6604f8e7342cec373675e39321c6627fc96df8639cbe6de48107135ebcbfe7d1ddbbd

Download Submit
C:\Windows\System\ZRLFtAW.exe

Filesize
5.2MB

MD5
b99e03ca83b365cd16185383407f2842

SHA1
1d6905a4378f11065c285b7a56c411e49b0b7e19

SHA256
8c1b1b51d198c782124854f9e515a29cac75b38f2752915c694a37aaeb40b24b

SHA512
dcf265bea04ae84bba79a14cf9a58f56dedb7a53c13af375864154089327a24ad801afa7f48aa62178cbe3b6ff68975769b6f48e6b8bd9c8a39cf22e3b5df6bc

Download Submit
C:\Windows\System\fhCqIPF.exe

Filesize
5.2MB

MD5
c6c69e3e540428a6f46d07eb745c2532

SHA1
9fbd870adf305297e70175985d54321d1ef81742

SHA256
b6655ef4c2622d9e8dd9329d25c381bea8a5e9cb1ddfcabd80b77c2ec8be81a6

SHA512
2678d7b2ca9500a2ddbad072120d376973a39f8923be6aea02ecf89867a33e452fe7107e29b5130bca326215cbcd0a8aece3021fbcc3d93b6959b5f1562b6f09

Download Submit
C:\Windows\System\hkOmvXG.exe

Filesize
5.2MB

MD5
c389e4323b74fdb876f48b06cc31423f

SHA1
356c31a434097138a168ab976fe2892087b064f0

SHA256
a09d2a37ba96735a9142d5bd4e8ad00e874da54a606d404e88fd912089cc5cd8

SHA512
36c6e4a826332bea8634bd9c113e08dba62cbda5551bcfa8f7ee8fb0fbd973762d2502ef09a0cbff1fa3993d79a2b925c57b37db4e2b21faed08dd7a71d0e2e4

Download Submit
C:\Windows\System\jCyNeCX.exe

Filesize
5.2MB

MD5
25585648c368c46920cc432f0c3625cb

SHA1
c16fc118a13c98cf6d826750ec116629ad31bf2a

SHA256
29b1e6c622afd070bad5f7a5b77bb681a87b4a80a05b1cafc8d4c28860d8d8fc

SHA512
1ecca005af4bade9de1b2fa4ceba3b29c8d008893be9a2cfb341b62b98d75449af7ac7801932115479896b281c20f73c54a5251f0a808730db3cb1ed90d16561

Download Submit
C:\Windows\System\jFzjSTb.exe

Filesize
5.2MB

MD5
5ef5e200129e01445cc4601b50713234

SHA1
52d8ca89c46044a3d8238e55226085cd0b27f9b6

SHA256
a36b0359e55128dee2aad9800800637e58444bf30d2f8fbe4727fd18bd484b17

SHA512
a30f11824050ed79b497146f6f49d6deaca365795960a18e2e73a50a45bb5824f584bad7dbba49f4657adef65ce522a71e145c986626e23dc816089e6a558ef9

Download Submit
C:\Windows\System\qUjdotK.exe

Filesize
5.2MB

MD5
6b29af37bcacf959ebc60805bc8bf6f2

SHA1
784a5451608d7a0c9eb83d9c849f11056c4a5f99

SHA256
61feb47b438e0a3189267055ea13be4f07bc22489456058ef027d51f57246e5d

SHA512
553c12e521136a1b178171d4ff9768de1b34ce56b98c675bd911494d9d0adb722c70440d96f72b66986029f9190eeb55f9d9406a94402c4827afa1d6aea04015

Download Submit
C:\Windows\System\tDZGSDu.exe

Filesize
5.2MB

MD5
f648d2d1fc437f7a0d45b4d40cab77fa

SHA1
a4d8d31429622d06f4b0dd308279ba6cffea9790

SHA256
22f43092bbb49de3a161fb7ba2a469ac37778a8dd9a14343196491f1e0d0df9e

SHA512
feff7ad8af8172b616d613a4f327ad7075c206ed1fea903506f01c8b55bb24a0ebc9b2c6d6adb6e1804d73ca8a5fd503868f76ca7c36538dd1a29e9524705c10

Download Submit
memory/408-275-0x00007FF6FA450000-0x00007FF6FA7A1000-memory.dmp

Filesize
3.3MB

Download
memory/408-131-0x00007FF6FA450000-0x00007FF6FA7A1000-memory.dmp

Filesize
3.3MB

Download
memory/408-165-0x00007FF6FA450000-0x00007FF6FA7A1000-memory.dmp

Filesize
3.3MB

Download
memory/556-75-0x00007FF7EB620000-0x00007FF7EB971000-memory.dmp

Filesize
3.3MB

Download
memory/556-254-0x00007FF7EB620000-0x00007FF7EB971000-memory.dmp

Filesize
3.3MB

Download
memory/556-139-0x00007FF7EB620000-0x00007FF7EB971000-memory.dmp

Filesize
3.3MB

Download
memory/696-270-0x00007FF6F0060000-0x00007FF6F03B1000-memory.dmp

Filesize
3.3MB

Download
memory/696-121-0x00007FF6F0060000-0x00007FF6F03B1000-memory.dmp

Filesize
3.3MB

Download
memory/696-157-0x00007FF6F0060000-0x00007FF6F03B1000-memory.dmp

Filesize
3.3MB

Download
memory/916-224-0x00007FF6BA8D0000-0x00007FF6BAC21000-memory.dmp

Filesize
3.3MB

Download
memory/916-8-0x00007FF6BA8D0000-0x00007FF6BAC21000-memory.dmp

Filesize
3.3MB

Download
memory/916-65-0x00007FF6BA8D0000-0x00007FF6BAC21000-memory.dmp

Filesize
3.3MB

Download
memory/1180-14-0x00007FF6ADEB0000-0x00007FF6AE201000-memory.dmp

Filesize
3.3MB

Download
memory/1180-74-0x00007FF6ADEB0000-0x00007FF6AE201000-memory.dmp

Filesize
3.3MB

Download
memory/1180-226-0x00007FF6ADEB0000-0x00007FF6AE201000-memory.dmp

Filesize
3.3MB

Download
memory/1476-236-0x00007FF640F80000-0x00007FF6412D1000-memory.dmp

Filesize
3.3MB

Download
memory/1476-111-0x00007FF640F80000-0x00007FF6412D1000-memory.dmp

Filesize
3.3MB

Download
memory/1476-43-0x00007FF640F80000-0x00007FF6412D1000-memory.dmp

Filesize
3.3MB

Download
memory/1796-86-0x00007FF788260000-0x00007FF7885B1000-memory.dmp

Filesize
3.3MB

Download
memory/1796-140-0x00007FF788260000-0x00007FF7885B1000-memory.dmp

Filesize
3.3MB

Download
memory/1796-256-0x00007FF788260000-0x00007FF7885B1000-memory.dmp

Filesize
3.3MB

Download
memory/1988-61-0x00007FF7C60B0000-0x00007FF7C6401000-memory.dmp

Filesize
3.3MB

Download
memory/1988-128-0x00007FF7C60B0000-0x00007FF7C6401000-memory.dmp

Filesize
3.3MB

Download
memory/1988-246-0x00007FF7C60B0000-0x00007FF7C6401000-memory.dmp

Filesize
3.3MB

Download
memory/2056-88-0x00007FF69B820000-0x00007FF69BB71000-memory.dmp

Filesize
3.3MB

Download
memory/2056-230-0x00007FF69B820000-0x00007FF69BB71000-memory.dmp

Filesize
3.3MB

Download
memory/2056-24-0x00007FF69B820000-0x00007FF69BB71000-memory.dmp

Filesize
3.3MB

Download
memory/2536-244-0x00007FF617460000-0x00007FF6177B1000-memory.dmp

Filesize
3.3MB

Download
memory/2536-56-0x00007FF617460000-0x00007FF6177B1000-memory.dmp

Filesize
3.3MB

Download
memory/2552-262-0x00007FF66BDB0000-0x00007FF66C101000-memory.dmp

Filesize
3.3MB

Download
memory/2552-143-0x00007FF66BDB0000-0x00007FF66C101000-memory.dmp

Filesize
3.3MB

Download
memory/2552-103-0x00007FF66BDB0000-0x00007FF66C101000-memory.dmp

Filesize
3.3MB

Download
memory/2652-248-0x00007FF6F3CF0000-0x00007FF6F4041000-memory.dmp

Filesize
3.3MB

Download
memory/2652-135-0x00007FF6F3CF0000-0x00007FF6F4041000-memory.dmp

Filesize
3.3MB

Download
memory/2652-66-0x00007FF6F3CF0000-0x00007FF6F4041000-memory.dmp

Filesize
3.3MB

Download
memory/2700-18-0x00007FF651D10000-0x00007FF652061000-memory.dmp

Filesize
3.3MB

Download
memory/2700-228-0x00007FF651D10000-0x00007FF652061000-memory.dmp

Filesize
3.3MB

Download
memory/2700-81-0x00007FF651D10000-0x00007FF652061000-memory.dmp

Filesize
3.3MB

Download
memory/3192-277-0x00007FF62F1F0000-0x00007FF62F541000-memory.dmp

Filesize
3.3MB

Download
memory/3192-138-0x00007FF62F1F0000-0x00007FF62F541000-memory.dmp

Filesize
3.3MB

Download
memory/3192-169-0x00007FF62F1F0000-0x00007FF62F541000-memory.dmp

Filesize
3.3MB

Download
memory/3424-112-0x00007FF6E13A0000-0x00007FF6E16F1000-memory.dmp

Filesize
3.3MB

Download
memory/3424-268-0x00007FF6E13A0000-0x00007FF6E16F1000-memory.dmp

Filesize
3.3MB

Download
memory/3644-142-0x00007FF78E4B0000-0x00007FF78E801000-memory.dmp

Filesize
3.3MB

Download
memory/3644-260-0x00007FF78E4B0000-0x00007FF78E801000-memory.dmp

Filesize
3.3MB

Download
memory/3644-95-0x00007FF78E4B0000-0x00007FF78E801000-memory.dmp

Filesize
3.3MB

Download
memory/3672-170-0x00007FF712A80000-0x00007FF712DD1000-memory.dmp

Filesize
3.3MB

Download
memory/3672-1-0x0000023F1A680000-0x0000023F1A690000-memory.dmp

Filesize
64KB

Download
memory/3672-60-0x00007FF712A80000-0x00007FF712DD1000-memory.dmp

Filesize
3.3MB

Download
memory/3672-144-0x00007FF712A80000-0x00007FF712DD1000-memory.dmp

Filesize
3.3MB

Download
memory/3672-0-0x00007FF712A80000-0x00007FF712DD1000-memory.dmp

Filesize
3.3MB

Download
memory/3936-48-0x00007FF7277E0000-0x00007FF727B31000-memory.dmp

Filesize
3.3MB

Download
memory/3936-242-0x00007FF7277E0000-0x00007FF727B31000-memory.dmp

Filesize
3.3MB

Download
memory/3936-116-0x00007FF7277E0000-0x00007FF727B31000-memory.dmp

Filesize
3.3MB

Download
memory/4684-232-0x00007FF795EF0000-0x00007FF796241000-memory.dmp

Filesize
3.3MB

Download
memory/4684-34-0x00007FF795EF0000-0x00007FF796241000-memory.dmp

Filesize
3.3MB

Download
memory/4684-94-0x00007FF795EF0000-0x00007FF796241000-memory.dmp

Filesize
3.3MB

Download
memory/4740-162-0x00007FF623730000-0x00007FF623A81000-memory.dmp

Filesize
3.3MB

Download
memory/4740-123-0x00007FF623730000-0x00007FF623A81000-memory.dmp

Filesize
3.3MB

Download
memory/4740-272-0x00007FF623730000-0x00007FF623A81000-memory.dmp

Filesize
3.3MB

Download
memory/4828-234-0x00007FF6C31B0000-0x00007FF6C3501000-memory.dmp

Filesize
3.3MB

Download
memory/4828-36-0x00007FF6C31B0000-0x00007FF6C3501000-memory.dmp

Filesize
3.3MB

Download
memory/4828-102-0x00007FF6C31B0000-0x00007FF6C3501000-memory.dmp

Filesize
3.3MB

Download
memory/5040-141-0x00007FF732420000-0x00007FF732771000-memory.dmp

Filesize
3.3MB

Download
memory/5040-89-0x00007FF732420000-0x00007FF732771000-memory.dmp

Filesize
3.3MB

Download
memory/5040-258-0x00007FF732420000-0x00007FF732771000-memory.dmp

Filesize
3.3MB

Download