cobaltstrike | 8c6db9e2b0fe125f455bdee2a246a8e55be3df244deb5feaa550f14a109cf4c8

Analysis

max time kernel
145s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-12-2024 14:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-17_dba0fc512c3dac157356ff1e4be9e850_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

dba0fc512c3dac157356ff1e4be9e850
SHA1

216c3cc9b0e169c1a329a9935f16ab9c00a55437
SHA256

8c6db9e2b0fe125f455bdee2a246a8e55be3df244deb5feaa550f14a109cf4c8
SHA512

e1f2a822034fdd9b951f3b82f4972a4c16154a999a68af4edb97a97daa8109588ad7d7c1a9c8ef53674659f0377e91a64b57d26c84c5b680cafa5381601aa065
SSDEEP

49152:ROdWCCi7/raN56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l6:RWWBib+56utgpPFotBER/mQ32lU2

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0008000000023c7b-5.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c81-27.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c82-31.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c83-35.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c84-43.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c80-23.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c7f-15.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c85-47.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c86-49.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c88-73.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c7c-71.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c87-65.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c89-77.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c8c-104.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c8e-109.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c91-128.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c92-131.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c90-126.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c8d-106.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c8b-102.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c8a-90.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 47 IoCs

miner

resource	yara_rule
behavioral2/memory/3464-56-0x00007FF67E3D0000-0x00007FF67E721000-memory.dmp	xmrig
behavioral2/memory/3420-69-0x00007FF626900000-0x00007FF626C51000-memory.dmp	xmrig
behavioral2/memory/4144-70-0x00007FF687D20000-0x00007FF688071000-memory.dmp	xmrig
behavioral2/memory/3652-76-0x00007FF7E2620000-0x00007FF7E2971000-memory.dmp	xmrig
behavioral2/memory/4776-61-0x00007FF77AC20000-0x00007FF77AF71000-memory.dmp	xmrig
behavioral2/memory/2120-83-0x00007FF6C1D80000-0x00007FF6C20D1000-memory.dmp	xmrig
behavioral2/memory/3436-88-0x00007FF633180000-0x00007FF6334D1000-memory.dmp	xmrig
behavioral2/memory/4768-97-0x00007FF64CF30000-0x00007FF64D281000-memory.dmp	xmrig
behavioral2/memory/4516-116-0x00007FF7BE0E0000-0x00007FF7BE431000-memory.dmp	xmrig
behavioral2/memory/1624-132-0x00007FF6E6F30000-0x00007FF6E7281000-memory.dmp	xmrig
behavioral2/memory/1492-133-0x00007FF7C4720000-0x00007FF7C4A71000-memory.dmp	xmrig
behavioral2/memory/3640-130-0x00007FF692260000-0x00007FF6925B1000-memory.dmp	xmrig
behavioral2/memory/1324-125-0x00007FF751050000-0x00007FF7513A1000-memory.dmp	xmrig
behavioral2/memory/344-86-0x00007FF6549B0000-0x00007FF654D01000-memory.dmp	xmrig
behavioral2/memory/2808-82-0x00007FF60D160000-0x00007FF60D4B1000-memory.dmp	xmrig
behavioral2/memory/4776-134-0x00007FF77AC20000-0x00007FF77AF71000-memory.dmp	xmrig
behavioral2/memory/1608-142-0x00007FF61E820000-0x00007FF61EB71000-memory.dmp	xmrig
behavioral2/memory/3060-144-0x00007FF6FB210000-0x00007FF6FB561000-memory.dmp	xmrig
behavioral2/memory/644-145-0x00007FF7CE770000-0x00007FF7CEAC1000-memory.dmp	xmrig
behavioral2/memory/4900-155-0x00007FF736D90000-0x00007FF7370E1000-memory.dmp	xmrig
behavioral2/memory/1492-156-0x00007FF7C4720000-0x00007FF7C4A71000-memory.dmp	xmrig
behavioral2/memory/3492-153-0x00007FF773B90000-0x00007FF773EE1000-memory.dmp	xmrig
behavioral2/memory/4516-152-0x00007FF7BE0E0000-0x00007FF7BE431000-memory.dmp	xmrig
behavioral2/memory/4648-150-0x00007FF6BADA0000-0x00007FF6BB0F1000-memory.dmp	xmrig
behavioral2/memory/4908-149-0x00007FF766960000-0x00007FF766CB1000-memory.dmp	xmrig
behavioral2/memory/4776-157-0x00007FF77AC20000-0x00007FF77AF71000-memory.dmp	xmrig
behavioral2/memory/3420-211-0x00007FF626900000-0x00007FF626C51000-memory.dmp	xmrig
behavioral2/memory/4144-213-0x00007FF687D20000-0x00007FF688071000-memory.dmp	xmrig
behavioral2/memory/3436-217-0x00007FF633180000-0x00007FF6334D1000-memory.dmp	xmrig
behavioral2/memory/2808-216-0x00007FF60D160000-0x00007FF60D4B1000-memory.dmp	xmrig
behavioral2/memory/1324-220-0x00007FF751050000-0x00007FF7513A1000-memory.dmp	xmrig
behavioral2/memory/4768-223-0x00007FF64CF30000-0x00007FF64D281000-memory.dmp	xmrig
behavioral2/memory/1608-221-0x00007FF61E820000-0x00007FF61EB71000-memory.dmp	xmrig
behavioral2/memory/3464-233-0x00007FF67E3D0000-0x00007FF67E721000-memory.dmp	xmrig
behavioral2/memory/3060-235-0x00007FF6FB210000-0x00007FF6FB561000-memory.dmp	xmrig
behavioral2/memory/644-238-0x00007FF7CE770000-0x00007FF7CEAC1000-memory.dmp	xmrig
behavioral2/memory/3652-239-0x00007FF7E2620000-0x00007FF7E2971000-memory.dmp	xmrig
behavioral2/memory/2120-241-0x00007FF6C1D80000-0x00007FF6C20D1000-memory.dmp	xmrig
behavioral2/memory/344-243-0x00007FF6549B0000-0x00007FF654D01000-memory.dmp	xmrig
behavioral2/memory/4908-245-0x00007FF766960000-0x00007FF766CB1000-memory.dmp	xmrig
behavioral2/memory/4648-252-0x00007FF6BADA0000-0x00007FF6BB0F1000-memory.dmp	xmrig
behavioral2/memory/3640-254-0x00007FF692260000-0x00007FF6925B1000-memory.dmp	xmrig
behavioral2/memory/4516-256-0x00007FF7BE0E0000-0x00007FF7BE431000-memory.dmp	xmrig
behavioral2/memory/3492-258-0x00007FF773B90000-0x00007FF773EE1000-memory.dmp	xmrig
behavioral2/memory/1624-260-0x00007FF6E6F30000-0x00007FF6E7281000-memory.dmp	xmrig
behavioral2/memory/4900-262-0x00007FF736D90000-0x00007FF7370E1000-memory.dmp	xmrig
behavioral2/memory/1492-265-0x00007FF7C4720000-0x00007FF7C4A71000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
3420	gWxgRSJ.exe
4144	uTRlARV.exe
2808	qbamzNd.exe
3436	sdxkoSa.exe
4768	ZgJlDdf.exe
1324	hQbmUBj.exe
1608	MSHIBCB.exe
3464	wgZBmZK.exe
3060	brRfKPM.exe
644	RkZtqBY.exe
3652	uSXCXRf.exe
2120	AWaBHMD.exe
344	OQXDJTb.exe
4908	rwwYhWO.exe
4648	gLCqvxc.exe
3640	xgEUJgF.exe
4516	LaWDWFW.exe
3492	kxXXIEX.exe
1624	aldBSJW.exe
4900	ZlGmyGX.exe
1492	PZsbwPP.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4776-0-0x00007FF77AC20000-0x00007FF77AF71000-memory.dmp	upx
behavioral2/files/0x0008000000023c7b-5.dat	upx
behavioral2/memory/3420-6-0x00007FF626900000-0x00007FF626C51000-memory.dmp	upx
behavioral2/memory/4144-17-0x00007FF687D20000-0x00007FF688071000-memory.dmp	upx
behavioral2/files/0x0007000000023c81-27.dat	upx
behavioral2/files/0x0007000000023c82-31.dat	upx
behavioral2/files/0x0007000000023c83-35.dat	upx
behavioral2/files/0x0007000000023c84-43.dat	upx
behavioral2/memory/1608-42-0x00007FF61E820000-0x00007FF61EB71000-memory.dmp	upx
behavioral2/memory/1324-38-0x00007FF751050000-0x00007FF7513A1000-memory.dmp	upx
behavioral2/memory/4768-30-0x00007FF64CF30000-0x00007FF64D281000-memory.dmp	upx
behavioral2/files/0x0007000000023c80-23.dat	upx
behavioral2/memory/3436-22-0x00007FF633180000-0x00007FF6334D1000-memory.dmp	upx
behavioral2/memory/2808-21-0x00007FF60D160000-0x00007FF60D4B1000-memory.dmp	upx
behavioral2/files/0x0007000000023c7f-15.dat	upx
behavioral2/files/0x0007000000023c85-47.dat	upx
behavioral2/files/0x0007000000023c86-49.dat	upx
behavioral2/memory/3464-56-0x00007FF67E3D0000-0x00007FF67E721000-memory.dmp	upx
behavioral2/memory/3420-69-0x00007FF626900000-0x00007FF626C51000-memory.dmp	upx
behavioral2/memory/4144-70-0x00007FF687D20000-0x00007FF688071000-memory.dmp	upx
behavioral2/memory/3652-76-0x00007FF7E2620000-0x00007FF7E2971000-memory.dmp	upx
behavioral2/files/0x0007000000023c88-73.dat	upx
behavioral2/files/0x0008000000023c7c-71.dat	upx
behavioral2/files/0x0007000000023c87-65.dat	upx
behavioral2/memory/644-63-0x00007FF7CE770000-0x00007FF7CEAC1000-memory.dmp	upx
behavioral2/memory/4776-61-0x00007FF77AC20000-0x00007FF77AF71000-memory.dmp	upx
behavioral2/files/0x0007000000023c89-77.dat	upx
behavioral2/memory/2120-83-0x00007FF6C1D80000-0x00007FF6C20D1000-memory.dmp	upx
behavioral2/memory/3436-88-0x00007FF633180000-0x00007FF6334D1000-memory.dmp	upx
behavioral2/memory/4768-97-0x00007FF64CF30000-0x00007FF64D281000-memory.dmp	upx
behavioral2/files/0x0007000000023c8c-104.dat	upx
behavioral2/files/0x0007000000023c8e-109.dat	upx
behavioral2/memory/4516-116-0x00007FF7BE0E0000-0x00007FF7BE431000-memory.dmp	upx
behavioral2/files/0x0007000000023c91-128.dat	upx
behavioral2/memory/1624-132-0x00007FF6E6F30000-0x00007FF6E7281000-memory.dmp	upx
behavioral2/memory/1492-133-0x00007FF7C4720000-0x00007FF7C4A71000-memory.dmp	upx
behavioral2/files/0x0007000000023c92-131.dat	upx
behavioral2/memory/3640-130-0x00007FF692260000-0x00007FF6925B1000-memory.dmp	upx
behavioral2/files/0x0007000000023c90-126.dat	upx
behavioral2/memory/1324-125-0x00007FF751050000-0x00007FF7513A1000-memory.dmp	upx
behavioral2/memory/4900-124-0x00007FF736D90000-0x00007FF7370E1000-memory.dmp	upx
behavioral2/memory/3492-120-0x00007FF773B90000-0x00007FF773EE1000-memory.dmp	upx
behavioral2/memory/4648-112-0x00007FF6BADA0000-0x00007FF6BB0F1000-memory.dmp	upx
behavioral2/files/0x0007000000023c8d-106.dat	upx
behavioral2/files/0x0007000000023c8b-102.dat	upx
behavioral2/files/0x0007000000023c8a-90.dat	upx
behavioral2/memory/4908-89-0x00007FF766960000-0x00007FF766CB1000-memory.dmp	upx
behavioral2/memory/344-86-0x00007FF6549B0000-0x00007FF654D01000-memory.dmp	upx
behavioral2/memory/2808-82-0x00007FF60D160000-0x00007FF60D4B1000-memory.dmp	upx
behavioral2/memory/3060-58-0x00007FF6FB210000-0x00007FF6FB561000-memory.dmp	upx
behavioral2/memory/4776-134-0x00007FF77AC20000-0x00007FF77AF71000-memory.dmp	upx
behavioral2/memory/1608-142-0x00007FF61E820000-0x00007FF61EB71000-memory.dmp	upx
behavioral2/memory/3060-144-0x00007FF6FB210000-0x00007FF6FB561000-memory.dmp	upx
behavioral2/memory/644-145-0x00007FF7CE770000-0x00007FF7CEAC1000-memory.dmp	upx
behavioral2/memory/4900-155-0x00007FF736D90000-0x00007FF7370E1000-memory.dmp	upx
behavioral2/memory/1492-156-0x00007FF7C4720000-0x00007FF7C4A71000-memory.dmp	upx
behavioral2/memory/3492-153-0x00007FF773B90000-0x00007FF773EE1000-memory.dmp	upx
behavioral2/memory/4516-152-0x00007FF7BE0E0000-0x00007FF7BE431000-memory.dmp	upx
behavioral2/memory/4648-150-0x00007FF6BADA0000-0x00007FF6BB0F1000-memory.dmp	upx
behavioral2/memory/4908-149-0x00007FF766960000-0x00007FF766CB1000-memory.dmp	upx
behavioral2/memory/4776-157-0x00007FF77AC20000-0x00007FF77AF71000-memory.dmp	upx
behavioral2/memory/3420-211-0x00007FF626900000-0x00007FF626C51000-memory.dmp	upx
behavioral2/memory/4144-213-0x00007FF687D20000-0x00007FF688071000-memory.dmp	upx
behavioral2/memory/3436-217-0x00007FF633180000-0x00007FF6334D1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\qbamzNd.exe	2024-12-17_dba0fc512c3dac157356ff1e4be9e850_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZgJlDdf.exe	2024-12-17_dba0fc512c3dac157356ff1e4be9e850_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wgZBmZK.exe	2024-12-17_dba0fc512c3dac157356ff1e4be9e850_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aldBSJW.exe	2024-12-17_dba0fc512c3dac157356ff1e4be9e850_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AWaBHMD.exe	2024-12-17_dba0fc512c3dac157356ff1e4be9e850_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rwwYhWO.exe	2024-12-17_dba0fc512c3dac157356ff1e4be9e850_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gLCqvxc.exe	2024-12-17_dba0fc512c3dac157356ff1e4be9e850_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PZsbwPP.exe	2024-12-17_dba0fc512c3dac157356ff1e4be9e850_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gWxgRSJ.exe	2024-12-17_dba0fc512c3dac157356ff1e4be9e850_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uTRlARV.exe	2024-12-17_dba0fc512c3dac157356ff1e4be9e850_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sdxkoSa.exe	2024-12-17_dba0fc512c3dac157356ff1e4be9e850_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hQbmUBj.exe	2024-12-17_dba0fc512c3dac157356ff1e4be9e850_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LaWDWFW.exe	2024-12-17_dba0fc512c3dac157356ff1e4be9e850_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kxXXIEX.exe	2024-12-17_dba0fc512c3dac157356ff1e4be9e850_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZlGmyGX.exe	2024-12-17_dba0fc512c3dac157356ff1e4be9e850_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OQXDJTb.exe	2024-12-17_dba0fc512c3dac157356ff1e4be9e850_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xgEUJgF.exe	2024-12-17_dba0fc512c3dac157356ff1e4be9e850_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MSHIBCB.exe	2024-12-17_dba0fc512c3dac157356ff1e4be9e850_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\brRfKPM.exe	2024-12-17_dba0fc512c3dac157356ff1e4be9e850_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RkZtqBY.exe	2024-12-17_dba0fc512c3dac157356ff1e4be9e850_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uSXCXRf.exe	2024-12-17_dba0fc512c3dac157356ff1e4be9e850_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4776	2024-12-17_dba0fc512c3dac157356ff1e4be9e850_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4776	2024-12-17_dba0fc512c3dac157356ff1e4be9e850_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4776 wrote to memory of 3420	4776	2024-12-17_dba0fc512c3dac157356ff1e4be9e850_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4776 wrote to memory of 3420	4776	2024-12-17_dba0fc512c3dac157356ff1e4be9e850_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4776 wrote to memory of 4144	4776	2024-12-17_dba0fc512c3dac157356ff1e4be9e850_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4776 wrote to memory of 4144	4776	2024-12-17_dba0fc512c3dac157356ff1e4be9e850_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4776 wrote to memory of 2808	4776	2024-12-17_dba0fc512c3dac157356ff1e4be9e850_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4776 wrote to memory of 2808	4776	2024-12-17_dba0fc512c3dac157356ff1e4be9e850_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4776 wrote to memory of 3436	4776	2024-12-17_dba0fc512c3dac157356ff1e4be9e850_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4776 wrote to memory of 3436	4776	2024-12-17_dba0fc512c3dac157356ff1e4be9e850_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4776 wrote to memory of 4768	4776	2024-12-17_dba0fc512c3dac157356ff1e4be9e850_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4776 wrote to memory of 4768	4776	2024-12-17_dba0fc512c3dac157356ff1e4be9e850_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4776 wrote to memory of 1324	4776	2024-12-17_dba0fc512c3dac157356ff1e4be9e850_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4776 wrote to memory of 1324	4776	2024-12-17_dba0fc512c3dac157356ff1e4be9e850_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4776 wrote to memory of 1608	4776	2024-12-17_dba0fc512c3dac157356ff1e4be9e850_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4776 wrote to memory of 1608	4776	2024-12-17_dba0fc512c3dac157356ff1e4be9e850_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4776 wrote to memory of 3464	4776	2024-12-17_dba0fc512c3dac157356ff1e4be9e850_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4776 wrote to memory of 3464	4776	2024-12-17_dba0fc512c3dac157356ff1e4be9e850_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4776 wrote to memory of 3060	4776	2024-12-17_dba0fc512c3dac157356ff1e4be9e850_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4776 wrote to memory of 3060	4776	2024-12-17_dba0fc512c3dac157356ff1e4be9e850_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4776 wrote to memory of 644	4776	2024-12-17_dba0fc512c3dac157356ff1e4be9e850_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4776 wrote to memory of 644	4776	2024-12-17_dba0fc512c3dac157356ff1e4be9e850_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4776 wrote to memory of 3652	4776	2024-12-17_dba0fc512c3dac157356ff1e4be9e850_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4776 wrote to memory of 3652	4776	2024-12-17_dba0fc512c3dac157356ff1e4be9e850_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4776 wrote to memory of 2120	4776	2024-12-17_dba0fc512c3dac157356ff1e4be9e850_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4776 wrote to memory of 2120	4776	2024-12-17_dba0fc512c3dac157356ff1e4be9e850_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4776 wrote to memory of 344	4776	2024-12-17_dba0fc512c3dac157356ff1e4be9e850_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4776 wrote to memory of 344	4776	2024-12-17_dba0fc512c3dac157356ff1e4be9e850_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4776 wrote to memory of 4908	4776	2024-12-17_dba0fc512c3dac157356ff1e4be9e850_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4776 wrote to memory of 4908	4776	2024-12-17_dba0fc512c3dac157356ff1e4be9e850_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4776 wrote to memory of 4648	4776	2024-12-17_dba0fc512c3dac157356ff1e4be9e850_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4776 wrote to memory of 4648	4776	2024-12-17_dba0fc512c3dac157356ff1e4be9e850_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4776 wrote to memory of 3640	4776	2024-12-17_dba0fc512c3dac157356ff1e4be9e850_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4776 wrote to memory of 3640	4776	2024-12-17_dba0fc512c3dac157356ff1e4be9e850_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4776 wrote to memory of 4516	4776	2024-12-17_dba0fc512c3dac157356ff1e4be9e850_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4776 wrote to memory of 4516	4776	2024-12-17_dba0fc512c3dac157356ff1e4be9e850_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4776 wrote to memory of 3492	4776	2024-12-17_dba0fc512c3dac157356ff1e4be9e850_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4776 wrote to memory of 3492	4776	2024-12-17_dba0fc512c3dac157356ff1e4be9e850_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4776 wrote to memory of 1624	4776	2024-12-17_dba0fc512c3dac157356ff1e4be9e850_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4776 wrote to memory of 1624	4776	2024-12-17_dba0fc512c3dac157356ff1e4be9e850_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4776 wrote to memory of 4900	4776	2024-12-17_dba0fc512c3dac157356ff1e4be9e850_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4776 wrote to memory of 4900	4776	2024-12-17_dba0fc512c3dac157356ff1e4be9e850_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4776 wrote to memory of 1492	4776	2024-12-17_dba0fc512c3dac157356ff1e4be9e850_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 4776 wrote to memory of 1492	4776	2024-12-17_dba0fc512c3dac157356ff1e4be9e850_cobalt-strike_cobaltstrike_poet-rat.exe	105

C:\Users\Admin\AppData\Local\Temp\2024-12-17_dba0fc512c3dac157356ff1e4be9e850_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-17_dba0fc512c3dac157356ff1e4be9e850_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4776
- C:\Windows\System\gWxgRSJ.exe
  C:\Windows\System\gWxgRSJ.exe
  2⤵
  - Executes dropped EXE
  PID:3420
- C:\Windows\System\uTRlARV.exe
  C:\Windows\System\uTRlARV.exe
  2⤵
  - Executes dropped EXE
  PID:4144
- C:\Windows\System\qbamzNd.exe
  C:\Windows\System\qbamzNd.exe
  2⤵
  - Executes dropped EXE
  PID:2808
- C:\Windows\System\sdxkoSa.exe
  C:\Windows\System\sdxkoSa.exe
  2⤵
  - Executes dropped EXE
  PID:3436
- C:\Windows\System\ZgJlDdf.exe
  C:\Windows\System\ZgJlDdf.exe
  2⤵
  - Executes dropped EXE
  PID:4768
- C:\Windows\System\hQbmUBj.exe
  C:\Windows\System\hQbmUBj.exe
  2⤵
  - Executes dropped EXE
  PID:1324
- C:\Windows\System\MSHIBCB.exe
  C:\Windows\System\MSHIBCB.exe
  2⤵
  - Executes dropped EXE
  PID:1608
- C:\Windows\System\wgZBmZK.exe
  C:\Windows\System\wgZBmZK.exe
  2⤵
  - Executes dropped EXE
  PID:3464
- C:\Windows\System\brRfKPM.exe
  C:\Windows\System\brRfKPM.exe
  2⤵
  - Executes dropped EXE
  PID:3060
- C:\Windows\System\RkZtqBY.exe
  C:\Windows\System\RkZtqBY.exe
  2⤵
  - Executes dropped EXE
  PID:644
- C:\Windows\System\uSXCXRf.exe
  C:\Windows\System\uSXCXRf.exe
  2⤵
  - Executes dropped EXE
  PID:3652
- C:\Windows\System\AWaBHMD.exe
  C:\Windows\System\AWaBHMD.exe
  2⤵
  - Executes dropped EXE
  PID:2120
- C:\Windows\System\OQXDJTb.exe
  C:\Windows\System\OQXDJTb.exe
  2⤵
  - Executes dropped EXE
  PID:344
- C:\Windows\System\rwwYhWO.exe
  C:\Windows\System\rwwYhWO.exe
  2⤵
  - Executes dropped EXE
  PID:4908
- C:\Windows\System\gLCqvxc.exe
  C:\Windows\System\gLCqvxc.exe
  2⤵
  - Executes dropped EXE
  PID:4648
- C:\Windows\System\xgEUJgF.exe
  C:\Windows\System\xgEUJgF.exe
  2⤵
  - Executes dropped EXE
  PID:3640
- C:\Windows\System\LaWDWFW.exe
  C:\Windows\System\LaWDWFW.exe
  2⤵
  - Executes dropped EXE
  PID:4516
- C:\Windows\System\kxXXIEX.exe
  C:\Windows\System\kxXXIEX.exe
  2⤵
  - Executes dropped EXE
  PID:3492
- C:\Windows\System\aldBSJW.exe
  C:\Windows\System\aldBSJW.exe
  2⤵
  - Executes dropped EXE
  PID:1624
- C:\Windows\System\ZlGmyGX.exe
  C:\Windows\System\ZlGmyGX.exe
  2⤵
  - Executes dropped EXE
  PID:4900
- C:\Windows\System\PZsbwPP.exe
  C:\Windows\System\PZsbwPP.exe
  2⤵
  - Executes dropped EXE
  PID:1492

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AWaBHMD.exe

Filesize
5.2MB

MD5
932a6fa71ae7c2ad8b728b0dd5dd8798

SHA1
557ba8c434aacae16018b5e45737ba3f7bcefd71

SHA256
37096113800fb332170345b85618ded2d995d411bdd2bcefa43ab7185fe24116

SHA512
803a8b539e5ee05dc890d758672defefe0dfbebd6336fb570b3b1c00f0459a7af34a71d56c4f4664c0d861057104027e09575d0ab134e1cbd65f73d3f1d275a4

Download Submit
C:\Windows\System\LaWDWFW.exe

Filesize
5.2MB

MD5
cd14888dfa25139a819bf8812daf7de2

SHA1
f7d93f0860c7e313f281053bd6736a30cd6a0a70

SHA256
85841e82093e40bb440dc74abe32ea548d85d8f247a2b988d1b796f254d90fec

SHA512
065c166ecb71111d788afe07e71395e5e902ba50973818f1bf5ac1b7257d773dcb4bb4dccb7144b65789eed9fc114e6be0fbf6c6bb15256a2f755043eafdbf8f

Download Submit
C:\Windows\System\MSHIBCB.exe

Filesize
5.2MB

MD5
cc3884f32e6a5a5bbc7d35e3a9310ce3

SHA1
798bb9c314913020ed70890eb8de2ca8cf7ffbcc

SHA256
7113fa7a1b6da58d3ff80dfde5725432e694b201e6efd10cfaf6e587d9615e7c

SHA512
f99c44a85b4d81e244d537ca5476e8787e309ed496a21410efce8f45374cb388ff380a3ae0b72e1702a955e5c1fbeaff0198499a0f947c358872a64060b42aff

Download Submit
C:\Windows\System\OQXDJTb.exe

Filesize
5.2MB

MD5
843e9eeb88fdfe94166f4f9fbf008f1e

SHA1
132e6079789ef6881d9a512d55651dccf452055d

SHA256
88e2a40ebf0c87c628aa0d58b8dfb2b16cdb529a62b049eee2ab70f2a39d2e95

SHA512
20d87180890c2406ba4746d71edf1c581e11a9b46b8b48d7a4590166b25b3b256367273f1c582d77f3b9a676c72cedbeb7920c117177c3e94a48917f6cd09b7d

Download Submit
C:\Windows\System\PZsbwPP.exe

Filesize
5.2MB

MD5
fe6ca70d3b618a8aa26b7a1a0a963c6f

SHA1
756610b4527dd32cd462b662d2ea131014f38cde

SHA256
0191603263db142b5326b71ef8b53aef26f40d2ad282946dd7bbd08ea7e9999f

SHA512
b57de739b8c2426934d5e94170af17ac878e9d46be517d46e64ab02164b4efb331caedf81b8a4566e19106038732caa6801748918d7f30dffc462599d73b9d9e

Download Submit
C:\Windows\System\RkZtqBY.exe

Filesize
5.2MB

MD5
c797b711d694e11ab8d57aa5bc24476b

SHA1
a60ea5dfcf1850e924d2f9a1b1b3c07a3fd4fc99

SHA256
2e4d8d38d88c1757be8337bec96bad4f6537b86703a64bab7bc97b0f2a795598

SHA512
a7fae1b950f9e949bec1cb469e856420e707c89f293db29da422b6aab1d3dc7c17d26c4949c1b8486b887a4c307fcfae65b9c432bfebfb9d303af1ccaf136a5b

Download Submit
C:\Windows\System\ZgJlDdf.exe

Filesize
5.2MB

MD5
684e76a9dce92f77687249776d9b690e

SHA1
8348944c3e4079a29d5fd1f938b74c28ee16c349

SHA256
78e27ef20518c96b0abbb3360dc5c0516f81c8e895b0ad5fadc7831b9f133830

SHA512
bb4ea0fd36ce2221ed07beb411b99b758ecda1f147a63c7821dc2b547dc2bf4cbc373069884e112d55487878d7c1ae9eed0e921ec3a95bd0943520d5b10b5a8b

Download Submit
C:\Windows\System\ZlGmyGX.exe

Filesize
5.2MB

MD5
ebbeb026e901e37e5235909bf36cf899

SHA1
77b535dba2d8ff504e2b70dec486ba35682b45ec

SHA256
f8daf342c7296f0ae82bb93d7f9cd285f2ab527f805fa6ef735958ee916a721c

SHA512
2c35615932d27ff840e0efc84f44ffff34447fb06a43b2d7e47230add8c0807d98791e70d8f165fcb38eb1f2022b9aa896aa97d63e24f9b0a26a86f280547194

Download Submit
C:\Windows\System\aldBSJW.exe

Filesize
5.2MB

MD5
a6351aa2a302e758a09d3351875e5fa2

SHA1
01ef9b1efa0aaa074a7d70be894b8c7b3ff36e9f

SHA256
269f0f0698d12cf9de9805ff8bb229c55bd39e4e7ae12b15a19551274c7d7f98

SHA512
0310c49148cd6494b7fbd0229508970c5281ed69b4316208919a2fbad81868fe151c543eae9e3cd56cf62a29a840bdc0e4133595a2360bc2f49557e715a9c518

Download Submit
C:\Windows\System\brRfKPM.exe

Filesize
5.2MB

MD5
b2105d2c782f19a5f3b30981409dc410

SHA1
947c5d0a1c16f992aae36f836179fe9863e43e14

SHA256
963861f176b35d7d1e377f5dc76db0000e3648acef1ef03df59e7e89d07d2765

SHA512
649a89d09e6320854699c61ac2397e7796257304fca6856f7410a5a662fb349f01012237590df62e24ef9cebf76b013ca203ab0396df61221451f13af47c2069

Download Submit
C:\Windows\System\gLCqvxc.exe

Filesize
5.2MB

MD5
f7e01713ea57a25e053a2b6ba5127247

SHA1
506c54777bb2fd011580fd779e57eb67d7925c2c

SHA256
e5922da89b1847c624a20572e4d9ac30a294459d050d0e117c4f79a2455ede76

SHA512
3bed2de71f9bad6711f0f60beab67595ab0acb0fde58bbe82fab3d3b23c8a27264714eb1e835e853744a18d398ba86b249df89a6d584d72ff8eef71cb2ef05e2

Download Submit
C:\Windows\System\gWxgRSJ.exe

Filesize
5.2MB

MD5
7b341c93c61cf773868d6b73db15015c

SHA1
a83e45a6540f6f33e3939bafff5b5596b0ace240

SHA256
93ec620251507bebb6d78b6bbfd4645e4e8c91944ba28688d142df22c3568f7d

SHA512
4b24e0893cca8d7c72eae0a63952a808ce007a9f99395bcbfe04f9ab2e895d21f7e4c2933dbf726578c6b94366a005519fa60266234521e7b14c23b668c551dd

Download Submit
C:\Windows\System\hQbmUBj.exe

Filesize
5.2MB

MD5
8963bb5ac6d713a51c03703bff37f544

SHA1
cf4843ae5a7934f7bf6b881a0ab791937cfa441f

SHA256
d09e1b89be3814b85a63155f2fb4c37a399f2b8a1f75b2a13d9e94e29ac02a5d

SHA512
5090b35e804616f51fc32d731fc5315b7c8c5cac30e890755aef8e2fa946794ec9bfeab57eddc8de8babd2b7762f2d85a664c3543e73ca30f8c4fc34ed2de5e1

Download Submit
C:\Windows\System\kxXXIEX.exe

Filesize
5.2MB

MD5
0652b17d9f5617c17ee09cf29782602d

SHA1
316fad88586ea2c3c212e496034828c0ee1a97f5

SHA256
6dd3cb48b800ee3746fda3f4c496647066111340d186ddd41ff24472a780427d

SHA512
a2efe84d652bf06bdf88118f727ddf3be6b410c40b3891871d04e60319cfecb6c32ead6147d1b51f2f3958d5fc10ffc29d5e3c216381ec6ce652d8924b3ab9b8

Download Submit
C:\Windows\System\qbamzNd.exe

Filesize
5.2MB

MD5
74a003a175f801dee039f99f967f1f75

SHA1
94824cb6b64ff0a1acc9bf1ecf84cc61903f2403

SHA256
48b1c784a2f0eb45164823545578ea8afc3e815d19d1fb463bb4801670c9c32b

SHA512
ef88a15903c10b9bd96a0e8e6f9739bd4fcceac325a22074dba52ccc0c0696e831986c501dbb5c0cb1b9deb9a288d7a398e9352d5e618ad13ff4f54ed233877e

Download Submit
C:\Windows\System\rwwYhWO.exe

Filesize
5.2MB

MD5
4f4399a4ff186a7306eaed6958bb146c

SHA1
0ca1eeefbaaf2a563c9901f6fa41e32aafe61e22

SHA256
3f7ce3fe5eb21ca12cc3e7f5352d54c5f5caa3577830ba6ea7961529a34cede0

SHA512
da9a2c4fb97b4e3923fe9db5fdc1b2e696fc6e12ab7de21cafc147d372bcfdd915e54ccf48a84b96c7f371ee5747f70c6d3e8ed8b918f9dc00694d9e68e6a3cc

Download Submit
C:\Windows\System\sdxkoSa.exe

Filesize
5.2MB

MD5
0fe05fd71b119e84695a24fd79668953

SHA1
cd3c7faca8a212aeea24efe4f08fad270ca797d3

SHA256
5df81aa63a1be12df755a702dc37b5d6e894b26bacd13ffc159292f4e5e1ec69

SHA512
9398cf184b04c45eacae4b4cf7c7369d9d30b1b460246e0b8dde48abb613c45416dd994f24112173fb0c3479c3e4e0ab117e4bcd4bd38724ebcf467f3ee72b12

Download Submit
C:\Windows\System\uSXCXRf.exe

Filesize
5.2MB

MD5
708446be97d06ae25c80f2cc3bf2de52

SHA1
120d23c436e9a2cf7c3300f8599b72f93d987e6a

SHA256
c91f7ca1f19c0fb75b047fe81fa83b3d6a7d6986737413a62c464df219ed26c0

SHA512
7835793d872c97b4f0614500fd382e20e0cd6a643c6a8ba303e6f0e089e29bc1b30672966955fa1a1fadc6340f18e18dcf485d58b9d042f572f10646da36291b

Download Submit
C:\Windows\System\uTRlARV.exe

Filesize
5.2MB

MD5
500f6005992057e4cd02fb524ca430f9

SHA1
beb68e51ce3aa835811421ac348989c78a6a377d

SHA256
cbf9dc520121e4c0888e28db66fec21d026773f261f6edb11787298d2ef7bac8

SHA512
f8a75f22d7d09ee04cc752e406dca31f1657ee1a3034e3dc08e8f7aa53948bf4d4d2528630354fe40b3773973ac595c45ef52e7914b87cc9cf780a9be42b719c

Download Submit
C:\Windows\System\wgZBmZK.exe

Filesize
5.2MB

MD5
cdf18763019daa64610f524a68cb59f8

SHA1
c6d7dbf5c1a36a20fefebf8cb614949a24dd4e3d

SHA256
044a38da8ef086f6770e26eafdfd884053660fef79737cbd02e447e8f6601058

SHA512
7a8bb594d95ff69d54f155147c816751570f5ca1ee3ca8853757070d418b3a0f2f828f93681c1d1de1f9f354231ea68a08376834c67581d5fd8d64ab73786ec9

Download Submit
C:\Windows\System\xgEUJgF.exe

Filesize
5.2MB

MD5
191d90a316624dec037d466c3ae3fb87

SHA1
edf4eb450db4c7e13e78084ece83e94da9752fc0

SHA256
31b1a1816b961ddd50db11d6933c6780dcd0786cacf6b55c44e6588cd87c6a56

SHA512
aa38610a0500ffad243000d9fcf304566acda2f64fe7960fac331af8cc3151edf099eb9b9aa613e93ca8fbb792f54f57525f38d634b8f0fc5c20083f1e76678c

Download Submit
memory/344-243-0x00007FF6549B0000-0x00007FF654D01000-memory.dmp

Filesize
3.3MB

Download
memory/344-86-0x00007FF6549B0000-0x00007FF654D01000-memory.dmp

Filesize
3.3MB

Download
memory/644-145-0x00007FF7CE770000-0x00007FF7CEAC1000-memory.dmp

Filesize
3.3MB

Download
memory/644-238-0x00007FF7CE770000-0x00007FF7CEAC1000-memory.dmp

Filesize
3.3MB

Download
memory/644-63-0x00007FF7CE770000-0x00007FF7CEAC1000-memory.dmp

Filesize
3.3MB

Download
memory/1324-220-0x00007FF751050000-0x00007FF7513A1000-memory.dmp

Filesize
3.3MB

Download
memory/1324-38-0x00007FF751050000-0x00007FF7513A1000-memory.dmp

Filesize
3.3MB

Download
memory/1324-125-0x00007FF751050000-0x00007FF7513A1000-memory.dmp

Filesize
3.3MB

Download
memory/1492-156-0x00007FF7C4720000-0x00007FF7C4A71000-memory.dmp

Filesize
3.3MB

Download
memory/1492-133-0x00007FF7C4720000-0x00007FF7C4A71000-memory.dmp

Filesize
3.3MB

Download
memory/1492-265-0x00007FF7C4720000-0x00007FF7C4A71000-memory.dmp

Filesize
3.3MB

Download
memory/1608-142-0x00007FF61E820000-0x00007FF61EB71000-memory.dmp

Filesize
3.3MB

Download
memory/1608-42-0x00007FF61E820000-0x00007FF61EB71000-memory.dmp

Filesize
3.3MB

Download
memory/1608-221-0x00007FF61E820000-0x00007FF61EB71000-memory.dmp

Filesize
3.3MB

Download
memory/1624-260-0x00007FF6E6F30000-0x00007FF6E7281000-memory.dmp

Filesize
3.3MB

Download
memory/1624-132-0x00007FF6E6F30000-0x00007FF6E7281000-memory.dmp

Filesize
3.3MB

Download
memory/2120-241-0x00007FF6C1D80000-0x00007FF6C20D1000-memory.dmp

Filesize
3.3MB

Download
memory/2120-83-0x00007FF6C1D80000-0x00007FF6C20D1000-memory.dmp

Filesize
3.3MB

Download
memory/2808-21-0x00007FF60D160000-0x00007FF60D4B1000-memory.dmp

Filesize
3.3MB

Download
memory/2808-216-0x00007FF60D160000-0x00007FF60D4B1000-memory.dmp

Filesize
3.3MB

Download
memory/2808-82-0x00007FF60D160000-0x00007FF60D4B1000-memory.dmp

Filesize
3.3MB

Download
memory/3060-144-0x00007FF6FB210000-0x00007FF6FB561000-memory.dmp

Filesize
3.3MB

Download
memory/3060-235-0x00007FF6FB210000-0x00007FF6FB561000-memory.dmp

Filesize
3.3MB

Download
memory/3060-58-0x00007FF6FB210000-0x00007FF6FB561000-memory.dmp

Filesize
3.3MB

Download
memory/3420-211-0x00007FF626900000-0x00007FF626C51000-memory.dmp

Filesize
3.3MB

Download
memory/3420-6-0x00007FF626900000-0x00007FF626C51000-memory.dmp

Filesize
3.3MB

Download
memory/3420-69-0x00007FF626900000-0x00007FF626C51000-memory.dmp

Filesize
3.3MB

Download
memory/3436-88-0x00007FF633180000-0x00007FF6334D1000-memory.dmp

Filesize
3.3MB

Download
memory/3436-22-0x00007FF633180000-0x00007FF6334D1000-memory.dmp

Filesize
3.3MB

Download
memory/3436-217-0x00007FF633180000-0x00007FF6334D1000-memory.dmp

Filesize
3.3MB

Download
memory/3464-56-0x00007FF67E3D0000-0x00007FF67E721000-memory.dmp

Filesize
3.3MB

Download
memory/3464-233-0x00007FF67E3D0000-0x00007FF67E721000-memory.dmp

Filesize
3.3MB

Download
memory/3492-120-0x00007FF773B90000-0x00007FF773EE1000-memory.dmp

Filesize
3.3MB

Download
memory/3492-258-0x00007FF773B90000-0x00007FF773EE1000-memory.dmp

Filesize
3.3MB

Download
memory/3492-153-0x00007FF773B90000-0x00007FF773EE1000-memory.dmp

Filesize
3.3MB

Download
memory/3640-254-0x00007FF692260000-0x00007FF6925B1000-memory.dmp

Filesize
3.3MB

Download
memory/3640-130-0x00007FF692260000-0x00007FF6925B1000-memory.dmp

Filesize
3.3MB

Download
memory/3652-76-0x00007FF7E2620000-0x00007FF7E2971000-memory.dmp

Filesize
3.3MB

Download
memory/3652-239-0x00007FF7E2620000-0x00007FF7E2971000-memory.dmp

Filesize
3.3MB

Download
memory/4144-17-0x00007FF687D20000-0x00007FF688071000-memory.dmp

Filesize
3.3MB

Download
memory/4144-213-0x00007FF687D20000-0x00007FF688071000-memory.dmp

Filesize
3.3MB

Download
memory/4144-70-0x00007FF687D20000-0x00007FF688071000-memory.dmp

Filesize
3.3MB

Download
memory/4516-116-0x00007FF7BE0E0000-0x00007FF7BE431000-memory.dmp

Filesize
3.3MB

Download
memory/4516-256-0x00007FF7BE0E0000-0x00007FF7BE431000-memory.dmp

Filesize
3.3MB

Download
memory/4516-152-0x00007FF7BE0E0000-0x00007FF7BE431000-memory.dmp

Filesize
3.3MB

Download
memory/4648-252-0x00007FF6BADA0000-0x00007FF6BB0F1000-memory.dmp

Filesize
3.3MB

Download
memory/4648-150-0x00007FF6BADA0000-0x00007FF6BB0F1000-memory.dmp

Filesize
3.3MB

Download
memory/4648-112-0x00007FF6BADA0000-0x00007FF6BB0F1000-memory.dmp

Filesize
3.3MB

Download
memory/4768-97-0x00007FF64CF30000-0x00007FF64D281000-memory.dmp

Filesize
3.3MB

Download
memory/4768-30-0x00007FF64CF30000-0x00007FF64D281000-memory.dmp

Filesize
3.3MB

Download
memory/4768-223-0x00007FF64CF30000-0x00007FF64D281000-memory.dmp

Filesize
3.3MB

Download
memory/4776-61-0x00007FF77AC20000-0x00007FF77AF71000-memory.dmp

Filesize
3.3MB

Download
memory/4776-0-0x00007FF77AC20000-0x00007FF77AF71000-memory.dmp

Filesize
3.3MB

Download
memory/4776-134-0x00007FF77AC20000-0x00007FF77AF71000-memory.dmp

Filesize
3.3MB

Download
memory/4776-157-0x00007FF77AC20000-0x00007FF77AF71000-memory.dmp

Filesize
3.3MB

Download
memory/4776-1-0x0000024CD0420000-0x0000024CD0430000-memory.dmp

Filesize
64KB

Download
memory/4900-124-0x00007FF736D90000-0x00007FF7370E1000-memory.dmp

Filesize
3.3MB

Download
memory/4900-155-0x00007FF736D90000-0x00007FF7370E1000-memory.dmp

Filesize
3.3MB

Download
memory/4900-262-0x00007FF736D90000-0x00007FF7370E1000-memory.dmp

Filesize
3.3MB

Download
memory/4908-245-0x00007FF766960000-0x00007FF766CB1000-memory.dmp

Filesize
3.3MB

Download
memory/4908-89-0x00007FF766960000-0x00007FF766CB1000-memory.dmp

Filesize
3.3MB

Download
memory/4908-149-0x00007FF766960000-0x00007FF766CB1000-memory.dmp

Filesize
3.3MB

Download