cobaltstrike | 24a97b22d8dc9ea8c546228a3e2a3332f3986c8647f77d7c5b8630001088e686

Analysis

max time kernel
140s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19/12/2024, 04:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-19_eca03fe7b307c971627ac3a3c106bc43_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

eca03fe7b307c971627ac3a3c106bc43
SHA1

e524a8a6705cb9761bfbf436149ac6dfbe71dd2b
SHA256

24a97b22d8dc9ea8c546228a3e2a3332f3986c8647f77d7c5b8630001088e686
SHA512

14e8b72b164456907b38159551cbae1a4b24a1221719188f45060981b5a87c0fcd662e25c46e78222491f49e9121aec610e929f7412e4caa8fcb8f9c4ccb4b50
SSDEEP

49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lh:RWWBibd56utgpPFotBER/mQ32lUF

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0008000000023cda-5.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ce2-7.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ce7-38.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ce5-41.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ce8-47.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ce9-60.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ce6-49.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ce4-34.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ce3-21.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ce1-17.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023cde-65.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cea-69.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ceb-75.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cec-88.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cee-93.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cf1-104.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cf2-114.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cf4-132.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cf3-133.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cef-119.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ced-96.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 47 IoCs

miner

resource	yara_rule
behavioral2/memory/4780-56-0x00007FF7C67A0000-0x00007FF7C6AF1000-memory.dmp	xmrig
behavioral2/memory/1328-58-0x00007FF656260000-0x00007FF6565B1000-memory.dmp	xmrig
behavioral2/memory/2024-57-0x00007FF613C10000-0x00007FF613F61000-memory.dmp	xmrig
behavioral2/memory/3088-54-0x00007FF673D50000-0x00007FF6740A1000-memory.dmp	xmrig
behavioral2/memory/1256-46-0x00007FF6C0840000-0x00007FF6C0B91000-memory.dmp	xmrig
behavioral2/memory/2988-37-0x00007FF679370000-0x00007FF6796C1000-memory.dmp	xmrig
behavioral2/memory/3556-83-0x00007FF715A70000-0x00007FF715DC1000-memory.dmp	xmrig
behavioral2/memory/1828-125-0x00007FF79F300000-0x00007FF79F651000-memory.dmp	xmrig
behavioral2/memory/4832-131-0x00007FF787740000-0x00007FF787A91000-memory.dmp	xmrig
behavioral2/memory/3628-121-0x00007FF66B980000-0x00007FF66BCD1000-memory.dmp	xmrig
behavioral2/memory/2136-110-0x00007FF7FC590000-0x00007FF7FC8E1000-memory.dmp	xmrig
behavioral2/memory/2360-109-0x00007FF700E70000-0x00007FF7011C1000-memory.dmp	xmrig
behavioral2/memory/2044-106-0x00007FF7F4430000-0x00007FF7F4781000-memory.dmp	xmrig
behavioral2/memory/2240-92-0x00007FF67AF20000-0x00007FF67B271000-memory.dmp	xmrig
behavioral2/memory/832-86-0x00007FF675040000-0x00007FF675391000-memory.dmp	xmrig
behavioral2/memory/3124-78-0x00007FF7FC710000-0x00007FF7FCA61000-memory.dmp	xmrig
behavioral2/memory/4804-137-0x00007FF7E29F0000-0x00007FF7E2D41000-memory.dmp	xmrig
behavioral2/memory/116-138-0x00007FF694300000-0x00007FF694651000-memory.dmp	xmrig
behavioral2/memory/1828-155-0x00007FF79F300000-0x00007FF79F651000-memory.dmp	xmrig
behavioral2/memory/4460-158-0x00007FF6C4EC0000-0x00007FF6C5211000-memory.dmp	xmrig
behavioral2/memory/4624-157-0x00007FF782B10000-0x00007FF782E61000-memory.dmp	xmrig
behavioral2/memory/3628-154-0x00007FF66B980000-0x00007FF66BCD1000-memory.dmp	xmrig
behavioral2/memory/704-153-0x00007FF6F7790000-0x00007FF6F7AE1000-memory.dmp	xmrig
behavioral2/memory/3912-152-0x00007FF7B2420000-0x00007FF7B2771000-memory.dmp	xmrig
behavioral2/memory/3124-141-0x00007FF7FC710000-0x00007FF7FCA61000-memory.dmp	xmrig
behavioral2/memory/3124-162-0x00007FF7FC710000-0x00007FF7FCA61000-memory.dmp	xmrig
behavioral2/memory/2044-204-0x00007FF7F4430000-0x00007FF7F4781000-memory.dmp	xmrig
behavioral2/memory/2136-206-0x00007FF7FC590000-0x00007FF7FC8E1000-memory.dmp	xmrig
behavioral2/memory/2988-209-0x00007FF679370000-0x00007FF6796C1000-memory.dmp	xmrig
behavioral2/memory/2360-210-0x00007FF700E70000-0x00007FF7011C1000-memory.dmp	xmrig
behavioral2/memory/1256-214-0x00007FF6C0840000-0x00007FF6C0B91000-memory.dmp	xmrig
behavioral2/memory/2024-216-0x00007FF613C10000-0x00007FF613F61000-memory.dmp	xmrig
behavioral2/memory/3088-222-0x00007FF673D50000-0x00007FF6740A1000-memory.dmp	xmrig
behavioral2/memory/4804-224-0x00007FF7E29F0000-0x00007FF7E2D41000-memory.dmp	xmrig
behavioral2/memory/4780-220-0x00007FF7C67A0000-0x00007FF7C6AF1000-memory.dmp	xmrig
behavioral2/memory/1328-219-0x00007FF656260000-0x00007FF6565B1000-memory.dmp	xmrig
behavioral2/memory/116-236-0x00007FF694300000-0x00007FF694651000-memory.dmp	xmrig
behavioral2/memory/3556-238-0x00007FF715A70000-0x00007FF715DC1000-memory.dmp	xmrig
behavioral2/memory/832-242-0x00007FF675040000-0x00007FF675391000-memory.dmp	xmrig
behavioral2/memory/2240-241-0x00007FF67AF20000-0x00007FF67B271000-memory.dmp	xmrig
behavioral2/memory/3912-248-0x00007FF7B2420000-0x00007FF7B2771000-memory.dmp	xmrig
behavioral2/memory/704-247-0x00007FF6F7790000-0x00007FF6F7AE1000-memory.dmp	xmrig
behavioral2/memory/4832-256-0x00007FF787740000-0x00007FF787A91000-memory.dmp	xmrig
behavioral2/memory/1828-255-0x00007FF79F300000-0x00007FF79F651000-memory.dmp	xmrig
behavioral2/memory/4624-252-0x00007FF782B10000-0x00007FF782E61000-memory.dmp	xmrig
behavioral2/memory/3628-251-0x00007FF66B980000-0x00007FF66BCD1000-memory.dmp	xmrig
behavioral2/memory/4460-259-0x00007FF6C4EC0000-0x00007FF6C5211000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2044	KPeggsy.exe
2360	FiHJQte.exe
2136	TBVTnLa.exe
2988	tfQVSqL.exe
1256	ATCOifV.exe
2024	ndgzavO.exe
1328	cqYNzGR.exe
3088	JiGPyob.exe
4780	hRUaaXw.exe
4804	YTZJXoK.exe
116	ngUYLwn.exe
3556	iYpJUsu.exe
832	tCcYXRx.exe
2240	PTFBfhE.exe
3912	UykvGzh.exe
704	kfUbBLD.exe
3628	yBRCSep.exe
1828	pWBpSWs.exe
4832	BXfkcKe.exe
4624	PoEQYyu.exe
4460	EvWVRln.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3124-0-0x00007FF7FC710000-0x00007FF7FCA61000-memory.dmp	upx
behavioral2/files/0x0008000000023cda-5.dat	upx
behavioral2/files/0x0007000000023ce2-7.dat	upx
behavioral2/memory/2136-29-0x00007FF7FC590000-0x00007FF7FC8E1000-memory.dmp	upx
behavioral2/files/0x0007000000023ce7-38.dat	upx
behavioral2/files/0x0007000000023ce5-41.dat	upx
behavioral2/files/0x0007000000023ce8-47.dat	upx
behavioral2/memory/4780-56-0x00007FF7C67A0000-0x00007FF7C6AF1000-memory.dmp	upx
behavioral2/files/0x0007000000023ce9-60.dat	upx
behavioral2/memory/4804-59-0x00007FF7E29F0000-0x00007FF7E2D41000-memory.dmp	upx
behavioral2/memory/1328-58-0x00007FF656260000-0x00007FF6565B1000-memory.dmp	upx
behavioral2/memory/2024-57-0x00007FF613C10000-0x00007FF613F61000-memory.dmp	upx
behavioral2/memory/3088-54-0x00007FF673D50000-0x00007FF6740A1000-memory.dmp	upx
behavioral2/files/0x0007000000023ce6-49.dat	upx
behavioral2/memory/1256-46-0x00007FF6C0840000-0x00007FF6C0B91000-memory.dmp	upx
behavioral2/memory/2988-37-0x00007FF679370000-0x00007FF6796C1000-memory.dmp	upx
behavioral2/files/0x0007000000023ce4-34.dat	upx
behavioral2/files/0x0007000000023ce3-21.dat	upx
behavioral2/memory/2360-18-0x00007FF700E70000-0x00007FF7011C1000-memory.dmp	upx
behavioral2/files/0x0007000000023ce1-17.dat	upx
behavioral2/memory/2044-10-0x00007FF7F4430000-0x00007FF7F4781000-memory.dmp	upx
behavioral2/files/0x0008000000023cde-65.dat	upx
behavioral2/memory/116-66-0x00007FF694300000-0x00007FF694651000-memory.dmp	upx
behavioral2/files/0x0007000000023cea-69.dat	upx
behavioral2/files/0x0007000000023ceb-75.dat	upx
behavioral2/memory/3556-83-0x00007FF715A70000-0x00007FF715DC1000-memory.dmp	upx
behavioral2/files/0x0007000000023cec-88.dat	upx
behavioral2/files/0x0007000000023cee-93.dat	upx
behavioral2/memory/704-95-0x00007FF6F7790000-0x00007FF6F7AE1000-memory.dmp	upx
behavioral2/memory/3912-94-0x00007FF7B2420000-0x00007FF7B2771000-memory.dmp	upx
behavioral2/files/0x0007000000023cf1-104.dat	upx
behavioral2/files/0x0007000000023cf2-114.dat	upx
behavioral2/memory/1828-125-0x00007FF79F300000-0x00007FF79F651000-memory.dmp	upx
behavioral2/files/0x0007000000023cf4-132.dat	upx
behavioral2/memory/4460-136-0x00007FF6C4EC0000-0x00007FF6C5211000-memory.dmp	upx
behavioral2/files/0x0007000000023cf3-133.dat	upx
behavioral2/memory/4832-131-0x00007FF787740000-0x00007FF787A91000-memory.dmp	upx
behavioral2/memory/4624-127-0x00007FF782B10000-0x00007FF782E61000-memory.dmp	upx
behavioral2/memory/3628-121-0x00007FF66B980000-0x00007FF66BCD1000-memory.dmp	upx
behavioral2/files/0x0007000000023cef-119.dat	upx
behavioral2/memory/2136-110-0x00007FF7FC590000-0x00007FF7FC8E1000-memory.dmp	upx
behavioral2/memory/2360-109-0x00007FF700E70000-0x00007FF7011C1000-memory.dmp	upx
behavioral2/memory/2044-106-0x00007FF7F4430000-0x00007FF7F4781000-memory.dmp	upx
behavioral2/files/0x0007000000023ced-96.dat	upx
behavioral2/memory/2240-92-0x00007FF67AF20000-0x00007FF67B271000-memory.dmp	upx
behavioral2/memory/832-86-0x00007FF675040000-0x00007FF675391000-memory.dmp	upx
behavioral2/memory/3124-78-0x00007FF7FC710000-0x00007FF7FCA61000-memory.dmp	upx
behavioral2/memory/4804-137-0x00007FF7E29F0000-0x00007FF7E2D41000-memory.dmp	upx
behavioral2/memory/116-138-0x00007FF694300000-0x00007FF694651000-memory.dmp	upx
behavioral2/memory/1828-155-0x00007FF79F300000-0x00007FF79F651000-memory.dmp	upx
behavioral2/memory/4460-158-0x00007FF6C4EC0000-0x00007FF6C5211000-memory.dmp	upx
behavioral2/memory/4624-157-0x00007FF782B10000-0x00007FF782E61000-memory.dmp	upx
behavioral2/memory/3628-154-0x00007FF66B980000-0x00007FF66BCD1000-memory.dmp	upx
behavioral2/memory/704-153-0x00007FF6F7790000-0x00007FF6F7AE1000-memory.dmp	upx
behavioral2/memory/3912-152-0x00007FF7B2420000-0x00007FF7B2771000-memory.dmp	upx
behavioral2/memory/3124-141-0x00007FF7FC710000-0x00007FF7FCA61000-memory.dmp	upx
behavioral2/memory/3124-162-0x00007FF7FC710000-0x00007FF7FCA61000-memory.dmp	upx
behavioral2/memory/2044-204-0x00007FF7F4430000-0x00007FF7F4781000-memory.dmp	upx
behavioral2/memory/2136-206-0x00007FF7FC590000-0x00007FF7FC8E1000-memory.dmp	upx
behavioral2/memory/2988-209-0x00007FF679370000-0x00007FF6796C1000-memory.dmp	upx
behavioral2/memory/2360-210-0x00007FF700E70000-0x00007FF7011C1000-memory.dmp	upx
behavioral2/memory/1256-214-0x00007FF6C0840000-0x00007FF6C0B91000-memory.dmp	upx
behavioral2/memory/2024-216-0x00007FF613C10000-0x00007FF613F61000-memory.dmp	upx
behavioral2/memory/3088-222-0x00007FF673D50000-0x00007FF6740A1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\PoEQYyu.exe	2024-12-19_eca03fe7b307c971627ac3a3c106bc43_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ndgzavO.exe	2024-12-19_eca03fe7b307c971627ac3a3c106bc43_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FiHJQte.exe	2024-12-19_eca03fe7b307c971627ac3a3c106bc43_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tfQVSqL.exe	2024-12-19_eca03fe7b307c971627ac3a3c106bc43_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JiGPyob.exe	2024-12-19_eca03fe7b307c971627ac3a3c106bc43_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pWBpSWs.exe	2024-12-19_eca03fe7b307c971627ac3a3c106bc43_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BXfkcKe.exe	2024-12-19_eca03fe7b307c971627ac3a3c106bc43_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EvWVRln.exe	2024-12-19_eca03fe7b307c971627ac3a3c106bc43_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KPeggsy.exe	2024-12-19_eca03fe7b307c971627ac3a3c106bc43_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tCcYXRx.exe	2024-12-19_eca03fe7b307c971627ac3a3c106bc43_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iYpJUsu.exe	2024-12-19_eca03fe7b307c971627ac3a3c106bc43_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ATCOifV.exe	2024-12-19_eca03fe7b307c971627ac3a3c106bc43_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cqYNzGR.exe	2024-12-19_eca03fe7b307c971627ac3a3c106bc43_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hRUaaXw.exe	2024-12-19_eca03fe7b307c971627ac3a3c106bc43_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YTZJXoK.exe	2024-12-19_eca03fe7b307c971627ac3a3c106bc43_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ngUYLwn.exe	2024-12-19_eca03fe7b307c971627ac3a3c106bc43_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PTFBfhE.exe	2024-12-19_eca03fe7b307c971627ac3a3c106bc43_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UykvGzh.exe	2024-12-19_eca03fe7b307c971627ac3a3c106bc43_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TBVTnLa.exe	2024-12-19_eca03fe7b307c971627ac3a3c106bc43_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yBRCSep.exe	2024-12-19_eca03fe7b307c971627ac3a3c106bc43_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kfUbBLD.exe	2024-12-19_eca03fe7b307c971627ac3a3c106bc43_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3124	2024-12-19_eca03fe7b307c971627ac3a3c106bc43_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	3124	2024-12-19_eca03fe7b307c971627ac3a3c106bc43_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3124 wrote to memory of 2044	3124	2024-12-19_eca03fe7b307c971627ac3a3c106bc43_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3124 wrote to memory of 2044	3124	2024-12-19_eca03fe7b307c971627ac3a3c106bc43_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3124 wrote to memory of 2360	3124	2024-12-19_eca03fe7b307c971627ac3a3c106bc43_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3124 wrote to memory of 2360	3124	2024-12-19_eca03fe7b307c971627ac3a3c106bc43_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3124 wrote to memory of 2136	3124	2024-12-19_eca03fe7b307c971627ac3a3c106bc43_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3124 wrote to memory of 2136	3124	2024-12-19_eca03fe7b307c971627ac3a3c106bc43_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3124 wrote to memory of 2988	3124	2024-12-19_eca03fe7b307c971627ac3a3c106bc43_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3124 wrote to memory of 2988	3124	2024-12-19_eca03fe7b307c971627ac3a3c106bc43_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3124 wrote to memory of 1256	3124	2024-12-19_eca03fe7b307c971627ac3a3c106bc43_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3124 wrote to memory of 1256	3124	2024-12-19_eca03fe7b307c971627ac3a3c106bc43_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3124 wrote to memory of 2024	3124	2024-12-19_eca03fe7b307c971627ac3a3c106bc43_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3124 wrote to memory of 2024	3124	2024-12-19_eca03fe7b307c971627ac3a3c106bc43_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3124 wrote to memory of 3088	3124	2024-12-19_eca03fe7b307c971627ac3a3c106bc43_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3124 wrote to memory of 3088	3124	2024-12-19_eca03fe7b307c971627ac3a3c106bc43_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3124 wrote to memory of 1328	3124	2024-12-19_eca03fe7b307c971627ac3a3c106bc43_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3124 wrote to memory of 1328	3124	2024-12-19_eca03fe7b307c971627ac3a3c106bc43_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3124 wrote to memory of 4780	3124	2024-12-19_eca03fe7b307c971627ac3a3c106bc43_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3124 wrote to memory of 4780	3124	2024-12-19_eca03fe7b307c971627ac3a3c106bc43_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3124 wrote to memory of 4804	3124	2024-12-19_eca03fe7b307c971627ac3a3c106bc43_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3124 wrote to memory of 4804	3124	2024-12-19_eca03fe7b307c971627ac3a3c106bc43_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3124 wrote to memory of 116	3124	2024-12-19_eca03fe7b307c971627ac3a3c106bc43_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3124 wrote to memory of 116	3124	2024-12-19_eca03fe7b307c971627ac3a3c106bc43_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3124 wrote to memory of 3556	3124	2024-12-19_eca03fe7b307c971627ac3a3c106bc43_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3124 wrote to memory of 3556	3124	2024-12-19_eca03fe7b307c971627ac3a3c106bc43_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3124 wrote to memory of 832	3124	2024-12-19_eca03fe7b307c971627ac3a3c106bc43_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3124 wrote to memory of 832	3124	2024-12-19_eca03fe7b307c971627ac3a3c106bc43_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3124 wrote to memory of 2240	3124	2024-12-19_eca03fe7b307c971627ac3a3c106bc43_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3124 wrote to memory of 2240	3124	2024-12-19_eca03fe7b307c971627ac3a3c106bc43_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3124 wrote to memory of 3912	3124	2024-12-19_eca03fe7b307c971627ac3a3c106bc43_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3124 wrote to memory of 3912	3124	2024-12-19_eca03fe7b307c971627ac3a3c106bc43_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3124 wrote to memory of 704	3124	2024-12-19_eca03fe7b307c971627ac3a3c106bc43_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3124 wrote to memory of 704	3124	2024-12-19_eca03fe7b307c971627ac3a3c106bc43_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3124 wrote to memory of 3628	3124	2024-12-19_eca03fe7b307c971627ac3a3c106bc43_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3124 wrote to memory of 3628	3124	2024-12-19_eca03fe7b307c971627ac3a3c106bc43_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3124 wrote to memory of 1828	3124	2024-12-19_eca03fe7b307c971627ac3a3c106bc43_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3124 wrote to memory of 1828	3124	2024-12-19_eca03fe7b307c971627ac3a3c106bc43_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3124 wrote to memory of 4832	3124	2024-12-19_eca03fe7b307c971627ac3a3c106bc43_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3124 wrote to memory of 4832	3124	2024-12-19_eca03fe7b307c971627ac3a3c106bc43_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3124 wrote to memory of 4624	3124	2024-12-19_eca03fe7b307c971627ac3a3c106bc43_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 3124 wrote to memory of 4624	3124	2024-12-19_eca03fe7b307c971627ac3a3c106bc43_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 3124 wrote to memory of 4460	3124	2024-12-19_eca03fe7b307c971627ac3a3c106bc43_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 3124 wrote to memory of 4460	3124	2024-12-19_eca03fe7b307c971627ac3a3c106bc43_cobalt-strike_cobaltstrike_poet-rat.exe	105

C:\Users\Admin\AppData\Local\Temp\2024-12-19_eca03fe7b307c971627ac3a3c106bc43_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-19_eca03fe7b307c971627ac3a3c106bc43_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3124
- C:\Windows\System\KPeggsy.exe
  C:\Windows\System\KPeggsy.exe
  2⤵
  - Executes dropped EXE
  PID:2044
- C:\Windows\System\FiHJQte.exe
  C:\Windows\System\FiHJQte.exe
  2⤵
  - Executes dropped EXE
  PID:2360
- C:\Windows\System\TBVTnLa.exe
  C:\Windows\System\TBVTnLa.exe
  2⤵
  - Executes dropped EXE
  PID:2136
- C:\Windows\System\tfQVSqL.exe
  C:\Windows\System\tfQVSqL.exe
  2⤵
  - Executes dropped EXE
  PID:2988
- C:\Windows\System\ATCOifV.exe
  C:\Windows\System\ATCOifV.exe
  2⤵
  - Executes dropped EXE
  PID:1256
- C:\Windows\System\ndgzavO.exe
  C:\Windows\System\ndgzavO.exe
  2⤵
  - Executes dropped EXE
  PID:2024
- C:\Windows\System\JiGPyob.exe
  C:\Windows\System\JiGPyob.exe
  2⤵
  - Executes dropped EXE
  PID:3088
- C:\Windows\System\cqYNzGR.exe
  C:\Windows\System\cqYNzGR.exe
  2⤵
  - Executes dropped EXE
  PID:1328
- C:\Windows\System\hRUaaXw.exe
  C:\Windows\System\hRUaaXw.exe
  2⤵
  - Executes dropped EXE
  PID:4780
- C:\Windows\System\YTZJXoK.exe
  C:\Windows\System\YTZJXoK.exe
  2⤵
  - Executes dropped EXE
  PID:4804
- C:\Windows\System\ngUYLwn.exe
  C:\Windows\System\ngUYLwn.exe
  2⤵
  - Executes dropped EXE
  PID:116
- C:\Windows\System\iYpJUsu.exe
  C:\Windows\System\iYpJUsu.exe
  2⤵
  - Executes dropped EXE
  PID:3556
- C:\Windows\System\tCcYXRx.exe
  C:\Windows\System\tCcYXRx.exe
  2⤵
  - Executes dropped EXE
  PID:832
- C:\Windows\System\PTFBfhE.exe
  C:\Windows\System\PTFBfhE.exe
  2⤵
  - Executes dropped EXE
  PID:2240
- C:\Windows\System\UykvGzh.exe
  C:\Windows\System\UykvGzh.exe
  2⤵
  - Executes dropped EXE
  PID:3912
- C:\Windows\System\kfUbBLD.exe
  C:\Windows\System\kfUbBLD.exe
  2⤵
  - Executes dropped EXE
  PID:704
- C:\Windows\System\yBRCSep.exe
  C:\Windows\System\yBRCSep.exe
  2⤵
  - Executes dropped EXE
  PID:3628
- C:\Windows\System\pWBpSWs.exe
  C:\Windows\System\pWBpSWs.exe
  2⤵
  - Executes dropped EXE
  PID:1828
- C:\Windows\System\BXfkcKe.exe
  C:\Windows\System\BXfkcKe.exe
  2⤵
  - Executes dropped EXE
  PID:4832
- C:\Windows\System\PoEQYyu.exe
  C:\Windows\System\PoEQYyu.exe
  2⤵
  - Executes dropped EXE
  PID:4624
- C:\Windows\System\EvWVRln.exe
  C:\Windows\System\EvWVRln.exe
  2⤵
  - Executes dropped EXE
  PID:4460

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\ATCOifV.exe

Filesize
5.2MB

MD5
49c9e8043e9259b405f1801d2d677879

SHA1
ae2ef9d8f99920fdbade33d183f25325ffa70648

SHA256
ce6f7cb7e67dc0bbbf5704020f607a9711b6589f9d1dfcac7830a267bd5599b3

SHA512
92df38fd99cf46ab6d1cf219ada39337a0ae4eb8954262364ad5af090b4ecf70c3267e5970ed0026ca0f96ce28952f54c67abda6d8944d626539299c4a6957b5

Download Submit
C:\Windows\System\BXfkcKe.exe

Filesize
5.2MB

MD5
22650c49b8cf2e8cd12597354b695beb

SHA1
1fdf8143e6593f8c136c2c0db3dfab02ecb08c5b

SHA256
959c461314d81afe0bd6dcca1217e14b95b1aa2822d16181fd39e730d8bd8c2c

SHA512
a766d804d62ca0f1c674d73de1404110bd3646c059724aa8986c515660a1568675f2b0430b36ca34398d47b17052d133791a5946100bd22f5587384411791399

Download Submit
C:\Windows\System\EvWVRln.exe

Filesize
5.2MB

MD5
e7dc3b6dd3900f379bd2fcf76ed21de6

SHA1
6b1225485366f2cf8dcc93e451ad9211a2989833

SHA256
ce4fcf9a6321bb5a466063b5d28bd0b6016523caa12d61f4c6f1cfd9229af94b

SHA512
77597f8bcdf77468b529b8225983fbc5d2c18904df2d72575919e3109585f98352c153b5e468a5f749a853c1569c3200e2113ba3d7e0f93f737a6aac4b655713

Download Submit
C:\Windows\System\FiHJQte.exe

Filesize
5.2MB

MD5
f68403eb6f3c917967838f8199047ab1

SHA1
ad60cb46facf0f3061392ceb99a4df4d04ed4df2

SHA256
572ad447dda4cbf059ddd607d986174da26790934be111d5aaf42d3a972dbe2c

SHA512
31dfee9d139f07ea8bceb79d4de0a86514b34d4ecc53a87d5126cb14e265d8d51aa65a70f794609a9c43ae1c57badb9945565e9959dbb37bc1d22f2d1e4b4be1

Download Submit
C:\Windows\System\JiGPyob.exe

Filesize
5.2MB

MD5
bf8838e11b003fa752cdfaa1a9d976b0

SHA1
10f2fd4a480cb5796090e8871d2505fd4b4f04a6

SHA256
d7d50a9f78d6e9d5ea245d320edfc2c10910bfe2ca667aba39b4f568f2d02cf5

SHA512
0df70c35d6da248e8e8a59c78405ef8903cb6df0e3020cab5e2614b7ca00c538574c77f95edaf8f53c1f851855d7522b880460e2d60e9f9f15c0da36718dcc00

Download Submit
C:\Windows\System\KPeggsy.exe

Filesize
5.2MB

MD5
af7d7c0a598222d6de4e769dac8d86f0

SHA1
a19d631884a68969d34541b148d360c3eb69cae2

SHA256
93ade0c38f4a3df79db4713f8c00fee9a13dc34e322c1c59ae6455c1e0b51a5a

SHA512
5d495f40e855b0568ab1fdf1fa3804aa50bae796e4c7dc48aa67e0e0c8a225de9f102159caab9232fda686929b261f3491fc03a19cbea51b5679506f9e45f594

Download Submit
C:\Windows\System\PTFBfhE.exe

Filesize
5.2MB

MD5
1d67799cf886d703214e8c56de84ca5d

SHA1
c7c5740fed1d64f8af40008e2a51f11ba83335e5

SHA256
860f334e8ee384186b21dc0da0cd697e369009e5f49ea60d928f76f6427c44b6

SHA512
7474569ef55b0e6154393bd59f3cdce73158b243f5f9829476eb4268185a1b8a86431f2b0bd4f6b66214d5756ef6ef162299f9cb133548bb07235b3132bda1e8

Download Submit
C:\Windows\System\PoEQYyu.exe

Filesize
5.2MB

MD5
8d1852c402cfd0afb1b7bb656a9bf888

SHA1
2765b22899c0be2aaf38870f4b6383174d1b12a3

SHA256
20ed2e6d677048861f89ca96e9ef738ab7e8a499f0f625ff5d942afb8f5ff8b4

SHA512
5a5dc6ee80eaa2524494c01d6d4b71e24f6e8cb189a042b6018bca9ebea19ef23a7fc34e1b7a182685b0227606135bfeb7745d8904e1e1d3da9831d332c9e4dc

Download Submit
C:\Windows\System\TBVTnLa.exe

Filesize
5.2MB

MD5
2c35aaa98a00363fd77d917514d9622c

SHA1
2a1202c72c6d75d4e566f26237628faf8f66a39f

SHA256
84fea15740163d1395ebc2bb066715c3bb5cc0c0aa49f24e0f5e70175295af54

SHA512
6de79dc54c6c657ba1c866b2edf2926e1783e27746aceb83aae78bef43c2aa025205213c3e9e94a0094900c94a00b7bd4805f1595a22b4ad785b1235bffe48ed

Download Submit
C:\Windows\System\UykvGzh.exe

Filesize
5.2MB

MD5
cd04eaf0b008469e3f07d33b9271c2b7

SHA1
4fc0055e4e78356c1697caa7d647bd3134a32330

SHA256
7008e3ef6af860588abe727107939889783413b42559f6637c7d57e4646b0ad7

SHA512
3d8c3469d4664b2a63971cc5f89806e6ba4886b20ae15369942d4ac3087c2be312dd1f448d03f51d934e6b6b699139475732a15eff2359e04f08940cf1a3c16e

Download Submit
C:\Windows\System\YTZJXoK.exe

Filesize
5.2MB

MD5
15467b3ec05013d147b8bba1bad3e520

SHA1
252c24f10494fb26f6d120fbd5edfd5360b30187

SHA256
674c47c20124c473327596076f602b204d0f34d668098acab4661e94af288112

SHA512
f4c486373d6d8127a5c326e9466a5da858d0cc6b6b38d7c75f01f1214a1b174cca20a89134f42a891f80f4adc5bd198ad97b2fb3eb27650e329958498844c3f8

Download Submit
C:\Windows\System\cqYNzGR.exe

Filesize
5.2MB

MD5
aa644b0edabf71a05397cee65ccebbe2

SHA1
eeffe13c3b513cbc33ceb458b756e584be26181e

SHA256
5ebff2a8042045a62e25a3214dcf6ec9b7c5b3062ce1c05d9b89f6a862d8815b

SHA512
688929ab7f376175a8092eebca663d36c98ab0d32a6f844628f3ec893a8249eccc6ace02b43bc4a3bbc4de0058d3d714a08b897c35feabe45ba7ef1b3e202c67

Download Submit
C:\Windows\System\hRUaaXw.exe

Filesize
5.2MB

MD5
845528e7e0231102f7271044e6ccd4d1

SHA1
86887a5b1a7c89146b483f990ce32a782dc7d982

SHA256
db8da5771309b90ca7030517d4898b212473d8b7f65c9c700269b8e725349faf

SHA512
857e281c3b4183fd4793f8ffb894ed796e4ddaa7e3960974bdff7343132d8c04a625acc15fd6f1281b8faa90da31dffebbae7c8c978cf345925caa0a1118ceae

Download Submit
C:\Windows\System\iYpJUsu.exe

Filesize
5.2MB

MD5
372d0c0fdd051e0f7275c27673a577a3

SHA1
3aa4a40921368b9c4bc498e4e0b70ce8fd1fda8c

SHA256
2435370d3a8d936cf74561d9e391e6ef25633c95aa6fc119b69fad55b9c300f1

SHA512
371f7938dd945ebd67a3404590c04f1033612f88f36b7015cf55ef75ce2583f7bca562836a547d7e94522218d6f98147a4fc9122b480d5b1642856f81b73a955

Download Submit
C:\Windows\System\kfUbBLD.exe

Filesize
5.2MB

MD5
cefbfe3c68f0f6a4bde9a1af16d6d583

SHA1
28d3868a3fe86d3b04d56c4a05820f5cb1e3e493

SHA256
f46243c66cae3d05ccccb7fe036b3819f5511d2eb521da2721371bc952b2ef7d

SHA512
bbf648f1c0354102246f82cbfdba9341ece34edc0cc3d939ddb89e12f23346f7bb53f621ca5b49ccb107f970dce97a86538465a5daaf49179b5fc8f4a0073878

Download Submit
C:\Windows\System\ndgzavO.exe

Filesize
5.2MB

MD5
7e850d5d64efa0ab8b718399834dd58e

SHA1
28396dfa780089926758f1a6c2b063cf148cbe3a

SHA256
f0191e2e8beab0b1bb8ba886bce5b5d08d56b30931c1082514505c6b408b3518

SHA512
7f1c74d59879819b5575652c2db52b9309ace5c4ca44bd97df20083fe4ef98e1544b1b96f90589f7815de40857dcd3ccba925444ab9bcdae985e2ac1d567a660

Download Submit
C:\Windows\System\ngUYLwn.exe

Filesize
5.2MB

MD5
93cf4322dfcc80481524a9524f4ee18d

SHA1
c113ea7ade62e9993a41288d4d31d88a789bb3bb

SHA256
f5a7eb039f99120770e4fb98c2c9d93df7ab2e1705892721d18e1f2cb75651e8

SHA512
377ab60d4a742770b3b74eeecc314c23a59b4f1058cdd601adb234531eb753132c0a9cceedf7e80f17313d8067c79222a6af09f70c7535334f33cee46037d6df

Download Submit
C:\Windows\System\pWBpSWs.exe

Filesize
5.2MB

MD5
b1c86c18ee64fd4791282fef9a6ce16a

SHA1
5b5112b76f3ae967949ee1b7e8d44dd346fac781

SHA256
4119c0c36ba31e5a8bdb5dc49585f8dd21bbe156fffe6d8dfffce8be17940b7d

SHA512
3ad507a70bbf62098a8b983bc9fbdce987f5ba8035b61734f6ef0d72151dec2537b3a95ef1f85b3a51136e2dd3fecbef765370d3900e24dbfba5564596f30a3d

Download Submit
C:\Windows\System\tCcYXRx.exe

Filesize
5.2MB

MD5
71d8eb6708533cdaefe8233dedaa95c3

SHA1
33f57a37514d747f4b692249fd65e9481b1d382a

SHA256
a635aac9fe8b48f4844cc78f7d545a8fb319801f902dce3bd697c46aba3cc59e

SHA512
cd2660b57bc81fb171c37096234b4119a8baee18ad68b9d6a03de30a4ab35095e11943bf85212bba59a9f406763ea8b06c5d0f1bd6212816b0040d87076af33f

Download Submit
C:\Windows\System\tfQVSqL.exe

Filesize
5.2MB

MD5
d5a4d3662c960a913f4e9b38a6e4d049

SHA1
6b4ea7f367628c8080f1bc338a1607b20f55c2d9

SHA256
320de9ea015f19f7e4755d00abf30e9161cc1785dccad11a4481386336ce8a41

SHA512
4d1237fad5dc00f7f79b1ab58b1bd4a3e63437baed1e0afb27163eae3a9a6588196e72d25c70ccad6b41fe36e99b34a75b8fa7f60d013618964c653963464366

Download Submit
C:\Windows\System\yBRCSep.exe

Filesize
5.2MB

MD5
9ff7def3393144804b7b6a8c22fb9836

SHA1
34ec0dc98fb0f925ca6767c10a10383bb1811ea7

SHA256
8c91b01e887ab7afaa716c06920070f1dbc4d1895aeea88bbf39161a1809b22a

SHA512
90014ddcb336ae501399d51f1bf0f82c43407164aafd6fe3ee0a95b4838b021b2e83373d04d8715bfd6381339ea27b0c2c04ed89407c89d8a373da747826ef83

Download Submit
memory/116-236-0x00007FF694300000-0x00007FF694651000-memory.dmp

Filesize
3.3MB

Download
memory/116-66-0x00007FF694300000-0x00007FF694651000-memory.dmp

Filesize
3.3MB

Download
memory/116-138-0x00007FF694300000-0x00007FF694651000-memory.dmp

Filesize
3.3MB

Download
memory/704-95-0x00007FF6F7790000-0x00007FF6F7AE1000-memory.dmp

Filesize
3.3MB

Download
memory/704-247-0x00007FF6F7790000-0x00007FF6F7AE1000-memory.dmp

Filesize
3.3MB

Download
memory/704-153-0x00007FF6F7790000-0x00007FF6F7AE1000-memory.dmp

Filesize
3.3MB

Download
memory/832-86-0x00007FF675040000-0x00007FF675391000-memory.dmp

Filesize
3.3MB

Download
memory/832-242-0x00007FF675040000-0x00007FF675391000-memory.dmp

Filesize
3.3MB

Download
memory/1256-214-0x00007FF6C0840000-0x00007FF6C0B91000-memory.dmp

Filesize
3.3MB

Download
memory/1256-46-0x00007FF6C0840000-0x00007FF6C0B91000-memory.dmp

Filesize
3.3MB

Download
memory/1328-58-0x00007FF656260000-0x00007FF6565B1000-memory.dmp

Filesize
3.3MB

Download
memory/1328-219-0x00007FF656260000-0x00007FF6565B1000-memory.dmp

Filesize
3.3MB

Download
memory/1828-255-0x00007FF79F300000-0x00007FF79F651000-memory.dmp

Filesize
3.3MB

Download
memory/1828-125-0x00007FF79F300000-0x00007FF79F651000-memory.dmp

Filesize
3.3MB

Download
memory/1828-155-0x00007FF79F300000-0x00007FF79F651000-memory.dmp

Filesize
3.3MB

Download
memory/2024-216-0x00007FF613C10000-0x00007FF613F61000-memory.dmp

Filesize
3.3MB

Download
memory/2024-57-0x00007FF613C10000-0x00007FF613F61000-memory.dmp

Filesize
3.3MB

Download
memory/2044-204-0x00007FF7F4430000-0x00007FF7F4781000-memory.dmp

Filesize
3.3MB

Download
memory/2044-106-0x00007FF7F4430000-0x00007FF7F4781000-memory.dmp

Filesize
3.3MB

Download
memory/2044-10-0x00007FF7F4430000-0x00007FF7F4781000-memory.dmp

Filesize
3.3MB

Download
memory/2136-206-0x00007FF7FC590000-0x00007FF7FC8E1000-memory.dmp

Filesize
3.3MB

Download
memory/2136-29-0x00007FF7FC590000-0x00007FF7FC8E1000-memory.dmp

Filesize
3.3MB

Download
memory/2136-110-0x00007FF7FC590000-0x00007FF7FC8E1000-memory.dmp

Filesize
3.3MB

Download
memory/2240-241-0x00007FF67AF20000-0x00007FF67B271000-memory.dmp

Filesize
3.3MB

Download
memory/2240-92-0x00007FF67AF20000-0x00007FF67B271000-memory.dmp

Filesize
3.3MB

Download
memory/2360-210-0x00007FF700E70000-0x00007FF7011C1000-memory.dmp

Filesize
3.3MB

Download
memory/2360-109-0x00007FF700E70000-0x00007FF7011C1000-memory.dmp

Filesize
3.3MB

Download
memory/2360-18-0x00007FF700E70000-0x00007FF7011C1000-memory.dmp

Filesize
3.3MB

Download
memory/2988-209-0x00007FF679370000-0x00007FF6796C1000-memory.dmp

Filesize
3.3MB

Download
memory/2988-37-0x00007FF679370000-0x00007FF6796C1000-memory.dmp

Filesize
3.3MB

Download
memory/3088-222-0x00007FF673D50000-0x00007FF6740A1000-memory.dmp

Filesize
3.3MB

Download
memory/3088-54-0x00007FF673D50000-0x00007FF6740A1000-memory.dmp

Filesize
3.3MB

Download
memory/3124-141-0x00007FF7FC710000-0x00007FF7FCA61000-memory.dmp

Filesize
3.3MB

Download
memory/3124-78-0x00007FF7FC710000-0x00007FF7FCA61000-memory.dmp

Filesize
3.3MB

Download
memory/3124-1-0x000001F1CA2C0000-0x000001F1CA2D0000-memory.dmp

Filesize
64KB

Download
memory/3124-0-0x00007FF7FC710000-0x00007FF7FCA61000-memory.dmp

Filesize
3.3MB

Download
memory/3124-162-0x00007FF7FC710000-0x00007FF7FCA61000-memory.dmp

Filesize
3.3MB

Download
memory/3556-83-0x00007FF715A70000-0x00007FF715DC1000-memory.dmp

Filesize
3.3MB

Download
memory/3556-238-0x00007FF715A70000-0x00007FF715DC1000-memory.dmp

Filesize
3.3MB

Download
memory/3628-154-0x00007FF66B980000-0x00007FF66BCD1000-memory.dmp

Filesize
3.3MB

Download
memory/3628-121-0x00007FF66B980000-0x00007FF66BCD1000-memory.dmp

Filesize
3.3MB

Download
memory/3628-251-0x00007FF66B980000-0x00007FF66BCD1000-memory.dmp

Filesize
3.3MB

Download
memory/3912-248-0x00007FF7B2420000-0x00007FF7B2771000-memory.dmp

Filesize
3.3MB

Download
memory/3912-94-0x00007FF7B2420000-0x00007FF7B2771000-memory.dmp

Filesize
3.3MB

Download
memory/3912-152-0x00007FF7B2420000-0x00007FF7B2771000-memory.dmp

Filesize
3.3MB

Download
memory/4460-259-0x00007FF6C4EC0000-0x00007FF6C5211000-memory.dmp

Filesize
3.3MB

Download
memory/4460-136-0x00007FF6C4EC0000-0x00007FF6C5211000-memory.dmp

Filesize
3.3MB

Download
memory/4460-158-0x00007FF6C4EC0000-0x00007FF6C5211000-memory.dmp

Filesize
3.3MB

Download
memory/4624-127-0x00007FF782B10000-0x00007FF782E61000-memory.dmp

Filesize
3.3MB

Download
memory/4624-252-0x00007FF782B10000-0x00007FF782E61000-memory.dmp

Filesize
3.3MB

Download
memory/4624-157-0x00007FF782B10000-0x00007FF782E61000-memory.dmp

Filesize
3.3MB

Download
memory/4780-220-0x00007FF7C67A0000-0x00007FF7C6AF1000-memory.dmp

Filesize
3.3MB

Download
memory/4780-56-0x00007FF7C67A0000-0x00007FF7C6AF1000-memory.dmp

Filesize
3.3MB

Download
memory/4804-59-0x00007FF7E29F0000-0x00007FF7E2D41000-memory.dmp

Filesize
3.3MB

Download
memory/4804-224-0x00007FF7E29F0000-0x00007FF7E2D41000-memory.dmp

Filesize
3.3MB

Download
memory/4804-137-0x00007FF7E29F0000-0x00007FF7E2D41000-memory.dmp

Filesize
3.3MB

Download
memory/4832-256-0x00007FF787740000-0x00007FF787A91000-memory.dmp

Filesize
3.3MB

Download
memory/4832-131-0x00007FF787740000-0x00007FF787A91000-memory.dmp

Filesize
3.3MB

Download