cobaltstrike | 7051580a73a83ad565f1446cd385d26b72faab3b9217a3f461ff75e47f0ac5ee

Analysis

max time kernel
142s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-12-2024 03:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-19_3334ffb21ecc2955109d7f06bfd115c8_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

3334ffb21ecc2955109d7f06bfd115c8
SHA1

4963962167591ae187dfd022b024705e2da4510d
SHA256

7051580a73a83ad565f1446cd385d26b72faab3b9217a3f461ff75e47f0ac5ee
SHA512

f929e1a19b87df852727962121d68fed6d271b7a756f22b1ea17eb4ead9638181b2f2b125e727d45c9ec624b717258c811bc8efc59c305afa701b7b4e317ddb6
SSDEEP

49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lm:RWWBibd56utgpPFotBER/mQ32lUK

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0008000000023cd1-5.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cd6-23.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cd7-20.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023cd2-41.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cd9-44.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cde-64.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cdf-103.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ce7-121.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ce6-124.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ce5-119.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ce4-107.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ce3-105.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ce2-101.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ce1-99.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ce0-92.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cdd-79.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cdc-78.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cda-55.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cdb-51.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cd8-35.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cd5-16.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/2140-73-0x00007FF749E90000-0x00007FF74A1E1000-memory.dmp	xmrig
behavioral2/memory/3008-111-0x00007FF72D9A0000-0x00007FF72DCF1000-memory.dmp	xmrig
behavioral2/memory/2008-122-0x00007FF7E2EF0000-0x00007FF7E3241000-memory.dmp	xmrig
behavioral2/memory/1488-115-0x00007FF7C76C0000-0x00007FF7C7A11000-memory.dmp	xmrig
behavioral2/memory/3048-85-0x00007FF73F2C0000-0x00007FF73F611000-memory.dmp	xmrig
behavioral2/memory/2008-129-0x00007FF7E2EF0000-0x00007FF7E3241000-memory.dmp	xmrig
behavioral2/memory/3932-132-0x00007FF704FE0000-0x00007FF705331000-memory.dmp	xmrig
behavioral2/memory/4148-131-0x00007FF6D6F70000-0x00007FF6D72C1000-memory.dmp	xmrig
behavioral2/memory/4260-140-0x00007FF64C0C0000-0x00007FF64C411000-memory.dmp	xmrig
behavioral2/memory/824-146-0x00007FF6F19C0000-0x00007FF6F1D11000-memory.dmp	xmrig
behavioral2/memory/2476-143-0x00007FF7B0410000-0x00007FF7B0761000-memory.dmp	xmrig
behavioral2/memory/4488-141-0x00007FF685B50000-0x00007FF685EA1000-memory.dmp	xmrig
behavioral2/memory/5080-136-0x00007FF7EE1C0000-0x00007FF7EE511000-memory.dmp	xmrig
behavioral2/memory/5028-138-0x00007FF78DB20000-0x00007FF78DE71000-memory.dmp	xmrig
behavioral2/memory/2108-137-0x00007FF68A870000-0x00007FF68ABC1000-memory.dmp	xmrig
behavioral2/memory/1900-135-0x00007FF7C5D50000-0x00007FF7C60A1000-memory.dmp	xmrig
behavioral2/memory/5040-134-0x00007FF7FB0B0000-0x00007FF7FB401000-memory.dmp	xmrig
behavioral2/memory/4872-133-0x00007FF670760000-0x00007FF670AB1000-memory.dmp	xmrig
behavioral2/memory/916-148-0x00007FF6ED0D0000-0x00007FF6ED421000-memory.dmp	xmrig
behavioral2/memory/3972-151-0x00007FF6DA5C0000-0x00007FF6DA911000-memory.dmp	xmrig
behavioral2/memory/4896-150-0x00007FF683920000-0x00007FF683C71000-memory.dmp	xmrig
behavioral2/memory/1280-149-0x00007FF78C3D0000-0x00007FF78C721000-memory.dmp	xmrig
behavioral2/memory/3704-147-0x00007FF637970000-0x00007FF637CC1000-memory.dmp	xmrig
behavioral2/memory/2008-152-0x00007FF7E2EF0000-0x00007FF7E3241000-memory.dmp	xmrig
behavioral2/memory/3932-207-0x00007FF704FE0000-0x00007FF705331000-memory.dmp	xmrig
behavioral2/memory/4148-209-0x00007FF6D6F70000-0x00007FF6D72C1000-memory.dmp	xmrig
behavioral2/memory/4872-211-0x00007FF670760000-0x00007FF670AB1000-memory.dmp	xmrig
behavioral2/memory/5040-213-0x00007FF7FB0B0000-0x00007FF7FB401000-memory.dmp	xmrig
behavioral2/memory/1900-229-0x00007FF7C5D50000-0x00007FF7C60A1000-memory.dmp	xmrig
behavioral2/memory/5080-228-0x00007FF7EE1C0000-0x00007FF7EE511000-memory.dmp	xmrig
behavioral2/memory/2140-231-0x00007FF749E90000-0x00007FF74A1E1000-memory.dmp	xmrig
behavioral2/memory/4260-236-0x00007FF64C0C0000-0x00007FF64C411000-memory.dmp	xmrig
behavioral2/memory/3008-243-0x00007FF72D9A0000-0x00007FF72DCF1000-memory.dmp	xmrig
behavioral2/memory/1488-245-0x00007FF7C76C0000-0x00007FF7C7A11000-memory.dmp	xmrig
behavioral2/memory/824-247-0x00007FF6F19C0000-0x00007FF6F1D11000-memory.dmp	xmrig
behavioral2/memory/2476-249-0x00007FF7B0410000-0x00007FF7B0761000-memory.dmp	xmrig
behavioral2/memory/2108-242-0x00007FF68A870000-0x00007FF68ABC1000-memory.dmp	xmrig
behavioral2/memory/5028-240-0x00007FF78DB20000-0x00007FF78DE71000-memory.dmp	xmrig
behavioral2/memory/3048-238-0x00007FF73F2C0000-0x00007FF73F611000-memory.dmp	xmrig
behavioral2/memory/4488-234-0x00007FF685B50000-0x00007FF685EA1000-memory.dmp	xmrig
behavioral2/memory/916-258-0x00007FF6ED0D0000-0x00007FF6ED421000-memory.dmp	xmrig
behavioral2/memory/3972-251-0x00007FF6DA5C0000-0x00007FF6DA911000-memory.dmp	xmrig
behavioral2/memory/3704-259-0x00007FF637970000-0x00007FF637CC1000-memory.dmp	xmrig
behavioral2/memory/1280-256-0x00007FF78C3D0000-0x00007FF78C721000-memory.dmp	xmrig
behavioral2/memory/4896-253-0x00007FF683920000-0x00007FF683C71000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
3932	hjCggGf.exe
4148	NEFIzdO.exe
4872	cIMvAYo.exe
5040	vPQEBDj.exe
1900	jCsJncZ.exe
5080	MrKnyJl.exe
2108	hhekjUb.exe
5028	AulBYMa.exe
2140	zoSlXWj.exe
4260	GhPnAsA.exe
4488	HrjmiZZ.exe
3048	NNNGAgG.exe
3008	vRwiAZd.exe
1488	izAaarU.exe
824	qWQHauh.exe
2476	rqkysLk.exe
3704	rafaDFb.exe
916	NCYZtcm.exe
1280	cavpaSy.exe
4896	PpjYiDI.exe
3972	krKTVoY.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2008-0-0x00007FF7E2EF0000-0x00007FF7E3241000-memory.dmp	upx
behavioral2/files/0x0008000000023cd1-5.dat	upx
behavioral2/memory/3932-6-0x00007FF704FE0000-0x00007FF705331000-memory.dmp	upx
behavioral2/files/0x0007000000023cd6-23.dat	upx
behavioral2/files/0x0007000000023cd7-20.dat	upx
behavioral2/memory/5040-36-0x00007FF7FB0B0000-0x00007FF7FB401000-memory.dmp	upx
behavioral2/files/0x0008000000023cd2-41.dat	upx
behavioral2/files/0x0007000000023cd9-44.dat	upx
behavioral2/memory/2108-61-0x00007FF68A870000-0x00007FF68ABC1000-memory.dmp	upx
behavioral2/files/0x0007000000023cde-64.dat	upx
behavioral2/memory/2140-73-0x00007FF749E90000-0x00007FF74A1E1000-memory.dmp	upx
behavioral2/memory/824-95-0x00007FF6F19C0000-0x00007FF6F1D11000-memory.dmp	upx
behavioral2/files/0x0007000000023cdf-103.dat	upx
behavioral2/memory/3008-111-0x00007FF72D9A0000-0x00007FF72DCF1000-memory.dmp	upx
behavioral2/files/0x0007000000023ce7-121.dat	upx
behavioral2/memory/3972-126-0x00007FF6DA5C0000-0x00007FF6DA911000-memory.dmp	upx
behavioral2/files/0x0007000000023ce6-124.dat	upx
behavioral2/memory/4896-123-0x00007FF683920000-0x00007FF683C71000-memory.dmp	upx
behavioral2/memory/2008-122-0x00007FF7E2EF0000-0x00007FF7E3241000-memory.dmp	upx
behavioral2/files/0x0007000000023ce5-119.dat	upx
behavioral2/memory/1280-118-0x00007FF78C3D0000-0x00007FF78C721000-memory.dmp	upx
behavioral2/memory/1488-115-0x00007FF7C76C0000-0x00007FF7C7A11000-memory.dmp	upx
behavioral2/files/0x0007000000023ce4-107.dat	upx
behavioral2/files/0x0007000000023ce3-105.dat	upx
behavioral2/files/0x0007000000023ce2-101.dat	upx
behavioral2/files/0x0007000000023ce1-99.dat	upx
behavioral2/memory/916-98-0x00007FF6ED0D0000-0x00007FF6ED421000-memory.dmp	upx
behavioral2/memory/3704-97-0x00007FF637970000-0x00007FF637CC1000-memory.dmp	upx
behavioral2/memory/2476-96-0x00007FF7B0410000-0x00007FF7B0761000-memory.dmp	upx
behavioral2/files/0x0007000000023ce0-92.dat	upx
behavioral2/memory/3048-85-0x00007FF73F2C0000-0x00007FF73F611000-memory.dmp	upx
behavioral2/files/0x0007000000023cdd-79.dat	upx
behavioral2/files/0x0007000000023cdc-78.dat	upx
behavioral2/memory/4488-69-0x00007FF685B50000-0x00007FF685EA1000-memory.dmp	upx
behavioral2/memory/4260-62-0x00007FF64C0C0000-0x00007FF64C411000-memory.dmp	upx
behavioral2/files/0x0007000000023cda-55.dat	upx
behavioral2/files/0x0007000000023cdb-51.dat	upx
behavioral2/memory/5080-42-0x00007FF7EE1C0000-0x00007FF7EE511000-memory.dmp	upx
behavioral2/memory/5028-47-0x00007FF78DB20000-0x00007FF78DE71000-memory.dmp	upx
behavioral2/files/0x0007000000023cd8-35.dat	upx
behavioral2/memory/1900-27-0x00007FF7C5D50000-0x00007FF7C60A1000-memory.dmp	upx
behavioral2/memory/4872-26-0x00007FF670760000-0x00007FF670AB1000-memory.dmp	upx
behavioral2/files/0x0007000000023cd5-16.dat	upx
behavioral2/memory/4148-14-0x00007FF6D6F70000-0x00007FF6D72C1000-memory.dmp	upx
behavioral2/memory/2008-129-0x00007FF7E2EF0000-0x00007FF7E3241000-memory.dmp	upx
behavioral2/memory/3932-132-0x00007FF704FE0000-0x00007FF705331000-memory.dmp	upx
behavioral2/memory/4148-131-0x00007FF6D6F70000-0x00007FF6D72C1000-memory.dmp	upx
behavioral2/memory/4260-140-0x00007FF64C0C0000-0x00007FF64C411000-memory.dmp	upx
behavioral2/memory/824-146-0x00007FF6F19C0000-0x00007FF6F1D11000-memory.dmp	upx
behavioral2/memory/2476-143-0x00007FF7B0410000-0x00007FF7B0761000-memory.dmp	upx
behavioral2/memory/4488-141-0x00007FF685B50000-0x00007FF685EA1000-memory.dmp	upx
behavioral2/memory/5080-136-0x00007FF7EE1C0000-0x00007FF7EE511000-memory.dmp	upx
behavioral2/memory/5028-138-0x00007FF78DB20000-0x00007FF78DE71000-memory.dmp	upx
behavioral2/memory/2108-137-0x00007FF68A870000-0x00007FF68ABC1000-memory.dmp	upx
behavioral2/memory/1900-135-0x00007FF7C5D50000-0x00007FF7C60A1000-memory.dmp	upx
behavioral2/memory/5040-134-0x00007FF7FB0B0000-0x00007FF7FB401000-memory.dmp	upx
behavioral2/memory/4872-133-0x00007FF670760000-0x00007FF670AB1000-memory.dmp	upx
behavioral2/memory/916-148-0x00007FF6ED0D0000-0x00007FF6ED421000-memory.dmp	upx
behavioral2/memory/3972-151-0x00007FF6DA5C0000-0x00007FF6DA911000-memory.dmp	upx
behavioral2/memory/4896-150-0x00007FF683920000-0x00007FF683C71000-memory.dmp	upx
behavioral2/memory/1280-149-0x00007FF78C3D0000-0x00007FF78C721000-memory.dmp	upx
behavioral2/memory/3704-147-0x00007FF637970000-0x00007FF637CC1000-memory.dmp	upx
behavioral2/memory/2008-152-0x00007FF7E2EF0000-0x00007FF7E3241000-memory.dmp	upx
behavioral2/memory/3932-207-0x00007FF704FE0000-0x00007FF705331000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\rqkysLk.exe	2024-12-19_3334ffb21ecc2955109d7f06bfd115c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qWQHauh.exe	2024-12-19_3334ffb21ecc2955109d7f06bfd115c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PpjYiDI.exe	2024-12-19_3334ffb21ecc2955109d7f06bfd115c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\izAaarU.exe	2024-12-19_3334ffb21ecc2955109d7f06bfd115c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rafaDFb.exe	2024-12-19_3334ffb21ecc2955109d7f06bfd115c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NCYZtcm.exe	2024-12-19_3334ffb21ecc2955109d7f06bfd115c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vPQEBDj.exe	2024-12-19_3334ffb21ecc2955109d7f06bfd115c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HrjmiZZ.exe	2024-12-19_3334ffb21ecc2955109d7f06bfd115c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vRwiAZd.exe	2024-12-19_3334ffb21ecc2955109d7f06bfd115c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zoSlXWj.exe	2024-12-19_3334ffb21ecc2955109d7f06bfd115c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GhPnAsA.exe	2024-12-19_3334ffb21ecc2955109d7f06bfd115c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hjCggGf.exe	2024-12-19_3334ffb21ecc2955109d7f06bfd115c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jCsJncZ.exe	2024-12-19_3334ffb21ecc2955109d7f06bfd115c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MrKnyJl.exe	2024-12-19_3334ffb21ecc2955109d7f06bfd115c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AulBYMa.exe	2024-12-19_3334ffb21ecc2955109d7f06bfd115c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NNNGAgG.exe	2024-12-19_3334ffb21ecc2955109d7f06bfd115c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cavpaSy.exe	2024-12-19_3334ffb21ecc2955109d7f06bfd115c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\krKTVoY.exe	2024-12-19_3334ffb21ecc2955109d7f06bfd115c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NEFIzdO.exe	2024-12-19_3334ffb21ecc2955109d7f06bfd115c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cIMvAYo.exe	2024-12-19_3334ffb21ecc2955109d7f06bfd115c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hhekjUb.exe	2024-12-19_3334ffb21ecc2955109d7f06bfd115c8_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2008	2024-12-19_3334ffb21ecc2955109d7f06bfd115c8_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2008	2024-12-19_3334ffb21ecc2955109d7f06bfd115c8_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 3932	2008	2024-12-19_3334ffb21ecc2955109d7f06bfd115c8_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2008 wrote to memory of 3932	2008	2024-12-19_3334ffb21ecc2955109d7f06bfd115c8_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2008 wrote to memory of 4148	2008	2024-12-19_3334ffb21ecc2955109d7f06bfd115c8_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2008 wrote to memory of 4148	2008	2024-12-19_3334ffb21ecc2955109d7f06bfd115c8_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2008 wrote to memory of 4872	2008	2024-12-19_3334ffb21ecc2955109d7f06bfd115c8_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2008 wrote to memory of 4872	2008	2024-12-19_3334ffb21ecc2955109d7f06bfd115c8_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2008 wrote to memory of 5040	2008	2024-12-19_3334ffb21ecc2955109d7f06bfd115c8_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2008 wrote to memory of 5040	2008	2024-12-19_3334ffb21ecc2955109d7f06bfd115c8_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2008 wrote to memory of 1900	2008	2024-12-19_3334ffb21ecc2955109d7f06bfd115c8_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2008 wrote to memory of 1900	2008	2024-12-19_3334ffb21ecc2955109d7f06bfd115c8_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2008 wrote to memory of 5080	2008	2024-12-19_3334ffb21ecc2955109d7f06bfd115c8_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2008 wrote to memory of 5080	2008	2024-12-19_3334ffb21ecc2955109d7f06bfd115c8_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2008 wrote to memory of 2108	2008	2024-12-19_3334ffb21ecc2955109d7f06bfd115c8_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2008 wrote to memory of 2108	2008	2024-12-19_3334ffb21ecc2955109d7f06bfd115c8_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2008 wrote to memory of 5028	2008	2024-12-19_3334ffb21ecc2955109d7f06bfd115c8_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2008 wrote to memory of 5028	2008	2024-12-19_3334ffb21ecc2955109d7f06bfd115c8_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2008 wrote to memory of 2140	2008	2024-12-19_3334ffb21ecc2955109d7f06bfd115c8_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2008 wrote to memory of 2140	2008	2024-12-19_3334ffb21ecc2955109d7f06bfd115c8_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2008 wrote to memory of 4260	2008	2024-12-19_3334ffb21ecc2955109d7f06bfd115c8_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2008 wrote to memory of 4260	2008	2024-12-19_3334ffb21ecc2955109d7f06bfd115c8_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2008 wrote to memory of 4488	2008	2024-12-19_3334ffb21ecc2955109d7f06bfd115c8_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2008 wrote to memory of 4488	2008	2024-12-19_3334ffb21ecc2955109d7f06bfd115c8_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2008 wrote to memory of 3048	2008	2024-12-19_3334ffb21ecc2955109d7f06bfd115c8_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2008 wrote to memory of 3048	2008	2024-12-19_3334ffb21ecc2955109d7f06bfd115c8_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2008 wrote to memory of 2476	2008	2024-12-19_3334ffb21ecc2955109d7f06bfd115c8_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2008 wrote to memory of 2476	2008	2024-12-19_3334ffb21ecc2955109d7f06bfd115c8_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2008 wrote to memory of 3008	2008	2024-12-19_3334ffb21ecc2955109d7f06bfd115c8_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2008 wrote to memory of 3008	2008	2024-12-19_3334ffb21ecc2955109d7f06bfd115c8_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2008 wrote to memory of 1488	2008	2024-12-19_3334ffb21ecc2955109d7f06bfd115c8_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2008 wrote to memory of 1488	2008	2024-12-19_3334ffb21ecc2955109d7f06bfd115c8_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2008 wrote to memory of 824	2008	2024-12-19_3334ffb21ecc2955109d7f06bfd115c8_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2008 wrote to memory of 824	2008	2024-12-19_3334ffb21ecc2955109d7f06bfd115c8_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2008 wrote to memory of 3704	2008	2024-12-19_3334ffb21ecc2955109d7f06bfd115c8_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2008 wrote to memory of 3704	2008	2024-12-19_3334ffb21ecc2955109d7f06bfd115c8_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2008 wrote to memory of 916	2008	2024-12-19_3334ffb21ecc2955109d7f06bfd115c8_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2008 wrote to memory of 916	2008	2024-12-19_3334ffb21ecc2955109d7f06bfd115c8_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2008 wrote to memory of 1280	2008	2024-12-19_3334ffb21ecc2955109d7f06bfd115c8_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 2008 wrote to memory of 1280	2008	2024-12-19_3334ffb21ecc2955109d7f06bfd115c8_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 2008 wrote to memory of 4896	2008	2024-12-19_3334ffb21ecc2955109d7f06bfd115c8_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 2008 wrote to memory of 4896	2008	2024-12-19_3334ffb21ecc2955109d7f06bfd115c8_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 2008 wrote to memory of 3972	2008	2024-12-19_3334ffb21ecc2955109d7f06bfd115c8_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 2008 wrote to memory of 3972	2008	2024-12-19_3334ffb21ecc2955109d7f06bfd115c8_cobalt-strike_cobaltstrike_poet-rat.exe	106

C:\Users\Admin\AppData\Local\Temp\2024-12-19_3334ffb21ecc2955109d7f06bfd115c8_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-19_3334ffb21ecc2955109d7f06bfd115c8_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Windows\System\hjCggGf.exe
  C:\Windows\System\hjCggGf.exe
  2⤵
  - Executes dropped EXE
  PID:3932
- C:\Windows\System\NEFIzdO.exe
  C:\Windows\System\NEFIzdO.exe
  2⤵
  - Executes dropped EXE
  PID:4148
- C:\Windows\System\cIMvAYo.exe
  C:\Windows\System\cIMvAYo.exe
  2⤵
  - Executes dropped EXE
  PID:4872
- C:\Windows\System\vPQEBDj.exe
  C:\Windows\System\vPQEBDj.exe
  2⤵
  - Executes dropped EXE
  PID:5040
- C:\Windows\System\jCsJncZ.exe
  C:\Windows\System\jCsJncZ.exe
  2⤵
  - Executes dropped EXE
  PID:1900
- C:\Windows\System\MrKnyJl.exe
  C:\Windows\System\MrKnyJl.exe
  2⤵
  - Executes dropped EXE
  PID:5080
- C:\Windows\System\hhekjUb.exe
  C:\Windows\System\hhekjUb.exe
  2⤵
  - Executes dropped EXE
  PID:2108
- C:\Windows\System\AulBYMa.exe
  C:\Windows\System\AulBYMa.exe
  2⤵
  - Executes dropped EXE
  PID:5028
- C:\Windows\System\zoSlXWj.exe
  C:\Windows\System\zoSlXWj.exe
  2⤵
  - Executes dropped EXE
  PID:2140
- C:\Windows\System\GhPnAsA.exe
  C:\Windows\System\GhPnAsA.exe
  2⤵
  - Executes dropped EXE
  PID:4260
- C:\Windows\System\HrjmiZZ.exe
  C:\Windows\System\HrjmiZZ.exe
  2⤵
  - Executes dropped EXE
  PID:4488
- C:\Windows\System\NNNGAgG.exe
  C:\Windows\System\NNNGAgG.exe
  2⤵
  - Executes dropped EXE
  PID:3048
- C:\Windows\System\rqkysLk.exe
  C:\Windows\System\rqkysLk.exe
  2⤵
  - Executes dropped EXE
  PID:2476
- C:\Windows\System\vRwiAZd.exe
  C:\Windows\System\vRwiAZd.exe
  2⤵
  - Executes dropped EXE
  PID:3008
- C:\Windows\System\izAaarU.exe
  C:\Windows\System\izAaarU.exe
  2⤵
  - Executes dropped EXE
  PID:1488
- C:\Windows\System\qWQHauh.exe
  C:\Windows\System\qWQHauh.exe
  2⤵
  - Executes dropped EXE
  PID:824
- C:\Windows\System\rafaDFb.exe
  C:\Windows\System\rafaDFb.exe
  2⤵
  - Executes dropped EXE
  PID:3704
- C:\Windows\System\NCYZtcm.exe
  C:\Windows\System\NCYZtcm.exe
  2⤵
  - Executes dropped EXE
  PID:916
- C:\Windows\System\cavpaSy.exe
  C:\Windows\System\cavpaSy.exe
  2⤵
  - Executes dropped EXE
  PID:1280
- C:\Windows\System\PpjYiDI.exe
  C:\Windows\System\PpjYiDI.exe
  2⤵
  - Executes dropped EXE
  PID:4896
- C:\Windows\System\krKTVoY.exe
  C:\Windows\System\krKTVoY.exe
  2⤵
  - Executes dropped EXE
  PID:3972

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AulBYMa.exe

Filesize
5.2MB

MD5
5810091cbc24b078d55fc534f9ab57d1

SHA1
de1627548cc83396796fbd44962a5266fb6c9b2f

SHA256
4cf1a27794aeb921135db4fb8cbef154973fc8e6fd9f1c2941d615113168c21b

SHA512
e39aead64a11a4b00a5b6bd04f72b4bdd3fc64a116ad9fdc73be7e09b888ef5f3e256a2f96a1400659a7b0d140e7d5e212ec9652c57e85123fea8068ea586b29

Download Submit
C:\Windows\System\GhPnAsA.exe

Filesize
5.2MB

MD5
0f35cee40e3bd44fe69766b8694ebf5e

SHA1
4723a5a9558961873b7750d800217986af130dc2

SHA256
923f1aeed2b6ba7571531ea6839a1c35019a10015a4b3e89d94d45e24856acbd

SHA512
a0d9415a1b2210a16a6372af95f6b89c78b723ed597e6de17843077e444b75fab8c14a8634d47450412bf202a0f533cd9d717ec479eda805ddfc5a9e620a748b

Download Submit
C:\Windows\System\HrjmiZZ.exe

Filesize
5.2MB

MD5
a91eaa5b52223b12eb3ba6cb43c25f14

SHA1
dac0ce5b64d4b473861deff7976ac74792851a30

SHA256
c72cf103c2d30b417d3b75985a949b98d192fa1688c2074b9712e7f2a1a35fd0

SHA512
c45329e5965955587f1aceab36d4eda9ef87f01cf931172b0ede987f13b7ab13c515203fa6159c2ea850b00d92a11099263321ad3589ad6d0d5f2340cb74fda9

Download Submit
C:\Windows\System\MrKnyJl.exe

Filesize
5.2MB

MD5
db41fcf5c3c806bdebdc76774559aae4

SHA1
2d4755de68b80e65771007444c303ea1c05b7dd5

SHA256
e463ee7997a081eece8e42db5c8688f6eb24099510305543caf21520e16d0b16

SHA512
5acc9a715d2463e6978cea0173e3a13713b3fe52668e9b5bfd9f9e571cfcc798936570e36296364d833390672ce7ea82353062cadb84906f7f46836fac27dfb9

Download Submit
C:\Windows\System\NCYZtcm.exe

Filesize
5.2MB

MD5
3df52bc8b69223a88873b12c8cfb8777

SHA1
27877b37830a5bb0b62dd777990216f143f32833

SHA256
b4422e9b608697cef47dd9770e7bfeabd302c019f7f5068411a0ce7dec64b32b

SHA512
bb83c451c44cbcc34c01a0b976f46dd7405bfff01c103c0087a2ddaf1a47dd9b93a37f03c4c8fb5787d3f2f8178a77d5fc0c8cc14aaceeb466e2e7214b702370

Download Submit
C:\Windows\System\NEFIzdO.exe

Filesize
5.2MB

MD5
729947f37f140101753d2c1dbea128b1

SHA1
af011bfb2bd2a64a6eb4ca93daa8c9671c1d4b8e

SHA256
04fa06ad0e37ff1cc5cb7714b2e1ec36bbceb8b9f82b49c5dab2775f782aacb9

SHA512
e375510c0ab50ccab046c0a40286616b9f1c30b87e70da2bf543b7b92f30fd50f48455fec99c0609d3e43d80abac94f84e7373a0cc79570aac11f97f06723ff4

Download Submit
C:\Windows\System\NNNGAgG.exe

Filesize
5.2MB

MD5
a49a276e6daf5f2c541830246c9d0094

SHA1
cfbaaec3da8e2ede1c98518365bce26b5a05ce29

SHA256
b3b85356162f20b9a4c7fff1392d9e5ef261b4e522c20c6fb4bc3e97e3df3692

SHA512
417b8804bd0c5799d5109636675264b69703588bf4ce7efe8ce6bce83600c038ca75d2977f86dbec3816c569daf35298233db5db696ea81bd6ecf3015a57423f

Download Submit
C:\Windows\System\PpjYiDI.exe

Filesize
5.2MB

MD5
19624ba0d2aa0b471ba8977656efdd00

SHA1
b742e2c3e0a3e2c7b72040fa2faca4e8421527a8

SHA256
0e915e8e98f8b229d926ed87b8078a805307f8be78a4b2dc6fc4dbb47043a8ad

SHA512
8c90187be8a0110a310e0d22ab836328090e66d37977e852abb8a2d4773125a8616c71696e744acaed5fcbbe2a091236d1baa9ef99c14e26b08608d56395c602

Download Submit
C:\Windows\System\cIMvAYo.exe

Filesize
5.2MB

MD5
5600aab3791c36707d8d599ebb33c921

SHA1
ef1f9a137b91ad536fdcfc1cb2360d5689c58fea

SHA256
fbc619c2f2dd65c67e12e9dd3927d794fc0de99a1eb8bd3444ba05b30eb0f7ee

SHA512
7e2c46544ffded3b32431eff4f2f96e28add2be6f061db1af96c7abb54660062c9e111017af0ae0161cabd235a55d6a6e8739f79df328e4f20d2401893f9c276

Download Submit
C:\Windows\System\cavpaSy.exe

Filesize
5.2MB

MD5
a80f8e7c4dc8aabd5f76cd6da7d148b9

SHA1
0e503b1badc6ed81d44ca45ce753f3cea77a1cbe

SHA256
9eabedb44569a907dda7cc5508919de3338bacee0d5743133dbfff6104f4818f

SHA512
0d0ebc6965f2e6aac10ffca13560706b51c9467bbdcee5de7f8cd58dc2d8e746c5520792acad333c4cbbaab84cc11a63438366e7925f21eb46296484a95325ba

Download Submit
C:\Windows\System\hhekjUb.exe

Filesize
5.2MB

MD5
9da62f00ea24adc4b2390241b10bc030

SHA1
c71556c73cf3a4b6a067f3a676b143815d4d213f

SHA256
63cae0adf38625e1452f4e8598d1603a0ee6601f07af05db3b82886ca46315e0

SHA512
1954a025ab74bbde8b60979333a7d69f9e30a2cfa44acace3ebf6cba73a9e71b8d7726b9d719c95f130cb5a0bb500f9a7bfccf5d29caf8ff4591239f46ced51a

Download Submit
C:\Windows\System\hjCggGf.exe

Filesize
5.2MB

MD5
5e2d3e43940c938eb0846a65e363d8f8

SHA1
794ca78eb3ffdd01d21d9164481412f698f4ee47

SHA256
3c59744052cc1d82d194dc5de2d42d87faa0c381005b80fc21ee5901b5ff77f8

SHA512
197e8ce6501867236fcfcc9f74068d90e788483ba9361d468f114295b2b5410eb057c8022910284dcffa49f0d5d0eec1ff17cf6e2be74ae192dc7c121baf69ca

Download Submit
C:\Windows\System\izAaarU.exe

Filesize
5.2MB

MD5
d42015c0235d654eb2d0be07338fba2d

SHA1
74a43b10f0c0b43a6a22ac14fdc0c2d7958b644e

SHA256
0b972c889796552d6b2dc87a18411e41ee416027d876c997788ec32b78eef4c7

SHA512
0cc552b65386794ac8c8d692c0431bef753e89b9ffcb5e6209daeef33461fad0a5105201931201b95cf272c1e7435891a6f34d41f44a218dadf04847c3532520

Download Submit
C:\Windows\System\jCsJncZ.exe

Filesize
5.2MB

MD5
0abb73ef0c70fc6d8d3d7c24baf803f5

SHA1
d792b9cca11ab55f9d37ec8441041c4fcfdae8d4

SHA256
ab15c394772a77aaef4ea2c4c4b984cbcd4b69a3e19872c09eae4fb06be48e08

SHA512
f16c7e21c021f39974474f8b406da4ae0797992fe6791f9e818dc1b77f973ded9b45e8b2cc459448b69a54e3bf21578c4acf0695bade006c06cb43ef5e11ec7a

Download Submit
C:\Windows\System\krKTVoY.exe

Filesize
5.2MB

MD5
4f47d6e840c91ea8be53f8452be25bcd

SHA1
467d88707540246ecc3a123fd633a4dac048c147

SHA256
d40322f58c02fe4f6d41945937ad3a03fdde5f5618f18e898a386bd2e475ab1e

SHA512
0d4317fb30d5f6c2b2b67ca2d3278a851409ae1a90f82292ff8fbb41262eb0b35e0f32ea4fea750eb58c322daba4b6ae32eb241306b7ba8419938c1cd8372248

Download Submit
C:\Windows\System\qWQHauh.exe

Filesize
5.2MB

MD5
0e501253a02f4f274318ae976fa8cbfa

SHA1
14cf2db98028a02465487e908fa3edd5dadd763d

SHA256
26b27ec467c4102d6fa3dcc69191358900ff4147da436242f08cd0095060838f

SHA512
e60fb4b1fac3c63b6570075a884f6d311e92c3ee7f476a6291a537fa5492c57bcd442688a86561a3bc44b458c7e3887453c74b302c2455a512cacdc5699e87d9

Download Submit
C:\Windows\System\rafaDFb.exe

Filesize
5.2MB

MD5
e9f81b314b82fd82c3f359f7ef4ae0fc

SHA1
81e3d2ad839e5471a4c7766ac27642a4bf5653a0

SHA256
8a5ed3b82c4f6aabcd74ea5cee5d559200e0c196bf2a5acd20e78f8f625bc574

SHA512
865a4d523140bbc4bd15934f7a06a5b0c25d1196aef5e5b5be1b773be6cd543fe2e41d3dfdc6e39fcbedb6c683665af1382acb6fa6ffb3a81e1a234b94836a76

Download Submit
C:\Windows\System\rqkysLk.exe

Filesize
5.2MB

MD5
e47fe66be3be92c01b33e305e41714ac

SHA1
8a881f085b47b9e6dc97dd51560229cc1d393cf1

SHA256
2b87e77e5d5f0a9c39fc9da5642c89b9d9ca8e658493152fa29d82bff2772184

SHA512
5f3ea4079c95b1243547a46838a76eab959bef13356d1c27dcdd56194aa09f6f2bb04dd1f1dadb08dad560add753edb444bfcd1dced73f7da88cbb8678e9dc9e

Download Submit
C:\Windows\System\vPQEBDj.exe

Filesize
5.2MB

MD5
6c6600ca8adb1ea5c2fa320414c46685

SHA1
f3c809aabb481bc7143e837808e3a8df15bc5b00

SHA256
34570d0f1a28ffd0188602f2231bba57ca8eb3e801757dc24d519fa5706b47e5

SHA512
9ce83fedf53dff3e0974fb12a6032111d9686e04e20b8ecbc5aa29e3de91b6537c56a85d6535077e5099cd393c764f49123759fc47633df1425acf565fced1db

Download Submit
C:\Windows\System\vRwiAZd.exe

Filesize
5.2MB

MD5
fc3b5c57dd75ce8375cf860ad290457e

SHA1
ed7b196291257784c4a6230290438eb77e488d6c

SHA256
7227b4d597235216bd24b1d5b750ba0071689ab3a1c171f0349b09d74ff4b0f1

SHA512
df9724e23272d4c1e8ee5bd82da709f5bf57523b6e74a9a3ded99dc7fb1f783bf012a1d5018b24d37cf7612e20ab27bcdc00df1d44f3ce994593c21df67d0f6d

Download Submit
C:\Windows\System\zoSlXWj.exe

Filesize
5.2MB

MD5
a04f0fdf01418a71d0ded75bf261dab3

SHA1
43d2e294dda85e51f3a95543219bb1e7cf53921c

SHA256
0bb9791681dd9e64be69ffba446c916011f855622ecfc098946c30f6f1aa2460

SHA512
edaa798cafa2e6d4b2a94ed9b2ddee2dbd235318e4f419ecf8fd77e407f0b53c0ae72f5f1ff83271e18bffb5503b9c83fc271c89df5ce622a53e205e0d60df55

Download Submit
memory/824-95-0x00007FF6F19C0000-0x00007FF6F1D11000-memory.dmp

Filesize
3.3MB

Download
memory/824-247-0x00007FF6F19C0000-0x00007FF6F1D11000-memory.dmp

Filesize
3.3MB

Download
memory/824-146-0x00007FF6F19C0000-0x00007FF6F1D11000-memory.dmp

Filesize
3.3MB

Download
memory/916-98-0x00007FF6ED0D0000-0x00007FF6ED421000-memory.dmp

Filesize
3.3MB

Download
memory/916-258-0x00007FF6ED0D0000-0x00007FF6ED421000-memory.dmp

Filesize
3.3MB

Download
memory/916-148-0x00007FF6ED0D0000-0x00007FF6ED421000-memory.dmp

Filesize
3.3MB

Download
memory/1280-149-0x00007FF78C3D0000-0x00007FF78C721000-memory.dmp

Filesize
3.3MB

Download
memory/1280-118-0x00007FF78C3D0000-0x00007FF78C721000-memory.dmp

Filesize
3.3MB

Download
memory/1280-256-0x00007FF78C3D0000-0x00007FF78C721000-memory.dmp

Filesize
3.3MB

Download
memory/1488-115-0x00007FF7C76C0000-0x00007FF7C7A11000-memory.dmp

Filesize
3.3MB

Download
memory/1488-245-0x00007FF7C76C0000-0x00007FF7C7A11000-memory.dmp

Filesize
3.3MB

Download
memory/1900-27-0x00007FF7C5D50000-0x00007FF7C60A1000-memory.dmp

Filesize
3.3MB

Download
memory/1900-229-0x00007FF7C5D50000-0x00007FF7C60A1000-memory.dmp

Filesize
3.3MB

Download
memory/1900-135-0x00007FF7C5D50000-0x00007FF7C60A1000-memory.dmp

Filesize
3.3MB

Download
memory/2008-122-0x00007FF7E2EF0000-0x00007FF7E3241000-memory.dmp

Filesize
3.3MB

Download
memory/2008-1-0x0000026E9A290000-0x0000026E9A2A0000-memory.dmp

Filesize
64KB

Download
memory/2008-152-0x00007FF7E2EF0000-0x00007FF7E3241000-memory.dmp

Filesize
3.3MB

Download
memory/2008-129-0x00007FF7E2EF0000-0x00007FF7E3241000-memory.dmp

Filesize
3.3MB

Download
memory/2008-0-0x00007FF7E2EF0000-0x00007FF7E3241000-memory.dmp

Filesize
3.3MB

Download
memory/2108-61-0x00007FF68A870000-0x00007FF68ABC1000-memory.dmp

Filesize
3.3MB

Download
memory/2108-137-0x00007FF68A870000-0x00007FF68ABC1000-memory.dmp

Filesize
3.3MB

Download
memory/2108-242-0x00007FF68A870000-0x00007FF68ABC1000-memory.dmp

Filesize
3.3MB

Download
memory/2140-231-0x00007FF749E90000-0x00007FF74A1E1000-memory.dmp

Filesize
3.3MB

Download
memory/2140-73-0x00007FF749E90000-0x00007FF74A1E1000-memory.dmp

Filesize
3.3MB

Download
memory/2476-143-0x00007FF7B0410000-0x00007FF7B0761000-memory.dmp

Filesize
3.3MB

Download
memory/2476-96-0x00007FF7B0410000-0x00007FF7B0761000-memory.dmp

Filesize
3.3MB

Download
memory/2476-249-0x00007FF7B0410000-0x00007FF7B0761000-memory.dmp

Filesize
3.3MB

Download
memory/3008-243-0x00007FF72D9A0000-0x00007FF72DCF1000-memory.dmp

Filesize
3.3MB

Download
memory/3008-111-0x00007FF72D9A0000-0x00007FF72DCF1000-memory.dmp

Filesize
3.3MB

Download
memory/3048-85-0x00007FF73F2C0000-0x00007FF73F611000-memory.dmp

Filesize
3.3MB

Download
memory/3048-238-0x00007FF73F2C0000-0x00007FF73F611000-memory.dmp

Filesize
3.3MB

Download
memory/3704-97-0x00007FF637970000-0x00007FF637CC1000-memory.dmp

Filesize
3.3MB

Download
memory/3704-259-0x00007FF637970000-0x00007FF637CC1000-memory.dmp

Filesize
3.3MB

Download
memory/3704-147-0x00007FF637970000-0x00007FF637CC1000-memory.dmp

Filesize
3.3MB

Download
memory/3932-132-0x00007FF704FE0000-0x00007FF705331000-memory.dmp

Filesize
3.3MB

Download
memory/3932-6-0x00007FF704FE0000-0x00007FF705331000-memory.dmp

Filesize
3.3MB

Download
memory/3932-207-0x00007FF704FE0000-0x00007FF705331000-memory.dmp

Filesize
3.3MB

Download
memory/3972-126-0x00007FF6DA5C0000-0x00007FF6DA911000-memory.dmp

Filesize
3.3MB

Download
memory/3972-251-0x00007FF6DA5C0000-0x00007FF6DA911000-memory.dmp

Filesize
3.3MB

Download
memory/3972-151-0x00007FF6DA5C0000-0x00007FF6DA911000-memory.dmp

Filesize
3.3MB

Download
memory/4148-131-0x00007FF6D6F70000-0x00007FF6D72C1000-memory.dmp

Filesize
3.3MB

Download
memory/4148-209-0x00007FF6D6F70000-0x00007FF6D72C1000-memory.dmp

Filesize
3.3MB

Download
memory/4148-14-0x00007FF6D6F70000-0x00007FF6D72C1000-memory.dmp

Filesize
3.3MB

Download
memory/4260-140-0x00007FF64C0C0000-0x00007FF64C411000-memory.dmp

Filesize
3.3MB

Download
memory/4260-62-0x00007FF64C0C0000-0x00007FF64C411000-memory.dmp

Filesize
3.3MB

Download
memory/4260-236-0x00007FF64C0C0000-0x00007FF64C411000-memory.dmp

Filesize
3.3MB

Download
memory/4488-69-0x00007FF685B50000-0x00007FF685EA1000-memory.dmp

Filesize
3.3MB

Download
memory/4488-141-0x00007FF685B50000-0x00007FF685EA1000-memory.dmp

Filesize
3.3MB

Download
memory/4488-234-0x00007FF685B50000-0x00007FF685EA1000-memory.dmp

Filesize
3.3MB

Download
memory/4872-211-0x00007FF670760000-0x00007FF670AB1000-memory.dmp

Filesize
3.3MB

Download
memory/4872-133-0x00007FF670760000-0x00007FF670AB1000-memory.dmp

Filesize
3.3MB

Download
memory/4872-26-0x00007FF670760000-0x00007FF670AB1000-memory.dmp

Filesize
3.3MB

Download
memory/4896-150-0x00007FF683920000-0x00007FF683C71000-memory.dmp

Filesize
3.3MB

Download
memory/4896-253-0x00007FF683920000-0x00007FF683C71000-memory.dmp

Filesize
3.3MB

Download
memory/4896-123-0x00007FF683920000-0x00007FF683C71000-memory.dmp

Filesize
3.3MB

Download
memory/5028-240-0x00007FF78DB20000-0x00007FF78DE71000-memory.dmp

Filesize
3.3MB

Download
memory/5028-47-0x00007FF78DB20000-0x00007FF78DE71000-memory.dmp

Filesize
3.3MB

Download
memory/5028-138-0x00007FF78DB20000-0x00007FF78DE71000-memory.dmp

Filesize
3.3MB

Download
memory/5040-36-0x00007FF7FB0B0000-0x00007FF7FB401000-memory.dmp

Filesize
3.3MB

Download
memory/5040-134-0x00007FF7FB0B0000-0x00007FF7FB401000-memory.dmp

Filesize
3.3MB

Download
memory/5040-213-0x00007FF7FB0B0000-0x00007FF7FB401000-memory.dmp

Filesize
3.3MB

Download
memory/5080-42-0x00007FF7EE1C0000-0x00007FF7EE511000-memory.dmp

Filesize
3.3MB

Download
memory/5080-228-0x00007FF7EE1C0000-0x00007FF7EE511000-memory.dmp

Filesize
3.3MB

Download
memory/5080-136-0x00007FF7EE1C0000-0x00007FF7EE511000-memory.dmp

Filesize
3.3MB

Download