cobaltstrike | e48b40f21510f5d5e67c9b5dd3911b000d68fdba433c0b7074ffb2ec1771e48d

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-12-2024 03:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-19_522c94ab509bbf04ecb03696a11b33a2_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

522c94ab509bbf04ecb03696a11b33a2
SHA1

36e92c74d4c174f0cb2b2b53c8cdb011b0e26945
SHA256

e48b40f21510f5d5e67c9b5dd3911b000d68fdba433c0b7074ffb2ec1771e48d
SHA512

cd64dbe484b5db2a47e3f6ef4a57381517d4f99e4c32321f8d4169ae6fefe3d4517679624086c5969162d6a7ebfb373ad87fa0b0daf16925ebc275c84beeb61f
SSDEEP

49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l8:RWWBibd56utgpPFotBER/mQ32lUo

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000c000000023b91-5.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9c-9.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9b-15.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9e-38.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023ba4-53.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023ba3-52.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023bad-72.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023ba5-71.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba1-62.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba2-60.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba0-51.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9f-41.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9d-34.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bbd-87.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023bc2-96.dat	cobalt_reflective_dll
behavioral2/files/0x000d000000023b93-101.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023bc4-115.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bca-121.dat	cobalt_reflective_dll
behavioral2/files/0x000e000000023bc8-119.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023bc3-117.dat	cobalt_reflective_dll
behavioral2/files/0x000e000000023bb4-85.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/3412-95-0x00007FF648110000-0x00007FF648461000-memory.dmp	xmrig
behavioral2/memory/3664-94-0x00007FF795A60000-0x00007FF795DB1000-memory.dmp	xmrig
behavioral2/memory/1496-92-0x00007FF665B50000-0x00007FF665EA1000-memory.dmp	xmrig
behavioral2/memory/5116-91-0x00007FF778660000-0x00007FF7789B1000-memory.dmp	xmrig
behavioral2/memory/2296-78-0x00007FF69DF30000-0x00007FF69E281000-memory.dmp	xmrig
behavioral2/memory/2920-135-0x00007FF7F9120000-0x00007FF7F9471000-memory.dmp	xmrig
behavioral2/memory/1616-137-0x00007FF7EF870000-0x00007FF7EFBC1000-memory.dmp	xmrig
behavioral2/memory/1576-145-0x00007FF79B790000-0x00007FF79BAE1000-memory.dmp	xmrig
behavioral2/memory/1624-144-0x00007FF76BB40000-0x00007FF76BE91000-memory.dmp	xmrig
behavioral2/memory/3968-146-0x00007FF7FF7C0000-0x00007FF7FFB11000-memory.dmp	xmrig
behavioral2/memory/4108-143-0x00007FF7BE000000-0x00007FF7BE351000-memory.dmp	xmrig
behavioral2/memory/5088-142-0x00007FF7628C0000-0x00007FF762C11000-memory.dmp	xmrig
behavioral2/memory/2936-141-0x00007FF6A0B90000-0x00007FF6A0EE1000-memory.dmp	xmrig
behavioral2/memory/3220-140-0x00007FF7B9610000-0x00007FF7B9961000-memory.dmp	xmrig
behavioral2/memory/1516-139-0x00007FF6EE610000-0x00007FF6EE961000-memory.dmp	xmrig
behavioral2/memory/3396-132-0x00007FF6A0F00000-0x00007FF6A1251000-memory.dmp	xmrig
behavioral2/memory/1356-130-0x00007FF78EA80000-0x00007FF78EDD1000-memory.dmp	xmrig
behavioral2/memory/1348-129-0x00007FF7277E0000-0x00007FF727B31000-memory.dmp	xmrig
behavioral2/memory/4684-128-0x00007FF7533A0000-0x00007FF7536F1000-memory.dmp	xmrig
behavioral2/memory/3892-127-0x00007FF70EA90000-0x00007FF70EDE1000-memory.dmp	xmrig
behavioral2/memory/4640-125-0x00007FF7DB9B0000-0x00007FF7DBD01000-memory.dmp	xmrig
behavioral2/memory/3548-126-0x00007FF6AF870000-0x00007FF6AFBC1000-memory.dmp	xmrig
behavioral2/memory/3968-124-0x00007FF7FF7C0000-0x00007FF7FFB11000-memory.dmp	xmrig
behavioral2/memory/3968-147-0x00007FF7FF7C0000-0x00007FF7FFB11000-memory.dmp	xmrig
behavioral2/memory/4640-208-0x00007FF7DB9B0000-0x00007FF7DBD01000-memory.dmp	xmrig
behavioral2/memory/3548-210-0x00007FF6AF870000-0x00007FF6AFBC1000-memory.dmp	xmrig
behavioral2/memory/3892-212-0x00007FF70EA90000-0x00007FF70EDE1000-memory.dmp	xmrig
behavioral2/memory/1356-215-0x00007FF78EA80000-0x00007FF78EDD1000-memory.dmp	xmrig
behavioral2/memory/1348-218-0x00007FF7277E0000-0x00007FF727B31000-memory.dmp	xmrig
behavioral2/memory/4684-217-0x00007FF7533A0000-0x00007FF7536F1000-memory.dmp	xmrig
behavioral2/memory/3664-232-0x00007FF795A60000-0x00007FF795DB1000-memory.dmp	xmrig
behavioral2/memory/3412-242-0x00007FF648110000-0x00007FF648461000-memory.dmp	xmrig
behavioral2/memory/3220-244-0x00007FF7B9610000-0x00007FF7B9961000-memory.dmp	xmrig
behavioral2/memory/2296-240-0x00007FF69DF30000-0x00007FF69E281000-memory.dmp	xmrig
behavioral2/memory/1516-239-0x00007FF6EE610000-0x00007FF6EE961000-memory.dmp	xmrig
behavioral2/memory/3396-236-0x00007FF6A0F00000-0x00007FF6A1251000-memory.dmp	xmrig
behavioral2/memory/1496-230-0x00007FF665B50000-0x00007FF665EA1000-memory.dmp	xmrig
behavioral2/memory/5116-234-0x00007FF778660000-0x00007FF7789B1000-memory.dmp	xmrig
behavioral2/memory/2920-228-0x00007FF7F9120000-0x00007FF7F9471000-memory.dmp	xmrig
behavioral2/memory/1616-227-0x00007FF7EF870000-0x00007FF7EFBC1000-memory.dmp	xmrig
behavioral2/memory/4108-253-0x00007FF7BE000000-0x00007FF7BE351000-memory.dmp	xmrig
behavioral2/memory/2936-254-0x00007FF6A0B90000-0x00007FF6A0EE1000-memory.dmp	xmrig
behavioral2/memory/5088-251-0x00007FF7628C0000-0x00007FF762C11000-memory.dmp	xmrig
behavioral2/memory/1624-248-0x00007FF76BB40000-0x00007FF76BE91000-memory.dmp	xmrig
behavioral2/memory/1576-246-0x00007FF79B790000-0x00007FF79BAE1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4640	uMFcohV.exe
3548	ilHxOmP.exe
3892	XnmHevv.exe
4684	dCciVPN.exe
1348	kIpuKTv.exe
1356	IKRRKBS.exe
5116	mMPcpKR.exe
3396	uqFiZvu.exe
1496	VhjFICm.exe
2920	nCMtZHi.exe
2296	qsPWDCx.exe
3664	yfgyvEe.exe
1616	cTtUWyl.exe
3412	DsBNNfl.exe
1516	desaPuy.exe
3220	XMMJbzS.exe
2936	yTSgnKB.exe
5088	XHmSpDJ.exe
4108	GdqggbO.exe
1624	ChOhSeJ.exe
1576	YeKYifv.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3968-0-0x00007FF7FF7C0000-0x00007FF7FFB11000-memory.dmp	upx
behavioral2/files/0x000c000000023b91-5.dat	upx
behavioral2/files/0x000a000000023b9c-9.dat	upx
behavioral2/memory/4640-7-0x00007FF7DB9B0000-0x00007FF7DBD01000-memory.dmp	upx
behavioral2/files/0x000a000000023b9b-15.dat	upx
behavioral2/files/0x000a000000023b9e-38.dat	upx
behavioral2/files/0x000b000000023ba4-53.dat	upx
behavioral2/files/0x000b000000023ba3-52.dat	upx
behavioral2/memory/2920-73-0x00007FF7F9120000-0x00007FF7F9471000-memory.dmp	upx
behavioral2/files/0x000a000000023bad-72.dat	upx
behavioral2/files/0x000b000000023ba5-71.dat	upx
behavioral2/files/0x000a000000023ba1-62.dat	upx
behavioral2/files/0x000a000000023ba2-60.dat	upx
behavioral2/memory/3396-59-0x00007FF6A0F00000-0x00007FF6A1251000-memory.dmp	upx
behavioral2/files/0x000a000000023ba0-51.dat	upx
behavioral2/files/0x000a000000023b9f-41.dat	upx
behavioral2/memory/1356-40-0x00007FF78EA80000-0x00007FF78EDD1000-memory.dmp	upx
behavioral2/memory/1348-30-0x00007FF7277E0000-0x00007FF727B31000-memory.dmp	upx
behavioral2/files/0x000a000000023b9d-34.dat	upx
behavioral2/memory/4684-27-0x00007FF7533A0000-0x00007FF7536F1000-memory.dmp	upx
behavioral2/memory/3892-20-0x00007FF70EA90000-0x00007FF70EDE1000-memory.dmp	upx
behavioral2/memory/3548-16-0x00007FF6AF870000-0x00007FF6AFBC1000-memory.dmp	upx
behavioral2/memory/1616-79-0x00007FF7EF870000-0x00007FF7EFBC1000-memory.dmp	upx
behavioral2/files/0x0008000000023bbd-87.dat	upx
behavioral2/files/0x0009000000023bc2-96.dat	upx
behavioral2/files/0x000d000000023b93-101.dat	upx
behavioral2/files/0x0009000000023bc4-115.dat	upx
behavioral2/files/0x0008000000023bca-121.dat	upx
behavioral2/files/0x000e000000023bc8-119.dat	upx
behavioral2/files/0x0009000000023bc3-117.dat	upx
behavioral2/memory/3220-98-0x00007FF7B9610000-0x00007FF7B9961000-memory.dmp	upx
behavioral2/memory/3412-95-0x00007FF648110000-0x00007FF648461000-memory.dmp	upx
behavioral2/memory/3664-94-0x00007FF795A60000-0x00007FF795DB1000-memory.dmp	upx
behavioral2/memory/1496-92-0x00007FF665B50000-0x00007FF665EA1000-memory.dmp	upx
behavioral2/memory/5116-91-0x00007FF778660000-0x00007FF7789B1000-memory.dmp	upx
behavioral2/files/0x000e000000023bb4-85.dat	upx
behavioral2/memory/1516-84-0x00007FF6EE610000-0x00007FF6EE961000-memory.dmp	upx
behavioral2/memory/2296-78-0x00007FF69DF30000-0x00007FF69E281000-memory.dmp	upx
behavioral2/memory/2936-123-0x00007FF6A0B90000-0x00007FF6A0EE1000-memory.dmp	upx
behavioral2/memory/2920-135-0x00007FF7F9120000-0x00007FF7F9471000-memory.dmp	upx
behavioral2/memory/1616-137-0x00007FF7EF870000-0x00007FF7EFBC1000-memory.dmp	upx
behavioral2/memory/1576-145-0x00007FF79B790000-0x00007FF79BAE1000-memory.dmp	upx
behavioral2/memory/1624-144-0x00007FF76BB40000-0x00007FF76BE91000-memory.dmp	upx
behavioral2/memory/3968-146-0x00007FF7FF7C0000-0x00007FF7FFB11000-memory.dmp	upx
behavioral2/memory/4108-143-0x00007FF7BE000000-0x00007FF7BE351000-memory.dmp	upx
behavioral2/memory/5088-142-0x00007FF7628C0000-0x00007FF762C11000-memory.dmp	upx
behavioral2/memory/2936-141-0x00007FF6A0B90000-0x00007FF6A0EE1000-memory.dmp	upx
behavioral2/memory/3220-140-0x00007FF7B9610000-0x00007FF7B9961000-memory.dmp	upx
behavioral2/memory/1516-139-0x00007FF6EE610000-0x00007FF6EE961000-memory.dmp	upx
behavioral2/memory/3396-132-0x00007FF6A0F00000-0x00007FF6A1251000-memory.dmp	upx
behavioral2/memory/1356-130-0x00007FF78EA80000-0x00007FF78EDD1000-memory.dmp	upx
behavioral2/memory/1348-129-0x00007FF7277E0000-0x00007FF727B31000-memory.dmp	upx
behavioral2/memory/4684-128-0x00007FF7533A0000-0x00007FF7536F1000-memory.dmp	upx
behavioral2/memory/3892-127-0x00007FF70EA90000-0x00007FF70EDE1000-memory.dmp	upx
behavioral2/memory/4640-125-0x00007FF7DB9B0000-0x00007FF7DBD01000-memory.dmp	upx
behavioral2/memory/3548-126-0x00007FF6AF870000-0x00007FF6AFBC1000-memory.dmp	upx
behavioral2/memory/3968-124-0x00007FF7FF7C0000-0x00007FF7FFB11000-memory.dmp	upx
behavioral2/memory/3968-147-0x00007FF7FF7C0000-0x00007FF7FFB11000-memory.dmp	upx
behavioral2/memory/4640-208-0x00007FF7DB9B0000-0x00007FF7DBD01000-memory.dmp	upx
behavioral2/memory/3548-210-0x00007FF6AF870000-0x00007FF6AFBC1000-memory.dmp	upx
behavioral2/memory/3892-212-0x00007FF70EA90000-0x00007FF70EDE1000-memory.dmp	upx
behavioral2/memory/1356-215-0x00007FF78EA80000-0x00007FF78EDD1000-memory.dmp	upx
behavioral2/memory/1348-218-0x00007FF7277E0000-0x00007FF727B31000-memory.dmp	upx
behavioral2/memory/4684-217-0x00007FF7533A0000-0x00007FF7536F1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\kIpuKTv.exe	2024-12-19_522c94ab509bbf04ecb03696a11b33a2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qsPWDCx.exe	2024-12-19_522c94ab509bbf04ecb03696a11b33a2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ChOhSeJ.exe	2024-12-19_522c94ab509bbf04ecb03696a11b33a2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GdqggbO.exe	2024-12-19_522c94ab509bbf04ecb03696a11b33a2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nCMtZHi.exe	2024-12-19_522c94ab509bbf04ecb03696a11b33a2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cTtUWyl.exe	2024-12-19_522c94ab509bbf04ecb03696a11b33a2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\desaPuy.exe	2024-12-19_522c94ab509bbf04ecb03696a11b33a2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XMMJbzS.exe	2024-12-19_522c94ab509bbf04ecb03696a11b33a2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XHmSpDJ.exe	2024-12-19_522c94ab509bbf04ecb03696a11b33a2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uMFcohV.exe	2024-12-19_522c94ab509bbf04ecb03696a11b33a2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XnmHevv.exe	2024-12-19_522c94ab509bbf04ecb03696a11b33a2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VhjFICm.exe	2024-12-19_522c94ab509bbf04ecb03696a11b33a2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mMPcpKR.exe	2024-12-19_522c94ab509bbf04ecb03696a11b33a2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uqFiZvu.exe	2024-12-19_522c94ab509bbf04ecb03696a11b33a2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yfgyvEe.exe	2024-12-19_522c94ab509bbf04ecb03696a11b33a2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DsBNNfl.exe	2024-12-19_522c94ab509bbf04ecb03696a11b33a2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yTSgnKB.exe	2024-12-19_522c94ab509bbf04ecb03696a11b33a2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ilHxOmP.exe	2024-12-19_522c94ab509bbf04ecb03696a11b33a2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dCciVPN.exe	2024-12-19_522c94ab509bbf04ecb03696a11b33a2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IKRRKBS.exe	2024-12-19_522c94ab509bbf04ecb03696a11b33a2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YeKYifv.exe	2024-12-19_522c94ab509bbf04ecb03696a11b33a2_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3968	2024-12-19_522c94ab509bbf04ecb03696a11b33a2_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	3968	2024-12-19_522c94ab509bbf04ecb03696a11b33a2_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3968 wrote to memory of 4640	3968	2024-12-19_522c94ab509bbf04ecb03696a11b33a2_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 3968 wrote to memory of 4640	3968	2024-12-19_522c94ab509bbf04ecb03696a11b33a2_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 3968 wrote to memory of 3548	3968	2024-12-19_522c94ab509bbf04ecb03696a11b33a2_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3968 wrote to memory of 3548	3968	2024-12-19_522c94ab509bbf04ecb03696a11b33a2_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3968 wrote to memory of 3892	3968	2024-12-19_522c94ab509bbf04ecb03696a11b33a2_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3968 wrote to memory of 3892	3968	2024-12-19_522c94ab509bbf04ecb03696a11b33a2_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3968 wrote to memory of 4684	3968	2024-12-19_522c94ab509bbf04ecb03696a11b33a2_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3968 wrote to memory of 4684	3968	2024-12-19_522c94ab509bbf04ecb03696a11b33a2_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3968 wrote to memory of 1348	3968	2024-12-19_522c94ab509bbf04ecb03696a11b33a2_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3968 wrote to memory of 1348	3968	2024-12-19_522c94ab509bbf04ecb03696a11b33a2_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3968 wrote to memory of 1356	3968	2024-12-19_522c94ab509bbf04ecb03696a11b33a2_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3968 wrote to memory of 1356	3968	2024-12-19_522c94ab509bbf04ecb03696a11b33a2_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3968 wrote to memory of 5116	3968	2024-12-19_522c94ab509bbf04ecb03696a11b33a2_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3968 wrote to memory of 5116	3968	2024-12-19_522c94ab509bbf04ecb03696a11b33a2_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3968 wrote to memory of 3396	3968	2024-12-19_522c94ab509bbf04ecb03696a11b33a2_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3968 wrote to memory of 3396	3968	2024-12-19_522c94ab509bbf04ecb03696a11b33a2_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3968 wrote to memory of 2296	3968	2024-12-19_522c94ab509bbf04ecb03696a11b33a2_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3968 wrote to memory of 2296	3968	2024-12-19_522c94ab509bbf04ecb03696a11b33a2_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3968 wrote to memory of 1496	3968	2024-12-19_522c94ab509bbf04ecb03696a11b33a2_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3968 wrote to memory of 1496	3968	2024-12-19_522c94ab509bbf04ecb03696a11b33a2_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3968 wrote to memory of 2920	3968	2024-12-19_522c94ab509bbf04ecb03696a11b33a2_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3968 wrote to memory of 2920	3968	2024-12-19_522c94ab509bbf04ecb03696a11b33a2_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3968 wrote to memory of 3664	3968	2024-12-19_522c94ab509bbf04ecb03696a11b33a2_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3968 wrote to memory of 3664	3968	2024-12-19_522c94ab509bbf04ecb03696a11b33a2_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3968 wrote to memory of 1616	3968	2024-12-19_522c94ab509bbf04ecb03696a11b33a2_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3968 wrote to memory of 1616	3968	2024-12-19_522c94ab509bbf04ecb03696a11b33a2_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3968 wrote to memory of 3412	3968	2024-12-19_522c94ab509bbf04ecb03696a11b33a2_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3968 wrote to memory of 3412	3968	2024-12-19_522c94ab509bbf04ecb03696a11b33a2_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3968 wrote to memory of 1516	3968	2024-12-19_522c94ab509bbf04ecb03696a11b33a2_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3968 wrote to memory of 1516	3968	2024-12-19_522c94ab509bbf04ecb03696a11b33a2_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3968 wrote to memory of 3220	3968	2024-12-19_522c94ab509bbf04ecb03696a11b33a2_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3968 wrote to memory of 3220	3968	2024-12-19_522c94ab509bbf04ecb03696a11b33a2_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3968 wrote to memory of 2936	3968	2024-12-19_522c94ab509bbf04ecb03696a11b33a2_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3968 wrote to memory of 2936	3968	2024-12-19_522c94ab509bbf04ecb03696a11b33a2_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3968 wrote to memory of 5088	3968	2024-12-19_522c94ab509bbf04ecb03696a11b33a2_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3968 wrote to memory of 5088	3968	2024-12-19_522c94ab509bbf04ecb03696a11b33a2_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3968 wrote to memory of 4108	3968	2024-12-19_522c94ab509bbf04ecb03696a11b33a2_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3968 wrote to memory of 4108	3968	2024-12-19_522c94ab509bbf04ecb03696a11b33a2_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3968 wrote to memory of 1624	3968	2024-12-19_522c94ab509bbf04ecb03696a11b33a2_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3968 wrote to memory of 1624	3968	2024-12-19_522c94ab509bbf04ecb03696a11b33a2_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3968 wrote to memory of 1576	3968	2024-12-19_522c94ab509bbf04ecb03696a11b33a2_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3968 wrote to memory of 1576	3968	2024-12-19_522c94ab509bbf04ecb03696a11b33a2_cobalt-strike_cobaltstrike_poet-rat.exe	103

C:\Users\Admin\AppData\Local\Temp\2024-12-19_522c94ab509bbf04ecb03696a11b33a2_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-19_522c94ab509bbf04ecb03696a11b33a2_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3968
- C:\Windows\System\uMFcohV.exe
  C:\Windows\System\uMFcohV.exe
  2⤵
  - Executes dropped EXE
  PID:4640
- C:\Windows\System\ilHxOmP.exe
  C:\Windows\System\ilHxOmP.exe
  2⤵
  - Executes dropped EXE
  PID:3548
- C:\Windows\System\XnmHevv.exe
  C:\Windows\System\XnmHevv.exe
  2⤵
  - Executes dropped EXE
  PID:3892
- C:\Windows\System\dCciVPN.exe
  C:\Windows\System\dCciVPN.exe
  2⤵
  - Executes dropped EXE
  PID:4684
- C:\Windows\System\kIpuKTv.exe
  C:\Windows\System\kIpuKTv.exe
  2⤵
  - Executes dropped EXE
  PID:1348
- C:\Windows\System\IKRRKBS.exe
  C:\Windows\System\IKRRKBS.exe
  2⤵
  - Executes dropped EXE
  PID:1356
- C:\Windows\System\mMPcpKR.exe
  C:\Windows\System\mMPcpKR.exe
  2⤵
  - Executes dropped EXE
  PID:5116
- C:\Windows\System\uqFiZvu.exe
  C:\Windows\System\uqFiZvu.exe
  2⤵
  - Executes dropped EXE
  PID:3396
- C:\Windows\System\qsPWDCx.exe
  C:\Windows\System\qsPWDCx.exe
  2⤵
  - Executes dropped EXE
  PID:2296
- C:\Windows\System\VhjFICm.exe
  C:\Windows\System\VhjFICm.exe
  2⤵
  - Executes dropped EXE
  PID:1496
- C:\Windows\System\nCMtZHi.exe
  C:\Windows\System\nCMtZHi.exe
  2⤵
  - Executes dropped EXE
  PID:2920
- C:\Windows\System\yfgyvEe.exe
  C:\Windows\System\yfgyvEe.exe
  2⤵
  - Executes dropped EXE
  PID:3664
- C:\Windows\System\cTtUWyl.exe
  C:\Windows\System\cTtUWyl.exe
  2⤵
  - Executes dropped EXE
  PID:1616
- C:\Windows\System\DsBNNfl.exe
  C:\Windows\System\DsBNNfl.exe
  2⤵
  - Executes dropped EXE
  PID:3412
- C:\Windows\System\desaPuy.exe
  C:\Windows\System\desaPuy.exe
  2⤵
  - Executes dropped EXE
  PID:1516
- C:\Windows\System\XMMJbzS.exe
  C:\Windows\System\XMMJbzS.exe
  2⤵
  - Executes dropped EXE
  PID:3220
- C:\Windows\System\yTSgnKB.exe
  C:\Windows\System\yTSgnKB.exe
  2⤵
  - Executes dropped EXE
  PID:2936
- C:\Windows\System\XHmSpDJ.exe
  C:\Windows\System\XHmSpDJ.exe
  2⤵
  - Executes dropped EXE
  PID:5088
- C:\Windows\System\GdqggbO.exe
  C:\Windows\System\GdqggbO.exe
  2⤵
  - Executes dropped EXE
  PID:4108
- C:\Windows\System\ChOhSeJ.exe
  C:\Windows\System\ChOhSeJ.exe
  2⤵
  - Executes dropped EXE
  PID:1624
- C:\Windows\System\YeKYifv.exe
  C:\Windows\System\YeKYifv.exe
  2⤵
  - Executes dropped EXE
  PID:1576

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\ChOhSeJ.exe

Filesize
5.2MB

MD5
f7524e98f83bbdc069892188fafdac89

SHA1
a0dd2e1162a3fa285f2967f1301ffe3493e0dca0

SHA256
9a06f95739b43c186dae5a78ec0b12fc7dc3604ab534b257c7bed2c9d71110a5

SHA512
545277db635a26ab48e2f80e0cd42b34a4ca7d486c0864bc3e8afb3422d32f0045a10f270dd086f2007e5898fecdfb3cf313caa9f8a81e53d6cf062d193cccec

Download Submit
C:\Windows\System\DsBNNfl.exe

Filesize
5.2MB

MD5
d053c7656afb14e540c553f0f9e3d616

SHA1
b5cb2592a4c6cf9c3d7f60222f8aff099a29e255

SHA256
e4f6b7c08394fe6161eba35ca65a1d980de4f55d8aee90ccecc6c66491a61cf8

SHA512
d32cbc368f4b982d21c28b96b224caeec0c2477dfeff77a4a7b801fde2653682bf3dbddac475223572f6097a9aa41c285b94adbacd26c568c94c74e080268361

Download Submit
C:\Windows\System\GdqggbO.exe

Filesize
5.2MB

MD5
6e64cf5d967fe8300cd9bf19137951b0

SHA1
7bdb0097d8aebc05dcbbc9fe2ca40fd0b6f96f26

SHA256
cba3758b9321ab60800f113703b32882b285946204a07063d963e66f4baf1374

SHA512
f619f909c54122e90530735ae105befbb3caab75840e9ed1a18c3ace88e1faee3f16c5a9b8e1ff7162665c65e60ca9052203063abcd8c6ba3dabb6128d2da38c

Download Submit
C:\Windows\System\IKRRKBS.exe

Filesize
5.2MB

MD5
5b5565780733c42200c328a3bb77be9b

SHA1
acbdb503b696c4fcb506d707045230d6fed24967

SHA256
f611677cf5e484c60dd74f2c3ed3bcdbfe85436bd20d24d023675bc8426a1a32

SHA512
87ab4fd09c64ac083b2364a4d91b56c68a5b638d83b6a7a1fd597de7dc62515d4b30aaf319ecb5c9088cf88eb7be588e2f1d45e8660213b530072b44b2197daf

Download Submit
C:\Windows\System\VhjFICm.exe

Filesize
5.2MB

MD5
c8bd2560a496b630bc336ff68d6eaab4

SHA1
9f84c2a4dbf0529adad9c7cf629f2aef9185115e

SHA256
593b6ffab9f055e2a27439c147df90d5700a49ddcade9a3aa20b442c0b6c71f6

SHA512
53f17879fee081d847fe261035e3bc50d664993d944ef5dd7708fff0ff3a0cdf6d231d7ec4835efe5e592acd91e9ea0aeb15f770e254093b0fc502bd64a7849e

Download Submit
C:\Windows\System\XHmSpDJ.exe

Filesize
5.2MB

MD5
0a1efd60c11f06e6636b6f7b23ae338f

SHA1
f65c35385de758d054fb118428acf29c973c9416

SHA256
cf56ba4b5a3884c90187464936605e4fac3f7dd9d9c510ae3483b468149bb996

SHA512
d54a8b054ede46001476dafce26a598b66b6d19e16f19e21ef55b83ed1b7fc64b92fe12715a6b6b67f81c6e037eb73561517ef296da435e43a45fe8ec80acfe7

Download Submit
C:\Windows\System\XMMJbzS.exe

Filesize
5.2MB

MD5
cde62bebb805b1495848a5d855c59015

SHA1
9f8045999066aee4ca153beacc25871f27f9ed3b

SHA256
04285d3750dbed9f763fb021684fc012b6cff6664fc75a2f45c6216ccea9a45a

SHA512
79e38f2498193be50687a3de1a577af66ccd162560b9ba2c588fe5e2a27880ec6c4ba62034d46223060442750e716fc7c3f5c5304a0e054439c031d600c1ccfd

Download Submit
C:\Windows\System\XnmHevv.exe

Filesize
5.2MB

MD5
3c7674d062593dd59528bfadec08e8c2

SHA1
0cd1ba9c8fe60375b4ca891f71dec3ce75b4d2d3

SHA256
be840f36dbafbcf2f39597276d0507277a8b38289e0b494241c8a42e0330f85f

SHA512
eb02d01c823a01dd63b715413d9f74c77649868d46ed6a1d84d1cb18a2f19eedc62e5a05d5c62b948aa393ec371b4e06d672be3b74cc6e5a2f13d356a5cee2bf

Download Submit
C:\Windows\System\YeKYifv.exe

Filesize
5.2MB

MD5
0647654fe1354e52f03c2434352ae1df

SHA1
2777985bc41beef7ce235078c47ae85be04388f7

SHA256
5b365ab7768311b3d4fd34011c31f9546452daeccbf997434ce2192a19183866

SHA512
535be09e109d278509fdafe407ee77e5a46b6142eabcd90bc5f02ec2717c79c54c66c516f3c9d38d31708cc589274a74b84cf00cbb6207cd182e7400b1ad3f61

Download Submit
C:\Windows\System\cTtUWyl.exe

Filesize
5.2MB

MD5
9400158cced5aae14465f4df50169f05

SHA1
244c2508fb6f7723e2cadd8d79fc679be011c376

SHA256
a99b57aa0b751af7d166af8c2a80ea627a1dcf362d9d3fd57413b0d33c1378a5

SHA512
4b11a5c9520aea1496c1785c7ed8972d333322fb9e0d7c32ccad2c6631b751a5c8d1f75cc696af41677f08a46f9584345e02f3bb5a5af68b5b19fa106e2275b1

Download Submit
C:\Windows\System\dCciVPN.exe

Filesize
5.2MB

MD5
1a927a587a79794aaa89450462bca574

SHA1
0ffce73783be00464e7bd6e976032cf12d2c43b1

SHA256
b93d6897178aac557985b05c2f5eb24b0b0f790126ea8b34cacc0af4d2987843

SHA512
0a49f2946ec17a5bd796038951db276c971f72a8f9a8c544a15014df22cfca34ab26a536d71a7e462192dfc69564c911e8e47ae3096302da9fb811d1559a9a3f

Download Submit
C:\Windows\System\desaPuy.exe

Filesize
5.2MB

MD5
4f217c1d12d80c9f2d73da9c5669240d

SHA1
94a8aab41b20f8d0a90434fb6ee2e5707f5dacdf

SHA256
bfaa469956b918a21f80e3269a788ba01b24f4dc157d397d1b2ef34ddfa5a484

SHA512
fa60e89b816ee98b648288563438aeb58e05050a15b2004e03a8bdd1f491ec19ec5556efabef2f6f92ae9da55b224a8c63412e11d5edf00a44d43ce6a48d7b82

Download Submit
C:\Windows\System\ilHxOmP.exe

Filesize
5.2MB

MD5
d0664c4490922bfb2982ff294d42c7e6

SHA1
d73b8c60f3871c743e7ceabad1878d1cdd607ca3

SHA256
c34e85287923a821a48f48358d8b3abf6a9e1aea409b9daa98da96dabef1377d

SHA512
ea9cc6aeef4b18557276e3bc14d5f27b882c60b11477ab6712bcbe51613726183bc318f87ce97293f44114e1bcae7d73f33f796b4452b375a4545ef89953a25e

Download Submit
C:\Windows\System\kIpuKTv.exe

Filesize
5.2MB

MD5
39b83c2d59941f6c7a221786913f66a9

SHA1
baeb45deb103a9f7b24febc82e6d3f61a21f2c04

SHA256
f2dd808c0109e79641830dd9b6432fe5a312ecd31c891114641bff90eb8cf865

SHA512
5eb595f1bf7e536ab6380ea572eec4022557142ab68b9de8282b5ca5b2f2333ccacc00dd132fdc6d52160206e2d90fbdf9de20abeb379131fd1067784caf2164

Download Submit
C:\Windows\System\mMPcpKR.exe

Filesize
5.2MB

MD5
0b52ed6f3bf7f1674448932da2b91f96

SHA1
205744808540746937ca857e14668cef971fe8fe

SHA256
d32b4a79007c1d14fcb7abcbf63b93097f60aa7351e3b1b8b778fa0fb28b9150

SHA512
d0b4bbf0c4d302a67ecf7a87bd59bf6cef9d2f60b1c42693ca7c2887a28a8a390378c841413b2fdecab3877c83a7c7e447044d149733633ea87e6be2633467dc

Download Submit
C:\Windows\System\nCMtZHi.exe

Filesize
5.2MB

MD5
64bf0844a2a0c6701a6b83ec99667987

SHA1
17fd02644609edf6b913cd3f902257500e571d6c

SHA256
f47f49e3e9c3f2771c89a125b9dbe17eb6a64fa577698536e5c6a3558bc5ac7a

SHA512
48ebacd27e5d7149f894a20cc56076dca03f9822cd478b4ed43ae9ee557dd302b6ea448b2e5f2b6363694d31c89ac7180e9f969820e52b6587bb7082f22eec38

Download Submit
C:\Windows\System\qsPWDCx.exe

Filesize
5.2MB

MD5
932e55927311125c32faee9a9910e390

SHA1
80b9d1cb75650927691cc0d7be30ac4a57720642

SHA256
b51376b9da2a0ab959c6f04256bd73d52259fa046a6eb899d3d0473107b6bdb7

SHA512
1aed09596e9818cc7edb94328e5c30c3105700a77c97c5880eb8397960d149385b11a558238b238482f35ab02c0e3d17052a12c3c77882e6798cab8b3e89361e

Download Submit
C:\Windows\System\uMFcohV.exe

Filesize
5.2MB

MD5
930333dc485915c2a0d44b0fc7217dac

SHA1
48c6103daff27de6cf91b8843ab224b78b895540

SHA256
29809a1fd955f6ae6a8b75ba8fd419b1ca72ff90f82bfac17c63d331f8f0aea5

SHA512
b9b5f1e554bd69571bae8cd9de165d97a6b88b901d64d666e31eba011869a059afda81731294759db84d4ab2fa64ae471edcd97b79892df3b793896c9ef440c9

Download Submit
C:\Windows\System\uqFiZvu.exe

Filesize
5.2MB

MD5
64d90a4d6fc955afb6a534c9f448bcf2

SHA1
810390a257560093a9cab55e27464f00c95723f6

SHA256
ccd80f88d0b2c646ebc4353abaee915b833a393b863bce6df0ff0760f96c994a

SHA512
9c75e46dc14224f2980a4ff239327eae6772ff270e9a3ccfee3af99594ac423c931de8abd574dbffea7315fe92b727e4efb2dd869255298c07466dce5be80c12

Download Submit
C:\Windows\System\yTSgnKB.exe

Filesize
5.2MB

MD5
37ca8f59187d45ef00cc87e14fa74f67

SHA1
64f31074dc358153b0410a57e35e68657b656ce8

SHA256
f3a9646b7455a82b034695d23828835f029266f033360abae8bc7c419ee76daa

SHA512
573b2d2707ce8567101f05616269a91908138c98dcc034f061d6bd74b89fa0bdd4e274e591506ca3733a5dbf52c9e1d07c512ed6383182870f56390a41dc175b

Download Submit
C:\Windows\System\yfgyvEe.exe

Filesize
5.2MB

MD5
829af8d9c6b33becd32f07627b7c03f8

SHA1
66a4e3f1e7b2dbdc034c0386991fa8620e5a3d76

SHA256
f4e024d9c9e468e3a7b683fcb6788d58b6cf1974592031f8b1df009312b19bba

SHA512
1b63c1e401c6ec027b7fd8a4471fae4f47ab01eb901fb1d16d71db05253478edd5a8a411b5e36bb71347a6176904c10572a590660f2ea6c52ecc61269f6ce60e

Download Submit
memory/1348-30-0x00007FF7277E0000-0x00007FF727B31000-memory.dmp

Filesize
3.3MB

Download
memory/1348-129-0x00007FF7277E0000-0x00007FF727B31000-memory.dmp

Filesize
3.3MB

Download
memory/1348-218-0x00007FF7277E0000-0x00007FF727B31000-memory.dmp

Filesize
3.3MB

Download
memory/1356-130-0x00007FF78EA80000-0x00007FF78EDD1000-memory.dmp

Filesize
3.3MB

Download
memory/1356-40-0x00007FF78EA80000-0x00007FF78EDD1000-memory.dmp

Filesize
3.3MB

Download
memory/1356-215-0x00007FF78EA80000-0x00007FF78EDD1000-memory.dmp

Filesize
3.3MB

Download
memory/1496-230-0x00007FF665B50000-0x00007FF665EA1000-memory.dmp

Filesize
3.3MB

Download
memory/1496-92-0x00007FF665B50000-0x00007FF665EA1000-memory.dmp

Filesize
3.3MB

Download
memory/1516-84-0x00007FF6EE610000-0x00007FF6EE961000-memory.dmp

Filesize
3.3MB

Download
memory/1516-239-0x00007FF6EE610000-0x00007FF6EE961000-memory.dmp

Filesize
3.3MB

Download
memory/1516-139-0x00007FF6EE610000-0x00007FF6EE961000-memory.dmp

Filesize
3.3MB

Download
memory/1576-145-0x00007FF79B790000-0x00007FF79BAE1000-memory.dmp

Filesize
3.3MB

Download
memory/1576-246-0x00007FF79B790000-0x00007FF79BAE1000-memory.dmp

Filesize
3.3MB

Download
memory/1616-79-0x00007FF7EF870000-0x00007FF7EFBC1000-memory.dmp

Filesize
3.3MB

Download
memory/1616-227-0x00007FF7EF870000-0x00007FF7EFBC1000-memory.dmp

Filesize
3.3MB

Download
memory/1616-137-0x00007FF7EF870000-0x00007FF7EFBC1000-memory.dmp

Filesize
3.3MB

Download
memory/1624-144-0x00007FF76BB40000-0x00007FF76BE91000-memory.dmp

Filesize
3.3MB

Download
memory/1624-248-0x00007FF76BB40000-0x00007FF76BE91000-memory.dmp

Filesize
3.3MB

Download
memory/2296-78-0x00007FF69DF30000-0x00007FF69E281000-memory.dmp

Filesize
3.3MB

Download
memory/2296-240-0x00007FF69DF30000-0x00007FF69E281000-memory.dmp

Filesize
3.3MB

Download
memory/2920-73-0x00007FF7F9120000-0x00007FF7F9471000-memory.dmp

Filesize
3.3MB

Download
memory/2920-135-0x00007FF7F9120000-0x00007FF7F9471000-memory.dmp

Filesize
3.3MB

Download
memory/2920-228-0x00007FF7F9120000-0x00007FF7F9471000-memory.dmp

Filesize
3.3MB

Download
memory/2936-141-0x00007FF6A0B90000-0x00007FF6A0EE1000-memory.dmp

Filesize
3.3MB

Download
memory/2936-123-0x00007FF6A0B90000-0x00007FF6A0EE1000-memory.dmp

Filesize
3.3MB

Download
memory/2936-254-0x00007FF6A0B90000-0x00007FF6A0EE1000-memory.dmp

Filesize
3.3MB

Download
memory/3220-244-0x00007FF7B9610000-0x00007FF7B9961000-memory.dmp

Filesize
3.3MB

Download
memory/3220-140-0x00007FF7B9610000-0x00007FF7B9961000-memory.dmp

Filesize
3.3MB

Download
memory/3220-98-0x00007FF7B9610000-0x00007FF7B9961000-memory.dmp

Filesize
3.3MB

Download
memory/3396-132-0x00007FF6A0F00000-0x00007FF6A1251000-memory.dmp

Filesize
3.3MB

Download
memory/3396-236-0x00007FF6A0F00000-0x00007FF6A1251000-memory.dmp

Filesize
3.3MB

Download
memory/3396-59-0x00007FF6A0F00000-0x00007FF6A1251000-memory.dmp

Filesize
3.3MB

Download
memory/3412-95-0x00007FF648110000-0x00007FF648461000-memory.dmp

Filesize
3.3MB

Download
memory/3412-242-0x00007FF648110000-0x00007FF648461000-memory.dmp

Filesize
3.3MB

Download
memory/3548-210-0x00007FF6AF870000-0x00007FF6AFBC1000-memory.dmp

Filesize
3.3MB

Download
memory/3548-126-0x00007FF6AF870000-0x00007FF6AFBC1000-memory.dmp

Filesize
3.3MB

Download
memory/3548-16-0x00007FF6AF870000-0x00007FF6AFBC1000-memory.dmp

Filesize
3.3MB

Download
memory/3664-232-0x00007FF795A60000-0x00007FF795DB1000-memory.dmp

Filesize
3.3MB

Download
memory/3664-94-0x00007FF795A60000-0x00007FF795DB1000-memory.dmp

Filesize
3.3MB

Download
memory/3892-20-0x00007FF70EA90000-0x00007FF70EDE1000-memory.dmp

Filesize
3.3MB

Download
memory/3892-212-0x00007FF70EA90000-0x00007FF70EDE1000-memory.dmp

Filesize
3.3MB

Download
memory/3892-127-0x00007FF70EA90000-0x00007FF70EDE1000-memory.dmp

Filesize
3.3MB

Download
memory/3968-0-0x00007FF7FF7C0000-0x00007FF7FFB11000-memory.dmp

Filesize
3.3MB

Download
memory/3968-147-0x00007FF7FF7C0000-0x00007FF7FFB11000-memory.dmp

Filesize
3.3MB

Download
memory/3968-1-0x000002412A700000-0x000002412A710000-memory.dmp

Filesize
64KB

Download
memory/3968-124-0x00007FF7FF7C0000-0x00007FF7FFB11000-memory.dmp

Filesize
3.3MB

Download
memory/3968-146-0x00007FF7FF7C0000-0x00007FF7FFB11000-memory.dmp

Filesize
3.3MB

Download
memory/4108-143-0x00007FF7BE000000-0x00007FF7BE351000-memory.dmp

Filesize
3.3MB

Download
memory/4108-253-0x00007FF7BE000000-0x00007FF7BE351000-memory.dmp

Filesize
3.3MB

Download
memory/4640-125-0x00007FF7DB9B0000-0x00007FF7DBD01000-memory.dmp

Filesize
3.3MB

Download
memory/4640-7-0x00007FF7DB9B0000-0x00007FF7DBD01000-memory.dmp

Filesize
3.3MB

Download
memory/4640-208-0x00007FF7DB9B0000-0x00007FF7DBD01000-memory.dmp

Filesize
3.3MB

Download
memory/4684-128-0x00007FF7533A0000-0x00007FF7536F1000-memory.dmp

Filesize
3.3MB

Download
memory/4684-27-0x00007FF7533A0000-0x00007FF7536F1000-memory.dmp

Filesize
3.3MB

Download
memory/4684-217-0x00007FF7533A0000-0x00007FF7536F1000-memory.dmp

Filesize
3.3MB

Download
memory/5088-142-0x00007FF7628C0000-0x00007FF762C11000-memory.dmp

Filesize
3.3MB

Download
memory/5088-251-0x00007FF7628C0000-0x00007FF762C11000-memory.dmp

Filesize
3.3MB

Download
memory/5116-91-0x00007FF778660000-0x00007FF7789B1000-memory.dmp

Filesize
3.3MB

Download
memory/5116-234-0x00007FF778660000-0x00007FF7789B1000-memory.dmp

Filesize
3.3MB

Download