cobaltstrike | b5d3be6cba78aee7ba3df63bfb8b2c6a84024c2718969866e9061ce58e54616a

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19/12/2024, 04:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

bcf1415bacf01105d7ddad34bc6b69d1
SHA1

0084f4c8996a69b7eea02abb74f49c4d9b41863c
SHA256

b5d3be6cba78aee7ba3df63bfb8b2c6a84024c2718969866e9061ce58e54616a
SHA512

0540bbd2a39debffc8aa5da0a1e6a1af383f7912f2e5306750dc0e6ebab2070ea32c58b44c29e11625107a660f8a0ee526b869527294db75bf42329a70c93c49
SSDEEP

49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l8:RWWBibd56utgpPFotBER/mQ32lUo

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000b000000023b8e-5.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b93-14.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b92-11.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b94-22.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b96-34.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b99-48.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b98-58.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9b-79.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9e-77.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9a-70.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9c-65.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba2-106.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba4-128.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba3-120.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba1-114.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba0-113.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b8f-96.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9f-94.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9d-89.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b95-47.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b97-46.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/4872-119-0x00007FF6A7100000-0x00007FF6A7451000-memory.dmp	xmrig
behavioral2/memory/3776-126-0x00007FF7D3AA0000-0x00007FF7D3DF1000-memory.dmp	xmrig
behavioral2/memory/2216-125-0x00007FF6B4280000-0x00007FF6B45D1000-memory.dmp	xmrig
behavioral2/memory/3784-123-0x00007FF608550000-0x00007FF6088A1000-memory.dmp	xmrig
behavioral2/memory/4808-107-0x00007FF71EF90000-0x00007FF71F2E1000-memory.dmp	xmrig
behavioral2/memory/320-101-0x00007FF7C0480000-0x00007FF7C07D1000-memory.dmp	xmrig
behavioral2/memory/812-44-0x00007FF6A6AA0000-0x00007FF6A6DF1000-memory.dmp	xmrig
behavioral2/memory/2764-39-0x00007FF72F450000-0x00007FF72F7A1000-memory.dmp	xmrig
behavioral2/memory/2584-131-0x00007FF7459B0000-0x00007FF745D01000-memory.dmp	xmrig
behavioral2/memory/4888-133-0x00007FF647A80000-0x00007FF647DD1000-memory.dmp	xmrig
behavioral2/memory/1160-132-0x00007FF715580000-0x00007FF7158D1000-memory.dmp	xmrig
behavioral2/memory/4872-134-0x00007FF6A7100000-0x00007FF6A7451000-memory.dmp	xmrig
behavioral2/memory/4968-140-0x00007FF64E4D0000-0x00007FF64E821000-memory.dmp	xmrig
behavioral2/memory/2264-142-0x00007FF7BED60000-0x00007FF7BF0B1000-memory.dmp	xmrig
behavioral2/memory/1440-143-0x00007FF76CE70000-0x00007FF76D1C1000-memory.dmp	xmrig
behavioral2/memory/4764-146-0x00007FF7B4FE0000-0x00007FF7B5331000-memory.dmp	xmrig
behavioral2/memory/2360-151-0x00007FF79D210000-0x00007FF79D561000-memory.dmp	xmrig
behavioral2/memory/3068-150-0x00007FF79EB50000-0x00007FF79EEA1000-memory.dmp	xmrig
behavioral2/memory/1460-155-0x00007FF7DFC80000-0x00007FF7DFFD1000-memory.dmp	xmrig
behavioral2/memory/3500-148-0x00007FF768E00000-0x00007FF769151000-memory.dmp	xmrig
behavioral2/memory/32-156-0x00007FF7ABAE0000-0x00007FF7ABE31000-memory.dmp	xmrig
behavioral2/memory/2772-158-0x00007FF6A4D50000-0x00007FF6A50A1000-memory.dmp	xmrig
behavioral2/memory/3080-157-0x00007FF65E7C0000-0x00007FF65EB11000-memory.dmp	xmrig
behavioral2/memory/4872-159-0x00007FF6A7100000-0x00007FF6A7451000-memory.dmp	xmrig
behavioral2/memory/2216-220-0x00007FF6B4280000-0x00007FF6B45D1000-memory.dmp	xmrig
behavioral2/memory/3776-222-0x00007FF7D3AA0000-0x00007FF7D3DF1000-memory.dmp	xmrig
behavioral2/memory/2764-224-0x00007FF72F450000-0x00007FF72F7A1000-memory.dmp	xmrig
behavioral2/memory/2584-226-0x00007FF7459B0000-0x00007FF745D01000-memory.dmp	xmrig
behavioral2/memory/812-228-0x00007FF6A6AA0000-0x00007FF6A6DF1000-memory.dmp	xmrig
behavioral2/memory/4888-230-0x00007FF647A80000-0x00007FF647DD1000-memory.dmp	xmrig
behavioral2/memory/1160-232-0x00007FF715580000-0x00007FF7158D1000-memory.dmp	xmrig
behavioral2/memory/4968-234-0x00007FF64E4D0000-0x00007FF64E821000-memory.dmp	xmrig
behavioral2/memory/4764-242-0x00007FF7B4FE0000-0x00007FF7B5331000-memory.dmp	xmrig
behavioral2/memory/2264-244-0x00007FF7BED60000-0x00007FF7BF0B1000-memory.dmp	xmrig
behavioral2/memory/3500-246-0x00007FF768E00000-0x00007FF769151000-memory.dmp	xmrig
behavioral2/memory/2360-248-0x00007FF79D210000-0x00007FF79D561000-memory.dmp	xmrig
behavioral2/memory/320-252-0x00007FF7C0480000-0x00007FF7C07D1000-memory.dmp	xmrig
behavioral2/memory/4808-251-0x00007FF71EF90000-0x00007FF71F2E1000-memory.dmp	xmrig
behavioral2/memory/1440-258-0x00007FF76CE70000-0x00007FF76D1C1000-memory.dmp	xmrig
behavioral2/memory/3784-256-0x00007FF608550000-0x00007FF6088A1000-memory.dmp	xmrig
behavioral2/memory/32-264-0x00007FF7ABAE0000-0x00007FF7ABE31000-memory.dmp	xmrig
behavioral2/memory/2772-263-0x00007FF6A4D50000-0x00007FF6A50A1000-memory.dmp	xmrig
behavioral2/memory/3068-260-0x00007FF79EB50000-0x00007FF79EEA1000-memory.dmp	xmrig
behavioral2/memory/1460-255-0x00007FF7DFC80000-0x00007FF7DFFD1000-memory.dmp	xmrig
behavioral2/memory/3080-266-0x00007FF65E7C0000-0x00007FF65EB11000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2216	YcAsEDg.exe
3776	mpNmIYm.exe
2584	TKexWtw.exe
2764	rEDSAAu.exe
1160	pftNCCp.exe
812	ttAVUDn.exe
4888	pXPrLrn.exe
4968	CNkAvTM.exe
4764	rWKkosM.exe
2264	pgUHqpL.exe
3500	tJYiVUk.exe
1440	tvwiGmB.exe
3068	DYieKEp.exe
2360	xhrnXxq.exe
320	HioSlDg.exe
4808	zjBXhNd.exe
3784	AoaxGZY.exe
1460	EEguWJl.exe
32	HgxSlcA.exe
3080	MSSUYII.exe
2772	Jbjndtc.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4872-0-0x00007FF6A7100000-0x00007FF6A7451000-memory.dmp	upx
behavioral2/files/0x000b000000023b8e-5.dat	upx
behavioral2/memory/2216-6-0x00007FF6B4280000-0x00007FF6B45D1000-memory.dmp	upx
behavioral2/files/0x000a000000023b93-14.dat	upx
behavioral2/files/0x000a000000023b92-11.dat	upx
behavioral2/files/0x000a000000023b94-22.dat	upx
behavioral2/files/0x000a000000023b96-34.dat	upx
behavioral2/files/0x000a000000023b99-48.dat	upx
behavioral2/files/0x000a000000023b98-58.dat	upx
behavioral2/memory/2264-66-0x00007FF7BED60000-0x00007FF7BF0B1000-memory.dmp	upx
behavioral2/memory/1440-74-0x00007FF76CE70000-0x00007FF76D1C1000-memory.dmp	upx
behavioral2/memory/3500-81-0x00007FF768E00000-0x00007FF769151000-memory.dmp	upx
behavioral2/memory/3068-82-0x00007FF79EB50000-0x00007FF79EEA1000-memory.dmp	upx
behavioral2/memory/2360-83-0x00007FF79D210000-0x00007FF79D561000-memory.dmp	upx
behavioral2/files/0x000a000000023b9b-79.dat	upx
behavioral2/files/0x000a000000023b9e-77.dat	upx
behavioral2/files/0x000a000000023b9a-70.dat	upx
behavioral2/files/0x000a000000023b9c-65.dat	upx
behavioral2/files/0x000a000000023ba2-106.dat	upx
behavioral2/memory/1460-111-0x00007FF7DFC80000-0x00007FF7DFFD1000-memory.dmp	upx
behavioral2/memory/4872-119-0x00007FF6A7100000-0x00007FF6A7451000-memory.dmp	upx
behavioral2/memory/3776-126-0x00007FF7D3AA0000-0x00007FF7D3DF1000-memory.dmp	upx
behavioral2/files/0x000a000000023ba4-128.dat	upx
behavioral2/memory/2772-127-0x00007FF6A4D50000-0x00007FF6A50A1000-memory.dmp	upx
behavioral2/memory/2216-125-0x00007FF6B4280000-0x00007FF6B45D1000-memory.dmp	upx
behavioral2/memory/3080-124-0x00007FF65E7C0000-0x00007FF65EB11000-memory.dmp	upx
behavioral2/memory/3784-123-0x00007FF608550000-0x00007FF6088A1000-memory.dmp	upx
behavioral2/files/0x000a000000023ba3-120.dat	upx
behavioral2/files/0x000a000000023ba1-114.dat	upx
behavioral2/files/0x000a000000023ba0-113.dat	upx
behavioral2/memory/32-112-0x00007FF7ABAE0000-0x00007FF7ABE31000-memory.dmp	upx
behavioral2/memory/4808-107-0x00007FF71EF90000-0x00007FF71F2E1000-memory.dmp	upx
behavioral2/memory/320-101-0x00007FF7C0480000-0x00007FF7C07D1000-memory.dmp	upx
behavioral2/files/0x000b000000023b8f-96.dat	upx
behavioral2/files/0x000a000000023b9f-94.dat	upx
behavioral2/files/0x000a000000023b9d-89.dat	upx
behavioral2/memory/4764-62-0x00007FF7B4FE0000-0x00007FF7B5331000-memory.dmp	upx
behavioral2/memory/4968-52-0x00007FF64E4D0000-0x00007FF64E821000-memory.dmp	upx
behavioral2/files/0x000a000000023b95-47.dat	upx
behavioral2/memory/812-44-0x00007FF6A6AA0000-0x00007FF6A6DF1000-memory.dmp	upx
behavioral2/memory/4888-42-0x00007FF647A80000-0x00007FF647DD1000-memory.dmp	upx
behavioral2/files/0x000a000000023b97-46.dat	upx
behavioral2/memory/2764-39-0x00007FF72F450000-0x00007FF72F7A1000-memory.dmp	upx
behavioral2/memory/1160-29-0x00007FF715580000-0x00007FF7158D1000-memory.dmp	upx
behavioral2/memory/2584-28-0x00007FF7459B0000-0x00007FF745D01000-memory.dmp	upx
behavioral2/memory/3776-17-0x00007FF7D3AA0000-0x00007FF7D3DF1000-memory.dmp	upx
behavioral2/memory/2584-131-0x00007FF7459B0000-0x00007FF745D01000-memory.dmp	upx
behavioral2/memory/4888-133-0x00007FF647A80000-0x00007FF647DD1000-memory.dmp	upx
behavioral2/memory/1160-132-0x00007FF715580000-0x00007FF7158D1000-memory.dmp	upx
behavioral2/memory/4872-134-0x00007FF6A7100000-0x00007FF6A7451000-memory.dmp	upx
behavioral2/memory/4968-140-0x00007FF64E4D0000-0x00007FF64E821000-memory.dmp	upx
behavioral2/memory/2264-142-0x00007FF7BED60000-0x00007FF7BF0B1000-memory.dmp	upx
behavioral2/memory/1440-143-0x00007FF76CE70000-0x00007FF76D1C1000-memory.dmp	upx
behavioral2/memory/4764-146-0x00007FF7B4FE0000-0x00007FF7B5331000-memory.dmp	upx
behavioral2/memory/2360-151-0x00007FF79D210000-0x00007FF79D561000-memory.dmp	upx
behavioral2/memory/3068-150-0x00007FF79EB50000-0x00007FF79EEA1000-memory.dmp	upx
behavioral2/memory/1460-155-0x00007FF7DFC80000-0x00007FF7DFFD1000-memory.dmp	upx
behavioral2/memory/3500-148-0x00007FF768E00000-0x00007FF769151000-memory.dmp	upx
behavioral2/memory/32-156-0x00007FF7ABAE0000-0x00007FF7ABE31000-memory.dmp	upx
behavioral2/memory/2772-158-0x00007FF6A4D50000-0x00007FF6A50A1000-memory.dmp	upx
behavioral2/memory/3080-157-0x00007FF65E7C0000-0x00007FF65EB11000-memory.dmp	upx
behavioral2/memory/4872-159-0x00007FF6A7100000-0x00007FF6A7451000-memory.dmp	upx
behavioral2/memory/2216-220-0x00007FF6B4280000-0x00007FF6B45D1000-memory.dmp	upx
behavioral2/memory/3776-222-0x00007FF7D3AA0000-0x00007FF7D3DF1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\pftNCCp.exe	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xhrnXxq.exe	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EEguWJl.exe	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ttAVUDn.exe	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rWKkosM.exe	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pgUHqpL.exe	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AoaxGZY.exe	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HgxSlcA.exe	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rEDSAAu.exe	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tvwiGmB.exe	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\Jbjndtc.exe	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YcAsEDg.exe	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mpNmIYm.exe	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TKexWtw.exe	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pXPrLrn.exe	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CNkAvTM.exe	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tJYiVUk.exe	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DYieKEp.exe	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zjBXhNd.exe	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HioSlDg.exe	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MSSUYII.exe	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4872	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4872	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4872 wrote to memory of 2216	4872	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 4872 wrote to memory of 2216	4872	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 4872 wrote to memory of 3776	4872	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4872 wrote to memory of 3776	4872	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4872 wrote to memory of 2584	4872	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4872 wrote to memory of 2584	4872	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4872 wrote to memory of 2764	4872	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4872 wrote to memory of 2764	4872	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4872 wrote to memory of 1160	4872	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4872 wrote to memory of 1160	4872	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4872 wrote to memory of 812	4872	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4872 wrote to memory of 812	4872	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4872 wrote to memory of 4888	4872	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4872 wrote to memory of 4888	4872	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4872 wrote to memory of 4968	4872	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4872 wrote to memory of 4968	4872	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4872 wrote to memory of 4764	4872	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4872 wrote to memory of 4764	4872	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4872 wrote to memory of 2264	4872	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4872 wrote to memory of 2264	4872	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4872 wrote to memory of 3500	4872	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4872 wrote to memory of 3500	4872	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4872 wrote to memory of 1440	4872	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4872 wrote to memory of 1440	4872	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4872 wrote to memory of 3068	4872	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4872 wrote to memory of 3068	4872	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4872 wrote to memory of 2360	4872	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4872 wrote to memory of 2360	4872	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4872 wrote to memory of 4808	4872	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4872 wrote to memory of 4808	4872	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4872 wrote to memory of 320	4872	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4872 wrote to memory of 320	4872	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4872 wrote to memory of 3784	4872	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4872 wrote to memory of 3784	4872	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4872 wrote to memory of 1460	4872	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4872 wrote to memory of 1460	4872	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4872 wrote to memory of 32	4872	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4872 wrote to memory of 32	4872	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4872 wrote to memory of 3080	4872	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4872 wrote to memory of 3080	4872	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4872 wrote to memory of 2772	4872	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4872 wrote to memory of 2772	4872	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe	103

C:\Users\Admin\AppData\Local\Temp\2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4872
- C:\Windows\System\YcAsEDg.exe
  C:\Windows\System\YcAsEDg.exe
  2⤵
  - Executes dropped EXE
  PID:2216
- C:\Windows\System\mpNmIYm.exe
  C:\Windows\System\mpNmIYm.exe
  2⤵
  - Executes dropped EXE
  PID:3776
- C:\Windows\System\TKexWtw.exe
  C:\Windows\System\TKexWtw.exe
  2⤵
  - Executes dropped EXE
  PID:2584
- C:\Windows\System\rEDSAAu.exe
  C:\Windows\System\rEDSAAu.exe
  2⤵
  - Executes dropped EXE
  PID:2764
- C:\Windows\System\pftNCCp.exe
  C:\Windows\System\pftNCCp.exe
  2⤵
  - Executes dropped EXE
  PID:1160
- C:\Windows\System\ttAVUDn.exe
  C:\Windows\System\ttAVUDn.exe
  2⤵
  - Executes dropped EXE
  PID:812
- C:\Windows\System\pXPrLrn.exe
  C:\Windows\System\pXPrLrn.exe
  2⤵
  - Executes dropped EXE
  PID:4888
- C:\Windows\System\CNkAvTM.exe
  C:\Windows\System\CNkAvTM.exe
  2⤵
  - Executes dropped EXE
  PID:4968
- C:\Windows\System\rWKkosM.exe
  C:\Windows\System\rWKkosM.exe
  2⤵
  - Executes dropped EXE
  PID:4764
- C:\Windows\System\pgUHqpL.exe
  C:\Windows\System\pgUHqpL.exe
  2⤵
  - Executes dropped EXE
  PID:2264
- C:\Windows\System\tJYiVUk.exe
  C:\Windows\System\tJYiVUk.exe
  2⤵
  - Executes dropped EXE
  PID:3500
- C:\Windows\System\tvwiGmB.exe
  C:\Windows\System\tvwiGmB.exe
  2⤵
  - Executes dropped EXE
  PID:1440
- C:\Windows\System\DYieKEp.exe
  C:\Windows\System\DYieKEp.exe
  2⤵
  - Executes dropped EXE
  PID:3068
- C:\Windows\System\xhrnXxq.exe
  C:\Windows\System\xhrnXxq.exe
  2⤵
  - Executes dropped EXE
  PID:2360
- C:\Windows\System\zjBXhNd.exe
  C:\Windows\System\zjBXhNd.exe
  2⤵
  - Executes dropped EXE
  PID:4808
- C:\Windows\System\HioSlDg.exe
  C:\Windows\System\HioSlDg.exe
  2⤵
  - Executes dropped EXE
  PID:320
- C:\Windows\System\AoaxGZY.exe
  C:\Windows\System\AoaxGZY.exe
  2⤵
  - Executes dropped EXE
  PID:3784
- C:\Windows\System\EEguWJl.exe
  C:\Windows\System\EEguWJl.exe
  2⤵
  - Executes dropped EXE
  PID:1460
- C:\Windows\System\HgxSlcA.exe
  C:\Windows\System\HgxSlcA.exe
  2⤵
  - Executes dropped EXE
  PID:32
- C:\Windows\System\MSSUYII.exe
  C:\Windows\System\MSSUYII.exe
  2⤵
  - Executes dropped EXE
  PID:3080
- C:\Windows\System\Jbjndtc.exe
  C:\Windows\System\Jbjndtc.exe
  2⤵
  - Executes dropped EXE
  PID:2772

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AoaxGZY.exe

Filesize
5.2MB

MD5
b2412e2e49df4385affd879ee29021cd

SHA1
cdaa8d9f255285fa118c2630f0365648edfc5827

SHA256
031d21e2a5a88963bcd4a310c4077a434119206acea091e26ba05e4885986f86

SHA512
1cc9336ea658df0851946f0565bc3253b6a6059f00826e040c68ec4a5858d122c8672d5898095e2a2f501f9ede0038acbb3f458a5b2d88266951af1755905276

Download Submit
C:\Windows\System\CNkAvTM.exe

Filesize
5.2MB

MD5
1946e25f2287886fefda4c3384f97e6e

SHA1
0b1a1ba7abf51c0dd510176c7cb11eb3fa22c178

SHA256
08d48d585096df71004c35620de0b344c208cd95645a16cb6d3272da717fbe38

SHA512
8108af3414ad8669c4117d315269d8b7044f981dd634bc90e1cea04e69938b5b2015e875f692bfaa111c53e119a7d3997301689f78be73f40c5edb01f5250ae6

Download Submit
C:\Windows\System\DYieKEp.exe

Filesize
5.2MB

MD5
faee07b28822710cb2b446f8c1b9145c

SHA1
e9d1de1aa911cda2a5f97debf446ff67136273a3

SHA256
2f07fa34540063ff9cad5f7d28116b13a7882a1f58ac22d530e4f8e72e05bd7a

SHA512
162cd47f8d82be9c6b27aa497a9daa669c2584cec5e9d0d405fe3a4548b0c57710de7b17451ec268de0e29410646ff16cc7bdf702f0b0263728e3ec7641891a8

Download Submit
C:\Windows\System\EEguWJl.exe

Filesize
5.2MB

MD5
5982483eebc0204846c22a0a5719b25e

SHA1
5ba931453f4aea79e1403e64aa60e6110d914e84

SHA256
432dab810ecee6b5bc6cb6080e54d7564104d7368f967c7fdc11f6bdbc49b7b3

SHA512
e7efa98bcc6e6b3f8353f4ce5d4c339b6b7ae2c898f26b83a5bf540a679860843e4fcbb8dd025af416a4dec863d5f33df6ebddc256c050179022e5c61700c4b7

Download Submit
C:\Windows\System\HgxSlcA.exe

Filesize
5.2MB

MD5
de43c29e7f3381d93025fe31e0a32aa3

SHA1
0c2bfc87a1cd11de78a80354a79b7e2cc84b112f

SHA256
2c2fef8a07c204b850eeb6fa502ff1ac97fd63984a4bb5e28c43addef4e12700

SHA512
1fef74ef05cdf40389c9d4aa2989b520967082d2105cc2fb2966c4bd2ce00021a2a60678e3cfe4d637e26a7376fe20c79edaec5dea08c5bbc0cc9b1ac18a86b7

Download Submit
C:\Windows\System\HioSlDg.exe

Filesize
5.2MB

MD5
ef4a2b00db076c0187eb6f35d770654c

SHA1
4a0939adff42e77da43e0d7e758da88d5d7f7cc6

SHA256
6ee929e15e43ab1e6b806e646565cc789e7d70c2a550eda044dce42f1f86944c

SHA512
281437f0b1b902d5474e508d7fa392e078ec6eb29dd8053e87fab6f2258e962a2bb25c5720c8811e36fac51974bb780b919fb00950594ce193ed18feae85a7c1

Download Submit
C:\Windows\System\Jbjndtc.exe

Filesize
5.2MB

MD5
8a5678897b9487ff7660db8fc47d3154

SHA1
ac07bdab748e225ed1a6fe4393e5402e7e77d3ca

SHA256
140ed61751c2907b195418db7c1ef3fd337893d18857a14d8112edec5f85aa1a

SHA512
974d9daff2343d5ba5bc9ca4d627034848fcf5c4e78433aecee3e4f2c585a6c7c70b83f1c5701a1e970a0b232c094d999d2983aa05a2a92fc6700f799aee0c14

Download Submit
C:\Windows\System\MSSUYII.exe

Filesize
5.2MB

MD5
eca68a2f0b3808eff49351803713e9ff

SHA1
fad6a60d861c320c39a783c652fa458320c67c81

SHA256
7bfefde6c3313996c77287d8820d299b92c9267528635b23fd7399a774db62f5

SHA512
c682839528728eb7b9a6f1d14eeed738d783bb6a74a5d6868cab2fd3aee39362bbdcb8b7587c0abe8d2f0f544322f0749a231a57de836f12c622d7f3572184c0

Download Submit
C:\Windows\System\TKexWtw.exe

Filesize
5.2MB

MD5
9f063442304a783599ac3c43f368c3af

SHA1
f5e2dc31803f3872d2068b0207b06033a83c0efb

SHA256
c4cfd743cf3fdbc36bf82595787d75580754825427c4b97b720e38271ad723c8

SHA512
84e7e0e70485aa08d28659f1af930ae0c2357eae8e44f0869ed78c2802dca0fdc2ebe5555200b5962c316a51a6aee848f9db56fa6a12239895e0f1786edde36f

Download Submit
C:\Windows\System\YcAsEDg.exe

Filesize
5.2MB

MD5
bd6bbf4e819d447ea9f3ffb5e76dc6a0

SHA1
0afdb1e359f5d2e13ff48fe24b34c908ce51e275

SHA256
29ddb3c661a3f3d3b4b8229086b6c4fefb057e680a2641b1b7f976d5e88e24af

SHA512
2a257286bb99e4933392312ef484efdd114480a9bc39ac9b66d80f8cc92aacdf395629c6f07695e37c1f371ff66bd5733ab92fca99bf611562fe80168b4de284

Download Submit
C:\Windows\System\mpNmIYm.exe

Filesize
5.2MB

MD5
7c86194897a861c3e04238bce44a3f83

SHA1
5fecba25b8b9efafb93df0c21ad9be8baa8fa334

SHA256
9e891273a65041a351a30f14ce53d72a827a230998227bf43795e2e07dc59b60

SHA512
b890789cec8862c689b9c5ffa357046b48d6901b5f1e2f3103f8edb27fb9af6ea5dc5c87142de624996f0008b7d3f63cbf59de172cfc18a9bed38b1c7f1c9f57

Download Submit
C:\Windows\System\pXPrLrn.exe

Filesize
5.2MB

MD5
c6061820bf7a038686d2d04e0f3463d5

SHA1
a8c9628ff9435746d0d53e8622dea7e52cf64649

SHA256
86fd42027c448fa95b83f23e004b6b0e4a8f4c5caf41e3381a90685688f1b47a

SHA512
ee138dc0a73c31520ac5482ba233c68a28ebba1ea8b75463c680323f3070b31795edf0cc3ba5d4b0254f7ff1cbeb14518e2b2dabe42755a7a01a1b845050c65f

Download Submit
C:\Windows\System\pftNCCp.exe

Filesize
5.2MB

MD5
206901e3603904dd481ecf769760d2b9

SHA1
dc0cae603a2b50d889887e99bfad2eb1ac2160b9

SHA256
e6e7eb4c27526218846475818a4d5c3e7bd4b6dfa220801c8c70c8b6480c13ba

SHA512
1d5a212f40c2c4731eae6c9f0758ae629b8e2aeb3dd453cd13d422d0f0da55098bb638af1d09332aa3cceac2769c9fcfc90cfc12f440d160971ab24b38dee9f6

Download Submit
C:\Windows\System\pgUHqpL.exe

Filesize
5.2MB

MD5
74b50430b7e41a954d43bbc25f1a5d55

SHA1
e61784eda6ec84924dc717207419972cbc8bb143

SHA256
3abcf9a9164ecf547f5c932fcba62c6b4e2099c1b7b2afe7427fc39397e9d241

SHA512
229e4b7228f6b0d9e8da233d8e9295f311443c1ebd7344e41258b52be40ff635d4e61c39779b2eb26c2bd17300f1ba22bf1933ec31f6ccf0809f251995b65c38

Download Submit
C:\Windows\System\rEDSAAu.exe

Filesize
5.2MB

MD5
040611d9f400c62686c3ef01c61c0baf

SHA1
c219276387ff9f5acae3ae59e0379825543a2544

SHA256
3bbd4c273b2d5f17347f089e3c4c41b7efcd5a8815b704401bce7b50d2b2b05a

SHA512
e0a35785826b872342b733b652b85b2938d00385d8753df73edc66de65fafdac8af89859a74a9797b61e8f2332493d6d28f32fad25214fc82523b5dd9beb8b4f

Download Submit
C:\Windows\System\rWKkosM.exe

Filesize
5.2MB

MD5
68d73d8b4be6b00aed137f551e25c836

SHA1
bd8f21cc14809b83cbb51f1635ba19c5f1aa78e8

SHA256
cb2209f8bb3079ae48dc2164d44476519ca3985348c6a8f06fc372583fbcc164

SHA512
c5f189fb45c0b63e949b50a0df5e5c7b46bab52b09f4f969750bf91a38fa7555a6526af4a4691e3b7b156fa5a5e266e15bec4cde8c7c07c1d18dc52b9e5049f8

Download Submit
C:\Windows\System\tJYiVUk.exe

Filesize
5.2MB

MD5
d03a008109d2c49b5bf88a52eca87d5c

SHA1
ba5c11d258744c76f07c627c6c9025dec2675151

SHA256
5a1c9a404d4aa01729564250af667901658064394bf3fb2f448d30391ac15b6f

SHA512
3e49a7b1818126775d63636937b53e76aafb84a6c90f684f8eb44e0e8d839eb4120f174185ed7d832ef4bf6a2d24106d729744bbb7bda91460a595e92cbc0fa3

Download Submit
C:\Windows\System\ttAVUDn.exe

Filesize
5.2MB

MD5
80b00d8997ebfcf6353c7a4c2a1c2fdd

SHA1
310f1f9f41e2041d02548be2be712fbf3fef9bab

SHA256
e513f39c3819f53fd61c5e57d21487f4212abe8a4cf6dc15aa6129c61052771d

SHA512
1d2d959887d26b610a70b0dd0fc280129450473cbe0dba5a98d4ba48b5a228c78e18280b6d75911e128628150f2db061da4d0e68d318589689a5eb39cf838e61

Download Submit
C:\Windows\System\tvwiGmB.exe

Filesize
5.2MB

MD5
0cd3c86a9f85c61e029112c35d3975a3

SHA1
404166be7d1b296ab0b85d8811d91e03e22325bc

SHA256
f1b796034c4a7b26c8d1c5849180d78ac07cf57378c06fd5a199a2c51893408a

SHA512
99f62dbaf9504f4a40434ba5837cdc028c08b95de1a3743f172c7990f269df46dd44cbfb40eb960ee92deafac370157f6ec8c7e57effd509b8faf9e5db47bc95

Download Submit
C:\Windows\System\xhrnXxq.exe

Filesize
5.2MB

MD5
ec39ed162df0b4cca359aecd5245a3bb

SHA1
631882e9a114fdd22578e65bf4a2425320a2554c

SHA256
08ffdeee52eb892c1b6b5608204875e414d68a01c0bd1a209e4730a25ed52d1d

SHA512
d33237fa8de791a90c3a47eeebcb294e19621486395c076863620f534995154236ab2d7204b670b8326394d94328751f04f29c78f1975433ae277460af26ca4a

Download Submit
C:\Windows\System\zjBXhNd.exe

Filesize
5.2MB

MD5
ac909744ae3aee246e9c38dc6890d08f

SHA1
352473143094f8102c6f05e8c73da8f857af4006

SHA256
78645e8ebc94763dbe6c0e051f228eec284077249020662d5a5faa00e00ecdcc

SHA512
c1270abc2e0de29f4b1b4baae91d24817b20552dfd16d9e4dc3f03546ee7a432aada67fe6cf979db03d1b27b6a24a2117a14f9d0f63ab5c3bb3bbb92fe8984ba

Download Submit
memory/32-112-0x00007FF7ABAE0000-0x00007FF7ABE31000-memory.dmp

Filesize
3.3MB

Download
memory/32-156-0x00007FF7ABAE0000-0x00007FF7ABE31000-memory.dmp

Filesize
3.3MB

Download
memory/32-264-0x00007FF7ABAE0000-0x00007FF7ABE31000-memory.dmp

Filesize
3.3MB

Download
memory/320-252-0x00007FF7C0480000-0x00007FF7C07D1000-memory.dmp

Filesize
3.3MB

Download
memory/320-101-0x00007FF7C0480000-0x00007FF7C07D1000-memory.dmp

Filesize
3.3MB

Download
memory/812-228-0x00007FF6A6AA0000-0x00007FF6A6DF1000-memory.dmp

Filesize
3.3MB

Download
memory/812-44-0x00007FF6A6AA0000-0x00007FF6A6DF1000-memory.dmp

Filesize
3.3MB

Download
memory/1160-232-0x00007FF715580000-0x00007FF7158D1000-memory.dmp

Filesize
3.3MB

Download
memory/1160-29-0x00007FF715580000-0x00007FF7158D1000-memory.dmp

Filesize
3.3MB

Download
memory/1160-132-0x00007FF715580000-0x00007FF7158D1000-memory.dmp

Filesize
3.3MB

Download
memory/1440-143-0x00007FF76CE70000-0x00007FF76D1C1000-memory.dmp

Filesize
3.3MB

Download
memory/1440-74-0x00007FF76CE70000-0x00007FF76D1C1000-memory.dmp

Filesize
3.3MB

Download
memory/1440-258-0x00007FF76CE70000-0x00007FF76D1C1000-memory.dmp

Filesize
3.3MB

Download
memory/1460-155-0x00007FF7DFC80000-0x00007FF7DFFD1000-memory.dmp

Filesize
3.3MB

Download
memory/1460-255-0x00007FF7DFC80000-0x00007FF7DFFD1000-memory.dmp

Filesize
3.3MB

Download
memory/1460-111-0x00007FF7DFC80000-0x00007FF7DFFD1000-memory.dmp

Filesize
3.3MB

Download
memory/2216-125-0x00007FF6B4280000-0x00007FF6B45D1000-memory.dmp

Filesize
3.3MB

Download
memory/2216-220-0x00007FF6B4280000-0x00007FF6B45D1000-memory.dmp

Filesize
3.3MB

Download
memory/2216-6-0x00007FF6B4280000-0x00007FF6B45D1000-memory.dmp

Filesize
3.3MB

Download
memory/2264-66-0x00007FF7BED60000-0x00007FF7BF0B1000-memory.dmp

Filesize
3.3MB

Download
memory/2264-244-0x00007FF7BED60000-0x00007FF7BF0B1000-memory.dmp

Filesize
3.3MB

Download
memory/2264-142-0x00007FF7BED60000-0x00007FF7BF0B1000-memory.dmp

Filesize
3.3MB

Download
memory/2360-151-0x00007FF79D210000-0x00007FF79D561000-memory.dmp

Filesize
3.3MB

Download
memory/2360-248-0x00007FF79D210000-0x00007FF79D561000-memory.dmp

Filesize
3.3MB

Download
memory/2360-83-0x00007FF79D210000-0x00007FF79D561000-memory.dmp

Filesize
3.3MB

Download
memory/2584-131-0x00007FF7459B0000-0x00007FF745D01000-memory.dmp

Filesize
3.3MB

Download
memory/2584-226-0x00007FF7459B0000-0x00007FF745D01000-memory.dmp

Filesize
3.3MB

Download
memory/2584-28-0x00007FF7459B0000-0x00007FF745D01000-memory.dmp

Filesize
3.3MB

Download
memory/2764-224-0x00007FF72F450000-0x00007FF72F7A1000-memory.dmp

Filesize
3.3MB

Download
memory/2764-39-0x00007FF72F450000-0x00007FF72F7A1000-memory.dmp

Filesize
3.3MB

Download
memory/2772-158-0x00007FF6A4D50000-0x00007FF6A50A1000-memory.dmp

Filesize
3.3MB

Download
memory/2772-263-0x00007FF6A4D50000-0x00007FF6A50A1000-memory.dmp

Filesize
3.3MB

Download
memory/2772-127-0x00007FF6A4D50000-0x00007FF6A50A1000-memory.dmp

Filesize
3.3MB

Download
memory/3068-260-0x00007FF79EB50000-0x00007FF79EEA1000-memory.dmp

Filesize
3.3MB

Download
memory/3068-82-0x00007FF79EB50000-0x00007FF79EEA1000-memory.dmp

Filesize
3.3MB

Download
memory/3068-150-0x00007FF79EB50000-0x00007FF79EEA1000-memory.dmp

Filesize
3.3MB

Download
memory/3080-266-0x00007FF65E7C0000-0x00007FF65EB11000-memory.dmp

Filesize
3.3MB

Download
memory/3080-124-0x00007FF65E7C0000-0x00007FF65EB11000-memory.dmp

Filesize
3.3MB

Download
memory/3080-157-0x00007FF65E7C0000-0x00007FF65EB11000-memory.dmp

Filesize
3.3MB

Download
memory/3500-148-0x00007FF768E00000-0x00007FF769151000-memory.dmp

Filesize
3.3MB

Download
memory/3500-81-0x00007FF768E00000-0x00007FF769151000-memory.dmp

Filesize
3.3MB

Download
memory/3500-246-0x00007FF768E00000-0x00007FF769151000-memory.dmp

Filesize
3.3MB

Download
memory/3776-126-0x00007FF7D3AA0000-0x00007FF7D3DF1000-memory.dmp

Filesize
3.3MB

Download
memory/3776-17-0x00007FF7D3AA0000-0x00007FF7D3DF1000-memory.dmp

Filesize
3.3MB

Download
memory/3776-222-0x00007FF7D3AA0000-0x00007FF7D3DF1000-memory.dmp

Filesize
3.3MB

Download
memory/3784-123-0x00007FF608550000-0x00007FF6088A1000-memory.dmp

Filesize
3.3MB

Download
memory/3784-256-0x00007FF608550000-0x00007FF6088A1000-memory.dmp

Filesize
3.3MB

Download
memory/4764-146-0x00007FF7B4FE0000-0x00007FF7B5331000-memory.dmp

Filesize
3.3MB

Download
memory/4764-62-0x00007FF7B4FE0000-0x00007FF7B5331000-memory.dmp

Filesize
3.3MB

Download
memory/4764-242-0x00007FF7B4FE0000-0x00007FF7B5331000-memory.dmp

Filesize
3.3MB

Download
memory/4808-107-0x00007FF71EF90000-0x00007FF71F2E1000-memory.dmp

Filesize
3.3MB

Download
memory/4808-251-0x00007FF71EF90000-0x00007FF71F2E1000-memory.dmp

Filesize
3.3MB

Download
memory/4872-134-0x00007FF6A7100000-0x00007FF6A7451000-memory.dmp

Filesize
3.3MB

Download
memory/4872-159-0x00007FF6A7100000-0x00007FF6A7451000-memory.dmp

Filesize
3.3MB

Download
memory/4872-0-0x00007FF6A7100000-0x00007FF6A7451000-memory.dmp

Filesize
3.3MB

Download
memory/4872-119-0x00007FF6A7100000-0x00007FF6A7451000-memory.dmp

Filesize
3.3MB

Download
memory/4872-1-0x00000218867E0000-0x00000218867F0000-memory.dmp

Filesize
64KB

Download
memory/4888-42-0x00007FF647A80000-0x00007FF647DD1000-memory.dmp

Filesize
3.3MB

Download
memory/4888-133-0x00007FF647A80000-0x00007FF647DD1000-memory.dmp

Filesize
3.3MB

Download
memory/4888-230-0x00007FF647A80000-0x00007FF647DD1000-memory.dmp

Filesize
3.3MB

Download
memory/4968-52-0x00007FF64E4D0000-0x00007FF64E821000-memory.dmp

Filesize
3.3MB

Download
memory/4968-234-0x00007FF64E4D0000-0x00007FF64E821000-memory.dmp

Filesize
3.3MB

Download
memory/4968-140-0x00007FF64E4D0000-0x00007FF64E821000-memory.dmp

Filesize
3.3MB

Download