cobaltstrike | 496a4733531c551caa1e3659e5c3ee88d78053305c2cc545612cacd68a7fcb44

Analysis

max time kernel
143s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 02:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-22_41a476b64a37f603908fb34b355ea90a_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

41a476b64a37f603908fb34b355ea90a
SHA1

009bef4ea9312b73212d3f929b818e6abdd46643
SHA256

496a4733531c551caa1e3659e5c3ee88d78053305c2cc545612cacd68a7fcb44
SHA512

a66ec728fc288b122cd1c50c800c231c434446436e635dd8e7e4d426b1ebac3bf7f3e80217e176da767b2054cf28838f5aa1e8462f738dcfe9f7232c5ad3cf9b
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lH:RWWBibf56utgpPFotBER/mQ32lUb

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000c000000023b9a-5.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023bab-11.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023bac-31.dat	cobalt_reflective_dll
behavioral2/files/0x000e000000023bbf-47.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023bb8-50.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023bce-63.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bc8-70.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bd5-91.dat	cobalt_reflective_dll
behavioral2/files/0x000c000000023ba8-93.dat	cobalt_reflective_dll
behavioral2/files/0x000e000000023bd3-88.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023bcf-82.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023bcd-68.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023bb0-52.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023baf-48.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023bae-43.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023bad-37.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bd8-100.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c0a-135.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c0b-137.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bdb-124.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bd9-108.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 47 IoCs

miner

resource	yara_rule
behavioral2/memory/2424-86-0x00007FF6C4EC0000-0x00007FF6C5211000-memory.dmp	xmrig
behavioral2/memory/1940-97-0x00007FF7E0E40000-0x00007FF7E1191000-memory.dmp	xmrig
behavioral2/memory/2472-95-0x00007FF78BDD0000-0x00007FF78C121000-memory.dmp	xmrig
behavioral2/memory/1928-90-0x00007FF69B110000-0x00007FF69B461000-memory.dmp	xmrig
behavioral2/memory/4772-87-0x00007FF6BB5D0000-0x00007FF6BB921000-memory.dmp	xmrig
behavioral2/memory/2056-81-0x00007FF731710000-0x00007FF731A61000-memory.dmp	xmrig
behavioral2/memory/3160-102-0x00007FF736A20000-0x00007FF736D71000-memory.dmp	xmrig
behavioral2/memory/400-105-0x00007FF607C10000-0x00007FF607F61000-memory.dmp	xmrig
behavioral2/memory/3520-114-0x00007FF7FE990000-0x00007FF7FECE1000-memory.dmp	xmrig
behavioral2/memory/3808-120-0x00007FF7AB080000-0x00007FF7AB3D1000-memory.dmp	xmrig
behavioral2/memory/1688-127-0x00007FF6114D0000-0x00007FF611821000-memory.dmp	xmrig
behavioral2/memory/724-132-0x00007FF795B80000-0x00007FF795ED1000-memory.dmp	xmrig
behavioral2/memory/3992-141-0x00007FF7F16B0000-0x00007FF7F1A01000-memory.dmp	xmrig
behavioral2/memory/4924-143-0x00007FF781190000-0x00007FF7814E1000-memory.dmp	xmrig
behavioral2/memory/4208-144-0x00007FF652800000-0x00007FF652B51000-memory.dmp	xmrig
behavioral2/memory/3548-142-0x00007FF66C480000-0x00007FF66C7D1000-memory.dmp	xmrig
behavioral2/memory/4704-139-0x00007FF72F170000-0x00007FF72F4C1000-memory.dmp	xmrig
behavioral2/memory/448-131-0x00007FF63F560000-0x00007FF63F8B1000-memory.dmp	xmrig
behavioral2/memory/64-118-0x00007FF6000F0000-0x00007FF600441000-memory.dmp	xmrig
behavioral2/memory/4852-116-0x00007FF756830000-0x00007FF756B81000-memory.dmp	xmrig
behavioral2/memory/3184-113-0x00007FF7A2CF0000-0x00007FF7A3041000-memory.dmp	xmrig
behavioral2/memory/3280-112-0x00007FF658740000-0x00007FF658A91000-memory.dmp	xmrig
behavioral2/memory/3160-145-0x00007FF736A20000-0x00007FF736D71000-memory.dmp	xmrig
behavioral2/memory/3160-146-0x00007FF736A20000-0x00007FF736D71000-memory.dmp	xmrig
behavioral2/memory/400-159-0x00007FF607C10000-0x00007FF607F61000-memory.dmp	xmrig
behavioral2/memory/3160-168-0x00007FF736A20000-0x00007FF736D71000-memory.dmp	xmrig
behavioral2/memory/3280-212-0x00007FF658740000-0x00007FF658A91000-memory.dmp	xmrig
behavioral2/memory/3184-214-0x00007FF7A2CF0000-0x00007FF7A3041000-memory.dmp	xmrig
behavioral2/memory/4852-216-0x00007FF756830000-0x00007FF756B81000-memory.dmp	xmrig
behavioral2/memory/3520-219-0x00007FF7FE990000-0x00007FF7FECE1000-memory.dmp	xmrig
behavioral2/memory/2056-220-0x00007FF731710000-0x00007FF731A61000-memory.dmp	xmrig
behavioral2/memory/448-234-0x00007FF63F560000-0x00007FF63F8B1000-memory.dmp	xmrig
behavioral2/memory/1928-235-0x00007FF69B110000-0x00007FF69B461000-memory.dmp	xmrig
behavioral2/memory/724-237-0x00007FF795B80000-0x00007FF795ED1000-memory.dmp	xmrig
behavioral2/memory/64-232-0x00007FF6000F0000-0x00007FF600441000-memory.dmp	xmrig
behavioral2/memory/3808-230-0x00007FF7AB080000-0x00007FF7AB3D1000-memory.dmp	xmrig
behavioral2/memory/2424-228-0x00007FF6C4EC0000-0x00007FF6C5211000-memory.dmp	xmrig
behavioral2/memory/4772-224-0x00007FF6BB5D0000-0x00007FF6BB921000-memory.dmp	xmrig
behavioral2/memory/1688-226-0x00007FF6114D0000-0x00007FF611821000-memory.dmp	xmrig
behavioral2/memory/1940-242-0x00007FF7E0E40000-0x00007FF7E1191000-memory.dmp	xmrig
behavioral2/memory/2472-243-0x00007FF78BDD0000-0x00007FF78C121000-memory.dmp	xmrig
behavioral2/memory/4924-240-0x00007FF781190000-0x00007FF7814E1000-memory.dmp	xmrig
behavioral2/memory/400-248-0x00007FF607C10000-0x00007FF607F61000-memory.dmp	xmrig
behavioral2/memory/4704-253-0x00007FF72F170000-0x00007FF72F4C1000-memory.dmp	xmrig
behavioral2/memory/3992-255-0x00007FF7F16B0000-0x00007FF7F1A01000-memory.dmp	xmrig
behavioral2/memory/4208-257-0x00007FF652800000-0x00007FF652B51000-memory.dmp	xmrig
behavioral2/memory/3548-259-0x00007FF66C480000-0x00007FF66C7D1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
3280	FFGppHX.exe
3184	XmXpvYQ.exe
3520	dWKoAWT.exe
4852	tlpwDkm.exe
2056	gsqYVvX.exe
64	NoIvCdO.exe
2424	wyZBULM.exe
3808	vXDNfwV.exe
1688	xapFeDR.exe
4772	ZaUqYtS.exe
1928	ImOCwIz.exe
448	JlIijqh.exe
724	rIPneUd.exe
2472	AKoSvvm.exe
1940	xjgiyUc.exe
4924	lsaQJaw.exe
400	nPMwbrQ.exe
4704	QMlLcAx.exe
3992	tVeLezc.exe
3548	EVkSaOz.exe
4208	orBNdSo.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3160-0-0x00007FF736A20000-0x00007FF736D71000-memory.dmp	upx
behavioral2/files/0x000c000000023b9a-5.dat	upx
behavioral2/files/0x000a000000023bab-11.dat	upx
behavioral2/files/0x000a000000023bac-31.dat	upx
behavioral2/files/0x000e000000023bbf-47.dat	upx
behavioral2/files/0x000a000000023bb8-50.dat	upx
behavioral2/files/0x0009000000023bce-63.dat	upx
behavioral2/files/0x0008000000023bc8-70.dat	upx
behavioral2/memory/2424-86-0x00007FF6C4EC0000-0x00007FF6C5211000-memory.dmp	upx
behavioral2/files/0x0008000000023bd5-91.dat	upx
behavioral2/memory/1940-97-0x00007FF7E0E40000-0x00007FF7E1191000-memory.dmp	upx
behavioral2/memory/2472-95-0x00007FF78BDD0000-0x00007FF78C121000-memory.dmp	upx
behavioral2/memory/4924-94-0x00007FF781190000-0x00007FF7814E1000-memory.dmp	upx
behavioral2/files/0x000c000000023ba8-93.dat	upx
behavioral2/memory/1928-90-0x00007FF69B110000-0x00007FF69B461000-memory.dmp	upx
behavioral2/files/0x000e000000023bd3-88.dat	upx
behavioral2/memory/4772-87-0x00007FF6BB5D0000-0x00007FF6BB921000-memory.dmp	upx
behavioral2/files/0x0009000000023bcf-82.dat	upx
behavioral2/memory/2056-81-0x00007FF731710000-0x00007FF731A61000-memory.dmp	upx
behavioral2/memory/724-73-0x00007FF795B80000-0x00007FF795ED1000-memory.dmp	upx
behavioral2/memory/448-72-0x00007FF63F560000-0x00007FF63F8B1000-memory.dmp	upx
behavioral2/files/0x0009000000023bcd-68.dat	upx
behavioral2/memory/1688-66-0x00007FF6114D0000-0x00007FF611821000-memory.dmp	upx
behavioral2/memory/3808-57-0x00007FF7AB080000-0x00007FF7AB3D1000-memory.dmp	upx
behavioral2/files/0x000b000000023bb0-52.dat	upx
behavioral2/memory/64-49-0x00007FF6000F0000-0x00007FF600441000-memory.dmp	upx
behavioral2/files/0x000b000000023baf-48.dat	upx
behavioral2/files/0x000b000000023bae-43.dat	upx
behavioral2/files/0x000a000000023bad-37.dat	upx
behavioral2/memory/3520-29-0x00007FF7FE990000-0x00007FF7FECE1000-memory.dmp	upx
behavioral2/memory/4852-24-0x00007FF756830000-0x00007FF756B81000-memory.dmp	upx
behavioral2/memory/3184-21-0x00007FF7A2CF0000-0x00007FF7A3041000-memory.dmp	upx
behavioral2/memory/3280-9-0x00007FF658740000-0x00007FF658A91000-memory.dmp	upx
behavioral2/files/0x0008000000023bd8-100.dat	upx
behavioral2/memory/3160-102-0x00007FF736A20000-0x00007FF736D71000-memory.dmp	upx
behavioral2/memory/400-105-0x00007FF607C10000-0x00007FF607F61000-memory.dmp	upx
behavioral2/memory/3520-114-0x00007FF7FE990000-0x00007FF7FECE1000-memory.dmp	upx
behavioral2/memory/3808-120-0x00007FF7AB080000-0x00007FF7AB3D1000-memory.dmp	upx
behavioral2/memory/1688-127-0x00007FF6114D0000-0x00007FF611821000-memory.dmp	upx
behavioral2/memory/724-132-0x00007FF795B80000-0x00007FF795ED1000-memory.dmp	upx
behavioral2/files/0x0008000000023c0a-135.dat	upx
behavioral2/memory/3992-141-0x00007FF7F16B0000-0x00007FF7F1A01000-memory.dmp	upx
behavioral2/memory/4924-143-0x00007FF781190000-0x00007FF7814E1000-memory.dmp	upx
behavioral2/memory/4208-144-0x00007FF652800000-0x00007FF652B51000-memory.dmp	upx
behavioral2/memory/3548-142-0x00007FF66C480000-0x00007FF66C7D1000-memory.dmp	upx
behavioral2/memory/4704-139-0x00007FF72F170000-0x00007FF72F4C1000-memory.dmp	upx
behavioral2/files/0x0008000000023c0b-137.dat	upx
behavioral2/memory/448-131-0x00007FF63F560000-0x00007FF63F8B1000-memory.dmp	upx
behavioral2/files/0x0008000000023bdb-124.dat	upx
behavioral2/memory/64-118-0x00007FF6000F0000-0x00007FF600441000-memory.dmp	upx
behavioral2/memory/4852-116-0x00007FF756830000-0x00007FF756B81000-memory.dmp	upx
behavioral2/memory/3184-113-0x00007FF7A2CF0000-0x00007FF7A3041000-memory.dmp	upx
behavioral2/memory/3280-112-0x00007FF658740000-0x00007FF658A91000-memory.dmp	upx
behavioral2/files/0x0008000000023bd9-108.dat	upx
behavioral2/memory/3160-145-0x00007FF736A20000-0x00007FF736D71000-memory.dmp	upx
behavioral2/memory/3160-146-0x00007FF736A20000-0x00007FF736D71000-memory.dmp	upx
behavioral2/memory/400-159-0x00007FF607C10000-0x00007FF607F61000-memory.dmp	upx
behavioral2/memory/3160-168-0x00007FF736A20000-0x00007FF736D71000-memory.dmp	upx
behavioral2/memory/3280-212-0x00007FF658740000-0x00007FF658A91000-memory.dmp	upx
behavioral2/memory/3184-214-0x00007FF7A2CF0000-0x00007FF7A3041000-memory.dmp	upx
behavioral2/memory/4852-216-0x00007FF756830000-0x00007FF756B81000-memory.dmp	upx
behavioral2/memory/3520-219-0x00007FF7FE990000-0x00007FF7FECE1000-memory.dmp	upx
behavioral2/memory/2056-220-0x00007FF731710000-0x00007FF731A61000-memory.dmp	upx
behavioral2/memory/448-234-0x00007FF63F560000-0x00007FF63F8B1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\JlIijqh.exe	2024-12-22_41a476b64a37f603908fb34b355ea90a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rIPneUd.exe	2024-12-22_41a476b64a37f603908fb34b355ea90a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lsaQJaw.exe	2024-12-22_41a476b64a37f603908fb34b355ea90a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tVeLezc.exe	2024-12-22_41a476b64a37f603908fb34b355ea90a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FFGppHX.exe	2024-12-22_41a476b64a37f603908fb34b355ea90a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XmXpvYQ.exe	2024-12-22_41a476b64a37f603908fb34b355ea90a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vXDNfwV.exe	2024-12-22_41a476b64a37f603908fb34b355ea90a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ImOCwIz.exe	2024-12-22_41a476b64a37f603908fb34b355ea90a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\orBNdSo.exe	2024-12-22_41a476b64a37f603908fb34b355ea90a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dWKoAWT.exe	2024-12-22_41a476b64a37f603908fb34b355ea90a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AKoSvvm.exe	2024-12-22_41a476b64a37f603908fb34b355ea90a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xjgiyUc.exe	2024-12-22_41a476b64a37f603908fb34b355ea90a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nPMwbrQ.exe	2024-12-22_41a476b64a37f603908fb34b355ea90a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tlpwDkm.exe	2024-12-22_41a476b64a37f603908fb34b355ea90a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xapFeDR.exe	2024-12-22_41a476b64a37f603908fb34b355ea90a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QMlLcAx.exe	2024-12-22_41a476b64a37f603908fb34b355ea90a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EVkSaOz.exe	2024-12-22_41a476b64a37f603908fb34b355ea90a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gsqYVvX.exe	2024-12-22_41a476b64a37f603908fb34b355ea90a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NoIvCdO.exe	2024-12-22_41a476b64a37f603908fb34b355ea90a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wyZBULM.exe	2024-12-22_41a476b64a37f603908fb34b355ea90a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZaUqYtS.exe	2024-12-22_41a476b64a37f603908fb34b355ea90a_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3160	2024-12-22_41a476b64a37f603908fb34b355ea90a_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	3160	2024-12-22_41a476b64a37f603908fb34b355ea90a_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3160 wrote to memory of 3280	3160	2024-12-22_41a476b64a37f603908fb34b355ea90a_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3160 wrote to memory of 3280	3160	2024-12-22_41a476b64a37f603908fb34b355ea90a_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3160 wrote to memory of 3184	3160	2024-12-22_41a476b64a37f603908fb34b355ea90a_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3160 wrote to memory of 3184	3160	2024-12-22_41a476b64a37f603908fb34b355ea90a_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3160 wrote to memory of 3520	3160	2024-12-22_41a476b64a37f603908fb34b355ea90a_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3160 wrote to memory of 3520	3160	2024-12-22_41a476b64a37f603908fb34b355ea90a_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3160 wrote to memory of 4852	3160	2024-12-22_41a476b64a37f603908fb34b355ea90a_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3160 wrote to memory of 4852	3160	2024-12-22_41a476b64a37f603908fb34b355ea90a_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3160 wrote to memory of 2056	3160	2024-12-22_41a476b64a37f603908fb34b355ea90a_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3160 wrote to memory of 2056	3160	2024-12-22_41a476b64a37f603908fb34b355ea90a_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3160 wrote to memory of 64	3160	2024-12-22_41a476b64a37f603908fb34b355ea90a_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3160 wrote to memory of 64	3160	2024-12-22_41a476b64a37f603908fb34b355ea90a_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3160 wrote to memory of 2424	3160	2024-12-22_41a476b64a37f603908fb34b355ea90a_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3160 wrote to memory of 2424	3160	2024-12-22_41a476b64a37f603908fb34b355ea90a_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3160 wrote to memory of 3808	3160	2024-12-22_41a476b64a37f603908fb34b355ea90a_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3160 wrote to memory of 3808	3160	2024-12-22_41a476b64a37f603908fb34b355ea90a_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3160 wrote to memory of 1688	3160	2024-12-22_41a476b64a37f603908fb34b355ea90a_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3160 wrote to memory of 1688	3160	2024-12-22_41a476b64a37f603908fb34b355ea90a_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3160 wrote to memory of 4772	3160	2024-12-22_41a476b64a37f603908fb34b355ea90a_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3160 wrote to memory of 4772	3160	2024-12-22_41a476b64a37f603908fb34b355ea90a_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3160 wrote to memory of 1928	3160	2024-12-22_41a476b64a37f603908fb34b355ea90a_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3160 wrote to memory of 1928	3160	2024-12-22_41a476b64a37f603908fb34b355ea90a_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3160 wrote to memory of 448	3160	2024-12-22_41a476b64a37f603908fb34b355ea90a_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3160 wrote to memory of 448	3160	2024-12-22_41a476b64a37f603908fb34b355ea90a_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3160 wrote to memory of 724	3160	2024-12-22_41a476b64a37f603908fb34b355ea90a_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3160 wrote to memory of 724	3160	2024-12-22_41a476b64a37f603908fb34b355ea90a_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3160 wrote to memory of 2472	3160	2024-12-22_41a476b64a37f603908fb34b355ea90a_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3160 wrote to memory of 2472	3160	2024-12-22_41a476b64a37f603908fb34b355ea90a_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3160 wrote to memory of 1940	3160	2024-12-22_41a476b64a37f603908fb34b355ea90a_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3160 wrote to memory of 1940	3160	2024-12-22_41a476b64a37f603908fb34b355ea90a_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3160 wrote to memory of 4924	3160	2024-12-22_41a476b64a37f603908fb34b355ea90a_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3160 wrote to memory of 4924	3160	2024-12-22_41a476b64a37f603908fb34b355ea90a_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3160 wrote to memory of 400	3160	2024-12-22_41a476b64a37f603908fb34b355ea90a_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3160 wrote to memory of 400	3160	2024-12-22_41a476b64a37f603908fb34b355ea90a_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3160 wrote to memory of 4704	3160	2024-12-22_41a476b64a37f603908fb34b355ea90a_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3160 wrote to memory of 4704	3160	2024-12-22_41a476b64a37f603908fb34b355ea90a_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3160 wrote to memory of 3992	3160	2024-12-22_41a476b64a37f603908fb34b355ea90a_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3160 wrote to memory of 3992	3160	2024-12-22_41a476b64a37f603908fb34b355ea90a_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3160 wrote to memory of 4208	3160	2024-12-22_41a476b64a37f603908fb34b355ea90a_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3160 wrote to memory of 4208	3160	2024-12-22_41a476b64a37f603908fb34b355ea90a_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3160 wrote to memory of 3548	3160	2024-12-22_41a476b64a37f603908fb34b355ea90a_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 3160 wrote to memory of 3548	3160	2024-12-22_41a476b64a37f603908fb34b355ea90a_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-12-22_41a476b64a37f603908fb34b355ea90a_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-22_41a476b64a37f603908fb34b355ea90a_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3160
- C:\Windows\System\FFGppHX.exe
  C:\Windows\System\FFGppHX.exe
  2⤵
  - Executes dropped EXE
  PID:3280
- C:\Windows\System\XmXpvYQ.exe
  C:\Windows\System\XmXpvYQ.exe
  2⤵
  - Executes dropped EXE
  PID:3184
- C:\Windows\System\dWKoAWT.exe
  C:\Windows\System\dWKoAWT.exe
  2⤵
  - Executes dropped EXE
  PID:3520
- C:\Windows\System\tlpwDkm.exe
  C:\Windows\System\tlpwDkm.exe
  2⤵
  - Executes dropped EXE
  PID:4852
- C:\Windows\System\gsqYVvX.exe
  C:\Windows\System\gsqYVvX.exe
  2⤵
  - Executes dropped EXE
  PID:2056
- C:\Windows\System\NoIvCdO.exe
  C:\Windows\System\NoIvCdO.exe
  2⤵
  - Executes dropped EXE
  PID:64
- C:\Windows\System\wyZBULM.exe
  C:\Windows\System\wyZBULM.exe
  2⤵
  - Executes dropped EXE
  PID:2424
- C:\Windows\System\vXDNfwV.exe
  C:\Windows\System\vXDNfwV.exe
  2⤵
  - Executes dropped EXE
  PID:3808
- C:\Windows\System\xapFeDR.exe
  C:\Windows\System\xapFeDR.exe
  2⤵
  - Executes dropped EXE
  PID:1688
- C:\Windows\System\ZaUqYtS.exe
  C:\Windows\System\ZaUqYtS.exe
  2⤵
  - Executes dropped EXE
  PID:4772
- C:\Windows\System\ImOCwIz.exe
  C:\Windows\System\ImOCwIz.exe
  2⤵
  - Executes dropped EXE
  PID:1928
- C:\Windows\System\JlIijqh.exe
  C:\Windows\System\JlIijqh.exe
  2⤵
  - Executes dropped EXE
  PID:448
- C:\Windows\System\rIPneUd.exe
  C:\Windows\System\rIPneUd.exe
  2⤵
  - Executes dropped EXE
  PID:724
- C:\Windows\System\AKoSvvm.exe
  C:\Windows\System\AKoSvvm.exe
  2⤵
  - Executes dropped EXE
  PID:2472
- C:\Windows\System\xjgiyUc.exe
  C:\Windows\System\xjgiyUc.exe
  2⤵
  - Executes dropped EXE
  PID:1940
- C:\Windows\System\lsaQJaw.exe
  C:\Windows\System\lsaQJaw.exe
  2⤵
  - Executes dropped EXE
  PID:4924
- C:\Windows\System\nPMwbrQ.exe
  C:\Windows\System\nPMwbrQ.exe
  2⤵
  - Executes dropped EXE
  PID:400
- C:\Windows\System\QMlLcAx.exe
  C:\Windows\System\QMlLcAx.exe
  2⤵
  - Executes dropped EXE
  PID:4704
- C:\Windows\System\tVeLezc.exe
  C:\Windows\System\tVeLezc.exe
  2⤵
  - Executes dropped EXE
  PID:3992
- C:\Windows\System\orBNdSo.exe
  C:\Windows\System\orBNdSo.exe
  2⤵
  - Executes dropped EXE
  PID:4208
- C:\Windows\System\EVkSaOz.exe
  C:\Windows\System\EVkSaOz.exe
  2⤵
  - Executes dropped EXE
  PID:3548

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AKoSvvm.exe

Filesize
5.2MB

MD5
e71772ef2683db141fe1dd0c40deaee5

SHA1
fcdb8a3c20d8f35aef82808cf33309aa1468e352

SHA256
1813ef07b2fcc8ccfd755cde534f8fc1e950229391d8fd6384d9da75f780d2d5

SHA512
19f52bf1c98e77f8565a3716a953a8e84222c44e91866a076754a9eb7ab12c6693042d869f00d99bcb72f491d6407a0123ab9b05b9142531313c3b84e33e71d5

Download Submit
C:\Windows\System\EVkSaOz.exe

Filesize
5.2MB

MD5
26a741efaed3971f4c607dcaf5eccdb6

SHA1
be7e5a2765a321a3be8c61f02b2b079ad308394d

SHA256
b7996e8f0180ec2bc75f7185bbdff3feff240fbf2cb633e2236f9355b0e9860c

SHA512
a8cce340f4e8d430a26e2ec10a084bcdd3fc40c8879298c2bb54d19fbd6a12d464900b13b2e6e762c93d3f20c50ae76676093817eaf0c71efe0a3e3169b5bf8f

Download Submit
C:\Windows\System\FFGppHX.exe

Filesize
5.2MB

MD5
957ac4973abc5391b1d270f4e1d0ac8d

SHA1
a05d33a40a5d26ef35a8621c08a123c91cb8f543

SHA256
6a19b7bf903d37b906ffb5057934c305fcf6db69351d8e8f46ed8e99daf0944b

SHA512
895469c8758cb5d4642a87d5d192ef659f0f1b6b5c12231ab89dfa6089cb42076adadefc8f2ba3a85b82a6ce512813b17af9c95fb9f0600d7aba8a89e5253212

Download Submit
C:\Windows\System\ImOCwIz.exe

Filesize
5.2MB

MD5
ecaff6d0df37185cdb44e6cb6a01d7f0

SHA1
9492425a16e09c6be598520769e3c23188741b45

SHA256
9b9e2b5066ec5f805861cff8ceecac38340254d0db1a573744c4d2f7b273bb7e

SHA512
7aefca4cdd1d5b8c292f815438902064bdbe20cb80765e0861eba545cfb4cec65130978be1092c9ff01ec96e8fbf95592abbd15a790040e01c774a07331167a2

Download Submit
C:\Windows\System\JlIijqh.exe

Filesize
5.2MB

MD5
5cf54d49c84d59a7247fd5cb6fcfe2e5

SHA1
41f149f7ba4f4ee1920ade024b59d88cf99ab61f

SHA256
8920536e6d84674e099c812bcced23a912241ad3ec4e1a30c913cb452556f5a8

SHA512
eaffe716f63d755ec0a34ec7b825c24287306b2a8cdf1d0dc6021f091d8fa59e389886c46258c82bb4cd69de2fa4a351551e5ab638a246e4ba831329d4e0f03b

Download Submit
C:\Windows\System\NoIvCdO.exe

Filesize
5.2MB

MD5
61bad10ae8c8c68b6e5f5355d9b2bdb4

SHA1
d3bd79937af0f686de9897852a5fcb336e790e67

SHA256
f0ecdbe67d6fec3ef776cf5e128acfb230fb0bb23553c5057cd626fffd498235

SHA512
e4611066683c7980cb114cba1528ea9bf91a652d759c9c0994cdd60bfd92436e40faec1f223d0d0b04830cea3c28941bee3d15b0c8d4b5efaf307a8bdb14f872

Download Submit
C:\Windows\System\QMlLcAx.exe

Filesize
5.2MB

MD5
7ac751bb95b9ecc7986838ce1af0c74b

SHA1
86fc9db4ea97e7067ff4f57092010e84d4dac980

SHA256
d3e569f87fbea06e8914b86f31430c77e3b1f8931053c055f2330266422d9a46

SHA512
2355bffd3a027402207c9af12c311538a3b8c091ae2e19fdfb90ba17a564b4ac8a649d23aabc7a400acba30c4e2f980fbe6617b5f79e6830ef7d04798ff460cc

Download Submit
C:\Windows\System\XmXpvYQ.exe

Filesize
5.2MB

MD5
72cde996e203a75cef2cd7b28eb08835

SHA1
b76224341be66348c404d7b8978aad9b3dde00ba

SHA256
6b6375cf0e545070dabb16b56ad4b6fa65b1ee6e0a49f7864c19049df0ea1ba8

SHA512
4fba183b3f8f1967bf9db56675464449181920a619d9f53199dc2ca160665cab4957f57335d471eda01220401a3aa17de681d0f1cb8173e79e7d4e15c87c92fb

Download Submit
C:\Windows\System\ZaUqYtS.exe

Filesize
5.2MB

MD5
bbf40715920b3d528ad950d610672aa1

SHA1
d7f6ca62ed4e046e9e34c69d81588d3afb1715bd

SHA256
de592bd1953943bed0eec545849fdb334d7fbffa25dda0641f289ea14b15f6a0

SHA512
d01c7376f46d035048993e6112c078f7383c1030f60d5ba950d058c66f6398fd9529b9c57d359f9f2183aa54c261df2d11356e4cc54fda6e21aa163570b32480

Download Submit
C:\Windows\System\dWKoAWT.exe

Filesize
5.2MB

MD5
6f2982f5698db1af6d0bc9ba5048d2b4

SHA1
67027a30f892f9208402668e9ca6fef370cf43d2

SHA256
97445faa05390d4996f5fb787b0884e2e214bf1582211dd0499d34356206ced4

SHA512
5617474e90a2871d2a0e1e08f09be9f45b7534d985327cb3c732b4b812be7ba4bb3fc1463db6393b74ee8615474dcc0eb0d6f52fc8f38423d45fbff620afa300

Download Submit
C:\Windows\System\gsqYVvX.exe

Filesize
5.2MB

MD5
9db5365b615ac97f3c96fb0d6e9e7fc3

SHA1
a80f0c8bd99e64de30ebb9198f167857e46eccc2

SHA256
5ce6a6d169cd316e51f9b7e1384b5a611db496c8bbb8b81f235295dbd71ea85f

SHA512
50579a16a70743f3688381c6de77ca3bc74068ab2a4dc9339be2b18e45d034f2c32a79c7ce86b40122bd9702a41b65aa5c987e85632f4b2795ad6e2aa213115f

Download Submit
C:\Windows\System\lsaQJaw.exe

Filesize
5.2MB

MD5
8a22b5044cb7a2576a44aca7cd9ff500

SHA1
c8951cafe0a4440832deb3a3a1f9cfce75c73a64

SHA256
f114e215c0719e846df7e86fca8bb76a01197476ca91288b082a7fa3af43861c

SHA512
7f6e2e98b32ee8ae3b799193b45f0d352da07cadc10200df4dfafc61d2a59dae035a40f3ad3bf9131f04025daac80f59f8258cee05579e9fc36044464ecbdc10

Download Submit
C:\Windows\System\nPMwbrQ.exe

Filesize
5.2MB

MD5
8404449d9266a29678ca44f681979db3

SHA1
16da120b85eb2aa608c4c0a54d12cf6c5dd3edfc

SHA256
f7719d89e56d87c3d28c47c2c083d1eb490308ca7afb9de3221c4217af84119f

SHA512
956e2c5df667ccf5a6efd315d2650f2c1296aac9fe86b8323bf99901c45ee28c5e5ae431228d3575194b2b94ed5de358db806b6a8f6c681cf684fa914b7b949f

Download Submit
C:\Windows\System\orBNdSo.exe

Filesize
5.2MB

MD5
dddb57fa2f0bc00b4aa9c15289efefc0

SHA1
653c9b5ff72efa7d543cdbc8950861ffc59e298e

SHA256
af4884192cbd53d01ca296136bbde9b2266d8855a96df19a1d9896261aeef33b

SHA512
a6a103add09d44e64a77d5936fbd02a728bc2ddcb24912583afc2e9ddb8e75445fc1da340d8c85d4c53a8d773c4018bb0c60880e4b566f4be11d4b9531055e56

Download Submit
C:\Windows\System\rIPneUd.exe

Filesize
5.2MB

MD5
0117b9e141f91bc2de458e51711ea59f

SHA1
e5cdb5d6e976ce066c99dfd2eb37e3aff73d191e

SHA256
200a099645574333831e4e97db27f698720cf7d06fa156c2896c73f41ae9dce2

SHA512
a7e972ba6714fa4fc40aab202eef00f97273e48189e2ab3e036921ce31d30706d7d3591b1f2002ad421ca075d720b393785c9c94a08226c88d88b799cf7c4fcf

Download Submit
C:\Windows\System\tVeLezc.exe

Filesize
5.2MB

MD5
edb2a159ba39d1203062479c53b7b8f0

SHA1
d66b39c0a107bef1ca9bd18cf10f889bf8b0709d

SHA256
12052e3568bff9c955f03293b17d4f48b8d53f380f07bdb732060c53c30b18a2

SHA512
14f9a9d8f0447e49381b60f0a84ec70b74a2a6d0e44066f7eb3ff9ef2fa7b494f7a79302767e9181a42357e0421b8b9b6c8b6f6ac68b04aa843ca64be2bdc9ac

Download Submit
C:\Windows\System\tlpwDkm.exe

Filesize
5.2MB

MD5
45a10a239d3f5799efaf546af1507fa7

SHA1
bebb3110e68e6749479431afe3deb7d45700dd7d

SHA256
b1448c0f9da8105bdbe8b22a450fe81eecfdbac08607893bf85ddfbb3f015dce

SHA512
aca101a6e5f7b23defd2eedfcb742736f6f453cb8d9b69a402ce49932cf2237c3038fd206acc36fce43d640b568bd682b7d8b585ed55ee97d0dac5e33c00d3aa

Download Submit
C:\Windows\System\vXDNfwV.exe

Filesize
5.2MB

MD5
8f355afb9c8d262d7ec8496825225594

SHA1
716d7e7f69938e71df60419b9f3315c83d75d570

SHA256
6eb5a37751d337619682f0102f95e1784832915d7db97743dd2dc0fe11ee6e9a

SHA512
4a67bfce11d426bc922e781c06be227eccbab03920df748bd050d7fd9a25d60d5444420d01538d71450d94cb1dde0d9e64419fc0fa6d15eb22b3a80042a3559d

Download Submit
C:\Windows\System\wyZBULM.exe

Filesize
5.2MB

MD5
e1ea7511f634efcec26c782375641c70

SHA1
172dfccb7ac501246eec778912188373fea6396d

SHA256
950fb980e7f1ea9cacef09e02a338f046e1d09aec961b7a24e88512cb4e08b3c

SHA512
bdf7872204de0c1e226b7b13f35c6e0009efab10e235a74e6e81ad7a116aba6c0570ecc202d7062e8cbbb3e247872fff14e12084f30cb6228a02267c127d6259

Download Submit
C:\Windows\System\xapFeDR.exe

Filesize
5.2MB

MD5
804c439de22debb6934b683b54c77bcd

SHA1
a1fdc683de0ff149c36d2ec3d85306260ee475be

SHA256
6558ed7e6ff745249663588bc1191a48d95edffaf505aafa56095d63f86e6dd0

SHA512
bd3140ba132cf5bd90ac1610cbb22451bdb996d839625929ff63302edc447cc40207d190c952f465867e4a3bc4d02d5d96ee1c2d7cc103d77769faad16cf0a22

Download Submit
C:\Windows\System\xjgiyUc.exe

Filesize
5.2MB

MD5
10758a87b26d93659da19065c4847791

SHA1
1111f5f081556c9b8048114c71a1b76ddfe7b047

SHA256
409a0226dda228c1468fb0db10edfb32dfe93c0aece78398acbe2e49caead2b1

SHA512
f8d1fb59395620c456968ed24244077aacc1212a995fbe9c2fd900a05389dd630a7e7093d5be932aa824392ca2e5f0bf50d9e8156722038a931193eb7e3030b5

Download Submit
memory/64-232-0x00007FF6000F0000-0x00007FF600441000-memory.dmp

Filesize
3.3MB

Download
memory/64-49-0x00007FF6000F0000-0x00007FF600441000-memory.dmp

Filesize
3.3MB

Download
memory/64-118-0x00007FF6000F0000-0x00007FF600441000-memory.dmp

Filesize
3.3MB

Download
memory/400-159-0x00007FF607C10000-0x00007FF607F61000-memory.dmp

Filesize
3.3MB

Download
memory/400-105-0x00007FF607C10000-0x00007FF607F61000-memory.dmp

Filesize
3.3MB

Download
memory/400-248-0x00007FF607C10000-0x00007FF607F61000-memory.dmp

Filesize
3.3MB

Download
memory/448-72-0x00007FF63F560000-0x00007FF63F8B1000-memory.dmp

Filesize
3.3MB

Download
memory/448-131-0x00007FF63F560000-0x00007FF63F8B1000-memory.dmp

Filesize
3.3MB

Download
memory/448-234-0x00007FF63F560000-0x00007FF63F8B1000-memory.dmp

Filesize
3.3MB

Download
memory/724-132-0x00007FF795B80000-0x00007FF795ED1000-memory.dmp

Filesize
3.3MB

Download
memory/724-73-0x00007FF795B80000-0x00007FF795ED1000-memory.dmp

Filesize
3.3MB

Download
memory/724-237-0x00007FF795B80000-0x00007FF795ED1000-memory.dmp

Filesize
3.3MB

Download
memory/1688-226-0x00007FF6114D0000-0x00007FF611821000-memory.dmp

Filesize
3.3MB

Download
memory/1688-127-0x00007FF6114D0000-0x00007FF611821000-memory.dmp

Filesize
3.3MB

Download
memory/1688-66-0x00007FF6114D0000-0x00007FF611821000-memory.dmp

Filesize
3.3MB

Download
memory/1928-235-0x00007FF69B110000-0x00007FF69B461000-memory.dmp

Filesize
3.3MB

Download
memory/1928-90-0x00007FF69B110000-0x00007FF69B461000-memory.dmp

Filesize
3.3MB

Download
memory/1940-242-0x00007FF7E0E40000-0x00007FF7E1191000-memory.dmp

Filesize
3.3MB

Download
memory/1940-97-0x00007FF7E0E40000-0x00007FF7E1191000-memory.dmp

Filesize
3.3MB

Download
memory/2056-220-0x00007FF731710000-0x00007FF731A61000-memory.dmp

Filesize
3.3MB

Download
memory/2056-81-0x00007FF731710000-0x00007FF731A61000-memory.dmp

Filesize
3.3MB

Download
memory/2424-228-0x00007FF6C4EC0000-0x00007FF6C5211000-memory.dmp

Filesize
3.3MB

Download
memory/2424-86-0x00007FF6C4EC0000-0x00007FF6C5211000-memory.dmp

Filesize
3.3MB

Download
memory/2472-243-0x00007FF78BDD0000-0x00007FF78C121000-memory.dmp

Filesize
3.3MB

Download
memory/2472-95-0x00007FF78BDD0000-0x00007FF78C121000-memory.dmp

Filesize
3.3MB

Download
memory/3160-145-0x00007FF736A20000-0x00007FF736D71000-memory.dmp

Filesize
3.3MB

Download
memory/3160-146-0x00007FF736A20000-0x00007FF736D71000-memory.dmp

Filesize
3.3MB

Download
memory/3160-0-0x00007FF736A20000-0x00007FF736D71000-memory.dmp

Filesize
3.3MB

Download
memory/3160-1-0x000001DC96500000-0x000001DC96510000-memory.dmp

Filesize
64KB

Download
memory/3160-168-0x00007FF736A20000-0x00007FF736D71000-memory.dmp

Filesize
3.3MB

Download
memory/3160-102-0x00007FF736A20000-0x00007FF736D71000-memory.dmp

Filesize
3.3MB

Download
memory/3184-214-0x00007FF7A2CF0000-0x00007FF7A3041000-memory.dmp

Filesize
3.3MB

Download
memory/3184-21-0x00007FF7A2CF0000-0x00007FF7A3041000-memory.dmp

Filesize
3.3MB

Download
memory/3184-113-0x00007FF7A2CF0000-0x00007FF7A3041000-memory.dmp

Filesize
3.3MB

Download
memory/3280-212-0x00007FF658740000-0x00007FF658A91000-memory.dmp

Filesize
3.3MB

Download
memory/3280-9-0x00007FF658740000-0x00007FF658A91000-memory.dmp

Filesize
3.3MB

Download
memory/3280-112-0x00007FF658740000-0x00007FF658A91000-memory.dmp

Filesize
3.3MB

Download
memory/3520-29-0x00007FF7FE990000-0x00007FF7FECE1000-memory.dmp

Filesize
3.3MB

Download
memory/3520-114-0x00007FF7FE990000-0x00007FF7FECE1000-memory.dmp

Filesize
3.3MB

Download
memory/3520-219-0x00007FF7FE990000-0x00007FF7FECE1000-memory.dmp

Filesize
3.3MB

Download
memory/3548-259-0x00007FF66C480000-0x00007FF66C7D1000-memory.dmp

Filesize
3.3MB

Download
memory/3548-142-0x00007FF66C480000-0x00007FF66C7D1000-memory.dmp

Filesize
3.3MB

Download
memory/3808-230-0x00007FF7AB080000-0x00007FF7AB3D1000-memory.dmp

Filesize
3.3MB

Download
memory/3808-57-0x00007FF7AB080000-0x00007FF7AB3D1000-memory.dmp

Filesize
3.3MB

Download
memory/3808-120-0x00007FF7AB080000-0x00007FF7AB3D1000-memory.dmp

Filesize
3.3MB

Download
memory/3992-141-0x00007FF7F16B0000-0x00007FF7F1A01000-memory.dmp

Filesize
3.3MB

Download
memory/3992-255-0x00007FF7F16B0000-0x00007FF7F1A01000-memory.dmp

Filesize
3.3MB

Download
memory/4208-144-0x00007FF652800000-0x00007FF652B51000-memory.dmp

Filesize
3.3MB

Download
memory/4208-257-0x00007FF652800000-0x00007FF652B51000-memory.dmp

Filesize
3.3MB

Download
memory/4704-139-0x00007FF72F170000-0x00007FF72F4C1000-memory.dmp

Filesize
3.3MB

Download
memory/4704-253-0x00007FF72F170000-0x00007FF72F4C1000-memory.dmp

Filesize
3.3MB

Download
memory/4772-224-0x00007FF6BB5D0000-0x00007FF6BB921000-memory.dmp

Filesize
3.3MB

Download
memory/4772-87-0x00007FF6BB5D0000-0x00007FF6BB921000-memory.dmp

Filesize
3.3MB

Download
memory/4852-116-0x00007FF756830000-0x00007FF756B81000-memory.dmp

Filesize
3.3MB

Download
memory/4852-24-0x00007FF756830000-0x00007FF756B81000-memory.dmp

Filesize
3.3MB

Download
memory/4852-216-0x00007FF756830000-0x00007FF756B81000-memory.dmp

Filesize
3.3MB

Download
memory/4924-240-0x00007FF781190000-0x00007FF7814E1000-memory.dmp

Filesize
3.3MB

Download
memory/4924-94-0x00007FF781190000-0x00007FF7814E1000-memory.dmp

Filesize
3.3MB

Download
memory/4924-143-0x00007FF781190000-0x00007FF7814E1000-memory.dmp

Filesize
3.3MB

Download