cobaltstrike | 6a8dce4d3a22006b99d9d52b36efb9b9e3c0d60db18629de2eb3be7b01df4d6d

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 05:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-22_a6fe0a4316b283b5d3b449f59cd130d4_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

a6fe0a4316b283b5d3b449f59cd130d4
SHA1

c1c2aad25819d63f3d03d29b7ddf9b74895f31df
SHA256

6a8dce4d3a22006b99d9d52b36efb9b9e3c0d60db18629de2eb3be7b01df4d6d
SHA512

05cae500945d2c7bf3ea1abcd2e3f5ff38636fe052607311a675ce1e5be5902d9003d2f3adf24185de868bc2c208236b1b3993df803120103416b035a8aaa960
SSDEEP

49152:ROdWCCi7/raN56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6ll:RWWBib+56utgpPFotBER/mQ32lU5

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000b000000023b84-4.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b89-9.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b88-14.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8a-19.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8c-33.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8b-37.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8e-45.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8f-48.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b92-69.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b91-75.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b94-99.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bac-122.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023bb2-126.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023bb1-124.dat	cobalt_reflective_dll
behavioral2/files/0x000e000000023ba3-119.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9c-102.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b85-92.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b93-87.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b90-64.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8d-44.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023bb3-131.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/4240-61-0x00007FF640E00000-0x00007FF641151000-memory.dmp	xmrig
behavioral2/memory/1136-116-0x00007FF69E700000-0x00007FF69EA51000-memory.dmp	xmrig
behavioral2/memory/1160-115-0x00007FF7AE760000-0x00007FF7AEAB1000-memory.dmp	xmrig
behavioral2/memory/4484-107-0x00007FF72A1E0000-0x00007FF72A531000-memory.dmp	xmrig
behavioral2/memory/3672-105-0x00007FF658C60000-0x00007FF658FB1000-memory.dmp	xmrig
behavioral2/memory/2016-71-0x00007FF60CEB0000-0x00007FF60D201000-memory.dmp	xmrig
behavioral2/memory/400-70-0x00007FF7E2EA0000-0x00007FF7E31F1000-memory.dmp	xmrig
behavioral2/memory/1860-47-0x00007FF6EA300000-0x00007FF6EA651000-memory.dmp	xmrig
behavioral2/memory/728-128-0x00007FF6E3750000-0x00007FF6E3AA1000-memory.dmp	xmrig
behavioral2/memory/2452-132-0x00007FF770FA0000-0x00007FF7712F1000-memory.dmp	xmrig
behavioral2/memory/4360-136-0x00007FF794FB0000-0x00007FF795301000-memory.dmp	xmrig
behavioral2/memory/2952-142-0x00007FF7F5270000-0x00007FF7F55C1000-memory.dmp	xmrig
behavioral2/memory/400-137-0x00007FF7E2EA0000-0x00007FF7E31F1000-memory.dmp	xmrig
behavioral2/memory/3956-156-0x00007FF70A0B0000-0x00007FF70A401000-memory.dmp	xmrig
behavioral2/memory/1652-155-0x00007FF6A8DE0000-0x00007FF6A9131000-memory.dmp	xmrig
behavioral2/memory/4672-153-0x00007FF63CED0000-0x00007FF63D221000-memory.dmp	xmrig
behavioral2/memory/3896-152-0x00007FF65F770000-0x00007FF65FAC1000-memory.dmp	xmrig
behavioral2/memory/3248-154-0x00007FF7FB060000-0x00007FF7FB3B1000-memory.dmp	xmrig
behavioral2/memory/4600-159-0x00007FF7C8580000-0x00007FF7C88D1000-memory.dmp	xmrig
behavioral2/memory/1400-158-0x00007FF68E060000-0x00007FF68E3B1000-memory.dmp	xmrig
behavioral2/memory/3484-157-0x00007FF7E3360000-0x00007FF7E36B1000-memory.dmp	xmrig
behavioral2/memory/1172-160-0x00007FF78AE40000-0x00007FF78B191000-memory.dmp	xmrig
behavioral2/memory/4856-161-0x00007FF7D86F0000-0x00007FF7D8A41000-memory.dmp	xmrig
behavioral2/memory/400-162-0x00007FF7E2EA0000-0x00007FF7E31F1000-memory.dmp	xmrig
behavioral2/memory/2016-216-0x00007FF60CEB0000-0x00007FF60D201000-memory.dmp	xmrig
behavioral2/memory/3672-218-0x00007FF658C60000-0x00007FF658FB1000-memory.dmp	xmrig
behavioral2/memory/4484-220-0x00007FF72A1E0000-0x00007FF72A531000-memory.dmp	xmrig
behavioral2/memory/1160-222-0x00007FF7AE760000-0x00007FF7AEAB1000-memory.dmp	xmrig
behavioral2/memory/1860-226-0x00007FF6EA300000-0x00007FF6EA651000-memory.dmp	xmrig
behavioral2/memory/1136-225-0x00007FF69E700000-0x00007FF69EA51000-memory.dmp	xmrig
behavioral2/memory/728-242-0x00007FF6E3750000-0x00007FF6E3AA1000-memory.dmp	xmrig
behavioral2/memory/2452-241-0x00007FF770FA0000-0x00007FF7712F1000-memory.dmp	xmrig
behavioral2/memory/4240-244-0x00007FF640E00000-0x00007FF641151000-memory.dmp	xmrig
behavioral2/memory/4360-247-0x00007FF794FB0000-0x00007FF795301000-memory.dmp	xmrig
behavioral2/memory/2952-252-0x00007FF7F5270000-0x00007FF7F55C1000-memory.dmp	xmrig
behavioral2/memory/1652-251-0x00007FF6A8DE0000-0x00007FF6A9131000-memory.dmp	xmrig
behavioral2/memory/3956-249-0x00007FF70A0B0000-0x00007FF70A401000-memory.dmp	xmrig
behavioral2/memory/3248-258-0x00007FF7FB060000-0x00007FF7FB3B1000-memory.dmp	xmrig
behavioral2/memory/4672-257-0x00007FF63CED0000-0x00007FF63D221000-memory.dmp	xmrig
behavioral2/memory/3896-255-0x00007FF65F770000-0x00007FF65FAC1000-memory.dmp	xmrig
behavioral2/memory/4600-263-0x00007FF7C8580000-0x00007FF7C88D1000-memory.dmp	xmrig
behavioral2/memory/3484-266-0x00007FF7E3360000-0x00007FF7E36B1000-memory.dmp	xmrig
behavioral2/memory/1400-265-0x00007FF68E060000-0x00007FF68E3B1000-memory.dmp	xmrig
behavioral2/memory/1172-261-0x00007FF78AE40000-0x00007FF78B191000-memory.dmp	xmrig
behavioral2/memory/4856-269-0x00007FF7D86F0000-0x00007FF7D8A41000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2016	KEdpORa.exe
3672	DmFCXJl.exe
4484	VCZFOCG.exe
1160	JBSpWxI.exe
1136	HxjOACG.exe
1860	LsEAKGl.exe
728	aeNCVxW.exe
2452	YpWhaWQ.exe
4240	stHrdus.exe
4360	xxiZDFw.exe
2952	CeHkqen.exe
1652	zmgzUux.exe
3956	nkutskw.exe
3896	RUEeAhK.exe
4672	DNseRhm.exe
3248	zmhynMg.exe
3484	KgEoMfW.exe
1400	FGHXVOJ.exe
4600	BXYtQNZ.exe
1172	McvqyEd.exe
4856	fyNQaXo.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/400-0-0x00007FF7E2EA0000-0x00007FF7E31F1000-memory.dmp	upx
behavioral2/files/0x000b000000023b84-4.dat	upx
behavioral2/files/0x000a000000023b89-9.dat	upx
behavioral2/files/0x000a000000023b88-14.dat	upx
behavioral2/memory/3672-15-0x00007FF658C60000-0x00007FF658FB1000-memory.dmp	upx
behavioral2/files/0x000a000000023b8a-19.dat	upx
behavioral2/memory/4484-24-0x00007FF72A1E0000-0x00007FF72A531000-memory.dmp	upx
behavioral2/files/0x000a000000023b8c-33.dat	upx
behavioral2/files/0x000a000000023b8b-37.dat	upx
behavioral2/memory/728-41-0x00007FF6E3750000-0x00007FF6E3AA1000-memory.dmp	upx
behavioral2/files/0x000a000000023b8e-45.dat	upx
behavioral2/files/0x000a000000023b8f-48.dat	upx
behavioral2/memory/4240-61-0x00007FF640E00000-0x00007FF641151000-memory.dmp	upx
behavioral2/memory/4360-63-0x00007FF794FB0000-0x00007FF795301000-memory.dmp	upx
behavioral2/memory/2952-65-0x00007FF7F5270000-0x00007FF7F55C1000-memory.dmp	upx
behavioral2/files/0x000b000000023b92-69.dat	upx
behavioral2/files/0x000a000000023b91-75.dat	upx
behavioral2/files/0x000b000000023b94-99.dat	upx
behavioral2/memory/1136-116-0x00007FF69E700000-0x00007FF69EA51000-memory.dmp	upx
behavioral2/files/0x0008000000023bac-122.dat	upx
behavioral2/files/0x0009000000023bb2-126.dat	upx
behavioral2/files/0x0009000000023bb1-124.dat	upx
behavioral2/memory/1400-121-0x00007FF68E060000-0x00007FF68E3B1000-memory.dmp	upx
behavioral2/files/0x000e000000023ba3-119.dat	upx
behavioral2/memory/1172-118-0x00007FF78AE40000-0x00007FF78B191000-memory.dmp	upx
behavioral2/memory/4600-117-0x00007FF7C8580000-0x00007FF7C88D1000-memory.dmp	upx
behavioral2/memory/1160-115-0x00007FF7AE760000-0x00007FF7AEAB1000-memory.dmp	upx
behavioral2/memory/3484-114-0x00007FF7E3360000-0x00007FF7E36B1000-memory.dmp	upx
behavioral2/memory/4672-108-0x00007FF63CED0000-0x00007FF63D221000-memory.dmp	upx
behavioral2/memory/4484-107-0x00007FF72A1E0000-0x00007FF72A531000-memory.dmp	upx
behavioral2/memory/3672-105-0x00007FF658C60000-0x00007FF658FB1000-memory.dmp	upx
behavioral2/files/0x000a000000023b9c-102.dat	upx
behavioral2/memory/3248-96-0x00007FF7FB060000-0x00007FF7FB3B1000-memory.dmp	upx
behavioral2/memory/3896-93-0x00007FF65F770000-0x00007FF65FAC1000-memory.dmp	upx
behavioral2/files/0x000b000000023b85-92.dat	upx
behavioral2/memory/3956-90-0x00007FF70A0B0000-0x00007FF70A401000-memory.dmp	upx
behavioral2/files/0x000b000000023b93-87.dat	upx
behavioral2/memory/1652-74-0x00007FF6A8DE0000-0x00007FF6A9131000-memory.dmp	upx
behavioral2/memory/2016-71-0x00007FF60CEB0000-0x00007FF60D201000-memory.dmp	upx
behavioral2/memory/400-70-0x00007FF7E2EA0000-0x00007FF7E31F1000-memory.dmp	upx
behavioral2/files/0x000a000000023b90-64.dat	upx
behavioral2/memory/2452-56-0x00007FF770FA0000-0x00007FF7712F1000-memory.dmp	upx
behavioral2/files/0x000a000000023b8d-44.dat	upx
behavioral2/memory/1860-47-0x00007FF6EA300000-0x00007FF6EA651000-memory.dmp	upx
behavioral2/memory/1136-36-0x00007FF69E700000-0x00007FF69EA51000-memory.dmp	upx
behavioral2/memory/1160-30-0x00007FF7AE760000-0x00007FF7AEAB1000-memory.dmp	upx
behavioral2/memory/2016-11-0x00007FF60CEB0000-0x00007FF60D201000-memory.dmp	upx
behavioral2/memory/728-128-0x00007FF6E3750000-0x00007FF6E3AA1000-memory.dmp	upx
behavioral2/files/0x0009000000023bb3-131.dat	upx
behavioral2/memory/4856-134-0x00007FF7D86F0000-0x00007FF7D8A41000-memory.dmp	upx
behavioral2/memory/2452-132-0x00007FF770FA0000-0x00007FF7712F1000-memory.dmp	upx
behavioral2/memory/4360-136-0x00007FF794FB0000-0x00007FF795301000-memory.dmp	upx
behavioral2/memory/2952-142-0x00007FF7F5270000-0x00007FF7F55C1000-memory.dmp	upx
behavioral2/memory/400-137-0x00007FF7E2EA0000-0x00007FF7E31F1000-memory.dmp	upx
behavioral2/memory/3956-156-0x00007FF70A0B0000-0x00007FF70A401000-memory.dmp	upx
behavioral2/memory/1652-155-0x00007FF6A8DE0000-0x00007FF6A9131000-memory.dmp	upx
behavioral2/memory/4672-153-0x00007FF63CED0000-0x00007FF63D221000-memory.dmp	upx
behavioral2/memory/3896-152-0x00007FF65F770000-0x00007FF65FAC1000-memory.dmp	upx
behavioral2/memory/3248-154-0x00007FF7FB060000-0x00007FF7FB3B1000-memory.dmp	upx
behavioral2/memory/4600-159-0x00007FF7C8580000-0x00007FF7C88D1000-memory.dmp	upx
behavioral2/memory/1400-158-0x00007FF68E060000-0x00007FF68E3B1000-memory.dmp	upx
behavioral2/memory/3484-157-0x00007FF7E3360000-0x00007FF7E36B1000-memory.dmp	upx
behavioral2/memory/1172-160-0x00007FF78AE40000-0x00007FF78B191000-memory.dmp	upx
behavioral2/memory/4856-161-0x00007FF7D86F0000-0x00007FF7D8A41000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\VCZFOCG.exe	2024-12-22_a6fe0a4316b283b5d3b449f59cd130d4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JBSpWxI.exe	2024-12-22_a6fe0a4316b283b5d3b449f59cd130d4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\stHrdus.exe	2024-12-22_a6fe0a4316b283b5d3b449f59cd130d4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CeHkqen.exe	2024-12-22_a6fe0a4316b283b5d3b449f59cd130d4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nkutskw.exe	2024-12-22_a6fe0a4316b283b5d3b449f59cd130d4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DNseRhm.exe	2024-12-22_a6fe0a4316b283b5d3b449f59cd130d4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zmhynMg.exe	2024-12-22_a6fe0a4316b283b5d3b449f59cd130d4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fyNQaXo.exe	2024-12-22_a6fe0a4316b283b5d3b449f59cd130d4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LsEAKGl.exe	2024-12-22_a6fe0a4316b283b5d3b449f59cd130d4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YpWhaWQ.exe	2024-12-22_a6fe0a4316b283b5d3b449f59cd130d4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xxiZDFw.exe	2024-12-22_a6fe0a4316b283b5d3b449f59cd130d4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zmgzUux.exe	2024-12-22_a6fe0a4316b283b5d3b449f59cd130d4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BXYtQNZ.exe	2024-12-22_a6fe0a4316b283b5d3b449f59cd130d4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KEdpORa.exe	2024-12-22_a6fe0a4316b283b5d3b449f59cd130d4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aeNCVxW.exe	2024-12-22_a6fe0a4316b283b5d3b449f59cd130d4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RUEeAhK.exe	2024-12-22_a6fe0a4316b283b5d3b449f59cd130d4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FGHXVOJ.exe	2024-12-22_a6fe0a4316b283b5d3b449f59cd130d4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DmFCXJl.exe	2024-12-22_a6fe0a4316b283b5d3b449f59cd130d4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HxjOACG.exe	2024-12-22_a6fe0a4316b283b5d3b449f59cd130d4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KgEoMfW.exe	2024-12-22_a6fe0a4316b283b5d3b449f59cd130d4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\McvqyEd.exe	2024-12-22_a6fe0a4316b283b5d3b449f59cd130d4_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	400	2024-12-22_a6fe0a4316b283b5d3b449f59cd130d4_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	400	2024-12-22_a6fe0a4316b283b5d3b449f59cd130d4_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 400 wrote to memory of 2016	400	2024-12-22_a6fe0a4316b283b5d3b449f59cd130d4_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 400 wrote to memory of 2016	400	2024-12-22_a6fe0a4316b283b5d3b449f59cd130d4_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 400 wrote to memory of 3672	400	2024-12-22_a6fe0a4316b283b5d3b449f59cd130d4_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 400 wrote to memory of 3672	400	2024-12-22_a6fe0a4316b283b5d3b449f59cd130d4_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 400 wrote to memory of 4484	400	2024-12-22_a6fe0a4316b283b5d3b449f59cd130d4_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 400 wrote to memory of 4484	400	2024-12-22_a6fe0a4316b283b5d3b449f59cd130d4_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 400 wrote to memory of 1160	400	2024-12-22_a6fe0a4316b283b5d3b449f59cd130d4_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 400 wrote to memory of 1160	400	2024-12-22_a6fe0a4316b283b5d3b449f59cd130d4_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 400 wrote to memory of 1136	400	2024-12-22_a6fe0a4316b283b5d3b449f59cd130d4_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 400 wrote to memory of 1136	400	2024-12-22_a6fe0a4316b283b5d3b449f59cd130d4_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 400 wrote to memory of 1860	400	2024-12-22_a6fe0a4316b283b5d3b449f59cd130d4_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 400 wrote to memory of 1860	400	2024-12-22_a6fe0a4316b283b5d3b449f59cd130d4_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 400 wrote to memory of 728	400	2024-12-22_a6fe0a4316b283b5d3b449f59cd130d4_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 400 wrote to memory of 728	400	2024-12-22_a6fe0a4316b283b5d3b449f59cd130d4_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 400 wrote to memory of 2452	400	2024-12-22_a6fe0a4316b283b5d3b449f59cd130d4_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 400 wrote to memory of 2452	400	2024-12-22_a6fe0a4316b283b5d3b449f59cd130d4_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 400 wrote to memory of 4240	400	2024-12-22_a6fe0a4316b283b5d3b449f59cd130d4_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 400 wrote to memory of 4240	400	2024-12-22_a6fe0a4316b283b5d3b449f59cd130d4_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 400 wrote to memory of 4360	400	2024-12-22_a6fe0a4316b283b5d3b449f59cd130d4_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 400 wrote to memory of 4360	400	2024-12-22_a6fe0a4316b283b5d3b449f59cd130d4_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 400 wrote to memory of 2952	400	2024-12-22_a6fe0a4316b283b5d3b449f59cd130d4_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 400 wrote to memory of 2952	400	2024-12-22_a6fe0a4316b283b5d3b449f59cd130d4_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 400 wrote to memory of 1652	400	2024-12-22_a6fe0a4316b283b5d3b449f59cd130d4_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 400 wrote to memory of 1652	400	2024-12-22_a6fe0a4316b283b5d3b449f59cd130d4_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 400 wrote to memory of 3956	400	2024-12-22_a6fe0a4316b283b5d3b449f59cd130d4_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 400 wrote to memory of 3956	400	2024-12-22_a6fe0a4316b283b5d3b449f59cd130d4_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 400 wrote to memory of 3896	400	2024-12-22_a6fe0a4316b283b5d3b449f59cd130d4_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 400 wrote to memory of 3896	400	2024-12-22_a6fe0a4316b283b5d3b449f59cd130d4_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 400 wrote to memory of 4672	400	2024-12-22_a6fe0a4316b283b5d3b449f59cd130d4_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 400 wrote to memory of 4672	400	2024-12-22_a6fe0a4316b283b5d3b449f59cd130d4_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 400 wrote to memory of 3248	400	2024-12-22_a6fe0a4316b283b5d3b449f59cd130d4_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 400 wrote to memory of 3248	400	2024-12-22_a6fe0a4316b283b5d3b449f59cd130d4_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 400 wrote to memory of 3484	400	2024-12-22_a6fe0a4316b283b5d3b449f59cd130d4_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 400 wrote to memory of 3484	400	2024-12-22_a6fe0a4316b283b5d3b449f59cd130d4_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 400 wrote to memory of 1400	400	2024-12-22_a6fe0a4316b283b5d3b449f59cd130d4_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 400 wrote to memory of 1400	400	2024-12-22_a6fe0a4316b283b5d3b449f59cd130d4_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 400 wrote to memory of 4600	400	2024-12-22_a6fe0a4316b283b5d3b449f59cd130d4_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 400 wrote to memory of 4600	400	2024-12-22_a6fe0a4316b283b5d3b449f59cd130d4_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 400 wrote to memory of 1172	400	2024-12-22_a6fe0a4316b283b5d3b449f59cd130d4_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 400 wrote to memory of 1172	400	2024-12-22_a6fe0a4316b283b5d3b449f59cd130d4_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 400 wrote to memory of 4856	400	2024-12-22_a6fe0a4316b283b5d3b449f59cd130d4_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 400 wrote to memory of 4856	400	2024-12-22_a6fe0a4316b283b5d3b449f59cd130d4_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-12-22_a6fe0a4316b283b5d3b449f59cd130d4_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-22_a6fe0a4316b283b5d3b449f59cd130d4_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:400
- C:\Windows\System\KEdpORa.exe
  C:\Windows\System\KEdpORa.exe
  2⤵
  - Executes dropped EXE
  PID:2016
- C:\Windows\System\DmFCXJl.exe
  C:\Windows\System\DmFCXJl.exe
  2⤵
  - Executes dropped EXE
  PID:3672
- C:\Windows\System\VCZFOCG.exe
  C:\Windows\System\VCZFOCG.exe
  2⤵
  - Executes dropped EXE
  PID:4484
- C:\Windows\System\JBSpWxI.exe
  C:\Windows\System\JBSpWxI.exe
  2⤵
  - Executes dropped EXE
  PID:1160
- C:\Windows\System\HxjOACG.exe
  C:\Windows\System\HxjOACG.exe
  2⤵
  - Executes dropped EXE
  PID:1136
- C:\Windows\System\LsEAKGl.exe
  C:\Windows\System\LsEAKGl.exe
  2⤵
  - Executes dropped EXE
  PID:1860
- C:\Windows\System\aeNCVxW.exe
  C:\Windows\System\aeNCVxW.exe
  2⤵
  - Executes dropped EXE
  PID:728
- C:\Windows\System\YpWhaWQ.exe
  C:\Windows\System\YpWhaWQ.exe
  2⤵
  - Executes dropped EXE
  PID:2452
- C:\Windows\System\stHrdus.exe
  C:\Windows\System\stHrdus.exe
  2⤵
  - Executes dropped EXE
  PID:4240
- C:\Windows\System\xxiZDFw.exe
  C:\Windows\System\xxiZDFw.exe
  2⤵
  - Executes dropped EXE
  PID:4360
- C:\Windows\System\CeHkqen.exe
  C:\Windows\System\CeHkqen.exe
  2⤵
  - Executes dropped EXE
  PID:2952
- C:\Windows\System\zmgzUux.exe
  C:\Windows\System\zmgzUux.exe
  2⤵
  - Executes dropped EXE
  PID:1652
- C:\Windows\System\nkutskw.exe
  C:\Windows\System\nkutskw.exe
  2⤵
  - Executes dropped EXE
  PID:3956
- C:\Windows\System\RUEeAhK.exe
  C:\Windows\System\RUEeAhK.exe
  2⤵
  - Executes dropped EXE
  PID:3896
- C:\Windows\System\DNseRhm.exe
  C:\Windows\System\DNseRhm.exe
  2⤵
  - Executes dropped EXE
  PID:4672
- C:\Windows\System\zmhynMg.exe
  C:\Windows\System\zmhynMg.exe
  2⤵
  - Executes dropped EXE
  PID:3248
- C:\Windows\System\KgEoMfW.exe
  C:\Windows\System\KgEoMfW.exe
  2⤵
  - Executes dropped EXE
  PID:3484
- C:\Windows\System\FGHXVOJ.exe
  C:\Windows\System\FGHXVOJ.exe
  2⤵
  - Executes dropped EXE
  PID:1400
- C:\Windows\System\BXYtQNZ.exe
  C:\Windows\System\BXYtQNZ.exe
  2⤵
  - Executes dropped EXE
  PID:4600
- C:\Windows\System\McvqyEd.exe
  C:\Windows\System\McvqyEd.exe
  2⤵
  - Executes dropped EXE
  PID:1172
- C:\Windows\System\fyNQaXo.exe
  C:\Windows\System\fyNQaXo.exe
  2⤵
  - Executes dropped EXE
  PID:4856

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BXYtQNZ.exe

Filesize
5.2MB

MD5
c66f00cb1778b1826195166032a6b500

SHA1
2f67343b0e1fb071180360a6eaf95c866fe235c2

SHA256
c702563d9f9a6012359918f864aa096211083f20a01b5ef660d5440d7740f94d

SHA512
429bd2260d5af9f2d00d94bd61fcc8aa1329262ac76673e62506c6d49c087c2773ebff7079777144c3ef7914789e33cd8bacf79b238f2560a73a7f7c22810acc

Download Submit
C:\Windows\System\CeHkqen.exe

Filesize
5.2MB

MD5
00aa87b65412e1561b52ad7d18a0e148

SHA1
3cef1aec10bb8c64d3562ccf5f7b68c3d489b9be

SHA256
24cbff424b697b3748a7321778caef8f2d36bd144b36a7fd6e14f5eedcc364db

SHA512
2c03b06e8aa9275ea0f5186af6d66e41a59a71db2665e704811ede121b09a78437cffb41999fde851032b840642a853441dc7fd1bb58a6bec0c1435b611dd69e

Download Submit
C:\Windows\System\DNseRhm.exe

Filesize
5.2MB

MD5
372b124dee3c128f5ccae480733f4b20

SHA1
aee01d3a98450c9d523c1cf95bc559569d308a8b

SHA256
97c39af57322824e74a0fd8fe28ecfaa2099fa271e3b4c3b30fb7d18042fea47

SHA512
87ed92b33b5bf26cd0ada1844d3619ffe7fa0d032a3d2a1bcbddcf944d2e256e51685abf835019f007d40b558fe6124de117a11e28aad93626e122c845d3047b

Download Submit
C:\Windows\System\DmFCXJl.exe

Filesize
5.2MB

MD5
41c593f53e0318ce242a095f74f952d7

SHA1
a30c0ba4207887285c9761f31a413e6cb40ee090

SHA256
889a6584548046fd2de1a1c88d3d17836261e73c877b2dc5638d2c8622774d50

SHA512
62a47910667082c20546d52f28b99ac4f1a4290461939f3c9207622cc2abd98659bf76d5b153b77ed9a35c973f7214d7fb1dbcc3959d2ceae4506a1199c7c820

Download Submit
C:\Windows\System\FGHXVOJ.exe

Filesize
5.2MB

MD5
866ca4afb2b23a15473183c0858f39e5

SHA1
68c7aa2adbbafb79804c8a3bcbf8ef571336c02a

SHA256
09b9d59211ddaca45204e73a1700274aa08b23ddfa3af4aaf5968bb2be481fac

SHA512
6cdb918bd689617e54d04070ddeeb167209eee168e78fa59af1a2a82acb125db029ec5b011aae849126304d31ab6e1af69770808d0ad20adf1eb8a64bd00b614

Download Submit
C:\Windows\System\HxjOACG.exe

Filesize
5.2MB

MD5
2b7a9892f5b64c34c31c54da7df33bb3

SHA1
13af056b640de031b3eefed9c679264dc047249c

SHA256
45676fc62175490eefb91b246bd4d34f24e25235bdbdcd7bf1a7feb88d18292d

SHA512
4bb6d9e5b9644f9ab5eb6e25b811173891dc853e55a6a6c3591df48354b2286d3661787f70d8aaf8ab23d0e2aacb7ee0984a7e16e74275d727f609a68c574ef2

Download Submit
C:\Windows\System\JBSpWxI.exe

Filesize
5.2MB

MD5
6bfa9fbe107044eea42f71da17bf57fc

SHA1
ae1c3df1639bc5427f42fa3b685acc70e75a9a93

SHA256
9a2c3774504eaea05a1261f88c5627f99e9b16ed85d1824af4247006b80ff904

SHA512
2498dc09c1b256ff5184ab3280fd05ce6fe39fca7a6a4ff8e92b9ff59b90e77a62bd3a5c780487603797d68cff81983fe846ca77b21efa0a634056c730c34947

Download Submit
C:\Windows\System\KEdpORa.exe

Filesize
5.2MB

MD5
be3dc8711576b203895b3dc31415e00a

SHA1
40b92355195aa5ed250d77a08790d6199ed99f11

SHA256
275cd7ab86e37c36f051ee90cacd7f34e556b6c5042cd6fb45509d49b93fdf11

SHA512
97339f2711b638b1c2f27e755b29bab547a67d83d41b4ad8e4a3e1174100ecf3390feafa3ef505bded3fed6928819895dd1eba3a480395a6b22b7b298c119d0a

Download Submit
C:\Windows\System\KgEoMfW.exe

Filesize
5.2MB

MD5
ad99ec1d7139fca79ec34f848e859712

SHA1
8de393fce10d1bdc24bf1d6b36735ac45e17124a

SHA256
c9a3f2a3f385d4790229f31dfcff125077741dcf94c364ab21acfc17eea9c2c1

SHA512
d638ddd3b40013e7be243bdb82e74d344c42264e12f5d785c8828b9ace52e08e27c02632495bad929f2c0902327deb7ff204496f3f3a97bbc3365cf83e243be5

Download Submit
C:\Windows\System\LsEAKGl.exe

Filesize
5.2MB

MD5
f1fd6a3b3ee2ea6781b7452390939b83

SHA1
96a0710759698105c3e0c0b03288ff9423227268

SHA256
92e41cead40b4eebdd8bf78f7d6c1a4113d9476a9b7916e1b04d5993f0d506fb

SHA512
a3e5080aed215ace711d6bec6a6c367fcb7eaf7a8227a1bf5043806931ae65da7fae98f0b3b4485ba71101f3754d5319253b980f39e674454ae58b6656fbdd6c

Download Submit
C:\Windows\System\McvqyEd.exe

Filesize
5.2MB

MD5
225ac20ef5318b368ac5c81a35db8519

SHA1
92d19eccdb6f8a9ecd6c2a35e21290c864e7de16

SHA256
c1b4b478051e08a3a2faa895d847e7c6e886e50a1e0f49ca8372f746dc6743b6

SHA512
03c965b1ecc3ea660ff9e2318656f6b66ac218c4a8a19c682aff86d6addf5cb12c9e5195dcf18acea07f5fcc988d5cde975d402be4b2fa5a29b415311fb3d103

Download Submit
C:\Windows\System\RUEeAhK.exe

Filesize
5.2MB

MD5
7394b71cc62db3417487cba01dd122e1

SHA1
ef0a0fddc046f318f809f7600dc5fe26397f04aa

SHA256
6eb822807da3dcdefb769001a362d5ab393cbc874404227daae12ff788952a93

SHA512
dc7049dbf08a8741c49ce1d43d6b27aadce7f6106aac08ccc22460688c3f42f3cda5a9e8a03e8c00b08f47eea7f848e9a50c17d712d86d48b07ad87e81a22305

Download Submit
C:\Windows\System\VCZFOCG.exe

Filesize
5.2MB

MD5
5fdc9eb48a5d205cdc4bc14137d74032

SHA1
0bc6721e120abc06249f1f32576ab76e013fdade

SHA256
baaf4f08beba5884a83fc908f8fb71f3e58d90a5af79e41466f9d0bf0c9df4b6

SHA512
b072cba02e8af77ebc5ceb2981d88436a8c6ea3f33dbd6c7fb3a9b06c917b8453474d5b3be96f2ae97669d9263fb0763332e592e212f446b8e77e942507b0b83

Download Submit
C:\Windows\System\YpWhaWQ.exe

Filesize
5.2MB

MD5
a35d1658cc481b773c7716ef220eedda

SHA1
58bdbb681b43de60b28c5125778f201a17c535dc

SHA256
8bd6df32b315936a1ebfed6ee39966c434c06a939856576756c0fbadbdc2f5fc

SHA512
1eef01e6dce49d2745b9b99f36bef3072252c11aef85b3e356cb0bab368db70e500cb27e88a315260c25c925af397703c59c06f09aa62d49fe3973f632272ea7

Download Submit
C:\Windows\System\aeNCVxW.exe

Filesize
5.2MB

MD5
0d1bf5aa30b12c1edd08322bc029c1f4

SHA1
4446e9e628318d1ebbc6df7abccf46b09fc3f8b4

SHA256
c91937d09c6d19815e23c86e4ee25b9daf5dbf89b6643fe70898633d744aea94

SHA512
311b75276110c845cee21238b4fb4ba81410c37553c7e20b24b83a696181b2db6de39a69ad5ac58e65c21f08c71809bdc91f4955c7ba24c44303847f53f9cea9

Download Submit
C:\Windows\System\fyNQaXo.exe

Filesize
5.2MB

MD5
d174c7dfba5efe1fe269ba1a6e0cbc6c

SHA1
25e2fc076b86974b72755c542a58fa6ae2bcb39a

SHA256
ac96331ac18907bdf00759064c0ec3350fc993946856de7730dea8da92111ca1

SHA512
b5b027d521134c2db80dd8d70cf8024b3e0d820a51b187367878cfef94706f592523e840d44b7047c74650e2547095a8a439568037e0eaf9b743afc87ea326af

Download Submit
C:\Windows\System\nkutskw.exe

Filesize
5.2MB

MD5
e3653e78c6a9a34b812f2937dda94068

SHA1
85b94ee33311544ff77db91c3ad1277c11e74c73

SHA256
02aa0523ab1d8ae3b2ca6ec9c2a45e2390a79dd0bd78d0bd8e578e5db0b1fd55

SHA512
077e81b4be35004439196ba744ff902daa104d4e57414c06952954fb2ffde14a1013cbd49a4f9769b88f6ca9b3158a3c32aed7a8cecb990d9324d6885b0866b5

Download Submit
C:\Windows\System\stHrdus.exe

Filesize
5.2MB

MD5
71cf22eef4422d8a19c28183a87d1cdf

SHA1
70ae4c328741894ceb0969ecdfe7f87d0ac60cd4

SHA256
53db89bb757f42ed9f112dc598bfe9970e2a187e2f18546e03162fa2c1c453df

SHA512
04b536bdfe7976513537ecb3ac5a9ec1b741ff6274c62736311d6aca8dc370eecda2b099449d50681f59bb8634f7257b1656d7e431d018d1163058416ec96da4

Download Submit
C:\Windows\System\xxiZDFw.exe

Filesize
5.2MB

MD5
1e7de5903a32a5c13b4aba1323a4a419

SHA1
ab3986008a0d9405eda0e6b044c246a4293f6cb1

SHA256
599108b58cafcf8a2f2f777365fcd3f76399d02261c04e7247799fca5c3ef6a9

SHA512
c907cd797e3c56a8a1e4826f99aa87e5852ecec66421b0a661e0c8f9653c3dc2aab4e3c24fe8c1d3c93acfb9ce476d4cf8070e3e9be523589314843c6426b8e8

Download Submit
C:\Windows\System\zmgzUux.exe

Filesize
5.2MB

MD5
c26a0ee0e5e323eefc19287584130124

SHA1
00dc699e83c2250a3a314a289a7f33b52ce2d18b

SHA256
04a9edc664613deeb21ed2edbfb97bd84712da3fc4a151ce99810aaf3dc4d1f6

SHA512
ec861aec0d90d3bc88dbd1d861ccca802a0ad196c81a74d82b1f0fd50b4980bdef38ca06fc19cd47d915bf03098724539af35d5612db6bfea0ef3de924ef4550

Download Submit
C:\Windows\System\zmhynMg.exe

Filesize
5.2MB

MD5
31e40b146dccbb6637eb672b1af89200

SHA1
ea3f5f4a737aea1f60dc544237535e9a71b51eee

SHA256
e4444a38b2f7270fad98b385ac29e6a36f3aacd3feac3d9960023e368d620266

SHA512
d39da6616a787ecd471fe10f9ad70602f40ae286f931ef1e936db86551d796462fa506966bc2d236534d894662fb34eb2cdd2f44d6eed8f6c62b0a06dfbc629e

Download Submit
memory/400-0-0x00007FF7E2EA0000-0x00007FF7E31F1000-memory.dmp

Filesize
3.3MB

Download
memory/400-1-0x000002BEF5BF0000-0x000002BEF5C00000-memory.dmp

Filesize
64KB

Download
memory/400-137-0x00007FF7E2EA0000-0x00007FF7E31F1000-memory.dmp

Filesize
3.3MB

Download
memory/400-70-0x00007FF7E2EA0000-0x00007FF7E31F1000-memory.dmp

Filesize
3.3MB

Download
memory/400-162-0x00007FF7E2EA0000-0x00007FF7E31F1000-memory.dmp

Filesize
3.3MB

Download
memory/728-128-0x00007FF6E3750000-0x00007FF6E3AA1000-memory.dmp

Filesize
3.3MB

Download
memory/728-242-0x00007FF6E3750000-0x00007FF6E3AA1000-memory.dmp

Filesize
3.3MB

Download
memory/728-41-0x00007FF6E3750000-0x00007FF6E3AA1000-memory.dmp

Filesize
3.3MB

Download
memory/1136-36-0x00007FF69E700000-0x00007FF69EA51000-memory.dmp

Filesize
3.3MB

Download
memory/1136-116-0x00007FF69E700000-0x00007FF69EA51000-memory.dmp

Filesize
3.3MB

Download
memory/1136-225-0x00007FF69E700000-0x00007FF69EA51000-memory.dmp

Filesize
3.3MB

Download
memory/1160-115-0x00007FF7AE760000-0x00007FF7AEAB1000-memory.dmp

Filesize
3.3MB

Download
memory/1160-222-0x00007FF7AE760000-0x00007FF7AEAB1000-memory.dmp

Filesize
3.3MB

Download
memory/1160-30-0x00007FF7AE760000-0x00007FF7AEAB1000-memory.dmp

Filesize
3.3MB

Download
memory/1172-118-0x00007FF78AE40000-0x00007FF78B191000-memory.dmp

Filesize
3.3MB

Download
memory/1172-261-0x00007FF78AE40000-0x00007FF78B191000-memory.dmp

Filesize
3.3MB

Download
memory/1172-160-0x00007FF78AE40000-0x00007FF78B191000-memory.dmp

Filesize
3.3MB

Download
memory/1400-158-0x00007FF68E060000-0x00007FF68E3B1000-memory.dmp

Filesize
3.3MB

Download
memory/1400-121-0x00007FF68E060000-0x00007FF68E3B1000-memory.dmp

Filesize
3.3MB

Download
memory/1400-265-0x00007FF68E060000-0x00007FF68E3B1000-memory.dmp

Filesize
3.3MB

Download
memory/1652-251-0x00007FF6A8DE0000-0x00007FF6A9131000-memory.dmp

Filesize
3.3MB

Download
memory/1652-155-0x00007FF6A8DE0000-0x00007FF6A9131000-memory.dmp

Filesize
3.3MB

Download
memory/1652-74-0x00007FF6A8DE0000-0x00007FF6A9131000-memory.dmp

Filesize
3.3MB

Download
memory/1860-47-0x00007FF6EA300000-0x00007FF6EA651000-memory.dmp

Filesize
3.3MB

Download
memory/1860-226-0x00007FF6EA300000-0x00007FF6EA651000-memory.dmp

Filesize
3.3MB

Download
memory/2016-71-0x00007FF60CEB0000-0x00007FF60D201000-memory.dmp

Filesize
3.3MB

Download
memory/2016-216-0x00007FF60CEB0000-0x00007FF60D201000-memory.dmp

Filesize
3.3MB

Download
memory/2016-11-0x00007FF60CEB0000-0x00007FF60D201000-memory.dmp

Filesize
3.3MB

Download
memory/2452-56-0x00007FF770FA0000-0x00007FF7712F1000-memory.dmp

Filesize
3.3MB

Download
memory/2452-241-0x00007FF770FA0000-0x00007FF7712F1000-memory.dmp

Filesize
3.3MB

Download
memory/2452-132-0x00007FF770FA0000-0x00007FF7712F1000-memory.dmp

Filesize
3.3MB

Download
memory/2952-142-0x00007FF7F5270000-0x00007FF7F55C1000-memory.dmp

Filesize
3.3MB

Download
memory/2952-65-0x00007FF7F5270000-0x00007FF7F55C1000-memory.dmp

Filesize
3.3MB

Download
memory/2952-252-0x00007FF7F5270000-0x00007FF7F55C1000-memory.dmp

Filesize
3.3MB

Download
memory/3248-154-0x00007FF7FB060000-0x00007FF7FB3B1000-memory.dmp

Filesize
3.3MB

Download
memory/3248-96-0x00007FF7FB060000-0x00007FF7FB3B1000-memory.dmp

Filesize
3.3MB

Download
memory/3248-258-0x00007FF7FB060000-0x00007FF7FB3B1000-memory.dmp

Filesize
3.3MB

Download
memory/3484-266-0x00007FF7E3360000-0x00007FF7E36B1000-memory.dmp

Filesize
3.3MB

Download
memory/3484-114-0x00007FF7E3360000-0x00007FF7E36B1000-memory.dmp

Filesize
3.3MB

Download
memory/3484-157-0x00007FF7E3360000-0x00007FF7E36B1000-memory.dmp

Filesize
3.3MB

Download
memory/3672-15-0x00007FF658C60000-0x00007FF658FB1000-memory.dmp

Filesize
3.3MB

Download
memory/3672-218-0x00007FF658C60000-0x00007FF658FB1000-memory.dmp

Filesize
3.3MB

Download
memory/3672-105-0x00007FF658C60000-0x00007FF658FB1000-memory.dmp

Filesize
3.3MB

Download
memory/3896-152-0x00007FF65F770000-0x00007FF65FAC1000-memory.dmp

Filesize
3.3MB

Download
memory/3896-255-0x00007FF65F770000-0x00007FF65FAC1000-memory.dmp

Filesize
3.3MB

Download
memory/3896-93-0x00007FF65F770000-0x00007FF65FAC1000-memory.dmp

Filesize
3.3MB

Download
memory/3956-90-0x00007FF70A0B0000-0x00007FF70A401000-memory.dmp

Filesize
3.3MB

Download
memory/3956-249-0x00007FF70A0B0000-0x00007FF70A401000-memory.dmp

Filesize
3.3MB

Download
memory/3956-156-0x00007FF70A0B0000-0x00007FF70A401000-memory.dmp

Filesize
3.3MB

Download
memory/4240-61-0x00007FF640E00000-0x00007FF641151000-memory.dmp

Filesize
3.3MB

Download
memory/4240-244-0x00007FF640E00000-0x00007FF641151000-memory.dmp

Filesize
3.3MB

Download
memory/4360-247-0x00007FF794FB0000-0x00007FF795301000-memory.dmp

Filesize
3.3MB

Download
memory/4360-63-0x00007FF794FB0000-0x00007FF795301000-memory.dmp

Filesize
3.3MB

Download
memory/4360-136-0x00007FF794FB0000-0x00007FF795301000-memory.dmp

Filesize
3.3MB

Download
memory/4484-24-0x00007FF72A1E0000-0x00007FF72A531000-memory.dmp

Filesize
3.3MB

Download
memory/4484-220-0x00007FF72A1E0000-0x00007FF72A531000-memory.dmp

Filesize
3.3MB

Download
memory/4484-107-0x00007FF72A1E0000-0x00007FF72A531000-memory.dmp

Filesize
3.3MB

Download
memory/4600-117-0x00007FF7C8580000-0x00007FF7C88D1000-memory.dmp

Filesize
3.3MB

Download
memory/4600-159-0x00007FF7C8580000-0x00007FF7C88D1000-memory.dmp

Filesize
3.3MB

Download
memory/4600-263-0x00007FF7C8580000-0x00007FF7C88D1000-memory.dmp

Filesize
3.3MB

Download
memory/4672-108-0x00007FF63CED0000-0x00007FF63D221000-memory.dmp

Filesize
3.3MB

Download
memory/4672-257-0x00007FF63CED0000-0x00007FF63D221000-memory.dmp

Filesize
3.3MB

Download
memory/4672-153-0x00007FF63CED0000-0x00007FF63D221000-memory.dmp

Filesize
3.3MB

Download
memory/4856-161-0x00007FF7D86F0000-0x00007FF7D8A41000-memory.dmp

Filesize
3.3MB

Download
memory/4856-134-0x00007FF7D86F0000-0x00007FF7D8A41000-memory.dmp

Filesize
3.3MB

Download
memory/4856-269-0x00007FF7D86F0000-0x00007FF7D8A41000-memory.dmp

Filesize
3.3MB

Download