cobaltstrike | a0c9469b5cc607662e11ae3cce0f52bac719459ce53fdbddc9348faaf10f2650

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 05:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-22_c35f772778347c519ee30bee5df7b598_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

c35f772778347c519ee30bee5df7b598
SHA1

0b39f5d0d3c68d0ee05a0754c0a77dabad804f48
SHA256

a0c9469b5cc607662e11ae3cce0f52bac719459ce53fdbddc9348faaf10f2650
SHA512

f8c95a1c718184ff7549f17f3637eaf2601922e81bcd076d9e557e5780e647e7b807826b59af478eee2abb342cdcef4683b183b3645cd94a1e4a0d90917de83e
SSDEEP

49152:ROdWCCi7/raN56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lw:RWWBib+56utgpPFotBER/mQ32lU8

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0009000000023c62-5.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb7-10.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb9-29.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cba-39.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023cb3-41.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbb-49.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb8-26.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023cb2-15.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbc-58.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbd-57.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc0-75.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc1-83.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc3-94.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc7-124.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc9-134.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc8-132.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc6-122.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc5-118.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc4-110.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc2-92.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbf-73.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/2620-70-0x00007FF67EB50000-0x00007FF67EEA1000-memory.dmp	xmrig
behavioral2/memory/4624-81-0x00007FF64D780000-0x00007FF64DAD1000-memory.dmp	xmrig
behavioral2/memory/2452-136-0x00007FF63CDF0000-0x00007FF63D141000-memory.dmp	xmrig
behavioral2/memory/3900-135-0x00007FF637280000-0x00007FF6375D1000-memory.dmp	xmrig
behavioral2/memory/4592-129-0x00007FF76D240000-0x00007FF76D591000-memory.dmp	xmrig
behavioral2/memory/3708-120-0x00007FF7935C0000-0x00007FF793911000-memory.dmp	xmrig
behavioral2/memory/2852-115-0x00007FF7FC7A0000-0x00007FF7FCAF1000-memory.dmp	xmrig
behavioral2/memory/2104-109-0x00007FF7A9C90000-0x00007FF7A9FE1000-memory.dmp	xmrig
behavioral2/memory/3344-104-0x00007FF7A0480000-0x00007FF7A07D1000-memory.dmp	xmrig
behavioral2/memory/4336-97-0x00007FF78EB60000-0x00007FF78EEB1000-memory.dmp	xmrig
behavioral2/memory/2472-88-0x00007FF77A980000-0x00007FF77ACD1000-memory.dmp	xmrig
behavioral2/memory/628-71-0x00007FF727180000-0x00007FF7274D1000-memory.dmp	xmrig
behavioral2/memory/988-60-0x00007FF7A22B0000-0x00007FF7A2601000-memory.dmp	xmrig
behavioral2/memory/988-140-0x00007FF7A22B0000-0x00007FF7A2601000-memory.dmp	xmrig
behavioral2/memory/1904-155-0x00007FF645FA0000-0x00007FF6462F1000-memory.dmp	xmrig
behavioral2/memory/2228-158-0x00007FF7242C0000-0x00007FF724611000-memory.dmp	xmrig
behavioral2/memory/1220-162-0x00007FF671250000-0x00007FF6715A1000-memory.dmp	xmrig
behavioral2/memory/700-160-0x00007FF627CC0000-0x00007FF628011000-memory.dmp	xmrig
behavioral2/memory/2888-161-0x00007FF62DEF0000-0x00007FF62E241000-memory.dmp	xmrig
behavioral2/memory/3644-159-0x00007FF7E29F0000-0x00007FF7E2D41000-memory.dmp	xmrig
behavioral2/memory/2556-157-0x00007FF73EAF0000-0x00007FF73EE41000-memory.dmp	xmrig
behavioral2/memory/2168-156-0x00007FF69D240000-0x00007FF69D591000-memory.dmp	xmrig
behavioral2/memory/1108-163-0x00007FF79FA50000-0x00007FF79FDA1000-memory.dmp	xmrig
behavioral2/memory/988-164-0x00007FF7A22B0000-0x00007FF7A2601000-memory.dmp	xmrig
behavioral2/memory/2620-212-0x00007FF67EB50000-0x00007FF67EEA1000-memory.dmp	xmrig
behavioral2/memory/628-221-0x00007FF727180000-0x00007FF7274D1000-memory.dmp	xmrig
behavioral2/memory/4624-223-0x00007FF64D780000-0x00007FF64DAD1000-memory.dmp	xmrig
behavioral2/memory/2472-225-0x00007FF77A980000-0x00007FF77ACD1000-memory.dmp	xmrig
behavioral2/memory/3344-229-0x00007FF7A0480000-0x00007FF7A07D1000-memory.dmp	xmrig
behavioral2/memory/4336-227-0x00007FF78EB60000-0x00007FF78EEB1000-memory.dmp	xmrig
behavioral2/memory/2852-233-0x00007FF7FC7A0000-0x00007FF7FCAF1000-memory.dmp	xmrig
behavioral2/memory/2104-231-0x00007FF7A9C90000-0x00007FF7A9FE1000-memory.dmp	xmrig
behavioral2/memory/3708-239-0x00007FF7935C0000-0x00007FF793911000-memory.dmp	xmrig
behavioral2/memory/4592-241-0x00007FF76D240000-0x00007FF76D591000-memory.dmp	xmrig
behavioral2/memory/3900-243-0x00007FF637280000-0x00007FF6375D1000-memory.dmp	xmrig
behavioral2/memory/2452-245-0x00007FF63CDF0000-0x00007FF63D141000-memory.dmp	xmrig
behavioral2/memory/1904-247-0x00007FF645FA0000-0x00007FF6462F1000-memory.dmp	xmrig
behavioral2/memory/2168-257-0x00007FF69D240000-0x00007FF69D591000-memory.dmp	xmrig
behavioral2/memory/2556-259-0x00007FF73EAF0000-0x00007FF73EE41000-memory.dmp	xmrig
behavioral2/memory/3644-261-0x00007FF7E29F0000-0x00007FF7E2D41000-memory.dmp	xmrig
behavioral2/memory/700-263-0x00007FF627CC0000-0x00007FF628011000-memory.dmp	xmrig
behavioral2/memory/2888-265-0x00007FF62DEF0000-0x00007FF62E241000-memory.dmp	xmrig
behavioral2/memory/1220-267-0x00007FF671250000-0x00007FF6715A1000-memory.dmp	xmrig
behavioral2/memory/1108-269-0x00007FF79FA50000-0x00007FF79FDA1000-memory.dmp	xmrig
behavioral2/memory/2228-272-0x00007FF7242C0000-0x00007FF724611000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2620	cQSyIRu.exe
628	SNZjfiv.exe
4624	lQQsETl.exe
2472	xBSUUYS.exe
4336	RRFXJGl.exe
3344	rBIEqzj.exe
2104	YexbsEs.exe
2852	naruaeE.exe
3708	XVIYaLP.exe
4592	GNmRPiU.exe
3900	HRPAEHJ.exe
2452	XjfXfdo.exe
1904	mCwnSFS.exe
2168	HAgBRux.exe
2556	yEyFhBy.exe
2228	uKzhTZd.exe
3644	GMRiUjJ.exe
700	FJYFExL.exe
2888	baTATjb.exe
1220	mAqJMTa.exe
1108	PKeTpdE.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/988-0-0x00007FF7A22B0000-0x00007FF7A2601000-memory.dmp	upx
behavioral2/files/0x0009000000023c62-5.dat	upx
behavioral2/memory/2620-7-0x00007FF67EB50000-0x00007FF67EEA1000-memory.dmp	upx
behavioral2/files/0x0007000000023cb7-10.dat	upx
behavioral2/files/0x0007000000023cb9-29.dat	upx
behavioral2/files/0x0007000000023cba-39.dat	upx
behavioral2/files/0x0008000000023cb3-41.dat	upx
behavioral2/files/0x0007000000023cbb-49.dat	upx
behavioral2/memory/2852-48-0x00007FF7FC7A0000-0x00007FF7FCAF1000-memory.dmp	upx
behavioral2/memory/2104-44-0x00007FF7A9C90000-0x00007FF7A9FE1000-memory.dmp	upx
behavioral2/memory/3344-36-0x00007FF7A0480000-0x00007FF7A07D1000-memory.dmp	upx
behavioral2/memory/4336-32-0x00007FF78EB60000-0x00007FF78EEB1000-memory.dmp	upx
behavioral2/files/0x0007000000023cb8-26.dat	upx
behavioral2/memory/2472-23-0x00007FF77A980000-0x00007FF77ACD1000-memory.dmp	upx
behavioral2/memory/4624-17-0x00007FF64D780000-0x00007FF64DAD1000-memory.dmp	upx
behavioral2/memory/628-16-0x00007FF727180000-0x00007FF7274D1000-memory.dmp	upx
behavioral2/files/0x0008000000023cb2-15.dat	upx
behavioral2/files/0x0007000000023cbc-58.dat	upx
behavioral2/files/0x0007000000023cbd-57.dat	upx
behavioral2/memory/2620-70-0x00007FF67EB50000-0x00007FF67EEA1000-memory.dmp	upx
behavioral2/memory/3900-72-0x00007FF637280000-0x00007FF6375D1000-memory.dmp	upx
behavioral2/files/0x0007000000023cc0-75.dat	upx
behavioral2/files/0x0007000000023cc1-83.dat	upx
behavioral2/memory/1904-82-0x00007FF645FA0000-0x00007FF6462F1000-memory.dmp	upx
behavioral2/memory/4624-81-0x00007FF64D780000-0x00007FF64DAD1000-memory.dmp	upx
behavioral2/memory/2168-89-0x00007FF69D240000-0x00007FF69D591000-memory.dmp	upx
behavioral2/files/0x0007000000023cc3-94.dat	upx
behavioral2/memory/2228-108-0x00007FF7242C0000-0x00007FF724611000-memory.dmp	upx
behavioral2/memory/700-116-0x00007FF627CC0000-0x00007FF628011000-memory.dmp	upx
behavioral2/files/0x0007000000023cc7-124.dat	upx
behavioral2/files/0x0007000000023cc9-134.dat	upx
behavioral2/memory/1108-137-0x00007FF79FA50000-0x00007FF79FDA1000-memory.dmp	upx
behavioral2/memory/2452-136-0x00007FF63CDF0000-0x00007FF63D141000-memory.dmp	upx
behavioral2/memory/3900-135-0x00007FF637280000-0x00007FF6375D1000-memory.dmp	upx
behavioral2/files/0x0007000000023cc8-132.dat	upx
behavioral2/memory/1220-130-0x00007FF671250000-0x00007FF6715A1000-memory.dmp	upx
behavioral2/memory/4592-129-0x00007FF76D240000-0x00007FF76D591000-memory.dmp	upx
behavioral2/files/0x0007000000023cc6-122.dat	upx
behavioral2/memory/2888-121-0x00007FF62DEF0000-0x00007FF62E241000-memory.dmp	upx
behavioral2/memory/3708-120-0x00007FF7935C0000-0x00007FF793911000-memory.dmp	upx
behavioral2/files/0x0007000000023cc5-118.dat	upx
behavioral2/memory/2852-115-0x00007FF7FC7A0000-0x00007FF7FCAF1000-memory.dmp	upx
behavioral2/memory/3644-114-0x00007FF7E29F0000-0x00007FF7E2D41000-memory.dmp	upx
behavioral2/files/0x0007000000023cc4-110.dat	upx
behavioral2/memory/2104-109-0x00007FF7A9C90000-0x00007FF7A9FE1000-memory.dmp	upx
behavioral2/memory/3344-104-0x00007FF7A0480000-0x00007FF7A07D1000-memory.dmp	upx
behavioral2/memory/2556-98-0x00007FF73EAF0000-0x00007FF73EE41000-memory.dmp	upx
behavioral2/memory/4336-97-0x00007FF78EB60000-0x00007FF78EEB1000-memory.dmp	upx
behavioral2/files/0x0007000000023cc2-92.dat	upx
behavioral2/memory/2472-88-0x00007FF77A980000-0x00007FF77ACD1000-memory.dmp	upx
behavioral2/memory/2452-74-0x00007FF63CDF0000-0x00007FF63D141000-memory.dmp	upx
behavioral2/files/0x0007000000023cbf-73.dat	upx
behavioral2/memory/628-71-0x00007FF727180000-0x00007FF7274D1000-memory.dmp	upx
behavioral2/memory/4592-65-0x00007FF76D240000-0x00007FF76D591000-memory.dmp	upx
behavioral2/memory/988-60-0x00007FF7A22B0000-0x00007FF7A2601000-memory.dmp	upx
behavioral2/memory/3708-54-0x00007FF7935C0000-0x00007FF793911000-memory.dmp	upx
behavioral2/memory/988-140-0x00007FF7A22B0000-0x00007FF7A2601000-memory.dmp	upx
behavioral2/memory/1904-155-0x00007FF645FA0000-0x00007FF6462F1000-memory.dmp	upx
behavioral2/memory/2228-158-0x00007FF7242C0000-0x00007FF724611000-memory.dmp	upx
behavioral2/memory/1220-162-0x00007FF671250000-0x00007FF6715A1000-memory.dmp	upx
behavioral2/memory/700-160-0x00007FF627CC0000-0x00007FF628011000-memory.dmp	upx
behavioral2/memory/2888-161-0x00007FF62DEF0000-0x00007FF62E241000-memory.dmp	upx
behavioral2/memory/3644-159-0x00007FF7E29F0000-0x00007FF7E2D41000-memory.dmp	upx
behavioral2/memory/2556-157-0x00007FF73EAF0000-0x00007FF73EE41000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\XjfXfdo.exe	2024-12-22_c35f772778347c519ee30bee5df7b598_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HAgBRux.exe	2024-12-22_c35f772778347c519ee30bee5df7b598_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yEyFhBy.exe	2024-12-22_c35f772778347c519ee30bee5df7b598_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\baTATjb.exe	2024-12-22_c35f772778347c519ee30bee5df7b598_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SNZjfiv.exe	2024-12-22_c35f772778347c519ee30bee5df7b598_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XVIYaLP.exe	2024-12-22_c35f772778347c519ee30bee5df7b598_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\naruaeE.exe	2024-12-22_c35f772778347c519ee30bee5df7b598_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GNmRPiU.exe	2024-12-22_c35f772778347c519ee30bee5df7b598_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cQSyIRu.exe	2024-12-22_c35f772778347c519ee30bee5df7b598_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lQQsETl.exe	2024-12-22_c35f772778347c519ee30bee5df7b598_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YexbsEs.exe	2024-12-22_c35f772778347c519ee30bee5df7b598_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uKzhTZd.exe	2024-12-22_c35f772778347c519ee30bee5df7b598_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GMRiUjJ.exe	2024-12-22_c35f772778347c519ee30bee5df7b598_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PKeTpdE.exe	2024-12-22_c35f772778347c519ee30bee5df7b598_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xBSUUYS.exe	2024-12-22_c35f772778347c519ee30bee5df7b598_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rBIEqzj.exe	2024-12-22_c35f772778347c519ee30bee5df7b598_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mCwnSFS.exe	2024-12-22_c35f772778347c519ee30bee5df7b598_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FJYFExL.exe	2024-12-22_c35f772778347c519ee30bee5df7b598_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mAqJMTa.exe	2024-12-22_c35f772778347c519ee30bee5df7b598_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RRFXJGl.exe	2024-12-22_c35f772778347c519ee30bee5df7b598_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HRPAEHJ.exe	2024-12-22_c35f772778347c519ee30bee5df7b598_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	988	2024-12-22_c35f772778347c519ee30bee5df7b598_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	988	2024-12-22_c35f772778347c519ee30bee5df7b598_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 988 wrote to memory of 2620	988	2024-12-22_c35f772778347c519ee30bee5df7b598_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 988 wrote to memory of 2620	988	2024-12-22_c35f772778347c519ee30bee5df7b598_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 988 wrote to memory of 628	988	2024-12-22_c35f772778347c519ee30bee5df7b598_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 988 wrote to memory of 628	988	2024-12-22_c35f772778347c519ee30bee5df7b598_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 988 wrote to memory of 4624	988	2024-12-22_c35f772778347c519ee30bee5df7b598_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 988 wrote to memory of 4624	988	2024-12-22_c35f772778347c519ee30bee5df7b598_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 988 wrote to memory of 2472	988	2024-12-22_c35f772778347c519ee30bee5df7b598_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 988 wrote to memory of 2472	988	2024-12-22_c35f772778347c519ee30bee5df7b598_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 988 wrote to memory of 4336	988	2024-12-22_c35f772778347c519ee30bee5df7b598_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 988 wrote to memory of 4336	988	2024-12-22_c35f772778347c519ee30bee5df7b598_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 988 wrote to memory of 3344	988	2024-12-22_c35f772778347c519ee30bee5df7b598_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 988 wrote to memory of 3344	988	2024-12-22_c35f772778347c519ee30bee5df7b598_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 988 wrote to memory of 2104	988	2024-12-22_c35f772778347c519ee30bee5df7b598_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 988 wrote to memory of 2104	988	2024-12-22_c35f772778347c519ee30bee5df7b598_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 988 wrote to memory of 2852	988	2024-12-22_c35f772778347c519ee30bee5df7b598_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 988 wrote to memory of 2852	988	2024-12-22_c35f772778347c519ee30bee5df7b598_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 988 wrote to memory of 3708	988	2024-12-22_c35f772778347c519ee30bee5df7b598_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 988 wrote to memory of 3708	988	2024-12-22_c35f772778347c519ee30bee5df7b598_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 988 wrote to memory of 4592	988	2024-12-22_c35f772778347c519ee30bee5df7b598_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 988 wrote to memory of 4592	988	2024-12-22_c35f772778347c519ee30bee5df7b598_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 988 wrote to memory of 3900	988	2024-12-22_c35f772778347c519ee30bee5df7b598_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 988 wrote to memory of 3900	988	2024-12-22_c35f772778347c519ee30bee5df7b598_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 988 wrote to memory of 2452	988	2024-12-22_c35f772778347c519ee30bee5df7b598_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 988 wrote to memory of 2452	988	2024-12-22_c35f772778347c519ee30bee5df7b598_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 988 wrote to memory of 1904	988	2024-12-22_c35f772778347c519ee30bee5df7b598_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 988 wrote to memory of 1904	988	2024-12-22_c35f772778347c519ee30bee5df7b598_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 988 wrote to memory of 2168	988	2024-12-22_c35f772778347c519ee30bee5df7b598_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 988 wrote to memory of 2168	988	2024-12-22_c35f772778347c519ee30bee5df7b598_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 988 wrote to memory of 2556	988	2024-12-22_c35f772778347c519ee30bee5df7b598_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 988 wrote to memory of 2556	988	2024-12-22_c35f772778347c519ee30bee5df7b598_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 988 wrote to memory of 2228	988	2024-12-22_c35f772778347c519ee30bee5df7b598_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 988 wrote to memory of 2228	988	2024-12-22_c35f772778347c519ee30bee5df7b598_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 988 wrote to memory of 3644	988	2024-12-22_c35f772778347c519ee30bee5df7b598_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 988 wrote to memory of 3644	988	2024-12-22_c35f772778347c519ee30bee5df7b598_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 988 wrote to memory of 700	988	2024-12-22_c35f772778347c519ee30bee5df7b598_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 988 wrote to memory of 700	988	2024-12-22_c35f772778347c519ee30bee5df7b598_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 988 wrote to memory of 2888	988	2024-12-22_c35f772778347c519ee30bee5df7b598_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 988 wrote to memory of 2888	988	2024-12-22_c35f772778347c519ee30bee5df7b598_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 988 wrote to memory of 1220	988	2024-12-22_c35f772778347c519ee30bee5df7b598_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 988 wrote to memory of 1220	988	2024-12-22_c35f772778347c519ee30bee5df7b598_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 988 wrote to memory of 1108	988	2024-12-22_c35f772778347c519ee30bee5df7b598_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 988 wrote to memory of 1108	988	2024-12-22_c35f772778347c519ee30bee5df7b598_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-12-22_c35f772778347c519ee30bee5df7b598_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-22_c35f772778347c519ee30bee5df7b598_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:988
- C:\Windows\System\cQSyIRu.exe
  C:\Windows\System\cQSyIRu.exe
  2⤵
  - Executes dropped EXE
  PID:2620
- C:\Windows\System\SNZjfiv.exe
  C:\Windows\System\SNZjfiv.exe
  2⤵
  - Executes dropped EXE
  PID:628
- C:\Windows\System\lQQsETl.exe
  C:\Windows\System\lQQsETl.exe
  2⤵
  - Executes dropped EXE
  PID:4624
- C:\Windows\System\xBSUUYS.exe
  C:\Windows\System\xBSUUYS.exe
  2⤵
  - Executes dropped EXE
  PID:2472
- C:\Windows\System\RRFXJGl.exe
  C:\Windows\System\RRFXJGl.exe
  2⤵
  - Executes dropped EXE
  PID:4336
- C:\Windows\System\rBIEqzj.exe
  C:\Windows\System\rBIEqzj.exe
  2⤵
  - Executes dropped EXE
  PID:3344
- C:\Windows\System\YexbsEs.exe
  C:\Windows\System\YexbsEs.exe
  2⤵
  - Executes dropped EXE
  PID:2104
- C:\Windows\System\naruaeE.exe
  C:\Windows\System\naruaeE.exe
  2⤵
  - Executes dropped EXE
  PID:2852
- C:\Windows\System\XVIYaLP.exe
  C:\Windows\System\XVIYaLP.exe
  2⤵
  - Executes dropped EXE
  PID:3708
- C:\Windows\System\GNmRPiU.exe
  C:\Windows\System\GNmRPiU.exe
  2⤵
  - Executes dropped EXE
  PID:4592
- C:\Windows\System\HRPAEHJ.exe
  C:\Windows\System\HRPAEHJ.exe
  2⤵
  - Executes dropped EXE
  PID:3900
- C:\Windows\System\XjfXfdo.exe
  C:\Windows\System\XjfXfdo.exe
  2⤵
  - Executes dropped EXE
  PID:2452
- C:\Windows\System\mCwnSFS.exe
  C:\Windows\System\mCwnSFS.exe
  2⤵
  - Executes dropped EXE
  PID:1904
- C:\Windows\System\HAgBRux.exe
  C:\Windows\System\HAgBRux.exe
  2⤵
  - Executes dropped EXE
  PID:2168
- C:\Windows\System\yEyFhBy.exe
  C:\Windows\System\yEyFhBy.exe
  2⤵
  - Executes dropped EXE
  PID:2556
- C:\Windows\System\uKzhTZd.exe
  C:\Windows\System\uKzhTZd.exe
  2⤵
  - Executes dropped EXE
  PID:2228
- C:\Windows\System\GMRiUjJ.exe
  C:\Windows\System\GMRiUjJ.exe
  2⤵
  - Executes dropped EXE
  PID:3644
- C:\Windows\System\FJYFExL.exe
  C:\Windows\System\FJYFExL.exe
  2⤵
  - Executes dropped EXE
  PID:700
- C:\Windows\System\baTATjb.exe
  C:\Windows\System\baTATjb.exe
  2⤵
  - Executes dropped EXE
  PID:2888
- C:\Windows\System\mAqJMTa.exe
  C:\Windows\System\mAqJMTa.exe
  2⤵
  - Executes dropped EXE
  PID:1220
- C:\Windows\System\PKeTpdE.exe
  C:\Windows\System\PKeTpdE.exe
  2⤵
  - Executes dropped EXE
  PID:1108

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\FJYFExL.exe

Filesize
5.2MB

MD5
9c3a18bd2e1b7dfc1771d50271b3f4b2

SHA1
f3068bb021a3b63750c98497769ad7e7c3565136

SHA256
21f5043708d04c2ce2093b8068c5afd107b1f26e052a1da28e5a95faa9f8c30a

SHA512
4b137514ea3ee7641a49e9f7b1103bfb3a3900f68c838ce113cd1248e2788ddca093a673dc5ac49f811f2de3903cdfa3be2287741dc8fc4d65bd027f41c2f67b

Download Submit
C:\Windows\System\GMRiUjJ.exe

Filesize
5.2MB

MD5
91d7c9db404fddfb5ecabffa4570b416

SHA1
e1cc7662ee3ff50031ccc1d8ab11968af1a43601

SHA256
8a0ca393f9075f44f9f72b9843a9265a00985a62f9d9aad3ea4e8d974a190202

SHA512
6ed6a1ee2831d628e8966caae3d134e7fc5e9f3e024e2d7697d2083f5a4710afb64f79667b815c82bcc791e2e80f1ce597fb79b7c09b370673bc4907043ca729

Download Submit
C:\Windows\System\GNmRPiU.exe

Filesize
5.2MB

MD5
4e36b0c13f67ccb32857041342676a06

SHA1
642b671fad0d31ff698538876eabb000c52297e8

SHA256
2272b1f18bd82ba57983875d5712441fa39193ce76c48d3eecdae3b1099952e1

SHA512
396ae257866ee30301888470d9d0c838b9c30b82a74ba36683e198528b284d25afd000ec08d1c13ffbe4c3db569f1b2baf6960d67cd447aab190cb633125ec84

Download Submit
C:\Windows\System\HAgBRux.exe

Filesize
5.2MB

MD5
2a46e5d94c401eb5f07d49254146ef07

SHA1
bc7ae1392d401346ec49be53ab1515b037286a16

SHA256
e414d715b54136835ac0f30e1c8482ecb50a4d0b16bc83dd4a1cc5451ecdf07c

SHA512
442fecd103ae0a72321babbb8e22cbd10de4c3731a8429b10fecb8007128e10caa2157798cf37c0b014ca53a32661df6fad1f4c72bbf74780b6beec76ba541ee

Download Submit
C:\Windows\System\HRPAEHJ.exe

Filesize
5.2MB

MD5
ade94aeea91817245aa99151d58b9b44

SHA1
e25f074efff8937e5679667d878972e42e74c69a

SHA256
13d0388ce47f6d174a06ba35322f0d64df9dbbcf0adfd2c1184c3ee4c9bb687e

SHA512
de8940819271578c9dc3e5e0fac932b6a179e7a4edbf18d46a84684c2367e1a35fe30328e56e87366413a82fff2ddde5029ecb6f50e64ffd36908022b07d86f0

Download Submit
C:\Windows\System\PKeTpdE.exe

Filesize
5.2MB

MD5
75488d8c5cd2f61b232a37a652bf5f4b

SHA1
c6d33b1043661b93a2f9e550cd30971aca597eb2

SHA256
cd5594019a9de25f5fcac9a05b845e2567b44ed21da480232c9f5fe6a594b427

SHA512
ae615c0c9ee8786e091a1c13775023d0e6d9e4359514aee80c9d832f53c12f66ab9ea05ea8233fdffd3709c5fc12cedd453caa09c3519f748be693a9d44db666

Download Submit
C:\Windows\System\RRFXJGl.exe

Filesize
5.2MB

MD5
b7d69788280779063dc3ee6a411be7e7

SHA1
277a3798131758c74abbd488be7248c5d0f14691

SHA256
87453d3bb75ce5aea3e5ea147a8ebf592203477e2e19d0c852874494178d2ceb

SHA512
a934dd63203de9d053037df00f5aa7f711680d5d0730b076975dd800a70ce7f537e7a1873c556ddcd3af8054ff2263d510eb6164454945e8ad28dae151c97b1b

Download Submit
C:\Windows\System\SNZjfiv.exe

Filesize
5.2MB

MD5
e5ddb973293b06d3691b6c22de5b6a80

SHA1
5bf70c4703952fbd3a3d702aa918c67d2cf253fe

SHA256
9092cb3df5be599e7a02fe0aac954a9e458c9a3cf7fcf4f69ecbd9e6867062e4

SHA512
f3c9e6167a4569682fdf5ab66f331f8ac5bdca7281988ae74a0494a6c3a54834350cb89b7f53f2d3400be2a51f9db7c3301450f11243a6909f10e7f1c046a6fe

Download Submit
C:\Windows\System\XVIYaLP.exe

Filesize
5.2MB

MD5
a403bf98e7cf1d2fc0f8434782f4f289

SHA1
85af53ed07dc3c300d0b95fa9fe0c9e7e3cbd587

SHA256
4a699c6cb51ab4f048d9b1f81b9b882f0fdd9f492c82dafdc55e71272f130253

SHA512
4ba73d01d57da1c2068b255995763dafdd2bb215f1f6a41e035db41fa510769c619915a6539de1e922b0de7cd410832bfeb0940728a67daa96fd7837357103de

Download Submit
C:\Windows\System\XjfXfdo.exe

Filesize
5.2MB

MD5
83a0d755352352eab9ff93e7cd61022c

SHA1
56305ee64c14411a4b4b6989a3a05d184e6459b1

SHA256
ec31fb82fb9b36dbd8dc13633d8958d120e96d0760a8bf3b45f98734fddd9a89

SHA512
637193e270cb3ee52cdb24cfbf81a9be4c6de93270f9c534f99933e9fa9c9b79cb028b8c307732254f2d5f0bd67046b7be06969f2bac6bef963f7bd3d804e68f

Download Submit
C:\Windows\System\YexbsEs.exe

Filesize
5.2MB

MD5
a361d986a6db1eea87c0766dac064a98

SHA1
104eef2976188622e61a395d8c3855688da4e9c6

SHA256
4507a18797f223f151765e129fee0abf370a1d9f827c243889794c067408ffd9

SHA512
c4520dbd38eb831985f1e31ed2c7e303424b6019e26ca984a27ca3cd7185d473c12079293ede11e62b41e69ad19682dde5ed9604519eb6e92d8b7bdc8d0fbe41

Download Submit
C:\Windows\System\baTATjb.exe

Filesize
5.2MB

MD5
e1056d9353c5237b374bc256bd287523

SHA1
4545e242d3693cec2eab2e50f0aac450e8b93bc0

SHA256
f17135f1f9ecc6eac0d843350161040dbb966b24683d194d773763ee63341c5b

SHA512
edb645165bc7bb32435269b8e252364c3c1ddaf54532efcfce964bcc47a069e23296f20c1ba54166c67deab109d8e251598b2e25859c6500133ca07181ab7dd3

Download Submit
C:\Windows\System\cQSyIRu.exe

Filesize
5.2MB

MD5
8bf5eebc4ec65d8076b908f77d78110d

SHA1
aa6ac248c77da96a8a603e9614b19ef1b9db91cb

SHA256
e85375467801a24a6574d5e917ef98b8e4a17b5c243388e65a315c6655e1b6ed

SHA512
bbb4d3d6c30fc613ab3d4e38186d5c038d329f3ad26e9b2a9706a13a9fef00da604601a05bf7fc742f949108d07b0610a12d584d0aa0bd59f543b2338a6c4b70

Download Submit
C:\Windows\System\lQQsETl.exe

Filesize
5.2MB

MD5
f7ea7c66098fbd13472b71a5972536eb

SHA1
644b650cc866487a3ab25b329fd0d0fb5e4c60ba

SHA256
66b09d49a3e71ae9ada53f4b30a5a2d6b345b7e5c0f40679fe8a9f8c984df5cb

SHA512
ef7c9735bc4e0309f5c5cae2d7ef7736feca4392e16b728a9ab7dd130ef982bd6ac562e8056403b7d426b535c16b0fc138584daa237492f238b88a4dcb6004c5

Download Submit
C:\Windows\System\mAqJMTa.exe

Filesize
5.2MB

MD5
8e8cba49d0674eb12b2315b942d60ce7

SHA1
4e1435a8f109674f8b17042cde09222bd7b2ff5f

SHA256
718aed50ca0517d0f264c855cacd9087942a2d5cdc23c89cc34610cdea3c50ee

SHA512
93a0e6dc8e8a197c75bf31372db7ae39d78d14c53b24b97b29f357aa2e8b032a3466f6fe5aef1aebf3462964253b0f488ef41ce043847fb6a79fc34159c44eae

Download Submit
C:\Windows\System\mCwnSFS.exe

Filesize
5.2MB

MD5
3c373b41ce818e73885c49f758c4b5f3

SHA1
5388e712ced523ef7f31df8e7a90eee223cd3ac4

SHA256
84fbbd2d839c60097e73e0cbf434aa73770a80066a7596e38f4e1563bfce2cc0

SHA512
04025c481ccf1e0ccb8c33da6d68ab83357678fac17cc2325cf436252c646ce71bd053185395110a2235f63b8ce13ec29aba0aaf06a0a0c215c3474632ff1266

Download Submit
C:\Windows\System\naruaeE.exe

Filesize
5.2MB

MD5
7f4529f5252bcc79612418f4ed81a34d

SHA1
9b86f58372ec011518dd35ba988e017b25e9a95a

SHA256
0e580ee63fe5dfc27790ee094b4f8d20d85f1899afd67497664cbf3df5f74b2e

SHA512
3b0d1296341c09b8e637c00715a866c214df3ebbba0caf40028f07ff8eadc8a29beacbc7a6abe2adb44c77f8845fe71b8b7e5dc3acf53db4656f660e989de454

Download Submit
C:\Windows\System\rBIEqzj.exe

Filesize
5.2MB

MD5
852ffdd941c468add6439188f3d06abc

SHA1
53fb196508c26004a0d5c00f65619ac4b0851e81

SHA256
fecd879984132e5ae6cb8cf1dfb6a866167e49e79cb8b62da9e88668003e6de5

SHA512
551c449c6dc43767f070b0873ff71734cecddd343cc7397e9657542c1248826a7820eefd2e1e1d57d5b9fd8caa8e8c78255ae50f571f5656fe54a42408558832

Download Submit
C:\Windows\System\uKzhTZd.exe

Filesize
5.2MB

MD5
71ec3c9d1487cd298ca0d01fd17ed25a

SHA1
44d7fcf3591247aadf8fa6bed17b5ee640a8f31f

SHA256
506892700d54c7da3bacd81afd006b32d2ca86459fbe5f82e7419cf2c14e8106

SHA512
3ea661b34033983f9aef1c7bff6e0ee878c1251f2c04e80d30ba4d4d1152407ae40f65687ef2a4d7e2911c276ffcd60dc615df85e2f80f677603b28b90a0e0ca

Download Submit
C:\Windows\System\xBSUUYS.exe

Filesize
5.2MB

MD5
873be4f7643265434d15ec9a40ca5894

SHA1
1eca1a5715d352e7469ea51fefcc0bb6e80d33b0

SHA256
426419b38a678a617fe2cd7f3b0e0d6636a0412a9d91c8f2da14079cced4d352

SHA512
e206163ab2cf6038779a1b99dec08f037d1b18ab7537e3b228b5f67f2fee77692e4cb73e59a04c2c74b75a27665e6166f3d72665a5efdb6f88e7eed04e6d4367

Download Submit
C:\Windows\System\yEyFhBy.exe

Filesize
5.2MB

MD5
2172e7e2f1dde50894811bff46df516e

SHA1
3b011dad748e464fa97da6cc02c4b95533c674aa

SHA256
1644bbc5ea61f614e504cf3bf64debeec7e87818c09be779e195f6e8ead98dc6

SHA512
4ce5241489333a75a51689bb8ac7d49e0e80f5d0e00bb691b5b44045685a51c446591c73f46be6482cbf6ba54c7130ccb818faff67867a19b18ca8d7c24080c2

Download Submit
memory/628-221-0x00007FF727180000-0x00007FF7274D1000-memory.dmp

Filesize
3.3MB

Download
memory/628-71-0x00007FF727180000-0x00007FF7274D1000-memory.dmp

Filesize
3.3MB

Download
memory/628-16-0x00007FF727180000-0x00007FF7274D1000-memory.dmp

Filesize
3.3MB

Download
memory/700-160-0x00007FF627CC0000-0x00007FF628011000-memory.dmp

Filesize
3.3MB

Download
memory/700-116-0x00007FF627CC0000-0x00007FF628011000-memory.dmp

Filesize
3.3MB

Download
memory/700-263-0x00007FF627CC0000-0x00007FF628011000-memory.dmp

Filesize
3.3MB

Download
memory/988-0-0x00007FF7A22B0000-0x00007FF7A2601000-memory.dmp

Filesize
3.3MB

Download
memory/988-164-0x00007FF7A22B0000-0x00007FF7A2601000-memory.dmp

Filesize
3.3MB

Download
memory/988-140-0x00007FF7A22B0000-0x00007FF7A2601000-memory.dmp

Filesize
3.3MB

Download
memory/988-60-0x00007FF7A22B0000-0x00007FF7A2601000-memory.dmp

Filesize
3.3MB

Download
memory/988-1-0x000001F420DB0000-0x000001F420DC0000-memory.dmp

Filesize
64KB

Download
memory/1108-163-0x00007FF79FA50000-0x00007FF79FDA1000-memory.dmp

Filesize
3.3MB

Download
memory/1108-137-0x00007FF79FA50000-0x00007FF79FDA1000-memory.dmp

Filesize
3.3MB

Download
memory/1108-269-0x00007FF79FA50000-0x00007FF79FDA1000-memory.dmp

Filesize
3.3MB

Download
memory/1220-130-0x00007FF671250000-0x00007FF6715A1000-memory.dmp

Filesize
3.3MB

Download
memory/1220-162-0x00007FF671250000-0x00007FF6715A1000-memory.dmp

Filesize
3.3MB

Download
memory/1220-267-0x00007FF671250000-0x00007FF6715A1000-memory.dmp

Filesize
3.3MB

Download
memory/1904-155-0x00007FF645FA0000-0x00007FF6462F1000-memory.dmp

Filesize
3.3MB

Download
memory/1904-82-0x00007FF645FA0000-0x00007FF6462F1000-memory.dmp

Filesize
3.3MB

Download
memory/1904-247-0x00007FF645FA0000-0x00007FF6462F1000-memory.dmp

Filesize
3.3MB

Download
memory/2104-109-0x00007FF7A9C90000-0x00007FF7A9FE1000-memory.dmp

Filesize
3.3MB

Download
memory/2104-44-0x00007FF7A9C90000-0x00007FF7A9FE1000-memory.dmp

Filesize
3.3MB

Download
memory/2104-231-0x00007FF7A9C90000-0x00007FF7A9FE1000-memory.dmp

Filesize
3.3MB

Download
memory/2168-89-0x00007FF69D240000-0x00007FF69D591000-memory.dmp

Filesize
3.3MB

Download
memory/2168-257-0x00007FF69D240000-0x00007FF69D591000-memory.dmp

Filesize
3.3MB

Download
memory/2168-156-0x00007FF69D240000-0x00007FF69D591000-memory.dmp

Filesize
3.3MB

Download
memory/2228-158-0x00007FF7242C0000-0x00007FF724611000-memory.dmp

Filesize
3.3MB

Download
memory/2228-272-0x00007FF7242C0000-0x00007FF724611000-memory.dmp

Filesize
3.3MB

Download
memory/2228-108-0x00007FF7242C0000-0x00007FF724611000-memory.dmp

Filesize
3.3MB

Download
memory/2452-136-0x00007FF63CDF0000-0x00007FF63D141000-memory.dmp

Filesize
3.3MB

Download
memory/2452-245-0x00007FF63CDF0000-0x00007FF63D141000-memory.dmp

Filesize
3.3MB

Download
memory/2452-74-0x00007FF63CDF0000-0x00007FF63D141000-memory.dmp

Filesize
3.3MB

Download
memory/2472-88-0x00007FF77A980000-0x00007FF77ACD1000-memory.dmp

Filesize
3.3MB

Download
memory/2472-225-0x00007FF77A980000-0x00007FF77ACD1000-memory.dmp

Filesize
3.3MB

Download
memory/2472-23-0x00007FF77A980000-0x00007FF77ACD1000-memory.dmp

Filesize
3.3MB

Download
memory/2556-98-0x00007FF73EAF0000-0x00007FF73EE41000-memory.dmp

Filesize
3.3MB

Download
memory/2556-259-0x00007FF73EAF0000-0x00007FF73EE41000-memory.dmp

Filesize
3.3MB

Download
memory/2556-157-0x00007FF73EAF0000-0x00007FF73EE41000-memory.dmp

Filesize
3.3MB

Download
memory/2620-7-0x00007FF67EB50000-0x00007FF67EEA1000-memory.dmp

Filesize
3.3MB

Download
memory/2620-70-0x00007FF67EB50000-0x00007FF67EEA1000-memory.dmp

Filesize
3.3MB

Download
memory/2620-212-0x00007FF67EB50000-0x00007FF67EEA1000-memory.dmp

Filesize
3.3MB

Download
memory/2852-233-0x00007FF7FC7A0000-0x00007FF7FCAF1000-memory.dmp

Filesize
3.3MB

Download
memory/2852-48-0x00007FF7FC7A0000-0x00007FF7FCAF1000-memory.dmp

Filesize
3.3MB

Download
memory/2852-115-0x00007FF7FC7A0000-0x00007FF7FCAF1000-memory.dmp

Filesize
3.3MB

Download
memory/2888-161-0x00007FF62DEF0000-0x00007FF62E241000-memory.dmp

Filesize
3.3MB

Download
memory/2888-121-0x00007FF62DEF0000-0x00007FF62E241000-memory.dmp

Filesize
3.3MB

Download
memory/2888-265-0x00007FF62DEF0000-0x00007FF62E241000-memory.dmp

Filesize
3.3MB

Download
memory/3344-36-0x00007FF7A0480000-0x00007FF7A07D1000-memory.dmp

Filesize
3.3MB

Download
memory/3344-229-0x00007FF7A0480000-0x00007FF7A07D1000-memory.dmp

Filesize
3.3MB

Download
memory/3344-104-0x00007FF7A0480000-0x00007FF7A07D1000-memory.dmp

Filesize
3.3MB

Download
memory/3644-159-0x00007FF7E29F0000-0x00007FF7E2D41000-memory.dmp

Filesize
3.3MB

Download
memory/3644-261-0x00007FF7E29F0000-0x00007FF7E2D41000-memory.dmp

Filesize
3.3MB

Download
memory/3644-114-0x00007FF7E29F0000-0x00007FF7E2D41000-memory.dmp

Filesize
3.3MB

Download
memory/3708-239-0x00007FF7935C0000-0x00007FF793911000-memory.dmp

Filesize
3.3MB

Download
memory/3708-54-0x00007FF7935C0000-0x00007FF793911000-memory.dmp

Filesize
3.3MB

Download
memory/3708-120-0x00007FF7935C0000-0x00007FF793911000-memory.dmp

Filesize
3.3MB

Download
memory/3900-72-0x00007FF637280000-0x00007FF6375D1000-memory.dmp

Filesize
3.3MB

Download
memory/3900-243-0x00007FF637280000-0x00007FF6375D1000-memory.dmp

Filesize
3.3MB

Download
memory/3900-135-0x00007FF637280000-0x00007FF6375D1000-memory.dmp

Filesize
3.3MB

Download
memory/4336-97-0x00007FF78EB60000-0x00007FF78EEB1000-memory.dmp

Filesize
3.3MB

Download
memory/4336-227-0x00007FF78EB60000-0x00007FF78EEB1000-memory.dmp

Filesize
3.3MB

Download
memory/4336-32-0x00007FF78EB60000-0x00007FF78EEB1000-memory.dmp

Filesize
3.3MB

Download
memory/4592-65-0x00007FF76D240000-0x00007FF76D591000-memory.dmp

Filesize
3.3MB

Download
memory/4592-241-0x00007FF76D240000-0x00007FF76D591000-memory.dmp

Filesize
3.3MB

Download
memory/4592-129-0x00007FF76D240000-0x00007FF76D591000-memory.dmp

Filesize
3.3MB

Download
memory/4624-17-0x00007FF64D780000-0x00007FF64DAD1000-memory.dmp

Filesize
3.3MB

Download
memory/4624-81-0x00007FF64D780000-0x00007FF64DAD1000-memory.dmp

Filesize
3.3MB

Download
memory/4624-223-0x00007FF64D780000-0x00007FF64DAD1000-memory.dmp

Filesize
3.3MB

Download