cobaltstrike | e8f5710e58d782e89e0be2946e455b93039bc0b0eb2231e7fff2fffb21289872

Analysis

max time kernel
141s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 16:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-22_1de191c82f3e204c5fd32b43ecec08cb_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

1de191c82f3e204c5fd32b43ecec08cb
SHA1

4272caa5ff8957cd04c7f9bb6de4e8230e375a78
SHA256

e8f5710e58d782e89e0be2946e455b93039bc0b0eb2231e7fff2fffb21289872
SHA512

e76c632a877a0f6696c50443de4e45d02a9f4386a4c3d8711a858fe5718b34ad2b806cc05d2f933b4d8c9280a021dd120f719b5234aff38d7ac34631ca257d69
SSDEEP

49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lC:RWWBibd56utgpPFotBER/mQ32lUu

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000a000000023bef-4.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c95-11.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c96-18.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c97-24.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c99-50.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9d-63.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c92-91.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca4-108.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca5-110.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca3-103.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca2-99.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca1-87.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca0-69.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9f-75.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9e-73.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9b-60.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c98-59.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9c-47.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9a-38.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca6-120.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca8-125.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 46 IoCs

miner

resource	yara_rule
behavioral2/memory/1672-70-0x00007FF620690000-0x00007FF6209E1000-memory.dmp	xmrig
behavioral2/memory/2236-101-0x00007FF699020000-0x00007FF699371000-memory.dmp	xmrig
behavioral2/memory/3984-112-0x00007FF6351C0000-0x00007FF635511000-memory.dmp	xmrig
behavioral2/memory/2856-111-0x00007FF6CE210000-0x00007FF6CE561000-memory.dmp	xmrig
behavioral2/memory/2524-109-0x00007FF7E3F20000-0x00007FF7E4271000-memory.dmp	xmrig
behavioral2/memory/3224-106-0x00007FF6C7BA0000-0x00007FF6C7EF1000-memory.dmp	xmrig
behavioral2/memory/2208-92-0x00007FF683390000-0x00007FF6836E1000-memory.dmp	xmrig
behavioral2/memory/4944-79-0x00007FF68A7A0000-0x00007FF68AAF1000-memory.dmp	xmrig
behavioral2/memory/4112-54-0x00007FF62EA50000-0x00007FF62EDA1000-memory.dmp	xmrig
behavioral2/memory/2480-127-0x00007FF7DA1D0000-0x00007FF7DA521000-memory.dmp	xmrig
behavioral2/memory/3516-129-0x00007FF7AC8E0000-0x00007FF7ACC31000-memory.dmp	xmrig
behavioral2/memory/1492-128-0x00007FF7F7BC0000-0x00007FF7F7F11000-memory.dmp	xmrig
behavioral2/memory/3732-130-0x00007FF76BBE0000-0x00007FF76BF31000-memory.dmp	xmrig
behavioral2/memory/2004-136-0x00007FF63DC90000-0x00007FF63DFE1000-memory.dmp	xmrig
behavioral2/memory/5056-137-0x00007FF78A2B0000-0x00007FF78A601000-memory.dmp	xmrig
behavioral2/memory/3592-142-0x00007FF675300000-0x00007FF675651000-memory.dmp	xmrig
behavioral2/memory/1156-139-0x00007FF7F16C0000-0x00007FF7F1A11000-memory.dmp	xmrig
behavioral2/memory/2300-141-0x00007FF69F7A0000-0x00007FF69FAF1000-memory.dmp	xmrig
behavioral2/memory/1492-131-0x00007FF7F7BC0000-0x00007FF7F7F11000-memory.dmp	xmrig
behavioral2/memory/2392-151-0x00007FF648C70000-0x00007FF648FC1000-memory.dmp	xmrig
behavioral2/memory/2968-152-0x00007FF7DF570000-0x00007FF7DF8C1000-memory.dmp	xmrig
behavioral2/memory/3988-148-0x00007FF76C4B0000-0x00007FF76C801000-memory.dmp	xmrig
behavioral2/memory/4428-153-0x00007FF6E7FB0000-0x00007FF6E8301000-memory.dmp	xmrig
behavioral2/memory/2480-156-0x00007FF7DA1D0000-0x00007FF7DA521000-memory.dmp	xmrig
behavioral2/memory/1492-157-0x00007FF7F7BC0000-0x00007FF7F7F11000-memory.dmp	xmrig
behavioral2/memory/3516-219-0x00007FF7AC8E0000-0x00007FF7ACC31000-memory.dmp	xmrig
behavioral2/memory/3732-221-0x00007FF76BBE0000-0x00007FF76BF31000-memory.dmp	xmrig
behavioral2/memory/2300-223-0x00007FF69F7A0000-0x00007FF69FAF1000-memory.dmp	xmrig
behavioral2/memory/3592-225-0x00007FF675300000-0x00007FF675651000-memory.dmp	xmrig
behavioral2/memory/4112-227-0x00007FF62EA50000-0x00007FF62EDA1000-memory.dmp	xmrig
behavioral2/memory/1672-229-0x00007FF620690000-0x00007FF6209E1000-memory.dmp	xmrig
behavioral2/memory/5056-231-0x00007FF78A2B0000-0x00007FF78A601000-memory.dmp	xmrig
behavioral2/memory/1156-233-0x00007FF7F16C0000-0x00007FF7F1A11000-memory.dmp	xmrig
behavioral2/memory/4944-235-0x00007FF68A7A0000-0x00007FF68AAF1000-memory.dmp	xmrig
behavioral2/memory/2004-237-0x00007FF63DC90000-0x00007FF63DFE1000-memory.dmp	xmrig
behavioral2/memory/2236-240-0x00007FF699020000-0x00007FF699371000-memory.dmp	xmrig
behavioral2/memory/2524-243-0x00007FF7E3F20000-0x00007FF7E4271000-memory.dmp	xmrig
behavioral2/memory/2208-242-0x00007FF683390000-0x00007FF6836E1000-memory.dmp	xmrig
behavioral2/memory/2856-248-0x00007FF6CE210000-0x00007FF6CE561000-memory.dmp	xmrig
behavioral2/memory/3224-250-0x00007FF6C7BA0000-0x00007FF6C7EF1000-memory.dmp	xmrig
behavioral2/memory/3984-252-0x00007FF6351C0000-0x00007FF635511000-memory.dmp	xmrig
behavioral2/memory/2968-255-0x00007FF7DF570000-0x00007FF7DF8C1000-memory.dmp	xmrig
behavioral2/memory/2392-258-0x00007FF648C70000-0x00007FF648FC1000-memory.dmp	xmrig
behavioral2/memory/3988-257-0x00007FF76C4B0000-0x00007FF76C801000-memory.dmp	xmrig
behavioral2/memory/4428-262-0x00007FF6E7FB0000-0x00007FF6E8301000-memory.dmp	xmrig
behavioral2/memory/2480-264-0x00007FF7DA1D0000-0x00007FF7DA521000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
3516	lhrONUh.exe
3732	DqLRbFc.exe
3592	KvAxECl.exe
2300	JZRlAAw.exe
2004	tKNTRDn.exe
5056	EkyReGj.exe
4112	XPXOcTX.exe
1156	JXaVdbl.exe
1672	OcLJXFN.exe
4944	nzAQOAi.exe
2524	cOTsXcT.exe
2208	ybQCbiT.exe
2236	AOduamo.exe
2856	DxZtCvR.exe
3988	PUbyiVl.exe
3224	mszzqSx.exe
3984	DnLGOWY.exe
2392	PinOiKy.exe
2968	DfgcnsO.exe
4428	OAGRAzS.exe
2480	jOSmKXs.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1492-0-0x00007FF7F7BC0000-0x00007FF7F7F11000-memory.dmp	upx
behavioral2/files/0x000a000000023bef-4.dat	upx
behavioral2/files/0x0007000000023c95-11.dat	upx
behavioral2/memory/3516-8-0x00007FF7AC8E0000-0x00007FF7ACC31000-memory.dmp	upx
behavioral2/files/0x0007000000023c96-18.dat	upx
behavioral2/files/0x0007000000023c97-24.dat	upx
behavioral2/memory/3592-34-0x00007FF675300000-0x00007FF675651000-memory.dmp	upx
behavioral2/files/0x0007000000023c99-50.dat	upx
behavioral2/files/0x0007000000023c9d-63.dat	upx
behavioral2/memory/1672-70-0x00007FF620690000-0x00007FF6209E1000-memory.dmp	upx
behavioral2/files/0x0008000000023c92-91.dat	upx
behavioral2/memory/2236-101-0x00007FF699020000-0x00007FF699371000-memory.dmp	upx
behavioral2/files/0x0007000000023ca4-108.dat	upx
behavioral2/memory/2968-113-0x00007FF7DF570000-0x00007FF7DF8C1000-memory.dmp	upx
behavioral2/memory/3984-112-0x00007FF6351C0000-0x00007FF635511000-memory.dmp	upx
behavioral2/memory/2856-111-0x00007FF6CE210000-0x00007FF6CE561000-memory.dmp	upx
behavioral2/files/0x0007000000023ca5-110.dat	upx
behavioral2/memory/2524-109-0x00007FF7E3F20000-0x00007FF7E4271000-memory.dmp	upx
behavioral2/memory/2392-107-0x00007FF648C70000-0x00007FF648FC1000-memory.dmp	upx
behavioral2/memory/3224-106-0x00007FF6C7BA0000-0x00007FF6C7EF1000-memory.dmp	upx
behavioral2/files/0x0007000000023ca3-103.dat	upx
behavioral2/memory/3988-102-0x00007FF76C4B0000-0x00007FF76C801000-memory.dmp	upx
behavioral2/files/0x0007000000023ca2-99.dat	upx
behavioral2/memory/2208-92-0x00007FF683390000-0x00007FF6836E1000-memory.dmp	upx
behavioral2/files/0x0007000000023ca1-87.dat	upx
behavioral2/memory/4944-79-0x00007FF68A7A0000-0x00007FF68AAF1000-memory.dmp	upx
behavioral2/files/0x0007000000023ca0-69.dat	upx
behavioral2/memory/1156-67-0x00007FF7F16C0000-0x00007FF7F1A11000-memory.dmp	upx
behavioral2/files/0x0007000000023c9f-75.dat	upx
behavioral2/files/0x0007000000023c9e-73.dat	upx
behavioral2/files/0x0007000000023c9b-60.dat	upx
behavioral2/files/0x0007000000023c98-59.dat	upx
behavioral2/memory/4112-54-0x00007FF62EA50000-0x00007FF62EDA1000-memory.dmp	upx
behavioral2/memory/2004-48-0x00007FF63DC90000-0x00007FF63DFE1000-memory.dmp	upx
behavioral2/files/0x0007000000023c9c-47.dat	upx
behavioral2/memory/5056-40-0x00007FF78A2B0000-0x00007FF78A601000-memory.dmp	upx
behavioral2/files/0x0007000000023c9a-38.dat	upx
behavioral2/memory/2300-23-0x00007FF69F7A0000-0x00007FF69FAF1000-memory.dmp	upx
behavioral2/memory/3732-20-0x00007FF76BBE0000-0x00007FF76BF31000-memory.dmp	upx
behavioral2/files/0x0007000000023ca6-120.dat	upx
behavioral2/memory/4428-121-0x00007FF6E7FB0000-0x00007FF6E8301000-memory.dmp	upx
behavioral2/files/0x0007000000023ca8-125.dat	upx
behavioral2/memory/2480-127-0x00007FF7DA1D0000-0x00007FF7DA521000-memory.dmp	upx
behavioral2/memory/3516-129-0x00007FF7AC8E0000-0x00007FF7ACC31000-memory.dmp	upx
behavioral2/memory/1492-128-0x00007FF7F7BC0000-0x00007FF7F7F11000-memory.dmp	upx
behavioral2/memory/3732-130-0x00007FF76BBE0000-0x00007FF76BF31000-memory.dmp	upx
behavioral2/memory/2004-136-0x00007FF63DC90000-0x00007FF63DFE1000-memory.dmp	upx
behavioral2/memory/5056-137-0x00007FF78A2B0000-0x00007FF78A601000-memory.dmp	upx
behavioral2/memory/3592-142-0x00007FF675300000-0x00007FF675651000-memory.dmp	upx
behavioral2/memory/1156-139-0x00007FF7F16C0000-0x00007FF7F1A11000-memory.dmp	upx
behavioral2/memory/2300-141-0x00007FF69F7A0000-0x00007FF69FAF1000-memory.dmp	upx
behavioral2/memory/1492-131-0x00007FF7F7BC0000-0x00007FF7F7F11000-memory.dmp	upx
behavioral2/memory/2392-151-0x00007FF648C70000-0x00007FF648FC1000-memory.dmp	upx
behavioral2/memory/2968-152-0x00007FF7DF570000-0x00007FF7DF8C1000-memory.dmp	upx
behavioral2/memory/3988-148-0x00007FF76C4B0000-0x00007FF76C801000-memory.dmp	upx
behavioral2/memory/4428-153-0x00007FF6E7FB0000-0x00007FF6E8301000-memory.dmp	upx
behavioral2/memory/2480-156-0x00007FF7DA1D0000-0x00007FF7DA521000-memory.dmp	upx
behavioral2/memory/1492-157-0x00007FF7F7BC0000-0x00007FF7F7F11000-memory.dmp	upx
behavioral2/memory/3516-219-0x00007FF7AC8E0000-0x00007FF7ACC31000-memory.dmp	upx
behavioral2/memory/3732-221-0x00007FF76BBE0000-0x00007FF76BF31000-memory.dmp	upx
behavioral2/memory/2300-223-0x00007FF69F7A0000-0x00007FF69FAF1000-memory.dmp	upx
behavioral2/memory/3592-225-0x00007FF675300000-0x00007FF675651000-memory.dmp	upx
behavioral2/memory/4112-227-0x00007FF62EA50000-0x00007FF62EDA1000-memory.dmp	upx
behavioral2/memory/1672-229-0x00007FF620690000-0x00007FF6209E1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\KvAxECl.exe	2024-12-22_1de191c82f3e204c5fd32b43ecec08cb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XPXOcTX.exe	2024-12-22_1de191c82f3e204c5fd32b43ecec08cb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nzAQOAi.exe	2024-12-22_1de191c82f3e204c5fd32b43ecec08cb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DfgcnsO.exe	2024-12-22_1de191c82f3e204c5fd32b43ecec08cb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jOSmKXs.exe	2024-12-22_1de191c82f3e204c5fd32b43ecec08cb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EkyReGj.exe	2024-12-22_1de191c82f3e204c5fd32b43ecec08cb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ybQCbiT.exe	2024-12-22_1de191c82f3e204c5fd32b43ecec08cb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AOduamo.exe	2024-12-22_1de191c82f3e204c5fd32b43ecec08cb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DxZtCvR.exe	2024-12-22_1de191c82f3e204c5fd32b43ecec08cb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mszzqSx.exe	2024-12-22_1de191c82f3e204c5fd32b43ecec08cb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OAGRAzS.exe	2024-12-22_1de191c82f3e204c5fd32b43ecec08cb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JXaVdbl.exe	2024-12-22_1de191c82f3e204c5fd32b43ecec08cb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PUbyiVl.exe	2024-12-22_1de191c82f3e204c5fd32b43ecec08cb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DnLGOWY.exe	2024-12-22_1de191c82f3e204c5fd32b43ecec08cb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lhrONUh.exe	2024-12-22_1de191c82f3e204c5fd32b43ecec08cb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DqLRbFc.exe	2024-12-22_1de191c82f3e204c5fd32b43ecec08cb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JZRlAAw.exe	2024-12-22_1de191c82f3e204c5fd32b43ecec08cb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tKNTRDn.exe	2024-12-22_1de191c82f3e204c5fd32b43ecec08cb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OcLJXFN.exe	2024-12-22_1de191c82f3e204c5fd32b43ecec08cb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cOTsXcT.exe	2024-12-22_1de191c82f3e204c5fd32b43ecec08cb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PinOiKy.exe	2024-12-22_1de191c82f3e204c5fd32b43ecec08cb_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1492	2024-12-22_1de191c82f3e204c5fd32b43ecec08cb_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	1492	2024-12-22_1de191c82f3e204c5fd32b43ecec08cb_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1492 wrote to memory of 3516	1492	2024-12-22_1de191c82f3e204c5fd32b43ecec08cb_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 1492 wrote to memory of 3516	1492	2024-12-22_1de191c82f3e204c5fd32b43ecec08cb_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 1492 wrote to memory of 3732	1492	2024-12-22_1de191c82f3e204c5fd32b43ecec08cb_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 1492 wrote to memory of 3732	1492	2024-12-22_1de191c82f3e204c5fd32b43ecec08cb_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 1492 wrote to memory of 3592	1492	2024-12-22_1de191c82f3e204c5fd32b43ecec08cb_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 1492 wrote to memory of 3592	1492	2024-12-22_1de191c82f3e204c5fd32b43ecec08cb_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 1492 wrote to memory of 2300	1492	2024-12-22_1de191c82f3e204c5fd32b43ecec08cb_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 1492 wrote to memory of 2300	1492	2024-12-22_1de191c82f3e204c5fd32b43ecec08cb_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 1492 wrote to memory of 2004	1492	2024-12-22_1de191c82f3e204c5fd32b43ecec08cb_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 1492 wrote to memory of 2004	1492	2024-12-22_1de191c82f3e204c5fd32b43ecec08cb_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 1492 wrote to memory of 5056	1492	2024-12-22_1de191c82f3e204c5fd32b43ecec08cb_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 1492 wrote to memory of 5056	1492	2024-12-22_1de191c82f3e204c5fd32b43ecec08cb_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 1492 wrote to memory of 4112	1492	2024-12-22_1de191c82f3e204c5fd32b43ecec08cb_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1492 wrote to memory of 4112	1492	2024-12-22_1de191c82f3e204c5fd32b43ecec08cb_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1492 wrote to memory of 1156	1492	2024-12-22_1de191c82f3e204c5fd32b43ecec08cb_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1492 wrote to memory of 1156	1492	2024-12-22_1de191c82f3e204c5fd32b43ecec08cb_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1492 wrote to memory of 1672	1492	2024-12-22_1de191c82f3e204c5fd32b43ecec08cb_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1492 wrote to memory of 1672	1492	2024-12-22_1de191c82f3e204c5fd32b43ecec08cb_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1492 wrote to memory of 4944	1492	2024-12-22_1de191c82f3e204c5fd32b43ecec08cb_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1492 wrote to memory of 4944	1492	2024-12-22_1de191c82f3e204c5fd32b43ecec08cb_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1492 wrote to memory of 2524	1492	2024-12-22_1de191c82f3e204c5fd32b43ecec08cb_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 1492 wrote to memory of 2524	1492	2024-12-22_1de191c82f3e204c5fd32b43ecec08cb_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 1492 wrote to memory of 2208	1492	2024-12-22_1de191c82f3e204c5fd32b43ecec08cb_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1492 wrote to memory of 2208	1492	2024-12-22_1de191c82f3e204c5fd32b43ecec08cb_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1492 wrote to memory of 2236	1492	2024-12-22_1de191c82f3e204c5fd32b43ecec08cb_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1492 wrote to memory of 2236	1492	2024-12-22_1de191c82f3e204c5fd32b43ecec08cb_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1492 wrote to memory of 2856	1492	2024-12-22_1de191c82f3e204c5fd32b43ecec08cb_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 1492 wrote to memory of 2856	1492	2024-12-22_1de191c82f3e204c5fd32b43ecec08cb_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 1492 wrote to memory of 3988	1492	2024-12-22_1de191c82f3e204c5fd32b43ecec08cb_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1492 wrote to memory of 3988	1492	2024-12-22_1de191c82f3e204c5fd32b43ecec08cb_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1492 wrote to memory of 3224	1492	2024-12-22_1de191c82f3e204c5fd32b43ecec08cb_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1492 wrote to memory of 3224	1492	2024-12-22_1de191c82f3e204c5fd32b43ecec08cb_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1492 wrote to memory of 3984	1492	2024-12-22_1de191c82f3e204c5fd32b43ecec08cb_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1492 wrote to memory of 3984	1492	2024-12-22_1de191c82f3e204c5fd32b43ecec08cb_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1492 wrote to memory of 2392	1492	2024-12-22_1de191c82f3e204c5fd32b43ecec08cb_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1492 wrote to memory of 2392	1492	2024-12-22_1de191c82f3e204c5fd32b43ecec08cb_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1492 wrote to memory of 2968	1492	2024-12-22_1de191c82f3e204c5fd32b43ecec08cb_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1492 wrote to memory of 2968	1492	2024-12-22_1de191c82f3e204c5fd32b43ecec08cb_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1492 wrote to memory of 4428	1492	2024-12-22_1de191c82f3e204c5fd32b43ecec08cb_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 1492 wrote to memory of 4428	1492	2024-12-22_1de191c82f3e204c5fd32b43ecec08cb_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 1492 wrote to memory of 2480	1492	2024-12-22_1de191c82f3e204c5fd32b43ecec08cb_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 1492 wrote to memory of 2480	1492	2024-12-22_1de191c82f3e204c5fd32b43ecec08cb_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-12-22_1de191c82f3e204c5fd32b43ecec08cb_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-22_1de191c82f3e204c5fd32b43ecec08cb_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1492
- C:\Windows\System\lhrONUh.exe
  C:\Windows\System\lhrONUh.exe
  2⤵
  - Executes dropped EXE
  PID:3516
- C:\Windows\System\DqLRbFc.exe
  C:\Windows\System\DqLRbFc.exe
  2⤵
  - Executes dropped EXE
  PID:3732
- C:\Windows\System\KvAxECl.exe
  C:\Windows\System\KvAxECl.exe
  2⤵
  - Executes dropped EXE
  PID:3592
- C:\Windows\System\JZRlAAw.exe
  C:\Windows\System\JZRlAAw.exe
  2⤵
  - Executes dropped EXE
  PID:2300
- C:\Windows\System\tKNTRDn.exe
  C:\Windows\System\tKNTRDn.exe
  2⤵
  - Executes dropped EXE
  PID:2004
- C:\Windows\System\EkyReGj.exe
  C:\Windows\System\EkyReGj.exe
  2⤵
  - Executes dropped EXE
  PID:5056
- C:\Windows\System\XPXOcTX.exe
  C:\Windows\System\XPXOcTX.exe
  2⤵
  - Executes dropped EXE
  PID:4112
- C:\Windows\System\JXaVdbl.exe
  C:\Windows\System\JXaVdbl.exe
  2⤵
  - Executes dropped EXE
  PID:1156
- C:\Windows\System\OcLJXFN.exe
  C:\Windows\System\OcLJXFN.exe
  2⤵
  - Executes dropped EXE
  PID:1672
- C:\Windows\System\nzAQOAi.exe
  C:\Windows\System\nzAQOAi.exe
  2⤵
  - Executes dropped EXE
  PID:4944
- C:\Windows\System\cOTsXcT.exe
  C:\Windows\System\cOTsXcT.exe
  2⤵
  - Executes dropped EXE
  PID:2524
- C:\Windows\System\ybQCbiT.exe
  C:\Windows\System\ybQCbiT.exe
  2⤵
  - Executes dropped EXE
  PID:2208
- C:\Windows\System\AOduamo.exe
  C:\Windows\System\AOduamo.exe
  2⤵
  - Executes dropped EXE
  PID:2236
- C:\Windows\System\DxZtCvR.exe
  C:\Windows\System\DxZtCvR.exe
  2⤵
  - Executes dropped EXE
  PID:2856
- C:\Windows\System\PUbyiVl.exe
  C:\Windows\System\PUbyiVl.exe
  2⤵
  - Executes dropped EXE
  PID:3988
- C:\Windows\System\mszzqSx.exe
  C:\Windows\System\mszzqSx.exe
  2⤵
  - Executes dropped EXE
  PID:3224
- C:\Windows\System\DnLGOWY.exe
  C:\Windows\System\DnLGOWY.exe
  2⤵
  - Executes dropped EXE
  PID:3984
- C:\Windows\System\PinOiKy.exe
  C:\Windows\System\PinOiKy.exe
  2⤵
  - Executes dropped EXE
  PID:2392
- C:\Windows\System\DfgcnsO.exe
  C:\Windows\System\DfgcnsO.exe
  2⤵
  - Executes dropped EXE
  PID:2968
- C:\Windows\System\OAGRAzS.exe
  C:\Windows\System\OAGRAzS.exe
  2⤵
  - Executes dropped EXE
  PID:4428
- C:\Windows\System\jOSmKXs.exe
  C:\Windows\System\jOSmKXs.exe
  2⤵
  - Executes dropped EXE
  PID:2480

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AOduamo.exe

Filesize
5.2MB

MD5
d1f72dd525c2e241bd003a8d6eb77432

SHA1
3cef628a4134025ff450dd0ac45e5974841c2faf

SHA256
3fa8053a70e8de35caa41ef2f2cf5740c074f19cfd6a5b2015dcd0532f0f61ff

SHA512
4e7abbdb4ab8b1c9696693e2b13e8789db2e7f9629c1b23c3f6c4984f067e253f13034d0e8b635526b351ce1a65894b42d60b1c4d9df506f47fe4d2d71b6882b

Download Submit
C:\Windows\System\DfgcnsO.exe

Filesize
5.2MB

MD5
2156433ce547d35630c72c703c0c656e

SHA1
4a15e2267d81546bf9c7e5010c2895ea5915aa14

SHA256
0c39d2410b501582d609f878ca2681188d51c674f1acc679063b97b679a98924

SHA512
37900af4a8dff25f8bdb43da9dbff874e32129b3130ea233a0ba71caa8b48e91f997aaceed1303f6f78997ad450ce92e857d6235e2191f547433cfe9aed849c5

Download Submit
C:\Windows\System\DnLGOWY.exe

Filesize
5.2MB

MD5
f1d9b842d12003238245b063562e94b0

SHA1
1d75da83ccab537380b90557c036df02b274f36f

SHA256
bb102cee6853f61d0dc545297c9c73b3f32863c0913b801ad50cdb1ae439fc20

SHA512
78b9be68e7f6363bc8d1965080c1fbd01eadcc84cae3a7b452bd0aee02d8a5904cbe6cb9d0cac15531b3a48f5ee4366f460c032bc2504308f566a0e5299f0c2a

Download Submit
C:\Windows\System\DqLRbFc.exe

Filesize
5.2MB

MD5
dae0d254f4749b5c87ae284e56411b62

SHA1
57ef36c9e27b6da657aa590315167c2d031ffbdd

SHA256
b77437bb3e7ab5feb665fd1879320f6c17a9a59a86d140a906e10a710fbf6397

SHA512
5cad73a0ff92b07530d9b726b12b8a1bc4251d895c0cf45c931368b0958d14c89b0ba157b5a3105111753296aaf2fce2cba6dcecdf58eb6bf0bdc40c3b49254e

Download Submit
C:\Windows\System\DxZtCvR.exe

Filesize
5.2MB

MD5
b897fc076b346d0be306cf19b7c0e177

SHA1
89c1a82e13da54fb01042d16e35b09cb31486912

SHA256
1bd327ce083d73acb7d42ed7f5e58ca231f19ba36ae88fcc17c5c155a1d7400d

SHA512
0c17a02da111313653b1bd7de72ebfd2ee794140283e2ed3cd7641c74c55884697af282b61bec0167fc9ab39b530c5df0ccd45ae6a5cebccabf4dad6a3945eb1

Download Submit
C:\Windows\System\EkyReGj.exe

Filesize
5.2MB

MD5
edb1d77ee309472ee1cfdfbb57eb7bbd

SHA1
8705f3fc743cc48d7b02edb5719a8a9a726a7e29

SHA256
f8c008a4fb2c8a86cc6a61c89e81d40bd1200cc84a65b655589d9ba190a9d579

SHA512
419feea1dd48eb528a41c913a9a16dcac652df942bbc9f7670a091ed189b58c5fa3c9d96021aa1f192036dd8b8faad44f8741de7ad81c0197c875ee30ba71575

Download Submit
C:\Windows\System\JXaVdbl.exe

Filesize
5.2MB

MD5
2ca123102230afa8dc0efc37a325551d

SHA1
377b32eed2700ff3c1ae80a97f183f63b9d9af5c

SHA256
9d7da48904fc9a95632c492ba0d4ad5f540e9c5ff22b2f212bc59227f6aaa371

SHA512
4ec7fe0dfc0337376cc0f1c46fea9bb50fdf9258a77e38b760c5b9070d57e513c763dd68df8f5816a0816e206f96553b603748a5141935e7fce28cfd24926b17

Download Submit
C:\Windows\System\JZRlAAw.exe

Filesize
5.2MB

MD5
fce08e6b463bee5dc2e9f4519be6ca1d

SHA1
ad455b095f2230d298d689a9a7c65a0a67332d03

SHA256
8b93a71b2d9dc0e329248673aaa7b7c99cab11f0f8efe735ce2ea92cca5e21fc

SHA512
70c0c10967bb671240401334667dc6621a3716174bc2f57227c1a535fc18284c9ec825d03e55409378f39361c043de06a87c8a1d7596056fe9c2032a0d7c1136

Download Submit
C:\Windows\System\KvAxECl.exe

Filesize
5.2MB

MD5
0cccbcb28a3e36c1f6d8680359d5a684

SHA1
d43eda9b346d9b121b0e4ca2fe1da2081b3ac111

SHA256
d90607bc82314c5928470f1e4d71b6c79b46796ec8d89bbb15b6d13af48d8635

SHA512
be628745e4f3c4f3177f3be3cd99e21fa415e16b242b5fcb1632809f30589aacb4590b3c13d1d422cb0c6b3db77a5b1ada4e47f9e0b87b9d544792aea2d68af4

Download Submit
C:\Windows\System\OAGRAzS.exe

Filesize
5.2MB

MD5
0958f9116a51d542ac0f999c0a4d1de0

SHA1
10cf8fcda04fed17bc9c4510fe9f14c7e566ea8b

SHA256
45a986e649fb1c1b789af9307a775487e0eb19265ff2e8d16665bb32801df11e

SHA512
092fb06a9341e973bf06e1444aa45560ad4240873ca562a1820e4fae29a532d07787bad44fcac839351b8ef6814b51e0b866fafccb6775256bde277a005cd960

Download Submit
C:\Windows\System\OcLJXFN.exe

Filesize
5.2MB

MD5
456dd7e8476ff0d34c91147404ea701c

SHA1
4667e948714fa250b3ab91c2e3ec4ce85d59a169

SHA256
f89f8022345dd64690911b4ab8105b3bb3eb1b59a08407d5a2148a622ed7ed9c

SHA512
bc4aa2e9c0262bcff1061e6b52a1de82c264765990eb69ca5b089512849ec83231faabfc5b93ecb88fc303f2129318f30a6985f74db452b9e2698fb89459e33b

Download Submit
C:\Windows\System\PUbyiVl.exe

Filesize
5.2MB

MD5
c622a750ca8914d1d4f873e5356764f7

SHA1
07aa72f4821c7deb4df272575fcaaae3ad3fce52

SHA256
78a4a98f2c4753ff33bef1633f430d17842deaac57df74ebb5dc8e3e1317ee25

SHA512
527e9e36ca38e85b27133bb99df8b57acfca13b2e4d53d9f9b83812d312d5dcc6a01de5b7e200a55fe164ca3865ea57b527578c5181aaabd01cb030d672f65f9

Download Submit
C:\Windows\System\PinOiKy.exe

Filesize
5.2MB

MD5
8b30f8483a442da590ab2b889908bd8c

SHA1
363089e5bb0aa0d2d79e739b01204d6ca68e62ae

SHA256
8b10854a0a1192a17fd4d731c32138418ffa2806d6539561872b11e866789507

SHA512
89827cdf4d7fcd160e259be40414c40475be4f9fe7ea3d54f2358a0f122f8de072baa5625d2d0548ccfb26143d514965128ba3d16eb91946988a651ae0244041

Download Submit
C:\Windows\System\XPXOcTX.exe

Filesize
5.2MB

MD5
2920ac7aa17492bbec842a584778dabf

SHA1
0dd0655004ea8ff1528817c4a6afc23e5d74d46c

SHA256
7e624afc45ecf7e59319a0e20781d437d6c957dfe5b381b811f3c73642e65551

SHA512
7c543481a38256a117ae11b0f8039d4ac57270c09d34b1f7e0e6bbe70996826496b1875e7c1326d2b84e4ac1fc7661190448b4d444b7c79d679e9178c7cbcc29

Download Submit
C:\Windows\System\cOTsXcT.exe

Filesize
5.2MB

MD5
5d2fd13bb7144e341d656ed3c04a3c7e

SHA1
0cd40d2dbcd9f5d7982933aa119f65081529bc65

SHA256
4e59d3405609f420101d9357e55cfe81f365ecb82be56c2936feda08c9468e1a

SHA512
0f41fef88c80496f0e57f32f1f1de454ee0104bc5437798ad4ab54b44680c8302fa0e7108f982f8e9f571890aa57559f0c7d52c3316822435f528c432e0d2e53

Download Submit
C:\Windows\System\jOSmKXs.exe

Filesize
5.2MB

MD5
1fcf9a8b55de297d75e1eb16d7254881

SHA1
756ef94ee2230d24ba5e79d4f51b41c0c83c1344

SHA256
3a3331cfadf1e26e1ab391ff22a9e4b2ef9a0ed8df4f7f83bb8a18c588b8b3c6

SHA512
f97cbecbcf3099c9f146774b9c84c2312bdde66318134fb194cdbb5f16b43a3939ea65aaba6e3fa0dd75ac82df882aecc5c866c4467e6e22720bcdbff4214e52

Download Submit
C:\Windows\System\lhrONUh.exe

Filesize
5.2MB

MD5
5623be9c79d46315a1045873ed9fbc1c

SHA1
73fde13302cc69f23077f622e6c8930179899cf7

SHA256
4526046b10bc4459e7467c99e41c88c27f085a53d4b84d78027fa3893b91477b

SHA512
034a413ec1e30f64eba4e21616a690c3a4b9eb9b13b6ada55218a77e116e93ccd3cf44ebbb2ab5f1fcfb12dc2d434c22b6b34ca37a9cd19939edcaf1451dc160

Download Submit
C:\Windows\System\mszzqSx.exe

Filesize
5.2MB

MD5
236ac813b8259e8917401815ec2b23a0

SHA1
1fc55e3da89e399a9aa3b586a57f8513cc3cb32d

SHA256
1748dc15e629a2f759498f5fb27ed0439b53bb6dd062d48ede235a22bd900493

SHA512
b0089a7e6b7e8fb6350bbf119f5ee618b64ff9ff9d09b307421c8902ae70784ba196d11ba257b5f425e143532667b7db6263abe8fd64fe3817d980a6e285d92f

Download Submit
C:\Windows\System\nzAQOAi.exe

Filesize
5.2MB

MD5
a37994da301aacf2c32166eadd3abf3b

SHA1
4b554dcca45a1ebf0a8b97504b8c838f37a35a30

SHA256
62bcd844a4627f03b3ddac55dc28698cf5fea78d07d239b5e09b8712140c6c86

SHA512
f11bcb5c46e3aa1a8fd55d7767cf4a9590f399d097e38969b1634beba0acda7f4e0c52e339298e45de1b96f91e73a28bc2e61e018416a18324ac6273edb9057a

Download Submit
C:\Windows\System\tKNTRDn.exe

Filesize
5.2MB

MD5
53d3212cd4fcd0a2e922bcbe92adaa1f

SHA1
dc6b48c71a060eeaca575bd78168ecfb167bc626

SHA256
8bdb6c914d72beefb313aa1873039ff96c0a5480143dcba43ef9a07c35c9ba63

SHA512
206b87e0e8ab87cde4db84f2e97b39afa017e07a425f783b56a76db6cdcf982cc8b1e821facf22d1c6a3f9b30fab3c3152bb6485ecc020c3e0cf27053f57a08f

Download Submit
C:\Windows\System\ybQCbiT.exe

Filesize
5.2MB

MD5
815b2db637aadc6df7c644794391f259

SHA1
4a254d496e758371335737574648cead8d928841

SHA256
e1cab7b6a443cac24c05fc5265fe536b94f6a781b829cfd1dd1e12d99d2cb23d

SHA512
4d2a63a3500e00cf2b691884c60e482b2b6350af5289e097d1640114480ef627d0ae1823021177949bb1a8d05a56e4b12dca94d8aea1378fabbf9bb51be43051

Download Submit
memory/1156-139-0x00007FF7F16C0000-0x00007FF7F1A11000-memory.dmp

Filesize
3.3MB

Download
memory/1156-233-0x00007FF7F16C0000-0x00007FF7F1A11000-memory.dmp

Filesize
3.3MB

Download
memory/1156-67-0x00007FF7F16C0000-0x00007FF7F1A11000-memory.dmp

Filesize
3.3MB

Download
memory/1492-131-0x00007FF7F7BC0000-0x00007FF7F7F11000-memory.dmp

Filesize
3.3MB

Download
memory/1492-128-0x00007FF7F7BC0000-0x00007FF7F7F11000-memory.dmp

Filesize
3.3MB

Download
memory/1492-0-0x00007FF7F7BC0000-0x00007FF7F7F11000-memory.dmp

Filesize
3.3MB

Download
memory/1492-157-0x00007FF7F7BC0000-0x00007FF7F7F11000-memory.dmp

Filesize
3.3MB

Download
memory/1492-1-0x0000020A87BD0000-0x0000020A87BE0000-memory.dmp

Filesize
64KB

Download
memory/1672-229-0x00007FF620690000-0x00007FF6209E1000-memory.dmp

Filesize
3.3MB

Download
memory/1672-70-0x00007FF620690000-0x00007FF6209E1000-memory.dmp

Filesize
3.3MB

Download
memory/2004-237-0x00007FF63DC90000-0x00007FF63DFE1000-memory.dmp

Filesize
3.3MB

Download
memory/2004-48-0x00007FF63DC90000-0x00007FF63DFE1000-memory.dmp

Filesize
3.3MB

Download
memory/2004-136-0x00007FF63DC90000-0x00007FF63DFE1000-memory.dmp

Filesize
3.3MB

Download
memory/2208-242-0x00007FF683390000-0x00007FF6836E1000-memory.dmp

Filesize
3.3MB

Download
memory/2208-92-0x00007FF683390000-0x00007FF6836E1000-memory.dmp

Filesize
3.3MB

Download
memory/2236-240-0x00007FF699020000-0x00007FF699371000-memory.dmp

Filesize
3.3MB

Download
memory/2236-101-0x00007FF699020000-0x00007FF699371000-memory.dmp

Filesize
3.3MB

Download
memory/2300-23-0x00007FF69F7A0000-0x00007FF69FAF1000-memory.dmp

Filesize
3.3MB

Download
memory/2300-223-0x00007FF69F7A0000-0x00007FF69FAF1000-memory.dmp

Filesize
3.3MB

Download
memory/2300-141-0x00007FF69F7A0000-0x00007FF69FAF1000-memory.dmp

Filesize
3.3MB

Download
memory/2392-151-0x00007FF648C70000-0x00007FF648FC1000-memory.dmp

Filesize
3.3MB

Download
memory/2392-258-0x00007FF648C70000-0x00007FF648FC1000-memory.dmp

Filesize
3.3MB

Download
memory/2392-107-0x00007FF648C70000-0x00007FF648FC1000-memory.dmp

Filesize
3.3MB

Download
memory/2480-127-0x00007FF7DA1D0000-0x00007FF7DA521000-memory.dmp

Filesize
3.3MB

Download
memory/2480-156-0x00007FF7DA1D0000-0x00007FF7DA521000-memory.dmp

Filesize
3.3MB

Download
memory/2480-264-0x00007FF7DA1D0000-0x00007FF7DA521000-memory.dmp

Filesize
3.3MB

Download
memory/2524-109-0x00007FF7E3F20000-0x00007FF7E4271000-memory.dmp

Filesize
3.3MB

Download
memory/2524-243-0x00007FF7E3F20000-0x00007FF7E4271000-memory.dmp

Filesize
3.3MB

Download
memory/2856-111-0x00007FF6CE210000-0x00007FF6CE561000-memory.dmp

Filesize
3.3MB

Download
memory/2856-248-0x00007FF6CE210000-0x00007FF6CE561000-memory.dmp

Filesize
3.3MB

Download
memory/2968-255-0x00007FF7DF570000-0x00007FF7DF8C1000-memory.dmp

Filesize
3.3MB

Download
memory/2968-113-0x00007FF7DF570000-0x00007FF7DF8C1000-memory.dmp

Filesize
3.3MB

Download
memory/2968-152-0x00007FF7DF570000-0x00007FF7DF8C1000-memory.dmp

Filesize
3.3MB

Download
memory/3224-250-0x00007FF6C7BA0000-0x00007FF6C7EF1000-memory.dmp

Filesize
3.3MB

Download
memory/3224-106-0x00007FF6C7BA0000-0x00007FF6C7EF1000-memory.dmp

Filesize
3.3MB

Download
memory/3516-219-0x00007FF7AC8E0000-0x00007FF7ACC31000-memory.dmp

Filesize
3.3MB

Download
memory/3516-129-0x00007FF7AC8E0000-0x00007FF7ACC31000-memory.dmp

Filesize
3.3MB

Download
memory/3516-8-0x00007FF7AC8E0000-0x00007FF7ACC31000-memory.dmp

Filesize
3.3MB

Download
memory/3592-225-0x00007FF675300000-0x00007FF675651000-memory.dmp

Filesize
3.3MB

Download
memory/3592-34-0x00007FF675300000-0x00007FF675651000-memory.dmp

Filesize
3.3MB

Download
memory/3592-142-0x00007FF675300000-0x00007FF675651000-memory.dmp

Filesize
3.3MB

Download
memory/3732-20-0x00007FF76BBE0000-0x00007FF76BF31000-memory.dmp

Filesize
3.3MB

Download
memory/3732-130-0x00007FF76BBE0000-0x00007FF76BF31000-memory.dmp

Filesize
3.3MB

Download
memory/3732-221-0x00007FF76BBE0000-0x00007FF76BF31000-memory.dmp

Filesize
3.3MB

Download
memory/3984-112-0x00007FF6351C0000-0x00007FF635511000-memory.dmp

Filesize
3.3MB

Download
memory/3984-252-0x00007FF6351C0000-0x00007FF635511000-memory.dmp

Filesize
3.3MB

Download
memory/3988-257-0x00007FF76C4B0000-0x00007FF76C801000-memory.dmp

Filesize
3.3MB

Download
memory/3988-148-0x00007FF76C4B0000-0x00007FF76C801000-memory.dmp

Filesize
3.3MB

Download
memory/3988-102-0x00007FF76C4B0000-0x00007FF76C801000-memory.dmp

Filesize
3.3MB

Download
memory/4112-227-0x00007FF62EA50000-0x00007FF62EDA1000-memory.dmp

Filesize
3.3MB

Download
memory/4112-54-0x00007FF62EA50000-0x00007FF62EDA1000-memory.dmp

Filesize
3.3MB

Download
memory/4428-262-0x00007FF6E7FB0000-0x00007FF6E8301000-memory.dmp

Filesize
3.3MB

Download
memory/4428-153-0x00007FF6E7FB0000-0x00007FF6E8301000-memory.dmp

Filesize
3.3MB

Download
memory/4428-121-0x00007FF6E7FB0000-0x00007FF6E8301000-memory.dmp

Filesize
3.3MB

Download
memory/4944-235-0x00007FF68A7A0000-0x00007FF68AAF1000-memory.dmp

Filesize
3.3MB

Download
memory/4944-79-0x00007FF68A7A0000-0x00007FF68AAF1000-memory.dmp

Filesize
3.3MB

Download
memory/5056-40-0x00007FF78A2B0000-0x00007FF78A601000-memory.dmp

Filesize
3.3MB

Download
memory/5056-231-0x00007FF78A2B0000-0x00007FF78A601000-memory.dmp

Filesize
3.3MB

Download
memory/5056-137-0x00007FF78A2B0000-0x00007FF78A601000-memory.dmp

Filesize
3.3MB

Download