cobaltstrike | e66e5a15b0d1be993098ef8cdfa43c5820eb290295660b8ac7cef894110f1450

Analysis

max time kernel
144s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 16:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-22_2514ab29a21b597f42f202c60b99a018_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

2514ab29a21b597f42f202c60b99a018
SHA1

d17c94bed1d8255d819696c83646f1ac8b6c7c45
SHA256

e66e5a15b0d1be993098ef8cdfa43c5820eb290295660b8ac7cef894110f1450
SHA512

88f80de7c596428dce91a7626f15a1e207a8413597b7b459f2695ca5a3ea3ec6d85e03cbc4091972b37528eb4b6d640ea193a15b6983254b3e4691208e45fb9d
SSDEEP

49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l6:RWWBibd56utgpPFotBER/mQ32lUe

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000c000000023b88-6.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c72-10.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c76-37.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c6f-44.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c78-60.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c77-51.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c74-39.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c75-34.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c73-20.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c6e-14.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c79-65.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c7b-69.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c7c-80.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c7d-84.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c7e-94.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c7f-97.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c80-104.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c84-114.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c85-116.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c83-111.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c81-108.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 46 IoCs

miner

resource	yara_rule
behavioral2/memory/3188-58-0x00007FF781A60000-0x00007FF781DB1000-memory.dmp	xmrig
behavioral2/memory/1004-59-0x00007FF7BCAA0000-0x00007FF7BCDF1000-memory.dmp	xmrig
behavioral2/memory/4576-57-0x00007FF630980000-0x00007FF630CD1000-memory.dmp	xmrig
behavioral2/memory/3740-31-0x00007FF731170000-0x00007FF7314C1000-memory.dmp	xmrig
behavioral2/memory/5064-92-0x00007FF68C1A0000-0x00007FF68C4F1000-memory.dmp	xmrig
behavioral2/memory/1700-85-0x00007FF70AF00000-0x00007FF70B251000-memory.dmp	xmrig
behavioral2/memory/4204-78-0x00007FF7CE4F0000-0x00007FF7CE841000-memory.dmp	xmrig
behavioral2/memory/4476-117-0x00007FF7E5690000-0x00007FF7E59E1000-memory.dmp	xmrig
behavioral2/memory/2280-120-0x00007FF6BDD80000-0x00007FF6BE0D1000-memory.dmp	xmrig
behavioral2/memory/572-130-0x00007FF7BE400000-0x00007FF7BE751000-memory.dmp	xmrig
behavioral2/memory/4412-132-0x00007FF669020000-0x00007FF669371000-memory.dmp	xmrig
behavioral2/memory/3616-131-0x00007FF603850000-0x00007FF603BA1000-memory.dmp	xmrig
behavioral2/memory/3508-129-0x00007FF7AA910000-0x00007FF7AAC61000-memory.dmp	xmrig
behavioral2/memory/4884-126-0x00007FF7CA220000-0x00007FF7CA571000-memory.dmp	xmrig
behavioral2/memory/2300-125-0x00007FF6ECF50000-0x00007FF6ED2A1000-memory.dmp	xmrig
behavioral2/memory/4968-122-0x00007FF7B4950000-0x00007FF7B4CA1000-memory.dmp	xmrig
behavioral2/memory/1700-134-0x00007FF70AF00000-0x00007FF70B251000-memory.dmp	xmrig
behavioral2/memory/1276-144-0x00007FF6592B0000-0x00007FF659601000-memory.dmp	xmrig
behavioral2/memory/4364-145-0x00007FF636280000-0x00007FF6365D1000-memory.dmp	xmrig
behavioral2/memory/536-146-0x00007FF74F6B0000-0x00007FF74FA01000-memory.dmp	xmrig
behavioral2/memory/672-147-0x00007FF647000000-0x00007FF647351000-memory.dmp	xmrig
behavioral2/memory/572-154-0x00007FF7BE400000-0x00007FF7BE751000-memory.dmp	xmrig
behavioral2/memory/4472-149-0x00007FF7CAC90000-0x00007FF7CAFE1000-memory.dmp	xmrig
behavioral2/memory/2236-148-0x00007FF66E3A0000-0x00007FF66E6F1000-memory.dmp	xmrig
behavioral2/memory/1700-156-0x00007FF70AF00000-0x00007FF70B251000-memory.dmp	xmrig
behavioral2/memory/5064-209-0x00007FF68C1A0000-0x00007FF68C4F1000-memory.dmp	xmrig
behavioral2/memory/4204-211-0x00007FF7CE4F0000-0x00007FF7CE841000-memory.dmp	xmrig
behavioral2/memory/3740-213-0x00007FF731170000-0x00007FF7314C1000-memory.dmp	xmrig
behavioral2/memory/4476-215-0x00007FF7E5690000-0x00007FF7E59E1000-memory.dmp	xmrig
behavioral2/memory/2280-223-0x00007FF6BDD80000-0x00007FF6BE0D1000-memory.dmp	xmrig
behavioral2/memory/4576-222-0x00007FF630980000-0x00007FF630CD1000-memory.dmp	xmrig
behavioral2/memory/1004-226-0x00007FF7BCAA0000-0x00007FF7BCDF1000-memory.dmp	xmrig
behavioral2/memory/1276-231-0x00007FF6592B0000-0x00007FF659601000-memory.dmp	xmrig
behavioral2/memory/3188-230-0x00007FF781A60000-0x00007FF781DB1000-memory.dmp	xmrig
behavioral2/memory/4968-228-0x00007FF7B4950000-0x00007FF7B4CA1000-memory.dmp	xmrig
behavioral2/memory/536-239-0x00007FF74F6B0000-0x00007FF74FA01000-memory.dmp	xmrig
behavioral2/memory/4364-241-0x00007FF636280000-0x00007FF6365D1000-memory.dmp	xmrig
behavioral2/memory/672-243-0x00007FF647000000-0x00007FF647351000-memory.dmp	xmrig
behavioral2/memory/4472-246-0x00007FF7CAC90000-0x00007FF7CAFE1000-memory.dmp	xmrig
behavioral2/memory/2236-247-0x00007FF66E3A0000-0x00007FF66E6F1000-memory.dmp	xmrig
behavioral2/memory/4412-253-0x00007FF669020000-0x00007FF669371000-memory.dmp	xmrig
behavioral2/memory/2300-255-0x00007FF6ECF50000-0x00007FF6ED2A1000-memory.dmp	xmrig
behavioral2/memory/4884-257-0x00007FF7CA220000-0x00007FF7CA571000-memory.dmp	xmrig
behavioral2/memory/3508-259-0x00007FF7AA910000-0x00007FF7AAC61000-memory.dmp	xmrig
behavioral2/memory/3616-262-0x00007FF603850000-0x00007FF603BA1000-memory.dmp	xmrig
behavioral2/memory/572-264-0x00007FF7BE400000-0x00007FF7BE751000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
5064	MwVQZFe.exe
4204	EsODBWI.exe
3740	jywjnDP.exe
4476	BEIYBnK.exe
2280	fGiXlQw.exe
4576	OImTyEX.exe
3188	ZFRyDDQ.exe
4968	JUQLjiR.exe
1004	oviadrT.exe
1276	cHfssjY.exe
4364	MIRInQp.exe
536	SycyCFv.exe
672	jTVJfos.exe
2236	GpSxaDr.exe
4472	ylITgpS.exe
2300	dDwysVr.exe
4412	UiaVQvj.exe
4884	Hknbipl.exe
3508	LENvMDS.exe
572	IMlIxeE.exe
3616	LqsNlWn.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1700-0-0x00007FF70AF00000-0x00007FF70B251000-memory.dmp	upx
behavioral2/files/0x000c000000023b88-6.dat	upx
behavioral2/memory/5064-8-0x00007FF68C1A0000-0x00007FF68C4F1000-memory.dmp	upx
behavioral2/files/0x0007000000023c72-10.dat	upx
behavioral2/memory/4204-21-0x00007FF7CE4F0000-0x00007FF7CE841000-memory.dmp	upx
behavioral2/memory/4476-26-0x00007FF7E5690000-0x00007FF7E59E1000-memory.dmp	upx
behavioral2/files/0x0007000000023c76-37.dat	upx
behavioral2/files/0x0008000000023c6f-44.dat	upx
behavioral2/memory/4968-54-0x00007FF7B4950000-0x00007FF7B4CA1000-memory.dmp	upx
behavioral2/memory/3188-58-0x00007FF781A60000-0x00007FF781DB1000-memory.dmp	upx
behavioral2/memory/1276-62-0x00007FF6592B0000-0x00007FF659601000-memory.dmp	upx
behavioral2/files/0x0007000000023c78-60.dat	upx
behavioral2/memory/1004-59-0x00007FF7BCAA0000-0x00007FF7BCDF1000-memory.dmp	upx
behavioral2/memory/4576-57-0x00007FF630980000-0x00007FF630CD1000-memory.dmp	upx
behavioral2/files/0x0007000000023c77-51.dat	upx
behavioral2/files/0x0007000000023c74-39.dat	upx
behavioral2/memory/2280-35-0x00007FF6BDD80000-0x00007FF6BE0D1000-memory.dmp	upx
behavioral2/files/0x0007000000023c75-34.dat	upx
behavioral2/memory/3740-31-0x00007FF731170000-0x00007FF7314C1000-memory.dmp	upx
behavioral2/files/0x0007000000023c73-20.dat	upx
behavioral2/files/0x0008000000023c6e-14.dat	upx
behavioral2/files/0x0007000000023c79-65.dat	upx
behavioral2/files/0x0007000000023c7b-69.dat	upx
behavioral2/files/0x0007000000023c7c-80.dat	upx
behavioral2/files/0x0007000000023c7d-84.dat	upx
behavioral2/files/0x0007000000023c7e-94.dat	upx
behavioral2/files/0x0007000000023c7f-97.dat	upx
behavioral2/files/0x0007000000023c80-104.dat	upx
behavioral2/files/0x0007000000023c84-114.dat	upx
behavioral2/files/0x0007000000023c85-116.dat	upx
behavioral2/files/0x0007000000023c83-111.dat	upx
behavioral2/files/0x0007000000023c81-108.dat	upx
behavioral2/memory/4472-93-0x00007FF7CAC90000-0x00007FF7CAFE1000-memory.dmp	upx
behavioral2/memory/5064-92-0x00007FF68C1A0000-0x00007FF68C4F1000-memory.dmp	upx
behavioral2/memory/2236-86-0x00007FF66E3A0000-0x00007FF66E6F1000-memory.dmp	upx
behavioral2/memory/1700-85-0x00007FF70AF00000-0x00007FF70B251000-memory.dmp	upx
behavioral2/memory/672-79-0x00007FF647000000-0x00007FF647351000-memory.dmp	upx
behavioral2/memory/4204-78-0x00007FF7CE4F0000-0x00007FF7CE841000-memory.dmp	upx
behavioral2/memory/536-73-0x00007FF74F6B0000-0x00007FF74FA01000-memory.dmp	upx
behavioral2/memory/4364-67-0x00007FF636280000-0x00007FF6365D1000-memory.dmp	upx
behavioral2/memory/4476-117-0x00007FF7E5690000-0x00007FF7E59E1000-memory.dmp	upx
behavioral2/memory/2280-120-0x00007FF6BDD80000-0x00007FF6BE0D1000-memory.dmp	upx
behavioral2/memory/572-130-0x00007FF7BE400000-0x00007FF7BE751000-memory.dmp	upx
behavioral2/memory/4412-132-0x00007FF669020000-0x00007FF669371000-memory.dmp	upx
behavioral2/memory/3616-131-0x00007FF603850000-0x00007FF603BA1000-memory.dmp	upx
behavioral2/memory/3508-129-0x00007FF7AA910000-0x00007FF7AAC61000-memory.dmp	upx
behavioral2/memory/4884-126-0x00007FF7CA220000-0x00007FF7CA571000-memory.dmp	upx
behavioral2/memory/2300-125-0x00007FF6ECF50000-0x00007FF6ED2A1000-memory.dmp	upx
behavioral2/memory/4968-122-0x00007FF7B4950000-0x00007FF7B4CA1000-memory.dmp	upx
behavioral2/memory/1700-134-0x00007FF70AF00000-0x00007FF70B251000-memory.dmp	upx
behavioral2/memory/1276-144-0x00007FF6592B0000-0x00007FF659601000-memory.dmp	upx
behavioral2/memory/4364-145-0x00007FF636280000-0x00007FF6365D1000-memory.dmp	upx
behavioral2/memory/536-146-0x00007FF74F6B0000-0x00007FF74FA01000-memory.dmp	upx
behavioral2/memory/672-147-0x00007FF647000000-0x00007FF647351000-memory.dmp	upx
behavioral2/memory/572-154-0x00007FF7BE400000-0x00007FF7BE751000-memory.dmp	upx
behavioral2/memory/4472-149-0x00007FF7CAC90000-0x00007FF7CAFE1000-memory.dmp	upx
behavioral2/memory/2236-148-0x00007FF66E3A0000-0x00007FF66E6F1000-memory.dmp	upx
behavioral2/memory/1700-156-0x00007FF70AF00000-0x00007FF70B251000-memory.dmp	upx
behavioral2/memory/5064-209-0x00007FF68C1A0000-0x00007FF68C4F1000-memory.dmp	upx
behavioral2/memory/4204-211-0x00007FF7CE4F0000-0x00007FF7CE841000-memory.dmp	upx
behavioral2/memory/3740-213-0x00007FF731170000-0x00007FF7314C1000-memory.dmp	upx
behavioral2/memory/4476-215-0x00007FF7E5690000-0x00007FF7E59E1000-memory.dmp	upx
behavioral2/memory/2280-223-0x00007FF6BDD80000-0x00007FF6BE0D1000-memory.dmp	upx
behavioral2/memory/4576-222-0x00007FF630980000-0x00007FF630CD1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\MwVQZFe.exe	2024-12-22_2514ab29a21b597f42f202c60b99a018_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LENvMDS.exe	2024-12-22_2514ab29a21b597f42f202c60b99a018_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IMlIxeE.exe	2024-12-22_2514ab29a21b597f42f202c60b99a018_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UiaVQvj.exe	2024-12-22_2514ab29a21b597f42f202c60b99a018_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fGiXlQw.exe	2024-12-22_2514ab29a21b597f42f202c60b99a018_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZFRyDDQ.exe	2024-12-22_2514ab29a21b597f42f202c60b99a018_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JUQLjiR.exe	2024-12-22_2514ab29a21b597f42f202c60b99a018_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oviadrT.exe	2024-12-22_2514ab29a21b597f42f202c60b99a018_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SycyCFv.exe	2024-12-22_2514ab29a21b597f42f202c60b99a018_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dDwysVr.exe	2024-12-22_2514ab29a21b597f42f202c60b99a018_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\Hknbipl.exe	2024-12-22_2514ab29a21b597f42f202c60b99a018_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LqsNlWn.exe	2024-12-22_2514ab29a21b597f42f202c60b99a018_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BEIYBnK.exe	2024-12-22_2514ab29a21b597f42f202c60b99a018_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jywjnDP.exe	2024-12-22_2514ab29a21b597f42f202c60b99a018_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jTVJfos.exe	2024-12-22_2514ab29a21b597f42f202c60b99a018_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GpSxaDr.exe	2024-12-22_2514ab29a21b597f42f202c60b99a018_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ylITgpS.exe	2024-12-22_2514ab29a21b597f42f202c60b99a018_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EsODBWI.exe	2024-12-22_2514ab29a21b597f42f202c60b99a018_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OImTyEX.exe	2024-12-22_2514ab29a21b597f42f202c60b99a018_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cHfssjY.exe	2024-12-22_2514ab29a21b597f42f202c60b99a018_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MIRInQp.exe	2024-12-22_2514ab29a21b597f42f202c60b99a018_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1700	2024-12-22_2514ab29a21b597f42f202c60b99a018_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	1700	2024-12-22_2514ab29a21b597f42f202c60b99a018_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1700 wrote to memory of 5064	1700	2024-12-22_2514ab29a21b597f42f202c60b99a018_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 1700 wrote to memory of 5064	1700	2024-12-22_2514ab29a21b597f42f202c60b99a018_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 1700 wrote to memory of 4204	1700	2024-12-22_2514ab29a21b597f42f202c60b99a018_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 1700 wrote to memory of 4204	1700	2024-12-22_2514ab29a21b597f42f202c60b99a018_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 1700 wrote to memory of 4476	1700	2024-12-22_2514ab29a21b597f42f202c60b99a018_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 1700 wrote to memory of 4476	1700	2024-12-22_2514ab29a21b597f42f202c60b99a018_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 1700 wrote to memory of 3740	1700	2024-12-22_2514ab29a21b597f42f202c60b99a018_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 1700 wrote to memory of 3740	1700	2024-12-22_2514ab29a21b597f42f202c60b99a018_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 1700 wrote to memory of 2280	1700	2024-12-22_2514ab29a21b597f42f202c60b99a018_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 1700 wrote to memory of 2280	1700	2024-12-22_2514ab29a21b597f42f202c60b99a018_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 1700 wrote to memory of 4576	1700	2024-12-22_2514ab29a21b597f42f202c60b99a018_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 1700 wrote to memory of 4576	1700	2024-12-22_2514ab29a21b597f42f202c60b99a018_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 1700 wrote to memory of 3188	1700	2024-12-22_2514ab29a21b597f42f202c60b99a018_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1700 wrote to memory of 3188	1700	2024-12-22_2514ab29a21b597f42f202c60b99a018_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1700 wrote to memory of 4968	1700	2024-12-22_2514ab29a21b597f42f202c60b99a018_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1700 wrote to memory of 4968	1700	2024-12-22_2514ab29a21b597f42f202c60b99a018_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1700 wrote to memory of 1004	1700	2024-12-22_2514ab29a21b597f42f202c60b99a018_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1700 wrote to memory of 1004	1700	2024-12-22_2514ab29a21b597f42f202c60b99a018_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1700 wrote to memory of 1276	1700	2024-12-22_2514ab29a21b597f42f202c60b99a018_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1700 wrote to memory of 1276	1700	2024-12-22_2514ab29a21b597f42f202c60b99a018_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1700 wrote to memory of 4364	1700	2024-12-22_2514ab29a21b597f42f202c60b99a018_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 1700 wrote to memory of 4364	1700	2024-12-22_2514ab29a21b597f42f202c60b99a018_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 1700 wrote to memory of 536	1700	2024-12-22_2514ab29a21b597f42f202c60b99a018_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1700 wrote to memory of 536	1700	2024-12-22_2514ab29a21b597f42f202c60b99a018_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1700 wrote to memory of 672	1700	2024-12-22_2514ab29a21b597f42f202c60b99a018_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1700 wrote to memory of 672	1700	2024-12-22_2514ab29a21b597f42f202c60b99a018_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1700 wrote to memory of 2236	1700	2024-12-22_2514ab29a21b597f42f202c60b99a018_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 1700 wrote to memory of 2236	1700	2024-12-22_2514ab29a21b597f42f202c60b99a018_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 1700 wrote to memory of 4472	1700	2024-12-22_2514ab29a21b597f42f202c60b99a018_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1700 wrote to memory of 4472	1700	2024-12-22_2514ab29a21b597f42f202c60b99a018_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1700 wrote to memory of 2300	1700	2024-12-22_2514ab29a21b597f42f202c60b99a018_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1700 wrote to memory of 2300	1700	2024-12-22_2514ab29a21b597f42f202c60b99a018_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1700 wrote to memory of 4412	1700	2024-12-22_2514ab29a21b597f42f202c60b99a018_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1700 wrote to memory of 4412	1700	2024-12-22_2514ab29a21b597f42f202c60b99a018_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1700 wrote to memory of 4884	1700	2024-12-22_2514ab29a21b597f42f202c60b99a018_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1700 wrote to memory of 4884	1700	2024-12-22_2514ab29a21b597f42f202c60b99a018_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1700 wrote to memory of 3508	1700	2024-12-22_2514ab29a21b597f42f202c60b99a018_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1700 wrote to memory of 3508	1700	2024-12-22_2514ab29a21b597f42f202c60b99a018_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1700 wrote to memory of 572	1700	2024-12-22_2514ab29a21b597f42f202c60b99a018_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 1700 wrote to memory of 572	1700	2024-12-22_2514ab29a21b597f42f202c60b99a018_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 1700 wrote to memory of 3616	1700	2024-12-22_2514ab29a21b597f42f202c60b99a018_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 1700 wrote to memory of 3616	1700	2024-12-22_2514ab29a21b597f42f202c60b99a018_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-12-22_2514ab29a21b597f42f202c60b99a018_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-22_2514ab29a21b597f42f202c60b99a018_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1700
- C:\Windows\System\MwVQZFe.exe
  C:\Windows\System\MwVQZFe.exe
  2⤵
  - Executes dropped EXE
  PID:5064
- C:\Windows\System\EsODBWI.exe
  C:\Windows\System\EsODBWI.exe
  2⤵
  - Executes dropped EXE
  PID:4204
- C:\Windows\System\BEIYBnK.exe
  C:\Windows\System\BEIYBnK.exe
  2⤵
  - Executes dropped EXE
  PID:4476
- C:\Windows\System\jywjnDP.exe
  C:\Windows\System\jywjnDP.exe
  2⤵
  - Executes dropped EXE
  PID:3740
- C:\Windows\System\fGiXlQw.exe
  C:\Windows\System\fGiXlQw.exe
  2⤵
  - Executes dropped EXE
  PID:2280
- C:\Windows\System\OImTyEX.exe
  C:\Windows\System\OImTyEX.exe
  2⤵
  - Executes dropped EXE
  PID:4576
- C:\Windows\System\ZFRyDDQ.exe
  C:\Windows\System\ZFRyDDQ.exe
  2⤵
  - Executes dropped EXE
  PID:3188
- C:\Windows\System\JUQLjiR.exe
  C:\Windows\System\JUQLjiR.exe
  2⤵
  - Executes dropped EXE
  PID:4968
- C:\Windows\System\oviadrT.exe
  C:\Windows\System\oviadrT.exe
  2⤵
  - Executes dropped EXE
  PID:1004
- C:\Windows\System\cHfssjY.exe
  C:\Windows\System\cHfssjY.exe
  2⤵
  - Executes dropped EXE
  PID:1276
- C:\Windows\System\MIRInQp.exe
  C:\Windows\System\MIRInQp.exe
  2⤵
  - Executes dropped EXE
  PID:4364
- C:\Windows\System\SycyCFv.exe
  C:\Windows\System\SycyCFv.exe
  2⤵
  - Executes dropped EXE
  PID:536
- C:\Windows\System\jTVJfos.exe
  C:\Windows\System\jTVJfos.exe
  2⤵
  - Executes dropped EXE
  PID:672
- C:\Windows\System\GpSxaDr.exe
  C:\Windows\System\GpSxaDr.exe
  2⤵
  - Executes dropped EXE
  PID:2236
- C:\Windows\System\ylITgpS.exe
  C:\Windows\System\ylITgpS.exe
  2⤵
  - Executes dropped EXE
  PID:4472
- C:\Windows\System\dDwysVr.exe
  C:\Windows\System\dDwysVr.exe
  2⤵
  - Executes dropped EXE
  PID:2300
- C:\Windows\System\UiaVQvj.exe
  C:\Windows\System\UiaVQvj.exe
  2⤵
  - Executes dropped EXE
  PID:4412
- C:\Windows\System\Hknbipl.exe
  C:\Windows\System\Hknbipl.exe
  2⤵
  - Executes dropped EXE
  PID:4884
- C:\Windows\System\LENvMDS.exe
  C:\Windows\System\LENvMDS.exe
  2⤵
  - Executes dropped EXE
  PID:3508
- C:\Windows\System\IMlIxeE.exe
  C:\Windows\System\IMlIxeE.exe
  2⤵
  - Executes dropped EXE
  PID:572
- C:\Windows\System\LqsNlWn.exe
  C:\Windows\System\LqsNlWn.exe
  2⤵
  - Executes dropped EXE
  PID:3616

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BEIYBnK.exe

Filesize
5.2MB

MD5
fcf4cbe737413cc2e9d6284736b55613

SHA1
2f5b5c97dbdc94844de6c9884c7c706208f8cf1b

SHA256
7c349d80a8d4ef97ac84b885442a6a44c32a6535e952ee61698eca2d1d675e7a

SHA512
1777c8519ce10c1881cf26a19de1af436c8322ee6b6d100644677d83f95baf4f8610f11d6f2ab659b8c84e200d7b06b8438ff265c85e3bdd1b0673b179bf3ecb

Download Submit
C:\Windows\System\EsODBWI.exe

Filesize
5.2MB

MD5
6f5939749474336d8f37d13fd8b6d4cc

SHA1
bf5b2b4e081caad435f9d632de88adea1581a18c

SHA256
1e73a4cb828e943bc07f2632a34db60e85a94f83a190b6dbb4776b62b890590c

SHA512
0f2bab04e9afbbf0d02b787712c16eb4e397f407738cc97116c6dfb193c0c4c6a3b8755377e77a1b19ebd51e5f3dc1846e10a758ff619ff79870fa196042b936

Download Submit
C:\Windows\System\GpSxaDr.exe

Filesize
5.2MB

MD5
8ae4fe485bd1e956032b666fffbdacda

SHA1
94ea9f52aeaebb46062979bcde88dd501bfe362c

SHA256
50a1b0eb0f0cf0f1d450578c8c47daa6f99561d73afbe8019ed7de2fdd4ee703

SHA512
daabb4689c0436ad8c39ea18a3ef16775acecc89b8515f392946d33421042de1538d2aab4cf2ac8d23121ad79cf506a799c066d5c89a9c094907c0d2dd2a2be1

Download Submit
C:\Windows\System\Hknbipl.exe

Filesize
5.2MB

MD5
730fb28a87945c6ae26000abe658ff2c

SHA1
aca0393b9334334a3d920528e2b5fcb1b05a70b3

SHA256
646384d24722bfd92d5505345cf30ede8dd4545dc552cb9de6f4ab74afaa0fe3

SHA512
659d260ed4632430eda5dac281cb050954dae1bef988989050b9a84a8e83980d1a66e9b45b521eaaccde41bc358dab3a99b460b5ab53aa7440f5a9fabac74206

Download Submit
C:\Windows\System\IMlIxeE.exe

Filesize
5.2MB

MD5
77e887449c99f1cff3708bca7c611cb2

SHA1
53b24bd9275e6ec46184674991fc3505d2617acd

SHA256
6cf46262d3f59efef050152424e13ef5b185c8b4f61be8a4d826cbc5dce13f4a

SHA512
60edcaeee25eccc42e0a1cf889ad3d00c0095d17b7e713385e65afd10784dc4ed5742011340848e00495e3405501bdb15e0a635b4309596eed3c9bca26b2535a

Download Submit
C:\Windows\System\JUQLjiR.exe

Filesize
5.2MB

MD5
224eb9e56077d640bbe3021b2926c1f6

SHA1
e271f17385cd83f1830d36f88efb329ff41698b9

SHA256
7719f3161e2d5fb2919068d42329f6ff210199335cd2ea9172e54d4bf1c95052

SHA512
8063664a0b212daae78f147e5cc5ccd208ea9b91859f79f73d771d7ada5311310cdcf2c5918cddc79cdcead21742d55412e816cd6e4f83b2266756735100ddd2

Download Submit
C:\Windows\System\LENvMDS.exe

Filesize
5.2MB

MD5
4a95d4fb932e9e5879866d90d073818e

SHA1
db86f9ae306d5e8a8086323514574f6f71d0c96b

SHA256
f685aace3d248aeb4b07e335b5e6b93496f08b7950bc2c2c3ffad7f9ca7e93ec

SHA512
b77190110f3c418c2a9deaf62df76e520fdbba57291f319d0fe6f7ecc86de0b139a93d65dad90196c6e2b71ac63d238458f982a28d85d39917fa762de9d90b14

Download Submit
C:\Windows\System\LqsNlWn.exe

Filesize
5.2MB

MD5
5b9dc42a82001feed0128d50133cb00d

SHA1
e03c7b6e56dfd4817f63e40817b45abe1129e797

SHA256
f424e4a5adf14aba04d2504934d514e2d09a6d8557b3dc485a3d0910afe95f78

SHA512
b10ad786b50b4efb090a1721dbf4f8717558894efba480e8d9aa36a3086fc7425df14fddf19ed3c94c557e85dd64b982447139916e6b02d727549e8d09b55105

Download Submit
C:\Windows\System\MIRInQp.exe

Filesize
5.2MB

MD5
9dca34d19d5f111be573cfcc5ea844eb

SHA1
2f9c18bcc0c2699b4a6bd9deaf1c0057d7bbe902

SHA256
7ebb868cbc772099d379ef670fff364eae7140c7ac9de72453849457a8900ba8

SHA512
baa53c669700d138bd4a4f4a5e79efaa2acf78923c1c816ee0eb91bc4cdb1eb2d61bf7de1df7640b07e82afc3ac3778ee897ac031b6a4fe378d268002217e058

Download Submit
C:\Windows\System\MwVQZFe.exe

Filesize
5.2MB

MD5
ce182cb279d62d693c4e471ec00b593c

SHA1
2628b73aaa7947157ecb049695191ed67134c0bd

SHA256
10da18518761363586bcf118602af93085c13e0f1df5842e76ef924199fe53b8

SHA512
fd362f0d6ef17de752d95c977ecc247894232f4c10e7f6a64af207ae3196c7a52bcbb2d7543b99fde9149d182b0884129b93c32c84edcff0abab27c00d3bd416

Download Submit
C:\Windows\System\OImTyEX.exe

Filesize
5.2MB

MD5
901805bbff5c1a5209768a6a87acdde8

SHA1
bfafe2ebeeeef4b04835b68770b2d3fae8a29d87

SHA256
4a70a537b0ec5a3f975c0b00ad39dd6c1e28e26f1e102b7142b0448cbdd4c717

SHA512
d1026d8ea48d03787643c44ca69a4a753ed484e609bed70ce542831975f58640fe57d010a9b5cec9303ebbe30c7e3eb47e756f09397c5815dc8bea6121f10cce

Download Submit
C:\Windows\System\SycyCFv.exe

Filesize
5.2MB

MD5
41d8d13ee1aadb0c0deddd7b38e4e5e6

SHA1
34441a34bc5bf1bf5d6f945e2c8f7b9b489e7eb0

SHA256
42d9eb7a9de9af552b3bc28cb3cc609728f87c968e94eb9b545812f03ee69d28

SHA512
43d09b27912965330b6c427b083e493c9958ea088d1a18969c16622dea5aa57ff815cdafd8d56b827725c0240f10f9de74a473b0b8f1773244d75cfc0aa6dc71

Download Submit
C:\Windows\System\UiaVQvj.exe

Filesize
5.2MB

MD5
136b3e3777983d5c24c600f93fe050d4

SHA1
06ef3fa2a829919bd92066231a43f3600305193b

SHA256
ba102cc0be6a03bdd15ccd8f64440ea865a2c02f204451f8f80d0de062cea9fb

SHA512
7e9544f3f428b7b8141bf82b295e34bee27b2ee8d330e68009dcadf796795b8552cf4adf0c4a0b49d088a7d138ec541a9b92010a9b901cf8d222c9bed81b87b2

Download Submit
C:\Windows\System\ZFRyDDQ.exe

Filesize
5.2MB

MD5
b5ae0a4b08deda559f50f93203734e5a

SHA1
9cee4c043874e322efe6431bfb5f5c9116c7715b

SHA256
a86c32794ba4a37dcce0ba2f5bf932fc97249c15f801d2f7495eb73657c683b6

SHA512
18a1dfdefff53924a34b5e380903c7c1b89401696a371f4d8fb8bbeac1682eba50f0b1d1e0b1310c888c519dcc7b13c8ffb33568e83c831e67359c8bf58c9460

Download Submit
C:\Windows\System\cHfssjY.exe

Filesize
5.2MB

MD5
0733ec184afea7d4d1ec8921b4d7f5c1

SHA1
cf00a5cd669802a070c2d9d72a9dcc4a1c001acd

SHA256
fcc09ac93f7aec80801e28d5c24e759aec76a30dd253958993eb669809f4bbf4

SHA512
9f73dbf6ed0e91f10a52d8914641d942d02299a7cf08a54aaed8dc02481c906e72b10806c8a88c035bbca949f61e57a318bc2259f6c4081eca8a26148f23c0ce

Download Submit
C:\Windows\System\dDwysVr.exe

Filesize
5.2MB

MD5
44cc9c85a9588b96c167fd41e92f711f

SHA1
63c96f180c152fe465fd48fbb048496c7c450104

SHA256
51a4df1a2456adb03019430bfab192d7ed0b7576a5bdd13f2ae188399972a88a

SHA512
48ed2e24aa444f033f015b7ef2472e219c9a34c5877c04fa65f751a9b245d56e6a5686ab446f81c850ee163f8866f37b16073906f4a6fd268277aa5b7ee40fec

Download Submit
C:\Windows\System\fGiXlQw.exe

Filesize
5.2MB

MD5
37a92fba77a3b68efabbf721c3fb4773

SHA1
61dfdae64d64406e4e42e8266552fe8684a9d7c0

SHA256
4727bca8b4b914f7dfdf21c6048fbb33f45968efb4007e8b92504a41801140bf

SHA512
5a2fd7aae613d1b19481a2d2d60d8ca7d2d7eafc9253a7150add161fece89f1b315f91cc4eb388085091b048de49c55d48decc1ac79222f0886773489d7689f4

Download Submit
C:\Windows\System\jTVJfos.exe

Filesize
5.2MB

MD5
98b3e68c1cf25d4858fc8b6b1be5ddcd

SHA1
acbe17af47de6ace7577c95f8001dea12e687e59

SHA256
90908c9776a0de99925d8c9e85985acfb0ba4c15ebaf35ebd5e3f4ab5adc9a87

SHA512
cba78076a5bfdf1e6744399a4f8eb98d94b57353f979e901428cfe144d99fb58d93c94da22b802a6a35f788fdd7bcf67a346645523fcfff49c7795baffe247e6

Download Submit
C:\Windows\System\jywjnDP.exe

Filesize
5.2MB

MD5
6934bbcc9c09b81462279c1ef0299054

SHA1
fe160eb351f8de14747f8edcccef21f0c07bb9d5

SHA256
3ee213dfaec8485b295ef4a509ca53df2088fd7ea48c1a0b57aa9351bc0a1fed

SHA512
e6a9d3a632afa59f2101d7503e28afe5ac41a2ce709a6b6745fbd92608413ba9b18dcc9852d80fb045e925fa376d141a47d69883eae854779c8b79cb1120aaa9

Download Submit
C:\Windows\System\oviadrT.exe

Filesize
5.2MB

MD5
37c9627f6d8431876ed494e1c76b750c

SHA1
b72fb3e8bf005139865623902930e8c95265f362

SHA256
2ca9f926374d421e9ea4b7a497a4f575bfad678ee99fcfad55c6999f6677888f

SHA512
914544900fcdf049aff52e9422800a25efd9ad8e16708f1cc3889d353ed79fd0b802de57de230bf2403175a3e0db1bb6548f7140386feafe10376490eafd5bbc

Download Submit
C:\Windows\System\ylITgpS.exe

Filesize
5.2MB

MD5
4e5ef2b9764b62d59990df959f9fccad

SHA1
f1df2032deba90e44c57f76dedb04ac3609bbb33

SHA256
e73fd7de0e2b029c7fded76bbe01137fc03d105deaa76257034bcae25b4db136

SHA512
185d859e056a033df3c95c13799a07469dc56b676493df3bf3b748f6d252c665b8a77deea7046d257724adc5958a1ade543c5f6689296314f2fc50d9a6fe4150

Download Submit
memory/536-73-0x00007FF74F6B0000-0x00007FF74FA01000-memory.dmp

Filesize
3.3MB

Download
memory/536-146-0x00007FF74F6B0000-0x00007FF74FA01000-memory.dmp

Filesize
3.3MB

Download
memory/536-239-0x00007FF74F6B0000-0x00007FF74FA01000-memory.dmp

Filesize
3.3MB

Download
memory/572-130-0x00007FF7BE400000-0x00007FF7BE751000-memory.dmp

Filesize
3.3MB

Download
memory/572-264-0x00007FF7BE400000-0x00007FF7BE751000-memory.dmp

Filesize
3.3MB

Download
memory/572-154-0x00007FF7BE400000-0x00007FF7BE751000-memory.dmp

Filesize
3.3MB

Download
memory/672-79-0x00007FF647000000-0x00007FF647351000-memory.dmp

Filesize
3.3MB

Download
memory/672-147-0x00007FF647000000-0x00007FF647351000-memory.dmp

Filesize
3.3MB

Download
memory/672-243-0x00007FF647000000-0x00007FF647351000-memory.dmp

Filesize
3.3MB

Download
memory/1004-59-0x00007FF7BCAA0000-0x00007FF7BCDF1000-memory.dmp

Filesize
3.3MB

Download
memory/1004-226-0x00007FF7BCAA0000-0x00007FF7BCDF1000-memory.dmp

Filesize
3.3MB

Download
memory/1276-62-0x00007FF6592B0000-0x00007FF659601000-memory.dmp

Filesize
3.3MB

Download
memory/1276-144-0x00007FF6592B0000-0x00007FF659601000-memory.dmp

Filesize
3.3MB

Download
memory/1276-231-0x00007FF6592B0000-0x00007FF659601000-memory.dmp

Filesize
3.3MB

Download
memory/1700-0-0x00007FF70AF00000-0x00007FF70B251000-memory.dmp

Filesize
3.3MB

Download
memory/1700-134-0x00007FF70AF00000-0x00007FF70B251000-memory.dmp

Filesize
3.3MB

Download
memory/1700-1-0x00000218679B0000-0x00000218679C0000-memory.dmp

Filesize
64KB

Download
memory/1700-156-0x00007FF70AF00000-0x00007FF70B251000-memory.dmp

Filesize
3.3MB

Download
memory/1700-85-0x00007FF70AF00000-0x00007FF70B251000-memory.dmp

Filesize
3.3MB

Download
memory/2236-86-0x00007FF66E3A0000-0x00007FF66E6F1000-memory.dmp

Filesize
3.3MB

Download
memory/2236-148-0x00007FF66E3A0000-0x00007FF66E6F1000-memory.dmp

Filesize
3.3MB

Download
memory/2236-247-0x00007FF66E3A0000-0x00007FF66E6F1000-memory.dmp

Filesize
3.3MB

Download
memory/2280-35-0x00007FF6BDD80000-0x00007FF6BE0D1000-memory.dmp

Filesize
3.3MB

Download
memory/2280-223-0x00007FF6BDD80000-0x00007FF6BE0D1000-memory.dmp

Filesize
3.3MB

Download
memory/2280-120-0x00007FF6BDD80000-0x00007FF6BE0D1000-memory.dmp

Filesize
3.3MB

Download
memory/2300-125-0x00007FF6ECF50000-0x00007FF6ED2A1000-memory.dmp

Filesize
3.3MB

Download
memory/2300-255-0x00007FF6ECF50000-0x00007FF6ED2A1000-memory.dmp

Filesize
3.3MB

Download
memory/3188-58-0x00007FF781A60000-0x00007FF781DB1000-memory.dmp

Filesize
3.3MB

Download
memory/3188-230-0x00007FF781A60000-0x00007FF781DB1000-memory.dmp

Filesize
3.3MB

Download
memory/3508-129-0x00007FF7AA910000-0x00007FF7AAC61000-memory.dmp

Filesize
3.3MB

Download
memory/3508-259-0x00007FF7AA910000-0x00007FF7AAC61000-memory.dmp

Filesize
3.3MB

Download
memory/3616-131-0x00007FF603850000-0x00007FF603BA1000-memory.dmp

Filesize
3.3MB

Download
memory/3616-262-0x00007FF603850000-0x00007FF603BA1000-memory.dmp

Filesize
3.3MB

Download
memory/3740-213-0x00007FF731170000-0x00007FF7314C1000-memory.dmp

Filesize
3.3MB

Download
memory/3740-31-0x00007FF731170000-0x00007FF7314C1000-memory.dmp

Filesize
3.3MB

Download
memory/4204-211-0x00007FF7CE4F0000-0x00007FF7CE841000-memory.dmp

Filesize
3.3MB

Download
memory/4204-21-0x00007FF7CE4F0000-0x00007FF7CE841000-memory.dmp

Filesize
3.3MB

Download
memory/4204-78-0x00007FF7CE4F0000-0x00007FF7CE841000-memory.dmp

Filesize
3.3MB

Download
memory/4364-67-0x00007FF636280000-0x00007FF6365D1000-memory.dmp

Filesize
3.3MB

Download
memory/4364-145-0x00007FF636280000-0x00007FF6365D1000-memory.dmp

Filesize
3.3MB

Download
memory/4364-241-0x00007FF636280000-0x00007FF6365D1000-memory.dmp

Filesize
3.3MB

Download
memory/4412-253-0x00007FF669020000-0x00007FF669371000-memory.dmp

Filesize
3.3MB

Download
memory/4412-132-0x00007FF669020000-0x00007FF669371000-memory.dmp

Filesize
3.3MB

Download
memory/4472-246-0x00007FF7CAC90000-0x00007FF7CAFE1000-memory.dmp

Filesize
3.3MB

Download
memory/4472-93-0x00007FF7CAC90000-0x00007FF7CAFE1000-memory.dmp

Filesize
3.3MB

Download
memory/4472-149-0x00007FF7CAC90000-0x00007FF7CAFE1000-memory.dmp

Filesize
3.3MB

Download
memory/4476-215-0x00007FF7E5690000-0x00007FF7E59E1000-memory.dmp

Filesize
3.3MB

Download
memory/4476-117-0x00007FF7E5690000-0x00007FF7E59E1000-memory.dmp

Filesize
3.3MB

Download
memory/4476-26-0x00007FF7E5690000-0x00007FF7E59E1000-memory.dmp

Filesize
3.3MB

Download
memory/4576-222-0x00007FF630980000-0x00007FF630CD1000-memory.dmp

Filesize
3.3MB

Download
memory/4576-57-0x00007FF630980000-0x00007FF630CD1000-memory.dmp

Filesize
3.3MB

Download
memory/4884-257-0x00007FF7CA220000-0x00007FF7CA571000-memory.dmp

Filesize
3.3MB

Download
memory/4884-126-0x00007FF7CA220000-0x00007FF7CA571000-memory.dmp

Filesize
3.3MB

Download
memory/4968-228-0x00007FF7B4950000-0x00007FF7B4CA1000-memory.dmp

Filesize
3.3MB

Download
memory/4968-54-0x00007FF7B4950000-0x00007FF7B4CA1000-memory.dmp

Filesize
3.3MB

Download
memory/4968-122-0x00007FF7B4950000-0x00007FF7B4CA1000-memory.dmp

Filesize
3.3MB

Download
memory/5064-92-0x00007FF68C1A0000-0x00007FF68C4F1000-memory.dmp

Filesize
3.3MB

Download
memory/5064-209-0x00007FF68C1A0000-0x00007FF68C4F1000-memory.dmp

Filesize
3.3MB

Download
memory/5064-8-0x00007FF68C1A0000-0x00007FF68C4F1000-memory.dmp

Filesize
3.3MB

Download