cobaltstrike | 3e333ec749a74bac9b35fde28280a3705893d29bd5d6f5dda8e966b8d938a07f

Analysis

max time kernel
144s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2024 19:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-25_dab1c3501a2622fceaad7510ce5d3b37_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

dab1c3501a2622fceaad7510ce5d3b37
SHA1

5fd3e70487daabdbc6d0d75c65c2529f6aaae184
SHA256

3e333ec749a74bac9b35fde28280a3705893d29bd5d6f5dda8e966b8d938a07f
SHA512

a9a70cb89d78db183fa3c59aac3137a98c6a1895e5271608e5fa5d999a6bde4bd389a1219c34a96021ad311302d01c101864ff262c27fac1a277d3dceecef060
SSDEEP

49152:ROdWCCi7/raN56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lu:RWWBib+56utgpPFotBER/mQ32lUi

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0007000000023ce1-7.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023cda-12.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ce3-24.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ce4-28.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ce7-48.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ce6-59.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cea-66.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ced-89.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cef-97.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cf0-109.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cee-104.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cec-84.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ceb-79.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ce9-68.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ce8-57.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ce2-39.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ce5-32.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023cdd-16.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cf3-131.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cf4-132.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cf1-135.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 44 IoCs

miner

resource	yara_rule
behavioral2/memory/396-81-0x00007FF6C37A0000-0x00007FF6C3AF1000-memory.dmp	xmrig
behavioral2/memory/1140-83-0x00007FF76C570000-0x00007FF76C8C1000-memory.dmp	xmrig
behavioral2/memory/1216-82-0x00007FF78F630000-0x00007FF78F981000-memory.dmp	xmrig
behavioral2/memory/4636-76-0x00007FF78C200000-0x00007FF78C551000-memory.dmp	xmrig
behavioral2/memory/3228-55-0x00007FF7DB690000-0x00007FF7DB9E1000-memory.dmp	xmrig
behavioral2/memory/2988-115-0x00007FF72D360000-0x00007FF72D6B1000-memory.dmp	xmrig
behavioral2/memory/516-125-0x00007FF648840000-0x00007FF648B91000-memory.dmp	xmrig
behavioral2/memory/3996-129-0x00007FF7261B0000-0x00007FF726501000-memory.dmp	xmrig
behavioral2/memory/5028-124-0x00007FF730810000-0x00007FF730B61000-memory.dmp	xmrig
behavioral2/memory/3300-117-0x00007FF6A1060000-0x00007FF6A13B1000-memory.dmp	xmrig
behavioral2/memory/4528-114-0x00007FF6B96F0000-0x00007FF6B9A41000-memory.dmp	xmrig
behavioral2/memory/1080-113-0x00007FF73AA20000-0x00007FF73AD71000-memory.dmp	xmrig
behavioral2/memory/2800-112-0x00007FF6EF260000-0x00007FF6EF5B1000-memory.dmp	xmrig
behavioral2/memory/1816-145-0x00007FF6081A0000-0x00007FF6084F1000-memory.dmp	xmrig
behavioral2/memory/3012-148-0x00007FF7A46A0000-0x00007FF7A49F1000-memory.dmp	xmrig
behavioral2/memory/2036-146-0x00007FF7B6860000-0x00007FF7B6BB1000-memory.dmp	xmrig
behavioral2/memory/1732-143-0x00007FF6238D0000-0x00007FF623C21000-memory.dmp	xmrig
behavioral2/memory/2908-147-0x00007FF7A9EE0000-0x00007FF7AA231000-memory.dmp	xmrig
behavioral2/memory/2676-142-0x00007FF7E3710000-0x00007FF7E3A61000-memory.dmp	xmrig
behavioral2/memory/832-144-0x00007FF6ED1C0000-0x00007FF6ED511000-memory.dmp	xmrig
behavioral2/memory/516-149-0x00007FF648840000-0x00007FF648B91000-memory.dmp	xmrig
behavioral2/memory/1440-161-0x00007FF6BAF00000-0x00007FF6BB251000-memory.dmp	xmrig
behavioral2/memory/4280-162-0x00007FF7B5460000-0x00007FF7B57B1000-memory.dmp	xmrig
behavioral2/memory/2800-211-0x00007FF6EF260000-0x00007FF6EF5B1000-memory.dmp	xmrig
behavioral2/memory/1080-213-0x00007FF73AA20000-0x00007FF73AD71000-memory.dmp	xmrig
behavioral2/memory/2988-215-0x00007FF72D360000-0x00007FF72D6B1000-memory.dmp	xmrig
behavioral2/memory/4528-219-0x00007FF6B96F0000-0x00007FF6B9A41000-memory.dmp	xmrig
behavioral2/memory/3228-218-0x00007FF7DB690000-0x00007FF7DB9E1000-memory.dmp	xmrig
behavioral2/memory/396-222-0x00007FF6C37A0000-0x00007FF6C3AF1000-memory.dmp	xmrig
behavioral2/memory/1216-229-0x00007FF78F630000-0x00007FF78F981000-memory.dmp	xmrig
behavioral2/memory/1140-236-0x00007FF76C570000-0x00007FF76C8C1000-memory.dmp	xmrig
behavioral2/memory/3300-228-0x00007FF6A1060000-0x00007FF6A13B1000-memory.dmp	xmrig
behavioral2/memory/4636-226-0x00007FF78C200000-0x00007FF78C551000-memory.dmp	xmrig
behavioral2/memory/5028-224-0x00007FF730810000-0x00007FF730B61000-memory.dmp	xmrig
behavioral2/memory/3996-239-0x00007FF7261B0000-0x00007FF726501000-memory.dmp	xmrig
behavioral2/memory/2676-242-0x00007FF7E3710000-0x00007FF7E3A61000-memory.dmp	xmrig
behavioral2/memory/1732-241-0x00007FF6238D0000-0x00007FF623C21000-memory.dmp	xmrig
behavioral2/memory/1816-249-0x00007FF6081A0000-0x00007FF6084F1000-memory.dmp	xmrig
behavioral2/memory/2036-246-0x00007FF7B6860000-0x00007FF7B6BB1000-memory.dmp	xmrig
behavioral2/memory/2908-245-0x00007FF7A9EE0000-0x00007FF7AA231000-memory.dmp	xmrig
behavioral2/memory/832-250-0x00007FF6ED1C0000-0x00007FF6ED511000-memory.dmp	xmrig
behavioral2/memory/3012-255-0x00007FF7A46A0000-0x00007FF7A49F1000-memory.dmp	xmrig
behavioral2/memory/1440-257-0x00007FF6BAF00000-0x00007FF6BB251000-memory.dmp	xmrig
behavioral2/memory/4280-259-0x00007FF7B5460000-0x00007FF7B57B1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2800	QoORAzn.exe
1080	FzHSMEf.exe
4528	LsMcRIo.exe
2988	BvfwboC.exe
3300	MQUFnAa.exe
4636	bRSuUDf.exe
3228	ALRETlZ.exe
396	RcxIVfA.exe
1216	RLRzvZk.exe
5028	OYDZjwC.exe
3996	GKXgDfr.exe
1140	ZxRhfBa.exe
2676	jzoNTKv.exe
1732	daGojxu.exe
832	txMSuyJ.exe
1816	wTPZTiU.exe
2036	QmxHLoD.exe
2908	HQOAyro.exe
3012	uuhoChm.exe
1440	HihRWvu.exe
4280	BLGRnAT.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/516-0-0x00007FF648840000-0x00007FF648B91000-memory.dmp	upx
behavioral2/files/0x0007000000023ce1-7.dat	upx
behavioral2/files/0x0008000000023cda-12.dat	upx
behavioral2/files/0x0007000000023ce3-24.dat	upx
behavioral2/files/0x0007000000023ce4-28.dat	upx
behavioral2/files/0x0007000000023ce7-48.dat	upx
behavioral2/files/0x0007000000023ce6-59.dat	upx
behavioral2/files/0x0007000000023cea-66.dat	upx
behavioral2/memory/396-81-0x00007FF6C37A0000-0x00007FF6C3AF1000-memory.dmp	upx
behavioral2/memory/1140-83-0x00007FF76C570000-0x00007FF76C8C1000-memory.dmp	upx
behavioral2/files/0x0007000000023ced-89.dat	upx
behavioral2/files/0x0007000000023cef-97.dat	upx
behavioral2/files/0x0007000000023cf0-109.dat	upx
behavioral2/memory/2908-108-0x00007FF7A9EE0000-0x00007FF7AA231000-memory.dmp	upx
behavioral2/files/0x0007000000023cee-104.dat	upx
behavioral2/memory/1816-103-0x00007FF6081A0000-0x00007FF6084F1000-memory.dmp	upx
behavioral2/memory/2036-99-0x00007FF7B6860000-0x00007FF7B6BB1000-memory.dmp	upx
behavioral2/memory/832-98-0x00007FF6ED1C0000-0x00007FF6ED511000-memory.dmp	upx
behavioral2/memory/1732-86-0x00007FF6238D0000-0x00007FF623C21000-memory.dmp	upx
behavioral2/files/0x0007000000023cec-84.dat	upx
behavioral2/memory/1216-82-0x00007FF78F630000-0x00007FF78F981000-memory.dmp	upx
behavioral2/files/0x0007000000023ceb-79.dat	upx
behavioral2/memory/4636-76-0x00007FF78C200000-0x00007FF78C551000-memory.dmp	upx
behavioral2/memory/2676-71-0x00007FF7E3710000-0x00007FF7E3A61000-memory.dmp	upx
behavioral2/memory/3996-70-0x00007FF7261B0000-0x00007FF726501000-memory.dmp	upx
behavioral2/files/0x0007000000023ce9-68.dat	upx
behavioral2/memory/5028-64-0x00007FF730810000-0x00007FF730B61000-memory.dmp	upx
behavioral2/files/0x0007000000023ce8-57.dat	upx
behavioral2/memory/3228-55-0x00007FF7DB690000-0x00007FF7DB9E1000-memory.dmp	upx
behavioral2/memory/3300-44-0x00007FF6A1060000-0x00007FF6A13B1000-memory.dmp	upx
behavioral2/files/0x0007000000023ce2-39.dat	upx
behavioral2/memory/2988-33-0x00007FF72D360000-0x00007FF72D6B1000-memory.dmp	upx
behavioral2/files/0x0007000000023ce5-32.dat	upx
behavioral2/memory/4528-21-0x00007FF6B96F0000-0x00007FF6B9A41000-memory.dmp	upx
behavioral2/files/0x0008000000023cdd-16.dat	upx
behavioral2/memory/1080-13-0x00007FF73AA20000-0x00007FF73AD71000-memory.dmp	upx
behavioral2/memory/2800-9-0x00007FF6EF260000-0x00007FF6EF5B1000-memory.dmp	upx
behavioral2/memory/2988-115-0x00007FF72D360000-0x00007FF72D6B1000-memory.dmp	upx
behavioral2/memory/516-125-0x00007FF648840000-0x00007FF648B91000-memory.dmp	upx
behavioral2/files/0x0007000000023cf3-131.dat	upx
behavioral2/files/0x0007000000023cf4-132.dat	upx
behavioral2/files/0x0007000000023cf1-135.dat	upx
behavioral2/memory/1440-134-0x00007FF6BAF00000-0x00007FF6BB251000-memory.dmp	upx
behavioral2/memory/4280-133-0x00007FF7B5460000-0x00007FF7B57B1000-memory.dmp	upx
behavioral2/memory/3012-130-0x00007FF7A46A0000-0x00007FF7A49F1000-memory.dmp	upx
behavioral2/memory/3996-129-0x00007FF7261B0000-0x00007FF726501000-memory.dmp	upx
behavioral2/memory/5028-124-0x00007FF730810000-0x00007FF730B61000-memory.dmp	upx
behavioral2/memory/3300-117-0x00007FF6A1060000-0x00007FF6A13B1000-memory.dmp	upx
behavioral2/memory/4528-114-0x00007FF6B96F0000-0x00007FF6B9A41000-memory.dmp	upx
behavioral2/memory/1080-113-0x00007FF73AA20000-0x00007FF73AD71000-memory.dmp	upx
behavioral2/memory/2800-112-0x00007FF6EF260000-0x00007FF6EF5B1000-memory.dmp	upx
behavioral2/memory/1816-145-0x00007FF6081A0000-0x00007FF6084F1000-memory.dmp	upx
behavioral2/memory/3012-148-0x00007FF7A46A0000-0x00007FF7A49F1000-memory.dmp	upx
behavioral2/memory/2036-146-0x00007FF7B6860000-0x00007FF7B6BB1000-memory.dmp	upx
behavioral2/memory/1732-143-0x00007FF6238D0000-0x00007FF623C21000-memory.dmp	upx
behavioral2/memory/2908-147-0x00007FF7A9EE0000-0x00007FF7AA231000-memory.dmp	upx
behavioral2/memory/2676-142-0x00007FF7E3710000-0x00007FF7E3A61000-memory.dmp	upx
behavioral2/memory/832-144-0x00007FF6ED1C0000-0x00007FF6ED511000-memory.dmp	upx
behavioral2/memory/516-149-0x00007FF648840000-0x00007FF648B91000-memory.dmp	upx
behavioral2/memory/1440-161-0x00007FF6BAF00000-0x00007FF6BB251000-memory.dmp	upx
behavioral2/memory/4280-162-0x00007FF7B5460000-0x00007FF7B57B1000-memory.dmp	upx
behavioral2/memory/2800-211-0x00007FF6EF260000-0x00007FF6EF5B1000-memory.dmp	upx
behavioral2/memory/1080-213-0x00007FF73AA20000-0x00007FF73AD71000-memory.dmp	upx
behavioral2/memory/2988-215-0x00007FF72D360000-0x00007FF72D6B1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\MQUFnAa.exe	2024-12-25_dab1c3501a2622fceaad7510ce5d3b37_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GKXgDfr.exe	2024-12-25_dab1c3501a2622fceaad7510ce5d3b37_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZxRhfBa.exe	2024-12-25_dab1c3501a2622fceaad7510ce5d3b37_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\txMSuyJ.exe	2024-12-25_dab1c3501a2622fceaad7510ce5d3b37_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uuhoChm.exe	2024-12-25_dab1c3501a2622fceaad7510ce5d3b37_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QmxHLoD.exe	2024-12-25_dab1c3501a2622fceaad7510ce5d3b37_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BLGRnAT.exe	2024-12-25_dab1c3501a2622fceaad7510ce5d3b37_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bRSuUDf.exe	2024-12-25_dab1c3501a2622fceaad7510ce5d3b37_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RcxIVfA.exe	2024-12-25_dab1c3501a2622fceaad7510ce5d3b37_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RLRzvZk.exe	2024-12-25_dab1c3501a2622fceaad7510ce5d3b37_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jzoNTKv.exe	2024-12-25_dab1c3501a2622fceaad7510ce5d3b37_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wTPZTiU.exe	2024-12-25_dab1c3501a2622fceaad7510ce5d3b37_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ALRETlZ.exe	2024-12-25_dab1c3501a2622fceaad7510ce5d3b37_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\daGojxu.exe	2024-12-25_dab1c3501a2622fceaad7510ce5d3b37_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HihRWvu.exe	2024-12-25_dab1c3501a2622fceaad7510ce5d3b37_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HQOAyro.exe	2024-12-25_dab1c3501a2622fceaad7510ce5d3b37_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QoORAzn.exe	2024-12-25_dab1c3501a2622fceaad7510ce5d3b37_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FzHSMEf.exe	2024-12-25_dab1c3501a2622fceaad7510ce5d3b37_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LsMcRIo.exe	2024-12-25_dab1c3501a2622fceaad7510ce5d3b37_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BvfwboC.exe	2024-12-25_dab1c3501a2622fceaad7510ce5d3b37_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OYDZjwC.exe	2024-12-25_dab1c3501a2622fceaad7510ce5d3b37_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	516	2024-12-25_dab1c3501a2622fceaad7510ce5d3b37_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	516	2024-12-25_dab1c3501a2622fceaad7510ce5d3b37_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 516 wrote to memory of 2800	516	2024-12-25_dab1c3501a2622fceaad7510ce5d3b37_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 516 wrote to memory of 2800	516	2024-12-25_dab1c3501a2622fceaad7510ce5d3b37_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 516 wrote to memory of 1080	516	2024-12-25_dab1c3501a2622fceaad7510ce5d3b37_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 516 wrote to memory of 1080	516	2024-12-25_dab1c3501a2622fceaad7510ce5d3b37_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 516 wrote to memory of 4528	516	2024-12-25_dab1c3501a2622fceaad7510ce5d3b37_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 516 wrote to memory of 4528	516	2024-12-25_dab1c3501a2622fceaad7510ce5d3b37_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 516 wrote to memory of 2988	516	2024-12-25_dab1c3501a2622fceaad7510ce5d3b37_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 516 wrote to memory of 2988	516	2024-12-25_dab1c3501a2622fceaad7510ce5d3b37_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 516 wrote to memory of 3300	516	2024-12-25_dab1c3501a2622fceaad7510ce5d3b37_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 516 wrote to memory of 3300	516	2024-12-25_dab1c3501a2622fceaad7510ce5d3b37_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 516 wrote to memory of 4636	516	2024-12-25_dab1c3501a2622fceaad7510ce5d3b37_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 516 wrote to memory of 4636	516	2024-12-25_dab1c3501a2622fceaad7510ce5d3b37_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 516 wrote to memory of 3228	516	2024-12-25_dab1c3501a2622fceaad7510ce5d3b37_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 516 wrote to memory of 3228	516	2024-12-25_dab1c3501a2622fceaad7510ce5d3b37_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 516 wrote to memory of 396	516	2024-12-25_dab1c3501a2622fceaad7510ce5d3b37_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 516 wrote to memory of 396	516	2024-12-25_dab1c3501a2622fceaad7510ce5d3b37_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 516 wrote to memory of 1216	516	2024-12-25_dab1c3501a2622fceaad7510ce5d3b37_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 516 wrote to memory of 1216	516	2024-12-25_dab1c3501a2622fceaad7510ce5d3b37_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 516 wrote to memory of 5028	516	2024-12-25_dab1c3501a2622fceaad7510ce5d3b37_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 516 wrote to memory of 5028	516	2024-12-25_dab1c3501a2622fceaad7510ce5d3b37_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 516 wrote to memory of 3996	516	2024-12-25_dab1c3501a2622fceaad7510ce5d3b37_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 516 wrote to memory of 3996	516	2024-12-25_dab1c3501a2622fceaad7510ce5d3b37_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 516 wrote to memory of 1140	516	2024-12-25_dab1c3501a2622fceaad7510ce5d3b37_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 516 wrote to memory of 1140	516	2024-12-25_dab1c3501a2622fceaad7510ce5d3b37_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 516 wrote to memory of 2676	516	2024-12-25_dab1c3501a2622fceaad7510ce5d3b37_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 516 wrote to memory of 2676	516	2024-12-25_dab1c3501a2622fceaad7510ce5d3b37_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 516 wrote to memory of 1732	516	2024-12-25_dab1c3501a2622fceaad7510ce5d3b37_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 516 wrote to memory of 1732	516	2024-12-25_dab1c3501a2622fceaad7510ce5d3b37_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 516 wrote to memory of 832	516	2024-12-25_dab1c3501a2622fceaad7510ce5d3b37_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 516 wrote to memory of 832	516	2024-12-25_dab1c3501a2622fceaad7510ce5d3b37_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 516 wrote to memory of 1816	516	2024-12-25_dab1c3501a2622fceaad7510ce5d3b37_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 516 wrote to memory of 1816	516	2024-12-25_dab1c3501a2622fceaad7510ce5d3b37_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 516 wrote to memory of 2036	516	2024-12-25_dab1c3501a2622fceaad7510ce5d3b37_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 516 wrote to memory of 2036	516	2024-12-25_dab1c3501a2622fceaad7510ce5d3b37_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 516 wrote to memory of 2908	516	2024-12-25_dab1c3501a2622fceaad7510ce5d3b37_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 516 wrote to memory of 2908	516	2024-12-25_dab1c3501a2622fceaad7510ce5d3b37_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 516 wrote to memory of 3012	516	2024-12-25_dab1c3501a2622fceaad7510ce5d3b37_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 516 wrote to memory of 3012	516	2024-12-25_dab1c3501a2622fceaad7510ce5d3b37_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 516 wrote to memory of 1440	516	2024-12-25_dab1c3501a2622fceaad7510ce5d3b37_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 516 wrote to memory of 1440	516	2024-12-25_dab1c3501a2622fceaad7510ce5d3b37_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 516 wrote to memory of 4280	516	2024-12-25_dab1c3501a2622fceaad7510ce5d3b37_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 516 wrote to memory of 4280	516	2024-12-25_dab1c3501a2622fceaad7510ce5d3b37_cobalt-strike_cobaltstrike_poet-rat.exe	105

C:\Users\Admin\AppData\Local\Temp\2024-12-25_dab1c3501a2622fceaad7510ce5d3b37_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-25_dab1c3501a2622fceaad7510ce5d3b37_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:516
- C:\Windows\System\QoORAzn.exe
  C:\Windows\System\QoORAzn.exe
  2⤵
  - Executes dropped EXE
  PID:2800
- C:\Windows\System\FzHSMEf.exe
  C:\Windows\System\FzHSMEf.exe
  2⤵
  - Executes dropped EXE
  PID:1080
- C:\Windows\System\LsMcRIo.exe
  C:\Windows\System\LsMcRIo.exe
  2⤵
  - Executes dropped EXE
  PID:4528
- C:\Windows\System\BvfwboC.exe
  C:\Windows\System\BvfwboC.exe
  2⤵
  - Executes dropped EXE
  PID:2988
- C:\Windows\System\MQUFnAa.exe
  C:\Windows\System\MQUFnAa.exe
  2⤵
  - Executes dropped EXE
  PID:3300
- C:\Windows\System\bRSuUDf.exe
  C:\Windows\System\bRSuUDf.exe
  2⤵
  - Executes dropped EXE
  PID:4636
- C:\Windows\System\ALRETlZ.exe
  C:\Windows\System\ALRETlZ.exe
  2⤵
  - Executes dropped EXE
  PID:3228
- C:\Windows\System\RcxIVfA.exe
  C:\Windows\System\RcxIVfA.exe
  2⤵
  - Executes dropped EXE
  PID:396
- C:\Windows\System\RLRzvZk.exe
  C:\Windows\System\RLRzvZk.exe
  2⤵
  - Executes dropped EXE
  PID:1216
- C:\Windows\System\OYDZjwC.exe
  C:\Windows\System\OYDZjwC.exe
  2⤵
  - Executes dropped EXE
  PID:5028
- C:\Windows\System\GKXgDfr.exe
  C:\Windows\System\GKXgDfr.exe
  2⤵
  - Executes dropped EXE
  PID:3996
- C:\Windows\System\ZxRhfBa.exe
  C:\Windows\System\ZxRhfBa.exe
  2⤵
  - Executes dropped EXE
  PID:1140
- C:\Windows\System\jzoNTKv.exe
  C:\Windows\System\jzoNTKv.exe
  2⤵
  - Executes dropped EXE
  PID:2676
- C:\Windows\System\daGojxu.exe
  C:\Windows\System\daGojxu.exe
  2⤵
  - Executes dropped EXE
  PID:1732
- C:\Windows\System\txMSuyJ.exe
  C:\Windows\System\txMSuyJ.exe
  2⤵
  - Executes dropped EXE
  PID:832
- C:\Windows\System\wTPZTiU.exe
  C:\Windows\System\wTPZTiU.exe
  2⤵
  - Executes dropped EXE
  PID:1816
- C:\Windows\System\QmxHLoD.exe
  C:\Windows\System\QmxHLoD.exe
  2⤵
  - Executes dropped EXE
  PID:2036
- C:\Windows\System\HQOAyro.exe
  C:\Windows\System\HQOAyro.exe
  2⤵
  - Executes dropped EXE
  PID:2908
- C:\Windows\System\uuhoChm.exe
  C:\Windows\System\uuhoChm.exe
  2⤵
  - Executes dropped EXE
  PID:3012
- C:\Windows\System\HihRWvu.exe
  C:\Windows\System\HihRWvu.exe
  2⤵
  - Executes dropped EXE
  PID:1440
- C:\Windows\System\BLGRnAT.exe
  C:\Windows\System\BLGRnAT.exe
  2⤵
  - Executes dropped EXE
  PID:4280

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\ALRETlZ.exe

Filesize
5.2MB

MD5
c035bf9ca089890f06f047f574047d2b

SHA1
8087d8453ad767c55b5eb663e30b642aba9f5635

SHA256
69fa02980abb02a2a215f836d16f2a30a919377726c995b3678513a6e79cbfe5

SHA512
5b85298997919f9a76e9f706e9e9292ee2081c6977f27c0553af99fa58e227dc555a78e8f297236149920d00b416b77dd1d7533c9a7fae973b10cebf1b16ea54

Download Submit
C:\Windows\System\BLGRnAT.exe

Filesize
5.2MB

MD5
9cfa71fc5beb14aed856b02a04a9c87f

SHA1
88c59f9439deb01a0cc972050b4805107c604a31

SHA256
649ac3465c027c739872285caa208c3a377be569e75a019508e698bc804cf95e

SHA512
1eb34d5ef1dbcfe680f1ed46c5d112553412858df189eda87a4736d10da179f5d0464dfe8756f0119fc1189986db45dc0a07d25f01bff3c985a2380a9404e3e7

Download Submit
C:\Windows\System\BvfwboC.exe

Filesize
5.2MB

MD5
49711fa47d703f3476522196b8d689f1

SHA1
59c61f95700faf4efbc5fe563ce69753db8f0e33

SHA256
c408ce6661a41b00c7503f5cf958883f38a8f8e38a98c136730fcccc320c550c

SHA512
4e62ea76c3eaeb087fdf1c09aab4c0e8abccccc218407d57b84fe6ef8022af0297aa08699576e11108520f16f5015ff3e48b5909cc17c8a48d0188e9424e7f09

Download Submit
C:\Windows\System\FzHSMEf.exe

Filesize
5.2MB

MD5
033dfc1d51f1e9f39cd670c62febf324

SHA1
1d58fa984f6decfad084cb256933e3e873a2d36a

SHA256
41a3cce64c96969ac0e544fb37f39375f8647172a973bd569f6a82f613e18375

SHA512
95764fc089b67fb340a63c0d400d5bc4f7b81a8e85846671c17d91bffa05bf1761a3e1b866b3de6f207bb15105cf6461364aba283ae70816a6fa12a4580af6d8

Download Submit
C:\Windows\System\GKXgDfr.exe

Filesize
5.2MB

MD5
a1f60b1076e4b115b28a8207eea72a5e

SHA1
58c7fbab205feac4def6dc49f276bb5f24bc610d

SHA256
6d295fb2b67a983098452bf356bc67d0bcbc08ea8aed2d5acddd02ec06d71ad6

SHA512
10f7e59038f5a239c1b8c1088a9d787fa2d6b32b3cd9193ffff7b9e3eebdc097fbf15a17fb37243583a2f73fdf7d5322946655d3805a7660bd997c3b34afe625

Download Submit
C:\Windows\System\HQOAyro.exe

Filesize
5.2MB

MD5
b26f2f99c43c8b6f39b224fa8f18fa28

SHA1
97348f2468064bb64953224a8650254bcceb0e55

SHA256
23a49bb02d9ac07a7a54b04dc530ebe8fdfe044c1049dab9e80f38641fd46b67

SHA512
0ba712c8844a0da0041c141a0a5fe23d6d690e3e9769081b236e013ada9e78a0fbeb82e7e8a1341c6a8a0d40ce99cddcdd63dd0446a03175e07c4d64e4372e50

Download Submit
C:\Windows\System\HihRWvu.exe

Filesize
5.2MB

MD5
39891da67a06419ba0159d8ad67f1064

SHA1
b93a03e6759d286ecc22b4ed47f8192697ca548c

SHA256
4683f8a54467934776ef660b50aea51540115469411c773d82ea6170d814c3da

SHA512
3c4ccd126e23dec3e8c458cc4cd56b1bb9814a8a902a3d072481733080644a27bf1848da7cbb866a5cdc9ae87a6b64da68bc9053dfa973269a2ee6f77c7435ee

Download Submit
C:\Windows\System\LsMcRIo.exe

Filesize
5.2MB

MD5
9ae873e28d592ee8ad9b58030bb66694

SHA1
ff1c232e08d9167ae1438b3762c7b68290d2ff66

SHA256
ac10f3f6bd0ba88fdbd18194b85129aafa9769e35be4064522a0a00f3d28c033

SHA512
2d53ee7f00dcdc3fde6fdde51b94f8d28ccbf18a5586ca3f046c9da5e5cf6bfb6e9097dfe695062d895fe72268e3469616116d6ab5dcd8b74cf060c2bdcd7841

Download Submit
C:\Windows\System\MQUFnAa.exe

Filesize
5.2MB

MD5
dd9116990bbda98929bdc07da575d89c

SHA1
814001d086d07f308f4ddcabb2030311cb58f296

SHA256
e83145452edd006d27fb5ba8d68974a46a1d56431782f086a0d6d3e29b12811a

SHA512
0e7d91b87bc339bcec2acc1c9fbfc62c3c6163601781dda375d9b8c33c7f3eff6feb703452ec32502f51686ba6e862235c76109e783e79fa1b8188a2b7e1113f

Download Submit
C:\Windows\System\OYDZjwC.exe

Filesize
5.2MB

MD5
09ff9e383fd095aa015be0f84776e295

SHA1
94cc6b92a603e3492c554d60b24f2ef5aaa8cf33

SHA256
1e8b56fb776123887f48416c2a03e984c4588e3508b7903ed691705ad26f6c6b

SHA512
420201ea0c074d9a46b8d2438ff40996e7af25a13b8b87db9a86e292d6b81d100d06f9af4730ea869bdad53e43dabd4b6f2eb49c0a9c871346e30fd71054e244

Download Submit
C:\Windows\System\QmxHLoD.exe

Filesize
5.2MB

MD5
24dc2f6e80147172ac833380d20c61a4

SHA1
f66871dd915ebd87cea73d3c367a444cf21afcae

SHA256
5a526da77bed81711d32c57e77f083b49b85ef555b309c0c7e0ef10b365112fb

SHA512
bbd3410f97a6e40aaf2442f56572b4944614452e6b4c177350e186947956436a250f60c66a66d888e251ae81d7a95bff3dabfc2bdbfa7e50ee0a31b355e85985

Download Submit
C:\Windows\System\QoORAzn.exe

Filesize
5.2MB

MD5
11763d8b7f34e4547a47ec89fdc3ad74

SHA1
23360cadedb7be3eccd1b72674082f1539a6ac04

SHA256
e5ad3b4cd65e9f7d3f77e6faf4d6308c8ca1c5cc1c9da102575c43140900e5b7

SHA512
8af020551f486d11e1bbf11dc39556f7a922d1f700378096080076bd28b54c94a17faa1f84a262ef00f5069c22b5132a4ead360a276c336fdf344f7beeadc92e

Download Submit
C:\Windows\System\RLRzvZk.exe

Filesize
5.2MB

MD5
05954ded05c3474ed13859043be07f1f

SHA1
e4a47372ee546509c1cdb2f389d2ffb01d0d70ca

SHA256
83e71092851171b76021e96909a71c18a00e3d2de0b506ecb6d9def231da517d

SHA512
7cf377e2c9057593a6904b72da32fe9f0b0b66334bba30313fc6da4bb854ae46c272271d6a9769dd792bcb61eaa0523a69f368d590a4d7c6e77cf031cc768a94

Download Submit
C:\Windows\System\RcxIVfA.exe

Filesize
5.2MB

MD5
05c977d06b9c889432ce757af1ea3034

SHA1
9b46d59cfb616488ff2c2b402aae5fdbfd78a015

SHA256
62ff3d9a68547b0dc052e0c5ae0b3551f1ef2526ae15930cafd2df955cded6af

SHA512
5837c5e1522c657b66a509dbcd280141da550277a576cf66943080944bc706d153aa451f9f6c7e0c3d2e71ae6ba66dd3a6b57f38871585bb9749d2444ef4d937

Download Submit
C:\Windows\System\ZxRhfBa.exe

Filesize
5.2MB

MD5
98e5f43509010de2b17bdb6b28b7991e

SHA1
8e8ea5fd3514e82fbe3089930ee79ba06845d391

SHA256
1083a8f7201ca0c518814db2efbc40d50e421cf5019b46b5d00681811a36d293

SHA512
ba6a9f620166a0651959fc62b01490da4c5c2b32bbcc9cd25959e7abb5f67879a05ab016b783909a28b55a323cc9cf33083bc89c54fa6b3c38367ab1e11c5eb5

Download Submit
C:\Windows\System\bRSuUDf.exe

Filesize
5.2MB

MD5
5ccef720cb1aec54a6283beb00940013

SHA1
95a83fe957cfb175d8c52c3faefdb2e61010d4f4

SHA256
6ab3e045bdea19562f621f5b47eee30be90937060681c6ed3ff47cf7725eb0c2

SHA512
b7d4a452459a36b65fd4c1ecedd3159f9a9ca0f5f0957fe88464e580c783d8b3584d64875b4d244e49a617c33b3aea8bf09e87ac2479cfd87543ba00f8e443cc

Download Submit
C:\Windows\System\daGojxu.exe

Filesize
5.2MB

MD5
28162adba8183c2feedbc644ab2379fc

SHA1
25b777f9cfbf657c486ab5dad4babb3c22e0a8d3

SHA256
5773f3342df0b0c0bae520e09ec099e72e4c310a832938043d8d3595bbd90500

SHA512
a9eff5839253776ce4f7abf5146ffce62c48c23a9c71d7268fa587e58802aa0d4fa532a682d9951deb1aa882714f5d41f53276378e1b5af96eb69163cdf90545

Download Submit
C:\Windows\System\jzoNTKv.exe

Filesize
5.2MB

MD5
2ff91335c534c59a66686d196a8c494b

SHA1
07f7d0806c9ee5e8f72ce2d5eafc5b5314e4e018

SHA256
5d539007261118149b5bd1967861ea3064ad6e87a8d1dee521aef3cfdcaff11c

SHA512
a7b07c500bd70c85620231338ffdf444b8ab688e633e23857bf2a6ae11aa71b3be98b783a53e93ba33b2959a35d54381eb68f6178af499d7ca033e4631559367

Download Submit
C:\Windows\System\txMSuyJ.exe

Filesize
5.2MB

MD5
98f508487482ae42f346ffb3771451eb

SHA1
a46c118fc60f81aa112b3d179cc71c6bcac9917f

SHA256
716f4132d783ede25f96ead786ddc0ca08bb374c661a405cda9b549133036595

SHA512
71943281a2ff9264b0c2e47ea0e871bd775e1e0a2a39bb3e7038faaee5cb108749680d401688c41a69264e1e22d97a2805d97352cac43c2e47125cc4e1678437

Download Submit
C:\Windows\System\uuhoChm.exe

Filesize
5.2MB

MD5
db36c5325a5d445101e40565833178af

SHA1
175b432729d27bbe45a8a6c54565a796713cf5fc

SHA256
64c8ad70abf54a5de76389afcc1d11f79e95a0195624323911f39f1bc4c3b1fd

SHA512
da67bd36838021b18f558c58c4932e2d7ce99afebbdb331118363f9eec7c9ec1e5c58ecd9effe0f78ffc60217a82c23ff3971b81f04c2c4153f2282eb12e9637

Download Submit
C:\Windows\System\wTPZTiU.exe

Filesize
5.2MB

MD5
bc60488594fbabb47969728f2196190b

SHA1
1c1a0832c185342ce854fae852c0be1bdb89d324

SHA256
cc985dbd03f30278fec768176886f41510fc801cf12f01dd7e69d3fc48b914e8

SHA512
95dac0eaf56ad9e8c3c6f0057dc8385faaf8073252fbcc0e2d22628fb3c23f447722e75bfe586e95d7a7d1066e43b19f2ad100ff3bb6e6ba42790829cefcdc4f

Download Submit
memory/396-222-0x00007FF6C37A0000-0x00007FF6C3AF1000-memory.dmp

Filesize
3.3MB

Download
memory/396-81-0x00007FF6C37A0000-0x00007FF6C3AF1000-memory.dmp

Filesize
3.3MB

Download
memory/516-0-0x00007FF648840000-0x00007FF648B91000-memory.dmp

Filesize
3.3MB

Download
memory/516-149-0x00007FF648840000-0x00007FF648B91000-memory.dmp

Filesize
3.3MB

Download
memory/516-125-0x00007FF648840000-0x00007FF648B91000-memory.dmp

Filesize
3.3MB

Download
memory/516-1-0x000002A4E4940000-0x000002A4E4950000-memory.dmp

Filesize
64KB

Download
memory/832-144-0x00007FF6ED1C0000-0x00007FF6ED511000-memory.dmp

Filesize
3.3MB

Download
memory/832-98-0x00007FF6ED1C0000-0x00007FF6ED511000-memory.dmp

Filesize
3.3MB

Download
memory/832-250-0x00007FF6ED1C0000-0x00007FF6ED511000-memory.dmp

Filesize
3.3MB

Download
memory/1080-113-0x00007FF73AA20000-0x00007FF73AD71000-memory.dmp

Filesize
3.3MB

Download
memory/1080-213-0x00007FF73AA20000-0x00007FF73AD71000-memory.dmp

Filesize
3.3MB

Download
memory/1080-13-0x00007FF73AA20000-0x00007FF73AD71000-memory.dmp

Filesize
3.3MB

Download
memory/1140-236-0x00007FF76C570000-0x00007FF76C8C1000-memory.dmp

Filesize
3.3MB

Download
memory/1140-83-0x00007FF76C570000-0x00007FF76C8C1000-memory.dmp

Filesize
3.3MB

Download
memory/1216-82-0x00007FF78F630000-0x00007FF78F981000-memory.dmp

Filesize
3.3MB

Download
memory/1216-229-0x00007FF78F630000-0x00007FF78F981000-memory.dmp

Filesize
3.3MB

Download
memory/1440-257-0x00007FF6BAF00000-0x00007FF6BB251000-memory.dmp

Filesize
3.3MB

Download
memory/1440-161-0x00007FF6BAF00000-0x00007FF6BB251000-memory.dmp

Filesize
3.3MB

Download
memory/1440-134-0x00007FF6BAF00000-0x00007FF6BB251000-memory.dmp

Filesize
3.3MB

Download
memory/1732-86-0x00007FF6238D0000-0x00007FF623C21000-memory.dmp

Filesize
3.3MB

Download
memory/1732-241-0x00007FF6238D0000-0x00007FF623C21000-memory.dmp

Filesize
3.3MB

Download
memory/1732-143-0x00007FF6238D0000-0x00007FF623C21000-memory.dmp

Filesize
3.3MB

Download
memory/1816-103-0x00007FF6081A0000-0x00007FF6084F1000-memory.dmp

Filesize
3.3MB

Download
memory/1816-249-0x00007FF6081A0000-0x00007FF6084F1000-memory.dmp

Filesize
3.3MB

Download
memory/1816-145-0x00007FF6081A0000-0x00007FF6084F1000-memory.dmp

Filesize
3.3MB

Download
memory/2036-99-0x00007FF7B6860000-0x00007FF7B6BB1000-memory.dmp

Filesize
3.3MB

Download
memory/2036-246-0x00007FF7B6860000-0x00007FF7B6BB1000-memory.dmp

Filesize
3.3MB

Download
memory/2036-146-0x00007FF7B6860000-0x00007FF7B6BB1000-memory.dmp

Filesize
3.3MB

Download
memory/2676-71-0x00007FF7E3710000-0x00007FF7E3A61000-memory.dmp

Filesize
3.3MB

Download
memory/2676-242-0x00007FF7E3710000-0x00007FF7E3A61000-memory.dmp

Filesize
3.3MB

Download
memory/2676-142-0x00007FF7E3710000-0x00007FF7E3A61000-memory.dmp

Filesize
3.3MB

Download
memory/2800-112-0x00007FF6EF260000-0x00007FF6EF5B1000-memory.dmp

Filesize
3.3MB

Download
memory/2800-9-0x00007FF6EF260000-0x00007FF6EF5B1000-memory.dmp

Filesize
3.3MB

Download
memory/2800-211-0x00007FF6EF260000-0x00007FF6EF5B1000-memory.dmp

Filesize
3.3MB

Download
memory/2908-245-0x00007FF7A9EE0000-0x00007FF7AA231000-memory.dmp

Filesize
3.3MB

Download
memory/2908-108-0x00007FF7A9EE0000-0x00007FF7AA231000-memory.dmp

Filesize
3.3MB

Download
memory/2908-147-0x00007FF7A9EE0000-0x00007FF7AA231000-memory.dmp

Filesize
3.3MB

Download
memory/2988-115-0x00007FF72D360000-0x00007FF72D6B1000-memory.dmp

Filesize
3.3MB

Download
memory/2988-215-0x00007FF72D360000-0x00007FF72D6B1000-memory.dmp

Filesize
3.3MB

Download
memory/2988-33-0x00007FF72D360000-0x00007FF72D6B1000-memory.dmp

Filesize
3.3MB

Download
memory/3012-255-0x00007FF7A46A0000-0x00007FF7A49F1000-memory.dmp

Filesize
3.3MB

Download
memory/3012-148-0x00007FF7A46A0000-0x00007FF7A49F1000-memory.dmp

Filesize
3.3MB

Download
memory/3012-130-0x00007FF7A46A0000-0x00007FF7A49F1000-memory.dmp

Filesize
3.3MB

Download
memory/3228-218-0x00007FF7DB690000-0x00007FF7DB9E1000-memory.dmp

Filesize
3.3MB

Download
memory/3228-55-0x00007FF7DB690000-0x00007FF7DB9E1000-memory.dmp

Filesize
3.3MB

Download
memory/3300-117-0x00007FF6A1060000-0x00007FF6A13B1000-memory.dmp

Filesize
3.3MB

Download
memory/3300-44-0x00007FF6A1060000-0x00007FF6A13B1000-memory.dmp

Filesize
3.3MB

Download
memory/3300-228-0x00007FF6A1060000-0x00007FF6A13B1000-memory.dmp

Filesize
3.3MB

Download
memory/3996-239-0x00007FF7261B0000-0x00007FF726501000-memory.dmp

Filesize
3.3MB

Download
memory/3996-70-0x00007FF7261B0000-0x00007FF726501000-memory.dmp

Filesize
3.3MB

Download
memory/3996-129-0x00007FF7261B0000-0x00007FF726501000-memory.dmp

Filesize
3.3MB

Download
memory/4280-133-0x00007FF7B5460000-0x00007FF7B57B1000-memory.dmp

Filesize
3.3MB

Download
memory/4280-259-0x00007FF7B5460000-0x00007FF7B57B1000-memory.dmp

Filesize
3.3MB

Download
memory/4280-162-0x00007FF7B5460000-0x00007FF7B57B1000-memory.dmp

Filesize
3.3MB

Download
memory/4528-219-0x00007FF6B96F0000-0x00007FF6B9A41000-memory.dmp

Filesize
3.3MB

Download
memory/4528-21-0x00007FF6B96F0000-0x00007FF6B9A41000-memory.dmp

Filesize
3.3MB

Download
memory/4528-114-0x00007FF6B96F0000-0x00007FF6B9A41000-memory.dmp

Filesize
3.3MB

Download
memory/4636-76-0x00007FF78C200000-0x00007FF78C551000-memory.dmp

Filesize
3.3MB

Download
memory/4636-226-0x00007FF78C200000-0x00007FF78C551000-memory.dmp

Filesize
3.3MB

Download
memory/5028-64-0x00007FF730810000-0x00007FF730B61000-memory.dmp

Filesize
3.3MB

Download
memory/5028-124-0x00007FF730810000-0x00007FF730B61000-memory.dmp

Filesize
3.3MB

Download
memory/5028-224-0x00007FF730810000-0x00007FF730B61000-memory.dmp

Filesize
3.3MB

Download