cobaltstrike | b045160f144dec819a41d71bcaeac2dac9c502967d5be1715ccd6ced420340e9

Analysis

max time kernel
144s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27/12/2024, 03:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-27_fc556d85bf81a5338bd0205038420ff7_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

fc556d85bf81a5338bd0205038420ff7
SHA1

609314a3d1a900797e96e4d9d7b8d76ad24a90c4
SHA256

b045160f144dec819a41d71bcaeac2dac9c502967d5be1715ccd6ced420340e9
SHA512

f6ddde02ba859e753be788b7b5b502a13a047ad50594790d5d47a700b72d5af79992b3e585d5039a85d961a3a8ef85eac0d3efdeddcf408882dee1000dda8967
SSDEEP

49152:ROdWCCi7/raA56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lj:RWWBibj56utgpPFotBER/mQ32lU3

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000c000000023b2d-5.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b90-14.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b91-17.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8f-18.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b93-32.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b92-34.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b95-47.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b98-55.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b99-67.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9b-78.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9c-96.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9e-102.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba2-120.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba0-124.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba1-118.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9f-114.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9d-98.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9a-75.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b8c-74.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b97-60.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b94-51.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 46 IoCs

miner

resource	yara_rule
behavioral2/memory/844-90-0x00007FF7B5EE0000-0x00007FF7B6231000-memory.dmp	xmrig
behavioral2/memory/3264-127-0x00007FF6D7EA0000-0x00007FF6D81F1000-memory.dmp	xmrig
behavioral2/memory/3460-126-0x00007FF6FE760000-0x00007FF6FEAB1000-memory.dmp	xmrig
behavioral2/memory/2952-123-0x00007FF7C21E0000-0x00007FF7C2531000-memory.dmp	xmrig
behavioral2/memory/1828-122-0x00007FF71F960000-0x00007FF71FCB1000-memory.dmp	xmrig
behavioral2/memory/4744-117-0x00007FF6A0200000-0x00007FF6A0551000-memory.dmp	xmrig
behavioral2/memory/4964-113-0x00007FF7E4740000-0x00007FF7E4A91000-memory.dmp	xmrig
behavioral2/memory/3392-31-0x00007FF711070000-0x00007FF7113C1000-memory.dmp	xmrig
behavioral2/memory/4584-134-0x00007FF6142A0000-0x00007FF6145F1000-memory.dmp	xmrig
behavioral2/memory/3576-136-0x00007FF7268C0000-0x00007FF726C11000-memory.dmp	xmrig
behavioral2/memory/232-144-0x00007FF721E30000-0x00007FF722181000-memory.dmp	xmrig
behavioral2/memory/1336-142-0x00007FF69C590000-0x00007FF69C8E1000-memory.dmp	xmrig
behavioral2/memory/4880-150-0x00007FF7316B0000-0x00007FF731A01000-memory.dmp	xmrig
behavioral2/memory/2916-143-0x00007FF73ECE0000-0x00007FF73F031000-memory.dmp	xmrig
behavioral2/memory/844-140-0x00007FF7B5EE0000-0x00007FF7B6231000-memory.dmp	xmrig
behavioral2/memory/1488-139-0x00007FF727A80000-0x00007FF727DD1000-memory.dmp	xmrig
behavioral2/memory/4040-138-0x00007FF76A450000-0x00007FF76A7A1000-memory.dmp	xmrig
behavioral2/memory/4272-137-0x00007FF62EA30000-0x00007FF62ED81000-memory.dmp	xmrig
behavioral2/memory/3560-135-0x00007FF716C80000-0x00007FF716FD1000-memory.dmp	xmrig
behavioral2/memory/4752-133-0x00007FF792920000-0x00007FF792C71000-memory.dmp	xmrig
behavioral2/memory/4352-131-0x00007FF62E060000-0x00007FF62E3B1000-memory.dmp	xmrig
behavioral2/memory/2284-130-0x00007FF734BA0000-0x00007FF734EF1000-memory.dmp	xmrig
behavioral2/memory/648-129-0x00007FF6FCCB0000-0x00007FF6FD001000-memory.dmp	xmrig
behavioral2/memory/4880-128-0x00007FF7316B0000-0x00007FF731A01000-memory.dmp	xmrig
behavioral2/memory/4880-151-0x00007FF7316B0000-0x00007FF731A01000-memory.dmp	xmrig
behavioral2/memory/648-201-0x00007FF6FCCB0000-0x00007FF6FD001000-memory.dmp	xmrig
behavioral2/memory/2284-216-0x00007FF734BA0000-0x00007FF734EF1000-memory.dmp	xmrig
behavioral2/memory/4352-215-0x00007FF62E060000-0x00007FF62E3B1000-memory.dmp	xmrig
behavioral2/memory/3392-222-0x00007FF711070000-0x00007FF7113C1000-memory.dmp	xmrig
behavioral2/memory/4752-220-0x00007FF792920000-0x00007FF792C71000-memory.dmp	xmrig
behavioral2/memory/4584-219-0x00007FF6142A0000-0x00007FF6145F1000-memory.dmp	xmrig
behavioral2/memory/3576-224-0x00007FF7268C0000-0x00007FF726C11000-memory.dmp	xmrig
behavioral2/memory/3560-228-0x00007FF716C80000-0x00007FF716FD1000-memory.dmp	xmrig
behavioral2/memory/4272-227-0x00007FF62EA30000-0x00007FF62ED81000-memory.dmp	xmrig
behavioral2/memory/4040-238-0x00007FF76A450000-0x00007FF76A7A1000-memory.dmp	xmrig
behavioral2/memory/844-237-0x00007FF7B5EE0000-0x00007FF7B6231000-memory.dmp	xmrig
behavioral2/memory/1488-240-0x00007FF727A80000-0x00007FF727DD1000-memory.dmp	xmrig
behavioral2/memory/4964-242-0x00007FF7E4740000-0x00007FF7E4A91000-memory.dmp	xmrig
behavioral2/memory/1336-244-0x00007FF69C590000-0x00007FF69C8E1000-memory.dmp	xmrig
behavioral2/memory/232-247-0x00007FF721E30000-0x00007FF722181000-memory.dmp	xmrig
behavioral2/memory/2916-248-0x00007FF73ECE0000-0x00007FF73F031000-memory.dmp	xmrig
behavioral2/memory/2952-252-0x00007FF7C21E0000-0x00007FF7C2531000-memory.dmp	xmrig
behavioral2/memory/4744-250-0x00007FF6A0200000-0x00007FF6A0551000-memory.dmp	xmrig
behavioral2/memory/1828-256-0x00007FF71F960000-0x00007FF71FCB1000-memory.dmp	xmrig
behavioral2/memory/3264-258-0x00007FF6D7EA0000-0x00007FF6D81F1000-memory.dmp	xmrig
behavioral2/memory/3460-255-0x00007FF6FE760000-0x00007FF6FEAB1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
648	VqwPSCI.exe
2284	yJZPLIz.exe
4352	sXzoioi.exe
3392	jFeVcQd.exe
4752	uZQvLxf.exe
4584	sWcwbkB.exe
3560	edGQNBp.exe
3576	tUlsOKZ.exe
4272	bEvOAyV.exe
4040	hEdVFSZ.exe
1488	uKgIWMw.exe
844	SzMzmPO.exe
4964	kuPTBiv.exe
1336	tylnPdW.exe
2916	Gxywhao.exe
232	nuZlfYt.exe
4744	oudeMTB.exe
1828	AZUNVDx.exe
3460	CmEwATg.exe
2952	VgjNSuN.exe
3264	xWjfhuv.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4880-0-0x00007FF7316B0000-0x00007FF731A01000-memory.dmp	upx
behavioral2/files/0x000c000000023b2d-5.dat	upx
behavioral2/files/0x000a000000023b90-14.dat	upx
behavioral2/files/0x000a000000023b91-17.dat	upx
behavioral2/files/0x000a000000023b8f-18.dat	upx
behavioral2/files/0x000a000000023b93-32.dat	upx
behavioral2/files/0x000a000000023b92-34.dat	upx
behavioral2/files/0x000a000000023b95-47.dat	upx
behavioral2/files/0x000a000000023b98-55.dat	upx
behavioral2/files/0x000a000000023b99-67.dat	upx
behavioral2/files/0x000a000000023b9b-78.dat	upx
behavioral2/memory/844-90-0x00007FF7B5EE0000-0x00007FF7B6231000-memory.dmp	upx
behavioral2/files/0x000a000000023b9c-96.dat	upx
behavioral2/files/0x000a000000023b9e-102.dat	upx
behavioral2/memory/232-110-0x00007FF721E30000-0x00007FF722181000-memory.dmp	upx
behavioral2/files/0x000a000000023ba2-120.dat	upx
behavioral2/memory/3264-127-0x00007FF6D7EA0000-0x00007FF6D81F1000-memory.dmp	upx
behavioral2/memory/3460-126-0x00007FF6FE760000-0x00007FF6FEAB1000-memory.dmp	upx
behavioral2/files/0x000a000000023ba0-124.dat	upx
behavioral2/memory/2952-123-0x00007FF7C21E0000-0x00007FF7C2531000-memory.dmp	upx
behavioral2/memory/1828-122-0x00007FF71F960000-0x00007FF71FCB1000-memory.dmp	upx
behavioral2/files/0x000a000000023ba1-118.dat	upx
behavioral2/memory/4744-117-0x00007FF6A0200000-0x00007FF6A0551000-memory.dmp	upx
behavioral2/files/0x000a000000023b9f-114.dat	upx
behavioral2/memory/4964-113-0x00007FF7E4740000-0x00007FF7E4A91000-memory.dmp	upx
behavioral2/files/0x000a000000023b9d-98.dat	upx
behavioral2/memory/2916-94-0x00007FF73ECE0000-0x00007FF73F031000-memory.dmp	upx
behavioral2/memory/1336-93-0x00007FF69C590000-0x00007FF69C8E1000-memory.dmp	upx
behavioral2/files/0x000a000000023b9a-75.dat	upx
behavioral2/files/0x000b000000023b8c-74.dat	upx
behavioral2/memory/4040-71-0x00007FF76A450000-0x00007FF76A7A1000-memory.dmp	upx
behavioral2/memory/1488-65-0x00007FF727A80000-0x00007FF727DD1000-memory.dmp	upx
behavioral2/files/0x000a000000023b97-60.dat	upx
behavioral2/memory/4272-58-0x00007FF62EA30000-0x00007FF62ED81000-memory.dmp	upx
behavioral2/memory/3576-57-0x00007FF7268C0000-0x00007FF726C11000-memory.dmp	upx
behavioral2/files/0x000a000000023b94-51.dat	upx
behavioral2/memory/3560-46-0x00007FF716C80000-0x00007FF716FD1000-memory.dmp	upx
behavioral2/memory/4584-37-0x00007FF6142A0000-0x00007FF6145F1000-memory.dmp	upx
behavioral2/memory/4752-33-0x00007FF792920000-0x00007FF792C71000-memory.dmp	upx
behavioral2/memory/3392-31-0x00007FF711070000-0x00007FF7113C1000-memory.dmp	upx
behavioral2/memory/4352-22-0x00007FF62E060000-0x00007FF62E3B1000-memory.dmp	upx
behavioral2/memory/2284-19-0x00007FF734BA0000-0x00007FF734EF1000-memory.dmp	upx
behavioral2/memory/648-7-0x00007FF6FCCB0000-0x00007FF6FD001000-memory.dmp	upx
behavioral2/memory/4584-134-0x00007FF6142A0000-0x00007FF6145F1000-memory.dmp	upx
behavioral2/memory/3576-136-0x00007FF7268C0000-0x00007FF726C11000-memory.dmp	upx
behavioral2/memory/232-144-0x00007FF721E30000-0x00007FF722181000-memory.dmp	upx
behavioral2/memory/1336-142-0x00007FF69C590000-0x00007FF69C8E1000-memory.dmp	upx
behavioral2/memory/4880-150-0x00007FF7316B0000-0x00007FF731A01000-memory.dmp	upx
behavioral2/memory/2916-143-0x00007FF73ECE0000-0x00007FF73F031000-memory.dmp	upx
behavioral2/memory/844-140-0x00007FF7B5EE0000-0x00007FF7B6231000-memory.dmp	upx
behavioral2/memory/1488-139-0x00007FF727A80000-0x00007FF727DD1000-memory.dmp	upx
behavioral2/memory/4040-138-0x00007FF76A450000-0x00007FF76A7A1000-memory.dmp	upx
behavioral2/memory/4272-137-0x00007FF62EA30000-0x00007FF62ED81000-memory.dmp	upx
behavioral2/memory/3560-135-0x00007FF716C80000-0x00007FF716FD1000-memory.dmp	upx
behavioral2/memory/4752-133-0x00007FF792920000-0x00007FF792C71000-memory.dmp	upx
behavioral2/memory/4352-131-0x00007FF62E060000-0x00007FF62E3B1000-memory.dmp	upx
behavioral2/memory/2284-130-0x00007FF734BA0000-0x00007FF734EF1000-memory.dmp	upx
behavioral2/memory/648-129-0x00007FF6FCCB0000-0x00007FF6FD001000-memory.dmp	upx
behavioral2/memory/4880-128-0x00007FF7316B0000-0x00007FF731A01000-memory.dmp	upx
behavioral2/memory/4880-151-0x00007FF7316B0000-0x00007FF731A01000-memory.dmp	upx
behavioral2/memory/648-201-0x00007FF6FCCB0000-0x00007FF6FD001000-memory.dmp	upx
behavioral2/memory/2284-216-0x00007FF734BA0000-0x00007FF734EF1000-memory.dmp	upx
behavioral2/memory/4352-215-0x00007FF62E060000-0x00007FF62E3B1000-memory.dmp	upx
behavioral2/memory/3392-222-0x00007FF711070000-0x00007FF7113C1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\uZQvLxf.exe	2024-12-27_fc556d85bf81a5338bd0205038420ff7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\edGQNBp.exe	2024-12-27_fc556d85bf81a5338bd0205038420ff7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uKgIWMw.exe	2024-12-27_fc556d85bf81a5338bd0205038420ff7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nuZlfYt.exe	2024-12-27_fc556d85bf81a5338bd0205038420ff7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AZUNVDx.exe	2024-12-27_fc556d85bf81a5338bd0205038420ff7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CmEwATg.exe	2024-12-27_fc556d85bf81a5338bd0205038420ff7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VgjNSuN.exe	2024-12-27_fc556d85bf81a5338bd0205038420ff7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bEvOAyV.exe	2024-12-27_fc556d85bf81a5338bd0205038420ff7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SzMzmPO.exe	2024-12-27_fc556d85bf81a5338bd0205038420ff7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kuPTBiv.exe	2024-12-27_fc556d85bf81a5338bd0205038420ff7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yJZPLIz.exe	2024-12-27_fc556d85bf81a5338bd0205038420ff7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sXzoioi.exe	2024-12-27_fc556d85bf81a5338bd0205038420ff7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jFeVcQd.exe	2024-12-27_fc556d85bf81a5338bd0205038420ff7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hEdVFSZ.exe	2024-12-27_fc556d85bf81a5338bd0205038420ff7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tylnPdW.exe	2024-12-27_fc556d85bf81a5338bd0205038420ff7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VqwPSCI.exe	2024-12-27_fc556d85bf81a5338bd0205038420ff7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sWcwbkB.exe	2024-12-27_fc556d85bf81a5338bd0205038420ff7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tUlsOKZ.exe	2024-12-27_fc556d85bf81a5338bd0205038420ff7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\Gxywhao.exe	2024-12-27_fc556d85bf81a5338bd0205038420ff7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oudeMTB.exe	2024-12-27_fc556d85bf81a5338bd0205038420ff7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xWjfhuv.exe	2024-12-27_fc556d85bf81a5338bd0205038420ff7_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4880	2024-12-27_fc556d85bf81a5338bd0205038420ff7_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4880	2024-12-27_fc556d85bf81a5338bd0205038420ff7_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4880 wrote to memory of 648	4880	2024-12-27_fc556d85bf81a5338bd0205038420ff7_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 4880 wrote to memory of 648	4880	2024-12-27_fc556d85bf81a5338bd0205038420ff7_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 4880 wrote to memory of 2284	4880	2024-12-27_fc556d85bf81a5338bd0205038420ff7_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4880 wrote to memory of 2284	4880	2024-12-27_fc556d85bf81a5338bd0205038420ff7_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4880 wrote to memory of 4352	4880	2024-12-27_fc556d85bf81a5338bd0205038420ff7_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4880 wrote to memory of 4352	4880	2024-12-27_fc556d85bf81a5338bd0205038420ff7_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4880 wrote to memory of 3392	4880	2024-12-27_fc556d85bf81a5338bd0205038420ff7_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4880 wrote to memory of 3392	4880	2024-12-27_fc556d85bf81a5338bd0205038420ff7_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4880 wrote to memory of 4752	4880	2024-12-27_fc556d85bf81a5338bd0205038420ff7_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4880 wrote to memory of 4752	4880	2024-12-27_fc556d85bf81a5338bd0205038420ff7_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4880 wrote to memory of 4584	4880	2024-12-27_fc556d85bf81a5338bd0205038420ff7_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4880 wrote to memory of 4584	4880	2024-12-27_fc556d85bf81a5338bd0205038420ff7_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4880 wrote to memory of 3560	4880	2024-12-27_fc556d85bf81a5338bd0205038420ff7_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4880 wrote to memory of 3560	4880	2024-12-27_fc556d85bf81a5338bd0205038420ff7_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4880 wrote to memory of 3576	4880	2024-12-27_fc556d85bf81a5338bd0205038420ff7_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4880 wrote to memory of 3576	4880	2024-12-27_fc556d85bf81a5338bd0205038420ff7_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4880 wrote to memory of 4272	4880	2024-12-27_fc556d85bf81a5338bd0205038420ff7_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4880 wrote to memory of 4272	4880	2024-12-27_fc556d85bf81a5338bd0205038420ff7_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4880 wrote to memory of 4040	4880	2024-12-27_fc556d85bf81a5338bd0205038420ff7_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4880 wrote to memory of 4040	4880	2024-12-27_fc556d85bf81a5338bd0205038420ff7_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4880 wrote to memory of 1488	4880	2024-12-27_fc556d85bf81a5338bd0205038420ff7_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4880 wrote to memory of 1488	4880	2024-12-27_fc556d85bf81a5338bd0205038420ff7_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4880 wrote to memory of 844	4880	2024-12-27_fc556d85bf81a5338bd0205038420ff7_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4880 wrote to memory of 844	4880	2024-12-27_fc556d85bf81a5338bd0205038420ff7_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4880 wrote to memory of 4964	4880	2024-12-27_fc556d85bf81a5338bd0205038420ff7_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4880 wrote to memory of 4964	4880	2024-12-27_fc556d85bf81a5338bd0205038420ff7_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4880 wrote to memory of 1336	4880	2024-12-27_fc556d85bf81a5338bd0205038420ff7_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4880 wrote to memory of 1336	4880	2024-12-27_fc556d85bf81a5338bd0205038420ff7_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4880 wrote to memory of 2916	4880	2024-12-27_fc556d85bf81a5338bd0205038420ff7_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4880 wrote to memory of 2916	4880	2024-12-27_fc556d85bf81a5338bd0205038420ff7_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4880 wrote to memory of 232	4880	2024-12-27_fc556d85bf81a5338bd0205038420ff7_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4880 wrote to memory of 232	4880	2024-12-27_fc556d85bf81a5338bd0205038420ff7_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4880 wrote to memory of 4744	4880	2024-12-27_fc556d85bf81a5338bd0205038420ff7_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4880 wrote to memory of 4744	4880	2024-12-27_fc556d85bf81a5338bd0205038420ff7_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4880 wrote to memory of 1828	4880	2024-12-27_fc556d85bf81a5338bd0205038420ff7_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4880 wrote to memory of 1828	4880	2024-12-27_fc556d85bf81a5338bd0205038420ff7_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4880 wrote to memory of 3264	4880	2024-12-27_fc556d85bf81a5338bd0205038420ff7_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4880 wrote to memory of 3264	4880	2024-12-27_fc556d85bf81a5338bd0205038420ff7_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4880 wrote to memory of 3460	4880	2024-12-27_fc556d85bf81a5338bd0205038420ff7_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4880 wrote to memory of 3460	4880	2024-12-27_fc556d85bf81a5338bd0205038420ff7_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4880 wrote to memory of 2952	4880	2024-12-27_fc556d85bf81a5338bd0205038420ff7_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4880 wrote to memory of 2952	4880	2024-12-27_fc556d85bf81a5338bd0205038420ff7_cobalt-strike_cobaltstrike_poet-rat.exe	103

C:\Users\Admin\AppData\Local\Temp\2024-12-27_fc556d85bf81a5338bd0205038420ff7_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-27_fc556d85bf81a5338bd0205038420ff7_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4880
- C:\Windows\System\VqwPSCI.exe
  C:\Windows\System\VqwPSCI.exe
  2⤵
  - Executes dropped EXE
  PID:648
- C:\Windows\System\yJZPLIz.exe
  C:\Windows\System\yJZPLIz.exe
  2⤵
  - Executes dropped EXE
  PID:2284
- C:\Windows\System\sXzoioi.exe
  C:\Windows\System\sXzoioi.exe
  2⤵
  - Executes dropped EXE
  PID:4352
- C:\Windows\System\jFeVcQd.exe
  C:\Windows\System\jFeVcQd.exe
  2⤵
  - Executes dropped EXE
  PID:3392
- C:\Windows\System\uZQvLxf.exe
  C:\Windows\System\uZQvLxf.exe
  2⤵
  - Executes dropped EXE
  PID:4752
- C:\Windows\System\sWcwbkB.exe
  C:\Windows\System\sWcwbkB.exe
  2⤵
  - Executes dropped EXE
  PID:4584
- C:\Windows\System\edGQNBp.exe
  C:\Windows\System\edGQNBp.exe
  2⤵
  - Executes dropped EXE
  PID:3560
- C:\Windows\System\tUlsOKZ.exe
  C:\Windows\System\tUlsOKZ.exe
  2⤵
  - Executes dropped EXE
  PID:3576
- C:\Windows\System\bEvOAyV.exe
  C:\Windows\System\bEvOAyV.exe
  2⤵
  - Executes dropped EXE
  PID:4272
- C:\Windows\System\hEdVFSZ.exe
  C:\Windows\System\hEdVFSZ.exe
  2⤵
  - Executes dropped EXE
  PID:4040
- C:\Windows\System\uKgIWMw.exe
  C:\Windows\System\uKgIWMw.exe
  2⤵
  - Executes dropped EXE
  PID:1488
- C:\Windows\System\SzMzmPO.exe
  C:\Windows\System\SzMzmPO.exe
  2⤵
  - Executes dropped EXE
  PID:844
- C:\Windows\System\kuPTBiv.exe
  C:\Windows\System\kuPTBiv.exe
  2⤵
  - Executes dropped EXE
  PID:4964
- C:\Windows\System\tylnPdW.exe
  C:\Windows\System\tylnPdW.exe
  2⤵
  - Executes dropped EXE
  PID:1336
- C:\Windows\System\Gxywhao.exe
  C:\Windows\System\Gxywhao.exe
  2⤵
  - Executes dropped EXE
  PID:2916
- C:\Windows\System\nuZlfYt.exe
  C:\Windows\System\nuZlfYt.exe
  2⤵
  - Executes dropped EXE
  PID:232
- C:\Windows\System\oudeMTB.exe
  C:\Windows\System\oudeMTB.exe
  2⤵
  - Executes dropped EXE
  PID:4744
- C:\Windows\System\AZUNVDx.exe
  C:\Windows\System\AZUNVDx.exe
  2⤵
  - Executes dropped EXE
  PID:1828
- C:\Windows\System\xWjfhuv.exe
  C:\Windows\System\xWjfhuv.exe
  2⤵
  - Executes dropped EXE
  PID:3264
- C:\Windows\System\CmEwATg.exe
  C:\Windows\System\CmEwATg.exe
  2⤵
  - Executes dropped EXE
  PID:3460
- C:\Windows\System\VgjNSuN.exe
  C:\Windows\System\VgjNSuN.exe
  2⤵
  - Executes dropped EXE
  PID:2952

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AZUNVDx.exe

Filesize
5.2MB

MD5
525d156287f443b880da41600662d271

SHA1
7af581df830653c1704afb77477bb31f61c6829b

SHA256
2f436fd3eb1affdf6262efa1f2273d0e93dcfd7ea4b68b5d778834dd558684f9

SHA512
9f9f26db23dac8083a45af80adf104a256081a6a28a148d4a691f5afb57b3606cd7a0550ea3cad46b6854decc72d98920d7273fa6da3a12f1101aedfd1d63431

Download Submit
C:\Windows\System\CmEwATg.exe

Filesize
5.2MB

MD5
0dae8e9f8f7a0662813f8bd2dc44d304

SHA1
7d40c9bf7a59168ac5e49f2b10da542b303186a3

SHA256
b7e665995c7f28a6baffb63beb520b5683747a8f9e59339cd6fb164135fce666

SHA512
aa57321c03ff9ee830434360ee6af3c38b63a6446e13bfb1f753aa34001dcae5469e72e29750b2efb020c4a34ec6e6fde6533069314c794f3b1ebcf2d05698b6

Download Submit
C:\Windows\System\Gxywhao.exe

Filesize
5.2MB

MD5
b643c729061ee102064a5981e685fe8a

SHA1
b5f08c7ba314aa3e902cdaa0f930658162675664

SHA256
45f061b5070dfbafff29e55e004f24bc52324f70f82243253829fafbc9db35f2

SHA512
636bbd500dac18f49032491103e15c131b7bb2d590024f9734d4e665fe3bfb0d6a39cb776f0a4294dcf045cd498d2162ebbd9451319b29f6bcfb2e13f3bbade1

Download Submit
C:\Windows\System\SzMzmPO.exe

Filesize
5.2MB

MD5
73d2dd478cf1da14ffa949ba80257b32

SHA1
8d04d5a5b0cc86a0d73c6f126e834e4aea5f13a3

SHA256
f12d6e659eef739ea34474137139be95975170fb839eca0b9f4a7dbab4f7d28c

SHA512
b9bde4081691ad2845afed42cb6dace3f2156f5dab1c68f54a54a4898eeeb32c448ee9925508c04e133a2a98eecce13ba4043956e01341d6f5ce8e67faf8f20e

Download Submit
C:\Windows\System\VgjNSuN.exe

Filesize
5.2MB

MD5
1e6ac3bfa15fb31027e2b2b42ed5aa72

SHA1
b3dd33bb208725aed66d65f4cf97e0a1e2de6789

SHA256
0c5ca10a36af2213ef89b2af23ba98d69d0fc34e90d183fd0054fdb143cf62b9

SHA512
de01dc9db40a8fa1448ff01256be86fb1f9ad19e4a35f112ba8bf36a1ae91dfd9851dbc8ddf5dbcf30fa4efed008f1d6ddc0799d60cd11d72d6407e5827f8902

Download Submit
C:\Windows\System\VqwPSCI.exe

Filesize
5.2MB

MD5
23ac15113f69ad76d04275cb715f3e19

SHA1
5f03ad6908064653d3fd5d6a9a36d568424f1821

SHA256
c334bf97041a3a8caa672bf377290df4dfb3a6b171a41900b1f843250fda9ada

SHA512
adc6de521274bb422b1fe752513d00e80070567360cb0fe2e5572b60976daa72cb11052f0afe85f366800b9d4e9b2ea1154b1598bb6ba11cd407486223a1b76b

Download Submit
C:\Windows\System\bEvOAyV.exe

Filesize
5.2MB

MD5
648fa66b2b554aeb543ab1984fe791c6

SHA1
74a69820330da509f52b2632b2b62d1939c4193e

SHA256
d5c86b5c9c40ef132bf9db41aefb7de70e6c6459e65171a70226c52df5fdf30d

SHA512
0e85b7fd616385ffdde7d49aa516a6d5270f045f0f1855507a53e73f88073c0d94d5abb5941b8ab24677baab9372552dccde273a138822ddb31f3fb82d1cbcdc

Download Submit
C:\Windows\System\edGQNBp.exe

Filesize
5.2MB

MD5
28e286c1f7939a8bd56ab4765a9e56a7

SHA1
a6940ba0016319032ef2b7ff075007df50542213

SHA256
997245765b214d19e4bf8db7842ae5efd5598eb6a73f7eb8b16f10c09346290c

SHA512
0657329f3a1e4c2adbc30ff001971371f40afa42ef5a22dfaf7dbb97a9d93581d56cacfd9bdf89a986dfb86df3b09b11eb5cfe4ee6fed3e40ad2276686566fa0

Download Submit
C:\Windows\System\hEdVFSZ.exe

Filesize
5.2MB

MD5
67ba539233bf32c1733913980e9ca964

SHA1
6f9242cd7fadd2b1391c71836ba7e19894dec0ec

SHA256
312fb43071bccdb349e9e8d398604ea15cb2d4a24203ace97ec9cb1934a8e3e9

SHA512
e03a26a58b9f77c7c346b7b7652bfeba796658fcdc07d50653e2dea7dc21cd0fa93ccebeca318dae24914d47bd7c5ac33c4944a9fc1ee04089222c1e22873865

Download Submit
C:\Windows\System\jFeVcQd.exe

Filesize
5.2MB

MD5
9fe76f228d5cc343a39d6fd65a5f2b52

SHA1
f208ac0aac7f6b52ed9e290bcea4257079cc4988

SHA256
487a67cbad307217a614953da125c6c34b5068aec4ba40f02ba2277f8766930d

SHA512
26e83a07e14357075f3fa04fcfbbc2fff910309d63fdabf61dc0e0070e2a05f978df146c6ade21bf89ca786de54f8d70b85f0ac6334de26e76e8c4287cab43e2

Download Submit
C:\Windows\System\kuPTBiv.exe

Filesize
5.2MB

MD5
55be962a1d56cd0b17097a56f741fbe7

SHA1
e8508fe345bd47ab3039b64dc37e0abeecc8ff0b

SHA256
c22894bae3272f3beb281df7555f491b519daffdd80a4c03d9e205d271098354

SHA512
9143bf9188495d09c3012570bea16ab7f3f59e29a47c75b24531d06ab8b34be1aef9be1eae2938d63cfd4fae8363a45ffba66bedd25dbe7d22e4406e3cf05d39

Download Submit
C:\Windows\System\nuZlfYt.exe

Filesize
5.2MB

MD5
cd4d183d51c77dfdf99c3ce618f9d49d

SHA1
25947c206f6d1def087e9f982c6bbe2b26fab0c5

SHA256
1157ecb4a9d082a04f80159fe787d24d0c6f1a0226e294c6a5d7496d2ee1f7ee

SHA512
e2549e08b8201029ea8727fea1184a11c28eaa16cd8eae59640f9320bc85b0948f3dd7aac865c2d26f7cce7c21fa39ae396d7d670fbdfd9b37203e3a3cde271c

Download Submit
C:\Windows\System\oudeMTB.exe

Filesize
5.2MB

MD5
c32d65014edbf327430dfa6b2729e7f2

SHA1
0f6c8ccb24c726740397c2f6091d1383c3561886

SHA256
4dd5f2ab55461c9f96f69799f7096ed34351cd4a0ac2ce97ee0c1650f9bb2231

SHA512
e47827541a72b9152753ced24a8b50cd86c2ee30760445f4ce55e9f5610ceee8a348d7486ca44bef22053108ad76c25082a790449b18d846cfe16dbfca4c51ac

Download Submit
C:\Windows\System\sWcwbkB.exe

Filesize
5.2MB

MD5
cfd5227426de84924430957880636f48

SHA1
d16c8c2f72fc4d6fb442526b79be0145423eedd2

SHA256
3efe91edf1b52ebb09001c42d0d11c450771b6363a9c1ffd57d376f454040c07

SHA512
071e5a9406da210fb1fcca2f19f396780ac2da088bd8b52784066bf17ada5dc0661ce0ff7d3d97791daa5f93056a4fe69c4c752f1bbc5891760f4125fee8c10a

Download Submit
C:\Windows\System\sXzoioi.exe

Filesize
5.2MB

MD5
e9f1dc6e640016aa2f4a60a91cf14c4c

SHA1
46ead0c5b7ea988605dbb06e2f91a8a95ab88417

SHA256
4bf7f7ab95b1616df3700556faac4943950ce58ec48a31e0ec78d9fcadeb0d8d

SHA512
9e9da40d1e7c4b1d1c4d8976e8d0f3e8db0005eafe7739847b7ad31e90914e705e83ff56bab6af82fc84fddcbc7a545e246017f015d77113cb67279ff1282704

Download Submit
C:\Windows\System\tUlsOKZ.exe

Filesize
5.2MB

MD5
16f527c0ab089c0e90799d2408c1a5e6

SHA1
d8ad5d6d15622ff9d62ce0919cd2fdf0826c060b

SHA256
69e45c69075a2965d8ec746df231b4a6d47f248fc6554a381d5a7562624aee38

SHA512
a35acaddb877c4f6afb129347a56d91bcaa9fe3cdea813e72f3b5df50d39af083689ea0d5cafaaafef7a46808f253de70f0e005b7d92d51d3e459651a3b24e8a

Download Submit
C:\Windows\System\tylnPdW.exe

Filesize
5.2MB

MD5
5127ee5b3fc154b8d9ebed1eb24fe4db

SHA1
09fd1bb30262918b009a3737a94e84e3764e78c2

SHA256
efb41c29f6e5f6e53ac9bef192773a531c7c6ecc7414cb39bf90fea06c9f6141

SHA512
024035f5180d7ca54aecf7fea15791a5e53e835a1f742f3dbd8d0ccd878409e6a40377a62cc574f5ab4c7d197728bf6e63684d986a2f73c947fdb22855d6e630

Download Submit
C:\Windows\System\uKgIWMw.exe

Filesize
5.2MB

MD5
1dd03c63f843d54c9ce2b86bdfcb3049

SHA1
b65f29c48ddcfbf25dc88158679fbec87f126aba

SHA256
db64646f18de3d1d4b2900084514a4dcf277f2c52b9c1a6ccd83903be0cacd21

SHA512
b2fa87aae25cac8a3957057024a8c6d8b89c2b7c96b014d7dd2d6be642374bb18352e0eb5fca4f4fca190ddfa222d5f7bb5d2a5b071f67a31242b35773396d8f

Download Submit
C:\Windows\System\uZQvLxf.exe

Filesize
5.2MB

MD5
8e64db673bfc53a7793477d074394d9a

SHA1
0429f8b0db08379a75981d4bb9849fc84c252cb2

SHA256
a00f0d16742c3b23d7810b74b739b14715f605808a2f33465e5d1add85dc549f

SHA512
034530353a382f830e3f812955c5f3e5eebd88f2be3184a0a98ecb15de2226b580e1d85541a26801069d4ff3c3476bee5ad332c500c82e4502f8f031938d541f

Download Submit
C:\Windows\System\xWjfhuv.exe

Filesize
5.2MB

MD5
6b9017cbcdb190764882ec83c420e7c0

SHA1
cbae01fdc3708185928218cc9bc8b3b673789fae

SHA256
1fcb31ca683672eea84ef7e81e83e963cf909bd031742b395baacaac2f335937

SHA512
bb1fb9b7419ce3d269314a1c99f6318ab0ded21c88976f89052306e1257f7a189b2902607dc2c86110efbb9963687e506864f3d070d88a256ed08414de98c2c9

Download Submit
C:\Windows\System\yJZPLIz.exe

Filesize
5.2MB

MD5
5eeb7da332b4240b0881e869abb446ed

SHA1
d08f1368a3b93dc2254163499a1cdb62f2294618

SHA256
985fe71b57c42aba09f8b3e122d2b4dfd0c4ef1e25e556457fe2a2a9bd885e03

SHA512
09b992e5729048da45eed10f0ee531fafa4b4110eb673865ca08639e3b4cc85185b3d32a209da2501ae4340b1514b27ff1a5ce7b8b2cf094cfc9a64a29ce02c7

Download Submit
memory/232-110-0x00007FF721E30000-0x00007FF722181000-memory.dmp

Filesize
3.3MB

Download
memory/232-247-0x00007FF721E30000-0x00007FF722181000-memory.dmp

Filesize
3.3MB

Download
memory/232-144-0x00007FF721E30000-0x00007FF722181000-memory.dmp

Filesize
3.3MB

Download
memory/648-129-0x00007FF6FCCB0000-0x00007FF6FD001000-memory.dmp

Filesize
3.3MB

Download
memory/648-7-0x00007FF6FCCB0000-0x00007FF6FD001000-memory.dmp

Filesize
3.3MB

Download
memory/648-201-0x00007FF6FCCB0000-0x00007FF6FD001000-memory.dmp

Filesize
3.3MB

Download
memory/844-140-0x00007FF7B5EE0000-0x00007FF7B6231000-memory.dmp

Filesize
3.3MB

Download
memory/844-237-0x00007FF7B5EE0000-0x00007FF7B6231000-memory.dmp

Filesize
3.3MB

Download
memory/844-90-0x00007FF7B5EE0000-0x00007FF7B6231000-memory.dmp

Filesize
3.3MB

Download
memory/1336-244-0x00007FF69C590000-0x00007FF69C8E1000-memory.dmp

Filesize
3.3MB

Download
memory/1336-93-0x00007FF69C590000-0x00007FF69C8E1000-memory.dmp

Filesize
3.3MB

Download
memory/1336-142-0x00007FF69C590000-0x00007FF69C8E1000-memory.dmp

Filesize
3.3MB

Download
memory/1488-65-0x00007FF727A80000-0x00007FF727DD1000-memory.dmp

Filesize
3.3MB

Download
memory/1488-240-0x00007FF727A80000-0x00007FF727DD1000-memory.dmp

Filesize
3.3MB

Download
memory/1488-139-0x00007FF727A80000-0x00007FF727DD1000-memory.dmp

Filesize
3.3MB

Download
memory/1828-256-0x00007FF71F960000-0x00007FF71FCB1000-memory.dmp

Filesize
3.3MB

Download
memory/1828-122-0x00007FF71F960000-0x00007FF71FCB1000-memory.dmp

Filesize
3.3MB

Download
memory/2284-216-0x00007FF734BA0000-0x00007FF734EF1000-memory.dmp

Filesize
3.3MB

Download
memory/2284-130-0x00007FF734BA0000-0x00007FF734EF1000-memory.dmp

Filesize
3.3MB

Download
memory/2284-19-0x00007FF734BA0000-0x00007FF734EF1000-memory.dmp

Filesize
3.3MB

Download
memory/2916-143-0x00007FF73ECE0000-0x00007FF73F031000-memory.dmp

Filesize
3.3MB

Download
memory/2916-248-0x00007FF73ECE0000-0x00007FF73F031000-memory.dmp

Filesize
3.3MB

Download
memory/2916-94-0x00007FF73ECE0000-0x00007FF73F031000-memory.dmp

Filesize
3.3MB

Download
memory/2952-252-0x00007FF7C21E0000-0x00007FF7C2531000-memory.dmp

Filesize
3.3MB

Download
memory/2952-123-0x00007FF7C21E0000-0x00007FF7C2531000-memory.dmp

Filesize
3.3MB

Download
memory/3264-258-0x00007FF6D7EA0000-0x00007FF6D81F1000-memory.dmp

Filesize
3.3MB

Download
memory/3264-127-0x00007FF6D7EA0000-0x00007FF6D81F1000-memory.dmp

Filesize
3.3MB

Download
memory/3392-31-0x00007FF711070000-0x00007FF7113C1000-memory.dmp

Filesize
3.3MB

Download
memory/3392-222-0x00007FF711070000-0x00007FF7113C1000-memory.dmp

Filesize
3.3MB

Download
memory/3460-126-0x00007FF6FE760000-0x00007FF6FEAB1000-memory.dmp

Filesize
3.3MB

Download
memory/3460-255-0x00007FF6FE760000-0x00007FF6FEAB1000-memory.dmp

Filesize
3.3MB

Download
memory/3560-228-0x00007FF716C80000-0x00007FF716FD1000-memory.dmp

Filesize
3.3MB

Download
memory/3560-135-0x00007FF716C80000-0x00007FF716FD1000-memory.dmp

Filesize
3.3MB

Download
memory/3560-46-0x00007FF716C80000-0x00007FF716FD1000-memory.dmp

Filesize
3.3MB

Download
memory/3576-136-0x00007FF7268C0000-0x00007FF726C11000-memory.dmp

Filesize
3.3MB

Download
memory/3576-57-0x00007FF7268C0000-0x00007FF726C11000-memory.dmp

Filesize
3.3MB

Download
memory/3576-224-0x00007FF7268C0000-0x00007FF726C11000-memory.dmp

Filesize
3.3MB

Download
memory/4040-238-0x00007FF76A450000-0x00007FF76A7A1000-memory.dmp

Filesize
3.3MB

Download
memory/4040-71-0x00007FF76A450000-0x00007FF76A7A1000-memory.dmp

Filesize
3.3MB

Download
memory/4040-138-0x00007FF76A450000-0x00007FF76A7A1000-memory.dmp

Filesize
3.3MB

Download
memory/4272-137-0x00007FF62EA30000-0x00007FF62ED81000-memory.dmp

Filesize
3.3MB

Download
memory/4272-58-0x00007FF62EA30000-0x00007FF62ED81000-memory.dmp

Filesize
3.3MB

Download
memory/4272-227-0x00007FF62EA30000-0x00007FF62ED81000-memory.dmp

Filesize
3.3MB

Download
memory/4352-22-0x00007FF62E060000-0x00007FF62E3B1000-memory.dmp

Filesize
3.3MB

Download
memory/4352-215-0x00007FF62E060000-0x00007FF62E3B1000-memory.dmp

Filesize
3.3MB

Download
memory/4352-131-0x00007FF62E060000-0x00007FF62E3B1000-memory.dmp

Filesize
3.3MB

Download
memory/4584-219-0x00007FF6142A0000-0x00007FF6145F1000-memory.dmp

Filesize
3.3MB

Download
memory/4584-37-0x00007FF6142A0000-0x00007FF6145F1000-memory.dmp

Filesize
3.3MB

Download
memory/4584-134-0x00007FF6142A0000-0x00007FF6145F1000-memory.dmp

Filesize
3.3MB

Download
memory/4744-117-0x00007FF6A0200000-0x00007FF6A0551000-memory.dmp

Filesize
3.3MB

Download
memory/4744-250-0x00007FF6A0200000-0x00007FF6A0551000-memory.dmp

Filesize
3.3MB

Download
memory/4752-33-0x00007FF792920000-0x00007FF792C71000-memory.dmp

Filesize
3.3MB

Download
memory/4752-220-0x00007FF792920000-0x00007FF792C71000-memory.dmp

Filesize
3.3MB

Download
memory/4752-133-0x00007FF792920000-0x00007FF792C71000-memory.dmp

Filesize
3.3MB

Download
memory/4880-128-0x00007FF7316B0000-0x00007FF731A01000-memory.dmp

Filesize
3.3MB

Download
memory/4880-0-0x00007FF7316B0000-0x00007FF731A01000-memory.dmp

Filesize
3.3MB

Download
memory/4880-150-0x00007FF7316B0000-0x00007FF731A01000-memory.dmp

Filesize
3.3MB

Download
memory/4880-151-0x00007FF7316B0000-0x00007FF731A01000-memory.dmp

Filesize
3.3MB

Download
memory/4880-1-0x00000208EF260000-0x00000208EF270000-memory.dmp

Filesize
64KB

Download
memory/4964-242-0x00007FF7E4740000-0x00007FF7E4A91000-memory.dmp

Filesize
3.3MB

Download
memory/4964-113-0x00007FF7E4740000-0x00007FF7E4A91000-memory.dmp

Filesize
3.3MB

Download