cobaltstrike | e2999ebfb0d288ffb05404a99dfd7604f8ee0d4ff7b6313e829708fa53e38ba9

Analysis

max time kernel
141s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27-12-2024 03:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-27_02f8258c7dd5a419fa850a0988744e44_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

02f8258c7dd5a419fa850a0988744e44
SHA1

eb78d8ff2e8eaaedb7760b9fa230736ffa42678f
SHA256

e2999ebfb0d288ffb05404a99dfd7604f8ee0d4ff7b6313e829708fa53e38ba9
SHA512

11a45872c93b2a025a465ea48c58f452475feb915b6bf0f388d369fafbfd729b9538dfa295c09ef122717bbb924b7be00d344859dcdd2e106be727e7094782d5
SSDEEP

49152:ROdWCCi7/raA56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lS:RWWBibj56utgpPFotBER/mQ32lUu

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000b000000023b8b-6.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b92-8.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b94-27.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b96-40.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b97-50.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9b-73.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9a-68.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b99-65.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b98-61.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b95-47.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b93-32.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b9e-97.dat	cobalt_reflective_dll
behavioral2/files/0x000e000000023bae-118.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023bbc-123.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba7-121.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bb7-117.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b9d-104.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b9f-101.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b8f-90.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9c-80.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b8e-19.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/4568-59-0x00007FF7B1620000-0x00007FF7B1971000-memory.dmp	xmrig
behavioral2/memory/3240-108-0x00007FF656510000-0x00007FF656861000-memory.dmp	xmrig
behavioral2/memory/4608-94-0x00007FF7CB480000-0x00007FF7CB7D1000-memory.dmp	xmrig
behavioral2/memory/5104-92-0x00007FF725880000-0x00007FF725BD1000-memory.dmp	xmrig
behavioral2/memory/3712-83-0x00007FF6D91E0000-0x00007FF6D9531000-memory.dmp	xmrig
behavioral2/memory/4464-126-0x00007FF734640000-0x00007FF734991000-memory.dmp	xmrig
behavioral2/memory/3140-127-0x00007FF66FF50000-0x00007FF6702A1000-memory.dmp	xmrig
behavioral2/memory/4360-128-0x00007FF7DB6B0000-0x00007FF7DBA01000-memory.dmp	xmrig
behavioral2/memory/492-131-0x00007FF66EF10000-0x00007FF66F261000-memory.dmp	xmrig
behavioral2/memory/936-133-0x00007FF664800000-0x00007FF664B51000-memory.dmp	xmrig
behavioral2/memory/4344-132-0x00007FF7AF330000-0x00007FF7AF681000-memory.dmp	xmrig
behavioral2/memory/3216-130-0x00007FF778CA0000-0x00007FF778FF1000-memory.dmp	xmrig
behavioral2/memory/916-129-0x00007FF7E4B10000-0x00007FF7E4E61000-memory.dmp	xmrig
behavioral2/memory/1588-134-0x00007FF653CC0000-0x00007FF654011000-memory.dmp	xmrig
behavioral2/memory/1416-135-0x00007FF77C540000-0x00007FF77C891000-memory.dmp	xmrig
behavioral2/memory/3384-138-0x00007FF69A8C0000-0x00007FF69AC11000-memory.dmp	xmrig
behavioral2/memory/2224-137-0x00007FF797590000-0x00007FF7978E1000-memory.dmp	xmrig
behavioral2/memory/2284-136-0x00007FF7DD270000-0x00007FF7DD5C1000-memory.dmp	xmrig
behavioral2/memory/2344-139-0x00007FF6E4BD0000-0x00007FF6E4F21000-memory.dmp	xmrig
behavioral2/memory/3712-140-0x00007FF6D91E0000-0x00007FF6D9531000-memory.dmp	xmrig
behavioral2/memory/2756-154-0x00007FF7D25F0000-0x00007FF7D2941000-memory.dmp	xmrig
behavioral2/memory/4384-156-0x00007FF7AD780000-0x00007FF7ADAD1000-memory.dmp	xmrig
behavioral2/memory/4880-155-0x00007FF7199F0000-0x00007FF719D41000-memory.dmp	xmrig
behavioral2/memory/3712-163-0x00007FF6D91E0000-0x00007FF6D9531000-memory.dmp	xmrig
behavioral2/memory/5104-222-0x00007FF725880000-0x00007FF725BD1000-memory.dmp	xmrig
behavioral2/memory/4608-224-0x00007FF7CB480000-0x00007FF7CB7D1000-memory.dmp	xmrig
behavioral2/memory/916-226-0x00007FF7E4B10000-0x00007FF7E4E61000-memory.dmp	xmrig
behavioral2/memory/1588-228-0x00007FF653CC0000-0x00007FF654011000-memory.dmp	xmrig
behavioral2/memory/4568-230-0x00007FF7B1620000-0x00007FF7B1971000-memory.dmp	xmrig
behavioral2/memory/492-232-0x00007FF66EF10000-0x00007FF66F261000-memory.dmp	xmrig
behavioral2/memory/4344-234-0x00007FF7AF330000-0x00007FF7AF681000-memory.dmp	xmrig
behavioral2/memory/1416-236-0x00007FF77C540000-0x00007FF77C891000-memory.dmp	xmrig
behavioral2/memory/2284-238-0x00007FF7DD270000-0x00007FF7DD5C1000-memory.dmp	xmrig
behavioral2/memory/3384-240-0x00007FF69A8C0000-0x00007FF69AC11000-memory.dmp	xmrig
behavioral2/memory/2224-242-0x00007FF797590000-0x00007FF7978E1000-memory.dmp	xmrig
behavioral2/memory/2344-244-0x00007FF6E4BD0000-0x00007FF6E4F21000-memory.dmp	xmrig
behavioral2/memory/4880-254-0x00007FF7199F0000-0x00007FF719D41000-memory.dmp	xmrig
behavioral2/memory/2756-256-0x00007FF7D25F0000-0x00007FF7D2941000-memory.dmp	xmrig
behavioral2/memory/3240-259-0x00007FF656510000-0x00007FF656861000-memory.dmp	xmrig
behavioral2/memory/4384-260-0x00007FF7AD780000-0x00007FF7ADAD1000-memory.dmp	xmrig
behavioral2/memory/4464-262-0x00007FF734640000-0x00007FF734991000-memory.dmp	xmrig
behavioral2/memory/3140-264-0x00007FF66FF50000-0x00007FF6702A1000-memory.dmp	xmrig
behavioral2/memory/4360-267-0x00007FF7DB6B0000-0x00007FF7DBA01000-memory.dmp	xmrig
behavioral2/memory/936-268-0x00007FF664800000-0x00007FF664B51000-memory.dmp	xmrig
behavioral2/memory/3216-270-0x00007FF778CA0000-0x00007FF778FF1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
5104	FMkKOCy.exe
4608	RIRBUUH.exe
916	EzPicQH.exe
1588	LvdLgoW.exe
492	llcBMHo.exe
4568	pqiXZcj.exe
4344	uYWVdkt.exe
1416	sfgcrIS.exe
2284	rlExivr.exe
3384	cZqacCe.exe
2224	nznezxp.exe
2344	dKvarII.exe
2756	PTGmDpF.exe
4880	BpqMpes.exe
4384	ImQXLIZ.exe
4464	zvwXGVs.exe
3240	BuAHAcJ.exe
3216	DKiGVpH.exe
3140	TtKzflz.exe
4360	OMfnSmL.exe
936	cxNxvIM.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3712-0-0x00007FF6D91E0000-0x00007FF6D9531000-memory.dmp	upx
behavioral2/files/0x000b000000023b8b-6.dat	upx
behavioral2/files/0x000a000000023b92-8.dat	upx
behavioral2/files/0x000a000000023b94-27.dat	upx
behavioral2/memory/1588-28-0x00007FF653CC0000-0x00007FF654011000-memory.dmp	upx
behavioral2/files/0x000a000000023b96-40.dat	upx
behavioral2/files/0x000a000000023b97-50.dat	upx
behavioral2/memory/4568-59-0x00007FF7B1620000-0x00007FF7B1971000-memory.dmp	upx
behavioral2/memory/2284-60-0x00007FF7DD270000-0x00007FF7DD5C1000-memory.dmp	upx
behavioral2/memory/3384-71-0x00007FF69A8C0000-0x00007FF69AC11000-memory.dmp	upx
behavioral2/files/0x000a000000023b9b-73.dat	upx
behavioral2/memory/2344-72-0x00007FF6E4BD0000-0x00007FF6E4F21000-memory.dmp	upx
behavioral2/files/0x000a000000023b9a-68.dat	upx
behavioral2/files/0x000a000000023b99-65.dat	upx
behavioral2/memory/2224-63-0x00007FF797590000-0x00007FF7978E1000-memory.dmp	upx
behavioral2/memory/1416-54-0x00007FF77C540000-0x00007FF77C891000-memory.dmp	upx
behavioral2/files/0x000a000000023b98-61.dat	upx
behavioral2/files/0x000a000000023b95-47.dat	upx
behavioral2/memory/4344-43-0x00007FF7AF330000-0x00007FF7AF681000-memory.dmp	upx
behavioral2/memory/492-42-0x00007FF66EF10000-0x00007FF66F261000-memory.dmp	upx
behavioral2/files/0x000a000000023b93-32.dat	upx
behavioral2/memory/2756-78-0x00007FF7D25F0000-0x00007FF7D2941000-memory.dmp	upx
behavioral2/files/0x000b000000023b9e-97.dat	upx
behavioral2/files/0x000e000000023bae-118.dat	upx
behavioral2/files/0x0009000000023bbc-123.dat	upx
behavioral2/files/0x000a000000023ba7-121.dat	upx
behavioral2/files/0x0008000000023bb7-117.dat	upx
behavioral2/memory/3240-108-0x00007FF656510000-0x00007FF656861000-memory.dmp	upx
behavioral2/memory/4384-106-0x00007FF7AD780000-0x00007FF7ADAD1000-memory.dmp	upx
behavioral2/files/0x000b000000023b9d-104.dat	upx
behavioral2/files/0x000b000000023b9f-101.dat	upx
behavioral2/memory/4608-94-0x00007FF7CB480000-0x00007FF7CB7D1000-memory.dmp	upx
behavioral2/memory/5104-92-0x00007FF725880000-0x00007FF725BD1000-memory.dmp	upx
behavioral2/files/0x000b000000023b8f-90.dat	upx
behavioral2/memory/4880-89-0x00007FF7199F0000-0x00007FF719D41000-memory.dmp	upx
behavioral2/memory/3712-83-0x00007FF6D91E0000-0x00007FF6D9531000-memory.dmp	upx
behavioral2/files/0x000a000000023b9c-80.dat	upx
behavioral2/memory/916-18-0x00007FF7E4B10000-0x00007FF7E4E61000-memory.dmp	upx
behavioral2/memory/4608-15-0x00007FF7CB480000-0x00007FF7CB7D1000-memory.dmp	upx
behavioral2/files/0x000b000000023b8e-19.dat	upx
behavioral2/memory/5104-9-0x00007FF725880000-0x00007FF725BD1000-memory.dmp	upx
behavioral2/memory/4464-126-0x00007FF734640000-0x00007FF734991000-memory.dmp	upx
behavioral2/memory/3140-127-0x00007FF66FF50000-0x00007FF6702A1000-memory.dmp	upx
behavioral2/memory/4360-128-0x00007FF7DB6B0000-0x00007FF7DBA01000-memory.dmp	upx
behavioral2/memory/492-131-0x00007FF66EF10000-0x00007FF66F261000-memory.dmp	upx
behavioral2/memory/936-133-0x00007FF664800000-0x00007FF664B51000-memory.dmp	upx
behavioral2/memory/4344-132-0x00007FF7AF330000-0x00007FF7AF681000-memory.dmp	upx
behavioral2/memory/3216-130-0x00007FF778CA0000-0x00007FF778FF1000-memory.dmp	upx
behavioral2/memory/916-129-0x00007FF7E4B10000-0x00007FF7E4E61000-memory.dmp	upx
behavioral2/memory/1588-134-0x00007FF653CC0000-0x00007FF654011000-memory.dmp	upx
behavioral2/memory/1416-135-0x00007FF77C540000-0x00007FF77C891000-memory.dmp	upx
behavioral2/memory/3384-138-0x00007FF69A8C0000-0x00007FF69AC11000-memory.dmp	upx
behavioral2/memory/2224-137-0x00007FF797590000-0x00007FF7978E1000-memory.dmp	upx
behavioral2/memory/2284-136-0x00007FF7DD270000-0x00007FF7DD5C1000-memory.dmp	upx
behavioral2/memory/2344-139-0x00007FF6E4BD0000-0x00007FF6E4F21000-memory.dmp	upx
behavioral2/memory/3712-140-0x00007FF6D91E0000-0x00007FF6D9531000-memory.dmp	upx
behavioral2/memory/2756-154-0x00007FF7D25F0000-0x00007FF7D2941000-memory.dmp	upx
behavioral2/memory/4384-156-0x00007FF7AD780000-0x00007FF7ADAD1000-memory.dmp	upx
behavioral2/memory/4880-155-0x00007FF7199F0000-0x00007FF719D41000-memory.dmp	upx
behavioral2/memory/3712-163-0x00007FF6D91E0000-0x00007FF6D9531000-memory.dmp	upx
behavioral2/memory/5104-222-0x00007FF725880000-0x00007FF725BD1000-memory.dmp	upx
behavioral2/memory/4608-224-0x00007FF7CB480000-0x00007FF7CB7D1000-memory.dmp	upx
behavioral2/memory/916-226-0x00007FF7E4B10000-0x00007FF7E4E61000-memory.dmp	upx
behavioral2/memory/1588-228-0x00007FF653CC0000-0x00007FF654011000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\zvwXGVs.exe	2024-12-27_02f8258c7dd5a419fa850a0988744e44_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BuAHAcJ.exe	2024-12-27_02f8258c7dd5a419fa850a0988744e44_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TtKzflz.exe	2024-12-27_02f8258c7dd5a419fa850a0988744e44_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FMkKOCy.exe	2024-12-27_02f8258c7dd5a419fa850a0988744e44_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RIRBUUH.exe	2024-12-27_02f8258c7dd5a419fa850a0988744e44_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uYWVdkt.exe	2024-12-27_02f8258c7dd5a419fa850a0988744e44_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rlExivr.exe	2024-12-27_02f8258c7dd5a419fa850a0988744e44_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BpqMpes.exe	2024-12-27_02f8258c7dd5a419fa850a0988744e44_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OMfnSmL.exe	2024-12-27_02f8258c7dd5a419fa850a0988744e44_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EzPicQH.exe	2024-12-27_02f8258c7dd5a419fa850a0988744e44_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\llcBMHo.exe	2024-12-27_02f8258c7dd5a419fa850a0988744e44_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pqiXZcj.exe	2024-12-27_02f8258c7dd5a419fa850a0988744e44_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dKvarII.exe	2024-12-27_02f8258c7dd5a419fa850a0988744e44_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DKiGVpH.exe	2024-12-27_02f8258c7dd5a419fa850a0988744e44_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nznezxp.exe	2024-12-27_02f8258c7dd5a419fa850a0988744e44_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cxNxvIM.exe	2024-12-27_02f8258c7dd5a419fa850a0988744e44_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LvdLgoW.exe	2024-12-27_02f8258c7dd5a419fa850a0988744e44_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sfgcrIS.exe	2024-12-27_02f8258c7dd5a419fa850a0988744e44_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cZqacCe.exe	2024-12-27_02f8258c7dd5a419fa850a0988744e44_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PTGmDpF.exe	2024-12-27_02f8258c7dd5a419fa850a0988744e44_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ImQXLIZ.exe	2024-12-27_02f8258c7dd5a419fa850a0988744e44_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3712	2024-12-27_02f8258c7dd5a419fa850a0988744e44_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	3712	2024-12-27_02f8258c7dd5a419fa850a0988744e44_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3712 wrote to memory of 5104	3712	2024-12-27_02f8258c7dd5a419fa850a0988744e44_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3712 wrote to memory of 5104	3712	2024-12-27_02f8258c7dd5a419fa850a0988744e44_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3712 wrote to memory of 4608	3712	2024-12-27_02f8258c7dd5a419fa850a0988744e44_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3712 wrote to memory of 4608	3712	2024-12-27_02f8258c7dd5a419fa850a0988744e44_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3712 wrote to memory of 916	3712	2024-12-27_02f8258c7dd5a419fa850a0988744e44_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3712 wrote to memory of 916	3712	2024-12-27_02f8258c7dd5a419fa850a0988744e44_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3712 wrote to memory of 1588	3712	2024-12-27_02f8258c7dd5a419fa850a0988744e44_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3712 wrote to memory of 1588	3712	2024-12-27_02f8258c7dd5a419fa850a0988744e44_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3712 wrote to memory of 492	3712	2024-12-27_02f8258c7dd5a419fa850a0988744e44_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3712 wrote to memory of 492	3712	2024-12-27_02f8258c7dd5a419fa850a0988744e44_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3712 wrote to memory of 4344	3712	2024-12-27_02f8258c7dd5a419fa850a0988744e44_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3712 wrote to memory of 4344	3712	2024-12-27_02f8258c7dd5a419fa850a0988744e44_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3712 wrote to memory of 4568	3712	2024-12-27_02f8258c7dd5a419fa850a0988744e44_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3712 wrote to memory of 4568	3712	2024-12-27_02f8258c7dd5a419fa850a0988744e44_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3712 wrote to memory of 1416	3712	2024-12-27_02f8258c7dd5a419fa850a0988744e44_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3712 wrote to memory of 1416	3712	2024-12-27_02f8258c7dd5a419fa850a0988744e44_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3712 wrote to memory of 2284	3712	2024-12-27_02f8258c7dd5a419fa850a0988744e44_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3712 wrote to memory of 2284	3712	2024-12-27_02f8258c7dd5a419fa850a0988744e44_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3712 wrote to memory of 3384	3712	2024-12-27_02f8258c7dd5a419fa850a0988744e44_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3712 wrote to memory of 3384	3712	2024-12-27_02f8258c7dd5a419fa850a0988744e44_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3712 wrote to memory of 2224	3712	2024-12-27_02f8258c7dd5a419fa850a0988744e44_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3712 wrote to memory of 2224	3712	2024-12-27_02f8258c7dd5a419fa850a0988744e44_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3712 wrote to memory of 2344	3712	2024-12-27_02f8258c7dd5a419fa850a0988744e44_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3712 wrote to memory of 2344	3712	2024-12-27_02f8258c7dd5a419fa850a0988744e44_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3712 wrote to memory of 2756	3712	2024-12-27_02f8258c7dd5a419fa850a0988744e44_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3712 wrote to memory of 2756	3712	2024-12-27_02f8258c7dd5a419fa850a0988744e44_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3712 wrote to memory of 4880	3712	2024-12-27_02f8258c7dd5a419fa850a0988744e44_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3712 wrote to memory of 4880	3712	2024-12-27_02f8258c7dd5a419fa850a0988744e44_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3712 wrote to memory of 4384	3712	2024-12-27_02f8258c7dd5a419fa850a0988744e44_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3712 wrote to memory of 4384	3712	2024-12-27_02f8258c7dd5a419fa850a0988744e44_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3712 wrote to memory of 4464	3712	2024-12-27_02f8258c7dd5a419fa850a0988744e44_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3712 wrote to memory of 4464	3712	2024-12-27_02f8258c7dd5a419fa850a0988744e44_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3712 wrote to memory of 3240	3712	2024-12-27_02f8258c7dd5a419fa850a0988744e44_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3712 wrote to memory of 3240	3712	2024-12-27_02f8258c7dd5a419fa850a0988744e44_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3712 wrote to memory of 3216	3712	2024-12-27_02f8258c7dd5a419fa850a0988744e44_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3712 wrote to memory of 3216	3712	2024-12-27_02f8258c7dd5a419fa850a0988744e44_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3712 wrote to memory of 3140	3712	2024-12-27_02f8258c7dd5a419fa850a0988744e44_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3712 wrote to memory of 3140	3712	2024-12-27_02f8258c7dd5a419fa850a0988744e44_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3712 wrote to memory of 4360	3712	2024-12-27_02f8258c7dd5a419fa850a0988744e44_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 3712 wrote to memory of 4360	3712	2024-12-27_02f8258c7dd5a419fa850a0988744e44_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 3712 wrote to memory of 936	3712	2024-12-27_02f8258c7dd5a419fa850a0988744e44_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 3712 wrote to memory of 936	3712	2024-12-27_02f8258c7dd5a419fa850a0988744e44_cobalt-strike_cobaltstrike_poet-rat.exe	105

C:\Users\Admin\AppData\Local\Temp\2024-12-27_02f8258c7dd5a419fa850a0988744e44_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-27_02f8258c7dd5a419fa850a0988744e44_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3712
- C:\Windows\System\FMkKOCy.exe
  C:\Windows\System\FMkKOCy.exe
  2⤵
  - Executes dropped EXE
  PID:5104
- C:\Windows\System\RIRBUUH.exe
  C:\Windows\System\RIRBUUH.exe
  2⤵
  - Executes dropped EXE
  PID:4608
- C:\Windows\System\EzPicQH.exe
  C:\Windows\System\EzPicQH.exe
  2⤵
  - Executes dropped EXE
  PID:916
- C:\Windows\System\LvdLgoW.exe
  C:\Windows\System\LvdLgoW.exe
  2⤵
  - Executes dropped EXE
  PID:1588
- C:\Windows\System\llcBMHo.exe
  C:\Windows\System\llcBMHo.exe
  2⤵
  - Executes dropped EXE
  PID:492
- C:\Windows\System\uYWVdkt.exe
  C:\Windows\System\uYWVdkt.exe
  2⤵
  - Executes dropped EXE
  PID:4344
- C:\Windows\System\pqiXZcj.exe
  C:\Windows\System\pqiXZcj.exe
  2⤵
  - Executes dropped EXE
  PID:4568
- C:\Windows\System\sfgcrIS.exe
  C:\Windows\System\sfgcrIS.exe
  2⤵
  - Executes dropped EXE
  PID:1416
- C:\Windows\System\rlExivr.exe
  C:\Windows\System\rlExivr.exe
  2⤵
  - Executes dropped EXE
  PID:2284
- C:\Windows\System\cZqacCe.exe
  C:\Windows\System\cZqacCe.exe
  2⤵
  - Executes dropped EXE
  PID:3384
- C:\Windows\System\nznezxp.exe
  C:\Windows\System\nznezxp.exe
  2⤵
  - Executes dropped EXE
  PID:2224
- C:\Windows\System\dKvarII.exe
  C:\Windows\System\dKvarII.exe
  2⤵
  - Executes dropped EXE
  PID:2344
- C:\Windows\System\PTGmDpF.exe
  C:\Windows\System\PTGmDpF.exe
  2⤵
  - Executes dropped EXE
  PID:2756
- C:\Windows\System\BpqMpes.exe
  C:\Windows\System\BpqMpes.exe
  2⤵
  - Executes dropped EXE
  PID:4880
- C:\Windows\System\ImQXLIZ.exe
  C:\Windows\System\ImQXLIZ.exe
  2⤵
  - Executes dropped EXE
  PID:4384
- C:\Windows\System\zvwXGVs.exe
  C:\Windows\System\zvwXGVs.exe
  2⤵
  - Executes dropped EXE
  PID:4464
- C:\Windows\System\BuAHAcJ.exe
  C:\Windows\System\BuAHAcJ.exe
  2⤵
  - Executes dropped EXE
  PID:3240
- C:\Windows\System\DKiGVpH.exe
  C:\Windows\System\DKiGVpH.exe
  2⤵
  - Executes dropped EXE
  PID:3216
- C:\Windows\System\TtKzflz.exe
  C:\Windows\System\TtKzflz.exe
  2⤵
  - Executes dropped EXE
  PID:3140
- C:\Windows\System\OMfnSmL.exe
  C:\Windows\System\OMfnSmL.exe
  2⤵
  - Executes dropped EXE
  PID:4360
- C:\Windows\System\cxNxvIM.exe
  C:\Windows\System\cxNxvIM.exe
  2⤵
  - Executes dropped EXE
  PID:936

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BpqMpes.exe

Filesize
5.2MB

MD5
c9529ed4a8c0ca199f135c7346cab43e

SHA1
ca6852c6ae37b9d921d07308d14a79479a360964

SHA256
368b01147f82b10fc19a25b8d6b665c0c04ca0063aa9127df83c6b5645d49f4b

SHA512
9e3ef92724db480ea8fe853231cf7aae808c51c632de72c3ebdbb15a74f4b0212f961cc3770a656c6eea380634403997dc5b9391da212f6da295b40dd62fdea6

Download Submit
C:\Windows\System\BuAHAcJ.exe

Filesize
5.2MB

MD5
f20da9459fdd954fa2beb5580c8ca958

SHA1
64816543f2ad7e923a83b0b8fa579163ca2dc4dd

SHA256
deb4b29bfbcf5aa56d94b4f3d0a27c51350803ccf43c7bdf1bb72e6a1971d128

SHA512
c8b55cbf2291d7b520d61404634802ac3e7a36e7eff14990ec0e7dc71288e70cea8e469c236194f153baa5c9f97f903b4699dc5a391917a1942ef4a16f947ea7

Download Submit
C:\Windows\System\DKiGVpH.exe

Filesize
5.2MB

MD5
b73e7076b3e5134a7d7cd2e6a642c7f7

SHA1
b5ecc1e8c56efb56e57fee56b3608ba572c27709

SHA256
72de759c32c7e1aacfb277a8bade6672c94144fbba3650439340e49f3bd22dab

SHA512
1fb6beaeb4f0e6af71f826cd4509476592e527904ab9080990bc8a2ba30dc639632a5e47ee87eceface95e2f5e3733031da7e953888bf9db4a30a643903f7342

Download Submit
C:\Windows\System\EzPicQH.exe

Filesize
5.2MB

MD5
ef16b8491a3e01d97150960d11d1ad87

SHA1
097fb327d206a9208ee92237c765148338e4635c

SHA256
fd00ed3f0c0cb1d3b5879508e78bec52b72464a6b6ac4ea652d01764019926c1

SHA512
49af0c6bcf04cd25d99df5b1e36a7e2e7cf3cd915af152542fbb103b6fb155534af34dcd1dd86be0e8fff40bdf6bf0c13868ed71ea61b462cadce543112d3977

Download Submit
C:\Windows\System\FMkKOCy.exe

Filesize
5.2MB

MD5
1c2c0aa2f478ee94f0ef27d8b728da9a

SHA1
797faebaa7889998aec5dad0835b1939c0219cb7

SHA256
37483c18b1d7671742d8bca0bff6fc727835d20df7e5e9d4bfcb7bfaf8856f28

SHA512
3e274b62186df9a5189066c3b6c6f43bdaf74c6baa2e4d887ddb65e6df14e06c47ec5734d3711ef9a8e584ee92ad85081c6dbc11b9ff2e3f03cfb5de55ef282a

Download Submit
C:\Windows\System\ImQXLIZ.exe

Filesize
5.2MB

MD5
33f50468d459a8e344317b8453d9d4ce

SHA1
6d7ca841e49d338810f86584045f9511942ab23a

SHA256
f62bf3db6769debbe52098276aea8aabb0196547e8e49f96254d6d167572e92e

SHA512
7d22fefba7ea3fc5c66906cc187409e40d6633020cae58d359159c835e918d3feb5912789d4956dd06884e3cd866811aa87dbd88c4ee7b31442af71d8d19de49

Download Submit
C:\Windows\System\LvdLgoW.exe

Filesize
5.2MB

MD5
1f7d9e8f05a1f64f7b297c1adab3fb34

SHA1
a3ecb7c8ab31761e84517217bde8b01bfacf5b4a

SHA256
ffde6185f5bbe4364be75f3171887237bc1e6cfa61bbe7788f8defef5966ce89

SHA512
764cd2ab7e50818dd79447a82c2b8e0c7cbbf42d9d6f8b411b027e83b7e84aeadc3d9abed0e23bbeac456c0c7acfb14f97157fb2ee0bf19b55c982e312e94a85

Download Submit
C:\Windows\System\OMfnSmL.exe

Filesize
5.2MB

MD5
2da479ac11617b8491332fe2ac7867fd

SHA1
0e42f79ead1a625ba0119a529fd6c1439be45833

SHA256
ca86405e3f499449df3f0d5c36f96fd6ef6084c9edb60fd6f4f8fcbbedc7dc39

SHA512
fc7a59b4a59f3850d02486f0959b026bfabc9cd201f56fd4003eb8dc0183b2542e8941bd18791bf2437e0f45f325d101ec0a25f40b7659b451763e6106a15b3e

Download Submit
C:\Windows\System\PTGmDpF.exe

Filesize
5.2MB

MD5
028505cb7e4316065263b09df564834d

SHA1
74debc105f11779aa001e3c031dcd2618e368464

SHA256
3aaff90f18649c5cfd502b77070a65b58a868ad763560fce0ca1a440b0a1bb6d

SHA512
7b8599aec296b214fc4ac86cfd8fecc180115fa43958e6e2a7ee33a2bf6b60bad2f9ca09822ffc9e217cca7463b409148437ab2c4d97b6d92e6e229ff3d4eaa7

Download Submit
C:\Windows\System\RIRBUUH.exe

Filesize
5.2MB

MD5
9287845e008eb43a8cd12eb06c33075d

SHA1
b771a056615321050ac5bfa6d14f0fdc861ab537

SHA256
573110980c6a007dbcdab62648f8e6f1890efae2aa1320ea381295a2881175dd

SHA512
9994791d27911afa88907beccc5494989de474aefa3b77ef6a93cfaa45530ffec5880b9f353bae35db172e722827e3d62a4a647488b5d796f1b5323517c781e1

Download Submit
C:\Windows\System\TtKzflz.exe

Filesize
5.2MB

MD5
2409379922fd0baf9841166f143a8d37

SHA1
79dc21558ea7d2aecf1c039e8afc3f611013e164

SHA256
e9d902212fcd7375c714c8990763fd912f7707b6cdab3f62d45f258da1a6ee78

SHA512
10e5dbe3e4026797de9b40fda4dc70a547c6176dd4f62388c6d32862e85e34bf8068d0dd229be2efd4f4d208119d9e5e6427505afd9a34721de75373a9761e9d

Download Submit
C:\Windows\System\cZqacCe.exe

Filesize
5.2MB

MD5
085d399b80e601ce1e4066c5bab9e287

SHA1
077ffabd698e2dac20205468b1628c78c1da68a1

SHA256
14c7d219ab78193f5cbd6afd0ae5dc2809e6beadc684e5f2d99310e23e091d90

SHA512
39cfde0eb17da10fcb5b02e902d072d6935c1555846caa1550669e43c0f72a17255b6e50f022e4548824abf61ed1d465886f6c44ad94a194f4cd0e475cc227dc

Download Submit
C:\Windows\System\cxNxvIM.exe

Filesize
5.2MB

MD5
e41a438ffe2c564941ae5980843c9771

SHA1
808ba9c2653753d6d24753bd5b9bc0fff9e7e7fa

SHA256
0ffb58b65664118769844db3b271402ea117ccb996eee36270dccd2f320f8766

SHA512
98e6cd4501b4792887e33f4738ea15ece4cc189c5d6bb87f4161b241cf05cf1510d76156a87a5f975b52e195fd7c581a89bc775be020d1c81896fbdffd7adea7

Download Submit
C:\Windows\System\dKvarII.exe

Filesize
5.2MB

MD5
841383ddfdd7f4d03ec730ab4b68e0ef

SHA1
ae9ab94404ca996039449419a18993228f73fa19

SHA256
5e05b4b9ddb3a13bcb194162ea4815460dbe200bc4572ce2617a3fbbb2469f3b

SHA512
f7e7d713327c6c1d34fbbd98842cf791a66c9dc9fbe8b4886cf067708e5e188281423b3f671b6389d8c08d137322b4d909915ec2ed49e809b073df2386bd0f63

Download Submit
C:\Windows\System\llcBMHo.exe

Filesize
5.2MB

MD5
cc952f2011268dc37878ebe5d99e47ae

SHA1
3b08aa6a1d26ba8213846cda6fd92c72a48ed6bd

SHA256
86378f4d05b8d7dde49a19fb88b7082dd73c4cb04b2838c7791dadc0d40a83cc

SHA512
c1359ebb9103dfdf21d5869aa16746cea78c67475070c96c2db015685608f47231623c31c2af1d3a2a1f0a2ef80d62e196f48a6c1ab7701adeb048b9e7f67b1b

Download Submit
C:\Windows\System\nznezxp.exe

Filesize
5.2MB

MD5
2fb29957512b2a625c9732db90168d9c

SHA1
60c37bde985962dbb23f3a03bc2987909e71b89c

SHA256
cfc3889b6d15b552e9659e5cde5bf62921e0f9f34403eb9cc5b7f8a48bf3f087

SHA512
7a824af6d0f03bbe862c641de438619e071bab58b427abad8e0b10cc48ce5926dd4b2d0f7378dbef68126c485fd0f083234e1cc44db878789019450671dcd653

Download Submit
C:\Windows\System\pqiXZcj.exe

Filesize
5.2MB

MD5
12ceebb5fd8addc6946a1c5131431844

SHA1
c8822d35036f78ccf033debb0a5195cdfe0861b0

SHA256
aa222b21a04f71661e9600db87acf8bfb9e1b75b87673f02248b62223d96de84

SHA512
81cb7e0721e850ef1a72f98cc2533aa3f160bac64415503c3f68eb25b5a8534746b83e92b9e62bd33fa47905cb006b781f3981620b8899c4a0e143f522b581a6

Download Submit
C:\Windows\System\rlExivr.exe

Filesize
5.2MB

MD5
c67ab6d0c1c8e4ce48f70b4b0865b1e0

SHA1
64d8742ed82a03734c23cda0c77fc59743218c93

SHA256
f337f1c581522d87aab7fc558464d42875e9237e03484df4ec71af238d120f0a

SHA512
a10306faa1f87768743e9ed4afd4c652bc7f9f61921da2a62746a1492ea89a29d9302c8f1e717bc5bd4ebf079a3d38e279a94a5ee9e35b225efdc1f76c6175f4

Download Submit
C:\Windows\System\sfgcrIS.exe

Filesize
5.2MB

MD5
360f9840bc2d7b7b1ba63980a8b8e4eb

SHA1
5209eccbb1edd8afa7da7f2b1854863ffe02ef25

SHA256
ba26790693bc8c80738add1908f8c3cd1729c03c78d3e4d496bcfc7421464dac

SHA512
c58abd9f6b907f577ddcd10305228dd10879458ca7eeec054f1ecc7b546397d1aec7ce8268f45cf624560b9141dcfc182142bdc3c685c0e802115f76c15579fe

Download Submit
C:\Windows\System\uYWVdkt.exe

Filesize
5.2MB

MD5
62f172002760ff865a9388afce80ad7b

SHA1
32f25490ca5a711bd22c2e0fb57585020577bb57

SHA256
99e1b3bcc4f94d22f377ba63b8a2d82d44512dd0e4f7babba610d2b63ff4e802

SHA512
6decb42ff5375049e30b7820435f130b0a509cf5f977c5a0ce271a2acc35e7d29833f731b4f77840d167ef4139683dd6c26b188adc0f16126a71b54f16ca8ba7

Download Submit
C:\Windows\System\zvwXGVs.exe

Filesize
5.2MB

MD5
9f3fa308e51aa371e3ce3bb84b0e682f

SHA1
3a95b1abfe7473c9ce49a9d6cd5dbd8ef6eb6573

SHA256
bc8bcf083f5fdc39e2bef3a4f753d4e45723b41644a42a0694cf75773fc6d1a0

SHA512
db47ef3b7882f1e398eb4f9524ed1dedad4e7c057f70d69476c62fa4c2667d2adc1f8ac3cce31533dff2295978f79e5518bae9db6cac1cdcb3aacea7a62bcc1f

Download Submit
memory/492-131-0x00007FF66EF10000-0x00007FF66F261000-memory.dmp

Filesize
3.3MB

Download
memory/492-42-0x00007FF66EF10000-0x00007FF66F261000-memory.dmp

Filesize
3.3MB

Download
memory/492-232-0x00007FF66EF10000-0x00007FF66F261000-memory.dmp

Filesize
3.3MB

Download
memory/916-129-0x00007FF7E4B10000-0x00007FF7E4E61000-memory.dmp

Filesize
3.3MB

Download
memory/916-18-0x00007FF7E4B10000-0x00007FF7E4E61000-memory.dmp

Filesize
3.3MB

Download
memory/916-226-0x00007FF7E4B10000-0x00007FF7E4E61000-memory.dmp

Filesize
3.3MB

Download
memory/936-268-0x00007FF664800000-0x00007FF664B51000-memory.dmp

Filesize
3.3MB

Download
memory/936-133-0x00007FF664800000-0x00007FF664B51000-memory.dmp

Filesize
3.3MB

Download
memory/1416-54-0x00007FF77C540000-0x00007FF77C891000-memory.dmp

Filesize
3.3MB

Download
memory/1416-236-0x00007FF77C540000-0x00007FF77C891000-memory.dmp

Filesize
3.3MB

Download
memory/1416-135-0x00007FF77C540000-0x00007FF77C891000-memory.dmp

Filesize
3.3MB

Download
memory/1588-134-0x00007FF653CC0000-0x00007FF654011000-memory.dmp

Filesize
3.3MB

Download
memory/1588-228-0x00007FF653CC0000-0x00007FF654011000-memory.dmp

Filesize
3.3MB

Download
memory/1588-28-0x00007FF653CC0000-0x00007FF654011000-memory.dmp

Filesize
3.3MB

Download
memory/2224-63-0x00007FF797590000-0x00007FF7978E1000-memory.dmp

Filesize
3.3MB

Download
memory/2224-242-0x00007FF797590000-0x00007FF7978E1000-memory.dmp

Filesize
3.3MB

Download
memory/2224-137-0x00007FF797590000-0x00007FF7978E1000-memory.dmp

Filesize
3.3MB

Download
memory/2284-238-0x00007FF7DD270000-0x00007FF7DD5C1000-memory.dmp

Filesize
3.3MB

Download
memory/2284-136-0x00007FF7DD270000-0x00007FF7DD5C1000-memory.dmp

Filesize
3.3MB

Download
memory/2284-60-0x00007FF7DD270000-0x00007FF7DD5C1000-memory.dmp

Filesize
3.3MB

Download
memory/2344-72-0x00007FF6E4BD0000-0x00007FF6E4F21000-memory.dmp

Filesize
3.3MB

Download
memory/2344-139-0x00007FF6E4BD0000-0x00007FF6E4F21000-memory.dmp

Filesize
3.3MB

Download
memory/2344-244-0x00007FF6E4BD0000-0x00007FF6E4F21000-memory.dmp

Filesize
3.3MB

Download
memory/2756-78-0x00007FF7D25F0000-0x00007FF7D2941000-memory.dmp

Filesize
3.3MB

Download
memory/2756-256-0x00007FF7D25F0000-0x00007FF7D2941000-memory.dmp

Filesize
3.3MB

Download
memory/2756-154-0x00007FF7D25F0000-0x00007FF7D2941000-memory.dmp

Filesize
3.3MB

Download
memory/3140-264-0x00007FF66FF50000-0x00007FF6702A1000-memory.dmp

Filesize
3.3MB

Download
memory/3140-127-0x00007FF66FF50000-0x00007FF6702A1000-memory.dmp

Filesize
3.3MB

Download
memory/3216-270-0x00007FF778CA0000-0x00007FF778FF1000-memory.dmp

Filesize
3.3MB

Download
memory/3216-130-0x00007FF778CA0000-0x00007FF778FF1000-memory.dmp

Filesize
3.3MB

Download
memory/3240-108-0x00007FF656510000-0x00007FF656861000-memory.dmp

Filesize
3.3MB

Download
memory/3240-259-0x00007FF656510000-0x00007FF656861000-memory.dmp

Filesize
3.3MB

Download
memory/3384-71-0x00007FF69A8C0000-0x00007FF69AC11000-memory.dmp

Filesize
3.3MB

Download
memory/3384-240-0x00007FF69A8C0000-0x00007FF69AC11000-memory.dmp

Filesize
3.3MB

Download
memory/3384-138-0x00007FF69A8C0000-0x00007FF69AC11000-memory.dmp

Filesize
3.3MB

Download
memory/3712-0-0x00007FF6D91E0000-0x00007FF6D9531000-memory.dmp

Filesize
3.3MB

Download
memory/3712-83-0x00007FF6D91E0000-0x00007FF6D9531000-memory.dmp

Filesize
3.3MB

Download
memory/3712-1-0x0000017BDD630000-0x0000017BDD640000-memory.dmp

Filesize
64KB

Download
memory/3712-163-0x00007FF6D91E0000-0x00007FF6D9531000-memory.dmp

Filesize
3.3MB

Download
memory/3712-140-0x00007FF6D91E0000-0x00007FF6D9531000-memory.dmp

Filesize
3.3MB

Download
memory/4344-132-0x00007FF7AF330000-0x00007FF7AF681000-memory.dmp

Filesize
3.3MB

Download
memory/4344-43-0x00007FF7AF330000-0x00007FF7AF681000-memory.dmp

Filesize
3.3MB

Download
memory/4344-234-0x00007FF7AF330000-0x00007FF7AF681000-memory.dmp

Filesize
3.3MB

Download
memory/4360-128-0x00007FF7DB6B0000-0x00007FF7DBA01000-memory.dmp

Filesize
3.3MB

Download
memory/4360-267-0x00007FF7DB6B0000-0x00007FF7DBA01000-memory.dmp

Filesize
3.3MB

Download
memory/4384-260-0x00007FF7AD780000-0x00007FF7ADAD1000-memory.dmp

Filesize
3.3MB

Download
memory/4384-106-0x00007FF7AD780000-0x00007FF7ADAD1000-memory.dmp

Filesize
3.3MB

Download
memory/4384-156-0x00007FF7AD780000-0x00007FF7ADAD1000-memory.dmp

Filesize
3.3MB

Download
memory/4464-126-0x00007FF734640000-0x00007FF734991000-memory.dmp

Filesize
3.3MB

Download
memory/4464-262-0x00007FF734640000-0x00007FF734991000-memory.dmp

Filesize
3.3MB

Download
memory/4568-230-0x00007FF7B1620000-0x00007FF7B1971000-memory.dmp

Filesize
3.3MB

Download
memory/4568-59-0x00007FF7B1620000-0x00007FF7B1971000-memory.dmp

Filesize
3.3MB

Download
memory/4608-15-0x00007FF7CB480000-0x00007FF7CB7D1000-memory.dmp

Filesize
3.3MB

Download
memory/4608-224-0x00007FF7CB480000-0x00007FF7CB7D1000-memory.dmp

Filesize
3.3MB

Download
memory/4608-94-0x00007FF7CB480000-0x00007FF7CB7D1000-memory.dmp

Filesize
3.3MB

Download
memory/4880-254-0x00007FF7199F0000-0x00007FF719D41000-memory.dmp

Filesize
3.3MB

Download
memory/4880-155-0x00007FF7199F0000-0x00007FF719D41000-memory.dmp

Filesize
3.3MB

Download
memory/4880-89-0x00007FF7199F0000-0x00007FF719D41000-memory.dmp

Filesize
3.3MB

Download
memory/5104-222-0x00007FF725880000-0x00007FF725BD1000-memory.dmp

Filesize
3.3MB

Download
memory/5104-9-0x00007FF725880000-0x00007FF725BD1000-memory.dmp

Filesize
3.3MB

Download
memory/5104-92-0x00007FF725880000-0x00007FF725BD1000-memory.dmp

Filesize
3.3MB

Download