cobaltstrike | 497d3c955bf27f60465a952aec2bb44f8e70069a4eb820b1d95df1fa32f8f139

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27/12/2024, 03:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-27_8c065b9be5951b9f5bc1227131a3bc48_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

8c065b9be5951b9f5bc1227131a3bc48
SHA1

4523c1911e7e558227b14ccbd13162a0c4e237bf
SHA256

497d3c955bf27f60465a952aec2bb44f8e70069a4eb820b1d95df1fa32f8f139
SHA512

e2bf6bd9ba2de236a868f3dc18864d14525ce6946a0854a75f29caf603b37fcab3b0cb98800827965ac13095e791c590971094e80fe2646c0d3c4696057c5080
SSDEEP

49152:ROdWCCi7/raA56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lC:RWWBibj56utgpPFotBER/mQ32lUW

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0008000000023cad-4.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb2-10.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb6-33.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb8-52.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb5-48.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cba-56.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbb-77.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbd-84.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbc-79.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb9-62.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb7-60.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb3-35.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb4-32.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb1-17.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbf-93.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc0-100.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc1-118.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc4-129.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc3-120.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc2-106.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbe-94.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/4140-82-0x00007FF6A25B0000-0x00007FF6A2901000-memory.dmp	xmrig
behavioral2/memory/1208-75-0x00007FF7C3F90000-0x00007FF7C42E1000-memory.dmp	xmrig
behavioral2/memory/3992-71-0x00007FF6A99F0000-0x00007FF6A9D41000-memory.dmp	xmrig
behavioral2/memory/5112-125-0x00007FF78BAE0000-0x00007FF78BE31000-memory.dmp	xmrig
behavioral2/memory/4680-127-0x00007FF7F0580000-0x00007FF7F08D1000-memory.dmp	xmrig
behavioral2/memory/3896-128-0x00007FF760CC0000-0x00007FF761011000-memory.dmp	xmrig
behavioral2/memory/4388-123-0x00007FF63E8C0000-0x00007FF63EC11000-memory.dmp	xmrig
behavioral2/memory/2544-122-0x00007FF720C90000-0x00007FF720FE1000-memory.dmp	xmrig
behavioral2/memory/4992-101-0x00007FF7110D0000-0x00007FF711421000-memory.dmp	xmrig
behavioral2/memory/1444-135-0x00007FF7F81F0000-0x00007FF7F8541000-memory.dmp	xmrig
behavioral2/memory/388-146-0x00007FF6E4A40000-0x00007FF6E4D91000-memory.dmp	xmrig
behavioral2/memory/3120-145-0x00007FF721300000-0x00007FF721651000-memory.dmp	xmrig
behavioral2/memory/1600-143-0x00007FF6ACE30000-0x00007FF6AD181000-memory.dmp	xmrig
behavioral2/memory/1424-142-0x00007FF649550000-0x00007FF6498A1000-memory.dmp	xmrig
behavioral2/memory/4396-140-0x00007FF7E45C0000-0x00007FF7E4911000-memory.dmp	xmrig
behavioral2/memory/3872-138-0x00007FF64A6D0000-0x00007FF64AA21000-memory.dmp	xmrig
behavioral2/memory/3888-137-0x00007FF7A6920000-0x00007FF7A6C71000-memory.dmp	xmrig
behavioral2/memory/4992-131-0x00007FF7110D0000-0x00007FF711421000-memory.dmp	xmrig
behavioral2/memory/4424-136-0x00007FF686970000-0x00007FF686CC1000-memory.dmp	xmrig
behavioral2/memory/2660-149-0x00007FF7B31A0000-0x00007FF7B34F1000-memory.dmp	xmrig
behavioral2/memory/5104-153-0x00007FF6FAF40000-0x00007FF6FB291000-memory.dmp	xmrig
behavioral2/memory/2064-148-0x00007FF73B9B0000-0x00007FF73BD01000-memory.dmp	xmrig
behavioral2/memory/3640-147-0x00007FF6F8460000-0x00007FF6F87B1000-memory.dmp	xmrig
behavioral2/memory/4992-154-0x00007FF7110D0000-0x00007FF711421000-memory.dmp	xmrig
behavioral2/memory/2544-210-0x00007FF720C90000-0x00007FF720FE1000-memory.dmp	xmrig
behavioral2/memory/4388-214-0x00007FF63E8C0000-0x00007FF63EC11000-memory.dmp	xmrig
behavioral2/memory/388-213-0x00007FF6E4A40000-0x00007FF6E4D91000-memory.dmp	xmrig
behavioral2/memory/4424-216-0x00007FF686970000-0x00007FF686CC1000-memory.dmp	xmrig
behavioral2/memory/1444-218-0x00007FF7F81F0000-0x00007FF7F8541000-memory.dmp	xmrig
behavioral2/memory/3888-224-0x00007FF7A6920000-0x00007FF7A6C71000-memory.dmp	xmrig
behavioral2/memory/3872-226-0x00007FF64A6D0000-0x00007FF64AA21000-memory.dmp	xmrig
behavioral2/memory/4396-229-0x00007FF7E45C0000-0x00007FF7E4911000-memory.dmp	xmrig
behavioral2/memory/1208-232-0x00007FF7C3F90000-0x00007FF7C42E1000-memory.dmp	xmrig
behavioral2/memory/3992-235-0x00007FF6A99F0000-0x00007FF6A9D41000-memory.dmp	xmrig
behavioral2/memory/1600-240-0x00007FF6ACE30000-0x00007FF6AD181000-memory.dmp	xmrig
behavioral2/memory/4140-239-0x00007FF6A25B0000-0x00007FF6A2901000-memory.dmp	xmrig
behavioral2/memory/3120-237-0x00007FF721300000-0x00007FF721651000-memory.dmp	xmrig
behavioral2/memory/1424-231-0x00007FF649550000-0x00007FF6498A1000-memory.dmp	xmrig
behavioral2/memory/3640-249-0x00007FF6F8460000-0x00007FF6F87B1000-memory.dmp	xmrig
behavioral2/memory/5112-251-0x00007FF78BAE0000-0x00007FF78BE31000-memory.dmp	xmrig
behavioral2/memory/2064-254-0x00007FF73B9B0000-0x00007FF73BD01000-memory.dmp	xmrig
behavioral2/memory/2660-256-0x00007FF7B31A0000-0x00007FF7B34F1000-memory.dmp	xmrig
behavioral2/memory/5104-258-0x00007FF6FAF40000-0x00007FF6FB291000-memory.dmp	xmrig
behavioral2/memory/4680-260-0x00007FF7F0580000-0x00007FF7F08D1000-memory.dmp	xmrig
behavioral2/memory/3896-262-0x00007FF760CC0000-0x00007FF761011000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2544	BtvpJZl.exe
4388	LcnfgCy.exe
388	CfDYcEr.exe
1444	EfYfJBi.exe
4424	aTPMFFm.exe
3888	dFzAWYj.exe
3872	kXSADBE.exe
3992	xQewADI.exe
4396	yGuuoTG.exe
1208	ATntzTX.exe
1424	xlRAGzy.exe
1600	DsOeoLq.exe
4140	CKygvrF.exe
3120	KjSLuLz.exe
3640	HBoOPiU.exe
2064	UjWATMn.exe
2660	yKOQeUS.exe
4680	irtQsFq.exe
5112	LqCXqlQ.exe
3896	aIAYPUf.exe
5104	FgNcYew.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4992-0-0x00007FF7110D0000-0x00007FF711421000-memory.dmp	upx
behavioral2/files/0x0008000000023cad-4.dat	upx
behavioral2/files/0x0007000000023cb2-10.dat	upx
behavioral2/memory/4388-19-0x00007FF63E8C0000-0x00007FF63EC11000-memory.dmp	upx
behavioral2/files/0x0007000000023cb6-33.dat	upx
behavioral2/files/0x0007000000023cb8-52.dat	upx
behavioral2/files/0x0007000000023cb5-48.dat	upx
behavioral2/files/0x0007000000023cba-56.dat	upx
behavioral2/files/0x0007000000023cbb-77.dat	upx
behavioral2/memory/4140-82-0x00007FF6A25B0000-0x00007FF6A2901000-memory.dmp	upx
behavioral2/files/0x0007000000023cbd-84.dat	upx
behavioral2/memory/3120-83-0x00007FF721300000-0x00007FF721651000-memory.dmp	upx
behavioral2/memory/1600-81-0x00007FF6ACE30000-0x00007FF6AD181000-memory.dmp	upx
behavioral2/files/0x0007000000023cbc-79.dat	upx
behavioral2/memory/1208-75-0x00007FF7C3F90000-0x00007FF7C42E1000-memory.dmp	upx
behavioral2/memory/3992-71-0x00007FF6A99F0000-0x00007FF6A9D41000-memory.dmp	upx
behavioral2/memory/1424-70-0x00007FF649550000-0x00007FF6498A1000-memory.dmp	upx
behavioral2/files/0x0007000000023cb9-62.dat	upx
behavioral2/memory/4396-59-0x00007FF7E45C0000-0x00007FF7E4911000-memory.dmp	upx
behavioral2/files/0x0007000000023cb7-60.dat	upx
behavioral2/memory/3888-53-0x00007FF7A6920000-0x00007FF7A6C71000-memory.dmp	upx
behavioral2/memory/3872-43-0x00007FF64A6D0000-0x00007FF64AA21000-memory.dmp	upx
behavioral2/memory/4424-40-0x00007FF686970000-0x00007FF686CC1000-memory.dmp	upx
behavioral2/files/0x0007000000023cb3-35.dat	upx
behavioral2/memory/1444-34-0x00007FF7F81F0000-0x00007FF7F8541000-memory.dmp	upx
behavioral2/files/0x0007000000023cb4-32.dat	upx
behavioral2/files/0x0007000000023cb1-17.dat	upx
behavioral2/memory/388-21-0x00007FF6E4A40000-0x00007FF6E4D91000-memory.dmp	upx
behavioral2/memory/2544-8-0x00007FF720C90000-0x00007FF720FE1000-memory.dmp	upx
behavioral2/memory/3640-90-0x00007FF6F8460000-0x00007FF6F87B1000-memory.dmp	upx
behavioral2/files/0x0007000000023cbf-93.dat	upx
behavioral2/files/0x0007000000023cc0-100.dat	upx
behavioral2/memory/2660-109-0x00007FF7B31A0000-0x00007FF7B34F1000-memory.dmp	upx
behavioral2/files/0x0007000000023cc1-118.dat	upx
behavioral2/memory/5112-125-0x00007FF78BAE0000-0x00007FF78BE31000-memory.dmp	upx
behavioral2/memory/4680-127-0x00007FF7F0580000-0x00007FF7F08D1000-memory.dmp	upx
behavioral2/memory/3896-128-0x00007FF760CC0000-0x00007FF761011000-memory.dmp	upx
behavioral2/files/0x0007000000023cc4-129.dat	upx
behavioral2/memory/5104-126-0x00007FF6FAF40000-0x00007FF6FB291000-memory.dmp	upx
behavioral2/memory/4388-123-0x00007FF63E8C0000-0x00007FF63EC11000-memory.dmp	upx
behavioral2/memory/2544-122-0x00007FF720C90000-0x00007FF720FE1000-memory.dmp	upx
behavioral2/files/0x0007000000023cc3-120.dat	upx
behavioral2/files/0x0007000000023cc2-106.dat	upx
behavioral2/memory/2064-102-0x00007FF73B9B0000-0x00007FF73BD01000-memory.dmp	upx
behavioral2/memory/4992-101-0x00007FF7110D0000-0x00007FF711421000-memory.dmp	upx
behavioral2/files/0x0007000000023cbe-94.dat	upx
behavioral2/memory/1444-135-0x00007FF7F81F0000-0x00007FF7F8541000-memory.dmp	upx
behavioral2/memory/388-146-0x00007FF6E4A40000-0x00007FF6E4D91000-memory.dmp	upx
behavioral2/memory/3120-145-0x00007FF721300000-0x00007FF721651000-memory.dmp	upx
behavioral2/memory/1600-143-0x00007FF6ACE30000-0x00007FF6AD181000-memory.dmp	upx
behavioral2/memory/1424-142-0x00007FF649550000-0x00007FF6498A1000-memory.dmp	upx
behavioral2/memory/4396-140-0x00007FF7E45C0000-0x00007FF7E4911000-memory.dmp	upx
behavioral2/memory/3872-138-0x00007FF64A6D0000-0x00007FF64AA21000-memory.dmp	upx
behavioral2/memory/3888-137-0x00007FF7A6920000-0x00007FF7A6C71000-memory.dmp	upx
behavioral2/memory/4992-131-0x00007FF7110D0000-0x00007FF711421000-memory.dmp	upx
behavioral2/memory/4424-136-0x00007FF686970000-0x00007FF686CC1000-memory.dmp	upx
behavioral2/memory/2660-149-0x00007FF7B31A0000-0x00007FF7B34F1000-memory.dmp	upx
behavioral2/memory/5104-153-0x00007FF6FAF40000-0x00007FF6FB291000-memory.dmp	upx
behavioral2/memory/2064-148-0x00007FF73B9B0000-0x00007FF73BD01000-memory.dmp	upx
behavioral2/memory/3640-147-0x00007FF6F8460000-0x00007FF6F87B1000-memory.dmp	upx
behavioral2/memory/4992-154-0x00007FF7110D0000-0x00007FF711421000-memory.dmp	upx
behavioral2/memory/2544-210-0x00007FF720C90000-0x00007FF720FE1000-memory.dmp	upx
behavioral2/memory/4388-214-0x00007FF63E8C0000-0x00007FF63EC11000-memory.dmp	upx
behavioral2/memory/388-213-0x00007FF6E4A40000-0x00007FF6E4D91000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\BtvpJZl.exe	2024-12-27_8c065b9be5951b9f5bc1227131a3bc48_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LcnfgCy.exe	2024-12-27_8c065b9be5951b9f5bc1227131a3bc48_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EfYfJBi.exe	2024-12-27_8c065b9be5951b9f5bc1227131a3bc48_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aTPMFFm.exe	2024-12-27_8c065b9be5951b9f5bc1227131a3bc48_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kXSADBE.exe	2024-12-27_8c065b9be5951b9f5bc1227131a3bc48_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xQewADI.exe	2024-12-27_8c065b9be5951b9f5bc1227131a3bc48_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UjWATMn.exe	2024-12-27_8c065b9be5951b9f5bc1227131a3bc48_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dFzAWYj.exe	2024-12-27_8c065b9be5951b9f5bc1227131a3bc48_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yGuuoTG.exe	2024-12-27_8c065b9be5951b9f5bc1227131a3bc48_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ATntzTX.exe	2024-12-27_8c065b9be5951b9f5bc1227131a3bc48_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DsOeoLq.exe	2024-12-27_8c065b9be5951b9f5bc1227131a3bc48_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KjSLuLz.exe	2024-12-27_8c065b9be5951b9f5bc1227131a3bc48_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HBoOPiU.exe	2024-12-27_8c065b9be5951b9f5bc1227131a3bc48_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CfDYcEr.exe	2024-12-27_8c065b9be5951b9f5bc1227131a3bc48_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CKygvrF.exe	2024-12-27_8c065b9be5951b9f5bc1227131a3bc48_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\irtQsFq.exe	2024-12-27_8c065b9be5951b9f5bc1227131a3bc48_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LqCXqlQ.exe	2024-12-27_8c065b9be5951b9f5bc1227131a3bc48_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aIAYPUf.exe	2024-12-27_8c065b9be5951b9f5bc1227131a3bc48_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FgNcYew.exe	2024-12-27_8c065b9be5951b9f5bc1227131a3bc48_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xlRAGzy.exe	2024-12-27_8c065b9be5951b9f5bc1227131a3bc48_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yKOQeUS.exe	2024-12-27_8c065b9be5951b9f5bc1227131a3bc48_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4992	2024-12-27_8c065b9be5951b9f5bc1227131a3bc48_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4992	2024-12-27_8c065b9be5951b9f5bc1227131a3bc48_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4992 wrote to memory of 2544	4992	2024-12-27_8c065b9be5951b9f5bc1227131a3bc48_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4992 wrote to memory of 2544	4992	2024-12-27_8c065b9be5951b9f5bc1227131a3bc48_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4992 wrote to memory of 4388	4992	2024-12-27_8c065b9be5951b9f5bc1227131a3bc48_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4992 wrote to memory of 4388	4992	2024-12-27_8c065b9be5951b9f5bc1227131a3bc48_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4992 wrote to memory of 388	4992	2024-12-27_8c065b9be5951b9f5bc1227131a3bc48_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4992 wrote to memory of 388	4992	2024-12-27_8c065b9be5951b9f5bc1227131a3bc48_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4992 wrote to memory of 1444	4992	2024-12-27_8c065b9be5951b9f5bc1227131a3bc48_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4992 wrote to memory of 1444	4992	2024-12-27_8c065b9be5951b9f5bc1227131a3bc48_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4992 wrote to memory of 4424	4992	2024-12-27_8c065b9be5951b9f5bc1227131a3bc48_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4992 wrote to memory of 4424	4992	2024-12-27_8c065b9be5951b9f5bc1227131a3bc48_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4992 wrote to memory of 3888	4992	2024-12-27_8c065b9be5951b9f5bc1227131a3bc48_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4992 wrote to memory of 3888	4992	2024-12-27_8c065b9be5951b9f5bc1227131a3bc48_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4992 wrote to memory of 3872	4992	2024-12-27_8c065b9be5951b9f5bc1227131a3bc48_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4992 wrote to memory of 3872	4992	2024-12-27_8c065b9be5951b9f5bc1227131a3bc48_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4992 wrote to memory of 3992	4992	2024-12-27_8c065b9be5951b9f5bc1227131a3bc48_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4992 wrote to memory of 3992	4992	2024-12-27_8c065b9be5951b9f5bc1227131a3bc48_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4992 wrote to memory of 4396	4992	2024-12-27_8c065b9be5951b9f5bc1227131a3bc48_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4992 wrote to memory of 4396	4992	2024-12-27_8c065b9be5951b9f5bc1227131a3bc48_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4992 wrote to memory of 1208	4992	2024-12-27_8c065b9be5951b9f5bc1227131a3bc48_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4992 wrote to memory of 1208	4992	2024-12-27_8c065b9be5951b9f5bc1227131a3bc48_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4992 wrote to memory of 1424	4992	2024-12-27_8c065b9be5951b9f5bc1227131a3bc48_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4992 wrote to memory of 1424	4992	2024-12-27_8c065b9be5951b9f5bc1227131a3bc48_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4992 wrote to memory of 1600	4992	2024-12-27_8c065b9be5951b9f5bc1227131a3bc48_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4992 wrote to memory of 1600	4992	2024-12-27_8c065b9be5951b9f5bc1227131a3bc48_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4992 wrote to memory of 4140	4992	2024-12-27_8c065b9be5951b9f5bc1227131a3bc48_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4992 wrote to memory of 4140	4992	2024-12-27_8c065b9be5951b9f5bc1227131a3bc48_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4992 wrote to memory of 3120	4992	2024-12-27_8c065b9be5951b9f5bc1227131a3bc48_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4992 wrote to memory of 3120	4992	2024-12-27_8c065b9be5951b9f5bc1227131a3bc48_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4992 wrote to memory of 3640	4992	2024-12-27_8c065b9be5951b9f5bc1227131a3bc48_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4992 wrote to memory of 3640	4992	2024-12-27_8c065b9be5951b9f5bc1227131a3bc48_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4992 wrote to memory of 2064	4992	2024-12-27_8c065b9be5951b9f5bc1227131a3bc48_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4992 wrote to memory of 2064	4992	2024-12-27_8c065b9be5951b9f5bc1227131a3bc48_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4992 wrote to memory of 2660	4992	2024-12-27_8c065b9be5951b9f5bc1227131a3bc48_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4992 wrote to memory of 2660	4992	2024-12-27_8c065b9be5951b9f5bc1227131a3bc48_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4992 wrote to memory of 4680	4992	2024-12-27_8c065b9be5951b9f5bc1227131a3bc48_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4992 wrote to memory of 4680	4992	2024-12-27_8c065b9be5951b9f5bc1227131a3bc48_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4992 wrote to memory of 5112	4992	2024-12-27_8c065b9be5951b9f5bc1227131a3bc48_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4992 wrote to memory of 5112	4992	2024-12-27_8c065b9be5951b9f5bc1227131a3bc48_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4992 wrote to memory of 3896	4992	2024-12-27_8c065b9be5951b9f5bc1227131a3bc48_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4992 wrote to memory of 3896	4992	2024-12-27_8c065b9be5951b9f5bc1227131a3bc48_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4992 wrote to memory of 5104	4992	2024-12-27_8c065b9be5951b9f5bc1227131a3bc48_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4992 wrote to memory of 5104	4992	2024-12-27_8c065b9be5951b9f5bc1227131a3bc48_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-12-27_8c065b9be5951b9f5bc1227131a3bc48_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-27_8c065b9be5951b9f5bc1227131a3bc48_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4992
- C:\Windows\System\BtvpJZl.exe
  C:\Windows\System\BtvpJZl.exe
  2⤵
  - Executes dropped EXE
  PID:2544
- C:\Windows\System\LcnfgCy.exe
  C:\Windows\System\LcnfgCy.exe
  2⤵
  - Executes dropped EXE
  PID:4388
- C:\Windows\System\CfDYcEr.exe
  C:\Windows\System\CfDYcEr.exe
  2⤵
  - Executes dropped EXE
  PID:388
- C:\Windows\System\EfYfJBi.exe
  C:\Windows\System\EfYfJBi.exe
  2⤵
  - Executes dropped EXE
  PID:1444
- C:\Windows\System\aTPMFFm.exe
  C:\Windows\System\aTPMFFm.exe
  2⤵
  - Executes dropped EXE
  PID:4424
- C:\Windows\System\dFzAWYj.exe
  C:\Windows\System\dFzAWYj.exe
  2⤵
  - Executes dropped EXE
  PID:3888
- C:\Windows\System\kXSADBE.exe
  C:\Windows\System\kXSADBE.exe
  2⤵
  - Executes dropped EXE
  PID:3872
- C:\Windows\System\xQewADI.exe
  C:\Windows\System\xQewADI.exe
  2⤵
  - Executes dropped EXE
  PID:3992
- C:\Windows\System\yGuuoTG.exe
  C:\Windows\System\yGuuoTG.exe
  2⤵
  - Executes dropped EXE
  PID:4396
- C:\Windows\System\ATntzTX.exe
  C:\Windows\System\ATntzTX.exe
  2⤵
  - Executes dropped EXE
  PID:1208
- C:\Windows\System\xlRAGzy.exe
  C:\Windows\System\xlRAGzy.exe
  2⤵
  - Executes dropped EXE
  PID:1424
- C:\Windows\System\DsOeoLq.exe
  C:\Windows\System\DsOeoLq.exe
  2⤵
  - Executes dropped EXE
  PID:1600
- C:\Windows\System\CKygvrF.exe
  C:\Windows\System\CKygvrF.exe
  2⤵
  - Executes dropped EXE
  PID:4140
- C:\Windows\System\KjSLuLz.exe
  C:\Windows\System\KjSLuLz.exe
  2⤵
  - Executes dropped EXE
  PID:3120
- C:\Windows\System\HBoOPiU.exe
  C:\Windows\System\HBoOPiU.exe
  2⤵
  - Executes dropped EXE
  PID:3640
- C:\Windows\System\UjWATMn.exe
  C:\Windows\System\UjWATMn.exe
  2⤵
  - Executes dropped EXE
  PID:2064
- C:\Windows\System\yKOQeUS.exe
  C:\Windows\System\yKOQeUS.exe
  2⤵
  - Executes dropped EXE
  PID:2660
- C:\Windows\System\irtQsFq.exe
  C:\Windows\System\irtQsFq.exe
  2⤵
  - Executes dropped EXE
  PID:4680
- C:\Windows\System\LqCXqlQ.exe
  C:\Windows\System\LqCXqlQ.exe
  2⤵
  - Executes dropped EXE
  PID:5112
- C:\Windows\System\aIAYPUf.exe
  C:\Windows\System\aIAYPUf.exe
  2⤵
  - Executes dropped EXE
  PID:3896
- C:\Windows\System\FgNcYew.exe
  C:\Windows\System\FgNcYew.exe
  2⤵
  - Executes dropped EXE
  PID:5104

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\ATntzTX.exe

Filesize
5.2MB

MD5
59e0a0898622b310f599138c8a145626

SHA1
d259a70c1ec893f254fd514f1dc3cd3a78d3b75a

SHA256
c3dc2e09aa6391e9b885925a75af4c2be0e48e9c74abd9d312bd7173b8950579

SHA512
65771dd32ef95e364c901d817650676034defedb188b1b328dcdbaec3d9dde10772d4706daf04173d486b126017b9c2993b65bc69d3b1b80012db96823878dfa

Download Submit
C:\Windows\System\BtvpJZl.exe

Filesize
5.2MB

MD5
eab64e0f33900b67a91b799b2bed8cde

SHA1
bd52ffe0f9b2834aa960eb664d6185ccfd2bc212

SHA256
8d04bec75670a3f4453849a5ac8bffd77694f52ea286b5917937a00f6cb9dc38

SHA512
590afe45e22aedb3131a00863bd329afc7c2c75e717f26d5b951e44ff390a92cafd778d7b3173bbdb38bb13eeaa73ac3164fc77bfbd4a378c2fb8f6a9ff0a9d3

Download Submit
C:\Windows\System\CKygvrF.exe

Filesize
5.2MB

MD5
85915636352fe5c51d7a070fe4fcf150

SHA1
91ddf041a637ff66fe7ad388eeea0f788ce2b2ca

SHA256
099d761ab2e3c1d4a872cd89d3b4344fb8c150138ada0169486634f24a54f959

SHA512
65695479970a35233c56238091406dace16cdc51ab3fa405fd03d2d84f26738c653a73b7a38d5d7aa601936a196259d1424ca619e17886848b16ea68b8f6dab6

Download Submit
C:\Windows\System\CfDYcEr.exe

Filesize
5.2MB

MD5
83dacc9a0f1cf8d97c265af6ae63c70d

SHA1
e1956aa2fe34d3cee20fb03cb69962ba30fc9d4b

SHA256
16f75c37590a34e579f8ffe2a55d707a7de1c9ae57cad323ad06aeb3f99cb399

SHA512
a38f22a05c63c9b30fb94096699797e176986d160e4b2b89bb017b5869cb63ff94e2548418cd626b1604e02473e8bf04f80372d2aa180b0ac1384b3eec209bd5

Download Submit
C:\Windows\System\DsOeoLq.exe

Filesize
5.2MB

MD5
d7d3a1bde6d2258f129c2a0af9c7490c

SHA1
b6198ee94f85281dd3b011084a3e48fc78bd7451

SHA256
0eef69a1146a32b609bf0aa6d6a76288251258a8b5e303748a9dee95caa8476f

SHA512
8079057721b4144c98c419950f256f6bdd2c4caf29395bcbbeff22512d605fc31e2eba5e758769f56849fc2622d9004b779c98fbafddc63b73c1e8e2d8c286ac

Download Submit
C:\Windows\System\EfYfJBi.exe

Filesize
5.2MB

MD5
3160e637937d11b27b96dc0d1f397ac2

SHA1
447e878c805c6f47d9d104cb9ce4e6a8fd8e549d

SHA256
09fc5aef548b269d4ed1c0fec50885fec24213428bd32c991a57daacf3a1a486

SHA512
1eead60ea7f655c781e5f182021cac2db7cc5315b5f088eff9d39e26b139727d439915a09f17a58da146d06b32a543cc6a857fc7a0ccb7a45847004c20436bfe

Download Submit
C:\Windows\System\FgNcYew.exe

Filesize
5.2MB

MD5
1f09b5773a4fcbd9c59dc5995d888371

SHA1
a3bf560101283d99d73f62ac389004b590b911c2

SHA256
8cce3df5a80dd92760cf961c9756e74181af80731198f8087503a6dbb3d4ef06

SHA512
f3a479831a359939715f8e65bfa39c4797f68f62440fb1e3dc841b65a8e7db6af243c8d931515169a11790d86c92916ed0b26d0128435a9c7e38cfb00a65e9ac

Download Submit
C:\Windows\System\HBoOPiU.exe

Filesize
5.2MB

MD5
b42a56e97dc4f1ac7e6ffe6eb7c00b3d

SHA1
9923505ec4441a04c3c2ea3466230f6f53b0b075

SHA256
8d643f5b2c8a80df8ff5e806cca87d13369819866baf27e92a9cfa7eb5869b1a

SHA512
542df72c2017c4ab25d4c1085c4d46e6ff57336315ee8a78c790416a129a05fdaa80baf08bbf91b9532c555a095958521f7988ded783623ba3d1ca276de54157

Download Submit
C:\Windows\System\KjSLuLz.exe

Filesize
5.2MB

MD5
c28f422919cf0346e2ec4ebb664d3193

SHA1
e759eda314728b7c4450e53929de97a262684eb6

SHA256
a01c891bce1260a5a2c3340a84ef2a24de6bf62db253b61248855d7021a9b191

SHA512
b64860caba448f428243e9004965a2b35d63a61a462526a81d2b9cf3907b3d75652b12dd48fb3dc489f2d6a6af757b00952a5281ceaaafb74cc32157c77557e7

Download Submit
C:\Windows\System\LcnfgCy.exe

Filesize
5.2MB

MD5
21d8a3457d7781c1ab5b161448f8cf02

SHA1
1450e8198d8facbd29ed15f5c624e5c3cd9bb9a1

SHA256
1a97b50158deacadf865c5106fcede3fc0c43d7460c63dedeff9d416028e9a92

SHA512
a0bf65498610ed0c2e0bee2c8eb59c26de0089f36c4545026b2a31eee60a17497d19bf9d85448b4ddaafea44db90264cad89520c49c22a892367bbe2e83f1b79

Download Submit
C:\Windows\System\LqCXqlQ.exe

Filesize
5.2MB

MD5
edc53e35ba7734cba25ad06b73895841

SHA1
6502d56b5c1e13a73c255eb1e7b6a9323d9fba27

SHA256
87c0b8f683f095146b9e043e9c976f86304113bacca421935158de83126d5007

SHA512
4791c1c01b3cd1da47a5c972d56b82b39e20a6d592606b37e2dbbb88e6f5d4de67be64c25c0cffdb693393d997da6f0f262e4b43acc22f56d3660f789c9f8ddb

Download Submit
C:\Windows\System\UjWATMn.exe

Filesize
5.2MB

MD5
3b8143b8e8aaa889617d290f047d40ce

SHA1
79412b33926b5a5d243e7e0fb213f7a81c50c6cb

SHA256
2415c7798598d395c37dca2970eddfcc60199407d14bc006f746c4df81b3b187

SHA512
673a971e60e7fdcfb91b9f220d1c8d725ed1a0849fa447549047b1b952efc4e16660343135b42582503b52d727b0ccdace47afada2d98bcde2fbf6900a0be575

Download Submit
C:\Windows\System\aIAYPUf.exe

Filesize
5.2MB

MD5
4575c8e5c59151723ba01da116f75cfd

SHA1
0e0011d6e950dfe7370d3b2260cb79684ba63d90

SHA256
00dd85e5e6751e99e74b870a6f1dc1d0f0d041ba7387d00cc3c9ad8950ccbdc3

SHA512
d7ccf3d49d0ab3f7a598f57aee567e3f4e60be57cf943eb14bf2f3bd99f898ed29f6236d2adbb34a0f4bab5120f03d9cb325fc4b70a96df9ce0b3d93a31d6ee8

Download Submit
C:\Windows\System\aTPMFFm.exe

Filesize
5.2MB

MD5
3a356206fa7a4eb01fed18af949b04fc

SHA1
049e2d2046197de049614c75dbb8a4ce3bf67747

SHA256
e779ada72e132de80a0ae792289ad86fc9b9b592a6cd2c805226cf91802ec0b0

SHA512
9537ae34fda6feff6a90c3793272bad9d908b13539a0e4712090807fd4fe3595a8c075fcee4682b191610be97cf2c6244f015e2b2f53c6a73b85dcce8561e098

Download Submit
C:\Windows\System\dFzAWYj.exe

Filesize
5.2MB

MD5
23ce90f22f71a043e2168d52797e0b55

SHA1
1b65947b6cf3243f1000206fe5235aea08400a73

SHA256
f584d439b78cbc9d2737140569be55386ab12d7d48318795fa72046bdda2f732

SHA512
67620b779a6417adea1b452bf48d4608ef07cf1ef943666aec62e88da534254b0b63d5cff2e9b21dbd1964f03ba88d6f38f15f91ae472472ff523a7672f5132d

Download Submit
C:\Windows\System\irtQsFq.exe

Filesize
5.2MB

MD5
1816e0261c74a1afbe988e54923898bd

SHA1
b1bbaeccb4600128d7be6f5669c6cc41673c2507

SHA256
7b5efd108efee39ef815cf78f9db993461afb5d4ac2e5e31955dd09fb06fbe32

SHA512
76e1dd318b0a4cc6b024265eb873918cef728919d96732aae4c61e479313bd258e80dca6aaadf177137514e02001a049fc150d5e7d2761adce376f41f0f36aae

Download Submit
C:\Windows\System\kXSADBE.exe

Filesize
5.2MB

MD5
4597b741b0a64e4beffc528fec854bc9

SHA1
c45a66dafe13e57a85de9ab665833b96af71edb8

SHA256
a0e114b24f9f4a8df6dc2aa90e18a2e9456a3110fc54ef2aa2c66fdc5b0fdae0

SHA512
84834c096b5d88c703a158d924a74b0c51217a3f245219cfe232df40f21dc0b524fd6a0f35fb297b05d7852e001bb28e24bf3455b14352c120ec1fd1e78f9cb0

Download Submit
C:\Windows\System\xQewADI.exe

Filesize
5.2MB

MD5
9da90ae97d8d3c7be871128819dac645

SHA1
2cd6bc9e9937b9cfdff13387d01d7af61212f11d

SHA256
e3fd0e9d01a492e562e54abd5479e04d44e41655988d4bbd9467deb1396028c2

SHA512
56985089108ae3530a9e23ff95aad468fec9d9fa9cd69791db6675b2c26158724f0e56f3f735b214da9ba7458be1a2c276ab69e5e15526bbeb74a8191b137d31

Download Submit
C:\Windows\System\xlRAGzy.exe

Filesize
5.2MB

MD5
d53af5e7513f5747b9f7948b5dbfbbe2

SHA1
d4b0d461cac00faa8ad88b01dc237696858bd824

SHA256
85b7a3db453ca0af3ef5ba38bd07d6dc2564d2385edf13bd8cbc2cbae4769036

SHA512
6e7e958f4850115ac022b41b0892baf37d4bdc03f364e41e4978e78d1ea87e777c34eb23c252b507f26fe4008a2be27b4e53372df156be3928c4a4b6bfdb022e

Download Submit
C:\Windows\System\yGuuoTG.exe

Filesize
5.2MB

MD5
92f8eb219ad0bb590e4a604e3ece7075

SHA1
36fa6b30335dfdb497db703670221c71343e1a21

SHA256
76b67340ff2a81b3d4d0c15392d14789e73c45bcedceaee48edafaa5583ec9bc

SHA512
b218bd89822c46c580d2d5cf1afefcaa89c3743b6bd031159fd1da1a7299d8d34ecc6c6e52b5229391efa2999247ceed12e2306501f4d987a1f0cfc1dba5b14d

Download Submit
C:\Windows\System\yKOQeUS.exe

Filesize
5.2MB

MD5
a914732f94832e42d069a3b6ccfe9ec1

SHA1
4590ceb76e0ed6db71e2411afce0acbcbe44ae0f

SHA256
dd6ff38726b9157f14132960a73322f479a714d7d01b5de9789e95ec09df897e

SHA512
9c953d9a08248352063c409f5670fb0bec41444c1b835ceb263cf70a368fa52e6c2cd7537a9e4ba409e6d25f8817cbbb3fce782a576a1602e667c886c52f3aec

Download Submit
memory/388-21-0x00007FF6E4A40000-0x00007FF6E4D91000-memory.dmp

Filesize
3.3MB

Download
memory/388-213-0x00007FF6E4A40000-0x00007FF6E4D91000-memory.dmp

Filesize
3.3MB

Download
memory/388-146-0x00007FF6E4A40000-0x00007FF6E4D91000-memory.dmp

Filesize
3.3MB

Download
memory/1208-232-0x00007FF7C3F90000-0x00007FF7C42E1000-memory.dmp

Filesize
3.3MB

Download
memory/1208-75-0x00007FF7C3F90000-0x00007FF7C42E1000-memory.dmp

Filesize
3.3MB

Download
memory/1424-231-0x00007FF649550000-0x00007FF6498A1000-memory.dmp

Filesize
3.3MB

Download
memory/1424-70-0x00007FF649550000-0x00007FF6498A1000-memory.dmp

Filesize
3.3MB

Download
memory/1424-142-0x00007FF649550000-0x00007FF6498A1000-memory.dmp

Filesize
3.3MB

Download
memory/1444-135-0x00007FF7F81F0000-0x00007FF7F8541000-memory.dmp

Filesize
3.3MB

Download
memory/1444-34-0x00007FF7F81F0000-0x00007FF7F8541000-memory.dmp

Filesize
3.3MB

Download
memory/1444-218-0x00007FF7F81F0000-0x00007FF7F8541000-memory.dmp

Filesize
3.3MB

Download
memory/1600-81-0x00007FF6ACE30000-0x00007FF6AD181000-memory.dmp

Filesize
3.3MB

Download
memory/1600-240-0x00007FF6ACE30000-0x00007FF6AD181000-memory.dmp

Filesize
3.3MB

Download
memory/1600-143-0x00007FF6ACE30000-0x00007FF6AD181000-memory.dmp

Filesize
3.3MB

Download
memory/2064-254-0x00007FF73B9B0000-0x00007FF73BD01000-memory.dmp

Filesize
3.3MB

Download
memory/2064-148-0x00007FF73B9B0000-0x00007FF73BD01000-memory.dmp

Filesize
3.3MB

Download
memory/2064-102-0x00007FF73B9B0000-0x00007FF73BD01000-memory.dmp

Filesize
3.3MB

Download
memory/2544-122-0x00007FF720C90000-0x00007FF720FE1000-memory.dmp

Filesize
3.3MB

Download
memory/2544-8-0x00007FF720C90000-0x00007FF720FE1000-memory.dmp

Filesize
3.3MB

Download
memory/2544-210-0x00007FF720C90000-0x00007FF720FE1000-memory.dmp

Filesize
3.3MB

Download
memory/2660-109-0x00007FF7B31A0000-0x00007FF7B34F1000-memory.dmp

Filesize
3.3MB

Download
memory/2660-256-0x00007FF7B31A0000-0x00007FF7B34F1000-memory.dmp

Filesize
3.3MB

Download
memory/2660-149-0x00007FF7B31A0000-0x00007FF7B34F1000-memory.dmp

Filesize
3.3MB

Download
memory/3120-237-0x00007FF721300000-0x00007FF721651000-memory.dmp

Filesize
3.3MB

Download
memory/3120-83-0x00007FF721300000-0x00007FF721651000-memory.dmp

Filesize
3.3MB

Download
memory/3120-145-0x00007FF721300000-0x00007FF721651000-memory.dmp

Filesize
3.3MB

Download
memory/3640-147-0x00007FF6F8460000-0x00007FF6F87B1000-memory.dmp

Filesize
3.3MB

Download
memory/3640-249-0x00007FF6F8460000-0x00007FF6F87B1000-memory.dmp

Filesize
3.3MB

Download
memory/3640-90-0x00007FF6F8460000-0x00007FF6F87B1000-memory.dmp

Filesize
3.3MB

Download
memory/3872-138-0x00007FF64A6D0000-0x00007FF64AA21000-memory.dmp

Filesize
3.3MB

Download
memory/3872-226-0x00007FF64A6D0000-0x00007FF64AA21000-memory.dmp

Filesize
3.3MB

Download
memory/3872-43-0x00007FF64A6D0000-0x00007FF64AA21000-memory.dmp

Filesize
3.3MB

Download
memory/3888-53-0x00007FF7A6920000-0x00007FF7A6C71000-memory.dmp

Filesize
3.3MB

Download
memory/3888-137-0x00007FF7A6920000-0x00007FF7A6C71000-memory.dmp

Filesize
3.3MB

Download
memory/3888-224-0x00007FF7A6920000-0x00007FF7A6C71000-memory.dmp

Filesize
3.3MB

Download
memory/3896-262-0x00007FF760CC0000-0x00007FF761011000-memory.dmp

Filesize
3.3MB

Download
memory/3896-128-0x00007FF760CC0000-0x00007FF761011000-memory.dmp

Filesize
3.3MB

Download
memory/3992-71-0x00007FF6A99F0000-0x00007FF6A9D41000-memory.dmp

Filesize
3.3MB

Download
memory/3992-235-0x00007FF6A99F0000-0x00007FF6A9D41000-memory.dmp

Filesize
3.3MB

Download
memory/4140-82-0x00007FF6A25B0000-0x00007FF6A2901000-memory.dmp

Filesize
3.3MB

Download
memory/4140-239-0x00007FF6A25B0000-0x00007FF6A2901000-memory.dmp

Filesize
3.3MB

Download
memory/4388-123-0x00007FF63E8C0000-0x00007FF63EC11000-memory.dmp

Filesize
3.3MB

Download
memory/4388-19-0x00007FF63E8C0000-0x00007FF63EC11000-memory.dmp

Filesize
3.3MB

Download
memory/4388-214-0x00007FF63E8C0000-0x00007FF63EC11000-memory.dmp

Filesize
3.3MB

Download
memory/4396-59-0x00007FF7E45C0000-0x00007FF7E4911000-memory.dmp

Filesize
3.3MB

Download
memory/4396-140-0x00007FF7E45C0000-0x00007FF7E4911000-memory.dmp

Filesize
3.3MB

Download
memory/4396-229-0x00007FF7E45C0000-0x00007FF7E4911000-memory.dmp

Filesize
3.3MB

Download
memory/4424-216-0x00007FF686970000-0x00007FF686CC1000-memory.dmp

Filesize
3.3MB

Download
memory/4424-136-0x00007FF686970000-0x00007FF686CC1000-memory.dmp

Filesize
3.3MB

Download
memory/4424-40-0x00007FF686970000-0x00007FF686CC1000-memory.dmp

Filesize
3.3MB

Download
memory/4680-260-0x00007FF7F0580000-0x00007FF7F08D1000-memory.dmp

Filesize
3.3MB

Download
memory/4680-127-0x00007FF7F0580000-0x00007FF7F08D1000-memory.dmp

Filesize
3.3MB

Download
memory/4992-154-0x00007FF7110D0000-0x00007FF711421000-memory.dmp

Filesize
3.3MB

Download
memory/4992-0-0x00007FF7110D0000-0x00007FF711421000-memory.dmp

Filesize
3.3MB

Download
memory/4992-101-0x00007FF7110D0000-0x00007FF711421000-memory.dmp

Filesize
3.3MB

Download
memory/4992-1-0x000001F918A10000-0x000001F918A20000-memory.dmp

Filesize
64KB

Download
memory/4992-131-0x00007FF7110D0000-0x00007FF711421000-memory.dmp

Filesize
3.3MB

Download
memory/5104-126-0x00007FF6FAF40000-0x00007FF6FB291000-memory.dmp

Filesize
3.3MB

Download
memory/5104-258-0x00007FF6FAF40000-0x00007FF6FB291000-memory.dmp

Filesize
3.3MB

Download
memory/5104-153-0x00007FF6FAF40000-0x00007FF6FB291000-memory.dmp

Filesize
3.3MB

Download
memory/5112-125-0x00007FF78BAE0000-0x00007FF78BE31000-memory.dmp

Filesize
3.3MB

Download
memory/5112-251-0x00007FF78BAE0000-0x00007FF78BE31000-memory.dmp

Filesize
3.3MB

Download