cobaltstrike | b70e7f3887df6a829b401f5d9916b3f47363c888336b3a5cd7dbccd3cec080d4

Analysis

max time kernel
140s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27-12-2024 03:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-27_b53a59ac82938a755d1273fbf3160006_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

b53a59ac82938a755d1273fbf3160006
SHA1

d42a3beba285c88301441799a263ca2f45c7e369
SHA256

b70e7f3887df6a829b401f5d9916b3f47363c888336b3a5cd7dbccd3cec080d4
SHA512

ab0b88de1148bb027efae8640c32d06efd1ceb2a2356103dafe42d6eaf70e974b351c24ed63aae50db6be1e7dfc8ceeb42aeef0435969c65cceaa87f43a3a323
SSDEEP

49152:ROdWCCi7/raA56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lW:RWWBibj56utgpPFotBER/mQ32lUK

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000c000000023baa-6.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bc3-11.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023bc8-10.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023bc9-22.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023bca-29.dat	cobalt_reflective_dll
behavioral2/files/0x000e000000023bce-34.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bd0-43.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bd4-47.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bd3-52.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bd6-63.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bd5-66.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c05-75.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c06-82.dat	cobalt_reflective_dll
behavioral2/files/0x000c000000023bab-90.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c08-101.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c09-108.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c0f-122.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c0a-118.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c07-89.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c10-128.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c11-133.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 46 IoCs

miner

resource	yara_rule
behavioral2/memory/2456-25-0x00007FF66BD20000-0x00007FF66C071000-memory.dmp	xmrig
behavioral2/memory/1152-80-0x00007FF7E3900000-0x00007FF7E3C51000-memory.dmp	xmrig
behavioral2/memory/2108-73-0x00007FF6B6480000-0x00007FF6B67D1000-memory.dmp	xmrig
behavioral2/memory/4940-64-0x00007FF75D910000-0x00007FF75DC61000-memory.dmp	xmrig
behavioral2/memory/4852-112-0x00007FF7A8E30000-0x00007FF7A9181000-memory.dmp	xmrig
behavioral2/memory/1088-120-0x00007FF60ECA0000-0x00007FF60EFF1000-memory.dmp	xmrig
behavioral2/memory/2164-115-0x00007FF6254E0000-0x00007FF625831000-memory.dmp	xmrig
behavioral2/memory/1808-103-0x00007FF6D6180000-0x00007FF6D64D1000-memory.dmp	xmrig
behavioral2/memory/3888-102-0x00007FF719750000-0x00007FF719AA1000-memory.dmp	xmrig
behavioral2/memory/3004-91-0x00007FF6CC3B0000-0x00007FF6CC701000-memory.dmp	xmrig
behavioral2/memory/232-26-0x00007FF6723F0000-0x00007FF672741000-memory.dmp	xmrig
behavioral2/memory/5088-125-0x00007FF77EE20000-0x00007FF77F171000-memory.dmp	xmrig
behavioral2/memory/2396-135-0x00007FF7C3D40000-0x00007FF7C4091000-memory.dmp	xmrig
behavioral2/memory/3024-138-0x00007FF781740000-0x00007FF781A91000-memory.dmp	xmrig
behavioral2/memory/4092-137-0x00007FF7A9270000-0x00007FF7A95C1000-memory.dmp	xmrig
behavioral2/memory/5032-136-0x00007FF797800000-0x00007FF797B51000-memory.dmp	xmrig
behavioral2/memory/1268-139-0x00007FF65E500000-0x00007FF65E851000-memory.dmp	xmrig
behavioral2/memory/4744-140-0x00007FF6EA540000-0x00007FF6EA891000-memory.dmp	xmrig
behavioral2/memory/5096-142-0x00007FF78D7C0000-0x00007FF78DB11000-memory.dmp	xmrig
behavioral2/memory/4836-143-0x00007FF6525F0000-0x00007FF652941000-memory.dmp	xmrig
behavioral2/memory/4940-141-0x00007FF75D910000-0x00007FF75DC61000-memory.dmp	xmrig
behavioral2/memory/4852-158-0x00007FF7A8E30000-0x00007FF7A9181000-memory.dmp	xmrig
behavioral2/memory/2828-159-0x00007FF7D6C10000-0x00007FF7D6F61000-memory.dmp	xmrig
behavioral2/memory/1740-166-0x00007FF6C0370000-0x00007FF6C06C1000-memory.dmp	xmrig
behavioral2/memory/4940-168-0x00007FF75D910000-0x00007FF75DC61000-memory.dmp	xmrig
behavioral2/memory/2108-219-0x00007FF6B6480000-0x00007FF6B67D1000-memory.dmp	xmrig
behavioral2/memory/1152-221-0x00007FF7E3900000-0x00007FF7E3C51000-memory.dmp	xmrig
behavioral2/memory/2456-223-0x00007FF66BD20000-0x00007FF66C071000-memory.dmp	xmrig
behavioral2/memory/232-225-0x00007FF6723F0000-0x00007FF672741000-memory.dmp	xmrig
behavioral2/memory/3004-237-0x00007FF6CC3B0000-0x00007FF6CC701000-memory.dmp	xmrig
behavioral2/memory/3888-238-0x00007FF719750000-0x00007FF719AA1000-memory.dmp	xmrig
behavioral2/memory/1808-242-0x00007FF6D6180000-0x00007FF6D64D1000-memory.dmp	xmrig
behavioral2/memory/1088-244-0x00007FF60ECA0000-0x00007FF60EFF1000-memory.dmp	xmrig
behavioral2/memory/2396-248-0x00007FF7C3D40000-0x00007FF7C4091000-memory.dmp	xmrig
behavioral2/memory/3024-250-0x00007FF781740000-0x00007FF781A91000-memory.dmp	xmrig
behavioral2/memory/5088-246-0x00007FF77EE20000-0x00007FF77F171000-memory.dmp	xmrig
behavioral2/memory/2164-240-0x00007FF6254E0000-0x00007FF625831000-memory.dmp	xmrig
behavioral2/memory/1268-252-0x00007FF65E500000-0x00007FF65E851000-memory.dmp	xmrig
behavioral2/memory/4744-260-0x00007FF6EA540000-0x00007FF6EA891000-memory.dmp	xmrig
behavioral2/memory/5096-262-0x00007FF78D7C0000-0x00007FF78DB11000-memory.dmp	xmrig
behavioral2/memory/4852-264-0x00007FF7A8E30000-0x00007FF7A9181000-memory.dmp	xmrig
behavioral2/memory/4836-270-0x00007FF6525F0000-0x00007FF652941000-memory.dmp	xmrig
behavioral2/memory/1740-268-0x00007FF6C0370000-0x00007FF6C06C1000-memory.dmp	xmrig
behavioral2/memory/2828-266-0x00007FF7D6C10000-0x00007FF7D6F61000-memory.dmp	xmrig
behavioral2/memory/4092-275-0x00007FF7A9270000-0x00007FF7A95C1000-memory.dmp	xmrig
behavioral2/memory/5032-273-0x00007FF797800000-0x00007FF797B51000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2108	SZeLfqT.exe
1152	WHIjiKr.exe
2456	DyWHape.exe
232	BYFwQau.exe
3004	YiYuVNi.exe
3888	GfREAmv.exe
2164	brulche.exe
1808	oPUDehK.exe
1088	JlXpVtH.exe
5088	SDyFLDy.exe
2396	dfWopew.exe
3024	epchnHc.exe
1268	IGVjxbZ.exe
4744	IwugiJR.exe
5096	oZtbuoR.exe
4836	UNrsSfe.exe
4852	agjPbmp.exe
2828	PkTAfLC.exe
1740	zAZWTmI.exe
5032	IwrbGNx.exe
4092	VJyfaVi.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4940-0-0x00007FF75D910000-0x00007FF75DC61000-memory.dmp	upx
behavioral2/files/0x000c000000023baa-6.dat	upx
behavioral2/files/0x0008000000023bc3-11.dat	upx
behavioral2/files/0x0009000000023bc8-10.dat	upx
behavioral2/memory/1152-14-0x00007FF7E3900000-0x00007FF7E3C51000-memory.dmp	upx
behavioral2/files/0x0009000000023bc9-22.dat	upx
behavioral2/memory/2456-25-0x00007FF66BD20000-0x00007FF66C071000-memory.dmp	upx
behavioral2/files/0x0009000000023bca-29.dat	upx
behavioral2/files/0x000e000000023bce-34.dat	upx
behavioral2/memory/3888-35-0x00007FF719750000-0x00007FF719AA1000-memory.dmp	upx
behavioral2/files/0x0008000000023bd0-43.dat	upx
behavioral2/memory/1808-48-0x00007FF6D6180000-0x00007FF6D64D1000-memory.dmp	upx
behavioral2/files/0x0008000000023bd4-47.dat	upx
behavioral2/files/0x0008000000023bd3-52.dat	upx
behavioral2/files/0x0008000000023bd6-63.dat	upx
behavioral2/files/0x0008000000023bd5-66.dat	upx
behavioral2/files/0x0008000000023c05-75.dat	upx
behavioral2/memory/1152-80-0x00007FF7E3900000-0x00007FF7E3C51000-memory.dmp	upx
behavioral2/files/0x0008000000023c06-82.dat	upx
behavioral2/memory/1268-81-0x00007FF65E500000-0x00007FF65E851000-memory.dmp	upx
behavioral2/memory/3024-74-0x00007FF781740000-0x00007FF781A91000-memory.dmp	upx
behavioral2/memory/2108-73-0x00007FF6B6480000-0x00007FF6B67D1000-memory.dmp	upx
behavioral2/memory/2396-65-0x00007FF7C3D40000-0x00007FF7C4091000-memory.dmp	upx
behavioral2/memory/4940-64-0x00007FF75D910000-0x00007FF75DC61000-memory.dmp	upx
behavioral2/memory/5088-60-0x00007FF77EE20000-0x00007FF77F171000-memory.dmp	upx
behavioral2/memory/1088-49-0x00007FF60ECA0000-0x00007FF60EFF1000-memory.dmp	upx
behavioral2/memory/2164-45-0x00007FF6254E0000-0x00007FF625831000-memory.dmp	upx
behavioral2/memory/3004-30-0x00007FF6CC3B0000-0x00007FF6CC701000-memory.dmp	upx
behavioral2/files/0x000c000000023bab-90.dat	upx
behavioral2/files/0x0008000000023c08-101.dat	upx
behavioral2/files/0x0008000000023c09-108.dat	upx
behavioral2/memory/4852-112-0x00007FF7A8E30000-0x00007FF7A9181000-memory.dmp	upx
behavioral2/files/0x0008000000023c0f-122.dat	upx
behavioral2/memory/1740-121-0x00007FF6C0370000-0x00007FF6C06C1000-memory.dmp	upx
behavioral2/memory/1088-120-0x00007FF60ECA0000-0x00007FF60EFF1000-memory.dmp	upx
behavioral2/files/0x0008000000023c0a-118.dat	upx
behavioral2/memory/2828-116-0x00007FF7D6C10000-0x00007FF7D6F61000-memory.dmp	upx
behavioral2/memory/2164-115-0x00007FF6254E0000-0x00007FF625831000-memory.dmp	upx
behavioral2/memory/4836-110-0x00007FF6525F0000-0x00007FF652941000-memory.dmp	upx
behavioral2/memory/1808-103-0x00007FF6D6180000-0x00007FF6D64D1000-memory.dmp	upx
behavioral2/memory/3888-102-0x00007FF719750000-0x00007FF719AA1000-memory.dmp	upx
behavioral2/memory/5096-97-0x00007FF78D7C0000-0x00007FF78DB11000-memory.dmp	upx
behavioral2/memory/3004-91-0x00007FF6CC3B0000-0x00007FF6CC701000-memory.dmp	upx
behavioral2/files/0x0008000000023c07-89.dat	upx
behavioral2/memory/4744-87-0x00007FF6EA540000-0x00007FF6EA891000-memory.dmp	upx
behavioral2/memory/232-26-0x00007FF6723F0000-0x00007FF672741000-memory.dmp	upx
behavioral2/memory/2108-8-0x00007FF6B6480000-0x00007FF6B67D1000-memory.dmp	upx
behavioral2/memory/5088-125-0x00007FF77EE20000-0x00007FF77F171000-memory.dmp	upx
behavioral2/files/0x0008000000023c10-128.dat	upx
behavioral2/files/0x0008000000023c11-133.dat	upx
behavioral2/memory/2396-135-0x00007FF7C3D40000-0x00007FF7C4091000-memory.dmp	upx
behavioral2/memory/3024-138-0x00007FF781740000-0x00007FF781A91000-memory.dmp	upx
behavioral2/memory/4092-137-0x00007FF7A9270000-0x00007FF7A95C1000-memory.dmp	upx
behavioral2/memory/5032-136-0x00007FF797800000-0x00007FF797B51000-memory.dmp	upx
behavioral2/memory/1268-139-0x00007FF65E500000-0x00007FF65E851000-memory.dmp	upx
behavioral2/memory/4744-140-0x00007FF6EA540000-0x00007FF6EA891000-memory.dmp	upx
behavioral2/memory/5096-142-0x00007FF78D7C0000-0x00007FF78DB11000-memory.dmp	upx
behavioral2/memory/4836-143-0x00007FF6525F0000-0x00007FF652941000-memory.dmp	upx
behavioral2/memory/4940-141-0x00007FF75D910000-0x00007FF75DC61000-memory.dmp	upx
behavioral2/memory/4852-158-0x00007FF7A8E30000-0x00007FF7A9181000-memory.dmp	upx
behavioral2/memory/2828-159-0x00007FF7D6C10000-0x00007FF7D6F61000-memory.dmp	upx
behavioral2/memory/1740-166-0x00007FF6C0370000-0x00007FF6C06C1000-memory.dmp	upx
behavioral2/memory/4940-168-0x00007FF75D910000-0x00007FF75DC61000-memory.dmp	upx
behavioral2/memory/2108-219-0x00007FF6B6480000-0x00007FF6B67D1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\DyWHape.exe	2024-12-27_b53a59ac82938a755d1273fbf3160006_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\brulche.exe	2024-12-27_b53a59ac82938a755d1273fbf3160006_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dfWopew.exe	2024-12-27_b53a59ac82938a755d1273fbf3160006_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IwugiJR.exe	2024-12-27_b53a59ac82938a755d1273fbf3160006_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oZtbuoR.exe	2024-12-27_b53a59ac82938a755d1273fbf3160006_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PkTAfLC.exe	2024-12-27_b53a59ac82938a755d1273fbf3160006_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VJyfaVi.exe	2024-12-27_b53a59ac82938a755d1273fbf3160006_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SZeLfqT.exe	2024-12-27_b53a59ac82938a755d1273fbf3160006_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SDyFLDy.exe	2024-12-27_b53a59ac82938a755d1273fbf3160006_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zAZWTmI.exe	2024-12-27_b53a59ac82938a755d1273fbf3160006_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IwrbGNx.exe	2024-12-27_b53a59ac82938a755d1273fbf3160006_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JlXpVtH.exe	2024-12-27_b53a59ac82938a755d1273fbf3160006_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GfREAmv.exe	2024-12-27_b53a59ac82938a755d1273fbf3160006_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\epchnHc.exe	2024-12-27_b53a59ac82938a755d1273fbf3160006_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UNrsSfe.exe	2024-12-27_b53a59ac82938a755d1273fbf3160006_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WHIjiKr.exe	2024-12-27_b53a59ac82938a755d1273fbf3160006_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YiYuVNi.exe	2024-12-27_b53a59ac82938a755d1273fbf3160006_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oPUDehK.exe	2024-12-27_b53a59ac82938a755d1273fbf3160006_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IGVjxbZ.exe	2024-12-27_b53a59ac82938a755d1273fbf3160006_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\agjPbmp.exe	2024-12-27_b53a59ac82938a755d1273fbf3160006_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BYFwQau.exe	2024-12-27_b53a59ac82938a755d1273fbf3160006_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4940	2024-12-27_b53a59ac82938a755d1273fbf3160006_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4940	2024-12-27_b53a59ac82938a755d1273fbf3160006_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4940 wrote to memory of 2108	4940	2024-12-27_b53a59ac82938a755d1273fbf3160006_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4940 wrote to memory of 2108	4940	2024-12-27_b53a59ac82938a755d1273fbf3160006_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4940 wrote to memory of 1152	4940	2024-12-27_b53a59ac82938a755d1273fbf3160006_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4940 wrote to memory of 1152	4940	2024-12-27_b53a59ac82938a755d1273fbf3160006_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4940 wrote to memory of 2456	4940	2024-12-27_b53a59ac82938a755d1273fbf3160006_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4940 wrote to memory of 2456	4940	2024-12-27_b53a59ac82938a755d1273fbf3160006_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4940 wrote to memory of 232	4940	2024-12-27_b53a59ac82938a755d1273fbf3160006_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4940 wrote to memory of 232	4940	2024-12-27_b53a59ac82938a755d1273fbf3160006_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4940 wrote to memory of 3004	4940	2024-12-27_b53a59ac82938a755d1273fbf3160006_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4940 wrote to memory of 3004	4940	2024-12-27_b53a59ac82938a755d1273fbf3160006_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4940 wrote to memory of 3888	4940	2024-12-27_b53a59ac82938a755d1273fbf3160006_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4940 wrote to memory of 3888	4940	2024-12-27_b53a59ac82938a755d1273fbf3160006_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4940 wrote to memory of 2164	4940	2024-12-27_b53a59ac82938a755d1273fbf3160006_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4940 wrote to memory of 2164	4940	2024-12-27_b53a59ac82938a755d1273fbf3160006_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4940 wrote to memory of 1808	4940	2024-12-27_b53a59ac82938a755d1273fbf3160006_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4940 wrote to memory of 1808	4940	2024-12-27_b53a59ac82938a755d1273fbf3160006_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4940 wrote to memory of 1088	4940	2024-12-27_b53a59ac82938a755d1273fbf3160006_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4940 wrote to memory of 1088	4940	2024-12-27_b53a59ac82938a755d1273fbf3160006_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4940 wrote to memory of 5088	4940	2024-12-27_b53a59ac82938a755d1273fbf3160006_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4940 wrote to memory of 5088	4940	2024-12-27_b53a59ac82938a755d1273fbf3160006_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4940 wrote to memory of 2396	4940	2024-12-27_b53a59ac82938a755d1273fbf3160006_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4940 wrote to memory of 2396	4940	2024-12-27_b53a59ac82938a755d1273fbf3160006_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4940 wrote to memory of 3024	4940	2024-12-27_b53a59ac82938a755d1273fbf3160006_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4940 wrote to memory of 3024	4940	2024-12-27_b53a59ac82938a755d1273fbf3160006_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4940 wrote to memory of 1268	4940	2024-12-27_b53a59ac82938a755d1273fbf3160006_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4940 wrote to memory of 1268	4940	2024-12-27_b53a59ac82938a755d1273fbf3160006_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4940 wrote to memory of 4744	4940	2024-12-27_b53a59ac82938a755d1273fbf3160006_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4940 wrote to memory of 4744	4940	2024-12-27_b53a59ac82938a755d1273fbf3160006_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4940 wrote to memory of 5096	4940	2024-12-27_b53a59ac82938a755d1273fbf3160006_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4940 wrote to memory of 5096	4940	2024-12-27_b53a59ac82938a755d1273fbf3160006_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4940 wrote to memory of 4852	4940	2024-12-27_b53a59ac82938a755d1273fbf3160006_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4940 wrote to memory of 4852	4940	2024-12-27_b53a59ac82938a755d1273fbf3160006_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4940 wrote to memory of 4836	4940	2024-12-27_b53a59ac82938a755d1273fbf3160006_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4940 wrote to memory of 4836	4940	2024-12-27_b53a59ac82938a755d1273fbf3160006_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4940 wrote to memory of 2828	4940	2024-12-27_b53a59ac82938a755d1273fbf3160006_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4940 wrote to memory of 2828	4940	2024-12-27_b53a59ac82938a755d1273fbf3160006_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4940 wrote to memory of 1740	4940	2024-12-27_b53a59ac82938a755d1273fbf3160006_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4940 wrote to memory of 1740	4940	2024-12-27_b53a59ac82938a755d1273fbf3160006_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4940 wrote to memory of 5032	4940	2024-12-27_b53a59ac82938a755d1273fbf3160006_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4940 wrote to memory of 5032	4940	2024-12-27_b53a59ac82938a755d1273fbf3160006_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4940 wrote to memory of 4092	4940	2024-12-27_b53a59ac82938a755d1273fbf3160006_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 4940 wrote to memory of 4092	4940	2024-12-27_b53a59ac82938a755d1273fbf3160006_cobalt-strike_cobaltstrike_poet-rat.exe	105

C:\Users\Admin\AppData\Local\Temp\2024-12-27_b53a59ac82938a755d1273fbf3160006_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-27_b53a59ac82938a755d1273fbf3160006_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4940
- C:\Windows\System\SZeLfqT.exe
  C:\Windows\System\SZeLfqT.exe
  2⤵
  - Executes dropped EXE
  PID:2108
- C:\Windows\System\WHIjiKr.exe
  C:\Windows\System\WHIjiKr.exe
  2⤵
  - Executes dropped EXE
  PID:1152
- C:\Windows\System\DyWHape.exe
  C:\Windows\System\DyWHape.exe
  2⤵
  - Executes dropped EXE
  PID:2456
- C:\Windows\System\BYFwQau.exe
  C:\Windows\System\BYFwQau.exe
  2⤵
  - Executes dropped EXE
  PID:232
- C:\Windows\System\YiYuVNi.exe
  C:\Windows\System\YiYuVNi.exe
  2⤵
  - Executes dropped EXE
  PID:3004
- C:\Windows\System\GfREAmv.exe
  C:\Windows\System\GfREAmv.exe
  2⤵
  - Executes dropped EXE
  PID:3888
- C:\Windows\System\brulche.exe
  C:\Windows\System\brulche.exe
  2⤵
  - Executes dropped EXE
  PID:2164
- C:\Windows\System\oPUDehK.exe
  C:\Windows\System\oPUDehK.exe
  2⤵
  - Executes dropped EXE
  PID:1808
- C:\Windows\System\JlXpVtH.exe
  C:\Windows\System\JlXpVtH.exe
  2⤵
  - Executes dropped EXE
  PID:1088
- C:\Windows\System\SDyFLDy.exe
  C:\Windows\System\SDyFLDy.exe
  2⤵
  - Executes dropped EXE
  PID:5088
- C:\Windows\System\dfWopew.exe
  C:\Windows\System\dfWopew.exe
  2⤵
  - Executes dropped EXE
  PID:2396
- C:\Windows\System\epchnHc.exe
  C:\Windows\System\epchnHc.exe
  2⤵
  - Executes dropped EXE
  PID:3024
- C:\Windows\System\IGVjxbZ.exe
  C:\Windows\System\IGVjxbZ.exe
  2⤵
  - Executes dropped EXE
  PID:1268
- C:\Windows\System\IwugiJR.exe
  C:\Windows\System\IwugiJR.exe
  2⤵
  - Executes dropped EXE
  PID:4744
- C:\Windows\System\oZtbuoR.exe
  C:\Windows\System\oZtbuoR.exe
  2⤵
  - Executes dropped EXE
  PID:5096
- C:\Windows\System\agjPbmp.exe
  C:\Windows\System\agjPbmp.exe
  2⤵
  - Executes dropped EXE
  PID:4852
- C:\Windows\System\UNrsSfe.exe
  C:\Windows\System\UNrsSfe.exe
  2⤵
  - Executes dropped EXE
  PID:4836
- C:\Windows\System\PkTAfLC.exe
  C:\Windows\System\PkTAfLC.exe
  2⤵
  - Executes dropped EXE
  PID:2828
- C:\Windows\System\zAZWTmI.exe
  C:\Windows\System\zAZWTmI.exe
  2⤵
  - Executes dropped EXE
  PID:1740
- C:\Windows\System\IwrbGNx.exe
  C:\Windows\System\IwrbGNx.exe
  2⤵
  - Executes dropped EXE
  PID:5032
- C:\Windows\System\VJyfaVi.exe
  C:\Windows\System\VJyfaVi.exe
  2⤵
  - Executes dropped EXE
  PID:4092

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BYFwQau.exe

Filesize
5.2MB

MD5
92c7fcf34f0f0ce7478a0c06213f9af2

SHA1
7831e0e51da7ac372fd56cd607779d9d56a80c57

SHA256
c9ee7140b82b337fdae17e9f1ffdd72adbbeea8d9849379240b00873905113f2

SHA512
abadcd34fd683473663f84e084e606562d02cc4fdd9b353f6b6f24063acb591dced36aefee4972650a367ffe06238124995be2725dee80859aeebe2b2afff94d

Download Submit
C:\Windows\System\DyWHape.exe

Filesize
5.2MB

MD5
dec24423a502d651aa18b64242f2e78c

SHA1
188c423fc08161a556c0f81e5df6303940c3678c

SHA256
5f7bccab201cb429f2dba58e8f6f4e9f7df74efd4b17b5d1e887f70558bf83d2

SHA512
42a50f11df123af19257bba9fda134d4521689f3f1b26a47c7a590dd2386a65328a286c034401800555234c9f7bacffb9a8999ecbe96c68d47a45662298be769

Download Submit
C:\Windows\System\GfREAmv.exe

Filesize
5.2MB

MD5
1d77f34c23e9c58f1495e6091f1fb407

SHA1
ce245bc160e4b11d4979f2c16af996d8bfa71896

SHA256
d57c6b9024307b81c4c6e60ab8f61b9f6baf12696e1269425cce2769e3232f89

SHA512
ec74b6e5daa894f34824907c70b6f60d047c70d180961d60631762106a055fbf2bcd57e14e41696ab33077bdd4b57ed20aa2dfedf2e398bd84e618fb79952673

Download Submit
C:\Windows\System\IGVjxbZ.exe

Filesize
5.2MB

MD5
c02c81a5bd066efe7412b0a3c8539f3c

SHA1
8d4242c7f247797ed965673c61d8fa802afde3f6

SHA256
d86754e12a085115341386ed30cf717c848444b381c550da975d3425a8f271e0

SHA512
310385a2223231b6b2977862195c87dd6556f9ae6fdb035e0dc122047bb98bc94930b535f8c7cbb3b39063706e9e922fb707fdbb3f8d21168285440a995ad21d

Download Submit
C:\Windows\System\IwrbGNx.exe

Filesize
5.2MB

MD5
f49852e9d47d9cde2f30831df6d7d453

SHA1
93ee7e8286fa7c9b7826d23fefae9c4df5e908f2

SHA256
5192dfe0506c165e44661e47c168ab0d47993c986d0e7ca78f1de5dbc695e239

SHA512
39149e429bd07de409c2edb6f3f0ce495a2a7afc94a1ffb64e0aad1d23640f1f55221e97762ef0e4bf193793705fe63e0dcd6feccabc865906b560f9a8c46c64

Download Submit
C:\Windows\System\IwugiJR.exe

Filesize
5.2MB

MD5
fd8ea71ceda4acfda8167f562a8d697d

SHA1
6059b8464921d3ed4a8001847273836b4d25880f

SHA256
4b612ce0f92461a62b90aac69c937ce451f6b9442eaceec8bb2032b2827bc085

SHA512
5e553a8217c153044eb52e8aae609416faf1c0a9888f2f7fd2599951e91140156300d2ed6582060b3bb113bb83dd86ab061e835b59e24a2bc1a7b02b6709a341

Download Submit
C:\Windows\System\JlXpVtH.exe

Filesize
5.2MB

MD5
1d54ba3e1eafd551b37f6ada382e689a

SHA1
96748bc60190524a9753223bbd5ede65db39928c

SHA256
2efec7ccdceeb63e25d39b043eb805ab8279d3af23eec0c02e6cc814a37045da

SHA512
8a1698683dc56bb16dc41c3a72d751c821dfd5809ecbd02c1c75fba68221665bb2a452934fdcd6367cd8f5633814c3d854e444d35e392f9b51b9707f6cd92de7

Download Submit
C:\Windows\System\PkTAfLC.exe

Filesize
5.2MB

MD5
f53abbb2799fb9304b10ae5b1952028e

SHA1
7abf0f69844ad630618ae8d7e19d90c2e8a04532

SHA256
60e870713a0d07d2d0e0797172a100ce4632523486dc10f6134d6c2c23bdaadf

SHA512
89d59e9878c5b9c9f7c1d6fe9423f5802aa3bedde2b5bc8499a0c9e0e1ddd7d184f44dc0425b42d0a6479c7d84d30f30cd5c235d535e4901b34c8f2de227725f

Download Submit
C:\Windows\System\SDyFLDy.exe

Filesize
5.2MB

MD5
131947cd10e4e61836cab08566c8f04f

SHA1
529d9c0859e699b8d1b71521d1d319f7bcdcc45f

SHA256
90588d123e1bf06860594dd23b52af1c160da5a00c3781c902ec8f6af7eaf55e

SHA512
10df2efd469fa8ce5bdfaf98fc0832c2fb641dc9dc8d269b0c4f89f433f7773d76b52b4528a47fbb803cfc5a7b255840093260330b79a62378c0e52bdb8ba198

Download Submit
C:\Windows\System\SZeLfqT.exe

Filesize
5.2MB

MD5
3eccbfc7102c28012b30e1b5c1583f98

SHA1
cc03dd58c3ade4388a2cc62f6296b9fa1468bacf

SHA256
80be26fc707bd5bc10240063a67d0d798073079b0131610a7956bd31577714e7

SHA512
1a1e8c2156f7006fa04f47e1eaae28a690d908dc427b651d3142fb0a897ac7e3bafb1f0ce2e1b92356a6c850f12b3462d1ea5e3d93b73e6f748a3c9a63042c85

Download Submit
C:\Windows\System\UNrsSfe.exe

Filesize
5.2MB

MD5
6b34fea207aeb4466a171fecee6f1770

SHA1
e1d69f091c64e77a38d24c28519b181bf651463e

SHA256
c26ab54ce24ceae11d5c46d88fe941dd6952aa93140c70117fde3d4eaefd09c0

SHA512
4cf809a2d92c523237a91a93b2527f0c129bd5ff1b381eaef76329c0dfc59ec947b80a09ad99828b1dbab8e53b1e868e42be41fb1d3b117518837381eb314420

Download Submit
C:\Windows\System\VJyfaVi.exe

Filesize
5.2MB

MD5
971dd67c9f0f619d1f474a27b1e00781

SHA1
6a6fb92b56b80457ab7eef5c56b47db7bba30130

SHA256
ccc20a7577e850917389e9da808b422e3c38992180567b95c431eb730dda3e26

SHA512
22c0272749de0ad5e8fdfc1a075ccbb71f2bd954215db90c915fc9e7fc36018e2afb4ee85443d9f54171630e1602a789d793d6dd6156209d4356c47bdfa9e137

Download Submit
C:\Windows\System\WHIjiKr.exe

Filesize
5.2MB

MD5
ca403edd60478c0a15d5c7d38aa769c6

SHA1
d3ad229b2239ad1955987054b065a896b58c05d2

SHA256
c4c3a860a08fc500ededf04a15ec689e79ec6d34a0c13cac405429e4e15fe18f

SHA512
f64e353a10ad22774dd1cb19f8449105910eff1ee970b3e70c46fccc8ee7e7123c5f9381a33ea5997e33f02c58f41b208ffa5a84fbd5769f06ff3d765fdf10f2

Download Submit
C:\Windows\System\YiYuVNi.exe

Filesize
5.2MB

MD5
3f8aeaabf8468d40227b2e265b392578

SHA1
8b86cbb94d4e84e3253242b830cd3fa3056a8d1e

SHA256
fe4dfe26acdfb4706c9111c31e0047a99bf9620eaecb2579bb2dc4a21181cd3a

SHA512
3dafda0d2b10ed553b894d5cd5cb7a8e8002a650f18f41a03ffd84ab33673e5683e7c03176acd31d27652d71728551666ec18c602b1dddcc7181717aa8e59954

Download Submit
C:\Windows\System\agjPbmp.exe

Filesize
5.2MB

MD5
9f11ac990484e158ebf5bf92bec03558

SHA1
7e2358630be7c97c914dc6654c11b01825b08287

SHA256
e13575930e82d0a10aa9545540372203d101fbe5b7bc63be42b5af5f405cabcf

SHA512
cdee990438e76ed0b6d40b828e9af5b73f162315e9e894d08b9e41edaf1d9ee601305390e3db53f5a9de3eb25bee6e704dd7e16db49825b76a5303857f33773f

Download Submit
C:\Windows\System\brulche.exe

Filesize
5.2MB

MD5
84b50a8ff0a34b86b5bbb9c4f31ce1aa

SHA1
9f3454f67f08b95d33675662b9cb4b2d4ffe575f

SHA256
df74ed51280b264481a8ff6a3ca91de6f076a958b3894408c02e5ea80e6b4230

SHA512
dff966c805081746f6874976a2a3abf49bd915f02ae5dbd0346eef516669a008eb7550a4b246bd40873c6f2c77007a1008183d1502bb5f2cf265762923bd4623

Download Submit
C:\Windows\System\dfWopew.exe

Filesize
5.2MB

MD5
4d32999d2ed364ad28c8fc6503eb6d3a

SHA1
1384936dcc4caac97936d7b15aea232351513dcb

SHA256
a95df4989b5983e055df9ddb2aad0b40c527970332ed500c396e0ab3a56e0c67

SHA512
496158ccb7a9d04a9573c52d9752fee524ad3ad75d6c6611b1773d6e879db9afffce23da621237d94578393169e4bbd969575f1c4867835bf2f8f15ff75800fd

Download Submit
C:\Windows\System\epchnHc.exe

Filesize
5.2MB

MD5
5e7cd85eba703392763bc5894b4642cf

SHA1
f182da08fcec3fb195784949327cd9c11a8a72bf

SHA256
323796e3aedb5158de023beeaa30df7c929a9cab6dc61c97b1435bd329e922ea

SHA512
4699adee34fe4ef06f8c104104bf14785300c5a4f6392acf8a35668d14587386754ccffbdc387274e8fb2bd4729e0c00d073a3526e3d8b5455656381e131c266

Download Submit
C:\Windows\System\oPUDehK.exe

Filesize
5.2MB

MD5
3e99a322cda3f89ae27eb063b10cbe9c

SHA1
dd739c90a73065062ed8340b13204be45c2d44fd

SHA256
ed43b6603e657e0318b5adf2cf61a9ad17c99ab61257a1132a15422cb9ec0383

SHA512
9ce9d77e709ff7ca795ee687d8f7e575eb0c9d6dcadd7b71bf53d549b19ec3e635aba37b5b91b3f328bb229a5ed486385b5e51d0efba534e7496f6b88dd931e3

Download Submit
C:\Windows\System\oZtbuoR.exe

Filesize
5.2MB

MD5
9b3a667a99ff3b431f7bdb5b8f9a39a0

SHA1
66a83fbf00c3aa6a534c14e25b75c44ef1e56e20

SHA256
7be6e4d37a5068809d24fad998092317702f84dcc9bfa198b1664882e0561d4b

SHA512
f12dc92a81282a28b91fa07d940e84130b3445444c84e3b3e92d6aa7bed30162ee7943c2094744184669e4ce02a9e2db3b6a630aafac723780f3e036d1043827

Download Submit
C:\Windows\System\zAZWTmI.exe

Filesize
5.2MB

MD5
4e2560d04d2ce985455e0342506aedb2

SHA1
703c7afc044d2517af0545c0e6070c60801584c0

SHA256
27732fb312ad6cb4a8f6fdeba80f989268e427f0ce9d9a9d3a07996dd72054c3

SHA512
de7b3ba643c62e2c4d5300a4905cb547f5e46834431e52a0cf730387bd48b0b05a3516efeb500e0ba1241df267d9d03565fb9c2b65a8e525ae2add14b6805644

Download Submit
memory/232-225-0x00007FF6723F0000-0x00007FF672741000-memory.dmp

Filesize
3.3MB

Download
memory/232-26-0x00007FF6723F0000-0x00007FF672741000-memory.dmp

Filesize
3.3MB

Download
memory/1088-244-0x00007FF60ECA0000-0x00007FF60EFF1000-memory.dmp

Filesize
3.3MB

Download
memory/1088-49-0x00007FF60ECA0000-0x00007FF60EFF1000-memory.dmp

Filesize
3.3MB

Download
memory/1088-120-0x00007FF60ECA0000-0x00007FF60EFF1000-memory.dmp

Filesize
3.3MB

Download
memory/1152-80-0x00007FF7E3900000-0x00007FF7E3C51000-memory.dmp

Filesize
3.3MB

Download
memory/1152-14-0x00007FF7E3900000-0x00007FF7E3C51000-memory.dmp

Filesize
3.3MB

Download
memory/1152-221-0x00007FF7E3900000-0x00007FF7E3C51000-memory.dmp

Filesize
3.3MB

Download
memory/1268-252-0x00007FF65E500000-0x00007FF65E851000-memory.dmp

Filesize
3.3MB

Download
memory/1268-139-0x00007FF65E500000-0x00007FF65E851000-memory.dmp

Filesize
3.3MB

Download
memory/1268-81-0x00007FF65E500000-0x00007FF65E851000-memory.dmp

Filesize
3.3MB

Download
memory/1740-166-0x00007FF6C0370000-0x00007FF6C06C1000-memory.dmp

Filesize
3.3MB

Download
memory/1740-121-0x00007FF6C0370000-0x00007FF6C06C1000-memory.dmp

Filesize
3.3MB

Download
memory/1740-268-0x00007FF6C0370000-0x00007FF6C06C1000-memory.dmp

Filesize
3.3MB

Download
memory/1808-103-0x00007FF6D6180000-0x00007FF6D64D1000-memory.dmp

Filesize
3.3MB

Download
memory/1808-242-0x00007FF6D6180000-0x00007FF6D64D1000-memory.dmp

Filesize
3.3MB

Download
memory/1808-48-0x00007FF6D6180000-0x00007FF6D64D1000-memory.dmp

Filesize
3.3MB

Download
memory/2108-219-0x00007FF6B6480000-0x00007FF6B67D1000-memory.dmp

Filesize
3.3MB

Download
memory/2108-8-0x00007FF6B6480000-0x00007FF6B67D1000-memory.dmp

Filesize
3.3MB

Download
memory/2108-73-0x00007FF6B6480000-0x00007FF6B67D1000-memory.dmp

Filesize
3.3MB

Download
memory/2164-115-0x00007FF6254E0000-0x00007FF625831000-memory.dmp

Filesize
3.3MB

Download
memory/2164-240-0x00007FF6254E0000-0x00007FF625831000-memory.dmp

Filesize
3.3MB

Download
memory/2164-45-0x00007FF6254E0000-0x00007FF625831000-memory.dmp

Filesize
3.3MB

Download
memory/2396-248-0x00007FF7C3D40000-0x00007FF7C4091000-memory.dmp

Filesize
3.3MB

Download
memory/2396-135-0x00007FF7C3D40000-0x00007FF7C4091000-memory.dmp

Filesize
3.3MB

Download
memory/2396-65-0x00007FF7C3D40000-0x00007FF7C4091000-memory.dmp

Filesize
3.3MB

Download
memory/2456-25-0x00007FF66BD20000-0x00007FF66C071000-memory.dmp

Filesize
3.3MB

Download
memory/2456-223-0x00007FF66BD20000-0x00007FF66C071000-memory.dmp

Filesize
3.3MB

Download
memory/2828-159-0x00007FF7D6C10000-0x00007FF7D6F61000-memory.dmp

Filesize
3.3MB

Download
memory/2828-116-0x00007FF7D6C10000-0x00007FF7D6F61000-memory.dmp

Filesize
3.3MB

Download
memory/2828-266-0x00007FF7D6C10000-0x00007FF7D6F61000-memory.dmp

Filesize
3.3MB

Download
memory/3004-30-0x00007FF6CC3B0000-0x00007FF6CC701000-memory.dmp

Filesize
3.3MB

Download
memory/3004-91-0x00007FF6CC3B0000-0x00007FF6CC701000-memory.dmp

Filesize
3.3MB

Download
memory/3004-237-0x00007FF6CC3B0000-0x00007FF6CC701000-memory.dmp

Filesize
3.3MB

Download
memory/3024-138-0x00007FF781740000-0x00007FF781A91000-memory.dmp

Filesize
3.3MB

Download
memory/3024-250-0x00007FF781740000-0x00007FF781A91000-memory.dmp

Filesize
3.3MB

Download
memory/3024-74-0x00007FF781740000-0x00007FF781A91000-memory.dmp

Filesize
3.3MB

Download
memory/3888-102-0x00007FF719750000-0x00007FF719AA1000-memory.dmp

Filesize
3.3MB

Download
memory/3888-238-0x00007FF719750000-0x00007FF719AA1000-memory.dmp

Filesize
3.3MB

Download
memory/3888-35-0x00007FF719750000-0x00007FF719AA1000-memory.dmp

Filesize
3.3MB

Download
memory/4092-275-0x00007FF7A9270000-0x00007FF7A95C1000-memory.dmp

Filesize
3.3MB

Download
memory/4092-137-0x00007FF7A9270000-0x00007FF7A95C1000-memory.dmp

Filesize
3.3MB

Download
memory/4744-260-0x00007FF6EA540000-0x00007FF6EA891000-memory.dmp

Filesize
3.3MB

Download
memory/4744-140-0x00007FF6EA540000-0x00007FF6EA891000-memory.dmp

Filesize
3.3MB

Download
memory/4744-87-0x00007FF6EA540000-0x00007FF6EA891000-memory.dmp

Filesize
3.3MB

Download
memory/4836-110-0x00007FF6525F0000-0x00007FF652941000-memory.dmp

Filesize
3.3MB

Download
memory/4836-270-0x00007FF6525F0000-0x00007FF652941000-memory.dmp

Filesize
3.3MB

Download
memory/4836-143-0x00007FF6525F0000-0x00007FF652941000-memory.dmp

Filesize
3.3MB

Download
memory/4852-158-0x00007FF7A8E30000-0x00007FF7A9181000-memory.dmp

Filesize
3.3MB

Download
memory/4852-112-0x00007FF7A8E30000-0x00007FF7A9181000-memory.dmp

Filesize
3.3MB

Download
memory/4852-264-0x00007FF7A8E30000-0x00007FF7A9181000-memory.dmp

Filesize
3.3MB

Download
memory/4940-168-0x00007FF75D910000-0x00007FF75DC61000-memory.dmp

Filesize
3.3MB

Download
memory/4940-64-0x00007FF75D910000-0x00007FF75DC61000-memory.dmp

Filesize
3.3MB

Download
memory/4940-141-0x00007FF75D910000-0x00007FF75DC61000-memory.dmp

Filesize
3.3MB

Download
memory/4940-0-0x00007FF75D910000-0x00007FF75DC61000-memory.dmp

Filesize
3.3MB

Download
memory/4940-1-0x000001B9AC090000-0x000001B9AC0A0000-memory.dmp

Filesize
64KB

Download
memory/5032-136-0x00007FF797800000-0x00007FF797B51000-memory.dmp

Filesize
3.3MB

Download
memory/5032-273-0x00007FF797800000-0x00007FF797B51000-memory.dmp

Filesize
3.3MB

Download
memory/5088-246-0x00007FF77EE20000-0x00007FF77F171000-memory.dmp

Filesize
3.3MB

Download
memory/5088-125-0x00007FF77EE20000-0x00007FF77F171000-memory.dmp

Filesize
3.3MB

Download
memory/5088-60-0x00007FF77EE20000-0x00007FF77F171000-memory.dmp

Filesize
3.3MB

Download
memory/5096-262-0x00007FF78D7C0000-0x00007FF78DB11000-memory.dmp

Filesize
3.3MB

Download
memory/5096-97-0x00007FF78D7C0000-0x00007FF78DB11000-memory.dmp

Filesize
3.3MB

Download
memory/5096-142-0x00007FF78D7C0000-0x00007FF78DB11000-memory.dmp

Filesize
3.3MB

Download