cobaltstrike | 6636e15c0e73dec8a3c9b644f5103f1057058c31efac04eb35a18634e00bca9b

Analysis

max time kernel
141s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27-12-2024 20:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-27_e4cac74f43a9f73cc0728d38482d171e_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

e4cac74f43a9f73cc0728d38482d171e
SHA1

977112261fff435460b1880fdcdd8bb687fff836
SHA256

6636e15c0e73dec8a3c9b644f5103f1057058c31efac04eb35a18634e00bca9b
SHA512

c408aee2a4299e00b785ffedc86b654f326fc8cba05838dbbb4abdbb549ce8e47ca2d3ce3fc06f6a4d5e97741b97edf826c801edb9a647767b974329decbe91d
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6ld:RWWBibf56utgpPFotBER/mQ32lUp

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0008000000023c8f-4.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c97-29.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c96-40.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c98-43.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c95-34.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c94-27.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c93-18.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c99-46.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c90-53.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9b-59.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9c-64.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9d-72.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9e-77.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9f-88.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca0-93.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca1-107.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca2-110.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca3-115.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca5-127.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca6-131.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca4-122.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 46 IoCs

miner

resource	yara_rule
behavioral2/memory/4460-50-0x00007FF6DD1A0000-0x00007FF6DD4F1000-memory.dmp	xmrig
behavioral2/memory/1132-68-0x00007FF7E9AC0000-0x00007FF7E9E11000-memory.dmp	xmrig
behavioral2/memory/1580-69-0x00007FF74F450000-0x00007FF74F7A1000-memory.dmp	xmrig
behavioral2/memory/4004-80-0x00007FF7324C0000-0x00007FF732811000-memory.dmp	xmrig
behavioral2/memory/4416-89-0x00007FF788E50000-0x00007FF7891A1000-memory.dmp	xmrig
behavioral2/memory/3760-86-0x00007FF730B90000-0x00007FF730EE1000-memory.dmp	xmrig
behavioral2/memory/4912-103-0x00007FF79F7A0000-0x00007FF79FAF1000-memory.dmp	xmrig
behavioral2/memory/3300-108-0x00007FF7C6A00000-0x00007FF7C6D51000-memory.dmp	xmrig
behavioral2/memory/3664-105-0x00007FF668F20000-0x00007FF669271000-memory.dmp	xmrig
behavioral2/memory/4940-102-0x00007FF6838B0000-0x00007FF683C01000-memory.dmp	xmrig
behavioral2/memory/552-101-0x00007FF625470000-0x00007FF6257C1000-memory.dmp	xmrig
behavioral2/memory/3284-73-0x00007FF608E70000-0x00007FF6091C1000-memory.dmp	xmrig
behavioral2/memory/4460-116-0x00007FF6DD1A0000-0x00007FF6DD4F1000-memory.dmp	xmrig
behavioral2/memory/1132-134-0x00007FF7E9AC0000-0x00007FF7E9E11000-memory.dmp	xmrig
behavioral2/memory/3688-135-0x00007FF64BAD0000-0x00007FF64BE21000-memory.dmp	xmrig
behavioral2/memory/4228-136-0x00007FF761F10000-0x00007FF762261000-memory.dmp	xmrig
behavioral2/memory/2888-137-0x00007FF63A0E0000-0x00007FF63A431000-memory.dmp	xmrig
behavioral2/memory/2444-138-0x00007FF688EF0000-0x00007FF689241000-memory.dmp	xmrig
behavioral2/memory/1688-147-0x00007FF66BE80000-0x00007FF66C1D1000-memory.dmp	xmrig
behavioral2/memory/4012-148-0x00007FF6A0100000-0x00007FF6A0451000-memory.dmp	xmrig
behavioral2/memory/1220-153-0x00007FF6679D0000-0x00007FF667D21000-memory.dmp	xmrig
behavioral2/memory/2008-157-0x00007FF7B4690000-0x00007FF7B49E1000-memory.dmp	xmrig
behavioral2/memory/216-159-0x00007FF7653A0000-0x00007FF7656F1000-memory.dmp	xmrig
behavioral2/memory/2728-158-0x00007FF662960000-0x00007FF662CB1000-memory.dmp	xmrig
behavioral2/memory/1132-163-0x00007FF7E9AC0000-0x00007FF7E9E11000-memory.dmp	xmrig
behavioral2/memory/3284-217-0x00007FF608E70000-0x00007FF6091C1000-memory.dmp	xmrig
behavioral2/memory/4004-219-0x00007FF7324C0000-0x00007FF732811000-memory.dmp	xmrig
behavioral2/memory/3760-221-0x00007FF730B90000-0x00007FF730EE1000-memory.dmp	xmrig
behavioral2/memory/4416-225-0x00007FF788E50000-0x00007FF7891A1000-memory.dmp	xmrig
behavioral2/memory/4940-223-0x00007FF6838B0000-0x00007FF683C01000-memory.dmp	xmrig
behavioral2/memory/4912-227-0x00007FF79F7A0000-0x00007FF79FAF1000-memory.dmp	xmrig
behavioral2/memory/3300-229-0x00007FF7C6A00000-0x00007FF7C6D51000-memory.dmp	xmrig
behavioral2/memory/4460-234-0x00007FF6DD1A0000-0x00007FF6DD4F1000-memory.dmp	xmrig
behavioral2/memory/2888-236-0x00007FF63A0E0000-0x00007FF63A431000-memory.dmp	xmrig
behavioral2/memory/1688-238-0x00007FF66BE80000-0x00007FF66C1D1000-memory.dmp	xmrig
behavioral2/memory/1580-241-0x00007FF74F450000-0x00007FF74F7A1000-memory.dmp	xmrig
behavioral2/memory/4012-249-0x00007FF6A0100000-0x00007FF6A0451000-memory.dmp	xmrig
behavioral2/memory/1220-251-0x00007FF6679D0000-0x00007FF667D21000-memory.dmp	xmrig
behavioral2/memory/552-253-0x00007FF625470000-0x00007FF6257C1000-memory.dmp	xmrig
behavioral2/memory/3664-255-0x00007FF668F20000-0x00007FF669271000-memory.dmp	xmrig
behavioral2/memory/2728-257-0x00007FF662960000-0x00007FF662CB1000-memory.dmp	xmrig
behavioral2/memory/2008-259-0x00007FF7B4690000-0x00007FF7B49E1000-memory.dmp	xmrig
behavioral2/memory/216-264-0x00007FF7653A0000-0x00007FF7656F1000-memory.dmp	xmrig
behavioral2/memory/2444-266-0x00007FF688EF0000-0x00007FF689241000-memory.dmp	xmrig
behavioral2/memory/3688-268-0x00007FF64BAD0000-0x00007FF64BE21000-memory.dmp	xmrig
behavioral2/memory/4228-270-0x00007FF761F10000-0x00007FF762261000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
3284	eJEHrip.exe
4004	IrnsTJM.exe
3760	MhruhmP.exe
4940	EgFEwsa.exe
4912	uoXYqCZ.exe
4416	HDBrLpi.exe
3300	XDQPcbM.exe
4460	tEnohqm.exe
2888	xGGfMvv.exe
1688	vjQTguH.exe
1580	eMIMRpT.exe
4012	msvfZUD.exe
1220	WNrxfsf.exe
552	ockGmaS.exe
3664	dnVrKJU.exe
2008	hNeAksz.exe
2728	uTBgdLW.exe
216	forvRwY.exe
2444	gpWEqBN.exe
3688	XFTlNAg.exe
4228	CnfybRX.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1132-0-0x00007FF7E9AC0000-0x00007FF7E9E11000-memory.dmp	upx
behavioral2/files/0x0008000000023c8f-4.dat	upx
behavioral2/memory/3284-8-0x00007FF608E70000-0x00007FF6091C1000-memory.dmp	upx
behavioral2/memory/3760-22-0x00007FF730B90000-0x00007FF730EE1000-memory.dmp	upx
behavioral2/files/0x0007000000023c97-29.dat	upx
behavioral2/memory/4912-31-0x00007FF79F7A0000-0x00007FF79FAF1000-memory.dmp	upx
behavioral2/files/0x0007000000023c96-40.dat	upx
behavioral2/files/0x0007000000023c98-43.dat	upx
behavioral2/memory/3300-42-0x00007FF7C6A00000-0x00007FF7C6D51000-memory.dmp	upx
behavioral2/memory/4416-38-0x00007FF788E50000-0x00007FF7891A1000-memory.dmp	upx
behavioral2/files/0x0007000000023c95-34.dat	upx
behavioral2/memory/4940-30-0x00007FF6838B0000-0x00007FF683C01000-memory.dmp	upx
behavioral2/files/0x0007000000023c94-27.dat	upx
behavioral2/files/0x0007000000023c93-18.dat	upx
behavioral2/memory/4004-14-0x00007FF7324C0000-0x00007FF732811000-memory.dmp	upx
behavioral2/files/0x0007000000023c99-46.dat	upx
behavioral2/files/0x0008000000023c90-53.dat	upx
behavioral2/memory/2888-54-0x00007FF63A0E0000-0x00007FF63A431000-memory.dmp	upx
behavioral2/files/0x0007000000023c9b-59.dat	upx
behavioral2/memory/1688-60-0x00007FF66BE80000-0x00007FF66C1D1000-memory.dmp	upx
behavioral2/memory/4460-50-0x00007FF6DD1A0000-0x00007FF6DD4F1000-memory.dmp	upx
behavioral2/files/0x0007000000023c9c-64.dat	upx
behavioral2/memory/1132-68-0x00007FF7E9AC0000-0x00007FF7E9E11000-memory.dmp	upx
behavioral2/memory/1580-69-0x00007FF74F450000-0x00007FF74F7A1000-memory.dmp	upx
behavioral2/files/0x0007000000023c9d-72.dat	upx
behavioral2/files/0x0007000000023c9e-77.dat	upx
behavioral2/memory/4004-80-0x00007FF7324C0000-0x00007FF732811000-memory.dmp	upx
behavioral2/files/0x0007000000023c9f-88.dat	upx
behavioral2/memory/4416-89-0x00007FF788E50000-0x00007FF7891A1000-memory.dmp	upx
behavioral2/memory/3760-86-0x00007FF730B90000-0x00007FF730EE1000-memory.dmp	upx
behavioral2/memory/1220-84-0x00007FF6679D0000-0x00007FF667D21000-memory.dmp	upx
behavioral2/files/0x0007000000023ca0-93.dat	upx
behavioral2/memory/4912-103-0x00007FF79F7A0000-0x00007FF79FAF1000-memory.dmp	upx
behavioral2/files/0x0007000000023ca1-107.dat	upx
behavioral2/files/0x0007000000023ca2-110.dat	upx
behavioral2/memory/2728-109-0x00007FF662960000-0x00007FF662CB1000-memory.dmp	upx
behavioral2/memory/3300-108-0x00007FF7C6A00000-0x00007FF7C6D51000-memory.dmp	upx
behavioral2/memory/2008-106-0x00007FF7B4690000-0x00007FF7B49E1000-memory.dmp	upx
behavioral2/memory/3664-105-0x00007FF668F20000-0x00007FF669271000-memory.dmp	upx
behavioral2/memory/4940-102-0x00007FF6838B0000-0x00007FF683C01000-memory.dmp	upx
behavioral2/memory/552-101-0x00007FF625470000-0x00007FF6257C1000-memory.dmp	upx
behavioral2/memory/4012-74-0x00007FF6A0100000-0x00007FF6A0451000-memory.dmp	upx
behavioral2/memory/3284-73-0x00007FF608E70000-0x00007FF6091C1000-memory.dmp	upx
behavioral2/files/0x0007000000023ca3-115.dat	upx
behavioral2/memory/4460-116-0x00007FF6DD1A0000-0x00007FF6DD4F1000-memory.dmp	upx
behavioral2/files/0x0007000000023ca5-127.dat	upx
behavioral2/files/0x0007000000023ca6-131.dat	upx
behavioral2/files/0x0007000000023ca4-122.dat	upx
behavioral2/memory/216-133-0x00007FF7653A0000-0x00007FF7656F1000-memory.dmp	upx
behavioral2/memory/1132-134-0x00007FF7E9AC0000-0x00007FF7E9E11000-memory.dmp	upx
behavioral2/memory/3688-135-0x00007FF64BAD0000-0x00007FF64BE21000-memory.dmp	upx
behavioral2/memory/4228-136-0x00007FF761F10000-0x00007FF762261000-memory.dmp	upx
behavioral2/memory/2888-137-0x00007FF63A0E0000-0x00007FF63A431000-memory.dmp	upx
behavioral2/memory/2444-138-0x00007FF688EF0000-0x00007FF689241000-memory.dmp	upx
behavioral2/memory/1688-147-0x00007FF66BE80000-0x00007FF66C1D1000-memory.dmp	upx
behavioral2/memory/4012-148-0x00007FF6A0100000-0x00007FF6A0451000-memory.dmp	upx
behavioral2/memory/1220-153-0x00007FF6679D0000-0x00007FF667D21000-memory.dmp	upx
behavioral2/memory/2008-157-0x00007FF7B4690000-0x00007FF7B49E1000-memory.dmp	upx
behavioral2/memory/216-159-0x00007FF7653A0000-0x00007FF7656F1000-memory.dmp	upx
behavioral2/memory/2728-158-0x00007FF662960000-0x00007FF662CB1000-memory.dmp	upx
behavioral2/memory/1132-163-0x00007FF7E9AC0000-0x00007FF7E9E11000-memory.dmp	upx
behavioral2/memory/3284-217-0x00007FF608E70000-0x00007FF6091C1000-memory.dmp	upx
behavioral2/memory/4004-219-0x00007FF7324C0000-0x00007FF732811000-memory.dmp	upx
behavioral2/memory/3760-221-0x00007FF730B90000-0x00007FF730EE1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\msvfZUD.exe	2024-12-27_e4cac74f43a9f73cc0728d38482d171e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WNrxfsf.exe	2024-12-27_e4cac74f43a9f73cc0728d38482d171e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hNeAksz.exe	2024-12-27_e4cac74f43a9f73cc0728d38482d171e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CnfybRX.exe	2024-12-27_e4cac74f43a9f73cc0728d38482d171e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EgFEwsa.exe	2024-12-27_e4cac74f43a9f73cc0728d38482d171e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HDBrLpi.exe	2024-12-27_e4cac74f43a9f73cc0728d38482d171e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tEnohqm.exe	2024-12-27_e4cac74f43a9f73cc0728d38482d171e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eMIMRpT.exe	2024-12-27_e4cac74f43a9f73cc0728d38482d171e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dnVrKJU.exe	2024-12-27_e4cac74f43a9f73cc0728d38482d171e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uTBgdLW.exe	2024-12-27_e4cac74f43a9f73cc0728d38482d171e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IrnsTJM.exe	2024-12-27_e4cac74f43a9f73cc0728d38482d171e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MhruhmP.exe	2024-12-27_e4cac74f43a9f73cc0728d38482d171e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XDQPcbM.exe	2024-12-27_e4cac74f43a9f73cc0728d38482d171e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xGGfMvv.exe	2024-12-27_e4cac74f43a9f73cc0728d38482d171e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eJEHrip.exe	2024-12-27_e4cac74f43a9f73cc0728d38482d171e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uoXYqCZ.exe	2024-12-27_e4cac74f43a9f73cc0728d38482d171e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vjQTguH.exe	2024-12-27_e4cac74f43a9f73cc0728d38482d171e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ockGmaS.exe	2024-12-27_e4cac74f43a9f73cc0728d38482d171e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\forvRwY.exe	2024-12-27_e4cac74f43a9f73cc0728d38482d171e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gpWEqBN.exe	2024-12-27_e4cac74f43a9f73cc0728d38482d171e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XFTlNAg.exe	2024-12-27_e4cac74f43a9f73cc0728d38482d171e_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1132	2024-12-27_e4cac74f43a9f73cc0728d38482d171e_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	1132	2024-12-27_e4cac74f43a9f73cc0728d38482d171e_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1132 wrote to memory of 3284	1132	2024-12-27_e4cac74f43a9f73cc0728d38482d171e_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 1132 wrote to memory of 3284	1132	2024-12-27_e4cac74f43a9f73cc0728d38482d171e_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 1132 wrote to memory of 4004	1132	2024-12-27_e4cac74f43a9f73cc0728d38482d171e_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 1132 wrote to memory of 4004	1132	2024-12-27_e4cac74f43a9f73cc0728d38482d171e_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 1132 wrote to memory of 3760	1132	2024-12-27_e4cac74f43a9f73cc0728d38482d171e_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 1132 wrote to memory of 3760	1132	2024-12-27_e4cac74f43a9f73cc0728d38482d171e_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 1132 wrote to memory of 4940	1132	2024-12-27_e4cac74f43a9f73cc0728d38482d171e_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 1132 wrote to memory of 4940	1132	2024-12-27_e4cac74f43a9f73cc0728d38482d171e_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 1132 wrote to memory of 4912	1132	2024-12-27_e4cac74f43a9f73cc0728d38482d171e_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 1132 wrote to memory of 4912	1132	2024-12-27_e4cac74f43a9f73cc0728d38482d171e_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 1132 wrote to memory of 4416	1132	2024-12-27_e4cac74f43a9f73cc0728d38482d171e_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 1132 wrote to memory of 4416	1132	2024-12-27_e4cac74f43a9f73cc0728d38482d171e_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 1132 wrote to memory of 3300	1132	2024-12-27_e4cac74f43a9f73cc0728d38482d171e_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 1132 wrote to memory of 3300	1132	2024-12-27_e4cac74f43a9f73cc0728d38482d171e_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 1132 wrote to memory of 4460	1132	2024-12-27_e4cac74f43a9f73cc0728d38482d171e_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1132 wrote to memory of 4460	1132	2024-12-27_e4cac74f43a9f73cc0728d38482d171e_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1132 wrote to memory of 2888	1132	2024-12-27_e4cac74f43a9f73cc0728d38482d171e_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1132 wrote to memory of 2888	1132	2024-12-27_e4cac74f43a9f73cc0728d38482d171e_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1132 wrote to memory of 1688	1132	2024-12-27_e4cac74f43a9f73cc0728d38482d171e_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1132 wrote to memory of 1688	1132	2024-12-27_e4cac74f43a9f73cc0728d38482d171e_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1132 wrote to memory of 1580	1132	2024-12-27_e4cac74f43a9f73cc0728d38482d171e_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1132 wrote to memory of 1580	1132	2024-12-27_e4cac74f43a9f73cc0728d38482d171e_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1132 wrote to memory of 4012	1132	2024-12-27_e4cac74f43a9f73cc0728d38482d171e_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1132 wrote to memory of 4012	1132	2024-12-27_e4cac74f43a9f73cc0728d38482d171e_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1132 wrote to memory of 1220	1132	2024-12-27_e4cac74f43a9f73cc0728d38482d171e_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1132 wrote to memory of 1220	1132	2024-12-27_e4cac74f43a9f73cc0728d38482d171e_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1132 wrote to memory of 552	1132	2024-12-27_e4cac74f43a9f73cc0728d38482d171e_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 1132 wrote to memory of 552	1132	2024-12-27_e4cac74f43a9f73cc0728d38482d171e_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 1132 wrote to memory of 3664	1132	2024-12-27_e4cac74f43a9f73cc0728d38482d171e_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1132 wrote to memory of 3664	1132	2024-12-27_e4cac74f43a9f73cc0728d38482d171e_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1132 wrote to memory of 2008	1132	2024-12-27_e4cac74f43a9f73cc0728d38482d171e_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1132 wrote to memory of 2008	1132	2024-12-27_e4cac74f43a9f73cc0728d38482d171e_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1132 wrote to memory of 2728	1132	2024-12-27_e4cac74f43a9f73cc0728d38482d171e_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1132 wrote to memory of 2728	1132	2024-12-27_e4cac74f43a9f73cc0728d38482d171e_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1132 wrote to memory of 216	1132	2024-12-27_e4cac74f43a9f73cc0728d38482d171e_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1132 wrote to memory of 216	1132	2024-12-27_e4cac74f43a9f73cc0728d38482d171e_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1132 wrote to memory of 2444	1132	2024-12-27_e4cac74f43a9f73cc0728d38482d171e_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1132 wrote to memory of 2444	1132	2024-12-27_e4cac74f43a9f73cc0728d38482d171e_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1132 wrote to memory of 3688	1132	2024-12-27_e4cac74f43a9f73cc0728d38482d171e_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 1132 wrote to memory of 3688	1132	2024-12-27_e4cac74f43a9f73cc0728d38482d171e_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 1132 wrote to memory of 4228	1132	2024-12-27_e4cac74f43a9f73cc0728d38482d171e_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 1132 wrote to memory of 4228	1132	2024-12-27_e4cac74f43a9f73cc0728d38482d171e_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-12-27_e4cac74f43a9f73cc0728d38482d171e_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-27_e4cac74f43a9f73cc0728d38482d171e_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1132
- C:\Windows\System\eJEHrip.exe
  C:\Windows\System\eJEHrip.exe
  2⤵
  - Executes dropped EXE
  PID:3284
- C:\Windows\System\IrnsTJM.exe
  C:\Windows\System\IrnsTJM.exe
  2⤵
  - Executes dropped EXE
  PID:4004
- C:\Windows\System\MhruhmP.exe
  C:\Windows\System\MhruhmP.exe
  2⤵
  - Executes dropped EXE
  PID:3760
- C:\Windows\System\EgFEwsa.exe
  C:\Windows\System\EgFEwsa.exe
  2⤵
  - Executes dropped EXE
  PID:4940
- C:\Windows\System\uoXYqCZ.exe
  C:\Windows\System\uoXYqCZ.exe
  2⤵
  - Executes dropped EXE
  PID:4912
- C:\Windows\System\HDBrLpi.exe
  C:\Windows\System\HDBrLpi.exe
  2⤵
  - Executes dropped EXE
  PID:4416
- C:\Windows\System\XDQPcbM.exe
  C:\Windows\System\XDQPcbM.exe
  2⤵
  - Executes dropped EXE
  PID:3300
- C:\Windows\System\tEnohqm.exe
  C:\Windows\System\tEnohqm.exe
  2⤵
  - Executes dropped EXE
  PID:4460
- C:\Windows\System\xGGfMvv.exe
  C:\Windows\System\xGGfMvv.exe
  2⤵
  - Executes dropped EXE
  PID:2888
- C:\Windows\System\vjQTguH.exe
  C:\Windows\System\vjQTguH.exe
  2⤵
  - Executes dropped EXE
  PID:1688
- C:\Windows\System\eMIMRpT.exe
  C:\Windows\System\eMIMRpT.exe
  2⤵
  - Executes dropped EXE
  PID:1580
- C:\Windows\System\msvfZUD.exe
  C:\Windows\System\msvfZUD.exe
  2⤵
  - Executes dropped EXE
  PID:4012
- C:\Windows\System\WNrxfsf.exe
  C:\Windows\System\WNrxfsf.exe
  2⤵
  - Executes dropped EXE
  PID:1220
- C:\Windows\System\ockGmaS.exe
  C:\Windows\System\ockGmaS.exe
  2⤵
  - Executes dropped EXE
  PID:552
- C:\Windows\System\dnVrKJU.exe
  C:\Windows\System\dnVrKJU.exe
  2⤵
  - Executes dropped EXE
  PID:3664
- C:\Windows\System\hNeAksz.exe
  C:\Windows\System\hNeAksz.exe
  2⤵
  - Executes dropped EXE
  PID:2008
- C:\Windows\System\uTBgdLW.exe
  C:\Windows\System\uTBgdLW.exe
  2⤵
  - Executes dropped EXE
  PID:2728
- C:\Windows\System\forvRwY.exe
  C:\Windows\System\forvRwY.exe
  2⤵
  - Executes dropped EXE
  PID:216
- C:\Windows\System\gpWEqBN.exe
  C:\Windows\System\gpWEqBN.exe
  2⤵
  - Executes dropped EXE
  PID:2444
- C:\Windows\System\XFTlNAg.exe
  C:\Windows\System\XFTlNAg.exe
  2⤵
  - Executes dropped EXE
  PID:3688
- C:\Windows\System\CnfybRX.exe
  C:\Windows\System\CnfybRX.exe
  2⤵
  - Executes dropped EXE
  PID:4228

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\CnfybRX.exe

Filesize
5.2MB

MD5
db2557646ed080ccfc65aeac893b1ceb

SHA1
38ea8efc767241269c825ca02d0770f9238f8244

SHA256
4f0e18854259c14234287a8c832b28243e7567506af04085a677432c0d42d9b3

SHA512
4971793232bbf18231495b80bbf8a206de25e78ae7780b614ac9cb921acf2a353212e3ede24409dd233a57f8dd2acab8bcbdcfbf5b55e5a64e5c43eb8c66d93b

Download Submit
C:\Windows\System\EgFEwsa.exe

Filesize
5.2MB

MD5
2a4e44faab7c950b5bb6117b5042d23c

SHA1
2643e8924ce03a2494afc03a20538ae9ba7ad5a8

SHA256
162e467ba90edc213fa797a9e08a0ab1a885d302d66efff68eec14867d0f8fa8

SHA512
e8a43e49055c28967711822ad5c585a51a17f8aa381a01b864d93250bda130cbcefccc49420fed71067394c5b30803299ac0926da9fcdd416eff991f913c3bcc

Download Submit
C:\Windows\System\HDBrLpi.exe

Filesize
5.2MB

MD5
d048a5dd7b73796e1df4a8eee258a286

SHA1
c4d46808e8154cec83324d6c8531c5fa8eb06d99

SHA256
db0334d777af55c260ac57589e3aa89d91fa4e700a1edec179d5ca6aece40e3f

SHA512
c2a39cf9cf0ab5d7d2dfda1d3e398cd2ac5922ccdcefbcbf70b8cfd76616f7390915f25088cd886eee229578f0f773dd354e22338966f781c581ee958c49e875

Download Submit
C:\Windows\System\IrnsTJM.exe

Filesize
5.2MB

MD5
4120a7b280257e4c800db61de68ba307

SHA1
764b7a8e3ef93533b0c46ef8badb56f89cf5900f

SHA256
d47e1c205128b66469a55b0396c353f8e0aa6773c5653611e14dd405de7f3990

SHA512
cf04d35269b0e22295804c13e7189e4a4035f2a88c534409ed3c7bc34460da1ebc7985014f6601712d96dc95f4c86418b9961116f6fb3dda31299c3ab03824b2

Download Submit
C:\Windows\System\MhruhmP.exe

Filesize
5.2MB

MD5
7fdb45446c98ebddd704953333814608

SHA1
3958f4a83647a746dff3403ea943ecc2d7bd1b19

SHA256
03f6e754d29c858bb958b3c770b257511c84ff692ce68a438a87ff17d484997f

SHA512
75a02e2687e15f7cc2d90e1892a30b55f90edf9ee65c0ae403dd409e2cc0672b2b5f14328b7f4fac317f684e4e0ed5900c326088cbb02efee472e58553d8c559

Download Submit
C:\Windows\System\WNrxfsf.exe

Filesize
5.2MB

MD5
651d96534f366adbb684d01c8e5c61b5

SHA1
a6f668d616246b5a26541d976226443dd9db3d32

SHA256
19ee933562991e3917d0d151773a78361f2df8875edda876be5002d2f115c33d

SHA512
47f2639154dcd716cf2cd66d2e3e2e5be7c347c57b27c2216832eca0566383024992aaa0a0d66c2892cd05a5acf5734c3fdfd87af90d5071af6aba697a487fcd

Download Submit
C:\Windows\System\XDQPcbM.exe

Filesize
5.2MB

MD5
cf147f93dee86923560dbf908ec0f819

SHA1
8d95fd3581397d306abe389a154706b6228cf527

SHA256
c0b457874f04e6af6259e06cff8685afc8778540ecbbde6c7b173c8dce912f84

SHA512
14de96b9fbe76e78159173ab855d3d001516a5a6e8556d1e5010cc4c820a5334a5092c47c3f8ba98d60b0ee0802dd92e58669ec79f2a05fba11b13073ce10efc

Download Submit
C:\Windows\System\XFTlNAg.exe

Filesize
5.2MB

MD5
285a8ba24b40bb6522d276d8f32aa0bb

SHA1
2053dc0d318cce74e4c993c3a00ae8410beb7753

SHA256
d1185be62cba5b52d26e4aa585bcc86469b29cee36421a65b21e3245716c9bd2

SHA512
504480f75a756c567c2d444004dbf89f5b5c63ecac50aba7f67af5e570f76fb8f3b375ae176d715a88dca8df0905aea34276fb96913ba991e91b396f7f5f4b49

Download Submit
C:\Windows\System\dnVrKJU.exe

Filesize
5.2MB

MD5
7ea7fd6f69c1f6f869b9beb4b801eab6

SHA1
d1b17a1b635710ea8d634e24877270aec4d24169

SHA256
52fb878aec1905cae90e849642c7911a76247d4bad4f95610947f7b042d0dfeb

SHA512
115494eb787cd65a7dddb97b203d4518aca81effb46cf2408de9c9d69e0d75040da8735e150e0569204222c3852aa6dca7dec58ad542d992fec320294e922117

Download Submit
C:\Windows\System\eJEHrip.exe

Filesize
5.2MB

MD5
85a21cf891e89b5f72cd59810a4d839a

SHA1
0903a5822afd54819871d1b2cd045c774eacb921

SHA256
d5c81a7fba153a6e9efa2691ee776c8fcb46536f48b9894c15c11a8436d2769c

SHA512
b3a736b26be10b70bf0598377f47817fb3d1cbdefd0f5871ac299f88cd763ecb703e20a33e6ae0f72bc52c3de0cf5b1529055a09e52d4e6a6e9e1622de19dc09

Download Submit
C:\Windows\System\eMIMRpT.exe

Filesize
5.2MB

MD5
81f2f16a06e41a90c8dffd2d69ef3c4c

SHA1
d705942a89990f658bb094eb7c7cfaada260ee07

SHA256
b6039c3fc1b8cb6cfa9246a4db93f3a73ad5978c2b240d7466da649c5483bbb6

SHA512
42b0beb23b4a9713d703b94253de411c5e96a31b0f3e0aa6e3b71aaa6069ce71dfac573bf6ee9980cdf63d7ef7ce8af9ef9072dfebbc4d1c0f29d25566c6ae89

Download Submit
C:\Windows\System\forvRwY.exe

Filesize
5.2MB

MD5
ce7a91985bd1cb824d105afea88082e1

SHA1
473fc69fbeb093504a950b8ea868f038077801d6

SHA256
46eeafb20e529d2edec05101734221a41198b36f49fc9fefd293365bb769a6cc

SHA512
bf288866fd8408fd0e3b1856d905a87bd4927bee6fae5d2d7f87418dbb858f1b31458d30e1e6b037779e690c771826864e02e66ea39f7ea467503cee7edf0a72

Download Submit
C:\Windows\System\gpWEqBN.exe

Filesize
5.2MB

MD5
874c96ced2a23bac023ffe1e81d9432a

SHA1
fcf16b3e284e7daa3ab461f9980124947f90d9ac

SHA256
2668e580dcace1b0e0287215379f0168b002abb2a0a52bacdd27e784228625c1

SHA512
f92434c79783b63ef0ea45761bf7e81f2f84fb9f454c84ad6f2656ebd9c660df9b5ed5e14264f12f1b68c58f21116a6870b36233eb4b029a46e39d68823c7d59

Download Submit
C:\Windows\System\hNeAksz.exe

Filesize
5.2MB

MD5
d70f4c94a099ec5d0b0008d01ff40ead

SHA1
f3bfd4a907b778ca9fa923437365854556ce6b35

SHA256
aeeb0366b4513cfbc3e534716ffbe52589108ece53c42c0c67d9568c465d510b

SHA512
163cc9c1ed5cf02dc7f25019248ad8cea9360d1cbe8417adde28e85e4d762788ca6caaabc6d2298dbe13578ca0815774d6ea2527e1aea3a67d1e3898aa06c7b1

Download Submit
C:\Windows\System\msvfZUD.exe

Filesize
5.2MB

MD5
1ae305d4fdfadf104ce1de8a5d48b61b

SHA1
36650bb3ecf8ca4bcaf532e133c07335b8d4eaa5

SHA256
79caacb16f4a760fe1dc57bb9a6f6e753d0d437dee074375327a7e082683c44b

SHA512
b43f60ba0d7cf92a13b6651b2810cb3e2a80fddeaeed850c2a05260fcd919349641fc1c70f1b978a0982d7e487f69f1c13fa0a0aa862cdd1eaeb18772c4d568d

Download Submit
C:\Windows\System\ockGmaS.exe

Filesize
5.2MB

MD5
e7c4dafa10492b172a4aca04d0f56ef0

SHA1
f69c823bf268fc5e7f7d7b683366116b77d99cf6

SHA256
556e0df799d05549b37e4d98117fe6cabbacd1d132e646e978e343fb4dde3f1c

SHA512
5957f10e326baa99262d0aad5c7f13547ba52aaa66e66cd9c006ebce7d7957471092c17810317d404eb6ad7ab349eefde8033a6ac320a45f946151ae9c3b7160

Download Submit
C:\Windows\System\tEnohqm.exe

Filesize
5.2MB

MD5
cde8bb45e98a546df3084321dedc07fe

SHA1
1022301d06c1e6d942b463e1c0c2267a5b839be9

SHA256
ff5ef2ac241374565f50c18bf31d582597e3f2443109a17b7ea0d755aab7bc1b

SHA512
a1ded33485f89e93b21c08371075e77962e00ca08059d6e57ee6a9004539c9088a1e7e6b88b7d380ba1c0c9fc51c72d220a8c453df53d65dcfd4711a0a647c0e

Download Submit
C:\Windows\System\uTBgdLW.exe

Filesize
5.2MB

MD5
a1623859284fc7f70e00ae6014c32e4c

SHA1
eef863607fca6b18b5dd035bd9d215f6ad5cf789

SHA256
c5fd00fa37c4ec67dabd9352dc9f67a79e2ee3e71f9e653031accb13c6634b3d

SHA512
02eead93848236b04fcb358b360f64bf56d62e1f74688e2504189e8984763ded25cf6d1e4198a28d33710dffaac5258bb44137c660612fca723f46c3bbbfaaf1

Download Submit
C:\Windows\System\uoXYqCZ.exe

Filesize
5.2MB

MD5
d6070a26b22699c71b82995f3c079024

SHA1
3c64cb62b6ba76d5f383d91c128d7a46bd431bc1

SHA256
0815baa4849cee8b7d883580d22590ea54e0cba3e2fccc7d7a85eee5f03c0abd

SHA512
a961a027ea25b6df93cca96ebda3824e011301a24ed80732d30e587a27e47d93477973f254af9acc57602b4d1050000fdb7f5ccb57c8c84c1b57273d217816e5

Download Submit
C:\Windows\System\vjQTguH.exe

Filesize
5.2MB

MD5
5cb3f6755df3a06d64fd1450d8bb286f

SHA1
a61672f51c7184f0e04e042f7065ffc4a1b6b3fd

SHA256
68ea6b56e3c12be137a034215207e9179f9b654733c97972a88d32e1364f066e

SHA512
6bdaca828c0afb47e55cd729d898a321e6e2191578893b9ee3e26d38919b948f299629ac802f709b7faa227dc06f73c3453f4b698994803b84452ed0d2f4319f

Download Submit
C:\Windows\System\xGGfMvv.exe

Filesize
5.2MB

MD5
7f0b6e3e4d4ebaf7abff4adce919347d

SHA1
47a9def767c4422e0cecb26a2754e6665c03d8e5

SHA256
084a16373c482a3197bf7403923051593c6950e363ae256e2aa057a85ec263b1

SHA512
c480ce62cd52ec19f38ce44e09b5672b730b6c39b5222c5e87aec8e5bd13d37ffca1298b2408119f94b86baf1f7392f8a84e11d57c8d32be02185e8c7d43d28f

Download Submit
memory/216-159-0x00007FF7653A0000-0x00007FF7656F1000-memory.dmp

Filesize
3.3MB

Download
memory/216-133-0x00007FF7653A0000-0x00007FF7656F1000-memory.dmp

Filesize
3.3MB

Download
memory/216-264-0x00007FF7653A0000-0x00007FF7656F1000-memory.dmp

Filesize
3.3MB

Download
memory/552-101-0x00007FF625470000-0x00007FF6257C1000-memory.dmp

Filesize
3.3MB

Download
memory/552-253-0x00007FF625470000-0x00007FF6257C1000-memory.dmp

Filesize
3.3MB

Download
memory/1132-134-0x00007FF7E9AC0000-0x00007FF7E9E11000-memory.dmp

Filesize
3.3MB

Download
memory/1132-68-0x00007FF7E9AC0000-0x00007FF7E9E11000-memory.dmp

Filesize
3.3MB

Download
memory/1132-0-0x00007FF7E9AC0000-0x00007FF7E9E11000-memory.dmp

Filesize
3.3MB

Download
memory/1132-163-0x00007FF7E9AC0000-0x00007FF7E9E11000-memory.dmp

Filesize
3.3MB

Download
memory/1132-1-0x000002107F7E0000-0x000002107F7F0000-memory.dmp

Filesize
64KB

Download
memory/1220-153-0x00007FF6679D0000-0x00007FF667D21000-memory.dmp

Filesize
3.3MB

Download
memory/1220-84-0x00007FF6679D0000-0x00007FF667D21000-memory.dmp

Filesize
3.3MB

Download
memory/1220-251-0x00007FF6679D0000-0x00007FF667D21000-memory.dmp

Filesize
3.3MB

Download
memory/1580-69-0x00007FF74F450000-0x00007FF74F7A1000-memory.dmp

Filesize
3.3MB

Download
memory/1580-241-0x00007FF74F450000-0x00007FF74F7A1000-memory.dmp

Filesize
3.3MB

Download
memory/1688-60-0x00007FF66BE80000-0x00007FF66C1D1000-memory.dmp

Filesize
3.3MB

Download
memory/1688-238-0x00007FF66BE80000-0x00007FF66C1D1000-memory.dmp

Filesize
3.3MB

Download
memory/1688-147-0x00007FF66BE80000-0x00007FF66C1D1000-memory.dmp

Filesize
3.3MB

Download
memory/2008-157-0x00007FF7B4690000-0x00007FF7B49E1000-memory.dmp

Filesize
3.3MB

Download
memory/2008-259-0x00007FF7B4690000-0x00007FF7B49E1000-memory.dmp

Filesize
3.3MB

Download
memory/2008-106-0x00007FF7B4690000-0x00007FF7B49E1000-memory.dmp

Filesize
3.3MB

Download
memory/2444-266-0x00007FF688EF0000-0x00007FF689241000-memory.dmp

Filesize
3.3MB

Download
memory/2444-138-0x00007FF688EF0000-0x00007FF689241000-memory.dmp

Filesize
3.3MB

Download
memory/2728-109-0x00007FF662960000-0x00007FF662CB1000-memory.dmp

Filesize
3.3MB

Download
memory/2728-158-0x00007FF662960000-0x00007FF662CB1000-memory.dmp

Filesize
3.3MB

Download
memory/2728-257-0x00007FF662960000-0x00007FF662CB1000-memory.dmp

Filesize
3.3MB

Download
memory/2888-236-0x00007FF63A0E0000-0x00007FF63A431000-memory.dmp

Filesize
3.3MB

Download
memory/2888-54-0x00007FF63A0E0000-0x00007FF63A431000-memory.dmp

Filesize
3.3MB

Download
memory/2888-137-0x00007FF63A0E0000-0x00007FF63A431000-memory.dmp

Filesize
3.3MB

Download
memory/3284-73-0x00007FF608E70000-0x00007FF6091C1000-memory.dmp

Filesize
3.3MB

Download
memory/3284-8-0x00007FF608E70000-0x00007FF6091C1000-memory.dmp

Filesize
3.3MB

Download
memory/3284-217-0x00007FF608E70000-0x00007FF6091C1000-memory.dmp

Filesize
3.3MB

Download
memory/3300-108-0x00007FF7C6A00000-0x00007FF7C6D51000-memory.dmp

Filesize
3.3MB

Download
memory/3300-42-0x00007FF7C6A00000-0x00007FF7C6D51000-memory.dmp

Filesize
3.3MB

Download
memory/3300-229-0x00007FF7C6A00000-0x00007FF7C6D51000-memory.dmp

Filesize
3.3MB

Download
memory/3664-255-0x00007FF668F20000-0x00007FF669271000-memory.dmp

Filesize
3.3MB

Download
memory/3664-105-0x00007FF668F20000-0x00007FF669271000-memory.dmp

Filesize
3.3MB

Download
memory/3688-135-0x00007FF64BAD0000-0x00007FF64BE21000-memory.dmp

Filesize
3.3MB

Download
memory/3688-268-0x00007FF64BAD0000-0x00007FF64BE21000-memory.dmp

Filesize
3.3MB

Download
memory/3760-22-0x00007FF730B90000-0x00007FF730EE1000-memory.dmp

Filesize
3.3MB

Download
memory/3760-86-0x00007FF730B90000-0x00007FF730EE1000-memory.dmp

Filesize
3.3MB

Download
memory/3760-221-0x00007FF730B90000-0x00007FF730EE1000-memory.dmp

Filesize
3.3MB

Download
memory/4004-80-0x00007FF7324C0000-0x00007FF732811000-memory.dmp

Filesize
3.3MB

Download
memory/4004-14-0x00007FF7324C0000-0x00007FF732811000-memory.dmp

Filesize
3.3MB

Download
memory/4004-219-0x00007FF7324C0000-0x00007FF732811000-memory.dmp

Filesize
3.3MB

Download
memory/4012-74-0x00007FF6A0100000-0x00007FF6A0451000-memory.dmp

Filesize
3.3MB

Download
memory/4012-249-0x00007FF6A0100000-0x00007FF6A0451000-memory.dmp

Filesize
3.3MB

Download
memory/4012-148-0x00007FF6A0100000-0x00007FF6A0451000-memory.dmp

Filesize
3.3MB

Download
memory/4228-270-0x00007FF761F10000-0x00007FF762261000-memory.dmp

Filesize
3.3MB

Download
memory/4228-136-0x00007FF761F10000-0x00007FF762261000-memory.dmp

Filesize
3.3MB

Download
memory/4416-38-0x00007FF788E50000-0x00007FF7891A1000-memory.dmp

Filesize
3.3MB

Download
memory/4416-89-0x00007FF788E50000-0x00007FF7891A1000-memory.dmp

Filesize
3.3MB

Download
memory/4416-225-0x00007FF788E50000-0x00007FF7891A1000-memory.dmp

Filesize
3.3MB

Download
memory/4460-234-0x00007FF6DD1A0000-0x00007FF6DD4F1000-memory.dmp

Filesize
3.3MB

Download
memory/4460-50-0x00007FF6DD1A0000-0x00007FF6DD4F1000-memory.dmp

Filesize
3.3MB

Download
memory/4460-116-0x00007FF6DD1A0000-0x00007FF6DD4F1000-memory.dmp

Filesize
3.3MB

Download
memory/4912-31-0x00007FF79F7A0000-0x00007FF79FAF1000-memory.dmp

Filesize
3.3MB

Download
memory/4912-227-0x00007FF79F7A0000-0x00007FF79FAF1000-memory.dmp

Filesize
3.3MB

Download
memory/4912-103-0x00007FF79F7A0000-0x00007FF79FAF1000-memory.dmp

Filesize
3.3MB

Download
memory/4940-30-0x00007FF6838B0000-0x00007FF683C01000-memory.dmp

Filesize
3.3MB

Download
memory/4940-223-0x00007FF6838B0000-0x00007FF683C01000-memory.dmp

Filesize
3.3MB

Download
memory/4940-102-0x00007FF6838B0000-0x00007FF683C01000-memory.dmp

Filesize
3.3MB

Download