cobaltstrike | 21470d3aeb8879e0587b3993317b6fb3dd79a636ec54bc5846b5dc95558b2d98

Analysis

max time kernel
141s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31-12-2024 01:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-31_befbfd2feb53d51e9b769e906bde1f90_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

befbfd2feb53d51e9b769e906bde1f90
SHA1

733c0c3b3e85d8e4709b778ecf758ec45727a75e
SHA256

21470d3aeb8879e0587b3993317b6fb3dd79a636ec54bc5846b5dc95558b2d98
SHA512

8171a9d6ab33e4c990d3a89ccf8835609cd2b991d771e4d873958a19bcbed50a08a317f5d9f234e799e8b34c371312fe8392e83cff83bad34b4b325a8d2d9b82
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lC:RWWBibf56utgpPFotBER/mQ32lUe

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000a000000023c58-4.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c73-8.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c72-13.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c75-24.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c76-35.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c78-52.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c7d-77.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023c66-83.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c7e-95.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c7f-99.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c7c-75.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c77-59.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c7b-58.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c7a-69.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c79-49.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c74-26.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c80-106.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c83-121.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c84-133.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c85-134.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c82-117.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 46 IoCs

miner

resource	yara_rule
behavioral2/memory/5064-68-0x00007FF728770000-0x00007FF728AC1000-memory.dmp	xmrig
behavioral2/memory/3928-97-0x00007FF7A4F10000-0x00007FF7A5261000-memory.dmp	xmrig
behavioral2/memory/3888-94-0x00007FF632B70000-0x00007FF632EC1000-memory.dmp	xmrig
behavioral2/memory/2648-93-0x00007FF716A10000-0x00007FF716D61000-memory.dmp	xmrig
behavioral2/memory/184-92-0x00007FF6F5880000-0x00007FF6F5BD1000-memory.dmp	xmrig
behavioral2/memory/4692-66-0x00007FF723690000-0x00007FF7239E1000-memory.dmp	xmrig
behavioral2/memory/4112-65-0x00007FF6D46A0000-0x00007FF6D49F1000-memory.dmp	xmrig
behavioral2/memory/4080-27-0x00007FF790190000-0x00007FF7904E1000-memory.dmp	xmrig
behavioral2/memory/4476-103-0x00007FF733B50000-0x00007FF733EA1000-memory.dmp	xmrig
behavioral2/memory/4336-101-0x00007FF6C1920000-0x00007FF6C1C71000-memory.dmp	xmrig
behavioral2/memory/2972-107-0x00007FF71F7A0000-0x00007FF71FAF1000-memory.dmp	xmrig
behavioral2/memory/264-114-0x00007FF6AED30000-0x00007FF6AF081000-memory.dmp	xmrig
behavioral2/memory/1640-130-0x00007FF785410000-0x00007FF785761000-memory.dmp	xmrig
behavioral2/memory/5060-129-0x00007FF75F070000-0x00007FF75F3C1000-memory.dmp	xmrig
behavioral2/memory/4112-115-0x00007FF6D46A0000-0x00007FF6D49F1000-memory.dmp	xmrig
behavioral2/memory/2848-137-0x00007FF714090000-0x00007FF7143E1000-memory.dmp	xmrig
behavioral2/memory/4100-138-0x00007FF622A10000-0x00007FF622D61000-memory.dmp	xmrig
behavioral2/memory/3484-139-0x00007FF69C3C0000-0x00007FF69C711000-memory.dmp	xmrig
behavioral2/memory/184-140-0x00007FF6F5880000-0x00007FF6F5BD1000-memory.dmp	xmrig
behavioral2/memory/1552-146-0x00007FF6257D0000-0x00007FF625B21000-memory.dmp	xmrig
behavioral2/memory/3464-158-0x00007FF65CC30000-0x00007FF65CF81000-memory.dmp	xmrig
behavioral2/memory/4508-159-0x00007FF67FF80000-0x00007FF6802D1000-memory.dmp	xmrig
behavioral2/memory/1164-163-0x00007FF7BC680000-0x00007FF7BC9D1000-memory.dmp	xmrig
behavioral2/memory/3148-166-0x00007FF759F00000-0x00007FF75A251000-memory.dmp	xmrig
behavioral2/memory/184-167-0x00007FF6F5880000-0x00007FF6F5BD1000-memory.dmp	xmrig
behavioral2/memory/2648-224-0x00007FF716A10000-0x00007FF716D61000-memory.dmp	xmrig
behavioral2/memory/4080-226-0x00007FF790190000-0x00007FF7904E1000-memory.dmp	xmrig
behavioral2/memory/3888-228-0x00007FF632B70000-0x00007FF632EC1000-memory.dmp	xmrig
behavioral2/memory/4336-230-0x00007FF6C1920000-0x00007FF6C1C71000-memory.dmp	xmrig
behavioral2/memory/4476-232-0x00007FF733B50000-0x00007FF733EA1000-memory.dmp	xmrig
behavioral2/memory/264-239-0x00007FF6AED30000-0x00007FF6AF081000-memory.dmp	xmrig
behavioral2/memory/4112-241-0x00007FF6D46A0000-0x00007FF6D49F1000-memory.dmp	xmrig
behavioral2/memory/2972-245-0x00007FF71F7A0000-0x00007FF71FAF1000-memory.dmp	xmrig
behavioral2/memory/5064-247-0x00007FF728770000-0x00007FF728AC1000-memory.dmp	xmrig
behavioral2/memory/4692-244-0x00007FF723690000-0x00007FF7239E1000-memory.dmp	xmrig
behavioral2/memory/5060-249-0x00007FF75F070000-0x00007FF75F3C1000-memory.dmp	xmrig
behavioral2/memory/2848-251-0x00007FF714090000-0x00007FF7143E1000-memory.dmp	xmrig
behavioral2/memory/4100-253-0x00007FF622A10000-0x00007FF622D61000-memory.dmp	xmrig
behavioral2/memory/3484-255-0x00007FF69C3C0000-0x00007FF69C711000-memory.dmp	xmrig
behavioral2/memory/3928-257-0x00007FF7A4F10000-0x00007FF7A5261000-memory.dmp	xmrig
behavioral2/memory/1552-259-0x00007FF6257D0000-0x00007FF625B21000-memory.dmp	xmrig
behavioral2/memory/3464-266-0x00007FF65CC30000-0x00007FF65CF81000-memory.dmp	xmrig
behavioral2/memory/4508-268-0x00007FF67FF80000-0x00007FF6802D1000-memory.dmp	xmrig
behavioral2/memory/1640-270-0x00007FF785410000-0x00007FF785761000-memory.dmp	xmrig
behavioral2/memory/3148-272-0x00007FF759F00000-0x00007FF75A251000-memory.dmp	xmrig
behavioral2/memory/1164-274-0x00007FF7BC680000-0x00007FF7BC9D1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2648	IdTlsNV.exe
4080	FbmfpfD.exe
3888	egvTZvY.exe
4336	ZGCIvxx.exe
4476	GfsLPMl.exe
2972	hQCAGMc.exe
264	rOIVNvw.exe
5064	xSPGtCk.exe
4112	oGloxQt.exe
5060	hgUFRbQ.exe
4692	rPiMAyO.exe
2848	CbfFkvn.exe
4100	iZbSwwg.exe
3484	LykdPYT.exe
3928	GMPbPFU.exe
1552	amcufyo.exe
3464	EYFZJdu.exe
4508	xTpJVgK.exe
1640	TDCAqSJ.exe
3148	mUmIjJY.exe
1164	RlMaXsy.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/184-0-0x00007FF6F5880000-0x00007FF6F5BD1000-memory.dmp	upx
behavioral2/files/0x000a000000023c58-4.dat	upx
behavioral2/files/0x0007000000023c73-8.dat	upx
behavioral2/files/0x0007000000023c72-13.dat	upx
behavioral2/memory/2648-14-0x00007FF716A10000-0x00007FF716D61000-memory.dmp	upx
behavioral2/memory/3888-20-0x00007FF632B70000-0x00007FF632EC1000-memory.dmp	upx
behavioral2/files/0x0007000000023c75-24.dat	upx
behavioral2/memory/4336-29-0x00007FF6C1920000-0x00007FF6C1C71000-memory.dmp	upx
behavioral2/files/0x0007000000023c76-35.dat	upx
behavioral2/memory/2972-41-0x00007FF71F7A0000-0x00007FF71FAF1000-memory.dmp	upx
behavioral2/files/0x0007000000023c78-52.dat	upx
behavioral2/memory/5064-68-0x00007FF728770000-0x00007FF728AC1000-memory.dmp	upx
behavioral2/memory/5060-71-0x00007FF75F070000-0x00007FF75F3C1000-memory.dmp	upx
behavioral2/files/0x0007000000023c7d-77.dat	upx
behavioral2/files/0x000b000000023c66-83.dat	upx
behavioral2/files/0x0007000000023c7e-95.dat	upx
behavioral2/files/0x0007000000023c7f-99.dat	upx
behavioral2/memory/1552-98-0x00007FF6257D0000-0x00007FF625B21000-memory.dmp	upx
behavioral2/memory/3928-97-0x00007FF7A4F10000-0x00007FF7A5261000-memory.dmp	upx
behavioral2/memory/3888-94-0x00007FF632B70000-0x00007FF632EC1000-memory.dmp	upx
behavioral2/memory/2648-93-0x00007FF716A10000-0x00007FF716D61000-memory.dmp	upx
behavioral2/memory/184-92-0x00007FF6F5880000-0x00007FF6F5BD1000-memory.dmp	upx
behavioral2/memory/3484-86-0x00007FF69C3C0000-0x00007FF69C711000-memory.dmp	upx
behavioral2/memory/4100-78-0x00007FF622A10000-0x00007FF622D61000-memory.dmp	upx
behavioral2/files/0x0007000000023c7c-75.dat	upx
behavioral2/memory/2848-72-0x00007FF714090000-0x00007FF7143E1000-memory.dmp	upx
behavioral2/memory/4692-66-0x00007FF723690000-0x00007FF7239E1000-memory.dmp	upx
behavioral2/memory/4112-65-0x00007FF6D46A0000-0x00007FF6D49F1000-memory.dmp	upx
behavioral2/files/0x0007000000023c77-59.dat	upx
behavioral2/files/0x0007000000023c7b-58.dat	upx
behavioral2/files/0x0007000000023c7a-69.dat	upx
behavioral2/memory/264-50-0x00007FF6AED30000-0x00007FF6AF081000-memory.dmp	upx
behavioral2/files/0x0007000000023c79-49.dat	upx
behavioral2/memory/4476-36-0x00007FF733B50000-0x00007FF733EA1000-memory.dmp	upx
behavioral2/memory/4080-27-0x00007FF790190000-0x00007FF7904E1000-memory.dmp	upx
behavioral2/files/0x0007000000023c74-26.dat	upx
behavioral2/memory/4476-103-0x00007FF733B50000-0x00007FF733EA1000-memory.dmp	upx
behavioral2/memory/4336-101-0x00007FF6C1920000-0x00007FF6C1C71000-memory.dmp	upx
behavioral2/files/0x0007000000023c80-106.dat	upx
behavioral2/memory/2972-107-0x00007FF71F7A0000-0x00007FF71FAF1000-memory.dmp	upx
behavioral2/memory/264-114-0x00007FF6AED30000-0x00007FF6AF081000-memory.dmp	upx
behavioral2/files/0x0007000000023c83-121.dat	upx
behavioral2/memory/1164-131-0x00007FF7BC680000-0x00007FF7BC9D1000-memory.dmp	upx
behavioral2/files/0x0007000000023c84-133.dat	upx
behavioral2/files/0x0007000000023c85-134.dat	upx
behavioral2/memory/3148-132-0x00007FF759F00000-0x00007FF75A251000-memory.dmp	upx
behavioral2/memory/1640-130-0x00007FF785410000-0x00007FF785761000-memory.dmp	upx
behavioral2/memory/5060-129-0x00007FF75F070000-0x00007FF75F3C1000-memory.dmp	upx
behavioral2/memory/4112-115-0x00007FF6D46A0000-0x00007FF6D49F1000-memory.dmp	upx
behavioral2/files/0x0007000000023c82-117.dat	upx
behavioral2/memory/4508-116-0x00007FF67FF80000-0x00007FF6802D1000-memory.dmp	upx
behavioral2/memory/3464-108-0x00007FF65CC30000-0x00007FF65CF81000-memory.dmp	upx
behavioral2/memory/2848-137-0x00007FF714090000-0x00007FF7143E1000-memory.dmp	upx
behavioral2/memory/4100-138-0x00007FF622A10000-0x00007FF622D61000-memory.dmp	upx
behavioral2/memory/3484-139-0x00007FF69C3C0000-0x00007FF69C711000-memory.dmp	upx
behavioral2/memory/184-140-0x00007FF6F5880000-0x00007FF6F5BD1000-memory.dmp	upx
behavioral2/memory/1552-146-0x00007FF6257D0000-0x00007FF625B21000-memory.dmp	upx
behavioral2/memory/3464-158-0x00007FF65CC30000-0x00007FF65CF81000-memory.dmp	upx
behavioral2/memory/4508-159-0x00007FF67FF80000-0x00007FF6802D1000-memory.dmp	upx
behavioral2/memory/1164-163-0x00007FF7BC680000-0x00007FF7BC9D1000-memory.dmp	upx
behavioral2/memory/3148-166-0x00007FF759F00000-0x00007FF75A251000-memory.dmp	upx
behavioral2/memory/184-167-0x00007FF6F5880000-0x00007FF6F5BD1000-memory.dmp	upx
behavioral2/memory/2648-224-0x00007FF716A10000-0x00007FF716D61000-memory.dmp	upx
behavioral2/memory/4080-226-0x00007FF790190000-0x00007FF7904E1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\ZGCIvxx.exe	2024-12-31_befbfd2feb53d51e9b769e906bde1f90_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rPiMAyO.exe	2024-12-31_befbfd2feb53d51e9b769e906bde1f90_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\amcufyo.exe	2024-12-31_befbfd2feb53d51e9b769e906bde1f90_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xTpJVgK.exe	2024-12-31_befbfd2feb53d51e9b769e906bde1f90_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CbfFkvn.exe	2024-12-31_befbfd2feb53d51e9b769e906bde1f90_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iZbSwwg.exe	2024-12-31_befbfd2feb53d51e9b769e906bde1f90_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LykdPYT.exe	2024-12-31_befbfd2feb53d51e9b769e906bde1f90_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\egvTZvY.exe	2024-12-31_befbfd2feb53d51e9b769e906bde1f90_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GfsLPMl.exe	2024-12-31_befbfd2feb53d51e9b769e906bde1f90_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xSPGtCk.exe	2024-12-31_befbfd2feb53d51e9b769e906bde1f90_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rOIVNvw.exe	2024-12-31_befbfd2feb53d51e9b769e906bde1f90_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mUmIjJY.exe	2024-12-31_befbfd2feb53d51e9b769e906bde1f90_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RlMaXsy.exe	2024-12-31_befbfd2feb53d51e9b769e906bde1f90_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oGloxQt.exe	2024-12-31_befbfd2feb53d51e9b769e906bde1f90_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hgUFRbQ.exe	2024-12-31_befbfd2feb53d51e9b769e906bde1f90_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GMPbPFU.exe	2024-12-31_befbfd2feb53d51e9b769e906bde1f90_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EYFZJdu.exe	2024-12-31_befbfd2feb53d51e9b769e906bde1f90_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IdTlsNV.exe	2024-12-31_befbfd2feb53d51e9b769e906bde1f90_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FbmfpfD.exe	2024-12-31_befbfd2feb53d51e9b769e906bde1f90_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hQCAGMc.exe	2024-12-31_befbfd2feb53d51e9b769e906bde1f90_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TDCAqSJ.exe	2024-12-31_befbfd2feb53d51e9b769e906bde1f90_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	184	2024-12-31_befbfd2feb53d51e9b769e906bde1f90_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	184	2024-12-31_befbfd2feb53d51e9b769e906bde1f90_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 184 wrote to memory of 2648	184	2024-12-31_befbfd2feb53d51e9b769e906bde1f90_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 184 wrote to memory of 2648	184	2024-12-31_befbfd2feb53d51e9b769e906bde1f90_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 184 wrote to memory of 4080	184	2024-12-31_befbfd2feb53d51e9b769e906bde1f90_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 184 wrote to memory of 4080	184	2024-12-31_befbfd2feb53d51e9b769e906bde1f90_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 184 wrote to memory of 3888	184	2024-12-31_befbfd2feb53d51e9b769e906bde1f90_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 184 wrote to memory of 3888	184	2024-12-31_befbfd2feb53d51e9b769e906bde1f90_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 184 wrote to memory of 4336	184	2024-12-31_befbfd2feb53d51e9b769e906bde1f90_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 184 wrote to memory of 4336	184	2024-12-31_befbfd2feb53d51e9b769e906bde1f90_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 184 wrote to memory of 4476	184	2024-12-31_befbfd2feb53d51e9b769e906bde1f90_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 184 wrote to memory of 4476	184	2024-12-31_befbfd2feb53d51e9b769e906bde1f90_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 184 wrote to memory of 2972	184	2024-12-31_befbfd2feb53d51e9b769e906bde1f90_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 184 wrote to memory of 2972	184	2024-12-31_befbfd2feb53d51e9b769e906bde1f90_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 184 wrote to memory of 5064	184	2024-12-31_befbfd2feb53d51e9b769e906bde1f90_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 184 wrote to memory of 5064	184	2024-12-31_befbfd2feb53d51e9b769e906bde1f90_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 184 wrote to memory of 264	184	2024-12-31_befbfd2feb53d51e9b769e906bde1f90_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 184 wrote to memory of 264	184	2024-12-31_befbfd2feb53d51e9b769e906bde1f90_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 184 wrote to memory of 4112	184	2024-12-31_befbfd2feb53d51e9b769e906bde1f90_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 184 wrote to memory of 4112	184	2024-12-31_befbfd2feb53d51e9b769e906bde1f90_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 184 wrote to memory of 5060	184	2024-12-31_befbfd2feb53d51e9b769e906bde1f90_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 184 wrote to memory of 5060	184	2024-12-31_befbfd2feb53d51e9b769e906bde1f90_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 184 wrote to memory of 4692	184	2024-12-31_befbfd2feb53d51e9b769e906bde1f90_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 184 wrote to memory of 4692	184	2024-12-31_befbfd2feb53d51e9b769e906bde1f90_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 184 wrote to memory of 2848	184	2024-12-31_befbfd2feb53d51e9b769e906bde1f90_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 184 wrote to memory of 2848	184	2024-12-31_befbfd2feb53d51e9b769e906bde1f90_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 184 wrote to memory of 4100	184	2024-12-31_befbfd2feb53d51e9b769e906bde1f90_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 184 wrote to memory of 4100	184	2024-12-31_befbfd2feb53d51e9b769e906bde1f90_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 184 wrote to memory of 3484	184	2024-12-31_befbfd2feb53d51e9b769e906bde1f90_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 184 wrote to memory of 3484	184	2024-12-31_befbfd2feb53d51e9b769e906bde1f90_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 184 wrote to memory of 3928	184	2024-12-31_befbfd2feb53d51e9b769e906bde1f90_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 184 wrote to memory of 3928	184	2024-12-31_befbfd2feb53d51e9b769e906bde1f90_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 184 wrote to memory of 1552	184	2024-12-31_befbfd2feb53d51e9b769e906bde1f90_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 184 wrote to memory of 1552	184	2024-12-31_befbfd2feb53d51e9b769e906bde1f90_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 184 wrote to memory of 3464	184	2024-12-31_befbfd2feb53d51e9b769e906bde1f90_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 184 wrote to memory of 3464	184	2024-12-31_befbfd2feb53d51e9b769e906bde1f90_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 184 wrote to memory of 4508	184	2024-12-31_befbfd2feb53d51e9b769e906bde1f90_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 184 wrote to memory of 4508	184	2024-12-31_befbfd2feb53d51e9b769e906bde1f90_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 184 wrote to memory of 1640	184	2024-12-31_befbfd2feb53d51e9b769e906bde1f90_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 184 wrote to memory of 1640	184	2024-12-31_befbfd2feb53d51e9b769e906bde1f90_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 184 wrote to memory of 3148	184	2024-12-31_befbfd2feb53d51e9b769e906bde1f90_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 184 wrote to memory of 3148	184	2024-12-31_befbfd2feb53d51e9b769e906bde1f90_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 184 wrote to memory of 1164	184	2024-12-31_befbfd2feb53d51e9b769e906bde1f90_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 184 wrote to memory of 1164	184	2024-12-31_befbfd2feb53d51e9b769e906bde1f90_cobalt-strike_cobaltstrike_poet-rat.exe	105

C:\Users\Admin\AppData\Local\Temp\2024-12-31_befbfd2feb53d51e9b769e906bde1f90_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-31_befbfd2feb53d51e9b769e906bde1f90_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:184
- C:\Windows\System\IdTlsNV.exe
  C:\Windows\System\IdTlsNV.exe
  2⤵
  - Executes dropped EXE
  PID:2648
- C:\Windows\System\FbmfpfD.exe
  C:\Windows\System\FbmfpfD.exe
  2⤵
  - Executes dropped EXE
  PID:4080
- C:\Windows\System\egvTZvY.exe
  C:\Windows\System\egvTZvY.exe
  2⤵
  - Executes dropped EXE
  PID:3888
- C:\Windows\System\ZGCIvxx.exe
  C:\Windows\System\ZGCIvxx.exe
  2⤵
  - Executes dropped EXE
  PID:4336
- C:\Windows\System\GfsLPMl.exe
  C:\Windows\System\GfsLPMl.exe
  2⤵
  - Executes dropped EXE
  PID:4476
- C:\Windows\System\hQCAGMc.exe
  C:\Windows\System\hQCAGMc.exe
  2⤵
  - Executes dropped EXE
  PID:2972
- C:\Windows\System\xSPGtCk.exe
  C:\Windows\System\xSPGtCk.exe
  2⤵
  - Executes dropped EXE
  PID:5064
- C:\Windows\System\rOIVNvw.exe
  C:\Windows\System\rOIVNvw.exe
  2⤵
  - Executes dropped EXE
  PID:264
- C:\Windows\System\oGloxQt.exe
  C:\Windows\System\oGloxQt.exe
  2⤵
  - Executes dropped EXE
  PID:4112
- C:\Windows\System\hgUFRbQ.exe
  C:\Windows\System\hgUFRbQ.exe
  2⤵
  - Executes dropped EXE
  PID:5060
- C:\Windows\System\rPiMAyO.exe
  C:\Windows\System\rPiMAyO.exe
  2⤵
  - Executes dropped EXE
  PID:4692
- C:\Windows\System\CbfFkvn.exe
  C:\Windows\System\CbfFkvn.exe
  2⤵
  - Executes dropped EXE
  PID:2848
- C:\Windows\System\iZbSwwg.exe
  C:\Windows\System\iZbSwwg.exe
  2⤵
  - Executes dropped EXE
  PID:4100
- C:\Windows\System\LykdPYT.exe
  C:\Windows\System\LykdPYT.exe
  2⤵
  - Executes dropped EXE
  PID:3484
- C:\Windows\System\GMPbPFU.exe
  C:\Windows\System\GMPbPFU.exe
  2⤵
  - Executes dropped EXE
  PID:3928
- C:\Windows\System\amcufyo.exe
  C:\Windows\System\amcufyo.exe
  2⤵
  - Executes dropped EXE
  PID:1552
- C:\Windows\System\EYFZJdu.exe
  C:\Windows\System\EYFZJdu.exe
  2⤵
  - Executes dropped EXE
  PID:3464
- C:\Windows\System\xTpJVgK.exe
  C:\Windows\System\xTpJVgK.exe
  2⤵
  - Executes dropped EXE
  PID:4508
- C:\Windows\System\TDCAqSJ.exe
  C:\Windows\System\TDCAqSJ.exe
  2⤵
  - Executes dropped EXE
  PID:1640
- C:\Windows\System\mUmIjJY.exe
  C:\Windows\System\mUmIjJY.exe
  2⤵
  - Executes dropped EXE
  PID:3148
- C:\Windows\System\RlMaXsy.exe
  C:\Windows\System\RlMaXsy.exe
  2⤵
  - Executes dropped EXE
  PID:1164

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\CbfFkvn.exe

Filesize
5.2MB

MD5
eb861e616136e0191c4d01003d7caef1

SHA1
a8a8d92667b84941e44f02f0fde77e67873b27b8

SHA256
e24473c06e5b397e478e494edc0260b9638c734aab026ee484921eb2ff597098

SHA512
4f83f010b6dd0fc3890bf8e2929e6e1c8e2e502501d27bb7914c485b5d5435637dcff23321c41dcba296ce8d9bbca3d99924f602e5be8c840239b372d2c9e727

Download Submit
C:\Windows\System\EYFZJdu.exe

Filesize
5.2MB

MD5
d4e1ab17b600302de6b55faf5d8565ec

SHA1
6760ece783ba6827577f8a973720bea188efa52a

SHA256
3ff236979e61822b9382df15ff543b255f936bbf07c74a408a52d17f62a469cf

SHA512
598b921af476965daf254f65066143784b1b6508befa36eca0d4cc8060de0814bd6ecbb97642c765bfe547ad5557d4f348a5ed857354e78091ae8ab30287276a

Download Submit
C:\Windows\System\FbmfpfD.exe

Filesize
5.2MB

MD5
2537771766282d9735a0e6085c44ac56

SHA1
751d4340464f8d7f5a8a25ab1dfea14aa5c9bd53

SHA256
0102bc5f56b247705d63d8d9fcd70383d715045012a446707600b26253741efd

SHA512
3de706c9cd2f4758d1e7ba48ecd60dddb92e0295d2f408bd200ecf92c0efaa4386e4e1938d474388a26621b3a362ddb197d9121b4c267c2ed5e301b883acb52e

Download Submit
C:\Windows\System\GMPbPFU.exe

Filesize
5.2MB

MD5
00128a609bdf2899b39a37450009eefb

SHA1
51b5f35cf2c7f56f4f78f3109d7b5da3be9d4f58

SHA256
e4f6807f66a2f36dabcb99b194f08c33d82def72ad2e4f711249cce2039bb337

SHA512
ac17bd59393b5bbd5f309aa490f5f26ec040987bde1722aaaf07ba4b7d3fea9341b5eea8a8a5b84a37280d056a5d75244b15b60b52787291d992acf459a0e7b5

Download Submit
C:\Windows\System\GfsLPMl.exe

Filesize
5.2MB

MD5
a21f8ab4c72caf80bcab7898228cf330

SHA1
23222657410c55bf960ab3e626e2c90890900529

SHA256
12233105b381e6b1296ec65ce973a8ec263281d1b59e52a63f35b20fcbc91847

SHA512
63267a105d70c4e1b62e4c13e05aa8d90c1cd3de78d9f285a36c0928a915e9dff0a0b06a7794b41f28d42c4c32e1e6eba41248a004f1773a6a1d4543b10e9616

Download Submit
C:\Windows\System\IdTlsNV.exe

Filesize
5.2MB

MD5
98142b0746ffa5dae4937f74a22fd1bb

SHA1
13647ee1b3e6c106744c299a9aee4aa50b81964f

SHA256
f932b59f2891046872f2994ec309236ae95a239d4ad534f5290941b3e301c4cb

SHA512
2ab84cf6f3e5b96620b9ed508805a4bc1928d720f2a7dd0efea28bca014f2bdac698485d1865c8eee1ff2434b23d96fc4f854ca24e3335fa92d474ffebfa0cc2

Download Submit
C:\Windows\System\LykdPYT.exe

Filesize
5.2MB

MD5
7d0accb62c82c346994886823d84c11e

SHA1
5ad1980fe195b7919e7ce37e09f0ce875536d45a

SHA256
34b93059f988d60557ffa7378e6b0bd5d2a2f2e9bce16989c3e93289b915df92

SHA512
d15749d8e29d8999fd19568c800563803013af6795fc6d31ff1fc35f1720a0565dc5c5d8acea50f2daffd92ecc8971af5eb8eb07c970e50ed5ab1d490143b93a

Download Submit
C:\Windows\System\RlMaXsy.exe

Filesize
5.2MB

MD5
d556a1602e1e2c18e0d51dbefb0703ea

SHA1
2de3db65d112ae84540ba06d823e247a9521f56d

SHA256
8d849ad3b7588fb1490663f1e9ffadec3e0470a7cd9d508231447b40a78e2267

SHA512
44a08efdf7f75722cfbadc17e5f7860ac299c0887affad197e932de078763dd8457433cfdee4f19e208d122e72a161db821c6b110528231c12a7d1b07b078ce1

Download Submit
C:\Windows\System\TDCAqSJ.exe

Filesize
5.2MB

MD5
4c4692cf97e79ed23cd1d3dbbcb39ec6

SHA1
3faaab5826c364d5e942e65705bb799485a55947

SHA256
17487c7d1a51eb9d315808cac84ac4a04fb9bfdbec7ca3f495a6eef03f0b646b

SHA512
cf571613a67ef2446276e6d1534b1e719ec4913227e16ae053c8b0c1f87c28ad60f2eec7b677e9396c888739b41aef5704fd592da1b045d98ac48859d3b10a10

Download Submit
C:\Windows\System\ZGCIvxx.exe

Filesize
5.2MB

MD5
1985d8460ae951165175918c64ba3274

SHA1
510b0d3b7632a8799648f221cd0aaeb0ae6f162f

SHA256
15475290b0e492c3c9a66c706afe4b72adf78e0f55e95a60280ebbfce16b9d40

SHA512
f85c3032ac124022221d484316d88ca962b2d6b19f17bb25d59669a05e4be1e38e955f88b3eadf4483961cb509b5e7b1b6033afdee28fa901ff4b885a48fb4fd

Download Submit
C:\Windows\System\amcufyo.exe

Filesize
5.2MB

MD5
a384389075aa967913f2248831c1fed9

SHA1
e2f752eff69e4204894022ccbcfb96a9fe725fb3

SHA256
3ffa61a5a47dff12da156d2003c38c44b76f77ce238830fb42fd3e97ae07938f

SHA512
99bd8f99aa20aa169535c39e3af9a5d3b66b2a2c590f90e2e09d77317313479e373a411cd8a6033c5c074f532456c708d4ba281c5513637cf00ee910973548e0

Download Submit
C:\Windows\System\egvTZvY.exe

Filesize
5.2MB

MD5
a26e298d03e5dd089fc306df5bd9d132

SHA1
27e0cee4f58e734c758d7bf726bc317ff146f49b

SHA256
8a4ea12e43d772e1227ffb37751d0d25e25cccef734234eb4127b642893d99e1

SHA512
b7fa794875822246ec57fd0dbbfd13af22ac74937bf87cc86ad3cbd7f80da7865a261b332f4bfa2f67e5d4696df7bbb1d0dd276194baadb795d473a044566029

Download Submit
C:\Windows\System\hQCAGMc.exe

Filesize
5.2MB

MD5
389cbd5467b1684f7d87f80a676a3945

SHA1
bb4d52239de290d87e8682084c968e0c05cc664c

SHA256
47ca4535da8b413df98ff1898306f3bd35cb3d08df0631ef20ddf89c343353f6

SHA512
3d4c538d470741cc0ea28fd18f48ea6ac422cacc61d6b78927a22f47ac2545271772b8a11dccd2e67a4f8459e951523e94cf5567e27d4846caa39245a3e0ae60

Download Submit
C:\Windows\System\hgUFRbQ.exe

Filesize
5.2MB

MD5
d8f4828dd62feb28981aa2ab91dc898d

SHA1
87de857300c675d084cd7c629fd6ebe4dd02ab6c

SHA256
21ddad11d68482cf7a6aeca7fffb126cf0f1bce74886ba7ec87edc6237c325bf

SHA512
cde02f1ef954ccb97ec1e238895e934267eab548ae59d234e743ee2bdecde87f57aee7719f858c4d6c713cd990400f5f826889eaf59818e46b686facdfa161d1

Download Submit
C:\Windows\System\iZbSwwg.exe

Filesize
5.2MB

MD5
422e31517989048d786874635cd070a8

SHA1
97652002ae3b3b9199d2cebd0eab089ad693507f

SHA256
e5b65f6a5a92fd3a513e655cdf9377015f17cd1d24f9f0d6365c1db794a7a9ea

SHA512
8fa992133aeebc4dcf0c1aa0e1ec59f92794f3ac5a0c015eaf15d41373d70e3e9f14085ca41bc66d0413454498bb7764e7aeeccfd3a8b94cca73a00a2065a774

Download Submit
C:\Windows\System\mUmIjJY.exe

Filesize
5.2MB

MD5
65d5d0b07c51a5671013e324d6ca57f2

SHA1
5b100601953b93d5daaf38df2c60aad7639d611e

SHA256
159e156688271b9b6a751d7bae98584ec621cba57d4f73d8044ee5c8c8f32010

SHA512
849ee6d1666c06235181ec6778684ee13f28639d02c1b627f48111de696b6ba72fc7939a3d2e588a13361259c7d359ed129a74499632074d69a048716923e92f

Download Submit
C:\Windows\System\oGloxQt.exe

Filesize
5.2MB

MD5
2b5341f8f6fd8650bd132c3427272e31

SHA1
ffaca1409af5db0e2640e3819deeb71f5891e4a8

SHA256
b7d18c554fb61f0d77b94cfb185a327c02eec208f859695e14c394ca1ad5f4b8

SHA512
fb446875fc1abe4b1123baece3e0475d2d6dfe026ca30d6749396f10aae57683952d1038c8efd9d33f609686b3e3177432a6787a094b604377a335c0c2236077

Download Submit
C:\Windows\System\rOIVNvw.exe

Filesize
5.2MB

MD5
beb591bd3a2b491b96f7d7d3cfcfde2f

SHA1
2122c446025d129751906858bf22313d61ceb032

SHA256
5c6da13d7c7de7926457347178330a90e969f3e7f519d41927a1440491e55373

SHA512
7b4c7c90b71e24c4a24432fded8064402591c32717fd426e79b445d46c9d43eaf9c5e1e5f770796784f98d511f03d9008c035da6a570a06ff4d7373eafec4c4c

Download Submit
C:\Windows\System\rPiMAyO.exe

Filesize
5.2MB

MD5
0a15097157c302994a6a34dd23bbe5d3

SHA1
78a3afea15be01f7d82d0b658bbcb25f53694d4e

SHA256
6c0ebe8df2c0ccd57f211c329ac6e2505a02821b3394492fa86874c2c4c9bac9

SHA512
93395c734500010d233266ae13cab2ddf00135f345e1c69168bd7607a454f7e654aa00a0faf6262a770031659e787f7289e225d678d390e372cf081c1add8abe

Download Submit
C:\Windows\System\xSPGtCk.exe

Filesize
5.2MB

MD5
bfc530955f2c17f3d2b786e6c9abf611

SHA1
3393a735b3ab7bf07ce79b0f9620026577bdb835

SHA256
9577754562c9b6eaae7f204cf4eb91a4ea3aa916e9cfe197fb9dbf0b4e161987

SHA512
32dbe39bd9655c93c4be0d2d7f121458727dcf56b6a1fc025fce8497851fc492f1f8850fbdd4190939d8cae652933dbd88595797a629eaa5d01f0d6e9f91291b

Download Submit
C:\Windows\System\xTpJVgK.exe

Filesize
5.2MB

MD5
f2ff0dd0d8f4b004c59c4234f127e74c

SHA1
71829c6a92cd9740f5269f2f00fb30309ceb02d1

SHA256
0fa2337e0067b3529f0437330da38267bc41417b83eb718d72b85f0bedee7f9b

SHA512
6eebaf4b2099460ffa1c0e0eba2238fb565d29479d03f4c6c7b920b020a93752e7a84f3d52a0a4556c1b0a7ba46a0088c393f74db86870aa93bc5525a48e2016

Download Submit
memory/184-167-0x00007FF6F5880000-0x00007FF6F5BD1000-memory.dmp

Filesize
3.3MB

Download
memory/184-1-0x000001B9EDE40000-0x000001B9EDE50000-memory.dmp

Filesize
64KB

Download
memory/184-140-0x00007FF6F5880000-0x00007FF6F5BD1000-memory.dmp

Filesize
3.3MB

Download
memory/184-0-0x00007FF6F5880000-0x00007FF6F5BD1000-memory.dmp

Filesize
3.3MB

Download
memory/184-92-0x00007FF6F5880000-0x00007FF6F5BD1000-memory.dmp

Filesize
3.3MB

Download
memory/264-239-0x00007FF6AED30000-0x00007FF6AF081000-memory.dmp

Filesize
3.3MB

Download
memory/264-50-0x00007FF6AED30000-0x00007FF6AF081000-memory.dmp

Filesize
3.3MB

Download
memory/264-114-0x00007FF6AED30000-0x00007FF6AF081000-memory.dmp

Filesize
3.3MB

Download
memory/1164-131-0x00007FF7BC680000-0x00007FF7BC9D1000-memory.dmp

Filesize
3.3MB

Download
memory/1164-163-0x00007FF7BC680000-0x00007FF7BC9D1000-memory.dmp

Filesize
3.3MB

Download
memory/1164-274-0x00007FF7BC680000-0x00007FF7BC9D1000-memory.dmp

Filesize
3.3MB

Download
memory/1552-259-0x00007FF6257D0000-0x00007FF625B21000-memory.dmp

Filesize
3.3MB

Download
memory/1552-146-0x00007FF6257D0000-0x00007FF625B21000-memory.dmp

Filesize
3.3MB

Download
memory/1552-98-0x00007FF6257D0000-0x00007FF625B21000-memory.dmp

Filesize
3.3MB

Download
memory/1640-130-0x00007FF785410000-0x00007FF785761000-memory.dmp

Filesize
3.3MB

Download
memory/1640-270-0x00007FF785410000-0x00007FF785761000-memory.dmp

Filesize
3.3MB

Download
memory/2648-93-0x00007FF716A10000-0x00007FF716D61000-memory.dmp

Filesize
3.3MB

Download
memory/2648-224-0x00007FF716A10000-0x00007FF716D61000-memory.dmp

Filesize
3.3MB

Download
memory/2648-14-0x00007FF716A10000-0x00007FF716D61000-memory.dmp

Filesize
3.3MB

Download
memory/2848-72-0x00007FF714090000-0x00007FF7143E1000-memory.dmp

Filesize
3.3MB

Download
memory/2848-251-0x00007FF714090000-0x00007FF7143E1000-memory.dmp

Filesize
3.3MB

Download
memory/2848-137-0x00007FF714090000-0x00007FF7143E1000-memory.dmp

Filesize
3.3MB

Download
memory/2972-41-0x00007FF71F7A0000-0x00007FF71FAF1000-memory.dmp

Filesize
3.3MB

Download
memory/2972-245-0x00007FF71F7A0000-0x00007FF71FAF1000-memory.dmp

Filesize
3.3MB

Download
memory/2972-107-0x00007FF71F7A0000-0x00007FF71FAF1000-memory.dmp

Filesize
3.3MB

Download
memory/3148-166-0x00007FF759F00000-0x00007FF75A251000-memory.dmp

Filesize
3.3MB

Download
memory/3148-132-0x00007FF759F00000-0x00007FF75A251000-memory.dmp

Filesize
3.3MB

Download
memory/3148-272-0x00007FF759F00000-0x00007FF75A251000-memory.dmp

Filesize
3.3MB

Download
memory/3464-266-0x00007FF65CC30000-0x00007FF65CF81000-memory.dmp

Filesize
3.3MB

Download
memory/3464-158-0x00007FF65CC30000-0x00007FF65CF81000-memory.dmp

Filesize
3.3MB

Download
memory/3464-108-0x00007FF65CC30000-0x00007FF65CF81000-memory.dmp

Filesize
3.3MB

Download
memory/3484-255-0x00007FF69C3C0000-0x00007FF69C711000-memory.dmp

Filesize
3.3MB

Download
memory/3484-139-0x00007FF69C3C0000-0x00007FF69C711000-memory.dmp

Filesize
3.3MB

Download
memory/3484-86-0x00007FF69C3C0000-0x00007FF69C711000-memory.dmp

Filesize
3.3MB

Download
memory/3888-20-0x00007FF632B70000-0x00007FF632EC1000-memory.dmp

Filesize
3.3MB

Download
memory/3888-228-0x00007FF632B70000-0x00007FF632EC1000-memory.dmp

Filesize
3.3MB

Download
memory/3888-94-0x00007FF632B70000-0x00007FF632EC1000-memory.dmp

Filesize
3.3MB

Download
memory/3928-97-0x00007FF7A4F10000-0x00007FF7A5261000-memory.dmp

Filesize
3.3MB

Download
memory/3928-257-0x00007FF7A4F10000-0x00007FF7A5261000-memory.dmp

Filesize
3.3MB

Download
memory/4080-27-0x00007FF790190000-0x00007FF7904E1000-memory.dmp

Filesize
3.3MB

Download
memory/4080-226-0x00007FF790190000-0x00007FF7904E1000-memory.dmp

Filesize
3.3MB

Download
memory/4100-138-0x00007FF622A10000-0x00007FF622D61000-memory.dmp

Filesize
3.3MB

Download
memory/4100-253-0x00007FF622A10000-0x00007FF622D61000-memory.dmp

Filesize
3.3MB

Download
memory/4100-78-0x00007FF622A10000-0x00007FF622D61000-memory.dmp

Filesize
3.3MB

Download
memory/4112-241-0x00007FF6D46A0000-0x00007FF6D49F1000-memory.dmp

Filesize
3.3MB

Download
memory/4112-65-0x00007FF6D46A0000-0x00007FF6D49F1000-memory.dmp

Filesize
3.3MB

Download
memory/4112-115-0x00007FF6D46A0000-0x00007FF6D49F1000-memory.dmp

Filesize
3.3MB

Download
memory/4336-29-0x00007FF6C1920000-0x00007FF6C1C71000-memory.dmp

Filesize
3.3MB

Download
memory/4336-230-0x00007FF6C1920000-0x00007FF6C1C71000-memory.dmp

Filesize
3.3MB

Download
memory/4336-101-0x00007FF6C1920000-0x00007FF6C1C71000-memory.dmp

Filesize
3.3MB

Download
memory/4476-103-0x00007FF733B50000-0x00007FF733EA1000-memory.dmp

Filesize
3.3MB

Download
memory/4476-232-0x00007FF733B50000-0x00007FF733EA1000-memory.dmp

Filesize
3.3MB

Download
memory/4476-36-0x00007FF733B50000-0x00007FF733EA1000-memory.dmp

Filesize
3.3MB

Download
memory/4508-159-0x00007FF67FF80000-0x00007FF6802D1000-memory.dmp

Filesize
3.3MB

Download
memory/4508-268-0x00007FF67FF80000-0x00007FF6802D1000-memory.dmp

Filesize
3.3MB

Download
memory/4508-116-0x00007FF67FF80000-0x00007FF6802D1000-memory.dmp

Filesize
3.3MB

Download
memory/4692-244-0x00007FF723690000-0x00007FF7239E1000-memory.dmp

Filesize
3.3MB

Download
memory/4692-66-0x00007FF723690000-0x00007FF7239E1000-memory.dmp

Filesize
3.3MB

Download
memory/5060-71-0x00007FF75F070000-0x00007FF75F3C1000-memory.dmp

Filesize
3.3MB

Download
memory/5060-249-0x00007FF75F070000-0x00007FF75F3C1000-memory.dmp

Filesize
3.3MB

Download
memory/5060-129-0x00007FF75F070000-0x00007FF75F3C1000-memory.dmp

Filesize
3.3MB

Download
memory/5064-247-0x00007FF728770000-0x00007FF728AC1000-memory.dmp

Filesize
3.3MB

Download
memory/5064-68-0x00007FF728770000-0x00007FF728AC1000-memory.dmp

Filesize
3.3MB

Download