cobaltstrike | fdba5126bda89a0d6f18c0994daed7ff89c769e2f317c1d1565a484034efa111

Analysis

max time kernel
140s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17/11/2024, 10:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-17_7e8eccbadd278e711e4f8433c9a1de4c_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

7e8eccbadd278e711e4f8433c9a1de4c
SHA1

e7b3a6fb60f4fe931a958ad1696e88b029f2b314
SHA256

fdba5126bda89a0d6f18c0994daed7ff89c769e2f317c1d1565a484034efa111
SHA512

f1e19bd6d71fb0e75326c8098a0d88570ff75dda377b80505d865e36cd8c02051b136260be3d28d73d532bf1bd0218e79b753264847d59175ce59ae83cb61cb0
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lA:RWWBibf56utgpPFotBER/mQ32lUU

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000c000000023b46-5.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023bbe-13.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023bbf-18.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023bc0-23.dat	cobalt_reflective_dll
behavioral2/files/0x000e000000023bc4-34.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bc6-32.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bca-52.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bcb-58.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023ba9-67.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c05-112.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bff-109.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c00-105.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bfe-98.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bfd-93.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bfc-84.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bfb-73.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bcc-72.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bc9-48.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c06-129.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c19-143.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c07-132.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 46 IoCs

miner

resource	yara_rule
behavioral2/memory/464-95-0x00007FF7AFFF0000-0x00007FF7B0341000-memory.dmp	xmrig
behavioral2/memory/4068-115-0x00007FF76BB20000-0x00007FF76BE71000-memory.dmp	xmrig
behavioral2/memory/3616-114-0x00007FF74D9F0000-0x00007FF74DD41000-memory.dmp	xmrig
behavioral2/memory/2456-108-0x00007FF7999A0000-0x00007FF799CF1000-memory.dmp	xmrig
behavioral2/memory/3372-102-0x00007FF6A5B30000-0x00007FF6A5E81000-memory.dmp	xmrig
behavioral2/memory/1924-90-0x00007FF7A49D0000-0x00007FF7A4D21000-memory.dmp	xmrig
behavioral2/memory/3496-83-0x00007FF69D060000-0x00007FF69D3B1000-memory.dmp	xmrig
behavioral2/memory/4700-82-0x00007FF6E98E0000-0x00007FF6E9C31000-memory.dmp	xmrig
behavioral2/memory/5040-78-0x00007FF6EFF60000-0x00007FF6F02B1000-memory.dmp	xmrig
behavioral2/memory/4612-71-0x00007FF7A1890000-0x00007FF7A1BE1000-memory.dmp	xmrig
behavioral2/memory/1916-124-0x00007FF6BC4B0000-0x00007FF6BC801000-memory.dmp	xmrig
behavioral2/memory/4316-138-0x00007FF722920000-0x00007FF722C71000-memory.dmp	xmrig
behavioral2/memory/4464-148-0x00007FF776510000-0x00007FF776861000-memory.dmp	xmrig
behavioral2/memory/1924-137-0x00007FF7A49D0000-0x00007FF7A4D21000-memory.dmp	xmrig
behavioral2/memory/5068-136-0x00007FF7C4A50000-0x00007FF7C4DA1000-memory.dmp	xmrig
behavioral2/memory/2836-131-0x00007FF6965E0000-0x00007FF696931000-memory.dmp	xmrig
behavioral2/memory/2748-140-0x00007FF724F70000-0x00007FF7252C1000-memory.dmp	xmrig
behavioral2/memory/1728-134-0x00007FF7A6AC0000-0x00007FF7A6E11000-memory.dmp	xmrig
behavioral2/memory/3448-123-0x00007FF7C18D0000-0x00007FF7C1C21000-memory.dmp	xmrig
behavioral2/memory/4920-122-0x00007FF799D50000-0x00007FF79A0A1000-memory.dmp	xmrig
behavioral2/memory/5044-120-0x00007FF701250000-0x00007FF7015A1000-memory.dmp	xmrig
behavioral2/memory/4612-152-0x00007FF7A1890000-0x00007FF7A1BE1000-memory.dmp	xmrig
behavioral2/memory/2464-171-0x00007FF6BECD0000-0x00007FF6BF021000-memory.dmp	xmrig
behavioral2/memory/2612-173-0x00007FF691750000-0x00007FF691AA1000-memory.dmp	xmrig
behavioral2/memory/4612-174-0x00007FF7A1890000-0x00007FF7A1BE1000-memory.dmp	xmrig
behavioral2/memory/4700-208-0x00007FF6E98E0000-0x00007FF6E9C31000-memory.dmp	xmrig
behavioral2/memory/3496-210-0x00007FF69D060000-0x00007FF69D3B1000-memory.dmp	xmrig
behavioral2/memory/464-212-0x00007FF7AFFF0000-0x00007FF7B0341000-memory.dmp	xmrig
behavioral2/memory/5044-215-0x00007FF701250000-0x00007FF7015A1000-memory.dmp	xmrig
behavioral2/memory/3616-216-0x00007FF74D9F0000-0x00007FF74DD41000-memory.dmp	xmrig
behavioral2/memory/1916-232-0x00007FF6BC4B0000-0x00007FF6BC801000-memory.dmp	xmrig
behavioral2/memory/4920-228-0x00007FF799D50000-0x00007FF79A0A1000-memory.dmp	xmrig
behavioral2/memory/3448-231-0x00007FF7C18D0000-0x00007FF7C1C21000-memory.dmp	xmrig
behavioral2/memory/2836-227-0x00007FF6965E0000-0x00007FF696931000-memory.dmp	xmrig
behavioral2/memory/1728-236-0x00007FF7A6AC0000-0x00007FF7A6E11000-memory.dmp	xmrig
behavioral2/memory/5040-235-0x00007FF6EFF60000-0x00007FF6F02B1000-memory.dmp	xmrig
behavioral2/memory/1924-241-0x00007FF7A49D0000-0x00007FF7A4D21000-memory.dmp	xmrig
behavioral2/memory/4316-242-0x00007FF722920000-0x00007FF722C71000-memory.dmp	xmrig
behavioral2/memory/3372-244-0x00007FF6A5B30000-0x00007FF6A5E81000-memory.dmp	xmrig
behavioral2/memory/5068-239-0x00007FF7C4A50000-0x00007FF7C4DA1000-memory.dmp	xmrig
behavioral2/memory/2456-249-0x00007FF7999A0000-0x00007FF799CF1000-memory.dmp	xmrig
behavioral2/memory/2748-250-0x00007FF724F70000-0x00007FF7252C1000-memory.dmp	xmrig
behavioral2/memory/4068-248-0x00007FF76BB20000-0x00007FF76BE71000-memory.dmp	xmrig
behavioral2/memory/4464-259-0x00007FF776510000-0x00007FF776861000-memory.dmp	xmrig
behavioral2/memory/2612-261-0x00007FF691750000-0x00007FF691AA1000-memory.dmp	xmrig
behavioral2/memory/2464-263-0x00007FF6BECD0000-0x00007FF6BF021000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4700	dlQvYuI.exe
3496	vHHGfcS.exe
464	hMxJGBu.exe
5044	XZhvXQd.exe
3616	JYokUgI.exe
4920	VAxtkkr.exe
3448	ButzdpL.exe
1916	uIGGANf.exe
2836	GWpEerh.exe
1728	BxCaZlz.exe
5040	kjSJMdr.exe
5068	BiQRUwy.exe
1924	jzUUaMX.exe
4316	YIHXGfK.exe
3372	sXLKxoP.exe
2456	bvSWpLS.exe
2748	EpTEUtT.exe
4068	znrlvny.exe
2464	AZWCcyG.exe
4464	XoxSFFD.exe
2612	ISjSKfL.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4612-0-0x00007FF7A1890000-0x00007FF7A1BE1000-memory.dmp	upx
behavioral2/files/0x000c000000023b46-5.dat	upx
behavioral2/files/0x0009000000023bbe-13.dat	upx
behavioral2/files/0x0009000000023bbf-18.dat	upx
behavioral2/files/0x0009000000023bc0-23.dat	upx
behavioral2/memory/3616-27-0x00007FF74D9F0000-0x00007FF74DD41000-memory.dmp	upx
behavioral2/files/0x000e000000023bc4-34.dat	upx
behavioral2/files/0x0008000000023bc6-32.dat	upx
behavioral2/memory/5044-31-0x00007FF701250000-0x00007FF7015A1000-memory.dmp	upx
behavioral2/memory/464-22-0x00007FF7AFFF0000-0x00007FF7B0341000-memory.dmp	upx
behavioral2/memory/3496-17-0x00007FF69D060000-0x00007FF69D3B1000-memory.dmp	upx
behavioral2/memory/4700-6-0x00007FF6E98E0000-0x00007FF6E9C31000-memory.dmp	upx
behavioral2/memory/4920-39-0x00007FF799D50000-0x00007FF79A0A1000-memory.dmp	upx
behavioral2/memory/3448-47-0x00007FF7C18D0000-0x00007FF7C1C21000-memory.dmp	upx
behavioral2/files/0x0008000000023bca-52.dat	upx
behavioral2/files/0x0008000000023bcb-58.dat	upx
behavioral2/memory/1728-65-0x00007FF7A6AC0000-0x00007FF7A6E11000-memory.dmp	upx
behavioral2/files/0x000b000000023ba9-67.dat	upx
behavioral2/memory/464-95-0x00007FF7AFFF0000-0x00007FF7B0341000-memory.dmp	upx
behavioral2/memory/4316-101-0x00007FF722920000-0x00007FF722C71000-memory.dmp	upx
behavioral2/files/0x0008000000023c05-112.dat	upx
behavioral2/memory/4068-115-0x00007FF76BB20000-0x00007FF76BE71000-memory.dmp	upx
behavioral2/memory/3616-114-0x00007FF74D9F0000-0x00007FF74DD41000-memory.dmp	upx
behavioral2/memory/2748-111-0x00007FF724F70000-0x00007FF7252C1000-memory.dmp	upx
behavioral2/files/0x0008000000023bff-109.dat	upx
behavioral2/memory/2456-108-0x00007FF7999A0000-0x00007FF799CF1000-memory.dmp	upx
behavioral2/files/0x0008000000023c00-105.dat	upx
behavioral2/memory/3372-102-0x00007FF6A5B30000-0x00007FF6A5E81000-memory.dmp	upx
behavioral2/files/0x0008000000023bfe-98.dat	upx
behavioral2/files/0x0008000000023bfd-93.dat	upx
behavioral2/memory/1924-90-0x00007FF7A49D0000-0x00007FF7A4D21000-memory.dmp	upx
behavioral2/files/0x0008000000023bfc-84.dat	upx
behavioral2/memory/3496-83-0x00007FF69D060000-0x00007FF69D3B1000-memory.dmp	upx
behavioral2/memory/4700-82-0x00007FF6E98E0000-0x00007FF6E9C31000-memory.dmp	upx
behavioral2/memory/5040-78-0x00007FF6EFF60000-0x00007FF6F02B1000-memory.dmp	upx
behavioral2/files/0x0008000000023bfb-73.dat	upx
behavioral2/files/0x0008000000023bcc-72.dat	upx
behavioral2/memory/4612-71-0x00007FF7A1890000-0x00007FF7A1BE1000-memory.dmp	upx
behavioral2/memory/5068-66-0x00007FF7C4A50000-0x00007FF7C4DA1000-memory.dmp	upx
behavioral2/memory/2836-51-0x00007FF6965E0000-0x00007FF696931000-memory.dmp	upx
behavioral2/memory/1916-50-0x00007FF6BC4B0000-0x00007FF6BC801000-memory.dmp	upx
behavioral2/files/0x0008000000023bc9-48.dat	upx
behavioral2/memory/1916-124-0x00007FF6BC4B0000-0x00007FF6BC801000-memory.dmp	upx
behavioral2/files/0x0008000000023c06-129.dat	upx
behavioral2/files/0x0008000000023c19-143.dat	upx
behavioral2/memory/4316-138-0x00007FF722920000-0x00007FF722C71000-memory.dmp	upx
behavioral2/memory/4464-148-0x00007FF776510000-0x00007FF776861000-memory.dmp	upx
behavioral2/memory/2612-149-0x00007FF691750000-0x00007FF691AA1000-memory.dmp	upx
behavioral2/memory/2464-147-0x00007FF6BECD0000-0x00007FF6BF021000-memory.dmp	upx
behavioral2/memory/1924-137-0x00007FF7A49D0000-0x00007FF7A4D21000-memory.dmp	upx
behavioral2/memory/5068-136-0x00007FF7C4A50000-0x00007FF7C4DA1000-memory.dmp	upx
behavioral2/memory/2836-131-0x00007FF6965E0000-0x00007FF696931000-memory.dmp	upx
behavioral2/files/0x0008000000023c07-132.dat	upx
behavioral2/memory/2748-140-0x00007FF724F70000-0x00007FF7252C1000-memory.dmp	upx
behavioral2/memory/1728-134-0x00007FF7A6AC0000-0x00007FF7A6E11000-memory.dmp	upx
behavioral2/memory/3448-123-0x00007FF7C18D0000-0x00007FF7C1C21000-memory.dmp	upx
behavioral2/memory/4920-122-0x00007FF799D50000-0x00007FF79A0A1000-memory.dmp	upx
behavioral2/memory/5044-120-0x00007FF701250000-0x00007FF7015A1000-memory.dmp	upx
behavioral2/memory/4612-152-0x00007FF7A1890000-0x00007FF7A1BE1000-memory.dmp	upx
behavioral2/memory/2464-171-0x00007FF6BECD0000-0x00007FF6BF021000-memory.dmp	upx
behavioral2/memory/2612-173-0x00007FF691750000-0x00007FF691AA1000-memory.dmp	upx
behavioral2/memory/4612-174-0x00007FF7A1890000-0x00007FF7A1BE1000-memory.dmp	upx
behavioral2/memory/4700-208-0x00007FF6E98E0000-0x00007FF6E9C31000-memory.dmp	upx
behavioral2/memory/3496-210-0x00007FF69D060000-0x00007FF69D3B1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\vHHGfcS.exe	2024-11-17_7e8eccbadd278e711e4f8433c9a1de4c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JYokUgI.exe	2024-11-17_7e8eccbadd278e711e4f8433c9a1de4c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ButzdpL.exe	2024-11-17_7e8eccbadd278e711e4f8433c9a1de4c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uIGGANf.exe	2024-11-17_7e8eccbadd278e711e4f8433c9a1de4c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kjSJMdr.exe	2024-11-17_7e8eccbadd278e711e4f8433c9a1de4c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jzUUaMX.exe	2024-11-17_7e8eccbadd278e711e4f8433c9a1de4c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\znrlvny.exe	2024-11-17_7e8eccbadd278e711e4f8433c9a1de4c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dlQvYuI.exe	2024-11-17_7e8eccbadd278e711e4f8433c9a1de4c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XZhvXQd.exe	2024-11-17_7e8eccbadd278e711e4f8433c9a1de4c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GWpEerh.exe	2024-11-17_7e8eccbadd278e711e4f8433c9a1de4c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BiQRUwy.exe	2024-11-17_7e8eccbadd278e711e4f8433c9a1de4c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ISjSKfL.exe	2024-11-17_7e8eccbadd278e711e4f8433c9a1de4c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hMxJGBu.exe	2024-11-17_7e8eccbadd278e711e4f8433c9a1de4c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EpTEUtT.exe	2024-11-17_7e8eccbadd278e711e4f8433c9a1de4c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AZWCcyG.exe	2024-11-17_7e8eccbadd278e711e4f8433c9a1de4c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XoxSFFD.exe	2024-11-17_7e8eccbadd278e711e4f8433c9a1de4c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VAxtkkr.exe	2024-11-17_7e8eccbadd278e711e4f8433c9a1de4c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BxCaZlz.exe	2024-11-17_7e8eccbadd278e711e4f8433c9a1de4c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YIHXGfK.exe	2024-11-17_7e8eccbadd278e711e4f8433c9a1de4c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sXLKxoP.exe	2024-11-17_7e8eccbadd278e711e4f8433c9a1de4c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bvSWpLS.exe	2024-11-17_7e8eccbadd278e711e4f8433c9a1de4c_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4612	2024-11-17_7e8eccbadd278e711e4f8433c9a1de4c_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4612	2024-11-17_7e8eccbadd278e711e4f8433c9a1de4c_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4612 wrote to memory of 4700	4612	2024-11-17_7e8eccbadd278e711e4f8433c9a1de4c_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4612 wrote to memory of 4700	4612	2024-11-17_7e8eccbadd278e711e4f8433c9a1de4c_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4612 wrote to memory of 3496	4612	2024-11-17_7e8eccbadd278e711e4f8433c9a1de4c_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4612 wrote to memory of 3496	4612	2024-11-17_7e8eccbadd278e711e4f8433c9a1de4c_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4612 wrote to memory of 464	4612	2024-11-17_7e8eccbadd278e711e4f8433c9a1de4c_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4612 wrote to memory of 464	4612	2024-11-17_7e8eccbadd278e711e4f8433c9a1de4c_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4612 wrote to memory of 5044	4612	2024-11-17_7e8eccbadd278e711e4f8433c9a1de4c_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4612 wrote to memory of 5044	4612	2024-11-17_7e8eccbadd278e711e4f8433c9a1de4c_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4612 wrote to memory of 3616	4612	2024-11-17_7e8eccbadd278e711e4f8433c9a1de4c_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4612 wrote to memory of 3616	4612	2024-11-17_7e8eccbadd278e711e4f8433c9a1de4c_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4612 wrote to memory of 4920	4612	2024-11-17_7e8eccbadd278e711e4f8433c9a1de4c_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4612 wrote to memory of 4920	4612	2024-11-17_7e8eccbadd278e711e4f8433c9a1de4c_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4612 wrote to memory of 3448	4612	2024-11-17_7e8eccbadd278e711e4f8433c9a1de4c_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4612 wrote to memory of 3448	4612	2024-11-17_7e8eccbadd278e711e4f8433c9a1de4c_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4612 wrote to memory of 1916	4612	2024-11-17_7e8eccbadd278e711e4f8433c9a1de4c_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4612 wrote to memory of 1916	4612	2024-11-17_7e8eccbadd278e711e4f8433c9a1de4c_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4612 wrote to memory of 2836	4612	2024-11-17_7e8eccbadd278e711e4f8433c9a1de4c_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4612 wrote to memory of 2836	4612	2024-11-17_7e8eccbadd278e711e4f8433c9a1de4c_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4612 wrote to memory of 1728	4612	2024-11-17_7e8eccbadd278e711e4f8433c9a1de4c_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4612 wrote to memory of 1728	4612	2024-11-17_7e8eccbadd278e711e4f8433c9a1de4c_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4612 wrote to memory of 5040	4612	2024-11-17_7e8eccbadd278e711e4f8433c9a1de4c_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4612 wrote to memory of 5040	4612	2024-11-17_7e8eccbadd278e711e4f8433c9a1de4c_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4612 wrote to memory of 5068	4612	2024-11-17_7e8eccbadd278e711e4f8433c9a1de4c_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4612 wrote to memory of 5068	4612	2024-11-17_7e8eccbadd278e711e4f8433c9a1de4c_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4612 wrote to memory of 1924	4612	2024-11-17_7e8eccbadd278e711e4f8433c9a1de4c_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4612 wrote to memory of 1924	4612	2024-11-17_7e8eccbadd278e711e4f8433c9a1de4c_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4612 wrote to memory of 4316	4612	2024-11-17_7e8eccbadd278e711e4f8433c9a1de4c_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4612 wrote to memory of 4316	4612	2024-11-17_7e8eccbadd278e711e4f8433c9a1de4c_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4612 wrote to memory of 3372	4612	2024-11-17_7e8eccbadd278e711e4f8433c9a1de4c_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4612 wrote to memory of 3372	4612	2024-11-17_7e8eccbadd278e711e4f8433c9a1de4c_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4612 wrote to memory of 2748	4612	2024-11-17_7e8eccbadd278e711e4f8433c9a1de4c_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4612 wrote to memory of 2748	4612	2024-11-17_7e8eccbadd278e711e4f8433c9a1de4c_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4612 wrote to memory of 2456	4612	2024-11-17_7e8eccbadd278e711e4f8433c9a1de4c_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4612 wrote to memory of 2456	4612	2024-11-17_7e8eccbadd278e711e4f8433c9a1de4c_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4612 wrote to memory of 4068	4612	2024-11-17_7e8eccbadd278e711e4f8433c9a1de4c_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4612 wrote to memory of 4068	4612	2024-11-17_7e8eccbadd278e711e4f8433c9a1de4c_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4612 wrote to memory of 2464	4612	2024-11-17_7e8eccbadd278e711e4f8433c9a1de4c_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4612 wrote to memory of 2464	4612	2024-11-17_7e8eccbadd278e711e4f8433c9a1de4c_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4612 wrote to memory of 4464	4612	2024-11-17_7e8eccbadd278e711e4f8433c9a1de4c_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4612 wrote to memory of 4464	4612	2024-11-17_7e8eccbadd278e711e4f8433c9a1de4c_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4612 wrote to memory of 2612	4612	2024-11-17_7e8eccbadd278e711e4f8433c9a1de4c_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4612 wrote to memory of 2612	4612	2024-11-17_7e8eccbadd278e711e4f8433c9a1de4c_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-11-17_7e8eccbadd278e711e4f8433c9a1de4c_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-17_7e8eccbadd278e711e4f8433c9a1de4c_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4612
- C:\Windows\System\dlQvYuI.exe
  C:\Windows\System\dlQvYuI.exe
  2⤵
  - Executes dropped EXE
  PID:4700
- C:\Windows\System\vHHGfcS.exe
  C:\Windows\System\vHHGfcS.exe
  2⤵
  - Executes dropped EXE
  PID:3496
- C:\Windows\System\hMxJGBu.exe
  C:\Windows\System\hMxJGBu.exe
  2⤵
  - Executes dropped EXE
  PID:464
- C:\Windows\System\XZhvXQd.exe
  C:\Windows\System\XZhvXQd.exe
  2⤵
  - Executes dropped EXE
  PID:5044
- C:\Windows\System\JYokUgI.exe
  C:\Windows\System\JYokUgI.exe
  2⤵
  - Executes dropped EXE
  PID:3616
- C:\Windows\System\VAxtkkr.exe
  C:\Windows\System\VAxtkkr.exe
  2⤵
  - Executes dropped EXE
  PID:4920
- C:\Windows\System\ButzdpL.exe
  C:\Windows\System\ButzdpL.exe
  2⤵
  - Executes dropped EXE
  PID:3448
- C:\Windows\System\uIGGANf.exe
  C:\Windows\System\uIGGANf.exe
  2⤵
  - Executes dropped EXE
  PID:1916
- C:\Windows\System\GWpEerh.exe
  C:\Windows\System\GWpEerh.exe
  2⤵
  - Executes dropped EXE
  PID:2836
- C:\Windows\System\BxCaZlz.exe
  C:\Windows\System\BxCaZlz.exe
  2⤵
  - Executes dropped EXE
  PID:1728
- C:\Windows\System\kjSJMdr.exe
  C:\Windows\System\kjSJMdr.exe
  2⤵
  - Executes dropped EXE
  PID:5040
- C:\Windows\System\BiQRUwy.exe
  C:\Windows\System\BiQRUwy.exe
  2⤵
  - Executes dropped EXE
  PID:5068
- C:\Windows\System\jzUUaMX.exe
  C:\Windows\System\jzUUaMX.exe
  2⤵
  - Executes dropped EXE
  PID:1924
- C:\Windows\System\YIHXGfK.exe
  C:\Windows\System\YIHXGfK.exe
  2⤵
  - Executes dropped EXE
  PID:4316
- C:\Windows\System\sXLKxoP.exe
  C:\Windows\System\sXLKxoP.exe
  2⤵
  - Executes dropped EXE
  PID:3372
- C:\Windows\System\EpTEUtT.exe
  C:\Windows\System\EpTEUtT.exe
  2⤵
  - Executes dropped EXE
  PID:2748
- C:\Windows\System\bvSWpLS.exe
  C:\Windows\System\bvSWpLS.exe
  2⤵
  - Executes dropped EXE
  PID:2456
- C:\Windows\System\znrlvny.exe
  C:\Windows\System\znrlvny.exe
  2⤵
  - Executes dropped EXE
  PID:4068
- C:\Windows\System\AZWCcyG.exe
  C:\Windows\System\AZWCcyG.exe
  2⤵
  - Executes dropped EXE
  PID:2464
- C:\Windows\System\XoxSFFD.exe
  C:\Windows\System\XoxSFFD.exe
  2⤵
  - Executes dropped EXE
  PID:4464
- C:\Windows\System\ISjSKfL.exe
  C:\Windows\System\ISjSKfL.exe
  2⤵
  - Executes dropped EXE
  PID:2612

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AZWCcyG.exe

Filesize
5.2MB

MD5
46315a28845ba61265e6b64a72913978

SHA1
d53b47fe9beb1d285ff77197811b5a33aca305e9

SHA256
7f2e4f0e8e5c6293800869e89ecaade9682ef83b71ba9b6488957a5b4d3d87ad

SHA512
adf3c72f8b482f5b6681e216cc40908a82fa4d5b4b9b285dfeac44585712e94be866ac8b198ffa7f0911043a867a95046113e35155b93769060fba97841df2fd

Download Submit
C:\Windows\System\BiQRUwy.exe

Filesize
5.2MB

MD5
95c209e6896b4eb11eda36b9b715feab

SHA1
b3fe9a72670fa78d44e0f068b3a67ec19fd3a029

SHA256
c17a7b570184c1f6e3668d1d58821c138ce38ab5458852ece01a188d9820bc53

SHA512
5186c1f11194a5a6852ffabfa84e8618fe3366299e9cd2f2d2245fda647d02346d16ee90b8beb2f63d8144c0df44f98034b4deac7de41411727c8361bf236cb2

Download Submit
C:\Windows\System\ButzdpL.exe

Filesize
5.2MB

MD5
94d60e52557c25773df9d7ce1873c9ff

SHA1
6bd0bd2be3d619c48a7a0003701ada16fbaf31bd

SHA256
6d4631b04187c8ed22ba46eed3b7140b1880104171c9ca3f63e69843d7e11f97

SHA512
8c823456d4cbf2e6c53dee1ab72cef587a2378d89c0b6073b1574bff8a7cb857c226fc755fa2699c4ef23df9ffb1215c3e2e87c456b517e73f7aedae1f3be1c2

Download Submit
C:\Windows\System\BxCaZlz.exe

Filesize
5.2MB

MD5
b05275c8cbe18645d03a4ed1ae1c9ae0

SHA1
35daa1e424d676b36f2d53903d271aafcb6029d1

SHA256
db364d6eb5e82f9eb07b070ee1e99f6a06d1afaec1af818ec24dfd848b4144ff

SHA512
c9e815e6360ef5ce88800187e17697c4a82a8855deec5002e354561cc89516851371a3cb907596780b1b25195e6d5d8dc586d1ecbb0d483a056e8dcf429c7750

Download Submit
C:\Windows\System\EpTEUtT.exe

Filesize
5.2MB

MD5
7e04e2e26c4688db8d67da27c4110d8e

SHA1
4cbf6b4c8af18e0aa1d06f5818738e175734c00a

SHA256
1a5dfef92aadba90cb3b9125fc43002a3d8d310d4eeccc4d53ace106b20a4594

SHA512
ab86a97703fe1fd43b0a2692aa3d645e03d0d3acd1103eaa5cc158380cbd066fb5dc0e467b3fc6ecf9b092003927fc716b9a6294c3b915a2da415577bb8b17e0

Download Submit
C:\Windows\System\GWpEerh.exe

Filesize
5.2MB

MD5
f1cfc95fc2d33e59efca1eb87e9d3209

SHA1
f88ea524e69f4cabe62583b4f35b4ff961ab2679

SHA256
9c318b20325ad6f9d593bd04b375d35a216b675384fc47e2c73dc903409429b0

SHA512
e6050885f49c17867713b73aa16d13ed587fc3d02f731bccb82167f38017e2583b8a733c7a0265907fdf5945286eb9246122f34038d0340cb2ff89bc3bbd7620

Download Submit
C:\Windows\System\ISjSKfL.exe

Filesize
5.2MB

MD5
d6accc3424e81dd0363bce005d5857b1

SHA1
8acf74fddd5267b035df7376dff4daf025288044

SHA256
1379be86584484a6cf30d16df65157ba252962cb4bce0652f97a77292bdd268f

SHA512
c63e68cf510c4f5d7ca51e5856f3d3c381b0d35adb4913ff208907694ed7bedddc110f8c19416bf1d900e2ddf3884caec5d1ba6d63acb7b21fa5dc82cc39997a

Download Submit
C:\Windows\System\JYokUgI.exe

Filesize
5.2MB

MD5
3e9df67fd2a3d8949aaae6b35707f1ee

SHA1
5b4ca0f681cb6439222129b8dae46913d3cff133

SHA256
b1039a9c2acbbb78b30158c17da87a4d9eb87c796e387df84244c6c1970290fd

SHA512
592bd8b395feb2fdaa52745356a311d1848219a6f6d49267ed7abe61f7b324b9def88e7a16efc5b3d685d99f736ce751657e626ddeeb575bc39b73517183b2e2

Download Submit
C:\Windows\System\VAxtkkr.exe

Filesize
5.2MB

MD5
40b3078177c704cc1417d57affbd60d8

SHA1
c478aa50a47fe6025ce53840a1decdd621d80849

SHA256
b5afa5af95b82371b44b42663ab6a54d2aedbac6e2afde2fc910896b1058b0b7

SHA512
0fb77cfd64795cd53f0d733ca4ab8878525871f932463bc16cfc74d99938325e4a1162f995946e9b8268f40e69aa6980daa4ea947f7255fac57cc327eccab39e

Download Submit
C:\Windows\System\XZhvXQd.exe

Filesize
5.2MB

MD5
7ac50d94dc8b17967a6c1646a837a2d2

SHA1
b2ba0e0a46764d1b4b009838bf4af1d454b74dea

SHA256
c6347820a3d2e4154c7e87741af73f34f4bdda975621075a1c9b682353e09003

SHA512
73b34bef6d78315086aa2a622a1a0591a6d2d9711c1776b985a77254acf9403d28785f5308f18f7c86ae86a91fac7d4ca0195df65cc5a97fbbd9dda8003f8067

Download Submit
C:\Windows\System\XoxSFFD.exe

Filesize
5.2MB

MD5
02efc418afdcaee3ae1031a4ff86fe22

SHA1
02635e7055a0f87749d529c8e9153ac4f0954a7b

SHA256
bd61c73250715fd332e9b2e6c7fb71fc9ee4c3ae40b99455307a20f6b8d97fa5

SHA512
5969d44a1d45aa2b79c834982b9863ed92c910edafd795b776312089c3182f7ebf2e455ff90464589640fa73219753b8aa3f6be9e7c5ff39302c942f8179e255

Download Submit
C:\Windows\System\YIHXGfK.exe

Filesize
5.2MB

MD5
a21f23e8f23669ffb217bc00046eb4f6

SHA1
1756c0eb00ae83cadeaa8ed72f1df2952a6fd4ce

SHA256
23465e3253614aae122cc2a4374e39007dc9dd2fe194dc2ca7ac12d9b672bea1

SHA512
8823a04026a5631281a0becd16e58990b11c0ee870065dbbffa702dd5f1407d2fe063d608b8a3679cbd81cecb422d6d2d2f10c55e541e8cfd2508085009568d8

Download Submit
C:\Windows\System\bvSWpLS.exe

Filesize
5.2MB

MD5
a2fc704eb75c5468a0ffdfea1b023e47

SHA1
3bf17a80311791ded6fbd6627338c6ae3250c2a4

SHA256
01523eb82a4e4889994f3082e59d69a3dc7c23b5a7d04267991604bb47342400

SHA512
803e44e9a94bc3e9eed94d4b34daa8162418af9d51732a852bc468ec0e575ff6916f1fb059d9f629d8eba0d5152214d2335ad59ecbccdaf5e500f854a511d45b

Download Submit
C:\Windows\System\dlQvYuI.exe

Filesize
5.2MB

MD5
445259979dd4070a266ce201ebfc50c2

SHA1
7a83e13d3b0f134012706df6fe29183bfa86ba25

SHA256
2e0ff14d7350f044912cf4e394d88f613469020758cf35037e7a43b9f5078940

SHA512
4988081a564472690696c4940c1594d7d44f911cf361d4da1a2dc5ce32a3a6b2a761f362776b8c7cd9d54f60902faeec4bc77be4ed9f0611f5117db3f0bf984c

Download Submit
C:\Windows\System\hMxJGBu.exe

Filesize
5.2MB

MD5
1765f966d709890ce4dae35cba0d75c1

SHA1
45eb77ceb5dbca7a3e6076347954aac982d38094

SHA256
336ae59c99dd7d46cfacffa438a3efdc1976037eb3d89cc0942ba88745ef736d

SHA512
180d149579d6d368be926eaf3cf61cfa205f30ce2d843dd918b5f7237add03a55cb889930e3efad75a2cf4bb9afa508197ef9c0a4936603a934d6a32e46e1e14

Download Submit
C:\Windows\System\jzUUaMX.exe

Filesize
5.2MB

MD5
0598a5824cfdc2c5b869c075a53b95f8

SHA1
8be815de45dd4fb8542012997e229666b18ac3cf

SHA256
9b81a78afa4b836f4d5bc4287ded9268bc35f2247d545f03dac6ffda38992beb

SHA512
4c7cd4f44f7d83904b0f480f6cea05e0a5c237b0d8fa1f30feba6d4d8ebf801e484bd2208db94d56cf18f704eeb464c51a57d30e31fd047e3ac98b4cc62dd116

Download Submit
C:\Windows\System\kjSJMdr.exe

Filesize
5.2MB

MD5
7be4734fa134fc4aa468976e37239495

SHA1
a4cd95eb04b657341e1e2d10e0dfc08b365a9df3

SHA256
9508af89901e4f59b3d0d2919b5e67191466cd1867860325bdc67f029487e670

SHA512
8bec2b44a78593145d07ba15ea2932e1ddb2655fa9338aafea237bacaeaef11f3d3e4a1140e28f57ca4d7b13fdc3e3c8d5e1a50c58ad970fdbed3f975d4a0ef9

Download Submit
C:\Windows\System\sXLKxoP.exe

Filesize
5.2MB

MD5
66deddb084297945f108cfcfd483ff2a

SHA1
fefdc1d6fad5b03145f2067b73d7521ac39a16c9

SHA256
7f73957350ade7d26880264eccf8a62c023ad2942cc6b050346edd2066b99e11

SHA512
72da330990ebb4051f470bff2f724ce9fd3b0f0ea4ebbd43bf1a97f43c5bd3da903d88a9f9609868ed2e8208948dfd946c0f8f9aa37e55dcde0e8d41c04e15ab

Download Submit
C:\Windows\System\uIGGANf.exe

Filesize
5.2MB

MD5
8d07bd5b0c28cc40c2d7e2b2083e2de8

SHA1
60776fb4d0b503c30fcb1dc7f5cc56f064ef667d

SHA256
0e57d78fc247fff74eedb8ac8354ff1d7841c5526ad76477438036d8004e83a0

SHA512
5d34081e86b7a9323a6735d38247059ed77719c25dd623dfcb953c137c74c202541cdc0c4c41a5b9776bf0abab3a69763f62689b0649af6086f2bc918590cfcf

Download Submit
C:\Windows\System\vHHGfcS.exe

Filesize
5.2MB

MD5
c49c00acc0028632c1722d9ffc5abdfd

SHA1
417187a0d600b938442f7c44ec57ceff6ea9e892

SHA256
d2da00716863c84d5873ed722ba4a3b75ebe52f056831e4901baeed74ba34129

SHA512
c01dd401f816015f1237e554490e65f5021771b3c9c422ced7b01d596a6094faa332c444093db2be043ca4db80053e3a7333dd26e2a8c08105db6ce285204307

Download Submit
C:\Windows\System\znrlvny.exe

Filesize
5.2MB

MD5
0e1e2ba28fd361fd3dd6b5199cd6d342

SHA1
f909944712b445e2cb9d0882df03b360f194fb2f

SHA256
430dc6936400aa6aaeb6f9b35b550c23ed4c3761dc03aeac3751ab4b98e03939

SHA512
abfbb678f3366bf9bf5b9a67efad824d8f54ea340b7c46907a46d000a9b79810c0cc8da420d0a07e6919b0360d31788b827902dbc78251b362a1bb8c589887bc

Download Submit
memory/464-212-0x00007FF7AFFF0000-0x00007FF7B0341000-memory.dmp

Filesize
3.3MB

Download
memory/464-95-0x00007FF7AFFF0000-0x00007FF7B0341000-memory.dmp

Filesize
3.3MB

Download
memory/464-22-0x00007FF7AFFF0000-0x00007FF7B0341000-memory.dmp

Filesize
3.3MB

Download
memory/1728-236-0x00007FF7A6AC0000-0x00007FF7A6E11000-memory.dmp

Filesize
3.3MB

Download
memory/1728-134-0x00007FF7A6AC0000-0x00007FF7A6E11000-memory.dmp

Filesize
3.3MB

Download
memory/1728-65-0x00007FF7A6AC0000-0x00007FF7A6E11000-memory.dmp

Filesize
3.3MB

Download
memory/1916-50-0x00007FF6BC4B0000-0x00007FF6BC801000-memory.dmp

Filesize
3.3MB

Download
memory/1916-232-0x00007FF6BC4B0000-0x00007FF6BC801000-memory.dmp

Filesize
3.3MB

Download
memory/1916-124-0x00007FF6BC4B0000-0x00007FF6BC801000-memory.dmp

Filesize
3.3MB

Download
memory/1924-137-0x00007FF7A49D0000-0x00007FF7A4D21000-memory.dmp

Filesize
3.3MB

Download
memory/1924-90-0x00007FF7A49D0000-0x00007FF7A4D21000-memory.dmp

Filesize
3.3MB

Download
memory/1924-241-0x00007FF7A49D0000-0x00007FF7A4D21000-memory.dmp

Filesize
3.3MB

Download
memory/2456-108-0x00007FF7999A0000-0x00007FF799CF1000-memory.dmp

Filesize
3.3MB

Download
memory/2456-249-0x00007FF7999A0000-0x00007FF799CF1000-memory.dmp

Filesize
3.3MB

Download
memory/2464-147-0x00007FF6BECD0000-0x00007FF6BF021000-memory.dmp

Filesize
3.3MB

Download
memory/2464-171-0x00007FF6BECD0000-0x00007FF6BF021000-memory.dmp

Filesize
3.3MB

Download
memory/2464-263-0x00007FF6BECD0000-0x00007FF6BF021000-memory.dmp

Filesize
3.3MB

Download
memory/2612-149-0x00007FF691750000-0x00007FF691AA1000-memory.dmp

Filesize
3.3MB

Download
memory/2612-261-0x00007FF691750000-0x00007FF691AA1000-memory.dmp

Filesize
3.3MB

Download
memory/2612-173-0x00007FF691750000-0x00007FF691AA1000-memory.dmp

Filesize
3.3MB

Download
memory/2748-250-0x00007FF724F70000-0x00007FF7252C1000-memory.dmp

Filesize
3.3MB

Download
memory/2748-140-0x00007FF724F70000-0x00007FF7252C1000-memory.dmp

Filesize
3.3MB

Download
memory/2748-111-0x00007FF724F70000-0x00007FF7252C1000-memory.dmp

Filesize
3.3MB

Download
memory/2836-51-0x00007FF6965E0000-0x00007FF696931000-memory.dmp

Filesize
3.3MB

Download
memory/2836-131-0x00007FF6965E0000-0x00007FF696931000-memory.dmp

Filesize
3.3MB

Download
memory/2836-227-0x00007FF6965E0000-0x00007FF696931000-memory.dmp

Filesize
3.3MB

Download
memory/3372-102-0x00007FF6A5B30000-0x00007FF6A5E81000-memory.dmp

Filesize
3.3MB

Download
memory/3372-244-0x00007FF6A5B30000-0x00007FF6A5E81000-memory.dmp

Filesize
3.3MB

Download
memory/3448-123-0x00007FF7C18D0000-0x00007FF7C1C21000-memory.dmp

Filesize
3.3MB

Download
memory/3448-231-0x00007FF7C18D0000-0x00007FF7C1C21000-memory.dmp

Filesize
3.3MB

Download
memory/3448-47-0x00007FF7C18D0000-0x00007FF7C1C21000-memory.dmp

Filesize
3.3MB

Download
memory/3496-210-0x00007FF69D060000-0x00007FF69D3B1000-memory.dmp

Filesize
3.3MB

Download
memory/3496-17-0x00007FF69D060000-0x00007FF69D3B1000-memory.dmp

Filesize
3.3MB

Download
memory/3496-83-0x00007FF69D060000-0x00007FF69D3B1000-memory.dmp

Filesize
3.3MB

Download
memory/3616-27-0x00007FF74D9F0000-0x00007FF74DD41000-memory.dmp

Filesize
3.3MB

Download
memory/3616-216-0x00007FF74D9F0000-0x00007FF74DD41000-memory.dmp

Filesize
3.3MB

Download
memory/3616-114-0x00007FF74D9F0000-0x00007FF74DD41000-memory.dmp

Filesize
3.3MB

Download
memory/4068-115-0x00007FF76BB20000-0x00007FF76BE71000-memory.dmp

Filesize
3.3MB

Download
memory/4068-248-0x00007FF76BB20000-0x00007FF76BE71000-memory.dmp

Filesize
3.3MB

Download
memory/4316-242-0x00007FF722920000-0x00007FF722C71000-memory.dmp

Filesize
3.3MB

Download
memory/4316-101-0x00007FF722920000-0x00007FF722C71000-memory.dmp

Filesize
3.3MB

Download
memory/4316-138-0x00007FF722920000-0x00007FF722C71000-memory.dmp

Filesize
3.3MB

Download
memory/4464-148-0x00007FF776510000-0x00007FF776861000-memory.dmp

Filesize
3.3MB

Download
memory/4464-259-0x00007FF776510000-0x00007FF776861000-memory.dmp

Filesize
3.3MB

Download
memory/4612-152-0x00007FF7A1890000-0x00007FF7A1BE1000-memory.dmp

Filesize
3.3MB

Download
memory/4612-174-0x00007FF7A1890000-0x00007FF7A1BE1000-memory.dmp

Filesize
3.3MB

Download
memory/4612-71-0x00007FF7A1890000-0x00007FF7A1BE1000-memory.dmp

Filesize
3.3MB

Download
memory/4612-0-0x00007FF7A1890000-0x00007FF7A1BE1000-memory.dmp

Filesize
3.3MB

Download
memory/4612-1-0x00000249A4490000-0x00000249A44A0000-memory.dmp

Filesize
64KB

Download
memory/4700-208-0x00007FF6E98E0000-0x00007FF6E9C31000-memory.dmp

Filesize
3.3MB

Download
memory/4700-6-0x00007FF6E98E0000-0x00007FF6E9C31000-memory.dmp

Filesize
3.3MB

Download
memory/4700-82-0x00007FF6E98E0000-0x00007FF6E9C31000-memory.dmp

Filesize
3.3MB

Download
memory/4920-228-0x00007FF799D50000-0x00007FF79A0A1000-memory.dmp

Filesize
3.3MB

Download
memory/4920-122-0x00007FF799D50000-0x00007FF79A0A1000-memory.dmp

Filesize
3.3MB

Download
memory/4920-39-0x00007FF799D50000-0x00007FF79A0A1000-memory.dmp

Filesize
3.3MB

Download
memory/5040-78-0x00007FF6EFF60000-0x00007FF6F02B1000-memory.dmp

Filesize
3.3MB

Download
memory/5040-235-0x00007FF6EFF60000-0x00007FF6F02B1000-memory.dmp

Filesize
3.3MB

Download
memory/5044-215-0x00007FF701250000-0x00007FF7015A1000-memory.dmp

Filesize
3.3MB

Download
memory/5044-31-0x00007FF701250000-0x00007FF7015A1000-memory.dmp

Filesize
3.3MB

Download
memory/5044-120-0x00007FF701250000-0x00007FF7015A1000-memory.dmp

Filesize
3.3MB

Download
memory/5068-239-0x00007FF7C4A50000-0x00007FF7C4DA1000-memory.dmp

Filesize
3.3MB

Download
memory/5068-66-0x00007FF7C4A50000-0x00007FF7C4DA1000-memory.dmp

Filesize
3.3MB

Download
memory/5068-136-0x00007FF7C4A50000-0x00007FF7C4DA1000-memory.dmp

Filesize
3.3MB

Download