cobaltstrike | 51dd86e518ce2d88c12205557ba59a0ca2f07b95e1defd2f501fb418fce136fa

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-12-2024 02:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-10_0b5f3e812a72c6bcaef0d2220c7cb633_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

0b5f3e812a72c6bcaef0d2220c7cb633
SHA1

c6c77d9b7986280f06d4a617216d7f1b03af67bd
SHA256

51dd86e518ce2d88c12205557ba59a0ca2f07b95e1defd2f501fb418fce136fa
SHA512

2fed02ba55dfd5cefc726434c1cdb3d329e33c414b4bc3dacd6d1abc4619ba9a2e2f8bde3c317abdb795485c6ff5792a81b1785e0d58db43c998009f9b597d8b
SSDEEP

49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l2:RWWBibd56utgpPFotBER/mQ32lUy

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0008000000023c97-5.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c9f-29.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca3-44.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9d-40.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9c-39.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca2-38.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca6-60.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023caa-105.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cad-123.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cae-125.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cac-121.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cab-113.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca9-103.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c98-101.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca8-99.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca7-86.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca5-83.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca4-81.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca0-58.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9e-52.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9b-18.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/1804-90-0x00007FF6205C0000-0x00007FF620911000-memory.dmp	xmrig
behavioral2/memory/2536-127-0x00007FF7D7450000-0x00007FF7D77A1000-memory.dmp	xmrig
behavioral2/memory/1736-140-0x00007FF7CB0B0000-0x00007FF7CB401000-memory.dmp	xmrig
behavioral2/memory/4520-141-0x00007FF7ABA60000-0x00007FF7ABDB1000-memory.dmp	xmrig
behavioral2/memory/2916-143-0x00007FF6484F0000-0x00007FF648841000-memory.dmp	xmrig
behavioral2/memory/2996-145-0x00007FF7E79D0000-0x00007FF7E7D21000-memory.dmp	xmrig
behavioral2/memory/1696-139-0x00007FF70DEB0000-0x00007FF70E201000-memory.dmp	xmrig
behavioral2/memory/392-138-0x00007FF69C110000-0x00007FF69C461000-memory.dmp	xmrig
behavioral2/memory/2608-134-0x00007FF79A020000-0x00007FF79A371000-memory.dmp	xmrig
behavioral2/memory/2924-133-0x00007FF782F10000-0x00007FF783261000-memory.dmp	xmrig
behavioral2/memory/964-144-0x00007FF633540000-0x00007FF633891000-memory.dmp	xmrig
behavioral2/memory/3936-131-0x00007FF605BD0000-0x00007FF605F21000-memory.dmp	xmrig
behavioral2/memory/968-142-0x00007FF74AD00000-0x00007FF74B051000-memory.dmp	xmrig
behavioral2/memory/2116-130-0x00007FF69B840000-0x00007FF69BB91000-memory.dmp	xmrig
behavioral2/memory/1632-137-0x00007FF7DADD0000-0x00007FF7DB121000-memory.dmp	xmrig
behavioral2/memory/4624-135-0x00007FF6B1EE0000-0x00007FF6B2231000-memory.dmp	xmrig
behavioral2/memory/3480-129-0x00007FF768F60000-0x00007FF7692B1000-memory.dmp	xmrig
behavioral2/memory/4476-132-0x00007FF7F1270000-0x00007FF7F15C1000-memory.dmp	xmrig
behavioral2/memory/2236-146-0x00007FF685720000-0x00007FF685A71000-memory.dmp	xmrig
behavioral2/memory/4436-147-0x00007FF6B9B90000-0x00007FF6B9EE1000-memory.dmp	xmrig
behavioral2/memory/1840-149-0x00007FF7AA410000-0x00007FF7AA761000-memory.dmp	xmrig
behavioral2/memory/3608-148-0x00007FF6DDAB0000-0x00007FF6DDE01000-memory.dmp	xmrig
behavioral2/memory/2536-150-0x00007FF7D7450000-0x00007FF7D77A1000-memory.dmp	xmrig
behavioral2/memory/2536-151-0x00007FF7D7450000-0x00007FF7D77A1000-memory.dmp	xmrig
behavioral2/memory/3480-208-0x00007FF768F60000-0x00007FF7692B1000-memory.dmp	xmrig
behavioral2/memory/2116-210-0x00007FF69B840000-0x00007FF69BB91000-memory.dmp	xmrig
behavioral2/memory/4476-212-0x00007FF7F1270000-0x00007FF7F15C1000-memory.dmp	xmrig
behavioral2/memory/2608-221-0x00007FF79A020000-0x00007FF79A371000-memory.dmp	xmrig
behavioral2/memory/3936-224-0x00007FF605BD0000-0x00007FF605F21000-memory.dmp	xmrig
behavioral2/memory/1804-225-0x00007FF6205C0000-0x00007FF620911000-memory.dmp	xmrig
behavioral2/memory/1632-227-0x00007FF7DADD0000-0x00007FF7DB121000-memory.dmp	xmrig
behavioral2/memory/4520-232-0x00007FF7ABA60000-0x00007FF7ABDB1000-memory.dmp	xmrig
behavioral2/memory/1696-234-0x00007FF70DEB0000-0x00007FF70E201000-memory.dmp	xmrig
behavioral2/memory/4624-238-0x00007FF6B1EE0000-0x00007FF6B2231000-memory.dmp	xmrig
behavioral2/memory/2924-240-0x00007FF782F10000-0x00007FF783261000-memory.dmp	xmrig
behavioral2/memory/392-236-0x00007FF69C110000-0x00007FF69C461000-memory.dmp	xmrig
behavioral2/memory/1736-243-0x00007FF7CB0B0000-0x00007FF7CB401000-memory.dmp	xmrig
behavioral2/memory/968-256-0x00007FF74AD00000-0x00007FF74B051000-memory.dmp	xmrig
behavioral2/memory/2996-254-0x00007FF7E79D0000-0x00007FF7E7D21000-memory.dmp	xmrig
behavioral2/memory/4436-253-0x00007FF6B9B90000-0x00007FF6B9EE1000-memory.dmp	xmrig
behavioral2/memory/3608-251-0x00007FF6DDAB0000-0x00007FF6DDE01000-memory.dmp	xmrig
behavioral2/memory/1840-249-0x00007FF7AA410000-0x00007FF7AA761000-memory.dmp	xmrig
behavioral2/memory/2916-247-0x00007FF6484F0000-0x00007FF648841000-memory.dmp	xmrig
behavioral2/memory/964-245-0x00007FF633540000-0x00007FF633891000-memory.dmp	xmrig
behavioral2/memory/2236-259-0x00007FF685720000-0x00007FF685A71000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
3480	TyJGmjD.exe
2116	VbWKtzl.exe
3936	igEJorh.exe
4476	ulUGVwI.exe
2924	zSqJIAV.exe
2608	auqeaps.exe
4624	faeHSBY.exe
1804	NdUbyKP.exe
1632	HAbNaiR.exe
392	LCcPhza.exe
1736	ehRmDGJ.exe
1696	qcpMnxk.exe
4520	ZvSciki.exe
968	gQcluNk.exe
2916	DFzfeMH.exe
964	ObBRQTI.exe
2996	bwgSUlT.exe
2236	HViHGbe.exe
4436	ihUoFUg.exe
3608	vpzVRiX.exe
1840	vyElBMK.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2536-0-0x00007FF7D7450000-0x00007FF7D77A1000-memory.dmp	upx
behavioral2/files/0x0008000000023c97-5.dat	upx
behavioral2/files/0x0008000000023c9f-29.dat	upx
behavioral2/memory/4624-34-0x00007FF6B1EE0000-0x00007FF6B2231000-memory.dmp	upx
behavioral2/memory/3936-45-0x00007FF605BD0000-0x00007FF605F21000-memory.dmp	upx
behavioral2/files/0x0007000000023ca3-44.dat	upx
behavioral2/files/0x0007000000023c9d-40.dat	upx
behavioral2/files/0x0007000000023c9c-39.dat	upx
behavioral2/files/0x0007000000023ca2-38.dat	upx
behavioral2/files/0x0007000000023ca6-60.dat	upx
behavioral2/memory/2608-62-0x00007FF79A020000-0x00007FF79A371000-memory.dmp	upx
behavioral2/memory/1736-79-0x00007FF7CB0B0000-0x00007FF7CB401000-memory.dmp	upx
behavioral2/memory/2916-87-0x00007FF6484F0000-0x00007FF648841000-memory.dmp	upx
behavioral2/memory/392-91-0x00007FF69C110000-0x00007FF69C461000-memory.dmp	upx
behavioral2/memory/2236-93-0x00007FF685720000-0x00007FF685A71000-memory.dmp	upx
behavioral2/memory/4520-92-0x00007FF7ABA60000-0x00007FF7ABDB1000-memory.dmp	upx
behavioral2/files/0x0007000000023caa-105.dat	upx
behavioral2/files/0x0007000000023cad-123.dat	upx
behavioral2/files/0x0007000000023cae-125.dat	upx
behavioral2/files/0x0007000000023cac-121.dat	upx
behavioral2/memory/1840-120-0x00007FF7AA410000-0x00007FF7AA761000-memory.dmp	upx
behavioral2/memory/3608-119-0x00007FF6DDAB0000-0x00007FF6DDE01000-memory.dmp	upx
behavioral2/memory/4436-118-0x00007FF6B9B90000-0x00007FF6B9EE1000-memory.dmp	upx
behavioral2/files/0x0007000000023cab-113.dat	upx
behavioral2/files/0x0007000000023ca9-103.dat	upx
behavioral2/files/0x0008000000023c98-101.dat	upx
behavioral2/files/0x0007000000023ca8-99.dat	upx
behavioral2/memory/1804-90-0x00007FF6205C0000-0x00007FF620911000-memory.dmp	upx
behavioral2/memory/2996-89-0x00007FF7E79D0000-0x00007FF7E7D21000-memory.dmp	upx
behavioral2/memory/964-88-0x00007FF633540000-0x00007FF633891000-memory.dmp	upx
behavioral2/files/0x0007000000023ca7-86.dat	upx
behavioral2/memory/968-85-0x00007FF74AD00000-0x00007FF74B051000-memory.dmp	upx
behavioral2/files/0x0007000000023ca5-83.dat	upx
behavioral2/files/0x0007000000023ca4-81.dat	upx
behavioral2/memory/1696-80-0x00007FF70DEB0000-0x00007FF70E201000-memory.dmp	upx
behavioral2/memory/1632-67-0x00007FF7DADD0000-0x00007FF7DB121000-memory.dmp	upx
behavioral2/files/0x0007000000023ca0-58.dat	upx
behavioral2/files/0x0007000000023c9e-52.dat	upx
behavioral2/memory/2924-28-0x00007FF782F10000-0x00007FF783261000-memory.dmp	upx
behavioral2/memory/4476-27-0x00007FF7F1270000-0x00007FF7F15C1000-memory.dmp	upx
behavioral2/memory/2116-24-0x00007FF69B840000-0x00007FF69BB91000-memory.dmp	upx
behavioral2/files/0x0007000000023c9b-18.dat	upx
behavioral2/memory/3480-10-0x00007FF768F60000-0x00007FF7692B1000-memory.dmp	upx
behavioral2/memory/2536-127-0x00007FF7D7450000-0x00007FF7D77A1000-memory.dmp	upx
behavioral2/memory/1736-140-0x00007FF7CB0B0000-0x00007FF7CB401000-memory.dmp	upx
behavioral2/memory/4520-141-0x00007FF7ABA60000-0x00007FF7ABDB1000-memory.dmp	upx
behavioral2/memory/2916-143-0x00007FF6484F0000-0x00007FF648841000-memory.dmp	upx
behavioral2/memory/2996-145-0x00007FF7E79D0000-0x00007FF7E7D21000-memory.dmp	upx
behavioral2/memory/1696-139-0x00007FF70DEB0000-0x00007FF70E201000-memory.dmp	upx
behavioral2/memory/392-138-0x00007FF69C110000-0x00007FF69C461000-memory.dmp	upx
behavioral2/memory/2608-134-0x00007FF79A020000-0x00007FF79A371000-memory.dmp	upx
behavioral2/memory/2924-133-0x00007FF782F10000-0x00007FF783261000-memory.dmp	upx
behavioral2/memory/964-144-0x00007FF633540000-0x00007FF633891000-memory.dmp	upx
behavioral2/memory/3936-131-0x00007FF605BD0000-0x00007FF605F21000-memory.dmp	upx
behavioral2/memory/968-142-0x00007FF74AD00000-0x00007FF74B051000-memory.dmp	upx
behavioral2/memory/2116-130-0x00007FF69B840000-0x00007FF69BB91000-memory.dmp	upx
behavioral2/memory/1632-137-0x00007FF7DADD0000-0x00007FF7DB121000-memory.dmp	upx
behavioral2/memory/4624-135-0x00007FF6B1EE0000-0x00007FF6B2231000-memory.dmp	upx
behavioral2/memory/3480-129-0x00007FF768F60000-0x00007FF7692B1000-memory.dmp	upx
behavioral2/memory/4476-132-0x00007FF7F1270000-0x00007FF7F15C1000-memory.dmp	upx
behavioral2/memory/2236-146-0x00007FF685720000-0x00007FF685A71000-memory.dmp	upx
behavioral2/memory/4436-147-0x00007FF6B9B90000-0x00007FF6B9EE1000-memory.dmp	upx
behavioral2/memory/1840-149-0x00007FF7AA410000-0x00007FF7AA761000-memory.dmp	upx
behavioral2/memory/3608-148-0x00007FF6DDAB0000-0x00007FF6DDE01000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\zSqJIAV.exe	2024-12-10_0b5f3e812a72c6bcaef0d2220c7cb633_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DFzfeMH.exe	2024-12-10_0b5f3e812a72c6bcaef0d2220c7cb633_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HViHGbe.exe	2024-12-10_0b5f3e812a72c6bcaef0d2220c7cb633_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VbWKtzl.exe	2024-12-10_0b5f3e812a72c6bcaef0d2220c7cb633_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\auqeaps.exe	2024-12-10_0b5f3e812a72c6bcaef0d2220c7cb633_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\faeHSBY.exe	2024-12-10_0b5f3e812a72c6bcaef0d2220c7cb633_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HAbNaiR.exe	2024-12-10_0b5f3e812a72c6bcaef0d2220c7cb633_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LCcPhza.exe	2024-12-10_0b5f3e812a72c6bcaef0d2220c7cb633_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ehRmDGJ.exe	2024-12-10_0b5f3e812a72c6bcaef0d2220c7cb633_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZvSciki.exe	2024-12-10_0b5f3e812a72c6bcaef0d2220c7cb633_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bwgSUlT.exe	2024-12-10_0b5f3e812a72c6bcaef0d2220c7cb633_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TyJGmjD.exe	2024-12-10_0b5f3e812a72c6bcaef0d2220c7cb633_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ihUoFUg.exe	2024-12-10_0b5f3e812a72c6bcaef0d2220c7cb633_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ulUGVwI.exe	2024-12-10_0b5f3e812a72c6bcaef0d2220c7cb633_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gQcluNk.exe	2024-12-10_0b5f3e812a72c6bcaef0d2220c7cb633_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ObBRQTI.exe	2024-12-10_0b5f3e812a72c6bcaef0d2220c7cb633_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\igEJorh.exe	2024-12-10_0b5f3e812a72c6bcaef0d2220c7cb633_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qcpMnxk.exe	2024-12-10_0b5f3e812a72c6bcaef0d2220c7cb633_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vpzVRiX.exe	2024-12-10_0b5f3e812a72c6bcaef0d2220c7cb633_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vyElBMK.exe	2024-12-10_0b5f3e812a72c6bcaef0d2220c7cb633_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NdUbyKP.exe	2024-12-10_0b5f3e812a72c6bcaef0d2220c7cb633_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2536	2024-12-10_0b5f3e812a72c6bcaef0d2220c7cb633_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2536	2024-12-10_0b5f3e812a72c6bcaef0d2220c7cb633_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2536 wrote to memory of 3480	2536	2024-12-10_0b5f3e812a72c6bcaef0d2220c7cb633_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2536 wrote to memory of 3480	2536	2024-12-10_0b5f3e812a72c6bcaef0d2220c7cb633_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2536 wrote to memory of 2116	2536	2024-12-10_0b5f3e812a72c6bcaef0d2220c7cb633_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2536 wrote to memory of 2116	2536	2024-12-10_0b5f3e812a72c6bcaef0d2220c7cb633_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2536 wrote to memory of 3936	2536	2024-12-10_0b5f3e812a72c6bcaef0d2220c7cb633_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2536 wrote to memory of 3936	2536	2024-12-10_0b5f3e812a72c6bcaef0d2220c7cb633_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2536 wrote to memory of 4476	2536	2024-12-10_0b5f3e812a72c6bcaef0d2220c7cb633_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2536 wrote to memory of 4476	2536	2024-12-10_0b5f3e812a72c6bcaef0d2220c7cb633_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2536 wrote to memory of 2924	2536	2024-12-10_0b5f3e812a72c6bcaef0d2220c7cb633_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2536 wrote to memory of 2924	2536	2024-12-10_0b5f3e812a72c6bcaef0d2220c7cb633_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2536 wrote to memory of 2608	2536	2024-12-10_0b5f3e812a72c6bcaef0d2220c7cb633_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2536 wrote to memory of 2608	2536	2024-12-10_0b5f3e812a72c6bcaef0d2220c7cb633_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2536 wrote to memory of 4624	2536	2024-12-10_0b5f3e812a72c6bcaef0d2220c7cb633_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2536 wrote to memory of 4624	2536	2024-12-10_0b5f3e812a72c6bcaef0d2220c7cb633_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2536 wrote to memory of 1804	2536	2024-12-10_0b5f3e812a72c6bcaef0d2220c7cb633_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2536 wrote to memory of 1804	2536	2024-12-10_0b5f3e812a72c6bcaef0d2220c7cb633_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2536 wrote to memory of 1632	2536	2024-12-10_0b5f3e812a72c6bcaef0d2220c7cb633_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2536 wrote to memory of 1632	2536	2024-12-10_0b5f3e812a72c6bcaef0d2220c7cb633_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2536 wrote to memory of 392	2536	2024-12-10_0b5f3e812a72c6bcaef0d2220c7cb633_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2536 wrote to memory of 392	2536	2024-12-10_0b5f3e812a72c6bcaef0d2220c7cb633_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2536 wrote to memory of 1696	2536	2024-12-10_0b5f3e812a72c6bcaef0d2220c7cb633_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2536 wrote to memory of 1696	2536	2024-12-10_0b5f3e812a72c6bcaef0d2220c7cb633_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2536 wrote to memory of 1736	2536	2024-12-10_0b5f3e812a72c6bcaef0d2220c7cb633_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2536 wrote to memory of 1736	2536	2024-12-10_0b5f3e812a72c6bcaef0d2220c7cb633_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2536 wrote to memory of 4520	2536	2024-12-10_0b5f3e812a72c6bcaef0d2220c7cb633_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2536 wrote to memory of 4520	2536	2024-12-10_0b5f3e812a72c6bcaef0d2220c7cb633_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2536 wrote to memory of 968	2536	2024-12-10_0b5f3e812a72c6bcaef0d2220c7cb633_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2536 wrote to memory of 968	2536	2024-12-10_0b5f3e812a72c6bcaef0d2220c7cb633_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2536 wrote to memory of 2916	2536	2024-12-10_0b5f3e812a72c6bcaef0d2220c7cb633_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2536 wrote to memory of 2916	2536	2024-12-10_0b5f3e812a72c6bcaef0d2220c7cb633_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2536 wrote to memory of 964	2536	2024-12-10_0b5f3e812a72c6bcaef0d2220c7cb633_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2536 wrote to memory of 964	2536	2024-12-10_0b5f3e812a72c6bcaef0d2220c7cb633_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2536 wrote to memory of 2996	2536	2024-12-10_0b5f3e812a72c6bcaef0d2220c7cb633_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2536 wrote to memory of 2996	2536	2024-12-10_0b5f3e812a72c6bcaef0d2220c7cb633_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2536 wrote to memory of 2236	2536	2024-12-10_0b5f3e812a72c6bcaef0d2220c7cb633_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2536 wrote to memory of 2236	2536	2024-12-10_0b5f3e812a72c6bcaef0d2220c7cb633_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2536 wrote to memory of 4436	2536	2024-12-10_0b5f3e812a72c6bcaef0d2220c7cb633_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2536 wrote to memory of 4436	2536	2024-12-10_0b5f3e812a72c6bcaef0d2220c7cb633_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2536 wrote to memory of 3608	2536	2024-12-10_0b5f3e812a72c6bcaef0d2220c7cb633_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2536 wrote to memory of 3608	2536	2024-12-10_0b5f3e812a72c6bcaef0d2220c7cb633_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2536 wrote to memory of 1840	2536	2024-12-10_0b5f3e812a72c6bcaef0d2220c7cb633_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 2536 wrote to memory of 1840	2536	2024-12-10_0b5f3e812a72c6bcaef0d2220c7cb633_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-12-10_0b5f3e812a72c6bcaef0d2220c7cb633_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-10_0b5f3e812a72c6bcaef0d2220c7cb633_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2536
- C:\Windows\System\TyJGmjD.exe
  C:\Windows\System\TyJGmjD.exe
  2⤵
  - Executes dropped EXE
  PID:3480
- C:\Windows\System\VbWKtzl.exe
  C:\Windows\System\VbWKtzl.exe
  2⤵
  - Executes dropped EXE
  PID:2116
- C:\Windows\System\igEJorh.exe
  C:\Windows\System\igEJorh.exe
  2⤵
  - Executes dropped EXE
  PID:3936
- C:\Windows\System\ulUGVwI.exe
  C:\Windows\System\ulUGVwI.exe
  2⤵
  - Executes dropped EXE
  PID:4476
- C:\Windows\System\zSqJIAV.exe
  C:\Windows\System\zSqJIAV.exe
  2⤵
  - Executes dropped EXE
  PID:2924
- C:\Windows\System\auqeaps.exe
  C:\Windows\System\auqeaps.exe
  2⤵
  - Executes dropped EXE
  PID:2608
- C:\Windows\System\faeHSBY.exe
  C:\Windows\System\faeHSBY.exe
  2⤵
  - Executes dropped EXE
  PID:4624
- C:\Windows\System\NdUbyKP.exe
  C:\Windows\System\NdUbyKP.exe
  2⤵
  - Executes dropped EXE
  PID:1804
- C:\Windows\System\HAbNaiR.exe
  C:\Windows\System\HAbNaiR.exe
  2⤵
  - Executes dropped EXE
  PID:1632
- C:\Windows\System\LCcPhza.exe
  C:\Windows\System\LCcPhza.exe
  2⤵
  - Executes dropped EXE
  PID:392
- C:\Windows\System\qcpMnxk.exe
  C:\Windows\System\qcpMnxk.exe
  2⤵
  - Executes dropped EXE
  PID:1696
- C:\Windows\System\ehRmDGJ.exe
  C:\Windows\System\ehRmDGJ.exe
  2⤵
  - Executes dropped EXE
  PID:1736
- C:\Windows\System\ZvSciki.exe
  C:\Windows\System\ZvSciki.exe
  2⤵
  - Executes dropped EXE
  PID:4520
- C:\Windows\System\gQcluNk.exe
  C:\Windows\System\gQcluNk.exe
  2⤵
  - Executes dropped EXE
  PID:968
- C:\Windows\System\DFzfeMH.exe
  C:\Windows\System\DFzfeMH.exe
  2⤵
  - Executes dropped EXE
  PID:2916
- C:\Windows\System\ObBRQTI.exe
  C:\Windows\System\ObBRQTI.exe
  2⤵
  - Executes dropped EXE
  PID:964
- C:\Windows\System\bwgSUlT.exe
  C:\Windows\System\bwgSUlT.exe
  2⤵
  - Executes dropped EXE
  PID:2996
- C:\Windows\System\HViHGbe.exe
  C:\Windows\System\HViHGbe.exe
  2⤵
  - Executes dropped EXE
  PID:2236
- C:\Windows\System\ihUoFUg.exe
  C:\Windows\System\ihUoFUg.exe
  2⤵
  - Executes dropped EXE
  PID:4436
- C:\Windows\System\vpzVRiX.exe
  C:\Windows\System\vpzVRiX.exe
  2⤵
  - Executes dropped EXE
  PID:3608
- C:\Windows\System\vyElBMK.exe
  C:\Windows\System\vyElBMK.exe
  2⤵
  - Executes dropped EXE
  PID:1840

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\DFzfeMH.exe

Filesize
5.2MB

MD5
98b08bb2c6cf08921fcb737678ad63b7

SHA1
7ccea3c2234b6c1a7cc17f6a830da26dfaf5cf39

SHA256
1a4e41c223d8017ec4ed62f01373be911a2dadbe44e61cc5dc9a00a70f08588a

SHA512
1bc21230e2045da30a5eb7b17b4cd7bd23c640ac347584db860ff4f8f487787497096b672618dbb466150cb88ef406406e660b0a271bae80feb7816d86ba2b4d

Download Submit
C:\Windows\System\HAbNaiR.exe

Filesize
5.2MB

MD5
c49e8fc65e54d52a212526065d71cc88

SHA1
0aeb12fe8954de882379590a3f1a8086fb9e57e5

SHA256
52694cb60615fad1ed585f9d2e2a4c642a86a0a3342dae8a15ec29b7fd4cee41

SHA512
bd4bf94e9133349f99d7dba69d87ec95b01add986f060d6fa34e067078efdcbe79b35d8e91e6509fa291ca7226c997e7b5f6d8e0448ec3e69cd2b59a92388104

Download Submit
C:\Windows\System\HViHGbe.exe

Filesize
5.2MB

MD5
020f4d65e2ae580683ba25089a9e342b

SHA1
9c0715383a7017fb1908bec9b358f3a2540e3320

SHA256
e775f016ade4234fe0083820f6f9cc44503887ba70f8094fa8041fb9c1187049

SHA512
e8cdcf79845184e59bd44dbdf92d6a8d2dcd203dbff42cc5f00b6fda41e0d46399ab813b619b65f13088106bbdd563b295bd311a717265b34fb65e24d6f6d1d2

Download Submit
C:\Windows\System\LCcPhza.exe

Filesize
5.2MB

MD5
b4f1a0c74c51a0fdde1c9d0cd21d38eb

SHA1
7ed5a340c6722c7dfa64bb9d84748d1631f39706

SHA256
b7ca57801cd016ef608a4e7537da19d8373a9956fca8316e4d070d4a3331af45

SHA512
b04de99b88d265ab880ac15c807f72cdc7a6e92b8344ea1bb351210fd60873b056afe030127bbd47937efb041d3f73966c2b6c7da594a1b1370c94f20aaff98f

Download Submit
C:\Windows\System\NdUbyKP.exe

Filesize
5.2MB

MD5
4409acb695dabfc1b3eb8e00bb10bb6d

SHA1
3b5136fbb12b724b43871508f2163ade025b84f1

SHA256
83aa19d58e6bac82befd0c3b6f9afc44eacf97a71f082e6f8c580fd6a4cc4451

SHA512
b38992d4775d824cd257985ebe5cd22238b92cc6bd28216a90117be7499641452e66ba30aa74d1b44305a1686957eb818a29868c31faed6f87195961838c18be

Download Submit
C:\Windows\System\ObBRQTI.exe

Filesize
5.2MB

MD5
3a97f86e04bbdf1d768733933deca2b3

SHA1
399c7ee159efc19771969c270cc2d6bab49a927d

SHA256
135f5181c370755eecbb7f08539ed8a491a893bfaac35c44578716f5c72db821

SHA512
3581c35c78a7e4f9b532ca7bb50c4da1790e069aa67bdc9da12e857ba817c67f93ad7d9e24fb966b1df59a20eff1a53f948d2905b46643a28681182af6033f25

Download Submit
C:\Windows\System\TyJGmjD.exe

Filesize
5.2MB

MD5
e02b644ab80f004c11d6d167148e4e45

SHA1
c0b3d5deb90cbe2478d5e011bca41d28eb56df99

SHA256
5d9025baa62a741f8ff3f2efcf5bca0f6883590271dc57f57a75d7e36ddf8d65

SHA512
82da8a1c1b819c5095000e9f41121f71d0197dd06fa0d334a8093b5bacd9a7e93051e5b6417a108bc583417aa4333704b6df7c2180f9ddf9a201d534f0f7515b

Download Submit
C:\Windows\System\VbWKtzl.exe

Filesize
5.2MB

MD5
244089e7e427424ef334cdec5c62df93

SHA1
c113912b5196c984e508d2546362c0e98d686604

SHA256
8d0260885046096d1568d67ab69684861fadb1bdce650cf0cb61ee1b688b3d34

SHA512
f69bbaf6141e527908ebbe69396b053aafa9c1f05b2d3ff4273a98ecedbaf7cfe3af5b9a6f4446f31940cf681eaf512eac9a541800ddcacb507edf8c0f4719d5

Download Submit
C:\Windows\System\ZvSciki.exe

Filesize
5.2MB

MD5
fd55d5551ae8a7f65f5b87b84572e6b9

SHA1
e8f6088dcfe1befe705dd7dc4ba2ef1b1f28fcc3

SHA256
56e9d8fffb9deafbabd9e73acd971420c3ea4f2f06cff3ca735c4ac7030ffda7

SHA512
c240f5be9e2cab10593ef7c8eb1adda35d86d44e3d03e9cd3f6b656f5ea073bb97a93a86b65a434ff43dc3c22c5c8f928f9406451aa92674e001cf4e2b7ca238

Download Submit
C:\Windows\System\auqeaps.exe

Filesize
5.2MB

MD5
31e046719b86478fc24f97f1f39c665e

SHA1
15498c127050226f64119e8524bb073c4a96172e

SHA256
d71ceef970186d471925280ca6a511763745f692cb1917ff4864395153016dee

SHA512
6b949d37b8834bd01b0ee36a7e985eabb3e972a0942b1f9b5d570452f5692ffde801fac5ac063f863f177fbe46ed67226db442d8cf7d107975af0b48d690bcd7

Download Submit
C:\Windows\System\bwgSUlT.exe

Filesize
5.2MB

MD5
54a432a46439d21a8cbc6d20b033ecf6

SHA1
eecd2df4d78fd3604afbcd868b7e5a9f8cd088be

SHA256
5c4c90701b2734bee240f93e79a185f547d1d2472dee0413532fcc4eee3f9926

SHA512
60e1003e100aedab689d7d1135f052479f18832eb71d8d2aaa66f219e2687e187463449476671783619f28cc2fcf418289b418f36b3fe3e43432c5c4c4ee6549

Download Submit
C:\Windows\System\ehRmDGJ.exe

Filesize
5.2MB

MD5
cea5686953fc5104f08ef3fffc7b2e15

SHA1
1f5800a1bd9f652d4d386c16c3397fb00b69d922

SHA256
e962adbdd800ec05a4f2781a7986e4f33a70514dc16ed7a1c3116ae716ea9c1e

SHA512
e15565b24f0d19fdc324cddd2c8f8051a153971d7bdfe14fa1d195d31a24d61689e4d777da4dbc88f43402b5210266043b226907744e2aedf4f2b9958d124df4

Download Submit
C:\Windows\System\faeHSBY.exe

Filesize
5.2MB

MD5
5fd5603b5b88149d4637820d951ec7b0

SHA1
159077525f33a3ca90b8b476f020b6685fd6cc33

SHA256
5fb339dd9c5e746b97fc2ab20cf7dba8bf8490807b6d49e028b42524d8ef081a

SHA512
c844e28526675e4c3bc4967d0c1f8814329d4b9190efe12894987e415816d3862e34f00249287aca6233c00fe8e5aacbe64c3198641ceb1b98b14ae8a95dd47d

Download Submit
C:\Windows\System\gQcluNk.exe

Filesize
5.2MB

MD5
f038931ec46905e7e9750a1749b5c0ff

SHA1
7496e953a68caa4e6d8296b1950e221629263a76

SHA256
081ce8d3953a8aaf1b7f5d7e3012a8a47f3de45dcd765ba39fecb55de99bdf98

SHA512
84e7f82dd25965771ee455bae2033862400cdaa7cae675453210b6aa9ccceac8ed38c25917e1736792ef0d19709c9fff8ab923dbf1a254830976d8b4a4658f0e

Download Submit
C:\Windows\System\igEJorh.exe

Filesize
5.2MB

MD5
74a253558e5d99fd7b7289cf4696dc7e

SHA1
9d88649c1a20bb4cb241d1b94461db29d9085c27

SHA256
e017cc4298e1770d0c66bfdaeae5643507ce5a8c61fa4506fe8741a40cc5cee5

SHA512
b0ed7c3eca1983d1faacefa2c245962bcda99aba0a240adb41af3085c60962859a2f4c6bb047cfe851611fac3c8c575ad496257d3c861ea479df2c1112505158

Download Submit
C:\Windows\System\ihUoFUg.exe

Filesize
5.2MB

MD5
b6ba3f6b811bcc1469a6bd15d5c8e5e2

SHA1
9c364e40d482e54bc4e5c5d8b51872de3e4d5723

SHA256
2c7fd08aa972df764140425d674de0d6dbab7a4e22a94d6afdb61bc620d38ca3

SHA512
b7cbfecb50a847f6378dfda862656b27c181d1dd38447b169a6c54231315db1f119f2a41fb7738f37119fce35d4ec5686eaa5f90f4b7f266334305b5daf193db

Download Submit
C:\Windows\System\qcpMnxk.exe

Filesize
5.2MB

MD5
00971ce00df01c4e16f4d4e20ffb8864

SHA1
7e3935fbc564e6cf6cec943ff6eef48b164fe986

SHA256
9927011b678de2ac6f5ef73b77a47b7006c5228bb3945e7e954d8a9157696531

SHA512
785dca9efd5cffe5d440b02cc12566f8b14dc3a91507c956e59c99fd9d8638f0e208b263ddb59e9665fbaaff004c575c238bfb7b015073a151c4b22818018509

Download Submit
C:\Windows\System\ulUGVwI.exe

Filesize
5.2MB

MD5
f2f7c99116b0df3d63cdcd5a41a14e7f

SHA1
a28510918bf0ce8393a8cee8326126fb5279820d

SHA256
30b63c46b8400658c7a28ab55de798a521da52b56f46c0b3e02661214a096869

SHA512
78848dd08b365ab52ea237bf678b32b857e6fb81e4d2c9fd07b9e2f2e5c36582914ac3e00eb0c3efed6909a9feb3268250b03ce3d9eaa3fc541127ef53be1a60

Download Submit
C:\Windows\System\vpzVRiX.exe

Filesize
5.2MB

MD5
76e506c19f1035486e80f0bd9c656e67

SHA1
1088db52b3766aa0d76367f4677a703babd16f93

SHA256
e9122dabd63aac5ce46f03b702d8ff0c1478a73e892e8754a41b8693c5b0f6fb

SHA512
18d403e1b952d361030addb9c2e26d75d3f3141340db1fdbd4d88bd54f30f2ff52f42e768fdbcded3eaf27e1f86d31df0bec9156debbaafa9a3b73c751de84b4

Download Submit
C:\Windows\System\vyElBMK.exe

Filesize
5.2MB

MD5
268b82dbb39ca0d0a83a7a4b82ddc7ee

SHA1
0c791dd4bda3a7b4a5f4c87e6d1e5e9926c81b7d

SHA256
4cf20f2584e34ce7468ac634bbf3adaf96ea57455a300cbb37798e6c18b13a92

SHA512
f12b7a2bf06b17ddd8620dcb3b577a2a8fb018a080df6d4a8106962c6f18c4e162c3fc0cc29ed6a37cb4398eb1bd65580c6866a005b1ba0f8b2658996d87a41e

Download Submit
C:\Windows\System\zSqJIAV.exe

Filesize
5.2MB

MD5
866abef0eebb6cf2e263c027df9a4e16

SHA1
1730e97672056a99a810d6048e92f2bcf925f59f

SHA256
31453e0e4dae9f75c85110b85446d71e992b806541247edbcbb9e82b79410019

SHA512
008ea2b3491498fd35c3ad2b7c9d83c4e9bc61cad68635624cac84a4d4b979043640142e7ea42d9fc92935b5bea48f986075496b9c8c5d8c942540d5cfbf9b4a

Download Submit
memory/392-91-0x00007FF69C110000-0x00007FF69C461000-memory.dmp

Filesize
3.3MB

Download
memory/392-138-0x00007FF69C110000-0x00007FF69C461000-memory.dmp

Filesize
3.3MB

Download
memory/392-236-0x00007FF69C110000-0x00007FF69C461000-memory.dmp

Filesize
3.3MB

Download
memory/964-88-0x00007FF633540000-0x00007FF633891000-memory.dmp

Filesize
3.3MB

Download
memory/964-245-0x00007FF633540000-0x00007FF633891000-memory.dmp

Filesize
3.3MB

Download
memory/964-144-0x00007FF633540000-0x00007FF633891000-memory.dmp

Filesize
3.3MB

Download
memory/968-256-0x00007FF74AD00000-0x00007FF74B051000-memory.dmp

Filesize
3.3MB

Download
memory/968-142-0x00007FF74AD00000-0x00007FF74B051000-memory.dmp

Filesize
3.3MB

Download
memory/968-85-0x00007FF74AD00000-0x00007FF74B051000-memory.dmp

Filesize
3.3MB

Download
memory/1632-67-0x00007FF7DADD0000-0x00007FF7DB121000-memory.dmp

Filesize
3.3MB

Download
memory/1632-227-0x00007FF7DADD0000-0x00007FF7DB121000-memory.dmp

Filesize
3.3MB

Download
memory/1632-137-0x00007FF7DADD0000-0x00007FF7DB121000-memory.dmp

Filesize
3.3MB

Download
memory/1696-139-0x00007FF70DEB0000-0x00007FF70E201000-memory.dmp

Filesize
3.3MB

Download
memory/1696-234-0x00007FF70DEB0000-0x00007FF70E201000-memory.dmp

Filesize
3.3MB

Download
memory/1696-80-0x00007FF70DEB0000-0x00007FF70E201000-memory.dmp

Filesize
3.3MB

Download
memory/1736-243-0x00007FF7CB0B0000-0x00007FF7CB401000-memory.dmp

Filesize
3.3MB

Download
memory/1736-79-0x00007FF7CB0B0000-0x00007FF7CB401000-memory.dmp

Filesize
3.3MB

Download
memory/1736-140-0x00007FF7CB0B0000-0x00007FF7CB401000-memory.dmp

Filesize
3.3MB

Download
memory/1804-90-0x00007FF6205C0000-0x00007FF620911000-memory.dmp

Filesize
3.3MB

Download
memory/1804-225-0x00007FF6205C0000-0x00007FF620911000-memory.dmp

Filesize
3.3MB

Download
memory/1840-120-0x00007FF7AA410000-0x00007FF7AA761000-memory.dmp

Filesize
3.3MB

Download
memory/1840-149-0x00007FF7AA410000-0x00007FF7AA761000-memory.dmp

Filesize
3.3MB

Download
memory/1840-249-0x00007FF7AA410000-0x00007FF7AA761000-memory.dmp

Filesize
3.3MB

Download
memory/2116-210-0x00007FF69B840000-0x00007FF69BB91000-memory.dmp

Filesize
3.3MB

Download
memory/2116-130-0x00007FF69B840000-0x00007FF69BB91000-memory.dmp

Filesize
3.3MB

Download
memory/2116-24-0x00007FF69B840000-0x00007FF69BB91000-memory.dmp

Filesize
3.3MB

Download
memory/2236-146-0x00007FF685720000-0x00007FF685A71000-memory.dmp

Filesize
3.3MB

Download
memory/2236-259-0x00007FF685720000-0x00007FF685A71000-memory.dmp

Filesize
3.3MB

Download
memory/2236-93-0x00007FF685720000-0x00007FF685A71000-memory.dmp

Filesize
3.3MB

Download
memory/2536-151-0x00007FF7D7450000-0x00007FF7D77A1000-memory.dmp

Filesize
3.3MB

Download
memory/2536-150-0x00007FF7D7450000-0x00007FF7D77A1000-memory.dmp

Filesize
3.3MB

Download
memory/2536-0-0x00007FF7D7450000-0x00007FF7D77A1000-memory.dmp

Filesize
3.3MB

Download
memory/2536-1-0x00000258B4C00000-0x00000258B4C10000-memory.dmp

Filesize
64KB

Download
memory/2536-127-0x00007FF7D7450000-0x00007FF7D77A1000-memory.dmp

Filesize
3.3MB

Download
memory/2608-62-0x00007FF79A020000-0x00007FF79A371000-memory.dmp

Filesize
3.3MB

Download
memory/2608-221-0x00007FF79A020000-0x00007FF79A371000-memory.dmp

Filesize
3.3MB

Download
memory/2608-134-0x00007FF79A020000-0x00007FF79A371000-memory.dmp

Filesize
3.3MB

Download
memory/2916-247-0x00007FF6484F0000-0x00007FF648841000-memory.dmp

Filesize
3.3MB

Download
memory/2916-87-0x00007FF6484F0000-0x00007FF648841000-memory.dmp

Filesize
3.3MB

Download
memory/2916-143-0x00007FF6484F0000-0x00007FF648841000-memory.dmp

Filesize
3.3MB

Download
memory/2924-240-0x00007FF782F10000-0x00007FF783261000-memory.dmp

Filesize
3.3MB

Download
memory/2924-133-0x00007FF782F10000-0x00007FF783261000-memory.dmp

Filesize
3.3MB

Download
memory/2924-28-0x00007FF782F10000-0x00007FF783261000-memory.dmp

Filesize
3.3MB

Download
memory/2996-145-0x00007FF7E79D0000-0x00007FF7E7D21000-memory.dmp

Filesize
3.3MB

Download
memory/2996-254-0x00007FF7E79D0000-0x00007FF7E7D21000-memory.dmp

Filesize
3.3MB

Download
memory/2996-89-0x00007FF7E79D0000-0x00007FF7E7D21000-memory.dmp

Filesize
3.3MB

Download
memory/3480-10-0x00007FF768F60000-0x00007FF7692B1000-memory.dmp

Filesize
3.3MB

Download
memory/3480-208-0x00007FF768F60000-0x00007FF7692B1000-memory.dmp

Filesize
3.3MB

Download
memory/3480-129-0x00007FF768F60000-0x00007FF7692B1000-memory.dmp

Filesize
3.3MB

Download
memory/3608-119-0x00007FF6DDAB0000-0x00007FF6DDE01000-memory.dmp

Filesize
3.3MB

Download
memory/3608-251-0x00007FF6DDAB0000-0x00007FF6DDE01000-memory.dmp

Filesize
3.3MB

Download
memory/3608-148-0x00007FF6DDAB0000-0x00007FF6DDE01000-memory.dmp

Filesize
3.3MB

Download
memory/3936-131-0x00007FF605BD0000-0x00007FF605F21000-memory.dmp

Filesize
3.3MB

Download
memory/3936-224-0x00007FF605BD0000-0x00007FF605F21000-memory.dmp

Filesize
3.3MB

Download
memory/3936-45-0x00007FF605BD0000-0x00007FF605F21000-memory.dmp

Filesize
3.3MB

Download
memory/4436-253-0x00007FF6B9B90000-0x00007FF6B9EE1000-memory.dmp

Filesize
3.3MB

Download
memory/4436-118-0x00007FF6B9B90000-0x00007FF6B9EE1000-memory.dmp

Filesize
3.3MB

Download
memory/4436-147-0x00007FF6B9B90000-0x00007FF6B9EE1000-memory.dmp

Filesize
3.3MB

Download
memory/4476-212-0x00007FF7F1270000-0x00007FF7F15C1000-memory.dmp

Filesize
3.3MB

Download
memory/4476-27-0x00007FF7F1270000-0x00007FF7F15C1000-memory.dmp

Filesize
3.3MB

Download
memory/4476-132-0x00007FF7F1270000-0x00007FF7F15C1000-memory.dmp

Filesize
3.3MB

Download
memory/4520-92-0x00007FF7ABA60000-0x00007FF7ABDB1000-memory.dmp

Filesize
3.3MB

Download
memory/4520-232-0x00007FF7ABA60000-0x00007FF7ABDB1000-memory.dmp

Filesize
3.3MB

Download
memory/4520-141-0x00007FF7ABA60000-0x00007FF7ABDB1000-memory.dmp

Filesize
3.3MB

Download
memory/4624-238-0x00007FF6B1EE0000-0x00007FF6B2231000-memory.dmp

Filesize
3.3MB

Download
memory/4624-135-0x00007FF6B1EE0000-0x00007FF6B2231000-memory.dmp

Filesize
3.3MB

Download
memory/4624-34-0x00007FF6B1EE0000-0x00007FF6B2231000-memory.dmp

Filesize
3.3MB

Download