cobaltstrike | 4797fa56992164a0d962468c27f7b66a54ef5af6ad52f34602ec28851d79eaaf

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14-12-2024 02:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-14_34d47fe107f9544a6c2d43e088de84ed_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

34d47fe107f9544a6c2d43e088de84ed
SHA1

0cce49c90cbfdaf996a2f0a8bfa1064c82e305c7
SHA256

4797fa56992164a0d962468c27f7b66a54ef5af6ad52f34602ec28851d79eaaf
SHA512

90bbe8c052f40b6c6c21f1a723179587ff48560dcbf4a1a50fb84de3411c8732a8c18ade0adfd32303a09026dd2b48929b9b421c79440d2234447a4a28c273fe
SSDEEP

49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l+:RWWBibd56utgpPFotBER/mQ32lUq

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0008000000023c92-4.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c96-10.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c97-17.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c93-26.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c98-29.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9a-36.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9b-40.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9c-46.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9e-65.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca0-71.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9f-67.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9d-63.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca1-82.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca3-93.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca5-105.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca7-116.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca9-124.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca8-130.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca6-131.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca4-107.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca2-94.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/2260-57-0x00007FF6ABF50000-0x00007FF6AC2A1000-memory.dmp	xmrig
behavioral2/memory/2372-73-0x00007FF6DC980000-0x00007FF6DCCD1000-memory.dmp	xmrig
behavioral2/memory/4108-72-0x00007FF606570000-0x00007FF6068C1000-memory.dmp	xmrig
behavioral2/memory/4448-56-0x00007FF6B6300000-0x00007FF6B6651000-memory.dmp	xmrig
behavioral2/memory/1780-55-0x00007FF71FBC0000-0x00007FF71FF11000-memory.dmp	xmrig
behavioral2/memory/1196-41-0x00007FF6342C0000-0x00007FF634611000-memory.dmp	xmrig
behavioral2/memory/2780-79-0x00007FF6CF880000-0x00007FF6CFBD1000-memory.dmp	xmrig
behavioral2/memory/3788-78-0x00007FF70ACE0000-0x00007FF70B031000-memory.dmp	xmrig
behavioral2/memory/848-121-0x00007FF7B6C40000-0x00007FF7B6F91000-memory.dmp	xmrig
behavioral2/memory/4432-120-0x00007FF7309D0000-0x00007FF730D21000-memory.dmp	xmrig
behavioral2/memory/1348-106-0x00007FF78E7C0000-0x00007FF78EB11000-memory.dmp	xmrig
behavioral2/memory/844-101-0x00007FF730930000-0x00007FF730C81000-memory.dmp	xmrig
behavioral2/memory/3056-83-0x00007FF76DCF0000-0x00007FF76E041000-memory.dmp	xmrig
behavioral2/memory/2260-137-0x00007FF6ABF50000-0x00007FF6AC2A1000-memory.dmp	xmrig
behavioral2/memory/472-144-0x00007FF6ACFB0000-0x00007FF6AD301000-memory.dmp	xmrig
behavioral2/memory/8-152-0x00007FF78EB60000-0x00007FF78EEB1000-memory.dmp	xmrig
behavioral2/memory/2924-151-0x00007FF7C6900000-0x00007FF7C6C51000-memory.dmp	xmrig
behavioral2/memory/220-158-0x00007FF6EAE40000-0x00007FF6EB191000-memory.dmp	xmrig
behavioral2/memory/1692-157-0x00007FF68A1D0000-0x00007FF68A521000-memory.dmp	xmrig
behavioral2/memory/3576-161-0x00007FF660F50000-0x00007FF6612A1000-memory.dmp	xmrig
behavioral2/memory/1236-160-0x00007FF6A8470000-0x00007FF6A87C1000-memory.dmp	xmrig
behavioral2/memory/2720-159-0x00007FF780490000-0x00007FF7807E1000-memory.dmp	xmrig
behavioral2/memory/4888-162-0x00007FF7D0980000-0x00007FF7D0CD1000-memory.dmp	xmrig
behavioral2/memory/2260-163-0x00007FF6ABF50000-0x00007FF6AC2A1000-memory.dmp	xmrig
behavioral2/memory/1780-213-0x00007FF71FBC0000-0x00007FF71FF11000-memory.dmp	xmrig
behavioral2/memory/4108-215-0x00007FF606570000-0x00007FF6068C1000-memory.dmp	xmrig
behavioral2/memory/3788-217-0x00007FF70ACE0000-0x00007FF70B031000-memory.dmp	xmrig
behavioral2/memory/2780-222-0x00007FF6CF880000-0x00007FF6CFBD1000-memory.dmp	xmrig
behavioral2/memory/3056-223-0x00007FF76DCF0000-0x00007FF76E041000-memory.dmp	xmrig
behavioral2/memory/1196-231-0x00007FF6342C0000-0x00007FF634611000-memory.dmp	xmrig
behavioral2/memory/1348-233-0x00007FF78E7C0000-0x00007FF78EB11000-memory.dmp	xmrig
behavioral2/memory/4448-235-0x00007FF6B6300000-0x00007FF6B6651000-memory.dmp	xmrig
behavioral2/memory/2372-238-0x00007FF6DC980000-0x00007FF6DCCD1000-memory.dmp	xmrig
behavioral2/memory/4432-241-0x00007FF7309D0000-0x00007FF730D21000-memory.dmp	xmrig
behavioral2/memory/472-243-0x00007FF6ACFB0000-0x00007FF6AD301000-memory.dmp	xmrig
behavioral2/memory/848-240-0x00007FF7B6C40000-0x00007FF7B6F91000-memory.dmp	xmrig
behavioral2/memory/2924-254-0x00007FF7C6900000-0x00007FF7C6C51000-memory.dmp	xmrig
behavioral2/memory/844-256-0x00007FF730930000-0x00007FF730C81000-memory.dmp	xmrig
behavioral2/memory/8-258-0x00007FF78EB60000-0x00007FF78EEB1000-memory.dmp	xmrig
behavioral2/memory/1692-262-0x00007FF68A1D0000-0x00007FF68A521000-memory.dmp	xmrig
behavioral2/memory/220-261-0x00007FF6EAE40000-0x00007FF6EB191000-memory.dmp	xmrig
behavioral2/memory/4888-265-0x00007FF7D0980000-0x00007FF7D0CD1000-memory.dmp	xmrig
behavioral2/memory/2720-266-0x00007FF780490000-0x00007FF7807E1000-memory.dmp	xmrig
behavioral2/memory/1236-270-0x00007FF6A8470000-0x00007FF6A87C1000-memory.dmp	xmrig
behavioral2/memory/3576-269-0x00007FF660F50000-0x00007FF6612A1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
1780	jQMulhY.exe
4108	XQgrALR.exe
3788	rOyxaKt.exe
2780	dBfgnLe.exe
3056	sFOFQak.exe
1196	OpMQSsE.exe
1348	OOYQDVw.exe
4448	vDJGbjZ.exe
4432	JeqYaJN.exe
848	rHFGPaQ.exe
2372	qvLcatz.exe
472	KnJzOAB.exe
2924	fpDrPpC.exe
8	ISZwdZH.exe
844	hpyVHQH.exe
220	GoHrOIT.exe
1692	fFoGAVl.exe
2720	iTUglPH.exe
1236	yxafNMH.exe
3576	WmAPVhx.exe
4888	CwmuLby.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2260-0-0x00007FF6ABF50000-0x00007FF6AC2A1000-memory.dmp	upx
behavioral2/files/0x0008000000023c92-4.dat	upx
behavioral2/files/0x0007000000023c96-10.dat	upx
behavioral2/files/0x0007000000023c97-17.dat	upx
behavioral2/memory/3788-18-0x00007FF70ACE0000-0x00007FF70B031000-memory.dmp	upx
behavioral2/memory/4108-15-0x00007FF606570000-0x00007FF6068C1000-memory.dmp	upx
behavioral2/memory/1780-12-0x00007FF71FBC0000-0x00007FF71FF11000-memory.dmp	upx
behavioral2/files/0x0008000000023c93-26.dat	upx
behavioral2/memory/3056-28-0x00007FF76DCF0000-0x00007FF76E041000-memory.dmp	upx
behavioral2/files/0x0007000000023c98-29.dat	upx
behavioral2/memory/2780-27-0x00007FF6CF880000-0x00007FF6CFBD1000-memory.dmp	upx
behavioral2/files/0x0007000000023c9a-36.dat	upx
behavioral2/files/0x0007000000023c9b-40.dat	upx
behavioral2/files/0x0007000000023c9c-46.dat	upx
behavioral2/memory/2260-57-0x00007FF6ABF50000-0x00007FF6AC2A1000-memory.dmp	upx
behavioral2/memory/4432-59-0x00007FF7309D0000-0x00007FF730D21000-memory.dmp	upx
behavioral2/files/0x0007000000023c9e-65.dat	upx
behavioral2/files/0x0007000000023ca0-71.dat	upx
behavioral2/memory/472-74-0x00007FF6ACFB0000-0x00007FF6AD301000-memory.dmp	upx
behavioral2/memory/2372-73-0x00007FF6DC980000-0x00007FF6DCCD1000-memory.dmp	upx
behavioral2/memory/4108-72-0x00007FF606570000-0x00007FF6068C1000-memory.dmp	upx
behavioral2/memory/848-70-0x00007FF7B6C40000-0x00007FF7B6F91000-memory.dmp	upx
behavioral2/files/0x0007000000023c9f-67.dat	upx
behavioral2/files/0x0007000000023c9d-63.dat	upx
behavioral2/memory/4448-56-0x00007FF6B6300000-0x00007FF6B6651000-memory.dmp	upx
behavioral2/memory/1780-55-0x00007FF71FBC0000-0x00007FF71FF11000-memory.dmp	upx
behavioral2/memory/1348-42-0x00007FF78E7C0000-0x00007FF78EB11000-memory.dmp	upx
behavioral2/memory/1196-41-0x00007FF6342C0000-0x00007FF634611000-memory.dmp	upx
behavioral2/memory/2780-79-0x00007FF6CF880000-0x00007FF6CFBD1000-memory.dmp	upx
behavioral2/memory/3788-78-0x00007FF70ACE0000-0x00007FF70B031000-memory.dmp	upx
behavioral2/files/0x0007000000023ca1-82.dat	upx
behavioral2/memory/2924-84-0x00007FF7C6900000-0x00007FF7C6C51000-memory.dmp	upx
behavioral2/files/0x0007000000023ca3-93.dat	upx
behavioral2/files/0x0007000000023ca5-105.dat	upx
behavioral2/files/0x0007000000023ca7-116.dat	upx
behavioral2/files/0x0007000000023ca9-124.dat	upx
behavioral2/files/0x0007000000023ca8-130.dat	upx
behavioral2/files/0x0007000000023ca6-131.dat	upx
behavioral2/memory/3576-128-0x00007FF660F50000-0x00007FF6612A1000-memory.dmp	upx
behavioral2/memory/4888-127-0x00007FF7D0980000-0x00007FF7D0CD1000-memory.dmp	upx
behavioral2/memory/1236-126-0x00007FF6A8470000-0x00007FF6A87C1000-memory.dmp	upx
behavioral2/memory/2720-125-0x00007FF780490000-0x00007FF7807E1000-memory.dmp	upx
behavioral2/memory/848-121-0x00007FF7B6C40000-0x00007FF7B6F91000-memory.dmp	upx
behavioral2/memory/4432-120-0x00007FF7309D0000-0x00007FF730D21000-memory.dmp	upx
behavioral2/memory/1692-108-0x00007FF68A1D0000-0x00007FF68A521000-memory.dmp	upx
behavioral2/files/0x0007000000023ca4-107.dat	upx
behavioral2/memory/1348-106-0x00007FF78E7C0000-0x00007FF78EB11000-memory.dmp	upx
behavioral2/memory/220-102-0x00007FF6EAE40000-0x00007FF6EB191000-memory.dmp	upx
behavioral2/memory/844-101-0x00007FF730930000-0x00007FF730C81000-memory.dmp	upx
behavioral2/memory/8-97-0x00007FF78EB60000-0x00007FF78EEB1000-memory.dmp	upx
behavioral2/files/0x0007000000023ca2-94.dat	upx
behavioral2/memory/3056-83-0x00007FF76DCF0000-0x00007FF76E041000-memory.dmp	upx
behavioral2/memory/2260-137-0x00007FF6ABF50000-0x00007FF6AC2A1000-memory.dmp	upx
behavioral2/memory/472-144-0x00007FF6ACFB0000-0x00007FF6AD301000-memory.dmp	upx
behavioral2/memory/8-152-0x00007FF78EB60000-0x00007FF78EEB1000-memory.dmp	upx
behavioral2/memory/2924-151-0x00007FF7C6900000-0x00007FF7C6C51000-memory.dmp	upx
behavioral2/memory/220-158-0x00007FF6EAE40000-0x00007FF6EB191000-memory.dmp	upx
behavioral2/memory/1692-157-0x00007FF68A1D0000-0x00007FF68A521000-memory.dmp	upx
behavioral2/memory/3576-161-0x00007FF660F50000-0x00007FF6612A1000-memory.dmp	upx
behavioral2/memory/1236-160-0x00007FF6A8470000-0x00007FF6A87C1000-memory.dmp	upx
behavioral2/memory/2720-159-0x00007FF780490000-0x00007FF7807E1000-memory.dmp	upx
behavioral2/memory/4888-162-0x00007FF7D0980000-0x00007FF7D0CD1000-memory.dmp	upx
behavioral2/memory/2260-163-0x00007FF6ABF50000-0x00007FF6AC2A1000-memory.dmp	upx
behavioral2/memory/1780-213-0x00007FF71FBC0000-0x00007FF71FF11000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\jQMulhY.exe	2024-12-14_34d47fe107f9544a6c2d43e088de84ed_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dBfgnLe.exe	2024-12-14_34d47fe107f9544a6c2d43e088de84ed_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OOYQDVw.exe	2024-12-14_34d47fe107f9544a6c2d43e088de84ed_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JeqYaJN.exe	2024-12-14_34d47fe107f9544a6c2d43e088de84ed_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qvLcatz.exe	2024-12-14_34d47fe107f9544a6c2d43e088de84ed_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KnJzOAB.exe	2024-12-14_34d47fe107f9544a6c2d43e088de84ed_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OpMQSsE.exe	2024-12-14_34d47fe107f9544a6c2d43e088de84ed_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vDJGbjZ.exe	2024-12-14_34d47fe107f9544a6c2d43e088de84ed_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fFoGAVl.exe	2024-12-14_34d47fe107f9544a6c2d43e088de84ed_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yxafNMH.exe	2024-12-14_34d47fe107f9544a6c2d43e088de84ed_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CwmuLby.exe	2024-12-14_34d47fe107f9544a6c2d43e088de84ed_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XQgrALR.exe	2024-12-14_34d47fe107f9544a6c2d43e088de84ed_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sFOFQak.exe	2024-12-14_34d47fe107f9544a6c2d43e088de84ed_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ISZwdZH.exe	2024-12-14_34d47fe107f9544a6c2d43e088de84ed_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hpyVHQH.exe	2024-12-14_34d47fe107f9544a6c2d43e088de84ed_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rOyxaKt.exe	2024-12-14_34d47fe107f9544a6c2d43e088de84ed_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rHFGPaQ.exe	2024-12-14_34d47fe107f9544a6c2d43e088de84ed_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fpDrPpC.exe	2024-12-14_34d47fe107f9544a6c2d43e088de84ed_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GoHrOIT.exe	2024-12-14_34d47fe107f9544a6c2d43e088de84ed_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iTUglPH.exe	2024-12-14_34d47fe107f9544a6c2d43e088de84ed_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WmAPVhx.exe	2024-12-14_34d47fe107f9544a6c2d43e088de84ed_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2260	2024-12-14_34d47fe107f9544a6c2d43e088de84ed_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2260	2024-12-14_34d47fe107f9544a6c2d43e088de84ed_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2260 wrote to memory of 1780	2260	2024-12-14_34d47fe107f9544a6c2d43e088de84ed_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2260 wrote to memory of 1780	2260	2024-12-14_34d47fe107f9544a6c2d43e088de84ed_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2260 wrote to memory of 4108	2260	2024-12-14_34d47fe107f9544a6c2d43e088de84ed_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2260 wrote to memory of 4108	2260	2024-12-14_34d47fe107f9544a6c2d43e088de84ed_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2260 wrote to memory of 3788	2260	2024-12-14_34d47fe107f9544a6c2d43e088de84ed_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2260 wrote to memory of 3788	2260	2024-12-14_34d47fe107f9544a6c2d43e088de84ed_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2260 wrote to memory of 2780	2260	2024-12-14_34d47fe107f9544a6c2d43e088de84ed_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2260 wrote to memory of 2780	2260	2024-12-14_34d47fe107f9544a6c2d43e088de84ed_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2260 wrote to memory of 3056	2260	2024-12-14_34d47fe107f9544a6c2d43e088de84ed_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2260 wrote to memory of 3056	2260	2024-12-14_34d47fe107f9544a6c2d43e088de84ed_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2260 wrote to memory of 1196	2260	2024-12-14_34d47fe107f9544a6c2d43e088de84ed_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2260 wrote to memory of 1196	2260	2024-12-14_34d47fe107f9544a6c2d43e088de84ed_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2260 wrote to memory of 1348	2260	2024-12-14_34d47fe107f9544a6c2d43e088de84ed_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2260 wrote to memory of 1348	2260	2024-12-14_34d47fe107f9544a6c2d43e088de84ed_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2260 wrote to memory of 4448	2260	2024-12-14_34d47fe107f9544a6c2d43e088de84ed_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2260 wrote to memory of 4448	2260	2024-12-14_34d47fe107f9544a6c2d43e088de84ed_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2260 wrote to memory of 4432	2260	2024-12-14_34d47fe107f9544a6c2d43e088de84ed_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2260 wrote to memory of 4432	2260	2024-12-14_34d47fe107f9544a6c2d43e088de84ed_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2260 wrote to memory of 848	2260	2024-12-14_34d47fe107f9544a6c2d43e088de84ed_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2260 wrote to memory of 848	2260	2024-12-14_34d47fe107f9544a6c2d43e088de84ed_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2260 wrote to memory of 2372	2260	2024-12-14_34d47fe107f9544a6c2d43e088de84ed_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2260 wrote to memory of 2372	2260	2024-12-14_34d47fe107f9544a6c2d43e088de84ed_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2260 wrote to memory of 472	2260	2024-12-14_34d47fe107f9544a6c2d43e088de84ed_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2260 wrote to memory of 472	2260	2024-12-14_34d47fe107f9544a6c2d43e088de84ed_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2260 wrote to memory of 2924	2260	2024-12-14_34d47fe107f9544a6c2d43e088de84ed_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2260 wrote to memory of 2924	2260	2024-12-14_34d47fe107f9544a6c2d43e088de84ed_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2260 wrote to memory of 8	2260	2024-12-14_34d47fe107f9544a6c2d43e088de84ed_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2260 wrote to memory of 8	2260	2024-12-14_34d47fe107f9544a6c2d43e088de84ed_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2260 wrote to memory of 844	2260	2024-12-14_34d47fe107f9544a6c2d43e088de84ed_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2260 wrote to memory of 844	2260	2024-12-14_34d47fe107f9544a6c2d43e088de84ed_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2260 wrote to memory of 220	2260	2024-12-14_34d47fe107f9544a6c2d43e088de84ed_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2260 wrote to memory of 220	2260	2024-12-14_34d47fe107f9544a6c2d43e088de84ed_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2260 wrote to memory of 1692	2260	2024-12-14_34d47fe107f9544a6c2d43e088de84ed_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2260 wrote to memory of 1692	2260	2024-12-14_34d47fe107f9544a6c2d43e088de84ed_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2260 wrote to memory of 2720	2260	2024-12-14_34d47fe107f9544a6c2d43e088de84ed_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2260 wrote to memory of 2720	2260	2024-12-14_34d47fe107f9544a6c2d43e088de84ed_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2260 wrote to memory of 1236	2260	2024-12-14_34d47fe107f9544a6c2d43e088de84ed_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2260 wrote to memory of 1236	2260	2024-12-14_34d47fe107f9544a6c2d43e088de84ed_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2260 wrote to memory of 3576	2260	2024-12-14_34d47fe107f9544a6c2d43e088de84ed_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2260 wrote to memory of 3576	2260	2024-12-14_34d47fe107f9544a6c2d43e088de84ed_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2260 wrote to memory of 4888	2260	2024-12-14_34d47fe107f9544a6c2d43e088de84ed_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 2260 wrote to memory of 4888	2260	2024-12-14_34d47fe107f9544a6c2d43e088de84ed_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-12-14_34d47fe107f9544a6c2d43e088de84ed_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-14_34d47fe107f9544a6c2d43e088de84ed_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2260
- C:\Windows\System\jQMulhY.exe
  C:\Windows\System\jQMulhY.exe
  2⤵
  - Executes dropped EXE
  PID:1780
- C:\Windows\System\XQgrALR.exe
  C:\Windows\System\XQgrALR.exe
  2⤵
  - Executes dropped EXE
  PID:4108
- C:\Windows\System\rOyxaKt.exe
  C:\Windows\System\rOyxaKt.exe
  2⤵
  - Executes dropped EXE
  PID:3788
- C:\Windows\System\dBfgnLe.exe
  C:\Windows\System\dBfgnLe.exe
  2⤵
  - Executes dropped EXE
  PID:2780
- C:\Windows\System\sFOFQak.exe
  C:\Windows\System\sFOFQak.exe
  2⤵
  - Executes dropped EXE
  PID:3056
- C:\Windows\System\OpMQSsE.exe
  C:\Windows\System\OpMQSsE.exe
  2⤵
  - Executes dropped EXE
  PID:1196
- C:\Windows\System\OOYQDVw.exe
  C:\Windows\System\OOYQDVw.exe
  2⤵
  - Executes dropped EXE
  PID:1348
- C:\Windows\System\vDJGbjZ.exe
  C:\Windows\System\vDJGbjZ.exe
  2⤵
  - Executes dropped EXE
  PID:4448
- C:\Windows\System\JeqYaJN.exe
  C:\Windows\System\JeqYaJN.exe
  2⤵
  - Executes dropped EXE
  PID:4432
- C:\Windows\System\rHFGPaQ.exe
  C:\Windows\System\rHFGPaQ.exe
  2⤵
  - Executes dropped EXE
  PID:848
- C:\Windows\System\qvLcatz.exe
  C:\Windows\System\qvLcatz.exe
  2⤵
  - Executes dropped EXE
  PID:2372
- C:\Windows\System\KnJzOAB.exe
  C:\Windows\System\KnJzOAB.exe
  2⤵
  - Executes dropped EXE
  PID:472
- C:\Windows\System\fpDrPpC.exe
  C:\Windows\System\fpDrPpC.exe
  2⤵
  - Executes dropped EXE
  PID:2924
- C:\Windows\System\ISZwdZH.exe
  C:\Windows\System\ISZwdZH.exe
  2⤵
  - Executes dropped EXE
  PID:8
- C:\Windows\System\hpyVHQH.exe
  C:\Windows\System\hpyVHQH.exe
  2⤵
  - Executes dropped EXE
  PID:844
- C:\Windows\System\GoHrOIT.exe
  C:\Windows\System\GoHrOIT.exe
  2⤵
  - Executes dropped EXE
  PID:220
- C:\Windows\System\fFoGAVl.exe
  C:\Windows\System\fFoGAVl.exe
  2⤵
  - Executes dropped EXE
  PID:1692
- C:\Windows\System\iTUglPH.exe
  C:\Windows\System\iTUglPH.exe
  2⤵
  - Executes dropped EXE
  PID:2720
- C:\Windows\System\yxafNMH.exe
  C:\Windows\System\yxafNMH.exe
  2⤵
  - Executes dropped EXE
  PID:1236
- C:\Windows\System\WmAPVhx.exe
  C:\Windows\System\WmAPVhx.exe
  2⤵
  - Executes dropped EXE
  PID:3576
- C:\Windows\System\CwmuLby.exe
  C:\Windows\System\CwmuLby.exe
  2⤵
  - Executes dropped EXE
  PID:4888

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\CwmuLby.exe

Filesize
5.2MB

MD5
ad38f62258cc08f88182c333d313c4fe

SHA1
2570b2f8874f432489a60db66fbed0a4028a2de5

SHA256
5a6d591d36515ca699af72fbf814c0350f90b6483c800cdccf8721b2e5f2dd2d

SHA512
a32f8bf5f15bcb817bcfbab785e683cc54da5e2e3e3e25d2af355387b0482f25492c4531456b9eb459db1cdde0b96c778b066b2e3a9f18e814afaf69051fbf9e

Download Submit
C:\Windows\System\GoHrOIT.exe

Filesize
5.2MB

MD5
393d7d57fcffffcdde71dba6257b2eaf

SHA1
45458b352c212fbdfa9a550a87a48924cf041d88

SHA256
e2a3b9b04508fd268e1f16ada813861a5aea5205c255781a9dc24988d5ba6655

SHA512
b505a481807ecc74657328cdcdd8b0a5ae3811f6810aab8c69aa170308d9217f74ec880b8f5c07dc0288e8795737ce41a1c6bd1ace85e0a306b9c1312359c573

Download Submit
C:\Windows\System\ISZwdZH.exe

Filesize
5.2MB

MD5
825f513021e2608575ef761b2a9bca74

SHA1
003b777542609d0544213c7c413f6db64655abe4

SHA256
e818a45a41cdcc580bc45d80d8a2f57716ebc17b46f1f70470fc82ce09b9d9ff

SHA512
86de95212af5dd3854c0ae08e2469088455bc4cd8fb926cfa4ab0c22cd81e05102307aa63e9951568549b7df5b9f39a89f3eb3ea85b399d297654f7a2441dda9

Download Submit
C:\Windows\System\JeqYaJN.exe

Filesize
5.2MB

MD5
69b8fedc88aaffc1618c21122c2c382d

SHA1
55540e7f1f758a39e9f1ee8ce9d1add66b88e74c

SHA256
cbffcf178a9ea50186ee9b7d35d064cc77c46e74aa8cd5e2643878f2355ebfb2

SHA512
14d2711ea35d0ac01c7dbf97cbaa0c213cae4d25b4e16e52be591af6279adc9d911279f25a38aed5334b05c50b5d8323860f4e07ad65d6217abe9efafaac0a4d

Download Submit
C:\Windows\System\KnJzOAB.exe

Filesize
5.2MB

MD5
5d55786e6b17ebfad37bfa7cbcdc4422

SHA1
a8525be5ea4b962a77573589ab69328168e07b3b

SHA256
7f77c769883033f8415c2d99584d7847ecda2dc65435c76fd58b2787232f01c4

SHA512
98e8783ff1aacc58e823c56cd7bae16045b62a1332363638593cc3a272eadb749e889b502cb6af36f0ba7bf0b5cfa8411dcc32366189005f46b25becae1425c8

Download Submit
C:\Windows\System\OOYQDVw.exe

Filesize
5.2MB

MD5
3187f04e2d17dffe08b2742e1276ec9b

SHA1
410b7e90e91ae01a259b16acf607bc28a129dd77

SHA256
0befbf768b448a9ce9f6fcb30e92369dbb3aeebf965677e4dab00256c531ddae

SHA512
ae5e65c3710066209697778a39d0fd69f87402717631b7a45efeb2751bab208cb3df8953aa2616cdc7e238ee83b3a7f14318c365c475c1e4660609e37312ef58

Download Submit
C:\Windows\System\OpMQSsE.exe

Filesize
5.2MB

MD5
500060a830b4b7aedba68680b5eb9deb

SHA1
44a750e3497ba9efddeaff113c5bb7fc3e40180e

SHA256
5a8339d455fe1de9911031bc072f38b80f32a785ac43796b84f081041f026c6f

SHA512
f5d1ee726d1a2494062618b23401642eca2fbc659c79f524fb706d00068b399c07998b07736607e85b49bb1c9ff55fbb11673b76b0fb72d04ef5238974209442

Download Submit
C:\Windows\System\WmAPVhx.exe

Filesize
5.2MB

MD5
260d7432b45670a6255fc6c828e3a76b

SHA1
4de045ac467c5bc9306d1a5f61404ef2b49e43f9

SHA256
a95425e9337d7ec1ed54db3cb077ae65ad9202a8965023defb39c7011525e749

SHA512
065e593ad60335d1be4fc63af2f6ffa9000f7db9269edee4de7bb3d0d0037ac4058b113a984c5db0d6c5596965de662acc31df74317c55b03555269ee92281b9

Download Submit
C:\Windows\System\XQgrALR.exe

Filesize
5.2MB

MD5
a9429e199b8a9b852b2f710b63df38ce

SHA1
f2ff7e0ec9ec1875907ee42eff61fd89ae1af9cf

SHA256
6cfdc96055676c344a094019341e8262446e31fabe297d424b56fef77d3d4c6b

SHA512
004e17379e844a1ce94dda1d553caf58f1ab36c0a8d582fbfd6a248234d2a8e81f6942864c87393bb752bcd5294aa4cc889fb859ba00d9ac92c7bbc32809f64f

Download Submit
C:\Windows\System\dBfgnLe.exe

Filesize
5.2MB

MD5
366c98c378e187ff7bec3b949820e3f2

SHA1
96f246c60ef8838c8730dbb0e044e962f74578cb

SHA256
9d9ce8606de8b2a30a7a88a24cae5fe074c2f091419094e936c5884bc127fcde

SHA512
6f8f17878908998e3e2df0733e9f26d48457b01c80c3c190c0a1574aa7d68cb9adfc51b69945b286b837c288b07973f73d3c30738dab32779e3ed45c858958d7

Download Submit
C:\Windows\System\fFoGAVl.exe

Filesize
5.2MB

MD5
060a3c831d7af9f20db63a62e1d7720f

SHA1
8d7d8dacb6316b04973bf0c174133a14e4b52829

SHA256
413bcd57bd1cd425a873753d6653ae94437572c0ba81a26318badf94c0e65651

SHA512
cbd03ac3dd64453f847e092334c7b8a9641af15a058ffa81dcdff8a7e2af2e053d0266203ed22fb834ad34249875a5bccb2f5eeb7e5d9f42d660b429b11417a1

Download Submit
C:\Windows\System\fpDrPpC.exe

Filesize
5.2MB

MD5
7c8e4916c17e9dea0133f984319fd565

SHA1
eaa3912f1603eb243986a37439fa5f3c3ca1cd13

SHA256
07a1f0eb998fb99eca0410158bd11a92f41d8c4ad26b14c0814f93d9b7e2dcf0

SHA512
1077669a5ab1a2805c89b52069233b96117a8a622ee3b0406f1daa5f41ef011ff4c2a40cb1242ac4720245b33f8473e259dc2d6f8c870a11c36fe0876247493c

Download Submit
C:\Windows\System\hpyVHQH.exe

Filesize
5.2MB

MD5
861932ad5cfece62052f06589ea94711

SHA1
42bd6730a4e722a0cc0c95495ca0d6738dd32a06

SHA256
cbe41d3c348fc9ac7c39280e9add69180f30a4b41c21d8b02b8320d2057c7f94

SHA512
68dfb41145fbb34b8dcb84d29e693810574137bd46b21755bcb1f2edcaf424d9a0a759895f0cca2e786be2d2b172ee57ba32b4b3849b4e69746edb5be993a214

Download Submit
C:\Windows\System\iTUglPH.exe

Filesize
5.2MB

MD5
395a815db6ba9e6fac28c5f9bf03ec87

SHA1
73bc71fdf5f559b44dce641fd5325577eee2c090

SHA256
7ca6c2a0e582f0a5a6a6a149fe3b49ecd61365ca12b895e4dac51b6fe3721f4b

SHA512
a78c18347ca6620899bc6ee9e9eef3952a4308827c91e4b275b4a40f7c46bd26f5a2058bcfeb4e078ba3c1ab95c4a634b9d997d068ca43104cba70b894203967

Download Submit
C:\Windows\System\jQMulhY.exe

Filesize
5.2MB

MD5
19c36e82aec31adf70e26ad65782fc25

SHA1
05f9f902c4a4198e1afe22eb6234f5a283b4e749

SHA256
239915b7b6c4fe58be38ac3e4840cd3aec417cbd2fb980a35c7aaad8ddcc6849

SHA512
8843a13e3e2e7e9a5e015393432020b3b2c37473ee0d8ed132bd36cb8bef378bb5928597de98ac2dbce3877c555c388b1bf06a6ca31aec64da26508cef099063

Download Submit
C:\Windows\System\qvLcatz.exe

Filesize
5.2MB

MD5
e03868a709af5f9f35a5e4d88b4eaa4b

SHA1
94e964fe27a162bb7615966b9136a4f03e3c59eb

SHA256
11d487573493c26febb6b02cd3b2412555b0184213580433194b2791e6a79738

SHA512
8a776c7c741e1edf511c4cd3d76d65cd0689611634230eec9b155f1ddfa87d2280f1dc41562a041663249216fdb9449874446dad415249dcd5cac40f23879d45

Download Submit
C:\Windows\System\rHFGPaQ.exe

Filesize
5.2MB

MD5
1b533078ac08c6aa96aff5c5fa1d7382

SHA1
5dbfdcebc71a0329b2089734779929a59382e4b3

SHA256
7216d20069c1526e43cc4deb5b723f7e7ab1b8d88b764aaed8a92fd1cc42dd94

SHA512
710594c1470828201914fbcc9e7e5b1416a9a8990316719cbd7eb8b86b0d8c880ba66c93958ad7a2a892aad7cb7e70cb139e37ea8056eadfbbfd0804e45d829d

Download Submit
C:\Windows\System\rOyxaKt.exe

Filesize
5.2MB

MD5
3ed932f5b92db39583be0019f4129cf8

SHA1
50d8f599249c71c979f90d6c12b26e3ce0b44fe1

SHA256
696ba1828927cc043b0d5ca2203501422007f8ac3c1b03ae8db9ab5e58d93a89

SHA512
defc4b88cf9d5599dc9ddc5599e59941613dee6dde3b57b683fe2ffa6b1a280473833dfb0811c8c1117bd10a026966ad93dc4c2c99bf97f7e4585caf78f436c4

Download Submit
C:\Windows\System\sFOFQak.exe

Filesize
5.2MB

MD5
992189fb5f1e288ae6b97342349e9df8

SHA1
d61c3d2caae4031716f81963616b53f227939605

SHA256
a259c3551a1b938eb9e0d745022d0596f871f0784dccc1dcfc62fab61cc92ce8

SHA512
fc84a16cabab19cfc1fb7451c75a73205c51f1ed5b10c0d82c739e6d0b8814e6efad8a92e4ae90dee65774b807917de09cc061402e23c1f77c4e618fb5cc21fb

Download Submit
C:\Windows\System\vDJGbjZ.exe

Filesize
5.2MB

MD5
e8310c51c36441282006cf886d12b88d

SHA1
ab31968eda28a889c36087393da96113c7555151

SHA256
fb072d709fb7cffa8340c66777a5aa66a203c6d28cbf626ff4aaa28077ecc7fd

SHA512
3317912bdcdb53581b2b5d458feab5e6d393679b7e8c05efef07c15c47f89732364a5b22b79e8af4527af1c5cba6f80936d826e3ecff86cbc0295d3b36db874c

Download Submit
C:\Windows\System\yxafNMH.exe

Filesize
5.2MB

MD5
4c347fbc13dc39fb6dbd6a374f9f489c

SHA1
bb7891f35402eee10bf6ad8a76c8beefbd6ddd0d

SHA256
941755e86f24f2ff5612c1d2013429b6ebb37aa79d662e02b37f35e8e1479ab1

SHA512
a221f233e88e7b91d9acb6ca63e9e5f235f60eb916252bb87f8985a628f4e3e04093c0e1f934a082d2f214cd3cdd885d56d7504b90cec1257e95112f75d16849

Download Submit
memory/8-152-0x00007FF78EB60000-0x00007FF78EEB1000-memory.dmp

Filesize
3.3MB

Download
memory/8-97-0x00007FF78EB60000-0x00007FF78EEB1000-memory.dmp

Filesize
3.3MB

Download
memory/8-258-0x00007FF78EB60000-0x00007FF78EEB1000-memory.dmp

Filesize
3.3MB

Download
memory/220-261-0x00007FF6EAE40000-0x00007FF6EB191000-memory.dmp

Filesize
3.3MB

Download
memory/220-158-0x00007FF6EAE40000-0x00007FF6EB191000-memory.dmp

Filesize
3.3MB

Download
memory/220-102-0x00007FF6EAE40000-0x00007FF6EB191000-memory.dmp

Filesize
3.3MB

Download
memory/472-144-0x00007FF6ACFB0000-0x00007FF6AD301000-memory.dmp

Filesize
3.3MB

Download
memory/472-243-0x00007FF6ACFB0000-0x00007FF6AD301000-memory.dmp

Filesize
3.3MB

Download
memory/472-74-0x00007FF6ACFB0000-0x00007FF6AD301000-memory.dmp

Filesize
3.3MB

Download
memory/844-101-0x00007FF730930000-0x00007FF730C81000-memory.dmp

Filesize
3.3MB

Download
memory/844-256-0x00007FF730930000-0x00007FF730C81000-memory.dmp

Filesize
3.3MB

Download
memory/848-240-0x00007FF7B6C40000-0x00007FF7B6F91000-memory.dmp

Filesize
3.3MB

Download
memory/848-121-0x00007FF7B6C40000-0x00007FF7B6F91000-memory.dmp

Filesize
3.3MB

Download
memory/848-70-0x00007FF7B6C40000-0x00007FF7B6F91000-memory.dmp

Filesize
3.3MB

Download
memory/1196-41-0x00007FF6342C0000-0x00007FF634611000-memory.dmp

Filesize
3.3MB

Download
memory/1196-231-0x00007FF6342C0000-0x00007FF634611000-memory.dmp

Filesize
3.3MB

Download
memory/1236-126-0x00007FF6A8470000-0x00007FF6A87C1000-memory.dmp

Filesize
3.3MB

Download
memory/1236-160-0x00007FF6A8470000-0x00007FF6A87C1000-memory.dmp

Filesize
3.3MB

Download
memory/1236-270-0x00007FF6A8470000-0x00007FF6A87C1000-memory.dmp

Filesize
3.3MB

Download
memory/1348-42-0x00007FF78E7C0000-0x00007FF78EB11000-memory.dmp

Filesize
3.3MB

Download
memory/1348-233-0x00007FF78E7C0000-0x00007FF78EB11000-memory.dmp

Filesize
3.3MB

Download
memory/1348-106-0x00007FF78E7C0000-0x00007FF78EB11000-memory.dmp

Filesize
3.3MB

Download
memory/1692-157-0x00007FF68A1D0000-0x00007FF68A521000-memory.dmp

Filesize
3.3MB

Download
memory/1692-108-0x00007FF68A1D0000-0x00007FF68A521000-memory.dmp

Filesize
3.3MB

Download
memory/1692-262-0x00007FF68A1D0000-0x00007FF68A521000-memory.dmp

Filesize
3.3MB

Download
memory/1780-213-0x00007FF71FBC0000-0x00007FF71FF11000-memory.dmp

Filesize
3.3MB

Download
memory/1780-12-0x00007FF71FBC0000-0x00007FF71FF11000-memory.dmp

Filesize
3.3MB

Download
memory/1780-55-0x00007FF71FBC0000-0x00007FF71FF11000-memory.dmp

Filesize
3.3MB

Download
memory/2260-163-0x00007FF6ABF50000-0x00007FF6AC2A1000-memory.dmp

Filesize
3.3MB

Download
memory/2260-137-0x00007FF6ABF50000-0x00007FF6AC2A1000-memory.dmp

Filesize
3.3MB

Download
memory/2260-57-0x00007FF6ABF50000-0x00007FF6AC2A1000-memory.dmp

Filesize
3.3MB

Download
memory/2260-0-0x00007FF6ABF50000-0x00007FF6AC2A1000-memory.dmp

Filesize
3.3MB

Download
memory/2260-1-0x000001D68A690000-0x000001D68A6A0000-memory.dmp

Filesize
64KB

Download
memory/2372-73-0x00007FF6DC980000-0x00007FF6DCCD1000-memory.dmp

Filesize
3.3MB

Download
memory/2372-238-0x00007FF6DC980000-0x00007FF6DCCD1000-memory.dmp

Filesize
3.3MB

Download
memory/2720-159-0x00007FF780490000-0x00007FF7807E1000-memory.dmp

Filesize
3.3MB

Download
memory/2720-125-0x00007FF780490000-0x00007FF7807E1000-memory.dmp

Filesize
3.3MB

Download
memory/2720-266-0x00007FF780490000-0x00007FF7807E1000-memory.dmp

Filesize
3.3MB

Download
memory/2780-27-0x00007FF6CF880000-0x00007FF6CFBD1000-memory.dmp

Filesize
3.3MB

Download
memory/2780-79-0x00007FF6CF880000-0x00007FF6CFBD1000-memory.dmp

Filesize
3.3MB

Download
memory/2780-222-0x00007FF6CF880000-0x00007FF6CFBD1000-memory.dmp

Filesize
3.3MB

Download
memory/2924-84-0x00007FF7C6900000-0x00007FF7C6C51000-memory.dmp

Filesize
3.3MB

Download
memory/2924-151-0x00007FF7C6900000-0x00007FF7C6C51000-memory.dmp

Filesize
3.3MB

Download
memory/2924-254-0x00007FF7C6900000-0x00007FF7C6C51000-memory.dmp

Filesize
3.3MB

Download
memory/3056-28-0x00007FF76DCF0000-0x00007FF76E041000-memory.dmp

Filesize
3.3MB

Download
memory/3056-223-0x00007FF76DCF0000-0x00007FF76E041000-memory.dmp

Filesize
3.3MB

Download
memory/3056-83-0x00007FF76DCF0000-0x00007FF76E041000-memory.dmp

Filesize
3.3MB

Download
memory/3576-161-0x00007FF660F50000-0x00007FF6612A1000-memory.dmp

Filesize
3.3MB

Download
memory/3576-128-0x00007FF660F50000-0x00007FF6612A1000-memory.dmp

Filesize
3.3MB

Download
memory/3576-269-0x00007FF660F50000-0x00007FF6612A1000-memory.dmp

Filesize
3.3MB

Download
memory/3788-217-0x00007FF70ACE0000-0x00007FF70B031000-memory.dmp

Filesize
3.3MB

Download
memory/3788-18-0x00007FF70ACE0000-0x00007FF70B031000-memory.dmp

Filesize
3.3MB

Download
memory/3788-78-0x00007FF70ACE0000-0x00007FF70B031000-memory.dmp

Filesize
3.3MB

Download
memory/4108-72-0x00007FF606570000-0x00007FF6068C1000-memory.dmp

Filesize
3.3MB

Download
memory/4108-215-0x00007FF606570000-0x00007FF6068C1000-memory.dmp

Filesize
3.3MB

Download
memory/4108-15-0x00007FF606570000-0x00007FF6068C1000-memory.dmp

Filesize
3.3MB

Download
memory/4432-241-0x00007FF7309D0000-0x00007FF730D21000-memory.dmp

Filesize
3.3MB

Download
memory/4432-59-0x00007FF7309D0000-0x00007FF730D21000-memory.dmp

Filesize
3.3MB

Download
memory/4432-120-0x00007FF7309D0000-0x00007FF730D21000-memory.dmp

Filesize
3.3MB

Download
memory/4448-56-0x00007FF6B6300000-0x00007FF6B6651000-memory.dmp

Filesize
3.3MB

Download
memory/4448-235-0x00007FF6B6300000-0x00007FF6B6651000-memory.dmp

Filesize
3.3MB

Download
memory/4888-265-0x00007FF7D0980000-0x00007FF7D0CD1000-memory.dmp

Filesize
3.3MB

Download
memory/4888-162-0x00007FF7D0980000-0x00007FF7D0CD1000-memory.dmp

Filesize
3.3MB

Download
memory/4888-127-0x00007FF7D0980000-0x00007FF7D0CD1000-memory.dmp

Filesize
3.3MB

Download