cobaltstrike | b2cb7fc5a3539d6a5ce36d7f371e224fafa236534b01b999a74310a9ff9dfb25

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14-12-2024 02:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-14_68bdf67bf7dea2b983150fa6b0c83495_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

68bdf67bf7dea2b983150fa6b0c83495
SHA1

fa8f8ec1f70753ce9431f18b5e0bac7999e149f5
SHA256

b2cb7fc5a3539d6a5ce36d7f371e224fafa236534b01b999a74310a9ff9dfb25
SHA512

ec5b52c6e88e9d7a38ccd5d7a16d177ecf9e60cbac513a13bf45c0d6d2c85dfa71657bf6c747af6b13d57f06f4ef32f34101b95d6978861d5adeef1b1963d909
SSDEEP

49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lH:RWWBibd56utgpPFotBER/mQ32lUz

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000a000000023c08-5.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cae-10.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023caa-12.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023caf-22.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb1-30.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb3-36.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb6-54.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb7-83.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbb-90.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbd-101.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc0-111.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbf-118.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbe-124.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cba-104.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbc-94.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb9-93.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb8-74.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023cab-68.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb5-61.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb4-47.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb2-44.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/2684-126-0x00007FF6367B0000-0x00007FF636B01000-memory.dmp	xmrig
behavioral2/memory/2244-127-0x00007FF7FCB40000-0x00007FF7FCE91000-memory.dmp	xmrig
behavioral2/memory/4368-123-0x00007FF7A0330000-0x00007FF7A0681000-memory.dmp	xmrig
behavioral2/memory/1664-122-0x00007FF7E0D40000-0x00007FF7E1091000-memory.dmp	xmrig
behavioral2/memory/4212-113-0x00007FF7A3570000-0x00007FF7A38C1000-memory.dmp	xmrig
behavioral2/memory/1116-112-0x00007FF70ABC0000-0x00007FF70AF11000-memory.dmp	xmrig
behavioral2/memory/4532-107-0x00007FF736A90000-0x00007FF736DE1000-memory.dmp	xmrig
behavioral2/memory/1056-98-0x00007FF6F1B30000-0x00007FF6F1E81000-memory.dmp	xmrig
behavioral2/memory/1196-79-0x00007FF6C4710000-0x00007FF6C4A61000-memory.dmp	xmrig
behavioral2/memory/3068-73-0x00007FF6A1890000-0x00007FF6A1BE1000-memory.dmp	xmrig
behavioral2/memory/2108-52-0x00007FF6C0880000-0x00007FF6C0BD1000-memory.dmp	xmrig
behavioral2/memory/1888-39-0x00007FF66A810000-0x00007FF66AB61000-memory.dmp	xmrig
behavioral2/memory/3204-128-0x00007FF747E60000-0x00007FF7481B1000-memory.dmp	xmrig
behavioral2/memory/3644-129-0x00007FF767810000-0x00007FF767B61000-memory.dmp	xmrig
behavioral2/memory/3332-130-0x00007FF6297D0000-0x00007FF629B21000-memory.dmp	xmrig
behavioral2/memory/4472-135-0x00007FF79D5B0000-0x00007FF79D901000-memory.dmp	xmrig
behavioral2/memory/3204-131-0x00007FF747E60000-0x00007FF7481B1000-memory.dmp	xmrig
behavioral2/memory/4980-138-0x00007FF744660000-0x00007FF7449B1000-memory.dmp	xmrig
behavioral2/memory/4160-140-0x00007FF72B170000-0x00007FF72B4C1000-memory.dmp	xmrig
behavioral2/memory/4112-146-0x00007FF7F3B50000-0x00007FF7F3EA1000-memory.dmp	xmrig
behavioral2/memory/2652-153-0x00007FF6CE8F0000-0x00007FF6CEC41000-memory.dmp	xmrig
behavioral2/memory/4976-147-0x00007FF67A9A0000-0x00007FF67ACF1000-memory.dmp	xmrig
behavioral2/memory/2892-139-0x00007FF7DC510000-0x00007FF7DC861000-memory.dmp	xmrig
behavioral2/memory/3204-154-0x00007FF747E60000-0x00007FF7481B1000-memory.dmp	xmrig
behavioral2/memory/3644-204-0x00007FF767810000-0x00007FF767B61000-memory.dmp	xmrig
behavioral2/memory/3332-206-0x00007FF6297D0000-0x00007FF629B21000-memory.dmp	xmrig
behavioral2/memory/4980-208-0x00007FF744660000-0x00007FF7449B1000-memory.dmp	xmrig
behavioral2/memory/4472-222-0x00007FF79D5B0000-0x00007FF79D901000-memory.dmp	xmrig
behavioral2/memory/1888-224-0x00007FF66A810000-0x00007FF66AB61000-memory.dmp	xmrig
behavioral2/memory/2892-226-0x00007FF7DC510000-0x00007FF7DC861000-memory.dmp	xmrig
behavioral2/memory/2108-228-0x00007FF6C0880000-0x00007FF6C0BD1000-memory.dmp	xmrig
behavioral2/memory/4160-230-0x00007FF72B170000-0x00007FF72B4C1000-memory.dmp	xmrig
behavioral2/memory/3068-232-0x00007FF6A1890000-0x00007FF6A1BE1000-memory.dmp	xmrig
behavioral2/memory/1056-235-0x00007FF6F1B30000-0x00007FF6F1E81000-memory.dmp	xmrig
behavioral2/memory/1196-236-0x00007FF6C4710000-0x00007FF6C4A61000-memory.dmp	xmrig
behavioral2/memory/4532-238-0x00007FF736A90000-0x00007FF736DE1000-memory.dmp	xmrig
behavioral2/memory/1116-240-0x00007FF70ABC0000-0x00007FF70AF11000-memory.dmp	xmrig
behavioral2/memory/4212-248-0x00007FF7A3570000-0x00007FF7A38C1000-memory.dmp	xmrig
behavioral2/memory/4112-249-0x00007FF7F3B50000-0x00007FF7F3EA1000-memory.dmp	xmrig
behavioral2/memory/4976-251-0x00007FF67A9A0000-0x00007FF67ACF1000-memory.dmp	xmrig
behavioral2/memory/1664-253-0x00007FF7E0D40000-0x00007FF7E1091000-memory.dmp	xmrig
behavioral2/memory/4368-255-0x00007FF7A0330000-0x00007FF7A0681000-memory.dmp	xmrig
behavioral2/memory/2684-257-0x00007FF6367B0000-0x00007FF636B01000-memory.dmp	xmrig
behavioral2/memory/2652-259-0x00007FF6CE8F0000-0x00007FF6CEC41000-memory.dmp	xmrig
behavioral2/memory/2244-261-0x00007FF7FCB40000-0x00007FF7FCE91000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
3644	ulBbPRK.exe
3332	RsshMIa.exe
4980	rouCAmL.exe
4472	lVfDlTC.exe
1888	wMuDjiv.exe
2108	sRMXILO.exe
2892	eCkWhLj.exe
4160	ILkzWMr.exe
1056	RYctAWe.exe
3068	GSGRMwf.exe
1196	PvCkRHl.exe
4532	jdWPAhb.exe
1116	AoKIXLq.exe
4112	RvSlNhK.exe
4976	vYNKkNl.exe
1664	xfyVovC.exe
4212	QPDcAsp.exe
4368	RBRtvOV.exe
2684	GAnHVfB.exe
2652	mJHHsil.exe
2244	AdmamXy.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3204-0-0x00007FF747E60000-0x00007FF7481B1000-memory.dmp	upx
behavioral2/files/0x000a000000023c08-5.dat	upx
behavioral2/memory/3644-7-0x00007FF767810000-0x00007FF767B61000-memory.dmp	upx
behavioral2/files/0x0007000000023cae-10.dat	upx
behavioral2/files/0x0008000000023caa-12.dat	upx
behavioral2/memory/4980-18-0x00007FF744660000-0x00007FF7449B1000-memory.dmp	upx
behavioral2/memory/3332-16-0x00007FF6297D0000-0x00007FF629B21000-memory.dmp	upx
behavioral2/files/0x0007000000023caf-22.dat	upx
behavioral2/memory/4472-25-0x00007FF79D5B0000-0x00007FF79D901000-memory.dmp	upx
behavioral2/files/0x0007000000023cb1-30.dat	upx
behavioral2/files/0x0007000000023cb3-36.dat	upx
behavioral2/memory/2892-49-0x00007FF7DC510000-0x00007FF7DC861000-memory.dmp	upx
behavioral2/files/0x0007000000023cb6-54.dat	upx
behavioral2/memory/4160-64-0x00007FF72B170000-0x00007FF72B4C1000-memory.dmp	upx
behavioral2/files/0x0007000000023cb7-83.dat	upx
behavioral2/files/0x0007000000023cbb-90.dat	upx
behavioral2/files/0x0007000000023cbd-101.dat	upx
behavioral2/files/0x0007000000023cc0-111.dat	upx
behavioral2/files/0x0007000000023cbf-118.dat	upx
behavioral2/memory/2684-126-0x00007FF6367B0000-0x00007FF636B01000-memory.dmp	upx
behavioral2/memory/2244-127-0x00007FF7FCB40000-0x00007FF7FCE91000-memory.dmp	upx
behavioral2/files/0x0007000000023cbe-124.dat	upx
behavioral2/memory/4368-123-0x00007FF7A0330000-0x00007FF7A0681000-memory.dmp	upx
behavioral2/memory/1664-122-0x00007FF7E0D40000-0x00007FF7E1091000-memory.dmp	upx
behavioral2/memory/2652-117-0x00007FF6CE8F0000-0x00007FF6CEC41000-memory.dmp	upx
behavioral2/memory/4212-113-0x00007FF7A3570000-0x00007FF7A38C1000-memory.dmp	upx
behavioral2/memory/1116-112-0x00007FF70ABC0000-0x00007FF70AF11000-memory.dmp	upx
behavioral2/memory/4532-107-0x00007FF736A90000-0x00007FF736DE1000-memory.dmp	upx
behavioral2/files/0x0007000000023cba-104.dat	upx
behavioral2/memory/1056-98-0x00007FF6F1B30000-0x00007FF6F1E81000-memory.dmp	upx
behavioral2/files/0x0007000000023cbc-94.dat	upx
behavioral2/files/0x0007000000023cb9-93.dat	upx
behavioral2/memory/4976-88-0x00007FF67A9A0000-0x00007FF67ACF1000-memory.dmp	upx
behavioral2/memory/4112-82-0x00007FF7F3B50000-0x00007FF7F3EA1000-memory.dmp	upx
behavioral2/memory/1196-79-0x00007FF6C4710000-0x00007FF6C4A61000-memory.dmp	upx
behavioral2/files/0x0007000000023cb8-74.dat	upx
behavioral2/memory/3068-73-0x00007FF6A1890000-0x00007FF6A1BE1000-memory.dmp	upx
behavioral2/files/0x0008000000023cab-68.dat	upx
behavioral2/files/0x0007000000023cb5-61.dat	upx
behavioral2/memory/2108-52-0x00007FF6C0880000-0x00007FF6C0BD1000-memory.dmp	upx
behavioral2/files/0x0007000000023cb4-47.dat	upx
behavioral2/files/0x0007000000023cb2-44.dat	upx
behavioral2/memory/1888-39-0x00007FF66A810000-0x00007FF66AB61000-memory.dmp	upx
behavioral2/memory/3204-128-0x00007FF747E60000-0x00007FF7481B1000-memory.dmp	upx
behavioral2/memory/3644-129-0x00007FF767810000-0x00007FF767B61000-memory.dmp	upx
behavioral2/memory/3332-130-0x00007FF6297D0000-0x00007FF629B21000-memory.dmp	upx
behavioral2/memory/4472-135-0x00007FF79D5B0000-0x00007FF79D901000-memory.dmp	upx
behavioral2/memory/3204-131-0x00007FF747E60000-0x00007FF7481B1000-memory.dmp	upx
behavioral2/memory/4980-138-0x00007FF744660000-0x00007FF7449B1000-memory.dmp	upx
behavioral2/memory/4160-140-0x00007FF72B170000-0x00007FF72B4C1000-memory.dmp	upx
behavioral2/memory/4112-146-0x00007FF7F3B50000-0x00007FF7F3EA1000-memory.dmp	upx
behavioral2/memory/2652-153-0x00007FF6CE8F0000-0x00007FF6CEC41000-memory.dmp	upx
behavioral2/memory/4976-147-0x00007FF67A9A0000-0x00007FF67ACF1000-memory.dmp	upx
behavioral2/memory/2892-139-0x00007FF7DC510000-0x00007FF7DC861000-memory.dmp	upx
behavioral2/memory/3204-154-0x00007FF747E60000-0x00007FF7481B1000-memory.dmp	upx
behavioral2/memory/3644-204-0x00007FF767810000-0x00007FF767B61000-memory.dmp	upx
behavioral2/memory/3332-206-0x00007FF6297D0000-0x00007FF629B21000-memory.dmp	upx
behavioral2/memory/4980-208-0x00007FF744660000-0x00007FF7449B1000-memory.dmp	upx
behavioral2/memory/4472-222-0x00007FF79D5B0000-0x00007FF79D901000-memory.dmp	upx
behavioral2/memory/1888-224-0x00007FF66A810000-0x00007FF66AB61000-memory.dmp	upx
behavioral2/memory/2892-226-0x00007FF7DC510000-0x00007FF7DC861000-memory.dmp	upx
behavioral2/memory/2108-228-0x00007FF6C0880000-0x00007FF6C0BD1000-memory.dmp	upx
behavioral2/memory/4160-230-0x00007FF72B170000-0x00007FF72B4C1000-memory.dmp	upx
behavioral2/memory/3068-232-0x00007FF6A1890000-0x00007FF6A1BE1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\RsshMIa.exe	2024-12-14_68bdf67bf7dea2b983150fa6b0c83495_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lVfDlTC.exe	2024-12-14_68bdf67bf7dea2b983150fa6b0c83495_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GSGRMwf.exe	2024-12-14_68bdf67bf7dea2b983150fa6b0c83495_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xfyVovC.exe	2024-12-14_68bdf67bf7dea2b983150fa6b0c83495_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RBRtvOV.exe	2024-12-14_68bdf67bf7dea2b983150fa6b0c83495_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AdmamXy.exe	2024-12-14_68bdf67bf7dea2b983150fa6b0c83495_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mJHHsil.exe	2024-12-14_68bdf67bf7dea2b983150fa6b0c83495_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rouCAmL.exe	2024-12-14_68bdf67bf7dea2b983150fa6b0c83495_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RYctAWe.exe	2024-12-14_68bdf67bf7dea2b983150fa6b0c83495_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AoKIXLq.exe	2024-12-14_68bdf67bf7dea2b983150fa6b0c83495_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RvSlNhK.exe	2024-12-14_68bdf67bf7dea2b983150fa6b0c83495_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GAnHVfB.exe	2024-12-14_68bdf67bf7dea2b983150fa6b0c83495_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ulBbPRK.exe	2024-12-14_68bdf67bf7dea2b983150fa6b0c83495_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sRMXILO.exe	2024-12-14_68bdf67bf7dea2b983150fa6b0c83495_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eCkWhLj.exe	2024-12-14_68bdf67bf7dea2b983150fa6b0c83495_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ILkzWMr.exe	2024-12-14_68bdf67bf7dea2b983150fa6b0c83495_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QPDcAsp.exe	2024-12-14_68bdf67bf7dea2b983150fa6b0c83495_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wMuDjiv.exe	2024-12-14_68bdf67bf7dea2b983150fa6b0c83495_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PvCkRHl.exe	2024-12-14_68bdf67bf7dea2b983150fa6b0c83495_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jdWPAhb.exe	2024-12-14_68bdf67bf7dea2b983150fa6b0c83495_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vYNKkNl.exe	2024-12-14_68bdf67bf7dea2b983150fa6b0c83495_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3204	2024-12-14_68bdf67bf7dea2b983150fa6b0c83495_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	3204	2024-12-14_68bdf67bf7dea2b983150fa6b0c83495_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3204 wrote to memory of 3644	3204	2024-12-14_68bdf67bf7dea2b983150fa6b0c83495_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 3204 wrote to memory of 3644	3204	2024-12-14_68bdf67bf7dea2b983150fa6b0c83495_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 3204 wrote to memory of 3332	3204	2024-12-14_68bdf67bf7dea2b983150fa6b0c83495_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3204 wrote to memory of 3332	3204	2024-12-14_68bdf67bf7dea2b983150fa6b0c83495_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3204 wrote to memory of 4980	3204	2024-12-14_68bdf67bf7dea2b983150fa6b0c83495_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3204 wrote to memory of 4980	3204	2024-12-14_68bdf67bf7dea2b983150fa6b0c83495_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3204 wrote to memory of 4472	3204	2024-12-14_68bdf67bf7dea2b983150fa6b0c83495_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3204 wrote to memory of 4472	3204	2024-12-14_68bdf67bf7dea2b983150fa6b0c83495_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3204 wrote to memory of 1888	3204	2024-12-14_68bdf67bf7dea2b983150fa6b0c83495_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3204 wrote to memory of 1888	3204	2024-12-14_68bdf67bf7dea2b983150fa6b0c83495_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3204 wrote to memory of 2108	3204	2024-12-14_68bdf67bf7dea2b983150fa6b0c83495_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3204 wrote to memory of 2108	3204	2024-12-14_68bdf67bf7dea2b983150fa6b0c83495_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3204 wrote to memory of 2892	3204	2024-12-14_68bdf67bf7dea2b983150fa6b0c83495_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3204 wrote to memory of 2892	3204	2024-12-14_68bdf67bf7dea2b983150fa6b0c83495_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3204 wrote to memory of 4160	3204	2024-12-14_68bdf67bf7dea2b983150fa6b0c83495_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3204 wrote to memory of 4160	3204	2024-12-14_68bdf67bf7dea2b983150fa6b0c83495_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3204 wrote to memory of 1056	3204	2024-12-14_68bdf67bf7dea2b983150fa6b0c83495_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3204 wrote to memory of 1056	3204	2024-12-14_68bdf67bf7dea2b983150fa6b0c83495_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3204 wrote to memory of 3068	3204	2024-12-14_68bdf67bf7dea2b983150fa6b0c83495_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3204 wrote to memory of 3068	3204	2024-12-14_68bdf67bf7dea2b983150fa6b0c83495_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3204 wrote to memory of 1196	3204	2024-12-14_68bdf67bf7dea2b983150fa6b0c83495_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3204 wrote to memory of 1196	3204	2024-12-14_68bdf67bf7dea2b983150fa6b0c83495_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3204 wrote to memory of 1116	3204	2024-12-14_68bdf67bf7dea2b983150fa6b0c83495_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3204 wrote to memory of 1116	3204	2024-12-14_68bdf67bf7dea2b983150fa6b0c83495_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3204 wrote to memory of 4532	3204	2024-12-14_68bdf67bf7dea2b983150fa6b0c83495_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3204 wrote to memory of 4532	3204	2024-12-14_68bdf67bf7dea2b983150fa6b0c83495_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3204 wrote to memory of 4112	3204	2024-12-14_68bdf67bf7dea2b983150fa6b0c83495_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3204 wrote to memory of 4112	3204	2024-12-14_68bdf67bf7dea2b983150fa6b0c83495_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3204 wrote to memory of 4976	3204	2024-12-14_68bdf67bf7dea2b983150fa6b0c83495_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3204 wrote to memory of 4976	3204	2024-12-14_68bdf67bf7dea2b983150fa6b0c83495_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3204 wrote to memory of 1664	3204	2024-12-14_68bdf67bf7dea2b983150fa6b0c83495_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3204 wrote to memory of 1664	3204	2024-12-14_68bdf67bf7dea2b983150fa6b0c83495_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3204 wrote to memory of 4212	3204	2024-12-14_68bdf67bf7dea2b983150fa6b0c83495_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3204 wrote to memory of 4212	3204	2024-12-14_68bdf67bf7dea2b983150fa6b0c83495_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3204 wrote to memory of 4368	3204	2024-12-14_68bdf67bf7dea2b983150fa6b0c83495_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3204 wrote to memory of 4368	3204	2024-12-14_68bdf67bf7dea2b983150fa6b0c83495_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3204 wrote to memory of 2244	3204	2024-12-14_68bdf67bf7dea2b983150fa6b0c83495_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3204 wrote to memory of 2244	3204	2024-12-14_68bdf67bf7dea2b983150fa6b0c83495_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3204 wrote to memory of 2684	3204	2024-12-14_68bdf67bf7dea2b983150fa6b0c83495_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3204 wrote to memory of 2684	3204	2024-12-14_68bdf67bf7dea2b983150fa6b0c83495_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3204 wrote to memory of 2652	3204	2024-12-14_68bdf67bf7dea2b983150fa6b0c83495_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3204 wrote to memory of 2652	3204	2024-12-14_68bdf67bf7dea2b983150fa6b0c83495_cobalt-strike_cobaltstrike_poet-rat.exe	103

C:\Users\Admin\AppData\Local\Temp\2024-12-14_68bdf67bf7dea2b983150fa6b0c83495_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-14_68bdf67bf7dea2b983150fa6b0c83495_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3204
- C:\Windows\System\ulBbPRK.exe
  C:\Windows\System\ulBbPRK.exe
  2⤵
  - Executes dropped EXE
  PID:3644
- C:\Windows\System\RsshMIa.exe
  C:\Windows\System\RsshMIa.exe
  2⤵
  - Executes dropped EXE
  PID:3332
- C:\Windows\System\rouCAmL.exe
  C:\Windows\System\rouCAmL.exe
  2⤵
  - Executes dropped EXE
  PID:4980
- C:\Windows\System\lVfDlTC.exe
  C:\Windows\System\lVfDlTC.exe
  2⤵
  - Executes dropped EXE
  PID:4472
- C:\Windows\System\wMuDjiv.exe
  C:\Windows\System\wMuDjiv.exe
  2⤵
  - Executes dropped EXE
  PID:1888
- C:\Windows\System\sRMXILO.exe
  C:\Windows\System\sRMXILO.exe
  2⤵
  - Executes dropped EXE
  PID:2108
- C:\Windows\System\eCkWhLj.exe
  C:\Windows\System\eCkWhLj.exe
  2⤵
  - Executes dropped EXE
  PID:2892
- C:\Windows\System\ILkzWMr.exe
  C:\Windows\System\ILkzWMr.exe
  2⤵
  - Executes dropped EXE
  PID:4160
- C:\Windows\System\RYctAWe.exe
  C:\Windows\System\RYctAWe.exe
  2⤵
  - Executes dropped EXE
  PID:1056
- C:\Windows\System\GSGRMwf.exe
  C:\Windows\System\GSGRMwf.exe
  2⤵
  - Executes dropped EXE
  PID:3068
- C:\Windows\System\PvCkRHl.exe
  C:\Windows\System\PvCkRHl.exe
  2⤵
  - Executes dropped EXE
  PID:1196
- C:\Windows\System\AoKIXLq.exe
  C:\Windows\System\AoKIXLq.exe
  2⤵
  - Executes dropped EXE
  PID:1116
- C:\Windows\System\jdWPAhb.exe
  C:\Windows\System\jdWPAhb.exe
  2⤵
  - Executes dropped EXE
  PID:4532
- C:\Windows\System\RvSlNhK.exe
  C:\Windows\System\RvSlNhK.exe
  2⤵
  - Executes dropped EXE
  PID:4112
- C:\Windows\System\vYNKkNl.exe
  C:\Windows\System\vYNKkNl.exe
  2⤵
  - Executes dropped EXE
  PID:4976
- C:\Windows\System\xfyVovC.exe
  C:\Windows\System\xfyVovC.exe
  2⤵
  - Executes dropped EXE
  PID:1664
- C:\Windows\System\QPDcAsp.exe
  C:\Windows\System\QPDcAsp.exe
  2⤵
  - Executes dropped EXE
  PID:4212
- C:\Windows\System\RBRtvOV.exe
  C:\Windows\System\RBRtvOV.exe
  2⤵
  - Executes dropped EXE
  PID:4368
- C:\Windows\System\AdmamXy.exe
  C:\Windows\System\AdmamXy.exe
  2⤵
  - Executes dropped EXE
  PID:2244
- C:\Windows\System\GAnHVfB.exe
  C:\Windows\System\GAnHVfB.exe
  2⤵
  - Executes dropped EXE
  PID:2684
- C:\Windows\System\mJHHsil.exe
  C:\Windows\System\mJHHsil.exe
  2⤵
  - Executes dropped EXE
  PID:2652

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AdmamXy.exe

Filesize
5.2MB

MD5
265bcf0b0a54ff66c7e2cdfa875eb209

SHA1
020ef3fe985d3aa219a56797a75a02028402c82b

SHA256
0c47d360969a31cf2be7cb1d1f6be7419b7f35aad2526fff336cf4499655adfd

SHA512
33d58ceca9f67807ae6caadc7126927b16c8a9547ee808e272ac76c34223108fd71fbb4706088029ee0dcd730667603cc2cbe7608dafe1b78357b186f779b3fc

Download Submit
C:\Windows\System\AoKIXLq.exe

Filesize
5.2MB

MD5
209e89a5e223b18f83580ce9e91d68c5

SHA1
036b3c2157fef76a51b337c5c1f75fa705f7dc77

SHA256
c601924ab63fee647d80b176d580593cce8f2c44afe2430ca770951dc6aedf0f

SHA512
9f2daecb9d7a423640e876099e993b6b3ffcd24d0842a4ffb72bb551c7aa19e20293efa297e01988b58c0bb7e8431f73363ae5e76e0aea846d58d9169a8fd908

Download Submit
C:\Windows\System\GAnHVfB.exe

Filesize
5.2MB

MD5
45486b4c0220be17b68ffa7d72fe65d6

SHA1
474a750b957e8bbad383992826017ad663343b50

SHA256
e6516c00ced5cf94d55a5f17744094da53a772147c6781214da1e373a5b3890b

SHA512
f3453cf2605139929eed5f5e0053e8f3fc3c48ca0b9f6af7c6f1ea7952a446661f9bfcb5dfee8e7192dc8a69ebe02c8ec21b638123b8e37b8b8d7709cf42265d

Download Submit
C:\Windows\System\GSGRMwf.exe

Filesize
5.2MB

MD5
eb92b3685f2e15b57d564123b8e1041a

SHA1
5fb99adec0ea7c3e1d470f46f4b72c8a0748c7a1

SHA256
676a9da13c8d218e3015bbf4972e0b3e57ce4e5ba08384dd82fe4f1d8e36ccb7

SHA512
8e85fc01e8988f14a919e3ef3536fb53f9c31c189c1c401698baead2c7d658a9201a24bc1e5710b2f6cda448b8986bb1eb487c77589612a87291e2d69a582d2d

Download Submit
C:\Windows\System\ILkzWMr.exe

Filesize
5.2MB

MD5
6850909285d2531c85d7cdce02bda9ba

SHA1
5a585507545e673ba24ca9de1453b47c13723206

SHA256
1a04a66b1983441c5f8e0cc1b4dd9075ab683a36b0832107a58bb26b7ba69db7

SHA512
1294376b83dd64bcae84643f6ebd706088b7787b261d1565b620e8fcb7ab3f39df1c2ae3f0216e0bf4930a9e2f3b6ee3a498924ac6214f2bbd8c353f7f763d5b

Download Submit
C:\Windows\System\PvCkRHl.exe

Filesize
5.2MB

MD5
bd0a0f97ac8b4bcd6d6f0944c94a6b7b

SHA1
c2981bed9b0134c4b98516a5fbe4f89b42863b64

SHA256
914d4ba59fae4cf23b282dd55737636c710ec406195cecc0dea5d45363bf427b

SHA512
70ec1ca85a7585fd6fea6ac8985471ae4ab916a577578c3a7edc009f60c128b5b56223fc8da2f4ff414bb7bf6a410662c2315a3610d12f7e31bd7dc0825b6567

Download Submit
C:\Windows\System\QPDcAsp.exe

Filesize
5.2MB

MD5
832ebe647a17ea4fc945d1a1ad1b492c

SHA1
0a0ccfab2eb97139b36fa4983e901dbe1fec02ca

SHA256
a52d80a8989d88c62352c0f59a988861d08368dc9852ffc228d47394ce51b244

SHA512
72d84fb181bed3bf73d0eab22cfa9411df793b6056a5af4878361849092dce69004c9e258e108a21eed8fa9f0d7e866f6ef4722fe45a39699ad1b7b63fd45e61

Download Submit
C:\Windows\System\RBRtvOV.exe

Filesize
5.2MB

MD5
c27a2584c45ebc8cc9b216dc3228d2f5

SHA1
64affdb5739ee59ede85d04c9d688c20de4d68c5

SHA256
0aef053897d3473f7e0f2bb857b547f56128741a807bb591467a8879b44d1bb2

SHA512
38edd08d0cb846cc715374a87e0be7c99af355a44d19a3a16f46ddc68cae54160890f5f076d3ffc6f0eb5fab8bc84a6515f8a55eaabdc3c1eb868ff3b4a4371b

Download Submit
C:\Windows\System\RYctAWe.exe

Filesize
5.2MB

MD5
074f9124a5a9d7577b3f119faa489391

SHA1
00d0a51fd82400bb7548bf5b3c71f088e7aabd25

SHA256
9036b193223ee616accd1f53720596ac5560505a458df96a855b6a89331440e3

SHA512
c3694f7b4d87fa9d6230d7e27a7e900d9c1550f2dfd936ff2e4d9ab2e692cc49e21a2317cf6b7c0f74e46703f3ed72ead839ba7a80a9850c8add2ba37cf8eecd

Download Submit
C:\Windows\System\RsshMIa.exe

Filesize
5.2MB

MD5
7426c1ecfcb08ddc992b7cba83f7fef0

SHA1
997c6641179a60c361d9c108749300d27d684b2e

SHA256
a74ac6e0f5aa705d1f91099daa677b4c8f88ee7bb056d762eabd37d65bb115ea

SHA512
bb2eddaa1a58d387c7468aaaaff9e992bc651e41616e9f619435b2a8c39345f3c141bd25468e72b9f531edef2c9a40bbeb69d38fddb91b521ee66515c27f7a36

Download Submit
C:\Windows\System\RvSlNhK.exe

Filesize
5.2MB

MD5
79cb1897c62b2019a7791a998b88720f

SHA1
3e8afa2fafecaea45b758e1ffc7825d27d79589e

SHA256
8281c00220e185a772e9ca3395ea878a9493b7868b306f2390a4929dbacb7d6f

SHA512
0a86e5b8820ddc33ceceb72e83d1bf23b84a2475be4a617e954fd46a204f9cf6b2f60221e3edff3d58c0117b326f2178af797e5ecc066ead2a9b20e71b1d00d1

Download Submit
C:\Windows\System\eCkWhLj.exe

Filesize
5.2MB

MD5
b71faefc366e71efae175e821958df2a

SHA1
e743f3a04af950a5e8e61c60c0ff5ccbaad88237

SHA256
62edabe4d02245dba5ffa159acffe67d19eefc841b762ab165fe215810371847

SHA512
08d2ed035ed5918e756c123292d8380427ae7d8e198492a64ca028a0325bc04d2780542947784c7e1230ed0d8a68b9cb83a2e9d1fa63ba2b5157882123286181

Download Submit
C:\Windows\System\jdWPAhb.exe

Filesize
5.2MB

MD5
27ec67fbc985342ee3b0cc021120a2f3

SHA1
9cfd358d45345722fe0c3fd9c671efe197322e24

SHA256
edc6dd0c62da80f6ff4f57b4ce722c3f14269f1086be35d72940677856277af9

SHA512
b35a705e811e726cba45b4fa90075e2a7555e1eeb79e3652cffc60e688c084c1b34a4c94a822d33b7d042e22d23ede7fc9f94015bea06327fdfcc9e3e0d06c1c

Download Submit
C:\Windows\System\lVfDlTC.exe

Filesize
5.2MB

MD5
4ee891ca83a3e34d88366bfb06f22585

SHA1
aae5e45562219e8cc42b9edb428c5bc68da6a3f7

SHA256
c5619eeb6b16cafd1a216516db2bb4e033662175e944acace34751cf4801864f

SHA512
1c76ffbb1853629d6ae71139578a9a261979f893c5d6963f0478a5e792e227f305d87b20dc1a5fc6adf436e4bfa3f909278176848bf1f9f2186085aeecab9659

Download Submit
C:\Windows\System\mJHHsil.exe

Filesize
5.2MB

MD5
2e2f84efd9546f2b55c1dfe4d3c3520c

SHA1
ec5de860c1f322c07915890183516627007b28f3

SHA256
914c8dbf3bf7489fc152ff5fc8b77c1b63b200530682c6c4b9df5700fa030296

SHA512
6a33f39155263b3c8a8605d221a1d37b330cd2bbce2fbdeb6790d704d40b7b858ae5ef28e30958c158afb1e0bb5efba9e3398046ee24bec208fc5b64b38b90c9

Download Submit
C:\Windows\System\rouCAmL.exe

Filesize
5.2MB

MD5
458fe7e2f5df95eff206e88248fb9558

SHA1
89e3d29496c58c4935e1059ac12dbbfff761e1fd

SHA256
0797dc57ede0ed4c0e8cbf4de7c033e98d2d63e6d57c4dd91c62cb471f18c73c

SHA512
21831a8b1b0dacae2dbb706ac7b0d792cd5ddadd47b4ad4b6920f4fb89961c254fc972f4deb6afda5df75991efc422020fcb9d0b2b58bff548a10d7372870128

Download Submit
C:\Windows\System\sRMXILO.exe

Filesize
5.2MB

MD5
11a579accfa26e145e2c8cf46e1b2cee

SHA1
b2a92cd7d9f7fa67313e91fabb5f2860a48168cd

SHA256
b0cd63c77446ddcb6f3e77603ad06062a8ddd1c5764402a78a646e9541b265b9

SHA512
81c7d486fb91514d9ac6897fccb51edae5704c1c152fd1254254a65ae7c6edc0cff03083157fd346f526cafa02ae6de84b837496bcdf257e7fa65e1a62894354

Download Submit
C:\Windows\System\ulBbPRK.exe

Filesize
5.2MB

MD5
8edd168bc2a958756ba1fc90ed68875e

SHA1
95cd3dd4c9b79916efa6cbc5faf456b49ba0a81a

SHA256
60461bb1ecfe5ad2279ae74647c97a9535762d1f41a16c27d81afb07cc7f52a2

SHA512
7808033cb5f866c14adfbd4934ade8899f9239b494dbda2dc86aec4b03616793f7905d25390b56faf4aa0388438264dc8f5cf19bf16648e9b90a9c8a372857b9

Download Submit
C:\Windows\System\vYNKkNl.exe

Filesize
5.2MB

MD5
167bb6dd3d12481c0b20ffbc0e2e5c33

SHA1
75b85a2e662ac673f0223b5b451672214a08a6e0

SHA256
adec86b4bbe21cf4795b14e48e4e6953b1d90d4e5279b0dc07f2ef8afa9b4b0e

SHA512
f2d50dfba4fbb06def92caa7fc5ab0666b5cf98c9c70410c1806b08b27436ff756726cc130ab6ead1911f9896c511ea62a98a492e0ad069c7e2090447292c915

Download Submit
C:\Windows\System\wMuDjiv.exe

Filesize
5.2MB

MD5
18f97441feba1e2e0fcbb5c01d421c4c

SHA1
b01a7caf5804f3d56c820c586026efb2eb1ef777

SHA256
dbbb718a3b7a970591f7046ce30cf4e00bfee1c8eacf5d5730c0a0cf306d9c4a

SHA512
b9e6db477e45dbf9bda80ed705d6b40ac3052e985f5af028e68e0abd6e8df12e68f616920bf51be3836d208b12678bc7d29377e75713fb2a435a2767ce40f1c2

Download Submit
C:\Windows\System\xfyVovC.exe

Filesize
5.2MB

MD5
1bc9be18cf0e6312464563c0521d0903

SHA1
a06d303e9fea4c70c53a2d775cc73456ce8deab8

SHA256
04cc9b3122896c45f8a99548d85667772e6389122a8415be42c54c91cdf69a18

SHA512
9c7769c25ff3422f1cabdcc60ffb3c831b82d488073fb8f8a7d5f9ffa6f92b9d928983c43881d3fd216cafd6d88801cbacc03f45b0ec6a19a9bba48fbd1eb600

Download Submit
memory/1056-98-0x00007FF6F1B30000-0x00007FF6F1E81000-memory.dmp

Filesize
3.3MB

Download
memory/1056-235-0x00007FF6F1B30000-0x00007FF6F1E81000-memory.dmp

Filesize
3.3MB

Download
memory/1116-112-0x00007FF70ABC0000-0x00007FF70AF11000-memory.dmp

Filesize
3.3MB

Download
memory/1116-240-0x00007FF70ABC0000-0x00007FF70AF11000-memory.dmp

Filesize
3.3MB

Download
memory/1196-79-0x00007FF6C4710000-0x00007FF6C4A61000-memory.dmp

Filesize
3.3MB

Download
memory/1196-236-0x00007FF6C4710000-0x00007FF6C4A61000-memory.dmp

Filesize
3.3MB

Download
memory/1664-122-0x00007FF7E0D40000-0x00007FF7E1091000-memory.dmp

Filesize
3.3MB

Download
memory/1664-253-0x00007FF7E0D40000-0x00007FF7E1091000-memory.dmp

Filesize
3.3MB

Download
memory/1888-224-0x00007FF66A810000-0x00007FF66AB61000-memory.dmp

Filesize
3.3MB

Download
memory/1888-39-0x00007FF66A810000-0x00007FF66AB61000-memory.dmp

Filesize
3.3MB

Download
memory/2108-228-0x00007FF6C0880000-0x00007FF6C0BD1000-memory.dmp

Filesize
3.3MB

Download
memory/2108-52-0x00007FF6C0880000-0x00007FF6C0BD1000-memory.dmp

Filesize
3.3MB

Download
memory/2244-127-0x00007FF7FCB40000-0x00007FF7FCE91000-memory.dmp

Filesize
3.3MB

Download
memory/2244-261-0x00007FF7FCB40000-0x00007FF7FCE91000-memory.dmp

Filesize
3.3MB

Download
memory/2652-117-0x00007FF6CE8F0000-0x00007FF6CEC41000-memory.dmp

Filesize
3.3MB

Download
memory/2652-153-0x00007FF6CE8F0000-0x00007FF6CEC41000-memory.dmp

Filesize
3.3MB

Download
memory/2652-259-0x00007FF6CE8F0000-0x00007FF6CEC41000-memory.dmp

Filesize
3.3MB

Download
memory/2684-257-0x00007FF6367B0000-0x00007FF636B01000-memory.dmp

Filesize
3.3MB

Download
memory/2684-126-0x00007FF6367B0000-0x00007FF636B01000-memory.dmp

Filesize
3.3MB

Download
memory/2892-226-0x00007FF7DC510000-0x00007FF7DC861000-memory.dmp

Filesize
3.3MB

Download
memory/2892-139-0x00007FF7DC510000-0x00007FF7DC861000-memory.dmp

Filesize
3.3MB

Download
memory/2892-49-0x00007FF7DC510000-0x00007FF7DC861000-memory.dmp

Filesize
3.3MB

Download
memory/3068-232-0x00007FF6A1890000-0x00007FF6A1BE1000-memory.dmp

Filesize
3.3MB

Download
memory/3068-73-0x00007FF6A1890000-0x00007FF6A1BE1000-memory.dmp

Filesize
3.3MB

Download
memory/3204-128-0x00007FF747E60000-0x00007FF7481B1000-memory.dmp

Filesize
3.3MB

Download
memory/3204-131-0x00007FF747E60000-0x00007FF7481B1000-memory.dmp

Filesize
3.3MB

Download
memory/3204-0-0x00007FF747E60000-0x00007FF7481B1000-memory.dmp

Filesize
3.3MB

Download
memory/3204-1-0x0000024540A90000-0x0000024540AA0000-memory.dmp

Filesize
64KB

Download
memory/3204-154-0x00007FF747E60000-0x00007FF7481B1000-memory.dmp

Filesize
3.3MB

Download
memory/3332-16-0x00007FF6297D0000-0x00007FF629B21000-memory.dmp

Filesize
3.3MB

Download
memory/3332-130-0x00007FF6297D0000-0x00007FF629B21000-memory.dmp

Filesize
3.3MB

Download
memory/3332-206-0x00007FF6297D0000-0x00007FF629B21000-memory.dmp

Filesize
3.3MB

Download
memory/3644-204-0x00007FF767810000-0x00007FF767B61000-memory.dmp

Filesize
3.3MB

Download
memory/3644-129-0x00007FF767810000-0x00007FF767B61000-memory.dmp

Filesize
3.3MB

Download
memory/3644-7-0x00007FF767810000-0x00007FF767B61000-memory.dmp

Filesize
3.3MB

Download
memory/4112-249-0x00007FF7F3B50000-0x00007FF7F3EA1000-memory.dmp

Filesize
3.3MB

Download
memory/4112-82-0x00007FF7F3B50000-0x00007FF7F3EA1000-memory.dmp

Filesize
3.3MB

Download
memory/4112-146-0x00007FF7F3B50000-0x00007FF7F3EA1000-memory.dmp

Filesize
3.3MB

Download
memory/4160-230-0x00007FF72B170000-0x00007FF72B4C1000-memory.dmp

Filesize
3.3MB

Download
memory/4160-140-0x00007FF72B170000-0x00007FF72B4C1000-memory.dmp

Filesize
3.3MB

Download
memory/4160-64-0x00007FF72B170000-0x00007FF72B4C1000-memory.dmp

Filesize
3.3MB

Download
memory/4212-113-0x00007FF7A3570000-0x00007FF7A38C1000-memory.dmp

Filesize
3.3MB

Download
memory/4212-248-0x00007FF7A3570000-0x00007FF7A38C1000-memory.dmp

Filesize
3.3MB

Download
memory/4368-123-0x00007FF7A0330000-0x00007FF7A0681000-memory.dmp

Filesize
3.3MB

Download
memory/4368-255-0x00007FF7A0330000-0x00007FF7A0681000-memory.dmp

Filesize
3.3MB

Download
memory/4472-222-0x00007FF79D5B0000-0x00007FF79D901000-memory.dmp

Filesize
3.3MB

Download
memory/4472-25-0x00007FF79D5B0000-0x00007FF79D901000-memory.dmp

Filesize
3.3MB

Download
memory/4472-135-0x00007FF79D5B0000-0x00007FF79D901000-memory.dmp

Filesize
3.3MB

Download
memory/4532-107-0x00007FF736A90000-0x00007FF736DE1000-memory.dmp

Filesize
3.3MB

Download
memory/4532-238-0x00007FF736A90000-0x00007FF736DE1000-memory.dmp

Filesize
3.3MB

Download
memory/4976-88-0x00007FF67A9A0000-0x00007FF67ACF1000-memory.dmp

Filesize
3.3MB

Download
memory/4976-147-0x00007FF67A9A0000-0x00007FF67ACF1000-memory.dmp

Filesize
3.3MB

Download
memory/4976-251-0x00007FF67A9A0000-0x00007FF67ACF1000-memory.dmp

Filesize
3.3MB

Download
memory/4980-208-0x00007FF744660000-0x00007FF7449B1000-memory.dmp

Filesize
3.3MB

Download
memory/4980-18-0x00007FF744660000-0x00007FF7449B1000-memory.dmp

Filesize
3.3MB

Download
memory/4980-138-0x00007FF744660000-0x00007FF7449B1000-memory.dmp

Filesize
3.3MB

Download