cobaltstrike | 25e517521ae9fb8fc16fe674bf764391d179267472a839c5830b785d767ec637

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14-12-2024 03:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-14_ead1fe5746bf59e91ea0959a39ba069e_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

ead1fe5746bf59e91ea0959a39ba069e
SHA1

2186e676d2c47c2f0f42e22826101aab76d58a73
SHA256

25e517521ae9fb8fc16fe674bf764391d179267472a839c5830b785d767ec637
SHA512

0c9696084af25b999fe24474c55c3a5b1be65d30ff6f1ce6dd3112ebebdae01ec6426b0e09f59a04b7547f6a68e3f99aa047a0e7d6b09803a6ea4d402879a3fc
SSDEEP

49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lg:RWWBibd56utgpPFotBER/mQ32lUE

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000b000000023b81-5.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b83-9.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b85-26.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b88-41.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b87-54.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8e-78.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8d-83.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b92-96.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b7f-110.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b94-126.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b93-120.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b91-113.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8f-111.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b90-106.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8c-79.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8b-91.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8a-71.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b89-55.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b86-46.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b84-27.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b82-18.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/2640-124-0x00007FF6DF100000-0x00007FF6DF451000-memory.dmp	xmrig
behavioral2/memory/3496-123-0x00007FF66C2C0000-0x00007FF66C611000-memory.dmp	xmrig
behavioral2/memory/5060-117-0x00007FF7840D0000-0x00007FF784421000-memory.dmp	xmrig
behavioral2/memory/116-62-0x00007FF7DA0E0000-0x00007FF7DA431000-memory.dmp	xmrig
behavioral2/memory/2680-49-0x00007FF66B3D0000-0x00007FF66B721000-memory.dmp	xmrig
behavioral2/memory/3648-129-0x00007FF6E4EE0000-0x00007FF6E5231000-memory.dmp	xmrig
behavioral2/memory/4868-130-0x00007FF7ADFE0000-0x00007FF7AE331000-memory.dmp	xmrig
behavioral2/memory/4676-131-0x00007FF6DF4F0000-0x00007FF6DF841000-memory.dmp	xmrig
behavioral2/memory/1884-132-0x00007FF71FC20000-0x00007FF71FF71000-memory.dmp	xmrig
behavioral2/memory/5064-133-0x00007FF7B0970000-0x00007FF7B0CC1000-memory.dmp	xmrig
behavioral2/memory/4704-134-0x00007FF7D83A0000-0x00007FF7D86F1000-memory.dmp	xmrig
behavioral2/memory/624-135-0x00007FF7A8550000-0x00007FF7A88A1000-memory.dmp	xmrig
behavioral2/memory/3496-136-0x00007FF66C2C0000-0x00007FF66C611000-memory.dmp	xmrig
behavioral2/memory/4732-138-0x00007FF7D6BC0000-0x00007FF7D6F11000-memory.dmp	xmrig
behavioral2/memory/4680-139-0x00007FF6EED40000-0x00007FF6EF091000-memory.dmp	xmrig
behavioral2/memory/536-158-0x00007FF6BE8A0000-0x00007FF6BEBF1000-memory.dmp	xmrig
behavioral2/memory/2388-157-0x00007FF72E530000-0x00007FF72E881000-memory.dmp	xmrig
behavioral2/memory/2120-155-0x00007FF63BF90000-0x00007FF63C2E1000-memory.dmp	xmrig
behavioral2/memory/3432-152-0x00007FF7254D0000-0x00007FF725821000-memory.dmp	xmrig
behavioral2/memory/4076-149-0x00007FF7CBAA0000-0x00007FF7CBDF1000-memory.dmp	xmrig
behavioral2/memory/1920-156-0x00007FF642A70000-0x00007FF642DC1000-memory.dmp	xmrig
behavioral2/memory/4888-153-0x00007FF6D4DA0000-0x00007FF6D50F1000-memory.dmp	xmrig
behavioral2/memory/2952-160-0x00007FF6A2ED0000-0x00007FF6A3221000-memory.dmp	xmrig
behavioral2/memory/3496-161-0x00007FF66C2C0000-0x00007FF66C611000-memory.dmp	xmrig
behavioral2/memory/3648-216-0x00007FF6E4EE0000-0x00007FF6E5231000-memory.dmp	xmrig
behavioral2/memory/4868-218-0x00007FF7ADFE0000-0x00007FF7AE331000-memory.dmp	xmrig
behavioral2/memory/4676-220-0x00007FF6DF4F0000-0x00007FF6DF841000-memory.dmp	xmrig
behavioral2/memory/2680-234-0x00007FF66B3D0000-0x00007FF66B721000-memory.dmp	xmrig
behavioral2/memory/5064-236-0x00007FF7B0970000-0x00007FF7B0CC1000-memory.dmp	xmrig
behavioral2/memory/1884-242-0x00007FF71FC20000-0x00007FF71FF71000-memory.dmp	xmrig
behavioral2/memory/4704-241-0x00007FF7D83A0000-0x00007FF7D86F1000-memory.dmp	xmrig
behavioral2/memory/116-239-0x00007FF7DA0E0000-0x00007FF7DA431000-memory.dmp	xmrig
behavioral2/memory/536-249-0x00007FF6BE8A0000-0x00007FF6BEBF1000-memory.dmp	xmrig
behavioral2/memory/3432-247-0x00007FF7254D0000-0x00007FF725821000-memory.dmp	xmrig
behavioral2/memory/624-254-0x00007FF7A8550000-0x00007FF7A88A1000-memory.dmp	xmrig
behavioral2/memory/4888-258-0x00007FF6D4DA0000-0x00007FF6D50F1000-memory.dmp	xmrig
behavioral2/memory/5060-257-0x00007FF7840D0000-0x00007FF784421000-memory.dmp	xmrig
behavioral2/memory/4732-253-0x00007FF7D6BC0000-0x00007FF7D6F11000-memory.dmp	xmrig
behavioral2/memory/4680-251-0x00007FF6EED40000-0x00007FF6EF091000-memory.dmp	xmrig
behavioral2/memory/4076-245-0x00007FF7CBAA0000-0x00007FF7CBDF1000-memory.dmp	xmrig
behavioral2/memory/1920-262-0x00007FF642A70000-0x00007FF642DC1000-memory.dmp	xmrig
behavioral2/memory/2120-260-0x00007FF63BF90000-0x00007FF63C2E1000-memory.dmp	xmrig
behavioral2/memory/2952-266-0x00007FF6A2ED0000-0x00007FF6A3221000-memory.dmp	xmrig
behavioral2/memory/2640-265-0x00007FF6DF100000-0x00007FF6DF451000-memory.dmp	xmrig
behavioral2/memory/2388-268-0x00007FF72E530000-0x00007FF72E881000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
3648	pejeBkQ.exe
4868	bXfVgWQ.exe
5064	cjMutDu.exe
4676	vuRWUDb.exe
1884	LvPtuCk.exe
2680	KXcgXQp.exe
4704	OrJiPya.exe
624	SxbaRSy.exe
116	vJZNRhX.exe
4732	GOEfcVI.exe
4076	PdHmNuN.exe
4680	mNLAGVN.exe
536	vahaNHG.exe
3432	BccAnjJ.exe
5060	aJsdtTa.exe
4888	fShKEIV.exe
2120	dVzcXje.exe
1920	nYeQPaM.exe
2388	gjStBTT.exe
2640	cOGAzZT.exe
2952	HcCVqtM.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3496-0-0x00007FF66C2C0000-0x00007FF66C611000-memory.dmp	upx
behavioral2/files/0x000b000000023b81-5.dat	upx
behavioral2/files/0x000a000000023b83-9.dat	upx
behavioral2/files/0x000a000000023b85-26.dat	upx
behavioral2/files/0x000a000000023b88-41.dat	upx
behavioral2/files/0x000a000000023b87-54.dat	upx
behavioral2/memory/4732-67-0x00007FF7D6BC0000-0x00007FF7D6F11000-memory.dmp	upx
behavioral2/files/0x000a000000023b8e-78.dat	upx
behavioral2/files/0x000a000000023b8d-83.dat	upx
behavioral2/files/0x000a000000023b92-96.dat	upx
behavioral2/memory/4888-97-0x00007FF6D4DA0000-0x00007FF6D50F1000-memory.dmp	upx
behavioral2/files/0x000b000000023b7f-110.dat	upx
behavioral2/files/0x000a000000023b94-126.dat	upx
behavioral2/memory/2952-125-0x00007FF6A2ED0000-0x00007FF6A3221000-memory.dmp	upx
behavioral2/memory/2640-124-0x00007FF6DF100000-0x00007FF6DF451000-memory.dmp	upx
behavioral2/memory/3496-123-0x00007FF66C2C0000-0x00007FF66C611000-memory.dmp	upx
behavioral2/memory/2388-122-0x00007FF72E530000-0x00007FF72E881000-memory.dmp	upx
behavioral2/files/0x000a000000023b93-120.dat	upx
behavioral2/memory/5060-117-0x00007FF7840D0000-0x00007FF784421000-memory.dmp	upx
behavioral2/files/0x000a000000023b91-113.dat	upx
behavioral2/files/0x000a000000023b8f-111.dat	upx
behavioral2/memory/1920-108-0x00007FF642A70000-0x00007FF642DC1000-memory.dmp	upx
behavioral2/files/0x000a000000023b90-106.dat	upx
behavioral2/memory/2120-100-0x00007FF63BF90000-0x00007FF63C2E1000-memory.dmp	upx
behavioral2/memory/3432-88-0x00007FF7254D0000-0x00007FF725821000-memory.dmp	upx
behavioral2/memory/536-87-0x00007FF6BE8A0000-0x00007FF6BEBF1000-memory.dmp	upx
behavioral2/files/0x000a000000023b8c-79.dat	upx
behavioral2/files/0x000a000000023b8b-91.dat	upx
behavioral2/files/0x000a000000023b8a-71.dat	upx
behavioral2/memory/4076-76-0x00007FF7CBAA0000-0x00007FF7CBDF1000-memory.dmp	upx
behavioral2/memory/4680-68-0x00007FF6EED40000-0x00007FF6EF091000-memory.dmp	upx
behavioral2/memory/116-62-0x00007FF7DA0E0000-0x00007FF7DA431000-memory.dmp	upx
behavioral2/memory/624-58-0x00007FF7A8550000-0x00007FF7A88A1000-memory.dmp	upx
behavioral2/files/0x000a000000023b89-55.dat	upx
behavioral2/memory/2680-49-0x00007FF66B3D0000-0x00007FF66B721000-memory.dmp	upx
behavioral2/memory/4704-42-0x00007FF7D83A0000-0x00007FF7D86F1000-memory.dmp	upx
behavioral2/memory/1884-39-0x00007FF71FC20000-0x00007FF71FF71000-memory.dmp	upx
behavioral2/files/0x000a000000023b86-46.dat	upx
behavioral2/files/0x000a000000023b84-27.dat	upx
behavioral2/memory/4676-28-0x00007FF6DF4F0000-0x00007FF6DF841000-memory.dmp	upx
behavioral2/memory/5064-22-0x00007FF7B0970000-0x00007FF7B0CC1000-memory.dmp	upx
behavioral2/files/0x000a000000023b82-18.dat	upx
behavioral2/memory/4868-14-0x00007FF7ADFE0000-0x00007FF7AE331000-memory.dmp	upx
behavioral2/memory/3648-7-0x00007FF6E4EE0000-0x00007FF6E5231000-memory.dmp	upx
behavioral2/memory/3648-129-0x00007FF6E4EE0000-0x00007FF6E5231000-memory.dmp	upx
behavioral2/memory/4868-130-0x00007FF7ADFE0000-0x00007FF7AE331000-memory.dmp	upx
behavioral2/memory/4676-131-0x00007FF6DF4F0000-0x00007FF6DF841000-memory.dmp	upx
behavioral2/memory/1884-132-0x00007FF71FC20000-0x00007FF71FF71000-memory.dmp	upx
behavioral2/memory/5064-133-0x00007FF7B0970000-0x00007FF7B0CC1000-memory.dmp	upx
behavioral2/memory/4704-134-0x00007FF7D83A0000-0x00007FF7D86F1000-memory.dmp	upx
behavioral2/memory/624-135-0x00007FF7A8550000-0x00007FF7A88A1000-memory.dmp	upx
behavioral2/memory/3496-136-0x00007FF66C2C0000-0x00007FF66C611000-memory.dmp	upx
behavioral2/memory/4732-138-0x00007FF7D6BC0000-0x00007FF7D6F11000-memory.dmp	upx
behavioral2/memory/4680-139-0x00007FF6EED40000-0x00007FF6EF091000-memory.dmp	upx
behavioral2/memory/536-158-0x00007FF6BE8A0000-0x00007FF6BEBF1000-memory.dmp	upx
behavioral2/memory/2388-157-0x00007FF72E530000-0x00007FF72E881000-memory.dmp	upx
behavioral2/memory/2120-155-0x00007FF63BF90000-0x00007FF63C2E1000-memory.dmp	upx
behavioral2/memory/3432-152-0x00007FF7254D0000-0x00007FF725821000-memory.dmp	upx
behavioral2/memory/4076-149-0x00007FF7CBAA0000-0x00007FF7CBDF1000-memory.dmp	upx
behavioral2/memory/1920-156-0x00007FF642A70000-0x00007FF642DC1000-memory.dmp	upx
behavioral2/memory/4888-153-0x00007FF6D4DA0000-0x00007FF6D50F1000-memory.dmp	upx
behavioral2/memory/2952-160-0x00007FF6A2ED0000-0x00007FF6A3221000-memory.dmp	upx
behavioral2/memory/3496-161-0x00007FF66C2C0000-0x00007FF66C611000-memory.dmp	upx
behavioral2/memory/3648-216-0x00007FF6E4EE0000-0x00007FF6E5231000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\vuRWUDb.exe	2024-12-14_ead1fe5746bf59e91ea0959a39ba069e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GOEfcVI.exe	2024-12-14_ead1fe5746bf59e91ea0959a39ba069e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mNLAGVN.exe	2024-12-14_ead1fe5746bf59e91ea0959a39ba069e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vahaNHG.exe	2024-12-14_ead1fe5746bf59e91ea0959a39ba069e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bXfVgWQ.exe	2024-12-14_ead1fe5746bf59e91ea0959a39ba069e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KXcgXQp.exe	2024-12-14_ead1fe5746bf59e91ea0959a39ba069e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PdHmNuN.exe	2024-12-14_ead1fe5746bf59e91ea0959a39ba069e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fShKEIV.exe	2024-12-14_ead1fe5746bf59e91ea0959a39ba069e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gjStBTT.exe	2024-12-14_ead1fe5746bf59e91ea0959a39ba069e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cOGAzZT.exe	2024-12-14_ead1fe5746bf59e91ea0959a39ba069e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LvPtuCk.exe	2024-12-14_ead1fe5746bf59e91ea0959a39ba069e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vJZNRhX.exe	2024-12-14_ead1fe5746bf59e91ea0959a39ba069e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aJsdtTa.exe	2024-12-14_ead1fe5746bf59e91ea0959a39ba069e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dVzcXje.exe	2024-12-14_ead1fe5746bf59e91ea0959a39ba069e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pejeBkQ.exe	2024-12-14_ead1fe5746bf59e91ea0959a39ba069e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cjMutDu.exe	2024-12-14_ead1fe5746bf59e91ea0959a39ba069e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OrJiPya.exe	2024-12-14_ead1fe5746bf59e91ea0959a39ba069e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SxbaRSy.exe	2024-12-14_ead1fe5746bf59e91ea0959a39ba069e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BccAnjJ.exe	2024-12-14_ead1fe5746bf59e91ea0959a39ba069e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nYeQPaM.exe	2024-12-14_ead1fe5746bf59e91ea0959a39ba069e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HcCVqtM.exe	2024-12-14_ead1fe5746bf59e91ea0959a39ba069e_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3496	2024-12-14_ead1fe5746bf59e91ea0959a39ba069e_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	3496	2024-12-14_ead1fe5746bf59e91ea0959a39ba069e_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3496 wrote to memory of 3648	3496	2024-12-14_ead1fe5746bf59e91ea0959a39ba069e_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 3496 wrote to memory of 3648	3496	2024-12-14_ead1fe5746bf59e91ea0959a39ba069e_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 3496 wrote to memory of 4868	3496	2024-12-14_ead1fe5746bf59e91ea0959a39ba069e_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3496 wrote to memory of 4868	3496	2024-12-14_ead1fe5746bf59e91ea0959a39ba069e_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3496 wrote to memory of 5064	3496	2024-12-14_ead1fe5746bf59e91ea0959a39ba069e_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3496 wrote to memory of 5064	3496	2024-12-14_ead1fe5746bf59e91ea0959a39ba069e_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3496 wrote to memory of 4676	3496	2024-12-14_ead1fe5746bf59e91ea0959a39ba069e_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3496 wrote to memory of 4676	3496	2024-12-14_ead1fe5746bf59e91ea0959a39ba069e_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3496 wrote to memory of 1884	3496	2024-12-14_ead1fe5746bf59e91ea0959a39ba069e_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3496 wrote to memory of 1884	3496	2024-12-14_ead1fe5746bf59e91ea0959a39ba069e_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3496 wrote to memory of 2680	3496	2024-12-14_ead1fe5746bf59e91ea0959a39ba069e_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3496 wrote to memory of 2680	3496	2024-12-14_ead1fe5746bf59e91ea0959a39ba069e_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3496 wrote to memory of 4704	3496	2024-12-14_ead1fe5746bf59e91ea0959a39ba069e_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3496 wrote to memory of 4704	3496	2024-12-14_ead1fe5746bf59e91ea0959a39ba069e_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3496 wrote to memory of 624	3496	2024-12-14_ead1fe5746bf59e91ea0959a39ba069e_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3496 wrote to memory of 624	3496	2024-12-14_ead1fe5746bf59e91ea0959a39ba069e_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3496 wrote to memory of 116	3496	2024-12-14_ead1fe5746bf59e91ea0959a39ba069e_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3496 wrote to memory of 116	3496	2024-12-14_ead1fe5746bf59e91ea0959a39ba069e_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3496 wrote to memory of 4732	3496	2024-12-14_ead1fe5746bf59e91ea0959a39ba069e_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3496 wrote to memory of 4732	3496	2024-12-14_ead1fe5746bf59e91ea0959a39ba069e_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3496 wrote to memory of 4076	3496	2024-12-14_ead1fe5746bf59e91ea0959a39ba069e_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3496 wrote to memory of 4076	3496	2024-12-14_ead1fe5746bf59e91ea0959a39ba069e_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3496 wrote to memory of 4680	3496	2024-12-14_ead1fe5746bf59e91ea0959a39ba069e_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3496 wrote to memory of 4680	3496	2024-12-14_ead1fe5746bf59e91ea0959a39ba069e_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3496 wrote to memory of 536	3496	2024-12-14_ead1fe5746bf59e91ea0959a39ba069e_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3496 wrote to memory of 536	3496	2024-12-14_ead1fe5746bf59e91ea0959a39ba069e_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3496 wrote to memory of 3432	3496	2024-12-14_ead1fe5746bf59e91ea0959a39ba069e_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3496 wrote to memory of 3432	3496	2024-12-14_ead1fe5746bf59e91ea0959a39ba069e_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3496 wrote to memory of 4888	3496	2024-12-14_ead1fe5746bf59e91ea0959a39ba069e_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3496 wrote to memory of 4888	3496	2024-12-14_ead1fe5746bf59e91ea0959a39ba069e_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3496 wrote to memory of 5060	3496	2024-12-14_ead1fe5746bf59e91ea0959a39ba069e_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3496 wrote to memory of 5060	3496	2024-12-14_ead1fe5746bf59e91ea0959a39ba069e_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3496 wrote to memory of 2120	3496	2024-12-14_ead1fe5746bf59e91ea0959a39ba069e_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3496 wrote to memory of 2120	3496	2024-12-14_ead1fe5746bf59e91ea0959a39ba069e_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3496 wrote to memory of 1920	3496	2024-12-14_ead1fe5746bf59e91ea0959a39ba069e_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3496 wrote to memory of 1920	3496	2024-12-14_ead1fe5746bf59e91ea0959a39ba069e_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3496 wrote to memory of 2388	3496	2024-12-14_ead1fe5746bf59e91ea0959a39ba069e_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3496 wrote to memory of 2388	3496	2024-12-14_ead1fe5746bf59e91ea0959a39ba069e_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3496 wrote to memory of 2640	3496	2024-12-14_ead1fe5746bf59e91ea0959a39ba069e_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3496 wrote to memory of 2640	3496	2024-12-14_ead1fe5746bf59e91ea0959a39ba069e_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3496 wrote to memory of 2952	3496	2024-12-14_ead1fe5746bf59e91ea0959a39ba069e_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3496 wrote to memory of 2952	3496	2024-12-14_ead1fe5746bf59e91ea0959a39ba069e_cobalt-strike_cobaltstrike_poet-rat.exe	103

C:\Users\Admin\AppData\Local\Temp\2024-12-14_ead1fe5746bf59e91ea0959a39ba069e_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-14_ead1fe5746bf59e91ea0959a39ba069e_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3496
- C:\Windows\System\pejeBkQ.exe
  C:\Windows\System\pejeBkQ.exe
  2⤵
  - Executes dropped EXE
  PID:3648
- C:\Windows\System\bXfVgWQ.exe
  C:\Windows\System\bXfVgWQ.exe
  2⤵
  - Executes dropped EXE
  PID:4868
- C:\Windows\System\cjMutDu.exe
  C:\Windows\System\cjMutDu.exe
  2⤵
  - Executes dropped EXE
  PID:5064
- C:\Windows\System\vuRWUDb.exe
  C:\Windows\System\vuRWUDb.exe
  2⤵
  - Executes dropped EXE
  PID:4676
- C:\Windows\System\LvPtuCk.exe
  C:\Windows\System\LvPtuCk.exe
  2⤵
  - Executes dropped EXE
  PID:1884
- C:\Windows\System\KXcgXQp.exe
  C:\Windows\System\KXcgXQp.exe
  2⤵
  - Executes dropped EXE
  PID:2680
- C:\Windows\System\OrJiPya.exe
  C:\Windows\System\OrJiPya.exe
  2⤵
  - Executes dropped EXE
  PID:4704
- C:\Windows\System\SxbaRSy.exe
  C:\Windows\System\SxbaRSy.exe
  2⤵
  - Executes dropped EXE
  PID:624
- C:\Windows\System\vJZNRhX.exe
  C:\Windows\System\vJZNRhX.exe
  2⤵
  - Executes dropped EXE
  PID:116
- C:\Windows\System\GOEfcVI.exe
  C:\Windows\System\GOEfcVI.exe
  2⤵
  - Executes dropped EXE
  PID:4732
- C:\Windows\System\PdHmNuN.exe
  C:\Windows\System\PdHmNuN.exe
  2⤵
  - Executes dropped EXE
  PID:4076
- C:\Windows\System\mNLAGVN.exe
  C:\Windows\System\mNLAGVN.exe
  2⤵
  - Executes dropped EXE
  PID:4680
- C:\Windows\System\vahaNHG.exe
  C:\Windows\System\vahaNHG.exe
  2⤵
  - Executes dropped EXE
  PID:536
- C:\Windows\System\BccAnjJ.exe
  C:\Windows\System\BccAnjJ.exe
  2⤵
  - Executes dropped EXE
  PID:3432
- C:\Windows\System\fShKEIV.exe
  C:\Windows\System\fShKEIV.exe
  2⤵
  - Executes dropped EXE
  PID:4888
- C:\Windows\System\aJsdtTa.exe
  C:\Windows\System\aJsdtTa.exe
  2⤵
  - Executes dropped EXE
  PID:5060
- C:\Windows\System\dVzcXje.exe
  C:\Windows\System\dVzcXje.exe
  2⤵
  - Executes dropped EXE
  PID:2120
- C:\Windows\System\nYeQPaM.exe
  C:\Windows\System\nYeQPaM.exe
  2⤵
  - Executes dropped EXE
  PID:1920
- C:\Windows\System\gjStBTT.exe
  C:\Windows\System\gjStBTT.exe
  2⤵
  - Executes dropped EXE
  PID:2388
- C:\Windows\System\cOGAzZT.exe
  C:\Windows\System\cOGAzZT.exe
  2⤵
  - Executes dropped EXE
  PID:2640
- C:\Windows\System\HcCVqtM.exe
  C:\Windows\System\HcCVqtM.exe
  2⤵
  - Executes dropped EXE
  PID:2952

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BccAnjJ.exe

Filesize
5.2MB

MD5
fd5cf682a897d5ef1f47e56262b47728

SHA1
83f96c014613058ddb6277e9f100c673d193e2cc

SHA256
32f4aefa405a788d8dc0c0f3667ab3986cd2dbbf2a698f25f678973b2fe8100f

SHA512
05053c6a930fad702aa3b7e3b27ab2a2eee8dbeaa6671e9ec3c3b33e0558cbc408830095af676d886515305620d4b3b83a9f8228269e9aeecbdf4fa87b99d2ab

Download Submit
C:\Windows\System\GOEfcVI.exe

Filesize
5.2MB

MD5
7c685a8cf84bbc45ba43f528a5469f4e

SHA1
4a50686b98bb2af714571335ca00dc24a2889a4c

SHA256
f36e6ac21a0122088595b07bd60d3f0a5272e104c54a526d1857f81db8571194

SHA512
991d53a4cc9bba217329d60e5ff6aca43881beb54ee08d7d6a531059be36697c1f612401203e3d161eb16763cce71ab9ea5d01420e9ab931a1caa1c1145211bb

Download Submit
C:\Windows\System\HcCVqtM.exe

Filesize
5.2MB

MD5
0d9ab536ed91df233327bc071e5da49d

SHA1
c143c040b4250e2966838c90ee5fdc4ddae5fe4a

SHA256
da5bcab22825551ae41369eb8465eafc91b7ca1f5ac33a8d3b4507b468639d19

SHA512
380c3c59e6b02d7a0b5733d79a192ad512a0a3d51c2d825db0c5da658cd3babacd8f89523a32cfc92211bb15e766b28671159a518966ceff04e704a131492417

Download Submit
C:\Windows\System\KXcgXQp.exe

Filesize
5.2MB

MD5
8d1490b10ddec17200e9b2acb447ce54

SHA1
fde8683110486659d951d3151f81d0375b1f7972

SHA256
c98538e55accab1fbc821b6dfbca1ecfe1e3009defb83936a7db8ed1a20d9e84

SHA512
8c753d477d37775f556df976a77e4cb2639facb8d40ec7098974fcb5910c62f094e4f84ac32d596ade40a4e14f904847982c597fea09f26105b36d9353ea16cf

Download Submit
C:\Windows\System\LvPtuCk.exe

Filesize
5.2MB

MD5
56bcdf23ea8f6cdba2be45ab9adbbe92

SHA1
2968263f60606b1c7f30ef4ecf33338752b394d1

SHA256
5211c8ae0d32b0a7ccc6a6ba7d9929de876b0ea15fa9d4b22b453fc9930e69ab

SHA512
62e553c2648ea4468ef60908222528d016cabe62e012b2e8e0c4fe9ffdb3f1a400d71055166a4d565991e9ec33b6350060074d1bb19d0096d9eff0b23a50ec5b

Download Submit
C:\Windows\System\OrJiPya.exe

Filesize
5.2MB

MD5
3b7061944cf0efd30f2c1a4853578dda

SHA1
838d4e90b03d966e5f9d9cbfc25d784534384a45

SHA256
2c89262431603e00ddb7c32f210b7edd9f9f4cd35de2a33c2bf9e67872de40b0

SHA512
852cf24bbc4adda2b56bb2be16563b247bd495dfc9e24df2ef3103714578c58eb74cc9be6c2a4534c8dcc57365034baf84e3ee46e4854553e62dd9ef3946b277

Download Submit
C:\Windows\System\PdHmNuN.exe

Filesize
5.2MB

MD5
fdf1e9a0db3ade59fdfee186e3cc927a

SHA1
44c244a0fb5edf3f51a3fbb60163f317f49328f2

SHA256
b6abd9061ed1c561f988965e44ff28f7e3698a3502e55de7d970e60fab413e94

SHA512
2d7a2345d2b117bf28ee643910bdb5b0b4bdbeb1ada7066d62300931540bf5cbd501b128bb82cfd6b07ec1185340f2db9090544c72027ce7c5ddb6889d9ce03c

Download Submit
C:\Windows\System\SxbaRSy.exe

Filesize
5.2MB

MD5
1523eb44a190900aa870df45f5852e2d

SHA1
3e1540f92ad57f2071110a4313e76f856398a7c6

SHA256
7b4a12092eb4cbdab7e7e528ed8f26db7ab17cf60d66a4dca690a9d15dfa3af3

SHA512
7a953280bf650593272f3583ac631d981e4d0b5fdfffcbbe83c06cb7d7756040cc2f8e7666321d97412ba1c967ef158bd344300a2fddaf5b9edd90b8ed70102a

Download Submit
C:\Windows\System\aJsdtTa.exe

Filesize
5.2MB

MD5
cacf9f97688ef11592d2abe31173f1d3

SHA1
6cf53c9cc3a578653ae4b7d6b8536e9e2916b357

SHA256
1cd3f61e44c3472141ac9f46893a54fb2408db144c9e05cde5160301e61f0299

SHA512
ed3195e8140e22054c63bd29118ebae0298acf763a436b9c7955c0680ac5d4a1a0a1c51d261e2b16af0533362caaa3ff35a2f2ff4f5227ae2f803e308f83b8f7

Download Submit
C:\Windows\System\bXfVgWQ.exe

Filesize
5.2MB

MD5
852a58570e83cbbafd88d6268c05529c

SHA1
50ebb4467658c2fac48dbe61491905d6787df6ea

SHA256
5a36a0ac3195e1d28ef04914fc9a383f2166a93716d6ff47c5b0f74d74a92630

SHA512
e6b3f3a51650577c4c3244b37bc7568347b19f7fe541e1a6d90932bd2ff770782523cea880b9044edbfb3fc55c2ec48ffeb06d68dcde376a18c456a848f75361

Download Submit
C:\Windows\System\cOGAzZT.exe

Filesize
5.2MB

MD5
478265f5515271e1fff43104a009fd78

SHA1
934ef62e35dea56f60cbb5da29cb128cddb73f2d

SHA256
6440f51580fa14348b22fc4d5b081dda128f63ef2f658845435c05f866a11e4e

SHA512
f3330c01b09f5af858cd9bbe72081b841523ac105ae9777fb6b81c06262cdec35d4899868b5bd3b9ce0c43b9376bd257eac7d0c6d98fa96468b4e348683a8806

Download Submit
C:\Windows\System\cjMutDu.exe

Filesize
5.2MB

MD5
c57ef68e34170765d9b1af929c3a3064

SHA1
0382c560937596d2f98d566a66d378a4a07d6b56

SHA256
7da06c45ec4d91a982fb5b823ddef7a597a45ec9af3b224a6c92cb4764bf3b50

SHA512
9a4f730468fea3b75da42072c27f55cb6c9609e74b836c8ab8373e19f46d5841472f964edce7659a0254d80635dd715396dabe901b1130ebceca2cab8f79c080

Download Submit
C:\Windows\System\dVzcXje.exe

Filesize
5.2MB

MD5
e3de81f6e441ea923286ca7dc4b3144f

SHA1
7bc16a6dba318a8cecc85a0da3169a41706b079c

SHA256
6d2c1d90c246b16bca2cbb6c52ddac29a3b6828acb69565acf61653a1c4c5b6a

SHA512
8dd006bdec9d64e39df1ab69d34844b7652e243651964d9121bf235beef08967d8cdc5a85f055c8d876a1ef00ccd6e6e6a90399be8fe4cfa4df021e2971f865c

Download Submit
C:\Windows\System\fShKEIV.exe

Filesize
5.2MB

MD5
8c76daf1b059afb2a53b63cbc1b70bd7

SHA1
7d6732cec9e25dd07d38a2c9795e1eae2d191668

SHA256
533cc9f62a20f2b0d2055b5681c48178b6cbb66f971f6e0a47e5b2190992a09f

SHA512
bea54f362b0eab7391bb4d4b837614987870e7d5736846edbfaa5d191dd45277fb331f1fc9e3871fb04c30013d845a0218dad6aa7b8bdafc5f552ad8d9e1f156

Download Submit
C:\Windows\System\gjStBTT.exe

Filesize
5.2MB

MD5
165c7269017890e1f9c1e019c795f8fd

SHA1
8a5e460370a094ac01efb7ca6f64c83b0521216a

SHA256
1675e503ad5dce46a4d008f965c9829019d96af4e722c13258f36501b15d84d3

SHA512
14378a1804662775d55e4f5420b2b679ee6cc6050ea0e6363edf5877fb8304229fbb5bbd7d24c0bd8e8d243da416b7760826e32eec11766cb9d88629db8740ad

Download Submit
C:\Windows\System\mNLAGVN.exe

Filesize
5.2MB

MD5
1b1277ce0f7c4c6dfe224328292d5d44

SHA1
345601c2d12263771b9d1cbbad320fa91b3fbc25

SHA256
c484534046982486784355b617d653d35d97cb881c19cd7db81f61ab3fceb9ac

SHA512
2b092bf800bb1b1ef88f91ef55121a6a5d57cdf05c7dda13545bd73b8d1234c9b0319cbf99bb4adcb51665110ae9f584dcf8d43e983ac9212a1d72a62d30ddaf

Download Submit
C:\Windows\System\nYeQPaM.exe

Filesize
5.2MB

MD5
084aa49eede32c2c322c0f368ea0d0b8

SHA1
6819c03b20d41c9688881d251a12d1ce233c44ee

SHA256
a02fec4a0db1c925ba3715798c5275b05cbafecc4b088e6339fa4921896eb51a

SHA512
34ebe9aff9bee8925ff4c7cfbeb8bb920e12131e63b0dad36e4eb16e710b34c931dbce3814bdebdf1cc55a113a856b615525aaea937abb5ee1885f7c18e78e31

Download Submit
C:\Windows\System\pejeBkQ.exe

Filesize
5.2MB

MD5
1dd7dbaf32eeee12b66f2a92cc3a5efe

SHA1
e28fa44e88256030dc9ba6f90ab4b6dea3fadcc8

SHA256
ef53f086ce306b6bec830bd1637d12f69ecccd58e18659e589bcf230b5072a6d

SHA512
68fbd8a987415c3f1e077fda9920c2541f46d37dfb56ae1571a5bba9baf2135fe6c5ccfd4f66c915cbcd6e533f9c11c625d52a6ffa6ed931b4349be0310e5311

Download Submit
C:\Windows\System\vJZNRhX.exe

Filesize
5.2MB

MD5
d6f2cbd14d6a7cd0e3bcf0c4f2d3c2eb

SHA1
f7c563503528edaf6c508337e4f799a56fc2f9a6

SHA256
d14646d761295d9dec266147b5c985745f68571c7953e80cb04ba599f5a8edcc

SHA512
70eb6652ab8789927f6b76017a95de952fa271d968f263e7fab23af6c4eaeaf5336d5817f9cc8d7c6f6151153d7dafe70308149397f66eba4489a1a512dd9edf

Download Submit
C:\Windows\System\vahaNHG.exe

Filesize
5.2MB

MD5
f6e25434957ac73e4d4ae874bf12d3a7

SHA1
5d41401cf9006289023d2008e98716b30046c8b2

SHA256
5c0301e82fb3059f9f41b82f208acc764625eb346a7011e34a7b3966c92203a6

SHA512
1a379020512d40c54074a2917c957e540947c83a1c9feefdbfe0ca94aab8ef202bd0b48de58406ee7da986082148f9939edaa1e97dfc5aa5c644f4b0b6013c16

Download Submit
C:\Windows\System\vuRWUDb.exe

Filesize
5.2MB

MD5
1e0184dc2990dff88cc39a10dc47cab6

SHA1
7f3d3d66dc33fc07c998ceaa08d1f00278273da8

SHA256
a79145ad524e8fcb526f1a97ca743a979f856e779c98c95b451f46cd41354333

SHA512
2680c7a9c666ad600ef405f56d4535a3ee69a49eaa8fc7e38e1c0f32453ca901877a97dac6814ecf92721a3d7021eb945d82e107ba387049e1824cd9563c3ec6

Download Submit
memory/116-62-0x00007FF7DA0E0000-0x00007FF7DA431000-memory.dmp

Filesize
3.3MB

Download
memory/116-239-0x00007FF7DA0E0000-0x00007FF7DA431000-memory.dmp

Filesize
3.3MB

Download
memory/536-249-0x00007FF6BE8A0000-0x00007FF6BEBF1000-memory.dmp

Filesize
3.3MB

Download
memory/536-87-0x00007FF6BE8A0000-0x00007FF6BEBF1000-memory.dmp

Filesize
3.3MB

Download
memory/536-158-0x00007FF6BE8A0000-0x00007FF6BEBF1000-memory.dmp

Filesize
3.3MB

Download
memory/624-135-0x00007FF7A8550000-0x00007FF7A88A1000-memory.dmp

Filesize
3.3MB

Download
memory/624-58-0x00007FF7A8550000-0x00007FF7A88A1000-memory.dmp

Filesize
3.3MB

Download
memory/624-254-0x00007FF7A8550000-0x00007FF7A88A1000-memory.dmp

Filesize
3.3MB

Download
memory/1884-39-0x00007FF71FC20000-0x00007FF71FF71000-memory.dmp

Filesize
3.3MB

Download
memory/1884-132-0x00007FF71FC20000-0x00007FF71FF71000-memory.dmp

Filesize
3.3MB

Download
memory/1884-242-0x00007FF71FC20000-0x00007FF71FF71000-memory.dmp

Filesize
3.3MB

Download
memory/1920-108-0x00007FF642A70000-0x00007FF642DC1000-memory.dmp

Filesize
3.3MB

Download
memory/1920-156-0x00007FF642A70000-0x00007FF642DC1000-memory.dmp

Filesize
3.3MB

Download
memory/1920-262-0x00007FF642A70000-0x00007FF642DC1000-memory.dmp

Filesize
3.3MB

Download
memory/2120-260-0x00007FF63BF90000-0x00007FF63C2E1000-memory.dmp

Filesize
3.3MB

Download
memory/2120-100-0x00007FF63BF90000-0x00007FF63C2E1000-memory.dmp

Filesize
3.3MB

Download
memory/2120-155-0x00007FF63BF90000-0x00007FF63C2E1000-memory.dmp

Filesize
3.3MB

Download
memory/2388-157-0x00007FF72E530000-0x00007FF72E881000-memory.dmp

Filesize
3.3MB

Download
memory/2388-122-0x00007FF72E530000-0x00007FF72E881000-memory.dmp

Filesize
3.3MB

Download
memory/2388-268-0x00007FF72E530000-0x00007FF72E881000-memory.dmp

Filesize
3.3MB

Download
memory/2640-124-0x00007FF6DF100000-0x00007FF6DF451000-memory.dmp

Filesize
3.3MB

Download
memory/2640-265-0x00007FF6DF100000-0x00007FF6DF451000-memory.dmp

Filesize
3.3MB

Download
memory/2680-49-0x00007FF66B3D0000-0x00007FF66B721000-memory.dmp

Filesize
3.3MB

Download
memory/2680-234-0x00007FF66B3D0000-0x00007FF66B721000-memory.dmp

Filesize
3.3MB

Download
memory/2952-160-0x00007FF6A2ED0000-0x00007FF6A3221000-memory.dmp

Filesize
3.3MB

Download
memory/2952-266-0x00007FF6A2ED0000-0x00007FF6A3221000-memory.dmp

Filesize
3.3MB

Download
memory/2952-125-0x00007FF6A2ED0000-0x00007FF6A3221000-memory.dmp

Filesize
3.3MB

Download
memory/3432-152-0x00007FF7254D0000-0x00007FF725821000-memory.dmp

Filesize
3.3MB

Download
memory/3432-88-0x00007FF7254D0000-0x00007FF725821000-memory.dmp

Filesize
3.3MB

Download
memory/3432-247-0x00007FF7254D0000-0x00007FF725821000-memory.dmp

Filesize
3.3MB

Download
memory/3496-161-0x00007FF66C2C0000-0x00007FF66C611000-memory.dmp

Filesize
3.3MB

Download
memory/3496-136-0x00007FF66C2C0000-0x00007FF66C611000-memory.dmp

Filesize
3.3MB

Download
memory/3496-1-0x0000017947330000-0x0000017947340000-memory.dmp

Filesize
64KB

Download
memory/3496-123-0x00007FF66C2C0000-0x00007FF66C611000-memory.dmp

Filesize
3.3MB

Download
memory/3496-0-0x00007FF66C2C0000-0x00007FF66C611000-memory.dmp

Filesize
3.3MB

Download
memory/3648-7-0x00007FF6E4EE0000-0x00007FF6E5231000-memory.dmp

Filesize
3.3MB

Download
memory/3648-216-0x00007FF6E4EE0000-0x00007FF6E5231000-memory.dmp

Filesize
3.3MB

Download
memory/3648-129-0x00007FF6E4EE0000-0x00007FF6E5231000-memory.dmp

Filesize
3.3MB

Download
memory/4076-245-0x00007FF7CBAA0000-0x00007FF7CBDF1000-memory.dmp

Filesize
3.3MB

Download
memory/4076-76-0x00007FF7CBAA0000-0x00007FF7CBDF1000-memory.dmp

Filesize
3.3MB

Download
memory/4076-149-0x00007FF7CBAA0000-0x00007FF7CBDF1000-memory.dmp

Filesize
3.3MB

Download
memory/4676-220-0x00007FF6DF4F0000-0x00007FF6DF841000-memory.dmp

Filesize
3.3MB

Download
memory/4676-131-0x00007FF6DF4F0000-0x00007FF6DF841000-memory.dmp

Filesize
3.3MB

Download
memory/4676-28-0x00007FF6DF4F0000-0x00007FF6DF841000-memory.dmp

Filesize
3.3MB

Download
memory/4680-251-0x00007FF6EED40000-0x00007FF6EF091000-memory.dmp

Filesize
3.3MB

Download
memory/4680-139-0x00007FF6EED40000-0x00007FF6EF091000-memory.dmp

Filesize
3.3MB

Download
memory/4680-68-0x00007FF6EED40000-0x00007FF6EF091000-memory.dmp

Filesize
3.3MB

Download
memory/4704-134-0x00007FF7D83A0000-0x00007FF7D86F1000-memory.dmp

Filesize
3.3MB

Download
memory/4704-241-0x00007FF7D83A0000-0x00007FF7D86F1000-memory.dmp

Filesize
3.3MB

Download
memory/4704-42-0x00007FF7D83A0000-0x00007FF7D86F1000-memory.dmp

Filesize
3.3MB

Download
memory/4732-138-0x00007FF7D6BC0000-0x00007FF7D6F11000-memory.dmp

Filesize
3.3MB

Download
memory/4732-253-0x00007FF7D6BC0000-0x00007FF7D6F11000-memory.dmp

Filesize
3.3MB

Download
memory/4732-67-0x00007FF7D6BC0000-0x00007FF7D6F11000-memory.dmp

Filesize
3.3MB

Download
memory/4868-14-0x00007FF7ADFE0000-0x00007FF7AE331000-memory.dmp

Filesize
3.3MB

Download
memory/4868-218-0x00007FF7ADFE0000-0x00007FF7AE331000-memory.dmp

Filesize
3.3MB

Download
memory/4868-130-0x00007FF7ADFE0000-0x00007FF7AE331000-memory.dmp

Filesize
3.3MB

Download
memory/4888-258-0x00007FF6D4DA0000-0x00007FF6D50F1000-memory.dmp

Filesize
3.3MB

Download
memory/4888-97-0x00007FF6D4DA0000-0x00007FF6D50F1000-memory.dmp

Filesize
3.3MB

Download
memory/4888-153-0x00007FF6D4DA0000-0x00007FF6D50F1000-memory.dmp

Filesize
3.3MB

Download
memory/5060-257-0x00007FF7840D0000-0x00007FF784421000-memory.dmp

Filesize
3.3MB

Download
memory/5060-117-0x00007FF7840D0000-0x00007FF784421000-memory.dmp

Filesize
3.3MB

Download
memory/5064-22-0x00007FF7B0970000-0x00007FF7B0CC1000-memory.dmp

Filesize
3.3MB

Download
memory/5064-236-0x00007FF7B0970000-0x00007FF7B0CC1000-memory.dmp

Filesize
3.3MB

Download
memory/5064-133-0x00007FF7B0970000-0x00007FF7B0CC1000-memory.dmp

Filesize
3.3MB

Download