cobaltstrike | 534b626544c76bad2a554141e79c2b0fa76cb6833fee295a3c76d409ae996896

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-12-2024 12:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-17_ab121c4ea54c859b5668bad2165b10bf_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

ab121c4ea54c859b5668bad2165b10bf
SHA1

0d51b9cb604d8514c4f1d4f9e0595de3f782badd
SHA256

534b626544c76bad2a554141e79c2b0fa76cb6833fee295a3c76d409ae996896
SHA512

14bddf33899e8f1ed41a0e68b3763e581540b62defd4ab999d9340ee02a729a26b016931181100c4651a8fb46a1ea407e55c70c3e650f0d3f31d982eb9b8e396
SSDEEP

49152:ROdWCCi7/raN56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l/:RWWBib+56utgpPFotBER/mQ32lUL

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000c000000023bad-4.dat	cobalt_reflective_dll
behavioral2/files/0x000e000000023bd7-10.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023bd3-19.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bd9-23.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bdd-31.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bdf-41.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c12-67.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c11-66.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c0e-61.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c10-60.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c0f-55.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bde-52.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bdc-35.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c33-118.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c32-116.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c2c-115.dat	cobalt_reflective_dll
behavioral2/files/0x000c000000023bae-114.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c19-105.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c1a-100.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c18-98.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c13-84.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 47 IoCs

miner

resource	yara_rule
behavioral2/memory/4828-49-0x00007FF61C490000-0x00007FF61C7E1000-memory.dmp	xmrig
behavioral2/memory/1460-44-0x00007FF6E75F0000-0x00007FF6E7941000-memory.dmp	xmrig
behavioral2/memory/4184-80-0x00007FF685BF0000-0x00007FF685F41000-memory.dmp	xmrig
behavioral2/memory/1968-93-0x00007FF678600000-0x00007FF678951000-memory.dmp	xmrig
behavioral2/memory/3724-108-0x00007FF609900000-0x00007FF609C51000-memory.dmp	xmrig
behavioral2/memory/4268-112-0x00007FF7C7470000-0x00007FF7C77C1000-memory.dmp	xmrig
behavioral2/memory/2596-120-0x00007FF6902A0000-0x00007FF6905F1000-memory.dmp	xmrig
behavioral2/memory/4864-122-0x00007FF6C2D80000-0x00007FF6C30D1000-memory.dmp	xmrig
behavioral2/memory/3744-121-0x00007FF788280000-0x00007FF7885D1000-memory.dmp	xmrig
behavioral2/memory/5092-111-0x00007FF684B80000-0x00007FF684ED1000-memory.dmp	xmrig
behavioral2/memory/680-110-0x00007FF72A6C0000-0x00007FF72AA11000-memory.dmp	xmrig
behavioral2/memory/4676-95-0x00007FF63E060000-0x00007FF63E3B1000-memory.dmp	xmrig
behavioral2/memory/412-71-0x00007FF7F62E0000-0x00007FF7F6631000-memory.dmp	xmrig
behavioral2/memory/4376-124-0x00007FF7A6E30000-0x00007FF7A7181000-memory.dmp	xmrig
behavioral2/memory/968-131-0x00007FF645340000-0x00007FF645691000-memory.dmp	xmrig
behavioral2/memory/3128-144-0x00007FF693B00000-0x00007FF693E51000-memory.dmp	xmrig
behavioral2/memory/4828-130-0x00007FF61C490000-0x00007FF61C7E1000-memory.dmp	xmrig
behavioral2/memory/1048-128-0x00007FF7EEFA0000-0x00007FF7EF2F1000-memory.dmp	xmrig
behavioral2/memory/4004-126-0x00007FF6491C0000-0x00007FF649511000-memory.dmp	xmrig
behavioral2/memory/3124-125-0x00007FF73CBB0000-0x00007FF73CF01000-memory.dmp	xmrig
behavioral2/memory/1460-129-0x00007FF6E75F0000-0x00007FF6E7941000-memory.dmp	xmrig
behavioral2/memory/1904-145-0x00007FF7845B0000-0x00007FF784901000-memory.dmp	xmrig
behavioral2/memory/4376-148-0x00007FF7A6E30000-0x00007FF7A7181000-memory.dmp	xmrig
behavioral2/memory/4376-149-0x00007FF7A6E30000-0x00007FF7A7181000-memory.dmp	xmrig
behavioral2/memory/3080-167-0x00007FF60BF80000-0x00007FF60C2D1000-memory.dmp	xmrig
behavioral2/memory/2072-168-0x00007FF67F610000-0x00007FF67F961000-memory.dmp	xmrig
behavioral2/memory/3124-212-0x00007FF73CBB0000-0x00007FF73CF01000-memory.dmp	xmrig
behavioral2/memory/4004-214-0x00007FF6491C0000-0x00007FF649511000-memory.dmp	xmrig
behavioral2/memory/412-216-0x00007FF7F62E0000-0x00007FF7F6631000-memory.dmp	xmrig
behavioral2/memory/1048-218-0x00007FF7EEFA0000-0x00007FF7EF2F1000-memory.dmp	xmrig
behavioral2/memory/1460-220-0x00007FF6E75F0000-0x00007FF6E7941000-memory.dmp	xmrig
behavioral2/memory/1968-222-0x00007FF678600000-0x00007FF678951000-memory.dmp	xmrig
behavioral2/memory/4828-228-0x00007FF61C490000-0x00007FF61C7E1000-memory.dmp	xmrig
behavioral2/memory/4676-227-0x00007FF63E060000-0x00007FF63E3B1000-memory.dmp	xmrig
behavioral2/memory/4184-225-0x00007FF685BF0000-0x00007FF685F41000-memory.dmp	xmrig
behavioral2/memory/5092-234-0x00007FF684B80000-0x00007FF684ED1000-memory.dmp	xmrig
behavioral2/memory/680-240-0x00007FF72A6C0000-0x00007FF72AA11000-memory.dmp	xmrig
behavioral2/memory/3724-242-0x00007FF609900000-0x00007FF609C51000-memory.dmp	xmrig
behavioral2/memory/968-238-0x00007FF645340000-0x00007FF645691000-memory.dmp	xmrig
behavioral2/memory/2596-237-0x00007FF6902A0000-0x00007FF6905F1000-memory.dmp	xmrig
behavioral2/memory/4268-245-0x00007FF7C7470000-0x00007FF7C77C1000-memory.dmp	xmrig
behavioral2/memory/4864-247-0x00007FF6C2D80000-0x00007FF6C30D1000-memory.dmp	xmrig
behavioral2/memory/3744-248-0x00007FF788280000-0x00007FF7885D1000-memory.dmp	xmrig
behavioral2/memory/1904-255-0x00007FF7845B0000-0x00007FF784901000-memory.dmp	xmrig
behavioral2/memory/3128-257-0x00007FF693B00000-0x00007FF693E51000-memory.dmp	xmrig
behavioral2/memory/3080-260-0x00007FF60BF80000-0x00007FF60C2D1000-memory.dmp	xmrig
behavioral2/memory/2072-261-0x00007FF67F610000-0x00007FF67F961000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
3124	jgJsYxg.exe
4004	QnDZefc.exe
412	BycMhDU.exe
1048	klgKUeN.exe
1460	DJOqphS.exe
968	KKjtWEa.exe
4828	ishmyZn.exe
4184	kMjGdyT.exe
1968	bQdTlRy.exe
2596	nkjZiqH.exe
4676	csWjmCY.exe
3724	mnKbxUq.exe
680	TVdGyzX.exe
5092	IluQpvO.exe
3744	OndxRts.exe
4268	lodvuhh.exe
4864	erYJBEL.exe
3080	VHicrxK.exe
2072	Tvsnfpr.exe
3128	nBtUezl.exe
1904	xSzfZCZ.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4376-0-0x00007FF7A6E30000-0x00007FF7A7181000-memory.dmp	upx
behavioral2/files/0x000c000000023bad-4.dat	upx
behavioral2/files/0x000e000000023bd7-10.dat	upx
behavioral2/files/0x0009000000023bd3-19.dat	upx
behavioral2/files/0x0008000000023bd9-23.dat	upx
behavioral2/files/0x0008000000023bdd-31.dat	upx
behavioral2/files/0x0008000000023bdf-41.dat	upx
behavioral2/files/0x0008000000023c12-67.dat	upx
behavioral2/files/0x0008000000023c11-66.dat	upx
behavioral2/files/0x0008000000023c0e-61.dat	upx
behavioral2/files/0x0008000000023c10-60.dat	upx
behavioral2/files/0x0008000000023c0f-55.dat	upx
behavioral2/files/0x0008000000023bde-52.dat	upx
behavioral2/memory/4828-49-0x00007FF61C490000-0x00007FF61C7E1000-memory.dmp	upx
behavioral2/memory/1460-44-0x00007FF6E75F0000-0x00007FF6E7941000-memory.dmp	upx
behavioral2/files/0x0008000000023bdc-35.dat	upx
behavioral2/memory/1048-37-0x00007FF7EEFA0000-0x00007FF7EF2F1000-memory.dmp	upx
behavioral2/memory/4004-27-0x00007FF6491C0000-0x00007FF649511000-memory.dmp	upx
behavioral2/memory/3124-7-0x00007FF73CBB0000-0x00007FF73CF01000-memory.dmp	upx
behavioral2/memory/4184-80-0x00007FF685BF0000-0x00007FF685F41000-memory.dmp	upx
behavioral2/memory/1968-93-0x00007FF678600000-0x00007FF678951000-memory.dmp	upx
behavioral2/memory/3724-108-0x00007FF609900000-0x00007FF609C51000-memory.dmp	upx
behavioral2/memory/4268-112-0x00007FF7C7470000-0x00007FF7C77C1000-memory.dmp	upx
behavioral2/memory/2596-120-0x00007FF6902A0000-0x00007FF6905F1000-memory.dmp	upx
behavioral2/memory/1904-123-0x00007FF7845B0000-0x00007FF784901000-memory.dmp	upx
behavioral2/memory/4864-122-0x00007FF6C2D80000-0x00007FF6C30D1000-memory.dmp	upx
behavioral2/memory/3744-121-0x00007FF788280000-0x00007FF7885D1000-memory.dmp	upx
behavioral2/memory/3128-119-0x00007FF693B00000-0x00007FF693E51000-memory.dmp	upx
behavioral2/files/0x0008000000023c33-118.dat	upx
behavioral2/memory/2072-117-0x00007FF67F610000-0x00007FF67F961000-memory.dmp	upx
behavioral2/files/0x0008000000023c32-116.dat	upx
behavioral2/files/0x0008000000023c2c-115.dat	upx
behavioral2/files/0x000c000000023bae-114.dat	upx
behavioral2/memory/3080-113-0x00007FF60BF80000-0x00007FF60C2D1000-memory.dmp	upx
behavioral2/memory/5092-111-0x00007FF684B80000-0x00007FF684ED1000-memory.dmp	upx
behavioral2/memory/680-110-0x00007FF72A6C0000-0x00007FF72AA11000-memory.dmp	upx
behavioral2/files/0x0008000000023c19-105.dat	upx
behavioral2/files/0x0008000000023c1a-100.dat	upx
behavioral2/files/0x0008000000023c18-98.dat	upx
behavioral2/memory/4676-95-0x00007FF63E060000-0x00007FF63E3B1000-memory.dmp	upx
behavioral2/files/0x0008000000023c13-84.dat	upx
behavioral2/memory/968-79-0x00007FF645340000-0x00007FF645691000-memory.dmp	upx
behavioral2/memory/412-71-0x00007FF7F62E0000-0x00007FF7F6631000-memory.dmp	upx
behavioral2/memory/4376-124-0x00007FF7A6E30000-0x00007FF7A7181000-memory.dmp	upx
behavioral2/memory/968-131-0x00007FF645340000-0x00007FF645691000-memory.dmp	upx
behavioral2/memory/3128-144-0x00007FF693B00000-0x00007FF693E51000-memory.dmp	upx
behavioral2/memory/4828-130-0x00007FF61C490000-0x00007FF61C7E1000-memory.dmp	upx
behavioral2/memory/1048-128-0x00007FF7EEFA0000-0x00007FF7EF2F1000-memory.dmp	upx
behavioral2/memory/4004-126-0x00007FF6491C0000-0x00007FF649511000-memory.dmp	upx
behavioral2/memory/3124-125-0x00007FF73CBB0000-0x00007FF73CF01000-memory.dmp	upx
behavioral2/memory/1460-129-0x00007FF6E75F0000-0x00007FF6E7941000-memory.dmp	upx
behavioral2/memory/1904-145-0x00007FF7845B0000-0x00007FF784901000-memory.dmp	upx
behavioral2/memory/4376-148-0x00007FF7A6E30000-0x00007FF7A7181000-memory.dmp	upx
behavioral2/memory/4376-149-0x00007FF7A6E30000-0x00007FF7A7181000-memory.dmp	upx
behavioral2/memory/3080-167-0x00007FF60BF80000-0x00007FF60C2D1000-memory.dmp	upx
behavioral2/memory/2072-168-0x00007FF67F610000-0x00007FF67F961000-memory.dmp	upx
behavioral2/memory/3124-212-0x00007FF73CBB0000-0x00007FF73CF01000-memory.dmp	upx
behavioral2/memory/4004-214-0x00007FF6491C0000-0x00007FF649511000-memory.dmp	upx
behavioral2/memory/412-216-0x00007FF7F62E0000-0x00007FF7F6631000-memory.dmp	upx
behavioral2/memory/1048-218-0x00007FF7EEFA0000-0x00007FF7EF2F1000-memory.dmp	upx
behavioral2/memory/1460-220-0x00007FF6E75F0000-0x00007FF6E7941000-memory.dmp	upx
behavioral2/memory/1968-222-0x00007FF678600000-0x00007FF678951000-memory.dmp	upx
behavioral2/memory/4828-228-0x00007FF61C490000-0x00007FF61C7E1000-memory.dmp	upx
behavioral2/memory/4676-227-0x00007FF63E060000-0x00007FF63E3B1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\lodvuhh.exe	2024-12-17_ab121c4ea54c859b5668bad2165b10bf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\erYJBEL.exe	2024-12-17_ab121c4ea54c859b5668bad2165b10bf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VHicrxK.exe	2024-12-17_ab121c4ea54c859b5668bad2165b10bf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nBtUezl.exe	2024-12-17_ab121c4ea54c859b5668bad2165b10bf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xSzfZCZ.exe	2024-12-17_ab121c4ea54c859b5668bad2165b10bf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BycMhDU.exe	2024-12-17_ab121c4ea54c859b5668bad2165b10bf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\klgKUeN.exe	2024-12-17_ab121c4ea54c859b5668bad2165b10bf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nkjZiqH.exe	2024-12-17_ab121c4ea54c859b5668bad2165b10bf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\csWjmCY.exe	2024-12-17_ab121c4ea54c859b5668bad2165b10bf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IluQpvO.exe	2024-12-17_ab121c4ea54c859b5668bad2165b10bf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\Tvsnfpr.exe	2024-12-17_ab121c4ea54c859b5668bad2165b10bf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OndxRts.exe	2024-12-17_ab121c4ea54c859b5668bad2165b10bf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jgJsYxg.exe	2024-12-17_ab121c4ea54c859b5668bad2165b10bf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KKjtWEa.exe	2024-12-17_ab121c4ea54c859b5668bad2165b10bf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kMjGdyT.exe	2024-12-17_ab121c4ea54c859b5668bad2165b10bf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bQdTlRy.exe	2024-12-17_ab121c4ea54c859b5668bad2165b10bf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mnKbxUq.exe	2024-12-17_ab121c4ea54c859b5668bad2165b10bf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TVdGyzX.exe	2024-12-17_ab121c4ea54c859b5668bad2165b10bf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QnDZefc.exe	2024-12-17_ab121c4ea54c859b5668bad2165b10bf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DJOqphS.exe	2024-12-17_ab121c4ea54c859b5668bad2165b10bf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ishmyZn.exe	2024-12-17_ab121c4ea54c859b5668bad2165b10bf_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4376	2024-12-17_ab121c4ea54c859b5668bad2165b10bf_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4376	2024-12-17_ab121c4ea54c859b5668bad2165b10bf_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4376 wrote to memory of 3124	4376	2024-12-17_ab121c4ea54c859b5668bad2165b10bf_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 4376 wrote to memory of 3124	4376	2024-12-17_ab121c4ea54c859b5668bad2165b10bf_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 4376 wrote to memory of 4004	4376	2024-12-17_ab121c4ea54c859b5668bad2165b10bf_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4376 wrote to memory of 4004	4376	2024-12-17_ab121c4ea54c859b5668bad2165b10bf_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4376 wrote to memory of 412	4376	2024-12-17_ab121c4ea54c859b5668bad2165b10bf_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4376 wrote to memory of 412	4376	2024-12-17_ab121c4ea54c859b5668bad2165b10bf_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4376 wrote to memory of 1048	4376	2024-12-17_ab121c4ea54c859b5668bad2165b10bf_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4376 wrote to memory of 1048	4376	2024-12-17_ab121c4ea54c859b5668bad2165b10bf_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4376 wrote to memory of 1460	4376	2024-12-17_ab121c4ea54c859b5668bad2165b10bf_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4376 wrote to memory of 1460	4376	2024-12-17_ab121c4ea54c859b5668bad2165b10bf_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4376 wrote to memory of 4828	4376	2024-12-17_ab121c4ea54c859b5668bad2165b10bf_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4376 wrote to memory of 4828	4376	2024-12-17_ab121c4ea54c859b5668bad2165b10bf_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4376 wrote to memory of 968	4376	2024-12-17_ab121c4ea54c859b5668bad2165b10bf_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4376 wrote to memory of 968	4376	2024-12-17_ab121c4ea54c859b5668bad2165b10bf_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4376 wrote to memory of 4184	4376	2024-12-17_ab121c4ea54c859b5668bad2165b10bf_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4376 wrote to memory of 4184	4376	2024-12-17_ab121c4ea54c859b5668bad2165b10bf_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4376 wrote to memory of 1968	4376	2024-12-17_ab121c4ea54c859b5668bad2165b10bf_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4376 wrote to memory of 1968	4376	2024-12-17_ab121c4ea54c859b5668bad2165b10bf_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4376 wrote to memory of 2596	4376	2024-12-17_ab121c4ea54c859b5668bad2165b10bf_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4376 wrote to memory of 2596	4376	2024-12-17_ab121c4ea54c859b5668bad2165b10bf_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4376 wrote to memory of 4676	4376	2024-12-17_ab121c4ea54c859b5668bad2165b10bf_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4376 wrote to memory of 4676	4376	2024-12-17_ab121c4ea54c859b5668bad2165b10bf_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4376 wrote to memory of 3724	4376	2024-12-17_ab121c4ea54c859b5668bad2165b10bf_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4376 wrote to memory of 3724	4376	2024-12-17_ab121c4ea54c859b5668bad2165b10bf_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4376 wrote to memory of 680	4376	2024-12-17_ab121c4ea54c859b5668bad2165b10bf_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4376 wrote to memory of 680	4376	2024-12-17_ab121c4ea54c859b5668bad2165b10bf_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4376 wrote to memory of 5092	4376	2024-12-17_ab121c4ea54c859b5668bad2165b10bf_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4376 wrote to memory of 5092	4376	2024-12-17_ab121c4ea54c859b5668bad2165b10bf_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4376 wrote to memory of 3744	4376	2024-12-17_ab121c4ea54c859b5668bad2165b10bf_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4376 wrote to memory of 3744	4376	2024-12-17_ab121c4ea54c859b5668bad2165b10bf_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4376 wrote to memory of 4268	4376	2024-12-17_ab121c4ea54c859b5668bad2165b10bf_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4376 wrote to memory of 4268	4376	2024-12-17_ab121c4ea54c859b5668bad2165b10bf_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4376 wrote to memory of 4864	4376	2024-12-17_ab121c4ea54c859b5668bad2165b10bf_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4376 wrote to memory of 4864	4376	2024-12-17_ab121c4ea54c859b5668bad2165b10bf_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4376 wrote to memory of 3080	4376	2024-12-17_ab121c4ea54c859b5668bad2165b10bf_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4376 wrote to memory of 3080	4376	2024-12-17_ab121c4ea54c859b5668bad2165b10bf_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4376 wrote to memory of 2072	4376	2024-12-17_ab121c4ea54c859b5668bad2165b10bf_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4376 wrote to memory of 2072	4376	2024-12-17_ab121c4ea54c859b5668bad2165b10bf_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4376 wrote to memory of 3128	4376	2024-12-17_ab121c4ea54c859b5668bad2165b10bf_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4376 wrote to memory of 3128	4376	2024-12-17_ab121c4ea54c859b5668bad2165b10bf_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4376 wrote to memory of 1904	4376	2024-12-17_ab121c4ea54c859b5668bad2165b10bf_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4376 wrote to memory of 1904	4376	2024-12-17_ab121c4ea54c859b5668bad2165b10bf_cobalt-strike_cobaltstrike_poet-rat.exe	103

C:\Users\Admin\AppData\Local\Temp\2024-12-17_ab121c4ea54c859b5668bad2165b10bf_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-17_ab121c4ea54c859b5668bad2165b10bf_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4376
- C:\Windows\System\jgJsYxg.exe
  C:\Windows\System\jgJsYxg.exe
  2⤵
  - Executes dropped EXE
  PID:3124
- C:\Windows\System\QnDZefc.exe
  C:\Windows\System\QnDZefc.exe
  2⤵
  - Executes dropped EXE
  PID:4004
- C:\Windows\System\BycMhDU.exe
  C:\Windows\System\BycMhDU.exe
  2⤵
  - Executes dropped EXE
  PID:412
- C:\Windows\System\klgKUeN.exe
  C:\Windows\System\klgKUeN.exe
  2⤵
  - Executes dropped EXE
  PID:1048
- C:\Windows\System\DJOqphS.exe
  C:\Windows\System\DJOqphS.exe
  2⤵
  - Executes dropped EXE
  PID:1460
- C:\Windows\System\ishmyZn.exe
  C:\Windows\System\ishmyZn.exe
  2⤵
  - Executes dropped EXE
  PID:4828
- C:\Windows\System\KKjtWEa.exe
  C:\Windows\System\KKjtWEa.exe
  2⤵
  - Executes dropped EXE
  PID:968
- C:\Windows\System\kMjGdyT.exe
  C:\Windows\System\kMjGdyT.exe
  2⤵
  - Executes dropped EXE
  PID:4184
- C:\Windows\System\bQdTlRy.exe
  C:\Windows\System\bQdTlRy.exe
  2⤵
  - Executes dropped EXE
  PID:1968
- C:\Windows\System\nkjZiqH.exe
  C:\Windows\System\nkjZiqH.exe
  2⤵
  - Executes dropped EXE
  PID:2596
- C:\Windows\System\csWjmCY.exe
  C:\Windows\System\csWjmCY.exe
  2⤵
  - Executes dropped EXE
  PID:4676
- C:\Windows\System\mnKbxUq.exe
  C:\Windows\System\mnKbxUq.exe
  2⤵
  - Executes dropped EXE
  PID:3724
- C:\Windows\System\TVdGyzX.exe
  C:\Windows\System\TVdGyzX.exe
  2⤵
  - Executes dropped EXE
  PID:680
- C:\Windows\System\IluQpvO.exe
  C:\Windows\System\IluQpvO.exe
  2⤵
  - Executes dropped EXE
  PID:5092
- C:\Windows\System\OndxRts.exe
  C:\Windows\System\OndxRts.exe
  2⤵
  - Executes dropped EXE
  PID:3744
- C:\Windows\System\lodvuhh.exe
  C:\Windows\System\lodvuhh.exe
  2⤵
  - Executes dropped EXE
  PID:4268
- C:\Windows\System\erYJBEL.exe
  C:\Windows\System\erYJBEL.exe
  2⤵
  - Executes dropped EXE
  PID:4864
- C:\Windows\System\VHicrxK.exe
  C:\Windows\System\VHicrxK.exe
  2⤵
  - Executes dropped EXE
  PID:3080
- C:\Windows\System\Tvsnfpr.exe
  C:\Windows\System\Tvsnfpr.exe
  2⤵
  - Executes dropped EXE
  PID:2072
- C:\Windows\System\nBtUezl.exe
  C:\Windows\System\nBtUezl.exe
  2⤵
  - Executes dropped EXE
  PID:3128
- C:\Windows\System\xSzfZCZ.exe
  C:\Windows\System\xSzfZCZ.exe
  2⤵
  - Executes dropped EXE
  PID:1904

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BycMhDU.exe

Filesize
5.2MB

MD5
b301ea8cda3ee6039e23c3b1d6ddc50b

SHA1
3289f77275dd6e2076477194cb3c96298e9580e9

SHA256
4106d579fe4c8e37767e81dedb3ecef93cde1bb67615aa1907a6d4e3f3f0667e

SHA512
35904fcf58b4c34ed139b7653d8f7c1f95a3794c8a5893ec4bd0a664625685dbb92a329a68b45dd44d382f29a51ab65bacef3c8f8837a2ee6241cce40252fdf2

Download Submit
C:\Windows\System\DJOqphS.exe

Filesize
5.2MB

MD5
d3d80f189e520fd3aac396354b20dbef

SHA1
7982b7cbd8fca26f0bab0bde993c4be8ac9c3916

SHA256
84f9dcb94b0e19a2e0ee32dd341e9cf8b42de7403d90f0f7a4ce51e9e6ecff63

SHA512
7c24ef980a86de5964a627ba869e33282de87dc2fe95d76fc413520c02694f81cff987fd3f032ca23600f5095aec40402c2e652cdeb9d8d87329731f81fffed7

Download Submit
C:\Windows\System\IluQpvO.exe

Filesize
5.2MB

MD5
c5920b8b6ce95ac9b6fc30eda1f413a5

SHA1
404cf80b74bb5f43ac68bd13102af6f0edf301ed

SHA256
ae0e92ef0f270efdab98f2eabcd299585ed0ab461a78356c99d2b4e24f2638d0

SHA512
e7473f876fdad6283ac7dd48c9dca859ef8989cb4a70bef928dc6c9911c67265de35a4f0658ea16cba06fe69709ef89b1815256e7c5b23e8adaa557d56f86089

Download Submit
C:\Windows\System\KKjtWEa.exe

Filesize
5.2MB

MD5
10e3e18dcd3d156eb077d2cf0d4e375d

SHA1
adbf75a7775e98e4e824f39909577eccd71179a2

SHA256
dd5bbc8c46528f40944eb85b6843a2cd9d180c0ff527330ef886d3860579e2ea

SHA512
bc7ad0b261f886e51600242f5b1f5251c915e536d9850e4423bb45d2cf88f0cce9feecf4f98c592be8fe0b7d95a40f1215c10e56e6321de7bfc98c7828f98ae1

Download Submit
C:\Windows\System\OndxRts.exe

Filesize
5.2MB

MD5
dfd930b941fff55f503ae99c7219c94b

SHA1
b4b1c1cba2c9edcd364ccea770a9ddc04368da42

SHA256
065104feddaef065d76e07ab51c6ed219a3f8613705597073c27402cfbaf89d5

SHA512
35eb77db5b3106d95c11c547e6c1fb3871827d80cb55dad23f98391a8b6d2d67fd2c504cfb3dc8744cc116fe55fbc83501a470705034ec4cce0bef60deba80d2

Download Submit
C:\Windows\System\QnDZefc.exe

Filesize
5.2MB

MD5
06fc7fac7799aab4a99aaed946415968

SHA1
7b0b2a8bf40cdc02ed156420b0c076f31a901ce7

SHA256
020a97a74420345cc5ab40f0805088f6fe0c14d74dfc8cc43233475d61e93ed6

SHA512
cfd880527dafe6c16808e7e5836efe8a861bc265cf2371617e31e9e5cabe5cef5878fa74f6e6eb59c29d983183deb2f96df265db7293d6ee37bff28ff1239fe1

Download Submit
C:\Windows\System\TVdGyzX.exe

Filesize
5.2MB

MD5
2726a207d75316c965a9bdd40b6f8e79

SHA1
a967820211b1c08aafe7fea209f56331283f2e19

SHA256
4c95d28fc48abb2a77b112ec04cec07ed5a26dfab1a5ad55d5af9fdb66435e6d

SHA512
99d1f7ff9b50f06384d8d8e2cb1313b6b3ff6d7b7705fa69fa3cbee4a1a2cd1b39678a08f4a1497bc37d2d67b1f1d16752f801d092a7c363e3e52f393c3fa288

Download Submit
C:\Windows\System\Tvsnfpr.exe

Filesize
5.2MB

MD5
114187c90d47e7010f29019ebd8ec94a

SHA1
cf7dc97e70053c80907eb2c1bd2242108ce29cfa

SHA256
a89e4515fda2fecc60e8ce6643b82d4d798c05130d528d8a29612af84f820824

SHA512
259c0955140654640a6cea49955765e4ac4fd904dd1d52e8192d3dc14d7f64c8bb9d87051e954c5c6ab22dadbd04c3cd33ac5a743cd937116080a92126b911ce

Download Submit
C:\Windows\System\VHicrxK.exe

Filesize
5.2MB

MD5
2c7341bf503a2631ebe3de7c05c97526

SHA1
d491ec7e95fee7d942ae859188a8e347b6afb5aa

SHA256
ecc0f55c10f45b534ca35ee6a07fcb473323e0f75009190d0bfe49c7ed413ba3

SHA512
e6ad4bc1344bbaf1fd9082166415d81354d38f60ed6e705a6687d0d1e36da1df021b4e8be2655f26f7b57711a82263296ae4fdf77328241077d9f8c25a9f3002

Download Submit
C:\Windows\System\bQdTlRy.exe

Filesize
5.2MB

MD5
f18c21826bd35c68498f1716065d8f21

SHA1
8adc6429bdfe15b2ecad226342f6377adfda4be6

SHA256
01039b8ec24d1f24f0ad520a5448fcd0bb37ad387b605d352f69ed6e2bc76d52

SHA512
72a9e386ec44da121691e5bef23ba47073cddd9591d4bf6824261fe30d41c41c18557bf3d469e57dcb6f9b06f4390d560fe6f13937b0369da27fe200dc7b305b

Download Submit
C:\Windows\System\csWjmCY.exe

Filesize
5.2MB

MD5
8629dbc9b22d204a4be17249b5e1e87e

SHA1
d23642249aa149afb21153ba2116ebd1d0c5e01e

SHA256
ccf30a088e5648b0178f01d768c8e2217e2d29303e04610a4df542a6086e5e73

SHA512
53db2cc7921c74eb6fba9be2bbd1f639061e0fbd78be3cde1f8a1cf136bffd1a6fa97496d7842ade542feaee1378510767d4b02f741eb6aa57589112fde26f09

Download Submit
C:\Windows\System\erYJBEL.exe

Filesize
5.2MB

MD5
b57c57c6ea03d6fbb7de738d54cd9f4c

SHA1
335c575c333b1526fbf0958ac0d5e7b066c9dc9b

SHA256
2588104da581cfd979a4eaf76f0828299495db33ee4086b6b66c7b0b79917007

SHA512
1451c134ffb3e7ed76a94ee2a2f309fa87d9d79b38354c2f7d55a0751a9fa99340af678d37619be58c686cf5630f88e6772c4c34fd1576872c3d282f06c57251

Download Submit
C:\Windows\System\ishmyZn.exe

Filesize
5.2MB

MD5
d9bcfef1125777d93a122eff40970843

SHA1
7ebe9f8cae7805816b595b283ad541d109072959

SHA256
1d49b0aedafef619de38f6ed55b78cbd58ded4a046abab09aff35d2a07b956c2

SHA512
da1a7b3370c61ad0404bb0dc27f53849b66a57a5ebe77bc23889edc6a94ee6140d89484cb743910ef8196d4d66fbcef1c6bef6b27f3b8b3746e4a97a1aa48e94

Download Submit
C:\Windows\System\jgJsYxg.exe

Filesize
5.2MB

MD5
26f2a8c6223224b9ae50c888d3b574ad

SHA1
f2396b3651faf1a3b63587ecb2e74cd8a33673c0

SHA256
7228d6e69b9e0b6341ea8abc593a1b8010f3bbedff96a033ec0f19fe9a680719

SHA512
67fa3d49f0f2bf0f3c6a28a9f3d4cda50155d9dab11b55ee135407b782ed813f8fcd3a63d6e4f2c620e7fe69ab8900862058c80b0e988c5b8a9d75511fce1b23

Download Submit
C:\Windows\System\kMjGdyT.exe

Filesize
5.2MB

MD5
19a7ee90e3dee37f46c0b2057b5c43f6

SHA1
9371caf3c869f60686d091981b57252fbfd76628

SHA256
92cdfdafb3a85deef43bc88f9f409213ccbc2e27763eb35f8236a910a40ccc50

SHA512
84009010d29656e2228ec994706cfe5c9a667d7132542007a54357f700e89fee8f9a44724d6a7ffbf2cf79dd02f21fdffadf22b07f8cc23de6b9923cec262cc5

Download Submit
C:\Windows\System\klgKUeN.exe

Filesize
5.2MB

MD5
da935f442a504bd5af4538cc0efc56a3

SHA1
1e6ced72bd93485e7fa9738dc836ee6252cdfa3e

SHA256
576a1c5cf22f5e1680e4e904eddab687c6685f15fe5c4029b286740eb2fd3605

SHA512
dd4ac5c8142b9498f47843ad69e7af64bca251f6480ea22895276f581ddf8b6beb2ce2fb96968e353d37444c3980c36ae83bbc4550471983fcd0c052fe2c814f

Download Submit
C:\Windows\System\lodvuhh.exe

Filesize
5.2MB

MD5
f89dc1b0ed8508880d19cdb00489edee

SHA1
88d7f1cb516c49c8188acdd6e0671dbeb44194f7

SHA256
e79d7e84b17d66dfa4784d41879a6038eb27b6d4535c9335557b1075bb1bf73f

SHA512
48997e87fb3d17821fb0e09af917f22b86d54f7cecc70a542ac2c38743efeb58a4fa328049a12f26a6e779c17d8d0971f1aa9b1c4fc04bb8e18fdfa955e02834

Download Submit
C:\Windows\System\mnKbxUq.exe

Filesize
5.2MB

MD5
1e9c71a64d776c45230d1b9f4aa59bb2

SHA1
446963f9b34330f5fdad787e1eca5c5dd6e3737b

SHA256
87273a9f44b157aef2d13a89394f52bfe254703d6f39b1e4bd7ae390f7bcb22f

SHA512
afde49c1f24bec39dc29ce6a430880df3b1067c40bb365a45f4e0575ea28923cd85ca4c28f539694a38a7bb33333ce684c7e3aa710bdd1433b533308a29436c2

Download Submit
C:\Windows\System\nBtUezl.exe

Filesize
5.2MB

MD5
b9aa8e4390250ae6d0da73c456a14569

SHA1
078cf6f3f67048d515c872aafa73b11e9bd11a7e

SHA256
57b14d54ad857eb51cc9971b8b106bc1c79015d1dc43042de3d9b2e08db33735

SHA512
d9c0235ca5f344039b2252d726f9e2232ac6f900a5a20b6c22a7e3a6acb258244e5ff2b8a2cad8608d14a5d60986d60def36e1185fe129d88421d382c236fe06

Download Submit
C:\Windows\System\nkjZiqH.exe

Filesize
5.2MB

MD5
30aee3b9ad762dbdc04776387c62a46c

SHA1
cb1d465fce3aa78a8ac0dc7a324fc08938d09a56

SHA256
5cab63748910d1c208941261548cfb51ad3397e9e6e364bb3388fa0dc3ac6792

SHA512
7bc7fcfa49a365ddc9ac4f7ca8f61405fd20f7281f0461aecd0e18188e8e44fde4a776348373f05ee626f666101061ffb824b35be7609bd1fb7dba5adecfaa21

Download Submit
C:\Windows\System\xSzfZCZ.exe

Filesize
5.2MB

MD5
251b42c27533c1f08db41ef8e0538e7a

SHA1
28b69e62fd97a57548a903a38b7d633641402bfc

SHA256
608210955562b3dc52d844d86b7e82b832cda258b55235daea5f13f69b25cf2e

SHA512
52d973eb733b3b58a020ac7adca3cabc9b7d07a04e864042a9a06478ca2a90b40d06eefac15abf10e7c94eb0074fcdc329fd36491e9e7769c8917bdf48495c80

Download Submit
memory/412-71-0x00007FF7F62E0000-0x00007FF7F6631000-memory.dmp

Filesize
3.3MB

Download
memory/412-216-0x00007FF7F62E0000-0x00007FF7F6631000-memory.dmp

Filesize
3.3MB

Download
memory/680-240-0x00007FF72A6C0000-0x00007FF72AA11000-memory.dmp

Filesize
3.3MB

Download
memory/680-110-0x00007FF72A6C0000-0x00007FF72AA11000-memory.dmp

Filesize
3.3MB

Download
memory/968-79-0x00007FF645340000-0x00007FF645691000-memory.dmp

Filesize
3.3MB

Download
memory/968-131-0x00007FF645340000-0x00007FF645691000-memory.dmp

Filesize
3.3MB

Download
memory/968-238-0x00007FF645340000-0x00007FF645691000-memory.dmp

Filesize
3.3MB

Download
memory/1048-218-0x00007FF7EEFA0000-0x00007FF7EF2F1000-memory.dmp

Filesize
3.3MB

Download
memory/1048-128-0x00007FF7EEFA0000-0x00007FF7EF2F1000-memory.dmp

Filesize
3.3MB

Download
memory/1048-37-0x00007FF7EEFA0000-0x00007FF7EF2F1000-memory.dmp

Filesize
3.3MB

Download
memory/1460-220-0x00007FF6E75F0000-0x00007FF6E7941000-memory.dmp

Filesize
3.3MB

Download
memory/1460-129-0x00007FF6E75F0000-0x00007FF6E7941000-memory.dmp

Filesize
3.3MB

Download
memory/1460-44-0x00007FF6E75F0000-0x00007FF6E7941000-memory.dmp

Filesize
3.3MB

Download
memory/1904-255-0x00007FF7845B0000-0x00007FF784901000-memory.dmp

Filesize
3.3MB

Download
memory/1904-123-0x00007FF7845B0000-0x00007FF784901000-memory.dmp

Filesize
3.3MB

Download
memory/1904-145-0x00007FF7845B0000-0x00007FF784901000-memory.dmp

Filesize
3.3MB

Download
memory/1968-93-0x00007FF678600000-0x00007FF678951000-memory.dmp

Filesize
3.3MB

Download
memory/1968-222-0x00007FF678600000-0x00007FF678951000-memory.dmp

Filesize
3.3MB

Download
memory/2072-168-0x00007FF67F610000-0x00007FF67F961000-memory.dmp

Filesize
3.3MB

Download
memory/2072-261-0x00007FF67F610000-0x00007FF67F961000-memory.dmp

Filesize
3.3MB

Download
memory/2072-117-0x00007FF67F610000-0x00007FF67F961000-memory.dmp

Filesize
3.3MB

Download
memory/2596-237-0x00007FF6902A0000-0x00007FF6905F1000-memory.dmp

Filesize
3.3MB

Download
memory/2596-120-0x00007FF6902A0000-0x00007FF6905F1000-memory.dmp

Filesize
3.3MB

Download
memory/3080-113-0x00007FF60BF80000-0x00007FF60C2D1000-memory.dmp

Filesize
3.3MB

Download
memory/3080-260-0x00007FF60BF80000-0x00007FF60C2D1000-memory.dmp

Filesize
3.3MB

Download
memory/3080-167-0x00007FF60BF80000-0x00007FF60C2D1000-memory.dmp

Filesize
3.3MB

Download
memory/3124-212-0x00007FF73CBB0000-0x00007FF73CF01000-memory.dmp

Filesize
3.3MB

Download
memory/3124-7-0x00007FF73CBB0000-0x00007FF73CF01000-memory.dmp

Filesize
3.3MB

Download
memory/3124-125-0x00007FF73CBB0000-0x00007FF73CF01000-memory.dmp

Filesize
3.3MB

Download
memory/3128-119-0x00007FF693B00000-0x00007FF693E51000-memory.dmp

Filesize
3.3MB

Download
memory/3128-144-0x00007FF693B00000-0x00007FF693E51000-memory.dmp

Filesize
3.3MB

Download
memory/3128-257-0x00007FF693B00000-0x00007FF693E51000-memory.dmp

Filesize
3.3MB

Download
memory/3724-242-0x00007FF609900000-0x00007FF609C51000-memory.dmp

Filesize
3.3MB

Download
memory/3724-108-0x00007FF609900000-0x00007FF609C51000-memory.dmp

Filesize
3.3MB

Download
memory/3744-248-0x00007FF788280000-0x00007FF7885D1000-memory.dmp

Filesize
3.3MB

Download
memory/3744-121-0x00007FF788280000-0x00007FF7885D1000-memory.dmp

Filesize
3.3MB

Download
memory/4004-27-0x00007FF6491C0000-0x00007FF649511000-memory.dmp

Filesize
3.3MB

Download
memory/4004-214-0x00007FF6491C0000-0x00007FF649511000-memory.dmp

Filesize
3.3MB

Download
memory/4004-126-0x00007FF6491C0000-0x00007FF649511000-memory.dmp

Filesize
3.3MB

Download
memory/4184-80-0x00007FF685BF0000-0x00007FF685F41000-memory.dmp

Filesize
3.3MB

Download
memory/4184-225-0x00007FF685BF0000-0x00007FF685F41000-memory.dmp

Filesize
3.3MB

Download
memory/4268-112-0x00007FF7C7470000-0x00007FF7C77C1000-memory.dmp

Filesize
3.3MB

Download
memory/4268-245-0x00007FF7C7470000-0x00007FF7C77C1000-memory.dmp

Filesize
3.3MB

Download
memory/4376-124-0x00007FF7A6E30000-0x00007FF7A7181000-memory.dmp

Filesize
3.3MB

Download
memory/4376-148-0x00007FF7A6E30000-0x00007FF7A7181000-memory.dmp

Filesize
3.3MB

Download
memory/4376-149-0x00007FF7A6E30000-0x00007FF7A7181000-memory.dmp

Filesize
3.3MB

Download
memory/4376-0-0x00007FF7A6E30000-0x00007FF7A7181000-memory.dmp

Filesize
3.3MB

Download
memory/4376-1-0x000001C98A7F0000-0x000001C98A800000-memory.dmp

Filesize
64KB

Download
memory/4676-227-0x00007FF63E060000-0x00007FF63E3B1000-memory.dmp

Filesize
3.3MB

Download
memory/4676-95-0x00007FF63E060000-0x00007FF63E3B1000-memory.dmp

Filesize
3.3MB

Download
memory/4828-228-0x00007FF61C490000-0x00007FF61C7E1000-memory.dmp

Filesize
3.3MB

Download
memory/4828-49-0x00007FF61C490000-0x00007FF61C7E1000-memory.dmp

Filesize
3.3MB

Download
memory/4828-130-0x00007FF61C490000-0x00007FF61C7E1000-memory.dmp

Filesize
3.3MB

Download
memory/4864-247-0x00007FF6C2D80000-0x00007FF6C30D1000-memory.dmp

Filesize
3.3MB

Download
memory/4864-122-0x00007FF6C2D80000-0x00007FF6C30D1000-memory.dmp

Filesize
3.3MB

Download
memory/5092-234-0x00007FF684B80000-0x00007FF684ED1000-memory.dmp

Filesize
3.3MB

Download
memory/5092-111-0x00007FF684B80000-0x00007FF684ED1000-memory.dmp

Filesize
3.3MB

Download