cobaltstrike | ba3e61205af7c4a2ba429e82dc8fc592ceceb64f39d68db31962c87295f0211b

Analysis

max time kernel
142s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-12-2024 13:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-17_64d4c8424fd3174ff82f2819fa22969d_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

64d4c8424fd3174ff82f2819fa22969d
SHA1

0b5164721ed863025d6da85d905ad483646f05be
SHA256

ba3e61205af7c4a2ba429e82dc8fc592ceceb64f39d68db31962c87295f0211b
SHA512

56e1298775d445963cc2dcbad9375d9b19667f9ad1a94ae01dc06020475df117f142fcb4751094c36d911e86ca572cd1e93a75fbede0a7c3c1240035027c4973
SSDEEP

49152:ROdWCCi7/raN56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6ll:RWWBib+56utgpPFotBER/mQ32lUp

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0008000000023c88-5.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c8c-8.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c8d-7.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c89-23.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c8f-28.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c90-35.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c91-39.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c92-49.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c93-51.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c94-62.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c95-69.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c96-75.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c97-80.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c98-90.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c99-92.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9a-101.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9b-100.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9d-121.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9f-134.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9e-129.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9c-112.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 46 IoCs

miner

resource	yara_rule
behavioral2/memory/1760-54-0x00007FF7E0A60000-0x00007FF7E0DB1000-memory.dmp	xmrig
behavioral2/memory/2808-53-0x00007FF6B9AD0000-0x00007FF6B9E21000-memory.dmp	xmrig
behavioral2/memory/4760-68-0x00007FF772EB0000-0x00007FF773201000-memory.dmp	xmrig
behavioral2/memory/1424-71-0x00007FF627300000-0x00007FF627651000-memory.dmp	xmrig
behavioral2/memory/4816-110-0x00007FF762C10000-0x00007FF762F61000-memory.dmp	xmrig
behavioral2/memory/3128-113-0x00007FF6A6F30000-0x00007FF6A7281000-memory.dmp	xmrig
behavioral2/memory/1968-118-0x00007FF615270000-0x00007FF6155C1000-memory.dmp	xmrig
behavioral2/memory/4160-126-0x00007FF743810000-0x00007FF743B61000-memory.dmp	xmrig
behavioral2/memory/3044-132-0x00007FF62B1F0000-0x00007FF62B541000-memory.dmp	xmrig
behavioral2/memory/2276-114-0x00007FF66AA90000-0x00007FF66ADE1000-memory.dmp	xmrig
behavioral2/memory/4004-111-0x00007FF6FBBB0000-0x00007FF6FBF01000-memory.dmp	xmrig
behavioral2/memory/4524-108-0x00007FF7A8C70000-0x00007FF7A8FC1000-memory.dmp	xmrig
behavioral2/memory/2968-84-0x00007FF720F50000-0x00007FF7212A1000-memory.dmp	xmrig
behavioral2/memory/2304-76-0x00007FF647ED0000-0x00007FF648221000-memory.dmp	xmrig
behavioral2/memory/2808-136-0x00007FF6B9AD0000-0x00007FF6B9E21000-memory.dmp	xmrig
behavioral2/memory/4512-140-0x00007FF7F83D0000-0x00007FF7F8721000-memory.dmp	xmrig
behavioral2/memory/2984-144-0x00007FF79F940000-0x00007FF79FC91000-memory.dmp	xmrig
behavioral2/memory/1116-145-0x00007FF7AE040000-0x00007FF7AE391000-memory.dmp	xmrig
behavioral2/memory/1848-150-0x00007FF680C30000-0x00007FF680F81000-memory.dmp	xmrig
behavioral2/memory/2128-151-0x00007FF6A1A20000-0x00007FF6A1D71000-memory.dmp	xmrig
behavioral2/memory/1500-161-0x00007FF68E2B0000-0x00007FF68E601000-memory.dmp	xmrig
behavioral2/memory/220-162-0x00007FF76B0C0000-0x00007FF76B411000-memory.dmp	xmrig
behavioral2/memory/1972-160-0x00007FF794CC0000-0x00007FF795011000-memory.dmp	xmrig
behavioral2/memory/1968-163-0x00007FF615270000-0x00007FF6155C1000-memory.dmp	xmrig
behavioral2/memory/2808-164-0x00007FF6B9AD0000-0x00007FF6B9E21000-memory.dmp	xmrig
behavioral2/memory/1760-214-0x00007FF7E0A60000-0x00007FF7E0DB1000-memory.dmp	xmrig
behavioral2/memory/4760-216-0x00007FF772EB0000-0x00007FF773201000-memory.dmp	xmrig
behavioral2/memory/2304-220-0x00007FF647ED0000-0x00007FF648221000-memory.dmp	xmrig
behavioral2/memory/3128-222-0x00007FF6A6F30000-0x00007FF6A7281000-memory.dmp	xmrig
behavioral2/memory/2968-224-0x00007FF720F50000-0x00007FF7212A1000-memory.dmp	xmrig
behavioral2/memory/4160-230-0x00007FF743810000-0x00007FF743B61000-memory.dmp	xmrig
behavioral2/memory/3044-232-0x00007FF62B1F0000-0x00007FF62B541000-memory.dmp	xmrig
behavioral2/memory/2984-234-0x00007FF79F940000-0x00007FF79FC91000-memory.dmp	xmrig
behavioral2/memory/4512-236-0x00007FF7F83D0000-0x00007FF7F8721000-memory.dmp	xmrig
behavioral2/memory/1116-243-0x00007FF7AE040000-0x00007FF7AE391000-memory.dmp	xmrig
behavioral2/memory/1424-245-0x00007FF627300000-0x00007FF627651000-memory.dmp	xmrig
behavioral2/memory/1848-247-0x00007FF680C30000-0x00007FF680F81000-memory.dmp	xmrig
behavioral2/memory/2128-249-0x00007FF6A1A20000-0x00007FF6A1D71000-memory.dmp	xmrig
behavioral2/memory/4524-259-0x00007FF7A8C70000-0x00007FF7A8FC1000-memory.dmp	xmrig
behavioral2/memory/2276-258-0x00007FF66AA90000-0x00007FF66ADE1000-memory.dmp	xmrig
behavioral2/memory/4816-263-0x00007FF762C10000-0x00007FF762F61000-memory.dmp	xmrig
behavioral2/memory/4004-262-0x00007FF6FBBB0000-0x00007FF6FBF01000-memory.dmp	xmrig
behavioral2/memory/1968-265-0x00007FF615270000-0x00007FF6155C1000-memory.dmp	xmrig
behavioral2/memory/1972-267-0x00007FF794CC0000-0x00007FF795011000-memory.dmp	xmrig
behavioral2/memory/1500-269-0x00007FF68E2B0000-0x00007FF68E601000-memory.dmp	xmrig
behavioral2/memory/220-271-0x00007FF76B0C0000-0x00007FF76B411000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
1760	CZsutTy.exe
4760	MACHqfg.exe
2304	DfKRleR.exe
2968	YIdUwhU.exe
3128	FUydWDO.exe
4160	TDgcYAG.exe
3044	wbjTffe.exe
4512	jUEfTHi.exe
2984	ZpTyRLU.exe
1116	BuHmMNp.exe
1424	QJZlCKL.exe
1848	aYaxmWW.exe
2128	ANeTkeG.exe
2276	FFGoXBY.exe
4524	tgKzTYb.exe
4816	hMYdrXe.exe
4004	XwHsMTq.exe
1968	sxNkNJU.exe
1972	plQApWt.exe
1500	VbyPsFl.exe
220	OKEeiab.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2808-0-0x00007FF6B9AD0000-0x00007FF6B9E21000-memory.dmp	upx
behavioral2/files/0x0008000000023c88-5.dat	upx
behavioral2/memory/1760-9-0x00007FF7E0A60000-0x00007FF7E0DB1000-memory.dmp	upx
behavioral2/files/0x0007000000023c8c-8.dat	upx
behavioral2/memory/4760-12-0x00007FF772EB0000-0x00007FF773201000-memory.dmp	upx
behavioral2/files/0x0007000000023c8d-7.dat	upx
behavioral2/memory/2304-18-0x00007FF647ED0000-0x00007FF648221000-memory.dmp	upx
behavioral2/files/0x0008000000023c89-23.dat	upx
behavioral2/files/0x0007000000023c8f-28.dat	upx
behavioral2/memory/3128-29-0x00007FF6A6F30000-0x00007FF6A7281000-memory.dmp	upx
behavioral2/memory/2968-24-0x00007FF720F50000-0x00007FF7212A1000-memory.dmp	upx
behavioral2/files/0x0007000000023c90-35.dat	upx
behavioral2/files/0x0007000000023c91-39.dat	upx
behavioral2/memory/4512-48-0x00007FF7F83D0000-0x00007FF7F8721000-memory.dmp	upx
behavioral2/files/0x0007000000023c92-49.dat	upx
behavioral2/files/0x0007000000023c93-51.dat	upx
behavioral2/memory/2984-55-0x00007FF79F940000-0x00007FF79FC91000-memory.dmp	upx
behavioral2/memory/1760-54-0x00007FF7E0A60000-0x00007FF7E0DB1000-memory.dmp	upx
behavioral2/memory/2808-53-0x00007FF6B9AD0000-0x00007FF6B9E21000-memory.dmp	upx
behavioral2/memory/3044-42-0x00007FF62B1F0000-0x00007FF62B541000-memory.dmp	upx
behavioral2/memory/4160-36-0x00007FF743810000-0x00007FF743B61000-memory.dmp	upx
behavioral2/files/0x0007000000023c94-62.dat	upx
behavioral2/memory/1116-64-0x00007FF7AE040000-0x00007FF7AE391000-memory.dmp	upx
behavioral2/memory/4760-68-0x00007FF772EB0000-0x00007FF773201000-memory.dmp	upx
behavioral2/files/0x0007000000023c95-69.dat	upx
behavioral2/memory/1424-71-0x00007FF627300000-0x00007FF627651000-memory.dmp	upx
behavioral2/files/0x0007000000023c96-75.dat	upx
behavioral2/files/0x0007000000023c97-80.dat	upx
behavioral2/files/0x0007000000023c98-90.dat	upx
behavioral2/files/0x0007000000023c99-92.dat	upx
behavioral2/files/0x0007000000023c9a-101.dat	upx
behavioral2/files/0x0007000000023c9b-100.dat	upx
behavioral2/memory/4816-110-0x00007FF762C10000-0x00007FF762F61000-memory.dmp	upx
behavioral2/memory/3128-113-0x00007FF6A6F30000-0x00007FF6A7281000-memory.dmp	upx
behavioral2/memory/1968-118-0x00007FF615270000-0x00007FF6155C1000-memory.dmp	upx
behavioral2/files/0x0007000000023c9d-121.dat	upx
behavioral2/memory/4160-126-0x00007FF743810000-0x00007FF743B61000-memory.dmp	upx
behavioral2/files/0x0007000000023c9f-134.dat	upx
behavioral2/memory/220-133-0x00007FF76B0C0000-0x00007FF76B411000-memory.dmp	upx
behavioral2/memory/3044-132-0x00007FF62B1F0000-0x00007FF62B541000-memory.dmp	upx
behavioral2/files/0x0007000000023c9e-129.dat	upx
behavioral2/memory/1500-128-0x00007FF68E2B0000-0x00007FF68E601000-memory.dmp	upx
behavioral2/memory/1972-120-0x00007FF794CC0000-0x00007FF795011000-memory.dmp	upx
behavioral2/memory/2276-114-0x00007FF66AA90000-0x00007FF66ADE1000-memory.dmp	upx
behavioral2/files/0x0007000000023c9c-112.dat	upx
behavioral2/memory/4004-111-0x00007FF6FBBB0000-0x00007FF6FBF01000-memory.dmp	upx
behavioral2/memory/4524-108-0x00007FF7A8C70000-0x00007FF7A8FC1000-memory.dmp	upx
behavioral2/memory/2128-107-0x00007FF6A1A20000-0x00007FF6A1D71000-memory.dmp	upx
behavioral2/memory/2968-84-0x00007FF720F50000-0x00007FF7212A1000-memory.dmp	upx
behavioral2/memory/1848-77-0x00007FF680C30000-0x00007FF680F81000-memory.dmp	upx
behavioral2/memory/2304-76-0x00007FF647ED0000-0x00007FF648221000-memory.dmp	upx
behavioral2/memory/2808-136-0x00007FF6B9AD0000-0x00007FF6B9E21000-memory.dmp	upx
behavioral2/memory/4512-140-0x00007FF7F83D0000-0x00007FF7F8721000-memory.dmp	upx
behavioral2/memory/2984-144-0x00007FF79F940000-0x00007FF79FC91000-memory.dmp	upx
behavioral2/memory/1116-145-0x00007FF7AE040000-0x00007FF7AE391000-memory.dmp	upx
behavioral2/memory/1848-150-0x00007FF680C30000-0x00007FF680F81000-memory.dmp	upx
behavioral2/memory/2128-151-0x00007FF6A1A20000-0x00007FF6A1D71000-memory.dmp	upx
behavioral2/memory/1500-161-0x00007FF68E2B0000-0x00007FF68E601000-memory.dmp	upx
behavioral2/memory/220-162-0x00007FF76B0C0000-0x00007FF76B411000-memory.dmp	upx
behavioral2/memory/1972-160-0x00007FF794CC0000-0x00007FF795011000-memory.dmp	upx
behavioral2/memory/1968-163-0x00007FF615270000-0x00007FF6155C1000-memory.dmp	upx
behavioral2/memory/2808-164-0x00007FF6B9AD0000-0x00007FF6B9E21000-memory.dmp	upx
behavioral2/memory/1760-214-0x00007FF7E0A60000-0x00007FF7E0DB1000-memory.dmp	upx
behavioral2/memory/4760-216-0x00007FF772EB0000-0x00007FF773201000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\CZsutTy.exe	2024-12-17_64d4c8424fd3174ff82f2819fa22969d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YIdUwhU.exe	2024-12-17_64d4c8424fd3174ff82f2819fa22969d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wbjTffe.exe	2024-12-17_64d4c8424fd3174ff82f2819fa22969d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ANeTkeG.exe	2024-12-17_64d4c8424fd3174ff82f2819fa22969d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tgKzTYb.exe	2024-12-17_64d4c8424fd3174ff82f2819fa22969d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OKEeiab.exe	2024-12-17_64d4c8424fd3174ff82f2819fa22969d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FUydWDO.exe	2024-12-17_64d4c8424fd3174ff82f2819fa22969d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZpTyRLU.exe	2024-12-17_64d4c8424fd3174ff82f2819fa22969d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FFGoXBY.exe	2024-12-17_64d4c8424fd3174ff82f2819fa22969d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XwHsMTq.exe	2024-12-17_64d4c8424fd3174ff82f2819fa22969d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sxNkNJU.exe	2024-12-17_64d4c8424fd3174ff82f2819fa22969d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\plQApWt.exe	2024-12-17_64d4c8424fd3174ff82f2819fa22969d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MACHqfg.exe	2024-12-17_64d4c8424fd3174ff82f2819fa22969d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TDgcYAG.exe	2024-12-17_64d4c8424fd3174ff82f2819fa22969d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QJZlCKL.exe	2024-12-17_64d4c8424fd3174ff82f2819fa22969d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aYaxmWW.exe	2024-12-17_64d4c8424fd3174ff82f2819fa22969d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DfKRleR.exe	2024-12-17_64d4c8424fd3174ff82f2819fa22969d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jUEfTHi.exe	2024-12-17_64d4c8424fd3174ff82f2819fa22969d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BuHmMNp.exe	2024-12-17_64d4c8424fd3174ff82f2819fa22969d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hMYdrXe.exe	2024-12-17_64d4c8424fd3174ff82f2819fa22969d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VbyPsFl.exe	2024-12-17_64d4c8424fd3174ff82f2819fa22969d_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2808	2024-12-17_64d4c8424fd3174ff82f2819fa22969d_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2808	2024-12-17_64d4c8424fd3174ff82f2819fa22969d_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2808 wrote to memory of 1760	2808	2024-12-17_64d4c8424fd3174ff82f2819fa22969d_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2808 wrote to memory of 1760	2808	2024-12-17_64d4c8424fd3174ff82f2819fa22969d_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2808 wrote to memory of 4760	2808	2024-12-17_64d4c8424fd3174ff82f2819fa22969d_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2808 wrote to memory of 4760	2808	2024-12-17_64d4c8424fd3174ff82f2819fa22969d_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2808 wrote to memory of 2304	2808	2024-12-17_64d4c8424fd3174ff82f2819fa22969d_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2808 wrote to memory of 2304	2808	2024-12-17_64d4c8424fd3174ff82f2819fa22969d_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2808 wrote to memory of 2968	2808	2024-12-17_64d4c8424fd3174ff82f2819fa22969d_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2808 wrote to memory of 2968	2808	2024-12-17_64d4c8424fd3174ff82f2819fa22969d_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2808 wrote to memory of 3128	2808	2024-12-17_64d4c8424fd3174ff82f2819fa22969d_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2808 wrote to memory of 3128	2808	2024-12-17_64d4c8424fd3174ff82f2819fa22969d_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2808 wrote to memory of 4160	2808	2024-12-17_64d4c8424fd3174ff82f2819fa22969d_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2808 wrote to memory of 4160	2808	2024-12-17_64d4c8424fd3174ff82f2819fa22969d_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2808 wrote to memory of 3044	2808	2024-12-17_64d4c8424fd3174ff82f2819fa22969d_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2808 wrote to memory of 3044	2808	2024-12-17_64d4c8424fd3174ff82f2819fa22969d_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2808 wrote to memory of 4512	2808	2024-12-17_64d4c8424fd3174ff82f2819fa22969d_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2808 wrote to memory of 4512	2808	2024-12-17_64d4c8424fd3174ff82f2819fa22969d_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2808 wrote to memory of 2984	2808	2024-12-17_64d4c8424fd3174ff82f2819fa22969d_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2808 wrote to memory of 2984	2808	2024-12-17_64d4c8424fd3174ff82f2819fa22969d_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2808 wrote to memory of 1116	2808	2024-12-17_64d4c8424fd3174ff82f2819fa22969d_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2808 wrote to memory of 1116	2808	2024-12-17_64d4c8424fd3174ff82f2819fa22969d_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2808 wrote to memory of 1424	2808	2024-12-17_64d4c8424fd3174ff82f2819fa22969d_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2808 wrote to memory of 1424	2808	2024-12-17_64d4c8424fd3174ff82f2819fa22969d_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2808 wrote to memory of 1848	2808	2024-12-17_64d4c8424fd3174ff82f2819fa22969d_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2808 wrote to memory of 1848	2808	2024-12-17_64d4c8424fd3174ff82f2819fa22969d_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2808 wrote to memory of 2128	2808	2024-12-17_64d4c8424fd3174ff82f2819fa22969d_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2808 wrote to memory of 2128	2808	2024-12-17_64d4c8424fd3174ff82f2819fa22969d_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2808 wrote to memory of 2276	2808	2024-12-17_64d4c8424fd3174ff82f2819fa22969d_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2808 wrote to memory of 2276	2808	2024-12-17_64d4c8424fd3174ff82f2819fa22969d_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2808 wrote to memory of 4524	2808	2024-12-17_64d4c8424fd3174ff82f2819fa22969d_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2808 wrote to memory of 4524	2808	2024-12-17_64d4c8424fd3174ff82f2819fa22969d_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2808 wrote to memory of 4816	2808	2024-12-17_64d4c8424fd3174ff82f2819fa22969d_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2808 wrote to memory of 4816	2808	2024-12-17_64d4c8424fd3174ff82f2819fa22969d_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2808 wrote to memory of 4004	2808	2024-12-17_64d4c8424fd3174ff82f2819fa22969d_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2808 wrote to memory of 4004	2808	2024-12-17_64d4c8424fd3174ff82f2819fa22969d_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2808 wrote to memory of 1968	2808	2024-12-17_64d4c8424fd3174ff82f2819fa22969d_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2808 wrote to memory of 1968	2808	2024-12-17_64d4c8424fd3174ff82f2819fa22969d_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2808 wrote to memory of 1972	2808	2024-12-17_64d4c8424fd3174ff82f2819fa22969d_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2808 wrote to memory of 1972	2808	2024-12-17_64d4c8424fd3174ff82f2819fa22969d_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2808 wrote to memory of 1500	2808	2024-12-17_64d4c8424fd3174ff82f2819fa22969d_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2808 wrote to memory of 1500	2808	2024-12-17_64d4c8424fd3174ff82f2819fa22969d_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2808 wrote to memory of 220	2808	2024-12-17_64d4c8424fd3174ff82f2819fa22969d_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 2808 wrote to memory of 220	2808	2024-12-17_64d4c8424fd3174ff82f2819fa22969d_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-12-17_64d4c8424fd3174ff82f2819fa22969d_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-17_64d4c8424fd3174ff82f2819fa22969d_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2808
- C:\Windows\System\CZsutTy.exe
  C:\Windows\System\CZsutTy.exe
  2⤵
  - Executes dropped EXE
  PID:1760
- C:\Windows\System\MACHqfg.exe
  C:\Windows\System\MACHqfg.exe
  2⤵
  - Executes dropped EXE
  PID:4760
- C:\Windows\System\DfKRleR.exe
  C:\Windows\System\DfKRleR.exe
  2⤵
  - Executes dropped EXE
  PID:2304
- C:\Windows\System\YIdUwhU.exe
  C:\Windows\System\YIdUwhU.exe
  2⤵
  - Executes dropped EXE
  PID:2968
- C:\Windows\System\FUydWDO.exe
  C:\Windows\System\FUydWDO.exe
  2⤵
  - Executes dropped EXE
  PID:3128
- C:\Windows\System\TDgcYAG.exe
  C:\Windows\System\TDgcYAG.exe
  2⤵
  - Executes dropped EXE
  PID:4160
- C:\Windows\System\wbjTffe.exe
  C:\Windows\System\wbjTffe.exe
  2⤵
  - Executes dropped EXE
  PID:3044
- C:\Windows\System\jUEfTHi.exe
  C:\Windows\System\jUEfTHi.exe
  2⤵
  - Executes dropped EXE
  PID:4512
- C:\Windows\System\ZpTyRLU.exe
  C:\Windows\System\ZpTyRLU.exe
  2⤵
  - Executes dropped EXE
  PID:2984
- C:\Windows\System\BuHmMNp.exe
  C:\Windows\System\BuHmMNp.exe
  2⤵
  - Executes dropped EXE
  PID:1116
- C:\Windows\System\QJZlCKL.exe
  C:\Windows\System\QJZlCKL.exe
  2⤵
  - Executes dropped EXE
  PID:1424
- C:\Windows\System\aYaxmWW.exe
  C:\Windows\System\aYaxmWW.exe
  2⤵
  - Executes dropped EXE
  PID:1848
- C:\Windows\System\ANeTkeG.exe
  C:\Windows\System\ANeTkeG.exe
  2⤵
  - Executes dropped EXE
  PID:2128
- C:\Windows\System\FFGoXBY.exe
  C:\Windows\System\FFGoXBY.exe
  2⤵
  - Executes dropped EXE
  PID:2276
- C:\Windows\System\tgKzTYb.exe
  C:\Windows\System\tgKzTYb.exe
  2⤵
  - Executes dropped EXE
  PID:4524
- C:\Windows\System\hMYdrXe.exe
  C:\Windows\System\hMYdrXe.exe
  2⤵
  - Executes dropped EXE
  PID:4816
- C:\Windows\System\XwHsMTq.exe
  C:\Windows\System\XwHsMTq.exe
  2⤵
  - Executes dropped EXE
  PID:4004
- C:\Windows\System\sxNkNJU.exe
  C:\Windows\System\sxNkNJU.exe
  2⤵
  - Executes dropped EXE
  PID:1968
- C:\Windows\System\plQApWt.exe
  C:\Windows\System\plQApWt.exe
  2⤵
  - Executes dropped EXE
  PID:1972
- C:\Windows\System\VbyPsFl.exe
  C:\Windows\System\VbyPsFl.exe
  2⤵
  - Executes dropped EXE
  PID:1500
- C:\Windows\System\OKEeiab.exe
  C:\Windows\System\OKEeiab.exe
  2⤵
  - Executes dropped EXE
  PID:220

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\ANeTkeG.exe

Filesize
5.2MB

MD5
373346b75aaee61541a9de87a57a2ec0

SHA1
476fbfcbf162d05f871529e9a53c33e2320cdb43

SHA256
58f0c7d13e0256870e2f05cc456dd3f6774b5fbff0c94cc19ddac6e1c67f5f63

SHA512
835ca16afa7e294ad8ccfe949f4715b710657b965496f33e4be864ae41110bf7e3a8efd9e80c81edc12601fe9dea3b8b727eec5c7b25bfc71381f602a79473c8

Download Submit
C:\Windows\System\BuHmMNp.exe

Filesize
5.2MB

MD5
3da81eab4b7ce30ea282495b35dbc259

SHA1
5b517f914e2ff6276153b573c9940ae52e253712

SHA256
56884df122495d5794c0df2338a0df8257c7be1771c755011477c4f633e72698

SHA512
8be6d2fa171102aca64a03802a4e9994f3ddf5aac3855a66e22b7d60ea844af63be43c5f13ee0b349679a94f7bccf866e26ff4455cabb2ef4e0005eda9d50b58

Download Submit
C:\Windows\System\CZsutTy.exe

Filesize
5.2MB

MD5
9860ba8a5befd35598667c9bee2d61e6

SHA1
a3675503ac0ae8f3bdc6efc12b1caaea3ec5ac72

SHA256
efd49b73a741fd755e42c668edb0d0287672c06fc1108c6b054bfbbe1e9cfe10

SHA512
ae35ee1029bae1cb2cdaed90c26635e6764a9894d47389bcc00fd4e415d0b61b6b9c3e36d3c817c389c7bc9a2a869f7ebc1f27ae7939d5ad692c63773471c3b0

Download Submit
C:\Windows\System\DfKRleR.exe

Filesize
5.2MB

MD5
33123b8ef9596a1a4f39183ba3207488

SHA1
106d5d80334abe65d5ad2dc1d318021c845f0127

SHA256
ebbf715d60a872d3842fd8c2bdfd45ffcd6e0f99fdb7ed4e1bb365933246b8a6

SHA512
a86b1e65e94956eca3f1c154c82b2fe3f45d178d1bae62844166b1bfe6ce769e6449fc0226447bc8385f59c41845a9b9e5dacc1cfba3197a5937524972cdc855

Download Submit
C:\Windows\System\FFGoXBY.exe

Filesize
5.2MB

MD5
999fadff74e9494a6e5d902a5ee024b1

SHA1
677f6568c042584e752c83273f69c374a9d7a81d

SHA256
c60d91d780501b578c3f66e4bef53456de23bd449f95b4daa1ef1d3743e90fff

SHA512
8d57378b618f93b9cd78396e0b1fa65128d84aedb2bfbcc1b446aba8df9086225660f9e68e32bed80f1da6b6cbb7754618787744ba2cb99697b93d86a83cf644

Download Submit
C:\Windows\System\FUydWDO.exe

Filesize
5.2MB

MD5
621604e501e3eb5ad6668816bcd69bac

SHA1
29c16d8a9cec4a20444f8c22c1b8348d594756a2

SHA256
ae0ff49f0d6e07a0b56994f632d418d21442f226a79bfadae0c99c3ddc304712

SHA512
2cad08329e0020fa2c79359d9a7707fa13e714500af9f3104c52b423f7b25e3567190234071026fe786bdf324816c021786b4f552c77c0831c844f0eb89545dd

Download Submit
C:\Windows\System\MACHqfg.exe

Filesize
5.2MB

MD5
4146d1214f2c248923923593891dc495

SHA1
f684980d8905933623ced78702d925f4ff0bbbe0

SHA256
84d44c5c67629c01b91563abd04641cee2df283cb541e26cb34ae1b82c4ae9a6

SHA512
884a2e218abc6ba45feddba891d48dd5305b756f38c0453c0ac7871e3ab5e0e171e40edb26641964d705355a39e64c24807ca2048f228aacb208e8e18bb41f15

Download Submit
C:\Windows\System\OKEeiab.exe

Filesize
5.2MB

MD5
6010786be04c3dc3e97d4300780f5e34

SHA1
53758296c1774471faca559874ea8b61ec229fec

SHA256
281b79e78861194cb821127623d904ca00d2b682106533aafead4a1d3c5a6fab

SHA512
0aeac3299ad958175273e39a72d9a084ebf2f668707970b9136501aa2c8c78191ecfb83604b6b99fc9539c7e900e83dfc875156a53a354866d999255eadfbc9b

Download Submit
C:\Windows\System\QJZlCKL.exe

Filesize
5.2MB

MD5
55d9ecf6003ed50cf22fb3bd8977fc98

SHA1
81208a40dc28c4c24b914a6db9102def75694f65

SHA256
b8210ca6d1ceeee28f75b05a8d444c3407bd2346630b965ad6922733040fd9e7

SHA512
32d679aed417b231b4c72f83f089a7e2d17e0c444b8924a129b26bcd040ad601f55883fdf52bc726ba7c9c805ffc0596fdeb7ae25bf7ef8b8ec9f7e96e3ce448

Download Submit
C:\Windows\System\TDgcYAG.exe

Filesize
5.2MB

MD5
a1c1ce00aeaad1b93bf17e46fba35461

SHA1
7107e4ccc50bf61a47bfac5b51051905c6adca36

SHA256
c1e293859ca91acb6b6223e53ebdfe327616f720ee6fdc44d98c2a0459423de3

SHA512
09f37e330f003e3772d585e5753baee3d65f4f1ef7793aad9b9105750e633134db289c8e0c2039a9a2e59a255574cf3a7d6ddc83217f674179232b3284fc8d49

Download Submit
C:\Windows\System\VbyPsFl.exe

Filesize
5.2MB

MD5
d3299f16541623d370ca3da8b33bea8e

SHA1
1abf5648efe85e151583b69295d4c59ed23dd11a

SHA256
11427a3b42751a81cfd9726f5a7840b4e33b85320c24f1eacb1b011109c5546c

SHA512
d2a4ce5cb9b998ef85266a1300d524c030497966563ee282abb738f74f7baebb9fd0af8ab68b00842e0b0eca0ca89f8000ecc5a7b38f151322dfaf572733f9d5

Download Submit
C:\Windows\System\XwHsMTq.exe

Filesize
5.2MB

MD5
4a4979ab82c58fc3e31d2aba391bf936

SHA1
d5fa2fc8a6c3957af3f5cb76c8dce6440f4cdbee

SHA256
2944254126b9f1e62e7f19d3aeb99cf175cf99e7a91aa93af26713da91deb292

SHA512
06fbbd57993e78c73b416712cb1795c42e7a5858d49834bef6fc057939e0526036a3912c16772510e4bf3668c0c16bb66261b498a3e73ed1e2c1b358ada3df97

Download Submit
C:\Windows\System\YIdUwhU.exe

Filesize
5.2MB

MD5
e9bd1309e394364a8cdf669c4f04543f

SHA1
59146fc902cc7326f5e81ae7e68b8ba3663dc4b9

SHA256
c969dc871080a60b9d703a642f6c4bff313c9c638c22aa7e1cd6ad1b98b94665

SHA512
917ba22e5aa16581656f34cb7ae872225a9c86e873a2375d5a2abf99db04ce3ef3888bef23605d18c3a0aacaef0aa3215acdfe4f62890297614ec0c3bdb95fc7

Download Submit
C:\Windows\System\ZpTyRLU.exe

Filesize
5.2MB

MD5
04c9193cd49838d26e7476a8a5f071f7

SHA1
e95c3efd9578cdc0317d7e10ad183fa70ea7769c

SHA256
082a11821495eb4a5cf8a20a1e8ecad2c2bcf8d35578089c870621430cf34189

SHA512
be1e67e5ff42d2fbe0e6138d934353ba6fd0bb41a2308bd9916384fb9ef41ea8cab83434996d030027aa6ea17c433bc3f8476d2b964714ef79f79abc32f600dd

Download Submit
C:\Windows\System\aYaxmWW.exe

Filesize
5.2MB

MD5
eb3bd4d64e209cf8f8f3eef35b403dc3

SHA1
38da27e3ff6e0fec6ab5da02c31cf093b40d44ad

SHA256
94682cf77d1a265419c1655f08d112d1f250433b251c00756773522a55b0bce0

SHA512
7d86a23f31a6aacba5b880d5bb257054a1c3bf7e92b2842cb95a838a6b653a3b659ed09a6f3510c0ca004ae9ea40b960cfda6bc104e8c5eee7b655b07fb8bfa9

Download Submit
C:\Windows\System\hMYdrXe.exe

Filesize
5.2MB

MD5
604ac2302596d67b5e2a54852337e4a1

SHA1
12c0919ae45205f668fe78dab7643779ef8c0c1a

SHA256
b9a751dec87df26c4a2030a97d9caad0d07ca6c5312dcac07147cff54e0e193f

SHA512
fbd36376cb65189161338aa9d9caefdc7e0b60d3a958133e8c9fcab614538b7614028af7d4852ffcc15edee9c3c98731e5b5e8537914097b1a2e56e0c3f97c94

Download Submit
C:\Windows\System\jUEfTHi.exe

Filesize
5.2MB

MD5
d2a4b5873d59f25815b4f236260d804e

SHA1
d7a8947b064d9269294a961ae6415f5be0919c6f

SHA256
0b02f515a9473b4351b7db3b8ed91435737931976709799cb71cdb7eec4a94b5

SHA512
7a04bc339e3b0ff116fdfb01e51ff0fa5a223c5f56b9c196d486de2c523ca70cfed87d5454eddd13b21842ad1c4f6a5f0ef45e1803829d1c13e9ff0cc88ad501

Download Submit
C:\Windows\System\plQApWt.exe

Filesize
5.2MB

MD5
7773583b70705932eb49abc6fd5f0ae8

SHA1
04bbd5d7a1bc55ea56e74ee2bea51041366fa963

SHA256
ec48b472502006d467197560d65fa54075a03b7dddd4ac0662291a75f760d69d

SHA512
90175ae862c69f1c4831e22709f09b6c9398de736f710d7377a00e0acb8de3505063d9fd53ce40908c2782d09f3755cd64653f383a4fc1372f4d8fb6ac5979d1

Download Submit
C:\Windows\System\sxNkNJU.exe

Filesize
5.2MB

MD5
251ff96e7648c335d00874561ca95734

SHA1
6c6c1ed158af5baefff05db6b3437c1c985aff99

SHA256
2f0291f7e356b1a0f1defabf278cd0241035f7437e44d41617021dc13857efc0

SHA512
8cfd4c50dc53cfd01cd6003bf334e4327b11a5b6d9e56f4653147bd248bbad6ec42909ba551c9688b64b78ca13cee5817fd9fb13625b1784ceed808abe653ccf

Download Submit
C:\Windows\System\tgKzTYb.exe

Filesize
5.2MB

MD5
7a3a0b0a70be65ff4157cda241a7ba32

SHA1
cbc6e13e1b4776c82a62357b4a42e67f10206ec3

SHA256
414ef8fa2f9b837ecdd2b56c2b932bafd67ec6d267609650a35955ef0e134094

SHA512
62ec35b167c8b0cfccf05d97ac6a2d70edef3e412935a141163897a4ff7f97ea205b058ea6c16c30bcda46b961b120bfb4d2a25af2ea87957f6c7f2c8fc76681

Download Submit
C:\Windows\System\wbjTffe.exe

Filesize
5.2MB

MD5
7ec6fb63e5cd2891980987aa1eb20794

SHA1
9280d32d511f2975c3b8dd93d28a106eb59bb63e

SHA256
7e20198551bc28089fbe27751ed7e3c63066c624125a0fa7f0576e4a47dcb25a

SHA512
4aa2519e8001f3740d808404275cbbdbd8ee24a7f93980f8eba2c8ebad8630751a5e27af3db86e040b0bc0f4f728c567b56995a0301ed04f08d98647e139be2e

Download Submit
memory/220-133-0x00007FF76B0C0000-0x00007FF76B411000-memory.dmp

Filesize
3.3MB

Download
memory/220-162-0x00007FF76B0C0000-0x00007FF76B411000-memory.dmp

Filesize
3.3MB

Download
memory/220-271-0x00007FF76B0C0000-0x00007FF76B411000-memory.dmp

Filesize
3.3MB

Download
memory/1116-64-0x00007FF7AE040000-0x00007FF7AE391000-memory.dmp

Filesize
3.3MB

Download
memory/1116-243-0x00007FF7AE040000-0x00007FF7AE391000-memory.dmp

Filesize
3.3MB

Download
memory/1116-145-0x00007FF7AE040000-0x00007FF7AE391000-memory.dmp

Filesize
3.3MB

Download
memory/1424-245-0x00007FF627300000-0x00007FF627651000-memory.dmp

Filesize
3.3MB

Download
memory/1424-71-0x00007FF627300000-0x00007FF627651000-memory.dmp

Filesize
3.3MB

Download
memory/1500-128-0x00007FF68E2B0000-0x00007FF68E601000-memory.dmp

Filesize
3.3MB

Download
memory/1500-269-0x00007FF68E2B0000-0x00007FF68E601000-memory.dmp

Filesize
3.3MB

Download
memory/1500-161-0x00007FF68E2B0000-0x00007FF68E601000-memory.dmp

Filesize
3.3MB

Download
memory/1760-214-0x00007FF7E0A60000-0x00007FF7E0DB1000-memory.dmp

Filesize
3.3MB

Download
memory/1760-9-0x00007FF7E0A60000-0x00007FF7E0DB1000-memory.dmp

Filesize
3.3MB

Download
memory/1760-54-0x00007FF7E0A60000-0x00007FF7E0DB1000-memory.dmp

Filesize
3.3MB

Download
memory/1848-150-0x00007FF680C30000-0x00007FF680F81000-memory.dmp

Filesize
3.3MB

Download
memory/1848-247-0x00007FF680C30000-0x00007FF680F81000-memory.dmp

Filesize
3.3MB

Download
memory/1848-77-0x00007FF680C30000-0x00007FF680F81000-memory.dmp

Filesize
3.3MB

Download
memory/1968-118-0x00007FF615270000-0x00007FF6155C1000-memory.dmp

Filesize
3.3MB

Download
memory/1968-163-0x00007FF615270000-0x00007FF6155C1000-memory.dmp

Filesize
3.3MB

Download
memory/1968-265-0x00007FF615270000-0x00007FF6155C1000-memory.dmp

Filesize
3.3MB

Download
memory/1972-267-0x00007FF794CC0000-0x00007FF795011000-memory.dmp

Filesize
3.3MB

Download
memory/1972-160-0x00007FF794CC0000-0x00007FF795011000-memory.dmp

Filesize
3.3MB

Download
memory/1972-120-0x00007FF794CC0000-0x00007FF795011000-memory.dmp

Filesize
3.3MB

Download
memory/2128-151-0x00007FF6A1A20000-0x00007FF6A1D71000-memory.dmp

Filesize
3.3MB

Download
memory/2128-107-0x00007FF6A1A20000-0x00007FF6A1D71000-memory.dmp

Filesize
3.3MB

Download
memory/2128-249-0x00007FF6A1A20000-0x00007FF6A1D71000-memory.dmp

Filesize
3.3MB

Download
memory/2276-114-0x00007FF66AA90000-0x00007FF66ADE1000-memory.dmp

Filesize
3.3MB

Download
memory/2276-258-0x00007FF66AA90000-0x00007FF66ADE1000-memory.dmp

Filesize
3.3MB

Download
memory/2304-18-0x00007FF647ED0000-0x00007FF648221000-memory.dmp

Filesize
3.3MB

Download
memory/2304-220-0x00007FF647ED0000-0x00007FF648221000-memory.dmp

Filesize
3.3MB

Download
memory/2304-76-0x00007FF647ED0000-0x00007FF648221000-memory.dmp

Filesize
3.3MB

Download
memory/2808-164-0x00007FF6B9AD0000-0x00007FF6B9E21000-memory.dmp

Filesize
3.3MB

Download
memory/2808-0-0x00007FF6B9AD0000-0x00007FF6B9E21000-memory.dmp

Filesize
3.3MB

Download
memory/2808-1-0x000001EC24E00000-0x000001EC24E10000-memory.dmp

Filesize
64KB

Download
memory/2808-136-0x00007FF6B9AD0000-0x00007FF6B9E21000-memory.dmp

Filesize
3.3MB

Download
memory/2808-53-0x00007FF6B9AD0000-0x00007FF6B9E21000-memory.dmp

Filesize
3.3MB

Download
memory/2968-224-0x00007FF720F50000-0x00007FF7212A1000-memory.dmp

Filesize
3.3MB

Download
memory/2968-24-0x00007FF720F50000-0x00007FF7212A1000-memory.dmp

Filesize
3.3MB

Download
memory/2968-84-0x00007FF720F50000-0x00007FF7212A1000-memory.dmp

Filesize
3.3MB

Download
memory/2984-234-0x00007FF79F940000-0x00007FF79FC91000-memory.dmp

Filesize
3.3MB

Download
memory/2984-55-0x00007FF79F940000-0x00007FF79FC91000-memory.dmp

Filesize
3.3MB

Download
memory/2984-144-0x00007FF79F940000-0x00007FF79FC91000-memory.dmp

Filesize
3.3MB

Download
memory/3044-42-0x00007FF62B1F0000-0x00007FF62B541000-memory.dmp

Filesize
3.3MB

Download
memory/3044-132-0x00007FF62B1F0000-0x00007FF62B541000-memory.dmp

Filesize
3.3MB

Download
memory/3044-232-0x00007FF62B1F0000-0x00007FF62B541000-memory.dmp

Filesize
3.3MB

Download
memory/3128-222-0x00007FF6A6F30000-0x00007FF6A7281000-memory.dmp

Filesize
3.3MB

Download
memory/3128-29-0x00007FF6A6F30000-0x00007FF6A7281000-memory.dmp

Filesize
3.3MB

Download
memory/3128-113-0x00007FF6A6F30000-0x00007FF6A7281000-memory.dmp

Filesize
3.3MB

Download
memory/4004-262-0x00007FF6FBBB0000-0x00007FF6FBF01000-memory.dmp

Filesize
3.3MB

Download
memory/4004-111-0x00007FF6FBBB0000-0x00007FF6FBF01000-memory.dmp

Filesize
3.3MB

Download
memory/4160-126-0x00007FF743810000-0x00007FF743B61000-memory.dmp

Filesize
3.3MB

Download
memory/4160-230-0x00007FF743810000-0x00007FF743B61000-memory.dmp

Filesize
3.3MB

Download
memory/4160-36-0x00007FF743810000-0x00007FF743B61000-memory.dmp

Filesize
3.3MB

Download
memory/4512-140-0x00007FF7F83D0000-0x00007FF7F8721000-memory.dmp

Filesize
3.3MB

Download
memory/4512-236-0x00007FF7F83D0000-0x00007FF7F8721000-memory.dmp

Filesize
3.3MB

Download
memory/4512-48-0x00007FF7F83D0000-0x00007FF7F8721000-memory.dmp

Filesize
3.3MB

Download
memory/4524-259-0x00007FF7A8C70000-0x00007FF7A8FC1000-memory.dmp

Filesize
3.3MB

Download
memory/4524-108-0x00007FF7A8C70000-0x00007FF7A8FC1000-memory.dmp

Filesize
3.3MB

Download
memory/4760-68-0x00007FF772EB0000-0x00007FF773201000-memory.dmp

Filesize
3.3MB

Download
memory/4760-216-0x00007FF772EB0000-0x00007FF773201000-memory.dmp

Filesize
3.3MB

Download
memory/4760-12-0x00007FF772EB0000-0x00007FF773201000-memory.dmp

Filesize
3.3MB

Download
memory/4816-263-0x00007FF762C10000-0x00007FF762F61000-memory.dmp

Filesize
3.3MB

Download
memory/4816-110-0x00007FF762C10000-0x00007FF762F61000-memory.dmp

Filesize
3.3MB

Download