cobaltstrike | c22f7e444297c0bba817aa59470acefe8f2e23580ad738d1f7b264d8222c7670

Analysis

max time kernel
140s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19/12/2024, 04:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-19_c96f1fab16ad6195c61814e86f7ac0c1_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

c96f1fab16ad6195c61814e86f7ac0c1
SHA1

8f0d677b8cf206d78bc0f1c29573279e711829ea
SHA256

c22f7e444297c0bba817aa59470acefe8f2e23580ad738d1f7b264d8222c7670
SHA512

52ea5d2a66389bc1b5c4e033a1892d12a7e07275ca91a61467cec0d7ee09ebe7a3e1781a931a18e41cf4a5cf61d2830405d00569a65dfd4664e7026755d91541
SSDEEP

49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lo:RWWBibd56utgpPFotBER/mQ32lU0

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000b000000023b69-4.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b6d-12.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b6e-11.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b6f-22.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b70-29.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b71-34.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b6a-41.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b72-46.dat	cobalt_reflective_dll
behavioral2/files/0x0031000000023b73-52.dat	cobalt_reflective_dll
behavioral2/files/0x0031000000023b74-60.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b76-73.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b77-80.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b78-84.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b79-79.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7b-99.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7c-109.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7a-94.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7d-121.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7f-131.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b80-130.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7e-125.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 46 IoCs

miner

resource	yara_rule
behavioral2/memory/1288-56-0x00007FF6535A0000-0x00007FF6538F1000-memory.dmp	xmrig
behavioral2/memory/4780-81-0x00007FF793060000-0x00007FF7933B1000-memory.dmp	xmrig
behavioral2/memory/3204-90-0x00007FF7F0E80000-0x00007FF7F11D1000-memory.dmp	xmrig
behavioral2/memory/3748-89-0x00007FF740CB0000-0x00007FF741001000-memory.dmp	xmrig
behavioral2/memory/952-88-0x00007FF777470000-0x00007FF7777C1000-memory.dmp	xmrig
behavioral2/memory/4976-75-0x00007FF6759D0000-0x00007FF675D21000-memory.dmp	xmrig
behavioral2/memory/696-61-0x00007FF730AC0000-0x00007FF730E11000-memory.dmp	xmrig
behavioral2/memory/2956-97-0x00007FF688AF0000-0x00007FF688E41000-memory.dmp	xmrig
behavioral2/memory/4484-95-0x00007FF6B9AA0000-0x00007FF6B9DF1000-memory.dmp	xmrig
behavioral2/memory/4068-107-0x00007FF7F5AD0000-0x00007FF7F5E21000-memory.dmp	xmrig
behavioral2/memory/4904-102-0x00007FF7E48D0000-0x00007FF7E4C21000-memory.dmp	xmrig
behavioral2/memory/1604-112-0x00007FF6F7FF0000-0x00007FF6F8341000-memory.dmp	xmrig
behavioral2/memory/560-116-0x00007FF6C8410000-0x00007FF6C8761000-memory.dmp	xmrig
behavioral2/memory/3660-122-0x00007FF7B1F50000-0x00007FF7B22A1000-memory.dmp	xmrig
behavioral2/memory/1260-138-0x00007FF7D9190000-0x00007FF7D94E1000-memory.dmp	xmrig
behavioral2/memory/2160-135-0x00007FF6C02E0000-0x00007FF6C0631000-memory.dmp	xmrig
behavioral2/memory/1196-139-0x00007FF6DB280000-0x00007FF6DB5D1000-memory.dmp	xmrig
behavioral2/memory/2956-140-0x00007FF688AF0000-0x00007FF688E41000-memory.dmp	xmrig
behavioral2/memory/3032-144-0x00007FF648930000-0x00007FF648C81000-memory.dmp	xmrig
behavioral2/memory/1288-141-0x00007FF6535A0000-0x00007FF6538F1000-memory.dmp	xmrig
behavioral2/memory/3720-152-0x00007FF7DD8C0000-0x00007FF7DDC11000-memory.dmp	xmrig
behavioral2/memory/1400-159-0x00007FF6CF110000-0x00007FF6CF461000-memory.dmp	xmrig
behavioral2/memory/3524-163-0x00007FF741BD0000-0x00007FF741F21000-memory.dmp	xmrig
behavioral2/memory/3628-162-0x00007FF7ADD20000-0x00007FF7AE071000-memory.dmp	xmrig
behavioral2/memory/1288-168-0x00007FF6535A0000-0x00007FF6538F1000-memory.dmp	xmrig
behavioral2/memory/696-220-0x00007FF730AC0000-0x00007FF730E11000-memory.dmp	xmrig
behavioral2/memory/4976-222-0x00007FF6759D0000-0x00007FF675D21000-memory.dmp	xmrig
behavioral2/memory/3748-224-0x00007FF740CB0000-0x00007FF741001000-memory.dmp	xmrig
behavioral2/memory/4484-226-0x00007FF6B9AA0000-0x00007FF6B9DF1000-memory.dmp	xmrig
behavioral2/memory/4904-231-0x00007FF7E48D0000-0x00007FF7E4C21000-memory.dmp	xmrig
behavioral2/memory/4068-233-0x00007FF7F5AD0000-0x00007FF7F5E21000-memory.dmp	xmrig
behavioral2/memory/1604-235-0x00007FF6F7FF0000-0x00007FF6F8341000-memory.dmp	xmrig
behavioral2/memory/560-237-0x00007FF6C8410000-0x00007FF6C8761000-memory.dmp	xmrig
behavioral2/memory/3660-239-0x00007FF7B1F50000-0x00007FF7B22A1000-memory.dmp	xmrig
behavioral2/memory/2160-247-0x00007FF6C02E0000-0x00007FF6C0631000-memory.dmp	xmrig
behavioral2/memory/4780-249-0x00007FF793060000-0x00007FF7933B1000-memory.dmp	xmrig
behavioral2/memory/952-252-0x00007FF777470000-0x00007FF7777C1000-memory.dmp	xmrig
behavioral2/memory/1196-255-0x00007FF6DB280000-0x00007FF6DB5D1000-memory.dmp	xmrig
behavioral2/memory/3204-254-0x00007FF7F0E80000-0x00007FF7F11D1000-memory.dmp	xmrig
behavioral2/memory/2956-259-0x00007FF688AF0000-0x00007FF688E41000-memory.dmp	xmrig
behavioral2/memory/3032-261-0x00007FF648930000-0x00007FF648C81000-memory.dmp	xmrig
behavioral2/memory/3720-263-0x00007FF7DD8C0000-0x00007FF7DDC11000-memory.dmp	xmrig
behavioral2/memory/1400-269-0x00007FF6CF110000-0x00007FF6CF461000-memory.dmp	xmrig
behavioral2/memory/3628-271-0x00007FF7ADD20000-0x00007FF7AE071000-memory.dmp	xmrig
behavioral2/memory/3524-273-0x00007FF741BD0000-0x00007FF741F21000-memory.dmp	xmrig
behavioral2/memory/1260-275-0x00007FF7D9190000-0x00007FF7D94E1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
696	hbxizNc.exe
4976	qIUzDyO.exe
3748	qZhTclX.exe
4484	xUameKy.exe
4904	iNgaMvv.exe
4068	MomdZRR.exe
1604	MCVFjJd.exe
560	ZpjyWtB.exe
3660	OIvbHDZ.exe
2160	FRvrqJo.exe
4780	VHcEEbM.exe
952	VeJOCzz.exe
3204	ZQKEZlD.exe
1196	wDqAKLb.exe
2956	rYmLAYk.exe
3032	WOWrHzW.exe
3720	BxojUIK.exe
1400	qsfZOIB.exe
3628	EarXjVm.exe
3524	ACRNfqf.exe
1260	JWRgnps.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1288-0-0x00007FF6535A0000-0x00007FF6538F1000-memory.dmp	upx
behavioral2/files/0x000b000000023b69-4.dat	upx
behavioral2/memory/696-7-0x00007FF730AC0000-0x00007FF730E11000-memory.dmp	upx
behavioral2/files/0x000a000000023b6d-12.dat	upx
behavioral2/memory/4976-13-0x00007FF6759D0000-0x00007FF675D21000-memory.dmp	upx
behavioral2/files/0x000a000000023b6e-11.dat	upx
behavioral2/memory/3748-20-0x00007FF740CB0000-0x00007FF741001000-memory.dmp	upx
behavioral2/files/0x000a000000023b6f-22.dat	upx
behavioral2/memory/4484-27-0x00007FF6B9AA0000-0x00007FF6B9DF1000-memory.dmp	upx
behavioral2/files/0x000a000000023b70-29.dat	upx
behavioral2/memory/4904-31-0x00007FF7E48D0000-0x00007FF7E4C21000-memory.dmp	upx
behavioral2/files/0x000a000000023b71-34.dat	upx
behavioral2/files/0x000b000000023b6a-41.dat	upx
behavioral2/memory/1604-43-0x00007FF6F7FF0000-0x00007FF6F8341000-memory.dmp	upx
behavioral2/files/0x000a000000023b72-46.dat	upx
behavioral2/memory/560-47-0x00007FF6C8410000-0x00007FF6C8761000-memory.dmp	upx
behavioral2/memory/4068-38-0x00007FF7F5AD0000-0x00007FF7F5E21000-memory.dmp	upx
behavioral2/files/0x0031000000023b73-52.dat	upx
behavioral2/memory/3660-53-0x00007FF7B1F50000-0x00007FF7B22A1000-memory.dmp	upx
behavioral2/memory/1288-56-0x00007FF6535A0000-0x00007FF6538F1000-memory.dmp	upx
behavioral2/files/0x0031000000023b74-60.dat	upx
behavioral2/memory/2160-62-0x00007FF6C02E0000-0x00007FF6C0631000-memory.dmp	upx
behavioral2/files/0x000a000000023b76-73.dat	upx
behavioral2/files/0x000a000000023b77-80.dat	upx
behavioral2/memory/4780-81-0x00007FF793060000-0x00007FF7933B1000-memory.dmp	upx
behavioral2/memory/1196-87-0x00007FF6DB280000-0x00007FF6DB5D1000-memory.dmp	upx
behavioral2/memory/3204-90-0x00007FF7F0E80000-0x00007FF7F11D1000-memory.dmp	upx
behavioral2/memory/3748-89-0x00007FF740CB0000-0x00007FF741001000-memory.dmp	upx
behavioral2/memory/952-88-0x00007FF777470000-0x00007FF7777C1000-memory.dmp	upx
behavioral2/files/0x000a000000023b78-84.dat	upx
behavioral2/files/0x000a000000023b79-79.dat	upx
behavioral2/memory/4976-75-0x00007FF6759D0000-0x00007FF675D21000-memory.dmp	upx
behavioral2/memory/696-61-0x00007FF730AC0000-0x00007FF730E11000-memory.dmp	upx
behavioral2/memory/2956-97-0x00007FF688AF0000-0x00007FF688E41000-memory.dmp	upx
behavioral2/memory/4484-95-0x00007FF6B9AA0000-0x00007FF6B9DF1000-memory.dmp	upx
behavioral2/files/0x000a000000023b7b-99.dat	upx
behavioral2/memory/3032-103-0x00007FF648930000-0x00007FF648C81000-memory.dmp	upx
behavioral2/files/0x000a000000023b7c-109.dat	upx
behavioral2/memory/3720-108-0x00007FF7DD8C0000-0x00007FF7DDC11000-memory.dmp	upx
behavioral2/memory/4068-107-0x00007FF7F5AD0000-0x00007FF7F5E21000-memory.dmp	upx
behavioral2/memory/4904-102-0x00007FF7E48D0000-0x00007FF7E4C21000-memory.dmp	upx
behavioral2/files/0x000a000000023b7a-94.dat	upx
behavioral2/memory/1604-112-0x00007FF6F7FF0000-0x00007FF6F8341000-memory.dmp	upx
behavioral2/memory/560-116-0x00007FF6C8410000-0x00007FF6C8761000-memory.dmp	upx
behavioral2/files/0x000a000000023b7d-121.dat	upx
behavioral2/files/0x000a000000023b7f-131.dat	upx
behavioral2/files/0x000a000000023b80-130.dat	upx
behavioral2/memory/3628-127-0x00007FF7ADD20000-0x00007FF7AE071000-memory.dmp	upx
behavioral2/files/0x000a000000023b7e-125.dat	upx
behavioral2/memory/3660-122-0x00007FF7B1F50000-0x00007FF7B22A1000-memory.dmp	upx
behavioral2/memory/1400-117-0x00007FF6CF110000-0x00007FF6CF461000-memory.dmp	upx
behavioral2/memory/1260-138-0x00007FF7D9190000-0x00007FF7D94E1000-memory.dmp	upx
behavioral2/memory/2160-135-0x00007FF6C02E0000-0x00007FF6C0631000-memory.dmp	upx
behavioral2/memory/3524-133-0x00007FF741BD0000-0x00007FF741F21000-memory.dmp	upx
behavioral2/memory/1196-139-0x00007FF6DB280000-0x00007FF6DB5D1000-memory.dmp	upx
behavioral2/memory/2956-140-0x00007FF688AF0000-0x00007FF688E41000-memory.dmp	upx
behavioral2/memory/3032-144-0x00007FF648930000-0x00007FF648C81000-memory.dmp	upx
behavioral2/memory/1288-141-0x00007FF6535A0000-0x00007FF6538F1000-memory.dmp	upx
behavioral2/memory/3720-152-0x00007FF7DD8C0000-0x00007FF7DDC11000-memory.dmp	upx
behavioral2/memory/1400-159-0x00007FF6CF110000-0x00007FF6CF461000-memory.dmp	upx
behavioral2/memory/3524-163-0x00007FF741BD0000-0x00007FF741F21000-memory.dmp	upx
behavioral2/memory/3628-162-0x00007FF7ADD20000-0x00007FF7AE071000-memory.dmp	upx
behavioral2/memory/1288-168-0x00007FF6535A0000-0x00007FF6538F1000-memory.dmp	upx
behavioral2/memory/696-220-0x00007FF730AC0000-0x00007FF730E11000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\qZhTclX.exe	2024-12-19_c96f1fab16ad6195c61814e86f7ac0c1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xUameKy.exe	2024-12-19_c96f1fab16ad6195c61814e86f7ac0c1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MCVFjJd.exe	2024-12-19_c96f1fab16ad6195c61814e86f7ac0c1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OIvbHDZ.exe	2024-12-19_c96f1fab16ad6195c61814e86f7ac0c1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VHcEEbM.exe	2024-12-19_c96f1fab16ad6195c61814e86f7ac0c1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rYmLAYk.exe	2024-12-19_c96f1fab16ad6195c61814e86f7ac0c1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EarXjVm.exe	2024-12-19_c96f1fab16ad6195c61814e86f7ac0c1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ACRNfqf.exe	2024-12-19_c96f1fab16ad6195c61814e86f7ac0c1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZpjyWtB.exe	2024-12-19_c96f1fab16ad6195c61814e86f7ac0c1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WOWrHzW.exe	2024-12-19_c96f1fab16ad6195c61814e86f7ac0c1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BxojUIK.exe	2024-12-19_c96f1fab16ad6195c61814e86f7ac0c1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hbxizNc.exe	2024-12-19_c96f1fab16ad6195c61814e86f7ac0c1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iNgaMvv.exe	2024-12-19_c96f1fab16ad6195c61814e86f7ac0c1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MomdZRR.exe	2024-12-19_c96f1fab16ad6195c61814e86f7ac0c1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wDqAKLb.exe	2024-12-19_c96f1fab16ad6195c61814e86f7ac0c1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qIUzDyO.exe	2024-12-19_c96f1fab16ad6195c61814e86f7ac0c1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FRvrqJo.exe	2024-12-19_c96f1fab16ad6195c61814e86f7ac0c1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VeJOCzz.exe	2024-12-19_c96f1fab16ad6195c61814e86f7ac0c1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZQKEZlD.exe	2024-12-19_c96f1fab16ad6195c61814e86f7ac0c1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qsfZOIB.exe	2024-12-19_c96f1fab16ad6195c61814e86f7ac0c1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JWRgnps.exe	2024-12-19_c96f1fab16ad6195c61814e86f7ac0c1_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1288	2024-12-19_c96f1fab16ad6195c61814e86f7ac0c1_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	1288	2024-12-19_c96f1fab16ad6195c61814e86f7ac0c1_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1288 wrote to memory of 696	1288	2024-12-19_c96f1fab16ad6195c61814e86f7ac0c1_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 1288 wrote to memory of 696	1288	2024-12-19_c96f1fab16ad6195c61814e86f7ac0c1_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 1288 wrote to memory of 4976	1288	2024-12-19_c96f1fab16ad6195c61814e86f7ac0c1_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 1288 wrote to memory of 4976	1288	2024-12-19_c96f1fab16ad6195c61814e86f7ac0c1_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 1288 wrote to memory of 3748	1288	2024-12-19_c96f1fab16ad6195c61814e86f7ac0c1_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 1288 wrote to memory of 3748	1288	2024-12-19_c96f1fab16ad6195c61814e86f7ac0c1_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 1288 wrote to memory of 4484	1288	2024-12-19_c96f1fab16ad6195c61814e86f7ac0c1_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 1288 wrote to memory of 4484	1288	2024-12-19_c96f1fab16ad6195c61814e86f7ac0c1_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 1288 wrote to memory of 4904	1288	2024-12-19_c96f1fab16ad6195c61814e86f7ac0c1_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 1288 wrote to memory of 4904	1288	2024-12-19_c96f1fab16ad6195c61814e86f7ac0c1_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 1288 wrote to memory of 4068	1288	2024-12-19_c96f1fab16ad6195c61814e86f7ac0c1_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 1288 wrote to memory of 4068	1288	2024-12-19_c96f1fab16ad6195c61814e86f7ac0c1_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 1288 wrote to memory of 1604	1288	2024-12-19_c96f1fab16ad6195c61814e86f7ac0c1_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 1288 wrote to memory of 1604	1288	2024-12-19_c96f1fab16ad6195c61814e86f7ac0c1_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 1288 wrote to memory of 560	1288	2024-12-19_c96f1fab16ad6195c61814e86f7ac0c1_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1288 wrote to memory of 560	1288	2024-12-19_c96f1fab16ad6195c61814e86f7ac0c1_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1288 wrote to memory of 3660	1288	2024-12-19_c96f1fab16ad6195c61814e86f7ac0c1_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1288 wrote to memory of 3660	1288	2024-12-19_c96f1fab16ad6195c61814e86f7ac0c1_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1288 wrote to memory of 2160	1288	2024-12-19_c96f1fab16ad6195c61814e86f7ac0c1_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1288 wrote to memory of 2160	1288	2024-12-19_c96f1fab16ad6195c61814e86f7ac0c1_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1288 wrote to memory of 4780	1288	2024-12-19_c96f1fab16ad6195c61814e86f7ac0c1_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1288 wrote to memory of 4780	1288	2024-12-19_c96f1fab16ad6195c61814e86f7ac0c1_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1288 wrote to memory of 952	1288	2024-12-19_c96f1fab16ad6195c61814e86f7ac0c1_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 1288 wrote to memory of 952	1288	2024-12-19_c96f1fab16ad6195c61814e86f7ac0c1_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 1288 wrote to memory of 3204	1288	2024-12-19_c96f1fab16ad6195c61814e86f7ac0c1_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1288 wrote to memory of 3204	1288	2024-12-19_c96f1fab16ad6195c61814e86f7ac0c1_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1288 wrote to memory of 1196	1288	2024-12-19_c96f1fab16ad6195c61814e86f7ac0c1_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1288 wrote to memory of 1196	1288	2024-12-19_c96f1fab16ad6195c61814e86f7ac0c1_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1288 wrote to memory of 2956	1288	2024-12-19_c96f1fab16ad6195c61814e86f7ac0c1_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 1288 wrote to memory of 2956	1288	2024-12-19_c96f1fab16ad6195c61814e86f7ac0c1_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 1288 wrote to memory of 3032	1288	2024-12-19_c96f1fab16ad6195c61814e86f7ac0c1_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1288 wrote to memory of 3032	1288	2024-12-19_c96f1fab16ad6195c61814e86f7ac0c1_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1288 wrote to memory of 3720	1288	2024-12-19_c96f1fab16ad6195c61814e86f7ac0c1_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1288 wrote to memory of 3720	1288	2024-12-19_c96f1fab16ad6195c61814e86f7ac0c1_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1288 wrote to memory of 1400	1288	2024-12-19_c96f1fab16ad6195c61814e86f7ac0c1_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1288 wrote to memory of 1400	1288	2024-12-19_c96f1fab16ad6195c61814e86f7ac0c1_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1288 wrote to memory of 3628	1288	2024-12-19_c96f1fab16ad6195c61814e86f7ac0c1_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1288 wrote to memory of 3628	1288	2024-12-19_c96f1fab16ad6195c61814e86f7ac0c1_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1288 wrote to memory of 1260	1288	2024-12-19_c96f1fab16ad6195c61814e86f7ac0c1_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1288 wrote to memory of 1260	1288	2024-12-19_c96f1fab16ad6195c61814e86f7ac0c1_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1288 wrote to memory of 3524	1288	2024-12-19_c96f1fab16ad6195c61814e86f7ac0c1_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 1288 wrote to memory of 3524	1288	2024-12-19_c96f1fab16ad6195c61814e86f7ac0c1_cobalt-strike_cobaltstrike_poet-rat.exe	103

C:\Users\Admin\AppData\Local\Temp\2024-12-19_c96f1fab16ad6195c61814e86f7ac0c1_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-19_c96f1fab16ad6195c61814e86f7ac0c1_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1288
- C:\Windows\System\hbxizNc.exe
  C:\Windows\System\hbxizNc.exe
  2⤵
  - Executes dropped EXE
  PID:696
- C:\Windows\System\qIUzDyO.exe
  C:\Windows\System\qIUzDyO.exe
  2⤵
  - Executes dropped EXE
  PID:4976
- C:\Windows\System\qZhTclX.exe
  C:\Windows\System\qZhTclX.exe
  2⤵
  - Executes dropped EXE
  PID:3748
- C:\Windows\System\xUameKy.exe
  C:\Windows\System\xUameKy.exe
  2⤵
  - Executes dropped EXE
  PID:4484
- C:\Windows\System\iNgaMvv.exe
  C:\Windows\System\iNgaMvv.exe
  2⤵
  - Executes dropped EXE
  PID:4904
- C:\Windows\System\MomdZRR.exe
  C:\Windows\System\MomdZRR.exe
  2⤵
  - Executes dropped EXE
  PID:4068
- C:\Windows\System\MCVFjJd.exe
  C:\Windows\System\MCVFjJd.exe
  2⤵
  - Executes dropped EXE
  PID:1604
- C:\Windows\System\ZpjyWtB.exe
  C:\Windows\System\ZpjyWtB.exe
  2⤵
  - Executes dropped EXE
  PID:560
- C:\Windows\System\OIvbHDZ.exe
  C:\Windows\System\OIvbHDZ.exe
  2⤵
  - Executes dropped EXE
  PID:3660
- C:\Windows\System\FRvrqJo.exe
  C:\Windows\System\FRvrqJo.exe
  2⤵
  - Executes dropped EXE
  PID:2160
- C:\Windows\System\VHcEEbM.exe
  C:\Windows\System\VHcEEbM.exe
  2⤵
  - Executes dropped EXE
  PID:4780
- C:\Windows\System\VeJOCzz.exe
  C:\Windows\System\VeJOCzz.exe
  2⤵
  - Executes dropped EXE
  PID:952
- C:\Windows\System\ZQKEZlD.exe
  C:\Windows\System\ZQKEZlD.exe
  2⤵
  - Executes dropped EXE
  PID:3204
- C:\Windows\System\wDqAKLb.exe
  C:\Windows\System\wDqAKLb.exe
  2⤵
  - Executes dropped EXE
  PID:1196
- C:\Windows\System\rYmLAYk.exe
  C:\Windows\System\rYmLAYk.exe
  2⤵
  - Executes dropped EXE
  PID:2956
- C:\Windows\System\WOWrHzW.exe
  C:\Windows\System\WOWrHzW.exe
  2⤵
  - Executes dropped EXE
  PID:3032
- C:\Windows\System\BxojUIK.exe
  C:\Windows\System\BxojUIK.exe
  2⤵
  - Executes dropped EXE
  PID:3720
- C:\Windows\System\qsfZOIB.exe
  C:\Windows\System\qsfZOIB.exe
  2⤵
  - Executes dropped EXE
  PID:1400
- C:\Windows\System\EarXjVm.exe
  C:\Windows\System\EarXjVm.exe
  2⤵
  - Executes dropped EXE
  PID:3628
- C:\Windows\System\JWRgnps.exe
  C:\Windows\System\JWRgnps.exe
  2⤵
  - Executes dropped EXE
  PID:1260
- C:\Windows\System\ACRNfqf.exe
  C:\Windows\System\ACRNfqf.exe
  2⤵
  - Executes dropped EXE
  PID:3524

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\ACRNfqf.exe

Filesize
5.2MB

MD5
16a8530372e0bffc0f0ff5d96c12f7ee

SHA1
06c910db066ab15acaed03f617381a7e356a6c6b

SHA256
82b57f2d3307e62ce9a77eb40d78b6ec3b88214f5481ab86270858fe6b264306

SHA512
841b720baad21da8ce2d05cb53ccce22479cedbc1193f443f27bd7276d328572f88aba31b5287b63f8817e95fcfd37b81c554987ecb8dfc620d613d973c2a85a

Download Submit
C:\Windows\System\BxojUIK.exe

Filesize
5.2MB

MD5
8617e61ea11fe45fe83d6b33528c2d3a

SHA1
71dde796784ec9911c424dfdd5b384f3b30d584a

SHA256
f98e13a72ec4b1161fd241f1854b83978c407e1f529d32d080a4525b0a935fc3

SHA512
67885e03d70ddf9ec3e43b8d32c5a5c969e0dcbca4b9af72c68826df0596e0410f4e6fd714d3e3f9cc8e61d0bcaef686ab53fc8f9911dff43b75e5656eb32884

Download Submit
C:\Windows\System\EarXjVm.exe

Filesize
5.2MB

MD5
e0fb7f97eb52023f084b3c90d456ec1a

SHA1
444681356016061f32b977ffb50e6d0ccc76f47c

SHA256
9ca1be1dae9c563d5238bd2106cd81d4f786f9df296620becd827f2205cca372

SHA512
7713ad71fe53096bd0e3ce80e80310f1a4b66e5281bffef558ebb63e2953f2f96305dd88d270ab53efd69536f0e57b4246077692d132305f4c0363b704a4549f

Download Submit
C:\Windows\System\FRvrqJo.exe

Filesize
5.2MB

MD5
92a6bf9bc8be52c9ca94e4b8cada3315

SHA1
7baf2b64b8135dcd3c36e5534a274659931a61a5

SHA256
0919754dc659e5813dd1774ebc6006e38fc91f502a51ffa4cf112599d2364ad3

SHA512
50c1744bd2449830f178c536ea481ca8c3b74e896e02dc93b210ca9a11635225e43b5cd95e53e75b6b2824683c6956f0e88c8f73f09afaba591139aefa26317f

Download Submit
C:\Windows\System\JWRgnps.exe

Filesize
5.2MB

MD5
ee64da34347205a6a8c46268e5c5a1cf

SHA1
b7c83ce2e82ebaa89c3d4223082c8eeae2e23922

SHA256
564afc3e185c312be220aaccb76c56aaab09562e28d26e8dc03c7b584eb08e58

SHA512
4b7e0617c41cf3037b9db5f35a2022ae67cb6c3da9bf525b747ee87419da89a7d8f4c847e110ad7b268b0039c89423df00331d629fad87c737c83f4b9b9adf0e

Download Submit
C:\Windows\System\MCVFjJd.exe

Filesize
5.2MB

MD5
ce450f6ae49dc5a17c294d470e35e00d

SHA1
35fa4028c10fe361d995b48872a143bb0a5eb1a7

SHA256
c2b8322c3a5e6f8a0325333bd262f99d65a16186e91f6bd90603ee791973fd54

SHA512
4e8eb46fe3579e3070ae8d21ae655503ac1b33c2eb5b0a7f9b394befe2a26df95f53df1023cefc03d2a95af4e8fe2254da6fe3ebb5d26641ac093e47860f2eef

Download Submit
C:\Windows\System\MomdZRR.exe

Filesize
5.2MB

MD5
111ad4136a47c784bcefef30f64540d4

SHA1
c2366e20ebaf9d59afd3f6048ca64c5ea6cb944f

SHA256
62ea4e7abc1a1d0d32dd6ff068575e47400fe89e459a4d129ca76c7f1b3194b4

SHA512
c89369dad1d3ff6fbf88fa568d29cf12d5cec67cf31513ad1e7713dd7f3d8c41da4d9e7e615cc58d9c3bd9af00cf3c66d8d66487469cc52d9ae035cee9eeff98

Download Submit
C:\Windows\System\OIvbHDZ.exe

Filesize
5.2MB

MD5
8fa7207a4e74d6a627d2bfa05f49391a

SHA1
13c7280c8e7452d58e99174d9f69d41223697f68

SHA256
3ad5943c784049663559ba856f8d3be724dfc51add542ccbca84dc778bf2725f

SHA512
8e865b9f86edd3d75061f741f98d05cc14d68959833cb2a4e4060d1ef38bb0dc7848e8cf4997775bb37323481ae63e93f9d34cc7c02829c550df0ce41c511081

Download Submit
C:\Windows\System\VHcEEbM.exe

Filesize
5.2MB

MD5
9093ee4517003761d9295b7820d8bcd3

SHA1
7000aa0e89121cc26ec506170033cfaa4d5dc32c

SHA256
e8afe147dd38e12d6dba48bc5e59189800a495d3c2fca07b5466ddbddb74ccfd

SHA512
ca7316cbd7a45c8670a8f1cc308fdec210beb36bb4683dc8f10b22ca228a18d66230e587616b4629cfc8b213936c26531858ea84265b2ae7a8a67d5454d628a6

Download Submit
C:\Windows\System\VeJOCzz.exe

Filesize
5.2MB

MD5
29369004a4d9407ef22a61227f2bcf93

SHA1
709dbf497bf0f290ffd44a259e9a79415426cb29

SHA256
010f5f81161e434e8fc6b17b24412c6159d58eaefbbe961058b8c5d4c1994021

SHA512
219b2013fe79fcbef0c88e11fd811dc0609d78a86a63894b541f29b2bffc73deff2a23b6351aed27d6f687fb5cb6c37947c2fb2c693a12bbbf7290dfd258242d

Download Submit
C:\Windows\System\WOWrHzW.exe

Filesize
5.2MB

MD5
73c6766a0015858af20e1be3e89579c2

SHA1
53dd43916e3fd0ad2660554c549cc5c1ad114148

SHA256
dea656e391006280a9eed406625afe1cc265d563fb85c0aa78c9e4caaa44260d

SHA512
d89d7acf7b27c1a3170bd7355ee4158d664414240d974a156e5f93bc74527940c5f9a6c539700469048dd0cb4a6078b428975179fe79daf0be568dd02d17483d

Download Submit
C:\Windows\System\ZQKEZlD.exe

Filesize
5.2MB

MD5
26f5e3b2f82b1b3461e4fbeae3520f99

SHA1
292e814cb4c017952b894eeb89708056f49c461d

SHA256
5987c4f4b1a1e9abaf1a1187497f6edba3bc72158c1f7a0e4bdfa79e795cea8e

SHA512
5caeb20555293851e22e9013cb6d5de54b93029823809436753f57b006e937862cf4297e08200dda6113c609485091d57eb50ef3db4482f2cca8407071e892d3

Download Submit
C:\Windows\System\ZpjyWtB.exe

Filesize
5.2MB

MD5
694b9a03f4f4c7bcb92b2819ad075e64

SHA1
6031e2d3ef935c6019601e3a99e0e92cbb257772

SHA256
f6f8f4d4265ddc89248a20e5f694ecafe1c9e0469e03ee57afef53c5f17e1c18

SHA512
6cce6c3f203a38de4f3dead976e3ae61d6d8cd22a37999169facdc91a5dc0c4c95de4238ca2f6f168a366327fd328c55d97e274d83c37641374b694682459b0d

Download Submit
C:\Windows\System\hbxizNc.exe

Filesize
5.2MB

MD5
3f1c617bc8d72386ed57503b54f3afcc

SHA1
ddc2d6ad87231d8e80c22e46fcc239d85e96292d

SHA256
6c3aaeaccf2ce0b5c43cf58c69d340dbfd54a91ef01b3f2e5c151bdd685bf65e

SHA512
4eed78d59f8abc3d94503e2b582b0a5b1255dc28c3554abba9bd62fe550afcd474dcc1ec8419a7e660976155e2407c5a6763900abdbb5a80a899975d638e71fb

Download Submit
C:\Windows\System\iNgaMvv.exe

Filesize
5.2MB

MD5
56e31c0d3de4f992b59f9bf89134e59e

SHA1
634f8590a1592088ddab7aee762f3b596db10719

SHA256
91c13c9a43d16cdb43a0d5f1ad760130a1f70dcb59f06297fdae329eb70ea81f

SHA512
b44c74da09b59b963444aaaa9219b4402faf6a1e2d465d018660e6220fc44e802209ad8c52400dfee8df2edc63551cccc7d903335efbb92cb13238fda218967e

Download Submit
C:\Windows\System\qIUzDyO.exe

Filesize
5.2MB

MD5
689b4aa6e3a9e4838baf4f03a48917a1

SHA1
f36ee0449b5dfd04e78c807e340450faf358f841

SHA256
6de0b2ba1dfbb5b022470942283c6645b1c25e89b7d5d6e7ec171fefb7a5737c

SHA512
8f7743f65d86741ec6acd010d21f6e36f7e833a50ad16225c9ca4cd44a0617098755fce511c9827d529dec537029152ed0a275870f86b58a0fd1157d1d47bcc7

Download Submit
C:\Windows\System\qZhTclX.exe

Filesize
5.2MB

MD5
6abac97529c9cf2fcca0c5fa20e9f6e2

SHA1
99cfa14eccdd67c6870e9f1d6ae9a146b3acdb40

SHA256
a1fb1164eeedb7b5b0e5e5776a7b55b936f877f05861d7c79ea1292d9db38c9b

SHA512
dd7e1297ab6b9130d2b347e48b163139034b34867e8ba8aff35e5c5aa664ab30a4b72f6c67dfb3295fd81d100984a655cac67507dfa25689fa593e8579b18fc0

Download Submit
C:\Windows\System\qsfZOIB.exe

Filesize
5.2MB

MD5
9f666ba4185bf448d411f5bacf86b7cb

SHA1
2d757a86354597bffbb8269adbfe74c7f61c909d

SHA256
155297849039d678eeb68dcdf65a13794dd3b01197757d7a4a2f1a0532e67ea5

SHA512
161865ffc295207eaa98a3ec0781d7faf771decf710d7a9db01a8136e6d8b4624dfe926c870b25f1067f696f9d58ebb27be604e36072ab2f5e5ac2ee67713f2b

Download Submit
C:\Windows\System\rYmLAYk.exe

Filesize
5.2MB

MD5
ee147de2415c431dfb0f907deb94cdb6

SHA1
b6ece78ed9050beeb6c1e759ae63b29ceaf52d94

SHA256
58d030b3783f6cbf9046b60ddf5fab6c1c2c97e9cd469032fb26eb618a523a00

SHA512
a5dcbfcccdbc72accf2c32626d6c8198a4a21bf44bfa82f902bdc6b2897573ec2b5d5eef3f83af808d29f9813decc667561275268ea024a6715dfc597d62cc68

Download Submit
C:\Windows\System\wDqAKLb.exe

Filesize
5.2MB

MD5
7891dc51357d8d4392567c2ce40c1b59

SHA1
d77c207ca72f0020e3720d628c93096ad7d609b0

SHA256
d1b36ed09e894bcbedbfba9420387c96aaa03ca9281d204dbb271d14d63cc1b8

SHA512
107fd2dd38f312cbdb8192f20d493099d32c0b87555cc915ad20f7981bb0c9876d3fd4a91097000f4e54f4d17c89550bb82835bd99abcc00ab4b7d277793dd4e

Download Submit
C:\Windows\System\xUameKy.exe

Filesize
5.2MB

MD5
e16da82b678b22bdcbd3a436520ed1a0

SHA1
6ddc0683d8e904f566267c8c2756f1d2a384585d

SHA256
7e4797979bc21800c1e3a1a5d19bb95402a0db0075ec58e48aa6956c3e84ac6c

SHA512
837f9185546b41e143648d20b7734383d554e83f14f21c71279aa936f80067cb8d009509def75bf19b45fe8bfa4c047133904d683f4789491e5b993d98af204d

Download Submit
memory/560-237-0x00007FF6C8410000-0x00007FF6C8761000-memory.dmp

Filesize
3.3MB

Download
memory/560-47-0x00007FF6C8410000-0x00007FF6C8761000-memory.dmp

Filesize
3.3MB

Download
memory/560-116-0x00007FF6C8410000-0x00007FF6C8761000-memory.dmp

Filesize
3.3MB

Download
memory/696-220-0x00007FF730AC0000-0x00007FF730E11000-memory.dmp

Filesize
3.3MB

Download
memory/696-7-0x00007FF730AC0000-0x00007FF730E11000-memory.dmp

Filesize
3.3MB

Download
memory/696-61-0x00007FF730AC0000-0x00007FF730E11000-memory.dmp

Filesize
3.3MB

Download
memory/952-252-0x00007FF777470000-0x00007FF7777C1000-memory.dmp

Filesize
3.3MB

Download
memory/952-88-0x00007FF777470000-0x00007FF7777C1000-memory.dmp

Filesize
3.3MB

Download
memory/1196-87-0x00007FF6DB280000-0x00007FF6DB5D1000-memory.dmp

Filesize
3.3MB

Download
memory/1196-139-0x00007FF6DB280000-0x00007FF6DB5D1000-memory.dmp

Filesize
3.3MB

Download
memory/1196-255-0x00007FF6DB280000-0x00007FF6DB5D1000-memory.dmp

Filesize
3.3MB

Download
memory/1260-138-0x00007FF7D9190000-0x00007FF7D94E1000-memory.dmp

Filesize
3.3MB

Download
memory/1260-275-0x00007FF7D9190000-0x00007FF7D94E1000-memory.dmp

Filesize
3.3MB

Download
memory/1288-168-0x00007FF6535A0000-0x00007FF6538F1000-memory.dmp

Filesize
3.3MB

Download
memory/1288-56-0x00007FF6535A0000-0x00007FF6538F1000-memory.dmp

Filesize
3.3MB

Download
memory/1288-1-0x0000020195430000-0x0000020195440000-memory.dmp

Filesize
64KB

Download
memory/1288-0-0x00007FF6535A0000-0x00007FF6538F1000-memory.dmp

Filesize
3.3MB

Download
memory/1288-141-0x00007FF6535A0000-0x00007FF6538F1000-memory.dmp

Filesize
3.3MB

Download
memory/1400-269-0x00007FF6CF110000-0x00007FF6CF461000-memory.dmp

Filesize
3.3MB

Download
memory/1400-159-0x00007FF6CF110000-0x00007FF6CF461000-memory.dmp

Filesize
3.3MB

Download
memory/1400-117-0x00007FF6CF110000-0x00007FF6CF461000-memory.dmp

Filesize
3.3MB

Download
memory/1604-235-0x00007FF6F7FF0000-0x00007FF6F8341000-memory.dmp

Filesize
3.3MB

Download
memory/1604-43-0x00007FF6F7FF0000-0x00007FF6F8341000-memory.dmp

Filesize
3.3MB

Download
memory/1604-112-0x00007FF6F7FF0000-0x00007FF6F8341000-memory.dmp

Filesize
3.3MB

Download
memory/2160-62-0x00007FF6C02E0000-0x00007FF6C0631000-memory.dmp

Filesize
3.3MB

Download
memory/2160-247-0x00007FF6C02E0000-0x00007FF6C0631000-memory.dmp

Filesize
3.3MB

Download
memory/2160-135-0x00007FF6C02E0000-0x00007FF6C0631000-memory.dmp

Filesize
3.3MB

Download
memory/2956-140-0x00007FF688AF0000-0x00007FF688E41000-memory.dmp

Filesize
3.3MB

Download
memory/2956-97-0x00007FF688AF0000-0x00007FF688E41000-memory.dmp

Filesize
3.3MB

Download
memory/2956-259-0x00007FF688AF0000-0x00007FF688E41000-memory.dmp

Filesize
3.3MB

Download
memory/3032-261-0x00007FF648930000-0x00007FF648C81000-memory.dmp

Filesize
3.3MB

Download
memory/3032-103-0x00007FF648930000-0x00007FF648C81000-memory.dmp

Filesize
3.3MB

Download
memory/3032-144-0x00007FF648930000-0x00007FF648C81000-memory.dmp

Filesize
3.3MB

Download
memory/3204-90-0x00007FF7F0E80000-0x00007FF7F11D1000-memory.dmp

Filesize
3.3MB

Download
memory/3204-254-0x00007FF7F0E80000-0x00007FF7F11D1000-memory.dmp

Filesize
3.3MB

Download
memory/3524-133-0x00007FF741BD0000-0x00007FF741F21000-memory.dmp

Filesize
3.3MB

Download
memory/3524-273-0x00007FF741BD0000-0x00007FF741F21000-memory.dmp

Filesize
3.3MB

Download
memory/3524-163-0x00007FF741BD0000-0x00007FF741F21000-memory.dmp

Filesize
3.3MB

Download
memory/3628-162-0x00007FF7ADD20000-0x00007FF7AE071000-memory.dmp

Filesize
3.3MB

Download
memory/3628-271-0x00007FF7ADD20000-0x00007FF7AE071000-memory.dmp

Filesize
3.3MB

Download
memory/3628-127-0x00007FF7ADD20000-0x00007FF7AE071000-memory.dmp

Filesize
3.3MB

Download
memory/3660-239-0x00007FF7B1F50000-0x00007FF7B22A1000-memory.dmp

Filesize
3.3MB

Download
memory/3660-122-0x00007FF7B1F50000-0x00007FF7B22A1000-memory.dmp

Filesize
3.3MB

Download
memory/3660-53-0x00007FF7B1F50000-0x00007FF7B22A1000-memory.dmp

Filesize
3.3MB

Download
memory/3720-108-0x00007FF7DD8C0000-0x00007FF7DDC11000-memory.dmp

Filesize
3.3MB

Download
memory/3720-263-0x00007FF7DD8C0000-0x00007FF7DDC11000-memory.dmp

Filesize
3.3MB

Download
memory/3720-152-0x00007FF7DD8C0000-0x00007FF7DDC11000-memory.dmp

Filesize
3.3MB

Download
memory/3748-89-0x00007FF740CB0000-0x00007FF741001000-memory.dmp

Filesize
3.3MB

Download
memory/3748-20-0x00007FF740CB0000-0x00007FF741001000-memory.dmp

Filesize
3.3MB

Download
memory/3748-224-0x00007FF740CB0000-0x00007FF741001000-memory.dmp

Filesize
3.3MB

Download
memory/4068-38-0x00007FF7F5AD0000-0x00007FF7F5E21000-memory.dmp

Filesize
3.3MB

Download
memory/4068-107-0x00007FF7F5AD0000-0x00007FF7F5E21000-memory.dmp

Filesize
3.3MB

Download
memory/4068-233-0x00007FF7F5AD0000-0x00007FF7F5E21000-memory.dmp

Filesize
3.3MB

Download
memory/4484-226-0x00007FF6B9AA0000-0x00007FF6B9DF1000-memory.dmp

Filesize
3.3MB

Download
memory/4484-27-0x00007FF6B9AA0000-0x00007FF6B9DF1000-memory.dmp

Filesize
3.3MB

Download
memory/4484-95-0x00007FF6B9AA0000-0x00007FF6B9DF1000-memory.dmp

Filesize
3.3MB

Download
memory/4780-249-0x00007FF793060000-0x00007FF7933B1000-memory.dmp

Filesize
3.3MB

Download
memory/4780-81-0x00007FF793060000-0x00007FF7933B1000-memory.dmp

Filesize
3.3MB

Download
memory/4904-231-0x00007FF7E48D0000-0x00007FF7E4C21000-memory.dmp

Filesize
3.3MB

Download
memory/4904-31-0x00007FF7E48D0000-0x00007FF7E4C21000-memory.dmp

Filesize
3.3MB

Download
memory/4904-102-0x00007FF7E48D0000-0x00007FF7E4C21000-memory.dmp

Filesize
3.3MB

Download
memory/4976-13-0x00007FF6759D0000-0x00007FF675D21000-memory.dmp

Filesize
3.3MB

Download
memory/4976-222-0x00007FF6759D0000-0x00007FF675D21000-memory.dmp

Filesize
3.3MB

Download
memory/4976-75-0x00007FF6759D0000-0x00007FF675D21000-memory.dmp

Filesize
3.3MB

Download