cobaltstrike | 371e10530b032b62fb618d5a53467fa4900f7e78dbd5d6161a4a9092ef5a8908

Analysis

max time kernel
144s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 02:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-22_37b8631b25d6cfba39ea63f9c6856cd4_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

37b8631b25d6cfba39ea63f9c6856cd4
SHA1

2810a54efde37e6db3608e19e7323fdb4c18c6a5
SHA256

371e10530b032b62fb618d5a53467fa4900f7e78dbd5d6161a4a9092ef5a8908
SHA512

d8ff9eef1d609605c90e63cbf16da0d74325fbf8d73f26398df4494d326e4ddf0ff0fce4f4e4ed2e7e2228a8a907e9e2fd06ddb06f86f72c6c990fd96e7ae1c4
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lZ:RWWBibf56utgpPFotBER/mQ32lUV

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000c000000023ba9-5.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c95-10.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c94-12.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c97-31.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c91-42.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c98-40.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c96-27.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c99-47.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9b-51.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9c-59.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9e-75.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9d-69.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9f-84.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca0-90.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca2-103.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca1-99.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca3-110.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca4-120.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca5-128.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca6-139.dat	cobalt_reflective_dll
behavioral2/files/0x000300000001e754-142.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 46 IoCs

miner

resource	yara_rule
behavioral2/memory/4036-57-0x00007FF7B4E20000-0x00007FF7B5171000-memory.dmp	xmrig
behavioral2/memory/4808-64-0x00007FF6BF770000-0x00007FF6BFAC1000-memory.dmp	xmrig
behavioral2/memory/5064-74-0x00007FF74D290000-0x00007FF74D5E1000-memory.dmp	xmrig
behavioral2/memory/4084-76-0x00007FF713CD0000-0x00007FF714021000-memory.dmp	xmrig
behavioral2/memory/2560-71-0x00007FF699150000-0x00007FF6994A1000-memory.dmp	xmrig
behavioral2/memory/4448-68-0x00007FF784680000-0x00007FF7849D1000-memory.dmp	xmrig
behavioral2/memory/4816-62-0x00007FF76A790000-0x00007FF76AAE1000-memory.dmp	xmrig
behavioral2/memory/2652-85-0x00007FF6CB610000-0x00007FF6CB961000-memory.dmp	xmrig
behavioral2/memory/3704-81-0x00007FF656AF0000-0x00007FF656E41000-memory.dmp	xmrig
behavioral2/memory/3200-91-0x00007FF6A8A90000-0x00007FF6A8DE1000-memory.dmp	xmrig
behavioral2/memory/3380-104-0x00007FF791CE0000-0x00007FF792031000-memory.dmp	xmrig
behavioral2/memory/4844-125-0x00007FF6A24F0000-0x00007FF6A2841000-memory.dmp	xmrig
behavioral2/memory/2580-113-0x00007FF7B9AF0000-0x00007FF7B9E41000-memory.dmp	xmrig
behavioral2/memory/4948-140-0x00007FF628AF0000-0x00007FF628E41000-memory.dmp	xmrig
behavioral2/memory/2720-148-0x00007FF68B1D0000-0x00007FF68B521000-memory.dmp	xmrig
behavioral2/memory/4884-151-0x00007FF7087F0000-0x00007FF708B41000-memory.dmp	xmrig
behavioral2/memory/2204-155-0x00007FF6A01E0000-0x00007FF6A0531000-memory.dmp	xmrig
behavioral2/memory/2892-156-0x00007FF6C0800000-0x00007FF6C0B51000-memory.dmp	xmrig
behavioral2/memory/1432-157-0x00007FF652300000-0x00007FF652651000-memory.dmp	xmrig
behavioral2/memory/4844-159-0x00007FF6A24F0000-0x00007FF6A2841000-memory.dmp	xmrig
behavioral2/memory/4036-160-0x00007FF7B4E20000-0x00007FF7B5171000-memory.dmp	xmrig
behavioral2/memory/844-167-0x00007FF6E32C0000-0x00007FF6E3611000-memory.dmp	xmrig
behavioral2/memory/208-175-0x00007FF614010000-0x00007FF614361000-memory.dmp	xmrig
behavioral2/memory/3136-176-0x00007FF673290000-0x00007FF6735E1000-memory.dmp	xmrig
behavioral2/memory/4036-183-0x00007FF7B4E20000-0x00007FF7B5171000-memory.dmp	xmrig
behavioral2/memory/4816-215-0x00007FF76A790000-0x00007FF76AAE1000-memory.dmp	xmrig
behavioral2/memory/4448-223-0x00007FF784680000-0x00007FF7849D1000-memory.dmp	xmrig
behavioral2/memory/4084-225-0x00007FF713CD0000-0x00007FF714021000-memory.dmp	xmrig
behavioral2/memory/2560-227-0x00007FF699150000-0x00007FF6994A1000-memory.dmp	xmrig
behavioral2/memory/3704-229-0x00007FF656AF0000-0x00007FF656E41000-memory.dmp	xmrig
behavioral2/memory/3200-232-0x00007FF6A8A90000-0x00007FF6A8DE1000-memory.dmp	xmrig
behavioral2/memory/2652-233-0x00007FF6CB610000-0x00007FF6CB961000-memory.dmp	xmrig
behavioral2/memory/3380-238-0x00007FF791CE0000-0x00007FF792031000-memory.dmp	xmrig
behavioral2/memory/2580-240-0x00007FF7B9AF0000-0x00007FF7B9E41000-memory.dmp	xmrig
behavioral2/memory/4808-245-0x00007FF6BF770000-0x00007FF6BFAC1000-memory.dmp	xmrig
behavioral2/memory/5064-247-0x00007FF74D290000-0x00007FF74D5E1000-memory.dmp	xmrig
behavioral2/memory/4948-250-0x00007FF628AF0000-0x00007FF628E41000-memory.dmp	xmrig
behavioral2/memory/2720-252-0x00007FF68B1D0000-0x00007FF68B521000-memory.dmp	xmrig
behavioral2/memory/4884-256-0x00007FF7087F0000-0x00007FF708B41000-memory.dmp	xmrig
behavioral2/memory/2204-259-0x00007FF6A01E0000-0x00007FF6A0531000-memory.dmp	xmrig
behavioral2/memory/2892-265-0x00007FF6C0800000-0x00007FF6C0B51000-memory.dmp	xmrig
behavioral2/memory/1432-267-0x00007FF652300000-0x00007FF652651000-memory.dmp	xmrig
behavioral2/memory/4844-269-0x00007FF6A24F0000-0x00007FF6A2841000-memory.dmp	xmrig
behavioral2/memory/844-271-0x00007FF6E32C0000-0x00007FF6E3611000-memory.dmp	xmrig
behavioral2/memory/3136-275-0x00007FF673290000-0x00007FF6735E1000-memory.dmp	xmrig
behavioral2/memory/208-276-0x00007FF614010000-0x00007FF614361000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4816	JvKWAoD.exe
4448	GduxatE.exe
4084	WGBbaRy.exe
2560	FfadoOz.exe
3704	FVrkpJg.exe
2652	fGrdyjU.exe
3200	nZhyDhm.exe
3380	tsBMHEG.exe
2580	sbJWrKK.exe
4808	feQtaqM.exe
5064	OelIdZM.exe
4948	KhRtabU.exe
2720	enCocbI.exe
4884	DuMpAdO.exe
2204	JuBYhfe.exe
2892	VgsREEF.exe
1432	oqaXPrE.exe
4844	QobmDtp.exe
844	DuRaTBO.exe
208	uBJdpmP.exe
3136	vvpvVnU.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4036-0-0x00007FF7B4E20000-0x00007FF7B5171000-memory.dmp	upx
behavioral2/files/0x000c000000023ba9-5.dat	upx
behavioral2/memory/4816-8-0x00007FF76A790000-0x00007FF76AAE1000-memory.dmp	upx
behavioral2/files/0x0007000000023c95-10.dat	upx
behavioral2/files/0x0007000000023c94-12.dat	upx
behavioral2/memory/4448-16-0x00007FF784680000-0x00007FF7849D1000-memory.dmp	upx
behavioral2/memory/4084-25-0x00007FF713CD0000-0x00007FF714021000-memory.dmp	upx
behavioral2/files/0x0007000000023c97-31.dat	upx
behavioral2/memory/2560-28-0x00007FF699150000-0x00007FF6994A1000-memory.dmp	upx
behavioral2/memory/2652-39-0x00007FF6CB610000-0x00007FF6CB961000-memory.dmp	upx
behavioral2/files/0x0008000000023c91-42.dat	upx
behavioral2/memory/3200-44-0x00007FF6A8A90000-0x00007FF6A8DE1000-memory.dmp	upx
behavioral2/files/0x0007000000023c98-40.dat	upx
behavioral2/memory/3704-34-0x00007FF656AF0000-0x00007FF656E41000-memory.dmp	upx
behavioral2/files/0x0007000000023c96-27.dat	upx
behavioral2/files/0x0007000000023c99-47.dat	upx
behavioral2/memory/3380-48-0x00007FF791CE0000-0x00007FF792031000-memory.dmp	upx
behavioral2/files/0x0007000000023c9b-51.dat	upx
behavioral2/memory/2580-53-0x00007FF7B9AF0000-0x00007FF7B9E41000-memory.dmp	upx
behavioral2/memory/4036-57-0x00007FF7B4E20000-0x00007FF7B5171000-memory.dmp	upx
behavioral2/files/0x0007000000023c9c-59.dat	upx
behavioral2/memory/4808-64-0x00007FF6BF770000-0x00007FF6BFAC1000-memory.dmp	upx
behavioral2/files/0x0007000000023c9e-75.dat	upx
behavioral2/memory/5064-74-0x00007FF74D290000-0x00007FF74D5E1000-memory.dmp	upx
behavioral2/memory/4948-77-0x00007FF628AF0000-0x00007FF628E41000-memory.dmp	upx
behavioral2/memory/4084-76-0x00007FF713CD0000-0x00007FF714021000-memory.dmp	upx
behavioral2/memory/2560-71-0x00007FF699150000-0x00007FF6994A1000-memory.dmp	upx
behavioral2/files/0x0007000000023c9d-69.dat	upx
behavioral2/memory/4448-68-0x00007FF784680000-0x00007FF7849D1000-memory.dmp	upx
behavioral2/memory/4816-62-0x00007FF76A790000-0x00007FF76AAE1000-memory.dmp	upx
behavioral2/memory/2720-86-0x00007FF68B1D0000-0x00007FF68B521000-memory.dmp	upx
behavioral2/memory/2652-85-0x00007FF6CB610000-0x00007FF6CB961000-memory.dmp	upx
behavioral2/files/0x0007000000023c9f-84.dat	upx
behavioral2/memory/3704-81-0x00007FF656AF0000-0x00007FF656E41000-memory.dmp	upx
behavioral2/files/0x0007000000023ca0-90.dat	upx
behavioral2/memory/4884-92-0x00007FF7087F0000-0x00007FF708B41000-memory.dmp	upx
behavioral2/memory/3200-91-0x00007FF6A8A90000-0x00007FF6A8DE1000-memory.dmp	upx
behavioral2/memory/2204-98-0x00007FF6A01E0000-0x00007FF6A0531000-memory.dmp	upx
behavioral2/files/0x0007000000023ca2-103.dat	upx
behavioral2/memory/2892-105-0x00007FF6C0800000-0x00007FF6C0B51000-memory.dmp	upx
behavioral2/memory/3380-104-0x00007FF791CE0000-0x00007FF792031000-memory.dmp	upx
behavioral2/files/0x0007000000023ca1-99.dat	upx
behavioral2/files/0x0007000000023ca3-110.dat	upx
behavioral2/files/0x0007000000023ca4-120.dat	upx
behavioral2/memory/1432-119-0x00007FF652300000-0x00007FF652651000-memory.dmp	upx
behavioral2/files/0x0007000000023ca5-128.dat	upx
behavioral2/memory/844-127-0x00007FF6E32C0000-0x00007FF6E3611000-memory.dmp	upx
behavioral2/memory/4844-125-0x00007FF6A24F0000-0x00007FF6A2841000-memory.dmp	upx
behavioral2/memory/2580-113-0x00007FF7B9AF0000-0x00007FF7B9E41000-memory.dmp	upx
behavioral2/files/0x0007000000023ca6-139.dat	upx
behavioral2/files/0x000300000001e754-142.dat	upx
behavioral2/memory/3136-144-0x00007FF673290000-0x00007FF6735E1000-memory.dmp	upx
behavioral2/memory/208-141-0x00007FF614010000-0x00007FF614361000-memory.dmp	upx
behavioral2/memory/4948-140-0x00007FF628AF0000-0x00007FF628E41000-memory.dmp	upx
behavioral2/memory/2720-148-0x00007FF68B1D0000-0x00007FF68B521000-memory.dmp	upx
behavioral2/memory/4884-151-0x00007FF7087F0000-0x00007FF708B41000-memory.dmp	upx
behavioral2/memory/2204-155-0x00007FF6A01E0000-0x00007FF6A0531000-memory.dmp	upx
behavioral2/memory/2892-156-0x00007FF6C0800000-0x00007FF6C0B51000-memory.dmp	upx
behavioral2/memory/1432-157-0x00007FF652300000-0x00007FF652651000-memory.dmp	upx
behavioral2/memory/4844-159-0x00007FF6A24F0000-0x00007FF6A2841000-memory.dmp	upx
behavioral2/memory/4036-160-0x00007FF7B4E20000-0x00007FF7B5171000-memory.dmp	upx
behavioral2/memory/844-167-0x00007FF6E32C0000-0x00007FF6E3611000-memory.dmp	upx
behavioral2/memory/208-175-0x00007FF614010000-0x00007FF614361000-memory.dmp	upx
behavioral2/memory/3136-176-0x00007FF673290000-0x00007FF6735E1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\FfadoOz.exe	2024-12-22_37b8631b25d6cfba39ea63f9c6856cd4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fGrdyjU.exe	2024-12-22_37b8631b25d6cfba39ea63f9c6856cd4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\enCocbI.exe	2024-12-22_37b8631b25d6cfba39ea63f9c6856cd4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VgsREEF.exe	2024-12-22_37b8631b25d6cfba39ea63f9c6856cd4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oqaXPrE.exe	2024-12-22_37b8631b25d6cfba39ea63f9c6856cd4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DuRaTBO.exe	2024-12-22_37b8631b25d6cfba39ea63f9c6856cd4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GduxatE.exe	2024-12-22_37b8631b25d6cfba39ea63f9c6856cd4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nZhyDhm.exe	2024-12-22_37b8631b25d6cfba39ea63f9c6856cd4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QobmDtp.exe	2024-12-22_37b8631b25d6cfba39ea63f9c6856cd4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uBJdpmP.exe	2024-12-22_37b8631b25d6cfba39ea63f9c6856cd4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WGBbaRy.exe	2024-12-22_37b8631b25d6cfba39ea63f9c6856cd4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FVrkpJg.exe	2024-12-22_37b8631b25d6cfba39ea63f9c6856cd4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tsBMHEG.exe	2024-12-22_37b8631b25d6cfba39ea63f9c6856cd4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sbJWrKK.exe	2024-12-22_37b8631b25d6cfba39ea63f9c6856cd4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OelIdZM.exe	2024-12-22_37b8631b25d6cfba39ea63f9c6856cd4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DuMpAdO.exe	2024-12-22_37b8631b25d6cfba39ea63f9c6856cd4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JvKWAoD.exe	2024-12-22_37b8631b25d6cfba39ea63f9c6856cd4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\feQtaqM.exe	2024-12-22_37b8631b25d6cfba39ea63f9c6856cd4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KhRtabU.exe	2024-12-22_37b8631b25d6cfba39ea63f9c6856cd4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JuBYhfe.exe	2024-12-22_37b8631b25d6cfba39ea63f9c6856cd4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vvpvVnU.exe	2024-12-22_37b8631b25d6cfba39ea63f9c6856cd4_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4036	2024-12-22_37b8631b25d6cfba39ea63f9c6856cd4_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4036	2024-12-22_37b8631b25d6cfba39ea63f9c6856cd4_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4036 wrote to memory of 4816	4036	2024-12-22_37b8631b25d6cfba39ea63f9c6856cd4_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 4036 wrote to memory of 4816	4036	2024-12-22_37b8631b25d6cfba39ea63f9c6856cd4_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 4036 wrote to memory of 4448	4036	2024-12-22_37b8631b25d6cfba39ea63f9c6856cd4_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4036 wrote to memory of 4448	4036	2024-12-22_37b8631b25d6cfba39ea63f9c6856cd4_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4036 wrote to memory of 4084	4036	2024-12-22_37b8631b25d6cfba39ea63f9c6856cd4_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4036 wrote to memory of 4084	4036	2024-12-22_37b8631b25d6cfba39ea63f9c6856cd4_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4036 wrote to memory of 2560	4036	2024-12-22_37b8631b25d6cfba39ea63f9c6856cd4_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4036 wrote to memory of 2560	4036	2024-12-22_37b8631b25d6cfba39ea63f9c6856cd4_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4036 wrote to memory of 3704	4036	2024-12-22_37b8631b25d6cfba39ea63f9c6856cd4_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4036 wrote to memory of 3704	4036	2024-12-22_37b8631b25d6cfba39ea63f9c6856cd4_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4036 wrote to memory of 2652	4036	2024-12-22_37b8631b25d6cfba39ea63f9c6856cd4_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4036 wrote to memory of 2652	4036	2024-12-22_37b8631b25d6cfba39ea63f9c6856cd4_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4036 wrote to memory of 3200	4036	2024-12-22_37b8631b25d6cfba39ea63f9c6856cd4_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4036 wrote to memory of 3200	4036	2024-12-22_37b8631b25d6cfba39ea63f9c6856cd4_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4036 wrote to memory of 3380	4036	2024-12-22_37b8631b25d6cfba39ea63f9c6856cd4_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4036 wrote to memory of 3380	4036	2024-12-22_37b8631b25d6cfba39ea63f9c6856cd4_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4036 wrote to memory of 2580	4036	2024-12-22_37b8631b25d6cfba39ea63f9c6856cd4_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4036 wrote to memory of 2580	4036	2024-12-22_37b8631b25d6cfba39ea63f9c6856cd4_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4036 wrote to memory of 4808	4036	2024-12-22_37b8631b25d6cfba39ea63f9c6856cd4_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4036 wrote to memory of 4808	4036	2024-12-22_37b8631b25d6cfba39ea63f9c6856cd4_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4036 wrote to memory of 5064	4036	2024-12-22_37b8631b25d6cfba39ea63f9c6856cd4_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4036 wrote to memory of 5064	4036	2024-12-22_37b8631b25d6cfba39ea63f9c6856cd4_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4036 wrote to memory of 4948	4036	2024-12-22_37b8631b25d6cfba39ea63f9c6856cd4_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4036 wrote to memory of 4948	4036	2024-12-22_37b8631b25d6cfba39ea63f9c6856cd4_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4036 wrote to memory of 2720	4036	2024-12-22_37b8631b25d6cfba39ea63f9c6856cd4_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4036 wrote to memory of 2720	4036	2024-12-22_37b8631b25d6cfba39ea63f9c6856cd4_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4036 wrote to memory of 4884	4036	2024-12-22_37b8631b25d6cfba39ea63f9c6856cd4_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4036 wrote to memory of 4884	4036	2024-12-22_37b8631b25d6cfba39ea63f9c6856cd4_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4036 wrote to memory of 2204	4036	2024-12-22_37b8631b25d6cfba39ea63f9c6856cd4_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4036 wrote to memory of 2204	4036	2024-12-22_37b8631b25d6cfba39ea63f9c6856cd4_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4036 wrote to memory of 2892	4036	2024-12-22_37b8631b25d6cfba39ea63f9c6856cd4_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4036 wrote to memory of 2892	4036	2024-12-22_37b8631b25d6cfba39ea63f9c6856cd4_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4036 wrote to memory of 1432	4036	2024-12-22_37b8631b25d6cfba39ea63f9c6856cd4_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4036 wrote to memory of 1432	4036	2024-12-22_37b8631b25d6cfba39ea63f9c6856cd4_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4036 wrote to memory of 4844	4036	2024-12-22_37b8631b25d6cfba39ea63f9c6856cd4_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4036 wrote to memory of 4844	4036	2024-12-22_37b8631b25d6cfba39ea63f9c6856cd4_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4036 wrote to memory of 844	4036	2024-12-22_37b8631b25d6cfba39ea63f9c6856cd4_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4036 wrote to memory of 844	4036	2024-12-22_37b8631b25d6cfba39ea63f9c6856cd4_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4036 wrote to memory of 208	4036	2024-12-22_37b8631b25d6cfba39ea63f9c6856cd4_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4036 wrote to memory of 208	4036	2024-12-22_37b8631b25d6cfba39ea63f9c6856cd4_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4036 wrote to memory of 3136	4036	2024-12-22_37b8631b25d6cfba39ea63f9c6856cd4_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4036 wrote to memory of 3136	4036	2024-12-22_37b8631b25d6cfba39ea63f9c6856cd4_cobalt-strike_cobaltstrike_poet-rat.exe	103

C:\Users\Admin\AppData\Local\Temp\2024-12-22_37b8631b25d6cfba39ea63f9c6856cd4_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-22_37b8631b25d6cfba39ea63f9c6856cd4_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4036
- C:\Windows\System\JvKWAoD.exe
  C:\Windows\System\JvKWAoD.exe
  2⤵
  - Executes dropped EXE
  PID:4816
- C:\Windows\System\GduxatE.exe
  C:\Windows\System\GduxatE.exe
  2⤵
  - Executes dropped EXE
  PID:4448
- C:\Windows\System\WGBbaRy.exe
  C:\Windows\System\WGBbaRy.exe
  2⤵
  - Executes dropped EXE
  PID:4084
- C:\Windows\System\FfadoOz.exe
  C:\Windows\System\FfadoOz.exe
  2⤵
  - Executes dropped EXE
  PID:2560
- C:\Windows\System\FVrkpJg.exe
  C:\Windows\System\FVrkpJg.exe
  2⤵
  - Executes dropped EXE
  PID:3704
- C:\Windows\System\fGrdyjU.exe
  C:\Windows\System\fGrdyjU.exe
  2⤵
  - Executes dropped EXE
  PID:2652
- C:\Windows\System\nZhyDhm.exe
  C:\Windows\System\nZhyDhm.exe
  2⤵
  - Executes dropped EXE
  PID:3200
- C:\Windows\System\tsBMHEG.exe
  C:\Windows\System\tsBMHEG.exe
  2⤵
  - Executes dropped EXE
  PID:3380
- C:\Windows\System\sbJWrKK.exe
  C:\Windows\System\sbJWrKK.exe
  2⤵
  - Executes dropped EXE
  PID:2580
- C:\Windows\System\feQtaqM.exe
  C:\Windows\System\feQtaqM.exe
  2⤵
  - Executes dropped EXE
  PID:4808
- C:\Windows\System\OelIdZM.exe
  C:\Windows\System\OelIdZM.exe
  2⤵
  - Executes dropped EXE
  PID:5064
- C:\Windows\System\KhRtabU.exe
  C:\Windows\System\KhRtabU.exe
  2⤵
  - Executes dropped EXE
  PID:4948
- C:\Windows\System\enCocbI.exe
  C:\Windows\System\enCocbI.exe
  2⤵
  - Executes dropped EXE
  PID:2720
- C:\Windows\System\DuMpAdO.exe
  C:\Windows\System\DuMpAdO.exe
  2⤵
  - Executes dropped EXE
  PID:4884
- C:\Windows\System\JuBYhfe.exe
  C:\Windows\System\JuBYhfe.exe
  2⤵
  - Executes dropped EXE
  PID:2204
- C:\Windows\System\VgsREEF.exe
  C:\Windows\System\VgsREEF.exe
  2⤵
  - Executes dropped EXE
  PID:2892
- C:\Windows\System\oqaXPrE.exe
  C:\Windows\System\oqaXPrE.exe
  2⤵
  - Executes dropped EXE
  PID:1432
- C:\Windows\System\QobmDtp.exe
  C:\Windows\System\QobmDtp.exe
  2⤵
  - Executes dropped EXE
  PID:4844
- C:\Windows\System\DuRaTBO.exe
  C:\Windows\System\DuRaTBO.exe
  2⤵
  - Executes dropped EXE
  PID:844
- C:\Windows\System\uBJdpmP.exe
  C:\Windows\System\uBJdpmP.exe
  2⤵
  - Executes dropped EXE
  PID:208
- C:\Windows\System\vvpvVnU.exe
  C:\Windows\System\vvpvVnU.exe
  2⤵
  - Executes dropped EXE
  PID:3136

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\DuMpAdO.exe

Filesize
5.2MB

MD5
6ea356e7c6a794f448f795b2086ba66c

SHA1
7d0c01ae99abaa2954c79e17b63891c54a48544d

SHA256
ac157f9491b6ba8ad60c0bd9dca1d6ebaf533f14c3fdc92b11f3d1f526251143

SHA512
0abcd79d819c2391af1682bac0cbc0a894166bc5dd86d9da688559394097afc86c02ece2b142d0ba3ed006a10a3b85eeec374f4c704dfd1d29bbfef92290213a

Download Submit
C:\Windows\System\DuRaTBO.exe

Filesize
5.2MB

MD5
c1c541a210849037fb3098b9b1cfeb4f

SHA1
02055e439ec96f7bd84572af6ca67571a7cea2f1

SHA256
a2b274f58fda29a69311d4286e68aa1c374e847c09f89d1a4ec8787cc473f0a6

SHA512
167fc9035421f087d4ad12bd5d3cd156e8f9cf5d6a4b054a69dd4062f243dcdd430892f2a2a2afbf6b9fe605f5cfb22c15478d229251c85644bd3869dce48e2d

Download Submit
C:\Windows\System\FVrkpJg.exe

Filesize
5.2MB

MD5
4d66d381834efb1c398ddc5172d44bc7

SHA1
6d160c9db362f74d3475baf4c0ab75ffdaff4bca

SHA256
968a59213408b69e1fcb84bb655cd11b990e2e856ae1c1546f737969572433e4

SHA512
a9636d0ec54231ded1753be9c55f6d6cbe45c850de9dd037ca62e6fc96e7bc6b2e0c42d49c3f845a4ca743a8a9b0e0e8cd1ff6fdd617da8c3ffcefba9e7806cc

Download Submit
C:\Windows\System\FfadoOz.exe

Filesize
5.2MB

MD5
872456bc35892469cfda8324b18d454f

SHA1
b882b564ba5a807500ce8206d4f1891bd61962a2

SHA256
b5492fc104122c98469b3dfdca16537fad6b73c36f0c0dee04e9de1c2f8fdb56

SHA512
9badb1c46ab98a4f4fc9a6e8925cc133a5f13bca145abcac92a17bae3a6c14df54540172a3db4d9f6033b7c02e8b9006d5b85acce797f5598aaf0f4107f9de1c

Download Submit
C:\Windows\System\GduxatE.exe

Filesize
5.2MB

MD5
0989e64454ca9d71c020fa3a1d95dfca

SHA1
8a3412c268c5d4816e4e588286eb69dfaa888180

SHA256
8dafe2fe4a0dc25d1d53add1b00e4bfa3ebc4265130539c4bbae51cf1628de1d

SHA512
2f7f8f2ce26ff91d06b27756567cae6b3545514f9e4f61464f12088872a455ef59942e1cc00a81c25b2e193d217955c17785e6d0351cc884a26b31bf940d739a

Download Submit
C:\Windows\System\JuBYhfe.exe

Filesize
5.2MB

MD5
5aaa24382b85077cdb4388ef95cd55f1

SHA1
5d516aa1093f5f7f6dd4809460073a96c5eb1fc8

SHA256
ec3176e76cc0e36704912e68911e459c8493398c89c0826f1a304c41b25f756c

SHA512
86c011e743c733637d6203bb5f9eea398a80e843b0508dfc4bd918c12e0f240bc5c62418cbbbb7d03ea80f258ed772de5f20c80e3e841c17c172c1afc8f913f2

Download Submit
C:\Windows\System\JvKWAoD.exe

Filesize
5.2MB

MD5
68e432dfaea7f67f5d594b65a75fec99

SHA1
6ea61c731fa0d97cd5c6227c17c321026581b921

SHA256
01fa660b6cf01613fcf0d9509bae6c6828616046fba34e7ea480717cf1fa72f4

SHA512
e9d1cafcdf7301c2a142acb96e221a20b744e352cde4b7e57c2bbd79dec86fa139243596c59ac710997c012162a3729511facc341220bae09bc9b41ae087ee31

Download Submit
C:\Windows\System\KhRtabU.exe

Filesize
5.2MB

MD5
184d37d9c2fd8f93a37ddbb0de6c56ea

SHA1
a050e5d15afb368f98c3dd87c3160c43e6ccebf1

SHA256
3e1a7426b03e2c087f96d28032aad00e21a221e2e1b95ffc291f9e4e2ac2dd86

SHA512
65ffb09944d574ba60cf1a561487b231e091515b1a9b1773e8ace9afeb29f88f189512986e82852d9458bf2dc9a6daeb1c9ef0a9cb1f6ee9fc640d9756837daa

Download Submit
C:\Windows\System\OelIdZM.exe

Filesize
5.2MB

MD5
9d7cb26d930f18612d2a53b4046e671c

SHA1
0892c1de6908bc3c2f3168d2e7c864c5cdf155bc

SHA256
b1c4a5ba1ef8d04955cfa4246cc74c80cab1cb0a0a005ddf78804ff3a2c26fae

SHA512
6ef5b90fdac3777501dcc11ccb79bb6695946de1af2ea9afeef13e01089e4615933b876ea71fbcc18e4d5342a354f24f820b21a4b85f065273588b77e8b01963

Download Submit
C:\Windows\System\QobmDtp.exe

Filesize
5.2MB

MD5
4df6ab9d16f3f7b6ec36777cb1dccf87

SHA1
e80d16697d2a5cd5d2638f08b11506960916a8bb

SHA256
f511b6a1ea074c38dbeae814425775ea2fb52f1866ae16ade8e432d16f0b5987

SHA512
a5658305de6020fdc76b0c9f1a1feabe0c1da825a1688291be160ad2b57ddd7370ee1a5992d06027c615ae8fc091170ca5dbabade8839920f796d46f09eba535

Download Submit
C:\Windows\System\VgsREEF.exe

Filesize
5.2MB

MD5
5e4659f03e6657e9fe215c0402ba840f

SHA1
895a644d8add9ee22a31dfa7ff771d3b8671d7e3

SHA256
4133aa2fa0a7a1503867c8b29ad8e4750c6be1f955c80139019eb919ad64d2be

SHA512
ce69ec98daf638e576ee35fb49aa280e7d94ebbc5c91c440e5d614de5d23923c6530eef9ed2b952efefae17832906ebe4615b9b545d403bacad3ea10114fea7e

Download Submit
C:\Windows\System\WGBbaRy.exe

Filesize
5.2MB

MD5
285ccce93ea1cfd76599cc509ee77d10

SHA1
e4074ceb3b8095dae59ed789eea42623b0dfd8e8

SHA256
7780ffa3494f4837b8c52df89749ac90028aee4a6f2230ed2478fee56f5f3838

SHA512
d2b93bafe833528b5b5a698a8c8f1bcb2f6158a73c02996ad61c674256cbeb3b559406ecf0c55f859715570a4d4d4a9fefa40f34a32877682c0f03ff50bf01c8

Download Submit
C:\Windows\System\enCocbI.exe

Filesize
5.2MB

MD5
c6196f0cda01ec830eb25f54104af09b

SHA1
40bd29e578bb6e8a54ee20acf8b0fb4620d9cb21

SHA256
eb869a6050ecf5639e7910b3487436e7d052cf59b000b114a51cb3c806cb7849

SHA512
efb92c409060313a8c7128075d140a82c8b9ff6af767455f61738ee7222a6fbdc0dd9397f717e67c7c82dd68eb7ec09452b8f6bc04e76974083f8cefa87abf90

Download Submit
C:\Windows\System\fGrdyjU.exe

Filesize
5.2MB

MD5
fd0b6101f5f4a210fef5096eb0c86b6a

SHA1
a8a508b2ddc2591f6b34e879ce4714ea02cba479

SHA256
996b076e47208d749b8edd68331dfd024367ab4a8efaaf008f04daffdec0a6f5

SHA512
4e5675fc960d4f5859a4415131c3cbad047c932d090147de5beb3c6c11a9bcf43248aba0992bbc6cb4d07d9494422e4373cf2a4c83ea2ad7f99721916d389a7e

Download Submit
C:\Windows\System\feQtaqM.exe

Filesize
5.2MB

MD5
cd0b05b4605a7b88995464ef5c4ccf7b

SHA1
a702cbd6675e3e984c5dfabb4cc0c7a98d63e8de

SHA256
48fd6a31dc815c6d96e2c66bbab211f25dc482981064910e69f4cb1f7ebfea03

SHA512
e2d3026ad353d54eb38d0f70aeee2d542dcd7e0ffa354cf25f77e161ad84881966d13b84c5d0d8be7c85f49e90e0f082da2a9e2ba9c92246b28f3ad923742d89

Download Submit
C:\Windows\System\nZhyDhm.exe

Filesize
5.2MB

MD5
8a83e20673bb9cce96affd5a9ea8948f

SHA1
f88b3c9cf30116296a4d2e90ca1e3d706b8b4c29

SHA256
bed93c51af8bdb77b3da0321635be2fb3f5abf43a28a4fa7049035ba432187e2

SHA512
92ea0eb1f39e91dd01951e193b40350548637c329f24d8c1247e903cb821ec60d7be4baec43706a6d9add425556650adfbba57ae485e895ae5a32550d2c7fdd7

Download Submit
C:\Windows\System\oqaXPrE.exe

Filesize
5.2MB

MD5
86ff37ce0772474fbdace4aaeb9e81c8

SHA1
ae1731305ab0cbd58927fc2070ef734437103eb8

SHA256
6c7a8ddfe0557babc5f1ea8b1b0adb1c76bf6af433f02b9db6aa342b74e9871a

SHA512
e785d3b96a37a632ed0a9bc78dbd2ebe4fb877c86e14d610108ab0f3883e7e73c17b64d15abcff979a064d59d5f049f310122d6234df3ec8995104f417904fa9

Download Submit
C:\Windows\System\sbJWrKK.exe

Filesize
5.2MB

MD5
9dfa6c9bf86f1f2678ce9cd06a944a9d

SHA1
646f85206b310f666761fd0c48ca4a396c169b59

SHA256
b23e96fd2fc3d2cc0d3c53f99735d8dc43048a657b1a6abcda9981206a015f63

SHA512
a322c3c4e3c3cefcfac2f2d1caceed2c8bcbdf87076e7a77467ddec99d7b309b5fdbfff2ea5c1c726ffb500b57c8fd73f3edf576b1194437950faf591c2393d6

Download Submit
C:\Windows\System\tsBMHEG.exe

Filesize
5.2MB

MD5
ec11ebb4a0287d347a603a916c61f979

SHA1
3884cbe5600ee436a40afff7c45733286e629e31

SHA256
8290a917c101b7cb3402cacafd2ed6035cb6544f51acdf4c7b24b2da2c92dfcf

SHA512
64ca06070ab975273612fd463b300464f8967a6014a4780bc39f8e09855ff5eb673729b0befe695f3df8015b99d1feadffe8c91dd8d0fb8cf47422e1b223799c

Download Submit
C:\Windows\System\uBJdpmP.exe

Filesize
5.2MB

MD5
391f0346167db96fdccadfd951ab3fd4

SHA1
32246726bfb6ca45438d96c61534f22459516dbb

SHA256
89a392efe0f79c7d4709139600161329b2ab0f04eb46bedb992579c1a62b5ab5

SHA512
1791bee289c51cd5bdc74eabfb0ae6046d57f09538549a00585f06ed27d9e929ec91a3564435193b161f6f79bf8fe218d3b2837f57091b027b3fbd2ab2b7e26f

Download Submit
C:\Windows\System\vvpvVnU.exe

Filesize
5.2MB

MD5
704f16122581fbbf1557a507db334555

SHA1
885776331bc688bf597391e358aa19e38d560914

SHA256
0d00aa5f335b8dbbb1849a96fc61c88fc6915c33e997500ed5230fe8dec84adc

SHA512
c9c92555604cc6d2c849a54e11e05c5db3c66fed8c675485a612be8d572380813f2e7de4d441e5a1d58d6e18288e8ea318fd6ea1851d4a32d77619ebaf1204ab

Download Submit
memory/208-141-0x00007FF614010000-0x00007FF614361000-memory.dmp

Filesize
3.3MB

Download
memory/208-175-0x00007FF614010000-0x00007FF614361000-memory.dmp

Filesize
3.3MB

Download
memory/208-276-0x00007FF614010000-0x00007FF614361000-memory.dmp

Filesize
3.3MB

Download
memory/844-167-0x00007FF6E32C0000-0x00007FF6E3611000-memory.dmp

Filesize
3.3MB

Download
memory/844-127-0x00007FF6E32C0000-0x00007FF6E3611000-memory.dmp

Filesize
3.3MB

Download
memory/844-271-0x00007FF6E32C0000-0x00007FF6E3611000-memory.dmp

Filesize
3.3MB

Download
memory/1432-119-0x00007FF652300000-0x00007FF652651000-memory.dmp

Filesize
3.3MB

Download
memory/1432-157-0x00007FF652300000-0x00007FF652651000-memory.dmp

Filesize
3.3MB

Download
memory/1432-267-0x00007FF652300000-0x00007FF652651000-memory.dmp

Filesize
3.3MB

Download
memory/2204-259-0x00007FF6A01E0000-0x00007FF6A0531000-memory.dmp

Filesize
3.3MB

Download
memory/2204-98-0x00007FF6A01E0000-0x00007FF6A0531000-memory.dmp

Filesize
3.3MB

Download
memory/2204-155-0x00007FF6A01E0000-0x00007FF6A0531000-memory.dmp

Filesize
3.3MB

Download
memory/2560-71-0x00007FF699150000-0x00007FF6994A1000-memory.dmp

Filesize
3.3MB

Download
memory/2560-227-0x00007FF699150000-0x00007FF6994A1000-memory.dmp

Filesize
3.3MB

Download
memory/2560-28-0x00007FF699150000-0x00007FF6994A1000-memory.dmp

Filesize
3.3MB

Download
memory/2580-113-0x00007FF7B9AF0000-0x00007FF7B9E41000-memory.dmp

Filesize
3.3MB

Download
memory/2580-240-0x00007FF7B9AF0000-0x00007FF7B9E41000-memory.dmp

Filesize
3.3MB

Download
memory/2580-53-0x00007FF7B9AF0000-0x00007FF7B9E41000-memory.dmp

Filesize
3.3MB

Download
memory/2652-85-0x00007FF6CB610000-0x00007FF6CB961000-memory.dmp

Filesize
3.3MB

Download
memory/2652-39-0x00007FF6CB610000-0x00007FF6CB961000-memory.dmp

Filesize
3.3MB

Download
memory/2652-233-0x00007FF6CB610000-0x00007FF6CB961000-memory.dmp

Filesize
3.3MB

Download
memory/2720-86-0x00007FF68B1D0000-0x00007FF68B521000-memory.dmp

Filesize
3.3MB

Download
memory/2720-252-0x00007FF68B1D0000-0x00007FF68B521000-memory.dmp

Filesize
3.3MB

Download
memory/2720-148-0x00007FF68B1D0000-0x00007FF68B521000-memory.dmp

Filesize
3.3MB

Download
memory/2892-156-0x00007FF6C0800000-0x00007FF6C0B51000-memory.dmp

Filesize
3.3MB

Download
memory/2892-105-0x00007FF6C0800000-0x00007FF6C0B51000-memory.dmp

Filesize
3.3MB

Download
memory/2892-265-0x00007FF6C0800000-0x00007FF6C0B51000-memory.dmp

Filesize
3.3MB

Download
memory/3136-176-0x00007FF673290000-0x00007FF6735E1000-memory.dmp

Filesize
3.3MB

Download
memory/3136-144-0x00007FF673290000-0x00007FF6735E1000-memory.dmp

Filesize
3.3MB

Download
memory/3136-275-0x00007FF673290000-0x00007FF6735E1000-memory.dmp

Filesize
3.3MB

Download
memory/3200-232-0x00007FF6A8A90000-0x00007FF6A8DE1000-memory.dmp

Filesize
3.3MB

Download
memory/3200-44-0x00007FF6A8A90000-0x00007FF6A8DE1000-memory.dmp

Filesize
3.3MB

Download
memory/3200-91-0x00007FF6A8A90000-0x00007FF6A8DE1000-memory.dmp

Filesize
3.3MB

Download
memory/3380-238-0x00007FF791CE0000-0x00007FF792031000-memory.dmp

Filesize
3.3MB

Download
memory/3380-104-0x00007FF791CE0000-0x00007FF792031000-memory.dmp

Filesize
3.3MB

Download
memory/3380-48-0x00007FF791CE0000-0x00007FF792031000-memory.dmp

Filesize
3.3MB

Download
memory/3704-34-0x00007FF656AF0000-0x00007FF656E41000-memory.dmp

Filesize
3.3MB

Download
memory/3704-81-0x00007FF656AF0000-0x00007FF656E41000-memory.dmp

Filesize
3.3MB

Download
memory/3704-229-0x00007FF656AF0000-0x00007FF656E41000-memory.dmp

Filesize
3.3MB

Download
memory/4036-0-0x00007FF7B4E20000-0x00007FF7B5171000-memory.dmp

Filesize
3.3MB

Download
memory/4036-57-0x00007FF7B4E20000-0x00007FF7B5171000-memory.dmp

Filesize
3.3MB

Download
memory/4036-183-0x00007FF7B4E20000-0x00007FF7B5171000-memory.dmp

Filesize
3.3MB

Download
memory/4036-1-0x0000029CE52E0000-0x0000029CE52F0000-memory.dmp

Filesize
64KB

Download
memory/4036-160-0x00007FF7B4E20000-0x00007FF7B5171000-memory.dmp

Filesize
3.3MB

Download
memory/4084-225-0x00007FF713CD0000-0x00007FF714021000-memory.dmp

Filesize
3.3MB

Download
memory/4084-25-0x00007FF713CD0000-0x00007FF714021000-memory.dmp

Filesize
3.3MB

Download
memory/4084-76-0x00007FF713CD0000-0x00007FF714021000-memory.dmp

Filesize
3.3MB

Download
memory/4448-223-0x00007FF784680000-0x00007FF7849D1000-memory.dmp

Filesize
3.3MB

Download
memory/4448-68-0x00007FF784680000-0x00007FF7849D1000-memory.dmp

Filesize
3.3MB

Download
memory/4448-16-0x00007FF784680000-0x00007FF7849D1000-memory.dmp

Filesize
3.3MB

Download
memory/4808-64-0x00007FF6BF770000-0x00007FF6BFAC1000-memory.dmp

Filesize
3.3MB

Download
memory/4808-245-0x00007FF6BF770000-0x00007FF6BFAC1000-memory.dmp

Filesize
3.3MB

Download
memory/4816-215-0x00007FF76A790000-0x00007FF76AAE1000-memory.dmp

Filesize
3.3MB

Download
memory/4816-62-0x00007FF76A790000-0x00007FF76AAE1000-memory.dmp

Filesize
3.3MB

Download
memory/4816-8-0x00007FF76A790000-0x00007FF76AAE1000-memory.dmp

Filesize
3.3MB

Download
memory/4844-159-0x00007FF6A24F0000-0x00007FF6A2841000-memory.dmp

Filesize
3.3MB

Download
memory/4844-269-0x00007FF6A24F0000-0x00007FF6A2841000-memory.dmp

Filesize
3.3MB

Download
memory/4844-125-0x00007FF6A24F0000-0x00007FF6A2841000-memory.dmp

Filesize
3.3MB

Download
memory/4884-256-0x00007FF7087F0000-0x00007FF708B41000-memory.dmp

Filesize
3.3MB

Download
memory/4884-92-0x00007FF7087F0000-0x00007FF708B41000-memory.dmp

Filesize
3.3MB

Download
memory/4884-151-0x00007FF7087F0000-0x00007FF708B41000-memory.dmp

Filesize
3.3MB

Download
memory/4948-250-0x00007FF628AF0000-0x00007FF628E41000-memory.dmp

Filesize
3.3MB

Download
memory/4948-77-0x00007FF628AF0000-0x00007FF628E41000-memory.dmp

Filesize
3.3MB

Download
memory/4948-140-0x00007FF628AF0000-0x00007FF628E41000-memory.dmp

Filesize
3.3MB

Download
memory/5064-247-0x00007FF74D290000-0x00007FF74D5E1000-memory.dmp

Filesize
3.3MB

Download
memory/5064-74-0x00007FF74D290000-0x00007FF74D5E1000-memory.dmp

Filesize
3.3MB

Download