cobaltstrike | d3d90b17c7f422b7978ee194ab8ceb68d3ce6bcb853e02ea61ab0cddbc029ebf

Analysis

max time kernel
143s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 05:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-22_d13dc3f757198a67d306a5ac93483a0c_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

d13dc3f757198a67d306a5ac93483a0c
SHA1

722a5df16d7af113fdff42d9e4c12d9dad20990d
SHA256

d3d90b17c7f422b7978ee194ab8ceb68d3ce6bcb853e02ea61ab0cddbc029ebf
SHA512

0619250d308b4b6cc683c1fecf95490b35dd07616f39849ef899905f29e71d1887697e7481c81cf65b5bf220211f758958effd44ede8b782bdb4599fe81db307
SSDEEP

49152:ROdWCCi7/raN56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lZ:RWWBib+56utgpPFotBER/mQ32lU9

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000d000000023b8f-4.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c7a-12.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c7b-16.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c7c-23.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c7d-28.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c77-35.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c7f-40.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c80-46.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c81-55.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c83-64.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c87-94.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c89-108.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c8a-123.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c8d-133.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c8c-134.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c8b-129.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c88-106.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c86-90.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c85-84.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c84-76.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c82-63.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/1528-74-0x00007FF67D1A0000-0x00007FF67D4F1000-memory.dmp	xmrig
behavioral2/memory/3744-88-0x00007FF6BDD10000-0x00007FF6BE061000-memory.dmp	xmrig
behavioral2/memory/2980-136-0x00007FF662980000-0x00007FF662CD1000-memory.dmp	xmrig
behavioral2/memory/4540-131-0x00007FF7F8CB0000-0x00007FF7F9001000-memory.dmp	xmrig
behavioral2/memory/4864-125-0x00007FF70F8A0000-0x00007FF70FBF1000-memory.dmp	xmrig
behavioral2/memory/1060-116-0x00007FF6E7940000-0x00007FF6E7C91000-memory.dmp	xmrig
behavioral2/memory/1560-111-0x00007FF6D8410000-0x00007FF6D8761000-memory.dmp	xmrig
behavioral2/memory/4032-102-0x00007FF75BBC0000-0x00007FF75BF11000-memory.dmp	xmrig
behavioral2/memory/3956-95-0x00007FF65AF00000-0x00007FF65B251000-memory.dmp	xmrig
behavioral2/memory/4904-81-0x00007FF6C1590000-0x00007FF6C18E1000-memory.dmp	xmrig
behavioral2/memory/3888-66-0x00007FF6DD580000-0x00007FF6DD8D1000-memory.dmp	xmrig
behavioral2/memory/3564-60-0x00007FF788040000-0x00007FF788391000-memory.dmp	xmrig
behavioral2/memory/4612-149-0x00007FF6BF160000-0x00007FF6BF4B1000-memory.dmp	xmrig
behavioral2/memory/3564-140-0x00007FF788040000-0x00007FF788391000-memory.dmp	xmrig
behavioral2/memory/2852-159-0x00007FF7B2500000-0x00007FF7B2851000-memory.dmp	xmrig
behavioral2/memory/4584-158-0x00007FF6B7F70000-0x00007FF6B82C1000-memory.dmp	xmrig
behavioral2/memory/4872-157-0x00007FF67BDA0000-0x00007FF67C0F1000-memory.dmp	xmrig
behavioral2/memory/2340-155-0x00007FF612A00000-0x00007FF612D51000-memory.dmp	xmrig
behavioral2/memory/4160-156-0x00007FF67CEC0000-0x00007FF67D211000-memory.dmp	xmrig
behavioral2/memory/4852-163-0x00007FF6006D0000-0x00007FF600A21000-memory.dmp	xmrig
behavioral2/memory/2992-162-0x00007FF7F6B80000-0x00007FF7F6ED1000-memory.dmp	xmrig
behavioral2/memory/396-161-0x00007FF6A6CD0000-0x00007FF6A7021000-memory.dmp	xmrig
behavioral2/memory/5040-160-0x00007FF669910000-0x00007FF669C61000-memory.dmp	xmrig
behavioral2/memory/3564-164-0x00007FF788040000-0x00007FF788391000-memory.dmp	xmrig
behavioral2/memory/3888-215-0x00007FF6DD580000-0x00007FF6DD8D1000-memory.dmp	xmrig
behavioral2/memory/1528-217-0x00007FF67D1A0000-0x00007FF67D4F1000-memory.dmp	xmrig
behavioral2/memory/4904-219-0x00007FF6C1590000-0x00007FF6C18E1000-memory.dmp	xmrig
behavioral2/memory/3744-221-0x00007FF6BDD10000-0x00007FF6BE061000-memory.dmp	xmrig
behavioral2/memory/3956-230-0x00007FF65AF00000-0x00007FF65B251000-memory.dmp	xmrig
behavioral2/memory/4032-232-0x00007FF75BBC0000-0x00007FF75BF11000-memory.dmp	xmrig
behavioral2/memory/1060-234-0x00007FF6E7940000-0x00007FF6E7C91000-memory.dmp	xmrig
behavioral2/memory/1560-237-0x00007FF6D8410000-0x00007FF6D8761000-memory.dmp	xmrig
behavioral2/memory/4864-238-0x00007FF70F8A0000-0x00007FF70FBF1000-memory.dmp	xmrig
behavioral2/memory/4540-251-0x00007FF7F8CB0000-0x00007FF7F9001000-memory.dmp	xmrig
behavioral2/memory/2980-249-0x00007FF662980000-0x00007FF662CD1000-memory.dmp	xmrig
behavioral2/memory/2852-255-0x00007FF7B2500000-0x00007FF7B2851000-memory.dmp	xmrig
behavioral2/memory/4612-254-0x00007FF6BF160000-0x00007FF6BF4B1000-memory.dmp	xmrig
behavioral2/memory/2340-257-0x00007FF612A00000-0x00007FF612D51000-memory.dmp	xmrig
behavioral2/memory/4160-259-0x00007FF67CEC0000-0x00007FF67D211000-memory.dmp	xmrig
behavioral2/memory/5040-267-0x00007FF669910000-0x00007FF669C61000-memory.dmp	xmrig
behavioral2/memory/396-266-0x00007FF6A6CD0000-0x00007FF6A7021000-memory.dmp	xmrig
behavioral2/memory/4584-271-0x00007FF6B7F70000-0x00007FF6B82C1000-memory.dmp	xmrig
behavioral2/memory/4872-270-0x00007FF67BDA0000-0x00007FF67C0F1000-memory.dmp	xmrig
behavioral2/memory/4852-264-0x00007FF6006D0000-0x00007FF600A21000-memory.dmp	xmrig
behavioral2/memory/2992-262-0x00007FF7F6B80000-0x00007FF7F6ED1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
3888	kyYctAJ.exe
1528	Vcekmke.exe
4904	wLtyUSp.exe
3744	HuBZmGj.exe
3956	PPMerXn.exe
4032	oAKmlek.exe
1560	sGOxtFu.exe
1060	qJDARcy.exe
4864	JbIAybI.exe
4540	FdzuWYb.exe
2980	lOOioTT.exe
4612	rKwDDSP.exe
2852	yxdlesc.exe
2340	hDeSRYw.exe
4160	XJFQxLC.exe
4872	LeKOCHY.exe
4584	rKiZWXM.exe
5040	OaDhLXi.exe
396	isgPjsG.exe
2992	OReuPRb.exe
4852	JsddbUi.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3564-0-0x00007FF788040000-0x00007FF788391000-memory.dmp	upx
behavioral2/files/0x000d000000023b8f-4.dat	upx
behavioral2/memory/3888-7-0x00007FF6DD580000-0x00007FF6DD8D1000-memory.dmp	upx
behavioral2/files/0x0007000000023c7a-12.dat	upx
behavioral2/files/0x0007000000023c7b-16.dat	upx
behavioral2/memory/4904-19-0x00007FF6C1590000-0x00007FF6C18E1000-memory.dmp	upx
behavioral2/files/0x0007000000023c7c-23.dat	upx
behavioral2/memory/3744-25-0x00007FF6BDD10000-0x00007FF6BE061000-memory.dmp	upx
behavioral2/memory/1528-13-0x00007FF67D1A0000-0x00007FF67D4F1000-memory.dmp	upx
behavioral2/files/0x0007000000023c7d-28.dat	upx
behavioral2/memory/3956-31-0x00007FF65AF00000-0x00007FF65B251000-memory.dmp	upx
behavioral2/files/0x0008000000023c77-35.dat	upx
behavioral2/memory/4032-36-0x00007FF75BBC0000-0x00007FF75BF11000-memory.dmp	upx
behavioral2/files/0x0007000000023c7f-40.dat	upx
behavioral2/files/0x0007000000023c80-46.dat	upx
behavioral2/memory/1060-48-0x00007FF6E7940000-0x00007FF6E7C91000-memory.dmp	upx
behavioral2/memory/4864-53-0x00007FF70F8A0000-0x00007FF70FBF1000-memory.dmp	upx
behavioral2/files/0x0007000000023c81-55.dat	upx
behavioral2/memory/4540-61-0x00007FF7F8CB0000-0x00007FF7F9001000-memory.dmp	upx
behavioral2/files/0x0007000000023c83-64.dat	upx
behavioral2/memory/1528-74-0x00007FF67D1A0000-0x00007FF67D4F1000-memory.dmp	upx
behavioral2/memory/2852-82-0x00007FF7B2500000-0x00007FF7B2851000-memory.dmp	upx
behavioral2/memory/3744-88-0x00007FF6BDD10000-0x00007FF6BE061000-memory.dmp	upx
behavioral2/files/0x0007000000023c87-94.dat	upx
behavioral2/files/0x0007000000023c89-108.dat	upx
behavioral2/memory/4584-112-0x00007FF6B7F70000-0x00007FF6B82C1000-memory.dmp	upx
behavioral2/files/0x0007000000023c8a-123.dat	upx
behavioral2/files/0x0007000000023c8d-133.dat	upx
behavioral2/memory/4852-137-0x00007FF6006D0000-0x00007FF600A21000-memory.dmp	upx
behavioral2/memory/2980-136-0x00007FF662980000-0x00007FF662CD1000-memory.dmp	upx
behavioral2/files/0x0007000000023c8c-134.dat	upx
behavioral2/memory/2992-132-0x00007FF7F6B80000-0x00007FF7F6ED1000-memory.dmp	upx
behavioral2/memory/4540-131-0x00007FF7F8CB0000-0x00007FF7F9001000-memory.dmp	upx
behavioral2/files/0x0007000000023c8b-129.dat	upx
behavioral2/memory/396-126-0x00007FF6A6CD0000-0x00007FF6A7021000-memory.dmp	upx
behavioral2/memory/4864-125-0x00007FF70F8A0000-0x00007FF70FBF1000-memory.dmp	upx
behavioral2/memory/5040-117-0x00007FF669910000-0x00007FF669C61000-memory.dmp	upx
behavioral2/memory/1060-116-0x00007FF6E7940000-0x00007FF6E7C91000-memory.dmp	upx
behavioral2/memory/1560-111-0x00007FF6D8410000-0x00007FF6D8761000-memory.dmp	upx
behavioral2/files/0x0007000000023c88-106.dat	upx
behavioral2/memory/4872-103-0x00007FF67BDA0000-0x00007FF67C0F1000-memory.dmp	upx
behavioral2/memory/4032-102-0x00007FF75BBC0000-0x00007FF75BF11000-memory.dmp	upx
behavioral2/memory/4160-96-0x00007FF67CEC0000-0x00007FF67D211000-memory.dmp	upx
behavioral2/memory/3956-95-0x00007FF65AF00000-0x00007FF65B251000-memory.dmp	upx
behavioral2/files/0x0007000000023c86-90.dat	upx
behavioral2/memory/2340-89-0x00007FF612A00000-0x00007FF612D51000-memory.dmp	upx
behavioral2/files/0x0007000000023c85-84.dat	upx
behavioral2/memory/4904-81-0x00007FF6C1590000-0x00007FF6C18E1000-memory.dmp	upx
behavioral2/files/0x0007000000023c84-76.dat	upx
behavioral2/memory/4612-75-0x00007FF6BF160000-0x00007FF6BF4B1000-memory.dmp	upx
behavioral2/memory/2980-67-0x00007FF662980000-0x00007FF662CD1000-memory.dmp	upx
behavioral2/memory/3888-66-0x00007FF6DD580000-0x00007FF6DD8D1000-memory.dmp	upx
behavioral2/files/0x0007000000023c82-63.dat	upx
behavioral2/memory/3564-60-0x00007FF788040000-0x00007FF788391000-memory.dmp	upx
behavioral2/memory/1560-42-0x00007FF6D8410000-0x00007FF6D8761000-memory.dmp	upx
behavioral2/memory/4612-149-0x00007FF6BF160000-0x00007FF6BF4B1000-memory.dmp	upx
behavioral2/memory/3564-140-0x00007FF788040000-0x00007FF788391000-memory.dmp	upx
behavioral2/memory/2852-159-0x00007FF7B2500000-0x00007FF7B2851000-memory.dmp	upx
behavioral2/memory/4584-158-0x00007FF6B7F70000-0x00007FF6B82C1000-memory.dmp	upx
behavioral2/memory/4872-157-0x00007FF67BDA0000-0x00007FF67C0F1000-memory.dmp	upx
behavioral2/memory/2340-155-0x00007FF612A00000-0x00007FF612D51000-memory.dmp	upx
behavioral2/memory/4160-156-0x00007FF67CEC0000-0x00007FF67D211000-memory.dmp	upx
behavioral2/memory/4852-163-0x00007FF6006D0000-0x00007FF600A21000-memory.dmp	upx
behavioral2/memory/2992-162-0x00007FF7F6B80000-0x00007FF7F6ED1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\oAKmlek.exe	2024-12-22_d13dc3f757198a67d306a5ac93483a0c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sGOxtFu.exe	2024-12-22_d13dc3f757198a67d306a5ac93483a0c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qJDARcy.exe	2024-12-22_d13dc3f757198a67d306a5ac93483a0c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\Vcekmke.exe	2024-12-22_d13dc3f757198a67d306a5ac93483a0c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HuBZmGj.exe	2024-12-22_d13dc3f757198a67d306a5ac93483a0c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JbIAybI.exe	2024-12-22_d13dc3f757198a67d306a5ac93483a0c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FdzuWYb.exe	2024-12-22_d13dc3f757198a67d306a5ac93483a0c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XJFQxLC.exe	2024-12-22_d13dc3f757198a67d306a5ac93483a0c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kyYctAJ.exe	2024-12-22_d13dc3f757198a67d306a5ac93483a0c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yxdlesc.exe	2024-12-22_d13dc3f757198a67d306a5ac93483a0c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LeKOCHY.exe	2024-12-22_d13dc3f757198a67d306a5ac93483a0c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rKiZWXM.exe	2024-12-22_d13dc3f757198a67d306a5ac93483a0c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OaDhLXi.exe	2024-12-22_d13dc3f757198a67d306a5ac93483a0c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JsddbUi.exe	2024-12-22_d13dc3f757198a67d306a5ac93483a0c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wLtyUSp.exe	2024-12-22_d13dc3f757198a67d306a5ac93483a0c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PPMerXn.exe	2024-12-22_d13dc3f757198a67d306a5ac93483a0c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lOOioTT.exe	2024-12-22_d13dc3f757198a67d306a5ac93483a0c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rKwDDSP.exe	2024-12-22_d13dc3f757198a67d306a5ac93483a0c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hDeSRYw.exe	2024-12-22_d13dc3f757198a67d306a5ac93483a0c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\isgPjsG.exe	2024-12-22_d13dc3f757198a67d306a5ac93483a0c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OReuPRb.exe	2024-12-22_d13dc3f757198a67d306a5ac93483a0c_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3564	2024-12-22_d13dc3f757198a67d306a5ac93483a0c_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	3564	2024-12-22_d13dc3f757198a67d306a5ac93483a0c_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3564 wrote to memory of 3888	3564	2024-12-22_d13dc3f757198a67d306a5ac93483a0c_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3564 wrote to memory of 3888	3564	2024-12-22_d13dc3f757198a67d306a5ac93483a0c_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3564 wrote to memory of 1528	3564	2024-12-22_d13dc3f757198a67d306a5ac93483a0c_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3564 wrote to memory of 1528	3564	2024-12-22_d13dc3f757198a67d306a5ac93483a0c_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3564 wrote to memory of 4904	3564	2024-12-22_d13dc3f757198a67d306a5ac93483a0c_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3564 wrote to memory of 4904	3564	2024-12-22_d13dc3f757198a67d306a5ac93483a0c_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3564 wrote to memory of 3744	3564	2024-12-22_d13dc3f757198a67d306a5ac93483a0c_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3564 wrote to memory of 3744	3564	2024-12-22_d13dc3f757198a67d306a5ac93483a0c_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3564 wrote to memory of 3956	3564	2024-12-22_d13dc3f757198a67d306a5ac93483a0c_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3564 wrote to memory of 3956	3564	2024-12-22_d13dc3f757198a67d306a5ac93483a0c_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3564 wrote to memory of 4032	3564	2024-12-22_d13dc3f757198a67d306a5ac93483a0c_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3564 wrote to memory of 4032	3564	2024-12-22_d13dc3f757198a67d306a5ac93483a0c_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3564 wrote to memory of 1560	3564	2024-12-22_d13dc3f757198a67d306a5ac93483a0c_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3564 wrote to memory of 1560	3564	2024-12-22_d13dc3f757198a67d306a5ac93483a0c_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3564 wrote to memory of 1060	3564	2024-12-22_d13dc3f757198a67d306a5ac93483a0c_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3564 wrote to memory of 1060	3564	2024-12-22_d13dc3f757198a67d306a5ac93483a0c_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3564 wrote to memory of 4864	3564	2024-12-22_d13dc3f757198a67d306a5ac93483a0c_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3564 wrote to memory of 4864	3564	2024-12-22_d13dc3f757198a67d306a5ac93483a0c_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3564 wrote to memory of 4540	3564	2024-12-22_d13dc3f757198a67d306a5ac93483a0c_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3564 wrote to memory of 4540	3564	2024-12-22_d13dc3f757198a67d306a5ac93483a0c_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3564 wrote to memory of 2980	3564	2024-12-22_d13dc3f757198a67d306a5ac93483a0c_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3564 wrote to memory of 2980	3564	2024-12-22_d13dc3f757198a67d306a5ac93483a0c_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3564 wrote to memory of 4612	3564	2024-12-22_d13dc3f757198a67d306a5ac93483a0c_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3564 wrote to memory of 4612	3564	2024-12-22_d13dc3f757198a67d306a5ac93483a0c_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3564 wrote to memory of 2852	3564	2024-12-22_d13dc3f757198a67d306a5ac93483a0c_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3564 wrote to memory of 2852	3564	2024-12-22_d13dc3f757198a67d306a5ac93483a0c_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3564 wrote to memory of 2340	3564	2024-12-22_d13dc3f757198a67d306a5ac93483a0c_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3564 wrote to memory of 2340	3564	2024-12-22_d13dc3f757198a67d306a5ac93483a0c_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3564 wrote to memory of 4160	3564	2024-12-22_d13dc3f757198a67d306a5ac93483a0c_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3564 wrote to memory of 4160	3564	2024-12-22_d13dc3f757198a67d306a5ac93483a0c_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3564 wrote to memory of 4872	3564	2024-12-22_d13dc3f757198a67d306a5ac93483a0c_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3564 wrote to memory of 4872	3564	2024-12-22_d13dc3f757198a67d306a5ac93483a0c_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3564 wrote to memory of 4584	3564	2024-12-22_d13dc3f757198a67d306a5ac93483a0c_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3564 wrote to memory of 4584	3564	2024-12-22_d13dc3f757198a67d306a5ac93483a0c_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3564 wrote to memory of 5040	3564	2024-12-22_d13dc3f757198a67d306a5ac93483a0c_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3564 wrote to memory of 5040	3564	2024-12-22_d13dc3f757198a67d306a5ac93483a0c_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3564 wrote to memory of 396	3564	2024-12-22_d13dc3f757198a67d306a5ac93483a0c_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 3564 wrote to memory of 396	3564	2024-12-22_d13dc3f757198a67d306a5ac93483a0c_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 3564 wrote to memory of 2992	3564	2024-12-22_d13dc3f757198a67d306a5ac93483a0c_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 3564 wrote to memory of 2992	3564	2024-12-22_d13dc3f757198a67d306a5ac93483a0c_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 3564 wrote to memory of 4852	3564	2024-12-22_d13dc3f757198a67d306a5ac93483a0c_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 3564 wrote to memory of 4852	3564	2024-12-22_d13dc3f757198a67d306a5ac93483a0c_cobalt-strike_cobaltstrike_poet-rat.exe	106

C:\Users\Admin\AppData\Local\Temp\2024-12-22_d13dc3f757198a67d306a5ac93483a0c_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-22_d13dc3f757198a67d306a5ac93483a0c_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3564
- C:\Windows\System\kyYctAJ.exe
  C:\Windows\System\kyYctAJ.exe
  2⤵
  - Executes dropped EXE
  PID:3888
- C:\Windows\System\Vcekmke.exe
  C:\Windows\System\Vcekmke.exe
  2⤵
  - Executes dropped EXE
  PID:1528
- C:\Windows\System\wLtyUSp.exe
  C:\Windows\System\wLtyUSp.exe
  2⤵
  - Executes dropped EXE
  PID:4904
- C:\Windows\System\HuBZmGj.exe
  C:\Windows\System\HuBZmGj.exe
  2⤵
  - Executes dropped EXE
  PID:3744
- C:\Windows\System\PPMerXn.exe
  C:\Windows\System\PPMerXn.exe
  2⤵
  - Executes dropped EXE
  PID:3956
- C:\Windows\System\oAKmlek.exe
  C:\Windows\System\oAKmlek.exe
  2⤵
  - Executes dropped EXE
  PID:4032
- C:\Windows\System\sGOxtFu.exe
  C:\Windows\System\sGOxtFu.exe
  2⤵
  - Executes dropped EXE
  PID:1560
- C:\Windows\System\qJDARcy.exe
  C:\Windows\System\qJDARcy.exe
  2⤵
  - Executes dropped EXE
  PID:1060
- C:\Windows\System\JbIAybI.exe
  C:\Windows\System\JbIAybI.exe
  2⤵
  - Executes dropped EXE
  PID:4864
- C:\Windows\System\FdzuWYb.exe
  C:\Windows\System\FdzuWYb.exe
  2⤵
  - Executes dropped EXE
  PID:4540
- C:\Windows\System\lOOioTT.exe
  C:\Windows\System\lOOioTT.exe
  2⤵
  - Executes dropped EXE
  PID:2980
- C:\Windows\System\rKwDDSP.exe
  C:\Windows\System\rKwDDSP.exe
  2⤵
  - Executes dropped EXE
  PID:4612
- C:\Windows\System\yxdlesc.exe
  C:\Windows\System\yxdlesc.exe
  2⤵
  - Executes dropped EXE
  PID:2852
- C:\Windows\System\hDeSRYw.exe
  C:\Windows\System\hDeSRYw.exe
  2⤵
  - Executes dropped EXE
  PID:2340
- C:\Windows\System\XJFQxLC.exe
  C:\Windows\System\XJFQxLC.exe
  2⤵
  - Executes dropped EXE
  PID:4160
- C:\Windows\System\LeKOCHY.exe
  C:\Windows\System\LeKOCHY.exe
  2⤵
  - Executes dropped EXE
  PID:4872
- C:\Windows\System\rKiZWXM.exe
  C:\Windows\System\rKiZWXM.exe
  2⤵
  - Executes dropped EXE
  PID:4584
- C:\Windows\System\OaDhLXi.exe
  C:\Windows\System\OaDhLXi.exe
  2⤵
  - Executes dropped EXE
  PID:5040
- C:\Windows\System\isgPjsG.exe
  C:\Windows\System\isgPjsG.exe
  2⤵
  - Executes dropped EXE
  PID:396
- C:\Windows\System\OReuPRb.exe
  C:\Windows\System\OReuPRb.exe
  2⤵
  - Executes dropped EXE
  PID:2992
- C:\Windows\System\JsddbUi.exe
  C:\Windows\System\JsddbUi.exe
  2⤵
  - Executes dropped EXE
  PID:4852

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\FdzuWYb.exe

Filesize
5.2MB

MD5
f39876e00072eacc2cbc5b923ec016a6

SHA1
97f4a6a4a8f7180d442177e2a46c65a4eec6da68

SHA256
a24b50023e88274da10110f6f308684a8caaf7dddd439b0850c5cafca3849e47

SHA512
1a38f7b4a890cf82b3ac7b8ca81d711632c3a0c4dfd820b0be3a520f9c548b194af752bb9f55a6643ddfd12c125e63ba7aa97bb5a71818a41a3c26dec0b5b159

Download Submit
C:\Windows\System\HuBZmGj.exe

Filesize
5.2MB

MD5
5be488ddcd354f22a07d30274d36ab54

SHA1
9432f3bf9ab357eba61ab7bcde412929dc604d71

SHA256
406fbef12c53168c543d93fc17bcf38da53c3aae3e6eeec54832e987bfaab536

SHA512
a6361de2014e69e55b4f0b3265b59e3897e37e61398a030d18dfd83fd45c17dff42991420ddbd381295e8ab5668cf51b24d2da30802529a7d9664a01c5e2c8a2

Download Submit
C:\Windows\System\JbIAybI.exe

Filesize
5.2MB

MD5
759cae26a78460ebf14e30c9cea72da5

SHA1
f7a34c92d80d6b5ccaeb0f0d38bb0ebd8124b86e

SHA256
e778fdc60066e6de306b207af4de35961370de671f510211c5c6cc7009a9659c

SHA512
ebfd66a759ac7ba87124c41728d31288231bf6c2a0b9a25a8b37ef9214713156e775427a38946b76918b96cdcac05383719a5670b02dc9efb4c96e1939515173

Download Submit
C:\Windows\System\JsddbUi.exe

Filesize
5.2MB

MD5
0e1581716e6066dbb8863b18a3d73b7b

SHA1
8ca46be2e2bac4dbc080ab50b0fdccea6c54b3a7

SHA256
42c65c3c93eb38fd0c17039b20cf956d0e68f4934b914cd3cdb45d720317f905

SHA512
82cd7421318a53f10c3c42338559f1583f6d3ce2f2dc2ffeb81837bf2da4c0db368bc0d04bccb96345c10021326f86d65b87198d5719c79e9f99ab1456a5532e

Download Submit
C:\Windows\System\LeKOCHY.exe

Filesize
5.2MB

MD5
7a7af5450dcde76ce25f842184318f20

SHA1
8febb5eeeaa694266885990e412bcf254ffb59ec

SHA256
952fdc17d461641adb1b2a42e1e7e55e793de61907737710a43fb17b042996a8

SHA512
d2d0812574e81266f5d48f40e06f5b2961006f32261be44dbc1f6f71b6b09424dbefbaae28134128a6c21a9a8e201f0797616f6a2ed7cc79047c597c68e8ed28

Download Submit
C:\Windows\System\OReuPRb.exe

Filesize
5.2MB

MD5
c807356e4b8f4cf7c9751830a04c72fa

SHA1
9fb65bde52accd54491ca0723b1351e369dde3fc

SHA256
5c223ddbc299ec51389e7ceb6114bd97b76a81a1f7fbf606e471f7612a00cca2

SHA512
e152eff5fd567f9bceeb60d08cd33b21779472732922e1b5d0ea46722cdc562d59f63ca1e5d6cd831f601965b326a128fbd08d8291cf134fd53d83d51ae970c8

Download Submit
C:\Windows\System\OaDhLXi.exe

Filesize
5.2MB

MD5
641d4005834ae759e728a5c8cf76f233

SHA1
7f16975294ccfb1ff60ce3e149e8ffd49dcfdd7c

SHA256
b63177f384ffb1fe8c8332261db3cbc5c0d8b91350c416181ca2398d41295f42

SHA512
826c5fa13496240d2c8d5b9c69736bccef6ea2127ff3498a76bd8f41a6d4f2ced79540eaed1f08071fc967f558ceeed8b64cc425e82591bcf36e6c50b7f1c796

Download Submit
C:\Windows\System\PPMerXn.exe

Filesize
5.2MB

MD5
e89bf0722f1bfdfde4aa938f15299d71

SHA1
8298e3bdfc08421dbda48e6c95d8104642ceff8e

SHA256
42725ba7cccc31db77f9976ebfabf90856fab996d8d318fd4ce345b952cec840

SHA512
7403071d94d53f689ebfd08af5b3ec0b82ad46746f9f2898a7b31b976e1bb59e86b16172478b671cb4e664a9315817ee0e24b2182a22bdc9b381772ca0f1d214

Download Submit
C:\Windows\System\Vcekmke.exe

Filesize
5.2MB

MD5
17b9f74a7a44556d0f491f5d649c8c4b

SHA1
5445f3011eac8c88b9e32d89e3b27a35c62689d8

SHA256
01d1f8ab62daee3ce11a5910e49a3c3ddf3dd99521beb6c139b14e929b09f92e

SHA512
463e189ea04d7f66e67b556e570512a2734c3b3fe6603c303123050c1b957b480e6e47d8c18a8b429042a368c5cbec4d519b91e91f61003e9110d7bc0aa1d17f

Download Submit
C:\Windows\System\XJFQxLC.exe

Filesize
5.2MB

MD5
5df106cb21dc9c42ecb4a5ef4eee48fd

SHA1
d4a30bfec5e31874284ee0ccb5739b5dafeab515

SHA256
d211056cdb834a7310d2f108369d6816e34abcc2d506772cb54fe457fde69c90

SHA512
b6d01e3ca37b3110a15ff093b43e66bfc1286e1e7c8453ea955c9e15b95f4c8cfac6aed9c4a1925a7078197835af37840ca7b98bf97e92e7d2d0416650d6e065

Download Submit
C:\Windows\System\hDeSRYw.exe

Filesize
5.2MB

MD5
69e3266eff855cb011df575c8b8028cf

SHA1
470a3ad8fe65ba18cc9da204ef15d1c097e8cea6

SHA256
3623330e8b15e03cfde2f89b23adbd231fea683cb924fda94ab7123628c3df8b

SHA512
90281bb419fef3a0189d135ae40a9e285181197e7168f326c8d392e943f0d0f5ceddc4f868f005dcd1fdba19325a4c15a1f45627611ef4bf7746728214f98687

Download Submit
C:\Windows\System\isgPjsG.exe

Filesize
5.2MB

MD5
36727270ef2f6639602ba6c0685bd676

SHA1
3f3f6ac80a73ee7e4b84f17c477a37b82052e415

SHA256
61eaab4e2c5ec3d2387bc5d19955ad5f5f9243dae6f640564e2aecdc9b7ac901

SHA512
a664575fa23c786eedf0f3a4645e7207e73b06ae783998ae42cddbbc8fbe12ed4e3f4ece344aaed63b435f36097418c7b026ce8d78501c50885251323a5304c2

Download Submit
C:\Windows\System\kyYctAJ.exe

Filesize
5.2MB

MD5
8eec871aa46082063efb666fb9571f64

SHA1
3c9bd651b779e2330ea3eac01787b2072afd8141

SHA256
a5d86b0c1e82b5abe6125fc6dd0183084dad1422b0779693d11edeac9b25b7a1

SHA512
0e0e9070d97c5eb76dd59a4faf1cc7610661b072d9f4cb6f946417946fed6a7cf8dbc152a988186a50678c0d72c2390ff67ca7974893b2d2d7449653224065bd

Download Submit
C:\Windows\System\lOOioTT.exe

Filesize
5.2MB

MD5
dcc40a6f0407820358bd8ba412364143

SHA1
8060169e1ab1e037a5a827828200c84ec2664560

SHA256
0766fae97d7e25eccd084194f8397538cdbebc4dfd605d4751d1bdb0026c6e96

SHA512
74a56755e3b541f3d61a07e662ccd1f612d424b19d03518260a1d004d07987e81b93401343d0c2498e73e95f9bb6fca6409cf1a99a6d21d2f46490e27c1f3389

Download Submit
C:\Windows\System\oAKmlek.exe

Filesize
5.2MB

MD5
f9690d3db9deb0857b6eaad166cd6f15

SHA1
d2f370715bcfe89b16c9ea3b924093b89ce150e5

SHA256
b2545c83a70ce2ff878f3c0a9e68a226d85f805716680d58146ffe7d014061a9

SHA512
9afa4aac1c5823590b3cea27574e81f0172554375f4bd0551dd441cdf838d00d9df4a18fb6cdc74e4912ca773fe7f5bbbe5713894500efa3ee4a2adc6695ff5c

Download Submit
C:\Windows\System\qJDARcy.exe

Filesize
5.2MB

MD5
4f5321fed6cdd5938cc22fa3ef8672ff

SHA1
d807b99683f55ad18f60e7ce69d27e88c714e7b2

SHA256
1f376cab4d8de22d06efbc5c2c6ed7ec501b01aae2a42ea56188aef35c8ad73b

SHA512
8269b631a3bd8865be30f63bff51765cca9c08492ccc72e0fef3f83be06a8ffb261d7a119526fda403ac5948cba43b9287273aabf64ada42b10aeacdbf187971

Download Submit
C:\Windows\System\rKiZWXM.exe

Filesize
5.2MB

MD5
83e57a0765e7216ac476da486a33a0fd

SHA1
abb9e0ff70735d6f9e429892343c3aa5075d7255

SHA256
0746b15651b88f6dd9370671c3458fd40683721df45079f50538a486e7b41466

SHA512
69546bf0ecebbebfb06ea1a6b5e417c9a12d887848337b81da2903eed560f0d1ba73ed5869525efff6b5a9786308b3299b12c5f9c18429149bc69263305aad9b

Download Submit
C:\Windows\System\rKwDDSP.exe

Filesize
5.2MB

MD5
252e51efb8c1166004b83144be5bc659

SHA1
76324fcce7ad840254078b6c77e2ffc2b36c4076

SHA256
ed5d0ad94911572ff1c2462d905569f0734accdc62fb64675eec846819575c2a

SHA512
b6f143e42d635eafb55df61687da437ba36c4265f2a3501c61c3285e5f669c708b8224d7fd3e894be897941bf52d889ab2f66c5d5201f0ee4a5eb5b3c814b8ac

Download Submit
C:\Windows\System\sGOxtFu.exe

Filesize
5.2MB

MD5
f6346f8bbb389dda44fb71ed7bb9e125

SHA1
0efd1d2ef350e9b4fa28f3753593d5f457d59aaa

SHA256
2349592673368d4581b62cd5e3445c74cfd84436f1ff896e6fbb818d80ed4695

SHA512
d057e7c58aa79cf64e71c2694f9c91caeac951b716e6d040b9c344df26861c3c5e0a9c603015e9ef1db74bfce4114a014c80542cd208091fdd4e58bc44ed60e0

Download Submit
C:\Windows\System\wLtyUSp.exe

Filesize
5.2MB

MD5
ff334ddeff4baff2f23aa5e7ec9873b7

SHA1
67a53fbac7071e6e781c4f2711a406abcf1cd2f1

SHA256
13a291580b6d6f41118c9685ed4ef32e341f08f8ece472935c3d9dec83f49197

SHA512
08c84efe92c1ffe5508ec95110deea8acfc3140bbce2a3f627a35de08b3c465de5cc0c8d7f6d93f904e6dafcffc24fbaff9e59a265f2b0875ecd61d4bf5ae94d

Download Submit
C:\Windows\System\yxdlesc.exe

Filesize
5.2MB

MD5
2b0a1ba91e978711034cb2c50befa4f7

SHA1
ca0184384582ac6ec54cd6c8860a34b1a3341939

SHA256
8123be878fa34dc01992842b15cd94120018119c79c586e304546c3fa5f75b67

SHA512
060510c304ebdf380dfdae9ee22efbb5f915c64bf56133edc07bc2c68856f14f5eaf3643bc1d960e438203129faed4fe47e7478486d569dacb4bfd337b76fa69

Download Submit
memory/396-266-0x00007FF6A6CD0000-0x00007FF6A7021000-memory.dmp

Filesize
3.3MB

Download
memory/396-126-0x00007FF6A6CD0000-0x00007FF6A7021000-memory.dmp

Filesize
3.3MB

Download
memory/396-161-0x00007FF6A6CD0000-0x00007FF6A7021000-memory.dmp

Filesize
3.3MB

Download
memory/1060-48-0x00007FF6E7940000-0x00007FF6E7C91000-memory.dmp

Filesize
3.3MB

Download
memory/1060-234-0x00007FF6E7940000-0x00007FF6E7C91000-memory.dmp

Filesize
3.3MB

Download
memory/1060-116-0x00007FF6E7940000-0x00007FF6E7C91000-memory.dmp

Filesize
3.3MB

Download
memory/1528-74-0x00007FF67D1A0000-0x00007FF67D4F1000-memory.dmp

Filesize
3.3MB

Download
memory/1528-13-0x00007FF67D1A0000-0x00007FF67D4F1000-memory.dmp

Filesize
3.3MB

Download
memory/1528-217-0x00007FF67D1A0000-0x00007FF67D4F1000-memory.dmp

Filesize
3.3MB

Download
memory/1560-111-0x00007FF6D8410000-0x00007FF6D8761000-memory.dmp

Filesize
3.3MB

Download
memory/1560-42-0x00007FF6D8410000-0x00007FF6D8761000-memory.dmp

Filesize
3.3MB

Download
memory/1560-237-0x00007FF6D8410000-0x00007FF6D8761000-memory.dmp

Filesize
3.3MB

Download
memory/2340-257-0x00007FF612A00000-0x00007FF612D51000-memory.dmp

Filesize
3.3MB

Download
memory/2340-155-0x00007FF612A00000-0x00007FF612D51000-memory.dmp

Filesize
3.3MB

Download
memory/2340-89-0x00007FF612A00000-0x00007FF612D51000-memory.dmp

Filesize
3.3MB

Download
memory/2852-159-0x00007FF7B2500000-0x00007FF7B2851000-memory.dmp

Filesize
3.3MB

Download
memory/2852-82-0x00007FF7B2500000-0x00007FF7B2851000-memory.dmp

Filesize
3.3MB

Download
memory/2852-255-0x00007FF7B2500000-0x00007FF7B2851000-memory.dmp

Filesize
3.3MB

Download
memory/2980-136-0x00007FF662980000-0x00007FF662CD1000-memory.dmp

Filesize
3.3MB

Download
memory/2980-67-0x00007FF662980000-0x00007FF662CD1000-memory.dmp

Filesize
3.3MB

Download
memory/2980-249-0x00007FF662980000-0x00007FF662CD1000-memory.dmp

Filesize
3.3MB

Download
memory/2992-132-0x00007FF7F6B80000-0x00007FF7F6ED1000-memory.dmp

Filesize
3.3MB

Download
memory/2992-162-0x00007FF7F6B80000-0x00007FF7F6ED1000-memory.dmp

Filesize
3.3MB

Download
memory/2992-262-0x00007FF7F6B80000-0x00007FF7F6ED1000-memory.dmp

Filesize
3.3MB

Download
memory/3564-164-0x00007FF788040000-0x00007FF788391000-memory.dmp

Filesize
3.3MB

Download
memory/3564-60-0x00007FF788040000-0x00007FF788391000-memory.dmp

Filesize
3.3MB

Download
memory/3564-0-0x00007FF788040000-0x00007FF788391000-memory.dmp

Filesize
3.3MB

Download
memory/3564-1-0x000001EBCABC0000-0x000001EBCABD0000-memory.dmp

Filesize
64KB

Download
memory/3564-140-0x00007FF788040000-0x00007FF788391000-memory.dmp

Filesize
3.3MB

Download
memory/3744-221-0x00007FF6BDD10000-0x00007FF6BE061000-memory.dmp

Filesize
3.3MB

Download
memory/3744-88-0x00007FF6BDD10000-0x00007FF6BE061000-memory.dmp

Filesize
3.3MB

Download
memory/3744-25-0x00007FF6BDD10000-0x00007FF6BE061000-memory.dmp

Filesize
3.3MB

Download
memory/3888-66-0x00007FF6DD580000-0x00007FF6DD8D1000-memory.dmp

Filesize
3.3MB

Download
memory/3888-7-0x00007FF6DD580000-0x00007FF6DD8D1000-memory.dmp

Filesize
3.3MB

Download
memory/3888-215-0x00007FF6DD580000-0x00007FF6DD8D1000-memory.dmp

Filesize
3.3MB

Download
memory/3956-31-0x00007FF65AF00000-0x00007FF65B251000-memory.dmp

Filesize
3.3MB

Download
memory/3956-230-0x00007FF65AF00000-0x00007FF65B251000-memory.dmp

Filesize
3.3MB

Download
memory/3956-95-0x00007FF65AF00000-0x00007FF65B251000-memory.dmp

Filesize
3.3MB

Download
memory/4032-232-0x00007FF75BBC0000-0x00007FF75BF11000-memory.dmp

Filesize
3.3MB

Download
memory/4032-36-0x00007FF75BBC0000-0x00007FF75BF11000-memory.dmp

Filesize
3.3MB

Download
memory/4032-102-0x00007FF75BBC0000-0x00007FF75BF11000-memory.dmp

Filesize
3.3MB

Download
memory/4160-259-0x00007FF67CEC0000-0x00007FF67D211000-memory.dmp

Filesize
3.3MB

Download
memory/4160-156-0x00007FF67CEC0000-0x00007FF67D211000-memory.dmp

Filesize
3.3MB

Download
memory/4160-96-0x00007FF67CEC0000-0x00007FF67D211000-memory.dmp

Filesize
3.3MB

Download
memory/4540-131-0x00007FF7F8CB0000-0x00007FF7F9001000-memory.dmp

Filesize
3.3MB

Download
memory/4540-251-0x00007FF7F8CB0000-0x00007FF7F9001000-memory.dmp

Filesize
3.3MB

Download
memory/4540-61-0x00007FF7F8CB0000-0x00007FF7F9001000-memory.dmp

Filesize
3.3MB

Download
memory/4584-112-0x00007FF6B7F70000-0x00007FF6B82C1000-memory.dmp

Filesize
3.3MB

Download
memory/4584-271-0x00007FF6B7F70000-0x00007FF6B82C1000-memory.dmp

Filesize
3.3MB

Download
memory/4584-158-0x00007FF6B7F70000-0x00007FF6B82C1000-memory.dmp

Filesize
3.3MB

Download
memory/4612-254-0x00007FF6BF160000-0x00007FF6BF4B1000-memory.dmp

Filesize
3.3MB

Download
memory/4612-149-0x00007FF6BF160000-0x00007FF6BF4B1000-memory.dmp

Filesize
3.3MB

Download
memory/4612-75-0x00007FF6BF160000-0x00007FF6BF4B1000-memory.dmp

Filesize
3.3MB

Download
memory/4852-137-0x00007FF6006D0000-0x00007FF600A21000-memory.dmp

Filesize
3.3MB

Download
memory/4852-264-0x00007FF6006D0000-0x00007FF600A21000-memory.dmp

Filesize
3.3MB

Download
memory/4852-163-0x00007FF6006D0000-0x00007FF600A21000-memory.dmp

Filesize
3.3MB

Download
memory/4864-238-0x00007FF70F8A0000-0x00007FF70FBF1000-memory.dmp

Filesize
3.3MB

Download
memory/4864-53-0x00007FF70F8A0000-0x00007FF70FBF1000-memory.dmp

Filesize
3.3MB

Download
memory/4864-125-0x00007FF70F8A0000-0x00007FF70FBF1000-memory.dmp

Filesize
3.3MB

Download
memory/4872-157-0x00007FF67BDA0000-0x00007FF67C0F1000-memory.dmp

Filesize
3.3MB

Download
memory/4872-270-0x00007FF67BDA0000-0x00007FF67C0F1000-memory.dmp

Filesize
3.3MB

Download
memory/4872-103-0x00007FF67BDA0000-0x00007FF67C0F1000-memory.dmp

Filesize
3.3MB

Download
memory/4904-219-0x00007FF6C1590000-0x00007FF6C18E1000-memory.dmp

Filesize
3.3MB

Download
memory/4904-19-0x00007FF6C1590000-0x00007FF6C18E1000-memory.dmp

Filesize
3.3MB

Download
memory/4904-81-0x00007FF6C1590000-0x00007FF6C18E1000-memory.dmp

Filesize
3.3MB

Download
memory/5040-160-0x00007FF669910000-0x00007FF669C61000-memory.dmp

Filesize
3.3MB

Download
memory/5040-267-0x00007FF669910000-0x00007FF669C61000-memory.dmp

Filesize
3.3MB

Download
memory/5040-117-0x00007FF669910000-0x00007FF669C61000-memory.dmp

Filesize
3.3MB

Download