cobaltstrike | e5a096e7ed3ee1d3bd4269492ca8ac1aa131f86213e8772d6e8128c56fe3c043

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 16:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-22_32d7bae9a57e0da5d4e081064d258bdb_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

32d7bae9a57e0da5d4e081064d258bdb
SHA1

cd532d6b056127c7f563e6e53d2289ba76e2aa36
SHA256

e5a096e7ed3ee1d3bd4269492ca8ac1aa131f86213e8772d6e8128c56fe3c043
SHA512

06e87a85a4d0ff7ec9b3327d6e710a8434ac268c1c287e1fd71fbdc5a948467dd03c1c8f93e9f079cc08c99dd2235b5cb7a9d03542573ff25b0a5c5bcac01332
SSDEEP

49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lk:RWWBibd56utgpPFotBER/mQ32lUI

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000c000000023b9a-5.dat	cobalt_reflective_dll
behavioral2/files/0x000e000000023bae-14.dat	cobalt_reflective_dll
behavioral2/files/0x000c000000023b9d-15.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bb7-22.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023bbd-30.dat	cobalt_reflective_dll
behavioral2/files/0x000e000000023bc2-39.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023bbe-43.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bc4-47.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bc7-53.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bc8-59.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bc9-65.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bca-77.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bf9-80.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bfa-88.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bfb-94.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bfc-103.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bfd-109.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bfe-116.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c03-126.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c04-133.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c05-137.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 47 IoCs

miner

resource	yara_rule
behavioral2/memory/4880-60-0x00007FF7F86E0000-0x00007FF7F8A31000-memory.dmp	xmrig
behavioral2/memory/1116-68-0x00007FF6C0500000-0x00007FF6C0851000-memory.dmp	xmrig
behavioral2/memory/436-81-0x00007FF7A4D30000-0x00007FF7A5081000-memory.dmp	xmrig
behavioral2/memory/640-67-0x00007FF6CD1E0000-0x00007FF6CD531000-memory.dmp	xmrig
behavioral2/memory/3276-85-0x00007FF7C0D50000-0x00007FF7C10A1000-memory.dmp	xmrig
behavioral2/memory/4516-96-0x00007FF6DF7F0000-0x00007FF6DFB41000-memory.dmp	xmrig
behavioral2/memory/3168-93-0x00007FF6DDB90000-0x00007FF6DDEE1000-memory.dmp	xmrig
behavioral2/memory/3060-90-0x00007FF7DFD70000-0x00007FF7E00C1000-memory.dmp	xmrig
behavioral2/memory/740-110-0x00007FF794E40000-0x00007FF795191000-memory.dmp	xmrig
behavioral2/memory/4976-106-0x00007FF7700B0000-0x00007FF770401000-memory.dmp	xmrig
behavioral2/memory/5016-104-0x00007FF71ACB0000-0x00007FF71B001000-memory.dmp	xmrig
behavioral2/memory/3624-118-0x00007FF7BA410000-0x00007FF7BA761000-memory.dmp	xmrig
behavioral2/memory/3492-124-0x00007FF61B070000-0x00007FF61B3C1000-memory.dmp	xmrig
behavioral2/memory/2252-132-0x00007FF6A4F20000-0x00007FF6A5271000-memory.dmp	xmrig
behavioral2/memory/3004-114-0x00007FF65CD10000-0x00007FF65D061000-memory.dmp	xmrig
behavioral2/memory/2084-139-0x00007FF7E9FE0000-0x00007FF7EA331000-memory.dmp	xmrig
behavioral2/memory/1648-141-0x00007FF72C7D0000-0x00007FF72CB21000-memory.dmp	xmrig
behavioral2/memory/312-143-0x00007FF78D980000-0x00007FF78DCD1000-memory.dmp	xmrig
behavioral2/memory/4880-142-0x00007FF7F86E0000-0x00007FF7F8A31000-memory.dmp	xmrig
behavioral2/memory/4976-152-0x00007FF7700B0000-0x00007FF770401000-memory.dmp	xmrig
behavioral2/memory/4136-155-0x00007FF78F900000-0x00007FF78FC51000-memory.dmp	xmrig
behavioral2/memory/4944-162-0x00007FF6853A0000-0x00007FF6856F1000-memory.dmp	xmrig
behavioral2/memory/3476-164-0x00007FF7053C0000-0x00007FF705711000-memory.dmp	xmrig
behavioral2/memory/1648-168-0x00007FF72C7D0000-0x00007FF72CB21000-memory.dmp	xmrig
behavioral2/memory/2496-169-0x00007FF7FD690000-0x00007FF7FD9E1000-memory.dmp	xmrig
behavioral2/memory/4880-170-0x00007FF7F86E0000-0x00007FF7F8A31000-memory.dmp	xmrig
behavioral2/memory/640-220-0x00007FF6CD1E0000-0x00007FF6CD531000-memory.dmp	xmrig
behavioral2/memory/1116-222-0x00007FF6C0500000-0x00007FF6C0851000-memory.dmp	xmrig
behavioral2/memory/436-228-0x00007FF7A4D30000-0x00007FF7A5081000-memory.dmp	xmrig
behavioral2/memory/3276-230-0x00007FF7C0D50000-0x00007FF7C10A1000-memory.dmp	xmrig
behavioral2/memory/3060-232-0x00007FF7DFD70000-0x00007FF7E00C1000-memory.dmp	xmrig
behavioral2/memory/5016-234-0x00007FF71ACB0000-0x00007FF71B001000-memory.dmp	xmrig
behavioral2/memory/4516-236-0x00007FF6DF7F0000-0x00007FF6DFB41000-memory.dmp	xmrig
behavioral2/memory/740-241-0x00007FF794E40000-0x00007FF795191000-memory.dmp	xmrig
behavioral2/memory/3004-243-0x00007FF65CD10000-0x00007FF65D061000-memory.dmp	xmrig
behavioral2/memory/3624-245-0x00007FF7BA410000-0x00007FF7BA761000-memory.dmp	xmrig
behavioral2/memory/3492-250-0x00007FF61B070000-0x00007FF61B3C1000-memory.dmp	xmrig
behavioral2/memory/2252-252-0x00007FF6A4F20000-0x00007FF6A5271000-memory.dmp	xmrig
behavioral2/memory/2084-254-0x00007FF7E9FE0000-0x00007FF7EA331000-memory.dmp	xmrig
behavioral2/memory/3168-258-0x00007FF6DDB90000-0x00007FF6DDEE1000-memory.dmp	xmrig
behavioral2/memory/312-260-0x00007FF78D980000-0x00007FF78DCD1000-memory.dmp	xmrig
behavioral2/memory/4976-263-0x00007FF7700B0000-0x00007FF770401000-memory.dmp	xmrig
behavioral2/memory/4136-265-0x00007FF78F900000-0x00007FF78FC51000-memory.dmp	xmrig
behavioral2/memory/4944-271-0x00007FF6853A0000-0x00007FF6856F1000-memory.dmp	xmrig
behavioral2/memory/3476-273-0x00007FF7053C0000-0x00007FF705711000-memory.dmp	xmrig
behavioral2/memory/2496-275-0x00007FF7FD690000-0x00007FF7FD9E1000-memory.dmp	xmrig
behavioral2/memory/1648-277-0x00007FF72C7D0000-0x00007FF72CB21000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
640	dzTGBSn.exe
1116	jhjmmii.exe
436	CnHjhAL.exe
3276	ddJtJUs.exe
3060	zpXTXlz.exe
4516	AgZsQMf.exe
5016	DhlKyet.exe
740	CaudyPu.exe
3004	AvVkWwU.exe
3624	ohaRdqm.exe
3492	BgWYCPC.exe
2252	UaRQppC.exe
2084	PdWIXYr.exe
3168	YfuhXHs.exe
312	ykGOyYN.exe
4976	fbArIIp.exe
4136	plfhdys.exe
4944	UnGwTwX.exe
3476	BkGgpGM.exe
2496	IxxMEah.exe
1648	lTpXSIX.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4880-0-0x00007FF7F86E0000-0x00007FF7F8A31000-memory.dmp	upx
behavioral2/files/0x000c000000023b9a-5.dat	upx
behavioral2/memory/640-8-0x00007FF6CD1E0000-0x00007FF6CD531000-memory.dmp	upx
behavioral2/files/0x000e000000023bae-14.dat	upx
behavioral2/files/0x000c000000023b9d-15.dat	upx
behavioral2/memory/1116-16-0x00007FF6C0500000-0x00007FF6C0851000-memory.dmp	upx
behavioral2/memory/436-18-0x00007FF7A4D30000-0x00007FF7A5081000-memory.dmp	upx
behavioral2/files/0x0008000000023bb7-22.dat	upx
behavioral2/memory/3276-25-0x00007FF7C0D50000-0x00007FF7C10A1000-memory.dmp	upx
behavioral2/files/0x0009000000023bbd-30.dat	upx
behavioral2/memory/3060-29-0x00007FF7DFD70000-0x00007FF7E00C1000-memory.dmp	upx
behavioral2/memory/4516-35-0x00007FF6DF7F0000-0x00007FF6DFB41000-memory.dmp	upx
behavioral2/files/0x000e000000023bc2-39.dat	upx
behavioral2/files/0x0009000000023bbe-43.dat	upx
behavioral2/memory/5016-40-0x00007FF71ACB0000-0x00007FF71B001000-memory.dmp	upx
behavioral2/files/0x0008000000023bc4-47.dat	upx
behavioral2/memory/740-49-0x00007FF794E40000-0x00007FF795191000-memory.dmp	upx
behavioral2/files/0x0008000000023bc7-53.dat	upx
behavioral2/memory/3004-56-0x00007FF65CD10000-0x00007FF65D061000-memory.dmp	upx
behavioral2/files/0x0008000000023bc8-59.dat	upx
behavioral2/memory/3624-61-0x00007FF7BA410000-0x00007FF7BA761000-memory.dmp	upx
behavioral2/memory/4880-60-0x00007FF7F86E0000-0x00007FF7F8A31000-memory.dmp	upx
behavioral2/files/0x0008000000023bc9-65.dat	upx
behavioral2/memory/1116-68-0x00007FF6C0500000-0x00007FF6C0851000-memory.dmp	upx
behavioral2/files/0x0008000000023bca-77.dat	upx
behavioral2/files/0x0008000000023bf9-80.dat	upx
behavioral2/memory/2084-82-0x00007FF7E9FE0000-0x00007FF7EA331000-memory.dmp	upx
behavioral2/memory/436-81-0x00007FF7A4D30000-0x00007FF7A5081000-memory.dmp	upx
behavioral2/memory/2252-79-0x00007FF6A4F20000-0x00007FF6A5271000-memory.dmp	upx
behavioral2/memory/3492-69-0x00007FF61B070000-0x00007FF61B3C1000-memory.dmp	upx
behavioral2/memory/640-67-0x00007FF6CD1E0000-0x00007FF6CD531000-memory.dmp	upx
behavioral2/memory/3276-85-0x00007FF7C0D50000-0x00007FF7C10A1000-memory.dmp	upx
behavioral2/files/0x0008000000023bfa-88.dat	upx
behavioral2/files/0x0008000000023bfb-94.dat	upx
behavioral2/memory/312-99-0x00007FF78D980000-0x00007FF78DCD1000-memory.dmp	upx
behavioral2/memory/4516-96-0x00007FF6DF7F0000-0x00007FF6DFB41000-memory.dmp	upx
behavioral2/memory/3168-93-0x00007FF6DDB90000-0x00007FF6DDEE1000-memory.dmp	upx
behavioral2/memory/3060-90-0x00007FF7DFD70000-0x00007FF7E00C1000-memory.dmp	upx
behavioral2/files/0x0008000000023bfc-103.dat	upx
behavioral2/files/0x0008000000023bfd-109.dat	upx
behavioral2/memory/4136-111-0x00007FF78F900000-0x00007FF78FC51000-memory.dmp	upx
behavioral2/memory/740-110-0x00007FF794E40000-0x00007FF795191000-memory.dmp	upx
behavioral2/memory/4976-106-0x00007FF7700B0000-0x00007FF770401000-memory.dmp	upx
behavioral2/memory/5016-104-0x00007FF71ACB0000-0x00007FF71B001000-memory.dmp	upx
behavioral2/files/0x0008000000023bfe-116.dat	upx
behavioral2/memory/3624-118-0x00007FF7BA410000-0x00007FF7BA761000-memory.dmp	upx
behavioral2/memory/3492-124-0x00007FF61B070000-0x00007FF61B3C1000-memory.dmp	upx
behavioral2/memory/3476-127-0x00007FF7053C0000-0x00007FF705711000-memory.dmp	upx
behavioral2/files/0x0008000000023c03-126.dat	upx
behavioral2/files/0x0008000000023c04-133.dat	upx
behavioral2/memory/2252-132-0x00007FF6A4F20000-0x00007FF6A5271000-memory.dmp	upx
behavioral2/memory/4944-119-0x00007FF6853A0000-0x00007FF6856F1000-memory.dmp	upx
behavioral2/memory/3004-114-0x00007FF65CD10000-0x00007FF65D061000-memory.dmp	upx
behavioral2/files/0x0008000000023c05-137.dat	upx
behavioral2/memory/2084-139-0x00007FF7E9FE0000-0x00007FF7EA331000-memory.dmp	upx
behavioral2/memory/2496-135-0x00007FF7FD690000-0x00007FF7FD9E1000-memory.dmp	upx
behavioral2/memory/1648-141-0x00007FF72C7D0000-0x00007FF72CB21000-memory.dmp	upx
behavioral2/memory/312-143-0x00007FF78D980000-0x00007FF78DCD1000-memory.dmp	upx
behavioral2/memory/4880-142-0x00007FF7F86E0000-0x00007FF7F8A31000-memory.dmp	upx
behavioral2/memory/4976-152-0x00007FF7700B0000-0x00007FF770401000-memory.dmp	upx
behavioral2/memory/4136-155-0x00007FF78F900000-0x00007FF78FC51000-memory.dmp	upx
behavioral2/memory/4944-162-0x00007FF6853A0000-0x00007FF6856F1000-memory.dmp	upx
behavioral2/memory/3476-164-0x00007FF7053C0000-0x00007FF705711000-memory.dmp	upx
behavioral2/memory/1648-168-0x00007FF72C7D0000-0x00007FF72CB21000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\ddJtJUs.exe	2024-12-22_32d7bae9a57e0da5d4e081064d258bdb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CaudyPu.exe	2024-12-22_32d7bae9a57e0da5d4e081064d258bdb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BgWYCPC.exe	2024-12-22_32d7bae9a57e0da5d4e081064d258bdb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UaRQppC.exe	2024-12-22_32d7bae9a57e0da5d4e081064d258bdb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fbArIIp.exe	2024-12-22_32d7bae9a57e0da5d4e081064d258bdb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CnHjhAL.exe	2024-12-22_32d7bae9a57e0da5d4e081064d258bdb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DhlKyet.exe	2024-12-22_32d7bae9a57e0da5d4e081064d258bdb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AvVkWwU.exe	2024-12-22_32d7bae9a57e0da5d4e081064d258bdb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IxxMEah.exe	2024-12-22_32d7bae9a57e0da5d4e081064d258bdb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lTpXSIX.exe	2024-12-22_32d7bae9a57e0da5d4e081064d258bdb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dzTGBSn.exe	2024-12-22_32d7bae9a57e0da5d4e081064d258bdb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AgZsQMf.exe	2024-12-22_32d7bae9a57e0da5d4e081064d258bdb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ohaRdqm.exe	2024-12-22_32d7bae9a57e0da5d4e081064d258bdb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ykGOyYN.exe	2024-12-22_32d7bae9a57e0da5d4e081064d258bdb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\plfhdys.exe	2024-12-22_32d7bae9a57e0da5d4e081064d258bdb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UnGwTwX.exe	2024-12-22_32d7bae9a57e0da5d4e081064d258bdb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BkGgpGM.exe	2024-12-22_32d7bae9a57e0da5d4e081064d258bdb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jhjmmii.exe	2024-12-22_32d7bae9a57e0da5d4e081064d258bdb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PdWIXYr.exe	2024-12-22_32d7bae9a57e0da5d4e081064d258bdb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YfuhXHs.exe	2024-12-22_32d7bae9a57e0da5d4e081064d258bdb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zpXTXlz.exe	2024-12-22_32d7bae9a57e0da5d4e081064d258bdb_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4880	2024-12-22_32d7bae9a57e0da5d4e081064d258bdb_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4880	2024-12-22_32d7bae9a57e0da5d4e081064d258bdb_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4880 wrote to memory of 640	4880	2024-12-22_32d7bae9a57e0da5d4e081064d258bdb_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 4880 wrote to memory of 640	4880	2024-12-22_32d7bae9a57e0da5d4e081064d258bdb_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 4880 wrote to memory of 1116	4880	2024-12-22_32d7bae9a57e0da5d4e081064d258bdb_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4880 wrote to memory of 1116	4880	2024-12-22_32d7bae9a57e0da5d4e081064d258bdb_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4880 wrote to memory of 436	4880	2024-12-22_32d7bae9a57e0da5d4e081064d258bdb_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4880 wrote to memory of 436	4880	2024-12-22_32d7bae9a57e0da5d4e081064d258bdb_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4880 wrote to memory of 3276	4880	2024-12-22_32d7bae9a57e0da5d4e081064d258bdb_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4880 wrote to memory of 3276	4880	2024-12-22_32d7bae9a57e0da5d4e081064d258bdb_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4880 wrote to memory of 3060	4880	2024-12-22_32d7bae9a57e0da5d4e081064d258bdb_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4880 wrote to memory of 3060	4880	2024-12-22_32d7bae9a57e0da5d4e081064d258bdb_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4880 wrote to memory of 4516	4880	2024-12-22_32d7bae9a57e0da5d4e081064d258bdb_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4880 wrote to memory of 4516	4880	2024-12-22_32d7bae9a57e0da5d4e081064d258bdb_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4880 wrote to memory of 5016	4880	2024-12-22_32d7bae9a57e0da5d4e081064d258bdb_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4880 wrote to memory of 5016	4880	2024-12-22_32d7bae9a57e0da5d4e081064d258bdb_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4880 wrote to memory of 740	4880	2024-12-22_32d7bae9a57e0da5d4e081064d258bdb_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4880 wrote to memory of 740	4880	2024-12-22_32d7bae9a57e0da5d4e081064d258bdb_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4880 wrote to memory of 3004	4880	2024-12-22_32d7bae9a57e0da5d4e081064d258bdb_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4880 wrote to memory of 3004	4880	2024-12-22_32d7bae9a57e0da5d4e081064d258bdb_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4880 wrote to memory of 3624	4880	2024-12-22_32d7bae9a57e0da5d4e081064d258bdb_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4880 wrote to memory of 3624	4880	2024-12-22_32d7bae9a57e0da5d4e081064d258bdb_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4880 wrote to memory of 3492	4880	2024-12-22_32d7bae9a57e0da5d4e081064d258bdb_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4880 wrote to memory of 3492	4880	2024-12-22_32d7bae9a57e0da5d4e081064d258bdb_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4880 wrote to memory of 2252	4880	2024-12-22_32d7bae9a57e0da5d4e081064d258bdb_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4880 wrote to memory of 2252	4880	2024-12-22_32d7bae9a57e0da5d4e081064d258bdb_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4880 wrote to memory of 2084	4880	2024-12-22_32d7bae9a57e0da5d4e081064d258bdb_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4880 wrote to memory of 2084	4880	2024-12-22_32d7bae9a57e0da5d4e081064d258bdb_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4880 wrote to memory of 3168	4880	2024-12-22_32d7bae9a57e0da5d4e081064d258bdb_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4880 wrote to memory of 3168	4880	2024-12-22_32d7bae9a57e0da5d4e081064d258bdb_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4880 wrote to memory of 312	4880	2024-12-22_32d7bae9a57e0da5d4e081064d258bdb_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4880 wrote to memory of 312	4880	2024-12-22_32d7bae9a57e0da5d4e081064d258bdb_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4880 wrote to memory of 4976	4880	2024-12-22_32d7bae9a57e0da5d4e081064d258bdb_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4880 wrote to memory of 4976	4880	2024-12-22_32d7bae9a57e0da5d4e081064d258bdb_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4880 wrote to memory of 4136	4880	2024-12-22_32d7bae9a57e0da5d4e081064d258bdb_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4880 wrote to memory of 4136	4880	2024-12-22_32d7bae9a57e0da5d4e081064d258bdb_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4880 wrote to memory of 4944	4880	2024-12-22_32d7bae9a57e0da5d4e081064d258bdb_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4880 wrote to memory of 4944	4880	2024-12-22_32d7bae9a57e0da5d4e081064d258bdb_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4880 wrote to memory of 3476	4880	2024-12-22_32d7bae9a57e0da5d4e081064d258bdb_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4880 wrote to memory of 3476	4880	2024-12-22_32d7bae9a57e0da5d4e081064d258bdb_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4880 wrote to memory of 2496	4880	2024-12-22_32d7bae9a57e0da5d4e081064d258bdb_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4880 wrote to memory of 2496	4880	2024-12-22_32d7bae9a57e0da5d4e081064d258bdb_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4880 wrote to memory of 1648	4880	2024-12-22_32d7bae9a57e0da5d4e081064d258bdb_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4880 wrote to memory of 1648	4880	2024-12-22_32d7bae9a57e0da5d4e081064d258bdb_cobalt-strike_cobaltstrike_poet-rat.exe	103

C:\Users\Admin\AppData\Local\Temp\2024-12-22_32d7bae9a57e0da5d4e081064d258bdb_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-22_32d7bae9a57e0da5d4e081064d258bdb_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4880
- C:\Windows\System\dzTGBSn.exe
  C:\Windows\System\dzTGBSn.exe
  2⤵
  - Executes dropped EXE
  PID:640
- C:\Windows\System\jhjmmii.exe
  C:\Windows\System\jhjmmii.exe
  2⤵
  - Executes dropped EXE
  PID:1116
- C:\Windows\System\CnHjhAL.exe
  C:\Windows\System\CnHjhAL.exe
  2⤵
  - Executes dropped EXE
  PID:436
- C:\Windows\System\ddJtJUs.exe
  C:\Windows\System\ddJtJUs.exe
  2⤵
  - Executes dropped EXE
  PID:3276
- C:\Windows\System\zpXTXlz.exe
  C:\Windows\System\zpXTXlz.exe
  2⤵
  - Executes dropped EXE
  PID:3060
- C:\Windows\System\AgZsQMf.exe
  C:\Windows\System\AgZsQMf.exe
  2⤵
  - Executes dropped EXE
  PID:4516
- C:\Windows\System\DhlKyet.exe
  C:\Windows\System\DhlKyet.exe
  2⤵
  - Executes dropped EXE
  PID:5016
- C:\Windows\System\CaudyPu.exe
  C:\Windows\System\CaudyPu.exe
  2⤵
  - Executes dropped EXE
  PID:740
- C:\Windows\System\AvVkWwU.exe
  C:\Windows\System\AvVkWwU.exe
  2⤵
  - Executes dropped EXE
  PID:3004
- C:\Windows\System\ohaRdqm.exe
  C:\Windows\System\ohaRdqm.exe
  2⤵
  - Executes dropped EXE
  PID:3624
- C:\Windows\System\BgWYCPC.exe
  C:\Windows\System\BgWYCPC.exe
  2⤵
  - Executes dropped EXE
  PID:3492
- C:\Windows\System\UaRQppC.exe
  C:\Windows\System\UaRQppC.exe
  2⤵
  - Executes dropped EXE
  PID:2252
- C:\Windows\System\PdWIXYr.exe
  C:\Windows\System\PdWIXYr.exe
  2⤵
  - Executes dropped EXE
  PID:2084
- C:\Windows\System\YfuhXHs.exe
  C:\Windows\System\YfuhXHs.exe
  2⤵
  - Executes dropped EXE
  PID:3168
- C:\Windows\System\ykGOyYN.exe
  C:\Windows\System\ykGOyYN.exe
  2⤵
  - Executes dropped EXE
  PID:312
- C:\Windows\System\fbArIIp.exe
  C:\Windows\System\fbArIIp.exe
  2⤵
  - Executes dropped EXE
  PID:4976
- C:\Windows\System\plfhdys.exe
  C:\Windows\System\plfhdys.exe
  2⤵
  - Executes dropped EXE
  PID:4136
- C:\Windows\System\UnGwTwX.exe
  C:\Windows\System\UnGwTwX.exe
  2⤵
  - Executes dropped EXE
  PID:4944
- C:\Windows\System\BkGgpGM.exe
  C:\Windows\System\BkGgpGM.exe
  2⤵
  - Executes dropped EXE
  PID:3476
- C:\Windows\System\IxxMEah.exe
  C:\Windows\System\IxxMEah.exe
  2⤵
  - Executes dropped EXE
  PID:2496
- C:\Windows\System\lTpXSIX.exe
  C:\Windows\System\lTpXSIX.exe
  2⤵
  - Executes dropped EXE
  PID:1648

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AgZsQMf.exe

Filesize
5.2MB

MD5
05c69a8cefe669725d87775d7eb05e1b

SHA1
910e5e794f1cc6e6ccfd481e5cb4ed866e380e28

SHA256
20a07df7af15e7f2517ca8fc2d13dc891929cc47f7ac5b4f7c708e976c0c228e

SHA512
841102e8c0bb8d24e6f7c9cea945b3a90a77ca160c8397b081454fdddd2fb6f04bfaf2b78c2f01f5af86bcb780bb1a4a194994cf19466ddbbb4536c23cdee158

Download Submit
C:\Windows\System\AvVkWwU.exe

Filesize
5.2MB

MD5
228ebbe27a47690c8bb0dc8bd855937c

SHA1
4ee1edf6b91e4016ab7e51b0f056b58d618a6e39

SHA256
29160f126289f35b8ebaf4d13e5e022575b0276520b4fcf8cffb462a84a19944

SHA512
59ce653b0c0624c835c742d88585b6e1dedfc33d3654b4e2e5c13a56baf6fda5f153669442e910771da1e672d8bb15a6911bd61cdbc570600d77ab85f33fcf0c

Download Submit
C:\Windows\System\BgWYCPC.exe

Filesize
5.2MB

MD5
d60f860e16261fe143dd0260fc05a93b

SHA1
5b3df341ec46cb01125154c67b221359b1ade896

SHA256
a688c839126703ebfe9a751c12e746b39b7ab169ee7969131a40682b989f76a9

SHA512
8ec59bc274a4f518cd13deedadbde4a9b42c924c3d8c9b379323be74d6d1b3c18612dd4e2371f82ed964d5d5fd57f9d73f83db07891fad54d05880e0236ad565

Download Submit
C:\Windows\System\BkGgpGM.exe

Filesize
5.2MB

MD5
24ceaf27cd610f905b2f4c0d77418a89

SHA1
f306fe59401cfb04f598c96998b34cc97453128b

SHA256
3ef24def013bd30a51cd38632ad3ec03f7f03e4a4ca38ecf883e4e9191d63026

SHA512
9d0b238289e575f24180323a4c844e5f6e0cfd601213d9caadacf0e1bd1de73c8069e7b6d3aa67f9590bfcdc21e5c55d1ea61aa77fa3025278b6b444bab87fba

Download Submit
C:\Windows\System\CaudyPu.exe

Filesize
5.2MB

MD5
4e1e730e6560cbbfcdd34f0855fb9dba

SHA1
c61566d594a2328a58e404929f226380f26f55cf

SHA256
9666400a5f61f1a56ef13691a0bac683406250b72668cff83a8eaf2ad40e8853

SHA512
1a5eb2465d3f3a8b6c5b61ce04cefd22b1136e08f8b7ca5444955220c8b0b2ccda8b16f2894ddf3a1e93e2d314d554559319aca43c9585cd77c838600c07ef79

Download Submit
C:\Windows\System\CnHjhAL.exe

Filesize
5.2MB

MD5
b5c72ac0d3c962d41fd7c1b78c1dda35

SHA1
940626b8d7beed348153137adea6d90580b9deb1

SHA256
ccff8b771b0ea1d11e3845e3430727c068baf2104db4291a227a467ed5de434f

SHA512
39d5b2c91351d970791dadb87c4b83fa9b7513e2897aacc4153a878257f10dd384526c9fa122c6a831e86cc0e49a71eaead279c8dd0b531b5eae1b11af8552c3

Download Submit
C:\Windows\System\DhlKyet.exe

Filesize
5.2MB

MD5
54754a7c14ad53cb39f9a96e72d0ea1c

SHA1
e84fe34347cf0bb63541d092b3feb7a0cf9316b1

SHA256
0a596f4148edada08fb117f2fa5d6826989238fa3f6a29204fe5b480deece824

SHA512
fb55b5d6163d1f46617a2857ce1e1b5e4a1c0a341d16140e905423cbd4c48bae43b85c53f6140c6d733dd02a9a51fb1778af5987437aaa4d4ffc44e19c531418

Download Submit
C:\Windows\System\IxxMEah.exe

Filesize
5.2MB

MD5
7d8be54a08b970637da0a62851ea7b1c

SHA1
d0b30cf61eb10b0ab1d845144a0aa46dd4d3ab64

SHA256
67bdd32b87e6e099a78b93327d66838779b87be07ddaa71567c98c97fbee2c84

SHA512
a35ce64553a16bfb2a50c093674a4b9d9ca7044549c564877182621b8742a3585ab3344cc66b8acde4975e76b32aa5035623f86ae5fee2e37947e89547bfb54a

Download Submit
C:\Windows\System\PdWIXYr.exe

Filesize
5.2MB

MD5
c299224f9ac56c12de7d0c470aa9b5cc

SHA1
cc8c1cab7b4d5e3f463fa118b62c61ea3f2512f9

SHA256
80fe3410e7afa0a85e80eb6543d7509883c2de1002057ffa0ed05015ffcf997c

SHA512
ac4d666f24bc7cde9fb380928549c23d9c93ff6e68b5345018b727c75493444d7dc19cc03751f385a2eb80f7b9fe41f906fd586012386bfedbee6ca8b35ed6b2

Download Submit
C:\Windows\System\UaRQppC.exe

Filesize
5.2MB

MD5
0666a486343c40f2ca08d8c1ab349d7f

SHA1
46aaa68d3621796344f6073387cd8a5e34f5c60c

SHA256
35a30826cb7ddcbea88f0e098715caa28221a1282e5327088f0564c4d939fb73

SHA512
ab6b885ac3ea8b48c5b0118ca39789edecd827668afe5e4285c4fea9b65efbab1859fd15031ff6713c166453c8845f9b1b5e755e10d7699a4920f32f17611cea

Download Submit
C:\Windows\System\UnGwTwX.exe

Filesize
5.2MB

MD5
693e7c251023607fe6c96378144afc46

SHA1
0b2ebf6e7783b91087c891d14f8d7869bbb851df

SHA256
eff5f2a59ccb50acb2311b8bc57c8e0484accc94a9582385754038083058e8ce

SHA512
522e1da567bf21acea78ca8363accb85d3a2d60c6e43cd59656d7cd2a7c83cda812e08db8e1a1e95312b7c67fa8ab9f297ee433105a9b008872a65d2dd39c0b6

Download Submit
C:\Windows\System\YfuhXHs.exe

Filesize
5.2MB

MD5
1f70d1b07adf3589132c0d6bc0cf6b28

SHA1
e03f3d05a7b2ed9dae4c0328a6f7ab7ee4daed94

SHA256
ba2dd412703faf3ae9c09aeb52ca4494ddefc17631455784a993b89af8ecd9d7

SHA512
b98a173c9bc273cf8bb3a931273f2b5a7416b433d0ddc5bc4fdc33ac9dd0e2efbd5f4cde4ba067ea1059f09181268d7e778fd5fbe4106349b7fd70c04840d6b0

Download Submit
C:\Windows\System\ddJtJUs.exe

Filesize
5.2MB

MD5
38052a10ae580c2a72ce5ebc250488fc

SHA1
9a43a858baf1f4deac451c22a156eaf45135f115

SHA256
d002fbeb8eb47b3f47bd35ded96a33898c49ad24f26536bf2914dc1ee5ed9eec

SHA512
0a338ec8e22d4aef6b0e1ffca6091101c662d0284238bf9f08997c78dfb204673d52c0d2dfe1ae6d6de42a4a6f29a4b47360255ced99caf36884f389f4c36751

Download Submit
C:\Windows\System\dzTGBSn.exe

Filesize
5.2MB

MD5
338623840edabe18741f05d904128690

SHA1
a30d90532af6379662326d64df3ca3f27b6e11ba

SHA256
56168a135090949580622696cfcf7dc358a5c92c6c92b22672025b4f9200704b

SHA512
91242b15fa7f69399d7573741d2e4d480301e67bba3b201651a6d35f2fb9ee7f9e0d8777948bae1351eea12b386261b0b36c40f805405e3de20b054be04f8d4b

Download Submit
C:\Windows\System\fbArIIp.exe

Filesize
5.2MB

MD5
62aa85f5e56b5df349c64c574e9d7e2b

SHA1
cd14c410ceafc718c1541ee186884adc52503998

SHA256
78a893d23d07f13f4068dd9bb89454376324933fb3b207e5cc2afa669ae77b57

SHA512
b4fc035e207eb336bbbb5c2fafd6ad6e494c16c159ce8a4a439f4c36fb6c1fd5be359a52ddcfc5dac0afcf18e25fc3f31a8d2986a0d32720d3568e5a9772600b

Download Submit
C:\Windows\System\jhjmmii.exe

Filesize
5.2MB

MD5
c6598e3e27710e0e7b3a0492ff1806a4

SHA1
d3acc5d804b6369a7bc48a9aa92591c36d33d34e

SHA256
53319dced54a76059fad27d6f7e2eaefcde2d549fbcb9ddc860a2ccac513296d

SHA512
6f0ec1387e4f608f29c0ac160560b46a20c1217b677442b0ae5b136f83d888e59d96b629058c2df34695fa7551754638089918010802d40ab2d4c3904c1f4c74

Download Submit
C:\Windows\System\lTpXSIX.exe

Filesize
5.2MB

MD5
d4db66df5a8930dcafad1b0d938a2f24

SHA1
4171fe6b1b486009a6e82367a76c253682ae0b29

SHA256
5c9c6d06513d562d68ca3011b899f20488c3e6ad1fbf39953951eb189a227326

SHA512
ac9551251ecd8eb11035116ca40f73d9b5a1dc3eab20820f86b45c85050868e75fc724eddec0438884f103b1ab3d63fd71119a3de4366533852f5750327b61d3

Download Submit
C:\Windows\System\ohaRdqm.exe

Filesize
5.2MB

MD5
f96e13c139f9272b89971c0784d4413b

SHA1
3f75216fde2862b04439b2e23ff46eabb1777c15

SHA256
f801186cec5129a697129a450dffc45ae7f85b722ae02cc063aca53d44ee9d10

SHA512
371ec3470700ed6f2cd033dbc3d106f0177872f7246070f72801d4ffa4f57dcc457a50cf9cf91e47700605447ce0d4d282f590a5c82674371218af573be89fa2

Download Submit
C:\Windows\System\plfhdys.exe

Filesize
5.2MB

MD5
9902d66d1ed2cd9fe49b9ea4c3db11f5

SHA1
eadb32ba8464ae79f15b95d941d7d6acd4c3d4df

SHA256
1bacb9ce73a1331039bbd72a5d44fb3dcf1bee1fafbc54b65e9324a2ff6d8dba

SHA512
703fe13dbe2cd77faededf949fad4b5c56756dec0cad1ef703f6d0ab917930ebe57ceff27b27bed1b8795245a3c92f7ad572ecd0a9ef57401d014c54ce190b74

Download Submit
C:\Windows\System\ykGOyYN.exe

Filesize
5.2MB

MD5
027075996e1bbdb7894268b3c37d3ab4

SHA1
3bb047762d078e183aca3d601243dca8b36d8a80

SHA256
074000b622a87a3deaa7b7570e416fa0d8d9f8d96695a4a3e73955b72624f128

SHA512
1f867a9d6c9cdb540e52d804cb27889bf233c547da2e5b8e56f516a0029feda150a6beff7bc30fd45111ebff003fe6fa596b6438c6ba3bade9769202e9694bd9

Download Submit
C:\Windows\System\zpXTXlz.exe

Filesize
5.2MB

MD5
197e61b275de8d3a846955f1290c7444

SHA1
9846e0717eb08cfed6b01b1f992ee029416d4667

SHA256
2a2e1117412fb4458329969c04504cc216abafab3a8667a10dc3a45bd4f0afc8

SHA512
ec690b60908c0b217c53d0caf1a3bc62b162c59bb6e34c16f0743db2de682915e1668f379630fcefa6253da2cd440a7216f0cae9fd52ac5ef4e1f30aadc3bf62

Download Submit
memory/312-260-0x00007FF78D980000-0x00007FF78DCD1000-memory.dmp

Filesize
3.3MB

Download
memory/312-143-0x00007FF78D980000-0x00007FF78DCD1000-memory.dmp

Filesize
3.3MB

Download
memory/312-99-0x00007FF78D980000-0x00007FF78DCD1000-memory.dmp

Filesize
3.3MB

Download
memory/436-18-0x00007FF7A4D30000-0x00007FF7A5081000-memory.dmp

Filesize
3.3MB

Download
memory/436-228-0x00007FF7A4D30000-0x00007FF7A5081000-memory.dmp

Filesize
3.3MB

Download
memory/436-81-0x00007FF7A4D30000-0x00007FF7A5081000-memory.dmp

Filesize
3.3MB

Download
memory/640-67-0x00007FF6CD1E0000-0x00007FF6CD531000-memory.dmp

Filesize
3.3MB

Download
memory/640-8-0x00007FF6CD1E0000-0x00007FF6CD531000-memory.dmp

Filesize
3.3MB

Download
memory/640-220-0x00007FF6CD1E0000-0x00007FF6CD531000-memory.dmp

Filesize
3.3MB

Download
memory/740-49-0x00007FF794E40000-0x00007FF795191000-memory.dmp

Filesize
3.3MB

Download
memory/740-241-0x00007FF794E40000-0x00007FF795191000-memory.dmp

Filesize
3.3MB

Download
memory/740-110-0x00007FF794E40000-0x00007FF795191000-memory.dmp

Filesize
3.3MB

Download
memory/1116-222-0x00007FF6C0500000-0x00007FF6C0851000-memory.dmp

Filesize
3.3MB

Download
memory/1116-68-0x00007FF6C0500000-0x00007FF6C0851000-memory.dmp

Filesize
3.3MB

Download
memory/1116-16-0x00007FF6C0500000-0x00007FF6C0851000-memory.dmp

Filesize
3.3MB

Download
memory/1648-168-0x00007FF72C7D0000-0x00007FF72CB21000-memory.dmp

Filesize
3.3MB

Download
memory/1648-141-0x00007FF72C7D0000-0x00007FF72CB21000-memory.dmp

Filesize
3.3MB

Download
memory/1648-277-0x00007FF72C7D0000-0x00007FF72CB21000-memory.dmp

Filesize
3.3MB

Download
memory/2084-254-0x00007FF7E9FE0000-0x00007FF7EA331000-memory.dmp

Filesize
3.3MB

Download
memory/2084-139-0x00007FF7E9FE0000-0x00007FF7EA331000-memory.dmp

Filesize
3.3MB

Download
memory/2084-82-0x00007FF7E9FE0000-0x00007FF7EA331000-memory.dmp

Filesize
3.3MB

Download
memory/2252-252-0x00007FF6A4F20000-0x00007FF6A5271000-memory.dmp

Filesize
3.3MB

Download
memory/2252-79-0x00007FF6A4F20000-0x00007FF6A5271000-memory.dmp

Filesize
3.3MB

Download
memory/2252-132-0x00007FF6A4F20000-0x00007FF6A5271000-memory.dmp

Filesize
3.3MB

Download
memory/2496-169-0x00007FF7FD690000-0x00007FF7FD9E1000-memory.dmp

Filesize
3.3MB

Download
memory/2496-135-0x00007FF7FD690000-0x00007FF7FD9E1000-memory.dmp

Filesize
3.3MB

Download
memory/2496-275-0x00007FF7FD690000-0x00007FF7FD9E1000-memory.dmp

Filesize
3.3MB

Download
memory/3004-243-0x00007FF65CD10000-0x00007FF65D061000-memory.dmp

Filesize
3.3MB

Download
memory/3004-56-0x00007FF65CD10000-0x00007FF65D061000-memory.dmp

Filesize
3.3MB

Download
memory/3004-114-0x00007FF65CD10000-0x00007FF65D061000-memory.dmp

Filesize
3.3MB

Download
memory/3060-90-0x00007FF7DFD70000-0x00007FF7E00C1000-memory.dmp

Filesize
3.3MB

Download
memory/3060-29-0x00007FF7DFD70000-0x00007FF7E00C1000-memory.dmp

Filesize
3.3MB

Download
memory/3060-232-0x00007FF7DFD70000-0x00007FF7E00C1000-memory.dmp

Filesize
3.3MB

Download
memory/3168-258-0x00007FF6DDB90000-0x00007FF6DDEE1000-memory.dmp

Filesize
3.3MB

Download
memory/3168-93-0x00007FF6DDB90000-0x00007FF6DDEE1000-memory.dmp

Filesize
3.3MB

Download
memory/3276-25-0x00007FF7C0D50000-0x00007FF7C10A1000-memory.dmp

Filesize
3.3MB

Download
memory/3276-230-0x00007FF7C0D50000-0x00007FF7C10A1000-memory.dmp

Filesize
3.3MB

Download
memory/3276-85-0x00007FF7C0D50000-0x00007FF7C10A1000-memory.dmp

Filesize
3.3MB

Download
memory/3476-273-0x00007FF7053C0000-0x00007FF705711000-memory.dmp

Filesize
3.3MB

Download
memory/3476-127-0x00007FF7053C0000-0x00007FF705711000-memory.dmp

Filesize
3.3MB

Download
memory/3476-164-0x00007FF7053C0000-0x00007FF705711000-memory.dmp

Filesize
3.3MB

Download
memory/3492-124-0x00007FF61B070000-0x00007FF61B3C1000-memory.dmp

Filesize
3.3MB

Download
memory/3492-250-0x00007FF61B070000-0x00007FF61B3C1000-memory.dmp

Filesize
3.3MB

Download
memory/3492-69-0x00007FF61B070000-0x00007FF61B3C1000-memory.dmp

Filesize
3.3MB

Download
memory/3624-61-0x00007FF7BA410000-0x00007FF7BA761000-memory.dmp

Filesize
3.3MB

Download
memory/3624-118-0x00007FF7BA410000-0x00007FF7BA761000-memory.dmp

Filesize
3.3MB

Download
memory/3624-245-0x00007FF7BA410000-0x00007FF7BA761000-memory.dmp

Filesize
3.3MB

Download
memory/4136-155-0x00007FF78F900000-0x00007FF78FC51000-memory.dmp

Filesize
3.3MB

Download
memory/4136-265-0x00007FF78F900000-0x00007FF78FC51000-memory.dmp

Filesize
3.3MB

Download
memory/4136-111-0x00007FF78F900000-0x00007FF78FC51000-memory.dmp

Filesize
3.3MB

Download
memory/4516-35-0x00007FF6DF7F0000-0x00007FF6DFB41000-memory.dmp

Filesize
3.3MB

Download
memory/4516-96-0x00007FF6DF7F0000-0x00007FF6DFB41000-memory.dmp

Filesize
3.3MB

Download
memory/4516-236-0x00007FF6DF7F0000-0x00007FF6DFB41000-memory.dmp

Filesize
3.3MB

Download
memory/4880-0-0x00007FF7F86E0000-0x00007FF7F8A31000-memory.dmp

Filesize
3.3MB

Download
memory/4880-142-0x00007FF7F86E0000-0x00007FF7F8A31000-memory.dmp

Filesize
3.3MB

Download
memory/4880-1-0x000001EBA57D0000-0x000001EBA57E0000-memory.dmp

Filesize
64KB

Download
memory/4880-170-0x00007FF7F86E0000-0x00007FF7F8A31000-memory.dmp

Filesize
3.3MB

Download
memory/4880-60-0x00007FF7F86E0000-0x00007FF7F8A31000-memory.dmp

Filesize
3.3MB

Download
memory/4944-119-0x00007FF6853A0000-0x00007FF6856F1000-memory.dmp

Filesize
3.3MB

Download
memory/4944-271-0x00007FF6853A0000-0x00007FF6856F1000-memory.dmp

Filesize
3.3MB

Download
memory/4944-162-0x00007FF6853A0000-0x00007FF6856F1000-memory.dmp

Filesize
3.3MB

Download
memory/4976-106-0x00007FF7700B0000-0x00007FF770401000-memory.dmp

Filesize
3.3MB

Download
memory/4976-263-0x00007FF7700B0000-0x00007FF770401000-memory.dmp

Filesize
3.3MB

Download
memory/4976-152-0x00007FF7700B0000-0x00007FF770401000-memory.dmp

Filesize
3.3MB

Download
memory/5016-104-0x00007FF71ACB0000-0x00007FF71B001000-memory.dmp

Filesize
3.3MB

Download
memory/5016-40-0x00007FF71ACB0000-0x00007FF71B001000-memory.dmp

Filesize
3.3MB

Download
memory/5016-234-0x00007FF71ACB0000-0x00007FF71B001000-memory.dmp

Filesize
3.3MB

Download