cobaltstrike | 312fbea17ce94b00caf957452b8b9e2b5b0d62d47fe096e627f2e625b86a16ef

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27-12-2024 03:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-27_4b6668ec395d332c7dae0b6e7cc25e8d_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

4b6668ec395d332c7dae0b6e7cc25e8d
SHA1

3ac69c66c2c500befb8ef76cc94c87cb6ab29782
SHA256

312fbea17ce94b00caf957452b8b9e2b5b0d62d47fe096e627f2e625b86a16ef
SHA512

d8d7156393ad7dfcb64ae6b66a5cb9e1e31e5e007565a83716d6a8f35463de874fba989a7634c8614ba57ffdae0484ba96e967e3a8971b7ab3b14dbe333d782d
SSDEEP

49152:ROdWCCi7/raA56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lV:RWWBibj56utgpPFotBER/mQ32lUZ

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000a000000023b63-8.dat	cobalt_reflective_dll
behavioral2/files/0x000c000000023b0e-13.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b65-24.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b64-20.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b5f-10.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b66-35.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b6a-57.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b6d-67.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b6e-80.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b6f-99.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b70-102.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b60-94.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b6b-89.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b6c-85.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b69-75.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b68-56.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b67-51.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b71-126.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b73-131.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b74-146.dat	cobalt_reflective_dll
behavioral2/files/0x0031000000023b75-142.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/2500-16-0x00007FF61B950000-0x00007FF61BCA1000-memory.dmp	xmrig
behavioral2/memory/4032-92-0x00007FF678010000-0x00007FF678361000-memory.dmp	xmrig
behavioral2/memory/5060-104-0x00007FF68D6F0000-0x00007FF68DA41000-memory.dmp	xmrig
behavioral2/memory/4592-106-0x00007FF722BE0000-0x00007FF722F31000-memory.dmp	xmrig
behavioral2/memory/4028-105-0x00007FF7F0FF0000-0x00007FF7F1341000-memory.dmp	xmrig
behavioral2/memory/216-98-0x00007FF63AA90000-0x00007FF63ADE1000-memory.dmp	xmrig
behavioral2/memory/4392-97-0x00007FF65DD50000-0x00007FF65E0A1000-memory.dmp	xmrig
behavioral2/memory/852-93-0x00007FF734380000-0x00007FF7346D1000-memory.dmp	xmrig
behavioral2/memory/1132-118-0x00007FF7681C0000-0x00007FF768511000-memory.dmp	xmrig
behavioral2/memory/2244-117-0x00007FF74FD60000-0x00007FF7500B1000-memory.dmp	xmrig
behavioral2/memory/2108-121-0x00007FF7842E0000-0x00007FF784631000-memory.dmp	xmrig
behavioral2/memory/1740-115-0x00007FF78E010000-0x00007FF78E361000-memory.dmp	xmrig
behavioral2/memory/2992-114-0x00007FF70C480000-0x00007FF70C7D1000-memory.dmp	xmrig
behavioral2/memory/4868-113-0x00007FF715670000-0x00007FF7159C1000-memory.dmp	xmrig
behavioral2/memory/3564-112-0x00007FF781B60000-0x00007FF781EB1000-memory.dmp	xmrig
behavioral2/memory/3660-111-0x00007FF739A30000-0x00007FF739D81000-memory.dmp	xmrig
behavioral2/memory/4996-139-0x00007FF720420000-0x00007FF720771000-memory.dmp	xmrig
behavioral2/memory/4820-132-0x00007FF73F080000-0x00007FF73F3D1000-memory.dmp	xmrig
behavioral2/memory/3840-148-0x00007FF7A9350000-0x00007FF7A96A1000-memory.dmp	xmrig
behavioral2/memory/4392-149-0x00007FF65DD50000-0x00007FF65E0A1000-memory.dmp	xmrig
behavioral2/memory/3804-169-0x00007FF7DC890000-0x00007FF7DCBE1000-memory.dmp	xmrig
behavioral2/memory/2560-170-0x00007FF7C2DB0000-0x00007FF7C3101000-memory.dmp	xmrig
behavioral2/memory/2352-171-0x00007FF7C9100000-0x00007FF7C9451000-memory.dmp	xmrig
behavioral2/memory/4392-172-0x00007FF65DD50000-0x00007FF65E0A1000-memory.dmp	xmrig
behavioral2/memory/2500-209-0x00007FF61B950000-0x00007FF61BCA1000-memory.dmp	xmrig
behavioral2/memory/4592-211-0x00007FF722BE0000-0x00007FF722F31000-memory.dmp	xmrig
behavioral2/memory/3660-213-0x00007FF739A30000-0x00007FF739D81000-memory.dmp	xmrig
behavioral2/memory/4868-215-0x00007FF715670000-0x00007FF7159C1000-memory.dmp	xmrig
behavioral2/memory/3564-218-0x00007FF781B60000-0x00007FF781EB1000-memory.dmp	xmrig
behavioral2/memory/2992-220-0x00007FF70C480000-0x00007FF70C7D1000-memory.dmp	xmrig
behavioral2/memory/1740-221-0x00007FF78E010000-0x00007FF78E361000-memory.dmp	xmrig
behavioral2/memory/1132-237-0x00007FF7681C0000-0x00007FF768511000-memory.dmp	xmrig
behavioral2/memory/852-235-0x00007FF734380000-0x00007FF7346D1000-memory.dmp	xmrig
behavioral2/memory/216-239-0x00007FF63AA90000-0x00007FF63ADE1000-memory.dmp	xmrig
behavioral2/memory/2108-243-0x00007FF7842E0000-0x00007FF784631000-memory.dmp	xmrig
behavioral2/memory/4820-242-0x00007FF73F080000-0x00007FF73F3D1000-memory.dmp	xmrig
behavioral2/memory/2244-234-0x00007FF74FD60000-0x00007FF7500B1000-memory.dmp	xmrig
behavioral2/memory/4032-231-0x00007FF678010000-0x00007FF678361000-memory.dmp	xmrig
behavioral2/memory/4996-247-0x00007FF720420000-0x00007FF720771000-memory.dmp	xmrig
behavioral2/memory/4028-245-0x00007FF7F0FF0000-0x00007FF7F1341000-memory.dmp	xmrig
behavioral2/memory/5060-249-0x00007FF68D6F0000-0x00007FF68DA41000-memory.dmp	xmrig
behavioral2/memory/3840-256-0x00007FF7A9350000-0x00007FF7A96A1000-memory.dmp	xmrig
behavioral2/memory/2352-258-0x00007FF7C9100000-0x00007FF7C9451000-memory.dmp	xmrig
behavioral2/memory/2560-260-0x00007FF7C2DB0000-0x00007FF7C3101000-memory.dmp	xmrig
behavioral2/memory/3804-262-0x00007FF7DC890000-0x00007FF7DCBE1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4592	YoCmvuL.exe
2500	aOOVWdr.exe
3660	oTkDmaf.exe
3564	SZjmybs.exe
4868	rYhiGgi.exe
2992	KNicFKY.exe
1740	TUfDpKI.exe
2244	TJmXUPb.exe
1132	DPGeNSR.exe
852	pKxdXyx.exe
2108	CNSzdfK.exe
216	GQmifco.exe
4820	RrySumd.exe
4032	AFxcsTb.exe
4996	nubIsgo.exe
5060	lBVBHyw.exe
4028	SdCPxtX.exe
3840	UodkAWH.exe
2352	hmRkGBT.exe
3804	GYoEkEc.exe
2560	axWFFew.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4392-0-0x00007FF65DD50000-0x00007FF65E0A1000-memory.dmp	upx
behavioral2/files/0x000a000000023b63-8.dat	upx
behavioral2/memory/4592-7-0x00007FF722BE0000-0x00007FF722F31000-memory.dmp	upx
behavioral2/files/0x000c000000023b0e-13.dat	upx
behavioral2/files/0x000a000000023b65-24.dat	upx
behavioral2/memory/3660-22-0x00007FF739A30000-0x00007FF739D81000-memory.dmp	upx
behavioral2/files/0x000a000000023b64-20.dat	upx
behavioral2/memory/2500-16-0x00007FF61B950000-0x00007FF61BCA1000-memory.dmp	upx
behavioral2/files/0x000b000000023b5f-10.dat	upx
behavioral2/files/0x000a000000023b66-35.dat	upx
behavioral2/files/0x000a000000023b6a-57.dat	upx
behavioral2/files/0x000a000000023b6d-67.dat	upx
behavioral2/files/0x000a000000023b6e-80.dat	upx
behavioral2/memory/4032-92-0x00007FF678010000-0x00007FF678361000-memory.dmp	upx
behavioral2/files/0x000a000000023b6f-99.dat	upx
behavioral2/memory/5060-104-0x00007FF68D6F0000-0x00007FF68DA41000-memory.dmp	upx
behavioral2/memory/4592-106-0x00007FF722BE0000-0x00007FF722F31000-memory.dmp	upx
behavioral2/memory/4028-105-0x00007FF7F0FF0000-0x00007FF7F1341000-memory.dmp	upx
behavioral2/files/0x000a000000023b70-102.dat	upx
behavioral2/memory/4996-101-0x00007FF720420000-0x00007FF720771000-memory.dmp	upx
behavioral2/memory/216-98-0x00007FF63AA90000-0x00007FF63ADE1000-memory.dmp	upx
behavioral2/memory/4392-97-0x00007FF65DD50000-0x00007FF65E0A1000-memory.dmp	upx
behavioral2/files/0x000b000000023b60-94.dat	upx
behavioral2/memory/852-93-0x00007FF734380000-0x00007FF7346D1000-memory.dmp	upx
behavioral2/files/0x000a000000023b6b-89.dat	upx
behavioral2/files/0x000a000000023b6c-85.dat	upx
behavioral2/memory/4820-82-0x00007FF73F080000-0x00007FF73F3D1000-memory.dmp	upx
behavioral2/files/0x000a000000023b69-75.dat	upx
behavioral2/memory/2108-71-0x00007FF7842E0000-0x00007FF784631000-memory.dmp	upx
behavioral2/memory/1132-61-0x00007FF7681C0000-0x00007FF768511000-memory.dmp	upx
behavioral2/files/0x000a000000023b68-56.dat	upx
behavioral2/memory/2244-52-0x00007FF74FD60000-0x00007FF7500B1000-memory.dmp	upx
behavioral2/files/0x000a000000023b67-51.dat	upx
behavioral2/memory/1740-46-0x00007FF78E010000-0x00007FF78E361000-memory.dmp	upx
behavioral2/memory/2992-41-0x00007FF70C480000-0x00007FF70C7D1000-memory.dmp	upx
behavioral2/memory/4868-31-0x00007FF715670000-0x00007FF7159C1000-memory.dmp	upx
behavioral2/memory/3564-25-0x00007FF781B60000-0x00007FF781EB1000-memory.dmp	upx
behavioral2/memory/1132-118-0x00007FF7681C0000-0x00007FF768511000-memory.dmp	upx
behavioral2/memory/2244-117-0x00007FF74FD60000-0x00007FF7500B1000-memory.dmp	upx
behavioral2/files/0x000a000000023b71-126.dat	upx
behavioral2/memory/3840-125-0x00007FF7A9350000-0x00007FF7A96A1000-memory.dmp	upx
behavioral2/memory/2108-121-0x00007FF7842E0000-0x00007FF784631000-memory.dmp	upx
behavioral2/memory/1740-115-0x00007FF78E010000-0x00007FF78E361000-memory.dmp	upx
behavioral2/memory/2992-114-0x00007FF70C480000-0x00007FF70C7D1000-memory.dmp	upx
behavioral2/memory/4868-113-0x00007FF715670000-0x00007FF7159C1000-memory.dmp	upx
behavioral2/memory/3564-112-0x00007FF781B60000-0x00007FF781EB1000-memory.dmp	upx
behavioral2/memory/3660-111-0x00007FF739A30000-0x00007FF739D81000-memory.dmp	upx
behavioral2/files/0x000a000000023b73-131.dat	upx
behavioral2/memory/2352-135-0x00007FF7C9100000-0x00007FF7C9451000-memory.dmp	upx
behavioral2/memory/2560-140-0x00007FF7C2DB0000-0x00007FF7C3101000-memory.dmp	upx
behavioral2/memory/3804-144-0x00007FF7DC890000-0x00007FF7DCBE1000-memory.dmp	upx
behavioral2/files/0x000a000000023b74-146.dat	upx
behavioral2/files/0x0031000000023b75-142.dat	upx
behavioral2/memory/4996-139-0x00007FF720420000-0x00007FF720771000-memory.dmp	upx
behavioral2/memory/4820-132-0x00007FF73F080000-0x00007FF73F3D1000-memory.dmp	upx
behavioral2/memory/3840-148-0x00007FF7A9350000-0x00007FF7A96A1000-memory.dmp	upx
behavioral2/memory/4392-149-0x00007FF65DD50000-0x00007FF65E0A1000-memory.dmp	upx
behavioral2/memory/3804-169-0x00007FF7DC890000-0x00007FF7DCBE1000-memory.dmp	upx
behavioral2/memory/2560-170-0x00007FF7C2DB0000-0x00007FF7C3101000-memory.dmp	upx
behavioral2/memory/2352-171-0x00007FF7C9100000-0x00007FF7C9451000-memory.dmp	upx
behavioral2/memory/4392-172-0x00007FF65DD50000-0x00007FF65E0A1000-memory.dmp	upx
behavioral2/memory/2500-209-0x00007FF61B950000-0x00007FF61BCA1000-memory.dmp	upx
behavioral2/memory/4592-211-0x00007FF722BE0000-0x00007FF722F31000-memory.dmp	upx
behavioral2/memory/3660-213-0x00007FF739A30000-0x00007FF739D81000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\YoCmvuL.exe	2024-12-27_4b6668ec395d332c7dae0b6e7cc25e8d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SdCPxtX.exe	2024-12-27_4b6668ec395d332c7dae0b6e7cc25e8d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\axWFFew.exe	2024-12-27_4b6668ec395d332c7dae0b6e7cc25e8d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UodkAWH.exe	2024-12-27_4b6668ec395d332c7dae0b6e7cc25e8d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oTkDmaf.exe	2024-12-27_4b6668ec395d332c7dae0b6e7cc25e8d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rYhiGgi.exe	2024-12-27_4b6668ec395d332c7dae0b6e7cc25e8d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TJmXUPb.exe	2024-12-27_4b6668ec395d332c7dae0b6e7cc25e8d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CNSzdfK.exe	2024-12-27_4b6668ec395d332c7dae0b6e7cc25e8d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RrySumd.exe	2024-12-27_4b6668ec395d332c7dae0b6e7cc25e8d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lBVBHyw.exe	2024-12-27_4b6668ec395d332c7dae0b6e7cc25e8d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nubIsgo.exe	2024-12-27_4b6668ec395d332c7dae0b6e7cc25e8d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GYoEkEc.exe	2024-12-27_4b6668ec395d332c7dae0b6e7cc25e8d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aOOVWdr.exe	2024-12-27_4b6668ec395d332c7dae0b6e7cc25e8d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SZjmybs.exe	2024-12-27_4b6668ec395d332c7dae0b6e7cc25e8d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TUfDpKI.exe	2024-12-27_4b6668ec395d332c7dae0b6e7cc25e8d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pKxdXyx.exe	2024-12-27_4b6668ec395d332c7dae0b6e7cc25e8d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GQmifco.exe	2024-12-27_4b6668ec395d332c7dae0b6e7cc25e8d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AFxcsTb.exe	2024-12-27_4b6668ec395d332c7dae0b6e7cc25e8d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KNicFKY.exe	2024-12-27_4b6668ec395d332c7dae0b6e7cc25e8d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DPGeNSR.exe	2024-12-27_4b6668ec395d332c7dae0b6e7cc25e8d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hmRkGBT.exe	2024-12-27_4b6668ec395d332c7dae0b6e7cc25e8d_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4392	2024-12-27_4b6668ec395d332c7dae0b6e7cc25e8d_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4392	2024-12-27_4b6668ec395d332c7dae0b6e7cc25e8d_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4392 wrote to memory of 4592	4392	2024-12-27_4b6668ec395d332c7dae0b6e7cc25e8d_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4392 wrote to memory of 4592	4392	2024-12-27_4b6668ec395d332c7dae0b6e7cc25e8d_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4392 wrote to memory of 2500	4392	2024-12-27_4b6668ec395d332c7dae0b6e7cc25e8d_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4392 wrote to memory of 2500	4392	2024-12-27_4b6668ec395d332c7dae0b6e7cc25e8d_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4392 wrote to memory of 3660	4392	2024-12-27_4b6668ec395d332c7dae0b6e7cc25e8d_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4392 wrote to memory of 3660	4392	2024-12-27_4b6668ec395d332c7dae0b6e7cc25e8d_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4392 wrote to memory of 3564	4392	2024-12-27_4b6668ec395d332c7dae0b6e7cc25e8d_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4392 wrote to memory of 3564	4392	2024-12-27_4b6668ec395d332c7dae0b6e7cc25e8d_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4392 wrote to memory of 4868	4392	2024-12-27_4b6668ec395d332c7dae0b6e7cc25e8d_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4392 wrote to memory of 4868	4392	2024-12-27_4b6668ec395d332c7dae0b6e7cc25e8d_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4392 wrote to memory of 2992	4392	2024-12-27_4b6668ec395d332c7dae0b6e7cc25e8d_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4392 wrote to memory of 2992	4392	2024-12-27_4b6668ec395d332c7dae0b6e7cc25e8d_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4392 wrote to memory of 1740	4392	2024-12-27_4b6668ec395d332c7dae0b6e7cc25e8d_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4392 wrote to memory of 1740	4392	2024-12-27_4b6668ec395d332c7dae0b6e7cc25e8d_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4392 wrote to memory of 2244	4392	2024-12-27_4b6668ec395d332c7dae0b6e7cc25e8d_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4392 wrote to memory of 2244	4392	2024-12-27_4b6668ec395d332c7dae0b6e7cc25e8d_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4392 wrote to memory of 1132	4392	2024-12-27_4b6668ec395d332c7dae0b6e7cc25e8d_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4392 wrote to memory of 1132	4392	2024-12-27_4b6668ec395d332c7dae0b6e7cc25e8d_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4392 wrote to memory of 852	4392	2024-12-27_4b6668ec395d332c7dae0b6e7cc25e8d_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4392 wrote to memory of 852	4392	2024-12-27_4b6668ec395d332c7dae0b6e7cc25e8d_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4392 wrote to memory of 2108	4392	2024-12-27_4b6668ec395d332c7dae0b6e7cc25e8d_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4392 wrote to memory of 2108	4392	2024-12-27_4b6668ec395d332c7dae0b6e7cc25e8d_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4392 wrote to memory of 216	4392	2024-12-27_4b6668ec395d332c7dae0b6e7cc25e8d_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4392 wrote to memory of 216	4392	2024-12-27_4b6668ec395d332c7dae0b6e7cc25e8d_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4392 wrote to memory of 4820	4392	2024-12-27_4b6668ec395d332c7dae0b6e7cc25e8d_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4392 wrote to memory of 4820	4392	2024-12-27_4b6668ec395d332c7dae0b6e7cc25e8d_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4392 wrote to memory of 4032	4392	2024-12-27_4b6668ec395d332c7dae0b6e7cc25e8d_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4392 wrote to memory of 4032	4392	2024-12-27_4b6668ec395d332c7dae0b6e7cc25e8d_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4392 wrote to memory of 4996	4392	2024-12-27_4b6668ec395d332c7dae0b6e7cc25e8d_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4392 wrote to memory of 4996	4392	2024-12-27_4b6668ec395d332c7dae0b6e7cc25e8d_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4392 wrote to memory of 5060	4392	2024-12-27_4b6668ec395d332c7dae0b6e7cc25e8d_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4392 wrote to memory of 5060	4392	2024-12-27_4b6668ec395d332c7dae0b6e7cc25e8d_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4392 wrote to memory of 4028	4392	2024-12-27_4b6668ec395d332c7dae0b6e7cc25e8d_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4392 wrote to memory of 4028	4392	2024-12-27_4b6668ec395d332c7dae0b6e7cc25e8d_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4392 wrote to memory of 3840	4392	2024-12-27_4b6668ec395d332c7dae0b6e7cc25e8d_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4392 wrote to memory of 3840	4392	2024-12-27_4b6668ec395d332c7dae0b6e7cc25e8d_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4392 wrote to memory of 2352	4392	2024-12-27_4b6668ec395d332c7dae0b6e7cc25e8d_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4392 wrote to memory of 2352	4392	2024-12-27_4b6668ec395d332c7dae0b6e7cc25e8d_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4392 wrote to memory of 3804	4392	2024-12-27_4b6668ec395d332c7dae0b6e7cc25e8d_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4392 wrote to memory of 3804	4392	2024-12-27_4b6668ec395d332c7dae0b6e7cc25e8d_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4392 wrote to memory of 2560	4392	2024-12-27_4b6668ec395d332c7dae0b6e7cc25e8d_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4392 wrote to memory of 2560	4392	2024-12-27_4b6668ec395d332c7dae0b6e7cc25e8d_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-12-27_4b6668ec395d332c7dae0b6e7cc25e8d_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-27_4b6668ec395d332c7dae0b6e7cc25e8d_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4392
- C:\Windows\System\YoCmvuL.exe
  C:\Windows\System\YoCmvuL.exe
  2⤵
  - Executes dropped EXE
  PID:4592
- C:\Windows\System\aOOVWdr.exe
  C:\Windows\System\aOOVWdr.exe
  2⤵
  - Executes dropped EXE
  PID:2500
- C:\Windows\System\oTkDmaf.exe
  C:\Windows\System\oTkDmaf.exe
  2⤵
  - Executes dropped EXE
  PID:3660
- C:\Windows\System\SZjmybs.exe
  C:\Windows\System\SZjmybs.exe
  2⤵
  - Executes dropped EXE
  PID:3564
- C:\Windows\System\rYhiGgi.exe
  C:\Windows\System\rYhiGgi.exe
  2⤵
  - Executes dropped EXE
  PID:4868
- C:\Windows\System\KNicFKY.exe
  C:\Windows\System\KNicFKY.exe
  2⤵
  - Executes dropped EXE
  PID:2992
- C:\Windows\System\TUfDpKI.exe
  C:\Windows\System\TUfDpKI.exe
  2⤵
  - Executes dropped EXE
  PID:1740
- C:\Windows\System\TJmXUPb.exe
  C:\Windows\System\TJmXUPb.exe
  2⤵
  - Executes dropped EXE
  PID:2244
- C:\Windows\System\DPGeNSR.exe
  C:\Windows\System\DPGeNSR.exe
  2⤵
  - Executes dropped EXE
  PID:1132
- C:\Windows\System\pKxdXyx.exe
  C:\Windows\System\pKxdXyx.exe
  2⤵
  - Executes dropped EXE
  PID:852
- C:\Windows\System\CNSzdfK.exe
  C:\Windows\System\CNSzdfK.exe
  2⤵
  - Executes dropped EXE
  PID:2108
- C:\Windows\System\GQmifco.exe
  C:\Windows\System\GQmifco.exe
  2⤵
  - Executes dropped EXE
  PID:216
- C:\Windows\System\RrySumd.exe
  C:\Windows\System\RrySumd.exe
  2⤵
  - Executes dropped EXE
  PID:4820
- C:\Windows\System\AFxcsTb.exe
  C:\Windows\System\AFxcsTb.exe
  2⤵
  - Executes dropped EXE
  PID:4032
- C:\Windows\System\nubIsgo.exe
  C:\Windows\System\nubIsgo.exe
  2⤵
  - Executes dropped EXE
  PID:4996
- C:\Windows\System\lBVBHyw.exe
  C:\Windows\System\lBVBHyw.exe
  2⤵
  - Executes dropped EXE
  PID:5060
- C:\Windows\System\SdCPxtX.exe
  C:\Windows\System\SdCPxtX.exe
  2⤵
  - Executes dropped EXE
  PID:4028
- C:\Windows\System\UodkAWH.exe
  C:\Windows\System\UodkAWH.exe
  2⤵
  - Executes dropped EXE
  PID:3840
- C:\Windows\System\hmRkGBT.exe
  C:\Windows\System\hmRkGBT.exe
  2⤵
  - Executes dropped EXE
  PID:2352
- C:\Windows\System\GYoEkEc.exe
  C:\Windows\System\GYoEkEc.exe
  2⤵
  - Executes dropped EXE
  PID:3804
- C:\Windows\System\axWFFew.exe
  C:\Windows\System\axWFFew.exe
  2⤵
  - Executes dropped EXE
  PID:2560

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AFxcsTb.exe

Filesize
5.2MB

MD5
f906057797ab47a89e085e5fcfa77698

SHA1
c64376178ec222b227e5206124aa088b9a67f60d

SHA256
2dac203dee0221343fe8d49471cd7fba1cc1c8e91d965f9bcb4c899b8c35dd39

SHA512
c878195f96b6fb9e9cefa887a26dbd538f009bb07c1d32960f9fb9cf7da84159e1e6506aa9e89830e766b39621644e27ee30af90c5b923aa01954d0195f53cb9

Download Submit
C:\Windows\System\CNSzdfK.exe

Filesize
5.2MB

MD5
6770b0bf0c9302b48a308ddb83174465

SHA1
f329ed5c41b93ba654ff13c8947561ebf6b30ee9

SHA256
7cf27ef9a1f9d682443e7b3b186adc6f2ac50df6447a190c46e6fb5e8f550dd5

SHA512
fe5e27d5fbe9beef157cb635c245a153736b019a1313f850a8cdd424480529c27e0fc11750ef9b2b31b816c6460ab9affb7b15b4f0bebc54c283804ba97eb693

Download Submit
C:\Windows\System\DPGeNSR.exe

Filesize
5.2MB

MD5
248cb3c4a054982a36891730f9d70194

SHA1
6cae064d196d41204bd36561cabdaed642662e53

SHA256
1d2844e3ef2d60fb7026e67862e67595ca342f021b1a61ab96ceac4480772b95

SHA512
883f446a53e79f90d7b8a87d6b8198640441e3bf5c522aad301f06847b85ca00f90e5ed81666e9412ad1fcb277b9cc6da22c7a700e467de2f7b182dd429c70ad

Download Submit
C:\Windows\System\GQmifco.exe

Filesize
5.2MB

MD5
90209be4a12bee09c92d4cd3777ecc3d

SHA1
e9d0013dbcf3a393c8a46b70e027ef792101fa9c

SHA256
6e38b7697f01298a8984d8d76943e58d8b480b47692b8748efb07c2a275d313f

SHA512
b5fa106f7ac215995d1309c0ea856175f56b0f228b11a3e34132f122352233769626c6c4fa22091d98380103f6e72a068334a929ad60cba0d926c9b0f46f2191

Download Submit
C:\Windows\System\GYoEkEc.exe

Filesize
5.2MB

MD5
f321ac27053eb2d1139fd4e44a1bb1c5

SHA1
3affe27421254408b8da9c910f6c0d7def9a2089

SHA256
b63701a92f974f9f59e68e6e60247b2c356bce2d40c57636eb2a562a46fb266e

SHA512
b938559d3b1b0f239ce689be7c34475c843aefcf0c5a5ad2f2a10dd695011f5dce1db34d90f004f943d5606d26a1b4bb559d888e8d38cd0068524913ce492fad

Download Submit
C:\Windows\System\KNicFKY.exe

Filesize
5.2MB

MD5
786edbc0ae2bc3bd076bf48db8cc2175

SHA1
c07d7da5dba72afe3aa2e1677d53c355326f7664

SHA256
4afc912126a189b8cb80893386568f99f542540c92a72fbbc7c1f9cec13289b7

SHA512
2eb7c738b4637f98a209e702f7cc46e0dbaf3b0367bc01e130dec2df603dcfc201b288d0350c85c347ce08aa2c83df44635a61cd9e43833d23ad44cb4713f257

Download Submit
C:\Windows\System\RrySumd.exe

Filesize
5.2MB

MD5
62081c44b5ad46f1a374adfedf8b14e3

SHA1
dfa2bed9f0db593bb2a1fdc316d2742f97936a75

SHA256
f7909ff5493a22175b487541bb5bb7c92974719c84fd1f4c7d9306f5793aaad4

SHA512
b8bce31befc9b1be9f3d41becca0f2bf478e90243bbe0cb65c8b61f240a56da562a06ded369b69806a025916cfb0bcc793772c218e86e46995b4f521d0171c36

Download Submit
C:\Windows\System\SZjmybs.exe

Filesize
5.2MB

MD5
7cf643aafff6a2a08ed69bcaaf6098a4

SHA1
f47803eee4b2f21d338f284caec6cd51fbc84985

SHA256
5ca32dbfd120aae67decc1593b56c8dc20ee2d49a54d42eafc711055d1e6ccfc

SHA512
e43965049c0ae0b08d88b5bf412e5b3cab8ee15bd073bbc2772fa439261d5f090a36c420b150adfc3f6c1197f73609fd05600ca6213da64deb8d31befc6ac34b

Download Submit
C:\Windows\System\SdCPxtX.exe

Filesize
5.2MB

MD5
2f835267452c1d7ca0ae27ced29fbc09

SHA1
cd37bf3a1840f6deb926bfe520396d162c228277

SHA256
85f22b69e45cc0419d33b21f35d5cbf35708d265a836f7717ed59f252af7f48a

SHA512
631a3b514904f24fddd8e493cf7b86ba6ee1848ec3eba3d3790f8451995769626dd1695d7e0075d2c53bbc0adea8281a6470f3dec5558e0d1bc1828146a386f0

Download Submit
C:\Windows\System\TJmXUPb.exe

Filesize
5.2MB

MD5
b7ada3f9c0ce190284acd1aa93a17c59

SHA1
2a1fdde2fe79df8cb76e348cdba1399af20913cc

SHA256
eab898f187612fbfbf2c0bdddd1fa5f912ff9e6f3f75245db177e6f0fccc01a4

SHA512
36fe4b9319c6d7d3f0651b7c779190f5c6ab742117d283420705722d12c087857356ff4dbdcf20be0d0194d41d824d6a911532a8fb215e3bd9e63de72ef10e30

Download Submit
C:\Windows\System\TUfDpKI.exe

Filesize
5.2MB

MD5
5ad02c22a5141a38e266af7daddee152

SHA1
f1364827e0b772d0fa809c2500220be839afee78

SHA256
cc6bec5140c03162eb325673954ffd064f89939c5c2c19c51759acfb2da4c4a8

SHA512
05cf9f28f245b17d99441cf404a8321bb736c06a6c0c2f0fc23723b4b4dbe32c03d437057b8ddadbb5d6f6e381e7e6c46a5e74dd8e06d49bc4b611c24c2b40a4

Download Submit
C:\Windows\System\UodkAWH.exe

Filesize
5.2MB

MD5
3103de78e8f8dc86f30b889ad23fe7e1

SHA1
7746d6fe2c8938a812123a8e4e30fdab82f8510d

SHA256
ab09a42f6e1944e5b4ef2599db99254ab4e6700922389cd87f23ec1ba7729b1e

SHA512
e1a0a05fc7190d69e9e173e7a2163f3c9129f5703089d45f7bbd5740d1cd62dc71a5b928dbd35e1c03c413ddeac9a249228594ef9773cf81d6ae067ee30d4e4d

Download Submit
C:\Windows\System\YoCmvuL.exe

Filesize
5.2MB

MD5
f68d4b37450484dd98fd02b4c06b316d

SHA1
828cb937713bf4a04853b414eec20c3e1560f435

SHA256
74b2d533a3038e0221c7e6a7271d2825f874de0dde23914448ffdf5b290531a9

SHA512
a6172a54dccabbfcb6204a664d227b12cdae524b9e279b35174e3a19c7e514411a10743f0062a95123883f4ada82cfbd1f61a9ee9373c0264cad213c9ec00e2e

Download Submit
C:\Windows\System\aOOVWdr.exe

Filesize
5.2MB

MD5
8628866946e034b9cf3d930dfeb08845

SHA1
f8d53e06b549d7bed8eef69034fb156e36653d41

SHA256
dce64b62e14884eeda669abf1c3ca27ae1cbfba99695b81b25d3ceb77501507c

SHA512
7bc613b4043aad035e774109551487e61d5ed792d98cd87cd961a0d314e147eaa9666f86e9328bec750ca75a55bc28a0412cc218114108a4c53fee8a634e587c

Download Submit
C:\Windows\System\axWFFew.exe

Filesize
5.2MB

MD5
3d8ad1bdec02c45341d05e4f33422c1b

SHA1
2c09a4af06fbdb96914675ce3957c8a25010d7d9

SHA256
01a91b125185ec473d97cdd15cc362721c8bc6ce83711cc8bc5003a20ecd9c0b

SHA512
035a45dc273a3c7be3af225d01e2eb631a575bbc99292e54e5ca1721a8754ed7161d2708b83efc45d0e376750671660ccdbdd3ef332e77819e0053de503a40a3

Download Submit
C:\Windows\System\hmRkGBT.exe

Filesize
5.2MB

MD5
d325a119fe3e52a23c5e9db5af274ff3

SHA1
ca2023a0379e027a2091366ea9e19a991cbcf77b

SHA256
0765809253f08b4426618fafafc8a7ed3018c49c0e46effc06a7214312e80aa0

SHA512
fafffee807b1c80b9dc058f41e70ea8c07f0067ea044f251f9a39915a6d1c2ceccf43b82ac6f9da23b5a7a9d7ef71fe9c1beff7c45756d9b8624df82ccf0655c

Download Submit
C:\Windows\System\lBVBHyw.exe

Filesize
5.2MB

MD5
02f537920aec3916b97ab92b531ec187

SHA1
0d845d4a214511887697ffcbd7ce86d6491cf78f

SHA256
0e73421919924f51d7d1d8c4326a082f45728d56fb9e05bb11db0af7cf20c56a

SHA512
66a3301dc83b4355a9d7837f65b1864b2036bc0240d8e50470760f43a0902a9bc67fdac6bf04e9ea20727f64d120b7abe2e8feaeb0ebe7342c22f11b735a7417

Download Submit
C:\Windows\System\nubIsgo.exe

Filesize
5.2MB

MD5
2871dd3e11e1011684d7b722e3395e24

SHA1
4dedf924c1535e898b2a6a9cf55d53c6015a902a

SHA256
2f606b66ab39fe2ad0112c500d3e75df222236bfe12b77430e9860d9ea68c739

SHA512
360902322b267f8b86fae1144ba45782ed345968e35aacddf5efac916cef434c448ea5571d160622f49bbbff7256e3dd9c3043a1565f21046001a46d31d2b261

Download Submit
C:\Windows\System\oTkDmaf.exe

Filesize
5.2MB

MD5
d45c72b3d85d2a58cca4639575ec8f71

SHA1
453f2ca6ac5cdbe95d16a026cca59a0b242941ff

SHA256
d5a7d4acfb85ed0eb1396c654e0b87f63acf54ca1b10eea78c123aa26112f1d9

SHA512
571172a7058e8df2879bbd7787e92b14e582f1554cad5b5f74d8ed91c9fa9c73034ddbebe207d6b77767abc831d3a618d05181a0824212395b0508aaadba74b2

Download Submit
C:\Windows\System\pKxdXyx.exe

Filesize
5.2MB

MD5
0d1e91225216b446c96a8fda7e6d1e82

SHA1
f2e3eed7c37ddff378cfd83fd4b65f5a01bed9cc

SHA256
4cb167ddea13b764609e8d424b6674d3aebe7bdf8fd54aa2655719617786ec36

SHA512
abd0491a419d3cf3fc1644deda7463dc64592383be27be73ffe15f615e2bd46dc9ed6c3e634e72079a5b5202b91fb76c1e56920ac58326d68ef63f7cf988d142

Download Submit
C:\Windows\System\rYhiGgi.exe

Filesize
5.2MB

MD5
8e130b4cc4b627113b4da73bafd53952

SHA1
7022ccdbf957b61b9677ea55f34260ca5623c702

SHA256
fd745de7acaa511d724759930c9f35888aa56e37d22aae971473d6df4fe8b827

SHA512
3d64719a0a40e379666d8a92de1859a20a98a77d78379f54370561baea768b6d3057e19e3be342801ea22ec642afb5371b2f6b36f35b955181cba68ca210fcc2

Download Submit
memory/216-239-0x00007FF63AA90000-0x00007FF63ADE1000-memory.dmp

Filesize
3.3MB

Download
memory/216-98-0x00007FF63AA90000-0x00007FF63ADE1000-memory.dmp

Filesize
3.3MB

Download
memory/852-93-0x00007FF734380000-0x00007FF7346D1000-memory.dmp

Filesize
3.3MB

Download
memory/852-235-0x00007FF734380000-0x00007FF7346D1000-memory.dmp

Filesize
3.3MB

Download
memory/1132-237-0x00007FF7681C0000-0x00007FF768511000-memory.dmp

Filesize
3.3MB

Download
memory/1132-61-0x00007FF7681C0000-0x00007FF768511000-memory.dmp

Filesize
3.3MB

Download
memory/1132-118-0x00007FF7681C0000-0x00007FF768511000-memory.dmp

Filesize
3.3MB

Download
memory/1740-46-0x00007FF78E010000-0x00007FF78E361000-memory.dmp

Filesize
3.3MB

Download
memory/1740-115-0x00007FF78E010000-0x00007FF78E361000-memory.dmp

Filesize
3.3MB

Download
memory/1740-221-0x00007FF78E010000-0x00007FF78E361000-memory.dmp

Filesize
3.3MB

Download
memory/2108-121-0x00007FF7842E0000-0x00007FF784631000-memory.dmp

Filesize
3.3MB

Download
memory/2108-71-0x00007FF7842E0000-0x00007FF784631000-memory.dmp

Filesize
3.3MB

Download
memory/2108-243-0x00007FF7842E0000-0x00007FF784631000-memory.dmp

Filesize
3.3MB

Download
memory/2244-117-0x00007FF74FD60000-0x00007FF7500B1000-memory.dmp

Filesize
3.3MB

Download
memory/2244-52-0x00007FF74FD60000-0x00007FF7500B1000-memory.dmp

Filesize
3.3MB

Download
memory/2244-234-0x00007FF74FD60000-0x00007FF7500B1000-memory.dmp

Filesize
3.3MB

Download
memory/2352-258-0x00007FF7C9100000-0x00007FF7C9451000-memory.dmp

Filesize
3.3MB

Download
memory/2352-135-0x00007FF7C9100000-0x00007FF7C9451000-memory.dmp

Filesize
3.3MB

Download
memory/2352-171-0x00007FF7C9100000-0x00007FF7C9451000-memory.dmp

Filesize
3.3MB

Download
memory/2500-209-0x00007FF61B950000-0x00007FF61BCA1000-memory.dmp

Filesize
3.3MB

Download
memory/2500-16-0x00007FF61B950000-0x00007FF61BCA1000-memory.dmp

Filesize
3.3MB

Download
memory/2560-260-0x00007FF7C2DB0000-0x00007FF7C3101000-memory.dmp

Filesize
3.3MB

Download
memory/2560-140-0x00007FF7C2DB0000-0x00007FF7C3101000-memory.dmp

Filesize
3.3MB

Download
memory/2560-170-0x00007FF7C2DB0000-0x00007FF7C3101000-memory.dmp

Filesize
3.3MB

Download
memory/2992-41-0x00007FF70C480000-0x00007FF70C7D1000-memory.dmp

Filesize
3.3MB

Download
memory/2992-114-0x00007FF70C480000-0x00007FF70C7D1000-memory.dmp

Filesize
3.3MB

Download
memory/2992-220-0x00007FF70C480000-0x00007FF70C7D1000-memory.dmp

Filesize
3.3MB

Download
memory/3564-112-0x00007FF781B60000-0x00007FF781EB1000-memory.dmp

Filesize
3.3MB

Download
memory/3564-218-0x00007FF781B60000-0x00007FF781EB1000-memory.dmp

Filesize
3.3MB

Download
memory/3564-25-0x00007FF781B60000-0x00007FF781EB1000-memory.dmp

Filesize
3.3MB

Download
memory/3660-111-0x00007FF739A30000-0x00007FF739D81000-memory.dmp

Filesize
3.3MB

Download
memory/3660-213-0x00007FF739A30000-0x00007FF739D81000-memory.dmp

Filesize
3.3MB

Download
memory/3660-22-0x00007FF739A30000-0x00007FF739D81000-memory.dmp

Filesize
3.3MB

Download
memory/3804-262-0x00007FF7DC890000-0x00007FF7DCBE1000-memory.dmp

Filesize
3.3MB

Download
memory/3804-169-0x00007FF7DC890000-0x00007FF7DCBE1000-memory.dmp

Filesize
3.3MB

Download
memory/3804-144-0x00007FF7DC890000-0x00007FF7DCBE1000-memory.dmp

Filesize
3.3MB

Download
memory/3840-256-0x00007FF7A9350000-0x00007FF7A96A1000-memory.dmp

Filesize
3.3MB

Download
memory/3840-148-0x00007FF7A9350000-0x00007FF7A96A1000-memory.dmp

Filesize
3.3MB

Download
memory/3840-125-0x00007FF7A9350000-0x00007FF7A96A1000-memory.dmp

Filesize
3.3MB

Download
memory/4028-105-0x00007FF7F0FF0000-0x00007FF7F1341000-memory.dmp

Filesize
3.3MB

Download
memory/4028-245-0x00007FF7F0FF0000-0x00007FF7F1341000-memory.dmp

Filesize
3.3MB

Download
memory/4032-92-0x00007FF678010000-0x00007FF678361000-memory.dmp

Filesize
3.3MB

Download
memory/4032-231-0x00007FF678010000-0x00007FF678361000-memory.dmp

Filesize
3.3MB

Download
memory/4392-149-0x00007FF65DD50000-0x00007FF65E0A1000-memory.dmp

Filesize
3.3MB

Download
memory/4392-97-0x00007FF65DD50000-0x00007FF65E0A1000-memory.dmp

Filesize
3.3MB

Download
memory/4392-172-0x00007FF65DD50000-0x00007FF65E0A1000-memory.dmp

Filesize
3.3MB

Download
memory/4392-1-0x000001B3EBD70000-0x000001B3EBD80000-memory.dmp

Filesize
64KB

Download
memory/4392-0-0x00007FF65DD50000-0x00007FF65E0A1000-memory.dmp

Filesize
3.3MB

Download
memory/4592-211-0x00007FF722BE0000-0x00007FF722F31000-memory.dmp

Filesize
3.3MB

Download
memory/4592-106-0x00007FF722BE0000-0x00007FF722F31000-memory.dmp

Filesize
3.3MB

Download
memory/4592-7-0x00007FF722BE0000-0x00007FF722F31000-memory.dmp

Filesize
3.3MB

Download
memory/4820-242-0x00007FF73F080000-0x00007FF73F3D1000-memory.dmp

Filesize
3.3MB

Download
memory/4820-82-0x00007FF73F080000-0x00007FF73F3D1000-memory.dmp

Filesize
3.3MB

Download
memory/4820-132-0x00007FF73F080000-0x00007FF73F3D1000-memory.dmp

Filesize
3.3MB

Download
memory/4868-215-0x00007FF715670000-0x00007FF7159C1000-memory.dmp

Filesize
3.3MB

Download
memory/4868-113-0x00007FF715670000-0x00007FF7159C1000-memory.dmp

Filesize
3.3MB

Download
memory/4868-31-0x00007FF715670000-0x00007FF7159C1000-memory.dmp

Filesize
3.3MB

Download
memory/4996-101-0x00007FF720420000-0x00007FF720771000-memory.dmp

Filesize
3.3MB

Download
memory/4996-247-0x00007FF720420000-0x00007FF720771000-memory.dmp

Filesize
3.3MB

Download
memory/4996-139-0x00007FF720420000-0x00007FF720771000-memory.dmp

Filesize
3.3MB

Download
memory/5060-249-0x00007FF68D6F0000-0x00007FF68DA41000-memory.dmp

Filesize
3.3MB

Download
memory/5060-104-0x00007FF68D6F0000-0x00007FF68DA41000-memory.dmp

Filesize
3.3MB

Download