cobaltstrike | 182529da1e3726e0bd1fe21b221edad7513b240e1a0e5ed3f43ee9235e209631

Analysis

max time kernel
143s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-01-2025 17:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-22_f6a5f2a13f66a3e1038739d0f233b3ad_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

f6a5f2a13f66a3e1038739d0f233b3ad
SHA1

b678bae1c30937d26d72b8e329f3820c79b1a203
SHA256

182529da1e3726e0bd1fe21b221edad7513b240e1a0e5ed3f43ee9235e209631
SHA512

7d5038b1a94cb4c8e95385ffb4bc4987fb45dd540666c5e9c4a81e53c4859475cf28632c0dc1e697248790bfb28b3e68cf0f3ae70287b34a0a96fc5c2a1d53ab
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lM:RWWBibf56utgpPFotBER/mQ32lUY

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000d000000023b7f-4.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8c-9.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8b-15.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8e-24.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b91-42.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8f-43.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b90-51.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b92-58.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b93-63.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b88-66.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8d-27.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b94-71.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b97-83.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b98-91.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b96-85.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b99-102.dat	cobalt_reflective_dll
behavioral2/files/0x000300000001e747-125.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9c-124.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9e-134.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9d-135.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9a-119.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/228-20-0x00007FF6C7B30000-0x00007FF6C7E81000-memory.dmp	xmrig
behavioral2/memory/3604-68-0x00007FF789080000-0x00007FF7893D1000-memory.dmp	xmrig
behavioral2/memory/3148-87-0x00007FF7D7B50000-0x00007FF7D7EA1000-memory.dmp	xmrig
behavioral2/memory/4176-81-0x00007FF7B7340000-0x00007FF7B7691000-memory.dmp	xmrig
behavioral2/memory/4492-78-0x00007FF6D53C0000-0x00007FF6D5711000-memory.dmp	xmrig
behavioral2/memory/536-75-0x00007FF6FD5A0000-0x00007FF6FD8F1000-memory.dmp	xmrig
behavioral2/memory/4052-94-0x00007FF6366C0000-0x00007FF636A11000-memory.dmp	xmrig
behavioral2/memory/4188-100-0x00007FF67D4E0000-0x00007FF67D831000-memory.dmp	xmrig
behavioral2/memory/4708-99-0x00007FF7EF110000-0x00007FF7EF461000-memory.dmp	xmrig
behavioral2/memory/4756-97-0x00007FF68FC50000-0x00007FF68FFA1000-memory.dmp	xmrig
behavioral2/memory/4460-112-0x00007FF77A250000-0x00007FF77A5A1000-memory.dmp	xmrig
behavioral2/memory/724-114-0x00007FF68B660000-0x00007FF68B9B1000-memory.dmp	xmrig
behavioral2/memory/624-132-0x00007FF62EC20000-0x00007FF62EF71000-memory.dmp	xmrig
behavioral2/memory/2008-137-0x00007FF6E1740000-0x00007FF6E1A91000-memory.dmp	xmrig
behavioral2/memory/1832-139-0x00007FF7B53E0000-0x00007FF7B5731000-memory.dmp	xmrig
behavioral2/memory/1412-141-0x00007FF781920000-0x00007FF781C71000-memory.dmp	xmrig
behavioral2/memory/4740-142-0x00007FF72FB90000-0x00007FF72FEE1000-memory.dmp	xmrig
behavioral2/memory/1076-138-0x00007FF7A28D0000-0x00007FF7A2C21000-memory.dmp	xmrig
behavioral2/memory/4840-115-0x00007FF6FA1F0000-0x00007FF6FA541000-memory.dmp	xmrig
behavioral2/memory/4004-110-0x00007FF7008E0000-0x00007FF700C31000-memory.dmp	xmrig
behavioral2/memory/2656-149-0x00007FF65E190000-0x00007FF65E4E1000-memory.dmp	xmrig
behavioral2/memory/3604-151-0x00007FF789080000-0x00007FF7893D1000-memory.dmp	xmrig
behavioral2/memory/5040-166-0x00007FF74C610000-0x00007FF74C961000-memory.dmp	xmrig
behavioral2/memory/3604-173-0x00007FF789080000-0x00007FF7893D1000-memory.dmp	xmrig
behavioral2/memory/536-210-0x00007FF6FD5A0000-0x00007FF6FD8F1000-memory.dmp	xmrig
behavioral2/memory/228-212-0x00007FF6C7B30000-0x00007FF6C7E81000-memory.dmp	xmrig
behavioral2/memory/4492-214-0x00007FF6D53C0000-0x00007FF6D5711000-memory.dmp	xmrig
behavioral2/memory/4708-216-0x00007FF7EF110000-0x00007FF7EF461000-memory.dmp	xmrig
behavioral2/memory/3148-218-0x00007FF7D7B50000-0x00007FF7D7EA1000-memory.dmp	xmrig
behavioral2/memory/4004-220-0x00007FF7008E0000-0x00007FF700C31000-memory.dmp	xmrig
behavioral2/memory/724-222-0x00007FF68B660000-0x00007FF68B9B1000-memory.dmp	xmrig
behavioral2/memory/4460-224-0x00007FF77A250000-0x00007FF77A5A1000-memory.dmp	xmrig
behavioral2/memory/4840-226-0x00007FF6FA1F0000-0x00007FF6FA541000-memory.dmp	xmrig
behavioral2/memory/2008-231-0x00007FF6E1740000-0x00007FF6E1A91000-memory.dmp	xmrig
behavioral2/memory/624-232-0x00007FF62EC20000-0x00007FF62EF71000-memory.dmp	xmrig
behavioral2/memory/4176-240-0x00007FF7B7340000-0x00007FF7B7691000-memory.dmp	xmrig
behavioral2/memory/4052-242-0x00007FF6366C0000-0x00007FF636A11000-memory.dmp	xmrig
behavioral2/memory/4756-244-0x00007FF68FC50000-0x00007FF68FFA1000-memory.dmp	xmrig
behavioral2/memory/2656-246-0x00007FF65E190000-0x00007FF65E4E1000-memory.dmp	xmrig
behavioral2/memory/4188-248-0x00007FF67D4E0000-0x00007FF67D831000-memory.dmp	xmrig
behavioral2/memory/1076-255-0x00007FF7A28D0000-0x00007FF7A2C21000-memory.dmp	xmrig
behavioral2/memory/1832-259-0x00007FF7B53E0000-0x00007FF7B5731000-memory.dmp	xmrig
behavioral2/memory/1412-258-0x00007FF781920000-0x00007FF781C71000-memory.dmp	xmrig
behavioral2/memory/4740-263-0x00007FF72FB90000-0x00007FF72FEE1000-memory.dmp	xmrig
behavioral2/memory/5040-262-0x00007FF74C610000-0x00007FF74C961000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
536	dqUrGnH.exe
228	NhrhVEb.exe
4492	MOWYQnf.exe
4708	dMsaXsY.exe
3148	ltBnFse.exe
4004	IrPgvVO.exe
4460	uAtDoVL.exe
724	UGHnQnM.exe
4840	XohnNfT.exe
624	JcwdOqe.exe
2008	QjSlPtv.exe
4176	OzEmymS.exe
4052	gOMKwHD.exe
4756	nmRohqL.exe
4188	IIstAlC.exe
2656	VcdRNPe.exe
1076	EmSlbiX.exe
1832	uwyzQwe.exe
1412	mdXzKsn.exe
4740	Sutfxhk.exe
5040	YmfYtNd.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3604-0-0x00007FF789080000-0x00007FF7893D1000-memory.dmp	upx
behavioral2/files/0x000d000000023b7f-4.dat	upx
behavioral2/files/0x000a000000023b8c-9.dat	upx
behavioral2/files/0x000a000000023b8b-15.dat	upx
behavioral2/files/0x000a000000023b8e-24.dat	upx
behavioral2/files/0x000a000000023b91-42.dat	upx
behavioral2/files/0x000a000000023b8f-43.dat	upx
behavioral2/memory/724-46-0x00007FF68B660000-0x00007FF68B9B1000-memory.dmp	upx
behavioral2/files/0x000a000000023b90-51.dat	upx
behavioral2/files/0x000a000000023b92-58.dat	upx
behavioral2/files/0x000a000000023b93-63.dat	upx
behavioral2/files/0x000b000000023b88-66.dat	upx
behavioral2/memory/2008-65-0x00007FF6E1740000-0x00007FF6E1A91000-memory.dmp	upx
behavioral2/memory/624-60-0x00007FF62EC20000-0x00007FF62EF71000-memory.dmp	upx
behavioral2/memory/4840-55-0x00007FF6FA1F0000-0x00007FF6FA541000-memory.dmp	upx
behavioral2/memory/4460-45-0x00007FF77A250000-0x00007FF77A5A1000-memory.dmp	upx
behavioral2/memory/4004-36-0x00007FF7008E0000-0x00007FF700C31000-memory.dmp	upx
behavioral2/memory/3148-33-0x00007FF7D7B50000-0x00007FF7D7EA1000-memory.dmp	upx
behavioral2/memory/4708-29-0x00007FF7EF110000-0x00007FF7EF461000-memory.dmp	upx
behavioral2/files/0x000a000000023b8d-27.dat	upx
behavioral2/memory/4492-26-0x00007FF6D53C0000-0x00007FF6D5711000-memory.dmp	upx
behavioral2/memory/228-20-0x00007FF6C7B30000-0x00007FF6C7E81000-memory.dmp	upx
behavioral2/memory/536-7-0x00007FF6FD5A0000-0x00007FF6FD8F1000-memory.dmp	upx
behavioral2/memory/3604-68-0x00007FF789080000-0x00007FF7893D1000-memory.dmp	upx
behavioral2/files/0x000a000000023b94-71.dat	upx
behavioral2/files/0x000a000000023b97-83.dat	upx
behavioral2/files/0x000a000000023b98-91.dat	upx
behavioral2/memory/3148-87-0x00007FF7D7B50000-0x00007FF7D7EA1000-memory.dmp	upx
behavioral2/files/0x000a000000023b96-85.dat	upx
behavioral2/memory/4176-81-0x00007FF7B7340000-0x00007FF7B7691000-memory.dmp	upx
behavioral2/memory/4492-78-0x00007FF6D53C0000-0x00007FF6D5711000-memory.dmp	upx
behavioral2/memory/536-75-0x00007FF6FD5A0000-0x00007FF6FD8F1000-memory.dmp	upx
behavioral2/memory/4052-94-0x00007FF6366C0000-0x00007FF636A11000-memory.dmp	upx
behavioral2/memory/4188-100-0x00007FF67D4E0000-0x00007FF67D831000-memory.dmp	upx
behavioral2/files/0x000a000000023b99-102.dat	upx
behavioral2/memory/2656-101-0x00007FF65E190000-0x00007FF65E4E1000-memory.dmp	upx
behavioral2/memory/4708-99-0x00007FF7EF110000-0x00007FF7EF461000-memory.dmp	upx
behavioral2/memory/4756-97-0x00007FF68FC50000-0x00007FF68FFA1000-memory.dmp	upx
behavioral2/memory/4460-112-0x00007FF77A250000-0x00007FF77A5A1000-memory.dmp	upx
behavioral2/memory/724-114-0x00007FF68B660000-0x00007FF68B9B1000-memory.dmp	upx
behavioral2/files/0x000300000001e747-125.dat	upx
behavioral2/files/0x000a000000023b9c-124.dat	upx
behavioral2/memory/624-132-0x00007FF62EC20000-0x00007FF62EF71000-memory.dmp	upx
behavioral2/files/0x000a000000023b9e-134.dat	upx
behavioral2/files/0x000a000000023b9d-135.dat	upx
behavioral2/memory/2008-137-0x00007FF6E1740000-0x00007FF6E1A91000-memory.dmp	upx
behavioral2/memory/1832-139-0x00007FF7B53E0000-0x00007FF7B5731000-memory.dmp	upx
behavioral2/memory/1412-141-0x00007FF781920000-0x00007FF781C71000-memory.dmp	upx
behavioral2/memory/4740-142-0x00007FF72FB90000-0x00007FF72FEE1000-memory.dmp	upx
behavioral2/memory/5040-143-0x00007FF74C610000-0x00007FF74C961000-memory.dmp	upx
behavioral2/memory/1076-138-0x00007FF7A28D0000-0x00007FF7A2C21000-memory.dmp	upx
behavioral2/files/0x000a000000023b9a-119.dat	upx
behavioral2/memory/4840-115-0x00007FF6FA1F0000-0x00007FF6FA541000-memory.dmp	upx
behavioral2/memory/4004-110-0x00007FF7008E0000-0x00007FF700C31000-memory.dmp	upx
behavioral2/memory/2656-149-0x00007FF65E190000-0x00007FF65E4E1000-memory.dmp	upx
behavioral2/memory/3604-151-0x00007FF789080000-0x00007FF7893D1000-memory.dmp	upx
behavioral2/memory/5040-166-0x00007FF74C610000-0x00007FF74C961000-memory.dmp	upx
behavioral2/memory/3604-173-0x00007FF789080000-0x00007FF7893D1000-memory.dmp	upx
behavioral2/memory/536-210-0x00007FF6FD5A0000-0x00007FF6FD8F1000-memory.dmp	upx
behavioral2/memory/228-212-0x00007FF6C7B30000-0x00007FF6C7E81000-memory.dmp	upx
behavioral2/memory/4492-214-0x00007FF6D53C0000-0x00007FF6D5711000-memory.dmp	upx
behavioral2/memory/4708-216-0x00007FF7EF110000-0x00007FF7EF461000-memory.dmp	upx
behavioral2/memory/3148-218-0x00007FF7D7B50000-0x00007FF7D7EA1000-memory.dmp	upx
behavioral2/memory/4004-220-0x00007FF7008E0000-0x00007FF700C31000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\VcdRNPe.exe	2025-01-22_f6a5f2a13f66a3e1038739d0f233b3ad_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\Sutfxhk.exe	2025-01-22_f6a5f2a13f66a3e1038739d0f233b3ad_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MOWYQnf.exe	2025-01-22_f6a5f2a13f66a3e1038739d0f233b3ad_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dMsaXsY.exe	2025-01-22_f6a5f2a13f66a3e1038739d0f233b3ad_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UGHnQnM.exe	2025-01-22_f6a5f2a13f66a3e1038739d0f233b3ad_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QjSlPtv.exe	2025-01-22_f6a5f2a13f66a3e1038739d0f233b3ad_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nmRohqL.exe	2025-01-22_f6a5f2a13f66a3e1038739d0f233b3ad_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IIstAlC.exe	2025-01-22_f6a5f2a13f66a3e1038739d0f233b3ad_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EmSlbiX.exe	2025-01-22_f6a5f2a13f66a3e1038739d0f233b3ad_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mdXzKsn.exe	2025-01-22_f6a5f2a13f66a3e1038739d0f233b3ad_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IrPgvVO.exe	2025-01-22_f6a5f2a13f66a3e1038739d0f233b3ad_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uAtDoVL.exe	2025-01-22_f6a5f2a13f66a3e1038739d0f233b3ad_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XohnNfT.exe	2025-01-22_f6a5f2a13f66a3e1038739d0f233b3ad_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JcwdOqe.exe	2025-01-22_f6a5f2a13f66a3e1038739d0f233b3ad_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OzEmymS.exe	2025-01-22_f6a5f2a13f66a3e1038739d0f233b3ad_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dqUrGnH.exe	2025-01-22_f6a5f2a13f66a3e1038739d0f233b3ad_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ltBnFse.exe	2025-01-22_f6a5f2a13f66a3e1038739d0f233b3ad_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gOMKwHD.exe	2025-01-22_f6a5f2a13f66a3e1038739d0f233b3ad_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uwyzQwe.exe	2025-01-22_f6a5f2a13f66a3e1038739d0f233b3ad_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NhrhVEb.exe	2025-01-22_f6a5f2a13f66a3e1038739d0f233b3ad_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YmfYtNd.exe	2025-01-22_f6a5f2a13f66a3e1038739d0f233b3ad_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3604	2025-01-22_f6a5f2a13f66a3e1038739d0f233b3ad_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	3604	2025-01-22_f6a5f2a13f66a3e1038739d0f233b3ad_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3604 wrote to memory of 536	3604	2025-01-22_f6a5f2a13f66a3e1038739d0f233b3ad_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3604 wrote to memory of 536	3604	2025-01-22_f6a5f2a13f66a3e1038739d0f233b3ad_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3604 wrote to memory of 228	3604	2025-01-22_f6a5f2a13f66a3e1038739d0f233b3ad_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3604 wrote to memory of 228	3604	2025-01-22_f6a5f2a13f66a3e1038739d0f233b3ad_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3604 wrote to memory of 4492	3604	2025-01-22_f6a5f2a13f66a3e1038739d0f233b3ad_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3604 wrote to memory of 4492	3604	2025-01-22_f6a5f2a13f66a3e1038739d0f233b3ad_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3604 wrote to memory of 4708	3604	2025-01-22_f6a5f2a13f66a3e1038739d0f233b3ad_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3604 wrote to memory of 4708	3604	2025-01-22_f6a5f2a13f66a3e1038739d0f233b3ad_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3604 wrote to memory of 3148	3604	2025-01-22_f6a5f2a13f66a3e1038739d0f233b3ad_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3604 wrote to memory of 3148	3604	2025-01-22_f6a5f2a13f66a3e1038739d0f233b3ad_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3604 wrote to memory of 4004	3604	2025-01-22_f6a5f2a13f66a3e1038739d0f233b3ad_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3604 wrote to memory of 4004	3604	2025-01-22_f6a5f2a13f66a3e1038739d0f233b3ad_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3604 wrote to memory of 4460	3604	2025-01-22_f6a5f2a13f66a3e1038739d0f233b3ad_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3604 wrote to memory of 4460	3604	2025-01-22_f6a5f2a13f66a3e1038739d0f233b3ad_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3604 wrote to memory of 724	3604	2025-01-22_f6a5f2a13f66a3e1038739d0f233b3ad_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3604 wrote to memory of 724	3604	2025-01-22_f6a5f2a13f66a3e1038739d0f233b3ad_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3604 wrote to memory of 4840	3604	2025-01-22_f6a5f2a13f66a3e1038739d0f233b3ad_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3604 wrote to memory of 4840	3604	2025-01-22_f6a5f2a13f66a3e1038739d0f233b3ad_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3604 wrote to memory of 624	3604	2025-01-22_f6a5f2a13f66a3e1038739d0f233b3ad_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3604 wrote to memory of 624	3604	2025-01-22_f6a5f2a13f66a3e1038739d0f233b3ad_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3604 wrote to memory of 2008	3604	2025-01-22_f6a5f2a13f66a3e1038739d0f233b3ad_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3604 wrote to memory of 2008	3604	2025-01-22_f6a5f2a13f66a3e1038739d0f233b3ad_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3604 wrote to memory of 4176	3604	2025-01-22_f6a5f2a13f66a3e1038739d0f233b3ad_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3604 wrote to memory of 4176	3604	2025-01-22_f6a5f2a13f66a3e1038739d0f233b3ad_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3604 wrote to memory of 4052	3604	2025-01-22_f6a5f2a13f66a3e1038739d0f233b3ad_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3604 wrote to memory of 4052	3604	2025-01-22_f6a5f2a13f66a3e1038739d0f233b3ad_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3604 wrote to memory of 4756	3604	2025-01-22_f6a5f2a13f66a3e1038739d0f233b3ad_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3604 wrote to memory of 4756	3604	2025-01-22_f6a5f2a13f66a3e1038739d0f233b3ad_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3604 wrote to memory of 4188	3604	2025-01-22_f6a5f2a13f66a3e1038739d0f233b3ad_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3604 wrote to memory of 4188	3604	2025-01-22_f6a5f2a13f66a3e1038739d0f233b3ad_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3604 wrote to memory of 2656	3604	2025-01-22_f6a5f2a13f66a3e1038739d0f233b3ad_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3604 wrote to memory of 2656	3604	2025-01-22_f6a5f2a13f66a3e1038739d0f233b3ad_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3604 wrote to memory of 1076	3604	2025-01-22_f6a5f2a13f66a3e1038739d0f233b3ad_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3604 wrote to memory of 1076	3604	2025-01-22_f6a5f2a13f66a3e1038739d0f233b3ad_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3604 wrote to memory of 1832	3604	2025-01-22_f6a5f2a13f66a3e1038739d0f233b3ad_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3604 wrote to memory of 1832	3604	2025-01-22_f6a5f2a13f66a3e1038739d0f233b3ad_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3604 wrote to memory of 1412	3604	2025-01-22_f6a5f2a13f66a3e1038739d0f233b3ad_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3604 wrote to memory of 1412	3604	2025-01-22_f6a5f2a13f66a3e1038739d0f233b3ad_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3604 wrote to memory of 4740	3604	2025-01-22_f6a5f2a13f66a3e1038739d0f233b3ad_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3604 wrote to memory of 4740	3604	2025-01-22_f6a5f2a13f66a3e1038739d0f233b3ad_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3604 wrote to memory of 5040	3604	2025-01-22_f6a5f2a13f66a3e1038739d0f233b3ad_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 3604 wrote to memory of 5040	3604	2025-01-22_f6a5f2a13f66a3e1038739d0f233b3ad_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2025-01-22_f6a5f2a13f66a3e1038739d0f233b3ad_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-22_f6a5f2a13f66a3e1038739d0f233b3ad_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3604
- C:\Windows\System\dqUrGnH.exe
  C:\Windows\System\dqUrGnH.exe
  2⤵
  - Executes dropped EXE
  PID:536
- C:\Windows\System\NhrhVEb.exe
  C:\Windows\System\NhrhVEb.exe
  2⤵
  - Executes dropped EXE
  PID:228
- C:\Windows\System\MOWYQnf.exe
  C:\Windows\System\MOWYQnf.exe
  2⤵
  - Executes dropped EXE
  PID:4492
- C:\Windows\System\dMsaXsY.exe
  C:\Windows\System\dMsaXsY.exe
  2⤵
  - Executes dropped EXE
  PID:4708
- C:\Windows\System\ltBnFse.exe
  C:\Windows\System\ltBnFse.exe
  2⤵
  - Executes dropped EXE
  PID:3148
- C:\Windows\System\IrPgvVO.exe
  C:\Windows\System\IrPgvVO.exe
  2⤵
  - Executes dropped EXE
  PID:4004
- C:\Windows\System\uAtDoVL.exe
  C:\Windows\System\uAtDoVL.exe
  2⤵
  - Executes dropped EXE
  PID:4460
- C:\Windows\System\UGHnQnM.exe
  C:\Windows\System\UGHnQnM.exe
  2⤵
  - Executes dropped EXE
  PID:724
- C:\Windows\System\XohnNfT.exe
  C:\Windows\System\XohnNfT.exe
  2⤵
  - Executes dropped EXE
  PID:4840
- C:\Windows\System\JcwdOqe.exe
  C:\Windows\System\JcwdOqe.exe
  2⤵
  - Executes dropped EXE
  PID:624
- C:\Windows\System\QjSlPtv.exe
  C:\Windows\System\QjSlPtv.exe
  2⤵
  - Executes dropped EXE
  PID:2008
- C:\Windows\System\OzEmymS.exe
  C:\Windows\System\OzEmymS.exe
  2⤵
  - Executes dropped EXE
  PID:4176
- C:\Windows\System\gOMKwHD.exe
  C:\Windows\System\gOMKwHD.exe
  2⤵
  - Executes dropped EXE
  PID:4052
- C:\Windows\System\nmRohqL.exe
  C:\Windows\System\nmRohqL.exe
  2⤵
  - Executes dropped EXE
  PID:4756
- C:\Windows\System\IIstAlC.exe
  C:\Windows\System\IIstAlC.exe
  2⤵
  - Executes dropped EXE
  PID:4188
- C:\Windows\System\VcdRNPe.exe
  C:\Windows\System\VcdRNPe.exe
  2⤵
  - Executes dropped EXE
  PID:2656
- C:\Windows\System\EmSlbiX.exe
  C:\Windows\System\EmSlbiX.exe
  2⤵
  - Executes dropped EXE
  PID:1076
- C:\Windows\System\uwyzQwe.exe
  C:\Windows\System\uwyzQwe.exe
  2⤵
  - Executes dropped EXE
  PID:1832
- C:\Windows\System\mdXzKsn.exe
  C:\Windows\System\mdXzKsn.exe
  2⤵
  - Executes dropped EXE
  PID:1412
- C:\Windows\System\Sutfxhk.exe
  C:\Windows\System\Sutfxhk.exe
  2⤵
  - Executes dropped EXE
  PID:4740
- C:\Windows\System\YmfYtNd.exe
  C:\Windows\System\YmfYtNd.exe
  2⤵
  - Executes dropped EXE
  PID:5040

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\EmSlbiX.exe

Filesize
5.2MB

MD5
48998252e3c19f15c1d37ccfaa25c65a

SHA1
77dbaabc44fa2145b50cbf544b2a3012f23d5b27

SHA256
e0d96a9202e178860c6cc30dfe10e8068ae41d5d92b90e9f50edb0209a522a18

SHA512
b345d4ddb7ebd38384b937463d8aae0d5c38a503d2925151dd3d2ee3782a7bf51b30dbbe64d3a9ac2258391d040910a99e7302387e4f955b20865f9a7898184b

Download Submit
C:\Windows\System\IIstAlC.exe

Filesize
5.2MB

MD5
3eafaf9f5d963271cf2a70c28455f99e

SHA1
6cc68f05e4c4943a6b7e09fbac3c36e256d18c1f

SHA256
e8a614c17d3bf9900f69c068ef4af165e5e1f9a49e1ea5d3015c9be0916f0be5

SHA512
2a906cbb61f5e276a8ee118c4d81b4b70a04a253457a8d8e4b115b9707361e925e42c5e7816288027d8d4056607c777ac9b5d2f322bf99dbed8adf77f63c6253

Download Submit
C:\Windows\System\IrPgvVO.exe

Filesize
5.2MB

MD5
9028e540569a6b900a0fc1f46d56256a

SHA1
aeec10847385a68519ee11fe2bdb4e08bb87601a

SHA256
76085a78df9e740d7d802cc2cefd957cd0c19bdf065098c0b9b22c6a89d5cddd

SHA512
41f8c9b4b952b21d5ca2b7d635a0775ce9d99a657ab2189f8b706f9a7aa44a94f2e534b5303a23221715bc716076fee4caca4b7765285557559d83c2b262e027

Download Submit
C:\Windows\System\JcwdOqe.exe

Filesize
5.2MB

MD5
396e235a9697d07b11107baf99745e9d

SHA1
f39aac935b7ab038fbfab3a7d2dbdebb7212f57d

SHA256
f95a0be882f70bd86494a6294639c6f7d1748b4d271ba1b774b7b4e49efa6596

SHA512
153c15e7db90c8e34d23d90eb44f4a35df9ca263560f3a4cf70dcf7dce249691f149087b9790c64c6f4071c8164412ffbbb4fd65dde3be240aa5994a3b362900

Download Submit
C:\Windows\System\MOWYQnf.exe

Filesize
5.2MB

MD5
c269cb57a4b511a350ad876f58265f06

SHA1
72b7659175c1fc25a708b28e20ab9d48c147c2e6

SHA256
476d35c3e12593636659ded00978f169246d63d0e1bcbc72c2602ad816562a50

SHA512
a4e98cae21bc06b02400f1e02780d80fd618d9d8ce72313a4b388629f3bd713ac6948b5fbb84282a09077f1d50b20ec4891b559387fbfe49caf30f1207838022

Download Submit
C:\Windows\System\NhrhVEb.exe

Filesize
5.2MB

MD5
d6ab36479f9b03c198531dc26497608b

SHA1
98d7ccafa46865ffff1273a09161f561da1719df

SHA256
4a5002352f79b9212ebbd29770016a91584916e328b2abf483cadb8d589b5efe

SHA512
5e0074f55dbf06814dc3d26d96346d26cc42bdc60437aaa09a7c20c01723aaad899a96dd6fd1fbe4a7126a438345aac954c6cd7cae5227a4b1de9fcbe0114e25

Download Submit
C:\Windows\System\OzEmymS.exe

Filesize
5.2MB

MD5
79ad0ce9365301f1b0d59f847d837703

SHA1
2870af378c525ed69048240d962ce376c5ad1eab

SHA256
d1244a55107f72a2f3a95fef4ea22c521f78cd6771e6da3f176f2581e5324a4c

SHA512
37e27d3ff823838c34c7fe10e5473df370d8d5023a116f1086c4a5904f1e7335b21c75379526e5f0d4a8358e35a7bf0f1ab0c738682d449abdc1c4a3be8272d9

Download Submit
C:\Windows\System\QjSlPtv.exe

Filesize
5.2MB

MD5
ed37bf952be38b45b0a0362f420c56a2

SHA1
5a2b1595eb030b7b445ace11d0642d98b425d5c4

SHA256
3d521a42373904272d957c5216db717bb8fa30158140e5f507711f33555c533a

SHA512
634c18d9fd6fc5f8225a85d8a8c268b6ec46c1672e5b40e13d6d7d2a054d00b758203c179422558512a9cacdd880a3f204ea27f91df2eb75e521e6229a445103

Download Submit
C:\Windows\System\Sutfxhk.exe

Filesize
5.2MB

MD5
75086463125136bf7ecf62ba177e3f7b

SHA1
c7a983510f9fb512d38c600f9d0e4c83a8154af2

SHA256
8cec1327848a0a674b5cc7aafca30a67b667e3a929219df77653378b0c2767a7

SHA512
c0e4db606bee917724d40d5b3603a4e39ea198400215ce041fec55fd3ec109cd1a42a303ff9bf8580b414c1fb294237098ebb48a6871b3ef5a4b780736692241

Download Submit
C:\Windows\System\UGHnQnM.exe

Filesize
5.2MB

MD5
11dfcc37b1f59a060c7288ee0b38a1d0

SHA1
d63e435f3fc29d7e1bff2aee2505b1758fd478fd

SHA256
cc1f098c88773278ec3f7aff1f4b6545dcce1a703e514ebacb0be8333b7c20c6

SHA512
a6007782738a69b4e1e982a42df2cb231dac9cb7e84d85ff7e2a7dc520c21b761a2d8abd99e7f6511af169cc2a2e2db0dfaea7c018b29619a98fed599fc10071

Download Submit
C:\Windows\System\VcdRNPe.exe

Filesize
5.2MB

MD5
cd8ad680248166917b08c2b01da862bf

SHA1
d4d1f67aa9bb9aab29d61f26134df23547415bac

SHA256
2c268fd0424dc6e7471d1a3539b4427ade22bbc2eb26abe978d0e621bf19ea20

SHA512
aed3fa78997eb61906caa4174f8b52b1fa814b3d97d964021bfe93d406fed0a1461a91b65b4adcfef62ac95444ffc8978ee7b3e53e8b72271b83e9ecf99ec2cc

Download Submit
C:\Windows\System\XohnNfT.exe

Filesize
5.2MB

MD5
48b484eae87c591c875a85e28a82a12a

SHA1
5acbc32b494b4e2803f77b777a27fecc3ae46c43

SHA256
f7909cd0a3d7f29442c950db3720f81b6ef26c8dc0f0fbc8c82fb330e1f07bbc

SHA512
c0a33f65acf6509c2667e32a1152e51a9157fd620fdfc447aad5d1a9105c2fe513ab561f3d924db6b10d4f488886f55da00cbcfb53b9323b610306eaf61b99bb

Download Submit
C:\Windows\System\YmfYtNd.exe

Filesize
5.2MB

MD5
e4da7fe08d73fb3348036eb99681433f

SHA1
4335d2f2a649b828810d10aff9a07b1ecec4d65e

SHA256
4f92d87f602fcc18c9574ce29a423bbdf2f09ab6ebdc17895808687a8c75f6c2

SHA512
32384c8d54194e269247721ac9e096d37dbce83eb8f5fd141f1255745cffe04434b7e281eb1dfb0f6e549edaf4767e239ca96199250f96e50c5859150f84bb21

Download Submit
C:\Windows\System\dMsaXsY.exe

Filesize
5.2MB

MD5
b0f78e0311bd665a9729d5af50bcb74a

SHA1
fa577ac3a2029247da307900d54fae431416e3ee

SHA256
5f23be7160d851bef6ed226fb4b96a14868887f3902715d2d07ad572704c9f60

SHA512
ac36e75f383634cc1a5c04e158ef9e1120af9721bb40b3e4a3142408226916246f01e77b9bcf173625efcb511ab2a29920f9e57076d6dc0fb0366c1f9d919646

Download Submit
C:\Windows\System\dqUrGnH.exe

Filesize
5.2MB

MD5
4945f5b8cc5015da2b80f1bf19caef6d

SHA1
bd33170c0ca41385c3422baceac35240c29dac7e

SHA256
00691ecd0b8967a25e8e5459a39e1e942b171993ec45faa76b943f2502ba9131

SHA512
582157d6da6438af17671c6869533fb028bb4ada0b956cf3a48da9b2cb9c5db559fc62280a6b53a91c7cf60d7a53dcc474e2fe9291c4042c5f8dfc0f4fac2f78

Download Submit
C:\Windows\System\gOMKwHD.exe

Filesize
5.2MB

MD5
a8feade12cdd7198a06fb08137f36c7b

SHA1
e12b191cf57b26e75e77b12057eeb01f44cf0af4

SHA256
ca6c3d513b3a2746b87f12ff8ce9da5a4066191cd4fc9353aca9b240d2e28d83

SHA512
31540ad083aad2d6076d4c92f67e5b7cac8324a47c9c4706f0070f79094278c748fcd0d77d913ae38f738c687eb808a5b308c14b84f54f543d6f698d5780c01f

Download Submit
C:\Windows\System\ltBnFse.exe

Filesize
5.2MB

MD5
611c1a242f00518d071ff7ce610aae55

SHA1
2bb0602a77f83fcbfacb8f3742489ef49f1fd4b7

SHA256
6fb6a68cb5dbd4107b18365d2234304bd4d169555678cfa0d4086a78f871d3a3

SHA512
c2012d02bfe1e11dc866b5b779e0284dad8fce04e1755141ea583fb67a032c779060ad29b7be56769ff4e285a4291b2f9db05c734115e347750e38e03c1c19e0

Download Submit
C:\Windows\System\mdXzKsn.exe

Filesize
5.2MB

MD5
b8d28026c648b4fe2e8f28010f6d9235

SHA1
12c706cfd6620cbbbdafab540dcab521c17c9682

SHA256
07740253e00f6681febbede922a4ff05568b1dbc1f0d8eb0e253ac017c393685

SHA512
b405d4491f34be187a8cac0c76d38f29254b5630d9dd1afeda741b44043240c534fcd1d58a7b263b0a383ead2ac590fe25de3bfebf5f85166361fafd802d6354

Download Submit
C:\Windows\System\nmRohqL.exe

Filesize
5.2MB

MD5
576129f5abceb50706af82d27012ffad

SHA1
9edef40215554287d5d5706f96e2841dc024c092

SHA256
8bc77afc981d5e0fd3959d6b08130020a031fedb5967f7572ac92bcd9533e30c

SHA512
af9bf227e703c1de06fdc0deca86c081348c1a271ba900f38db173b6b67d3129c0295f412e5c15947321ac22733722299b68385e99208795395516d47de28629

Download Submit
C:\Windows\System\uAtDoVL.exe

Filesize
5.2MB

MD5
021b176b81ea2d2595d044cd7ba39063

SHA1
406773d5b71d3e6e9ed60063a0f41f202467645e

SHA256
0638be61cd0e5d422c51bd660c7484c1b5f3dd5f9bbdbdbb9322ab5fc9c2fe1e

SHA512
d397638ededa2d4aafae1b37940355988a95b96d4181a544d6e13c9162b1b7666b9e4230978b97c9ceab103e8fb64504d7a4b4c677c855e87b354f24c7a3d800

Download Submit
C:\Windows\System\uwyzQwe.exe

Filesize
5.2MB

MD5
3a132ba23f792fac2ca0830a607fedbd

SHA1
d63e9aa1d29151148b37632c72642682343f3f37

SHA256
bae789f3b7e7c09aea10b15fe0e3feca46120f325333ee94aeecdba9213d2974

SHA512
a4fedf530f3c4e8fd39e7a875cad7a0910d87962718f325ca68421ed0f170d20761c8f63da1f300a474677f4d0ad6257e4368518ebb68b8f314b66a6df9f72bb

Download Submit
memory/228-20-0x00007FF6C7B30000-0x00007FF6C7E81000-memory.dmp

Filesize
3.3MB

Download
memory/228-212-0x00007FF6C7B30000-0x00007FF6C7E81000-memory.dmp

Filesize
3.3MB

Download
memory/536-7-0x00007FF6FD5A0000-0x00007FF6FD8F1000-memory.dmp

Filesize
3.3MB

Download
memory/536-210-0x00007FF6FD5A0000-0x00007FF6FD8F1000-memory.dmp

Filesize
3.3MB

Download
memory/536-75-0x00007FF6FD5A0000-0x00007FF6FD8F1000-memory.dmp

Filesize
3.3MB

Download
memory/624-132-0x00007FF62EC20000-0x00007FF62EF71000-memory.dmp

Filesize
3.3MB

Download
memory/624-60-0x00007FF62EC20000-0x00007FF62EF71000-memory.dmp

Filesize
3.3MB

Download
memory/624-232-0x00007FF62EC20000-0x00007FF62EF71000-memory.dmp

Filesize
3.3MB

Download
memory/724-114-0x00007FF68B660000-0x00007FF68B9B1000-memory.dmp

Filesize
3.3MB

Download
memory/724-46-0x00007FF68B660000-0x00007FF68B9B1000-memory.dmp

Filesize
3.3MB

Download
memory/724-222-0x00007FF68B660000-0x00007FF68B9B1000-memory.dmp

Filesize
3.3MB

Download
memory/1076-255-0x00007FF7A28D0000-0x00007FF7A2C21000-memory.dmp

Filesize
3.3MB

Download
memory/1076-138-0x00007FF7A28D0000-0x00007FF7A2C21000-memory.dmp

Filesize
3.3MB

Download
memory/1412-258-0x00007FF781920000-0x00007FF781C71000-memory.dmp

Filesize
3.3MB

Download
memory/1412-141-0x00007FF781920000-0x00007FF781C71000-memory.dmp

Filesize
3.3MB

Download
memory/1832-259-0x00007FF7B53E0000-0x00007FF7B5731000-memory.dmp

Filesize
3.3MB

Download
memory/1832-139-0x00007FF7B53E0000-0x00007FF7B5731000-memory.dmp

Filesize
3.3MB

Download
memory/2008-137-0x00007FF6E1740000-0x00007FF6E1A91000-memory.dmp

Filesize
3.3MB

Download
memory/2008-65-0x00007FF6E1740000-0x00007FF6E1A91000-memory.dmp

Filesize
3.3MB

Download
memory/2008-231-0x00007FF6E1740000-0x00007FF6E1A91000-memory.dmp

Filesize
3.3MB

Download
memory/2656-101-0x00007FF65E190000-0x00007FF65E4E1000-memory.dmp

Filesize
3.3MB

Download
memory/2656-149-0x00007FF65E190000-0x00007FF65E4E1000-memory.dmp

Filesize
3.3MB

Download
memory/2656-246-0x00007FF65E190000-0x00007FF65E4E1000-memory.dmp

Filesize
3.3MB

Download
memory/3148-33-0x00007FF7D7B50000-0x00007FF7D7EA1000-memory.dmp

Filesize
3.3MB

Download
memory/3148-87-0x00007FF7D7B50000-0x00007FF7D7EA1000-memory.dmp

Filesize
3.3MB

Download
memory/3148-218-0x00007FF7D7B50000-0x00007FF7D7EA1000-memory.dmp

Filesize
3.3MB

Download
memory/3604-0-0x00007FF789080000-0x00007FF7893D1000-memory.dmp

Filesize
3.3MB

Download
memory/3604-68-0x00007FF789080000-0x00007FF7893D1000-memory.dmp

Filesize
3.3MB

Download
memory/3604-1-0x0000020F13890000-0x0000020F138A0000-memory.dmp

Filesize
64KB

Download
memory/3604-173-0x00007FF789080000-0x00007FF7893D1000-memory.dmp

Filesize
3.3MB

Download
memory/3604-151-0x00007FF789080000-0x00007FF7893D1000-memory.dmp

Filesize
3.3MB

Download
memory/4004-220-0x00007FF7008E0000-0x00007FF700C31000-memory.dmp

Filesize
3.3MB

Download
memory/4004-110-0x00007FF7008E0000-0x00007FF700C31000-memory.dmp

Filesize
3.3MB

Download
memory/4004-36-0x00007FF7008E0000-0x00007FF700C31000-memory.dmp

Filesize
3.3MB

Download
memory/4052-94-0x00007FF6366C0000-0x00007FF636A11000-memory.dmp

Filesize
3.3MB

Download
memory/4052-242-0x00007FF6366C0000-0x00007FF636A11000-memory.dmp

Filesize
3.3MB

Download
memory/4176-81-0x00007FF7B7340000-0x00007FF7B7691000-memory.dmp

Filesize
3.3MB

Download
memory/4176-240-0x00007FF7B7340000-0x00007FF7B7691000-memory.dmp

Filesize
3.3MB

Download
memory/4188-100-0x00007FF67D4E0000-0x00007FF67D831000-memory.dmp

Filesize
3.3MB

Download
memory/4188-248-0x00007FF67D4E0000-0x00007FF67D831000-memory.dmp

Filesize
3.3MB

Download
memory/4460-224-0x00007FF77A250000-0x00007FF77A5A1000-memory.dmp

Filesize
3.3MB

Download
memory/4460-112-0x00007FF77A250000-0x00007FF77A5A1000-memory.dmp

Filesize
3.3MB

Download
memory/4460-45-0x00007FF77A250000-0x00007FF77A5A1000-memory.dmp

Filesize
3.3MB

Download
memory/4492-26-0x00007FF6D53C0000-0x00007FF6D5711000-memory.dmp

Filesize
3.3MB

Download
memory/4492-78-0x00007FF6D53C0000-0x00007FF6D5711000-memory.dmp

Filesize
3.3MB

Download
memory/4492-214-0x00007FF6D53C0000-0x00007FF6D5711000-memory.dmp

Filesize
3.3MB

Download
memory/4708-99-0x00007FF7EF110000-0x00007FF7EF461000-memory.dmp

Filesize
3.3MB

Download
memory/4708-216-0x00007FF7EF110000-0x00007FF7EF461000-memory.dmp

Filesize
3.3MB

Download
memory/4708-29-0x00007FF7EF110000-0x00007FF7EF461000-memory.dmp

Filesize
3.3MB

Download
memory/4740-263-0x00007FF72FB90000-0x00007FF72FEE1000-memory.dmp

Filesize
3.3MB

Download
memory/4740-142-0x00007FF72FB90000-0x00007FF72FEE1000-memory.dmp

Filesize
3.3MB

Download
memory/4756-244-0x00007FF68FC50000-0x00007FF68FFA1000-memory.dmp

Filesize
3.3MB

Download
memory/4756-97-0x00007FF68FC50000-0x00007FF68FFA1000-memory.dmp

Filesize
3.3MB

Download
memory/4840-226-0x00007FF6FA1F0000-0x00007FF6FA541000-memory.dmp

Filesize
3.3MB

Download
memory/4840-55-0x00007FF6FA1F0000-0x00007FF6FA541000-memory.dmp

Filesize
3.3MB

Download
memory/4840-115-0x00007FF6FA1F0000-0x00007FF6FA541000-memory.dmp

Filesize
3.3MB

Download
memory/5040-166-0x00007FF74C610000-0x00007FF74C961000-memory.dmp

Filesize
3.3MB

Download
memory/5040-143-0x00007FF74C610000-0x00007FF74C961000-memory.dmp

Filesize
3.3MB

Download
memory/5040-262-0x00007FF74C610000-0x00007FF74C961000-memory.dmp

Filesize
3.3MB

Download