cobaltstrike | 17599344f8771ed8185b2ffc42c41a4a1867a7fa85db1aad55edf711880fafd1

Analysis

max time kernel
142s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
03/07/2024, 07:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-03_32749dea18a574efe9e6cb6825051e93_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

32749dea18a574efe9e6cb6825051e93
SHA1

d5f5344a2ddeecfd66e5c0fa005c8800ef785502
SHA256

17599344f8771ed8185b2ffc42c41a4a1867a7fa85db1aad55edf711880fafd1
SHA512

0879f5cefd71613718d30b8e9d7d7493e14128f0e7ca261e441e4a1991c01e445f3181efaa889223c335c1eaf36a5b0c657882e045a526fb1f330c6387477593
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUS:Q+856utgpPF8u/7S

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0008000000023545-4.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002354a-9.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023549-11.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002354b-24.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002354c-30.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023546-35.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002354d-41.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002354e-47.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023550-53.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023551-65.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023554-76.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023555-88.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023552-74.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023553-70.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023556-92.dat	cobalt_reflective_dll
behavioral2/files/0x000400000001e707-101.dat	cobalt_reflective_dll
behavioral2/files/0x0002000000023121-105.dat	cobalt_reflective_dll
behavioral2/files/0x000d0000000234a9-113.dat	cobalt_reflective_dll
behavioral2/files/0x000b0000000234be-120.dat	cobalt_reflective_dll
behavioral2/files/0x000d0000000234bf-126.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023559-132.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/2624-0-0x00007FF7C8A40000-0x00007FF7C8D94000-memory.dmp	xmrig
behavioral2/files/0x0008000000023545-4.dat	xmrig
behavioral2/memory/4328-7-0x00007FF7445F0000-0x00007FF744944000-memory.dmp	xmrig
behavioral2/files/0x000700000002354a-9.dat	xmrig
behavioral2/files/0x0007000000023549-11.dat	xmrig
behavioral2/files/0x000700000002354b-24.dat	xmrig
behavioral2/memory/1356-20-0x00007FF62CC70000-0x00007FF62CFC4000-memory.dmp	xmrig
behavioral2/memory/4184-14-0x00007FF79C790000-0x00007FF79CAE4000-memory.dmp	xmrig
behavioral2/memory/1648-26-0x00007FF626FF0000-0x00007FF627344000-memory.dmp	xmrig
behavioral2/files/0x000700000002354c-30.dat	xmrig
behavioral2/files/0x0008000000023546-35.dat	xmrig
behavioral2/memory/3904-36-0x00007FF6AEFE0000-0x00007FF6AF334000-memory.dmp	xmrig
behavioral2/files/0x000700000002354d-41.dat	xmrig
behavioral2/memory/1832-34-0x00007FF784FE0000-0x00007FF785334000-memory.dmp	xmrig
behavioral2/memory/876-43-0x00007FF70FDE0000-0x00007FF710134000-memory.dmp	xmrig
behavioral2/files/0x000700000002354e-47.dat	xmrig
behavioral2/memory/3452-48-0x00007FF77D5C0000-0x00007FF77D914000-memory.dmp	xmrig
behavioral2/files/0x0007000000023550-53.dat	xmrig
behavioral2/files/0x0007000000023551-65.dat	xmrig
behavioral2/memory/2624-69-0x00007FF7C8A40000-0x00007FF7C8D94000-memory.dmp	xmrig
behavioral2/files/0x0007000000023554-76.dat	xmrig
behavioral2/memory/4780-83-0x00007FF7EAC40000-0x00007FF7EAF94000-memory.dmp	xmrig
behavioral2/files/0x0007000000023555-88.dat	xmrig
behavioral2/memory/4736-87-0x00007FF672050000-0x00007FF6723A4000-memory.dmp	xmrig
behavioral2/memory/4184-84-0x00007FF79C790000-0x00007FF79CAE4000-memory.dmp	xmrig
behavioral2/memory/4328-81-0x00007FF7445F0000-0x00007FF744944000-memory.dmp	xmrig
behavioral2/memory/2984-80-0x00007FF66F270000-0x00007FF66F5C4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023552-74.dat	xmrig
behavioral2/memory/5112-72-0x00007FF622E70000-0x00007FF6231C4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023553-70.dat	xmrig
behavioral2/memory/4872-67-0x00007FF7B7A00000-0x00007FF7B7D54000-memory.dmp	xmrig
behavioral2/memory/1524-63-0x00007FF640520000-0x00007FF640874000-memory.dmp	xmrig
behavioral2/files/0x0007000000023556-92.dat	xmrig
behavioral2/memory/1356-95-0x00007FF62CC70000-0x00007FF62CFC4000-memory.dmp	xmrig
behavioral2/memory/4916-99-0x00007FF639FE0000-0x00007FF63A334000-memory.dmp	xmrig
behavioral2/files/0x000400000001e707-101.dat	xmrig
behavioral2/memory/4268-100-0x00007FF758340000-0x00007FF758694000-memory.dmp	xmrig
behavioral2/files/0x0002000000023121-105.dat	xmrig
behavioral2/files/0x000d0000000234a9-113.dat	xmrig
behavioral2/files/0x000b0000000234be-120.dat	xmrig
behavioral2/memory/2220-118-0x00007FF7CC530000-0x00007FF7CC884000-memory.dmp	xmrig
behavioral2/memory/4716-122-0x00007FF7159C0000-0x00007FF715D14000-memory.dmp	xmrig
behavioral2/memory/3904-115-0x00007FF6AEFE0000-0x00007FF6AF334000-memory.dmp	xmrig
behavioral2/memory/3628-111-0x00007FF686710000-0x00007FF686A64000-memory.dmp	xmrig
behavioral2/memory/1832-108-0x00007FF784FE0000-0x00007FF785334000-memory.dmp	xmrig
behavioral2/files/0x000d0000000234bf-126.dat	xmrig
behavioral2/memory/1524-130-0x00007FF640520000-0x00007FF640874000-memory.dmp	xmrig
behavioral2/memory/3452-128-0x00007FF77D5C0000-0x00007FF77D914000-memory.dmp	xmrig
behavioral2/files/0x0008000000023559-132.dat	xmrig
behavioral2/memory/4336-131-0x00007FF789A60000-0x00007FF789DB4000-memory.dmp	xmrig
behavioral2/memory/3476-136-0x00007FF6EA790000-0x00007FF6EAAE4000-memory.dmp	xmrig
behavioral2/memory/4872-135-0x00007FF7B7A00000-0x00007FF7B7D54000-memory.dmp	xmrig
behavioral2/memory/4780-137-0x00007FF7EAC40000-0x00007FF7EAF94000-memory.dmp	xmrig
behavioral2/memory/4736-138-0x00007FF672050000-0x00007FF6723A4000-memory.dmp	xmrig
behavioral2/memory/4268-139-0x00007FF758340000-0x00007FF758694000-memory.dmp	xmrig
behavioral2/memory/4328-140-0x00007FF7445F0000-0x00007FF744944000-memory.dmp	xmrig
behavioral2/memory/4184-141-0x00007FF79C790000-0x00007FF79CAE4000-memory.dmp	xmrig
behavioral2/memory/1356-142-0x00007FF62CC70000-0x00007FF62CFC4000-memory.dmp	xmrig
behavioral2/memory/1648-143-0x00007FF626FF0000-0x00007FF627344000-memory.dmp	xmrig
behavioral2/memory/1832-144-0x00007FF784FE0000-0x00007FF785334000-memory.dmp	xmrig
behavioral2/memory/3904-146-0x00007FF6AEFE0000-0x00007FF6AF334000-memory.dmp	xmrig
behavioral2/memory/876-145-0x00007FF70FDE0000-0x00007FF710134000-memory.dmp	xmrig
behavioral2/memory/3452-147-0x00007FF77D5C0000-0x00007FF77D914000-memory.dmp	xmrig
behavioral2/memory/1524-148-0x00007FF640520000-0x00007FF640874000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4328	QThtvZW.exe
4184	zWgIjsV.exe
1356	OUPkzuy.exe
1648	NjikMhV.exe
1832	ZVmoiEj.exe
3904	yRVztiW.exe
876	nTgxBfc.exe
3452	QhxfcDq.exe
1524	tWmuQre.exe
5112	wKgSIZq.exe
4872	mcRaOUF.exe
2984	xEGOuDM.exe
4780	qBmBgvs.exe
4736	gdFOECB.exe
4916	SuGkimT.exe
4268	NEsFXwQ.exe
3628	HKFFCeQ.exe
2220	gWWfsxz.exe
4716	SWqGCyC.exe
4336	plxoWmZ.exe
3476	CMukjJG.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2624-0-0x00007FF7C8A40000-0x00007FF7C8D94000-memory.dmp	upx
behavioral2/files/0x0008000000023545-4.dat	upx
behavioral2/memory/4328-7-0x00007FF7445F0000-0x00007FF744944000-memory.dmp	upx
behavioral2/files/0x000700000002354a-9.dat	upx
behavioral2/files/0x0007000000023549-11.dat	upx
behavioral2/files/0x000700000002354b-24.dat	upx
behavioral2/memory/1356-20-0x00007FF62CC70000-0x00007FF62CFC4000-memory.dmp	upx
behavioral2/memory/4184-14-0x00007FF79C790000-0x00007FF79CAE4000-memory.dmp	upx
behavioral2/memory/1648-26-0x00007FF626FF0000-0x00007FF627344000-memory.dmp	upx
behavioral2/files/0x000700000002354c-30.dat	upx
behavioral2/files/0x0008000000023546-35.dat	upx
behavioral2/memory/3904-36-0x00007FF6AEFE0000-0x00007FF6AF334000-memory.dmp	upx
behavioral2/files/0x000700000002354d-41.dat	upx
behavioral2/memory/1832-34-0x00007FF784FE0000-0x00007FF785334000-memory.dmp	upx
behavioral2/memory/876-43-0x00007FF70FDE0000-0x00007FF710134000-memory.dmp	upx
behavioral2/files/0x000700000002354e-47.dat	upx
behavioral2/memory/3452-48-0x00007FF77D5C0000-0x00007FF77D914000-memory.dmp	upx
behavioral2/files/0x0007000000023550-53.dat	upx
behavioral2/files/0x0007000000023551-65.dat	upx
behavioral2/memory/2624-69-0x00007FF7C8A40000-0x00007FF7C8D94000-memory.dmp	upx
behavioral2/files/0x0007000000023554-76.dat	upx
behavioral2/memory/4780-83-0x00007FF7EAC40000-0x00007FF7EAF94000-memory.dmp	upx
behavioral2/files/0x0007000000023555-88.dat	upx
behavioral2/memory/4736-87-0x00007FF672050000-0x00007FF6723A4000-memory.dmp	upx
behavioral2/memory/4184-84-0x00007FF79C790000-0x00007FF79CAE4000-memory.dmp	upx
behavioral2/memory/4328-81-0x00007FF7445F0000-0x00007FF744944000-memory.dmp	upx
behavioral2/memory/2984-80-0x00007FF66F270000-0x00007FF66F5C4000-memory.dmp	upx
behavioral2/files/0x0007000000023552-74.dat	upx
behavioral2/memory/5112-72-0x00007FF622E70000-0x00007FF6231C4000-memory.dmp	upx
behavioral2/files/0x0007000000023553-70.dat	upx
behavioral2/memory/4872-67-0x00007FF7B7A00000-0x00007FF7B7D54000-memory.dmp	upx
behavioral2/memory/1524-63-0x00007FF640520000-0x00007FF640874000-memory.dmp	upx
behavioral2/files/0x0007000000023556-92.dat	upx
behavioral2/memory/1356-95-0x00007FF62CC70000-0x00007FF62CFC4000-memory.dmp	upx
behavioral2/memory/4916-99-0x00007FF639FE0000-0x00007FF63A334000-memory.dmp	upx
behavioral2/files/0x000400000001e707-101.dat	upx
behavioral2/memory/4268-100-0x00007FF758340000-0x00007FF758694000-memory.dmp	upx
behavioral2/files/0x0002000000023121-105.dat	upx
behavioral2/files/0x000d0000000234a9-113.dat	upx
behavioral2/files/0x000b0000000234be-120.dat	upx
behavioral2/memory/2220-118-0x00007FF7CC530000-0x00007FF7CC884000-memory.dmp	upx
behavioral2/memory/4716-122-0x00007FF7159C0000-0x00007FF715D14000-memory.dmp	upx
behavioral2/memory/3904-115-0x00007FF6AEFE0000-0x00007FF6AF334000-memory.dmp	upx
behavioral2/memory/3628-111-0x00007FF686710000-0x00007FF686A64000-memory.dmp	upx
behavioral2/memory/1832-108-0x00007FF784FE0000-0x00007FF785334000-memory.dmp	upx
behavioral2/files/0x000d0000000234bf-126.dat	upx
behavioral2/memory/1524-130-0x00007FF640520000-0x00007FF640874000-memory.dmp	upx
behavioral2/memory/3452-128-0x00007FF77D5C0000-0x00007FF77D914000-memory.dmp	upx
behavioral2/files/0x0008000000023559-132.dat	upx
behavioral2/memory/4336-131-0x00007FF789A60000-0x00007FF789DB4000-memory.dmp	upx
behavioral2/memory/3476-136-0x00007FF6EA790000-0x00007FF6EAAE4000-memory.dmp	upx
behavioral2/memory/4872-135-0x00007FF7B7A00000-0x00007FF7B7D54000-memory.dmp	upx
behavioral2/memory/4780-137-0x00007FF7EAC40000-0x00007FF7EAF94000-memory.dmp	upx
behavioral2/memory/4736-138-0x00007FF672050000-0x00007FF6723A4000-memory.dmp	upx
behavioral2/memory/4268-139-0x00007FF758340000-0x00007FF758694000-memory.dmp	upx
behavioral2/memory/4328-140-0x00007FF7445F0000-0x00007FF744944000-memory.dmp	upx
behavioral2/memory/4184-141-0x00007FF79C790000-0x00007FF79CAE4000-memory.dmp	upx
behavioral2/memory/1356-142-0x00007FF62CC70000-0x00007FF62CFC4000-memory.dmp	upx
behavioral2/memory/1648-143-0x00007FF626FF0000-0x00007FF627344000-memory.dmp	upx
behavioral2/memory/1832-144-0x00007FF784FE0000-0x00007FF785334000-memory.dmp	upx
behavioral2/memory/3904-146-0x00007FF6AEFE0000-0x00007FF6AF334000-memory.dmp	upx
behavioral2/memory/876-145-0x00007FF70FDE0000-0x00007FF710134000-memory.dmp	upx
behavioral2/memory/3452-147-0x00007FF77D5C0000-0x00007FF77D914000-memory.dmp	upx
behavioral2/memory/1524-148-0x00007FF640520000-0x00007FF640874000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\NjikMhV.exe	2024-07-03_32749dea18a574efe9e6cb6825051e93_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tWmuQre.exe	2024-07-03_32749dea18a574efe9e6cb6825051e93_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SWqGCyC.exe	2024-07-03_32749dea18a574efe9e6cb6825051e93_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\plxoWmZ.exe	2024-07-03_32749dea18a574efe9e6cb6825051e93_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QThtvZW.exe	2024-07-03_32749dea18a574efe9e6cb6825051e93_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zWgIjsV.exe	2024-07-03_32749dea18a574efe9e6cb6825051e93_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZVmoiEj.exe	2024-07-03_32749dea18a574efe9e6cb6825051e93_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yRVztiW.exe	2024-07-03_32749dea18a574efe9e6cb6825051e93_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nTgxBfc.exe	2024-07-03_32749dea18a574efe9e6cb6825051e93_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gdFOECB.exe	2024-07-03_32749dea18a574efe9e6cb6825051e93_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NEsFXwQ.exe	2024-07-03_32749dea18a574efe9e6cb6825051e93_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OUPkzuy.exe	2024-07-03_32749dea18a574efe9e6cb6825051e93_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wKgSIZq.exe	2024-07-03_32749dea18a574efe9e6cb6825051e93_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SuGkimT.exe	2024-07-03_32749dea18a574efe9e6cb6825051e93_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HKFFCeQ.exe	2024-07-03_32749dea18a574efe9e6cb6825051e93_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CMukjJG.exe	2024-07-03_32749dea18a574efe9e6cb6825051e93_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QhxfcDq.exe	2024-07-03_32749dea18a574efe9e6cb6825051e93_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mcRaOUF.exe	2024-07-03_32749dea18a574efe9e6cb6825051e93_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xEGOuDM.exe	2024-07-03_32749dea18a574efe9e6cb6825051e93_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qBmBgvs.exe	2024-07-03_32749dea18a574efe9e6cb6825051e93_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gWWfsxz.exe	2024-07-03_32749dea18a574efe9e6cb6825051e93_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2624	2024-07-03_32749dea18a574efe9e6cb6825051e93_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2624	2024-07-03_32749dea18a574efe9e6cb6825051e93_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2624 wrote to memory of 4328	2624	2024-07-03_32749dea18a574efe9e6cb6825051e93_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 2624 wrote to memory of 4328	2624	2024-07-03_32749dea18a574efe9e6cb6825051e93_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 2624 wrote to memory of 4184	2624	2024-07-03_32749dea18a574efe9e6cb6825051e93_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2624 wrote to memory of 4184	2624	2024-07-03_32749dea18a574efe9e6cb6825051e93_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2624 wrote to memory of 1356	2624	2024-07-03_32749dea18a574efe9e6cb6825051e93_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2624 wrote to memory of 1356	2624	2024-07-03_32749dea18a574efe9e6cb6825051e93_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2624 wrote to memory of 1648	2624	2024-07-03_32749dea18a574efe9e6cb6825051e93_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2624 wrote to memory of 1648	2624	2024-07-03_32749dea18a574efe9e6cb6825051e93_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2624 wrote to memory of 1832	2624	2024-07-03_32749dea18a574efe9e6cb6825051e93_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2624 wrote to memory of 1832	2624	2024-07-03_32749dea18a574efe9e6cb6825051e93_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2624 wrote to memory of 3904	2624	2024-07-03_32749dea18a574efe9e6cb6825051e93_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2624 wrote to memory of 3904	2624	2024-07-03_32749dea18a574efe9e6cb6825051e93_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2624 wrote to memory of 876	2624	2024-07-03_32749dea18a574efe9e6cb6825051e93_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2624 wrote to memory of 876	2624	2024-07-03_32749dea18a574efe9e6cb6825051e93_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2624 wrote to memory of 3452	2624	2024-07-03_32749dea18a574efe9e6cb6825051e93_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2624 wrote to memory of 3452	2624	2024-07-03_32749dea18a574efe9e6cb6825051e93_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2624 wrote to memory of 1524	2624	2024-07-03_32749dea18a574efe9e6cb6825051e93_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2624 wrote to memory of 1524	2624	2024-07-03_32749dea18a574efe9e6cb6825051e93_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2624 wrote to memory of 5112	2624	2024-07-03_32749dea18a574efe9e6cb6825051e93_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2624 wrote to memory of 5112	2624	2024-07-03_32749dea18a574efe9e6cb6825051e93_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2624 wrote to memory of 4872	2624	2024-07-03_32749dea18a574efe9e6cb6825051e93_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2624 wrote to memory of 4872	2624	2024-07-03_32749dea18a574efe9e6cb6825051e93_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2624 wrote to memory of 2984	2624	2024-07-03_32749dea18a574efe9e6cb6825051e93_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2624 wrote to memory of 2984	2624	2024-07-03_32749dea18a574efe9e6cb6825051e93_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2624 wrote to memory of 4780	2624	2024-07-03_32749dea18a574efe9e6cb6825051e93_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2624 wrote to memory of 4780	2624	2024-07-03_32749dea18a574efe9e6cb6825051e93_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2624 wrote to memory of 4736	2624	2024-07-03_32749dea18a574efe9e6cb6825051e93_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2624 wrote to memory of 4736	2624	2024-07-03_32749dea18a574efe9e6cb6825051e93_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2624 wrote to memory of 4916	2624	2024-07-03_32749dea18a574efe9e6cb6825051e93_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2624 wrote to memory of 4916	2624	2024-07-03_32749dea18a574efe9e6cb6825051e93_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2624 wrote to memory of 4268	2624	2024-07-03_32749dea18a574efe9e6cb6825051e93_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2624 wrote to memory of 4268	2624	2024-07-03_32749dea18a574efe9e6cb6825051e93_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2624 wrote to memory of 3628	2624	2024-07-03_32749dea18a574efe9e6cb6825051e93_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2624 wrote to memory of 3628	2624	2024-07-03_32749dea18a574efe9e6cb6825051e93_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2624 wrote to memory of 2220	2624	2024-07-03_32749dea18a574efe9e6cb6825051e93_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2624 wrote to memory of 2220	2624	2024-07-03_32749dea18a574efe9e6cb6825051e93_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2624 wrote to memory of 4716	2624	2024-07-03_32749dea18a574efe9e6cb6825051e93_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 2624 wrote to memory of 4716	2624	2024-07-03_32749dea18a574efe9e6cb6825051e93_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 2624 wrote to memory of 4336	2624	2024-07-03_32749dea18a574efe9e6cb6825051e93_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 2624 wrote to memory of 4336	2624	2024-07-03_32749dea18a574efe9e6cb6825051e93_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 2624 wrote to memory of 3476	2624	2024-07-03_32749dea18a574efe9e6cb6825051e93_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 2624 wrote to memory of 3476	2624	2024-07-03_32749dea18a574efe9e6cb6825051e93_cobalt-strike_cobaltstrike_poet-rat.exe	106

C:\Users\Admin\AppData\Local\Temp\2024-07-03_32749dea18a574efe9e6cb6825051e93_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-03_32749dea18a574efe9e6cb6825051e93_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2624
- C:\Windows\System\QThtvZW.exe
  C:\Windows\System\QThtvZW.exe
  2⤵
  - Executes dropped EXE
  PID:4328
- C:\Windows\System\zWgIjsV.exe
  C:\Windows\System\zWgIjsV.exe
  2⤵
  - Executes dropped EXE
  PID:4184
- C:\Windows\System\OUPkzuy.exe
  C:\Windows\System\OUPkzuy.exe
  2⤵
  - Executes dropped EXE
  PID:1356
- C:\Windows\System\NjikMhV.exe
  C:\Windows\System\NjikMhV.exe
  2⤵
  - Executes dropped EXE
  PID:1648
- C:\Windows\System\ZVmoiEj.exe
  C:\Windows\System\ZVmoiEj.exe
  2⤵
  - Executes dropped EXE
  PID:1832
- C:\Windows\System\yRVztiW.exe
  C:\Windows\System\yRVztiW.exe
  2⤵
  - Executes dropped EXE
  PID:3904
- C:\Windows\System\nTgxBfc.exe
  C:\Windows\System\nTgxBfc.exe
  2⤵
  - Executes dropped EXE
  PID:876
- C:\Windows\System\QhxfcDq.exe
  C:\Windows\System\QhxfcDq.exe
  2⤵
  - Executes dropped EXE
  PID:3452
- C:\Windows\System\tWmuQre.exe
  C:\Windows\System\tWmuQre.exe
  2⤵
  - Executes dropped EXE
  PID:1524
- C:\Windows\System\wKgSIZq.exe
  C:\Windows\System\wKgSIZq.exe
  2⤵
  - Executes dropped EXE
  PID:5112
- C:\Windows\System\mcRaOUF.exe
  C:\Windows\System\mcRaOUF.exe
  2⤵
  - Executes dropped EXE
  PID:4872
- C:\Windows\System\xEGOuDM.exe
  C:\Windows\System\xEGOuDM.exe
  2⤵
  - Executes dropped EXE
  PID:2984
- C:\Windows\System\qBmBgvs.exe
  C:\Windows\System\qBmBgvs.exe
  2⤵
  - Executes dropped EXE
  PID:4780
- C:\Windows\System\gdFOECB.exe
  C:\Windows\System\gdFOECB.exe
  2⤵
  - Executes dropped EXE
  PID:4736
- C:\Windows\System\SuGkimT.exe
  C:\Windows\System\SuGkimT.exe
  2⤵
  - Executes dropped EXE
  PID:4916
- C:\Windows\System\NEsFXwQ.exe
  C:\Windows\System\NEsFXwQ.exe
  2⤵
  - Executes dropped EXE
  PID:4268
- C:\Windows\System\HKFFCeQ.exe
  C:\Windows\System\HKFFCeQ.exe
  2⤵
  - Executes dropped EXE
  PID:3628
- C:\Windows\System\gWWfsxz.exe
  C:\Windows\System\gWWfsxz.exe
  2⤵
  - Executes dropped EXE
  PID:2220
- C:\Windows\System\SWqGCyC.exe
  C:\Windows\System\SWqGCyC.exe
  2⤵
  - Executes dropped EXE
  PID:4716
- C:\Windows\System\plxoWmZ.exe
  C:\Windows\System\plxoWmZ.exe
  2⤵
  - Executes dropped EXE
  PID:4336
- C:\Windows\System\CMukjJG.exe
  C:\Windows\System\CMukjJG.exe
  2⤵
  - Executes dropped EXE
  PID:3476

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\CMukjJG.exe

Filesize
5.9MB

MD5
a3aefbb27f91e76dffdd938ed2cd0a1b

SHA1
73fb9e94ba3b2212e5eb3090df941ed52648b3c7

SHA256
e1ac8f9c99c692c158a9ec9998bafb8528ca7be80009b9452d9f85a23e96a80c

SHA512
a6b7a54d8caa7f70053ecf76b3a495a25c45fe5521fa734aab70d0e0b772cd44142e502618e65bf26b49f8592dbfe9d4e1c2d5b6dffe91bcbdf27e432b5c5d9c

Download Submit
C:\Windows\System\HKFFCeQ.exe

Filesize
5.9MB

MD5
f015e8082a8637824239552820922e4e

SHA1
467eb4c46414ee5dc28a6f03f50af84725ec633b

SHA256
0ac6c7d0ed54948abca0114c9e651161c1711317fd56efb0c9e5d52b581ad463

SHA512
8e3e8ff9da4d435a1ffd758fe8c5d21bbd43f9e789b92585a1dfe519e82ab4975d06dc7628e173bf88dcd1f3be25b224dd85b7b3a7f29dad11246aa34783f7d0

Download Submit
C:\Windows\System\NEsFXwQ.exe

Filesize
5.9MB

MD5
d79c2de6cc87d25a57f92839f338a8f0

SHA1
86f951fcbf4867162d0932436f478e6d41bced14

SHA256
eb866b2ac337d9953fc703d2043c0d7b058898a56f9da9d2e63d0e09d99dda15

SHA512
1b3afba2621a8387ff7d76bd9d5631e5b57211c94af0e71f38cb249c1d6c0536900382a6496c2f1c7099c1600b7f0322bb4e8edddd5a1f7b57fdc7e56df362b1

Download Submit
C:\Windows\System\NjikMhV.exe

Filesize
5.9MB

MD5
c2b804c695bfcf0655ec139688b87486

SHA1
15bddb640450bb821dc15ca1e4d8dee10ca9d41c

SHA256
df2f3b4dc833f177fcfcd6c245acc0d95c071cbdfdd166ad89286cfe465e5535

SHA512
10a1e5009051c70b5fe503d19cb145d44354266fb2eb703052a3d5e027c8d3d0e00479f1e7e802772a92d1cfe8fd6e90f6b114770dcefe1bc0c839f2e1a20f48

Download Submit
C:\Windows\System\OUPkzuy.exe

Filesize
5.9MB

MD5
e6aa7b6d4263139c5039fa358cf69df1

SHA1
e879250a3a4b36a5ade67754f789b2e9842cb3cb

SHA256
64d3199285b4e50bde1a2dbc09b3d8593681e49c7460dc2c3b17d37836a8aa0c

SHA512
7eb6e710e3b142c4e8a8219f7316deaca2fe4ffe6604d8ffd803e066e9696f97c1d199c0629ed198abc3bfaaf6000c6141e045cf1bd20cdecb9ad157055ef3b6

Download Submit
C:\Windows\System\QThtvZW.exe

Filesize
5.9MB

MD5
190d7fd5dc00594c8f80a7af9ac54941

SHA1
e195ac5716a1270341652001daf0320f590ce560

SHA256
8c48234f24be31e20939ac0a5ed07cc045b7074778002dac5c0440d4ed26121d

SHA512
cdf55e2a66171e4a625f27a5e2a4b591d445fb0e9e07f9accd627d2aa13604ebea7c6682da8a8d4812344a6318f8921cde146f46a8fd5898754551c9fb104716

Download Submit
C:\Windows\System\QhxfcDq.exe

Filesize
5.9MB

MD5
00b46a7bcb621a24e5b3fd10d333f528

SHA1
898b21029a2be06b30169626cb73f13c3342a135

SHA256
4109fb99094ead9121de63e21cfea88b1d1e15dc231a49f59ca3a339b135dd79

SHA512
6a99a6c7f1fc858bbf8c91bb5449ae3e5ca15b47abe33fc0a967c95affe39e8e013e587096bd29939f63fd7177f3d1a2ac2351af1fe80b3b215b5164b915e5c0

Download Submit
C:\Windows\System\SWqGCyC.exe

Filesize
5.9MB

MD5
fe05f6c5121e08a44a55e0e22ab70292

SHA1
1bbf995f964c25a7be85b682f96143f6962629c7

SHA256
0d1222d12bd1c4de9e5ab8a6ba016e2dbd7168ef99bbcf9433b5f8dcc4147e89

SHA512
b10a8371a1af7f39b163a17396263fc43186becf6f60bba4cc5e69da47c5ab0b0faccb2206887c5ebb8767d95613e5b19eb5dbc3e96aad5d04712cdf328042e5

Download Submit
C:\Windows\System\SuGkimT.exe

Filesize
5.9MB

MD5
e010229b379a5ea212ba4a47b4a470e8

SHA1
fbefb8a367aeef190eeb1352d115aa1fe589dc33

SHA256
e05661eeaf217159f115e96ad7dded395a05442d1c4a7e24addf6163f44f63b4

SHA512
b07018be34ac97bf6f5e434ea48c37fd0f801264bbdb8b4d0de38c15660b8636befa4192655fb0afd77f7cbf0b29401e02aa1369824e2780a9cee91e248d2d75

Download Submit
C:\Windows\System\ZVmoiEj.exe

Filesize
5.9MB

MD5
2519d582e6d9ce792370a1687905ddbf

SHA1
2d6d96649a0c7a29c3834c1c7e5d1b6551c598ed

SHA256
a287bbbed51ec630755b7ac44d90991a0a716954757b32bf6884a5c02cd0c6ed

SHA512
78280fd1899eec3b2754b6d0c05e50f642f8640d7df7eff907c0f3843a276ed368ce34ef226fb23ff18695683e145477d1579b9fd2905c0b65ff70ab4006a7d4

Download Submit
C:\Windows\System\gWWfsxz.exe

Filesize
5.9MB

MD5
410c9422c893a365bd12cf6f15e7bbb7

SHA1
0933aea042dc3c1387674c33df082a17ffee772b

SHA256
1bca19b1c653d3c36c3973ccebc0839a43ad30b73ebe63494827cb3309cd27d8

SHA512
f98717d4e0ebd235c064bc092109ca7074ea5640aa15ae785f91fd1bcdf2f9a6c002ead2c5415c73af7f39e38ee88ad0a843334a8cd6643f797c13c1cea7877c

Download Submit
C:\Windows\System\gdFOECB.exe

Filesize
5.9MB

MD5
d2f12625f0c38b01e8cb244ef7ead224

SHA1
cff1ffc5b646099f3f184f87633d941ed387a91d

SHA256
c6a4d7247d6dde8fde6a87a1100238b6f2c4ac1cf59f7f7ceb5a3162e3f4200e

SHA512
9fc25f3535802c8aa833b6ff90a0de1e8ec830ec241b1c018307a14f6835ecdc615d6e4a609487950afcb3a3302b7d83f98d7c1c71abb7f0e2a56d397cfe1725

Download Submit
C:\Windows\System\mcRaOUF.exe

Filesize
5.9MB

MD5
c4243dd70c9bdba63089b2b14762218e

SHA1
e9297e65cbbf75f3126bd6a1cde739e6c73045fe

SHA256
a1816344d13723f0bb167ec7f51084d5a277306c95530cff72ff6a79323bc04e

SHA512
d0de182dc545ce1b7f563cb932c37056e1152cad560d8d3aa1132384e365958e834494beb8cd9fe0acb57c9ff409171a6fe505877e6f909e13784c4e2ef384b7

Download Submit
C:\Windows\System\nTgxBfc.exe

Filesize
5.9MB

MD5
137c4b6825131d29de38052353f9fcaa

SHA1
76652edb8b529e46305bd165b90a8a8d05e0246c

SHA256
11c762c5096d69fe59e5ff828aecc269864073d8f3e788f42cc99ea146ad9872

SHA512
28838cedf3f93116feb6079ec550b8a29eb309bf262d0d5b5a65b2c3b38694f6738a274b636a54c810dd238ddba59e241179d4f1dab78ca934ae8f5213d2fb96

Download Submit
C:\Windows\System\plxoWmZ.exe

Filesize
5.9MB

MD5
f055ce83d6b969fd284d4119eba5be8e

SHA1
72cb57d5940b9f1234f4a05cbb8697cb9f57c57e

SHA256
96a224ec0a65185158c764112b0e9baad378e3f97fc7cdeb993e8d15e798a991

SHA512
68c5e4cacd9da6f67c86874241be71c9cc487fa1c24a71d7c9bad22547b20fdb89130239dcb57d284e8defc9c69350998bf1be15cdb88237b392e13097b28033

Download Submit
C:\Windows\System\qBmBgvs.exe

Filesize
5.9MB

MD5
a61b3d324dce946ebb3fc449339a8ea2

SHA1
82b02cde6abf28aad189696f76e4fcaf542349b8

SHA256
8a9f454fad87d32643292eb4db2a2076b96ac852f6444d1f04d4613f6a37f95f

SHA512
cd6e3a27f77f38d9e6b581ea3ae8bc11b5a07353139471fdf361908a5850adbe1c8d123e0877ccc208517c6e2cd188763c08390d515bdb9b15446ec7ac57aded

Download Submit
C:\Windows\System\tWmuQre.exe

Filesize
5.9MB

MD5
c1ffcd82a7d4fcffbd5c3b2b6182c463

SHA1
21f1e40af8b8b4b92b38c52d6c784fc8b4db62cc

SHA256
83bfdd109c93253e0dc4d8f9f94d006e3d9fcced3d1968fa3a379c9c74369778

SHA512
87cea5515f1d9e8bf3ba9ac7f0dddb5d7fdd187cf3426c57228972a340fb287a2517f5909757cacade60b62d96180dac81b761b9e3f076f19af04d99d28fc160

Download Submit
C:\Windows\System\wKgSIZq.exe

Filesize
5.9MB

MD5
91a3fcb8535c410ed2eea2cfce3a17c6

SHA1
42648239974ed8060345713cc390f581c7d4c72c

SHA256
fb1137d8f5e3eb38e800939af19ec4a1ea85353d410d7a26c527b6e8faf3c88e

SHA512
9c65418b8abc5c71330ac1f871df657024a91129f7d14b770399209549ccc87b442e8856f1e0041aec994f5ae970262261e823239622953bbfb4b0a9c76b7997

Download Submit
C:\Windows\System\xEGOuDM.exe

Filesize
5.9MB

MD5
f908ae748c4bc070782463ee173809a1

SHA1
7f9f0d47ffff3c65c0dc6c19e26eb4bf7dbdaeed

SHA256
29326e90204b4063f3dd1871267cd96741393fa526b886de51063e3ef3c24fa6

SHA512
0cb913b6080eacd0554d93815a5a37d498dd4acc7446c111b1cca5d68fe0179ca63aff8f4d351c2076328e189078a0ff7510a6a00c46621140847683d51a3807

Download Submit
C:\Windows\System\yRVztiW.exe

Filesize
5.9MB

MD5
00212c804afbc90c94d410ad62bcb6cb

SHA1
364149eee857abecf060571a3598d6a36d3d4793

SHA256
222aa0a80db3a0b3ba15686b4ec82d54175e36e5276287a141541eace5eb93d4

SHA512
9ce17733acd0d5d5cf73d46bcb68027b8cf4449d3579329ff100912f55dc476f515ca523563cf6ee26ec36f37dd0f0b1a716744f1171506d4fa9ef285e77662f

Download Submit
C:\Windows\System\zWgIjsV.exe

Filesize
5.9MB

MD5
ee1a8532e3e8e6b5ff25885f6ff9e8c2

SHA1
c789937bcdfca2afa4f8f12ab323ea30be346065

SHA256
82ec1fddcbf8ab8ea41097d271d3587776ec436c8a84d756d2e9a2e1033a929e

SHA512
87fb60ad4af611ec140d4d22f5c77172868216052451d91c60145b733e6b4467b126cab05f6d25cbee39cb93a2e66762f2425d8356236288e9145392c1b219fc

Download Submit
memory/876-145-0x00007FF70FDE0000-0x00007FF710134000-memory.dmp

Filesize
3.3MB

Download
memory/876-43-0x00007FF70FDE0000-0x00007FF710134000-memory.dmp

Filesize
3.3MB

Download
memory/1356-20-0x00007FF62CC70000-0x00007FF62CFC4000-memory.dmp

Filesize
3.3MB

Download
memory/1356-142-0x00007FF62CC70000-0x00007FF62CFC4000-memory.dmp

Filesize
3.3MB

Download
memory/1356-95-0x00007FF62CC70000-0x00007FF62CFC4000-memory.dmp

Filesize
3.3MB

Download
memory/1524-130-0x00007FF640520000-0x00007FF640874000-memory.dmp

Filesize
3.3MB

Download
memory/1524-63-0x00007FF640520000-0x00007FF640874000-memory.dmp

Filesize
3.3MB

Download
memory/1524-148-0x00007FF640520000-0x00007FF640874000-memory.dmp

Filesize
3.3MB

Download
memory/1648-26-0x00007FF626FF0000-0x00007FF627344000-memory.dmp

Filesize
3.3MB

Download
memory/1648-143-0x00007FF626FF0000-0x00007FF627344000-memory.dmp

Filesize
3.3MB

Download
memory/1832-108-0x00007FF784FE0000-0x00007FF785334000-memory.dmp

Filesize
3.3MB

Download
memory/1832-144-0x00007FF784FE0000-0x00007FF785334000-memory.dmp

Filesize
3.3MB

Download
memory/1832-34-0x00007FF784FE0000-0x00007FF785334000-memory.dmp

Filesize
3.3MB

Download
memory/2220-157-0x00007FF7CC530000-0x00007FF7CC884000-memory.dmp

Filesize
3.3MB

Download
memory/2220-118-0x00007FF7CC530000-0x00007FF7CC884000-memory.dmp

Filesize
3.3MB

Download
memory/2624-1-0x000001D831440000-0x000001D831450000-memory.dmp

Filesize
64KB

Download
memory/2624-69-0x00007FF7C8A40000-0x00007FF7C8D94000-memory.dmp

Filesize
3.3MB

Download
memory/2624-0-0x00007FF7C8A40000-0x00007FF7C8D94000-memory.dmp

Filesize
3.3MB

Download
memory/2984-80-0x00007FF66F270000-0x00007FF66F5C4000-memory.dmp

Filesize
3.3MB

Download
memory/2984-150-0x00007FF66F270000-0x00007FF66F5C4000-memory.dmp

Filesize
3.3MB

Download
memory/3452-48-0x00007FF77D5C0000-0x00007FF77D914000-memory.dmp

Filesize
3.3MB

Download
memory/3452-147-0x00007FF77D5C0000-0x00007FF77D914000-memory.dmp

Filesize
3.3MB

Download
memory/3452-128-0x00007FF77D5C0000-0x00007FF77D914000-memory.dmp

Filesize
3.3MB

Download
memory/3476-136-0x00007FF6EA790000-0x00007FF6EAAE4000-memory.dmp

Filesize
3.3MB

Download
memory/3476-160-0x00007FF6EA790000-0x00007FF6EAAE4000-memory.dmp

Filesize
3.3MB

Download
memory/3628-111-0x00007FF686710000-0x00007FF686A64000-memory.dmp

Filesize
3.3MB

Download
memory/3628-156-0x00007FF686710000-0x00007FF686A64000-memory.dmp

Filesize
3.3MB

Download
memory/3904-146-0x00007FF6AEFE0000-0x00007FF6AF334000-memory.dmp

Filesize
3.3MB

Download
memory/3904-115-0x00007FF6AEFE0000-0x00007FF6AF334000-memory.dmp

Filesize
3.3MB

Download
memory/3904-36-0x00007FF6AEFE0000-0x00007FF6AF334000-memory.dmp

Filesize
3.3MB

Download
memory/4184-84-0x00007FF79C790000-0x00007FF79CAE4000-memory.dmp

Filesize
3.3MB

Download
memory/4184-141-0x00007FF79C790000-0x00007FF79CAE4000-memory.dmp

Filesize
3.3MB

Download
memory/4184-14-0x00007FF79C790000-0x00007FF79CAE4000-memory.dmp

Filesize
3.3MB

Download
memory/4268-155-0x00007FF758340000-0x00007FF758694000-memory.dmp

Filesize
3.3MB

Download
memory/4268-139-0x00007FF758340000-0x00007FF758694000-memory.dmp

Filesize
3.3MB

Download
memory/4268-100-0x00007FF758340000-0x00007FF758694000-memory.dmp

Filesize
3.3MB

Download
memory/4328-140-0x00007FF7445F0000-0x00007FF744944000-memory.dmp

Filesize
3.3MB

Download
memory/4328-7-0x00007FF7445F0000-0x00007FF744944000-memory.dmp

Filesize
3.3MB

Download
memory/4328-81-0x00007FF7445F0000-0x00007FF744944000-memory.dmp

Filesize
3.3MB

Download
memory/4336-131-0x00007FF789A60000-0x00007FF789DB4000-memory.dmp

Filesize
3.3MB

Download
memory/4336-159-0x00007FF789A60000-0x00007FF789DB4000-memory.dmp

Filesize
3.3MB

Download
memory/4716-158-0x00007FF7159C0000-0x00007FF715D14000-memory.dmp

Filesize
3.3MB

Download
memory/4716-122-0x00007FF7159C0000-0x00007FF715D14000-memory.dmp

Filesize
3.3MB

Download
memory/4736-138-0x00007FF672050000-0x00007FF6723A4000-memory.dmp

Filesize
3.3MB

Download
memory/4736-152-0x00007FF672050000-0x00007FF6723A4000-memory.dmp

Filesize
3.3MB

Download
memory/4736-87-0x00007FF672050000-0x00007FF6723A4000-memory.dmp

Filesize
3.3MB

Download
memory/4780-83-0x00007FF7EAC40000-0x00007FF7EAF94000-memory.dmp

Filesize
3.3MB

Download
memory/4780-153-0x00007FF7EAC40000-0x00007FF7EAF94000-memory.dmp

Filesize
3.3MB

Download
memory/4780-137-0x00007FF7EAC40000-0x00007FF7EAF94000-memory.dmp

Filesize
3.3MB

Download
memory/4872-151-0x00007FF7B7A00000-0x00007FF7B7D54000-memory.dmp

Filesize
3.3MB

Download
memory/4872-67-0x00007FF7B7A00000-0x00007FF7B7D54000-memory.dmp

Filesize
3.3MB

Download
memory/4872-135-0x00007FF7B7A00000-0x00007FF7B7D54000-memory.dmp

Filesize
3.3MB

Download
memory/4916-154-0x00007FF639FE0000-0x00007FF63A334000-memory.dmp

Filesize
3.3MB

Download
memory/4916-99-0x00007FF639FE0000-0x00007FF63A334000-memory.dmp

Filesize
3.3MB

Download
memory/5112-149-0x00007FF622E70000-0x00007FF6231C4000-memory.dmp

Filesize
3.3MB

Download
memory/5112-72-0x00007FF622E70000-0x00007FF6231C4000-memory.dmp

Filesize
3.3MB

Download