cobaltstrike | 04560f2d8c431dbd77d2448a2aa22cfc8462a6da134771188617cb774eb88dbd

Analysis

max time kernel
144s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08/09/2024, 22:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-08_e04e1aebe7aef971419c036102265631_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

e04e1aebe7aef971419c036102265631
SHA1

7cb5bcda75b27af669a4693ad10f49ab75b71b96
SHA256

04560f2d8c431dbd77d2448a2aa22cfc8462a6da134771188617cb774eb88dbd
SHA512

33ffcb4daa09cb0c9c742a9cbf1c40cfec5e183b0d919863a2402c464c724db3a9a2c9bddfc2456eae6a189dd64ed227527a93326c71f104677b924e21608b2e
SSDEEP

98304:oemTLkNdfE0pZrt56utgpPFotBER/mQ32lUN:T+856utgpPF8u/7N

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0008000000023476-4.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002347e-10.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002347d-11.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002347f-23.dat	cobalt_reflective_dll
behavioral2/files/0x000800000002347a-28.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023480-35.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023481-41.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023482-44.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023483-53.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023484-59.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023485-66.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023486-76.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000022721-81.dat	cobalt_reflective_dll
behavioral2/files/0x0004000000022723-90.dat	cobalt_reflective_dll
behavioral2/files/0x000b0000000233b6-98.dat	cobalt_reflective_dll
behavioral2/files/0x000a0000000233bc-102.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023488-117.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023489-127.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002348a-132.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023487-119.dat	cobalt_reflective_dll
behavioral2/files/0x000a0000000233bd-118.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/1764-0-0x00007FF642A00000-0x00007FF642D54000-memory.dmp	xmrig
behavioral2/files/0x0008000000023476-4.dat	xmrig
behavioral2/memory/2552-8-0x00007FF7DA240000-0x00007FF7DA594000-memory.dmp	xmrig
behavioral2/files/0x000700000002347e-10.dat	xmrig
behavioral2/files/0x000700000002347d-11.dat	xmrig
behavioral2/memory/4868-14-0x00007FF7402A0000-0x00007FF7405F4000-memory.dmp	xmrig
behavioral2/memory/3092-20-0x00007FF752E50000-0x00007FF7531A4000-memory.dmp	xmrig
behavioral2/files/0x000700000002347f-23.dat	xmrig
behavioral2/files/0x000800000002347a-28.dat	xmrig
behavioral2/files/0x0007000000023480-35.dat	xmrig
behavioral2/files/0x0007000000023481-41.dat	xmrig
behavioral2/files/0x0007000000023482-44.dat	xmrig
behavioral2/files/0x0007000000023483-53.dat	xmrig
behavioral2/files/0x0007000000023484-59.dat	xmrig
behavioral2/files/0x0007000000023485-66.dat	xmrig
behavioral2/memory/4836-68-0x00007FF71A240000-0x00007FF71A594000-memory.dmp	xmrig
behavioral2/memory/2552-67-0x00007FF7DA240000-0x00007FF7DA594000-memory.dmp	xmrig
behavioral2/memory/4740-61-0x00007FF61BEF0000-0x00007FF61C244000-memory.dmp	xmrig
behavioral2/memory/1764-60-0x00007FF642A00000-0x00007FF642D54000-memory.dmp	xmrig
behavioral2/memory/3176-56-0x00007FF6743A0000-0x00007FF6746F4000-memory.dmp	xmrig
behavioral2/memory/5012-48-0x00007FF61BBD0000-0x00007FF61BF24000-memory.dmp	xmrig
behavioral2/memory/760-43-0x00007FF757620000-0x00007FF757974000-memory.dmp	xmrig
behavioral2/memory/808-39-0x00007FF797920000-0x00007FF797C74000-memory.dmp	xmrig
behavioral2/memory/3260-30-0x00007FF60CD20000-0x00007FF60D074000-memory.dmp	xmrig
behavioral2/memory/4368-26-0x00007FF7D4030000-0x00007FF7D4384000-memory.dmp	xmrig
behavioral2/memory/4868-71-0x00007FF7402A0000-0x00007FF7405F4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023486-76.dat	xmrig
behavioral2/memory/3092-75-0x00007FF752E50000-0x00007FF7531A4000-memory.dmp	xmrig
behavioral2/files/0x0007000000022721-81.dat	xmrig
behavioral2/memory/3260-88-0x00007FF60CD20000-0x00007FF60D074000-memory.dmp	xmrig
behavioral2/files/0x0004000000022723-90.dat	xmrig
behavioral2/memory/2980-89-0x00007FF68E0D0000-0x00007FF68E424000-memory.dmp	xmrig
behavioral2/memory/808-96-0x00007FF797920000-0x00007FF797C74000-memory.dmp	xmrig
behavioral2/files/0x000b0000000233b6-98.dat	xmrig
behavioral2/files/0x000a0000000233bc-102.dat	xmrig
behavioral2/files/0x0007000000023488-117.dat	xmrig
behavioral2/files/0x0007000000023489-127.dat	xmrig
behavioral2/files/0x000700000002348a-132.dat	xmrig
behavioral2/files/0x0007000000023487-119.dat	xmrig
behavioral2/files/0x000a0000000233bd-118.dat	xmrig
behavioral2/memory/3176-115-0x00007FF6743A0000-0x00007FF6746F4000-memory.dmp	xmrig
behavioral2/memory/4948-114-0x00007FF7CF460000-0x00007FF7CF7B4000-memory.dmp	xmrig
behavioral2/memory/5012-110-0x00007FF61BBD0000-0x00007FF61BF24000-memory.dmp	xmrig
behavioral2/memory/1668-106-0x00007FF7D7460000-0x00007FF7D77B4000-memory.dmp	xmrig
behavioral2/memory/760-105-0x00007FF757620000-0x00007FF757974000-memory.dmp	xmrig
behavioral2/memory/1972-97-0x00007FF604430000-0x00007FF604784000-memory.dmp	xmrig
behavioral2/memory/3540-84-0x00007FF7C2170000-0x00007FF7C24C4000-memory.dmp	xmrig
behavioral2/memory/4368-82-0x00007FF7D4030000-0x00007FF7D4384000-memory.dmp	xmrig
behavioral2/memory/4552-78-0x00007FF6C9FA0000-0x00007FF6CA2F4000-memory.dmp	xmrig
behavioral2/memory/3040-134-0x00007FF6A0900000-0x00007FF6A0C54000-memory.dmp	xmrig
behavioral2/memory/540-136-0x00007FF7F6FD0000-0x00007FF7F7324000-memory.dmp	xmrig
behavioral2/memory/4740-137-0x00007FF61BEF0000-0x00007FF61C244000-memory.dmp	xmrig
behavioral2/memory/5068-138-0x00007FF69F730000-0x00007FF69FA84000-memory.dmp	xmrig
behavioral2/memory/3044-135-0x00007FF6B8920000-0x00007FF6B8C74000-memory.dmp	xmrig
behavioral2/memory/4836-139-0x00007FF71A240000-0x00007FF71A594000-memory.dmp	xmrig
behavioral2/memory/3540-140-0x00007FF7C2170000-0x00007FF7C24C4000-memory.dmp	xmrig
behavioral2/memory/2980-141-0x00007FF68E0D0000-0x00007FF68E424000-memory.dmp	xmrig
behavioral2/memory/1972-142-0x00007FF604430000-0x00007FF604784000-memory.dmp	xmrig
behavioral2/memory/1668-143-0x00007FF7D7460000-0x00007FF7D77B4000-memory.dmp	xmrig
behavioral2/memory/4948-144-0x00007FF7CF460000-0x00007FF7CF7B4000-memory.dmp	xmrig
behavioral2/memory/3040-145-0x00007FF6A0900000-0x00007FF6A0C54000-memory.dmp	xmrig
behavioral2/memory/2552-146-0x00007FF7DA240000-0x00007FF7DA594000-memory.dmp	xmrig
behavioral2/memory/4868-147-0x00007FF7402A0000-0x00007FF7405F4000-memory.dmp	xmrig
behavioral2/memory/3092-148-0x00007FF752E50000-0x00007FF7531A4000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2552	zQpFXkH.exe
4868	ACTmEbU.exe
3092	CslFMCx.exe
4368	SeHHtBv.exe
3260	NsnRgRL.exe
808	gCsMTVD.exe
760	CLpDieD.exe
5012	bxWdUZo.exe
3176	qYxZHuj.exe
4740	krYNOLg.exe
4836	TLIhpUw.exe
4552	iMweXvF.exe
3540	qQJDsds.exe
2980	nnMMzng.exe
1972	HkTXjgc.exe
1668	BVdaYCT.exe
4948	rjSoZxX.exe
3040	CFQgbOl.exe
5068	MNBYKyK.exe
3044	BhLvnkP.exe
540	hjWWBJB.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1764-0-0x00007FF642A00000-0x00007FF642D54000-memory.dmp	upx
behavioral2/files/0x0008000000023476-4.dat	upx
behavioral2/memory/2552-8-0x00007FF7DA240000-0x00007FF7DA594000-memory.dmp	upx
behavioral2/files/0x000700000002347e-10.dat	upx
behavioral2/files/0x000700000002347d-11.dat	upx
behavioral2/memory/4868-14-0x00007FF7402A0000-0x00007FF7405F4000-memory.dmp	upx
behavioral2/memory/3092-20-0x00007FF752E50000-0x00007FF7531A4000-memory.dmp	upx
behavioral2/files/0x000700000002347f-23.dat	upx
behavioral2/files/0x000800000002347a-28.dat	upx
behavioral2/files/0x0007000000023480-35.dat	upx
behavioral2/files/0x0007000000023481-41.dat	upx
behavioral2/files/0x0007000000023482-44.dat	upx
behavioral2/files/0x0007000000023483-53.dat	upx
behavioral2/files/0x0007000000023484-59.dat	upx
behavioral2/files/0x0007000000023485-66.dat	upx
behavioral2/memory/4836-68-0x00007FF71A240000-0x00007FF71A594000-memory.dmp	upx
behavioral2/memory/2552-67-0x00007FF7DA240000-0x00007FF7DA594000-memory.dmp	upx
behavioral2/memory/4740-61-0x00007FF61BEF0000-0x00007FF61C244000-memory.dmp	upx
behavioral2/memory/1764-60-0x00007FF642A00000-0x00007FF642D54000-memory.dmp	upx
behavioral2/memory/3176-56-0x00007FF6743A0000-0x00007FF6746F4000-memory.dmp	upx
behavioral2/memory/5012-48-0x00007FF61BBD0000-0x00007FF61BF24000-memory.dmp	upx
behavioral2/memory/760-43-0x00007FF757620000-0x00007FF757974000-memory.dmp	upx
behavioral2/memory/808-39-0x00007FF797920000-0x00007FF797C74000-memory.dmp	upx
behavioral2/memory/3260-30-0x00007FF60CD20000-0x00007FF60D074000-memory.dmp	upx
behavioral2/memory/4368-26-0x00007FF7D4030000-0x00007FF7D4384000-memory.dmp	upx
behavioral2/memory/4868-71-0x00007FF7402A0000-0x00007FF7405F4000-memory.dmp	upx
behavioral2/files/0x0007000000023486-76.dat	upx
behavioral2/memory/3092-75-0x00007FF752E50000-0x00007FF7531A4000-memory.dmp	upx
behavioral2/files/0x0007000000022721-81.dat	upx
behavioral2/memory/3260-88-0x00007FF60CD20000-0x00007FF60D074000-memory.dmp	upx
behavioral2/files/0x0004000000022723-90.dat	upx
behavioral2/memory/2980-89-0x00007FF68E0D0000-0x00007FF68E424000-memory.dmp	upx
behavioral2/memory/808-96-0x00007FF797920000-0x00007FF797C74000-memory.dmp	upx
behavioral2/files/0x000b0000000233b6-98.dat	upx
behavioral2/files/0x000a0000000233bc-102.dat	upx
behavioral2/files/0x0007000000023488-117.dat	upx
behavioral2/files/0x0007000000023489-127.dat	upx
behavioral2/files/0x000700000002348a-132.dat	upx
behavioral2/files/0x0007000000023487-119.dat	upx
behavioral2/files/0x000a0000000233bd-118.dat	upx
behavioral2/memory/3176-115-0x00007FF6743A0000-0x00007FF6746F4000-memory.dmp	upx
behavioral2/memory/4948-114-0x00007FF7CF460000-0x00007FF7CF7B4000-memory.dmp	upx
behavioral2/memory/5012-110-0x00007FF61BBD0000-0x00007FF61BF24000-memory.dmp	upx
behavioral2/memory/1668-106-0x00007FF7D7460000-0x00007FF7D77B4000-memory.dmp	upx
behavioral2/memory/760-105-0x00007FF757620000-0x00007FF757974000-memory.dmp	upx
behavioral2/memory/1972-97-0x00007FF604430000-0x00007FF604784000-memory.dmp	upx
behavioral2/memory/3540-84-0x00007FF7C2170000-0x00007FF7C24C4000-memory.dmp	upx
behavioral2/memory/4368-82-0x00007FF7D4030000-0x00007FF7D4384000-memory.dmp	upx
behavioral2/memory/4552-78-0x00007FF6C9FA0000-0x00007FF6CA2F4000-memory.dmp	upx
behavioral2/memory/3040-134-0x00007FF6A0900000-0x00007FF6A0C54000-memory.dmp	upx
behavioral2/memory/540-136-0x00007FF7F6FD0000-0x00007FF7F7324000-memory.dmp	upx
behavioral2/memory/4740-137-0x00007FF61BEF0000-0x00007FF61C244000-memory.dmp	upx
behavioral2/memory/5068-138-0x00007FF69F730000-0x00007FF69FA84000-memory.dmp	upx
behavioral2/memory/3044-135-0x00007FF6B8920000-0x00007FF6B8C74000-memory.dmp	upx
behavioral2/memory/4836-139-0x00007FF71A240000-0x00007FF71A594000-memory.dmp	upx
behavioral2/memory/3540-140-0x00007FF7C2170000-0x00007FF7C24C4000-memory.dmp	upx
behavioral2/memory/2980-141-0x00007FF68E0D0000-0x00007FF68E424000-memory.dmp	upx
behavioral2/memory/1972-142-0x00007FF604430000-0x00007FF604784000-memory.dmp	upx
behavioral2/memory/1668-143-0x00007FF7D7460000-0x00007FF7D77B4000-memory.dmp	upx
behavioral2/memory/4948-144-0x00007FF7CF460000-0x00007FF7CF7B4000-memory.dmp	upx
behavioral2/memory/3040-145-0x00007FF6A0900000-0x00007FF6A0C54000-memory.dmp	upx
behavioral2/memory/2552-146-0x00007FF7DA240000-0x00007FF7DA594000-memory.dmp	upx
behavioral2/memory/4868-147-0x00007FF7402A0000-0x00007FF7405F4000-memory.dmp	upx
behavioral2/memory/3092-148-0x00007FF752E50000-0x00007FF7531A4000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\rjSoZxX.exe	2024-09-08_e04e1aebe7aef971419c036102265631_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CslFMCx.exe	2024-09-08_e04e1aebe7aef971419c036102265631_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NsnRgRL.exe	2024-09-08_e04e1aebe7aef971419c036102265631_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BVdaYCT.exe	2024-09-08_e04e1aebe7aef971419c036102265631_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TLIhpUw.exe	2024-09-08_e04e1aebe7aef971419c036102265631_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nnMMzng.exe	2024-09-08_e04e1aebe7aef971419c036102265631_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HkTXjgc.exe	2024-09-08_e04e1aebe7aef971419c036102265631_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CFQgbOl.exe	2024-09-08_e04e1aebe7aef971419c036102265631_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MNBYKyK.exe	2024-09-08_e04e1aebe7aef971419c036102265631_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zQpFXkH.exe	2024-09-08_e04e1aebe7aef971419c036102265631_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ACTmEbU.exe	2024-09-08_e04e1aebe7aef971419c036102265631_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gCsMTVD.exe	2024-09-08_e04e1aebe7aef971419c036102265631_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BhLvnkP.exe	2024-09-08_e04e1aebe7aef971419c036102265631_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CLpDieD.exe	2024-09-08_e04e1aebe7aef971419c036102265631_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hjWWBJB.exe	2024-09-08_e04e1aebe7aef971419c036102265631_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\krYNOLg.exe	2024-09-08_e04e1aebe7aef971419c036102265631_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iMweXvF.exe	2024-09-08_e04e1aebe7aef971419c036102265631_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qQJDsds.exe	2024-09-08_e04e1aebe7aef971419c036102265631_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SeHHtBv.exe	2024-09-08_e04e1aebe7aef971419c036102265631_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bxWdUZo.exe	2024-09-08_e04e1aebe7aef971419c036102265631_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qYxZHuj.exe	2024-09-08_e04e1aebe7aef971419c036102265631_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1764	2024-09-08_e04e1aebe7aef971419c036102265631_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	1764	2024-09-08_e04e1aebe7aef971419c036102265631_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1764 wrote to memory of 2552	1764	2024-09-08_e04e1aebe7aef971419c036102265631_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 1764 wrote to memory of 2552	1764	2024-09-08_e04e1aebe7aef971419c036102265631_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 1764 wrote to memory of 4868	1764	2024-09-08_e04e1aebe7aef971419c036102265631_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 1764 wrote to memory of 4868	1764	2024-09-08_e04e1aebe7aef971419c036102265631_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 1764 wrote to memory of 3092	1764	2024-09-08_e04e1aebe7aef971419c036102265631_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 1764 wrote to memory of 3092	1764	2024-09-08_e04e1aebe7aef971419c036102265631_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 1764 wrote to memory of 4368	1764	2024-09-08_e04e1aebe7aef971419c036102265631_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 1764 wrote to memory of 4368	1764	2024-09-08_e04e1aebe7aef971419c036102265631_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 1764 wrote to memory of 3260	1764	2024-09-08_e04e1aebe7aef971419c036102265631_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1764 wrote to memory of 3260	1764	2024-09-08_e04e1aebe7aef971419c036102265631_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1764 wrote to memory of 808	1764	2024-09-08_e04e1aebe7aef971419c036102265631_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1764 wrote to memory of 808	1764	2024-09-08_e04e1aebe7aef971419c036102265631_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1764 wrote to memory of 760	1764	2024-09-08_e04e1aebe7aef971419c036102265631_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1764 wrote to memory of 760	1764	2024-09-08_e04e1aebe7aef971419c036102265631_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1764 wrote to memory of 5012	1764	2024-09-08_e04e1aebe7aef971419c036102265631_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1764 wrote to memory of 5012	1764	2024-09-08_e04e1aebe7aef971419c036102265631_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1764 wrote to memory of 3176	1764	2024-09-08_e04e1aebe7aef971419c036102265631_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 1764 wrote to memory of 3176	1764	2024-09-08_e04e1aebe7aef971419c036102265631_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 1764 wrote to memory of 4740	1764	2024-09-08_e04e1aebe7aef971419c036102265631_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1764 wrote to memory of 4740	1764	2024-09-08_e04e1aebe7aef971419c036102265631_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1764 wrote to memory of 4836	1764	2024-09-08_e04e1aebe7aef971419c036102265631_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1764 wrote to memory of 4836	1764	2024-09-08_e04e1aebe7aef971419c036102265631_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1764 wrote to memory of 4552	1764	2024-09-08_e04e1aebe7aef971419c036102265631_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 1764 wrote to memory of 4552	1764	2024-09-08_e04e1aebe7aef971419c036102265631_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 1764 wrote to memory of 3540	1764	2024-09-08_e04e1aebe7aef971419c036102265631_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1764 wrote to memory of 3540	1764	2024-09-08_e04e1aebe7aef971419c036102265631_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1764 wrote to memory of 2980	1764	2024-09-08_e04e1aebe7aef971419c036102265631_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1764 wrote to memory of 2980	1764	2024-09-08_e04e1aebe7aef971419c036102265631_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1764 wrote to memory of 1972	1764	2024-09-08_e04e1aebe7aef971419c036102265631_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1764 wrote to memory of 1972	1764	2024-09-08_e04e1aebe7aef971419c036102265631_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1764 wrote to memory of 1668	1764	2024-09-08_e04e1aebe7aef971419c036102265631_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1764 wrote to memory of 1668	1764	2024-09-08_e04e1aebe7aef971419c036102265631_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1764 wrote to memory of 4948	1764	2024-09-08_e04e1aebe7aef971419c036102265631_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 1764 wrote to memory of 4948	1764	2024-09-08_e04e1aebe7aef971419c036102265631_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 1764 wrote to memory of 3040	1764	2024-09-08_e04e1aebe7aef971419c036102265631_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 1764 wrote to memory of 3040	1764	2024-09-08_e04e1aebe7aef971419c036102265631_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 1764 wrote to memory of 5068	1764	2024-09-08_e04e1aebe7aef971419c036102265631_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 1764 wrote to memory of 5068	1764	2024-09-08_e04e1aebe7aef971419c036102265631_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 1764 wrote to memory of 3044	1764	2024-09-08_e04e1aebe7aef971419c036102265631_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 1764 wrote to memory of 3044	1764	2024-09-08_e04e1aebe7aef971419c036102265631_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 1764 wrote to memory of 540	1764	2024-09-08_e04e1aebe7aef971419c036102265631_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 1764 wrote to memory of 540	1764	2024-09-08_e04e1aebe7aef971419c036102265631_cobalt-strike_cobaltstrike_poet-rat.exe	107

C:\Users\Admin\AppData\Local\Temp\2024-09-08_e04e1aebe7aef971419c036102265631_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-08_e04e1aebe7aef971419c036102265631_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1764
- C:\Windows\System\zQpFXkH.exe
  C:\Windows\System\zQpFXkH.exe
  2⤵
  - Executes dropped EXE
  PID:2552
- C:\Windows\System\ACTmEbU.exe
  C:\Windows\System\ACTmEbU.exe
  2⤵
  - Executes dropped EXE
  PID:4868
- C:\Windows\System\CslFMCx.exe
  C:\Windows\System\CslFMCx.exe
  2⤵
  - Executes dropped EXE
  PID:3092
- C:\Windows\System\SeHHtBv.exe
  C:\Windows\System\SeHHtBv.exe
  2⤵
  - Executes dropped EXE
  PID:4368
- C:\Windows\System\NsnRgRL.exe
  C:\Windows\System\NsnRgRL.exe
  2⤵
  - Executes dropped EXE
  PID:3260
- C:\Windows\System\gCsMTVD.exe
  C:\Windows\System\gCsMTVD.exe
  2⤵
  - Executes dropped EXE
  PID:808
- C:\Windows\System\CLpDieD.exe
  C:\Windows\System\CLpDieD.exe
  2⤵
  - Executes dropped EXE
  PID:760
- C:\Windows\System\bxWdUZo.exe
  C:\Windows\System\bxWdUZo.exe
  2⤵
  - Executes dropped EXE
  PID:5012
- C:\Windows\System\qYxZHuj.exe
  C:\Windows\System\qYxZHuj.exe
  2⤵
  - Executes dropped EXE
  PID:3176
- C:\Windows\System\krYNOLg.exe
  C:\Windows\System\krYNOLg.exe
  2⤵
  - Executes dropped EXE
  PID:4740
- C:\Windows\System\TLIhpUw.exe
  C:\Windows\System\TLIhpUw.exe
  2⤵
  - Executes dropped EXE
  PID:4836
- C:\Windows\System\iMweXvF.exe
  C:\Windows\System\iMweXvF.exe
  2⤵
  - Executes dropped EXE
  PID:4552
- C:\Windows\System\qQJDsds.exe
  C:\Windows\System\qQJDsds.exe
  2⤵
  - Executes dropped EXE
  PID:3540
- C:\Windows\System\nnMMzng.exe
  C:\Windows\System\nnMMzng.exe
  2⤵
  - Executes dropped EXE
  PID:2980
- C:\Windows\System\HkTXjgc.exe
  C:\Windows\System\HkTXjgc.exe
  2⤵
  - Executes dropped EXE
  PID:1972
- C:\Windows\System\BVdaYCT.exe
  C:\Windows\System\BVdaYCT.exe
  2⤵
  - Executes dropped EXE
  PID:1668
- C:\Windows\System\rjSoZxX.exe
  C:\Windows\System\rjSoZxX.exe
  2⤵
  - Executes dropped EXE
  PID:4948
- C:\Windows\System\CFQgbOl.exe
  C:\Windows\System\CFQgbOl.exe
  2⤵
  - Executes dropped EXE
  PID:3040
- C:\Windows\System\MNBYKyK.exe
  C:\Windows\System\MNBYKyK.exe
  2⤵
  - Executes dropped EXE
  PID:5068
- C:\Windows\System\BhLvnkP.exe
  C:\Windows\System\BhLvnkP.exe
  2⤵
  - Executes dropped EXE
  PID:3044
- C:\Windows\System\hjWWBJB.exe
  C:\Windows\System\hjWWBJB.exe
  2⤵
  - Executes dropped EXE
  PID:540

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\ACTmEbU.exe

Filesize
5.9MB

MD5
fc2f4a9b0c41de2cc44a43e7af563da5

SHA1
b558a1e52caa24f71d589d042374b44599b63c92

SHA256
c16254aa701ffb7c7e4b28e5539010aff2453b1188d397fca382a352150892d6

SHA512
17ba62f1e4d05974804f68c0d4a661a4ebf04b2645306d94e514e1dfae5f74038ed0d26ec2d0577a338223c5fc12b94a1224cba492c1408ced71ec2292caf922

Download Submit
C:\Windows\System\BVdaYCT.exe

Filesize
5.9MB

MD5
6666257273b5ff1990ff2f40fed84c00

SHA1
e9894b0ff4ef9fa8e09f9da899a03115888a6111

SHA256
0a664199cf1e19b949d67a51c2a4dfe69cacdf1daaa15632ed0a4986ac9025c5

SHA512
f51573cf06c50852801e4811209fcce60fdcbddfb076119c88c9f1c4c0216584e2039309d5f2731c992271ade00be69723fb61b26658c809a518488a09ddcdf1

Download Submit
C:\Windows\System\BhLvnkP.exe

Filesize
5.9MB

MD5
90a4acb22fbd16862fb1ffa231cf6960

SHA1
082cc7d6ba1bf33c231c56dd53c8758e2e96e186

SHA256
a435166d41e1cd5d8e1b0fb1e41f05419f1d4e043da126651d4d8a22498d5984

SHA512
b5dce884c3a055ef293e7b970e73508c61ae98fe1023f809db7daa1fe052b0ed23c4124521ed0b9761288e6b618aeb13f3e49367652b8c2b4cdfcb951251af46

Download Submit
C:\Windows\System\CFQgbOl.exe

Filesize
5.9MB

MD5
f60486f4ef3f4cd05369e3181896191b

SHA1
af47334ad5c3b1e6dc34fef9d92e2b22ddf93fd3

SHA256
aff90329afb7638106612bfc346076a22df936a66325fe8f0cf6d8a076e51d14

SHA512
191d386813834b44f7fd8c086fb91f8c815cb47ae0f8d887abd826b81ff56f0692830b92446813cbd8eb07b749e1b234c6bf65947e74ffe7aff1f3c77622ccb6

Download Submit
C:\Windows\System\CLpDieD.exe

Filesize
5.9MB

MD5
af94ae28d2f6756019ddfee0cd7a0887

SHA1
04202a761cca846b34bcdf95dde9d52cc76be2bc

SHA256
9a6837072a07a9f6b132b7dc6d0de159d8c946e564b3b7257728146cb4a6291d

SHA512
8be8dec4a1fd8bdcfac6ce495661553a7df716db48ed5c67bf71b5bdc73cfe19d40c6021cda55685dfec634b2cbd4236cc96f37c3fb1fd33dbca74d70666289f

Download Submit
C:\Windows\System\CslFMCx.exe

Filesize
5.9MB

MD5
20c98a8fbaf0cdc2e029fd9041ad3fff

SHA1
e9c25abc4f6624451b2609cdfa226b4fc2ac7758

SHA256
9ec0ab23dfca5e4fa930ceb574535e2df9c9f9f7c5e151753b2eedf8bb55a66b

SHA512
a2f038b566f1d113e5b780e2fc9b331d3cd414769ca4dd2b0d7fb84bf7edf554d77befeb54229d1eef2d9a224a28e9b0a0c8d0481682a76b6ff623da01da9aee

Download Submit
C:\Windows\System\HkTXjgc.exe

Filesize
5.9MB

MD5
f3549adb056e2604624e451a745b1cc8

SHA1
3c2237e8eeb16782d6ffad4aab9f8d03151eef52

SHA256
4234418b291a4bb43c65d28dc909afedfef62f121ed6f9982d0311aa6b17e3b2

SHA512
7368b22c3e45aa87d8fb7f51de8977798d498cb7db2e34318901e4780e1c7abfd78ce5db42d173628b6215e9d833cc5d46cb1fcf41bcc881c9aa8a8700692043

Download Submit
C:\Windows\System\MNBYKyK.exe

Filesize
5.9MB

MD5
7d6c7ea92e6a0f412fe4644cf44d81b1

SHA1
bb67ac7d9e24ac919b4f69e98b2efbb5c005e5b1

SHA256
09e1e056ee909d9de7eaf371772de40c58c9c0c7e66cd02f00fcbc20333e4755

SHA512
a2d01526cc7669268b869f684fa8c2634abf2546ad981c6729cff776a3b641f6f94f4fc0b55927aa25e33424a129bd89eddb56acaccb1968fbbc92ebb2afefbe

Download Submit
C:\Windows\System\NsnRgRL.exe

Filesize
5.9MB

MD5
493e99f337525dc00f8df29e5596ee25

SHA1
2bea44e9e3ddd5aeb27d75699bac1229b4607730

SHA256
b0164a0c6cea95e0334ceb4bbc6c4f68f356b4b86ec98e87d267c28e17b1701b

SHA512
94f51bd541c39a74fc65f64ec924f29b88c6a3f5c1c0af3da9762d7b9f078d49e338d8ba8388f08ebc5c6055fb62ed52763f64cf4febb90bbbd709b29ae14852

Download Submit
C:\Windows\System\SeHHtBv.exe

Filesize
5.9MB

MD5
ee5ddd38046b413b4bc9df1d3ee36a0d

SHA1
a45fc3a99c91b8da549ad686decc84223a8f8b2c

SHA256
f2972c31b27d1039a41715ce569368664ec5ef90fe7c4589c60be818ec13cd21

SHA512
84b64b37586d192dcf0a39066df3772f1f2c846ac26ebf0058dc4949069b5c5051f28b630b21d122a8cf04c1cd19c4ad6cecd131bedb91c0a2898a8a85d3253e

Download Submit
C:\Windows\System\TLIhpUw.exe

Filesize
5.9MB

MD5
65eb37af314632b9c5e3650c9336783b

SHA1
051bde0298c32ae8b7c3dc385c146c251f88ba13

SHA256
1453859f92926f9f0821c401c64269b9b4f7741650ec0efb74b0de890cd1a392

SHA512
9a0b07ae68c0b98130f2ae3f5b00de021f64399e2c51790ddb4a53667c4d46d3487530a50947b892470193a218952a067cabad7425ad3efca7ce50e0f3350be6

Download Submit
C:\Windows\System\bxWdUZo.exe

Filesize
5.9MB

MD5
0948fea94eae89c6a407fcc9fcdf41cb

SHA1
e31ee828cf8b08b30056360204739c33f272821a

SHA256
b15d09f5b7642144d3130bb840f0a5de231822a158bca9b9415ab1f20466bd1e

SHA512
ac13ec5ee56ebdaf3522243b03571db37ab9ad33af1aa0137d11e7b33abeb9ea0f3fc9ebcd2993881d55d08e1adfc5118421013ff72207366a379c597731c943

Download Submit
C:\Windows\System\gCsMTVD.exe

Filesize
5.9MB

MD5
786f33c6f8632dff322f00e6474f1ca4

SHA1
a6362654ebc43a78e38b6ad12058f8a6bfecf269

SHA256
c83b8ec24d9a015a956a0bc2b7efc3d19ab12d19f9245d2314b8c724b618cee7

SHA512
38a8055b4a851334cb3e91d7a77c0d3b80465a0faeb8766b9fbbb47deb591ab5c4a4a90c1d72d517568b4b3e69dfb88e823e96e875f8dd5ad5d04c23bd10b968

Download Submit
C:\Windows\System\hjWWBJB.exe

Filesize
5.9MB

MD5
4adc0bbdb46030f1afec441e758046ac

SHA1
953bdf36a64f7a92345f6bce0921e74934ba40f0

SHA256
bf6e2b91284b9a9815b1ecfc1fd6fdf5b8c38fbbd41cfefdca03cdc93c134680

SHA512
4f45b3b55886535acf853ad2460db22c1cb74677ce0a7f5501c7bbe3f7edbfda3843c688db7d49b6b030f6ba2b8dfc51af1587c07435f8f762e8ee37c967f75f

Download Submit
C:\Windows\System\iMweXvF.exe

Filesize
5.9MB

MD5
d6fd36fe78e589bec0284ecfb3e657c2

SHA1
a1818e0299789af810204d99cdab16c0afad73a5

SHA256
e7450dfb010315519124e04a4418d34da93279d15587563ca05fc5ccecc648cd

SHA512
aacfa572845970a900a9f7daa940844911ddc317bf948248da2b643df9cee9259fabf553bbd6c548f83626184edabc8380cc84815d31ade8ab92c6401901a49b

Download Submit
C:\Windows\System\krYNOLg.exe

Filesize
5.9MB

MD5
8aad78730d151bad3d1c7fea2e7056d7

SHA1
3f3c25ed54b650326f679c4246cd147f67a58b23

SHA256
c58650597e215c8d0601e640c2039308651dbe7b8ce14e3a1d5efd91d3a46c6e

SHA512
42860707eb07572f0ae045ec8c3bc03decfdc002b142b749ac6e46af707443fb96d5e949df93547b0f1dcd8d1ceeb7c93f8b40358a156c7ba8b45ceb79ddb1c2

Download Submit
C:\Windows\System\nnMMzng.exe

Filesize
5.9MB

MD5
e30f207a6110637bf1e8793e6ac22666

SHA1
236dbb41ef380ceaa01946a9b47c4e8aaf7aacf5

SHA256
f2a9596d72bfa1c31616abbb4bc5e118ecbf630abfe2a791e46b01c5db4d5364

SHA512
18e837e1457a40598b2115c6906bf7cd2e45bb6fd102836161b2edd7e7fcb9e1198e42f5fddf5e3230f561f7fe0599c27efa0c288d77e30e667c925b3495d399

Download Submit
C:\Windows\System\qQJDsds.exe

Filesize
5.9MB

MD5
024c8a2c99e917d38a7a5c0852790f8a

SHA1
83821d640e94cfa5a8aea2c48e2e8dcb0113d80a

SHA256
b350d2ec3c7191ee5a41a42a54218fad70edfd956dfc3324528a4b1e718e6ac6

SHA512
9f77b345b0995542d3d8e339e5460e36c3f6be70274eef9ee78d53c5a47d70cbb1d929b12d42f962cf8182f80ef0a323424abe4986c154be4699f04e30610331

Download Submit
C:\Windows\System\qYxZHuj.exe

Filesize
5.9MB

MD5
fb1e06327a6c4ad97cbd32e08abb2b24

SHA1
f9fb8f2cf4b296a65e872afc745fae2d9a21b750

SHA256
debf1f3fe35b9a617b12c93ff44504cc8974d2742042fc6c6104132426a7fe37

SHA512
b40b1e3d2630c7ba81cf4efb47fbacb0fbac758a8f887da33bdbd93ad59afb702e49dac6f6b1fb413fa32350cfb0df74448c34c25b4fdcfabc51ecd5cda64f5e

Download Submit
C:\Windows\System\rjSoZxX.exe

Filesize
5.9MB

MD5
027f5d3889430724bdb867d179e11227

SHA1
a5d82b0ec9d71708b9b1944d88913186a45c105a

SHA256
ce69bd3879831c54ead8be12d0ee8893921845a4b7f3990e94d7a6d55e982c0f

SHA512
170622288d1bd4fb727dbd97621b06200b3f45f196d216369c61adf356b9533172f94de98b7df33655e4c5af38e90dd86090d69110b5ab4c425293f050056758

Download Submit
C:\Windows\System\zQpFXkH.exe

Filesize
5.9MB

MD5
3ca66a2b2f42d925435261d8220b5716

SHA1
3c93ade02194131c750fb09ebb527c8ef80a77f7

SHA256
b3bc2376a8c7bb9c77c32f39388a61560f1341fe0d6ab36892ca2322e391710d

SHA512
f26a3b87489ff625005591ea54ecf372b57d9ab8cd8ba63df4b0bd779bf9a4f8d385e246589f761c3b2007cbbb03176d7bb9946640a6d1c82cace88114ebf860

Download Submit
memory/540-166-0x00007FF7F6FD0000-0x00007FF7F7324000-memory.dmp

Filesize
3.3MB

Download
memory/540-136-0x00007FF7F6FD0000-0x00007FF7F7324000-memory.dmp

Filesize
3.3MB

Download
memory/760-43-0x00007FF757620000-0x00007FF757974000-memory.dmp

Filesize
3.3MB

Download
memory/760-105-0x00007FF757620000-0x00007FF757974000-memory.dmp

Filesize
3.3MB

Download
memory/760-152-0x00007FF757620000-0x00007FF757974000-memory.dmp

Filesize
3.3MB

Download
memory/808-151-0x00007FF797920000-0x00007FF797C74000-memory.dmp

Filesize
3.3MB

Download
memory/808-39-0x00007FF797920000-0x00007FF797C74000-memory.dmp

Filesize
3.3MB

Download
memory/808-96-0x00007FF797920000-0x00007FF797C74000-memory.dmp

Filesize
3.3MB

Download
memory/1668-106-0x00007FF7D7460000-0x00007FF7D77B4000-memory.dmp

Filesize
3.3MB

Download
memory/1668-164-0x00007FF7D7460000-0x00007FF7D77B4000-memory.dmp

Filesize
3.3MB

Download
memory/1668-143-0x00007FF7D7460000-0x00007FF7D77B4000-memory.dmp

Filesize
3.3MB

Download
memory/1764-60-0x00007FF642A00000-0x00007FF642D54000-memory.dmp

Filesize
3.3MB

Download
memory/1764-0-0x00007FF642A00000-0x00007FF642D54000-memory.dmp

Filesize
3.3MB

Download
memory/1764-1-0x000001A628F20000-0x000001A628F30000-memory.dmp

Filesize
64KB

Download
memory/1972-142-0x00007FF604430000-0x00007FF604784000-memory.dmp

Filesize
3.3MB

Download
memory/1972-160-0x00007FF604430000-0x00007FF604784000-memory.dmp

Filesize
3.3MB

Download
memory/1972-97-0x00007FF604430000-0x00007FF604784000-memory.dmp

Filesize
3.3MB

Download
memory/2552-67-0x00007FF7DA240000-0x00007FF7DA594000-memory.dmp

Filesize
3.3MB

Download
memory/2552-8-0x00007FF7DA240000-0x00007FF7DA594000-memory.dmp

Filesize
3.3MB

Download
memory/2552-146-0x00007FF7DA240000-0x00007FF7DA594000-memory.dmp

Filesize
3.3MB

Download
memory/2980-159-0x00007FF68E0D0000-0x00007FF68E424000-memory.dmp

Filesize
3.3MB

Download
memory/2980-141-0x00007FF68E0D0000-0x00007FF68E424000-memory.dmp

Filesize
3.3MB

Download
memory/2980-89-0x00007FF68E0D0000-0x00007FF68E424000-memory.dmp

Filesize
3.3MB

Download
memory/3040-145-0x00007FF6A0900000-0x00007FF6A0C54000-memory.dmp

Filesize
3.3MB

Download
memory/3040-161-0x00007FF6A0900000-0x00007FF6A0C54000-memory.dmp

Filesize
3.3MB

Download
memory/3040-134-0x00007FF6A0900000-0x00007FF6A0C54000-memory.dmp

Filesize
3.3MB

Download
memory/3044-165-0x00007FF6B8920000-0x00007FF6B8C74000-memory.dmp

Filesize
3.3MB

Download
memory/3044-135-0x00007FF6B8920000-0x00007FF6B8C74000-memory.dmp

Filesize
3.3MB

Download
memory/3092-148-0x00007FF752E50000-0x00007FF7531A4000-memory.dmp

Filesize
3.3MB

Download
memory/3092-75-0x00007FF752E50000-0x00007FF7531A4000-memory.dmp

Filesize
3.3MB

Download
memory/3092-20-0x00007FF752E50000-0x00007FF7531A4000-memory.dmp

Filesize
3.3MB

Download
memory/3176-56-0x00007FF6743A0000-0x00007FF6746F4000-memory.dmp

Filesize
3.3MB

Download
memory/3176-115-0x00007FF6743A0000-0x00007FF6746F4000-memory.dmp

Filesize
3.3MB

Download
memory/3176-154-0x00007FF6743A0000-0x00007FF6746F4000-memory.dmp

Filesize
3.3MB

Download
memory/3260-88-0x00007FF60CD20000-0x00007FF60D074000-memory.dmp

Filesize
3.3MB

Download
memory/3260-30-0x00007FF60CD20000-0x00007FF60D074000-memory.dmp

Filesize
3.3MB

Download
memory/3260-150-0x00007FF60CD20000-0x00007FF60D074000-memory.dmp

Filesize
3.3MB

Download
memory/3540-84-0x00007FF7C2170000-0x00007FF7C24C4000-memory.dmp

Filesize
3.3MB

Download
memory/3540-140-0x00007FF7C2170000-0x00007FF7C24C4000-memory.dmp

Filesize
3.3MB

Download
memory/3540-158-0x00007FF7C2170000-0x00007FF7C24C4000-memory.dmp

Filesize
3.3MB

Download
memory/4368-149-0x00007FF7D4030000-0x00007FF7D4384000-memory.dmp

Filesize
3.3MB

Download
memory/4368-26-0x00007FF7D4030000-0x00007FF7D4384000-memory.dmp

Filesize
3.3MB

Download
memory/4368-82-0x00007FF7D4030000-0x00007FF7D4384000-memory.dmp

Filesize
3.3MB

Download
memory/4552-157-0x00007FF6C9FA0000-0x00007FF6CA2F4000-memory.dmp

Filesize
3.3MB

Download
memory/4552-78-0x00007FF6C9FA0000-0x00007FF6CA2F4000-memory.dmp

Filesize
3.3MB

Download
memory/4740-61-0x00007FF61BEF0000-0x00007FF61C244000-memory.dmp

Filesize
3.3MB

Download
memory/4740-155-0x00007FF61BEF0000-0x00007FF61C244000-memory.dmp

Filesize
3.3MB

Download
memory/4740-137-0x00007FF61BEF0000-0x00007FF61C244000-memory.dmp

Filesize
3.3MB

Download
memory/4836-156-0x00007FF71A240000-0x00007FF71A594000-memory.dmp

Filesize
3.3MB

Download
memory/4836-68-0x00007FF71A240000-0x00007FF71A594000-memory.dmp

Filesize
3.3MB

Download
memory/4836-139-0x00007FF71A240000-0x00007FF71A594000-memory.dmp

Filesize
3.3MB

Download
memory/4868-147-0x00007FF7402A0000-0x00007FF7405F4000-memory.dmp

Filesize
3.3MB

Download
memory/4868-71-0x00007FF7402A0000-0x00007FF7405F4000-memory.dmp

Filesize
3.3MB

Download
memory/4868-14-0x00007FF7402A0000-0x00007FF7405F4000-memory.dmp

Filesize
3.3MB

Download
memory/4948-144-0x00007FF7CF460000-0x00007FF7CF7B4000-memory.dmp

Filesize
3.3MB

Download
memory/4948-162-0x00007FF7CF460000-0x00007FF7CF7B4000-memory.dmp

Filesize
3.3MB

Download
memory/4948-114-0x00007FF7CF460000-0x00007FF7CF7B4000-memory.dmp

Filesize
3.3MB

Download
memory/5012-153-0x00007FF61BBD0000-0x00007FF61BF24000-memory.dmp

Filesize
3.3MB

Download
memory/5012-110-0x00007FF61BBD0000-0x00007FF61BF24000-memory.dmp

Filesize
3.3MB

Download
memory/5012-48-0x00007FF61BBD0000-0x00007FF61BF24000-memory.dmp

Filesize
3.3MB

Download
memory/5068-138-0x00007FF69F730000-0x00007FF69FA84000-memory.dmp

Filesize
3.3MB

Download
memory/5068-163-0x00007FF69F730000-0x00007FF69FA84000-memory.dmp

Filesize
3.3MB

Download