cobaltstrike | d407236d347bf9f3081d0c497f6f8c4315ab52f26fff1ca84bc897d3cc6fe649

Analysis

max time kernel
146s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14-09-2024 13:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-14_2591861871754df5b90ab3160c479b5c_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

2591861871754df5b90ab3160c479b5c
SHA1

1e1db059283f4173612b8b38c24978807ba3f88d
SHA256

d407236d347bf9f3081d0c497f6f8c4315ab52f26fff1ca84bc897d3cc6fe649
SHA512

e2e1c73da5cfeb4f49f4580cfe49a96718d765738e1522cb5c59b3fdcfbc4588730fbbef61928e952b73e99158ad90f5a79583e4b5804c38d57ffe3be1c5cfef
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lI:RWWBibf56utgpPFotBER/mQ32lUM

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x00080000000235b6-5.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235ba-11.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235bd-23.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235bb-26.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235bf-40.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235c1-61.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235c3-67.dat	cobalt_reflective_dll
behavioral2/files/0x00080000000235b7-101.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235ca-113.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235c9-111.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235c8-109.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235c7-107.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235c6-103.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235c5-96.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235c4-81.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235c2-65.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235c0-52.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235bc-41.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235be-37.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235cb-144.dat	cobalt_reflective_dll
behavioral2/files/0x000500000001686a-145.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 44 IoCs

miner

resource	yara_rule
behavioral2/memory/1848-119-0x00007FF708690000-0x00007FF7089E1000-memory.dmp	xmrig
behavioral2/memory/4836-118-0x00007FF621CF0000-0x00007FF622041000-memory.dmp	xmrig
behavioral2/memory/4556-117-0x00007FF6A59F0000-0x00007FF6A5D41000-memory.dmp	xmrig
behavioral2/memory/1844-116-0x00007FF7B53E0000-0x00007FF7B5731000-memory.dmp	xmrig
behavioral2/memory/5084-99-0x00007FF7F7690000-0x00007FF7F79E1000-memory.dmp	xmrig
behavioral2/memory/3636-45-0x00007FF71BFE0000-0x00007FF71C331000-memory.dmp	xmrig
behavioral2/memory/1388-135-0x00007FF63F510000-0x00007FF63F861000-memory.dmp	xmrig
behavioral2/memory/4252-140-0x00007FF77AF60000-0x00007FF77B2B1000-memory.dmp	xmrig
behavioral2/memory/4524-126-0x00007FF653010000-0x00007FF653361000-memory.dmp	xmrig
behavioral2/memory/1056-139-0x00007FF7B3970000-0x00007FF7B3CC1000-memory.dmp	xmrig
behavioral2/memory/3276-138-0x00007FF7E6050000-0x00007FF7E63A1000-memory.dmp	xmrig
behavioral2/memory/724-136-0x00007FF791AE0000-0x00007FF791E31000-memory.dmp	xmrig
behavioral2/memory/4392-134-0x00007FF69F620000-0x00007FF69F971000-memory.dmp	xmrig
behavioral2/memory/1760-133-0x00007FF655570000-0x00007FF6558C1000-memory.dmp	xmrig
behavioral2/memory/3460-132-0x00007FF6F1340000-0x00007FF6F1691000-memory.dmp	xmrig
behavioral2/memory/644-131-0x00007FF6A2410000-0x00007FF6A2761000-memory.dmp	xmrig
behavioral2/memory/4624-130-0x00007FF695D70000-0x00007FF6960C1000-memory.dmp	xmrig
behavioral2/memory/2396-128-0x00007FF707130000-0x00007FF707481000-memory.dmp	xmrig
behavioral2/memory/2016-124-0x00007FF73DAE0000-0x00007FF73DE31000-memory.dmp	xmrig
behavioral2/memory/1540-129-0x00007FF626F30000-0x00007FF627281000-memory.dmp	xmrig
behavioral2/memory/1564-150-0x00007FF7027B0000-0x00007FF702B01000-memory.dmp	xmrig
behavioral2/memory/4528-151-0x00007FF711730000-0x00007FF711A81000-memory.dmp	xmrig
behavioral2/memory/5084-152-0x00007FF7F7690000-0x00007FF7F79E1000-memory.dmp	xmrig
behavioral2/memory/4556-210-0x00007FF6A59F0000-0x00007FF6A5D41000-memory.dmp	xmrig
behavioral2/memory/4836-212-0x00007FF621CF0000-0x00007FF622041000-memory.dmp	xmrig
behavioral2/memory/2016-214-0x00007FF73DAE0000-0x00007FF73DE31000-memory.dmp	xmrig
behavioral2/memory/4524-216-0x00007FF653010000-0x00007FF653361000-memory.dmp	xmrig
behavioral2/memory/3636-218-0x00007FF71BFE0000-0x00007FF71C331000-memory.dmp	xmrig
behavioral2/memory/3460-228-0x00007FF6F1340000-0x00007FF6F1691000-memory.dmp	xmrig
behavioral2/memory/1848-237-0x00007FF708690000-0x00007FF7089E1000-memory.dmp	xmrig
behavioral2/memory/2396-235-0x00007FF707130000-0x00007FF707481000-memory.dmp	xmrig
behavioral2/memory/1540-234-0x00007FF626F30000-0x00007FF627281000-memory.dmp	xmrig
behavioral2/memory/4624-232-0x00007FF695D70000-0x00007FF6960C1000-memory.dmp	xmrig
behavioral2/memory/644-229-0x00007FF6A2410000-0x00007FF6A2761000-memory.dmp	xmrig
behavioral2/memory/1388-249-0x00007FF63F510000-0x00007FF63F861000-memory.dmp	xmrig
behavioral2/memory/4252-251-0x00007FF77AF60000-0x00007FF77B2B1000-memory.dmp	xmrig
behavioral2/memory/1760-253-0x00007FF655570000-0x00007FF6558C1000-memory.dmp	xmrig
behavioral2/memory/4392-248-0x00007FF69F620000-0x00007FF69F971000-memory.dmp	xmrig
behavioral2/memory/1844-244-0x00007FF7B53E0000-0x00007FF7B5731000-memory.dmp	xmrig
behavioral2/memory/1056-240-0x00007FF7B3970000-0x00007FF7B3CC1000-memory.dmp	xmrig
behavioral2/memory/724-246-0x00007FF791AE0000-0x00007FF791E31000-memory.dmp	xmrig
behavioral2/memory/3276-242-0x00007FF7E6050000-0x00007FF7E63A1000-memory.dmp	xmrig
behavioral2/memory/4528-260-0x00007FF711730000-0x00007FF711A81000-memory.dmp	xmrig
behavioral2/memory/1564-262-0x00007FF7027B0000-0x00007FF702B01000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4556	uROeEnk.exe
4836	tyZSgnF.exe
2016	AmoThHc.exe
1848	QTzeJWf.exe
4524	sjeUmtU.exe
3636	mHJPvcT.exe
2396	mhGmrtT.exe
1540	OIqCyOO.exe
4624	ZraLZyX.exe
644	KcUOWvH.exe
3460	vwoyYPW.exe
1760	vLKvTft.exe
4392	jvSTlnv.exe
1388	aVHmNiF.exe
724	KxLcFiv.exe
1844	iEWixWR.exe
3276	TDLAOxO.exe
1056	LPpTWqo.exe
4252	YqDcpCK.exe
1564	tRVZMET.exe
4528	MwrvDOl.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5084-0-0x00007FF7F7690000-0x00007FF7F79E1000-memory.dmp	upx
behavioral2/files/0x00080000000235b6-5.dat	upx
behavioral2/memory/4556-6-0x00007FF6A59F0000-0x00007FF6A5D41000-memory.dmp	upx
behavioral2/files/0x00070000000235ba-11.dat	upx
behavioral2/files/0x00070000000235bd-23.dat	upx
behavioral2/files/0x00070000000235bb-26.dat	upx
behavioral2/files/0x00070000000235bf-40.dat	upx
behavioral2/files/0x00070000000235c1-61.dat	upx
behavioral2/files/0x00070000000235c3-67.dat	upx
behavioral2/memory/1760-83-0x00007FF655570000-0x00007FF6558C1000-memory.dmp	upx
behavioral2/memory/1388-84-0x00007FF63F510000-0x00007FF63F861000-memory.dmp	upx
behavioral2/files/0x00080000000235b7-101.dat	upx
behavioral2/files/0x00070000000235ca-113.dat	upx
behavioral2/memory/1848-119-0x00007FF708690000-0x00007FF7089E1000-memory.dmp	upx
behavioral2/memory/4836-118-0x00007FF621CF0000-0x00007FF622041000-memory.dmp	upx
behavioral2/memory/4556-117-0x00007FF6A59F0000-0x00007FF6A5D41000-memory.dmp	upx
behavioral2/memory/1844-116-0x00007FF7B53E0000-0x00007FF7B5731000-memory.dmp	upx
behavioral2/memory/4252-115-0x00007FF77AF60000-0x00007FF77B2B1000-memory.dmp	upx
behavioral2/files/0x00070000000235c9-111.dat	upx
behavioral2/files/0x00070000000235c8-109.dat	upx
behavioral2/files/0x00070000000235c7-107.dat	upx
behavioral2/memory/1056-106-0x00007FF7B3970000-0x00007FF7B3CC1000-memory.dmp	upx
behavioral2/memory/3276-105-0x00007FF7E6050000-0x00007FF7E63A1000-memory.dmp	upx
behavioral2/files/0x00070000000235c6-103.dat	upx
behavioral2/memory/4392-100-0x00007FF69F620000-0x00007FF69F971000-memory.dmp	upx
behavioral2/memory/5084-99-0x00007FF7F7690000-0x00007FF7F79E1000-memory.dmp	upx
behavioral2/files/0x00070000000235c5-96.dat	upx
behavioral2/memory/724-91-0x00007FF791AE0000-0x00007FF791E31000-memory.dmp	upx
behavioral2/files/0x00070000000235c4-81.dat	upx
behavioral2/files/0x00070000000235c2-65.dat	upx
behavioral2/memory/3460-64-0x00007FF6F1340000-0x00007FF6F1691000-memory.dmp	upx
behavioral2/memory/644-63-0x00007FF6A2410000-0x00007FF6A2761000-memory.dmp	upx
behavioral2/memory/4624-56-0x00007FF695D70000-0x00007FF6960C1000-memory.dmp	upx
behavioral2/files/0x00070000000235c0-52.dat	upx
behavioral2/memory/1540-48-0x00007FF626F30000-0x00007FF627281000-memory.dmp	upx
behavioral2/memory/2396-46-0x00007FF707130000-0x00007FF707481000-memory.dmp	upx
behavioral2/memory/3636-45-0x00007FF71BFE0000-0x00007FF71C331000-memory.dmp	upx
behavioral2/files/0x00070000000235bc-41.dat	upx
behavioral2/files/0x00070000000235be-37.dat	upx
behavioral2/memory/4524-33-0x00007FF653010000-0x00007FF653361000-memory.dmp	upx
behavioral2/memory/2016-32-0x00007FF73DAE0000-0x00007FF73DE31000-memory.dmp	upx
behavioral2/memory/1848-22-0x00007FF708690000-0x00007FF7089E1000-memory.dmp	upx
behavioral2/memory/4836-19-0x00007FF621CF0000-0x00007FF622041000-memory.dmp	upx
behavioral2/memory/1388-135-0x00007FF63F510000-0x00007FF63F861000-memory.dmp	upx
behavioral2/memory/4252-140-0x00007FF77AF60000-0x00007FF77B2B1000-memory.dmp	upx
behavioral2/files/0x00070000000235cb-144.dat	upx
behavioral2/files/0x000500000001686a-145.dat	upx
behavioral2/memory/4524-126-0x00007FF653010000-0x00007FF653361000-memory.dmp	upx
behavioral2/memory/1056-139-0x00007FF7B3970000-0x00007FF7B3CC1000-memory.dmp	upx
behavioral2/memory/3276-138-0x00007FF7E6050000-0x00007FF7E63A1000-memory.dmp	upx
behavioral2/memory/724-136-0x00007FF791AE0000-0x00007FF791E31000-memory.dmp	upx
behavioral2/memory/4392-134-0x00007FF69F620000-0x00007FF69F971000-memory.dmp	upx
behavioral2/memory/1760-133-0x00007FF655570000-0x00007FF6558C1000-memory.dmp	upx
behavioral2/memory/3460-132-0x00007FF6F1340000-0x00007FF6F1691000-memory.dmp	upx
behavioral2/memory/644-131-0x00007FF6A2410000-0x00007FF6A2761000-memory.dmp	upx
behavioral2/memory/4624-130-0x00007FF695D70000-0x00007FF6960C1000-memory.dmp	upx
behavioral2/memory/2396-128-0x00007FF707130000-0x00007FF707481000-memory.dmp	upx
behavioral2/memory/2016-124-0x00007FF73DAE0000-0x00007FF73DE31000-memory.dmp	upx
behavioral2/memory/1540-129-0x00007FF626F30000-0x00007FF627281000-memory.dmp	upx
behavioral2/memory/1564-150-0x00007FF7027B0000-0x00007FF702B01000-memory.dmp	upx
behavioral2/memory/4528-151-0x00007FF711730000-0x00007FF711A81000-memory.dmp	upx
behavioral2/memory/5084-152-0x00007FF7F7690000-0x00007FF7F79E1000-memory.dmp	upx
behavioral2/memory/4556-210-0x00007FF6A59F0000-0x00007FF6A5D41000-memory.dmp	upx
behavioral2/memory/4836-212-0x00007FF621CF0000-0x00007FF622041000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\tyZSgnF.exe	2024-09-14_2591861871754df5b90ab3160c479b5c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QTzeJWf.exe	2024-09-14_2591861871754df5b90ab3160c479b5c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sjeUmtU.exe	2024-09-14_2591861871754df5b90ab3160c479b5c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mHJPvcT.exe	2024-09-14_2591861871754df5b90ab3160c479b5c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AmoThHc.exe	2024-09-14_2591861871754df5b90ab3160c479b5c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KcUOWvH.exe	2024-09-14_2591861871754df5b90ab3160c479b5c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vwoyYPW.exe	2024-09-14_2591861871754df5b90ab3160c479b5c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TDLAOxO.exe	2024-09-14_2591861871754df5b90ab3160c479b5c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tRVZMET.exe	2024-09-14_2591861871754df5b90ab3160c479b5c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uROeEnk.exe	2024-09-14_2591861871754df5b90ab3160c479b5c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vLKvTft.exe	2024-09-14_2591861871754df5b90ab3160c479b5c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jvSTlnv.exe	2024-09-14_2591861871754df5b90ab3160c479b5c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KxLcFiv.exe	2024-09-14_2591861871754df5b90ab3160c479b5c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iEWixWR.exe	2024-09-14_2591861871754df5b90ab3160c479b5c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LPpTWqo.exe	2024-09-14_2591861871754df5b90ab3160c479b5c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mhGmrtT.exe	2024-09-14_2591861871754df5b90ab3160c479b5c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OIqCyOO.exe	2024-09-14_2591861871754df5b90ab3160c479b5c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZraLZyX.exe	2024-09-14_2591861871754df5b90ab3160c479b5c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aVHmNiF.exe	2024-09-14_2591861871754df5b90ab3160c479b5c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YqDcpCK.exe	2024-09-14_2591861871754df5b90ab3160c479b5c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MwrvDOl.exe	2024-09-14_2591861871754df5b90ab3160c479b5c_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	5084	2024-09-14_2591861871754df5b90ab3160c479b5c_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	5084	2024-09-14_2591861871754df5b90ab3160c479b5c_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 5084 wrote to memory of 4556	5084	2024-09-14_2591861871754df5b90ab3160c479b5c_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 5084 wrote to memory of 4556	5084	2024-09-14_2591861871754df5b90ab3160c479b5c_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 5084 wrote to memory of 4836	5084	2024-09-14_2591861871754df5b90ab3160c479b5c_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 5084 wrote to memory of 4836	5084	2024-09-14_2591861871754df5b90ab3160c479b5c_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 5084 wrote to memory of 2016	5084	2024-09-14_2591861871754df5b90ab3160c479b5c_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 5084 wrote to memory of 2016	5084	2024-09-14_2591861871754df5b90ab3160c479b5c_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 5084 wrote to memory of 1848	5084	2024-09-14_2591861871754df5b90ab3160c479b5c_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 5084 wrote to memory of 1848	5084	2024-09-14_2591861871754df5b90ab3160c479b5c_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 5084 wrote to memory of 4524	5084	2024-09-14_2591861871754df5b90ab3160c479b5c_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 5084 wrote to memory of 4524	5084	2024-09-14_2591861871754df5b90ab3160c479b5c_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 5084 wrote to memory of 3636	5084	2024-09-14_2591861871754df5b90ab3160c479b5c_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 5084 wrote to memory of 3636	5084	2024-09-14_2591861871754df5b90ab3160c479b5c_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 5084 wrote to memory of 2396	5084	2024-09-14_2591861871754df5b90ab3160c479b5c_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 5084 wrote to memory of 2396	5084	2024-09-14_2591861871754df5b90ab3160c479b5c_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 5084 wrote to memory of 1540	5084	2024-09-14_2591861871754df5b90ab3160c479b5c_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 5084 wrote to memory of 1540	5084	2024-09-14_2591861871754df5b90ab3160c479b5c_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 5084 wrote to memory of 4624	5084	2024-09-14_2591861871754df5b90ab3160c479b5c_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 5084 wrote to memory of 4624	5084	2024-09-14_2591861871754df5b90ab3160c479b5c_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 5084 wrote to memory of 644	5084	2024-09-14_2591861871754df5b90ab3160c479b5c_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 5084 wrote to memory of 644	5084	2024-09-14_2591861871754df5b90ab3160c479b5c_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 5084 wrote to memory of 3460	5084	2024-09-14_2591861871754df5b90ab3160c479b5c_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 5084 wrote to memory of 3460	5084	2024-09-14_2591861871754df5b90ab3160c479b5c_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 5084 wrote to memory of 1760	5084	2024-09-14_2591861871754df5b90ab3160c479b5c_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 5084 wrote to memory of 1760	5084	2024-09-14_2591861871754df5b90ab3160c479b5c_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 5084 wrote to memory of 4392	5084	2024-09-14_2591861871754df5b90ab3160c479b5c_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 5084 wrote to memory of 4392	5084	2024-09-14_2591861871754df5b90ab3160c479b5c_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 5084 wrote to memory of 1388	5084	2024-09-14_2591861871754df5b90ab3160c479b5c_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 5084 wrote to memory of 1388	5084	2024-09-14_2591861871754df5b90ab3160c479b5c_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 5084 wrote to memory of 724	5084	2024-09-14_2591861871754df5b90ab3160c479b5c_cobalt-strike_cobaltstrike_poet-rat.exe	108
PID 5084 wrote to memory of 724	5084	2024-09-14_2591861871754df5b90ab3160c479b5c_cobalt-strike_cobaltstrike_poet-rat.exe	108
PID 5084 wrote to memory of 1844	5084	2024-09-14_2591861871754df5b90ab3160c479b5c_cobalt-strike_cobaltstrike_poet-rat.exe	109
PID 5084 wrote to memory of 1844	5084	2024-09-14_2591861871754df5b90ab3160c479b5c_cobalt-strike_cobaltstrike_poet-rat.exe	109
PID 5084 wrote to memory of 3276	5084	2024-09-14_2591861871754df5b90ab3160c479b5c_cobalt-strike_cobaltstrike_poet-rat.exe	110
PID 5084 wrote to memory of 3276	5084	2024-09-14_2591861871754df5b90ab3160c479b5c_cobalt-strike_cobaltstrike_poet-rat.exe	110
PID 5084 wrote to memory of 1056	5084	2024-09-14_2591861871754df5b90ab3160c479b5c_cobalt-strike_cobaltstrike_poet-rat.exe	111
PID 5084 wrote to memory of 1056	5084	2024-09-14_2591861871754df5b90ab3160c479b5c_cobalt-strike_cobaltstrike_poet-rat.exe	111
PID 5084 wrote to memory of 4252	5084	2024-09-14_2591861871754df5b90ab3160c479b5c_cobalt-strike_cobaltstrike_poet-rat.exe	112
PID 5084 wrote to memory of 4252	5084	2024-09-14_2591861871754df5b90ab3160c479b5c_cobalt-strike_cobaltstrike_poet-rat.exe	112
PID 5084 wrote to memory of 1564	5084	2024-09-14_2591861871754df5b90ab3160c479b5c_cobalt-strike_cobaltstrike_poet-rat.exe	114
PID 5084 wrote to memory of 1564	5084	2024-09-14_2591861871754df5b90ab3160c479b5c_cobalt-strike_cobaltstrike_poet-rat.exe	114
PID 5084 wrote to memory of 4528	5084	2024-09-14_2591861871754df5b90ab3160c479b5c_cobalt-strike_cobaltstrike_poet-rat.exe	115
PID 5084 wrote to memory of 4528	5084	2024-09-14_2591861871754df5b90ab3160c479b5c_cobalt-strike_cobaltstrike_poet-rat.exe	115

C:\Users\Admin\AppData\Local\Temp\2024-09-14_2591861871754df5b90ab3160c479b5c_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-14_2591861871754df5b90ab3160c479b5c_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5084
- C:\Windows\System\uROeEnk.exe
  C:\Windows\System\uROeEnk.exe
  2⤵
  - Executes dropped EXE
  PID:4556
- C:\Windows\System\tyZSgnF.exe
  C:\Windows\System\tyZSgnF.exe
  2⤵
  - Executes dropped EXE
  PID:4836
- C:\Windows\System\AmoThHc.exe
  C:\Windows\System\AmoThHc.exe
  2⤵
  - Executes dropped EXE
  PID:2016
- C:\Windows\System\QTzeJWf.exe
  C:\Windows\System\QTzeJWf.exe
  2⤵
  - Executes dropped EXE
  PID:1848
- C:\Windows\System\sjeUmtU.exe
  C:\Windows\System\sjeUmtU.exe
  2⤵
  - Executes dropped EXE
  PID:4524
- C:\Windows\System\mHJPvcT.exe
  C:\Windows\System\mHJPvcT.exe
  2⤵
  - Executes dropped EXE
  PID:3636
- C:\Windows\System\mhGmrtT.exe
  C:\Windows\System\mhGmrtT.exe
  2⤵
  - Executes dropped EXE
  PID:2396
- C:\Windows\System\OIqCyOO.exe
  C:\Windows\System\OIqCyOO.exe
  2⤵
  - Executes dropped EXE
  PID:1540
- C:\Windows\System\ZraLZyX.exe
  C:\Windows\System\ZraLZyX.exe
  2⤵
  - Executes dropped EXE
  PID:4624
- C:\Windows\System\KcUOWvH.exe
  C:\Windows\System\KcUOWvH.exe
  2⤵
  - Executes dropped EXE
  PID:644
- C:\Windows\System\vwoyYPW.exe
  C:\Windows\System\vwoyYPW.exe
  2⤵
  - Executes dropped EXE
  PID:3460
- C:\Windows\System\vLKvTft.exe
  C:\Windows\System\vLKvTft.exe
  2⤵
  - Executes dropped EXE
  PID:1760
- C:\Windows\System\jvSTlnv.exe
  C:\Windows\System\jvSTlnv.exe
  2⤵
  - Executes dropped EXE
  PID:4392
- C:\Windows\System\aVHmNiF.exe
  C:\Windows\System\aVHmNiF.exe
  2⤵
  - Executes dropped EXE
  PID:1388
- C:\Windows\System\KxLcFiv.exe
  C:\Windows\System\KxLcFiv.exe
  2⤵
  - Executes dropped EXE
  PID:724
- C:\Windows\System\iEWixWR.exe
  C:\Windows\System\iEWixWR.exe
  2⤵
  - Executes dropped EXE
  PID:1844
- C:\Windows\System\TDLAOxO.exe
  C:\Windows\System\TDLAOxO.exe
  2⤵
  - Executes dropped EXE
  PID:3276
- C:\Windows\System\LPpTWqo.exe
  C:\Windows\System\LPpTWqo.exe
  2⤵
  - Executes dropped EXE
  PID:1056
- C:\Windows\System\YqDcpCK.exe
  C:\Windows\System\YqDcpCK.exe
  2⤵
  - Executes dropped EXE
  PID:4252
- C:\Windows\System\tRVZMET.exe
  C:\Windows\System\tRVZMET.exe
  2⤵
  - Executes dropped EXE
  PID:1564
- C:\Windows\System\MwrvDOl.exe
  C:\Windows\System\MwrvDOl.exe
  2⤵
  - Executes dropped EXE
  PID:4528

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3908,i,4356837537417149674,16553092232944545509,262144 --variations-seed-version --mojo-platform-channel-handle=3932 /prefetch:8
1⤵
PID:4192

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AmoThHc.exe

Filesize
5.2MB

MD5
7dfa85f88e3d6ff00a859d94039faa2e

SHA1
7ef0b11e7b8ccb21d003b695fce4ac62e4597aa3

SHA256
fa250c14c96f0596bbca94602f6636a116c6a9d1d2d3d736247b8fb7aa2f7f33

SHA512
f7839d4fd2d114262a557cb85e12fdebf36535fde8aa2f66c7161d1906bd94e49248b05c75f0b682077da126ff1467343ee1ce27ca0a897c356cfa0cc5fbd8fb

Download Submit
C:\Windows\System\KcUOWvH.exe

Filesize
5.2MB

MD5
d9ce00ba3a8d11a04e8846a79d548870

SHA1
2232aa99daf13e36deefa6a9d0e32fe1a6cf5bd2

SHA256
0ff5657fe75cb881c3cc0359e3eec4a732f5623921db98bfa2708b417be4a87e

SHA512
2aae2c9e9b64ab1fef8718f8dfb8b7aeeac975877cbcb04c6e7e2fb089be71b0ebe0a839bef9d17b6a1aacea1fb71b5498685299e418f4f57ccc5c3726ceb19c

Download Submit
C:\Windows\System\KxLcFiv.exe

Filesize
5.2MB

MD5
b634e37fca93fe1131441153c6dea359

SHA1
b6a56ca361ae206b3eefcef3ad32d78ca36e4c6f

SHA256
c149d71410fc418bb8b7b14be634601954c88984d7a43132c4989ca981c943ba

SHA512
7e394e48941f9a3ece472ce8a328886c2ad3708b9a4fb61d8a508615d71325659699cd7f11c4e2d8c934c24509c9c767d10327bc38e2136a639a0b55a2d2c502

Download Submit
C:\Windows\System\LPpTWqo.exe

Filesize
5.2MB

MD5
c0dde4c6909dc514e8db68f2eda6af04

SHA1
4dc5b21654d42f42b83a6b21280eac1829df28e8

SHA256
47624df5c7de53e7e681d0e05350292aaec81fae7210eb63c21968ec4177a1c8

SHA512
0c34c12ec980153c4a924b8d2c3823588d9d5b858d5ed240e435f0c39548aae0ca47e98970caa358ef011c27bead00bbdf1a821e005443c71d78303468f5ba5c

Download Submit
C:\Windows\System\MwrvDOl.exe

Filesize
5.2MB

MD5
04719389bac8174edcc0f1a98b775d0b

SHA1
3d8d84f2f2d658501a13518f86c83b3fff8fc3dc

SHA256
9c30422689eb9668afba2595a0e280f625098753f8a6e013a87d47fc8841c554

SHA512
f58242b01992b5c7747dbc08a424467a7f7c35e7e7eb125508a9d7ac52bfb7a78432b7cce61b6075d47da67f7c134b93cddb13f7f99c363f0b2de385ca9c0b25

Download Submit
C:\Windows\System\OIqCyOO.exe

Filesize
5.2MB

MD5
fb32c1d6e82f9537a2414e87fce8b266

SHA1
a42d6ef7ca7e2dad9df55016182d911c8b40fb95

SHA256
f147fac5f998697f392789c10a2786970b9f03e524ab392fca5f976780854f0a

SHA512
f90170878344cfd803889497ee55f913bb65204adf66b055c32d48d0e1a9ed88cf6442e5018f5e77e17c6be4b0963d9a7798a4ff5d307c53b2c087bd15ab19b1

Download Submit
C:\Windows\System\QTzeJWf.exe

Filesize
5.2MB

MD5
ad0df6a751a4492222e17dd05860c806

SHA1
2c8b2b60b0d5ba8de0cbc71e89d01197130f1df1

SHA256
f5dc7a4c0c4ec6ef05cc954d4acf88f25073243ceee7ba854066cfd9e9f3a785

SHA512
cbc877b5e4d39d4bacb503e4a02b767c55046048602261a36e506b5cec32640948eb32957fd5de879c8f93ae56cd5b94bb16a8a5f2e638bc68a5bae11a84a6a5

Download Submit
C:\Windows\System\TDLAOxO.exe

Filesize
5.2MB

MD5
937241573fb8e2c926c7ebdc4f43d0dc

SHA1
ec4bb1e5ff798aaa5e8eb7cb04df383971394522

SHA256
4fe3b3f87e285c1bb18e1d91a35d9d0228f06df55b86a4e5a781a58c128eec28

SHA512
77ff3105cb125d270b7258d5a8213fe0ca3b6101b90f8978bc4effd09f2a0e92306f43eddc164224c2c9dc150cd770c747bc1e82029e9119c9cb8f1d5e611b2a

Download Submit
C:\Windows\System\YqDcpCK.exe

Filesize
5.2MB

MD5
cf650eeaf5c39900180a5c422b345ff0

SHA1
051c11d60fee4a308602eafa193d16572b47c145

SHA256
88d65154e2f7542a3b5fb66d0e9e78d2ddf547e73adb5c37f91cf119fc9de860

SHA512
7d362113cabdc73b04db59fc7ca6290554045206f41b87996b53665941b6d8281e575591a90ac97974b27abcf96cd8c815b6323a4b33231d22ec87042ea8c049

Download Submit
C:\Windows\System\ZraLZyX.exe

Filesize
5.2MB

MD5
9694013f973374753c793c346ab5215e

SHA1
a4a7169aee01f4240477e9bc99ff130172a3d626

SHA256
79c81a06e606cf3e5c36169a0df87cc7b1350d9dc60f4c4bc1ed5c528be05e43

SHA512
484f5fda06902be2d9314d317e7510190713d2a87063a0c4fc43a90d6252f0d190b460987634a5b899e4416048f4c9edf5ba3110eb4a11bd23388e854173a69f

Download Submit
C:\Windows\System\aVHmNiF.exe

Filesize
5.2MB

MD5
b6a6e1eef5216f2646c17f4abbb4cc84

SHA1
b267685280a953f6afe5968fbaf15a0706750e1c

SHA256
f5d5db812392f669a1389fccb9aebcea03ffab50077663c0fda53a89aed31782

SHA512
5c6f38646a6ca51ddff923eeb700366a5872b4993e620f2a3c24a5ec4712a16c44a87f91db656fa58e249e00c4e128463a29e315d54273c651f6291675cbbab9

Download Submit
C:\Windows\System\iEWixWR.exe

Filesize
5.2MB

MD5
7102d5a347d2d6f6904963875f4d6514

SHA1
55fd4c1e510a01b1a7dcfae908bb1f83eea69936

SHA256
6b54ce720ef07c44c30043ef60bea0bfcc7271c57ca0e990f4966b4b5c983aea

SHA512
33691d019e1768edfefa6c45919c7d904fa433ec28e295718d7104e574535825aab0de0b8cddbf16a7c72ce12c01147d1f11850e7c1c6a942823af2e4b68801f

Download Submit
C:\Windows\System\jvSTlnv.exe

Filesize
5.2MB

MD5
2f87dda77b5945cc9c9e408f61df2641

SHA1
863e8ade368f29a2c7ddcf9cd79e3acde9703bac

SHA256
8e886c6251bf7efa559c08c712fe4a817b19cba088638187bcfdf8e40a308233

SHA512
f32c5fa1da95ed5564ee85048a628eddab2399b1c63bd570e973f2500a5d73aa8ba9a6c1811f3409595cb8fae9cdb2207dc87f2698130401ce0ca390e31aa4e8

Download Submit
C:\Windows\System\mHJPvcT.exe

Filesize
5.2MB

MD5
f43b8fe876855024f7d1ccace8df79e3

SHA1
7bc56fb041bdf4031180d466ff2186a38b81f0a6

SHA256
660c6544c9ca961587a5ee85a05d1276697368e1ef29035f907768cf044e1a72

SHA512
07a4662f3c7a25eca0baeac45d19ddc8e137db79e678a21cc280618b8e23c140a184a1b5b01b3bd3d5813b5924e09fcaa3723dc11c662e686630ff5bd6034116

Download Submit
C:\Windows\System\mhGmrtT.exe

Filesize
5.2MB

MD5
4aff91f45b102b128a040330afba594a

SHA1
7d3f1bac325c97712aa0b5b50d24effc00bc7a64

SHA256
fa6bb80409a9240e5c94484fcca4cafeca4ade9c35fffe758513e1a7bf44b4ed

SHA512
6bf6db6ed20236c62a8a949eb28b7789f4abfcba8614d41f1363bb3fe4fb0c702b610b1d577af868fca450d7cc208677b3146f41df4cb2c4928fa5b06f6d7605

Download Submit
C:\Windows\System\sjeUmtU.exe

Filesize
5.2MB

MD5
7755bee1b7ed2fe7454c0d4e16967991

SHA1
873fba239fd842bab4289d866b19ed554d0b00cf

SHA256
1a52cee3ba8616a7cea1d9e4e4a3f12c37a0354df4d09cf25803e8370bb2db0c

SHA512
ec7e744e6301a8d79cd259eae2e56d0821c045dbf15330524ff483a926bd73b955083ca766ba3c31b524f6c37d30920154159776b4896fd1c4d383043f153eb2

Download Submit
C:\Windows\System\tRVZMET.exe

Filesize
5.2MB

MD5
b306394ebb659dc0f7e8b878c2e420a1

SHA1
728a521a221e46da4fde5ad9fb9e61ef56e75b02

SHA256
3e82a738ebdd2448c2b0c461afa9c1b46ebf41fd4454bc875d8ae4d66a99bf7c

SHA512
70f740411e0318751cf75af92810b6edafb25f057423724dff8fe9b0090e87fd79e84bdec6d22b4a0b82f1877661a067d0dcb1ca69dfe7a82d2fa97ba6ab04ad

Download Submit
C:\Windows\System\tyZSgnF.exe

Filesize
5.2MB

MD5
01f49e8b26ce1e52b2136f1336bcdebf

SHA1
5e1e8a2b457ce289222405444cbf7a2346a246f7

SHA256
46fdc12c8b0cead1f12cb01c3fb166684bd4b594cc7250e096bce6618031cb18

SHA512
f19522de733e016ecd7d7fd101994ff5e432ca4e70bdb43ea3ba3b9b11533b5b60b8f0a8377c04ca01e1765245d20c9c7aeb477ae6041f6d7c706b828b8641a7

Download Submit
C:\Windows\System\uROeEnk.exe

Filesize
5.2MB

MD5
cf23cc06f21585c5be614afe1fb928a3

SHA1
4e12eb12b04d970c02aac4924ddbad88f1f5ce9b

SHA256
303a478a3ef1ff27fb89fcad6a801c013bf14dbee810a6b2a087b62df5ed62bb

SHA512
ee987d838c7858cc1170594147c3ed60d5ca00abf54f2ed97a6475a7fead33503fc60ae71b727f8a093ea8dd1e8437608a9f5ae6dec8d2b6045bcfd085dbd4a3

Download Submit
C:\Windows\System\vLKvTft.exe

Filesize
5.2MB

MD5
7a579f6957cac473e5820862c3d5c670

SHA1
fa2548c5f89410d67fda450ea6b9cdc6d899e832

SHA256
5582ba869ce36a2e0643b0fae32f4d927a705fc722ab57e1a80c8bc2e16bdabe

SHA512
bca62e4683a705cb7f577f4c5528322e578f81115c8529ab4b3a1270fecaf2a7f9c7235518bc2594c2bffa0da016499fc25e9e263c80a466e4f039233cd985b6

Download Submit
C:\Windows\System\vwoyYPW.exe

Filesize
5.2MB

MD5
4b447da174c97b5f15b1d07cc23cfc8d

SHA1
e6224e85017dcfb97a14f5c306b25f0382486b8b

SHA256
6ca01ae193b7e3449a628240b23d9d2fe6c41bd1ce0364678ad4eeae65acb9ba

SHA512
186473fab68e710a351e9b344067f4bad59391e4c31798af7e83d4fa3ccb90be2fba6b7e94bd7475eb541c19e2ed58fdfa1e00706b201f2896542c765d06f331

Download Submit
memory/644-131-0x00007FF6A2410000-0x00007FF6A2761000-memory.dmp

Filesize
3.3MB

Download
memory/644-229-0x00007FF6A2410000-0x00007FF6A2761000-memory.dmp

Filesize
3.3MB

Download
memory/644-63-0x00007FF6A2410000-0x00007FF6A2761000-memory.dmp

Filesize
3.3MB

Download
memory/724-246-0x00007FF791AE0000-0x00007FF791E31000-memory.dmp

Filesize
3.3MB

Download
memory/724-91-0x00007FF791AE0000-0x00007FF791E31000-memory.dmp

Filesize
3.3MB

Download
memory/724-136-0x00007FF791AE0000-0x00007FF791E31000-memory.dmp

Filesize
3.3MB

Download
memory/1056-106-0x00007FF7B3970000-0x00007FF7B3CC1000-memory.dmp

Filesize
3.3MB

Download
memory/1056-139-0x00007FF7B3970000-0x00007FF7B3CC1000-memory.dmp

Filesize
3.3MB

Download
memory/1056-240-0x00007FF7B3970000-0x00007FF7B3CC1000-memory.dmp

Filesize
3.3MB

Download
memory/1388-84-0x00007FF63F510000-0x00007FF63F861000-memory.dmp

Filesize
3.3MB

Download
memory/1388-135-0x00007FF63F510000-0x00007FF63F861000-memory.dmp

Filesize
3.3MB

Download
memory/1388-249-0x00007FF63F510000-0x00007FF63F861000-memory.dmp

Filesize
3.3MB

Download
memory/1540-234-0x00007FF626F30000-0x00007FF627281000-memory.dmp

Filesize
3.3MB

Download
memory/1540-48-0x00007FF626F30000-0x00007FF627281000-memory.dmp

Filesize
3.3MB

Download
memory/1540-129-0x00007FF626F30000-0x00007FF627281000-memory.dmp

Filesize
3.3MB

Download
memory/1564-150-0x00007FF7027B0000-0x00007FF702B01000-memory.dmp

Filesize
3.3MB

Download
memory/1564-262-0x00007FF7027B0000-0x00007FF702B01000-memory.dmp

Filesize
3.3MB

Download
memory/1760-253-0x00007FF655570000-0x00007FF6558C1000-memory.dmp

Filesize
3.3MB

Download
memory/1760-133-0x00007FF655570000-0x00007FF6558C1000-memory.dmp

Filesize
3.3MB

Download
memory/1760-83-0x00007FF655570000-0x00007FF6558C1000-memory.dmp

Filesize
3.3MB

Download
memory/1844-244-0x00007FF7B53E0000-0x00007FF7B5731000-memory.dmp

Filesize
3.3MB

Download
memory/1844-116-0x00007FF7B53E0000-0x00007FF7B5731000-memory.dmp

Filesize
3.3MB

Download
memory/1848-119-0x00007FF708690000-0x00007FF7089E1000-memory.dmp

Filesize
3.3MB

Download
memory/1848-22-0x00007FF708690000-0x00007FF7089E1000-memory.dmp

Filesize
3.3MB

Download
memory/1848-237-0x00007FF708690000-0x00007FF7089E1000-memory.dmp

Filesize
3.3MB

Download
memory/2016-32-0x00007FF73DAE0000-0x00007FF73DE31000-memory.dmp

Filesize
3.3MB

Download
memory/2016-214-0x00007FF73DAE0000-0x00007FF73DE31000-memory.dmp

Filesize
3.3MB

Download
memory/2016-124-0x00007FF73DAE0000-0x00007FF73DE31000-memory.dmp

Filesize
3.3MB

Download
memory/2396-128-0x00007FF707130000-0x00007FF707481000-memory.dmp

Filesize
3.3MB

Download
memory/2396-235-0x00007FF707130000-0x00007FF707481000-memory.dmp

Filesize
3.3MB

Download
memory/2396-46-0x00007FF707130000-0x00007FF707481000-memory.dmp

Filesize
3.3MB

Download
memory/3276-105-0x00007FF7E6050000-0x00007FF7E63A1000-memory.dmp

Filesize
3.3MB

Download
memory/3276-242-0x00007FF7E6050000-0x00007FF7E63A1000-memory.dmp

Filesize
3.3MB

Download
memory/3276-138-0x00007FF7E6050000-0x00007FF7E63A1000-memory.dmp

Filesize
3.3MB

Download
memory/3460-132-0x00007FF6F1340000-0x00007FF6F1691000-memory.dmp

Filesize
3.3MB

Download
memory/3460-64-0x00007FF6F1340000-0x00007FF6F1691000-memory.dmp

Filesize
3.3MB

Download
memory/3460-228-0x00007FF6F1340000-0x00007FF6F1691000-memory.dmp

Filesize
3.3MB

Download
memory/3636-218-0x00007FF71BFE0000-0x00007FF71C331000-memory.dmp

Filesize
3.3MB

Download
memory/3636-45-0x00007FF71BFE0000-0x00007FF71C331000-memory.dmp

Filesize
3.3MB

Download
memory/4252-140-0x00007FF77AF60000-0x00007FF77B2B1000-memory.dmp

Filesize
3.3MB

Download
memory/4252-115-0x00007FF77AF60000-0x00007FF77B2B1000-memory.dmp

Filesize
3.3MB

Download
memory/4252-251-0x00007FF77AF60000-0x00007FF77B2B1000-memory.dmp

Filesize
3.3MB

Download
memory/4392-134-0x00007FF69F620000-0x00007FF69F971000-memory.dmp

Filesize
3.3MB

Download
memory/4392-248-0x00007FF69F620000-0x00007FF69F971000-memory.dmp

Filesize
3.3MB

Download
memory/4392-100-0x00007FF69F620000-0x00007FF69F971000-memory.dmp

Filesize
3.3MB

Download
memory/4524-216-0x00007FF653010000-0x00007FF653361000-memory.dmp

Filesize
3.3MB

Download
memory/4524-126-0x00007FF653010000-0x00007FF653361000-memory.dmp

Filesize
3.3MB

Download
memory/4524-33-0x00007FF653010000-0x00007FF653361000-memory.dmp

Filesize
3.3MB

Download
memory/4528-260-0x00007FF711730000-0x00007FF711A81000-memory.dmp

Filesize
3.3MB

Download
memory/4528-151-0x00007FF711730000-0x00007FF711A81000-memory.dmp

Filesize
3.3MB

Download
memory/4556-117-0x00007FF6A59F0000-0x00007FF6A5D41000-memory.dmp

Filesize
3.3MB

Download
memory/4556-6-0x00007FF6A59F0000-0x00007FF6A5D41000-memory.dmp

Filesize
3.3MB

Download
memory/4556-210-0x00007FF6A59F0000-0x00007FF6A5D41000-memory.dmp

Filesize
3.3MB

Download
memory/4624-130-0x00007FF695D70000-0x00007FF6960C1000-memory.dmp

Filesize
3.3MB

Download
memory/4624-232-0x00007FF695D70000-0x00007FF6960C1000-memory.dmp

Filesize
3.3MB

Download
memory/4624-56-0x00007FF695D70000-0x00007FF6960C1000-memory.dmp

Filesize
3.3MB

Download
memory/4836-118-0x00007FF621CF0000-0x00007FF622041000-memory.dmp

Filesize
3.3MB

Download
memory/4836-212-0x00007FF621CF0000-0x00007FF622041000-memory.dmp

Filesize
3.3MB

Download
memory/4836-19-0x00007FF621CF0000-0x00007FF622041000-memory.dmp

Filesize
3.3MB

Download
memory/5084-152-0x00007FF7F7690000-0x00007FF7F79E1000-memory.dmp

Filesize
3.3MB

Download
memory/5084-99-0x00007FF7F7690000-0x00007FF7F79E1000-memory.dmp

Filesize
3.3MB

Download
memory/5084-0-0x00007FF7F7690000-0x00007FF7F79E1000-memory.dmp

Filesize
3.3MB

Download
memory/5084-1-0x000002916B620000-0x000002916B630000-memory.dmp

Filesize
64KB

Download