cobaltstrike | 8dbbd0825422fb0ec9597c29fac8570df720fe889845b7b231be97d2b469f73b

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23-09-2024 00:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-23_b5665f5a6c6642773008fa9c09b57119_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

b5665f5a6c6642773008fa9c09b57119
SHA1

ff3d9dc5ff1dfc6ed9d39c8b327d9588d7bb941e
SHA256

8dbbd0825422fb0ec9597c29fac8570df720fe889845b7b231be97d2b469f73b
SHA512

e31d199f6f5afad717f96262b026b75b94264828430ef9f84363ad591dfdd5a199f78d6d3ba897fc9b4976bba25871e47326011d48f656311220fdc30dc2d2a2
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l0:RWWBibf56utgpPFotBER/mQ32lUQ

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x00090000000233af-4.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023416-10.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023417-11.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023418-22.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023413-34.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002341a-40.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002341b-45.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002341d-59.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002341f-71.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023420-78.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023421-88.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002341e-67.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002341c-54.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023419-28.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023422-96.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023425-108.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023426-112.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023427-120.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023424-105.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023428-136.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023429-139.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 44 IoCs

miner

resource	yara_rule
behavioral2/memory/392-72-0x00007FF68C280000-0x00007FF68C5D1000-memory.dmp	xmrig
behavioral2/memory/4424-86-0x00007FF733230000-0x00007FF733581000-memory.dmp	xmrig
behavioral2/memory/1856-79-0x00007FF789A60000-0x00007FF789DB1000-memory.dmp	xmrig
behavioral2/memory/1392-53-0x00007FF65E030000-0x00007FF65E381000-memory.dmp	xmrig
behavioral2/memory/2660-90-0x00007FF76BC20000-0x00007FF76BF71000-memory.dmp	xmrig
behavioral2/memory/4856-94-0x00007FF609D30000-0x00007FF60A081000-memory.dmp	xmrig
behavioral2/memory/668-101-0x00007FF72E290000-0x00007FF72E5E1000-memory.dmp	xmrig
behavioral2/memory/1436-114-0x00007FF6BB230000-0x00007FF6BB581000-memory.dmp	xmrig
behavioral2/memory/1928-113-0x00007FF6E90E0000-0x00007FF6E9431000-memory.dmp	xmrig
behavioral2/memory/2076-124-0x00007FF654180000-0x00007FF6544D1000-memory.dmp	xmrig
behavioral2/memory/4512-121-0x00007FF7759E0000-0x00007FF775D31000-memory.dmp	xmrig
behavioral2/memory/2392-118-0x00007FF611E20000-0x00007FF612171000-memory.dmp	xmrig
behavioral2/memory/4316-104-0x00007FF69FD20000-0x00007FF6A0071000-memory.dmp	xmrig
behavioral2/memory/3016-127-0x00007FF74AB90000-0x00007FF74AEE1000-memory.dmp	xmrig
behavioral2/memory/2672-133-0x00007FF71A800000-0x00007FF71AB51000-memory.dmp	xmrig
behavioral2/memory/2996-143-0x00007FF704600000-0x00007FF704951000-memory.dmp	xmrig
behavioral2/memory/1120-144-0x00007FF70C520000-0x00007FF70C871000-memory.dmp	xmrig
behavioral2/memory/3224-153-0x00007FF6964E0000-0x00007FF696831000-memory.dmp	xmrig
behavioral2/memory/3944-157-0x00007FF75CA60000-0x00007FF75CDB1000-memory.dmp	xmrig
behavioral2/memory/4056-158-0x00007FF7C1FA0000-0x00007FF7C22F1000-memory.dmp	xmrig
behavioral2/memory/4984-163-0x00007FF7DE9B0000-0x00007FF7DED01000-memory.dmp	xmrig
behavioral2/memory/3828-164-0x00007FF6051F0000-0x00007FF605541000-memory.dmp	xmrig
behavioral2/memory/392-166-0x00007FF68C280000-0x00007FF68C5D1000-memory.dmp	xmrig
behavioral2/memory/1856-216-0x00007FF789A60000-0x00007FF789DB1000-memory.dmp	xmrig
behavioral2/memory/4424-218-0x00007FF733230000-0x00007FF733581000-memory.dmp	xmrig
behavioral2/memory/2660-231-0x00007FF76BC20000-0x00007FF76BF71000-memory.dmp	xmrig
behavioral2/memory/668-233-0x00007FF72E290000-0x00007FF72E5E1000-memory.dmp	xmrig
behavioral2/memory/4856-235-0x00007FF609D30000-0x00007FF60A081000-memory.dmp	xmrig
behavioral2/memory/4316-237-0x00007FF69FD20000-0x00007FF6A0071000-memory.dmp	xmrig
behavioral2/memory/1392-239-0x00007FF65E030000-0x00007FF65E381000-memory.dmp	xmrig
behavioral2/memory/1436-242-0x00007FF6BB230000-0x00007FF6BB581000-memory.dmp	xmrig
behavioral2/memory/2076-243-0x00007FF654180000-0x00007FF6544D1000-memory.dmp	xmrig
behavioral2/memory/1928-245-0x00007FF6E90E0000-0x00007FF6E9431000-memory.dmp	xmrig
behavioral2/memory/3016-247-0x00007FF74AB90000-0x00007FF74AEE1000-memory.dmp	xmrig
behavioral2/memory/2672-250-0x00007FF71A800000-0x00007FF71AB51000-memory.dmp	xmrig
behavioral2/memory/2996-252-0x00007FF704600000-0x00007FF704951000-memory.dmp	xmrig
behavioral2/memory/3224-254-0x00007FF6964E0000-0x00007FF696831000-memory.dmp	xmrig
behavioral2/memory/3944-260-0x00007FF75CA60000-0x00007FF75CDB1000-memory.dmp	xmrig
behavioral2/memory/4056-262-0x00007FF7C1FA0000-0x00007FF7C22F1000-memory.dmp	xmrig
behavioral2/memory/4512-266-0x00007FF7759E0000-0x00007FF775D31000-memory.dmp	xmrig
behavioral2/memory/2392-265-0x00007FF611E20000-0x00007FF612171000-memory.dmp	xmrig
behavioral2/memory/4984-270-0x00007FF7DE9B0000-0x00007FF7DED01000-memory.dmp	xmrig
behavioral2/memory/3828-273-0x00007FF6051F0000-0x00007FF605541000-memory.dmp	xmrig
behavioral2/memory/1120-275-0x00007FF70C520000-0x00007FF70C871000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
1856	VvoPVnx.exe
4424	CFuUmUd.exe
2660	eWklUvm.exe
4856	nYEWTyA.exe
668	oPpLYbW.exe
4316	yKtToPF.exe
1392	CLGAOTn.exe
1928	NEVATsP.exe
1436	qqDJYjP.exe
2076	xCaSrzO.exe
3016	OeSOyBe.exe
2672	KAaMZwn.exe
2996	gccGpUT.exe
3224	oplRfQJ.exe
3944	tmnCaNP.exe
4056	yONlRWy.exe
2392	ecAxfJz.exe
4512	TywSilH.exe
4984	zJPjtLV.exe
3828	lAyZKvX.exe
1120	TUtLaMT.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/392-0-0x00007FF68C280000-0x00007FF68C5D1000-memory.dmp	upx
behavioral2/files/0x00090000000233af-4.dat	upx
behavioral2/memory/1856-6-0x00007FF789A60000-0x00007FF789DB1000-memory.dmp	upx
behavioral2/files/0x0007000000023416-10.dat	upx
behavioral2/files/0x0007000000023417-11.dat	upx
behavioral2/memory/4424-13-0x00007FF733230000-0x00007FF733581000-memory.dmp	upx
behavioral2/files/0x0007000000023418-22.dat	upx
behavioral2/memory/4856-23-0x00007FF609D30000-0x00007FF60A081000-memory.dmp	upx
behavioral2/memory/668-31-0x00007FF72E290000-0x00007FF72E5E1000-memory.dmp	upx
behavioral2/files/0x0008000000023413-34.dat	upx
behavioral2/files/0x000700000002341a-40.dat	upx
behavioral2/files/0x000700000002341b-45.dat	upx
behavioral2/memory/1928-50-0x00007FF6E90E0000-0x00007FF6E9431000-memory.dmp	upx
behavioral2/memory/1436-52-0x00007FF6BB230000-0x00007FF6BB581000-memory.dmp	upx
behavioral2/files/0x000700000002341d-59.dat	upx
behavioral2/files/0x000700000002341f-71.dat	upx
behavioral2/memory/392-72-0x00007FF68C280000-0x00007FF68C5D1000-memory.dmp	upx
behavioral2/files/0x0007000000023420-78.dat	upx
behavioral2/memory/4424-86-0x00007FF733230000-0x00007FF733581000-memory.dmp	upx
behavioral2/files/0x0007000000023421-88.dat	upx
behavioral2/memory/3224-87-0x00007FF6964E0000-0x00007FF696831000-memory.dmp	upx
behavioral2/memory/2996-80-0x00007FF704600000-0x00007FF704951000-memory.dmp	upx
behavioral2/memory/1856-79-0x00007FF789A60000-0x00007FF789DB1000-memory.dmp	upx
behavioral2/memory/2672-75-0x00007FF71A800000-0x00007FF71AB51000-memory.dmp	upx
behavioral2/files/0x000700000002341e-67.dat	upx
behavioral2/memory/3016-66-0x00007FF74AB90000-0x00007FF74AEE1000-memory.dmp	upx
behavioral2/memory/2076-60-0x00007FF654180000-0x00007FF6544D1000-memory.dmp	upx
behavioral2/files/0x000700000002341c-54.dat	upx
behavioral2/memory/1392-53-0x00007FF65E030000-0x00007FF65E381000-memory.dmp	upx
behavioral2/memory/4316-47-0x00007FF69FD20000-0x00007FF6A0071000-memory.dmp	upx
behavioral2/files/0x0007000000023419-28.dat	upx
behavioral2/memory/2660-18-0x00007FF76BC20000-0x00007FF76BF71000-memory.dmp	upx
behavioral2/memory/2660-90-0x00007FF76BC20000-0x00007FF76BF71000-memory.dmp	upx
behavioral2/memory/4856-94-0x00007FF609D30000-0x00007FF60A081000-memory.dmp	upx
behavioral2/files/0x0007000000023422-96.dat	upx
behavioral2/memory/3944-95-0x00007FF75CA60000-0x00007FF75CDB1000-memory.dmp	upx
behavioral2/memory/668-101-0x00007FF72E290000-0x00007FF72E5E1000-memory.dmp	upx
behavioral2/files/0x0007000000023425-108.dat	upx
behavioral2/files/0x0007000000023426-112.dat	upx
behavioral2/memory/1436-114-0x00007FF6BB230000-0x00007FF6BB581000-memory.dmp	upx
behavioral2/memory/1928-113-0x00007FF6E90E0000-0x00007FF6E9431000-memory.dmp	upx
behavioral2/files/0x0007000000023427-120.dat	upx
behavioral2/memory/4984-123-0x00007FF7DE9B0000-0x00007FF7DED01000-memory.dmp	upx
behavioral2/memory/2076-124-0x00007FF654180000-0x00007FF6544D1000-memory.dmp	upx
behavioral2/memory/4512-121-0x00007FF7759E0000-0x00007FF775D31000-memory.dmp	upx
behavioral2/memory/2392-118-0x00007FF611E20000-0x00007FF612171000-memory.dmp	upx
behavioral2/memory/4056-107-0x00007FF7C1FA0000-0x00007FF7C22F1000-memory.dmp	upx
behavioral2/files/0x0007000000023424-105.dat	upx
behavioral2/memory/4316-104-0x00007FF69FD20000-0x00007FF6A0071000-memory.dmp	upx
behavioral2/memory/3016-127-0x00007FF74AB90000-0x00007FF74AEE1000-memory.dmp	upx
behavioral2/memory/2672-133-0x00007FF71A800000-0x00007FF71AB51000-memory.dmp	upx
behavioral2/files/0x0007000000023428-136.dat	upx
behavioral2/files/0x0007000000023429-139.dat	upx
behavioral2/memory/3828-141-0x00007FF6051F0000-0x00007FF605541000-memory.dmp	upx
behavioral2/memory/2996-143-0x00007FF704600000-0x00007FF704951000-memory.dmp	upx
behavioral2/memory/1120-144-0x00007FF70C520000-0x00007FF70C871000-memory.dmp	upx
behavioral2/memory/3224-153-0x00007FF6964E0000-0x00007FF696831000-memory.dmp	upx
behavioral2/memory/3944-157-0x00007FF75CA60000-0x00007FF75CDB1000-memory.dmp	upx
behavioral2/memory/4056-158-0x00007FF7C1FA0000-0x00007FF7C22F1000-memory.dmp	upx
behavioral2/memory/4984-163-0x00007FF7DE9B0000-0x00007FF7DED01000-memory.dmp	upx
behavioral2/memory/3828-164-0x00007FF6051F0000-0x00007FF605541000-memory.dmp	upx
behavioral2/memory/392-166-0x00007FF68C280000-0x00007FF68C5D1000-memory.dmp	upx
behavioral2/memory/1856-216-0x00007FF789A60000-0x00007FF789DB1000-memory.dmp	upx
behavioral2/memory/4424-218-0x00007FF733230000-0x00007FF733581000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\CLGAOTn.exe	2024-09-23_b5665f5a6c6642773008fa9c09b57119_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xCaSrzO.exe	2024-09-23_b5665f5a6c6642773008fa9c09b57119_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oplRfQJ.exe	2024-09-23_b5665f5a6c6642773008fa9c09b57119_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gccGpUT.exe	2024-09-23_b5665f5a6c6642773008fa9c09b57119_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tmnCaNP.exe	2024-09-23_b5665f5a6c6642773008fa9c09b57119_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yONlRWy.exe	2024-09-23_b5665f5a6c6642773008fa9c09b57119_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TywSilH.exe	2024-09-23_b5665f5a6c6642773008fa9c09b57119_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TUtLaMT.exe	2024-09-23_b5665f5a6c6642773008fa9c09b57119_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eWklUvm.exe	2024-09-23_b5665f5a6c6642773008fa9c09b57119_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nYEWTyA.exe	2024-09-23_b5665f5a6c6642773008fa9c09b57119_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OeSOyBe.exe	2024-09-23_b5665f5a6c6642773008fa9c09b57119_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qqDJYjP.exe	2024-09-23_b5665f5a6c6642773008fa9c09b57119_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oPpLYbW.exe	2024-09-23_b5665f5a6c6642773008fa9c09b57119_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yKtToPF.exe	2024-09-23_b5665f5a6c6642773008fa9c09b57119_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NEVATsP.exe	2024-09-23_b5665f5a6c6642773008fa9c09b57119_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ecAxfJz.exe	2024-09-23_b5665f5a6c6642773008fa9c09b57119_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zJPjtLV.exe	2024-09-23_b5665f5a6c6642773008fa9c09b57119_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lAyZKvX.exe	2024-09-23_b5665f5a6c6642773008fa9c09b57119_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VvoPVnx.exe	2024-09-23_b5665f5a6c6642773008fa9c09b57119_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CFuUmUd.exe	2024-09-23_b5665f5a6c6642773008fa9c09b57119_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KAaMZwn.exe	2024-09-23_b5665f5a6c6642773008fa9c09b57119_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	392	2024-09-23_b5665f5a6c6642773008fa9c09b57119_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	392	2024-09-23_b5665f5a6c6642773008fa9c09b57119_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 392 wrote to memory of 1856	392	2024-09-23_b5665f5a6c6642773008fa9c09b57119_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 392 wrote to memory of 1856	392	2024-09-23_b5665f5a6c6642773008fa9c09b57119_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 392 wrote to memory of 4424	392	2024-09-23_b5665f5a6c6642773008fa9c09b57119_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 392 wrote to memory of 4424	392	2024-09-23_b5665f5a6c6642773008fa9c09b57119_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 392 wrote to memory of 2660	392	2024-09-23_b5665f5a6c6642773008fa9c09b57119_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 392 wrote to memory of 2660	392	2024-09-23_b5665f5a6c6642773008fa9c09b57119_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 392 wrote to memory of 4856	392	2024-09-23_b5665f5a6c6642773008fa9c09b57119_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 392 wrote to memory of 4856	392	2024-09-23_b5665f5a6c6642773008fa9c09b57119_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 392 wrote to memory of 668	392	2024-09-23_b5665f5a6c6642773008fa9c09b57119_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 392 wrote to memory of 668	392	2024-09-23_b5665f5a6c6642773008fa9c09b57119_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 392 wrote to memory of 4316	392	2024-09-23_b5665f5a6c6642773008fa9c09b57119_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 392 wrote to memory of 4316	392	2024-09-23_b5665f5a6c6642773008fa9c09b57119_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 392 wrote to memory of 1392	392	2024-09-23_b5665f5a6c6642773008fa9c09b57119_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 392 wrote to memory of 1392	392	2024-09-23_b5665f5a6c6642773008fa9c09b57119_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 392 wrote to memory of 1928	392	2024-09-23_b5665f5a6c6642773008fa9c09b57119_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 392 wrote to memory of 1928	392	2024-09-23_b5665f5a6c6642773008fa9c09b57119_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 392 wrote to memory of 1436	392	2024-09-23_b5665f5a6c6642773008fa9c09b57119_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 392 wrote to memory of 1436	392	2024-09-23_b5665f5a6c6642773008fa9c09b57119_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 392 wrote to memory of 2076	392	2024-09-23_b5665f5a6c6642773008fa9c09b57119_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 392 wrote to memory of 2076	392	2024-09-23_b5665f5a6c6642773008fa9c09b57119_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 392 wrote to memory of 3016	392	2024-09-23_b5665f5a6c6642773008fa9c09b57119_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 392 wrote to memory of 3016	392	2024-09-23_b5665f5a6c6642773008fa9c09b57119_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 392 wrote to memory of 2672	392	2024-09-23_b5665f5a6c6642773008fa9c09b57119_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 392 wrote to memory of 2672	392	2024-09-23_b5665f5a6c6642773008fa9c09b57119_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 392 wrote to memory of 2996	392	2024-09-23_b5665f5a6c6642773008fa9c09b57119_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 392 wrote to memory of 2996	392	2024-09-23_b5665f5a6c6642773008fa9c09b57119_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 392 wrote to memory of 3224	392	2024-09-23_b5665f5a6c6642773008fa9c09b57119_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 392 wrote to memory of 3224	392	2024-09-23_b5665f5a6c6642773008fa9c09b57119_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 392 wrote to memory of 3944	392	2024-09-23_b5665f5a6c6642773008fa9c09b57119_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 392 wrote to memory of 3944	392	2024-09-23_b5665f5a6c6642773008fa9c09b57119_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 392 wrote to memory of 4056	392	2024-09-23_b5665f5a6c6642773008fa9c09b57119_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 392 wrote to memory of 4056	392	2024-09-23_b5665f5a6c6642773008fa9c09b57119_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 392 wrote to memory of 2392	392	2024-09-23_b5665f5a6c6642773008fa9c09b57119_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 392 wrote to memory of 2392	392	2024-09-23_b5665f5a6c6642773008fa9c09b57119_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 392 wrote to memory of 4512	392	2024-09-23_b5665f5a6c6642773008fa9c09b57119_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 392 wrote to memory of 4512	392	2024-09-23_b5665f5a6c6642773008fa9c09b57119_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 392 wrote to memory of 4984	392	2024-09-23_b5665f5a6c6642773008fa9c09b57119_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 392 wrote to memory of 4984	392	2024-09-23_b5665f5a6c6642773008fa9c09b57119_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 392 wrote to memory of 3828	392	2024-09-23_b5665f5a6c6642773008fa9c09b57119_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 392 wrote to memory of 3828	392	2024-09-23_b5665f5a6c6642773008fa9c09b57119_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 392 wrote to memory of 1120	392	2024-09-23_b5665f5a6c6642773008fa9c09b57119_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 392 wrote to memory of 1120	392	2024-09-23_b5665f5a6c6642773008fa9c09b57119_cobalt-strike_cobaltstrike_poet-rat.exe	105

C:\Users\Admin\AppData\Local\Temp\2024-09-23_b5665f5a6c6642773008fa9c09b57119_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-23_b5665f5a6c6642773008fa9c09b57119_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:392
- C:\Windows\System\VvoPVnx.exe
  C:\Windows\System\VvoPVnx.exe
  2⤵
  - Executes dropped EXE
  PID:1856
- C:\Windows\System\CFuUmUd.exe
  C:\Windows\System\CFuUmUd.exe
  2⤵
  - Executes dropped EXE
  PID:4424
- C:\Windows\System\eWklUvm.exe
  C:\Windows\System\eWklUvm.exe
  2⤵
  - Executes dropped EXE
  PID:2660
- C:\Windows\System\nYEWTyA.exe
  C:\Windows\System\nYEWTyA.exe
  2⤵
  - Executes dropped EXE
  PID:4856
- C:\Windows\System\oPpLYbW.exe
  C:\Windows\System\oPpLYbW.exe
  2⤵
  - Executes dropped EXE
  PID:668
- C:\Windows\System\yKtToPF.exe
  C:\Windows\System\yKtToPF.exe
  2⤵
  - Executes dropped EXE
  PID:4316
- C:\Windows\System\CLGAOTn.exe
  C:\Windows\System\CLGAOTn.exe
  2⤵
  - Executes dropped EXE
  PID:1392
- C:\Windows\System\NEVATsP.exe
  C:\Windows\System\NEVATsP.exe
  2⤵
  - Executes dropped EXE
  PID:1928
- C:\Windows\System\qqDJYjP.exe
  C:\Windows\System\qqDJYjP.exe
  2⤵
  - Executes dropped EXE
  PID:1436
- C:\Windows\System\xCaSrzO.exe
  C:\Windows\System\xCaSrzO.exe
  2⤵
  - Executes dropped EXE
  PID:2076
- C:\Windows\System\OeSOyBe.exe
  C:\Windows\System\OeSOyBe.exe
  2⤵
  - Executes dropped EXE
  PID:3016
- C:\Windows\System\KAaMZwn.exe
  C:\Windows\System\KAaMZwn.exe
  2⤵
  - Executes dropped EXE
  PID:2672
- C:\Windows\System\gccGpUT.exe
  C:\Windows\System\gccGpUT.exe
  2⤵
  - Executes dropped EXE
  PID:2996
- C:\Windows\System\oplRfQJ.exe
  C:\Windows\System\oplRfQJ.exe
  2⤵
  - Executes dropped EXE
  PID:3224
- C:\Windows\System\tmnCaNP.exe
  C:\Windows\System\tmnCaNP.exe
  2⤵
  - Executes dropped EXE
  PID:3944
- C:\Windows\System\yONlRWy.exe
  C:\Windows\System\yONlRWy.exe
  2⤵
  - Executes dropped EXE
  PID:4056
- C:\Windows\System\ecAxfJz.exe
  C:\Windows\System\ecAxfJz.exe
  2⤵
  - Executes dropped EXE
  PID:2392
- C:\Windows\System\TywSilH.exe
  C:\Windows\System\TywSilH.exe
  2⤵
  - Executes dropped EXE
  PID:4512
- C:\Windows\System\zJPjtLV.exe
  C:\Windows\System\zJPjtLV.exe
  2⤵
  - Executes dropped EXE
  PID:4984
- C:\Windows\System\lAyZKvX.exe
  C:\Windows\System\lAyZKvX.exe
  2⤵
  - Executes dropped EXE
  PID:3828
- C:\Windows\System\TUtLaMT.exe
  C:\Windows\System\TUtLaMT.exe
  2⤵
  - Executes dropped EXE
  PID:1120

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\CFuUmUd.exe

Filesize
5.2MB

MD5
b8e026cbdb66e676a6ed0a1c57520b84

SHA1
517a76a3cdba8223194e6c30a3e54d3881f0a96d

SHA256
d252992edb8200db2ced9abd92bb6a5a9bd9808451f4a5c1d3797ebc8b5e64a8

SHA512
e84ec3b5268dc9765ec417e9679c278b1dc012d283ef509017782f594f6281605e1bd3057cae7c62ce7c13915fc41ff4787bbef761bf8ae4d21b51fe9cf3899c

Download Submit
C:\Windows\System\CLGAOTn.exe

Filesize
5.2MB

MD5
e897f4d360f4c47c370b4a04139016f6

SHA1
879ba508902e80ffe28f2c74dcd420771b5f852c

SHA256
8566d7c851398d930bdcd52685f019ce78372deae72ca70d9f25e22a733173f5

SHA512
6722e6c235a3f1e3e1ebfda8cf148db16a1f02cdeabd19590c6e9e3893b71f490e301c57567e4c89189fdfef75670c966e7f869e6175e0f3fbf0f07e3cdaddbc

Download Submit
C:\Windows\System\KAaMZwn.exe

Filesize
5.2MB

MD5
41b002678a2ea94576c78dc942a9b1ca

SHA1
d7071a904419a9907fdd8b690bf1e3e4c47d4005

SHA256
478eadc78f5f80802ae749845c5d72660b39042aa19fd4759c50d42a63dfb234

SHA512
f95b14213dca66646651dfa50572fc9a40137adc00da98b7d6dc75003768a493fad5a61af34a421292076d9187d5df09ac86eb44dbad2026641394ec30642ae3

Download Submit
C:\Windows\System\NEVATsP.exe

Filesize
5.2MB

MD5
c583ed05ac34b36cd7d9103f86f85ce2

SHA1
9d1cf387bfc4e93201bd12699a31c1ccc3dcdbca

SHA256
872cd6fbf94dcc0a3ae8c8f42dc96f19314b818f957ec4e955155e7b6e6155ef

SHA512
46388ec1d981156a93da4d9eb541c8186c683c2a8334fb13faaeab38a5eff57b1f9179cdbc9326c3a26c9ec9174a3cbab1483d1835a8a302da821b6aaef84d4c

Download Submit
C:\Windows\System\OeSOyBe.exe

Filesize
5.2MB

MD5
076c0afe49df3503d02e9eae349f08c3

SHA1
bcd248d4a6db81cee07b6faeccf86dbf75841a29

SHA256
06cdfd63ac5b15dd97b2df390caf271dbdff2cc4f075e39e86724e4588e42462

SHA512
4535b77d820ba41da80601203f15e717837af9cb04d76df526c8c5568b0acd88c62d593efd71d193994f74df4638ebe7bd8098b2aba382d2b0ca781575ce69f4

Download Submit
C:\Windows\System\TUtLaMT.exe

Filesize
5.2MB

MD5
b5e5b16379fd45692a66167f8f01e3c9

SHA1
b2570e4d580c12c8e3c24ce85e00e9ef1c24f17b

SHA256
3c59a193798e2d7ac3a1a4f52cea373986e15b61fdcb9736c5291bef3bb7064b

SHA512
d0c7bcbdf983caaeab7508b3ebd7c31b256b48b730e09f7493194903f4d0c22098219782ba0515f2d630b257f5a9cdd5ee94ed43ec9532162f099555a0e27f36

Download Submit
C:\Windows\System\TywSilH.exe

Filesize
5.2MB

MD5
2cd73b8e11469d603bfe32b543114a22

SHA1
f42ccae95845d945fd4b99854f212937e634a771

SHA256
ee522c23f52e07c6860e155887b7660dd87b4e92b1dc906cfbb0a241c7bb3708

SHA512
717c78ee06c71eac79f4a29c5583dc08b9bccf9226abffddf25daa1c097a298e0b2d831758eff27db9cbd618cce351aa7113d60c0097af62572e76c38c6c6d79

Download Submit
C:\Windows\System\VvoPVnx.exe

Filesize
5.2MB

MD5
47d64dd5cdec56fc037822adbbb72845

SHA1
7cdc17e5dbbbb3812a4d338b026cbef3590ed091

SHA256
c8d4661a0fa773cdbaa4a6c595ef2e1bd07ef5c353cb49558c23e3c349ffcdac

SHA512
119d6341d109e1bb08689401e1212e8549bcc4271b48bac4e0dbe5c98f70684fc5e65f21823e00f582172a88b9c26041e32d056d8f75d84753057fa05b5e5da2

Download Submit
C:\Windows\System\eWklUvm.exe

Filesize
5.2MB

MD5
b5dd05dd4338d1d03c165590e368af64

SHA1
54213ae5f72d29c85001b1d1940ff6ee2a271490

SHA256
642499f6a3acd750390a44d683e3773c5577c4debcaa0aeb97efe43eb1e0f5aa

SHA512
4627dd6e2f6c8596f3027662a2d23b9e55e2013c5b7086e8a78a088c9731e962173426cffa506549251c467d28f3b2930fbd7af52895d1d4b9ba3280f9010edd

Download Submit
C:\Windows\System\ecAxfJz.exe

Filesize
5.2MB

MD5
c32db0411e186b39a44c8312d5a529d4

SHA1
3cade2a4ffdd7768e55b4accfa7e2200751830fc

SHA256
d357b50a1ed68dfd07ee2c572094016743400a4708a71129016abd87bb2abd72

SHA512
1dd82833faf5b4ab6ab0b792aacd1ff538aa3390b369777dfd105a15062e993ad9cbac22ed164b7813c1c3d452088a5d79de1d09208b1baa3c20c24ecf0e0106

Download Submit
C:\Windows\System\gccGpUT.exe

Filesize
5.2MB

MD5
52ba86291125d9cb30b0bf3468181bac

SHA1
b4db2349f7c8d0145bf8faa79d7d65e0e303fee8

SHA256
62f5b054c0ac5f1d1b0ad8517673fafe050fea838d9c100b22e8c18a0428bb8a

SHA512
f054fdd3da28cb8226ccb2df5e8e8c6e163c6f78f163f3e5fd2be9c5c0f1ec63b649f22d868375da08b186b4b2a342697d7cac5f1899f5fefe5f8da2fb6cac34

Download Submit
C:\Windows\System\lAyZKvX.exe

Filesize
5.2MB

MD5
921e2c9a84fe427f1c5c20b41736be7f

SHA1
2591ac7f5a036de938d06d4c808dc5bace6b262d

SHA256
ebac05e2af008d243c9bb7dfc5b2909e4abdc1bc0fb160b4863e99a7ce291c57

SHA512
caaea502176be7d79c5bb6519182652cba3fccd9970c6f33b6818cbb3c9a018662185c2b619e8e3f7147e42b01d8738eedab25ccb9a11573c505c292e0046cb2

Download Submit
C:\Windows\System\nYEWTyA.exe

Filesize
5.2MB

MD5
b1307045e5a7db22982197ac93a08944

SHA1
c12cd36f5af4eddf3a258d3c5199bc9d655cb2e2

SHA256
a5ad44b6692d909d48d290960aaf1728ce271fad47091b46dff8fa0809b9d24b

SHA512
3f2e0771d4d58e85cef9e37fad085aa011053640bc537ee38932466aa5ebff8842cbc5908e93e9ee0809281e7373e2ed7ce39fbe3e94579e3981e77cf2a52aba

Download Submit
C:\Windows\System\oPpLYbW.exe

Filesize
5.2MB

MD5
9a32811f00e1352b6a1301bb77be9767

SHA1
753fd86f686fbd71dbb7f5fd4c02ded68756d7e4

SHA256
29dda983f55eef6f3f29b1ced5a81ffb324db7ad2eb248718b7323f50168fbc1

SHA512
49f2ec764f33bce1dafb3f06e894c13e145f4dd24613a0c03981f69c6e5b8d9994318a866f0e554c8eeec8e11414808c9105967586a211861381556f7625c220

Download Submit
C:\Windows\System\oplRfQJ.exe

Filesize
5.2MB

MD5
b55737addfb5d77aba3e275909b5006c

SHA1
ef1738e512320b52e411d255eff24253d5006d4e

SHA256
9d7cc9804abb767cda0fda50e211b65e584e8588a234d4d9de1c4fc6d1e441fa

SHA512
8c275168847ad6ae06113f3f19affcb3595f320079933711463e12fe635fb027e716e5c066dcbf9a7af433cf3feafd4b103dcc7aa0e2304b0c0da68fbc8a7238

Download Submit
C:\Windows\System\qqDJYjP.exe

Filesize
5.2MB

MD5
df6d3585947a16071c05956fa3aaa5fb

SHA1
8b2720525e51d54ffec5e308c174e71fb8a4d9d5

SHA256
f37fb902332c06890958744adbc8278bc0fa9bc272a5b4f1d116d5321f0dde8b

SHA512
b80d4f06d2e7fa3fe31c120dc390566f5984ec3b07ade1e9189d6b26e5cd09796cd4f19b6b48102e8cad0e8a1be12dd05cc240e6f5428819abbd9ae4b36fb913

Download Submit
C:\Windows\System\tmnCaNP.exe

Filesize
5.2MB

MD5
1a52d1fb0678035c2f590732d3906d67

SHA1
a47f8033c7f9b05a9aeed1a5fb92db6bdd442ca7

SHA256
05f296f1a6aa3f581a0177a48982eec1dd22e314e0ab57d877ee3d67c84838bc

SHA512
a3937c06223beafd914567c46793ca3ab9f7555fa20a1179cdfb2fe893fc754b919974111c65e711a1194ba8437bfb41d6e2b7afb5c97c437a8102d821f8f2aa

Download Submit
C:\Windows\System\xCaSrzO.exe

Filesize
5.2MB

MD5
2eb718ecd3a26342fbe67a7d7110536a

SHA1
333013a49d0ded9bcd20c13e8fa0ea0f4bc5b71d

SHA256
d02a38f9b75b1ea2b8b1136559d56d22eeb67789d2e62a6f64da8760afe74b0f

SHA512
1adc4504dc51a1eb9ddc9f6fd926b27e56d7fe02ee854edbb5164fb32fdd9ebc6abda535fe18d7f3dfee2619aa1247ba701e0f4d5bedaeb3aabe08c7772a0732

Download Submit
C:\Windows\System\yKtToPF.exe

Filesize
5.2MB

MD5
cec5baf296ab2c0a3171bf2ea90cf759

SHA1
e8c379b53528577802649eb98dbb9dbbbdccb9e8

SHA256
23149abbb52a2fd65e34f64c9ddb39a7d67b3aa60c524f3f8073556abf173425

SHA512
8cdfe8fc8a9dc3404f4634e0c5988af4346d3cb5cdaffc493a7e61780517dabd775451190c957213df7cb9bc265fac13f07fd132604e4399b87d8a5fc68844c9

Download Submit
C:\Windows\System\yONlRWy.exe

Filesize
5.2MB

MD5
286a4f3c2a99d3e95affad91ea5af9ce

SHA1
8bb5c8e96dda15702a0a02be5ab5dd204bad6774

SHA256
bedd9108e36879a286a1a3dd5c0b03fe70a45d1ba28370dfac6eb8b7f99dc244

SHA512
f2a67924c988cfb2d73d7de4a7f90e33dc94613338212ea91fc505c3d3c3b7ecc3dddd896758d7bea8884c4de7810730b7f3cf19e1f2a9966b1ae84457cd1577

Download Submit
C:\Windows\System\zJPjtLV.exe

Filesize
5.2MB

MD5
829c86f32fbc2088c6a89671a52aad88

SHA1
f6677d7737221c08574f87e08a9dede873368908

SHA256
9573b305163ac5c767b2ed11b85f67525512993f5c2388018770a33cf70e42bd

SHA512
c0b7ba707babb6e4d494242bd54e5def4ab598705683a0f23ca519c170323be4f03cb1c7abcd3be9ca181c4d88e1904e3af1eff529b0b5fe5b8158a8b087f810

Download Submit
memory/392-72-0x00007FF68C280000-0x00007FF68C5D1000-memory.dmp

Filesize
3.3MB

Download
memory/392-0-0x00007FF68C280000-0x00007FF68C5D1000-memory.dmp

Filesize
3.3MB

Download
memory/392-166-0x00007FF68C280000-0x00007FF68C5D1000-memory.dmp

Filesize
3.3MB

Download
memory/392-1-0x000002D023620000-0x000002D023630000-memory.dmp

Filesize
64KB

Download
memory/668-233-0x00007FF72E290000-0x00007FF72E5E1000-memory.dmp

Filesize
3.3MB

Download
memory/668-31-0x00007FF72E290000-0x00007FF72E5E1000-memory.dmp

Filesize
3.3MB

Download
memory/668-101-0x00007FF72E290000-0x00007FF72E5E1000-memory.dmp

Filesize
3.3MB

Download
memory/1120-144-0x00007FF70C520000-0x00007FF70C871000-memory.dmp

Filesize
3.3MB

Download
memory/1120-275-0x00007FF70C520000-0x00007FF70C871000-memory.dmp

Filesize
3.3MB

Download
memory/1392-53-0x00007FF65E030000-0x00007FF65E381000-memory.dmp

Filesize
3.3MB

Download
memory/1392-239-0x00007FF65E030000-0x00007FF65E381000-memory.dmp

Filesize
3.3MB

Download
memory/1436-114-0x00007FF6BB230000-0x00007FF6BB581000-memory.dmp

Filesize
3.3MB

Download
memory/1436-242-0x00007FF6BB230000-0x00007FF6BB581000-memory.dmp

Filesize
3.3MB

Download
memory/1436-52-0x00007FF6BB230000-0x00007FF6BB581000-memory.dmp

Filesize
3.3MB

Download
memory/1856-6-0x00007FF789A60000-0x00007FF789DB1000-memory.dmp

Filesize
3.3MB

Download
memory/1856-79-0x00007FF789A60000-0x00007FF789DB1000-memory.dmp

Filesize
3.3MB

Download
memory/1856-216-0x00007FF789A60000-0x00007FF789DB1000-memory.dmp

Filesize
3.3MB

Download
memory/1928-113-0x00007FF6E90E0000-0x00007FF6E9431000-memory.dmp

Filesize
3.3MB

Download
memory/1928-50-0x00007FF6E90E0000-0x00007FF6E9431000-memory.dmp

Filesize
3.3MB

Download
memory/1928-245-0x00007FF6E90E0000-0x00007FF6E9431000-memory.dmp

Filesize
3.3MB

Download
memory/2076-60-0x00007FF654180000-0x00007FF6544D1000-memory.dmp

Filesize
3.3MB

Download
memory/2076-124-0x00007FF654180000-0x00007FF6544D1000-memory.dmp

Filesize
3.3MB

Download
memory/2076-243-0x00007FF654180000-0x00007FF6544D1000-memory.dmp

Filesize
3.3MB

Download
memory/2392-265-0x00007FF611E20000-0x00007FF612171000-memory.dmp

Filesize
3.3MB

Download
memory/2392-118-0x00007FF611E20000-0x00007FF612171000-memory.dmp

Filesize
3.3MB

Download
memory/2660-90-0x00007FF76BC20000-0x00007FF76BF71000-memory.dmp

Filesize
3.3MB

Download
memory/2660-18-0x00007FF76BC20000-0x00007FF76BF71000-memory.dmp

Filesize
3.3MB

Download
memory/2660-231-0x00007FF76BC20000-0x00007FF76BF71000-memory.dmp

Filesize
3.3MB

Download
memory/2672-133-0x00007FF71A800000-0x00007FF71AB51000-memory.dmp

Filesize
3.3MB

Download
memory/2672-250-0x00007FF71A800000-0x00007FF71AB51000-memory.dmp

Filesize
3.3MB

Download
memory/2672-75-0x00007FF71A800000-0x00007FF71AB51000-memory.dmp

Filesize
3.3MB

Download
memory/2996-143-0x00007FF704600000-0x00007FF704951000-memory.dmp

Filesize
3.3MB

Download
memory/2996-252-0x00007FF704600000-0x00007FF704951000-memory.dmp

Filesize
3.3MB

Download
memory/2996-80-0x00007FF704600000-0x00007FF704951000-memory.dmp

Filesize
3.3MB

Download
memory/3016-127-0x00007FF74AB90000-0x00007FF74AEE1000-memory.dmp

Filesize
3.3MB

Download
memory/3016-247-0x00007FF74AB90000-0x00007FF74AEE1000-memory.dmp

Filesize
3.3MB

Download
memory/3016-66-0x00007FF74AB90000-0x00007FF74AEE1000-memory.dmp

Filesize
3.3MB

Download
memory/3224-153-0x00007FF6964E0000-0x00007FF696831000-memory.dmp

Filesize
3.3MB

Download
memory/3224-254-0x00007FF6964E0000-0x00007FF696831000-memory.dmp

Filesize
3.3MB

Download
memory/3224-87-0x00007FF6964E0000-0x00007FF696831000-memory.dmp

Filesize
3.3MB

Download
memory/3828-273-0x00007FF6051F0000-0x00007FF605541000-memory.dmp

Filesize
3.3MB

Download
memory/3828-141-0x00007FF6051F0000-0x00007FF605541000-memory.dmp

Filesize
3.3MB

Download
memory/3828-164-0x00007FF6051F0000-0x00007FF605541000-memory.dmp

Filesize
3.3MB

Download
memory/3944-260-0x00007FF75CA60000-0x00007FF75CDB1000-memory.dmp

Filesize
3.3MB

Download
memory/3944-157-0x00007FF75CA60000-0x00007FF75CDB1000-memory.dmp

Filesize
3.3MB

Download
memory/3944-95-0x00007FF75CA60000-0x00007FF75CDB1000-memory.dmp

Filesize
3.3MB

Download
memory/4056-107-0x00007FF7C1FA0000-0x00007FF7C22F1000-memory.dmp

Filesize
3.3MB

Download
memory/4056-262-0x00007FF7C1FA0000-0x00007FF7C22F1000-memory.dmp

Filesize
3.3MB

Download
memory/4056-158-0x00007FF7C1FA0000-0x00007FF7C22F1000-memory.dmp

Filesize
3.3MB

Download
memory/4316-104-0x00007FF69FD20000-0x00007FF6A0071000-memory.dmp

Filesize
3.3MB

Download
memory/4316-237-0x00007FF69FD20000-0x00007FF6A0071000-memory.dmp

Filesize
3.3MB

Download
memory/4316-47-0x00007FF69FD20000-0x00007FF6A0071000-memory.dmp

Filesize
3.3MB

Download
memory/4424-13-0x00007FF733230000-0x00007FF733581000-memory.dmp

Filesize
3.3MB

Download
memory/4424-218-0x00007FF733230000-0x00007FF733581000-memory.dmp

Filesize
3.3MB

Download
memory/4424-86-0x00007FF733230000-0x00007FF733581000-memory.dmp

Filesize
3.3MB

Download
memory/4512-121-0x00007FF7759E0000-0x00007FF775D31000-memory.dmp

Filesize
3.3MB

Download
memory/4512-266-0x00007FF7759E0000-0x00007FF775D31000-memory.dmp

Filesize
3.3MB

Download
memory/4856-235-0x00007FF609D30000-0x00007FF60A081000-memory.dmp

Filesize
3.3MB

Download
memory/4856-94-0x00007FF609D30000-0x00007FF60A081000-memory.dmp

Filesize
3.3MB

Download
memory/4856-23-0x00007FF609D30000-0x00007FF60A081000-memory.dmp

Filesize
3.3MB

Download
memory/4984-163-0x00007FF7DE9B0000-0x00007FF7DED01000-memory.dmp

Filesize
3.3MB

Download
memory/4984-270-0x00007FF7DE9B0000-0x00007FF7DED01000-memory.dmp

Filesize
3.3MB

Download
memory/4984-123-0x00007FF7DE9B0000-0x00007FF7DED01000-memory.dmp

Filesize
3.3MB

Download