cobaltstrike | 9272966959761c5bf196a7148e11a498d11c37900b35497ee9fa7cf823508424

Analysis

max time kernel
142s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25-09-2024 15:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-25_7d603e6db7d8297083ccc274fd662491_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

7d603e6db7d8297083ccc274fd662491
SHA1

36852420bd323b0a5ae3501abea71bec36ec4d1f
SHA256

9272966959761c5bf196a7148e11a498d11c37900b35497ee9fa7cf823508424
SHA512

46692d39c05407b9a9f123ff68718a5fd09fa2c33a29e2c201ff63716c441a50c9e465f538ec52afc26a54fd56b3d109a4867c6955fbf7cdc5f3a63bc6b746e2
SSDEEP

98304:oemTLkNdfE0pZrt56utgpPFotBER/mQ32lUr:T+856utgpPF8u/7r

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000a0000000233e2-5.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023446-10.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023447-23.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023448-26.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023449-43.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002344a-50.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002344e-62.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023450-76.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023453-94.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023454-103.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023455-113.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023458-122.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023457-120.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023456-111.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023452-109.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023451-91.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002344f-80.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002344c-73.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002344b-61.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002344d-56.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023442-21.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/4112-0-0x00007FF763F50000-0x00007FF7642A4000-memory.dmp	xmrig
behavioral2/files/0x000a0000000233e2-5.dat	xmrig
behavioral2/files/0x0007000000023446-10.dat	xmrig
behavioral2/files/0x0007000000023447-23.dat	xmrig
behavioral2/files/0x0007000000023448-26.dat	xmrig
behavioral2/memory/3028-35-0x00007FF676610000-0x00007FF676964000-memory.dmp	xmrig
behavioral2/memory/2288-40-0x00007FF7F96A0000-0x00007FF7F99F4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023449-43.dat	xmrig
behavioral2/files/0x000700000002344a-50.dat	xmrig
behavioral2/files/0x000700000002344e-62.dat	xmrig
behavioral2/files/0x0007000000023450-76.dat	xmrig
behavioral2/memory/2544-86-0x00007FF7EFD20000-0x00007FF7F0074000-memory.dmp	xmrig
behavioral2/files/0x0007000000023453-94.dat	xmrig
behavioral2/files/0x0007000000023454-103.dat	xmrig
behavioral2/files/0x0007000000023455-113.dat	xmrig
behavioral2/files/0x0007000000023458-122.dat	xmrig
behavioral2/files/0x0007000000023457-120.dat	xmrig
behavioral2/files/0x0007000000023456-111.dat	xmrig
behavioral2/files/0x0007000000023452-109.dat	xmrig
behavioral2/memory/5036-99-0x00007FF612890000-0x00007FF612BE4000-memory.dmp	xmrig
behavioral2/memory/1176-98-0x00007FF7DC4C0000-0x00007FF7DC814000-memory.dmp	xmrig
behavioral2/files/0x0007000000023451-91.dat	xmrig
behavioral2/memory/5080-90-0x00007FF757970000-0x00007FF757CC4000-memory.dmp	xmrig
behavioral2/memory/3648-87-0x00007FF7C19A0000-0x00007FF7C1CF4000-memory.dmp	xmrig
behavioral2/files/0x000700000002344f-80.dat	xmrig
behavioral2/memory/4172-79-0x00007FF777A10000-0x00007FF777D64000-memory.dmp	xmrig
behavioral2/files/0x000700000002344c-73.dat	xmrig
behavioral2/memory/4112-66-0x00007FF763F50000-0x00007FF7642A4000-memory.dmp	xmrig
behavioral2/memory/3784-65-0x00007FF6BD160000-0x00007FF6BD4B4000-memory.dmp	xmrig
behavioral2/files/0x000700000002344b-61.dat	xmrig
behavioral2/memory/1764-58-0x00007FF77DCF0000-0x00007FF77E044000-memory.dmp	xmrig
behavioral2/files/0x000700000002344d-56.dat	xmrig
behavioral2/memory/752-47-0x00007FF62A400000-0x00007FF62A754000-memory.dmp	xmrig
behavioral2/memory/1312-45-0x00007FF637720000-0x00007FF637A74000-memory.dmp	xmrig
behavioral2/memory/5056-34-0x00007FF721120000-0x00007FF721474000-memory.dmp	xmrig
behavioral2/files/0x0008000000023442-21.dat	xmrig
behavioral2/memory/4692-20-0x00007FF76DDD0000-0x00007FF76E124000-memory.dmp	xmrig
behavioral2/memory/5036-14-0x00007FF612890000-0x00007FF612BE4000-memory.dmp	xmrig
behavioral2/memory/3648-7-0x00007FF7C19A0000-0x00007FF7C1CF4000-memory.dmp	xmrig
behavioral2/memory/828-124-0x00007FF636B10000-0x00007FF636E64000-memory.dmp	xmrig
behavioral2/memory/116-125-0x00007FF6D5270000-0x00007FF6D55C4000-memory.dmp	xmrig
behavioral2/memory/5016-126-0x00007FF606210000-0x00007FF606564000-memory.dmp	xmrig
behavioral2/memory/668-128-0x00007FF72A250000-0x00007FF72A5A4000-memory.dmp	xmrig
behavioral2/memory/4860-130-0x00007FF77CC80000-0x00007FF77CFD4000-memory.dmp	xmrig
behavioral2/memory/1140-129-0x00007FF600320000-0x00007FF600674000-memory.dmp	xmrig
behavioral2/memory/1876-127-0x00007FF6ED1C0000-0x00007FF6ED514000-memory.dmp	xmrig
behavioral2/memory/4692-131-0x00007FF76DDD0000-0x00007FF76E124000-memory.dmp	xmrig
behavioral2/memory/5056-132-0x00007FF721120000-0x00007FF721474000-memory.dmp	xmrig
behavioral2/memory/3028-133-0x00007FF676610000-0x00007FF676964000-memory.dmp	xmrig
behavioral2/memory/2288-134-0x00007FF7F96A0000-0x00007FF7F99F4000-memory.dmp	xmrig
behavioral2/memory/1312-135-0x00007FF637720000-0x00007FF637A74000-memory.dmp	xmrig
behavioral2/memory/752-136-0x00007FF62A400000-0x00007FF62A754000-memory.dmp	xmrig
behavioral2/memory/1764-137-0x00007FF77DCF0000-0x00007FF77E044000-memory.dmp	xmrig
behavioral2/memory/2544-138-0x00007FF7EFD20000-0x00007FF7F0074000-memory.dmp	xmrig
behavioral2/memory/5080-139-0x00007FF757970000-0x00007FF757CC4000-memory.dmp	xmrig
behavioral2/memory/3648-140-0x00007FF7C19A0000-0x00007FF7C1CF4000-memory.dmp	xmrig
behavioral2/memory/5036-141-0x00007FF612890000-0x00007FF612BE4000-memory.dmp	xmrig
behavioral2/memory/4692-142-0x00007FF76DDD0000-0x00007FF76E124000-memory.dmp	xmrig
behavioral2/memory/5056-143-0x00007FF721120000-0x00007FF721474000-memory.dmp	xmrig
behavioral2/memory/3028-144-0x00007FF676610000-0x00007FF676964000-memory.dmp	xmrig
behavioral2/memory/2288-145-0x00007FF7F96A0000-0x00007FF7F99F4000-memory.dmp	xmrig
behavioral2/memory/3784-146-0x00007FF6BD160000-0x00007FF6BD4B4000-memory.dmp	xmrig
behavioral2/memory/752-147-0x00007FF62A400000-0x00007FF62A754000-memory.dmp	xmrig
behavioral2/memory/4172-148-0x00007FF777A10000-0x00007FF777D64000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
3648	gaUReRr.exe
5036	WKsLeAw.exe
4692	BHtiVFE.exe
5056	OzmgAKo.exe
3028	PgvOQuG.exe
2288	gEzJuAG.exe
1312	ojFdRff.exe
752	wfRbZZY.exe
1764	WyDzIIB.exe
3784	zoTqMda.exe
4172	qXLIYbc.exe
1176	zvPvWlt.exe
2544	ixUzxJV.exe
828	dpYujsq.exe
5080	EimTsAw.exe
1140	ErPapkn.exe
116	HJgThfT.exe
4860	JAgNGLv.exe
5016	tWhQsiU.exe
1876	tpTNNpU.exe
668	cAMMZgl.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4112-0-0x00007FF763F50000-0x00007FF7642A4000-memory.dmp	upx
behavioral2/files/0x000a0000000233e2-5.dat	upx
behavioral2/files/0x0007000000023446-10.dat	upx
behavioral2/files/0x0007000000023447-23.dat	upx
behavioral2/files/0x0007000000023448-26.dat	upx
behavioral2/memory/3028-35-0x00007FF676610000-0x00007FF676964000-memory.dmp	upx
behavioral2/memory/2288-40-0x00007FF7F96A0000-0x00007FF7F99F4000-memory.dmp	upx
behavioral2/files/0x0007000000023449-43.dat	upx
behavioral2/files/0x000700000002344a-50.dat	upx
behavioral2/files/0x000700000002344e-62.dat	upx
behavioral2/files/0x0007000000023450-76.dat	upx
behavioral2/memory/2544-86-0x00007FF7EFD20000-0x00007FF7F0074000-memory.dmp	upx
behavioral2/files/0x0007000000023453-94.dat	upx
behavioral2/files/0x0007000000023454-103.dat	upx
behavioral2/files/0x0007000000023455-113.dat	upx
behavioral2/files/0x0007000000023458-122.dat	upx
behavioral2/files/0x0007000000023457-120.dat	upx
behavioral2/files/0x0007000000023456-111.dat	upx
behavioral2/files/0x0007000000023452-109.dat	upx
behavioral2/memory/5036-99-0x00007FF612890000-0x00007FF612BE4000-memory.dmp	upx
behavioral2/memory/1176-98-0x00007FF7DC4C0000-0x00007FF7DC814000-memory.dmp	upx
behavioral2/files/0x0007000000023451-91.dat	upx
behavioral2/memory/5080-90-0x00007FF757970000-0x00007FF757CC4000-memory.dmp	upx
behavioral2/memory/3648-87-0x00007FF7C19A0000-0x00007FF7C1CF4000-memory.dmp	upx
behavioral2/files/0x000700000002344f-80.dat	upx
behavioral2/memory/4172-79-0x00007FF777A10000-0x00007FF777D64000-memory.dmp	upx
behavioral2/files/0x000700000002344c-73.dat	upx
behavioral2/memory/4112-66-0x00007FF763F50000-0x00007FF7642A4000-memory.dmp	upx
behavioral2/memory/3784-65-0x00007FF6BD160000-0x00007FF6BD4B4000-memory.dmp	upx
behavioral2/files/0x000700000002344b-61.dat	upx
behavioral2/memory/1764-58-0x00007FF77DCF0000-0x00007FF77E044000-memory.dmp	upx
behavioral2/files/0x000700000002344d-56.dat	upx
behavioral2/memory/752-47-0x00007FF62A400000-0x00007FF62A754000-memory.dmp	upx
behavioral2/memory/1312-45-0x00007FF637720000-0x00007FF637A74000-memory.dmp	upx
behavioral2/memory/5056-34-0x00007FF721120000-0x00007FF721474000-memory.dmp	upx
behavioral2/files/0x0008000000023442-21.dat	upx
behavioral2/memory/4692-20-0x00007FF76DDD0000-0x00007FF76E124000-memory.dmp	upx
behavioral2/memory/5036-14-0x00007FF612890000-0x00007FF612BE4000-memory.dmp	upx
behavioral2/memory/3648-7-0x00007FF7C19A0000-0x00007FF7C1CF4000-memory.dmp	upx
behavioral2/memory/828-124-0x00007FF636B10000-0x00007FF636E64000-memory.dmp	upx
behavioral2/memory/116-125-0x00007FF6D5270000-0x00007FF6D55C4000-memory.dmp	upx
behavioral2/memory/5016-126-0x00007FF606210000-0x00007FF606564000-memory.dmp	upx
behavioral2/memory/668-128-0x00007FF72A250000-0x00007FF72A5A4000-memory.dmp	upx
behavioral2/memory/4860-130-0x00007FF77CC80000-0x00007FF77CFD4000-memory.dmp	upx
behavioral2/memory/1140-129-0x00007FF600320000-0x00007FF600674000-memory.dmp	upx
behavioral2/memory/1876-127-0x00007FF6ED1C0000-0x00007FF6ED514000-memory.dmp	upx
behavioral2/memory/4692-131-0x00007FF76DDD0000-0x00007FF76E124000-memory.dmp	upx
behavioral2/memory/5056-132-0x00007FF721120000-0x00007FF721474000-memory.dmp	upx
behavioral2/memory/3028-133-0x00007FF676610000-0x00007FF676964000-memory.dmp	upx
behavioral2/memory/2288-134-0x00007FF7F96A0000-0x00007FF7F99F4000-memory.dmp	upx
behavioral2/memory/1312-135-0x00007FF637720000-0x00007FF637A74000-memory.dmp	upx
behavioral2/memory/752-136-0x00007FF62A400000-0x00007FF62A754000-memory.dmp	upx
behavioral2/memory/1764-137-0x00007FF77DCF0000-0x00007FF77E044000-memory.dmp	upx
behavioral2/memory/2544-138-0x00007FF7EFD20000-0x00007FF7F0074000-memory.dmp	upx
behavioral2/memory/5080-139-0x00007FF757970000-0x00007FF757CC4000-memory.dmp	upx
behavioral2/memory/3648-140-0x00007FF7C19A0000-0x00007FF7C1CF4000-memory.dmp	upx
behavioral2/memory/5036-141-0x00007FF612890000-0x00007FF612BE4000-memory.dmp	upx
behavioral2/memory/4692-142-0x00007FF76DDD0000-0x00007FF76E124000-memory.dmp	upx
behavioral2/memory/5056-143-0x00007FF721120000-0x00007FF721474000-memory.dmp	upx
behavioral2/memory/3028-144-0x00007FF676610000-0x00007FF676964000-memory.dmp	upx
behavioral2/memory/2288-145-0x00007FF7F96A0000-0x00007FF7F99F4000-memory.dmp	upx
behavioral2/memory/3784-146-0x00007FF6BD160000-0x00007FF6BD4B4000-memory.dmp	upx
behavioral2/memory/752-147-0x00007FF62A400000-0x00007FF62A754000-memory.dmp	upx
behavioral2/memory/4172-148-0x00007FF777A10000-0x00007FF777D64000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\zvPvWlt.exe	2024-09-25_7d603e6db7d8297083ccc274fd662491_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EimTsAw.exe	2024-09-25_7d603e6db7d8297083ccc274fd662491_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JAgNGLv.exe	2024-09-25_7d603e6db7d8297083ccc274fd662491_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tpTNNpU.exe	2024-09-25_7d603e6db7d8297083ccc274fd662491_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cAMMZgl.exe	2024-09-25_7d603e6db7d8297083ccc274fd662491_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BHtiVFE.exe	2024-09-25_7d603e6db7d8297083ccc274fd662491_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PgvOQuG.exe	2024-09-25_7d603e6db7d8297083ccc274fd662491_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qXLIYbc.exe	2024-09-25_7d603e6db7d8297083ccc274fd662491_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dpYujsq.exe	2024-09-25_7d603e6db7d8297083ccc274fd662491_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tWhQsiU.exe	2024-09-25_7d603e6db7d8297083ccc274fd662491_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ojFdRff.exe	2024-09-25_7d603e6db7d8297083ccc274fd662491_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WyDzIIB.exe	2024-09-25_7d603e6db7d8297083ccc274fd662491_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gEzJuAG.exe	2024-09-25_7d603e6db7d8297083ccc274fd662491_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zoTqMda.exe	2024-09-25_7d603e6db7d8297083ccc274fd662491_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ixUzxJV.exe	2024-09-25_7d603e6db7d8297083ccc274fd662491_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ErPapkn.exe	2024-09-25_7d603e6db7d8297083ccc274fd662491_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HJgThfT.exe	2024-09-25_7d603e6db7d8297083ccc274fd662491_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WKsLeAw.exe	2024-09-25_7d603e6db7d8297083ccc274fd662491_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OzmgAKo.exe	2024-09-25_7d603e6db7d8297083ccc274fd662491_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gaUReRr.exe	2024-09-25_7d603e6db7d8297083ccc274fd662491_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wfRbZZY.exe	2024-09-25_7d603e6db7d8297083ccc274fd662491_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4112	2024-09-25_7d603e6db7d8297083ccc274fd662491_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4112	2024-09-25_7d603e6db7d8297083ccc274fd662491_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4112 wrote to memory of 3648	4112	2024-09-25_7d603e6db7d8297083ccc274fd662491_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4112 wrote to memory of 3648	4112	2024-09-25_7d603e6db7d8297083ccc274fd662491_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4112 wrote to memory of 5036	4112	2024-09-25_7d603e6db7d8297083ccc274fd662491_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4112 wrote to memory of 5036	4112	2024-09-25_7d603e6db7d8297083ccc274fd662491_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4112 wrote to memory of 4692	4112	2024-09-25_7d603e6db7d8297083ccc274fd662491_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4112 wrote to memory of 4692	4112	2024-09-25_7d603e6db7d8297083ccc274fd662491_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4112 wrote to memory of 5056	4112	2024-09-25_7d603e6db7d8297083ccc274fd662491_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4112 wrote to memory of 5056	4112	2024-09-25_7d603e6db7d8297083ccc274fd662491_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4112 wrote to memory of 3028	4112	2024-09-25_7d603e6db7d8297083ccc274fd662491_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4112 wrote to memory of 3028	4112	2024-09-25_7d603e6db7d8297083ccc274fd662491_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4112 wrote to memory of 2288	4112	2024-09-25_7d603e6db7d8297083ccc274fd662491_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4112 wrote to memory of 2288	4112	2024-09-25_7d603e6db7d8297083ccc274fd662491_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4112 wrote to memory of 1312	4112	2024-09-25_7d603e6db7d8297083ccc274fd662491_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4112 wrote to memory of 1312	4112	2024-09-25_7d603e6db7d8297083ccc274fd662491_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4112 wrote to memory of 752	4112	2024-09-25_7d603e6db7d8297083ccc274fd662491_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4112 wrote to memory of 752	4112	2024-09-25_7d603e6db7d8297083ccc274fd662491_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4112 wrote to memory of 1764	4112	2024-09-25_7d603e6db7d8297083ccc274fd662491_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4112 wrote to memory of 1764	4112	2024-09-25_7d603e6db7d8297083ccc274fd662491_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4112 wrote to memory of 3784	4112	2024-09-25_7d603e6db7d8297083ccc274fd662491_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4112 wrote to memory of 3784	4112	2024-09-25_7d603e6db7d8297083ccc274fd662491_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4112 wrote to memory of 4172	4112	2024-09-25_7d603e6db7d8297083ccc274fd662491_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4112 wrote to memory of 4172	4112	2024-09-25_7d603e6db7d8297083ccc274fd662491_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4112 wrote to memory of 1176	4112	2024-09-25_7d603e6db7d8297083ccc274fd662491_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4112 wrote to memory of 1176	4112	2024-09-25_7d603e6db7d8297083ccc274fd662491_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4112 wrote to memory of 2544	4112	2024-09-25_7d603e6db7d8297083ccc274fd662491_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4112 wrote to memory of 2544	4112	2024-09-25_7d603e6db7d8297083ccc274fd662491_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4112 wrote to memory of 828	4112	2024-09-25_7d603e6db7d8297083ccc274fd662491_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4112 wrote to memory of 828	4112	2024-09-25_7d603e6db7d8297083ccc274fd662491_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4112 wrote to memory of 5080	4112	2024-09-25_7d603e6db7d8297083ccc274fd662491_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4112 wrote to memory of 5080	4112	2024-09-25_7d603e6db7d8297083ccc274fd662491_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4112 wrote to memory of 1140	4112	2024-09-25_7d603e6db7d8297083ccc274fd662491_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4112 wrote to memory of 1140	4112	2024-09-25_7d603e6db7d8297083ccc274fd662491_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4112 wrote to memory of 116	4112	2024-09-25_7d603e6db7d8297083ccc274fd662491_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4112 wrote to memory of 116	4112	2024-09-25_7d603e6db7d8297083ccc274fd662491_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4112 wrote to memory of 5016	4112	2024-09-25_7d603e6db7d8297083ccc274fd662491_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4112 wrote to memory of 5016	4112	2024-09-25_7d603e6db7d8297083ccc274fd662491_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4112 wrote to memory of 4860	4112	2024-09-25_7d603e6db7d8297083ccc274fd662491_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4112 wrote to memory of 4860	4112	2024-09-25_7d603e6db7d8297083ccc274fd662491_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4112 wrote to memory of 1876	4112	2024-09-25_7d603e6db7d8297083ccc274fd662491_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4112 wrote to memory of 1876	4112	2024-09-25_7d603e6db7d8297083ccc274fd662491_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4112 wrote to memory of 668	4112	2024-09-25_7d603e6db7d8297083ccc274fd662491_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4112 wrote to memory of 668	4112	2024-09-25_7d603e6db7d8297083ccc274fd662491_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-09-25_7d603e6db7d8297083ccc274fd662491_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-25_7d603e6db7d8297083ccc274fd662491_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4112
- C:\Windows\System\gaUReRr.exe
  C:\Windows\System\gaUReRr.exe
  2⤵
  - Executes dropped EXE
  PID:3648
- C:\Windows\System\WKsLeAw.exe
  C:\Windows\System\WKsLeAw.exe
  2⤵
  - Executes dropped EXE
  PID:5036
- C:\Windows\System\BHtiVFE.exe
  C:\Windows\System\BHtiVFE.exe
  2⤵
  - Executes dropped EXE
  PID:4692
- C:\Windows\System\OzmgAKo.exe
  C:\Windows\System\OzmgAKo.exe
  2⤵
  - Executes dropped EXE
  PID:5056
- C:\Windows\System\PgvOQuG.exe
  C:\Windows\System\PgvOQuG.exe
  2⤵
  - Executes dropped EXE
  PID:3028
- C:\Windows\System\gEzJuAG.exe
  C:\Windows\System\gEzJuAG.exe
  2⤵
  - Executes dropped EXE
  PID:2288
- C:\Windows\System\ojFdRff.exe
  C:\Windows\System\ojFdRff.exe
  2⤵
  - Executes dropped EXE
  PID:1312
- C:\Windows\System\wfRbZZY.exe
  C:\Windows\System\wfRbZZY.exe
  2⤵
  - Executes dropped EXE
  PID:752
- C:\Windows\System\WyDzIIB.exe
  C:\Windows\System\WyDzIIB.exe
  2⤵
  - Executes dropped EXE
  PID:1764
- C:\Windows\System\zoTqMda.exe
  C:\Windows\System\zoTqMda.exe
  2⤵
  - Executes dropped EXE
  PID:3784
- C:\Windows\System\qXLIYbc.exe
  C:\Windows\System\qXLIYbc.exe
  2⤵
  - Executes dropped EXE
  PID:4172
- C:\Windows\System\zvPvWlt.exe
  C:\Windows\System\zvPvWlt.exe
  2⤵
  - Executes dropped EXE
  PID:1176
- C:\Windows\System\ixUzxJV.exe
  C:\Windows\System\ixUzxJV.exe
  2⤵
  - Executes dropped EXE
  PID:2544
- C:\Windows\System\dpYujsq.exe
  C:\Windows\System\dpYujsq.exe
  2⤵
  - Executes dropped EXE
  PID:828
- C:\Windows\System\EimTsAw.exe
  C:\Windows\System\EimTsAw.exe
  2⤵
  - Executes dropped EXE
  PID:5080
- C:\Windows\System\ErPapkn.exe
  C:\Windows\System\ErPapkn.exe
  2⤵
  - Executes dropped EXE
  PID:1140
- C:\Windows\System\HJgThfT.exe
  C:\Windows\System\HJgThfT.exe
  2⤵
  - Executes dropped EXE
  PID:116
- C:\Windows\System\tWhQsiU.exe
  C:\Windows\System\tWhQsiU.exe
  2⤵
  - Executes dropped EXE
  PID:5016
- C:\Windows\System\JAgNGLv.exe
  C:\Windows\System\JAgNGLv.exe
  2⤵
  - Executes dropped EXE
  PID:4860
- C:\Windows\System\tpTNNpU.exe
  C:\Windows\System\tpTNNpU.exe
  2⤵
  - Executes dropped EXE
  PID:1876
- C:\Windows\System\cAMMZgl.exe
  C:\Windows\System\cAMMZgl.exe
  2⤵
  - Executes dropped EXE
  PID:668

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BHtiVFE.exe

Filesize
5.9MB

MD5
13ec169e7672711cacc273a093442574

SHA1
8d3368a82baf6638507adeb4f21bb91064819369

SHA256
1303b4bfc6278d642848ebacc24d01deee157edc7ec23fe8e66ecca850783655

SHA512
7a10c236d3b2e67d8eb868a5565d419eb598bb1e29051cf85ce532be07507004ae28643f647af5c9dc2916d0ec9c9c6fbf0d7c14c5fbe3c34b1a01b0b79bdbf6

Download Submit
C:\Windows\System\EimTsAw.exe

Filesize
5.9MB

MD5
3a46d5e449602de66c768944376e689c

SHA1
98ba268fe84d44b307709f8ec117886c5b579032

SHA256
f63773c68fe880cb7c7fb2448ee31fc0e6a4a8044aa4e3b3b371698db39f603f

SHA512
3fa54f6cef49fc2345f9f0e117b555bb642d587d712a2e23f285d1c930cbfdf06a4bd642b1ee25a3621f4c25a4fc259e7cd97162867f5e6529d0f3fee42471ce

Download Submit
C:\Windows\System\ErPapkn.exe

Filesize
5.9MB

MD5
cb72838f5ad018c619926709f09cd831

SHA1
2dc6cc0eb5b21dbcdf59534f8ebbbebbf4c2ec3f

SHA256
6daa51203d7fbf07c5d7975ea2547cb7b63bfd406817d105c56d4f2ac3faf4dd

SHA512
5b75fb5e9118e7f5c2e0d0c3d6be029377eff39d39ac736783ccf4ac82030186fe18ef3bce2179fbcb7bc13c3c501dd88660d72209f10df53a44b42966c109c4

Download Submit
C:\Windows\System\HJgThfT.exe

Filesize
5.9MB

MD5
08ebff36c833f749036ad147c5658b97

SHA1
740343ebf77e9382ab0ce18c4381ed140dc9a122

SHA256
eafbeb69fdbaba059ea043cdbf8519413b1300daf1f2f1907a1cc5711e8938d5

SHA512
a26775095c6d7d6eb668f362ad4033bd4b468c577f405744630f95afd4b0f094e500c663f5d5b8845d8780cf7532305b42ec73742724a52d7b6d972f4f5138ef

Download Submit
C:\Windows\System\JAgNGLv.exe

Filesize
5.9MB

MD5
66fb08b8d7eaba6d49fbe4b57310d0b6

SHA1
01542deb90e21f13887c0bba6d6a6d4488646052

SHA256
b73cb00c0a4e9d1b1accfba0dcd3818c19f65401817a8989904092cc7bc03d98

SHA512
367a7952e60ee73a187f78b51483ea9004ce9f99bf9a2d2dfbb21dc5c42923497713fd39c7f4f363baa155bd08b571d336aec3d648405652783905595f2f927d

Download Submit
C:\Windows\System\OzmgAKo.exe

Filesize
5.9MB

MD5
e5bbbc4b1e2570972b63264fda276143

SHA1
07c8b8db622fa35d17f8b5921254e1ff16d68250

SHA256
ab6a15b2255b4f6bc4696854862a9204549e67908dacc332757fed2f9a2fe960

SHA512
b97beeb61171d549c864e01959ff454fd2c1d4a86ef8345c44943e7c0673b638dce3064429d8a310d49d0769e7388416c57ccdc262d45040d6449020432a78d0

Download Submit
C:\Windows\System\PgvOQuG.exe

Filesize
5.9MB

MD5
a0b1cc8b6d798c1bd44de22b5a48275b

SHA1
dbbd8a9e91e8548c100174f2cbe1059f8fe17753

SHA256
7aa81fd76d7403255479b30c3fd0da5dec64fe5beab2ec629ca2e311071d5efe

SHA512
0fc530b2d8a551f118616a85fad9639c96133b99672efe664c72d87a5b2f2ca6fd40b52759907f9b1e8e642a532913fab7760f92d637113ec62e27ea0e4acedf

Download Submit
C:\Windows\System\WKsLeAw.exe

Filesize
5.9MB

MD5
79a6b1fa17a3240f6a9d23106fb5188d

SHA1
d4c828fe1daaae1c028fee35f88bb7298795203c

SHA256
bcd52152c25be0a4431aef04286eb25ba67794319f1bb39fb45f86675d4e538d

SHA512
e6e255709e5fceb63ff3cbbeee3365e44ff55ce42e020f418b1681ff62a2c31463f8a40c0674909ca7006e964ace7885a00a80cd33c1b8b968b041ae014ba3fb

Download Submit
C:\Windows\System\WyDzIIB.exe

Filesize
5.9MB

MD5
26cb2db3a8b519e3117312f97cc89463

SHA1
2cf138004d5e79958b7e5eec1557b33c44796b4f

SHA256
d55d9c1816f77c087f71c109030458707f4f01737b894498d62b19cef66ac9ca

SHA512
53551955ccfd02a50ecd3bcc65c5d6d6213a9532328b04a16516d4bab2172f3db2b614f9464610ebe7604fb4392a7761af3b02d7b47da961292de27e8b9ea87f

Download Submit
C:\Windows\System\cAMMZgl.exe

Filesize
5.9MB

MD5
58cd4fde356707e109b63f9373598acc

SHA1
fb69198d5f0e3f89241a9d618a38096f194ce5ec

SHA256
2d77256714834fa28c5bd6876aa68b62953eeba2204b00299d4e32ec726042c9

SHA512
3ca5c70322976fc54fc11ef5b90db64ab86ba7e4598560e39d97444be688286a1e0003788881c172bde7df26a98cd767f3ef2f683cde26b66eed4c228261507e

Download Submit
C:\Windows\System\dpYujsq.exe

Filesize
5.9MB

MD5
f3a3609419a0961abde7d100d9106633

SHA1
2fedb2e06313e8e52e9b8d66374a5b1498f6082a

SHA256
c0b7b8bfd790df61216c6f0d2c58eeaf128938683ee28c71b478faf43ea13025

SHA512
d1ddd7ab7ac16b72d2e2d65941af84baa3681c6e77bdf644aac6260a0710c972f4ea418a78e618668070243c6e9586f8f06f91682a09813bee1cf0bfa8d9c402

Download Submit
C:\Windows\System\gEzJuAG.exe

Filesize
5.9MB

MD5
5997e364fee00355eb0a7d41bf689ae8

SHA1
2f0665ef2d99ce318e0faf8ad55d4830cdaf76cf

SHA256
dfd66a357a3c1e7e681680f929a65e0544ef8f78c503a4b701ed7c36c5b973ba

SHA512
548022e9db64d95f6b6eeb46e3de72238e9793c817f0cbe5ac0d4410bdc2936ea2f7c4aefea320eeeda2f975408871df33cf160fc942e97116e23f9471beef6a

Download Submit
C:\Windows\System\gaUReRr.exe

Filesize
5.9MB

MD5
8993f4b7a173a7666ed55da893145ee5

SHA1
1eb95c9266453c1980447178a3d5761ba64290b9

SHA256
d499018b009ada91c10a6c8f9e5b41d7692e49232221a327d5a92870303a5dc6

SHA512
c8c8c607b94b32c5eb1cf378657ea27f0719904fb97ab5438ea80d1505ec952b6e3ca1960fdec58553657aa6279d36c5ab9d9b1898482ee926d6b5d50ce3838b

Download Submit
C:\Windows\System\ixUzxJV.exe

Filesize
5.9MB

MD5
d29c0f21c790132559056fad89162134

SHA1
0f8ece50498b4aa146ccce5b1b791f67408213e0

SHA256
e237a31794a9c77c3afe6320313fd9ea25155f3778bd4f309d824f632fb6e6a7

SHA512
42ca03f6d3af7863b64fc8098ebd2584230443f7a3acc605fd890e8582b9376bd4ed7eff3ce7ee703dbd3f7e14ab2f857312f53205b96246c3e69e281d9cf94a

Download Submit
C:\Windows\System\ojFdRff.exe

Filesize
5.9MB

MD5
c28f2fc724637f2ec6abfea518b1d907

SHA1
ce3106e5e5f54f42691b88cbb5d4387edfaea605

SHA256
f11d67e0e1cb65d77c7ea973d326d34f178e40f3c2cc816d0e53b90cb5afa9eb

SHA512
56774693039a0d40a81e5deff3db4f15cc3f6a518450084523a9b5cadb42dc514ea592a8b9f87394e55a837ba4f0896a949f1fff708ce4633c9099b067569b65

Download Submit
C:\Windows\System\qXLIYbc.exe

Filesize
5.9MB

MD5
667f210c80bec38d3d5a6176342cadca

SHA1
799bfaec1e743d12a8b57db32e6c1ac23f761fdd

SHA256
e97a0265bdcb1163246a5d65d89d56661a1ce0d6ee693a29370526906983146c

SHA512
716c8f0c52b12180e070563bf3c9879f86a52d6a997896426fef89e29fe40692b71b1a41186144cbbde241164aae3ddd960ff3f11d28b7b2702398486909217d

Download Submit
C:\Windows\System\tWhQsiU.exe

Filesize
5.9MB

MD5
abdf87234c12f5df517d6b4e0d5e839a

SHA1
5d0612f9f5ec0300bae5935f5544d42b1b6b35d4

SHA256
b876ac20391a3f68f3b9873884208f371c5a7f8f0e356f5b04a110fca0e9524b

SHA512
d021f22d01a0ae09716c3b2c2d00fa39e15f413585ce1cd109b083a24359c6f6da4eea38279000e7a4003e2aeff5f895067a560eb8594f0504138ed8d14ccbc6

Download Submit
C:\Windows\System\tpTNNpU.exe

Filesize
5.9MB

MD5
033ea740d70ff79acca993e6f665ac81

SHA1
821c1d191d3b66697c1bd43cbd12086fdf766b9b

SHA256
8e1182b289eff6c614287eb37b67109513657fb9602fa686e42c019686ff27ce

SHA512
dbb30c3e7bfcf348baab4cbad8f11abee753f5c40caf91590720454b6502947e17e2d405a3e4516bbbdba55428c79beb20bdf6c3595fd2776fd40c313b1aab03

Download Submit
C:\Windows\System\wfRbZZY.exe

Filesize
5.9MB

MD5
a0cbba560d34569a7b71bea71f974384

SHA1
6a4202779cc5edbdbb74aa6990165880426379ef

SHA256
eb85fe65de550e72d7a8fd76de8fdd4273b3545514393b29b844fd4942d7b1e7

SHA512
31b752f1a4fddb1f4bfac5e0028c800839b5fdb2f16c7655f8ff60cfa1152f922c9b2373ffd3288946155f056bcb2c6a3428eec2873835e719404a63bf3359cf

Download Submit
C:\Windows\System\zoTqMda.exe

Filesize
5.9MB

MD5
8493109a9018754fa38b3ca59c91f243

SHA1
1c709e0dbfddd9b27d59d8ddab48be311c472383

SHA256
69c5c3fbea92d7fed33db3c6bca5bebc29acee6d09d1a93536a4a7b4aeaf1d52

SHA512
73d149f6cbc11d22622df3c445fb555c62fa520d494f2ee501c82905c63636cd8a36ec2f63e7be341f9d6718526aec646f6dcef4d250b92b384dd4926375b2ca

Download Submit
C:\Windows\System\zvPvWlt.exe

Filesize
5.9MB

MD5
9b3c0bd5988d042bf46e63a05da7896d

SHA1
846df1be358527295f79ce625c5d64a60ac91dc3

SHA256
02db01b97591b2d4a84bcb4f8e1834753e06475e396dcdef47fbe37802b3647a

SHA512
253ffa296ee5314a56f8f7b0da2a23e67d62cb26b4e77b5ecb9940a6f8b707b0d46dffefc733ef48996633fdb67190ac2eb3c61d61e81c7159ac895430b1ec53

Download Submit
memory/116-125-0x00007FF6D5270000-0x00007FF6D55C4000-memory.dmp

Filesize
3.3MB

Download
memory/116-159-0x00007FF6D5270000-0x00007FF6D55C4000-memory.dmp

Filesize
3.3MB

Download
memory/668-128-0x00007FF72A250000-0x00007FF72A5A4000-memory.dmp

Filesize
3.3MB

Download
memory/668-153-0x00007FF72A250000-0x00007FF72A5A4000-memory.dmp

Filesize
3.3MB

Download
memory/752-136-0x00007FF62A400000-0x00007FF62A754000-memory.dmp

Filesize
3.3MB

Download
memory/752-47-0x00007FF62A400000-0x00007FF62A754000-memory.dmp

Filesize
3.3MB

Download
memory/752-147-0x00007FF62A400000-0x00007FF62A754000-memory.dmp

Filesize
3.3MB

Download
memory/828-124-0x00007FF636B10000-0x00007FF636E64000-memory.dmp

Filesize
3.3MB

Download
memory/828-152-0x00007FF636B10000-0x00007FF636E64000-memory.dmp

Filesize
3.3MB

Download
memory/1140-129-0x00007FF600320000-0x00007FF600674000-memory.dmp

Filesize
3.3MB

Download
memory/1140-158-0x00007FF600320000-0x00007FF600674000-memory.dmp

Filesize
3.3MB

Download
memory/1176-151-0x00007FF7DC4C0000-0x00007FF7DC814000-memory.dmp

Filesize
3.3MB

Download
memory/1176-98-0x00007FF7DC4C0000-0x00007FF7DC814000-memory.dmp

Filesize
3.3MB

Download
memory/1312-149-0x00007FF637720000-0x00007FF637A74000-memory.dmp

Filesize
3.3MB

Download
memory/1312-45-0x00007FF637720000-0x00007FF637A74000-memory.dmp

Filesize
3.3MB

Download
memory/1312-135-0x00007FF637720000-0x00007FF637A74000-memory.dmp

Filesize
3.3MB

Download
memory/1764-58-0x00007FF77DCF0000-0x00007FF77E044000-memory.dmp

Filesize
3.3MB

Download
memory/1764-137-0x00007FF77DCF0000-0x00007FF77E044000-memory.dmp

Filesize
3.3MB

Download
memory/1764-150-0x00007FF77DCF0000-0x00007FF77E044000-memory.dmp

Filesize
3.3MB

Download
memory/1876-127-0x00007FF6ED1C0000-0x00007FF6ED514000-memory.dmp

Filesize
3.3MB

Download
memory/1876-154-0x00007FF6ED1C0000-0x00007FF6ED514000-memory.dmp

Filesize
3.3MB

Download
memory/2288-145-0x00007FF7F96A0000-0x00007FF7F99F4000-memory.dmp

Filesize
3.3MB

Download
memory/2288-134-0x00007FF7F96A0000-0x00007FF7F99F4000-memory.dmp

Filesize
3.3MB

Download
memory/2288-40-0x00007FF7F96A0000-0x00007FF7F99F4000-memory.dmp

Filesize
3.3MB

Download
memory/2544-160-0x00007FF7EFD20000-0x00007FF7F0074000-memory.dmp

Filesize
3.3MB

Download
memory/2544-138-0x00007FF7EFD20000-0x00007FF7F0074000-memory.dmp

Filesize
3.3MB

Download
memory/2544-86-0x00007FF7EFD20000-0x00007FF7F0074000-memory.dmp

Filesize
3.3MB

Download
memory/3028-35-0x00007FF676610000-0x00007FF676964000-memory.dmp

Filesize
3.3MB

Download
memory/3028-133-0x00007FF676610000-0x00007FF676964000-memory.dmp

Filesize
3.3MB

Download
memory/3028-144-0x00007FF676610000-0x00007FF676964000-memory.dmp

Filesize
3.3MB

Download
memory/3648-87-0x00007FF7C19A0000-0x00007FF7C1CF4000-memory.dmp

Filesize
3.3MB

Download
memory/3648-140-0x00007FF7C19A0000-0x00007FF7C1CF4000-memory.dmp

Filesize
3.3MB

Download
memory/3648-7-0x00007FF7C19A0000-0x00007FF7C1CF4000-memory.dmp

Filesize
3.3MB

Download
memory/3784-146-0x00007FF6BD160000-0x00007FF6BD4B4000-memory.dmp

Filesize
3.3MB

Download
memory/3784-65-0x00007FF6BD160000-0x00007FF6BD4B4000-memory.dmp

Filesize
3.3MB

Download
memory/4112-0-0x00007FF763F50000-0x00007FF7642A4000-memory.dmp

Filesize
3.3MB

Download
memory/4112-1-0x000001BEDF960000-0x000001BEDF970000-memory.dmp

Filesize
64KB

Download
memory/4112-66-0x00007FF763F50000-0x00007FF7642A4000-memory.dmp

Filesize
3.3MB

Download
memory/4172-148-0x00007FF777A10000-0x00007FF777D64000-memory.dmp

Filesize
3.3MB

Download
memory/4172-79-0x00007FF777A10000-0x00007FF777D64000-memory.dmp

Filesize
3.3MB

Download
memory/4692-20-0x00007FF76DDD0000-0x00007FF76E124000-memory.dmp

Filesize
3.3MB

Download
memory/4692-142-0x00007FF76DDD0000-0x00007FF76E124000-memory.dmp

Filesize
3.3MB

Download
memory/4692-131-0x00007FF76DDD0000-0x00007FF76E124000-memory.dmp

Filesize
3.3MB

Download
memory/4860-130-0x00007FF77CC80000-0x00007FF77CFD4000-memory.dmp

Filesize
3.3MB

Download
memory/4860-156-0x00007FF77CC80000-0x00007FF77CFD4000-memory.dmp

Filesize
3.3MB

Download
memory/5016-126-0x00007FF606210000-0x00007FF606564000-memory.dmp

Filesize
3.3MB

Download
memory/5016-155-0x00007FF606210000-0x00007FF606564000-memory.dmp

Filesize
3.3MB

Download
memory/5036-14-0x00007FF612890000-0x00007FF612BE4000-memory.dmp

Filesize
3.3MB

Download
memory/5036-141-0x00007FF612890000-0x00007FF612BE4000-memory.dmp

Filesize
3.3MB

Download
memory/5036-99-0x00007FF612890000-0x00007FF612BE4000-memory.dmp

Filesize
3.3MB

Download
memory/5056-132-0x00007FF721120000-0x00007FF721474000-memory.dmp

Filesize
3.3MB

Download
memory/5056-143-0x00007FF721120000-0x00007FF721474000-memory.dmp

Filesize
3.3MB

Download
memory/5056-34-0x00007FF721120000-0x00007FF721474000-memory.dmp

Filesize
3.3MB

Download
memory/5080-139-0x00007FF757970000-0x00007FF757CC4000-memory.dmp

Filesize
3.3MB

Download
memory/5080-157-0x00007FF757970000-0x00007FF757CC4000-memory.dmp

Filesize
3.3MB

Download
memory/5080-90-0x00007FF757970000-0x00007FF757CC4000-memory.dmp

Filesize
3.3MB

Download