cobaltstrike | 875c86bcbca4ae8b4a0aac2c9f14c70fe42c91358a61931621a1b000a585fa9e

Analysis

max time kernel
141s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
26-09-2024 18:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-26_0633a429664570671662a565cbc93efa_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

0633a429664570671662a565cbc93efa
SHA1

642441451ab05af235717d2429d0ad8225a3f5bb
SHA256

875c86bcbca4ae8b4a0aac2c9f14c70fe42c91358a61931621a1b000a585fa9e
SHA512

e18393a6ac0d7ca1f1345b1f4fdbc98ba3223d3043df8edb2022b1cdcdfb4fa6ec0c697d4602c22071b3d5078203db437c1e72ea73e48f3cb19b037dd6971d74
SSDEEP

98304:oemTLkNdfE0pZrt56utgpPFotBER/mQ32lU1:T+856utgpPF8u/71

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000900000002343c-5.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023456-17.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023457-18.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023458-30.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023459-36.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023455-14.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345a-41.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023449-47.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345b-55.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345c-58.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345e-70.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345f-82.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023461-91.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023462-92.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023463-98.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023465-121.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023467-130.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023464-117.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023466-114.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023460-86.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345d-66.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/4996-0-0x00007FF62BB50000-0x00007FF62BEA4000-memory.dmp	xmrig
behavioral2/files/0x000900000002343c-5.dat	xmrig
behavioral2/memory/5060-6-0x00007FF600340000-0x00007FF600694000-memory.dmp	xmrig
behavioral2/files/0x0007000000023456-17.dat	xmrig
behavioral2/files/0x0007000000023457-18.dat	xmrig
behavioral2/memory/1828-23-0x00007FF615430000-0x00007FF615784000-memory.dmp	xmrig
behavioral2/files/0x0007000000023458-30.dat	xmrig
behavioral2/memory/3188-29-0x00007FF789DF0000-0x00007FF78A144000-memory.dmp	xmrig
behavioral2/memory/1336-35-0x00007FF6631D0000-0x00007FF663524000-memory.dmp	xmrig
behavioral2/files/0x0007000000023459-36.dat	xmrig
behavioral2/memory/2636-24-0x00007FF659660000-0x00007FF6599B4000-memory.dmp	xmrig
behavioral2/memory/1292-19-0x00007FF690F30000-0x00007FF691284000-memory.dmp	xmrig
behavioral2/files/0x0007000000023455-14.dat	xmrig
behavioral2/files/0x000700000002345a-41.dat	xmrig
behavioral2/files/0x000b000000023449-47.dat	xmrig
behavioral2/memory/2188-54-0x00007FF7593E0000-0x00007FF759734000-memory.dmp	xmrig
behavioral2/files/0x000700000002345b-55.dat	xmrig
behavioral2/files/0x000700000002345c-58.dat	xmrig
behavioral2/memory/976-62-0x00007FF76F980000-0x00007FF76FCD4000-memory.dmp	xmrig
behavioral2/files/0x000700000002345e-70.dat	xmrig
behavioral2/memory/4996-71-0x00007FF62BB50000-0x00007FF62BEA4000-memory.dmp	xmrig
behavioral2/files/0x000700000002345f-82.dat	xmrig
behavioral2/files/0x0007000000023461-91.dat	xmrig
behavioral2/files/0x0007000000023462-92.dat	xmrig
behavioral2/files/0x0007000000023463-98.dat	xmrig
behavioral2/memory/1600-100-0x00007FF6AB950000-0x00007FF6ABCA4000-memory.dmp	xmrig
behavioral2/memory/4924-113-0x00007FF773B30000-0x00007FF773E84000-memory.dmp	xmrig
behavioral2/files/0x0007000000023465-121.dat	xmrig
behavioral2/memory/4204-127-0x00007FF75A470000-0x00007FF75A7C4000-memory.dmp	xmrig
behavioral2/memory/1336-132-0x00007FF6631D0000-0x00007FF663524000-memory.dmp	xmrig
behavioral2/files/0x0007000000023467-130.dat	xmrig
behavioral2/memory/636-129-0x00007FF6B4B00000-0x00007FF6B4E54000-memory.dmp	xmrig
behavioral2/memory/1524-128-0x00007FF65AD30000-0x00007FF65B084000-memory.dmp	xmrig
behavioral2/memory/3188-125-0x00007FF789DF0000-0x00007FF78A144000-memory.dmp	xmrig
behavioral2/memory/2636-124-0x00007FF659660000-0x00007FF6599B4000-memory.dmp	xmrig
behavioral2/memory/3916-120-0x00007FF6343F0000-0x00007FF634744000-memory.dmp	xmrig
behavioral2/memory/3016-119-0x00007FF6B8550000-0x00007FF6B88A4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023464-117.dat	xmrig
behavioral2/files/0x0007000000023466-114.dat	xmrig
behavioral2/memory/1324-106-0x00007FF613060000-0x00007FF6133B4000-memory.dmp	xmrig
behavioral2/memory/1604-96-0x00007FF773FD0000-0x00007FF774324000-memory.dmp	xmrig
behavioral2/memory/1828-93-0x00007FF615430000-0x00007FF615784000-memory.dmp	xmrig
behavioral2/memory/1292-89-0x00007FF690F30000-0x00007FF691284000-memory.dmp	xmrig
behavioral2/memory/5060-87-0x00007FF600340000-0x00007FF600694000-memory.dmp	xmrig
behavioral2/files/0x0007000000023460-86.dat	xmrig
behavioral2/memory/3564-75-0x00007FF6ACDB0000-0x00007FF6AD104000-memory.dmp	xmrig
behavioral2/files/0x000700000002345d-66.dat	xmrig
behavioral2/memory/5068-64-0x00007FF7088F0000-0x00007FF708C44000-memory.dmp	xmrig
behavioral2/memory/2224-48-0x00007FF6A5410000-0x00007FF6A5764000-memory.dmp	xmrig
behavioral2/memory/2232-42-0x00007FF6F28E0000-0x00007FF6F2C34000-memory.dmp	xmrig
behavioral2/memory/2224-136-0x00007FF6A5410000-0x00007FF6A5764000-memory.dmp	xmrig
behavioral2/memory/2232-135-0x00007FF6F28E0000-0x00007FF6F2C34000-memory.dmp	xmrig
behavioral2/memory/976-138-0x00007FF76F980000-0x00007FF76FCD4000-memory.dmp	xmrig
behavioral2/memory/2188-137-0x00007FF7593E0000-0x00007FF759734000-memory.dmp	xmrig
behavioral2/memory/5068-139-0x00007FF7088F0000-0x00007FF708C44000-memory.dmp	xmrig
behavioral2/memory/3564-140-0x00007FF6ACDB0000-0x00007FF6AD104000-memory.dmp	xmrig
behavioral2/memory/1600-141-0x00007FF6AB950000-0x00007FF6ABCA4000-memory.dmp	xmrig
behavioral2/memory/3016-142-0x00007FF6B8550000-0x00007FF6B88A4000-memory.dmp	xmrig
behavioral2/memory/1524-143-0x00007FF65AD30000-0x00007FF65B084000-memory.dmp	xmrig
behavioral2/memory/636-144-0x00007FF6B4B00000-0x00007FF6B4E54000-memory.dmp	xmrig
behavioral2/memory/5060-145-0x00007FF600340000-0x00007FF600694000-memory.dmp	xmrig
behavioral2/memory/1292-146-0x00007FF690F30000-0x00007FF691284000-memory.dmp	xmrig
behavioral2/memory/2636-147-0x00007FF659660000-0x00007FF6599B4000-memory.dmp	xmrig
behavioral2/memory/3188-148-0x00007FF789DF0000-0x00007FF78A144000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
5060	RZcNrZI.exe
1292	XxSGVOY.exe
2636	iiYJyRB.exe
1828	FCswlmi.exe
3188	fEIYgRP.exe
1336	IfzqVIt.exe
2232	tKjUbCG.exe
2224	MLigkNg.exe
2188	UUagLAa.exe
976	snHAnVU.exe
5068	eTrTmfH.exe
3564	ChqdXKH.exe
1604	fMPGWRS.exe
1324	dtPNQzl.exe
4924	EchMcKC.exe
1600	VGffKfU.exe
3016	zcChdjy.exe
3916	aOYNwhG.exe
4204	MTrxAkA.exe
1524	OtAPZTh.exe
636	DccxseZ.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4996-0-0x00007FF62BB50000-0x00007FF62BEA4000-memory.dmp	upx
behavioral2/files/0x000900000002343c-5.dat	upx
behavioral2/memory/5060-6-0x00007FF600340000-0x00007FF600694000-memory.dmp	upx
behavioral2/files/0x0007000000023456-17.dat	upx
behavioral2/files/0x0007000000023457-18.dat	upx
behavioral2/memory/1828-23-0x00007FF615430000-0x00007FF615784000-memory.dmp	upx
behavioral2/files/0x0007000000023458-30.dat	upx
behavioral2/memory/3188-29-0x00007FF789DF0000-0x00007FF78A144000-memory.dmp	upx
behavioral2/memory/1336-35-0x00007FF6631D0000-0x00007FF663524000-memory.dmp	upx
behavioral2/files/0x0007000000023459-36.dat	upx
behavioral2/memory/2636-24-0x00007FF659660000-0x00007FF6599B4000-memory.dmp	upx
behavioral2/memory/1292-19-0x00007FF690F30000-0x00007FF691284000-memory.dmp	upx
behavioral2/files/0x0007000000023455-14.dat	upx
behavioral2/files/0x000700000002345a-41.dat	upx
behavioral2/files/0x000b000000023449-47.dat	upx
behavioral2/memory/2188-54-0x00007FF7593E0000-0x00007FF759734000-memory.dmp	upx
behavioral2/files/0x000700000002345b-55.dat	upx
behavioral2/files/0x000700000002345c-58.dat	upx
behavioral2/memory/976-62-0x00007FF76F980000-0x00007FF76FCD4000-memory.dmp	upx
behavioral2/files/0x000700000002345e-70.dat	upx
behavioral2/memory/4996-71-0x00007FF62BB50000-0x00007FF62BEA4000-memory.dmp	upx
behavioral2/files/0x000700000002345f-82.dat	upx
behavioral2/files/0x0007000000023461-91.dat	upx
behavioral2/files/0x0007000000023462-92.dat	upx
behavioral2/files/0x0007000000023463-98.dat	upx
behavioral2/memory/1600-100-0x00007FF6AB950000-0x00007FF6ABCA4000-memory.dmp	upx
behavioral2/memory/4924-113-0x00007FF773B30000-0x00007FF773E84000-memory.dmp	upx
behavioral2/files/0x0007000000023465-121.dat	upx
behavioral2/memory/4204-127-0x00007FF75A470000-0x00007FF75A7C4000-memory.dmp	upx
behavioral2/memory/1336-132-0x00007FF6631D0000-0x00007FF663524000-memory.dmp	upx
behavioral2/files/0x0007000000023467-130.dat	upx
behavioral2/memory/636-129-0x00007FF6B4B00000-0x00007FF6B4E54000-memory.dmp	upx
behavioral2/memory/1524-128-0x00007FF65AD30000-0x00007FF65B084000-memory.dmp	upx
behavioral2/memory/3188-125-0x00007FF789DF0000-0x00007FF78A144000-memory.dmp	upx
behavioral2/memory/2636-124-0x00007FF659660000-0x00007FF6599B4000-memory.dmp	upx
behavioral2/memory/3916-120-0x00007FF6343F0000-0x00007FF634744000-memory.dmp	upx
behavioral2/memory/3016-119-0x00007FF6B8550000-0x00007FF6B88A4000-memory.dmp	upx
behavioral2/files/0x0007000000023464-117.dat	upx
behavioral2/files/0x0007000000023466-114.dat	upx
behavioral2/memory/1324-106-0x00007FF613060000-0x00007FF6133B4000-memory.dmp	upx
behavioral2/memory/1604-96-0x00007FF773FD0000-0x00007FF774324000-memory.dmp	upx
behavioral2/memory/1828-93-0x00007FF615430000-0x00007FF615784000-memory.dmp	upx
behavioral2/memory/1292-89-0x00007FF690F30000-0x00007FF691284000-memory.dmp	upx
behavioral2/memory/5060-87-0x00007FF600340000-0x00007FF600694000-memory.dmp	upx
behavioral2/files/0x0007000000023460-86.dat	upx
behavioral2/memory/3564-75-0x00007FF6ACDB0000-0x00007FF6AD104000-memory.dmp	upx
behavioral2/files/0x000700000002345d-66.dat	upx
behavioral2/memory/5068-64-0x00007FF7088F0000-0x00007FF708C44000-memory.dmp	upx
behavioral2/memory/2224-48-0x00007FF6A5410000-0x00007FF6A5764000-memory.dmp	upx
behavioral2/memory/2232-42-0x00007FF6F28E0000-0x00007FF6F2C34000-memory.dmp	upx
behavioral2/memory/2224-136-0x00007FF6A5410000-0x00007FF6A5764000-memory.dmp	upx
behavioral2/memory/2232-135-0x00007FF6F28E0000-0x00007FF6F2C34000-memory.dmp	upx
behavioral2/memory/976-138-0x00007FF76F980000-0x00007FF76FCD4000-memory.dmp	upx
behavioral2/memory/2188-137-0x00007FF7593E0000-0x00007FF759734000-memory.dmp	upx
behavioral2/memory/5068-139-0x00007FF7088F0000-0x00007FF708C44000-memory.dmp	upx
behavioral2/memory/3564-140-0x00007FF6ACDB0000-0x00007FF6AD104000-memory.dmp	upx
behavioral2/memory/1600-141-0x00007FF6AB950000-0x00007FF6ABCA4000-memory.dmp	upx
behavioral2/memory/3016-142-0x00007FF6B8550000-0x00007FF6B88A4000-memory.dmp	upx
behavioral2/memory/1524-143-0x00007FF65AD30000-0x00007FF65B084000-memory.dmp	upx
behavioral2/memory/636-144-0x00007FF6B4B00000-0x00007FF6B4E54000-memory.dmp	upx
behavioral2/memory/5060-145-0x00007FF600340000-0x00007FF600694000-memory.dmp	upx
behavioral2/memory/1292-146-0x00007FF690F30000-0x00007FF691284000-memory.dmp	upx
behavioral2/memory/2636-147-0x00007FF659660000-0x00007FF6599B4000-memory.dmp	upx
behavioral2/memory/3188-148-0x00007FF789DF0000-0x00007FF78A144000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\fMPGWRS.exe	2024-09-26_0633a429664570671662a565cbc93efa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aOYNwhG.exe	2024-09-26_0633a429664570671662a565cbc93efa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FCswlmi.exe	2024-09-26_0633a429664570671662a565cbc93efa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tKjUbCG.exe	2024-09-26_0633a429664570671662a565cbc93efa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UUagLAa.exe	2024-09-26_0633a429664570671662a565cbc93efa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dtPNQzl.exe	2024-09-26_0633a429664570671662a565cbc93efa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VGffKfU.exe	2024-09-26_0633a429664570671662a565cbc93efa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zcChdjy.exe	2024-09-26_0633a429664570671662a565cbc93efa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MTrxAkA.exe	2024-09-26_0633a429664570671662a565cbc93efa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fEIYgRP.exe	2024-09-26_0633a429664570671662a565cbc93efa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MLigkNg.exe	2024-09-26_0633a429664570671662a565cbc93efa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ChqdXKH.exe	2024-09-26_0633a429664570671662a565cbc93efa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OtAPZTh.exe	2024-09-26_0633a429664570671662a565cbc93efa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DccxseZ.exe	2024-09-26_0633a429664570671662a565cbc93efa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\snHAnVU.exe	2024-09-26_0633a429664570671662a565cbc93efa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eTrTmfH.exe	2024-09-26_0633a429664570671662a565cbc93efa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iiYJyRB.exe	2024-09-26_0633a429664570671662a565cbc93efa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IfzqVIt.exe	2024-09-26_0633a429664570671662a565cbc93efa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EchMcKC.exe	2024-09-26_0633a429664570671662a565cbc93efa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RZcNrZI.exe	2024-09-26_0633a429664570671662a565cbc93efa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XxSGVOY.exe	2024-09-26_0633a429664570671662a565cbc93efa_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4996	2024-09-26_0633a429664570671662a565cbc93efa_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4996	2024-09-26_0633a429664570671662a565cbc93efa_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4996 wrote to memory of 5060	4996	2024-09-26_0633a429664570671662a565cbc93efa_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 4996 wrote to memory of 5060	4996	2024-09-26_0633a429664570671662a565cbc93efa_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 4996 wrote to memory of 1292	4996	2024-09-26_0633a429664570671662a565cbc93efa_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4996 wrote to memory of 1292	4996	2024-09-26_0633a429664570671662a565cbc93efa_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4996 wrote to memory of 2636	4996	2024-09-26_0633a429664570671662a565cbc93efa_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4996 wrote to memory of 2636	4996	2024-09-26_0633a429664570671662a565cbc93efa_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4996 wrote to memory of 1828	4996	2024-09-26_0633a429664570671662a565cbc93efa_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4996 wrote to memory of 1828	4996	2024-09-26_0633a429664570671662a565cbc93efa_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4996 wrote to memory of 3188	4996	2024-09-26_0633a429664570671662a565cbc93efa_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4996 wrote to memory of 3188	4996	2024-09-26_0633a429664570671662a565cbc93efa_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4996 wrote to memory of 1336	4996	2024-09-26_0633a429664570671662a565cbc93efa_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4996 wrote to memory of 1336	4996	2024-09-26_0633a429664570671662a565cbc93efa_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4996 wrote to memory of 2232	4996	2024-09-26_0633a429664570671662a565cbc93efa_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4996 wrote to memory of 2232	4996	2024-09-26_0633a429664570671662a565cbc93efa_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4996 wrote to memory of 2224	4996	2024-09-26_0633a429664570671662a565cbc93efa_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4996 wrote to memory of 2224	4996	2024-09-26_0633a429664570671662a565cbc93efa_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4996 wrote to memory of 2188	4996	2024-09-26_0633a429664570671662a565cbc93efa_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4996 wrote to memory of 2188	4996	2024-09-26_0633a429664570671662a565cbc93efa_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4996 wrote to memory of 976	4996	2024-09-26_0633a429664570671662a565cbc93efa_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4996 wrote to memory of 976	4996	2024-09-26_0633a429664570671662a565cbc93efa_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4996 wrote to memory of 5068	4996	2024-09-26_0633a429664570671662a565cbc93efa_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4996 wrote to memory of 5068	4996	2024-09-26_0633a429664570671662a565cbc93efa_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4996 wrote to memory of 3564	4996	2024-09-26_0633a429664570671662a565cbc93efa_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4996 wrote to memory of 3564	4996	2024-09-26_0633a429664570671662a565cbc93efa_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4996 wrote to memory of 1604	4996	2024-09-26_0633a429664570671662a565cbc93efa_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4996 wrote to memory of 1604	4996	2024-09-26_0633a429664570671662a565cbc93efa_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4996 wrote to memory of 1324	4996	2024-09-26_0633a429664570671662a565cbc93efa_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4996 wrote to memory of 1324	4996	2024-09-26_0633a429664570671662a565cbc93efa_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4996 wrote to memory of 4924	4996	2024-09-26_0633a429664570671662a565cbc93efa_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4996 wrote to memory of 4924	4996	2024-09-26_0633a429664570671662a565cbc93efa_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4996 wrote to memory of 1600	4996	2024-09-26_0633a429664570671662a565cbc93efa_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4996 wrote to memory of 1600	4996	2024-09-26_0633a429664570671662a565cbc93efa_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4996 wrote to memory of 3016	4996	2024-09-26_0633a429664570671662a565cbc93efa_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4996 wrote to memory of 3016	4996	2024-09-26_0633a429664570671662a565cbc93efa_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4996 wrote to memory of 3916	4996	2024-09-26_0633a429664570671662a565cbc93efa_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4996 wrote to memory of 3916	4996	2024-09-26_0633a429664570671662a565cbc93efa_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4996 wrote to memory of 4204	4996	2024-09-26_0633a429664570671662a565cbc93efa_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4996 wrote to memory of 4204	4996	2024-09-26_0633a429664570671662a565cbc93efa_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4996 wrote to memory of 1524	4996	2024-09-26_0633a429664570671662a565cbc93efa_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4996 wrote to memory of 1524	4996	2024-09-26_0633a429664570671662a565cbc93efa_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4996 wrote to memory of 636	4996	2024-09-26_0633a429664570671662a565cbc93efa_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4996 wrote to memory of 636	4996	2024-09-26_0633a429664570671662a565cbc93efa_cobalt-strike_cobaltstrike_poet-rat.exe	103

C:\Users\Admin\AppData\Local\Temp\2024-09-26_0633a429664570671662a565cbc93efa_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-26_0633a429664570671662a565cbc93efa_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4996
- C:\Windows\System\RZcNrZI.exe
  C:\Windows\System\RZcNrZI.exe
  2⤵
  - Executes dropped EXE
  PID:5060
- C:\Windows\System\XxSGVOY.exe
  C:\Windows\System\XxSGVOY.exe
  2⤵
  - Executes dropped EXE
  PID:1292
- C:\Windows\System\iiYJyRB.exe
  C:\Windows\System\iiYJyRB.exe
  2⤵
  - Executes dropped EXE
  PID:2636
- C:\Windows\System\FCswlmi.exe
  C:\Windows\System\FCswlmi.exe
  2⤵
  - Executes dropped EXE
  PID:1828
- C:\Windows\System\fEIYgRP.exe
  C:\Windows\System\fEIYgRP.exe
  2⤵
  - Executes dropped EXE
  PID:3188
- C:\Windows\System\IfzqVIt.exe
  C:\Windows\System\IfzqVIt.exe
  2⤵
  - Executes dropped EXE
  PID:1336
- C:\Windows\System\tKjUbCG.exe
  C:\Windows\System\tKjUbCG.exe
  2⤵
  - Executes dropped EXE
  PID:2232
- C:\Windows\System\MLigkNg.exe
  C:\Windows\System\MLigkNg.exe
  2⤵
  - Executes dropped EXE
  PID:2224
- C:\Windows\System\UUagLAa.exe
  C:\Windows\System\UUagLAa.exe
  2⤵
  - Executes dropped EXE
  PID:2188
- C:\Windows\System\snHAnVU.exe
  C:\Windows\System\snHAnVU.exe
  2⤵
  - Executes dropped EXE
  PID:976
- C:\Windows\System\eTrTmfH.exe
  C:\Windows\System\eTrTmfH.exe
  2⤵
  - Executes dropped EXE
  PID:5068
- C:\Windows\System\ChqdXKH.exe
  C:\Windows\System\ChqdXKH.exe
  2⤵
  - Executes dropped EXE
  PID:3564
- C:\Windows\System\fMPGWRS.exe
  C:\Windows\System\fMPGWRS.exe
  2⤵
  - Executes dropped EXE
  PID:1604
- C:\Windows\System\dtPNQzl.exe
  C:\Windows\System\dtPNQzl.exe
  2⤵
  - Executes dropped EXE
  PID:1324
- C:\Windows\System\EchMcKC.exe
  C:\Windows\System\EchMcKC.exe
  2⤵
  - Executes dropped EXE
  PID:4924
- C:\Windows\System\VGffKfU.exe
  C:\Windows\System\VGffKfU.exe
  2⤵
  - Executes dropped EXE
  PID:1600
- C:\Windows\System\zcChdjy.exe
  C:\Windows\System\zcChdjy.exe
  2⤵
  - Executes dropped EXE
  PID:3016
- C:\Windows\System\aOYNwhG.exe
  C:\Windows\System\aOYNwhG.exe
  2⤵
  - Executes dropped EXE
  PID:3916
- C:\Windows\System\MTrxAkA.exe
  C:\Windows\System\MTrxAkA.exe
  2⤵
  - Executes dropped EXE
  PID:4204
- C:\Windows\System\OtAPZTh.exe
  C:\Windows\System\OtAPZTh.exe
  2⤵
  - Executes dropped EXE
  PID:1524
- C:\Windows\System\DccxseZ.exe
  C:\Windows\System\DccxseZ.exe
  2⤵
  - Executes dropped EXE
  PID:636

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\ChqdXKH.exe

Filesize
5.9MB

MD5
5a8a8b76ed77ee583de8e3004168fad6

SHA1
cc974fd02cf3a50e40a84abf0fb1704a7bfb20f4

SHA256
49e1fe8d997eff36f298e90a04ee05cc09989112fa344a9facefb7a74171ffd6

SHA512
5bded2270b94b89d36aa1b3b943dc2a7400ca0dcdb3eb5bded0961156a34ab166a6251dde37de983eaec8b0236e89bd6704e87f8a2cdf5826de453eb99ab499f

Download Submit
C:\Windows\System\DccxseZ.exe

Filesize
5.9MB

MD5
98749493b2b023573043b411ef32aba2

SHA1
71b8015d9378a7b0284c112cf612c983b5017787

SHA256
cdfb0ae5ac1d137e5c57e5409e1c50bc7733318a600d485c81c4f3733a26c23a

SHA512
5e79074287f0d5858d7839e9ff8388de27d7ca93ba5cea1eaaa67fbae28b2282a2dd499ec72dfca5f866bfa80674dc70e67bf7b09fde4e5ee52245fbb48fa9b5

Download Submit
C:\Windows\System\EchMcKC.exe

Filesize
5.9MB

MD5
ed9579c55f261cf67303b556c6e41dbc

SHA1
fc29e721c7e75d23ecbc6694aa4939734255a257

SHA256
438f3422466294e8802813e1909ad932657943ba36b99222c4a4ae566f25aa4d

SHA512
6661eda0a2220377aa0d2867e9fefe5886de90394b494b5e64e2c381f788db0d391109a755794b29a7b5962b5e8e19350087ea5837a016119f3be248adf142e1

Download Submit
C:\Windows\System\FCswlmi.exe

Filesize
5.9MB

MD5
f927d79cff4b622f5bdc6f4b62bbd1b0

SHA1
2f3d19aaf3788ccc55857f8d6fb52c699ba3a81a

SHA256
b66f7ebeb1ddd2ad1a526e489e9d3b1e7ce891968d1de1251bd3c90fffc7ed92

SHA512
c97244375d9b7019007104549cf06a56310e9660e82394c0ee1a7f28d55c653514d82ef880f821b951939e18ad7d70f61a78dcef8fa1d60a008455c839d198b0

Download Submit
C:\Windows\System\IfzqVIt.exe

Filesize
5.9MB

MD5
bb9e20b6e8f310b9818c7ddb9a2f22a5

SHA1
b386367faea4de36647b10bf016ad830c6b51dc9

SHA256
a3aeab22d8a0dff459a56fb636652dbaa9177902e0c45a8b016b791b2d104584

SHA512
f1e710ce34f8f41c51973e761c35e8cbae9a127583a95bc50d57f4466488a3e011656865fbac0604d1631b8350284229e7a48b5bdb352a6937cfbe1b6d592694

Download Submit
C:\Windows\System\MLigkNg.exe

Filesize
5.9MB

MD5
4d0299204ac9ea28fc525473748572f5

SHA1
8f0b58bc40b7d2a2d2f4f8f3f4cf5d40c93bd98f

SHA256
8e81675869c786309b3bd6344b381af82decef9180d63511578c2c4750528e99

SHA512
bd6693517217c0424a5b71bbb5f90d81a53463418742ecad678e8534588ce8b8d1ccd6611d2b4a71497c6a52cf326ca26f6b784089f4db16dbe2bc624cef6a5f

Download Submit
C:\Windows\System\MTrxAkA.exe

Filesize
5.9MB

MD5
a2f7f71e4dcba00298f22ce46f56972d

SHA1
973c1faea015762a4d78f821522781be4bcfcadf

SHA256
ba441029ebd605021e89f52ed3cc874a5a095bac37b4cc6539cf977295cba1e8

SHA512
11b64e387f803be028f78b9e015fbec80a4fee18e4689729b9180b4cf8e274a22019bf3bc08d2485d7c670cdb82e726b5b3d7a18d34a3fb96f238c9197fa6c88

Download Submit
C:\Windows\System\OtAPZTh.exe

Filesize
5.9MB

MD5
154b5f6d88ddf82a2478b56bb733deca

SHA1
7b49952d65c21843e2a230f21b904c81c2ac999f

SHA256
f97d0781cd787058322694b656b6d08e691f49ac312d6db636e13396a9d3b2c3

SHA512
6900f89a0055963adbc865adc51e9ec0a9b2e226b19319934e54d6efc9f96c0f9d620c38de9b7ff2ab1e9dcd3f4f5cd457fccda65d0ecb66ff9e8dd60b5f8f88

Download Submit
C:\Windows\System\RZcNrZI.exe

Filesize
5.9MB

MD5
6cb7ca752a619298f4def58d946cdfa6

SHA1
b7f127d805b6b37c0f59bea83212a745e7cdbaf4

SHA256
ab3768699c7d9bd5734ee8ddb3e43bee3089d7c21cb77afbb83f748e97df51e8

SHA512
c8c28863346d02523a8fce8212966da6ebfae60be0bdea310b645d94d8bffd33c9bb8c84195d5bb4379d45f427469176f92d8a1ad5b926e96e68d1491399dc4a

Download Submit
C:\Windows\System\UUagLAa.exe

Filesize
5.9MB

MD5
7ac94371263dc15884150fba2b1cb810

SHA1
74600061b147e694c297b4b2b08d3b1f0d9e6716

SHA256
abbcb7b1a099ad4e0938ab63b552a9b272c77abaaa91791a03fc1982772e7c09

SHA512
747c1a8686c34e816ce5236f5e6c52019499f24c5de102600353139eda76d57a6811cfdecb870c755f5b5f7a6165dae128e8d2fd757f4c9de461cbe4ed375075

Download Submit
C:\Windows\System\VGffKfU.exe

Filesize
5.9MB

MD5
594e274f5acfabcbc818ec9174cf4e3d

SHA1
957a6b470501b436ac5d65d5b65c0fc6ee440b90

SHA256
f667e1aa659e1976699cce785dca04ccae3ec949bbf9156b12c5afb4ca6fb994

SHA512
21b82e090b724cdc317b2bec298091f4446b0154a3d7429dd03b50b53d5ec9e7391dff8d3ec4616506f748d5bf8b6be6910af1c375cf64a566d32fb19820e3a2

Download Submit
C:\Windows\System\XxSGVOY.exe

Filesize
5.9MB

MD5
0a4bdd8147a675e192dbd7e6743cc6ec

SHA1
b445df315e2e1cb1d6a1d5655eb3825d76f07934

SHA256
b2db33633ae671d57a293813751eb602214aeecb7aa222c02ddd5fef0fb17338

SHA512
21302dda637f5d7c70a2f7debcd367198ce10cadaab65a29d1a596f05a83c3789c2508919e924af2fc351414e6a16fdf1f32b80db90bf26386c123b065d608a4

Download Submit
C:\Windows\System\aOYNwhG.exe

Filesize
5.9MB

MD5
cd96f415c3ea0e802f5d38aa8cbf3cca

SHA1
140d52ba0ece8ca46773a9286d836a0bc40a8874

SHA256
6015fbc0897f86abdc7946b810834f38623206e651503745bfbaff59267cba5f

SHA512
dca6bd78ceae5f0a53bfb297459a569c87e2de09fdd43dd5eb07e3aa3d020127a38c620f7ebc8e5671fbf510fc8d98fc12e9d5332acba0ed1100111e4bc887b7

Download Submit
C:\Windows\System\dtPNQzl.exe

Filesize
5.9MB

MD5
f086da5b65b90475add1353a49541f9d

SHA1
439e51029ee763dc8012519bc475d826e739ce42

SHA256
700ba7620261d818b4c54236401422176b888242ee2280b14d501a95cea72d38

SHA512
bb9ad05614df8530a25cd70ca5b8bf415254c84500749ae2ecccbaad4969eaa41ad6cf682fdf9af749272690a2fb39941947a45548f0c5d9ae2209f4823199a3

Download Submit
C:\Windows\System\eTrTmfH.exe

Filesize
5.9MB

MD5
b50eef769944b66bfb1a1025053c2d4d

SHA1
b03b10d3f3c438b2428350cd9c80f910f5885f05

SHA256
cd0dfb816d18a24b7ea4d8680a4219a18935a90c830b2f40f26aa56d35094cc6

SHA512
32882577eb7447e65b4a99afb939ae13f58a025019b28be61c9516e6e1447a9330c763efbcc5fe862deb942f31a5bb8ec6e31faf650855c6813ee00651051664

Download Submit
C:\Windows\System\fEIYgRP.exe

Filesize
5.9MB

MD5
7213477c780957bdd95cd435dc190225

SHA1
2901561c30446e2a3b35116b815cb0ab0dd644e2

SHA256
532bfad2fa396c45c52cc29d9eb2129b760f0116db3001fe7471878762b961b4

SHA512
41351936597149fb442dc608c43c0dceefffe6b4ef3e52eb0151c6154e5e2d8bb9e984b7b010135943f4b3cb035d63a5cb4a8d7e48e94fc84c8813c5094359c8

Download Submit
C:\Windows\System\fMPGWRS.exe

Filesize
5.9MB

MD5
4d772e9159329fb87626b918e7ee78ae

SHA1
05a82c4411c17d433bbf76ab9d56a30b20f85bfc

SHA256
7a768fe22890ddc0ad866be6f4c7b66e0426efbfc636dc3f35a7d086f9de20ed

SHA512
1044af62d030a801173aeeb7242a3a9c21abf3ba8738bf3a21cc2b16375f80b4a7592418e841e239e132f6ad002e324c934ffe5a30194ce79dde0a38cea42a45

Download Submit
C:\Windows\System\iiYJyRB.exe

Filesize
5.9MB

MD5
5589ce4bb114bc096a3400924841a99e

SHA1
32500056c3ad55f543e151e9ab21368f0a2fcac0

SHA256
25d1506ae04719eefc230652ee6c4817f7bff9bcb16bf670b054787888449920

SHA512
5c85bc4da2b09a8c9c1a11466ed5b03965e5bbf540e1b385f1ac34d6306ec43e06de195ca4fe8cbeefbcdf7fe14f9d0b43b76b003681a0cd9a011eb7632ad894

Download Submit
C:\Windows\System\snHAnVU.exe

Filesize
5.9MB

MD5
059f77ff2f30447dcfa7503fcf8b3d42

SHA1
471c0d09057fac0ded1208300d1057aca68ea219

SHA256
c96ba4ad826c13a84f007cb4bc822451a9dc999b02b5918d6a3956d8c0c869e6

SHA512
36c74f7fc85c5f45b20d9679c66f56b488ef1ce421b8871c44470987229d1e9a01873d367eb09f27a3d6fed2123add57a6b9af32e6096654f293ff57c43384d8

Download Submit
C:\Windows\System\tKjUbCG.exe

Filesize
5.9MB

MD5
a76507f5cedcf8d84ce301fb039b1ceb

SHA1
e2ef668fd3566adce7b46ccfc9486f296f106f47

SHA256
71f3ced3dc1c1ef07ad8f55aa2c8486cf7462882af96a539a2ef7ed5a132b1cc

SHA512
9f226d04f97d1b54ac35638eea2ad28582e84c8f92ccae3ff21754a264f3c986935c6f40cab489edc3a8eced6fd610ccdc5294fc7d8d9a720397fb69147956d2

Download Submit
C:\Windows\System\zcChdjy.exe

Filesize
5.9MB

MD5
180d26fd1fc0c961f5cb67a0a8f06cbf

SHA1
fd0904ce9130144ecd57b90ff9ecdb7f9aebf5b3

SHA256
f483d3baa10ced0d62f47e08455cdb5f1cb683be5572e0f45da47bac30d1ec08

SHA512
0182481654f5f4885faecde3a92083e9a0cd29681a65a0d9e23a26a20bfff4ade7617124f84052a5317ff83fd4ee86c7b53cba6da5d64d5f599fff4f987f444a

Download Submit
memory/636-144-0x00007FF6B4B00000-0x00007FF6B4E54000-memory.dmp

Filesize
3.3MB

Download
memory/636-164-0x00007FF6B4B00000-0x00007FF6B4E54000-memory.dmp

Filesize
3.3MB

Download
memory/636-129-0x00007FF6B4B00000-0x00007FF6B4E54000-memory.dmp

Filesize
3.3MB

Download
memory/976-62-0x00007FF76F980000-0x00007FF76FCD4000-memory.dmp

Filesize
3.3MB

Download
memory/976-138-0x00007FF76F980000-0x00007FF76FCD4000-memory.dmp

Filesize
3.3MB

Download
memory/976-155-0x00007FF76F980000-0x00007FF76FCD4000-memory.dmp

Filesize
3.3MB

Download
memory/1292-89-0x00007FF690F30000-0x00007FF691284000-memory.dmp

Filesize
3.3MB

Download
memory/1292-19-0x00007FF690F30000-0x00007FF691284000-memory.dmp

Filesize
3.3MB

Download
memory/1292-146-0x00007FF690F30000-0x00007FF691284000-memory.dmp

Filesize
3.3MB

Download
memory/1324-106-0x00007FF613060000-0x00007FF6133B4000-memory.dmp

Filesize
3.3MB

Download
memory/1324-158-0x00007FF613060000-0x00007FF6133B4000-memory.dmp

Filesize
3.3MB

Download
memory/1336-132-0x00007FF6631D0000-0x00007FF663524000-memory.dmp

Filesize
3.3MB

Download
memory/1336-150-0x00007FF6631D0000-0x00007FF663524000-memory.dmp

Filesize
3.3MB

Download
memory/1336-35-0x00007FF6631D0000-0x00007FF663524000-memory.dmp

Filesize
3.3MB

Download
memory/1524-165-0x00007FF65AD30000-0x00007FF65B084000-memory.dmp

Filesize
3.3MB

Download
memory/1524-128-0x00007FF65AD30000-0x00007FF65B084000-memory.dmp

Filesize
3.3MB

Download
memory/1524-143-0x00007FF65AD30000-0x00007FF65B084000-memory.dmp

Filesize
3.3MB

Download
memory/1600-100-0x00007FF6AB950000-0x00007FF6ABCA4000-memory.dmp

Filesize
3.3MB

Download
memory/1600-141-0x00007FF6AB950000-0x00007FF6ABCA4000-memory.dmp

Filesize
3.3MB

Download
memory/1600-160-0x00007FF6AB950000-0x00007FF6ABCA4000-memory.dmp

Filesize
3.3MB

Download
memory/1604-96-0x00007FF773FD0000-0x00007FF774324000-memory.dmp

Filesize
3.3MB

Download
memory/1604-157-0x00007FF773FD0000-0x00007FF774324000-memory.dmp

Filesize
3.3MB

Download
memory/1828-93-0x00007FF615430000-0x00007FF615784000-memory.dmp

Filesize
3.3MB

Download
memory/1828-23-0x00007FF615430000-0x00007FF615784000-memory.dmp

Filesize
3.3MB

Download
memory/1828-149-0x00007FF615430000-0x00007FF615784000-memory.dmp

Filesize
3.3MB

Download
memory/2188-54-0x00007FF7593E0000-0x00007FF759734000-memory.dmp

Filesize
3.3MB

Download
memory/2188-153-0x00007FF7593E0000-0x00007FF759734000-memory.dmp

Filesize
3.3MB

Download
memory/2188-137-0x00007FF7593E0000-0x00007FF759734000-memory.dmp

Filesize
3.3MB

Download
memory/2224-48-0x00007FF6A5410000-0x00007FF6A5764000-memory.dmp

Filesize
3.3MB

Download
memory/2224-136-0x00007FF6A5410000-0x00007FF6A5764000-memory.dmp

Filesize
3.3MB

Download
memory/2224-152-0x00007FF6A5410000-0x00007FF6A5764000-memory.dmp

Filesize
3.3MB

Download
memory/2232-151-0x00007FF6F28E0000-0x00007FF6F2C34000-memory.dmp

Filesize
3.3MB

Download
memory/2232-42-0x00007FF6F28E0000-0x00007FF6F2C34000-memory.dmp

Filesize
3.3MB

Download
memory/2232-135-0x00007FF6F28E0000-0x00007FF6F2C34000-memory.dmp

Filesize
3.3MB

Download
memory/2636-147-0x00007FF659660000-0x00007FF6599B4000-memory.dmp

Filesize
3.3MB

Download
memory/2636-24-0x00007FF659660000-0x00007FF6599B4000-memory.dmp

Filesize
3.3MB

Download
memory/2636-124-0x00007FF659660000-0x00007FF6599B4000-memory.dmp

Filesize
3.3MB

Download
memory/3016-161-0x00007FF6B8550000-0x00007FF6B88A4000-memory.dmp

Filesize
3.3MB

Download
memory/3016-142-0x00007FF6B8550000-0x00007FF6B88A4000-memory.dmp

Filesize
3.3MB

Download
memory/3016-119-0x00007FF6B8550000-0x00007FF6B88A4000-memory.dmp

Filesize
3.3MB

Download
memory/3188-125-0x00007FF789DF0000-0x00007FF78A144000-memory.dmp

Filesize
3.3MB

Download
memory/3188-29-0x00007FF789DF0000-0x00007FF78A144000-memory.dmp

Filesize
3.3MB

Download
memory/3188-148-0x00007FF789DF0000-0x00007FF78A144000-memory.dmp

Filesize
3.3MB

Download
memory/3564-140-0x00007FF6ACDB0000-0x00007FF6AD104000-memory.dmp

Filesize
3.3MB

Download
memory/3564-75-0x00007FF6ACDB0000-0x00007FF6AD104000-memory.dmp

Filesize
3.3MB

Download
memory/3564-156-0x00007FF6ACDB0000-0x00007FF6AD104000-memory.dmp

Filesize
3.3MB

Download
memory/3916-162-0x00007FF6343F0000-0x00007FF634744000-memory.dmp

Filesize
3.3MB

Download
memory/3916-120-0x00007FF6343F0000-0x00007FF634744000-memory.dmp

Filesize
3.3MB

Download
memory/4204-127-0x00007FF75A470000-0x00007FF75A7C4000-memory.dmp

Filesize
3.3MB

Download
memory/4204-163-0x00007FF75A470000-0x00007FF75A7C4000-memory.dmp

Filesize
3.3MB

Download
memory/4924-159-0x00007FF773B30000-0x00007FF773E84000-memory.dmp

Filesize
3.3MB

Download
memory/4924-113-0x00007FF773B30000-0x00007FF773E84000-memory.dmp

Filesize
3.3MB

Download
memory/4996-71-0x00007FF62BB50000-0x00007FF62BEA4000-memory.dmp

Filesize
3.3MB

Download
memory/4996-0-0x00007FF62BB50000-0x00007FF62BEA4000-memory.dmp

Filesize
3.3MB

Download
memory/4996-1-0x00000169DCC00000-0x00000169DCC10000-memory.dmp

Filesize
64KB

Download
memory/5060-145-0x00007FF600340000-0x00007FF600694000-memory.dmp

Filesize
3.3MB

Download
memory/5060-6-0x00007FF600340000-0x00007FF600694000-memory.dmp

Filesize
3.3MB

Download
memory/5060-87-0x00007FF600340000-0x00007FF600694000-memory.dmp

Filesize
3.3MB

Download
memory/5068-154-0x00007FF7088F0000-0x00007FF708C44000-memory.dmp

Filesize
3.3MB

Download
memory/5068-64-0x00007FF7088F0000-0x00007FF708C44000-memory.dmp

Filesize
3.3MB

Download
memory/5068-139-0x00007FF7088F0000-0x00007FF708C44000-memory.dmp

Filesize
3.3MB

Download