cobaltstrike | 702426d16bcfec8399b80af291248415654c977f19884cd30822d2fcd3364f82

Analysis

max time kernel
136s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
26/09/2024, 18:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-26_64484c7afae991825ecb111e736e9a4d_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

64484c7afae991825ecb111e736e9a4d
SHA1

25ba0dcaa8d4c8f56a415b4bb2884053c2ef8068
SHA256

702426d16bcfec8399b80af291248415654c977f19884cd30822d2fcd3364f82
SHA512

a03ba06f5c8ee4ab0f8dc63233db331c093d5df5fbabef9431bf078827307ea8974e89cc52d130ed89fbca8de60f5a949c14700db5bafba9a270f7d5783d2d78
SSDEEP

98304:oemTLkNdfE0pZrt56utgpPFotBER/mQ32lU4:T+856utgpPF8u/74

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x00070000000234d9-12.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234da-11.dat	cobalt_reflective_dll
behavioral2/files/0x000900000002347c-5.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234e0-47.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234de-50.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234e1-51.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234e2-64.dat	cobalt_reflective_dll
behavioral2/files/0x00090000000234d6-73.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234df-54.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234dd-39.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234db-33.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234dc-30.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234e6-92.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234e9-113.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234e8-111.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ea-118.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234eb-124.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ec-131.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234e7-97.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234e5-90.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234e3-84.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/4628-0-0x00007FF715E60000-0x00007FF7161B4000-memory.dmp	xmrig
behavioral2/files/0x00070000000234d9-12.dat	xmrig
behavioral2/files/0x00070000000234da-11.dat	xmrig
behavioral2/memory/3464-14-0x00007FF7A4F20000-0x00007FF7A5274000-memory.dmp	xmrig
behavioral2/memory/264-8-0x00007FF6A0CA0000-0x00007FF6A0FF4000-memory.dmp	xmrig
behavioral2/files/0x000900000002347c-5.dat	xmrig
behavioral2/memory/4808-20-0x00007FF6004E0000-0x00007FF600834000-memory.dmp	xmrig
behavioral2/files/0x00070000000234e0-47.dat	xmrig
behavioral2/files/0x00070000000234de-50.dat	xmrig
behavioral2/files/0x00070000000234e1-51.dat	xmrig
behavioral2/files/0x00070000000234e2-64.dat	xmrig
behavioral2/memory/2968-65-0x00007FF7CF290000-0x00007FF7CF5E4000-memory.dmp	xmrig
behavioral2/files/0x00090000000234d6-73.dat	xmrig
behavioral2/memory/1052-72-0x00007FF7C4500000-0x00007FF7C4854000-memory.dmp	xmrig
behavioral2/memory/4492-69-0x00007FF6AD0D0000-0x00007FF6AD424000-memory.dmp	xmrig
behavioral2/memory/4628-67-0x00007FF715E60000-0x00007FF7161B4000-memory.dmp	xmrig
behavioral2/memory/4692-60-0x00007FF6B00C0000-0x00007FF6B0414000-memory.dmp	xmrig
behavioral2/files/0x00070000000234df-54.dat	xmrig
behavioral2/memory/836-53-0x00007FF720EE0000-0x00007FF721234000-memory.dmp	xmrig
behavioral2/memory/4700-43-0x00007FF7CBFB0000-0x00007FF7CC304000-memory.dmp	xmrig
behavioral2/files/0x00070000000234dd-39.dat	xmrig
behavioral2/memory/4108-38-0x00007FF63A390000-0x00007FF63A6E4000-memory.dmp	xmrig
behavioral2/files/0x00070000000234db-33.dat	xmrig
behavioral2/files/0x00070000000234dc-30.dat	xmrig
behavioral2/memory/2244-28-0x00007FF7CC1C0000-0x00007FF7CC514000-memory.dmp	xmrig
behavioral2/memory/712-25-0x00007FF7D8470000-0x00007FF7D87C4000-memory.dmp	xmrig
behavioral2/memory/3464-76-0x00007FF7A4F20000-0x00007FF7A5274000-memory.dmp	xmrig
behavioral2/memory/712-81-0x00007FF7D8470000-0x00007FF7D87C4000-memory.dmp	xmrig
behavioral2/files/0x00070000000234e6-92.dat	xmrig
behavioral2/memory/2716-96-0x00007FF6B6AE0000-0x00007FF6B6E34000-memory.dmp	xmrig
behavioral2/files/0x00070000000234e9-113.dat	xmrig
behavioral2/files/0x00070000000234e8-111.dat	xmrig
behavioral2/memory/1688-115-0x00007FF63A560000-0x00007FF63A8B4000-memory.dmp	xmrig
behavioral2/memory/1912-116-0x00007FF6274F0000-0x00007FF627844000-memory.dmp	xmrig
behavioral2/memory/1916-108-0x00007FF6BE010000-0x00007FF6BE364000-memory.dmp	xmrig
behavioral2/memory/1500-104-0x00007FF7152A0000-0x00007FF7155F4000-memory.dmp	xmrig
behavioral2/memory/4108-103-0x00007FF63A390000-0x00007FF63A6E4000-memory.dmp	xmrig
behavioral2/files/0x00070000000234ea-118.dat	xmrig
behavioral2/files/0x00070000000234eb-124.dat	xmrig
behavioral2/memory/2968-127-0x00007FF7CF290000-0x00007FF7CF5E4000-memory.dmp	xmrig
behavioral2/memory/4384-137-0x00007FF6E8670000-0x00007FF6E89C4000-memory.dmp	xmrig
behavioral2/memory/4804-134-0x00007FF665300000-0x00007FF665654000-memory.dmp	xmrig
behavioral2/files/0x00070000000234ec-131.dat	xmrig
behavioral2/memory/4692-126-0x00007FF6B00C0000-0x00007FF6B0414000-memory.dmp	xmrig
behavioral2/memory/3648-122-0x00007FF6A8200000-0x00007FF6A8554000-memory.dmp	xmrig
behavioral2/memory/836-121-0x00007FF720EE0000-0x00007FF721234000-memory.dmp	xmrig
behavioral2/memory/4700-120-0x00007FF7CBFB0000-0x00007FF7CC304000-memory.dmp	xmrig
behavioral2/memory/2244-102-0x00007FF7CC1C0000-0x00007FF7CC514000-memory.dmp	xmrig
behavioral2/files/0x00070000000234e7-97.dat	xmrig
behavioral2/files/0x00070000000234e5-90.dat	xmrig
behavioral2/files/0x00070000000234e3-84.dat	xmrig
behavioral2/memory/4492-138-0x00007FF6AD0D0000-0x00007FF6AD424000-memory.dmp	xmrig
behavioral2/memory/1508-85-0x00007FF7B2FC0000-0x00007FF7B3314000-memory.dmp	xmrig
behavioral2/memory/4808-80-0x00007FF6004E0000-0x00007FF600834000-memory.dmp	xmrig
behavioral2/memory/1052-139-0x00007FF7C4500000-0x00007FF7C4854000-memory.dmp	xmrig
behavioral2/memory/1508-140-0x00007FF7B2FC0000-0x00007FF7B3314000-memory.dmp	xmrig
behavioral2/memory/1500-141-0x00007FF7152A0000-0x00007FF7155F4000-memory.dmp	xmrig
behavioral2/memory/1688-142-0x00007FF63A560000-0x00007FF63A8B4000-memory.dmp	xmrig
behavioral2/memory/3648-143-0x00007FF6A8200000-0x00007FF6A8554000-memory.dmp	xmrig
behavioral2/memory/4804-144-0x00007FF665300000-0x00007FF665654000-memory.dmp	xmrig
behavioral2/memory/264-145-0x00007FF6A0CA0000-0x00007FF6A0FF4000-memory.dmp	xmrig
behavioral2/memory/3464-146-0x00007FF7A4F20000-0x00007FF7A5274000-memory.dmp	xmrig
behavioral2/memory/4808-147-0x00007FF6004E0000-0x00007FF600834000-memory.dmp	xmrig
behavioral2/memory/712-148-0x00007FF7D8470000-0x00007FF7D87C4000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
264	gYYmaOw.exe
3464	yxkmZNH.exe
4808	vMYuVFs.exe
712	fiynYBa.exe
2244	jwbXKeg.exe
4108	qyPGNKz.exe
4700	jcHbbBp.exe
836	tHiFDAO.exe
4692	MtuexRz.exe
2968	ZsPpKiL.exe
4492	FRSKdct.exe
1052	mwtiuGI.exe
1508	qiRyzRU.exe
2716	nDHmliB.exe
1500	eshJgYp.exe
1916	lMeonZB.exe
1912	mvweRWv.exe
1688	fkGfhEx.exe
3648	LFzyysN.exe
4804	aEnQriJ.exe
4384	QcnLZCJ.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4628-0-0x00007FF715E60000-0x00007FF7161B4000-memory.dmp	upx
behavioral2/files/0x00070000000234d9-12.dat	upx
behavioral2/files/0x00070000000234da-11.dat	upx
behavioral2/memory/3464-14-0x00007FF7A4F20000-0x00007FF7A5274000-memory.dmp	upx
behavioral2/memory/264-8-0x00007FF6A0CA0000-0x00007FF6A0FF4000-memory.dmp	upx
behavioral2/files/0x000900000002347c-5.dat	upx
behavioral2/memory/4808-20-0x00007FF6004E0000-0x00007FF600834000-memory.dmp	upx
behavioral2/files/0x00070000000234e0-47.dat	upx
behavioral2/files/0x00070000000234de-50.dat	upx
behavioral2/files/0x00070000000234e1-51.dat	upx
behavioral2/files/0x00070000000234e2-64.dat	upx
behavioral2/memory/2968-65-0x00007FF7CF290000-0x00007FF7CF5E4000-memory.dmp	upx
behavioral2/files/0x00090000000234d6-73.dat	upx
behavioral2/memory/1052-72-0x00007FF7C4500000-0x00007FF7C4854000-memory.dmp	upx
behavioral2/memory/4492-69-0x00007FF6AD0D0000-0x00007FF6AD424000-memory.dmp	upx
behavioral2/memory/4628-67-0x00007FF715E60000-0x00007FF7161B4000-memory.dmp	upx
behavioral2/memory/4692-60-0x00007FF6B00C0000-0x00007FF6B0414000-memory.dmp	upx
behavioral2/files/0x00070000000234df-54.dat	upx
behavioral2/memory/836-53-0x00007FF720EE0000-0x00007FF721234000-memory.dmp	upx
behavioral2/memory/4700-43-0x00007FF7CBFB0000-0x00007FF7CC304000-memory.dmp	upx
behavioral2/files/0x00070000000234dd-39.dat	upx
behavioral2/memory/4108-38-0x00007FF63A390000-0x00007FF63A6E4000-memory.dmp	upx
behavioral2/files/0x00070000000234db-33.dat	upx
behavioral2/files/0x00070000000234dc-30.dat	upx
behavioral2/memory/2244-28-0x00007FF7CC1C0000-0x00007FF7CC514000-memory.dmp	upx
behavioral2/memory/712-25-0x00007FF7D8470000-0x00007FF7D87C4000-memory.dmp	upx
behavioral2/memory/3464-76-0x00007FF7A4F20000-0x00007FF7A5274000-memory.dmp	upx
behavioral2/memory/712-81-0x00007FF7D8470000-0x00007FF7D87C4000-memory.dmp	upx
behavioral2/files/0x00070000000234e6-92.dat	upx
behavioral2/memory/2716-96-0x00007FF6B6AE0000-0x00007FF6B6E34000-memory.dmp	upx
behavioral2/files/0x00070000000234e9-113.dat	upx
behavioral2/files/0x00070000000234e8-111.dat	upx
behavioral2/memory/1688-115-0x00007FF63A560000-0x00007FF63A8B4000-memory.dmp	upx
behavioral2/memory/1912-116-0x00007FF6274F0000-0x00007FF627844000-memory.dmp	upx
behavioral2/memory/1916-108-0x00007FF6BE010000-0x00007FF6BE364000-memory.dmp	upx
behavioral2/memory/1500-104-0x00007FF7152A0000-0x00007FF7155F4000-memory.dmp	upx
behavioral2/memory/4108-103-0x00007FF63A390000-0x00007FF63A6E4000-memory.dmp	upx
behavioral2/files/0x00070000000234ea-118.dat	upx
behavioral2/files/0x00070000000234eb-124.dat	upx
behavioral2/memory/2968-127-0x00007FF7CF290000-0x00007FF7CF5E4000-memory.dmp	upx
behavioral2/memory/4384-137-0x00007FF6E8670000-0x00007FF6E89C4000-memory.dmp	upx
behavioral2/memory/4804-134-0x00007FF665300000-0x00007FF665654000-memory.dmp	upx
behavioral2/files/0x00070000000234ec-131.dat	upx
behavioral2/memory/4692-126-0x00007FF6B00C0000-0x00007FF6B0414000-memory.dmp	upx
behavioral2/memory/3648-122-0x00007FF6A8200000-0x00007FF6A8554000-memory.dmp	upx
behavioral2/memory/836-121-0x00007FF720EE0000-0x00007FF721234000-memory.dmp	upx
behavioral2/memory/4700-120-0x00007FF7CBFB0000-0x00007FF7CC304000-memory.dmp	upx
behavioral2/memory/2244-102-0x00007FF7CC1C0000-0x00007FF7CC514000-memory.dmp	upx
behavioral2/files/0x00070000000234e7-97.dat	upx
behavioral2/files/0x00070000000234e5-90.dat	upx
behavioral2/files/0x00070000000234e3-84.dat	upx
behavioral2/memory/4492-138-0x00007FF6AD0D0000-0x00007FF6AD424000-memory.dmp	upx
behavioral2/memory/1508-85-0x00007FF7B2FC0000-0x00007FF7B3314000-memory.dmp	upx
behavioral2/memory/4808-80-0x00007FF6004E0000-0x00007FF600834000-memory.dmp	upx
behavioral2/memory/1052-139-0x00007FF7C4500000-0x00007FF7C4854000-memory.dmp	upx
behavioral2/memory/1508-140-0x00007FF7B2FC0000-0x00007FF7B3314000-memory.dmp	upx
behavioral2/memory/1500-141-0x00007FF7152A0000-0x00007FF7155F4000-memory.dmp	upx
behavioral2/memory/1688-142-0x00007FF63A560000-0x00007FF63A8B4000-memory.dmp	upx
behavioral2/memory/3648-143-0x00007FF6A8200000-0x00007FF6A8554000-memory.dmp	upx
behavioral2/memory/4804-144-0x00007FF665300000-0x00007FF665654000-memory.dmp	upx
behavioral2/memory/264-145-0x00007FF6A0CA0000-0x00007FF6A0FF4000-memory.dmp	upx
behavioral2/memory/3464-146-0x00007FF7A4F20000-0x00007FF7A5274000-memory.dmp	upx
behavioral2/memory/4808-147-0x00007FF6004E0000-0x00007FF600834000-memory.dmp	upx
behavioral2/memory/712-148-0x00007FF7D8470000-0x00007FF7D87C4000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\eshJgYp.exe	2024-09-26_64484c7afae991825ecb111e736e9a4d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mvweRWv.exe	2024-09-26_64484c7afae991825ecb111e736e9a4d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fiynYBa.exe	2024-09-26_64484c7afae991825ecb111e736e9a4d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mwtiuGI.exe	2024-09-26_64484c7afae991825ecb111e736e9a4d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jcHbbBp.exe	2024-09-26_64484c7afae991825ecb111e736e9a4d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tHiFDAO.exe	2024-09-26_64484c7afae991825ecb111e736e9a4d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LFzyysN.exe	2024-09-26_64484c7afae991825ecb111e736e9a4d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QcnLZCJ.exe	2024-09-26_64484c7afae991825ecb111e736e9a4d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jwbXKeg.exe	2024-09-26_64484c7afae991825ecb111e736e9a4d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qyPGNKz.exe	2024-09-26_64484c7afae991825ecb111e736e9a4d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vMYuVFs.exe	2024-09-26_64484c7afae991825ecb111e736e9a4d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FRSKdct.exe	2024-09-26_64484c7afae991825ecb111e736e9a4d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nDHmliB.exe	2024-09-26_64484c7afae991825ecb111e736e9a4d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lMeonZB.exe	2024-09-26_64484c7afae991825ecb111e736e9a4d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fkGfhEx.exe	2024-09-26_64484c7afae991825ecb111e736e9a4d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gYYmaOw.exe	2024-09-26_64484c7afae991825ecb111e736e9a4d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yxkmZNH.exe	2024-09-26_64484c7afae991825ecb111e736e9a4d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qiRyzRU.exe	2024-09-26_64484c7afae991825ecb111e736e9a4d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aEnQriJ.exe	2024-09-26_64484c7afae991825ecb111e736e9a4d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MtuexRz.exe	2024-09-26_64484c7afae991825ecb111e736e9a4d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZsPpKiL.exe	2024-09-26_64484c7afae991825ecb111e736e9a4d_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4628	2024-09-26_64484c7afae991825ecb111e736e9a4d_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4628	2024-09-26_64484c7afae991825ecb111e736e9a4d_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4628 wrote to memory of 264	4628	2024-09-26_64484c7afae991825ecb111e736e9a4d_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 4628 wrote to memory of 264	4628	2024-09-26_64484c7afae991825ecb111e736e9a4d_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 4628 wrote to memory of 3464	4628	2024-09-26_64484c7afae991825ecb111e736e9a4d_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4628 wrote to memory of 3464	4628	2024-09-26_64484c7afae991825ecb111e736e9a4d_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4628 wrote to memory of 4808	4628	2024-09-26_64484c7afae991825ecb111e736e9a4d_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4628 wrote to memory of 4808	4628	2024-09-26_64484c7afae991825ecb111e736e9a4d_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4628 wrote to memory of 2244	4628	2024-09-26_64484c7afae991825ecb111e736e9a4d_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4628 wrote to memory of 2244	4628	2024-09-26_64484c7afae991825ecb111e736e9a4d_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4628 wrote to memory of 712	4628	2024-09-26_64484c7afae991825ecb111e736e9a4d_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4628 wrote to memory of 712	4628	2024-09-26_64484c7afae991825ecb111e736e9a4d_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4628 wrote to memory of 4108	4628	2024-09-26_64484c7afae991825ecb111e736e9a4d_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4628 wrote to memory of 4108	4628	2024-09-26_64484c7afae991825ecb111e736e9a4d_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4628 wrote to memory of 4700	4628	2024-09-26_64484c7afae991825ecb111e736e9a4d_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4628 wrote to memory of 4700	4628	2024-09-26_64484c7afae991825ecb111e736e9a4d_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4628 wrote to memory of 836	4628	2024-09-26_64484c7afae991825ecb111e736e9a4d_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4628 wrote to memory of 836	4628	2024-09-26_64484c7afae991825ecb111e736e9a4d_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4628 wrote to memory of 4692	4628	2024-09-26_64484c7afae991825ecb111e736e9a4d_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4628 wrote to memory of 4692	4628	2024-09-26_64484c7afae991825ecb111e736e9a4d_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4628 wrote to memory of 2968	4628	2024-09-26_64484c7afae991825ecb111e736e9a4d_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4628 wrote to memory of 2968	4628	2024-09-26_64484c7afae991825ecb111e736e9a4d_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4628 wrote to memory of 4492	4628	2024-09-26_64484c7afae991825ecb111e736e9a4d_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4628 wrote to memory of 4492	4628	2024-09-26_64484c7afae991825ecb111e736e9a4d_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4628 wrote to memory of 1052	4628	2024-09-26_64484c7afae991825ecb111e736e9a4d_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4628 wrote to memory of 1052	4628	2024-09-26_64484c7afae991825ecb111e736e9a4d_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4628 wrote to memory of 1508	4628	2024-09-26_64484c7afae991825ecb111e736e9a4d_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4628 wrote to memory of 1508	4628	2024-09-26_64484c7afae991825ecb111e736e9a4d_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4628 wrote to memory of 2716	4628	2024-09-26_64484c7afae991825ecb111e736e9a4d_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4628 wrote to memory of 2716	4628	2024-09-26_64484c7afae991825ecb111e736e9a4d_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4628 wrote to memory of 1500	4628	2024-09-26_64484c7afae991825ecb111e736e9a4d_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4628 wrote to memory of 1500	4628	2024-09-26_64484c7afae991825ecb111e736e9a4d_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4628 wrote to memory of 1916	4628	2024-09-26_64484c7afae991825ecb111e736e9a4d_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4628 wrote to memory of 1916	4628	2024-09-26_64484c7afae991825ecb111e736e9a4d_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4628 wrote to memory of 1912	4628	2024-09-26_64484c7afae991825ecb111e736e9a4d_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4628 wrote to memory of 1912	4628	2024-09-26_64484c7afae991825ecb111e736e9a4d_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4628 wrote to memory of 1688	4628	2024-09-26_64484c7afae991825ecb111e736e9a4d_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4628 wrote to memory of 1688	4628	2024-09-26_64484c7afae991825ecb111e736e9a4d_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4628 wrote to memory of 3648	4628	2024-09-26_64484c7afae991825ecb111e736e9a4d_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4628 wrote to memory of 3648	4628	2024-09-26_64484c7afae991825ecb111e736e9a4d_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4628 wrote to memory of 4804	4628	2024-09-26_64484c7afae991825ecb111e736e9a4d_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4628 wrote to memory of 4804	4628	2024-09-26_64484c7afae991825ecb111e736e9a4d_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4628 wrote to memory of 4384	4628	2024-09-26_64484c7afae991825ecb111e736e9a4d_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4628 wrote to memory of 4384	4628	2024-09-26_64484c7afae991825ecb111e736e9a4d_cobalt-strike_cobaltstrike_poet-rat.exe	103

C:\Users\Admin\AppData\Local\Temp\2024-09-26_64484c7afae991825ecb111e736e9a4d_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-26_64484c7afae991825ecb111e736e9a4d_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4628
- C:\Windows\System\gYYmaOw.exe
  C:\Windows\System\gYYmaOw.exe
  2⤵
  - Executes dropped EXE
  PID:264
- C:\Windows\System\yxkmZNH.exe
  C:\Windows\System\yxkmZNH.exe
  2⤵
  - Executes dropped EXE
  PID:3464
- C:\Windows\System\vMYuVFs.exe
  C:\Windows\System\vMYuVFs.exe
  2⤵
  - Executes dropped EXE
  PID:4808
- C:\Windows\System\jwbXKeg.exe
  C:\Windows\System\jwbXKeg.exe
  2⤵
  - Executes dropped EXE
  PID:2244
- C:\Windows\System\fiynYBa.exe
  C:\Windows\System\fiynYBa.exe
  2⤵
  - Executes dropped EXE
  PID:712
- C:\Windows\System\qyPGNKz.exe
  C:\Windows\System\qyPGNKz.exe
  2⤵
  - Executes dropped EXE
  PID:4108
- C:\Windows\System\jcHbbBp.exe
  C:\Windows\System\jcHbbBp.exe
  2⤵
  - Executes dropped EXE
  PID:4700
- C:\Windows\System\tHiFDAO.exe
  C:\Windows\System\tHiFDAO.exe
  2⤵
  - Executes dropped EXE
  PID:836
- C:\Windows\System\MtuexRz.exe
  C:\Windows\System\MtuexRz.exe
  2⤵
  - Executes dropped EXE
  PID:4692
- C:\Windows\System\ZsPpKiL.exe
  C:\Windows\System\ZsPpKiL.exe
  2⤵
  - Executes dropped EXE
  PID:2968
- C:\Windows\System\FRSKdct.exe
  C:\Windows\System\FRSKdct.exe
  2⤵
  - Executes dropped EXE
  PID:4492
- C:\Windows\System\mwtiuGI.exe
  C:\Windows\System\mwtiuGI.exe
  2⤵
  - Executes dropped EXE
  PID:1052
- C:\Windows\System\qiRyzRU.exe
  C:\Windows\System\qiRyzRU.exe
  2⤵
  - Executes dropped EXE
  PID:1508
- C:\Windows\System\nDHmliB.exe
  C:\Windows\System\nDHmliB.exe
  2⤵
  - Executes dropped EXE
  PID:2716
- C:\Windows\System\eshJgYp.exe
  C:\Windows\System\eshJgYp.exe
  2⤵
  - Executes dropped EXE
  PID:1500
- C:\Windows\System\lMeonZB.exe
  C:\Windows\System\lMeonZB.exe
  2⤵
  - Executes dropped EXE
  PID:1916
- C:\Windows\System\mvweRWv.exe
  C:\Windows\System\mvweRWv.exe
  2⤵
  - Executes dropped EXE
  PID:1912
- C:\Windows\System\fkGfhEx.exe
  C:\Windows\System\fkGfhEx.exe
  2⤵
  - Executes dropped EXE
  PID:1688
- C:\Windows\System\LFzyysN.exe
  C:\Windows\System\LFzyysN.exe
  2⤵
  - Executes dropped EXE
  PID:3648
- C:\Windows\System\aEnQriJ.exe
  C:\Windows\System\aEnQriJ.exe
  2⤵
  - Executes dropped EXE
  PID:4804
- C:\Windows\System\QcnLZCJ.exe
  C:\Windows\System\QcnLZCJ.exe
  2⤵
  - Executes dropped EXE
  PID:4384

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\FRSKdct.exe

Filesize
5.9MB

MD5
7457ae8ea19f839b66e39efe8b009494

SHA1
297edcbad40a00d595e105dba0662419c365c7e2

SHA256
c30da25719a8fec7264be686dd7ba3e4164eaa8ea96edb62f6c2e21bb5bf9d62

SHA512
f7aba3d6efe714f3f675f3f959d87ddae566df069f64da2c31831896f098381ee959710223f2a45aef0f35872188dfd88547e27a43e6a026bf950fc36a5b078d

Download Submit
C:\Windows\System\LFzyysN.exe

Filesize
5.9MB

MD5
2d8e72e32b4c4847db39a59d4bec3aff

SHA1
039101e09baedda1534c52cfad07c90775dc2c8a

SHA256
46a1dd45fbd940e177e1d61da29fb8067ff38ff6a0c3f5bf16d6dd4d09ef88fb

SHA512
133a5e119bca583c9b5bbb98299cdc8d6b9ee0e2798d483556067d8df68e18addb53c088cc7c7595e249b1ae4fc46dd954cf9fc4e10cc3ce1fb0a52e00dba291

Download Submit
C:\Windows\System\MtuexRz.exe

Filesize
5.9MB

MD5
e3f1fba3f3c6d46f81dedc704464e93c

SHA1
20906205e108ae5a35832848550a88e38f231c47

SHA256
1a3035b14c9c7bf748883ce89a05c2195eda4a93077b53284df91a9601f9cff3

SHA512
b05c7c1f2fccc549d1de0e574c2a595f9c45b7d3be2bc7bf64c520180d63975e0a54cdf8957521433e181a0eda1e4f2610a3ba61c702130c6ed3b45aec5197d5

Download Submit
C:\Windows\System\QcnLZCJ.exe

Filesize
5.9MB

MD5
dd07efea670a57aed2582ad0f56a7885

SHA1
6401b752ae77249737e44a0b80c50df3de2e6436

SHA256
ca4cbd5034a86f4d74a58158edf06461c8dd835ba9db8fc51416774dd1b865c5

SHA512
121cc50c968b2e906dbbc9050bb2c63e698332c0c5f274a99075eb74d92cc50f97ea20f526e21228d1b61c5a8e28d186a9476ea811453fd2220df09308e918c7

Download Submit
C:\Windows\System\ZsPpKiL.exe

Filesize
5.9MB

MD5
3eadb937a67ab9552a338b047796505f

SHA1
47865fd4368a66777ccc1fe1b7eaae8817a92994

SHA256
0b71faab463b82e299429ea79e02a747d7464371c99dfdacccf0c0fc678c5000

SHA512
71474cabbfc5f74fbcbba0344444bc6a563a04f46c44985f7327d940d70d6c4988d8677b9aea5380d0fdb54f3754afad5cdf5af0b486f95f05f879f6c5ba7b54

Download Submit
C:\Windows\System\aEnQriJ.exe

Filesize
5.9MB

MD5
c372f969045bf385af361824ba0d506f

SHA1
ac69f47665c7c7ccad780f421228b9ac377990b7

SHA256
818d182acbdf539f01289e196982f0c97376bf77f10a50c2f63fbde4c9972c72

SHA512
5c190af393204ea75a10c7ec654764e5b396a32c3604c32fbbc18ecf27cda227c4777f55ad066a863a644be42daf5329d6215967853cdad0f724aa0cec46ffad

Download Submit
C:\Windows\System\eshJgYp.exe

Filesize
5.9MB

MD5
606de998800f58762dc373b0e3d02a1a

SHA1
609a09fcdfb008be1f0ef71791d118487289df09

SHA256
4311a3ad2df0f7131226fc4835da85887b4e2d3e6822cb6b156b79bf6674a9e6

SHA512
d7145b0424e1eb729c6088551e75cf07f6cab78d6c467214b8a0fe3d5b82a129ec38b4db0c371cc6ff6504b9ebbd0d3870c05ec0703f7b6002ab7d9c6bbeed72

Download Submit
C:\Windows\System\fiynYBa.exe

Filesize
5.9MB

MD5
f67b758dc03e07a153a7ee8ae8d17354

SHA1
fc3a4d36a889ef6e230f59bf37d974d97b853f7d

SHA256
7079e56bf7a5bdc0c22db0faadd7052994506e653e2c53ee00db11c40952d6c4

SHA512
58052b123aa719ef443d8c510c7c78878a7f82a0a786ae29c23143f20bc26ee9a74a156f6fcb43cf7e4cc710da4b450ab780a5c2396b785c0466efa18a76f84c

Download Submit
C:\Windows\System\fkGfhEx.exe

Filesize
5.9MB

MD5
d83224d1d241474d48a295c91368ec99

SHA1
d5943b3d39f3663dc4f09b4a20f8543f0375d550

SHA256
5e950603ef74b38e4e82d846a2932d03476e96fa61408834fb975f6d474ebf84

SHA512
c3aa4290bdc143440c48f14336131785c321a47e4361a75751385f62841a1b9628092560b65b3760cbcd14985ccc4bde80f76d512535d361a818bd785eeea9b7

Download Submit
C:\Windows\System\gYYmaOw.exe

Filesize
5.9MB

MD5
e6c867c7de91ced8babfa684e13b8454

SHA1
5b5dcc7284f260970d179ac9476e90e9db07c3f8

SHA256
9099ba7a61d21e947292cad5cdd8bb43246dc7a68c9c5b85706abb41bd81edf7

SHA512
9f589de229a5cbd6f51d2e78f0f7f61ff7d749886060ad581db902b694e7d4b25f2f68ef602f28f0992b3d39da05945b0e1c805482849cbe315738d828a9b0a0

Download Submit
C:\Windows\System\jcHbbBp.exe

Filesize
5.9MB

MD5
efab8d3e29b5d90bfac18350c8b76f2d

SHA1
c16e36b7ce1699ab742c2ed30974a025e37aefca

SHA256
8ef7073d756338d054592d8de60be732e8a30dbae256f01c2bacea4cd54e40b4

SHA512
fcff637406f273be9333bb33b9885b47d8ef89af25afb126d50a491895409017e7be94398f24ff6ab3fbc2e2b65ca884e8f58fee733af56e8590549b238b9eee

Download Submit
C:\Windows\System\jwbXKeg.exe

Filesize
5.9MB

MD5
2622362b014ba4e9e91a7d2ab722bde1

SHA1
88102845072d46e732191a45513b2b161c75e26b

SHA256
0047edaf6eef8e98de2819545abdb10e2b92e721e559c45d08c40a900d389de5

SHA512
6534fca5a9e9008ed0aa17a2b4884c7908cfde303ece827cab6fe874047adf96daa38007b5c8f2a34e7a800b5a418cea08bc55eaf842855eab3fc990d48a0e25

Download Submit
C:\Windows\System\lMeonZB.exe

Filesize
5.9MB

MD5
20357c42461e397be9d1470cd5da732a

SHA1
62ade8ca60b8a5cf44a3017544541e42c84f76e4

SHA256
5f378b80d943d88c658935d7f774fd535e9ab6e30383ed1585b599fd8e4e7f93

SHA512
cf289a7b11b2877432b9b8dfa71cba780be82afba9b4a54ec43fa855e45be69b19c42470019d0638da7ebbaeabdf5eeb844a36f11ec6c03497494000dceb6e7f

Download Submit
C:\Windows\System\mvweRWv.exe

Filesize
5.9MB

MD5
464f5f481457deab36a82144141503b5

SHA1
fbb0e26331d1dd3729a7e7206c3b967e415df8bd

SHA256
8e8195c468824f47d7e5b4e8cd9cb4c2c850d62e7d417a3a9b1320afeb46caaa

SHA512
93be620db070de2ad6622f4f13f03968f12e5d0bac3a6f55773896c58a6938829e898fad3051c25602d9419fecd0a99138316970b0c18094935ecc55837e82c1

Download Submit
C:\Windows\System\mwtiuGI.exe

Filesize
5.9MB

MD5
02a3a4186b498b4c461fd4eae8aa476d

SHA1
11590001f1b3b90d8cabd5259c151568aea390e5

SHA256
65aa82cd783085b1073de345d40ad88cef1f8f60bb9867cf4ea08fd31648b608

SHA512
ca5ceca71dd890125021ec6cf2c56287cbd750cccb2659091b59e3694e3a452657736d50774b2d691526b67bf15db6d9831d1d96ad2e9a48170d98fa2b7b591e

Download Submit
C:\Windows\System\nDHmliB.exe

Filesize
5.9MB

MD5
24fe3f5aa3471a049728c0513d3cc006

SHA1
1fcc58068800c6f394fd1eaaebea01aa459b388f

SHA256
9d71067e4ee75fb7e633656f8fc9f5b3cd14d45268673dafb1f4ddfe1d33605c

SHA512
10198301c99ca68ddffe3e392f52898247c3ba8f9fe6223aacc500c7881cc6017367e8908ff0119e79852cc4366952894e6e020e8f96ac1093fea26970983276

Download Submit
C:\Windows\System\qiRyzRU.exe

Filesize
5.9MB

MD5
e3dce64fa2d6da3ae7e59f69c33689f6

SHA1
e2940838eb0ffef1d07bd65ed6af2b09155d3f05

SHA256
ec138221c93f00c42cb853c0fdcc9d287231d46b5a837ffc4497831fc7c976d1

SHA512
3e7ccb9655e9b7c28fe39ddd3bf3e35be90a087f5834719e343e97a38ed30eb07b09a5f0a7b8fbdbc2e82367cbe6b895813ed3f04a605c15107711ca6a687014

Download Submit
C:\Windows\System\qyPGNKz.exe

Filesize
5.9MB

MD5
57ebc1306736f7d66e61fa045dc1d773

SHA1
13679e65170c32bf5827f1123231393e8e0ca546

SHA256
26d92ed3b65c43259dd0f685e03848f0cbfcc9ebc0d959d359663ce71cc00307

SHA512
aca4bf00fff7d65300d5f6323346387e811c8d83af3b2914d383aa08da6c1b1b1093a2daf05a7f7d5cab931122095ac628b31f5b81138083b2b99b3da97aca54

Download Submit
C:\Windows\System\tHiFDAO.exe

Filesize
5.9MB

MD5
b4dece2a64e43510ffc7b7a1ed0b0ea7

SHA1
c26c4666407a10af82f7d8b24ea42c3bb6990b3e

SHA256
d0954c7ce2d853ec91e3665f6a802650b2de0c4b662e8c848b6c6536514bfc5e

SHA512
ed666db0c0495551f6e2d383ad1d7a0a1caaeaad22bd513796936f4d6a08b0afb93c290dc2bb23fc56733470a95c65c12dcde835d96b27b4b1506cd86222bff1

Download Submit
C:\Windows\System\vMYuVFs.exe

Filesize
5.9MB

MD5
979245b8864e4435fa48bce92b60668f

SHA1
4473d10ae80be49634d8d98838b5a87b5f7a47bf

SHA256
4d3f0b37826fbd7c9601b305d88f49c58f325aea4ac0db4dc0a2c60f64f00504

SHA512
c6a6cc8817e2521c38ca83dfea74b9242a04b6661dc68ffe4f84089fa80494124d3d5540352bf13aef930d404e0fdf75d1d5e8bd8bb0bef090c733bfb820338a

Download Submit
C:\Windows\System\yxkmZNH.exe

Filesize
5.9MB

MD5
7e37c1236fe28a42c5bb87465b708d47

SHA1
e7cdbdc45677bb7d54087a9b4516e83c07786d94

SHA256
1102664f38a18496ee03f164be5d09ea706651551540d7ba6f38d7011e9b354c

SHA512
1c85e9de9266367176c5b8d874b20c1cccc7dca193bdff2c40ecc5a23e2a215c10cfcb0a0e90f65b30fae5ede86a190696fb601724bb678ec7ad73ace7723426

Download Submit
memory/264-8-0x00007FF6A0CA0000-0x00007FF6A0FF4000-memory.dmp

Filesize
3.3MB

Download
memory/264-145-0x00007FF6A0CA0000-0x00007FF6A0FF4000-memory.dmp

Filesize
3.3MB

Download
memory/712-25-0x00007FF7D8470000-0x00007FF7D87C4000-memory.dmp

Filesize
3.3MB

Download
memory/712-148-0x00007FF7D8470000-0x00007FF7D87C4000-memory.dmp

Filesize
3.3MB

Download
memory/712-81-0x00007FF7D8470000-0x00007FF7D87C4000-memory.dmp

Filesize
3.3MB

Download
memory/836-53-0x00007FF720EE0000-0x00007FF721234000-memory.dmp

Filesize
3.3MB

Download
memory/836-152-0x00007FF720EE0000-0x00007FF721234000-memory.dmp

Filesize
3.3MB

Download
memory/836-121-0x00007FF720EE0000-0x00007FF721234000-memory.dmp

Filesize
3.3MB

Download
memory/1052-72-0x00007FF7C4500000-0x00007FF7C4854000-memory.dmp

Filesize
3.3MB

Download
memory/1052-156-0x00007FF7C4500000-0x00007FF7C4854000-memory.dmp

Filesize
3.3MB

Download
memory/1052-139-0x00007FF7C4500000-0x00007FF7C4854000-memory.dmp

Filesize
3.3MB

Download
memory/1500-141-0x00007FF7152A0000-0x00007FF7155F4000-memory.dmp

Filesize
3.3MB

Download
memory/1500-162-0x00007FF7152A0000-0x00007FF7155F4000-memory.dmp

Filesize
3.3MB

Download
memory/1500-104-0x00007FF7152A0000-0x00007FF7155F4000-memory.dmp

Filesize
3.3MB

Download
memory/1508-157-0x00007FF7B2FC0000-0x00007FF7B3314000-memory.dmp

Filesize
3.3MB

Download
memory/1508-85-0x00007FF7B2FC0000-0x00007FF7B3314000-memory.dmp

Filesize
3.3MB

Download
memory/1508-140-0x00007FF7B2FC0000-0x00007FF7B3314000-memory.dmp

Filesize
3.3MB

Download
memory/1688-142-0x00007FF63A560000-0x00007FF63A8B4000-memory.dmp

Filesize
3.3MB

Download
memory/1688-115-0x00007FF63A560000-0x00007FF63A8B4000-memory.dmp

Filesize
3.3MB

Download
memory/1688-160-0x00007FF63A560000-0x00007FF63A8B4000-memory.dmp

Filesize
3.3MB

Download
memory/1912-161-0x00007FF6274F0000-0x00007FF627844000-memory.dmp

Filesize
3.3MB

Download
memory/1912-116-0x00007FF6274F0000-0x00007FF627844000-memory.dmp

Filesize
3.3MB

Download
memory/1916-108-0x00007FF6BE010000-0x00007FF6BE364000-memory.dmp

Filesize
3.3MB

Download
memory/1916-159-0x00007FF6BE010000-0x00007FF6BE364000-memory.dmp

Filesize
3.3MB

Download
memory/2244-28-0x00007FF7CC1C0000-0x00007FF7CC514000-memory.dmp

Filesize
3.3MB

Download
memory/2244-149-0x00007FF7CC1C0000-0x00007FF7CC514000-memory.dmp

Filesize
3.3MB

Download
memory/2244-102-0x00007FF7CC1C0000-0x00007FF7CC514000-memory.dmp

Filesize
3.3MB

Download
memory/2716-158-0x00007FF6B6AE0000-0x00007FF6B6E34000-memory.dmp

Filesize
3.3MB

Download
memory/2716-96-0x00007FF6B6AE0000-0x00007FF6B6E34000-memory.dmp

Filesize
3.3MB

Download
memory/2968-127-0x00007FF7CF290000-0x00007FF7CF5E4000-memory.dmp

Filesize
3.3MB

Download
memory/2968-153-0x00007FF7CF290000-0x00007FF7CF5E4000-memory.dmp

Filesize
3.3MB

Download
memory/2968-65-0x00007FF7CF290000-0x00007FF7CF5E4000-memory.dmp

Filesize
3.3MB

Download
memory/3464-146-0x00007FF7A4F20000-0x00007FF7A5274000-memory.dmp

Filesize
3.3MB

Download
memory/3464-14-0x00007FF7A4F20000-0x00007FF7A5274000-memory.dmp

Filesize
3.3MB

Download
memory/3464-76-0x00007FF7A4F20000-0x00007FF7A5274000-memory.dmp

Filesize
3.3MB

Download
memory/3648-122-0x00007FF6A8200000-0x00007FF6A8554000-memory.dmp

Filesize
3.3MB

Download
memory/3648-164-0x00007FF6A8200000-0x00007FF6A8554000-memory.dmp

Filesize
3.3MB

Download
memory/3648-143-0x00007FF6A8200000-0x00007FF6A8554000-memory.dmp

Filesize
3.3MB

Download
memory/4108-150-0x00007FF63A390000-0x00007FF63A6E4000-memory.dmp

Filesize
3.3MB

Download
memory/4108-38-0x00007FF63A390000-0x00007FF63A6E4000-memory.dmp

Filesize
3.3MB

Download
memory/4108-103-0x00007FF63A390000-0x00007FF63A6E4000-memory.dmp

Filesize
3.3MB

Download
memory/4384-163-0x00007FF6E8670000-0x00007FF6E89C4000-memory.dmp

Filesize
3.3MB

Download
memory/4384-137-0x00007FF6E8670000-0x00007FF6E89C4000-memory.dmp

Filesize
3.3MB

Download
memory/4492-155-0x00007FF6AD0D0000-0x00007FF6AD424000-memory.dmp

Filesize
3.3MB

Download
memory/4492-69-0x00007FF6AD0D0000-0x00007FF6AD424000-memory.dmp

Filesize
3.3MB

Download
memory/4492-138-0x00007FF6AD0D0000-0x00007FF6AD424000-memory.dmp

Filesize
3.3MB

Download
memory/4628-0-0x00007FF715E60000-0x00007FF7161B4000-memory.dmp

Filesize
3.3MB

Download
memory/4628-67-0x00007FF715E60000-0x00007FF7161B4000-memory.dmp

Filesize
3.3MB

Download
memory/4628-1-0x000002D033F10000-0x000002D033F20000-memory.dmp

Filesize
64KB

Download
memory/4692-151-0x00007FF6B00C0000-0x00007FF6B0414000-memory.dmp

Filesize
3.3MB

Download
memory/4692-126-0x00007FF6B00C0000-0x00007FF6B0414000-memory.dmp

Filesize
3.3MB

Download
memory/4692-60-0x00007FF6B00C0000-0x00007FF6B0414000-memory.dmp

Filesize
3.3MB

Download
memory/4700-43-0x00007FF7CBFB0000-0x00007FF7CC304000-memory.dmp

Filesize
3.3MB

Download
memory/4700-154-0x00007FF7CBFB0000-0x00007FF7CC304000-memory.dmp

Filesize
3.3MB

Download
memory/4700-120-0x00007FF7CBFB0000-0x00007FF7CC304000-memory.dmp

Filesize
3.3MB

Download
memory/4804-134-0x00007FF665300000-0x00007FF665654000-memory.dmp

Filesize
3.3MB

Download
memory/4804-144-0x00007FF665300000-0x00007FF665654000-memory.dmp

Filesize
3.3MB

Download
memory/4804-165-0x00007FF665300000-0x00007FF665654000-memory.dmp

Filesize
3.3MB

Download
memory/4808-20-0x00007FF6004E0000-0x00007FF600834000-memory.dmp

Filesize
3.3MB

Download
memory/4808-147-0x00007FF6004E0000-0x00007FF600834000-memory.dmp

Filesize
3.3MB

Download
memory/4808-80-0x00007FF6004E0000-0x00007FF600834000-memory.dmp

Filesize
3.3MB

Download