cobaltstrike | e272cfe6a25880fd96790bd008d1d3ace323f8500d132ffdcf72edd176380d8b

Analysis

max time kernel
143s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
26-09-2024 18:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-26_852002491b7019a7547123c6e1a25e95_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

852002491b7019a7547123c6e1a25e95
SHA1

5282a0a78356d39cb531aafad9b395b90198b3d1
SHA256

e272cfe6a25880fd96790bd008d1d3ace323f8500d132ffdcf72edd176380d8b
SHA512

24617c67830ea048fabb1d0b93ff2b7a20d70808cfc3c307d94dec1df63271d1273c81372541566ea1bd480d05cf3b8fac0314c7090cd65abebad0750f1dd5bd
SSDEEP

98304:oemTLkNdfE0pZrt56utgpPFotBER/mQ32lUK:T+856utgpPF8u/7K

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0008000000023482-4.dat	cobalt_reflective_dll
behavioral2/files/0x000500000001db2b-10.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023485-13.dat	cobalt_reflective_dll
behavioral2/files/0x000500000001db2f-23.dat	cobalt_reflective_dll
behavioral2/files/0x000400000001db32-28.dat	cobalt_reflective_dll
behavioral2/files/0x000600000001db34-35.dat	cobalt_reflective_dll
behavioral2/files/0x000200000001e69c-41.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023489-46.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002348a-52.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002348b-60.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002348d-72.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002348c-69.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002348e-81.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002348f-91.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023490-96.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023491-101.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023493-114.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023494-123.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023496-134.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023495-125.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023492-112.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/1964-0-0x00007FF62F940000-0x00007FF62FC94000-memory.dmp	xmrig
behavioral2/files/0x0008000000023482-4.dat	xmrig
behavioral2/memory/3952-8-0x00007FF6B02E0000-0x00007FF6B0634000-memory.dmp	xmrig
behavioral2/files/0x000500000001db2b-10.dat	xmrig
behavioral2/files/0x0008000000023485-13.dat	xmrig
behavioral2/memory/3356-18-0x00007FF7132D0000-0x00007FF713624000-memory.dmp	xmrig
behavioral2/files/0x000500000001db2f-23.dat	xmrig
behavioral2/memory/2904-24-0x00007FF68F350000-0x00007FF68F6A4000-memory.dmp	xmrig
behavioral2/memory/4708-12-0x00007FF62A7D0000-0x00007FF62AB24000-memory.dmp	xmrig
behavioral2/files/0x000400000001db32-28.dat	xmrig
behavioral2/memory/8-32-0x00007FF7A5C20000-0x00007FF7A5F74000-memory.dmp	xmrig
behavioral2/files/0x000600000001db34-35.dat	xmrig
behavioral2/memory/4676-36-0x00007FF6F8740000-0x00007FF6F8A94000-memory.dmp	xmrig
behavioral2/files/0x000200000001e69c-41.dat	xmrig
behavioral2/files/0x0007000000023489-46.dat	xmrig
behavioral2/memory/3928-47-0x00007FF63A6F0000-0x00007FF63AA44000-memory.dmp	xmrig
behavioral2/files/0x000700000002348a-52.dat	xmrig
behavioral2/memory/4012-55-0x00007FF6C1F70000-0x00007FF6C22C4000-memory.dmp	xmrig
behavioral2/files/0x000700000002348b-60.dat	xmrig
behavioral2/memory/4200-61-0x00007FF6A9FF0000-0x00007FF6AA344000-memory.dmp	xmrig
behavioral2/memory/4708-67-0x00007FF62A7D0000-0x00007FF62AB24000-memory.dmp	xmrig
behavioral2/files/0x000700000002348d-72.dat	xmrig
behavioral2/memory/2856-75-0x00007FF761650000-0x00007FF7619A4000-memory.dmp	xmrig
behavioral2/memory/3356-74-0x00007FF7132D0000-0x00007FF713624000-memory.dmp	xmrig
behavioral2/files/0x000700000002348c-69.dat	xmrig
behavioral2/memory/2612-68-0x00007FF703B10000-0x00007FF703E64000-memory.dmp	xmrig
behavioral2/memory/1964-54-0x00007FF62F940000-0x00007FF62FC94000-memory.dmp	xmrig
behavioral2/memory/3152-42-0x00007FF7D76D0000-0x00007FF7D7A24000-memory.dmp	xmrig
behavioral2/files/0x000700000002348e-81.dat	xmrig
behavioral2/memory/8-87-0x00007FF7A5C20000-0x00007FF7A5F74000-memory.dmp	xmrig
behavioral2/files/0x000700000002348f-91.dat	xmrig
behavioral2/memory/2440-89-0x00007FF7EB190000-0x00007FF7EB4E4000-memory.dmp	xmrig
behavioral2/memory/4676-88-0x00007FF6F8740000-0x00007FF6F8A94000-memory.dmp	xmrig
behavioral2/memory/1036-84-0x00007FF6A03C0000-0x00007FF6A0714000-memory.dmp	xmrig
behavioral2/memory/2904-80-0x00007FF68F350000-0x00007FF68F6A4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023490-96.dat	xmrig
behavioral2/memory/3152-98-0x00007FF7D76D0000-0x00007FF7D7A24000-memory.dmp	xmrig
behavioral2/files/0x0007000000023491-101.dat	xmrig
behavioral2/files/0x0007000000023493-114.dat	xmrig
behavioral2/files/0x0007000000023494-123.dat	xmrig
behavioral2/memory/2088-121-0x00007FF605690000-0x00007FF6059E4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023496-134.dat	xmrig
behavioral2/memory/3868-136-0x00007FF6F5EF0000-0x00007FF6F6244000-memory.dmp	xmrig
behavioral2/memory/2440-135-0x00007FF7EB190000-0x00007FF7EB4E4000-memory.dmp	xmrig
behavioral2/memory/2856-133-0x00007FF761650000-0x00007FF7619A4000-memory.dmp	xmrig
behavioral2/memory/4664-132-0x00007FF7EEAC0000-0x00007FF7EEE14000-memory.dmp	xmrig
behavioral2/memory/2612-128-0x00007FF703B10000-0x00007FF703E64000-memory.dmp	xmrig
behavioral2/memory/3420-126-0x00007FF6FD030000-0x00007FF6FD384000-memory.dmp	xmrig
behavioral2/files/0x0007000000023495-125.dat	xmrig
behavioral2/memory/4200-120-0x00007FF6A9FF0000-0x00007FF6AA344000-memory.dmp	xmrig
behavioral2/memory/2472-118-0x00007FF7CF200000-0x00007FF7CF554000-memory.dmp	xmrig
behavioral2/memory/4012-113-0x00007FF6C1F70000-0x00007FF6C22C4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023492-112.dat	xmrig
behavioral2/memory/1636-108-0x00007FF6C0EE0000-0x00007FF6C1234000-memory.dmp	xmrig
behavioral2/memory/3928-107-0x00007FF63A6F0000-0x00007FF63AA44000-memory.dmp	xmrig
behavioral2/memory/384-102-0x00007FF6B8950000-0x00007FF6B8CA4000-memory.dmp	xmrig
behavioral2/memory/1036-141-0x00007FF6A03C0000-0x00007FF6A0714000-memory.dmp	xmrig
behavioral2/memory/2088-142-0x00007FF605690000-0x00007FF6059E4000-memory.dmp	xmrig
behavioral2/memory/3420-143-0x00007FF6FD030000-0x00007FF6FD384000-memory.dmp	xmrig
behavioral2/memory/4664-144-0x00007FF7EEAC0000-0x00007FF7EEE14000-memory.dmp	xmrig
behavioral2/memory/3868-145-0x00007FF6F5EF0000-0x00007FF6F6244000-memory.dmp	xmrig
behavioral2/memory/3952-146-0x00007FF6B02E0000-0x00007FF6B0634000-memory.dmp	xmrig
behavioral2/memory/4708-147-0x00007FF62A7D0000-0x00007FF62AB24000-memory.dmp	xmrig
behavioral2/memory/3356-148-0x00007FF7132D0000-0x00007FF713624000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
3952	rmNYFLN.exe
4708	TzlNczH.exe
3356	GGuLPtK.exe
2904	qOqsYNp.exe
8	dheAngJ.exe
4676	sOERHfX.exe
3152	hmlLCFZ.exe
3928	PDNAsTv.exe
4012	KiCOQvK.exe
4200	OIDDjDH.exe
2612	omPeUre.exe
2856	zSAGwsK.exe
1036	EQoFzzO.exe
2440	uCzJBOV.exe
384	diZBEyi.exe
1636	GxVPpRw.exe
2472	jXOmGzt.exe
2088	XviBMHi.exe
3420	GoYQNvy.exe
4664	IJGwuPH.exe
3868	MXkAReF.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1964-0-0x00007FF62F940000-0x00007FF62FC94000-memory.dmp	upx
behavioral2/files/0x0008000000023482-4.dat	upx
behavioral2/memory/3952-8-0x00007FF6B02E0000-0x00007FF6B0634000-memory.dmp	upx
behavioral2/files/0x000500000001db2b-10.dat	upx
behavioral2/files/0x0008000000023485-13.dat	upx
behavioral2/memory/3356-18-0x00007FF7132D0000-0x00007FF713624000-memory.dmp	upx
behavioral2/files/0x000500000001db2f-23.dat	upx
behavioral2/memory/2904-24-0x00007FF68F350000-0x00007FF68F6A4000-memory.dmp	upx
behavioral2/memory/4708-12-0x00007FF62A7D0000-0x00007FF62AB24000-memory.dmp	upx
behavioral2/files/0x000400000001db32-28.dat	upx
behavioral2/memory/8-32-0x00007FF7A5C20000-0x00007FF7A5F74000-memory.dmp	upx
behavioral2/files/0x000600000001db34-35.dat	upx
behavioral2/memory/4676-36-0x00007FF6F8740000-0x00007FF6F8A94000-memory.dmp	upx
behavioral2/files/0x000200000001e69c-41.dat	upx
behavioral2/files/0x0007000000023489-46.dat	upx
behavioral2/memory/3928-47-0x00007FF63A6F0000-0x00007FF63AA44000-memory.dmp	upx
behavioral2/files/0x000700000002348a-52.dat	upx
behavioral2/memory/4012-55-0x00007FF6C1F70000-0x00007FF6C22C4000-memory.dmp	upx
behavioral2/files/0x000700000002348b-60.dat	upx
behavioral2/memory/4200-61-0x00007FF6A9FF0000-0x00007FF6AA344000-memory.dmp	upx
behavioral2/memory/4708-67-0x00007FF62A7D0000-0x00007FF62AB24000-memory.dmp	upx
behavioral2/files/0x000700000002348d-72.dat	upx
behavioral2/memory/2856-75-0x00007FF761650000-0x00007FF7619A4000-memory.dmp	upx
behavioral2/memory/3356-74-0x00007FF7132D0000-0x00007FF713624000-memory.dmp	upx
behavioral2/files/0x000700000002348c-69.dat	upx
behavioral2/memory/2612-68-0x00007FF703B10000-0x00007FF703E64000-memory.dmp	upx
behavioral2/memory/1964-54-0x00007FF62F940000-0x00007FF62FC94000-memory.dmp	upx
behavioral2/memory/3152-42-0x00007FF7D76D0000-0x00007FF7D7A24000-memory.dmp	upx
behavioral2/files/0x000700000002348e-81.dat	upx
behavioral2/memory/8-87-0x00007FF7A5C20000-0x00007FF7A5F74000-memory.dmp	upx
behavioral2/files/0x000700000002348f-91.dat	upx
behavioral2/memory/2440-89-0x00007FF7EB190000-0x00007FF7EB4E4000-memory.dmp	upx
behavioral2/memory/4676-88-0x00007FF6F8740000-0x00007FF6F8A94000-memory.dmp	upx
behavioral2/memory/1036-84-0x00007FF6A03C0000-0x00007FF6A0714000-memory.dmp	upx
behavioral2/memory/2904-80-0x00007FF68F350000-0x00007FF68F6A4000-memory.dmp	upx
behavioral2/files/0x0007000000023490-96.dat	upx
behavioral2/memory/3152-98-0x00007FF7D76D0000-0x00007FF7D7A24000-memory.dmp	upx
behavioral2/files/0x0007000000023491-101.dat	upx
behavioral2/files/0x0007000000023493-114.dat	upx
behavioral2/files/0x0007000000023494-123.dat	upx
behavioral2/memory/2088-121-0x00007FF605690000-0x00007FF6059E4000-memory.dmp	upx
behavioral2/files/0x0007000000023496-134.dat	upx
behavioral2/memory/3868-136-0x00007FF6F5EF0000-0x00007FF6F6244000-memory.dmp	upx
behavioral2/memory/2440-135-0x00007FF7EB190000-0x00007FF7EB4E4000-memory.dmp	upx
behavioral2/memory/2856-133-0x00007FF761650000-0x00007FF7619A4000-memory.dmp	upx
behavioral2/memory/4664-132-0x00007FF7EEAC0000-0x00007FF7EEE14000-memory.dmp	upx
behavioral2/memory/2612-128-0x00007FF703B10000-0x00007FF703E64000-memory.dmp	upx
behavioral2/memory/3420-126-0x00007FF6FD030000-0x00007FF6FD384000-memory.dmp	upx
behavioral2/files/0x0007000000023495-125.dat	upx
behavioral2/memory/4200-120-0x00007FF6A9FF0000-0x00007FF6AA344000-memory.dmp	upx
behavioral2/memory/2472-118-0x00007FF7CF200000-0x00007FF7CF554000-memory.dmp	upx
behavioral2/memory/4012-113-0x00007FF6C1F70000-0x00007FF6C22C4000-memory.dmp	upx
behavioral2/files/0x0007000000023492-112.dat	upx
behavioral2/memory/1636-108-0x00007FF6C0EE0000-0x00007FF6C1234000-memory.dmp	upx
behavioral2/memory/3928-107-0x00007FF63A6F0000-0x00007FF63AA44000-memory.dmp	upx
behavioral2/memory/384-102-0x00007FF6B8950000-0x00007FF6B8CA4000-memory.dmp	upx
behavioral2/memory/1036-141-0x00007FF6A03C0000-0x00007FF6A0714000-memory.dmp	upx
behavioral2/memory/2088-142-0x00007FF605690000-0x00007FF6059E4000-memory.dmp	upx
behavioral2/memory/3420-143-0x00007FF6FD030000-0x00007FF6FD384000-memory.dmp	upx
behavioral2/memory/4664-144-0x00007FF7EEAC0000-0x00007FF7EEE14000-memory.dmp	upx
behavioral2/memory/3868-145-0x00007FF6F5EF0000-0x00007FF6F6244000-memory.dmp	upx
behavioral2/memory/3952-146-0x00007FF6B02E0000-0x00007FF6B0634000-memory.dmp	upx
behavioral2/memory/4708-147-0x00007FF62A7D0000-0x00007FF62AB24000-memory.dmp	upx
behavioral2/memory/3356-148-0x00007FF7132D0000-0x00007FF713624000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\rmNYFLN.exe	2024-09-26_852002491b7019a7547123c6e1a25e95_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TzlNczH.exe	2024-09-26_852002491b7019a7547123c6e1a25e95_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dheAngJ.exe	2024-09-26_852002491b7019a7547123c6e1a25e95_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sOERHfX.exe	2024-09-26_852002491b7019a7547123c6e1a25e95_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KiCOQvK.exe	2024-09-26_852002491b7019a7547123c6e1a25e95_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OIDDjDH.exe	2024-09-26_852002491b7019a7547123c6e1a25e95_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MXkAReF.exe	2024-09-26_852002491b7019a7547123c6e1a25e95_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zSAGwsK.exe	2024-09-26_852002491b7019a7547123c6e1a25e95_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uCzJBOV.exe	2024-09-26_852002491b7019a7547123c6e1a25e95_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XviBMHi.exe	2024-09-26_852002491b7019a7547123c6e1a25e95_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GoYQNvy.exe	2024-09-26_852002491b7019a7547123c6e1a25e95_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IJGwuPH.exe	2024-09-26_852002491b7019a7547123c6e1a25e95_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GGuLPtK.exe	2024-09-26_852002491b7019a7547123c6e1a25e95_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qOqsYNp.exe	2024-09-26_852002491b7019a7547123c6e1a25e95_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hmlLCFZ.exe	2024-09-26_852002491b7019a7547123c6e1a25e95_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PDNAsTv.exe	2024-09-26_852002491b7019a7547123c6e1a25e95_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EQoFzzO.exe	2024-09-26_852002491b7019a7547123c6e1a25e95_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\diZBEyi.exe	2024-09-26_852002491b7019a7547123c6e1a25e95_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GxVPpRw.exe	2024-09-26_852002491b7019a7547123c6e1a25e95_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jXOmGzt.exe	2024-09-26_852002491b7019a7547123c6e1a25e95_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\omPeUre.exe	2024-09-26_852002491b7019a7547123c6e1a25e95_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1964	2024-09-26_852002491b7019a7547123c6e1a25e95_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	1964	2024-09-26_852002491b7019a7547123c6e1a25e95_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 3952	1964	2024-09-26_852002491b7019a7547123c6e1a25e95_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 1964 wrote to memory of 3952	1964	2024-09-26_852002491b7019a7547123c6e1a25e95_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 1964 wrote to memory of 4708	1964	2024-09-26_852002491b7019a7547123c6e1a25e95_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 1964 wrote to memory of 4708	1964	2024-09-26_852002491b7019a7547123c6e1a25e95_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 1964 wrote to memory of 3356	1964	2024-09-26_852002491b7019a7547123c6e1a25e95_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 1964 wrote to memory of 3356	1964	2024-09-26_852002491b7019a7547123c6e1a25e95_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 1964 wrote to memory of 2904	1964	2024-09-26_852002491b7019a7547123c6e1a25e95_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 1964 wrote to memory of 2904	1964	2024-09-26_852002491b7019a7547123c6e1a25e95_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 1964 wrote to memory of 8	1964	2024-09-26_852002491b7019a7547123c6e1a25e95_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1964 wrote to memory of 8	1964	2024-09-26_852002491b7019a7547123c6e1a25e95_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1964 wrote to memory of 4676	1964	2024-09-26_852002491b7019a7547123c6e1a25e95_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1964 wrote to memory of 4676	1964	2024-09-26_852002491b7019a7547123c6e1a25e95_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1964 wrote to memory of 3152	1964	2024-09-26_852002491b7019a7547123c6e1a25e95_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1964 wrote to memory of 3152	1964	2024-09-26_852002491b7019a7547123c6e1a25e95_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1964 wrote to memory of 3928	1964	2024-09-26_852002491b7019a7547123c6e1a25e95_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1964 wrote to memory of 3928	1964	2024-09-26_852002491b7019a7547123c6e1a25e95_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1964 wrote to memory of 4012	1964	2024-09-26_852002491b7019a7547123c6e1a25e95_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 1964 wrote to memory of 4012	1964	2024-09-26_852002491b7019a7547123c6e1a25e95_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 1964 wrote to memory of 4200	1964	2024-09-26_852002491b7019a7547123c6e1a25e95_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1964 wrote to memory of 4200	1964	2024-09-26_852002491b7019a7547123c6e1a25e95_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1964 wrote to memory of 2612	1964	2024-09-26_852002491b7019a7547123c6e1a25e95_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1964 wrote to memory of 2612	1964	2024-09-26_852002491b7019a7547123c6e1a25e95_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1964 wrote to memory of 2856	1964	2024-09-26_852002491b7019a7547123c6e1a25e95_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 1964 wrote to memory of 2856	1964	2024-09-26_852002491b7019a7547123c6e1a25e95_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 1964 wrote to memory of 1036	1964	2024-09-26_852002491b7019a7547123c6e1a25e95_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1964 wrote to memory of 1036	1964	2024-09-26_852002491b7019a7547123c6e1a25e95_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1964 wrote to memory of 2440	1964	2024-09-26_852002491b7019a7547123c6e1a25e95_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1964 wrote to memory of 2440	1964	2024-09-26_852002491b7019a7547123c6e1a25e95_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1964 wrote to memory of 384	1964	2024-09-26_852002491b7019a7547123c6e1a25e95_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1964 wrote to memory of 384	1964	2024-09-26_852002491b7019a7547123c6e1a25e95_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1964 wrote to memory of 1636	1964	2024-09-26_852002491b7019a7547123c6e1a25e95_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1964 wrote to memory of 1636	1964	2024-09-26_852002491b7019a7547123c6e1a25e95_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1964 wrote to memory of 2472	1964	2024-09-26_852002491b7019a7547123c6e1a25e95_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1964 wrote to memory of 2472	1964	2024-09-26_852002491b7019a7547123c6e1a25e95_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1964 wrote to memory of 2088	1964	2024-09-26_852002491b7019a7547123c6e1a25e95_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 1964 wrote to memory of 2088	1964	2024-09-26_852002491b7019a7547123c6e1a25e95_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 1964 wrote to memory of 3420	1964	2024-09-26_852002491b7019a7547123c6e1a25e95_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 1964 wrote to memory of 3420	1964	2024-09-26_852002491b7019a7547123c6e1a25e95_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 1964 wrote to memory of 4664	1964	2024-09-26_852002491b7019a7547123c6e1a25e95_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 1964 wrote to memory of 4664	1964	2024-09-26_852002491b7019a7547123c6e1a25e95_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 1964 wrote to memory of 3868	1964	2024-09-26_852002491b7019a7547123c6e1a25e95_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 1964 wrote to memory of 3868	1964	2024-09-26_852002491b7019a7547123c6e1a25e95_cobalt-strike_cobaltstrike_poet-rat.exe	106

C:\Users\Admin\AppData\Local\Temp\2024-09-26_852002491b7019a7547123c6e1a25e95_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-26_852002491b7019a7547123c6e1a25e95_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Windows\System\rmNYFLN.exe
  C:\Windows\System\rmNYFLN.exe
  2⤵
  - Executes dropped EXE
  PID:3952
- C:\Windows\System\TzlNczH.exe
  C:\Windows\System\TzlNczH.exe
  2⤵
  - Executes dropped EXE
  PID:4708
- C:\Windows\System\GGuLPtK.exe
  C:\Windows\System\GGuLPtK.exe
  2⤵
  - Executes dropped EXE
  PID:3356
- C:\Windows\System\qOqsYNp.exe
  C:\Windows\System\qOqsYNp.exe
  2⤵
  - Executes dropped EXE
  PID:2904
- C:\Windows\System\dheAngJ.exe
  C:\Windows\System\dheAngJ.exe
  2⤵
  - Executes dropped EXE
  PID:8
- C:\Windows\System\sOERHfX.exe
  C:\Windows\System\sOERHfX.exe
  2⤵
  - Executes dropped EXE
  PID:4676
- C:\Windows\System\hmlLCFZ.exe
  C:\Windows\System\hmlLCFZ.exe
  2⤵
  - Executes dropped EXE
  PID:3152
- C:\Windows\System\PDNAsTv.exe
  C:\Windows\System\PDNAsTv.exe
  2⤵
  - Executes dropped EXE
  PID:3928
- C:\Windows\System\KiCOQvK.exe
  C:\Windows\System\KiCOQvK.exe
  2⤵
  - Executes dropped EXE
  PID:4012
- C:\Windows\System\OIDDjDH.exe
  C:\Windows\System\OIDDjDH.exe
  2⤵
  - Executes dropped EXE
  PID:4200
- C:\Windows\System\omPeUre.exe
  C:\Windows\System\omPeUre.exe
  2⤵
  - Executes dropped EXE
  PID:2612
- C:\Windows\System\zSAGwsK.exe
  C:\Windows\System\zSAGwsK.exe
  2⤵
  - Executes dropped EXE
  PID:2856
- C:\Windows\System\EQoFzzO.exe
  C:\Windows\System\EQoFzzO.exe
  2⤵
  - Executes dropped EXE
  PID:1036
- C:\Windows\System\uCzJBOV.exe
  C:\Windows\System\uCzJBOV.exe
  2⤵
  - Executes dropped EXE
  PID:2440
- C:\Windows\System\diZBEyi.exe
  C:\Windows\System\diZBEyi.exe
  2⤵
  - Executes dropped EXE
  PID:384
- C:\Windows\System\GxVPpRw.exe
  C:\Windows\System\GxVPpRw.exe
  2⤵
  - Executes dropped EXE
  PID:1636
- C:\Windows\System\jXOmGzt.exe
  C:\Windows\System\jXOmGzt.exe
  2⤵
  - Executes dropped EXE
  PID:2472
- C:\Windows\System\XviBMHi.exe
  C:\Windows\System\XviBMHi.exe
  2⤵
  - Executes dropped EXE
  PID:2088
- C:\Windows\System\GoYQNvy.exe
  C:\Windows\System\GoYQNvy.exe
  2⤵
  - Executes dropped EXE
  PID:3420
- C:\Windows\System\IJGwuPH.exe
  C:\Windows\System\IJGwuPH.exe
  2⤵
  - Executes dropped EXE
  PID:4664
- C:\Windows\System\MXkAReF.exe
  C:\Windows\System\MXkAReF.exe
  2⤵
  - Executes dropped EXE
  PID:3868

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\EQoFzzO.exe

Filesize
5.9MB

MD5
3b95e4727da880acc54e419b4eaadbd6

SHA1
054ed6c9c334807e06a6bb9687ccf68d3b7e6526

SHA256
b692d0c5e88be77b308dab5255080910a692a66fea2f6303aa6ec7f261d7ebd7

SHA512
a1a5bfb6c5ea9f0c7ca66b2e75616caf4ead97482112145353235762227e1b6499b82f049fa2e2f4cc202403150c5e27a61d8d6f871c9efc0d99c91127b26b99

Download Submit
C:\Windows\System\GGuLPtK.exe

Filesize
5.9MB

MD5
2e04d1dfe5d510d83c80fe43ebdfeb50

SHA1
bf3e2038e53d4d56e049c4103411d71b9a1cb044

SHA256
91b0d1d6cc3d3522d17f1480181402daa07b952152af820e9595afdddcf9d4e7

SHA512
6abcd363fb48caa8e318f15a5149e27041a246113f2516b7353c6ab6e36abe125a3c8dfdf16ba73e16e01a17887e73a6dc050d24684c81d2a8e0b99fdfcbc55a

Download Submit
C:\Windows\System\GoYQNvy.exe

Filesize
5.9MB

MD5
21e0e9cc9cd714103cb6add2e76eee47

SHA1
d72afb3f6a043c7729149080315fbbe413a72f26

SHA256
fb49c5a65c79f844c371fcffe6a035daec26ffe0a21a71afb1ff3e0e1aad29b8

SHA512
e2d19ebab46dc4f15dc3ccfbcfe1fd9db0e1821b7c16d39d6c3dee6279e56b930b874fc3076883c0e742d4455778ce7e009674f081a9280e88a3b020572e20af

Download Submit
C:\Windows\System\GxVPpRw.exe

Filesize
5.9MB

MD5
388c1f0147f70ee2c2c6918913c914d0

SHA1
5564c4cca24dd32e6afb568aab1b8ead91a7d18e

SHA256
7198f9f53f10d8ed353511898c2f58ed6acab078cc4134515ee8ce53c3fe3f60

SHA512
714e423c0a6a317e5c58d1e02f0618068da95d244b11fcc2c534db441712609ff96d546491ebdba44b955a66c68e6fb6ef658d804eb4d6b5aca27a76de782c7d

Download Submit
C:\Windows\System\IJGwuPH.exe

Filesize
5.9MB

MD5
17f4fb2553a6f7da849305e24a508a8d

SHA1
e1ddc84527241076c727e00056b2120763fa0d0e

SHA256
2fa654a525b1c569725af9c84998e01ae5a387b853848abcaa6b5f92f2f09713

SHA512
b3e6285aa070b1f4faa1818454589678c672eec88e4ca139d637780a4e40163922b24128f1e70265741d4619762be4626f02551e02b766798674c2c7e6758362

Download Submit
C:\Windows\System\KiCOQvK.exe

Filesize
5.9MB

MD5
1fe5f2d52d4eb7ed1f023541564cbaff

SHA1
ed8ac0d653e7ca9ae4dacf94d4bc98c410eabad8

SHA256
e8d467454f32b05e5de5cebdc7c9a660e16a4dcb11065735ae2eba0fd77639c3

SHA512
0a2e5e04b0a551bd48c6a3f77dfff23e150d5de9d96add5952e57a0ce1803cca1b913f22891c2f3250b222f4347f8e19dd0a096bce754628d18478d48f40324e

Download Submit
C:\Windows\System\MXkAReF.exe

Filesize
5.9MB

MD5
f6e5f77842110be5df6ddbf1a3c59dda

SHA1
91cdc5a738e1e0c9704c0619302aa83647e141c9

SHA256
8849a0d2221191cf38858f799473525efddc5183b425d2d07b171cca7a384981

SHA512
2aa341dbd9fa96d6daed9a65e27da5109ba38f31ac04983fb1e89c72bf0640c1dff9bd6879a0c9119b60f32eb26705145587d72251a412fbf262613e04fa6769

Download Submit
C:\Windows\System\OIDDjDH.exe

Filesize
5.9MB

MD5
8c8ea1876cc6805de29d8b005a4196ac

SHA1
10d0fce888fea565d6d2cd7757874a5efdf3d8f2

SHA256
238af9ae98f305d307df78e8e63897ecb86da853d1df32f84a1c8d5636313f05

SHA512
14d569d27be19e819160ef468f19b459cd70786ec4be8688567d1a2edd0e6d46c876cf48a96e7a3894cb32ef75e062b1140585fd5fccf6abde3e9200259178b6

Download Submit
C:\Windows\System\PDNAsTv.exe

Filesize
5.9MB

MD5
8541a1550c627ef52c9f33398efe502d

SHA1
85f67f59cd64e6462cbdcac8aa7e36c0a6b03e80

SHA256
050a9efef03764d901a3b268a1026aa4b8c9086707bb218ee2351a37cfcf3ec1

SHA512
3d643417bd0517438d3d4c21f56c62ab9a49850e57acb10a5bc66a5957455fdac3a58e4d7e6f07a80af310d4e76650bd010d171e17c41d8438cce977f6fad91a

Download Submit
C:\Windows\System\TzlNczH.exe

Filesize
5.9MB

MD5
99ce135ee0bb4ff1c77da487f9086c20

SHA1
f4d99c12982e5bb5ecb312dd516daa13fa643ad0

SHA256
ff728a80aee0d9c58fea7838953f10b04c5b42dd95f6e7055d16ff1b58485bda

SHA512
cf7b936feb892acc37516033a9cc5267e35e3d5a1688b2415d75462b3ac8d4eb37dbb0e1648f1c99f7be46a5a202055b261326b9d44eb0c917ebdc7507ad1115

Download Submit
C:\Windows\System\XviBMHi.exe

Filesize
5.9MB

MD5
b3e1d5c6ac40517cd662115e7338d89c

SHA1
1e1e63b508a71ff4bd7126bab33a332ce7591f9d

SHA256
4283c44704efc5f9b05af188f6a02468597e9a2de15ef6fbd7803857a51b640c

SHA512
1ec54a0ad9938fd0b9eff1d9895ed20163afb7f4d9e5b64e8fbaaeb40bd2076239a0d6ce2c870317746613b8bd9263c70e765790f96a90676f0c1d86891a0e1b

Download Submit
C:\Windows\System\dheAngJ.exe

Filesize
5.9MB

MD5
50b1db50903f8e63b800df0f06ec55f1

SHA1
e8ce922f5f9e44c55ac151d01dc625e55c0cdb2e

SHA256
09392fd003e3e426a68efcd13afd68448a7a55b34272faffaecd396c3d665b97

SHA512
40b1083a81da712c087b682e34abdabf4f80dfa6c8ff1814914e5d9e4efecd18817c27d1b27a9a3a51f38cc3e60c6c1a10b5958a320124d78c298f972cb25afa

Download Submit
C:\Windows\System\diZBEyi.exe

Filesize
5.9MB

MD5
149a80967a6e864701732a7c72c3d738

SHA1
a98ff5cf9541684d7d059b8f23438fa2702b32fe

SHA256
15498f1b3ea64bbd4fff8828305dd46d125da724b6fb261b09c40cd0796ae4a4

SHA512
0902a3d24e96eed170ff7b86f34ee4674b46ad2dc1c2419ce3adaea76924da9572f07c55260b60071239381d769403bbce33fd87f0e0e20da6418ee56d5ddfa9

Download Submit
C:\Windows\System\hmlLCFZ.exe

Filesize
5.9MB

MD5
cdc7e2d0cecbe99ba35caadfc1b78cae

SHA1
1d794d7145e8c62b93a5ac0ea6a1b4e47260993a

SHA256
2ced6d3b63a8b28aa8cdcdf9d6c1537dd2460b6de7bc77844d51e0a52ccf5e3b

SHA512
d53e57264fd49a94cb6444b08bcd8f7b19e582a36a53fb0e02250a4813fa583775af965a2098a56b6c0853811c6feee7ce2b42977884155f71da74dbef4a4b21

Download Submit
C:\Windows\System\jXOmGzt.exe

Filesize
5.9MB

MD5
8a2ded36fd1649e9fe3400a87efdec1d

SHA1
c88c65e2bb5dbc61315adffea67a5e47446dd1b1

SHA256
9323507b3b06ce02ea178257574f217e6d8066c27dc97fb446fc79322f5f1135

SHA512
1a7c862acb4ba90ba15532408274504cc7cb0dcc09fbbce65f8246a193ee329a4cf6806f6824eb7e7b04124a8b2ef7cce361e3e011bad19cc4654f71d283407e

Download Submit
C:\Windows\System\omPeUre.exe

Filesize
5.9MB

MD5
d37fe52b9c62ac696ccb499a550fce2d

SHA1
7f47dac6f84c6565a312fbf44ba42018bf03ed3b

SHA256
9021534e2fa281b8bfb7d4d2284f4b2bcc842c9cbeff16c531245a3dcfc74458

SHA512
75e43dea06f7df66685589b93f6511591d56487780a8ab28cf5e49d8b367e0cc256857c421fd696e791279e3bfadcc9d37a2fce93e9c24ed3eb6c079e0498dfb

Download Submit
C:\Windows\System\qOqsYNp.exe

Filesize
5.9MB

MD5
9c1af68c343cd19a2f1745cbd066243e

SHA1
ab5850a5dc2cdf7ceadc62f7befcbedbac41d1f0

SHA256
0d216f7734deec759574b38e1ef2caeabf4a0df17c8604085648e1b275dcd49a

SHA512
7639c070c96c396447cecc31dca32deb0758a0a3c7a465d1b836a87de9f2ab41b41d0452471cf1aa55b3ea56d98dc2fc51d48144bcda7aef561a8d26b67f4958

Download Submit
C:\Windows\System\rmNYFLN.exe

Filesize
5.9MB

MD5
609fcc8b88e59627390fd0a9165676b5

SHA1
89555a8d61b997e90f7876c049a2c25e7dcedeae

SHA256
c0ed5c037c78b9ed39653c57f00a2c7cdcecdfbf7a4176f6e6e4e96bb101a3a7

SHA512
d6dd89b28e96453d2d8179c8cc4896830d82d4e40c12f7afbc76226f66dd1b20e45512009d6f6d027c6f16f679fb3e98f7c7551cf99c9736fb7cc06a148ef35e

Download Submit
C:\Windows\System\sOERHfX.exe

Filesize
5.9MB

MD5
f3ab9e76de2098ad40c3f0caa8d80fb2

SHA1
8758559d9c920003c22b66173d924a3bfcd62356

SHA256
93ae538088fd41df7ba23f3adcbc002c9971b9e4919164c862e92ba034268778

SHA512
c4f72d8b882b57c7a8118b505ee0cbae1ffffbcf689e63bd356e1f89b3b43a13897976d641879896b22e074b0f87ca17fc4b0c9f70431a11162a0437ce503769

Download Submit
C:\Windows\System\uCzJBOV.exe

Filesize
5.9MB

MD5
7b24327854c8ed57cc4e203177576090

SHA1
182a26a26bf52d1c4dc3993ce29b6ac8fb7c535a

SHA256
7bc1bb5d0cca50f466b89bda5a05d4de4d9f5f7b882c5d0060efca7e34550df6

SHA512
c127d0a20bc0ebe83ec98b18feb5590b65e95d98f0d74d3171e6af85efb17125362d8bd53bb3a3290819a40853804dabbad479980cdb01d6694d8e38c8c308ae

Download Submit
C:\Windows\System\zSAGwsK.exe

Filesize
5.9MB

MD5
a37e2a4549776e7317d04f46fba315d8

SHA1
935c3669f89cdc2fd9121cea5eb3aa487bf250c3

SHA256
4306ad49f599ef73f51469b178713cbc0844e5b76b2bba11008e2601c571486a

SHA512
7c3acc74e75a2c474923aad80a7e273be6c08043c85dbf7c0e0fe4c880d45f69149f255c7c49c243abd71ba7c7c009e546b6e316b2252c9c1465a2b49936d6e3

Download Submit
memory/8-150-0x00007FF7A5C20000-0x00007FF7A5F74000-memory.dmp

Filesize
3.3MB

Download
memory/8-32-0x00007FF7A5C20000-0x00007FF7A5F74000-memory.dmp

Filesize
3.3MB

Download
memory/8-87-0x00007FF7A5C20000-0x00007FF7A5F74000-memory.dmp

Filesize
3.3MB

Download
memory/384-102-0x00007FF6B8950000-0x00007FF6B8CA4000-memory.dmp

Filesize
3.3MB

Download
memory/384-160-0x00007FF6B8950000-0x00007FF6B8CA4000-memory.dmp

Filesize
3.3MB

Download
memory/1036-158-0x00007FF6A03C0000-0x00007FF6A0714000-memory.dmp

Filesize
3.3MB

Download
memory/1036-141-0x00007FF6A03C0000-0x00007FF6A0714000-memory.dmp

Filesize
3.3MB

Download
memory/1036-84-0x00007FF6A03C0000-0x00007FF6A0714000-memory.dmp

Filesize
3.3MB

Download
memory/1636-108-0x00007FF6C0EE0000-0x00007FF6C1234000-memory.dmp

Filesize
3.3MB

Download
memory/1636-161-0x00007FF6C0EE0000-0x00007FF6C1234000-memory.dmp

Filesize
3.3MB

Download
memory/1964-0-0x00007FF62F940000-0x00007FF62FC94000-memory.dmp

Filesize
3.3MB

Download
memory/1964-54-0x00007FF62F940000-0x00007FF62FC94000-memory.dmp

Filesize
3.3MB

Download
memory/1964-1-0x00000214D0010000-0x00000214D0020000-memory.dmp

Filesize
64KB

Download
memory/2088-142-0x00007FF605690000-0x00007FF6059E4000-memory.dmp

Filesize
3.3MB

Download
memory/2088-164-0x00007FF605690000-0x00007FF6059E4000-memory.dmp

Filesize
3.3MB

Download
memory/2088-121-0x00007FF605690000-0x00007FF6059E4000-memory.dmp

Filesize
3.3MB

Download
memory/2440-135-0x00007FF7EB190000-0x00007FF7EB4E4000-memory.dmp

Filesize
3.3MB

Download
memory/2440-159-0x00007FF7EB190000-0x00007FF7EB4E4000-memory.dmp

Filesize
3.3MB

Download
memory/2440-89-0x00007FF7EB190000-0x00007FF7EB4E4000-memory.dmp

Filesize
3.3MB

Download
memory/2472-118-0x00007FF7CF200000-0x00007FF7CF554000-memory.dmp

Filesize
3.3MB

Download
memory/2472-162-0x00007FF7CF200000-0x00007FF7CF554000-memory.dmp

Filesize
3.3MB

Download
memory/2612-68-0x00007FF703B10000-0x00007FF703E64000-memory.dmp

Filesize
3.3MB

Download
memory/2612-128-0x00007FF703B10000-0x00007FF703E64000-memory.dmp

Filesize
3.3MB

Download
memory/2612-156-0x00007FF703B10000-0x00007FF703E64000-memory.dmp

Filesize
3.3MB

Download
memory/2856-75-0x00007FF761650000-0x00007FF7619A4000-memory.dmp

Filesize
3.3MB

Download
memory/2856-133-0x00007FF761650000-0x00007FF7619A4000-memory.dmp

Filesize
3.3MB

Download
memory/2856-157-0x00007FF761650000-0x00007FF7619A4000-memory.dmp

Filesize
3.3MB

Download
memory/2904-80-0x00007FF68F350000-0x00007FF68F6A4000-memory.dmp

Filesize
3.3MB

Download
memory/2904-149-0x00007FF68F350000-0x00007FF68F6A4000-memory.dmp

Filesize
3.3MB

Download
memory/2904-24-0x00007FF68F350000-0x00007FF68F6A4000-memory.dmp

Filesize
3.3MB

Download
memory/3152-42-0x00007FF7D76D0000-0x00007FF7D7A24000-memory.dmp

Filesize
3.3MB

Download
memory/3152-98-0x00007FF7D76D0000-0x00007FF7D7A24000-memory.dmp

Filesize
3.3MB

Download
memory/3152-152-0x00007FF7D76D0000-0x00007FF7D7A24000-memory.dmp

Filesize
3.3MB

Download
memory/3356-148-0x00007FF7132D0000-0x00007FF713624000-memory.dmp

Filesize
3.3MB

Download
memory/3356-74-0x00007FF7132D0000-0x00007FF713624000-memory.dmp

Filesize
3.3MB

Download
memory/3356-18-0x00007FF7132D0000-0x00007FF713624000-memory.dmp

Filesize
3.3MB

Download
memory/3420-126-0x00007FF6FD030000-0x00007FF6FD384000-memory.dmp

Filesize
3.3MB

Download
memory/3420-143-0x00007FF6FD030000-0x00007FF6FD384000-memory.dmp

Filesize
3.3MB

Download
memory/3420-163-0x00007FF6FD030000-0x00007FF6FD384000-memory.dmp

Filesize
3.3MB

Download
memory/3868-145-0x00007FF6F5EF0000-0x00007FF6F6244000-memory.dmp

Filesize
3.3MB

Download
memory/3868-136-0x00007FF6F5EF0000-0x00007FF6F6244000-memory.dmp

Filesize
3.3MB

Download
memory/3868-165-0x00007FF6F5EF0000-0x00007FF6F6244000-memory.dmp

Filesize
3.3MB

Download
memory/3928-107-0x00007FF63A6F0000-0x00007FF63AA44000-memory.dmp

Filesize
3.3MB

Download
memory/3928-47-0x00007FF63A6F0000-0x00007FF63AA44000-memory.dmp

Filesize
3.3MB

Download
memory/3928-153-0x00007FF63A6F0000-0x00007FF63AA44000-memory.dmp

Filesize
3.3MB

Download
memory/3952-146-0x00007FF6B02E0000-0x00007FF6B0634000-memory.dmp

Filesize
3.3MB

Download
memory/3952-8-0x00007FF6B02E0000-0x00007FF6B0634000-memory.dmp

Filesize
3.3MB

Download
memory/4012-113-0x00007FF6C1F70000-0x00007FF6C22C4000-memory.dmp

Filesize
3.3MB

Download
memory/4012-55-0x00007FF6C1F70000-0x00007FF6C22C4000-memory.dmp

Filesize
3.3MB

Download
memory/4012-154-0x00007FF6C1F70000-0x00007FF6C22C4000-memory.dmp

Filesize
3.3MB

Download
memory/4200-120-0x00007FF6A9FF0000-0x00007FF6AA344000-memory.dmp

Filesize
3.3MB

Download
memory/4200-155-0x00007FF6A9FF0000-0x00007FF6AA344000-memory.dmp

Filesize
3.3MB

Download
memory/4200-61-0x00007FF6A9FF0000-0x00007FF6AA344000-memory.dmp

Filesize
3.3MB

Download
memory/4664-132-0x00007FF7EEAC0000-0x00007FF7EEE14000-memory.dmp

Filesize
3.3MB

Download
memory/4664-144-0x00007FF7EEAC0000-0x00007FF7EEE14000-memory.dmp

Filesize
3.3MB

Download
memory/4664-166-0x00007FF7EEAC0000-0x00007FF7EEE14000-memory.dmp

Filesize
3.3MB

Download
memory/4676-88-0x00007FF6F8740000-0x00007FF6F8A94000-memory.dmp

Filesize
3.3MB

Download
memory/4676-151-0x00007FF6F8740000-0x00007FF6F8A94000-memory.dmp

Filesize
3.3MB

Download
memory/4676-36-0x00007FF6F8740000-0x00007FF6F8A94000-memory.dmp

Filesize
3.3MB

Download
memory/4708-67-0x00007FF62A7D0000-0x00007FF62AB24000-memory.dmp

Filesize
3.3MB

Download
memory/4708-12-0x00007FF62A7D0000-0x00007FF62AB24000-memory.dmp

Filesize
3.3MB

Download
memory/4708-147-0x00007FF62A7D0000-0x00007FF62AB24000-memory.dmp

Filesize
3.3MB

Download