cobaltstrike | 1e8ca3ab3df14340e4b4615ef6692e26e02bbebc8a0d0112e9a1025854eb67cb

Analysis

max time kernel
142s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
26-09-2024 19:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-26_a64907eb635b107471099750a8eab997_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

a64907eb635b107471099750a8eab997
SHA1

0e12962233c889ccd338c2b8ce764ab7f391c4e5
SHA256

1e8ca3ab3df14340e4b4615ef6692e26e02bbebc8a0d0112e9a1025854eb67cb
SHA512

10da28821f7762755d8f90c6daf6d898e0181a54a3470233e35121c84b6c10e98fac1022a20156aa438b13021e06ef0a1a1aa6d46eb562bed7e3e41cd7990309
SSDEEP

98304:oemTLkNdfE0pZrt56utgpPFotBER/mQ32lUi:T+856utgpPF8u/7i

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000800000002350c-5.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002350e-10.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002350d-12.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023510-22.dat	cobalt_reflective_dll
behavioral2/files/0x000800000002350a-30.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023511-35.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023512-41.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023513-46.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023514-54.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023515-58.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023516-66.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023517-75.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023518-80.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002351a-95.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023519-93.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002351b-100.dat	cobalt_reflective_dll
behavioral2/files/0x000200000001e59e-106.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002351d-113.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023520-126.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023521-136.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002351e-138.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/1176-0-0x00007FF7BA3C0000-0x00007FF7BA714000-memory.dmp	xmrig
behavioral2/files/0x000800000002350c-5.dat	xmrig
behavioral2/files/0x000700000002350e-10.dat	xmrig
behavioral2/files/0x000700000002350d-12.dat	xmrig
behavioral2/memory/2680-14-0x00007FF6753D0000-0x00007FF675724000-memory.dmp	xmrig
behavioral2/memory/2372-9-0x00007FF6AA0C0000-0x00007FF6AA414000-memory.dmp	xmrig
behavioral2/memory/2696-18-0x00007FF69A0F0000-0x00007FF69A444000-memory.dmp	xmrig
behavioral2/files/0x0007000000023510-22.dat	xmrig
behavioral2/files/0x000800000002350a-30.dat	xmrig
behavioral2/memory/860-24-0x00007FF650EE0000-0x00007FF651234000-memory.dmp	xmrig
behavioral2/files/0x0007000000023511-35.dat	xmrig
behavioral2/memory/2100-36-0x00007FF787560000-0x00007FF7878B4000-memory.dmp	xmrig
behavioral2/memory/2412-32-0x00007FF6D6870000-0x00007FF6D6BC4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023512-41.dat	xmrig
behavioral2/files/0x0007000000023513-46.dat	xmrig
behavioral2/memory/244-48-0x00007FF616590000-0x00007FF6168E4000-memory.dmp	xmrig
behavioral2/memory/3728-44-0x00007FF74C1D0000-0x00007FF74C524000-memory.dmp	xmrig
behavioral2/files/0x0007000000023514-54.dat	xmrig
behavioral2/memory/1096-55-0x00007FF6F5900000-0x00007FF6F5C54000-memory.dmp	xmrig
behavioral2/files/0x0007000000023515-58.dat	xmrig
behavioral2/memory/1176-60-0x00007FF7BA3C0000-0x00007FF7BA714000-memory.dmp	xmrig
behavioral2/memory/3296-61-0x00007FF71DF00000-0x00007FF71E254000-memory.dmp	xmrig
behavioral2/files/0x0007000000023516-66.dat	xmrig
behavioral2/memory/3892-67-0x00007FF7B6A90000-0x00007FF7B6DE4000-memory.dmp	xmrig
behavioral2/memory/2680-71-0x00007FF6753D0000-0x00007FF675724000-memory.dmp	xmrig
behavioral2/memory/2028-74-0x00007FF70F400000-0x00007FF70F754000-memory.dmp	xmrig
behavioral2/files/0x0007000000023517-75.dat	xmrig
behavioral2/files/0x0007000000023518-80.dat	xmrig
behavioral2/memory/2696-81-0x00007FF69A0F0000-0x00007FF69A444000-memory.dmp	xmrig
behavioral2/memory/860-89-0x00007FF650EE0000-0x00007FF651234000-memory.dmp	xmrig
behavioral2/memory/3652-92-0x00007FF745AB0000-0x00007FF745E04000-memory.dmp	xmrig
behavioral2/files/0x000700000002351a-95.dat	xmrig
behavioral2/files/0x0007000000023519-93.dat	xmrig
behavioral2/memory/636-90-0x00007FF6B47B0000-0x00007FF6B4B04000-memory.dmp	xmrig
behavioral2/memory/2076-86-0x00007FF73DAA0000-0x00007FF73DDF4000-memory.dmp	xmrig
behavioral2/memory/2100-97-0x00007FF787560000-0x00007FF7878B4000-memory.dmp	xmrig
behavioral2/files/0x000700000002351b-100.dat	xmrig
behavioral2/memory/3728-102-0x00007FF74C1D0000-0x00007FF74C524000-memory.dmp	xmrig
behavioral2/files/0x000200000001e59e-106.dat	xmrig
behavioral2/files/0x000700000002351d-113.dat	xmrig
behavioral2/memory/1096-115-0x00007FF6F5900000-0x00007FF6F5C54000-memory.dmp	xmrig
behavioral2/memory/2152-116-0x00007FF723170000-0x00007FF7234C4000-memory.dmp	xmrig
behavioral2/memory/4600-114-0x00007FF7879D0000-0x00007FF787D24000-memory.dmp	xmrig
behavioral2/memory/244-112-0x00007FF616590000-0x00007FF6168E4000-memory.dmp	xmrig
behavioral2/memory/5032-109-0x00007FF6BAFD0000-0x00007FF6BB324000-memory.dmp	xmrig
behavioral2/memory/3296-119-0x00007FF71DF00000-0x00007FF71E254000-memory.dmp	xmrig
behavioral2/memory/3892-120-0x00007FF7B6A90000-0x00007FF7B6DE4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023520-126.dat	xmrig
behavioral2/memory/2076-127-0x00007FF73DAA0000-0x00007FF73DDF4000-memory.dmp	xmrig
behavioral2/memory/2028-129-0x00007FF70F400000-0x00007FF70F754000-memory.dmp	xmrig
behavioral2/files/0x0007000000023521-136.dat	xmrig
behavioral2/memory/2852-135-0x00007FF712490000-0x00007FF7127E4000-memory.dmp	xmrig
behavioral2/memory/4932-131-0x00007FF6FCBA0000-0x00007FF6FCEF4000-memory.dmp	xmrig
behavioral2/memory/3868-128-0x00007FF7B6FB0000-0x00007FF7B7304000-memory.dmp	xmrig
behavioral2/files/0x000700000002351e-138.dat	xmrig
behavioral2/memory/636-140-0x00007FF6B47B0000-0x00007FF6B4B04000-memory.dmp	xmrig
behavioral2/memory/3652-141-0x00007FF745AB0000-0x00007FF745E04000-memory.dmp	xmrig
behavioral2/memory/5032-142-0x00007FF6BAFD0000-0x00007FF6BB324000-memory.dmp	xmrig
behavioral2/memory/2152-143-0x00007FF723170000-0x00007FF7234C4000-memory.dmp	xmrig
behavioral2/memory/3868-144-0x00007FF7B6FB0000-0x00007FF7B7304000-memory.dmp	xmrig
behavioral2/memory/4932-145-0x00007FF6FCBA0000-0x00007FF6FCEF4000-memory.dmp	xmrig
behavioral2/memory/2852-146-0x00007FF712490000-0x00007FF7127E4000-memory.dmp	xmrig
behavioral2/memory/2372-147-0x00007FF6AA0C0000-0x00007FF6AA414000-memory.dmp	xmrig
behavioral2/memory/2680-148-0x00007FF6753D0000-0x00007FF675724000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2372	SZmgWhL.exe
2680	HmPthBt.exe
2696	TUrDARX.exe
860	shfetWU.exe
2412	avbnZDn.exe
2100	XwLgexz.exe
3728	HPtfCor.exe
244	cxivChW.exe
1096	KCmlQOX.exe
3296	dPCubIe.exe
3892	uJRdecF.exe
2028	fdVZGay.exe
2076	XDjzBJk.exe
636	rOatEBH.exe
3652	RomHHdX.exe
5032	pgZGzbk.exe
4600	CJCOamx.exe
2152	oGsIVPe.exe
3868	ypcoypi.exe
4932	YKIehpg.exe
2852	QCisKom.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1176-0-0x00007FF7BA3C0000-0x00007FF7BA714000-memory.dmp	upx
behavioral2/files/0x000800000002350c-5.dat	upx
behavioral2/files/0x000700000002350e-10.dat	upx
behavioral2/files/0x000700000002350d-12.dat	upx
behavioral2/memory/2680-14-0x00007FF6753D0000-0x00007FF675724000-memory.dmp	upx
behavioral2/memory/2372-9-0x00007FF6AA0C0000-0x00007FF6AA414000-memory.dmp	upx
behavioral2/memory/2696-18-0x00007FF69A0F0000-0x00007FF69A444000-memory.dmp	upx
behavioral2/files/0x0007000000023510-22.dat	upx
behavioral2/files/0x000800000002350a-30.dat	upx
behavioral2/memory/860-24-0x00007FF650EE0000-0x00007FF651234000-memory.dmp	upx
behavioral2/files/0x0007000000023511-35.dat	upx
behavioral2/memory/2100-36-0x00007FF787560000-0x00007FF7878B4000-memory.dmp	upx
behavioral2/memory/2412-32-0x00007FF6D6870000-0x00007FF6D6BC4000-memory.dmp	upx
behavioral2/files/0x0007000000023512-41.dat	upx
behavioral2/files/0x0007000000023513-46.dat	upx
behavioral2/memory/244-48-0x00007FF616590000-0x00007FF6168E4000-memory.dmp	upx
behavioral2/memory/3728-44-0x00007FF74C1D0000-0x00007FF74C524000-memory.dmp	upx
behavioral2/files/0x0007000000023514-54.dat	upx
behavioral2/memory/1096-55-0x00007FF6F5900000-0x00007FF6F5C54000-memory.dmp	upx
behavioral2/files/0x0007000000023515-58.dat	upx
behavioral2/memory/1176-60-0x00007FF7BA3C0000-0x00007FF7BA714000-memory.dmp	upx
behavioral2/memory/3296-61-0x00007FF71DF00000-0x00007FF71E254000-memory.dmp	upx
behavioral2/files/0x0007000000023516-66.dat	upx
behavioral2/memory/3892-67-0x00007FF7B6A90000-0x00007FF7B6DE4000-memory.dmp	upx
behavioral2/memory/2680-71-0x00007FF6753D0000-0x00007FF675724000-memory.dmp	upx
behavioral2/memory/2028-74-0x00007FF70F400000-0x00007FF70F754000-memory.dmp	upx
behavioral2/files/0x0007000000023517-75.dat	upx
behavioral2/files/0x0007000000023518-80.dat	upx
behavioral2/memory/2696-81-0x00007FF69A0F0000-0x00007FF69A444000-memory.dmp	upx
behavioral2/memory/860-89-0x00007FF650EE0000-0x00007FF651234000-memory.dmp	upx
behavioral2/memory/3652-92-0x00007FF745AB0000-0x00007FF745E04000-memory.dmp	upx
behavioral2/files/0x000700000002351a-95.dat	upx
behavioral2/files/0x0007000000023519-93.dat	upx
behavioral2/memory/636-90-0x00007FF6B47B0000-0x00007FF6B4B04000-memory.dmp	upx
behavioral2/memory/2076-86-0x00007FF73DAA0000-0x00007FF73DDF4000-memory.dmp	upx
behavioral2/memory/2100-97-0x00007FF787560000-0x00007FF7878B4000-memory.dmp	upx
behavioral2/files/0x000700000002351b-100.dat	upx
behavioral2/memory/3728-102-0x00007FF74C1D0000-0x00007FF74C524000-memory.dmp	upx
behavioral2/files/0x000200000001e59e-106.dat	upx
behavioral2/files/0x000700000002351d-113.dat	upx
behavioral2/memory/1096-115-0x00007FF6F5900000-0x00007FF6F5C54000-memory.dmp	upx
behavioral2/memory/2152-116-0x00007FF723170000-0x00007FF7234C4000-memory.dmp	upx
behavioral2/memory/4600-114-0x00007FF7879D0000-0x00007FF787D24000-memory.dmp	upx
behavioral2/memory/244-112-0x00007FF616590000-0x00007FF6168E4000-memory.dmp	upx
behavioral2/memory/5032-109-0x00007FF6BAFD0000-0x00007FF6BB324000-memory.dmp	upx
behavioral2/memory/3296-119-0x00007FF71DF00000-0x00007FF71E254000-memory.dmp	upx
behavioral2/memory/3892-120-0x00007FF7B6A90000-0x00007FF7B6DE4000-memory.dmp	upx
behavioral2/files/0x0007000000023520-126.dat	upx
behavioral2/memory/2076-127-0x00007FF73DAA0000-0x00007FF73DDF4000-memory.dmp	upx
behavioral2/memory/2028-129-0x00007FF70F400000-0x00007FF70F754000-memory.dmp	upx
behavioral2/files/0x0007000000023521-136.dat	upx
behavioral2/memory/2852-135-0x00007FF712490000-0x00007FF7127E4000-memory.dmp	upx
behavioral2/memory/4932-131-0x00007FF6FCBA0000-0x00007FF6FCEF4000-memory.dmp	upx
behavioral2/memory/3868-128-0x00007FF7B6FB0000-0x00007FF7B7304000-memory.dmp	upx
behavioral2/files/0x000700000002351e-138.dat	upx
behavioral2/memory/636-140-0x00007FF6B47B0000-0x00007FF6B4B04000-memory.dmp	upx
behavioral2/memory/3652-141-0x00007FF745AB0000-0x00007FF745E04000-memory.dmp	upx
behavioral2/memory/5032-142-0x00007FF6BAFD0000-0x00007FF6BB324000-memory.dmp	upx
behavioral2/memory/2152-143-0x00007FF723170000-0x00007FF7234C4000-memory.dmp	upx
behavioral2/memory/3868-144-0x00007FF7B6FB0000-0x00007FF7B7304000-memory.dmp	upx
behavioral2/memory/4932-145-0x00007FF6FCBA0000-0x00007FF6FCEF4000-memory.dmp	upx
behavioral2/memory/2852-146-0x00007FF712490000-0x00007FF7127E4000-memory.dmp	upx
behavioral2/memory/2372-147-0x00007FF6AA0C0000-0x00007FF6AA414000-memory.dmp	upx
behavioral2/memory/2680-148-0x00007FF6753D0000-0x00007FF675724000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\shfetWU.exe	2024-09-26_a64907eb635b107471099750a8eab997_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fdVZGay.exe	2024-09-26_a64907eb635b107471099750a8eab997_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oGsIVPe.exe	2024-09-26_a64907eb635b107471099750a8eab997_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ypcoypi.exe	2024-09-26_a64907eb635b107471099750a8eab997_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HmPthBt.exe	2024-09-26_a64907eb635b107471099750a8eab997_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XwLgexz.exe	2024-09-26_a64907eb635b107471099750a8eab997_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HPtfCor.exe	2024-09-26_a64907eb635b107471099750a8eab997_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uJRdecF.exe	2024-09-26_a64907eb635b107471099750a8eab997_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RomHHdX.exe	2024-09-26_a64907eb635b107471099750a8eab997_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pgZGzbk.exe	2024-09-26_a64907eb635b107471099750a8eab997_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CJCOamx.exe	2024-09-26_a64907eb635b107471099750a8eab997_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QCisKom.exe	2024-09-26_a64907eb635b107471099750a8eab997_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TUrDARX.exe	2024-09-26_a64907eb635b107471099750a8eab997_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YKIehpg.exe	2024-09-26_a64907eb635b107471099750a8eab997_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KCmlQOX.exe	2024-09-26_a64907eb635b107471099750a8eab997_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\avbnZDn.exe	2024-09-26_a64907eb635b107471099750a8eab997_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cxivChW.exe	2024-09-26_a64907eb635b107471099750a8eab997_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dPCubIe.exe	2024-09-26_a64907eb635b107471099750a8eab997_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XDjzBJk.exe	2024-09-26_a64907eb635b107471099750a8eab997_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rOatEBH.exe	2024-09-26_a64907eb635b107471099750a8eab997_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SZmgWhL.exe	2024-09-26_a64907eb635b107471099750a8eab997_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1176	2024-09-26_a64907eb635b107471099750a8eab997_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	1176	2024-09-26_a64907eb635b107471099750a8eab997_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1176 wrote to memory of 2372	1176	2024-09-26_a64907eb635b107471099750a8eab997_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 1176 wrote to memory of 2372	1176	2024-09-26_a64907eb635b107471099750a8eab997_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 1176 wrote to memory of 2680	1176	2024-09-26_a64907eb635b107471099750a8eab997_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 1176 wrote to memory of 2680	1176	2024-09-26_a64907eb635b107471099750a8eab997_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 1176 wrote to memory of 2696	1176	2024-09-26_a64907eb635b107471099750a8eab997_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 1176 wrote to memory of 2696	1176	2024-09-26_a64907eb635b107471099750a8eab997_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 1176 wrote to memory of 860	1176	2024-09-26_a64907eb635b107471099750a8eab997_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 1176 wrote to memory of 860	1176	2024-09-26_a64907eb635b107471099750a8eab997_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 1176 wrote to memory of 2412	1176	2024-09-26_a64907eb635b107471099750a8eab997_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 1176 wrote to memory of 2412	1176	2024-09-26_a64907eb635b107471099750a8eab997_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 1176 wrote to memory of 2100	1176	2024-09-26_a64907eb635b107471099750a8eab997_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1176 wrote to memory of 2100	1176	2024-09-26_a64907eb635b107471099750a8eab997_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1176 wrote to memory of 3728	1176	2024-09-26_a64907eb635b107471099750a8eab997_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1176 wrote to memory of 3728	1176	2024-09-26_a64907eb635b107471099750a8eab997_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1176 wrote to memory of 244	1176	2024-09-26_a64907eb635b107471099750a8eab997_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1176 wrote to memory of 244	1176	2024-09-26_a64907eb635b107471099750a8eab997_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1176 wrote to memory of 1096	1176	2024-09-26_a64907eb635b107471099750a8eab997_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1176 wrote to memory of 1096	1176	2024-09-26_a64907eb635b107471099750a8eab997_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1176 wrote to memory of 3296	1176	2024-09-26_a64907eb635b107471099750a8eab997_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 1176 wrote to memory of 3296	1176	2024-09-26_a64907eb635b107471099750a8eab997_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 1176 wrote to memory of 3892	1176	2024-09-26_a64907eb635b107471099750a8eab997_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1176 wrote to memory of 3892	1176	2024-09-26_a64907eb635b107471099750a8eab997_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1176 wrote to memory of 2028	1176	2024-09-26_a64907eb635b107471099750a8eab997_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1176 wrote to memory of 2028	1176	2024-09-26_a64907eb635b107471099750a8eab997_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1176 wrote to memory of 2076	1176	2024-09-26_a64907eb635b107471099750a8eab997_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 1176 wrote to memory of 2076	1176	2024-09-26_a64907eb635b107471099750a8eab997_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 1176 wrote to memory of 636	1176	2024-09-26_a64907eb635b107471099750a8eab997_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1176 wrote to memory of 636	1176	2024-09-26_a64907eb635b107471099750a8eab997_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1176 wrote to memory of 3652	1176	2024-09-26_a64907eb635b107471099750a8eab997_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1176 wrote to memory of 3652	1176	2024-09-26_a64907eb635b107471099750a8eab997_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1176 wrote to memory of 5032	1176	2024-09-26_a64907eb635b107471099750a8eab997_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1176 wrote to memory of 5032	1176	2024-09-26_a64907eb635b107471099750a8eab997_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1176 wrote to memory of 4600	1176	2024-09-26_a64907eb635b107471099750a8eab997_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1176 wrote to memory of 4600	1176	2024-09-26_a64907eb635b107471099750a8eab997_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1176 wrote to memory of 2152	1176	2024-09-26_a64907eb635b107471099750a8eab997_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1176 wrote to memory of 2152	1176	2024-09-26_a64907eb635b107471099750a8eab997_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1176 wrote to memory of 3868	1176	2024-09-26_a64907eb635b107471099750a8eab997_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 1176 wrote to memory of 3868	1176	2024-09-26_a64907eb635b107471099750a8eab997_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 1176 wrote to memory of 4932	1176	2024-09-26_a64907eb635b107471099750a8eab997_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 1176 wrote to memory of 4932	1176	2024-09-26_a64907eb635b107471099750a8eab997_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 1176 wrote to memory of 2852	1176	2024-09-26_a64907eb635b107471099750a8eab997_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 1176 wrote to memory of 2852	1176	2024-09-26_a64907eb635b107471099750a8eab997_cobalt-strike_cobaltstrike_poet-rat.exe	105

C:\Users\Admin\AppData\Local\Temp\2024-09-26_a64907eb635b107471099750a8eab997_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-26_a64907eb635b107471099750a8eab997_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1176
- C:\Windows\System\SZmgWhL.exe
  C:\Windows\System\SZmgWhL.exe
  2⤵
  - Executes dropped EXE
  PID:2372
- C:\Windows\System\HmPthBt.exe
  C:\Windows\System\HmPthBt.exe
  2⤵
  - Executes dropped EXE
  PID:2680
- C:\Windows\System\TUrDARX.exe
  C:\Windows\System\TUrDARX.exe
  2⤵
  - Executes dropped EXE
  PID:2696
- C:\Windows\System\shfetWU.exe
  C:\Windows\System\shfetWU.exe
  2⤵
  - Executes dropped EXE
  PID:860
- C:\Windows\System\avbnZDn.exe
  C:\Windows\System\avbnZDn.exe
  2⤵
  - Executes dropped EXE
  PID:2412
- C:\Windows\System\XwLgexz.exe
  C:\Windows\System\XwLgexz.exe
  2⤵
  - Executes dropped EXE
  PID:2100
- C:\Windows\System\HPtfCor.exe
  C:\Windows\System\HPtfCor.exe
  2⤵
  - Executes dropped EXE
  PID:3728
- C:\Windows\System\cxivChW.exe
  C:\Windows\System\cxivChW.exe
  2⤵
  - Executes dropped EXE
  PID:244
- C:\Windows\System\KCmlQOX.exe
  C:\Windows\System\KCmlQOX.exe
  2⤵
  - Executes dropped EXE
  PID:1096
- C:\Windows\System\dPCubIe.exe
  C:\Windows\System\dPCubIe.exe
  2⤵
  - Executes dropped EXE
  PID:3296
- C:\Windows\System\uJRdecF.exe
  C:\Windows\System\uJRdecF.exe
  2⤵
  - Executes dropped EXE
  PID:3892
- C:\Windows\System\fdVZGay.exe
  C:\Windows\System\fdVZGay.exe
  2⤵
  - Executes dropped EXE
  PID:2028
- C:\Windows\System\XDjzBJk.exe
  C:\Windows\System\XDjzBJk.exe
  2⤵
  - Executes dropped EXE
  PID:2076
- C:\Windows\System\rOatEBH.exe
  C:\Windows\System\rOatEBH.exe
  2⤵
  - Executes dropped EXE
  PID:636
- C:\Windows\System\RomHHdX.exe
  C:\Windows\System\RomHHdX.exe
  2⤵
  - Executes dropped EXE
  PID:3652
- C:\Windows\System\pgZGzbk.exe
  C:\Windows\System\pgZGzbk.exe
  2⤵
  - Executes dropped EXE
  PID:5032
- C:\Windows\System\CJCOamx.exe
  C:\Windows\System\CJCOamx.exe
  2⤵
  - Executes dropped EXE
  PID:4600
- C:\Windows\System\oGsIVPe.exe
  C:\Windows\System\oGsIVPe.exe
  2⤵
  - Executes dropped EXE
  PID:2152
- C:\Windows\System\ypcoypi.exe
  C:\Windows\System\ypcoypi.exe
  2⤵
  - Executes dropped EXE
  PID:3868
- C:\Windows\System\YKIehpg.exe
  C:\Windows\System\YKIehpg.exe
  2⤵
  - Executes dropped EXE
  PID:4932
- C:\Windows\System\QCisKom.exe
  C:\Windows\System\QCisKom.exe
  2⤵
  - Executes dropped EXE
  PID:2852

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\CJCOamx.exe

Filesize
5.9MB

MD5
6ef8218bbeec968e8681cbb9f9554029

SHA1
335b7b325ba6445800372cc686c4a5f130d7e546

SHA256
2f999a3e34ac665f963ad5485d083254c4b6aa1630c871373668a0c2e8d3a85a

SHA512
d25e40aaaffb6da7c3f09903be7280f319b059547608ba617961d2878bb1d6f7e0aa3109ef6e7f09d21b05cb13bb2477778cb39eb0fdc93576dd3e24b0ce5b1f

Download Submit
C:\Windows\System\HPtfCor.exe

Filesize
5.9MB

MD5
2b4a43d89f5288ad77904725f229fcb5

SHA1
2d96d7652536e3212ac34eb36e14258ebfec4f5b

SHA256
dc98b3e59c6e27243b7d0c13021ba1fd0a4cb99ccb340bb325118d3594d4a89f

SHA512
fc6c6bf4dd5968a328aa04ad9f0bb74271237083d0ca3a8123753a27a3f88c5826bae740ba6df5b781dcb057564327ee58778baaf2146f6d53a9fdd0f856d2e0

Download Submit
C:\Windows\System\HmPthBt.exe

Filesize
5.9MB

MD5
85aaaf6a9c1314c5021ca113e1ce0613

SHA1
c5632d33b58e7ceec63d38179f527c328c4e0316

SHA256
d5b0059ea80077d0664cb2e3a7ca8979bc5cc39f11fb0047979cfe588520e903

SHA512
6b874133903f0ddb4360a396c3b65c4f2ac008db2baa5111720fd2bfc17268c1c7aa4d97038982bf57015a872e44489665ef12f95949d3a77071fb6bd3cff2ee

Download Submit
C:\Windows\System\KCmlQOX.exe

Filesize
5.9MB

MD5
aab98007c890416a6bb06aa2e425ea75

SHA1
00e4b7beaae5908dc0e5bdd2ff11b92056563a59

SHA256
042d51f917becbcfd189ae2ac92d4b754c25bd2422fa18b16801c66252b0584b

SHA512
4427c4d214e6b8dd489047a32265b539e643763ce00590fc48963600bac36255a1a4fbb8ad54e3fdc0dac79bf36c056c3b7d9890ec345f174a502fc09013fb23

Download Submit
C:\Windows\System\QCisKom.exe

Filesize
5.9MB

MD5
d2a09fd98e34441f7dfa63c875d1ca42

SHA1
13224fceddb71367ced5eeb0ed96bdab21493f4d

SHA256
b01d562a5745d1135a3d4caa52d91e6208a49e90aa5179e86312d7177d8ed908

SHA512
e2e6d4caefc4e8dd396e46c698c90bc213a6b1dd81df64d46e50434509e96565eaa4f33f949c7fb30aa55d779b73a7e075e95df6efdd034f5ca693e426132e1a

Download Submit
C:\Windows\System\RomHHdX.exe

Filesize
5.9MB

MD5
6f8cf6fc08885b53d2448818c7bc3e98

SHA1
e6ea57da9a8ebc7c3a1502fedc8d618334e5c1f7

SHA256
d461163749a7977a0f51693dc97293178732ae47141b03895cd85a2c64c5d0d5

SHA512
cc71ee8c5f715eaf5a59d568d5fce2c04b26dbe514f0a6d1ea6b6c6ca52dbab6886a9a178a22e9dff7da40100367e1183799b94690d455de75a494f5abc56d4d

Download Submit
C:\Windows\System\SZmgWhL.exe

Filesize
5.9MB

MD5
5b81129cfd9ab53c35d56162da1e5ded

SHA1
aed800e0dd3a0710e86069490f7c156c384ce653

SHA256
063811fe9f626e11da6663195a853754bf5a17942dc2e1bc03679bc905379879

SHA512
88f6f8c267250ff36313967f391124ddab6ca5056ad4e32df65733bb913987b379445de55e077c2bf751aad77d7f782aa2155132e33e4d3175c4a43fe4c4e09d

Download Submit
C:\Windows\System\TUrDARX.exe

Filesize
5.9MB

MD5
6a01c5abf92e2de9ab05bbb3419546db

SHA1
88e79f657f5767e33a79a63f7300270d3b4f5664

SHA256
56cb6572649a64000a2a20b5cc000f11f0479a52491409e03c86af3fa9c838fb

SHA512
abdedf9e90b8e0b7033c4c0dafeace8bbd2db4207d8702ca67a58d25467aaa3c07c516ae4a12531a2ec3fc788862ba7f4d7119d32d2600d1d3f791340a416f1f

Download Submit
C:\Windows\System\XDjzBJk.exe

Filesize
5.9MB

MD5
ad18511f40f3371489010936d51ec5e7

SHA1
6608a703b87b78b3773e2a3e6766c91028d133b3

SHA256
c5b641b32d42a084cda4d1521372069d4894d90a9016444c13aaa2fe9b86b4ba

SHA512
ae323cb633bc8597b5c36760e76e9b872998955d0946641aaa345d49e34bb5c52c54059644ac3e2bf463edd3dceb28c9176e8b084f7b8b41e6016f0cbee3602e

Download Submit
C:\Windows\System\XwLgexz.exe

Filesize
5.9MB

MD5
63168f5fd74b0f4d4dc06a58b7042198

SHA1
4353b31242e69a88e88e658ae4b30f474babfe05

SHA256
b6d73b80c1d569f6cd77956f316fe1e5f11865b47b054a278e1a8622b590e58c

SHA512
0097c8c523437a09f6a5bdb234b87418fd2c2170a37f03a35f7e64038c772bc38ecdbe030cd23c9daa88f30319041762d1a8f348ec4a46c42cdd989a2b2f1f17

Download Submit
C:\Windows\System\YKIehpg.exe

Filesize
5.9MB

MD5
2798d08f0aed01fc600cf99b334cfe73

SHA1
89be3ef331fb32333a130e6e81ba687ee44cfc71

SHA256
e4b5f43608a7ba7ad8f1934943862a85f6954d37c5cbe4496c7fc9911039152a

SHA512
4b8e1307185e45d2aacbe743f56b7a239cdc9147a727130f41d40686e78d315d6a6a4292d9a65b1fbd476c2d0e6b806cbe6801bd19e92c0acc59d603b5bd3f00

Download Submit
C:\Windows\System\avbnZDn.exe

Filesize
5.9MB

MD5
d7677a8e3efda1d73210b6f87ad8ba10

SHA1
874d4239d979401735f9798f50bade68c13efe8e

SHA256
27988f72134cb8b018570b4d38d5d47b888ccd881b0b7e8790baf1e9cddca493

SHA512
9840d25d718c888c8156af6c5b73e3ad88149517cc4af8e5ca052dc4f83414e79a07840d31323e2f258b323530eaed26e165770ef6273e744e2b69414d39d16e

Download Submit
C:\Windows\System\cxivChW.exe

Filesize
5.9MB

MD5
4769f42d6dc27b5208b8a3813064a2cb

SHA1
dd7136b1b4705d9778a253c6ac2001b939fc1d34

SHA256
37a18fd05c432d6b27a6cb2beb7bacde1a028ce9b04b3202c17512a0e169983e

SHA512
a6e2b5b3dfd66b99d0e365d31d26d3ff93e225efd639aac1b3de61ddb6b7f0b2b530900a9c9ac4c7f25379c32014c67fec4427d0119821117d047f2d9a2a0a67

Download Submit
C:\Windows\System\dPCubIe.exe

Filesize
5.9MB

MD5
093f74512c148be2ed24c40dd895e7e9

SHA1
16eb0cb9f18186d695fc968971b027b34f2f6f7b

SHA256
06dd0344e9e6e7bc29c5cb0a8957cedbf35c7d9c1e3451e2635ae0700dadb826

SHA512
84311eaca29328d9f015605f94c349259925560bfdf2e1c9f384ab3bda4091f404d817fe75eaba7f5fdc0e086c347357bbc1c62c162ad1f1346307162f8eb816

Download Submit
C:\Windows\System\fdVZGay.exe

Filesize
5.9MB

MD5
8c59c82a9a2a29afcf6b5e501111492a

SHA1
213ad222e8b452dd2c30ae88b7f998f911790f20

SHA256
167bd1bb3b27aedc6c1dbff316d8bbb124880548a7ccc8e4d6522e57ac2cc85b

SHA512
b44186054b9733c58600b0f4765aa1502a3cdfee4399f2f5e911333ba175d19aa5fda45a5497e54c95abb842a0cd1d8c4039dc7702e769b56ff85bfb62a064ec

Download Submit
C:\Windows\System\oGsIVPe.exe

Filesize
5.9MB

MD5
df3880238d5fad86a958029463a4f752

SHA1
11d0613e53e7e54bb31da18e5d1c3af284d9cf07

SHA256
b92b3aada08f11c6b67ffb4204211070e802c454a16c893fa41dd44c3140e5a6

SHA512
0ec2926734c3fdead80b5e3663443c62954fd79fd74a4681bb7d71a5f2adf246b37b4b63e4e9d11c1cc35123f92eeb6e8e095071cdd1ababcef144eb7c0e5e40

Download Submit
C:\Windows\System\pgZGzbk.exe

Filesize
5.9MB

MD5
9804d1e5e8bd3c7bb9dc299f1be50284

SHA1
e970c48b35a4f65e60c5c30254d64a1a8e234316

SHA256
c910a73ccd44418e29a1454f4f89e555fbe9164c427bdb98991ab0fb63d21000

SHA512
7cda4f09a577a12ea089404f2217de16bac9253ed8c73d1f3e944c5579f3678caa6b1b854af6ccfebd8ceb833d9df70df347a3219d176e38b07be8d10e3064dd

Download Submit
C:\Windows\System\rOatEBH.exe

Filesize
5.9MB

MD5
f9afea13abf3b6b506664a9972b59d67

SHA1
5df510e6626cd7e3b92952f34bd58a058430d7ba

SHA256
6ea2dfb4ee46eddd17275763280d8c99b2de5129ce45d2bc63bff9832b1d7a93

SHA512
3bd4f24ff090a1740fbfc180d09888857607a531ef02bf57cd2245886f6149f27ae0d6d7e1d8fb0a3b3db4437117fe917fd6320c515d3f90eb713e892294e6cd

Download Submit
C:\Windows\System\shfetWU.exe

Filesize
5.9MB

MD5
6b2e302269d5789d1a0c094b62932f7e

SHA1
d1a0aae09ef823e86d7677430e94ec9dc4cc3ac9

SHA256
091654ed03cc22c9c5b48a436ba13b7985222b50848685555fd34d10d984badc

SHA512
11b32653384dd5e3ff86ed352373159926ecfcf00b248596854cd496798d88cc91e42998de36f318fbccdf6d2216fb645c3bbd8bf06d7dd0fb429b427269e199

Download Submit
C:\Windows\System\uJRdecF.exe

Filesize
5.9MB

MD5
9a8ba0b48682d31c065a1f25ce1c44e3

SHA1
41fe1307c530b56984775301d4aabfd3415f771f

SHA256
1ea1e5e6f132d5043f9ff12c4fc63092e994c09b68e67adc28c396ab2c93af15

SHA512
424d9fedb8a955f27478f8c258f1ed3bb676de9f8499c1b1b3a06a45bafd88036ada74bc8b5252183116bbf8beb3a21c7b1fd05b774d63967bd4d504e1fc4add

Download Submit
C:\Windows\System\ypcoypi.exe

Filesize
5.9MB

MD5
a5b22129c6430a02cc5a3ab6cd5ac95d

SHA1
c0ebf066baae7a647517f22d33024066d6b6e2e0

SHA256
7292db0cf6718ade2fc927859db08f9e0019af7fb2325a60bacf63687bab2e0f

SHA512
3e0c132070ab46f2887d70741006cbd706c25aff2b7c6c324f176c81fc16aec73806ff32d6d5b74059a4ae412a84e9901848e04f50bdc5f7f5a22f2297f29ee1

Download Submit
memory/244-112-0x00007FF616590000-0x00007FF6168E4000-memory.dmp

Filesize
3.3MB

Download
memory/244-48-0x00007FF616590000-0x00007FF6168E4000-memory.dmp

Filesize
3.3MB

Download
memory/244-154-0x00007FF616590000-0x00007FF6168E4000-memory.dmp

Filesize
3.3MB

Download
memory/636-160-0x00007FF6B47B0000-0x00007FF6B4B04000-memory.dmp

Filesize
3.3MB

Download
memory/636-90-0x00007FF6B47B0000-0x00007FF6B4B04000-memory.dmp

Filesize
3.3MB

Download
memory/636-140-0x00007FF6B47B0000-0x00007FF6B4B04000-memory.dmp

Filesize
3.3MB

Download
memory/860-89-0x00007FF650EE0000-0x00007FF651234000-memory.dmp

Filesize
3.3MB

Download
memory/860-24-0x00007FF650EE0000-0x00007FF651234000-memory.dmp

Filesize
3.3MB

Download
memory/860-150-0x00007FF650EE0000-0x00007FF651234000-memory.dmp

Filesize
3.3MB

Download
memory/1096-115-0x00007FF6F5900000-0x00007FF6F5C54000-memory.dmp

Filesize
3.3MB

Download
memory/1096-155-0x00007FF6F5900000-0x00007FF6F5C54000-memory.dmp

Filesize
3.3MB

Download
memory/1096-55-0x00007FF6F5900000-0x00007FF6F5C54000-memory.dmp

Filesize
3.3MB

Download
memory/1176-1-0x000001F128090000-0x000001F1280A0000-memory.dmp

Filesize
64KB

Download
memory/1176-60-0x00007FF7BA3C0000-0x00007FF7BA714000-memory.dmp

Filesize
3.3MB

Download
memory/1176-0-0x00007FF7BA3C0000-0x00007FF7BA714000-memory.dmp

Filesize
3.3MB

Download
memory/2028-129-0x00007FF70F400000-0x00007FF70F754000-memory.dmp

Filesize
3.3MB

Download
memory/2028-158-0x00007FF70F400000-0x00007FF70F754000-memory.dmp

Filesize
3.3MB

Download
memory/2028-74-0x00007FF70F400000-0x00007FF70F754000-memory.dmp

Filesize
3.3MB

Download
memory/2076-86-0x00007FF73DAA0000-0x00007FF73DDF4000-memory.dmp

Filesize
3.3MB

Download
memory/2076-159-0x00007FF73DAA0000-0x00007FF73DDF4000-memory.dmp

Filesize
3.3MB

Download
memory/2076-127-0x00007FF73DAA0000-0x00007FF73DDF4000-memory.dmp

Filesize
3.3MB

Download
memory/2100-152-0x00007FF787560000-0x00007FF7878B4000-memory.dmp

Filesize
3.3MB

Download
memory/2100-97-0x00007FF787560000-0x00007FF7878B4000-memory.dmp

Filesize
3.3MB

Download
memory/2100-36-0x00007FF787560000-0x00007FF7878B4000-memory.dmp

Filesize
3.3MB

Download
memory/2152-116-0x00007FF723170000-0x00007FF7234C4000-memory.dmp

Filesize
3.3MB

Download
memory/2152-164-0x00007FF723170000-0x00007FF7234C4000-memory.dmp

Filesize
3.3MB

Download
memory/2152-143-0x00007FF723170000-0x00007FF7234C4000-memory.dmp

Filesize
3.3MB

Download
memory/2372-9-0x00007FF6AA0C0000-0x00007FF6AA414000-memory.dmp

Filesize
3.3MB

Download
memory/2372-147-0x00007FF6AA0C0000-0x00007FF6AA414000-memory.dmp

Filesize
3.3MB

Download
memory/2412-32-0x00007FF6D6870000-0x00007FF6D6BC4000-memory.dmp

Filesize
3.3MB

Download
memory/2412-151-0x00007FF6D6870000-0x00007FF6D6BC4000-memory.dmp

Filesize
3.3MB

Download
memory/2680-71-0x00007FF6753D0000-0x00007FF675724000-memory.dmp

Filesize
3.3MB

Download
memory/2680-14-0x00007FF6753D0000-0x00007FF675724000-memory.dmp

Filesize
3.3MB

Download
memory/2680-148-0x00007FF6753D0000-0x00007FF675724000-memory.dmp

Filesize
3.3MB

Download
memory/2696-81-0x00007FF69A0F0000-0x00007FF69A444000-memory.dmp

Filesize
3.3MB

Download
memory/2696-18-0x00007FF69A0F0000-0x00007FF69A444000-memory.dmp

Filesize
3.3MB

Download
memory/2696-149-0x00007FF69A0F0000-0x00007FF69A444000-memory.dmp

Filesize
3.3MB

Download
memory/2852-166-0x00007FF712490000-0x00007FF7127E4000-memory.dmp

Filesize
3.3MB

Download
memory/2852-146-0x00007FF712490000-0x00007FF7127E4000-memory.dmp

Filesize
3.3MB

Download
memory/2852-135-0x00007FF712490000-0x00007FF7127E4000-memory.dmp

Filesize
3.3MB

Download
memory/3296-156-0x00007FF71DF00000-0x00007FF71E254000-memory.dmp

Filesize
3.3MB

Download
memory/3296-119-0x00007FF71DF00000-0x00007FF71E254000-memory.dmp

Filesize
3.3MB

Download
memory/3296-61-0x00007FF71DF00000-0x00007FF71E254000-memory.dmp

Filesize
3.3MB

Download
memory/3652-92-0x00007FF745AB0000-0x00007FF745E04000-memory.dmp

Filesize
3.3MB

Download
memory/3652-141-0x00007FF745AB0000-0x00007FF745E04000-memory.dmp

Filesize
3.3MB

Download
memory/3652-161-0x00007FF745AB0000-0x00007FF745E04000-memory.dmp

Filesize
3.3MB

Download
memory/3728-44-0x00007FF74C1D0000-0x00007FF74C524000-memory.dmp

Filesize
3.3MB

Download
memory/3728-153-0x00007FF74C1D0000-0x00007FF74C524000-memory.dmp

Filesize
3.3MB

Download
memory/3728-102-0x00007FF74C1D0000-0x00007FF74C524000-memory.dmp

Filesize
3.3MB

Download
memory/3868-167-0x00007FF7B6FB0000-0x00007FF7B7304000-memory.dmp

Filesize
3.3MB

Download
memory/3868-144-0x00007FF7B6FB0000-0x00007FF7B7304000-memory.dmp

Filesize
3.3MB

Download
memory/3868-128-0x00007FF7B6FB0000-0x00007FF7B7304000-memory.dmp

Filesize
3.3MB

Download
memory/3892-67-0x00007FF7B6A90000-0x00007FF7B6DE4000-memory.dmp

Filesize
3.3MB

Download
memory/3892-157-0x00007FF7B6A90000-0x00007FF7B6DE4000-memory.dmp

Filesize
3.3MB

Download
memory/3892-120-0x00007FF7B6A90000-0x00007FF7B6DE4000-memory.dmp

Filesize
3.3MB

Download
memory/4600-163-0x00007FF7879D0000-0x00007FF787D24000-memory.dmp

Filesize
3.3MB

Download
memory/4600-114-0x00007FF7879D0000-0x00007FF787D24000-memory.dmp

Filesize
3.3MB

Download
memory/4932-145-0x00007FF6FCBA0000-0x00007FF6FCEF4000-memory.dmp

Filesize
3.3MB

Download
memory/4932-165-0x00007FF6FCBA0000-0x00007FF6FCEF4000-memory.dmp

Filesize
3.3MB

Download
memory/4932-131-0x00007FF6FCBA0000-0x00007FF6FCEF4000-memory.dmp

Filesize
3.3MB

Download
memory/5032-162-0x00007FF6BAFD0000-0x00007FF6BB324000-memory.dmp

Filesize
3.3MB

Download
memory/5032-109-0x00007FF6BAFD0000-0x00007FF6BB324000-memory.dmp

Filesize
3.3MB

Download
memory/5032-142-0x00007FF6BAFD0000-0x00007FF6BB324000-memory.dmp

Filesize
3.3MB

Download