cobaltstrike | 06efaf9abb560be7c6700daa4255ff9fd70fc03797644aca0a7900b4f4774a1d

Analysis

max time kernel
141s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10/10/2024, 16:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-10_84a230300a698214a84c5cb5843709b1_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

84a230300a698214a84c5cb5843709b1
SHA1

e3467c801b93e4ef3c0250fda3dc1aed363422dd
SHA256

06efaf9abb560be7c6700daa4255ff9fd70fc03797644aca0a7900b4f4774a1d
SHA512

1fbe9169f7f644dffdd2733125ca9eb1297308bbd63e1c72d3083bef4fccec68f3287840a5faf819074c5e49f2046323db2a675b0dd00df2a1726beb32a4ea10
SSDEEP

98304:BemTLkNdfE0pZrT56utgpPFotBER/mQ32lUG:Q+u56utgpPF8u/7G

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0008000000023c7a-5.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c7d-11.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c7e-10.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c7f-29.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c80-32.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c81-38.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c82-40.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c83-42.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c85-55.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c88-73.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c8a-79.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c90-109.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c8f-107.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c8e-104.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c8d-100.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c8c-95.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c8b-88.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c89-77.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c87-65.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c86-60.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c84-50.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/2732-0-0x00007FF7F8660000-0x00007FF7F89B4000-memory.dmp	xmrig
behavioral2/files/0x0008000000023c7a-5.dat	xmrig
behavioral2/memory/1772-6-0x00007FF737A20000-0x00007FF737D74000-memory.dmp	xmrig
behavioral2/files/0x0008000000023c7d-11.dat	xmrig
behavioral2/files/0x0007000000023c7e-10.dat	xmrig
behavioral2/memory/4140-16-0x00007FF784DD0000-0x00007FF785124000-memory.dmp	xmrig
behavioral2/files/0x0007000000023c7f-29.dat	xmrig
behavioral2/memory/3024-28-0x00007FF6EFB60000-0x00007FF6EFEB4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023c80-32.dat	xmrig
behavioral2/files/0x0007000000023c81-38.dat	xmrig
behavioral2/files/0x0007000000023c82-40.dat	xmrig
behavioral2/files/0x0007000000023c83-42.dat	xmrig
behavioral2/files/0x0007000000023c85-55.dat	xmrig
behavioral2/files/0x0007000000023c88-73.dat	xmrig
behavioral2/files/0x0007000000023c8a-79.dat	xmrig
behavioral2/files/0x0007000000023c90-109.dat	xmrig
behavioral2/files/0x0007000000023c8f-107.dat	xmrig
behavioral2/files/0x0007000000023c8e-104.dat	xmrig
behavioral2/files/0x0007000000023c8d-100.dat	xmrig
behavioral2/files/0x0007000000023c8c-95.dat	xmrig
behavioral2/files/0x0007000000023c8b-88.dat	xmrig
behavioral2/files/0x0007000000023c89-77.dat	xmrig
behavioral2/files/0x0007000000023c87-65.dat	xmrig
behavioral2/files/0x0007000000023c86-60.dat	xmrig
behavioral2/files/0x0007000000023c84-50.dat	xmrig
behavioral2/memory/1500-20-0x00007FF631900000-0x00007FF631C54000-memory.dmp	xmrig
behavioral2/memory/1116-111-0x00007FF6EDA00000-0x00007FF6EDD54000-memory.dmp	xmrig
behavioral2/memory/2956-114-0x00007FF7D14E0000-0x00007FF7D1834000-memory.dmp	xmrig
behavioral2/memory/1404-113-0x00007FF6B7D30000-0x00007FF6B8084000-memory.dmp	xmrig
behavioral2/memory/228-112-0x00007FF735F20000-0x00007FF736274000-memory.dmp	xmrig
behavioral2/memory/1792-115-0x00007FF70B000000-0x00007FF70B354000-memory.dmp	xmrig
behavioral2/memory/4616-117-0x00007FF6C2910000-0x00007FF6C2C64000-memory.dmp	xmrig
behavioral2/memory/3380-116-0x00007FF76A2C0000-0x00007FF76A614000-memory.dmp	xmrig
behavioral2/memory/2440-118-0x00007FF6B17C0000-0x00007FF6B1B14000-memory.dmp	xmrig
behavioral2/memory/4864-119-0x00007FF658E30000-0x00007FF659184000-memory.dmp	xmrig
behavioral2/memory/3028-120-0x00007FF797FC0000-0x00007FF798314000-memory.dmp	xmrig
behavioral2/memory/1168-121-0x00007FF64BD20000-0x00007FF64C074000-memory.dmp	xmrig
behavioral2/memory/4708-122-0x00007FF765060000-0x00007FF7653B4000-memory.dmp	xmrig
behavioral2/memory/804-123-0x00007FF76D7E0000-0x00007FF76DB34000-memory.dmp	xmrig
behavioral2/memory/852-124-0x00007FF7824F0000-0x00007FF782844000-memory.dmp	xmrig
behavioral2/memory/3088-126-0x00007FF74AF70000-0x00007FF74B2C4000-memory.dmp	xmrig
behavioral2/memory/956-125-0x00007FF639550000-0x00007FF6398A4000-memory.dmp	xmrig
behavioral2/memory/2568-127-0x00007FF7F4B30000-0x00007FF7F4E84000-memory.dmp	xmrig
behavioral2/memory/2732-128-0x00007FF7F8660000-0x00007FF7F89B4000-memory.dmp	xmrig
behavioral2/memory/1772-129-0x00007FF737A20000-0x00007FF737D74000-memory.dmp	xmrig
behavioral2/memory/4140-130-0x00007FF784DD0000-0x00007FF785124000-memory.dmp	xmrig
behavioral2/memory/1500-131-0x00007FF631900000-0x00007FF631C54000-memory.dmp	xmrig
behavioral2/memory/3024-132-0x00007FF6EFB60000-0x00007FF6EFEB4000-memory.dmp	xmrig
behavioral2/memory/1116-133-0x00007FF6EDA00000-0x00007FF6EDD54000-memory.dmp	xmrig
behavioral2/memory/1772-134-0x00007FF737A20000-0x00007FF737D74000-memory.dmp	xmrig
behavioral2/memory/4140-135-0x00007FF784DD0000-0x00007FF785124000-memory.dmp	xmrig
behavioral2/memory/1500-136-0x00007FF631900000-0x00007FF631C54000-memory.dmp	xmrig
behavioral2/memory/3088-137-0x00007FF74AF70000-0x00007FF74B2C4000-memory.dmp	xmrig
behavioral2/memory/3024-138-0x00007FF6EFB60000-0x00007FF6EFEB4000-memory.dmp	xmrig
behavioral2/memory/1116-139-0x00007FF6EDA00000-0x00007FF6EDD54000-memory.dmp	xmrig
behavioral2/memory/2568-141-0x00007FF7F4B30000-0x00007FF7F4E84000-memory.dmp	xmrig
behavioral2/memory/228-140-0x00007FF735F20000-0x00007FF736274000-memory.dmp	xmrig
behavioral2/memory/1404-142-0x00007FF6B7D30000-0x00007FF6B8084000-memory.dmp	xmrig
behavioral2/memory/1792-144-0x00007FF70B000000-0x00007FF70B354000-memory.dmp	xmrig
behavioral2/memory/3380-145-0x00007FF76A2C0000-0x00007FF76A614000-memory.dmp	xmrig
behavioral2/memory/4616-146-0x00007FF6C2910000-0x00007FF6C2C64000-memory.dmp	xmrig
behavioral2/memory/2956-143-0x00007FF7D14E0000-0x00007FF7D1834000-memory.dmp	xmrig
behavioral2/memory/2440-147-0x00007FF6B17C0000-0x00007FF6B1B14000-memory.dmp	xmrig
behavioral2/memory/4864-148-0x00007FF658E30000-0x00007FF659184000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
1772	LZPEqyo.exe
4140	MkOTGHt.exe
1500	JSiGWlu.exe
3024	xXKDlXv.exe
3088	irSmWWR.exe
1116	HEsEaDO.exe
2568	akaiXbW.exe
228	CFzDzVa.exe
1404	KxpSogQ.exe
2956	YfVXnuf.exe
1792	AVHNoiX.exe
3380	NAIfRZP.exe
4616	SIEmWKC.exe
2440	otHrQCa.exe
4864	hTkCdhT.exe
3028	IjveGys.exe
1168	zpFeBLn.exe
4708	xFzERuD.exe
804	ZrPSFjk.exe
852	itMPDoq.exe
956	TqjTKTo.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2732-0-0x00007FF7F8660000-0x00007FF7F89B4000-memory.dmp	upx
behavioral2/files/0x0008000000023c7a-5.dat	upx
behavioral2/memory/1772-6-0x00007FF737A20000-0x00007FF737D74000-memory.dmp	upx
behavioral2/files/0x0008000000023c7d-11.dat	upx
behavioral2/files/0x0007000000023c7e-10.dat	upx
behavioral2/memory/4140-16-0x00007FF784DD0000-0x00007FF785124000-memory.dmp	upx
behavioral2/files/0x0007000000023c7f-29.dat	upx
behavioral2/memory/3024-28-0x00007FF6EFB60000-0x00007FF6EFEB4000-memory.dmp	upx
behavioral2/files/0x0007000000023c80-32.dat	upx
behavioral2/files/0x0007000000023c81-38.dat	upx
behavioral2/files/0x0007000000023c82-40.dat	upx
behavioral2/files/0x0007000000023c83-42.dat	upx
behavioral2/files/0x0007000000023c85-55.dat	upx
behavioral2/files/0x0007000000023c88-73.dat	upx
behavioral2/files/0x0007000000023c8a-79.dat	upx
behavioral2/files/0x0007000000023c90-109.dat	upx
behavioral2/files/0x0007000000023c8f-107.dat	upx
behavioral2/files/0x0007000000023c8e-104.dat	upx
behavioral2/files/0x0007000000023c8d-100.dat	upx
behavioral2/files/0x0007000000023c8c-95.dat	upx
behavioral2/files/0x0007000000023c8b-88.dat	upx
behavioral2/files/0x0007000000023c89-77.dat	upx
behavioral2/files/0x0007000000023c87-65.dat	upx
behavioral2/files/0x0007000000023c86-60.dat	upx
behavioral2/files/0x0007000000023c84-50.dat	upx
behavioral2/memory/1500-20-0x00007FF631900000-0x00007FF631C54000-memory.dmp	upx
behavioral2/memory/1116-111-0x00007FF6EDA00000-0x00007FF6EDD54000-memory.dmp	upx
behavioral2/memory/2956-114-0x00007FF7D14E0000-0x00007FF7D1834000-memory.dmp	upx
behavioral2/memory/1404-113-0x00007FF6B7D30000-0x00007FF6B8084000-memory.dmp	upx
behavioral2/memory/228-112-0x00007FF735F20000-0x00007FF736274000-memory.dmp	upx
behavioral2/memory/1792-115-0x00007FF70B000000-0x00007FF70B354000-memory.dmp	upx
behavioral2/memory/4616-117-0x00007FF6C2910000-0x00007FF6C2C64000-memory.dmp	upx
behavioral2/memory/3380-116-0x00007FF76A2C0000-0x00007FF76A614000-memory.dmp	upx
behavioral2/memory/2440-118-0x00007FF6B17C0000-0x00007FF6B1B14000-memory.dmp	upx
behavioral2/memory/4864-119-0x00007FF658E30000-0x00007FF659184000-memory.dmp	upx
behavioral2/memory/3028-120-0x00007FF797FC0000-0x00007FF798314000-memory.dmp	upx
behavioral2/memory/1168-121-0x00007FF64BD20000-0x00007FF64C074000-memory.dmp	upx
behavioral2/memory/4708-122-0x00007FF765060000-0x00007FF7653B4000-memory.dmp	upx
behavioral2/memory/804-123-0x00007FF76D7E0000-0x00007FF76DB34000-memory.dmp	upx
behavioral2/memory/852-124-0x00007FF7824F0000-0x00007FF782844000-memory.dmp	upx
behavioral2/memory/3088-126-0x00007FF74AF70000-0x00007FF74B2C4000-memory.dmp	upx
behavioral2/memory/956-125-0x00007FF639550000-0x00007FF6398A4000-memory.dmp	upx
behavioral2/memory/2568-127-0x00007FF7F4B30000-0x00007FF7F4E84000-memory.dmp	upx
behavioral2/memory/2732-128-0x00007FF7F8660000-0x00007FF7F89B4000-memory.dmp	upx
behavioral2/memory/1772-129-0x00007FF737A20000-0x00007FF737D74000-memory.dmp	upx
behavioral2/memory/4140-130-0x00007FF784DD0000-0x00007FF785124000-memory.dmp	upx
behavioral2/memory/1500-131-0x00007FF631900000-0x00007FF631C54000-memory.dmp	upx
behavioral2/memory/3024-132-0x00007FF6EFB60000-0x00007FF6EFEB4000-memory.dmp	upx
behavioral2/memory/1116-133-0x00007FF6EDA00000-0x00007FF6EDD54000-memory.dmp	upx
behavioral2/memory/1772-134-0x00007FF737A20000-0x00007FF737D74000-memory.dmp	upx
behavioral2/memory/4140-135-0x00007FF784DD0000-0x00007FF785124000-memory.dmp	upx
behavioral2/memory/1500-136-0x00007FF631900000-0x00007FF631C54000-memory.dmp	upx
behavioral2/memory/3088-137-0x00007FF74AF70000-0x00007FF74B2C4000-memory.dmp	upx
behavioral2/memory/3024-138-0x00007FF6EFB60000-0x00007FF6EFEB4000-memory.dmp	upx
behavioral2/memory/1116-139-0x00007FF6EDA00000-0x00007FF6EDD54000-memory.dmp	upx
behavioral2/memory/2568-141-0x00007FF7F4B30000-0x00007FF7F4E84000-memory.dmp	upx
behavioral2/memory/228-140-0x00007FF735F20000-0x00007FF736274000-memory.dmp	upx
behavioral2/memory/1404-142-0x00007FF6B7D30000-0x00007FF6B8084000-memory.dmp	upx
behavioral2/memory/1792-144-0x00007FF70B000000-0x00007FF70B354000-memory.dmp	upx
behavioral2/memory/3380-145-0x00007FF76A2C0000-0x00007FF76A614000-memory.dmp	upx
behavioral2/memory/4616-146-0x00007FF6C2910000-0x00007FF6C2C64000-memory.dmp	upx
behavioral2/memory/2956-143-0x00007FF7D14E0000-0x00007FF7D1834000-memory.dmp	upx
behavioral2/memory/2440-147-0x00007FF6B17C0000-0x00007FF6B1B14000-memory.dmp	upx
behavioral2/memory/4864-148-0x00007FF658E30000-0x00007FF659184000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\IjveGys.exe	2024-10-10_84a230300a698214a84c5cb5843709b1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZrPSFjk.exe	2024-10-10_84a230300a698214a84c5cb5843709b1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JSiGWlu.exe	2024-10-10_84a230300a698214a84c5cb5843709b1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MkOTGHt.exe	2024-10-10_84a230300a698214a84c5cb5843709b1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HEsEaDO.exe	2024-10-10_84a230300a698214a84c5cb5843709b1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YfVXnuf.exe	2024-10-10_84a230300a698214a84c5cb5843709b1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SIEmWKC.exe	2024-10-10_84a230300a698214a84c5cb5843709b1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\otHrQCa.exe	2024-10-10_84a230300a698214a84c5cb5843709b1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\itMPDoq.exe	2024-10-10_84a230300a698214a84c5cb5843709b1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TqjTKTo.exe	2024-10-10_84a230300a698214a84c5cb5843709b1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LZPEqyo.exe	2024-10-10_84a230300a698214a84c5cb5843709b1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zpFeBLn.exe	2024-10-10_84a230300a698214a84c5cb5843709b1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NAIfRZP.exe	2024-10-10_84a230300a698214a84c5cb5843709b1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\irSmWWR.exe	2024-10-10_84a230300a698214a84c5cb5843709b1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\akaiXbW.exe	2024-10-10_84a230300a698214a84c5cb5843709b1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CFzDzVa.exe	2024-10-10_84a230300a698214a84c5cb5843709b1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KxpSogQ.exe	2024-10-10_84a230300a698214a84c5cb5843709b1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AVHNoiX.exe	2024-10-10_84a230300a698214a84c5cb5843709b1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hTkCdhT.exe	2024-10-10_84a230300a698214a84c5cb5843709b1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xFzERuD.exe	2024-10-10_84a230300a698214a84c5cb5843709b1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xXKDlXv.exe	2024-10-10_84a230300a698214a84c5cb5843709b1_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2732	2024-10-10_84a230300a698214a84c5cb5843709b1_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2732	2024-10-10_84a230300a698214a84c5cb5843709b1_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2732 wrote to memory of 1772	2732	2024-10-10_84a230300a698214a84c5cb5843709b1_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2732 wrote to memory of 1772	2732	2024-10-10_84a230300a698214a84c5cb5843709b1_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2732 wrote to memory of 4140	2732	2024-10-10_84a230300a698214a84c5cb5843709b1_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2732 wrote to memory of 4140	2732	2024-10-10_84a230300a698214a84c5cb5843709b1_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2732 wrote to memory of 1500	2732	2024-10-10_84a230300a698214a84c5cb5843709b1_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2732 wrote to memory of 1500	2732	2024-10-10_84a230300a698214a84c5cb5843709b1_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2732 wrote to memory of 3024	2732	2024-10-10_84a230300a698214a84c5cb5843709b1_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2732 wrote to memory of 3024	2732	2024-10-10_84a230300a698214a84c5cb5843709b1_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2732 wrote to memory of 3088	2732	2024-10-10_84a230300a698214a84c5cb5843709b1_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2732 wrote to memory of 3088	2732	2024-10-10_84a230300a698214a84c5cb5843709b1_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2732 wrote to memory of 1116	2732	2024-10-10_84a230300a698214a84c5cb5843709b1_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2732 wrote to memory of 1116	2732	2024-10-10_84a230300a698214a84c5cb5843709b1_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2732 wrote to memory of 2568	2732	2024-10-10_84a230300a698214a84c5cb5843709b1_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2732 wrote to memory of 2568	2732	2024-10-10_84a230300a698214a84c5cb5843709b1_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2732 wrote to memory of 228	2732	2024-10-10_84a230300a698214a84c5cb5843709b1_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2732 wrote to memory of 228	2732	2024-10-10_84a230300a698214a84c5cb5843709b1_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2732 wrote to memory of 1404	2732	2024-10-10_84a230300a698214a84c5cb5843709b1_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2732 wrote to memory of 1404	2732	2024-10-10_84a230300a698214a84c5cb5843709b1_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2732 wrote to memory of 2956	2732	2024-10-10_84a230300a698214a84c5cb5843709b1_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2732 wrote to memory of 2956	2732	2024-10-10_84a230300a698214a84c5cb5843709b1_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2732 wrote to memory of 1792	2732	2024-10-10_84a230300a698214a84c5cb5843709b1_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2732 wrote to memory of 1792	2732	2024-10-10_84a230300a698214a84c5cb5843709b1_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2732 wrote to memory of 3380	2732	2024-10-10_84a230300a698214a84c5cb5843709b1_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2732 wrote to memory of 3380	2732	2024-10-10_84a230300a698214a84c5cb5843709b1_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2732 wrote to memory of 4616	2732	2024-10-10_84a230300a698214a84c5cb5843709b1_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2732 wrote to memory of 4616	2732	2024-10-10_84a230300a698214a84c5cb5843709b1_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2732 wrote to memory of 2440	2732	2024-10-10_84a230300a698214a84c5cb5843709b1_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2732 wrote to memory of 2440	2732	2024-10-10_84a230300a698214a84c5cb5843709b1_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2732 wrote to memory of 4864	2732	2024-10-10_84a230300a698214a84c5cb5843709b1_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2732 wrote to memory of 4864	2732	2024-10-10_84a230300a698214a84c5cb5843709b1_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2732 wrote to memory of 3028	2732	2024-10-10_84a230300a698214a84c5cb5843709b1_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2732 wrote to memory of 3028	2732	2024-10-10_84a230300a698214a84c5cb5843709b1_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2732 wrote to memory of 1168	2732	2024-10-10_84a230300a698214a84c5cb5843709b1_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2732 wrote to memory of 1168	2732	2024-10-10_84a230300a698214a84c5cb5843709b1_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2732 wrote to memory of 4708	2732	2024-10-10_84a230300a698214a84c5cb5843709b1_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2732 wrote to memory of 4708	2732	2024-10-10_84a230300a698214a84c5cb5843709b1_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2732 wrote to memory of 804	2732	2024-10-10_84a230300a698214a84c5cb5843709b1_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2732 wrote to memory of 804	2732	2024-10-10_84a230300a698214a84c5cb5843709b1_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2732 wrote to memory of 852	2732	2024-10-10_84a230300a698214a84c5cb5843709b1_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 2732 wrote to memory of 852	2732	2024-10-10_84a230300a698214a84c5cb5843709b1_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 2732 wrote to memory of 956	2732	2024-10-10_84a230300a698214a84c5cb5843709b1_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 2732 wrote to memory of 956	2732	2024-10-10_84a230300a698214a84c5cb5843709b1_cobalt-strike_cobaltstrike_poet-rat.exe	105

C:\Users\Admin\AppData\Local\Temp\2024-10-10_84a230300a698214a84c5cb5843709b1_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-10_84a230300a698214a84c5cb5843709b1_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2732
- C:\Windows\System\LZPEqyo.exe
  C:\Windows\System\LZPEqyo.exe
  2⤵
  - Executes dropped EXE
  PID:1772
- C:\Windows\System\MkOTGHt.exe
  C:\Windows\System\MkOTGHt.exe
  2⤵
  - Executes dropped EXE
  PID:4140
- C:\Windows\System\JSiGWlu.exe
  C:\Windows\System\JSiGWlu.exe
  2⤵
  - Executes dropped EXE
  PID:1500
- C:\Windows\System\xXKDlXv.exe
  C:\Windows\System\xXKDlXv.exe
  2⤵
  - Executes dropped EXE
  PID:3024
- C:\Windows\System\irSmWWR.exe
  C:\Windows\System\irSmWWR.exe
  2⤵
  - Executes dropped EXE
  PID:3088
- C:\Windows\System\HEsEaDO.exe
  C:\Windows\System\HEsEaDO.exe
  2⤵
  - Executes dropped EXE
  PID:1116
- C:\Windows\System\akaiXbW.exe
  C:\Windows\System\akaiXbW.exe
  2⤵
  - Executes dropped EXE
  PID:2568
- C:\Windows\System\CFzDzVa.exe
  C:\Windows\System\CFzDzVa.exe
  2⤵
  - Executes dropped EXE
  PID:228
- C:\Windows\System\KxpSogQ.exe
  C:\Windows\System\KxpSogQ.exe
  2⤵
  - Executes dropped EXE
  PID:1404
- C:\Windows\System\YfVXnuf.exe
  C:\Windows\System\YfVXnuf.exe
  2⤵
  - Executes dropped EXE
  PID:2956
- C:\Windows\System\AVHNoiX.exe
  C:\Windows\System\AVHNoiX.exe
  2⤵
  - Executes dropped EXE
  PID:1792
- C:\Windows\System\NAIfRZP.exe
  C:\Windows\System\NAIfRZP.exe
  2⤵
  - Executes dropped EXE
  PID:3380
- C:\Windows\System\SIEmWKC.exe
  C:\Windows\System\SIEmWKC.exe
  2⤵
  - Executes dropped EXE
  PID:4616
- C:\Windows\System\otHrQCa.exe
  C:\Windows\System\otHrQCa.exe
  2⤵
  - Executes dropped EXE
  PID:2440
- C:\Windows\System\hTkCdhT.exe
  C:\Windows\System\hTkCdhT.exe
  2⤵
  - Executes dropped EXE
  PID:4864
- C:\Windows\System\IjveGys.exe
  C:\Windows\System\IjveGys.exe
  2⤵
  - Executes dropped EXE
  PID:3028
- C:\Windows\System\zpFeBLn.exe
  C:\Windows\System\zpFeBLn.exe
  2⤵
  - Executes dropped EXE
  PID:1168
- C:\Windows\System\xFzERuD.exe
  C:\Windows\System\xFzERuD.exe
  2⤵
  - Executes dropped EXE
  PID:4708
- C:\Windows\System\ZrPSFjk.exe
  C:\Windows\System\ZrPSFjk.exe
  2⤵
  - Executes dropped EXE
  PID:804
- C:\Windows\System\itMPDoq.exe
  C:\Windows\System\itMPDoq.exe
  2⤵
  - Executes dropped EXE
  PID:852
- C:\Windows\System\TqjTKTo.exe
  C:\Windows\System\TqjTKTo.exe
  2⤵
  - Executes dropped EXE
  PID:956

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AVHNoiX.exe

Filesize
5.9MB

MD5
6a905d193eaf7d96158015995a0d66e2

SHA1
903c0dca211d5ababb83606f50c6d10739e014fa

SHA256
19c6011520c9461f3cb4c9dc05fff27f4b7dde0675f0551e97d32025a13a5508

SHA512
c8613132d525167e447349be905ab63492453a71010ce4ea5cfc37b320d2e51e9dd43b664d54cdbd43025878e29c5c87d0212a22c176a5ffee99e246859d315a

Download Submit
C:\Windows\System\CFzDzVa.exe

Filesize
5.9MB

MD5
0b52f40b16e3add5970ac4876b76d739

SHA1
cfd6d20739419e6cbde8e63b844227fb9f6f4688

SHA256
0370de2aead31964b171fade9f515143d47cf4f6c5866622818f9b8a745fef83

SHA512
2ada1d43b1de03076a6a11ef8c4aa998554de90d028cd5f72dd73bf535ec76551ff9ab6d4309bcfcb0dee070a821b1edf4a1c9b1a9fbe76c97f109369326bfc6

Download Submit
C:\Windows\System\HEsEaDO.exe

Filesize
5.9MB

MD5
24f0b866113678b5b2e833acd2d55245

SHA1
e58f8ec696902f6968830384df3f1ca1f362defd

SHA256
5c9f5b13cc55f72b87c91f742d13b80bf3c6c50594abd354bd6bb16ca0bc751e

SHA512
351590d472858214f1780a7b6ed0d0ba711800f391f25cc976c240966f0e57f471fae320a96799efe595789fc7fef4f1e320c20738b8055cf851e916edf03404

Download Submit
C:\Windows\System\IjveGys.exe

Filesize
5.9MB

MD5
d112ca3e5fdb1cee756819dd8df40f57

SHA1
179bec999b28b86a70c04409b95ade2b929db9be

SHA256
dc7994f8a5775d6633660dfbaa3e351d8e1d7b03d8f5838a4e7187c0764c9e15

SHA512
e0b0f203d956ea9a81f6eaecb5c671093b70108a717a7938188e9cd022a989ee507865578d3fdb765cb7f1e262eaf078edcaa4e5e91b207e318b543c0aa25d4e

Download Submit
C:\Windows\System\JSiGWlu.exe

Filesize
5.9MB

MD5
9591f49b804d888f7131fabb55248640

SHA1
5e32935d2fc5e26d926992f32d86fad348963a8f

SHA256
a47bd1c218db872be5b283ab8e32177ae37e71656ef605ede8f4715ab68e8a56

SHA512
ec90c2b641b5a682ce4d2a322ceb799b2a695cdccbe49b5d946beb05d8d7bffb6e756843d6150856a32b7baf5df47f8556ccfddc101a7a6f5d7d89d060f5df12

Download Submit
C:\Windows\System\KxpSogQ.exe

Filesize
5.9MB

MD5
a84099d72a195ed96508b4c3bb90ccfb

SHA1
ac2852f08db269b3dc5e904ade429c3e2a9da3e3

SHA256
2766ab3f48f5673fa56c6d0401af38b8fb740d475841bd0a4744e78719c4cd88

SHA512
c4cb0906338ed9d154d5672724009696350f896e337ef6ab7db1f2d40a5f8128226be79540e490c02d3bea9f04f56b7a85caa113a14670109caf9a66ac84a49c

Download Submit
C:\Windows\System\LZPEqyo.exe

Filesize
5.9MB

MD5
f7fcd5e0419508b2cc2230c78d0ef3f0

SHA1
06bc3559c1cc5fb2169bf36bfd88aa3c7e353df7

SHA256
970572ac36a7cec652d7d62b7df37301d98f3595307dbd2616dc9bcc782cea8f

SHA512
bfb31dacd23a077de402a967392d9902653a68ab3234f6bf9f88c200ac8b15ce56dcde923f951af670b3f2e3f6d08ea4beb83a89bf3f2e6c22ab52d25a42d97f

Download Submit
C:\Windows\System\MkOTGHt.exe

Filesize
5.9MB

MD5
ff304455f707c32cceb222b62753a09b

SHA1
b5850ecde428986c4c527c5f3d4dfdad3631741e

SHA256
18f9a74e74fb6c5f51d8a6172496860694b5f004171069f994cc1f551ecddd74

SHA512
49c46c2a0f35424848f8954a55d1d59945d5ab17d04a3ff5398dc61895239623e95e82d8189e5ee1331b852a2f7d490a3b6d70e8cdc718819dc2e9fdc7131327

Download Submit
C:\Windows\System\NAIfRZP.exe

Filesize
5.9MB

MD5
8e5aebe8f488556a3bb64f43457039e9

SHA1
c6f0f9b6ec862afa92fdba12f65baa826679e629

SHA256
92db48443afde22758a2f49844a18e562b3b7fd976a56c51ac46a88a52504239

SHA512
40ebd070f20db56c9262ea5a825e24e6b383c4a21f265adba674b9c86e9cb2fe960149ebf309bfd2e655b0090f31aefb2c10229dbaefdcec5027c527b460831f

Download Submit
C:\Windows\System\SIEmWKC.exe

Filesize
5.9MB

MD5
c9d3b64b023c75b65809809f8896b596

SHA1
4808b0070eed95f693bb5cc7336586e0f9632ab3

SHA256
7c92a4989893dbf37e4655d53defbd7850a1497ac397ab38395705c82d16df3f

SHA512
60589f53c307fe1b67bad1908b4840dbf1060fc9f1902c1ba1bbcad3349619db58e8d6d411db08a985dac2796125a9f2694da1bd98f520cf0682b0d3218f432f

Download Submit
C:\Windows\System\TqjTKTo.exe

Filesize
5.9MB

MD5
b9e17cc769af3078c42377fa79733b6a

SHA1
64f9099e95967d60f87799dd0775a65e450784a1

SHA256
ba005c2a6084d358b15e66ae6b9d881285718cfb0ca54ffb9c55405273ceda43

SHA512
ef0bb72e9ff4312d8db837890241fc985193b560c12f0d24cf177656d85bcbe197abb45be97c0e9b71cb8a21d96986d5d1d1e979236c329e1be0f7124720b638

Download Submit
C:\Windows\System\YfVXnuf.exe

Filesize
5.9MB

MD5
4d3f30fe358ac1ff2830ba6cf1acad10

SHA1
5ab9883819640f5ed357350bb3d36eead59550b4

SHA256
0ba7f8d56b401d1e2dd0274c92cc80620e4564b369ec4822587ce51d9a8a4910

SHA512
f48058c5f27e49b9bb964962893b04a7c2515938d045da90ccb6ff8cbd7d936206507a7f720768ca50e4a0678e5a66a279e77adb293ce5ddff22a870886b634a

Download Submit
C:\Windows\System\ZrPSFjk.exe

Filesize
5.9MB

MD5
9eccca421b0847b34725d5660bfa86b1

SHA1
cebb4361b97932f91bdd20be27517ef27075a0ce

SHA256
5e6b2b4e769940a0b2646ea455309bac5412ca8a0861fda0333e704280417ac5

SHA512
9f1c8da129a51e50d04e350dc9e7e6449e4f575661e2c359006e90cf0fda8dc8144906dc1203bf2ff257a6d59357e5245359cdb793c1572359c3878282fb6b64

Download Submit
C:\Windows\System\akaiXbW.exe

Filesize
5.9MB

MD5
c0809f976c6fa58c248ab348feb11ef3

SHA1
6327ae62085eaabb010846457ff8d25862acd20b

SHA256
0f4f8693e8652d5ba541c60dfbfc1424e07a0760e1e70cdd79f118b58ffcb21f

SHA512
85eb9253edc5f93d1e3726c1505eb12f0f6b0724211b3c68249f42af6cfe90f925f898882d69786b23923d57aa7f3d5c16225a479df189fc2aa0bcdefd4289a1

Download Submit
C:\Windows\System\hTkCdhT.exe

Filesize
5.9MB

MD5
e8230655c05e643038b0dac7213f1c2d

SHA1
8cdc3bd4e7ba836c2e499050e2bdaa21e115e7e3

SHA256
0a06ac8ef5d73502ee2e574a75f3918391cc8f52a4bbc4f0e2a3a182340f447e

SHA512
f1462b544b821ac78bea09d1c9211f98f30a0f2704426d7c532529a26092c5621a6812d622b06e37ebb24a9c9f90ec4230f5ecab75a7e275489a89337adaf493

Download Submit
C:\Windows\System\irSmWWR.exe

Filesize
5.9MB

MD5
b9f20c1d316ca913e0e2bfdc38fa7f9e

SHA1
7a37fd09cb680664f0f030fb5e7c7b2b3eb20758

SHA256
9976387da8559bad810504ef78fba83f89e88d42520550c7f7d9ded940c690c8

SHA512
f970162b8f40c98a50423e0ea733c4bbb3f930b2912af873173cb40d9891465188b56f87ced8fec6df8910dcda1517dd2b222a119dfd70e1f874d2a48cc106e3

Download Submit
C:\Windows\System\itMPDoq.exe

Filesize
5.9MB

MD5
2430f899b19f213a279a2c9d23fed1e6

SHA1
d3c435a61a26e1b3eeca03e8adab2b05bec2bccc

SHA256
6750a81bc0725b2535190fd9c85333246326f5b2805b5378912a407e41b20e8f

SHA512
39c15de609ad0224fc72adb9dae7d59c128458e5b4127558a2694d182abccc26639e52f0d43558500dabeecc731243d312eaf5078c3b20ce997e239bf2862cf7

Download Submit
C:\Windows\System\otHrQCa.exe

Filesize
5.9MB

MD5
485bb10aa7b70e43c33ae282f67dc405

SHA1
c22f78cc9d30abd772492f94996854866b358818

SHA256
19b0b1cf0fdfa336645524ee1d4755575b21c47d4d6c49d713b8aba785ef6502

SHA512
76dd3cebf77859ea29cef0e158afc0a5a3bcb6afc7ad4bfe1deedb0a7d183deaea9b2d7977b09b27818a3b24cb5b69e3df52ed5b854a8a0eb62a3c7d6745127c

Download Submit
C:\Windows\System\xFzERuD.exe

Filesize
5.9MB

MD5
0c5363a77296bb881ebcf7a26335c52f

SHA1
2673cdb3941557cddbb153ecb6979ebf9a945ae1

SHA256
d17728c80915c7e5ae0da73418869236adb18eb03a5856fb0dc12f4ff30943dc

SHA512
624e76d83ebf7f163414eebc0ad34e33c899ec5a39480cec5e29eba77f2fa8f999ff48a87ad5cb450350bead87735cbdc72e55cb02a33a63f5dd2eab16e778b1

Download Submit
C:\Windows\System\xXKDlXv.exe

Filesize
5.9MB

MD5
fc8ec3d98508ccd19d592008f21632e5

SHA1
be816c58655e29988e85785dd66ca49bfe2544fb

SHA256
4f7bd3846c8a452b7571eac9397639adc270553174895bebcd8371d632ae7f96

SHA512
2b2713a32a279514036da1bd79b8c988d1c65ee53bb9e6aff4c6d39d65f959f496a43aa3750c612f663f34671819b52c51b7df5ce10b1257b05d328357b6148f

Download Submit
C:\Windows\System\zpFeBLn.exe

Filesize
5.9MB

MD5
bd1b2eabf93a84165676286e6327c914

SHA1
3409957752a72c07c1527f25aa00875348466e6e

SHA256
e622c1c4a57bc48edd5385990124b4ed41b403b271599e1d4f2def99b60cda79

SHA512
5ffe8562167add15b0d23a777e5718c823af362c4c2f45db3e42b3fb7b4d7a5211fb1592744af8a70fca3319a69f2248eb615c8c831e0d96fd8d985fd1839990

Download Submit
memory/228-140-0x00007FF735F20000-0x00007FF736274000-memory.dmp

Filesize
3.3MB

Download
memory/228-112-0x00007FF735F20000-0x00007FF736274000-memory.dmp

Filesize
3.3MB

Download
memory/804-154-0x00007FF76D7E0000-0x00007FF76DB34000-memory.dmp

Filesize
3.3MB

Download
memory/804-123-0x00007FF76D7E0000-0x00007FF76DB34000-memory.dmp

Filesize
3.3MB

Download
memory/852-153-0x00007FF7824F0000-0x00007FF782844000-memory.dmp

Filesize
3.3MB

Download
memory/852-124-0x00007FF7824F0000-0x00007FF782844000-memory.dmp

Filesize
3.3MB

Download
memory/956-152-0x00007FF639550000-0x00007FF6398A4000-memory.dmp

Filesize
3.3MB

Download
memory/956-125-0x00007FF639550000-0x00007FF6398A4000-memory.dmp

Filesize
3.3MB

Download
memory/1116-133-0x00007FF6EDA00000-0x00007FF6EDD54000-memory.dmp

Filesize
3.3MB

Download
memory/1116-139-0x00007FF6EDA00000-0x00007FF6EDD54000-memory.dmp

Filesize
3.3MB

Download
memory/1116-111-0x00007FF6EDA00000-0x00007FF6EDD54000-memory.dmp

Filesize
3.3MB

Download
memory/1168-150-0x00007FF64BD20000-0x00007FF64C074000-memory.dmp

Filesize
3.3MB

Download
memory/1168-121-0x00007FF64BD20000-0x00007FF64C074000-memory.dmp

Filesize
3.3MB

Download
memory/1404-113-0x00007FF6B7D30000-0x00007FF6B8084000-memory.dmp

Filesize
3.3MB

Download
memory/1404-142-0x00007FF6B7D30000-0x00007FF6B8084000-memory.dmp

Filesize
3.3MB

Download
memory/1500-136-0x00007FF631900000-0x00007FF631C54000-memory.dmp

Filesize
3.3MB

Download
memory/1500-131-0x00007FF631900000-0x00007FF631C54000-memory.dmp

Filesize
3.3MB

Download
memory/1500-20-0x00007FF631900000-0x00007FF631C54000-memory.dmp

Filesize
3.3MB

Download
memory/1772-134-0x00007FF737A20000-0x00007FF737D74000-memory.dmp

Filesize
3.3MB

Download
memory/1772-6-0x00007FF737A20000-0x00007FF737D74000-memory.dmp

Filesize
3.3MB

Download
memory/1772-129-0x00007FF737A20000-0x00007FF737D74000-memory.dmp

Filesize
3.3MB

Download
memory/1792-144-0x00007FF70B000000-0x00007FF70B354000-memory.dmp

Filesize
3.3MB

Download
memory/1792-115-0x00007FF70B000000-0x00007FF70B354000-memory.dmp

Filesize
3.3MB

Download
memory/2440-118-0x00007FF6B17C0000-0x00007FF6B1B14000-memory.dmp

Filesize
3.3MB

Download
memory/2440-147-0x00007FF6B17C0000-0x00007FF6B1B14000-memory.dmp

Filesize
3.3MB

Download
memory/2568-127-0x00007FF7F4B30000-0x00007FF7F4E84000-memory.dmp

Filesize
3.3MB

Download
memory/2568-141-0x00007FF7F4B30000-0x00007FF7F4E84000-memory.dmp

Filesize
3.3MB

Download
memory/2732-128-0x00007FF7F8660000-0x00007FF7F89B4000-memory.dmp

Filesize
3.3MB

Download
memory/2732-1-0x00000247F9670000-0x00000247F9680000-memory.dmp

Filesize
64KB

Download
memory/2732-0-0x00007FF7F8660000-0x00007FF7F89B4000-memory.dmp

Filesize
3.3MB

Download
memory/2956-143-0x00007FF7D14E0000-0x00007FF7D1834000-memory.dmp

Filesize
3.3MB

Download
memory/2956-114-0x00007FF7D14E0000-0x00007FF7D1834000-memory.dmp

Filesize
3.3MB

Download
memory/3024-28-0x00007FF6EFB60000-0x00007FF6EFEB4000-memory.dmp

Filesize
3.3MB

Download
memory/3024-138-0x00007FF6EFB60000-0x00007FF6EFEB4000-memory.dmp

Filesize
3.3MB

Download
memory/3024-132-0x00007FF6EFB60000-0x00007FF6EFEB4000-memory.dmp

Filesize
3.3MB

Download
memory/3028-149-0x00007FF797FC0000-0x00007FF798314000-memory.dmp

Filesize
3.3MB

Download
memory/3028-120-0x00007FF797FC0000-0x00007FF798314000-memory.dmp

Filesize
3.3MB

Download
memory/3088-137-0x00007FF74AF70000-0x00007FF74B2C4000-memory.dmp

Filesize
3.3MB

Download
memory/3088-126-0x00007FF74AF70000-0x00007FF74B2C4000-memory.dmp

Filesize
3.3MB

Download
memory/3380-116-0x00007FF76A2C0000-0x00007FF76A614000-memory.dmp

Filesize
3.3MB

Download
memory/3380-145-0x00007FF76A2C0000-0x00007FF76A614000-memory.dmp

Filesize
3.3MB

Download
memory/4140-16-0x00007FF784DD0000-0x00007FF785124000-memory.dmp

Filesize
3.3MB

Download
memory/4140-135-0x00007FF784DD0000-0x00007FF785124000-memory.dmp

Filesize
3.3MB

Download
memory/4140-130-0x00007FF784DD0000-0x00007FF785124000-memory.dmp

Filesize
3.3MB

Download
memory/4616-146-0x00007FF6C2910000-0x00007FF6C2C64000-memory.dmp

Filesize
3.3MB

Download
memory/4616-117-0x00007FF6C2910000-0x00007FF6C2C64000-memory.dmp

Filesize
3.3MB

Download
memory/4708-151-0x00007FF765060000-0x00007FF7653B4000-memory.dmp

Filesize
3.3MB

Download
memory/4708-122-0x00007FF765060000-0x00007FF7653B4000-memory.dmp

Filesize
3.3MB

Download
memory/4864-148-0x00007FF658E30000-0x00007FF659184000-memory.dmp

Filesize
3.3MB

Download
memory/4864-119-0x00007FF658E30000-0x00007FF659184000-memory.dmp

Filesize
3.3MB

Download