cobaltstrike | 46e976125664253216f5339e8e0f1a83637a5b7c87549328a68fe0730c312437

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2024 12:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-23_04169a2a39c3b655025e066ddfcd540d_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

04169a2a39c3b655025e066ddfcd540d
SHA1

33030882e8c96718b7a58a3d5c621fca74193dc7
SHA256

46e976125664253216f5339e8e0f1a83637a5b7c87549328a68fe0730c312437
SHA512

14c6a50046c017e1c914349011e35d038d0afca03e68209d117c8305e4a5196bf120c2db3945ad1aeb233683a4c5beccbe4e5468f1b00f4056eb68ce77599a61
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lV:RWWBibf56utgpPFotBER/mQ32lUJ

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0008000000023cab-5.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023caf-10.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb0-11.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb1-22.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023cac-27.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb2-36.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb4-42.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb5-47.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb8-67.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb6-68.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb7-57.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb9-75.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cba-81.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbb-88.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbe-105.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbf-112.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbc-101.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc0-127.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc1-129.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc2-139.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc3-140.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 47 IoCs

miner

resource	yara_rule
behavioral2/memory/4564-65-0x00007FF747C50000-0x00007FF747FA1000-memory.dmp	xmrig
behavioral2/memory/1172-64-0x00007FF76C650000-0x00007FF76C9A1000-memory.dmp	xmrig
behavioral2/memory/1164-60-0x00007FF7CD880000-0x00007FF7CDBD1000-memory.dmp	xmrig
behavioral2/memory/2532-71-0x00007FF68D3D0000-0x00007FF68D721000-memory.dmp	xmrig
behavioral2/memory/1224-77-0x00007FF6BF2B0000-0x00007FF6BF601000-memory.dmp	xmrig
behavioral2/memory/4524-82-0x00007FF7BEA40000-0x00007FF7BED91000-memory.dmp	xmrig
behavioral2/memory/2784-87-0x00007FF633FF0000-0x00007FF634341000-memory.dmp	xmrig
behavioral2/memory/536-89-0x00007FF68F9C0000-0x00007FF68FD11000-memory.dmp	xmrig
behavioral2/memory/2052-84-0x00007FF6ACD90000-0x00007FF6AD0E1000-memory.dmp	xmrig
behavioral2/memory/1304-96-0x00007FF6F8970000-0x00007FF6F8CC1000-memory.dmp	xmrig
behavioral2/memory/3116-111-0x00007FF7B25E0000-0x00007FF7B2931000-memory.dmp	xmrig
behavioral2/memory/2068-110-0x00007FF63B990000-0x00007FF63BCE1000-memory.dmp	xmrig
behavioral2/memory/1228-97-0x00007FF7B48C0000-0x00007FF7B4C11000-memory.dmp	xmrig
behavioral2/memory/2188-114-0x00007FF7F8E20000-0x00007FF7F9171000-memory.dmp	xmrig
behavioral2/memory/624-131-0x00007FF6A9DC0000-0x00007FF6AA111000-memory.dmp	xmrig
behavioral2/memory/2152-136-0x00007FF667DE0000-0x00007FF668131000-memory.dmp	xmrig
behavioral2/memory/3820-135-0x00007FF7F22A0000-0x00007FF7F25F1000-memory.dmp	xmrig
behavioral2/memory/2868-152-0x00007FF6D49D0000-0x00007FF6D4D21000-memory.dmp	xmrig
behavioral2/memory/2524-156-0x00007FF7703D0000-0x00007FF770721000-memory.dmp	xmrig
behavioral2/memory/3068-157-0x00007FF6FF920000-0x00007FF6FFC71000-memory.dmp	xmrig
behavioral2/memory/1164-158-0x00007FF7CD880000-0x00007FF7CDBD1000-memory.dmp	xmrig
behavioral2/memory/2188-162-0x00007FF7F8E20000-0x00007FF7F9171000-memory.dmp	xmrig
behavioral2/memory/3820-168-0x00007FF7F22A0000-0x00007FF7F25F1000-memory.dmp	xmrig
behavioral2/memory/3028-173-0x00007FF63D320000-0x00007FF63D671000-memory.dmp	xmrig
behavioral2/memory/1420-172-0x00007FF6639B0000-0x00007FF663D01000-memory.dmp	xmrig
behavioral2/memory/1164-183-0x00007FF7CD880000-0x00007FF7CDBD1000-memory.dmp	xmrig
behavioral2/memory/4564-212-0x00007FF747C50000-0x00007FF747FA1000-memory.dmp	xmrig
behavioral2/memory/2532-218-0x00007FF68D3D0000-0x00007FF68D721000-memory.dmp	xmrig
behavioral2/memory/1224-220-0x00007FF6BF2B0000-0x00007FF6BF601000-memory.dmp	xmrig
behavioral2/memory/2052-222-0x00007FF6ACD90000-0x00007FF6AD0E1000-memory.dmp	xmrig
behavioral2/memory/536-224-0x00007FF68F9C0000-0x00007FF68FD11000-memory.dmp	xmrig
behavioral2/memory/1304-235-0x00007FF6F8970000-0x00007FF6F8CC1000-memory.dmp	xmrig
behavioral2/memory/1228-237-0x00007FF7B48C0000-0x00007FF7B4C11000-memory.dmp	xmrig
behavioral2/memory/2068-239-0x00007FF63B990000-0x00007FF63BCE1000-memory.dmp	xmrig
behavioral2/memory/1172-241-0x00007FF76C650000-0x00007FF76C9A1000-memory.dmp	xmrig
behavioral2/memory/3116-243-0x00007FF7B25E0000-0x00007FF7B2931000-memory.dmp	xmrig
behavioral2/memory/2152-245-0x00007FF667DE0000-0x00007FF668131000-memory.dmp	xmrig
behavioral2/memory/4524-250-0x00007FF7BEA40000-0x00007FF7BED91000-memory.dmp	xmrig
behavioral2/memory/2784-252-0x00007FF633FF0000-0x00007FF634341000-memory.dmp	xmrig
behavioral2/memory/2868-254-0x00007FF6D49D0000-0x00007FF6D4D21000-memory.dmp	xmrig
behavioral2/memory/2524-260-0x00007FF7703D0000-0x00007FF770721000-memory.dmp	xmrig
behavioral2/memory/3068-262-0x00007FF6FF920000-0x00007FF6FFC71000-memory.dmp	xmrig
behavioral2/memory/2188-264-0x00007FF7F8E20000-0x00007FF7F9171000-memory.dmp	xmrig
behavioral2/memory/624-269-0x00007FF6A9DC0000-0x00007FF6AA111000-memory.dmp	xmrig
behavioral2/memory/3820-271-0x00007FF7F22A0000-0x00007FF7F25F1000-memory.dmp	xmrig
behavioral2/memory/1420-275-0x00007FF6639B0000-0x00007FF663D01000-memory.dmp	xmrig
behavioral2/memory/3028-274-0x00007FF63D320000-0x00007FF63D671000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4564	CPtLdce.exe
2532	fbOviDt.exe
1224	yPrqwYu.exe
2052	sUagNZv.exe
536	qeLjNNC.exe
1304	gqTgadN.exe
1228	HEuDizc.exe
2068	CwGPicD.exe
3116	xtozDUw.exe
1172	FZjNSUr.exe
2152	mWmzOAy.exe
4524	OfxAaoU.exe
2784	oLLDHbB.exe
2868	jfvAYDZ.exe
2524	ugjTDBa.exe
3068	iJCVjgY.exe
2188	NIKPcIg.exe
624	HODTcGz.exe
3820	sxDgiZz.exe
3028	rDcLEOZ.exe
1420	DgMXNQE.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1164-0-0x00007FF7CD880000-0x00007FF7CDBD1000-memory.dmp	upx
behavioral2/files/0x0008000000023cab-5.dat	upx
behavioral2/memory/4564-7-0x00007FF747C50000-0x00007FF747FA1000-memory.dmp	upx
behavioral2/files/0x0007000000023caf-10.dat	upx
behavioral2/files/0x0007000000023cb0-11.dat	upx
behavioral2/memory/2532-14-0x00007FF68D3D0000-0x00007FF68D721000-memory.dmp	upx
behavioral2/files/0x0007000000023cb1-22.dat	upx
behavioral2/files/0x0008000000023cac-27.dat	upx
behavioral2/memory/536-29-0x00007FF68F9C0000-0x00007FF68FD11000-memory.dmp	upx
behavioral2/memory/2052-23-0x00007FF6ACD90000-0x00007FF6AD0E1000-memory.dmp	upx
behavioral2/memory/1224-17-0x00007FF6BF2B0000-0x00007FF6BF601000-memory.dmp	upx
behavioral2/files/0x0007000000023cb2-36.dat	upx
behavioral2/memory/1304-38-0x00007FF6F8970000-0x00007FF6F8CC1000-memory.dmp	upx
behavioral2/files/0x0007000000023cb4-42.dat	upx
behavioral2/files/0x0007000000023cb5-47.dat	upx
behavioral2/memory/3116-62-0x00007FF7B25E0000-0x00007FF7B2931000-memory.dmp	upx
behavioral2/memory/4564-65-0x00007FF747C50000-0x00007FF747FA1000-memory.dmp	upx
behavioral2/files/0x0007000000023cb8-67.dat	upx
behavioral2/files/0x0007000000023cb6-68.dat	upx
behavioral2/memory/2152-66-0x00007FF667DE0000-0x00007FF668131000-memory.dmp	upx
behavioral2/memory/1172-64-0x00007FF76C650000-0x00007FF76C9A1000-memory.dmp	upx
behavioral2/memory/1164-60-0x00007FF7CD880000-0x00007FF7CDBD1000-memory.dmp	upx
behavioral2/files/0x0007000000023cb7-57.dat	upx
behavioral2/memory/2068-48-0x00007FF63B990000-0x00007FF63BCE1000-memory.dmp	upx
behavioral2/memory/1228-44-0x00007FF7B48C0000-0x00007FF7B4C11000-memory.dmp	upx
behavioral2/memory/2532-71-0x00007FF68D3D0000-0x00007FF68D721000-memory.dmp	upx
behavioral2/memory/1224-77-0x00007FF6BF2B0000-0x00007FF6BF601000-memory.dmp	upx
behavioral2/files/0x0007000000023cb9-75.dat	upx
behavioral2/files/0x0007000000023cba-81.dat	upx
behavioral2/memory/4524-82-0x00007FF7BEA40000-0x00007FF7BED91000-memory.dmp	upx
behavioral2/memory/2784-87-0x00007FF633FF0000-0x00007FF634341000-memory.dmp	upx
behavioral2/files/0x0007000000023cbb-88.dat	upx
behavioral2/memory/2868-90-0x00007FF6D49D0000-0x00007FF6D4D21000-memory.dmp	upx
behavioral2/memory/536-89-0x00007FF68F9C0000-0x00007FF68FD11000-memory.dmp	upx
behavioral2/memory/2052-84-0x00007FF6ACD90000-0x00007FF6AD0E1000-memory.dmp	upx
behavioral2/memory/1304-96-0x00007FF6F8970000-0x00007FF6F8CC1000-memory.dmp	upx
behavioral2/memory/2524-99-0x00007FF7703D0000-0x00007FF770721000-memory.dmp	upx
behavioral2/files/0x0007000000023cbe-105.dat	upx
behavioral2/memory/3068-104-0x00007FF6FF920000-0x00007FF6FFC71000-memory.dmp	upx
behavioral2/memory/3116-111-0x00007FF7B25E0000-0x00007FF7B2931000-memory.dmp	upx
behavioral2/files/0x0007000000023cbf-112.dat	upx
behavioral2/memory/2068-110-0x00007FF63B990000-0x00007FF63BCE1000-memory.dmp	upx
behavioral2/files/0x0007000000023cbc-101.dat	upx
behavioral2/memory/1228-97-0x00007FF7B48C0000-0x00007FF7B4C11000-memory.dmp	upx
behavioral2/files/0x0007000000023cc0-127.dat	upx
behavioral2/files/0x0007000000023cc1-129.dat	upx
behavioral2/memory/2188-114-0x00007FF7F8E20000-0x00007FF7F9171000-memory.dmp	upx
behavioral2/memory/624-131-0x00007FF6A9DC0000-0x00007FF6AA111000-memory.dmp	upx
behavioral2/memory/2152-136-0x00007FF667DE0000-0x00007FF668131000-memory.dmp	upx
behavioral2/files/0x0007000000023cc2-139.dat	upx
behavioral2/files/0x0007000000023cc3-140.dat	upx
behavioral2/memory/3028-141-0x00007FF63D320000-0x00007FF63D671000-memory.dmp	upx
behavioral2/memory/3820-135-0x00007FF7F22A0000-0x00007FF7F25F1000-memory.dmp	upx
behavioral2/memory/1420-145-0x00007FF6639B0000-0x00007FF663D01000-memory.dmp	upx
behavioral2/memory/2868-152-0x00007FF6D49D0000-0x00007FF6D4D21000-memory.dmp	upx
behavioral2/memory/2524-156-0x00007FF7703D0000-0x00007FF770721000-memory.dmp	upx
behavioral2/memory/3068-157-0x00007FF6FF920000-0x00007FF6FFC71000-memory.dmp	upx
behavioral2/memory/1164-158-0x00007FF7CD880000-0x00007FF7CDBD1000-memory.dmp	upx
behavioral2/memory/2188-162-0x00007FF7F8E20000-0x00007FF7F9171000-memory.dmp	upx
behavioral2/memory/3820-168-0x00007FF7F22A0000-0x00007FF7F25F1000-memory.dmp	upx
behavioral2/memory/3028-173-0x00007FF63D320000-0x00007FF63D671000-memory.dmp	upx
behavioral2/memory/1420-172-0x00007FF6639B0000-0x00007FF663D01000-memory.dmp	upx
behavioral2/memory/1164-183-0x00007FF7CD880000-0x00007FF7CDBD1000-memory.dmp	upx
behavioral2/memory/4564-212-0x00007FF747C50000-0x00007FF747FA1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\qeLjNNC.exe	2024-11-23_04169a2a39c3b655025e066ddfcd540d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oLLDHbB.exe	2024-11-23_04169a2a39c3b655025e066ddfcd540d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HODTcGz.exe	2024-11-23_04169a2a39c3b655025e066ddfcd540d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sxDgiZz.exe	2024-11-23_04169a2a39c3b655025e066ddfcd540d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sUagNZv.exe	2024-11-23_04169a2a39c3b655025e066ddfcd540d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gqTgadN.exe	2024-11-23_04169a2a39c3b655025e066ddfcd540d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HEuDizc.exe	2024-11-23_04169a2a39c3b655025e066ddfcd540d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CwGPicD.exe	2024-11-23_04169a2a39c3b655025e066ddfcd540d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FZjNSUr.exe	2024-11-23_04169a2a39c3b655025e066ddfcd540d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jfvAYDZ.exe	2024-11-23_04169a2a39c3b655025e066ddfcd540d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CPtLdce.exe	2024-11-23_04169a2a39c3b655025e066ddfcd540d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xtozDUw.exe	2024-11-23_04169a2a39c3b655025e066ddfcd540d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mWmzOAy.exe	2024-11-23_04169a2a39c3b655025e066ddfcd540d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iJCVjgY.exe	2024-11-23_04169a2a39c3b655025e066ddfcd540d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DgMXNQE.exe	2024-11-23_04169a2a39c3b655025e066ddfcd540d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fbOviDt.exe	2024-11-23_04169a2a39c3b655025e066ddfcd540d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yPrqwYu.exe	2024-11-23_04169a2a39c3b655025e066ddfcd540d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OfxAaoU.exe	2024-11-23_04169a2a39c3b655025e066ddfcd540d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ugjTDBa.exe	2024-11-23_04169a2a39c3b655025e066ddfcd540d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NIKPcIg.exe	2024-11-23_04169a2a39c3b655025e066ddfcd540d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rDcLEOZ.exe	2024-11-23_04169a2a39c3b655025e066ddfcd540d_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1164	2024-11-23_04169a2a39c3b655025e066ddfcd540d_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	1164	2024-11-23_04169a2a39c3b655025e066ddfcd540d_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1164 wrote to memory of 4564	1164	2024-11-23_04169a2a39c3b655025e066ddfcd540d_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 1164 wrote to memory of 4564	1164	2024-11-23_04169a2a39c3b655025e066ddfcd540d_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 1164 wrote to memory of 2532	1164	2024-11-23_04169a2a39c3b655025e066ddfcd540d_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 1164 wrote to memory of 2532	1164	2024-11-23_04169a2a39c3b655025e066ddfcd540d_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 1164 wrote to memory of 1224	1164	2024-11-23_04169a2a39c3b655025e066ddfcd540d_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 1164 wrote to memory of 1224	1164	2024-11-23_04169a2a39c3b655025e066ddfcd540d_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 1164 wrote to memory of 2052	1164	2024-11-23_04169a2a39c3b655025e066ddfcd540d_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 1164 wrote to memory of 2052	1164	2024-11-23_04169a2a39c3b655025e066ddfcd540d_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 1164 wrote to memory of 536	1164	2024-11-23_04169a2a39c3b655025e066ddfcd540d_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 1164 wrote to memory of 536	1164	2024-11-23_04169a2a39c3b655025e066ddfcd540d_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 1164 wrote to memory of 1304	1164	2024-11-23_04169a2a39c3b655025e066ddfcd540d_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 1164 wrote to memory of 1304	1164	2024-11-23_04169a2a39c3b655025e066ddfcd540d_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 1164 wrote to memory of 1228	1164	2024-11-23_04169a2a39c3b655025e066ddfcd540d_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1164 wrote to memory of 1228	1164	2024-11-23_04169a2a39c3b655025e066ddfcd540d_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1164 wrote to memory of 2068	1164	2024-11-23_04169a2a39c3b655025e066ddfcd540d_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1164 wrote to memory of 2068	1164	2024-11-23_04169a2a39c3b655025e066ddfcd540d_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1164 wrote to memory of 3116	1164	2024-11-23_04169a2a39c3b655025e066ddfcd540d_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1164 wrote to memory of 3116	1164	2024-11-23_04169a2a39c3b655025e066ddfcd540d_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1164 wrote to memory of 1172	1164	2024-11-23_04169a2a39c3b655025e066ddfcd540d_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1164 wrote to memory of 1172	1164	2024-11-23_04169a2a39c3b655025e066ddfcd540d_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1164 wrote to memory of 2152	1164	2024-11-23_04169a2a39c3b655025e066ddfcd540d_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 1164 wrote to memory of 2152	1164	2024-11-23_04169a2a39c3b655025e066ddfcd540d_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 1164 wrote to memory of 4524	1164	2024-11-23_04169a2a39c3b655025e066ddfcd540d_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1164 wrote to memory of 4524	1164	2024-11-23_04169a2a39c3b655025e066ddfcd540d_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1164 wrote to memory of 2784	1164	2024-11-23_04169a2a39c3b655025e066ddfcd540d_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1164 wrote to memory of 2784	1164	2024-11-23_04169a2a39c3b655025e066ddfcd540d_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1164 wrote to memory of 2868	1164	2024-11-23_04169a2a39c3b655025e066ddfcd540d_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1164 wrote to memory of 2868	1164	2024-11-23_04169a2a39c3b655025e066ddfcd540d_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1164 wrote to memory of 2524	1164	2024-11-23_04169a2a39c3b655025e066ddfcd540d_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1164 wrote to memory of 2524	1164	2024-11-23_04169a2a39c3b655025e066ddfcd540d_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1164 wrote to memory of 3068	1164	2024-11-23_04169a2a39c3b655025e066ddfcd540d_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1164 wrote to memory of 3068	1164	2024-11-23_04169a2a39c3b655025e066ddfcd540d_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1164 wrote to memory of 2188	1164	2024-11-23_04169a2a39c3b655025e066ddfcd540d_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 1164 wrote to memory of 2188	1164	2024-11-23_04169a2a39c3b655025e066ddfcd540d_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 1164 wrote to memory of 624	1164	2024-11-23_04169a2a39c3b655025e066ddfcd540d_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 1164 wrote to memory of 624	1164	2024-11-23_04169a2a39c3b655025e066ddfcd540d_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 1164 wrote to memory of 3820	1164	2024-11-23_04169a2a39c3b655025e066ddfcd540d_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 1164 wrote to memory of 3820	1164	2024-11-23_04169a2a39c3b655025e066ddfcd540d_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 1164 wrote to memory of 3028	1164	2024-11-23_04169a2a39c3b655025e066ddfcd540d_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 1164 wrote to memory of 3028	1164	2024-11-23_04169a2a39c3b655025e066ddfcd540d_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 1164 wrote to memory of 1420	1164	2024-11-23_04169a2a39c3b655025e066ddfcd540d_cobalt-strike_cobaltstrike_poet-rat.exe	108
PID 1164 wrote to memory of 1420	1164	2024-11-23_04169a2a39c3b655025e066ddfcd540d_cobalt-strike_cobaltstrike_poet-rat.exe	108

C:\Users\Admin\AppData\Local\Temp\2024-11-23_04169a2a39c3b655025e066ddfcd540d_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-23_04169a2a39c3b655025e066ddfcd540d_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1164
- C:\Windows\System\CPtLdce.exe
  C:\Windows\System\CPtLdce.exe
  2⤵
  - Executes dropped EXE
  PID:4564
- C:\Windows\System\fbOviDt.exe
  C:\Windows\System\fbOviDt.exe
  2⤵
  - Executes dropped EXE
  PID:2532
- C:\Windows\System\yPrqwYu.exe
  C:\Windows\System\yPrqwYu.exe
  2⤵
  - Executes dropped EXE
  PID:1224
- C:\Windows\System\sUagNZv.exe
  C:\Windows\System\sUagNZv.exe
  2⤵
  - Executes dropped EXE
  PID:2052
- C:\Windows\System\qeLjNNC.exe
  C:\Windows\System\qeLjNNC.exe
  2⤵
  - Executes dropped EXE
  PID:536
- C:\Windows\System\gqTgadN.exe
  C:\Windows\System\gqTgadN.exe
  2⤵
  - Executes dropped EXE
  PID:1304
- C:\Windows\System\HEuDizc.exe
  C:\Windows\System\HEuDizc.exe
  2⤵
  - Executes dropped EXE
  PID:1228
- C:\Windows\System\CwGPicD.exe
  C:\Windows\System\CwGPicD.exe
  2⤵
  - Executes dropped EXE
  PID:2068
- C:\Windows\System\xtozDUw.exe
  C:\Windows\System\xtozDUw.exe
  2⤵
  - Executes dropped EXE
  PID:3116
- C:\Windows\System\FZjNSUr.exe
  C:\Windows\System\FZjNSUr.exe
  2⤵
  - Executes dropped EXE
  PID:1172
- C:\Windows\System\mWmzOAy.exe
  C:\Windows\System\mWmzOAy.exe
  2⤵
  - Executes dropped EXE
  PID:2152
- C:\Windows\System\OfxAaoU.exe
  C:\Windows\System\OfxAaoU.exe
  2⤵
  - Executes dropped EXE
  PID:4524
- C:\Windows\System\oLLDHbB.exe
  C:\Windows\System\oLLDHbB.exe
  2⤵
  - Executes dropped EXE
  PID:2784
- C:\Windows\System\jfvAYDZ.exe
  C:\Windows\System\jfvAYDZ.exe
  2⤵
  - Executes dropped EXE
  PID:2868
- C:\Windows\System\ugjTDBa.exe
  C:\Windows\System\ugjTDBa.exe
  2⤵
  - Executes dropped EXE
  PID:2524
- C:\Windows\System\iJCVjgY.exe
  C:\Windows\System\iJCVjgY.exe
  2⤵
  - Executes dropped EXE
  PID:3068
- C:\Windows\System\NIKPcIg.exe
  C:\Windows\System\NIKPcIg.exe
  2⤵
  - Executes dropped EXE
  PID:2188
- C:\Windows\System\HODTcGz.exe
  C:\Windows\System\HODTcGz.exe
  2⤵
  - Executes dropped EXE
  PID:624
- C:\Windows\System\sxDgiZz.exe
  C:\Windows\System\sxDgiZz.exe
  2⤵
  - Executes dropped EXE
  PID:3820
- C:\Windows\System\rDcLEOZ.exe
  C:\Windows\System\rDcLEOZ.exe
  2⤵
  - Executes dropped EXE
  PID:3028
- C:\Windows\System\DgMXNQE.exe
  C:\Windows\System\DgMXNQE.exe
  2⤵
  - Executes dropped EXE
  PID:1420

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\CPtLdce.exe

Filesize
5.2MB

MD5
246b203969c6d7bd25e001c19e9cf844

SHA1
e3ef10ee7f6a964a285b5c77ada789316da895c8

SHA256
73b0dcfe42584e8ddafd02839a79fb1ada81a8596ba2560043030c597ce349aa

SHA512
13cc92af0010ab5951865830a23a11531c1366d56d125283e4a0f683df894c45809dc160d57d894bbd8af55dbe05e9f6d2827a74b81c63e881e3a59f4c210681

Download Submit
C:\Windows\System\CwGPicD.exe

Filesize
5.2MB

MD5
a281e96e6e0f60af6421175de99b1bd5

SHA1
3bde75adf4d3f21a2673dbed6019c9918064efca

SHA256
4884d476bce1c6ca534c357c31c781c5a7b6fdbaf50cdc6bbb35d3d3a3c844ed

SHA512
12fb6675bc761952997fb8768b8e043140ff42d01b8ae1c814c6170eb54b02cdc3f9885f4c60f675a2fe93ed5a3656c997ad2a1f4dc78a24e1fe8f248d2076e5

Download Submit
C:\Windows\System\DgMXNQE.exe

Filesize
5.2MB

MD5
24f1b700824ce3a857c22bef9d1b3cd4

SHA1
0570fef8877de0b589b2627911e9ae2879da9904

SHA256
44a7e9a9f9a3a2410669db1291dbfbe87da2a8eeae8926cef81d28cf51324c60

SHA512
92b13de3c2ce5faef21e59cf7e54ca2f2cc7df93b26e6c2880aa3f2c1e1008d3503d9ae26b706ea28289043a2527fad194a6f28f696c91a9860191a0836c4791

Download Submit
C:\Windows\System\FZjNSUr.exe

Filesize
5.2MB

MD5
e03b293ed66db3da51ee8ee2f883ae94

SHA1
1f049b1a167902a9ff2abe859c83efd546d9e0fb

SHA256
091e0d723e70ac660a94006bc3634bb8994da31b151e62e36138c9cb64b0dba4

SHA512
d2320c64dc8ee57ebdd965a84a5832829a438f5910bab620462c4cae7a1205d1cc4c5fcd4d40c21ec9771ae97aa7a281f36970fc239aa98bc8fa1e270d28ed9b

Download Submit
C:\Windows\System\HEuDizc.exe

Filesize
5.2MB

MD5
211e43722a2be57a120a2112b2e5e5d1

SHA1
651d0e6700d493c9e9b80d759e4c171e811f2864

SHA256
fc9000d049a4cfd3c178aaf492c7fcbf75cb22b0a6ebdf46c804fbb572baf6fe

SHA512
80733b4c7b174557ed2475e6c6e1cb94d41814a32ebea1bff308082795219578360eb486a1f00bd6bb551308eb43b36654d9d467d7d6b66bdb5bc1227c511fc1

Download Submit
C:\Windows\System\HODTcGz.exe

Filesize
5.2MB

MD5
5c833f09ce96b0e2ec44d1ba83067442

SHA1
ceaebc77d6d1538b571d2cc85d426119b1db1d1e

SHA256
385b589869a379b9c4bd6955a37d503db1a03e7eb774318c7d548c5c25c189f5

SHA512
9f53a195056f3481dad9a4cc6e58d5d545321a49c3bb47632ab4b323b3f43b8d06d835d013bd5c9b298faa987d6ff675b8dda0eb2386794e356b8162dd5f21f3

Download Submit
C:\Windows\System\NIKPcIg.exe

Filesize
5.2MB

MD5
42dae1502042dea319689f2590fdff34

SHA1
255f751c810c243a8adbcf6912eff68cbb4796e6

SHA256
2a7bd3c3444d23d593ee05d4d42bd3a70ec5b1d6118569298c6f2a600ed5fb85

SHA512
8b9db105fb36f2cc5575cb00cf2ef41b0ca22c4919d41767be2ca440969a0b9381d2190f1253336357f4a7874fa98e02937e105be0ff1cfb889aafd5e33ff2bf

Download Submit
C:\Windows\System\OfxAaoU.exe

Filesize
5.2MB

MD5
3863bba6cc348be257912c6aca271b20

SHA1
4d5adce10a1666b92f7dbda1f9e798ca04aa8f79

SHA256
2228e586fe33da64556812f891c763232c4dbfe0dc9fa7d36e6b300198b9e9f7

SHA512
26005a0527f99c4d8e5c716d0ba618f18c549975892b685177c97a2e3277c8a9faefa9d57922ac750a5dec09aabaf26b87a8553c28171405e82bbe78f291a156

Download Submit
C:\Windows\System\fbOviDt.exe

Filesize
5.2MB

MD5
c5865153bca4198e4271e17fcfb4dbe8

SHA1
a3422fbac5f4ef35b1954c53cbc52e3025f91a94

SHA256
3ca5052ae957b94a4df5564d7cb12ff1aa01a916964b2c675d8235d517072072

SHA512
991c60441cb06ccc41feadc9d735fca046b1fd06155ec9a39666e8053f04405519d9edb9861be72a9843504e6fb359a9238312262419cc25b2035631578e218a

Download Submit
C:\Windows\System\gqTgadN.exe

Filesize
5.2MB

MD5
80b3951d53c572f4ea9aeadb8ad140b6

SHA1
802994b8a3eb40c6dcecb01742278a51e59d57ee

SHA256
12b9e059f89edf6a057764e43eff7112ce521955a92595e73f017bf195ac0155

SHA512
08c65fcf98e883e0c099752f78f46e968b3f16c638b628f904cdca15b83dd3d67628eed042ae22d99a1af32e79dbf0fa0259034efcd405dde391788e5898a682

Download Submit
C:\Windows\System\iJCVjgY.exe

Filesize
5.2MB

MD5
69ccb1e00578f830dc253d0115347906

SHA1
05d6a8cf00cd3ae0f917a57b996b742d276f8d67

SHA256
a40222b41e236ac9c69ee1947dd64456624305fe8e4dfec474adb7c402bda56a

SHA512
0a8f322d9b4b0bb33ee736aff164e13908e6817afa9cc6bedd08645c561e4cb634e396ce1606addc1973eb182e729f2a35134bb0032758159e219679ccaa61b4

Download Submit
C:\Windows\System\jfvAYDZ.exe

Filesize
5.2MB

MD5
68a36899bdf737921fe76f7d2e8c9e04

SHA1
6c4d3b510b7535bb3d22f7fbc405ff4286d56ab2

SHA256
29aa34784fe0a050038282b103d2f45ab135754277c6b9e6482970ec1c71ed14

SHA512
48647a93cd380cd8e93e7e50abe6b64cea3f33f0c8e95b3ff095abcca6602a9d3c3e87dff96e6692b39a400f5f3ef1cb9fe5fb48291ff6ae1b45cb3c00c8e634

Download Submit
C:\Windows\System\mWmzOAy.exe

Filesize
5.2MB

MD5
981a93b9a076d51781188a2ade0bd6d7

SHA1
ddb9301473dc16ab1546e04becdee127826cbd24

SHA256
a3b8847f120c531393dda97ebcc49eb6e71e9568f0fee6008a6906ac3be027a8

SHA512
070bd932d4add8163860bd05ae26614f794ae2fb7480d8747fb11cc672631d6b613de860e41f37f3a74b9142f29595f1def8084c96c57e8715ed8efb4f0df1b0

Download Submit
C:\Windows\System\oLLDHbB.exe

Filesize
5.2MB

MD5
a201c983db71a91493a240ab2b3fa98d

SHA1
43299bb56f0be953abef14d78426b2dc86b70b2f

SHA256
3f1ed74ad40cc7c2c82404a6bad6028acc2f60544e7d213b270ad155014aee7f

SHA512
3c28445907a9f1df8fde75a97986ae9812738d7491415b5425284a7a47952e394d5588c32997301d9dd7132fb4bd2c630515f52be7a67b6c32a8253379fcf548

Download Submit
C:\Windows\System\qeLjNNC.exe

Filesize
5.2MB

MD5
0c1854445219a41e43ca7b11b489c387

SHA1
671963e8eb42a8a6b3b897eaf9fbcaf620897ee9

SHA256
74198f8dc3fe8b7bb54c010804d06b598d3da367a03e59bec4089cf1dc95131d

SHA512
2c6ff8f38dc3509f0b5036314b7bfaaf5b7dfff911429313e99c8cc3a57a5d3fa1591fbd9713d5c42653e77eaad8fb12fc5ca78e0250b76cff409bba4174899b

Download Submit
C:\Windows\System\rDcLEOZ.exe

Filesize
5.2MB

MD5
5982faf41bebbd6d10ac3cc8c5027708

SHA1
26bf7cd8eb63be90f7676a03cfb2975f627e536c

SHA256
5e5c1606adcb585e1c687650a8ce8d68bc0f0ced13d5ad707c7ea4201dadb644

SHA512
2460afec5699390efb952cba84c703a6813aa89932db06d319aeebfa71635bdc2d2b5e47a97f45291556519708bee58fc484e7953f4021979fa1e7fa256302af

Download Submit
C:\Windows\System\sUagNZv.exe

Filesize
5.2MB

MD5
47b375569d60a5f17daaca5a13935021

SHA1
840de95f85003dc81927cf2261224a50b7b865f9

SHA256
530ea6e6c48f6f082f7bb69df7d195af47b9b95d3ccadaeb9d540b9573f0f655

SHA512
349940cff5e612a2a29256cb538ab43c6a470704983754580e6dc14b8ce33035e9b92860848e8c5228dfcf5266740641c352ade5abdd79c832795ac3115e8fdd

Download Submit
C:\Windows\System\sxDgiZz.exe

Filesize
5.2MB

MD5
603e8c7416c4cce6ca985d516d82fcde

SHA1
60b883be3df581caff8ef304b7a1bdf533c04d48

SHA256
34cfe837505da53bc15c3f42c68319cef98805a5f2f54cd5b97f72457f98ffc8

SHA512
795256af30f3a99f29ae0724f5b669b0248c1b4d68545e2494d7f84bb9a51d5d01a6a48066087129a099c50f68d8fd8319c447eac285be0bc7a962029c652324

Download Submit
C:\Windows\System\ugjTDBa.exe

Filesize
5.2MB

MD5
65b0a945aa9cea556abae36b49fc91c6

SHA1
955401993bf48c8f61cdd6dab642f62434d3ab58

SHA256
e3fda10b9e5ff170e657bde05c5040c64095edcaf439b4b01e84f53d815212d2

SHA512
dfa72fe413e42021d406b04f13303c34e57229054ceee6f0d0a959fae5688171eb06df683d6def6f11840a03860c2239f2bbf2606327074227e0aca1ba04f83a

Download Submit
C:\Windows\System\xtozDUw.exe

Filesize
5.2MB

MD5
baa1296afa767bc95bc6ac3a88133523

SHA1
ab9cddd3b2f7ca51818bf4b4e542155f9b942dcb

SHA256
18dd8b32bc7665a36aded44e733fc29427682a29811146b7fc4fa1337ef91a01

SHA512
2fa1b19caaf82e8218489100819cea1c0d65abd187be135a8e6d78201cda8e9bc1a3dc487bc11620d97e2c848ec4222642bad12dcd66d228b758d4f159f3a922

Download Submit
C:\Windows\System\yPrqwYu.exe

Filesize
5.2MB

MD5
50ad1a153d2ed6e5aa85aa5ec7caabb9

SHA1
70a1acecb7a9c05bacb0121be8b2c662fb2fd405

SHA256
eeee7cd4ad656fe9c42479ccd38a79cd4f8cabba3cd7d23686be2e82d8d87eaa

SHA512
7b4fb5d07b5eade7748eb304a6e1e20a5166ca0f0e45f42dfbe8558661aa9cc1310b119f9b6b1f77c91ce53a28ac9b14dccef4c62eb416b99f0ad391305401a5

Download Submit
memory/536-224-0x00007FF68F9C0000-0x00007FF68FD11000-memory.dmp

Filesize
3.3MB

Download
memory/536-29-0x00007FF68F9C0000-0x00007FF68FD11000-memory.dmp

Filesize
3.3MB

Download
memory/536-89-0x00007FF68F9C0000-0x00007FF68FD11000-memory.dmp

Filesize
3.3MB

Download
memory/624-131-0x00007FF6A9DC0000-0x00007FF6AA111000-memory.dmp

Filesize
3.3MB

Download
memory/624-269-0x00007FF6A9DC0000-0x00007FF6AA111000-memory.dmp

Filesize
3.3MB

Download
memory/1164-60-0x00007FF7CD880000-0x00007FF7CDBD1000-memory.dmp

Filesize
3.3MB

Download
memory/1164-183-0x00007FF7CD880000-0x00007FF7CDBD1000-memory.dmp

Filesize
3.3MB

Download
memory/1164-0-0x00007FF7CD880000-0x00007FF7CDBD1000-memory.dmp

Filesize
3.3MB

Download
memory/1164-158-0x00007FF7CD880000-0x00007FF7CDBD1000-memory.dmp

Filesize
3.3MB

Download
memory/1164-1-0x0000023B41280000-0x0000023B41290000-memory.dmp

Filesize
64KB

Download
memory/1172-64-0x00007FF76C650000-0x00007FF76C9A1000-memory.dmp

Filesize
3.3MB

Download
memory/1172-241-0x00007FF76C650000-0x00007FF76C9A1000-memory.dmp

Filesize
3.3MB

Download
memory/1224-220-0x00007FF6BF2B0000-0x00007FF6BF601000-memory.dmp

Filesize
3.3MB

Download
memory/1224-17-0x00007FF6BF2B0000-0x00007FF6BF601000-memory.dmp

Filesize
3.3MB

Download
memory/1224-77-0x00007FF6BF2B0000-0x00007FF6BF601000-memory.dmp

Filesize
3.3MB

Download
memory/1228-97-0x00007FF7B48C0000-0x00007FF7B4C11000-memory.dmp

Filesize
3.3MB

Download
memory/1228-44-0x00007FF7B48C0000-0x00007FF7B4C11000-memory.dmp

Filesize
3.3MB

Download
memory/1228-237-0x00007FF7B48C0000-0x00007FF7B4C11000-memory.dmp

Filesize
3.3MB

Download
memory/1304-96-0x00007FF6F8970000-0x00007FF6F8CC1000-memory.dmp

Filesize
3.3MB

Download
memory/1304-235-0x00007FF6F8970000-0x00007FF6F8CC1000-memory.dmp

Filesize
3.3MB

Download
memory/1304-38-0x00007FF6F8970000-0x00007FF6F8CC1000-memory.dmp

Filesize
3.3MB

Download
memory/1420-172-0x00007FF6639B0000-0x00007FF663D01000-memory.dmp

Filesize
3.3MB

Download
memory/1420-275-0x00007FF6639B0000-0x00007FF663D01000-memory.dmp

Filesize
3.3MB

Download
memory/1420-145-0x00007FF6639B0000-0x00007FF663D01000-memory.dmp

Filesize
3.3MB

Download
memory/2052-222-0x00007FF6ACD90000-0x00007FF6AD0E1000-memory.dmp

Filesize
3.3MB

Download
memory/2052-23-0x00007FF6ACD90000-0x00007FF6AD0E1000-memory.dmp

Filesize
3.3MB

Download
memory/2052-84-0x00007FF6ACD90000-0x00007FF6AD0E1000-memory.dmp

Filesize
3.3MB

Download
memory/2068-48-0x00007FF63B990000-0x00007FF63BCE1000-memory.dmp

Filesize
3.3MB

Download
memory/2068-110-0x00007FF63B990000-0x00007FF63BCE1000-memory.dmp

Filesize
3.3MB

Download
memory/2068-239-0x00007FF63B990000-0x00007FF63BCE1000-memory.dmp

Filesize
3.3MB

Download
memory/2152-136-0x00007FF667DE0000-0x00007FF668131000-memory.dmp

Filesize
3.3MB

Download
memory/2152-245-0x00007FF667DE0000-0x00007FF668131000-memory.dmp

Filesize
3.3MB

Download
memory/2152-66-0x00007FF667DE0000-0x00007FF668131000-memory.dmp

Filesize
3.3MB

Download
memory/2188-114-0x00007FF7F8E20000-0x00007FF7F9171000-memory.dmp

Filesize
3.3MB

Download
memory/2188-264-0x00007FF7F8E20000-0x00007FF7F9171000-memory.dmp

Filesize
3.3MB

Download
memory/2188-162-0x00007FF7F8E20000-0x00007FF7F9171000-memory.dmp

Filesize
3.3MB

Download
memory/2524-260-0x00007FF7703D0000-0x00007FF770721000-memory.dmp

Filesize
3.3MB

Download
memory/2524-156-0x00007FF7703D0000-0x00007FF770721000-memory.dmp

Filesize
3.3MB

Download
memory/2524-99-0x00007FF7703D0000-0x00007FF770721000-memory.dmp

Filesize
3.3MB

Download
memory/2532-14-0x00007FF68D3D0000-0x00007FF68D721000-memory.dmp

Filesize
3.3MB

Download
memory/2532-71-0x00007FF68D3D0000-0x00007FF68D721000-memory.dmp

Filesize
3.3MB

Download
memory/2532-218-0x00007FF68D3D0000-0x00007FF68D721000-memory.dmp

Filesize
3.3MB

Download
memory/2784-252-0x00007FF633FF0000-0x00007FF634341000-memory.dmp

Filesize
3.3MB

Download
memory/2784-87-0x00007FF633FF0000-0x00007FF634341000-memory.dmp

Filesize
3.3MB

Download
memory/2868-152-0x00007FF6D49D0000-0x00007FF6D4D21000-memory.dmp

Filesize
3.3MB

Download
memory/2868-90-0x00007FF6D49D0000-0x00007FF6D4D21000-memory.dmp

Filesize
3.3MB

Download
memory/2868-254-0x00007FF6D49D0000-0x00007FF6D4D21000-memory.dmp

Filesize
3.3MB

Download
memory/3028-173-0x00007FF63D320000-0x00007FF63D671000-memory.dmp

Filesize
3.3MB

Download
memory/3028-274-0x00007FF63D320000-0x00007FF63D671000-memory.dmp

Filesize
3.3MB

Download
memory/3028-141-0x00007FF63D320000-0x00007FF63D671000-memory.dmp

Filesize
3.3MB

Download
memory/3068-262-0x00007FF6FF920000-0x00007FF6FFC71000-memory.dmp

Filesize
3.3MB

Download
memory/3068-157-0x00007FF6FF920000-0x00007FF6FFC71000-memory.dmp

Filesize
3.3MB

Download
memory/3068-104-0x00007FF6FF920000-0x00007FF6FFC71000-memory.dmp

Filesize
3.3MB

Download
memory/3116-243-0x00007FF7B25E0000-0x00007FF7B2931000-memory.dmp

Filesize
3.3MB

Download
memory/3116-111-0x00007FF7B25E0000-0x00007FF7B2931000-memory.dmp

Filesize
3.3MB

Download
memory/3116-62-0x00007FF7B25E0000-0x00007FF7B2931000-memory.dmp

Filesize
3.3MB

Download
memory/3820-271-0x00007FF7F22A0000-0x00007FF7F25F1000-memory.dmp

Filesize
3.3MB

Download
memory/3820-135-0x00007FF7F22A0000-0x00007FF7F25F1000-memory.dmp

Filesize
3.3MB

Download
memory/3820-168-0x00007FF7F22A0000-0x00007FF7F25F1000-memory.dmp

Filesize
3.3MB

Download
memory/4524-250-0x00007FF7BEA40000-0x00007FF7BED91000-memory.dmp

Filesize
3.3MB

Download
memory/4524-82-0x00007FF7BEA40000-0x00007FF7BED91000-memory.dmp

Filesize
3.3MB

Download
memory/4564-65-0x00007FF747C50000-0x00007FF747FA1000-memory.dmp

Filesize
3.3MB

Download
memory/4564-7-0x00007FF747C50000-0x00007FF747FA1000-memory.dmp

Filesize
3.3MB

Download
memory/4564-212-0x00007FF747C50000-0x00007FF747FA1000-memory.dmp

Filesize
3.3MB

Download