cobaltstrike | e38c6a508442c973f30458989b72b8e921a26d146774ff46a95c57b93e65e92d

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2024 01:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-25_f26c21d5376082035012cf67fcced301_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

f26c21d5376082035012cf67fcced301
SHA1

666960db694f6a246f7b48981f826c7466d7db93
SHA256

e38c6a508442c973f30458989b72b8e921a26d146774ff46a95c57b93e65e92d
SHA512

4c778b882b8d9bc8fa8884e109185e24ea3da07e0bbd8ea00aafb826d263c990fcc32d65cb81b0972f8d912b13efecf65b6ee5c513e0f2a761e47c7006015644
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lX:RWWBibf56utgpPFotBER/mQ32lU7

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
behavioral2/files/0x0008000000023c97-4.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9b-11.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9c-10.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9d-22.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9e-29.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c9f-37.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca0-41.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca2-55.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca4-67.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca7-81.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca8-88.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca5-75.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca6-78.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca3-63.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca9-102.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cae-121.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cad-129.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cac-132.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023caf-125.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cab-122.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023caa-106.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 47 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/2480-14-0x00007FF6985F0000-0x00007FF698941000-memory.dmp	xmrig
behavioral2/memory/2480-77-0x00007FF6985F0000-0x00007FF698941000-memory.dmp	xmrig
behavioral2/memory/5076-87-0x00007FF74C020000-0x00007FF74C371000-memory.dmp	xmrig
behavioral2/memory/3304-70-0x00007FF6DBC50000-0x00007FF6DBFA1000-memory.dmp	xmrig
behavioral2/memory/3480-60-0x00007FF6B1D60000-0x00007FF6B20B1000-memory.dmp	xmrig
behavioral2/memory/1332-59-0x00007FF7D6C00000-0x00007FF7D6F51000-memory.dmp	xmrig
behavioral2/memory/2568-93-0x00007FF68E520000-0x00007FF68E871000-memory.dmp	xmrig
behavioral2/memory/836-98-0x00007FF75AC80000-0x00007FF75AFD1000-memory.dmp	xmrig
behavioral2/memory/3304-136-0x00007FF6DBC50000-0x00007FF6DBFA1000-memory.dmp	xmrig
behavioral2/memory/3092-137-0x00007FF7D4570000-0x00007FF7D48C1000-memory.dmp	xmrig
behavioral2/memory/1196-135-0x00007FF674D00000-0x00007FF675051000-memory.dmp	xmrig
behavioral2/memory/1864-134-0x00007FF688480000-0x00007FF6887D1000-memory.dmp	xmrig
behavioral2/memory/1200-119-0x00007FF6AA7F0000-0x00007FF6AAB41000-memory.dmp	xmrig
behavioral2/memory/432-101-0x00007FF6CEDF0000-0x00007FF6CF141000-memory.dmp	xmrig
behavioral2/memory/1332-138-0x00007FF7D6C00000-0x00007FF7D6F51000-memory.dmp	xmrig
behavioral2/memory/4992-143-0x00007FF70CDB0000-0x00007FF70D101000-memory.dmp	xmrig
behavioral2/memory/4844-142-0x00007FF798CA0000-0x00007FF798FF1000-memory.dmp	xmrig
behavioral2/memory/1476-147-0x00007FF73DC30000-0x00007FF73DF81000-memory.dmp	xmrig
behavioral2/memory/3424-155-0x00007FF6482F0000-0x00007FF648641000-memory.dmp	xmrig
behavioral2/memory/5116-156-0x00007FF640B80000-0x00007FF640ED1000-memory.dmp	xmrig
behavioral2/memory/1584-157-0x00007FF7E0090000-0x00007FF7E03E1000-memory.dmp	xmrig
behavioral2/memory/4068-158-0x00007FF7FFB00000-0x00007FF7FFE51000-memory.dmp	xmrig
behavioral2/memory/2884-165-0x00007FF67B700000-0x00007FF67BA51000-memory.dmp	xmrig
behavioral2/memory/4168-161-0x00007FF6C5C30000-0x00007FF6C5F81000-memory.dmp	xmrig
behavioral2/memory/2720-162-0x00007FF70E0F0000-0x00007FF70E441000-memory.dmp	xmrig
behavioral2/memory/1332-166-0x00007FF7D6C00000-0x00007FF7D6F51000-memory.dmp	xmrig
behavioral2/memory/3480-217-0x00007FF6B1D60000-0x00007FF6B20B1000-memory.dmp	xmrig
behavioral2/memory/2480-219-0x00007FF6985F0000-0x00007FF698941000-memory.dmp	xmrig
behavioral2/memory/5076-221-0x00007FF74C020000-0x00007FF74C371000-memory.dmp	xmrig
behavioral2/memory/2568-223-0x00007FF68E520000-0x00007FF68E871000-memory.dmp	xmrig
behavioral2/memory/432-228-0x00007FF6CEDF0000-0x00007FF6CF141000-memory.dmp	xmrig
behavioral2/memory/836-226-0x00007FF75AC80000-0x00007FF75AFD1000-memory.dmp	xmrig
behavioral2/memory/1200-239-0x00007FF6AA7F0000-0x00007FF6AAB41000-memory.dmp	xmrig
behavioral2/memory/1196-241-0x00007FF674D00000-0x00007FF675051000-memory.dmp	xmrig
behavioral2/memory/3304-245-0x00007FF6DBC50000-0x00007FF6DBFA1000-memory.dmp	xmrig
behavioral2/memory/1476-247-0x00007FF73DC30000-0x00007FF73DF81000-memory.dmp	xmrig
behavioral2/memory/4992-249-0x00007FF70CDB0000-0x00007FF70D101000-memory.dmp	xmrig
behavioral2/memory/3424-251-0x00007FF6482F0000-0x00007FF648641000-memory.dmp	xmrig
behavioral2/memory/4844-243-0x00007FF798CA0000-0x00007FF798FF1000-memory.dmp	xmrig
behavioral2/memory/5116-253-0x00007FF640B80000-0x00007FF640ED1000-memory.dmp	xmrig
behavioral2/memory/1584-261-0x00007FF7E0090000-0x00007FF7E03E1000-memory.dmp	xmrig
behavioral2/memory/4068-263-0x00007FF7FFB00000-0x00007FF7FFE51000-memory.dmp	xmrig
behavioral2/memory/2884-265-0x00007FF67B700000-0x00007FF67BA51000-memory.dmp	xmrig
behavioral2/memory/1864-269-0x00007FF688480000-0x00007FF6887D1000-memory.dmp	xmrig
behavioral2/memory/2720-271-0x00007FF70E0F0000-0x00007FF70E441000-memory.dmp	xmrig
behavioral2/memory/3092-267-0x00007FF7D4570000-0x00007FF7D48C1000-memory.dmp	xmrig
behavioral2/memory/4168-273-0x00007FF6C5C30000-0x00007FF6C5F81000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

tEFCQNN.exexhPinLQ.exeiKLlrtx.exerqMFcOh.exeWVcuVin.exeZVWKKNf.exexcbAMNY.exevkzrQEn.exeTwtyNxl.exeXarWuXv.exeaGyaJoT.exewUUgcsP.execpWwaFh.exesKeLGig.exedVzBzXX.exeiRlyIjM.exeNJQJmGk.exeZBJfmfQ.exeTEzleGB.exetSVRXLj.exeShpqbqq.exe

pid	Process
3480	tEFCQNN.exe
2480	xhPinLQ.exe
5076	iKLlrtx.exe
2568	rqMFcOh.exe
836	WVcuVin.exe
432	ZVWKKNf.exe
1200	xcbAMNY.exe
1196	vkzrQEn.exe
4844	TwtyNxl.exe
3304	XarWuXv.exe
1476	aGyaJoT.exe
4992	wUUgcsP.exe
3424	cpWwaFh.exe
5116	sKeLGig.exe
1584	dVzBzXX.exe
4068	iRlyIjM.exe
2884	NJQJmGk.exe
4168	ZBJfmfQ.exe
2720	TEzleGB.exe
3092	tSVRXLj.exe
1864	Shpqbqq.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1332-0-0x00007FF7D6C00000-0x00007FF7D6F51000-memory.dmp	upx
behavioral2/files/0x0008000000023c97-4.dat	upx
behavioral2/files/0x0007000000023c9b-11.dat	upx
behavioral2/files/0x0007000000023c9c-10.dat	upx
behavioral2/memory/2480-14-0x00007FF6985F0000-0x00007FF698941000-memory.dmp	upx
behavioral2/memory/3480-8-0x00007FF6B1D60000-0x00007FF6B20B1000-memory.dmp	upx
behavioral2/files/0x0007000000023c9d-22.dat	upx
behavioral2/memory/2568-26-0x00007FF68E520000-0x00007FF68E871000-memory.dmp	upx
behavioral2/memory/5076-18-0x00007FF74C020000-0x00007FF74C371000-memory.dmp	upx
behavioral2/files/0x0007000000023c9e-29.dat	upx
behavioral2/files/0x0008000000023c9f-37.dat	upx
behavioral2/memory/432-34-0x00007FF6CEDF0000-0x00007FF6CF141000-memory.dmp	upx
behavioral2/memory/836-32-0x00007FF75AC80000-0x00007FF75AFD1000-memory.dmp	upx
behavioral2/files/0x0007000000023ca0-41.dat	upx
behavioral2/files/0x0007000000023ca2-55.dat	upx
behavioral2/files/0x0007000000023ca4-67.dat	upx
behavioral2/memory/4992-71-0x00007FF70CDB0000-0x00007FF70D101000-memory.dmp	upx
behavioral2/memory/2480-77-0x00007FF6985F0000-0x00007FF698941000-memory.dmp	upx
behavioral2/files/0x0007000000023ca7-81.dat	upx
behavioral2/memory/3424-80-0x00007FF6482F0000-0x00007FF648641000-memory.dmp	upx
behavioral2/memory/5116-90-0x00007FF640B80000-0x00007FF640ED1000-memory.dmp	upx
behavioral2/files/0x0007000000023ca8-88.dat	upx
behavioral2/memory/5076-87-0x00007FF74C020000-0x00007FF74C371000-memory.dmp	upx
behavioral2/files/0x0007000000023ca5-75.dat	upx
behavioral2/memory/1476-73-0x00007FF73DC30000-0x00007FF73DF81000-memory.dmp	upx
behavioral2/files/0x0007000000023ca6-78.dat	upx
behavioral2/memory/3304-70-0x00007FF6DBC50000-0x00007FF6DBFA1000-memory.dmp	upx
behavioral2/memory/4844-64-0x00007FF798CA0000-0x00007FF798FF1000-memory.dmp	upx
behavioral2/files/0x0007000000023ca3-63.dat	upx
behavioral2/memory/3480-60-0x00007FF6B1D60000-0x00007FF6B20B1000-memory.dmp	upx
behavioral2/memory/1332-59-0x00007FF7D6C00000-0x00007FF7D6F51000-memory.dmp	upx
behavioral2/memory/1196-51-0x00007FF674D00000-0x00007FF675051000-memory.dmp	upx
behavioral2/memory/1200-42-0x00007FF6AA7F0000-0x00007FF6AAB41000-memory.dmp	upx
behavioral2/memory/2568-93-0x00007FF68E520000-0x00007FF68E871000-memory.dmp	upx
behavioral2/memory/836-98-0x00007FF75AC80000-0x00007FF75AFD1000-memory.dmp	upx
behavioral2/files/0x0007000000023ca9-102.dat	upx
behavioral2/files/0x0007000000023cae-121.dat	upx
behavioral2/files/0x0007000000023cad-129.dat	upx
behavioral2/files/0x0007000000023cac-132.dat	upx
behavioral2/memory/3304-136-0x00007FF6DBC50000-0x00007FF6DBFA1000-memory.dmp	upx
behavioral2/memory/3092-137-0x00007FF7D4570000-0x00007FF7D48C1000-memory.dmp	upx
behavioral2/memory/1196-135-0x00007FF674D00000-0x00007FF675051000-memory.dmp	upx
behavioral2/memory/1864-134-0x00007FF688480000-0x00007FF6887D1000-memory.dmp	upx
behavioral2/memory/4168-127-0x00007FF6C5C30000-0x00007FF6C5F81000-memory.dmp	upx
behavioral2/files/0x0007000000023caf-125.dat	upx
behavioral2/memory/2720-130-0x00007FF70E0F0000-0x00007FF70E441000-memory.dmp	upx
behavioral2/memory/1200-119-0x00007FF6AA7F0000-0x00007FF6AAB41000-memory.dmp	upx
behavioral2/files/0x0007000000023cab-122.dat	upx
behavioral2/memory/2884-113-0x00007FF67B700000-0x00007FF67BA51000-memory.dmp	upx
behavioral2/files/0x0007000000023caa-106.dat	upx
behavioral2/memory/432-101-0x00007FF6CEDF0000-0x00007FF6CF141000-memory.dmp	upx
behavioral2/memory/4068-100-0x00007FF7FFB00000-0x00007FF7FFE51000-memory.dmp	upx
behavioral2/memory/1584-99-0x00007FF7E0090000-0x00007FF7E03E1000-memory.dmp	upx
behavioral2/memory/1332-138-0x00007FF7D6C00000-0x00007FF7D6F51000-memory.dmp	upx
behavioral2/memory/4992-143-0x00007FF70CDB0000-0x00007FF70D101000-memory.dmp	upx
behavioral2/memory/4844-142-0x00007FF798CA0000-0x00007FF798FF1000-memory.dmp	upx
behavioral2/memory/1476-147-0x00007FF73DC30000-0x00007FF73DF81000-memory.dmp	upx
behavioral2/memory/3424-155-0x00007FF6482F0000-0x00007FF648641000-memory.dmp	upx
behavioral2/memory/5116-156-0x00007FF640B80000-0x00007FF640ED1000-memory.dmp	upx
behavioral2/memory/1584-157-0x00007FF7E0090000-0x00007FF7E03E1000-memory.dmp	upx
behavioral2/memory/4068-158-0x00007FF7FFB00000-0x00007FF7FFE51000-memory.dmp	upx
behavioral2/memory/2884-165-0x00007FF67B700000-0x00007FF67BA51000-memory.dmp	upx
behavioral2/memory/4168-161-0x00007FF6C5C30000-0x00007FF6C5F81000-memory.dmp	upx
behavioral2/memory/2720-162-0x00007FF70E0F0000-0x00007FF70E441000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-11-25_f26c21d5376082035012cf67fcced301_cobalt-strike_cobaltstrike_poet-rat.exe

description	ioc	Process
File created	C:\Windows\System\xcbAMNY.exe	2024-11-25_f26c21d5376082035012cf67fcced301_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sKeLGig.exe	2024-11-25_f26c21d5376082035012cf67fcced301_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iRlyIjM.exe	2024-11-25_f26c21d5376082035012cf67fcced301_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NJQJmGk.exe	2024-11-25_f26c21d5376082035012cf67fcced301_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iKLlrtx.exe	2024-11-25_f26c21d5376082035012cf67fcced301_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WVcuVin.exe	2024-11-25_f26c21d5376082035012cf67fcced301_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vkzrQEn.exe	2024-11-25_f26c21d5376082035012cf67fcced301_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TwtyNxl.exe	2024-11-25_f26c21d5376082035012cf67fcced301_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cpWwaFh.exe	2024-11-25_f26c21d5376082035012cf67fcced301_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dVzBzXX.exe	2024-11-25_f26c21d5376082035012cf67fcced301_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tSVRXLj.exe	2024-11-25_f26c21d5376082035012cf67fcced301_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\Shpqbqq.exe	2024-11-25_f26c21d5376082035012cf67fcced301_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tEFCQNN.exe	2024-11-25_f26c21d5376082035012cf67fcced301_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xhPinLQ.exe	2024-11-25_f26c21d5376082035012cf67fcced301_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rqMFcOh.exe	2024-11-25_f26c21d5376082035012cf67fcced301_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aGyaJoT.exe	2024-11-25_f26c21d5376082035012cf67fcced301_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wUUgcsP.exe	2024-11-25_f26c21d5376082035012cf67fcced301_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TEzleGB.exe	2024-11-25_f26c21d5376082035012cf67fcced301_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZVWKKNf.exe	2024-11-25_f26c21d5376082035012cf67fcced301_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XarWuXv.exe	2024-11-25_f26c21d5376082035012cf67fcced301_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZBJfmfQ.exe	2024-11-25_f26c21d5376082035012cf67fcced301_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-11-25_f26c21d5376082035012cf67fcced301_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	Process
Token: SeLockMemoryPrivilege	1332	2024-11-25_f26c21d5376082035012cf67fcced301_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	1332	2024-11-25_f26c21d5376082035012cf67fcced301_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-11-25_f26c21d5376082035012cf67fcced301_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	Process	procid_target
PID 1332 wrote to memory of 3480	1332	2024-11-25_f26c21d5376082035012cf67fcced301_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 1332 wrote to memory of 3480	1332	2024-11-25_f26c21d5376082035012cf67fcced301_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 1332 wrote to memory of 2480	1332	2024-11-25_f26c21d5376082035012cf67fcced301_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 1332 wrote to memory of 2480	1332	2024-11-25_f26c21d5376082035012cf67fcced301_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 1332 wrote to memory of 5076	1332	2024-11-25_f26c21d5376082035012cf67fcced301_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 1332 wrote to memory of 5076	1332	2024-11-25_f26c21d5376082035012cf67fcced301_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 1332 wrote to memory of 2568	1332	2024-11-25_f26c21d5376082035012cf67fcced301_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 1332 wrote to memory of 2568	1332	2024-11-25_f26c21d5376082035012cf67fcced301_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 1332 wrote to memory of 836	1332	2024-11-25_f26c21d5376082035012cf67fcced301_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 1332 wrote to memory of 836	1332	2024-11-25_f26c21d5376082035012cf67fcced301_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 1332 wrote to memory of 432	1332	2024-11-25_f26c21d5376082035012cf67fcced301_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 1332 wrote to memory of 432	1332	2024-11-25_f26c21d5376082035012cf67fcced301_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 1332 wrote to memory of 1200	1332	2024-11-25_f26c21d5376082035012cf67fcced301_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1332 wrote to memory of 1200	1332	2024-11-25_f26c21d5376082035012cf67fcced301_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1332 wrote to memory of 1196	1332	2024-11-25_f26c21d5376082035012cf67fcced301_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1332 wrote to memory of 1196	1332	2024-11-25_f26c21d5376082035012cf67fcced301_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1332 wrote to memory of 4844	1332	2024-11-25_f26c21d5376082035012cf67fcced301_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1332 wrote to memory of 4844	1332	2024-11-25_f26c21d5376082035012cf67fcced301_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1332 wrote to memory of 3304	1332	2024-11-25_f26c21d5376082035012cf67fcced301_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1332 wrote to memory of 3304	1332	2024-11-25_f26c21d5376082035012cf67fcced301_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1332 wrote to memory of 1476	1332	2024-11-25_f26c21d5376082035012cf67fcced301_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 1332 wrote to memory of 1476	1332	2024-11-25_f26c21d5376082035012cf67fcced301_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 1332 wrote to memory of 4992	1332	2024-11-25_f26c21d5376082035012cf67fcced301_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1332 wrote to memory of 4992	1332	2024-11-25_f26c21d5376082035012cf67fcced301_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1332 wrote to memory of 3424	1332	2024-11-25_f26c21d5376082035012cf67fcced301_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1332 wrote to memory of 3424	1332	2024-11-25_f26c21d5376082035012cf67fcced301_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1332 wrote to memory of 5116	1332	2024-11-25_f26c21d5376082035012cf67fcced301_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 1332 wrote to memory of 5116	1332	2024-11-25_f26c21d5376082035012cf67fcced301_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 1332 wrote to memory of 1584	1332	2024-11-25_f26c21d5376082035012cf67fcced301_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1332 wrote to memory of 1584	1332	2024-11-25_f26c21d5376082035012cf67fcced301_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1332 wrote to memory of 4068	1332	2024-11-25_f26c21d5376082035012cf67fcced301_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1332 wrote to memory of 4068	1332	2024-11-25_f26c21d5376082035012cf67fcced301_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1332 wrote to memory of 2884	1332	2024-11-25_f26c21d5376082035012cf67fcced301_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1332 wrote to memory of 2884	1332	2024-11-25_f26c21d5376082035012cf67fcced301_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1332 wrote to memory of 4168	1332	2024-11-25_f26c21d5376082035012cf67fcced301_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1332 wrote to memory of 4168	1332	2024-11-25_f26c21d5376082035012cf67fcced301_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1332 wrote to memory of 2720	1332	2024-11-25_f26c21d5376082035012cf67fcced301_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1332 wrote to memory of 2720	1332	2024-11-25_f26c21d5376082035012cf67fcced301_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1332 wrote to memory of 3092	1332	2024-11-25_f26c21d5376082035012cf67fcced301_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 1332 wrote to memory of 3092	1332	2024-11-25_f26c21d5376082035012cf67fcced301_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 1332 wrote to memory of 1864	1332	2024-11-25_f26c21d5376082035012cf67fcced301_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 1332 wrote to memory of 1864	1332	2024-11-25_f26c21d5376082035012cf67fcced301_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-11-25_f26c21d5376082035012cf67fcced301_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-25_f26c21d5376082035012cf67fcced301_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1332
- C:\Windows\System\tEFCQNN.exe
  C:\Windows\System\tEFCQNN.exe
  2⤵
  - Executes dropped EXE
  PID:3480
- C:\Windows\System\xhPinLQ.exe
  C:\Windows\System\xhPinLQ.exe
  2⤵
  - Executes dropped EXE
  PID:2480
- C:\Windows\System\iKLlrtx.exe
  C:\Windows\System\iKLlrtx.exe
  2⤵
  - Executes dropped EXE
  PID:5076
- C:\Windows\System\rqMFcOh.exe
  C:\Windows\System\rqMFcOh.exe
  2⤵
  - Executes dropped EXE
  PID:2568
- C:\Windows\System\WVcuVin.exe
  C:\Windows\System\WVcuVin.exe
  2⤵
  - Executes dropped EXE
  PID:836
- C:\Windows\System\ZVWKKNf.exe
  C:\Windows\System\ZVWKKNf.exe
  2⤵
  - Executes dropped EXE
  PID:432
- C:\Windows\System\xcbAMNY.exe
  C:\Windows\System\xcbAMNY.exe
  2⤵
  - Executes dropped EXE
  PID:1200
- C:\Windows\System\vkzrQEn.exe
  C:\Windows\System\vkzrQEn.exe
  2⤵
  - Executes dropped EXE
  PID:1196
- C:\Windows\System\TwtyNxl.exe
  C:\Windows\System\TwtyNxl.exe
  2⤵
  - Executes dropped EXE
  PID:4844
- C:\Windows\System\XarWuXv.exe
  C:\Windows\System\XarWuXv.exe
  2⤵
  - Executes dropped EXE
  PID:3304
- C:\Windows\System\aGyaJoT.exe
  C:\Windows\System\aGyaJoT.exe
  2⤵
  - Executes dropped EXE
  PID:1476
- C:\Windows\System\wUUgcsP.exe
  C:\Windows\System\wUUgcsP.exe
  2⤵
  - Executes dropped EXE
  PID:4992
- C:\Windows\System\cpWwaFh.exe
  C:\Windows\System\cpWwaFh.exe
  2⤵
  - Executes dropped EXE
  PID:3424
- C:\Windows\System\sKeLGig.exe
  C:\Windows\System\sKeLGig.exe
  2⤵
  - Executes dropped EXE
  PID:5116
- C:\Windows\System\dVzBzXX.exe
  C:\Windows\System\dVzBzXX.exe
  2⤵
  - Executes dropped EXE
  PID:1584
- C:\Windows\System\iRlyIjM.exe
  C:\Windows\System\iRlyIjM.exe
  2⤵
  - Executes dropped EXE
  PID:4068
- C:\Windows\System\NJQJmGk.exe
  C:\Windows\System\NJQJmGk.exe
  2⤵
  - Executes dropped EXE
  PID:2884
- C:\Windows\System\ZBJfmfQ.exe
  C:\Windows\System\ZBJfmfQ.exe
  2⤵
  - Executes dropped EXE
  PID:4168
- C:\Windows\System\TEzleGB.exe
  C:\Windows\System\TEzleGB.exe
  2⤵
  - Executes dropped EXE
  PID:2720
- C:\Windows\System\tSVRXLj.exe
  C:\Windows\System\tSVRXLj.exe
  2⤵
  - Executes dropped EXE
  PID:3092
- C:\Windows\System\Shpqbqq.exe
  C:\Windows\System\Shpqbqq.exe
  2⤵
  - Executes dropped EXE
  PID:1864

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\NJQJmGk.exe

Filesize
5.2MB

MD5
ceae09d7437a082df2200e506753d7b1

SHA1
6eeb03a158c6fa34b5680e563ff539c0519f89d4

SHA256
efc5fdb18fec69b0e00061a452382198df8c9f9005060a3283edf2ab3c2949d9

SHA512
789406801103954743c061d747640356b6485dfe50d89d93e40b744963e28e16811ca7dc1c38c6c92bc01f6308460d0a4bddd2e555ec5a7431828d01cc5371d2

Download Submit
C:\Windows\System\Shpqbqq.exe

Filesize
5.2MB

MD5
e67c5809a0abe0e1979121fa38e6349a

SHA1
a6c771343d550dcc0d03de54704d334ee01a4438

SHA256
13c2197a010af1b41d30831229d6fcb803c82ffcbbdc3504973b098fa1584a9e

SHA512
bf818814fc463793a44924a7ba8b41b97dfc1d56201b6ece90b95b55256a7cb2daff61053ceb3264441c31a4f7f0125e91cbd802131e210bb1663ce271c03aca

Download Submit
C:\Windows\System\TEzleGB.exe

Filesize
5.2MB

MD5
b967b29795705d52638f0f160c0a38b8

SHA1
ff44cfdfa3ad4a295966f56cf6a5567a6279ec25

SHA256
72bba379e8fd896845b30c6ec6636042ce87ac27bc5b249e80ef0118ca73eaa4

SHA512
3ef0eec7e2c1d829106e819f4581c724f7acc7d7fee1c84cd03302c33e8b0fa24d6f43d0e24fba3d6f113da8e85b15c7a2ef35fa852b45924229bcb7e1bc111c

Download Submit
C:\Windows\System\TwtyNxl.exe

Filesize
5.2MB

MD5
8ce9b4b1d8fe398b52f4e7d2b175129f

SHA1
9009c513390221b01305803fceac0d00269e1e82

SHA256
3bb941e9c4a5e58f311dd85ea0a0d84467011c29c512bc3f870a3a80f7f101a7

SHA512
4d02753d647c9f48eac44c85d79075860fa0ce779fd9e39acc9e4408996121fa2d489dfd10a91bc289fcf05b504325b5ee4a64177b2ad99c4375172d356c9b9f

Download Submit
C:\Windows\System\WVcuVin.exe

Filesize
5.2MB

MD5
18e6be0a703746460d1d3710b88f9d69

SHA1
0b8ccefbc33adf92329fc57d7a022dcb3c3a5e22

SHA256
9f2c9a8addea99b858909eed8e5f70733cf45032fee97297ba2c81fa68e60bba

SHA512
efb56586fb09a009e79e293315db00f6cf58f25ee44b87ed35fe755f2b2b29e235fbab6e0f7165225f430f50947498e6472d796ddaef815657b3bc2d514b55fb

Download Submit
C:\Windows\System\XarWuXv.exe

Filesize
5.2MB

MD5
1771aae06e59cc194b6f0fbd15eaacca

SHA1
af6620bac90d5a9df5eacbb971505d4fd8a36bd3

SHA256
d50ad7f59bd027b8b5cb080070f139455d8b958e9e48fc700510976bce3fe7f9

SHA512
da554f638f7d39012c33b548c96e5a854ff9c54c09f6f0aa38c4973036a63a8f6e5c377efbac8b0183fb1762cb1a6b9a2e5ac98f22241235b63e50eae274efa7

Download Submit
C:\Windows\System\ZBJfmfQ.exe

Filesize
5.2MB

MD5
4187b9c7d0e2d2f505b08eb4a04dd674

SHA1
2014194d3fadcc30925996de8551cd2ff4274503

SHA256
4b3588163e6c361d6d25e799bd53f1d91b4694bd07dcbc2e510b568972bf7218

SHA512
e3eebe409798558c27858b0d96834500e90b7e1a83da53c402083a03c9adbbec7bd0e064eaab7f437f009537ccc89458a4f078ac6495d6b40a45042d012ede1d

Download Submit
C:\Windows\System\ZVWKKNf.exe

Filesize
5.2MB

MD5
62d69d577d58c0a66df5f964b7315368

SHA1
a4f764834bf86bce4906eb061ad2517a2c8cb046

SHA256
c76ba6a555680fa8e31e300b7673eeff01ca046285ef2b1f0df994852ace3284

SHA512
816382a701c8e598867beda2a747942bf7e9de9ac176579dd131174fe62af4faf1fd7f715cf2763b8d0899ea9ced469e50065361424e683c9b6e9cf741f83475

Download Submit
C:\Windows\System\aGyaJoT.exe

Filesize
5.2MB

MD5
94c729d83731713c8c4be76e67af2bd0

SHA1
fcd6b005184a1ca53915f7f56acac4baa369e415

SHA256
ee836d7352f990d2674497a1d79761526640f1f8c07fed6b78135d912358faea

SHA512
a388a846e529440fa0144fe4e34eac9c22548839302785f4701d19b4be94fd06eb00dbf1e804e93bb47076ece07b810c8321aa80b959275d2b831253eab37e08

Download Submit
C:\Windows\System\cpWwaFh.exe

Filesize
5.2MB

MD5
b8f78fde6513b0b196c5096e8bffdf62

SHA1
80e8a1543b0ba0db00bd745b0e7ac4472bd9335a

SHA256
46d948860d40843a994c458a541b7dfc58f2d27a8dfca80f682d5ba30b2dec26

SHA512
41edaa9661a1a025017b35b5f51951240706feb638b51e612582a62fe1cbdde9a82570b4ed3228e457117d79cd4c5c5b0b5d53253759af9ef21e837c36b656d9

Download Submit
C:\Windows\System\dVzBzXX.exe

Filesize
5.2MB

MD5
86adc3a88853fa19a1ca814ba8345c42

SHA1
0e0c8383c45451bfe73c9027137d27ea9f9c395e

SHA256
a3ef6a24b904a1b7e7f63f3034847920655a63b21a94f6e400a13b6dbd34dce1

SHA512
d57f662018bb6f915d90fa46549b5424b9e18dd51c3ca80e152dcbcbdfa901da2f77090fe284800b0b56d7e969e56da3e4ffff7e35cf9fd843854b542be12865

Download Submit
C:\Windows\System\iKLlrtx.exe

Filesize
5.2MB

MD5
57658663fd5bdf7b50573f1541ba01ee

SHA1
c71e63cb9791a4ad4f2077eed4e263cc898eee6a

SHA256
37a07bc0735b87c45010bec941fec757f36dd15fb4237db78b0a907fe458db50

SHA512
ab95308ddf2aad7d430c8e862b1077ef96621f748897d9adc40e61e4424a3604e6e1dac023f366317b3fcb2f2e6b29946ccb981a8104dc6033094cf82d3030d6

Download Submit
C:\Windows\System\iRlyIjM.exe

Filesize
5.2MB

MD5
6a91b6c35d5eb6dad21cf6b6ca5ccc28

SHA1
266539e1e73cfaa419cf5e590f93698b6dcd59ec

SHA256
085a75246c2084f17a6f9e66478a4b47226a9b956f7c5315c7ad68d5eb7feaa9

SHA512
4bd7d2e9dc7afd2c157159b959aa1e8fa1eeecac84f967ed94378afed9296a1d893a7c6dd6a066143a50d11973978f6e8e91b60ee10d7025d86a9b428a1d8a6f

Download Submit
C:\Windows\System\rqMFcOh.exe

Filesize
5.2MB

MD5
fec0b4027f188365deed727b0087929a

SHA1
48946d032fd71c16e8be017edfafd37e38b13055

SHA256
b6e6da6550af56ec24ea857ad68f524afad4a879e8e6ffbd3e093e8a1fa162e0

SHA512
da9dd713da17c9db1dc3f1aebba59841493ada3c41036bf287dc32b48bcf6122002a4446a4317c2d241636481c1e54cf71422c7fdfbd0bb4ad25a8e476c7ceae

Download Submit
C:\Windows\System\sKeLGig.exe

Filesize
5.2MB

MD5
610d9f243f38dd52ceada57b065402d7

SHA1
7e21efe4a9fe43cb74dae782e5985481d105bb71

SHA256
5032838a60a15dfe4be256420932b065bb3a6e476c61a287a2eda8d50c325c6f

SHA512
e515cf3cc74e01764fc8cae2bda13a8e57551119f2958d6240fdee4e30a29906166d2932902c7dd484e59e1b07beefe638d421a39a5b46de937b2def0d416cef

Download Submit
C:\Windows\System\tEFCQNN.exe

Filesize
5.2MB

MD5
494760163b172283f2ff2c779ecad0a4

SHA1
14d523f6103ded1bbf26746c5da279effbc1cf6f

SHA256
8fb019a931dad2bcbcb77a690fe0d6ca634052065eb63156c8f4f7592d89bbdf

SHA512
4830ae8db910f9ae8f75669a3e4718fde935b9868b42aa4031a17763080cbfd41e3d01eb8997aec0068db0cc100c38a99a7605e0dfc840ec262efdb1a32d8c60

Download Submit
C:\Windows\System\tSVRXLj.exe

Filesize
5.2MB

MD5
e12bbe81b1d0384450d86b3272aa4417

SHA1
5c5563e3937d9d8eaa58d1aaecd7951c8dc0225a

SHA256
2b33d025305cd0cce6bb0e44ea84745fd4624a9013eba4bbe4f5add03ebdeca3

SHA512
9a9aeb6188ded1064893de8bc59a53e74d76f6152cb871e867e7bcf19af3d1af7cfe4ee3a18bf3fcc2430ca6def42fec481413e302f0ce5bdbde809a9905f4fc

Download Submit
C:\Windows\System\vkzrQEn.exe

Filesize
5.2MB

MD5
15ebb005ae1d568e96202291e0331ccc

SHA1
923274da1cd3490bf12984bc81a952d744e87f19

SHA256
c91c92ce0650efa84c3683e0a0ddec2bc709c47485e57791b76e645aac84cba5

SHA512
b5b484450e3cb98ef20578ec6c721bd8b4073cfd23fca64e98e4dfaf386bb59ae7f23ed9c0ce5d71018e711c587af87776452298503e80284ad80a8d841d204b

Download Submit
C:\Windows\System\wUUgcsP.exe

Filesize
5.2MB

MD5
2c6bfddf6c3a64a0497b3312e14b0aa9

SHA1
d3bd456598438b0506a3996a6162c6549d1821ee

SHA256
d7242b05be50b78308ba836f6c079fe69c6f71d5a08de78dc82709c0eafaec75

SHA512
d105e16970a6cdbaabf83e3c1bafce11713c012dcddc3d1be1901d5b7e5da65609e0e9218417fd1deee4a9ff18727dd838be77759965cffbccf1613b898c3b14

Download Submit
C:\Windows\System\xcbAMNY.exe

Filesize
5.2MB

MD5
2a89261f0a214fba64f0d0bc52d62030

SHA1
f214b132046074e2258418b2950f473d78e47e11

SHA256
ec012db8880df0ef4d5a58f4935ab79943cf011db6b08d9b899ad04fcb242ce3

SHA512
8bece5c8e600cd198b2d0672de8e0808dd158f81f8e4659e8f87c6287f8de4fdd4ae6560ece9384502306921e555d02533d98454be17743ecda89547f3c3a6da

Download Submit
C:\Windows\System\xhPinLQ.exe

Filesize
5.2MB

MD5
161f238cc4af84a5a80eb13822eb37de

SHA1
9e4c5997c1221e28984bfb8262ba43c0bf799f01

SHA256
ffc8928a02ee27cd99a9202fe5c2ba4af6c7378e4a6facea32a262c2ca488e26

SHA512
a7d8f4d0051afa9f5431545bd4dceb09bcc6f89867bddb1ba49d3739da1cf3ceb2ff3b4b5d7c51ecb6efba1b68e2a9c7bfece26586db2ce1b43dc81110eb79ca

Download Submit
memory/432-34-0x00007FF6CEDF0000-0x00007FF6CF141000-memory.dmp

Filesize
3.3MB

Download
memory/432-101-0x00007FF6CEDF0000-0x00007FF6CF141000-memory.dmp

Filesize
3.3MB

Download
memory/432-228-0x00007FF6CEDF0000-0x00007FF6CF141000-memory.dmp

Filesize
3.3MB

Download
memory/836-226-0x00007FF75AC80000-0x00007FF75AFD1000-memory.dmp

Filesize
3.3MB

Download
memory/836-32-0x00007FF75AC80000-0x00007FF75AFD1000-memory.dmp

Filesize
3.3MB

Download
memory/836-98-0x00007FF75AC80000-0x00007FF75AFD1000-memory.dmp

Filesize
3.3MB

Download
memory/1196-135-0x00007FF674D00000-0x00007FF675051000-memory.dmp

Filesize
3.3MB

Download
memory/1196-241-0x00007FF674D00000-0x00007FF675051000-memory.dmp

Filesize
3.3MB

Download
memory/1196-51-0x00007FF674D00000-0x00007FF675051000-memory.dmp

Filesize
3.3MB

Download
memory/1200-42-0x00007FF6AA7F0000-0x00007FF6AAB41000-memory.dmp

Filesize
3.3MB

Download
memory/1200-239-0x00007FF6AA7F0000-0x00007FF6AAB41000-memory.dmp

Filesize
3.3MB

Download
memory/1200-119-0x00007FF6AA7F0000-0x00007FF6AAB41000-memory.dmp

Filesize
3.3MB

Download
memory/1332-138-0x00007FF7D6C00000-0x00007FF7D6F51000-memory.dmp

Filesize
3.3MB

Download
memory/1332-59-0x00007FF7D6C00000-0x00007FF7D6F51000-memory.dmp

Filesize
3.3MB

Download
memory/1332-1-0x000001EADEA80000-0x000001EADEA90000-memory.dmp

Filesize
64KB

Download
memory/1332-166-0x00007FF7D6C00000-0x00007FF7D6F51000-memory.dmp

Filesize
3.3MB

Download
memory/1332-0-0x00007FF7D6C00000-0x00007FF7D6F51000-memory.dmp

Filesize
3.3MB

Download
memory/1476-147-0x00007FF73DC30000-0x00007FF73DF81000-memory.dmp

Filesize
3.3MB

Download
memory/1476-247-0x00007FF73DC30000-0x00007FF73DF81000-memory.dmp

Filesize
3.3MB

Download
memory/1476-73-0x00007FF73DC30000-0x00007FF73DF81000-memory.dmp

Filesize
3.3MB

Download
memory/1584-157-0x00007FF7E0090000-0x00007FF7E03E1000-memory.dmp

Filesize
3.3MB

Download
memory/1584-261-0x00007FF7E0090000-0x00007FF7E03E1000-memory.dmp

Filesize
3.3MB

Download
memory/1584-99-0x00007FF7E0090000-0x00007FF7E03E1000-memory.dmp

Filesize
3.3MB

Download
memory/1864-134-0x00007FF688480000-0x00007FF6887D1000-memory.dmp

Filesize
3.3MB

Download
memory/1864-269-0x00007FF688480000-0x00007FF6887D1000-memory.dmp

Filesize
3.3MB

Download
memory/2480-77-0x00007FF6985F0000-0x00007FF698941000-memory.dmp

Filesize
3.3MB

Download
memory/2480-219-0x00007FF6985F0000-0x00007FF698941000-memory.dmp

Filesize
3.3MB

Download
memory/2480-14-0x00007FF6985F0000-0x00007FF698941000-memory.dmp

Filesize
3.3MB

Download
memory/2568-223-0x00007FF68E520000-0x00007FF68E871000-memory.dmp

Filesize
3.3MB

Download
memory/2568-26-0x00007FF68E520000-0x00007FF68E871000-memory.dmp

Filesize
3.3MB

Download
memory/2568-93-0x00007FF68E520000-0x00007FF68E871000-memory.dmp

Filesize
3.3MB

Download
memory/2720-130-0x00007FF70E0F0000-0x00007FF70E441000-memory.dmp

Filesize
3.3MB

Download
memory/2720-271-0x00007FF70E0F0000-0x00007FF70E441000-memory.dmp

Filesize
3.3MB

Download
memory/2720-162-0x00007FF70E0F0000-0x00007FF70E441000-memory.dmp

Filesize
3.3MB

Download
memory/2884-165-0x00007FF67B700000-0x00007FF67BA51000-memory.dmp

Filesize
3.3MB

Download
memory/2884-113-0x00007FF67B700000-0x00007FF67BA51000-memory.dmp

Filesize
3.3MB

Download
memory/2884-265-0x00007FF67B700000-0x00007FF67BA51000-memory.dmp

Filesize
3.3MB

Download
memory/3092-137-0x00007FF7D4570000-0x00007FF7D48C1000-memory.dmp

Filesize
3.3MB

Download
memory/3092-267-0x00007FF7D4570000-0x00007FF7D48C1000-memory.dmp

Filesize
3.3MB

Download
memory/3304-245-0x00007FF6DBC50000-0x00007FF6DBFA1000-memory.dmp

Filesize
3.3MB

Download
memory/3304-70-0x00007FF6DBC50000-0x00007FF6DBFA1000-memory.dmp

Filesize
3.3MB

Download
memory/3304-136-0x00007FF6DBC50000-0x00007FF6DBFA1000-memory.dmp

Filesize
3.3MB

Download
memory/3424-155-0x00007FF6482F0000-0x00007FF648641000-memory.dmp

Filesize
3.3MB

Download
memory/3424-80-0x00007FF6482F0000-0x00007FF648641000-memory.dmp

Filesize
3.3MB

Download
memory/3424-251-0x00007FF6482F0000-0x00007FF648641000-memory.dmp

Filesize
3.3MB

Download
memory/3480-8-0x00007FF6B1D60000-0x00007FF6B20B1000-memory.dmp

Filesize
3.3MB

Download
memory/3480-60-0x00007FF6B1D60000-0x00007FF6B20B1000-memory.dmp

Filesize
3.3MB

Download
memory/3480-217-0x00007FF6B1D60000-0x00007FF6B20B1000-memory.dmp

Filesize
3.3MB

Download
memory/4068-100-0x00007FF7FFB00000-0x00007FF7FFE51000-memory.dmp

Filesize
3.3MB

Download
memory/4068-263-0x00007FF7FFB00000-0x00007FF7FFE51000-memory.dmp

Filesize
3.3MB

Download
memory/4068-158-0x00007FF7FFB00000-0x00007FF7FFE51000-memory.dmp

Filesize
3.3MB

Download
memory/4168-161-0x00007FF6C5C30000-0x00007FF6C5F81000-memory.dmp

Filesize
3.3MB

Download
memory/4168-273-0x00007FF6C5C30000-0x00007FF6C5F81000-memory.dmp

Filesize
3.3MB

Download
memory/4168-127-0x00007FF6C5C30000-0x00007FF6C5F81000-memory.dmp

Filesize
3.3MB

Download
memory/4844-243-0x00007FF798CA0000-0x00007FF798FF1000-memory.dmp

Filesize
3.3MB

Download
memory/4844-64-0x00007FF798CA0000-0x00007FF798FF1000-memory.dmp

Filesize
3.3MB

Download
memory/4844-142-0x00007FF798CA0000-0x00007FF798FF1000-memory.dmp

Filesize
3.3MB

Download
memory/4992-249-0x00007FF70CDB0000-0x00007FF70D101000-memory.dmp

Filesize
3.3MB

Download
memory/4992-71-0x00007FF70CDB0000-0x00007FF70D101000-memory.dmp

Filesize
3.3MB

Download
memory/4992-143-0x00007FF70CDB0000-0x00007FF70D101000-memory.dmp

Filesize
3.3MB

Download
memory/5076-221-0x00007FF74C020000-0x00007FF74C371000-memory.dmp

Filesize
3.3MB

Download
memory/5076-18-0x00007FF74C020000-0x00007FF74C371000-memory.dmp

Filesize
3.3MB

Download
memory/5076-87-0x00007FF74C020000-0x00007FF74C371000-memory.dmp

Filesize
3.3MB

Download
memory/5116-253-0x00007FF640B80000-0x00007FF640ED1000-memory.dmp

Filesize
3.3MB

Download
memory/5116-90-0x00007FF640B80000-0x00007FF640ED1000-memory.dmp

Filesize
3.3MB

Download
memory/5116-156-0x00007FF640B80000-0x00007FF640ED1000-memory.dmp

Filesize
3.3MB

Download