cobaltstrike | a3dc2e80939fd6b64879409263fbdea86f57d16b8601086bf8f19147d2551824

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2024 01:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-25_7a2568097d97419cca5c8717daac618a_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

7a2568097d97419cca5c8717daac618a
SHA1

81f4fa03a3ffbce688c39a6ce0ff33742fe1f4e1
SHA256

a3dc2e80939fd6b64879409263fbdea86f57d16b8601086bf8f19147d2551824
SHA512

fe9882ebef4ad7c694b420654e057a5d46855ec3f793908b5aae23aac27e82d7c6cccd6a74da0ce163027a284c40ade74d945f10fd9de82c6003dc69121f4101
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lq:RWWBibf56utgpPFotBER/mQ32lUe

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
behavioral2/files/0x0008000000023c89-6.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c8e-10.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c8d-11.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c8f-23.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c91-36.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c92-41.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c8a-49.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c93-52.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c97-69.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c98-82.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c95-74.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c94-63.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c90-32.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9b-102.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9a-112.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9d-120.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9e-129.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9c-116.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c99-105.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca0-138.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9f-140.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/5044-20-0x00007FF7227A0000-0x00007FF722AF1000-memory.dmp	xmrig
behavioral2/memory/2932-77-0x00007FF69CE00000-0x00007FF69D151000-memory.dmp	xmrig
behavioral2/memory/1496-72-0x00007FF66CB00000-0x00007FF66CE51000-memory.dmp	xmrig
behavioral2/memory/4128-68-0x00007FF797500000-0x00007FF797851000-memory.dmp	xmrig
behavioral2/memory/2064-48-0x00007FF642F20000-0x00007FF643271000-memory.dmp	xmrig
behavioral2/memory/3624-111-0x00007FF601080000-0x00007FF6013D1000-memory.dmp	xmrig
behavioral2/memory/1288-122-0x00007FF643F10000-0x00007FF644261000-memory.dmp	xmrig
behavioral2/memory/2656-128-0x00007FF695030000-0x00007FF695381000-memory.dmp	xmrig
behavioral2/memory/3616-100-0x00007FF7E3370000-0x00007FF7E36C1000-memory.dmp	xmrig
behavioral2/memory/5092-91-0x00007FF676FA0000-0x00007FF6772F1000-memory.dmp	xmrig
behavioral2/memory/2488-90-0x00007FF659180000-0x00007FF6594D1000-memory.dmp	xmrig
behavioral2/memory/3540-92-0x00007FF77DCE0000-0x00007FF77E031000-memory.dmp	xmrig
behavioral2/memory/920-133-0x00007FF648D70000-0x00007FF6490C1000-memory.dmp	xmrig
behavioral2/memory/1832-134-0x00007FF670120000-0x00007FF670471000-memory.dmp	xmrig
behavioral2/memory/768-132-0x00007FF7645D0000-0x00007FF764921000-memory.dmp	xmrig
behavioral2/memory/3736-149-0x00007FF78CE10000-0x00007FF78D161000-memory.dmp	xmrig
behavioral2/memory/4128-146-0x00007FF797500000-0x00007FF797851000-memory.dmp	xmrig
behavioral2/memory/2620-161-0x00007FF6A09A0000-0x00007FF6A0CF1000-memory.dmp	xmrig
behavioral2/memory/3468-164-0x00007FF789120000-0x00007FF789471000-memory.dmp	xmrig
behavioral2/memory/1096-162-0x00007FF6DA750000-0x00007FF6DAAA1000-memory.dmp	xmrig
behavioral2/memory/3316-163-0x00007FF73E450000-0x00007FF73E7A1000-memory.dmp	xmrig
behavioral2/memory/3340-168-0x00007FF6877B0000-0x00007FF687B01000-memory.dmp	xmrig
behavioral2/memory/2536-170-0x00007FF647970000-0x00007FF647CC1000-memory.dmp	xmrig
behavioral2/memory/4128-171-0x00007FF797500000-0x00007FF797851000-memory.dmp	xmrig
behavioral2/memory/1496-199-0x00007FF66CB00000-0x00007FF66CE51000-memory.dmp	xmrig
behavioral2/memory/2932-201-0x00007FF69CE00000-0x00007FF69D151000-memory.dmp	xmrig
behavioral2/memory/5044-203-0x00007FF7227A0000-0x00007FF722AF1000-memory.dmp	xmrig
behavioral2/memory/5092-223-0x00007FF676FA0000-0x00007FF6772F1000-memory.dmp	xmrig
behavioral2/memory/2488-222-0x00007FF659180000-0x00007FF6594D1000-memory.dmp	xmrig
behavioral2/memory/3540-225-0x00007FF77DCE0000-0x00007FF77E031000-memory.dmp	xmrig
behavioral2/memory/2064-227-0x00007FF642F20000-0x00007FF643271000-memory.dmp	xmrig
behavioral2/memory/3616-229-0x00007FF7E3370000-0x00007FF7E36C1000-memory.dmp	xmrig
behavioral2/memory/1288-233-0x00007FF643F10000-0x00007FF644261000-memory.dmp	xmrig
behavioral2/memory/3624-232-0x00007FF601080000-0x00007FF6013D1000-memory.dmp	xmrig
behavioral2/memory/920-237-0x00007FF648D70000-0x00007FF6490C1000-memory.dmp	xmrig
behavioral2/memory/768-236-0x00007FF7645D0000-0x00007FF764921000-memory.dmp	xmrig
behavioral2/memory/2656-239-0x00007FF695030000-0x00007FF695381000-memory.dmp	xmrig
behavioral2/memory/1832-247-0x00007FF670120000-0x00007FF670471000-memory.dmp	xmrig
behavioral2/memory/3736-251-0x00007FF78CE10000-0x00007FF78D161000-memory.dmp	xmrig
behavioral2/memory/2620-255-0x00007FF6A09A0000-0x00007FF6A0CF1000-memory.dmp	xmrig
behavioral2/memory/3468-254-0x00007FF789120000-0x00007FF789471000-memory.dmp	xmrig
behavioral2/memory/1096-257-0x00007FF6DA750000-0x00007FF6DAAA1000-memory.dmp	xmrig
behavioral2/memory/3316-259-0x00007FF73E450000-0x00007FF73E7A1000-memory.dmp	xmrig
behavioral2/memory/3340-262-0x00007FF6877B0000-0x00007FF687B01000-memory.dmp	xmrig
behavioral2/memory/2536-264-0x00007FF647970000-0x00007FF647CC1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

RLCVcZm.exejeGWSwa.exePyMfTfn.exegAPYRkM.exebXRMvOz.exeybtxkPq.exevZZmoFA.exekCFUHiy.exeBirMbRb.exeCAhvKmJ.exeQIaYEil.exeQWtYfRa.exebggkAKp.exezbiNlSs.exeeRbEizX.exeSGLuCPx.exevoSVMee.exeoFFlPYf.exefnKpHoN.exeSWENCdl.exeOrFJCyF.exe

pid	Process
1496	RLCVcZm.exe
2932	jeGWSwa.exe
5044	PyMfTfn.exe
2488	gAPYRkM.exe
5092	bXRMvOz.exe
3540	ybtxkPq.exe
2064	vZZmoFA.exe
3616	kCFUHiy.exe
3624	BirMbRb.exe
1288	CAhvKmJ.exe
2656	QIaYEil.exe
768	QWtYfRa.exe
920	bggkAKp.exe
1832	zbiNlSs.exe
3736	eRbEizX.exe
3468	SGLuCPx.exe
2620	voSVMee.exe
1096	oFFlPYf.exe
3316	fnKpHoN.exe
2536	SWENCdl.exe
3340	OrFJCyF.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4128-0-0x00007FF797500000-0x00007FF797851000-memory.dmp	upx
behavioral2/files/0x0008000000023c89-6.dat	upx
behavioral2/memory/1496-8-0x00007FF66CB00000-0x00007FF66CE51000-memory.dmp	upx
behavioral2/files/0x0007000000023c8e-10.dat	upx
behavioral2/files/0x0007000000023c8d-11.dat	upx
behavioral2/memory/5044-20-0x00007FF7227A0000-0x00007FF722AF1000-memory.dmp	upx
behavioral2/files/0x0007000000023c8f-23.dat	upx
behavioral2/memory/5092-29-0x00007FF676FA0000-0x00007FF6772F1000-memory.dmp	upx
behavioral2/files/0x0007000000023c91-36.dat	upx
behavioral2/files/0x0007000000023c92-41.dat	upx
behavioral2/memory/3616-46-0x00007FF7E3370000-0x00007FF7E36C1000-memory.dmp	upx
behavioral2/files/0x0008000000023c8a-49.dat	upx
behavioral2/files/0x0007000000023c93-52.dat	upx
behavioral2/memory/1288-60-0x00007FF643F10000-0x00007FF644261000-memory.dmp	upx
behavioral2/files/0x0007000000023c97-69.dat	upx
behavioral2/memory/2932-77-0x00007FF69CE00000-0x00007FF69D151000-memory.dmp	upx
behavioral2/memory/768-78-0x00007FF7645D0000-0x00007FF764921000-memory.dmp	upx
behavioral2/files/0x0007000000023c98-82.dat	upx
behavioral2/memory/920-81-0x00007FF648D70000-0x00007FF6490C1000-memory.dmp	upx
behavioral2/files/0x0007000000023c95-74.dat	upx
behavioral2/memory/1496-72-0x00007FF66CB00000-0x00007FF66CE51000-memory.dmp	upx
behavioral2/memory/2656-71-0x00007FF695030000-0x00007FF695381000-memory.dmp	upx
behavioral2/memory/4128-68-0x00007FF797500000-0x00007FF797851000-memory.dmp	upx
behavioral2/files/0x0007000000023c94-63.dat	upx
behavioral2/memory/3624-54-0x00007FF601080000-0x00007FF6013D1000-memory.dmp	upx
behavioral2/memory/2064-48-0x00007FF642F20000-0x00007FF643271000-memory.dmp	upx
behavioral2/memory/3540-44-0x00007FF77DCE0000-0x00007FF77E031000-memory.dmp	upx
behavioral2/files/0x0007000000023c90-32.dat	upx
behavioral2/memory/2488-24-0x00007FF659180000-0x00007FF6594D1000-memory.dmp	upx
behavioral2/memory/2932-16-0x00007FF69CE00000-0x00007FF69D151000-memory.dmp	upx
behavioral2/files/0x0007000000023c9b-102.dat	upx
behavioral2/memory/3736-101-0x00007FF78CE10000-0x00007FF78D161000-memory.dmp	upx
behavioral2/memory/3624-111-0x00007FF601080000-0x00007FF6013D1000-memory.dmp	upx
behavioral2/files/0x0007000000023c9a-112.dat	upx
behavioral2/files/0x0007000000023c9d-120.dat	upx
behavioral2/memory/1288-122-0x00007FF643F10000-0x00007FF644261000-memory.dmp	upx
behavioral2/memory/2656-128-0x00007FF695030000-0x00007FF695381000-memory.dmp	upx
behavioral2/memory/3316-131-0x00007FF73E450000-0x00007FF73E7A1000-memory.dmp	upx
behavioral2/files/0x0007000000023c9e-129.dat	upx
behavioral2/memory/1096-123-0x00007FF6DA750000-0x00007FF6DAAA1000-memory.dmp	upx
behavioral2/memory/2620-121-0x00007FF6A09A0000-0x00007FF6A0CF1000-memory.dmp	upx
behavioral2/files/0x0007000000023c9c-116.dat	upx
behavioral2/memory/3468-110-0x00007FF789120000-0x00007FF789471000-memory.dmp	upx
behavioral2/files/0x0007000000023c99-105.dat	upx
behavioral2/memory/1832-104-0x00007FF670120000-0x00007FF670471000-memory.dmp	upx
behavioral2/memory/3616-100-0x00007FF7E3370000-0x00007FF7E36C1000-memory.dmp	upx
behavioral2/memory/5092-91-0x00007FF676FA0000-0x00007FF6772F1000-memory.dmp	upx
behavioral2/memory/2488-90-0x00007FF659180000-0x00007FF6594D1000-memory.dmp	upx
behavioral2/memory/3540-92-0x00007FF77DCE0000-0x00007FF77E031000-memory.dmp	upx
behavioral2/memory/920-133-0x00007FF648D70000-0x00007FF6490C1000-memory.dmp	upx
behavioral2/memory/1832-134-0x00007FF670120000-0x00007FF670471000-memory.dmp	upx
behavioral2/files/0x0007000000023ca0-138.dat	upx
behavioral2/files/0x0007000000023c9f-140.dat	upx
behavioral2/memory/2536-139-0x00007FF647970000-0x00007FF647CC1000-memory.dmp	upx
behavioral2/memory/768-132-0x00007FF7645D0000-0x00007FF764921000-memory.dmp	upx
behavioral2/memory/3340-141-0x00007FF6877B0000-0x00007FF687B01000-memory.dmp	upx
behavioral2/memory/3736-149-0x00007FF78CE10000-0x00007FF78D161000-memory.dmp	upx
behavioral2/memory/4128-146-0x00007FF797500000-0x00007FF797851000-memory.dmp	upx
behavioral2/memory/2620-161-0x00007FF6A09A0000-0x00007FF6A0CF1000-memory.dmp	upx
behavioral2/memory/3468-164-0x00007FF789120000-0x00007FF789471000-memory.dmp	upx
behavioral2/memory/1096-162-0x00007FF6DA750000-0x00007FF6DAAA1000-memory.dmp	upx
behavioral2/memory/3316-163-0x00007FF73E450000-0x00007FF73E7A1000-memory.dmp	upx
behavioral2/memory/3340-168-0x00007FF6877B0000-0x00007FF687B01000-memory.dmp	upx
behavioral2/memory/2536-170-0x00007FF647970000-0x00007FF647CC1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-11-25_7a2568097d97419cca5c8717daac618a_cobalt-strike_cobaltstrike_poet-rat.exe

description	ioc	Process
File created	C:\Windows\System\kCFUHiy.exe	2024-11-25_7a2568097d97419cca5c8717daac618a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BirMbRb.exe	2024-11-25_7a2568097d97419cca5c8717daac618a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QIaYEil.exe	2024-11-25_7a2568097d97419cca5c8717daac618a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eRbEizX.exe	2024-11-25_7a2568097d97419cca5c8717daac618a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\voSVMee.exe	2024-11-25_7a2568097d97419cca5c8717daac618a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SWENCdl.exe	2024-11-25_7a2568097d97419cca5c8717daac618a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RLCVcZm.exe	2024-11-25_7a2568097d97419cca5c8717daac618a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jeGWSwa.exe	2024-11-25_7a2568097d97419cca5c8717daac618a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bXRMvOz.exe	2024-11-25_7a2568097d97419cca5c8717daac618a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zbiNlSs.exe	2024-11-25_7a2568097d97419cca5c8717daac618a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PyMfTfn.exe	2024-11-25_7a2568097d97419cca5c8717daac618a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gAPYRkM.exe	2024-11-25_7a2568097d97419cca5c8717daac618a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QWtYfRa.exe	2024-11-25_7a2568097d97419cca5c8717daac618a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bggkAKp.exe	2024-11-25_7a2568097d97419cca5c8717daac618a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SGLuCPx.exe	2024-11-25_7a2568097d97419cca5c8717daac618a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OrFJCyF.exe	2024-11-25_7a2568097d97419cca5c8717daac618a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ybtxkPq.exe	2024-11-25_7a2568097d97419cca5c8717daac618a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vZZmoFA.exe	2024-11-25_7a2568097d97419cca5c8717daac618a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CAhvKmJ.exe	2024-11-25_7a2568097d97419cca5c8717daac618a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oFFlPYf.exe	2024-11-25_7a2568097d97419cca5c8717daac618a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fnKpHoN.exe	2024-11-25_7a2568097d97419cca5c8717daac618a_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-11-25_7a2568097d97419cca5c8717daac618a_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	Process
Token: SeLockMemoryPrivilege	4128	2024-11-25_7a2568097d97419cca5c8717daac618a_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4128	2024-11-25_7a2568097d97419cca5c8717daac618a_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-11-25_7a2568097d97419cca5c8717daac618a_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	Process	procid_target
PID 4128 wrote to memory of 1496	4128	2024-11-25_7a2568097d97419cca5c8717daac618a_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4128 wrote to memory of 1496	4128	2024-11-25_7a2568097d97419cca5c8717daac618a_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4128 wrote to memory of 2932	4128	2024-11-25_7a2568097d97419cca5c8717daac618a_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4128 wrote to memory of 2932	4128	2024-11-25_7a2568097d97419cca5c8717daac618a_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4128 wrote to memory of 5044	4128	2024-11-25_7a2568097d97419cca5c8717daac618a_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4128 wrote to memory of 5044	4128	2024-11-25_7a2568097d97419cca5c8717daac618a_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4128 wrote to memory of 2488	4128	2024-11-25_7a2568097d97419cca5c8717daac618a_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4128 wrote to memory of 2488	4128	2024-11-25_7a2568097d97419cca5c8717daac618a_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4128 wrote to memory of 5092	4128	2024-11-25_7a2568097d97419cca5c8717daac618a_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4128 wrote to memory of 5092	4128	2024-11-25_7a2568097d97419cca5c8717daac618a_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4128 wrote to memory of 3540	4128	2024-11-25_7a2568097d97419cca5c8717daac618a_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4128 wrote to memory of 3540	4128	2024-11-25_7a2568097d97419cca5c8717daac618a_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4128 wrote to memory of 2064	4128	2024-11-25_7a2568097d97419cca5c8717daac618a_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4128 wrote to memory of 2064	4128	2024-11-25_7a2568097d97419cca5c8717daac618a_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4128 wrote to memory of 3616	4128	2024-11-25_7a2568097d97419cca5c8717daac618a_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4128 wrote to memory of 3616	4128	2024-11-25_7a2568097d97419cca5c8717daac618a_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4128 wrote to memory of 3624	4128	2024-11-25_7a2568097d97419cca5c8717daac618a_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4128 wrote to memory of 3624	4128	2024-11-25_7a2568097d97419cca5c8717daac618a_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4128 wrote to memory of 1288	4128	2024-11-25_7a2568097d97419cca5c8717daac618a_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4128 wrote to memory of 1288	4128	2024-11-25_7a2568097d97419cca5c8717daac618a_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4128 wrote to memory of 2656	4128	2024-11-25_7a2568097d97419cca5c8717daac618a_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4128 wrote to memory of 2656	4128	2024-11-25_7a2568097d97419cca5c8717daac618a_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4128 wrote to memory of 768	4128	2024-11-25_7a2568097d97419cca5c8717daac618a_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4128 wrote to memory of 768	4128	2024-11-25_7a2568097d97419cca5c8717daac618a_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4128 wrote to memory of 920	4128	2024-11-25_7a2568097d97419cca5c8717daac618a_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4128 wrote to memory of 920	4128	2024-11-25_7a2568097d97419cca5c8717daac618a_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4128 wrote to memory of 1832	4128	2024-11-25_7a2568097d97419cca5c8717daac618a_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4128 wrote to memory of 1832	4128	2024-11-25_7a2568097d97419cca5c8717daac618a_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4128 wrote to memory of 3736	4128	2024-11-25_7a2568097d97419cca5c8717daac618a_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4128 wrote to memory of 3736	4128	2024-11-25_7a2568097d97419cca5c8717daac618a_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4128 wrote to memory of 3468	4128	2024-11-25_7a2568097d97419cca5c8717daac618a_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4128 wrote to memory of 3468	4128	2024-11-25_7a2568097d97419cca5c8717daac618a_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4128 wrote to memory of 2620	4128	2024-11-25_7a2568097d97419cca5c8717daac618a_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4128 wrote to memory of 2620	4128	2024-11-25_7a2568097d97419cca5c8717daac618a_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4128 wrote to memory of 1096	4128	2024-11-25_7a2568097d97419cca5c8717daac618a_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4128 wrote to memory of 1096	4128	2024-11-25_7a2568097d97419cca5c8717daac618a_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4128 wrote to memory of 3316	4128	2024-11-25_7a2568097d97419cca5c8717daac618a_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4128 wrote to memory of 3316	4128	2024-11-25_7a2568097d97419cca5c8717daac618a_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4128 wrote to memory of 3340	4128	2024-11-25_7a2568097d97419cca5c8717daac618a_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4128 wrote to memory of 3340	4128	2024-11-25_7a2568097d97419cca5c8717daac618a_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4128 wrote to memory of 2536	4128	2024-11-25_7a2568097d97419cca5c8717daac618a_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4128 wrote to memory of 2536	4128	2024-11-25_7a2568097d97419cca5c8717daac618a_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-11-25_7a2568097d97419cca5c8717daac618a_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-25_7a2568097d97419cca5c8717daac618a_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4128
- C:\Windows\System\RLCVcZm.exe
  C:\Windows\System\RLCVcZm.exe
  2⤵
  - Executes dropped EXE
  PID:1496
- C:\Windows\System\jeGWSwa.exe
  C:\Windows\System\jeGWSwa.exe
  2⤵
  - Executes dropped EXE
  PID:2932
- C:\Windows\System\PyMfTfn.exe
  C:\Windows\System\PyMfTfn.exe
  2⤵
  - Executes dropped EXE
  PID:5044
- C:\Windows\System\gAPYRkM.exe
  C:\Windows\System\gAPYRkM.exe
  2⤵
  - Executes dropped EXE
  PID:2488
- C:\Windows\System\bXRMvOz.exe
  C:\Windows\System\bXRMvOz.exe
  2⤵
  - Executes dropped EXE
  PID:5092
- C:\Windows\System\ybtxkPq.exe
  C:\Windows\System\ybtxkPq.exe
  2⤵
  - Executes dropped EXE
  PID:3540
- C:\Windows\System\vZZmoFA.exe
  C:\Windows\System\vZZmoFA.exe
  2⤵
  - Executes dropped EXE
  PID:2064
- C:\Windows\System\kCFUHiy.exe
  C:\Windows\System\kCFUHiy.exe
  2⤵
  - Executes dropped EXE
  PID:3616
- C:\Windows\System\BirMbRb.exe
  C:\Windows\System\BirMbRb.exe
  2⤵
  - Executes dropped EXE
  PID:3624
- C:\Windows\System\CAhvKmJ.exe
  C:\Windows\System\CAhvKmJ.exe
  2⤵
  - Executes dropped EXE
  PID:1288
- C:\Windows\System\QIaYEil.exe
  C:\Windows\System\QIaYEil.exe
  2⤵
  - Executes dropped EXE
  PID:2656
- C:\Windows\System\QWtYfRa.exe
  C:\Windows\System\QWtYfRa.exe
  2⤵
  - Executes dropped EXE
  PID:768
- C:\Windows\System\bggkAKp.exe
  C:\Windows\System\bggkAKp.exe
  2⤵
  - Executes dropped EXE
  PID:920
- C:\Windows\System\zbiNlSs.exe
  C:\Windows\System\zbiNlSs.exe
  2⤵
  - Executes dropped EXE
  PID:1832
- C:\Windows\System\eRbEizX.exe
  C:\Windows\System\eRbEizX.exe
  2⤵
  - Executes dropped EXE
  PID:3736
- C:\Windows\System\SGLuCPx.exe
  C:\Windows\System\SGLuCPx.exe
  2⤵
  - Executes dropped EXE
  PID:3468
- C:\Windows\System\voSVMee.exe
  C:\Windows\System\voSVMee.exe
  2⤵
  - Executes dropped EXE
  PID:2620
- C:\Windows\System\oFFlPYf.exe
  C:\Windows\System\oFFlPYf.exe
  2⤵
  - Executes dropped EXE
  PID:1096
- C:\Windows\System\fnKpHoN.exe
  C:\Windows\System\fnKpHoN.exe
  2⤵
  - Executes dropped EXE
  PID:3316
- C:\Windows\System\OrFJCyF.exe
  C:\Windows\System\OrFJCyF.exe
  2⤵
  - Executes dropped EXE
  PID:3340
- C:\Windows\System\SWENCdl.exe
  C:\Windows\System\SWENCdl.exe
  2⤵
  - Executes dropped EXE
  PID:2536

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BirMbRb.exe

Filesize
5.2MB

MD5
68b0e1ba9b0c59c9dec68a668b88a05c

SHA1
03459022466d88336e843787adc411bbe0a33ad1

SHA256
155e97ad728b29e35c4df4912ac9708d955b9938331529f4435c842ec558f364

SHA512
79a75e239aa5f037ec6f4d2b60e56c955296a259449971d0b68a044e0c88b1323bd9657336fa8b0380b8263910000e247ca1a7efe28a254bc4e5c7ac8bfa68e5

Download Submit
C:\Windows\System\CAhvKmJ.exe

Filesize
5.2MB

MD5
899121f52f98f7c65685bf919cce2c7a

SHA1
61535818f6a3477983fdc2c473dfda32893e7dd7

SHA256
f2d96b02182eaafd5c79de7e8ec05890722cfea9ed42c87555e56961a28641c4

SHA512
dee6a9d145bf7e5ae58abcf09d75746181a0985d61361799f548ffa6dccb45a19c330e832e480a6e7ae0739565661d1608a08576c72b771e5acf7f1f909c4a47

Download Submit
C:\Windows\System\OrFJCyF.exe

Filesize
5.2MB

MD5
0978a9de15db85f2f321de03f2847966

SHA1
58d6659b093c593e40aabd3d11054ccd3d761494

SHA256
496d54c0295881a4056a6efa12f81aa49eb7246f8316312f18185a85f2aefb8c

SHA512
8fa7004210b7b93f51d51114023e086e4c8b07e8bd88c21ac2df6299570a779b2cdba707324804fca5b66ca961eb7ad0cae9fb1031f9187c3cbc2d6355e0765c

Download Submit
C:\Windows\System\PyMfTfn.exe

Filesize
5.2MB

MD5
13a29028115fe95fce53e1b2ec1bcbe5

SHA1
b4e04762169c83f770246eefb141adee6d6e7db3

SHA256
fc8a815895ee25a89c5de7e275a673540bc4c3f9866d3b78efc20a7168ded6ba

SHA512
20ee5b892c76b8ca9970313ba2453fb5a35e8934d154943cbc0ee66187c1898f73054a17b44be8558de3c51873471ebd7759212c970f1c9a73d62073792d6cda

Download Submit
C:\Windows\System\QIaYEil.exe

Filesize
5.2MB

MD5
1a0af304bc412669a91e731f228c6518

SHA1
b82634d6c77ce2227d87011166e9d1c63df02b2a

SHA256
cf45a16b4fa0f086d7a19c0d0021d9c184b65cafc07f450872472af28b9bb10f

SHA512
8d39dffa9d4c6107922388b5672b4dce34fa5f9195d7f2ba90ef8a914b3482c6db452f06e1000d508f5ff2a8ada3c7ebd11ef34d865ffe5ff0aa5443af11a2ea

Download Submit
C:\Windows\System\QWtYfRa.exe

Filesize
5.2MB

MD5
81e3e778e393dd0480526168a6dc7b9e

SHA1
8c1b4b65f18655fd1cdf5b22013478855cd3221b

SHA256
c292be9f08997101195a64e5a22a203d50e5a376d89919bc07df41b84cd2201f

SHA512
060c9768e3e7b289596738100d92b16f62e90e9d767c9666a489c0e02b9e8102cfa0beed2abe4bbf5af57563068a8880c607ab0859dad3f36a08d355fce3d2ae

Download Submit
C:\Windows\System\RLCVcZm.exe

Filesize
5.2MB

MD5
d6e5f7e3b3998422b30ddccffd18c0df

SHA1
fc9b49e4613a4325998c2bbb86cc800a3302280a

SHA256
50272e2d7e06418051b451fe803dc5980254e44e70045230828968709249f65b

SHA512
739a157603d33db32b005f7575daed2542817486a4024466d681da459f7d6080d0218e349bd1c0a69b3aeeec0935dff14e0d94b5179942b8bd3ce98ebfc119c3

Download Submit
C:\Windows\System\SGLuCPx.exe

Filesize
5.2MB

MD5
915cb081c7c13bc50f7d450888e52c16

SHA1
500b89d7f2d400deb73c3ec234c8649fbd2279e3

SHA256
16b913c4f486329120a759ca6cc19b2d791eb04733aa9873c2cef0e40b2c2668

SHA512
eec3923c91b2cab569e90e60234fba20a9bac3950a1d2fcc5870e1bb2b9caa1e73de908a6d0370c336393682a06c64bec7766abad2d9187fb55367cede85777d

Download Submit
C:\Windows\System\SWENCdl.exe

Filesize
5.2MB

MD5
57adf2b600f25b10898d9c0436796477

SHA1
2b0e32aaa09acf3b899d8def2336e6d2e43623f4

SHA256
13868c1bd308c6dece6da1e576c87f7b49d2fedd8452f404f8bf23fdea2f2fa6

SHA512
a8b89e3c8358312f3cae2333a589e0b4aa60c6225403b023c518dd5c75a44e718f648c40f3dd855e5cab31354fc5af886a875492e8d8e3ab68c7b9fe6cb6d42a

Download Submit
C:\Windows\System\bXRMvOz.exe

Filesize
5.2MB

MD5
44078aca3349c4df673f4101b3fc88db

SHA1
a4cf7a8b5b6d81461ec77fa7210dfefeab77e242

SHA256
2993aaa9fd4016f46dcc2b1ac185f8398b3254ca6505aec146417a9b21bce66b

SHA512
7f11e2cee33e282eb12774cd886a8e5bfd3b71816df22d6931f09aaa192794d97642973c738924a12dbcd0c9bb34f8e4b52768aa6c27ce042aa973361ffe9049

Download Submit
C:\Windows\System\bggkAKp.exe

Filesize
5.2MB

MD5
0ec212e3472ae30525339d8530b082ed

SHA1
6ff9abbdc06459672e0496008087fb9cd82f42eb

SHA256
11644660ec871865d809a01ee4b77bf93b8d48a91f9e02524b140f407e7faf59

SHA512
54cb755f5179dd4dc88d3962c99f4de1f1f5ca1736fc571265dcbe0a8211ace2aabcd0a959e701f4b8894a0b19dc1c7fee1cb3f4733e82e193ac481e3be4a86c

Download Submit
C:\Windows\System\eRbEizX.exe

Filesize
5.2MB

MD5
53bed6c6385b054607c9517b05ba6701

SHA1
e904225b066aae6db8843895429bda958c294e94

SHA256
db1491cecf33fad7927e7a9271e2c4a52e5460729fdd16cde48337951e898e8b

SHA512
29a2d5d86a3b04166b2e404eadfe8b85fc9a67d52d291cc8b6f861d460995de87aa79b4799e195a854ebe7eecf0680682769e40cfa4dddd96081dd526268f1ba

Download Submit
C:\Windows\System\fnKpHoN.exe

Filesize
5.2MB

MD5
b44c95edaccee98861e5626701f4516f

SHA1
7424f233c48e1ac246a33db1054a07b44f711dec

SHA256
207fc2ecfd0df9facccc534b34615bc61bf597463bcf86fb79586b5006e17136

SHA512
aa4ce18a4b04a6f690da6f0f46e653663a21efd4ca763e581abf8cfd827165a5336d70d4b5fdc23230ebf2ea95ed6747b0b3c2af9e42a988338c3418f15eb33e

Download Submit
C:\Windows\System\gAPYRkM.exe

Filesize
5.2MB

MD5
9ded5e64dbb3707732c09ba9ded46f8b

SHA1
dac4c25291cd33511082872251ee28646faf23ad

SHA256
083ce8305f088bad95688018f56b0ce3b5a8487260545b1d8edfc23decc6f71e

SHA512
7268173d4839b1710331db6c9df11a94437d0a83cdee0ac8fd53df46550fb182677a8022c6043d21fabc517ef03c7296df2ce217dd5a0bc090c2e9ddcf52290d

Download Submit
C:\Windows\System\jeGWSwa.exe

Filesize
5.2MB

MD5
e2b38f2cc40ad63bf674c427d1063939

SHA1
57657f7153c30373df758deb960f74da6ebb8f07

SHA256
c921460b11a78b995a26dbdf18c5767109d3d7d31da6de4fdfec908f94863cc9

SHA512
d698a5ae796e1e38807a00a3f80449e27a10532a72cdd6052ba652256823ce2008d783afcaf2b35134e1b3715f4b0a5b635f1965e7e43b7c7522994ec9d9ccdc

Download Submit
C:\Windows\System\kCFUHiy.exe

Filesize
5.2MB

MD5
a7d6d1bd24855b7c19777cfc07511de4

SHA1
c8047c339ea9c290d39a9d83d02b081de15ed789

SHA256
4848c41b2d2df39fdf956022e4f993786dc2851b266e415a30b47443790630a6

SHA512
3a4c47eb07af78236788a60d067bdb5b07b5cce7c7a276cc71d9d9c8a37c676bfe9c600a7a591bcb979a1480aa30d6d9708f3231655a8b8285998e89ab39daa2

Download Submit
C:\Windows\System\oFFlPYf.exe

Filesize
5.2MB

MD5
06c33a3fa2ff8cba94cf6fd7e9d782c4

SHA1
97b5d668c383d602fc9470998c58e894f82d6f68

SHA256
9d4bac980262078e15405a2c414ee528ff32ce279008e4f560efef8013a8d272

SHA512
1ba79d59f17a352092a93e5d7502b98c463e670995571eabe51eaf3b5bf203799f4776fca448192976768975654b4dbcef67976c1104631d7a9636a91d3ba28a

Download Submit
C:\Windows\System\vZZmoFA.exe

Filesize
5.2MB

MD5
1e18bd5e8ca1465da8125959673cc8c1

SHA1
b97a8fa24e421c1666df480eeacf73d9d367a8ba

SHA256
6886e0fd8dc5d9a1c1eca22ddcffcdc3492e4449c38c3e3f0f0f49758ded0d90

SHA512
ca230fa1fae227b8bc60465b6cebcd0350d35cbeb2fdd9888f74740ad21dc1ed3861fa7b9f954d7e565f727fcb611d2e4cd5142d57ab96da35e6055f46eddf44

Download Submit
C:\Windows\System\voSVMee.exe

Filesize
5.2MB

MD5
1eca0c2e4c408c941b7d7049f5efd6ee

SHA1
b454ec09e1e119677c02118817e0f6de634ab438

SHA256
509cd6909b5b8a701ed60756416b704889d7b1e8aa0e9bc6438234a8f081eeca

SHA512
c01c89803bdaa530fbd30d16804231c23ba778df874f944925f8cc5a16930d95665ac36ffcf23e6829e5ee17ccdc5a34fe4f8ffc531007e5541a3e308e74bfee

Download Submit
C:\Windows\System\ybtxkPq.exe

Filesize
5.2MB

MD5
1dde6c13226a050404123ba4c8949119

SHA1
77d85df5f52d9da72f1b5a5d1f623ce2cf27b5e3

SHA256
3d0ad4264dab741fbbbde7b4715854cc332c13539af3335793a3de19dbd7c721

SHA512
db7203c520c24ac3482cbc1a47858d9ecea3f5034f01070f034e766701df6e7eb850fbffd646b942f46af9fdde0f4e2a1138ca29c14da441776994764b60d48d

Download Submit
C:\Windows\System\zbiNlSs.exe

Filesize
5.2MB

MD5
9bb1fed73c9f381e86ec7be300680d9b

SHA1
17ac07b05a6284cb4c9bc591a38e0d620a1ba1cd

SHA256
d985dcfd072b66d88115269072db09d9b5a8a269169a441fc42303a04fdf8a5e

SHA512
362ec44fda3e179d3debb962a15d9b227d1eaf5fe7cc8f8c9c1887396be7b23179cebc711b470a348c6659241b0b087aaea87697aefc982ed16c4c18c63196ce

Download Submit
memory/768-132-0x00007FF7645D0000-0x00007FF764921000-memory.dmp

Filesize
3.3MB

Download
memory/768-78-0x00007FF7645D0000-0x00007FF764921000-memory.dmp

Filesize
3.3MB

Download
memory/768-236-0x00007FF7645D0000-0x00007FF764921000-memory.dmp

Filesize
3.3MB

Download
memory/920-237-0x00007FF648D70000-0x00007FF6490C1000-memory.dmp

Filesize
3.3MB

Download
memory/920-81-0x00007FF648D70000-0x00007FF6490C1000-memory.dmp

Filesize
3.3MB

Download
memory/920-133-0x00007FF648D70000-0x00007FF6490C1000-memory.dmp

Filesize
3.3MB

Download
memory/1096-123-0x00007FF6DA750000-0x00007FF6DAAA1000-memory.dmp

Filesize
3.3MB

Download
memory/1096-162-0x00007FF6DA750000-0x00007FF6DAAA1000-memory.dmp

Filesize
3.3MB

Download
memory/1096-257-0x00007FF6DA750000-0x00007FF6DAAA1000-memory.dmp

Filesize
3.3MB

Download
memory/1288-60-0x00007FF643F10000-0x00007FF644261000-memory.dmp

Filesize
3.3MB

Download
memory/1288-122-0x00007FF643F10000-0x00007FF644261000-memory.dmp

Filesize
3.3MB

Download
memory/1288-233-0x00007FF643F10000-0x00007FF644261000-memory.dmp

Filesize
3.3MB

Download
memory/1496-199-0x00007FF66CB00000-0x00007FF66CE51000-memory.dmp

Filesize
3.3MB

Download
memory/1496-8-0x00007FF66CB00000-0x00007FF66CE51000-memory.dmp

Filesize
3.3MB

Download
memory/1496-72-0x00007FF66CB00000-0x00007FF66CE51000-memory.dmp

Filesize
3.3MB

Download
memory/1832-134-0x00007FF670120000-0x00007FF670471000-memory.dmp

Filesize
3.3MB

Download
memory/1832-247-0x00007FF670120000-0x00007FF670471000-memory.dmp

Filesize
3.3MB

Download
memory/1832-104-0x00007FF670120000-0x00007FF670471000-memory.dmp

Filesize
3.3MB

Download
memory/2064-48-0x00007FF642F20000-0x00007FF643271000-memory.dmp

Filesize
3.3MB

Download
memory/2064-227-0x00007FF642F20000-0x00007FF643271000-memory.dmp

Filesize
3.3MB

Download
memory/2488-90-0x00007FF659180000-0x00007FF6594D1000-memory.dmp

Filesize
3.3MB

Download
memory/2488-222-0x00007FF659180000-0x00007FF6594D1000-memory.dmp

Filesize
3.3MB

Download
memory/2488-24-0x00007FF659180000-0x00007FF6594D1000-memory.dmp

Filesize
3.3MB

Download
memory/2536-139-0x00007FF647970000-0x00007FF647CC1000-memory.dmp

Filesize
3.3MB

Download
memory/2536-264-0x00007FF647970000-0x00007FF647CC1000-memory.dmp

Filesize
3.3MB

Download
memory/2536-170-0x00007FF647970000-0x00007FF647CC1000-memory.dmp

Filesize
3.3MB

Download
memory/2620-121-0x00007FF6A09A0000-0x00007FF6A0CF1000-memory.dmp

Filesize
3.3MB

Download
memory/2620-255-0x00007FF6A09A0000-0x00007FF6A0CF1000-memory.dmp

Filesize
3.3MB

Download
memory/2620-161-0x00007FF6A09A0000-0x00007FF6A0CF1000-memory.dmp

Filesize
3.3MB

Download
memory/2656-71-0x00007FF695030000-0x00007FF695381000-memory.dmp

Filesize
3.3MB

Download
memory/2656-239-0x00007FF695030000-0x00007FF695381000-memory.dmp

Filesize
3.3MB

Download
memory/2656-128-0x00007FF695030000-0x00007FF695381000-memory.dmp

Filesize
3.3MB

Download
memory/2932-77-0x00007FF69CE00000-0x00007FF69D151000-memory.dmp

Filesize
3.3MB

Download
memory/2932-201-0x00007FF69CE00000-0x00007FF69D151000-memory.dmp

Filesize
3.3MB

Download
memory/2932-16-0x00007FF69CE00000-0x00007FF69D151000-memory.dmp

Filesize
3.3MB

Download
memory/3316-131-0x00007FF73E450000-0x00007FF73E7A1000-memory.dmp

Filesize
3.3MB

Download
memory/3316-163-0x00007FF73E450000-0x00007FF73E7A1000-memory.dmp

Filesize
3.3MB

Download
memory/3316-259-0x00007FF73E450000-0x00007FF73E7A1000-memory.dmp

Filesize
3.3MB

Download
memory/3340-141-0x00007FF6877B0000-0x00007FF687B01000-memory.dmp

Filesize
3.3MB

Download
memory/3340-262-0x00007FF6877B0000-0x00007FF687B01000-memory.dmp

Filesize
3.3MB

Download
memory/3340-168-0x00007FF6877B0000-0x00007FF687B01000-memory.dmp

Filesize
3.3MB

Download
memory/3468-164-0x00007FF789120000-0x00007FF789471000-memory.dmp

Filesize
3.3MB

Download
memory/3468-254-0x00007FF789120000-0x00007FF789471000-memory.dmp

Filesize
3.3MB

Download
memory/3468-110-0x00007FF789120000-0x00007FF789471000-memory.dmp

Filesize
3.3MB

Download
memory/3540-225-0x00007FF77DCE0000-0x00007FF77E031000-memory.dmp

Filesize
3.3MB

Download
memory/3540-44-0x00007FF77DCE0000-0x00007FF77E031000-memory.dmp

Filesize
3.3MB

Download
memory/3540-92-0x00007FF77DCE0000-0x00007FF77E031000-memory.dmp

Filesize
3.3MB

Download
memory/3616-46-0x00007FF7E3370000-0x00007FF7E36C1000-memory.dmp

Filesize
3.3MB

Download
memory/3616-100-0x00007FF7E3370000-0x00007FF7E36C1000-memory.dmp

Filesize
3.3MB

Download
memory/3616-229-0x00007FF7E3370000-0x00007FF7E36C1000-memory.dmp

Filesize
3.3MB

Download
memory/3624-232-0x00007FF601080000-0x00007FF6013D1000-memory.dmp

Filesize
3.3MB

Download
memory/3624-54-0x00007FF601080000-0x00007FF6013D1000-memory.dmp

Filesize
3.3MB

Download
memory/3624-111-0x00007FF601080000-0x00007FF6013D1000-memory.dmp

Filesize
3.3MB

Download
memory/3736-101-0x00007FF78CE10000-0x00007FF78D161000-memory.dmp

Filesize
3.3MB

Download
memory/3736-149-0x00007FF78CE10000-0x00007FF78D161000-memory.dmp

Filesize
3.3MB

Download
memory/3736-251-0x00007FF78CE10000-0x00007FF78D161000-memory.dmp

Filesize
3.3MB

Download
memory/4128-146-0x00007FF797500000-0x00007FF797851000-memory.dmp

Filesize
3.3MB

Download
memory/4128-171-0x00007FF797500000-0x00007FF797851000-memory.dmp

Filesize
3.3MB

Download
memory/4128-68-0x00007FF797500000-0x00007FF797851000-memory.dmp

Filesize
3.3MB

Download
memory/4128-0-0x00007FF797500000-0x00007FF797851000-memory.dmp

Filesize
3.3MB

Download
memory/4128-1-0x000002659C0D0000-0x000002659C0E0000-memory.dmp

Filesize
64KB

Download
memory/5044-203-0x00007FF7227A0000-0x00007FF722AF1000-memory.dmp

Filesize
3.3MB

Download
memory/5044-20-0x00007FF7227A0000-0x00007FF722AF1000-memory.dmp

Filesize
3.3MB

Download
memory/5092-29-0x00007FF676FA0000-0x00007FF6772F1000-memory.dmp

Filesize
3.3MB

Download
memory/5092-91-0x00007FF676FA0000-0x00007FF6772F1000-memory.dmp

Filesize
3.3MB

Download
memory/5092-223-0x00007FF676FA0000-0x00007FF6772F1000-memory.dmp

Filesize
3.3MB

Download