cobaltstrike | 153cac7015d02c969ebb4e7f6b01004afeb7af86e2c23afcf2eea6723ddc978f

Analysis

max time kernel
146s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17/08/2024, 09:43

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-08-17_46bc14619f3caafb0901d84ea1bd49ff_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

46bc14619f3caafb0901d84ea1bd49ff
SHA1

2daefd22390d589e389e0b79c3d7560aec3f4e60
SHA256

153cac7015d02c969ebb4e7f6b01004afeb7af86e2c23afcf2eea6723ddc978f
SHA512

e332c43f262eaf14a7aa31c1e5755753d94f5d29881970b84f117b0d5bb100ce69240ad2ef5740273a2d2c094537fb46431835b5f14e5a681a039ebd70c527e7
SSDEEP

49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lj:RWWBibd56utgpPFotBER/mQ32lUP

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000800000002349f-6.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234a3-12.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234a7-28.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ac-54.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ad-84.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234b0-82.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234af-90.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234b1-100.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234b2-107.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234b3-114.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234b5-118.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234b4-116.dat	cobalt_reflective_dll
behavioral2/files/0x00080000000234a0-98.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234a9-86.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ae-66.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ab-68.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234aa-58.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234a8-44.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234a6-39.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234a5-27.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234a4-22.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/2496-104-0x00007FF601C00000-0x00007FF601F51000-memory.dmp	xmrig
behavioral2/memory/1476-94-0x00007FF7B5790000-0x00007FF7B5AE1000-memory.dmp	xmrig
behavioral2/memory/3232-89-0x00007FF687860000-0x00007FF687BB1000-memory.dmp	xmrig
behavioral2/memory/1536-60-0x00007FF7015C0000-0x00007FF701911000-memory.dmp	xmrig
behavioral2/memory/1132-55-0x00007FF696490000-0x00007FF6967E1000-memory.dmp	xmrig
behavioral2/memory/3112-121-0x00007FF66A160000-0x00007FF66A4B1000-memory.dmp	xmrig
behavioral2/memory/760-120-0x00007FF798110000-0x00007FF798461000-memory.dmp	xmrig
behavioral2/memory/5076-123-0x00007FF61CCB0000-0x00007FF61D001000-memory.dmp	xmrig
behavioral2/memory/4496-125-0x00007FF721290000-0x00007FF7215E1000-memory.dmp	xmrig
behavioral2/memory/3964-124-0x00007FF790C80000-0x00007FF790FD1000-memory.dmp	xmrig
behavioral2/memory/1900-126-0x00007FF68EAA0000-0x00007FF68EDF1000-memory.dmp	xmrig
behavioral2/memory/696-122-0x00007FF645F20000-0x00007FF646271000-memory.dmp	xmrig
behavioral2/memory/2956-127-0x00007FF7C3100000-0x00007FF7C3451000-memory.dmp	xmrig
behavioral2/memory/1768-128-0x00007FF7430E0000-0x00007FF743431000-memory.dmp	xmrig
behavioral2/memory/4360-129-0x00007FF6D0610000-0x00007FF6D0961000-memory.dmp	xmrig
behavioral2/memory/2476-132-0x00007FF60E3E0000-0x00007FF60E731000-memory.dmp	xmrig
behavioral2/memory/1836-138-0x00007FF636E50000-0x00007FF6371A1000-memory.dmp	xmrig
behavioral2/memory/3548-136-0x00007FF6C1310000-0x00007FF6C1661000-memory.dmp	xmrig
behavioral2/memory/3708-144-0x00007FF751C70000-0x00007FF751FC1000-memory.dmp	xmrig
behavioral2/memory/2296-133-0x00007FF68DFF0000-0x00007FF68E341000-memory.dmp	xmrig
behavioral2/memory/1380-130-0x00007FF64A5D0000-0x00007FF64A921000-memory.dmp	xmrig
behavioral2/memory/2540-131-0x00007FF6F8CE0000-0x00007FF6F9031000-memory.dmp	xmrig
behavioral2/memory/1768-150-0x00007FF7430E0000-0x00007FF743431000-memory.dmp	xmrig
behavioral2/memory/1768-151-0x00007FF7430E0000-0x00007FF743431000-memory.dmp	xmrig
behavioral2/memory/4360-210-0x00007FF6D0610000-0x00007FF6D0961000-memory.dmp	xmrig
behavioral2/memory/2540-212-0x00007FF6F8CE0000-0x00007FF6F9031000-memory.dmp	xmrig
behavioral2/memory/2476-216-0x00007FF60E3E0000-0x00007FF60E731000-memory.dmp	xmrig
behavioral2/memory/1380-214-0x00007FF64A5D0000-0x00007FF64A921000-memory.dmp	xmrig
behavioral2/memory/1132-220-0x00007FF696490000-0x00007FF6967E1000-memory.dmp	xmrig
behavioral2/memory/2296-219-0x00007FF68DFF0000-0x00007FF68E341000-memory.dmp	xmrig
behavioral2/memory/1536-223-0x00007FF7015C0000-0x00007FF701911000-memory.dmp	xmrig
behavioral2/memory/760-232-0x00007FF798110000-0x00007FF798461000-memory.dmp	xmrig
behavioral2/memory/1476-234-0x00007FF7B5790000-0x00007FF7B5AE1000-memory.dmp	xmrig
behavioral2/memory/3232-236-0x00007FF687860000-0x00007FF687BB1000-memory.dmp	xmrig
behavioral2/memory/1836-238-0x00007FF636E50000-0x00007FF6371A1000-memory.dmp	xmrig
behavioral2/memory/3548-242-0x00007FF6C1310000-0x00007FF6C1661000-memory.dmp	xmrig
behavioral2/memory/3112-241-0x00007FF66A160000-0x00007FF66A4B1000-memory.dmp	xmrig
behavioral2/memory/696-244-0x00007FF645F20000-0x00007FF646271000-memory.dmp	xmrig
behavioral2/memory/3708-248-0x00007FF751C70000-0x00007FF751FC1000-memory.dmp	xmrig
behavioral2/memory/5076-246-0x00007FF61CCB0000-0x00007FF61D001000-memory.dmp	xmrig
behavioral2/memory/2496-250-0x00007FF601C00000-0x00007FF601F51000-memory.dmp	xmrig
behavioral2/memory/2956-256-0x00007FF7C3100000-0x00007FF7C3451000-memory.dmp	xmrig
behavioral2/memory/1900-258-0x00007FF68EAA0000-0x00007FF68EDF1000-memory.dmp	xmrig
behavioral2/memory/3964-254-0x00007FF790C80000-0x00007FF790FD1000-memory.dmp	xmrig
behavioral2/memory/4496-253-0x00007FF721290000-0x00007FF7215E1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4360	MjaWuAC.exe
1380	BELlxhC.exe
2540	ILRwnhL.exe
2476	jszeIyF.exe
1132	NkUvHjr.exe
2296	NVBQexm.exe
1536	MpiQgcD.exe
760	DddVxee.exe
3548	PxiWlqS.exe
1836	qaxiIiL.exe
3232	ualfZjv.exe
3112	BKndrOX.exe
1476	DKSoFMF.exe
696	bXmBpdy.exe
5076	YYHeWSD.exe
3708	cAzqWjw.exe
2496	MxRkVaG.exe
3964	ETzDbxV.exe
4496	TPyRcvj.exe
2956	iCaHeHz.exe
1900	eyDSnvj.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1768-0-0x00007FF7430E0000-0x00007FF743431000-memory.dmp	upx
behavioral2/files/0x000800000002349f-6.dat	upx
behavioral2/memory/4360-7-0x00007FF6D0610000-0x00007FF6D0961000-memory.dmp	upx
behavioral2/files/0x00070000000234a3-12.dat	upx
behavioral2/memory/2540-20-0x00007FF6F8CE0000-0x00007FF6F9031000-memory.dmp	upx
behavioral2/files/0x00070000000234a7-28.dat	upx
behavioral2/memory/2476-31-0x00007FF60E3E0000-0x00007FF60E731000-memory.dmp	upx
behavioral2/files/0x00070000000234ac-54.dat	upx
behavioral2/files/0x00070000000234ad-84.dat	upx
behavioral2/files/0x00070000000234b0-82.dat	upx
behavioral2/files/0x00070000000234af-90.dat	upx
behavioral2/files/0x00070000000234b1-100.dat	upx
behavioral2/files/0x00070000000234b2-107.dat	upx
behavioral2/files/0x00070000000234b3-114.dat	upx
behavioral2/files/0x00070000000234b5-118.dat	upx
behavioral2/files/0x00070000000234b4-116.dat	upx
behavioral2/memory/2496-104-0x00007FF601C00000-0x00007FF601F51000-memory.dmp	upx
behavioral2/memory/3708-103-0x00007FF751C70000-0x00007FF751FC1000-memory.dmp	upx
behavioral2/files/0x00080000000234a0-98.dat	upx
behavioral2/memory/1476-94-0x00007FF7B5790000-0x00007FF7B5AE1000-memory.dmp	upx
behavioral2/memory/3232-89-0x00007FF687860000-0x00007FF687BB1000-memory.dmp	upx
behavioral2/files/0x00070000000234a9-86.dat	upx
behavioral2/memory/1836-79-0x00007FF636E50000-0x00007FF6371A1000-memory.dmp	upx
behavioral2/memory/3548-77-0x00007FF6C1310000-0x00007FF6C1661000-memory.dmp	upx
behavioral2/files/0x00070000000234ae-66.dat	upx
behavioral2/files/0x00070000000234ab-68.dat	upx
behavioral2/memory/1536-60-0x00007FF7015C0000-0x00007FF701911000-memory.dmp	upx
behavioral2/files/0x00070000000234aa-58.dat	upx
behavioral2/memory/1132-55-0x00007FF696490000-0x00007FF6967E1000-memory.dmp	upx
behavioral2/memory/2296-48-0x00007FF68DFF0000-0x00007FF68E341000-memory.dmp	upx
behavioral2/files/0x00070000000234a8-44.dat	upx
behavioral2/files/0x00070000000234a6-39.dat	upx
behavioral2/files/0x00070000000234a5-27.dat	upx
behavioral2/files/0x00070000000234a4-22.dat	upx
behavioral2/memory/1380-15-0x00007FF64A5D0000-0x00007FF64A921000-memory.dmp	upx
behavioral2/memory/3112-121-0x00007FF66A160000-0x00007FF66A4B1000-memory.dmp	upx
behavioral2/memory/760-120-0x00007FF798110000-0x00007FF798461000-memory.dmp	upx
behavioral2/memory/5076-123-0x00007FF61CCB0000-0x00007FF61D001000-memory.dmp	upx
behavioral2/memory/4496-125-0x00007FF721290000-0x00007FF7215E1000-memory.dmp	upx
behavioral2/memory/3964-124-0x00007FF790C80000-0x00007FF790FD1000-memory.dmp	upx
behavioral2/memory/1900-126-0x00007FF68EAA0000-0x00007FF68EDF1000-memory.dmp	upx
behavioral2/memory/696-122-0x00007FF645F20000-0x00007FF646271000-memory.dmp	upx
behavioral2/memory/2956-127-0x00007FF7C3100000-0x00007FF7C3451000-memory.dmp	upx
behavioral2/memory/1768-128-0x00007FF7430E0000-0x00007FF743431000-memory.dmp	upx
behavioral2/memory/4360-129-0x00007FF6D0610000-0x00007FF6D0961000-memory.dmp	upx
behavioral2/memory/2476-132-0x00007FF60E3E0000-0x00007FF60E731000-memory.dmp	upx
behavioral2/memory/1836-138-0x00007FF636E50000-0x00007FF6371A1000-memory.dmp	upx
behavioral2/memory/3548-136-0x00007FF6C1310000-0x00007FF6C1661000-memory.dmp	upx
behavioral2/memory/3708-144-0x00007FF751C70000-0x00007FF751FC1000-memory.dmp	upx
behavioral2/memory/2296-133-0x00007FF68DFF0000-0x00007FF68E341000-memory.dmp	upx
behavioral2/memory/1380-130-0x00007FF64A5D0000-0x00007FF64A921000-memory.dmp	upx
behavioral2/memory/2540-131-0x00007FF6F8CE0000-0x00007FF6F9031000-memory.dmp	upx
behavioral2/memory/1768-150-0x00007FF7430E0000-0x00007FF743431000-memory.dmp	upx
behavioral2/memory/1768-151-0x00007FF7430E0000-0x00007FF743431000-memory.dmp	upx
behavioral2/memory/4360-210-0x00007FF6D0610000-0x00007FF6D0961000-memory.dmp	upx
behavioral2/memory/2540-212-0x00007FF6F8CE0000-0x00007FF6F9031000-memory.dmp	upx
behavioral2/memory/2476-216-0x00007FF60E3E0000-0x00007FF60E731000-memory.dmp	upx
behavioral2/memory/1380-214-0x00007FF64A5D0000-0x00007FF64A921000-memory.dmp	upx
behavioral2/memory/1132-220-0x00007FF696490000-0x00007FF6967E1000-memory.dmp	upx
behavioral2/memory/2296-219-0x00007FF68DFF0000-0x00007FF68E341000-memory.dmp	upx
behavioral2/memory/1536-223-0x00007FF7015C0000-0x00007FF701911000-memory.dmp	upx
behavioral2/memory/760-232-0x00007FF798110000-0x00007FF798461000-memory.dmp	upx
behavioral2/memory/1476-234-0x00007FF7B5790000-0x00007FF7B5AE1000-memory.dmp	upx
behavioral2/memory/3232-236-0x00007FF687860000-0x00007FF687BB1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\BELlxhC.exe	2024-08-17_46bc14619f3caafb0901d84ea1bd49ff_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NkUvHjr.exe	2024-08-17_46bc14619f3caafb0901d84ea1bd49ff_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PxiWlqS.exe	2024-08-17_46bc14619f3caafb0901d84ea1bd49ff_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DKSoFMF.exe	2024-08-17_46bc14619f3caafb0901d84ea1bd49ff_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bXmBpdy.exe	2024-08-17_46bc14619f3caafb0901d84ea1bd49ff_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jszeIyF.exe	2024-08-17_46bc14619f3caafb0901d84ea1bd49ff_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MpiQgcD.exe	2024-08-17_46bc14619f3caafb0901d84ea1bd49ff_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DddVxee.exe	2024-08-17_46bc14619f3caafb0901d84ea1bd49ff_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ualfZjv.exe	2024-08-17_46bc14619f3caafb0901d84ea1bd49ff_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BKndrOX.exe	2024-08-17_46bc14619f3caafb0901d84ea1bd49ff_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MxRkVaG.exe	2024-08-17_46bc14619f3caafb0901d84ea1bd49ff_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eyDSnvj.exe	2024-08-17_46bc14619f3caafb0901d84ea1bd49ff_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MjaWuAC.exe	2024-08-17_46bc14619f3caafb0901d84ea1bd49ff_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ILRwnhL.exe	2024-08-17_46bc14619f3caafb0901d84ea1bd49ff_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NVBQexm.exe	2024-08-17_46bc14619f3caafb0901d84ea1bd49ff_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qaxiIiL.exe	2024-08-17_46bc14619f3caafb0901d84ea1bd49ff_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cAzqWjw.exe	2024-08-17_46bc14619f3caafb0901d84ea1bd49ff_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ETzDbxV.exe	2024-08-17_46bc14619f3caafb0901d84ea1bd49ff_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iCaHeHz.exe	2024-08-17_46bc14619f3caafb0901d84ea1bd49ff_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YYHeWSD.exe	2024-08-17_46bc14619f3caafb0901d84ea1bd49ff_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TPyRcvj.exe	2024-08-17_46bc14619f3caafb0901d84ea1bd49ff_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1768	2024-08-17_46bc14619f3caafb0901d84ea1bd49ff_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	1768	2024-08-17_46bc14619f3caafb0901d84ea1bd49ff_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1768 wrote to memory of 4360	1768	2024-08-17_46bc14619f3caafb0901d84ea1bd49ff_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 1768 wrote to memory of 4360	1768	2024-08-17_46bc14619f3caafb0901d84ea1bd49ff_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 1768 wrote to memory of 1380	1768	2024-08-17_46bc14619f3caafb0901d84ea1bd49ff_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 1768 wrote to memory of 1380	1768	2024-08-17_46bc14619f3caafb0901d84ea1bd49ff_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 1768 wrote to memory of 2540	1768	2024-08-17_46bc14619f3caafb0901d84ea1bd49ff_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 1768 wrote to memory of 2540	1768	2024-08-17_46bc14619f3caafb0901d84ea1bd49ff_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 1768 wrote to memory of 2476	1768	2024-08-17_46bc14619f3caafb0901d84ea1bd49ff_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 1768 wrote to memory of 2476	1768	2024-08-17_46bc14619f3caafb0901d84ea1bd49ff_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 1768 wrote to memory of 2296	1768	2024-08-17_46bc14619f3caafb0901d84ea1bd49ff_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 1768 wrote to memory of 2296	1768	2024-08-17_46bc14619f3caafb0901d84ea1bd49ff_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 1768 wrote to memory of 1132	1768	2024-08-17_46bc14619f3caafb0901d84ea1bd49ff_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1768 wrote to memory of 1132	1768	2024-08-17_46bc14619f3caafb0901d84ea1bd49ff_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1768 wrote to memory of 1536	1768	2024-08-17_46bc14619f3caafb0901d84ea1bd49ff_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1768 wrote to memory of 1536	1768	2024-08-17_46bc14619f3caafb0901d84ea1bd49ff_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1768 wrote to memory of 3548	1768	2024-08-17_46bc14619f3caafb0901d84ea1bd49ff_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1768 wrote to memory of 3548	1768	2024-08-17_46bc14619f3caafb0901d84ea1bd49ff_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1768 wrote to memory of 760	1768	2024-08-17_46bc14619f3caafb0901d84ea1bd49ff_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1768 wrote to memory of 760	1768	2024-08-17_46bc14619f3caafb0901d84ea1bd49ff_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1768 wrote to memory of 1836	1768	2024-08-17_46bc14619f3caafb0901d84ea1bd49ff_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 1768 wrote to memory of 1836	1768	2024-08-17_46bc14619f3caafb0901d84ea1bd49ff_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 1768 wrote to memory of 3232	1768	2024-08-17_46bc14619f3caafb0901d84ea1bd49ff_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1768 wrote to memory of 3232	1768	2024-08-17_46bc14619f3caafb0901d84ea1bd49ff_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1768 wrote to memory of 3112	1768	2024-08-17_46bc14619f3caafb0901d84ea1bd49ff_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1768 wrote to memory of 3112	1768	2024-08-17_46bc14619f3caafb0901d84ea1bd49ff_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1768 wrote to memory of 1476	1768	2024-08-17_46bc14619f3caafb0901d84ea1bd49ff_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 1768 wrote to memory of 1476	1768	2024-08-17_46bc14619f3caafb0901d84ea1bd49ff_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 1768 wrote to memory of 696	1768	2024-08-17_46bc14619f3caafb0901d84ea1bd49ff_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1768 wrote to memory of 696	1768	2024-08-17_46bc14619f3caafb0901d84ea1bd49ff_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1768 wrote to memory of 5076	1768	2024-08-17_46bc14619f3caafb0901d84ea1bd49ff_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1768 wrote to memory of 5076	1768	2024-08-17_46bc14619f3caafb0901d84ea1bd49ff_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1768 wrote to memory of 3708	1768	2024-08-17_46bc14619f3caafb0901d84ea1bd49ff_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1768 wrote to memory of 3708	1768	2024-08-17_46bc14619f3caafb0901d84ea1bd49ff_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1768 wrote to memory of 2496	1768	2024-08-17_46bc14619f3caafb0901d84ea1bd49ff_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1768 wrote to memory of 2496	1768	2024-08-17_46bc14619f3caafb0901d84ea1bd49ff_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1768 wrote to memory of 3964	1768	2024-08-17_46bc14619f3caafb0901d84ea1bd49ff_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1768 wrote to memory of 3964	1768	2024-08-17_46bc14619f3caafb0901d84ea1bd49ff_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1768 wrote to memory of 4496	1768	2024-08-17_46bc14619f3caafb0901d84ea1bd49ff_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 1768 wrote to memory of 4496	1768	2024-08-17_46bc14619f3caafb0901d84ea1bd49ff_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 1768 wrote to memory of 2956	1768	2024-08-17_46bc14619f3caafb0901d84ea1bd49ff_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 1768 wrote to memory of 2956	1768	2024-08-17_46bc14619f3caafb0901d84ea1bd49ff_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 1768 wrote to memory of 1900	1768	2024-08-17_46bc14619f3caafb0901d84ea1bd49ff_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 1768 wrote to memory of 1900	1768	2024-08-17_46bc14619f3caafb0901d84ea1bd49ff_cobalt-strike_cobaltstrike_poet-rat.exe	105

C:\Users\Admin\AppData\Local\Temp\2024-08-17_46bc14619f3caafb0901d84ea1bd49ff_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-17_46bc14619f3caafb0901d84ea1bd49ff_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1768
- C:\Windows\System\MjaWuAC.exe
  C:\Windows\System\MjaWuAC.exe
  2⤵
  - Executes dropped EXE
  PID:4360
- C:\Windows\System\BELlxhC.exe
  C:\Windows\System\BELlxhC.exe
  2⤵
  - Executes dropped EXE
  PID:1380
- C:\Windows\System\ILRwnhL.exe
  C:\Windows\System\ILRwnhL.exe
  2⤵
  - Executes dropped EXE
  PID:2540
- C:\Windows\System\jszeIyF.exe
  C:\Windows\System\jszeIyF.exe
  2⤵
  - Executes dropped EXE
  PID:2476
- C:\Windows\System\NVBQexm.exe
  C:\Windows\System\NVBQexm.exe
  2⤵
  - Executes dropped EXE
  PID:2296
- C:\Windows\System\NkUvHjr.exe
  C:\Windows\System\NkUvHjr.exe
  2⤵
  - Executes dropped EXE
  PID:1132
- C:\Windows\System\MpiQgcD.exe
  C:\Windows\System\MpiQgcD.exe
  2⤵
  - Executes dropped EXE
  PID:1536
- C:\Windows\System\PxiWlqS.exe
  C:\Windows\System\PxiWlqS.exe
  2⤵
  - Executes dropped EXE
  PID:3548
- C:\Windows\System\DddVxee.exe
  C:\Windows\System\DddVxee.exe
  2⤵
  - Executes dropped EXE
  PID:760
- C:\Windows\System\qaxiIiL.exe
  C:\Windows\System\qaxiIiL.exe
  2⤵
  - Executes dropped EXE
  PID:1836
- C:\Windows\System\ualfZjv.exe
  C:\Windows\System\ualfZjv.exe
  2⤵
  - Executes dropped EXE
  PID:3232
- C:\Windows\System\BKndrOX.exe
  C:\Windows\System\BKndrOX.exe
  2⤵
  - Executes dropped EXE
  PID:3112
- C:\Windows\System\DKSoFMF.exe
  C:\Windows\System\DKSoFMF.exe
  2⤵
  - Executes dropped EXE
  PID:1476
- C:\Windows\System\bXmBpdy.exe
  C:\Windows\System\bXmBpdy.exe
  2⤵
  - Executes dropped EXE
  PID:696
- C:\Windows\System\YYHeWSD.exe
  C:\Windows\System\YYHeWSD.exe
  2⤵
  - Executes dropped EXE
  PID:5076
- C:\Windows\System\cAzqWjw.exe
  C:\Windows\System\cAzqWjw.exe
  2⤵
  - Executes dropped EXE
  PID:3708
- C:\Windows\System\MxRkVaG.exe
  C:\Windows\System\MxRkVaG.exe
  2⤵
  - Executes dropped EXE
  PID:2496
- C:\Windows\System\ETzDbxV.exe
  C:\Windows\System\ETzDbxV.exe
  2⤵
  - Executes dropped EXE
  PID:3964
- C:\Windows\System\TPyRcvj.exe
  C:\Windows\System\TPyRcvj.exe
  2⤵
  - Executes dropped EXE
  PID:4496
- C:\Windows\System\iCaHeHz.exe
  C:\Windows\System\iCaHeHz.exe
  2⤵
  - Executes dropped EXE
  PID:2956
- C:\Windows\System\eyDSnvj.exe
  C:\Windows\System\eyDSnvj.exe
  2⤵
  - Executes dropped EXE
  PID:1900

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BELlxhC.exe

Filesize
5.2MB

MD5
b8e73da96e304f2a5490efcffa518e16

SHA1
b7a0957f00e81fbce2cb4f8aea757cb26b2045d0

SHA256
1bb543fb0fa780c7b80e26d97f93889bbf61f6903b7c18797c5034713c9d0f96

SHA512
e563cb9fc4f40bf3a761d41b8cffb206ba8da1cb19e6b59e9f7b0d6d6ce5030b0696c575a354e30c739c306a9748ed124c4492546b2eacac24e9485b977c43ba

Download Submit
C:\Windows\System\BKndrOX.exe

Filesize
5.2MB

MD5
1f5a3d6ca49dcbe5fe0cc071c7f59de7

SHA1
dfd3f59b9c49cbe9cc9ecffaf408e18ca578b6fe

SHA256
3bbb44cced8c9941e2f8dc6eeb65fb60cfef286df0c4d5fc51cc0016547aa162

SHA512
8bc64ac567c21b1cc2a417579d97ebbf0cfcf9e52495f6383af6c7d8915e007ece34420aaafc62693932f18721e9ff8566466a60abf3fc07592d0e8d959a25b4

Download Submit
C:\Windows\System\DKSoFMF.exe

Filesize
5.2MB

MD5
25f0f5fb997f550ae25058c4962832d5

SHA1
b24d911600d23861c384e9c1c785c13531be7567

SHA256
620aad71d4e4b00748bfe2741bce052b411a4b3230d44d088b4420700c432bc5

SHA512
5902295798b5db9e1ff1f411d6a7158af2b8efa2599a9cae95e2a1882421af1b2c39cce19e8c48fffdfecda14db16c437f03aa214b35d22efdf6d5cd4f0a5ca3

Download Submit
C:\Windows\System\DddVxee.exe

Filesize
5.2MB

MD5
777b337f2435615ffd0e02a7d1fe5248

SHA1
fcf5b43e19f49544075e8678a431f867d1001bc2

SHA256
87082fe49397bb26b29c94d89be2e62503875474d8915fcf4598a792be154f1e

SHA512
7304b49d06a1a2848d51b0ca39d4144575c372a593d2e44e7e8e3d8b15a862fe2f0f49072bcd3c109b1bb8e5aea696b27b3ff881702fb053a5d0f93310d4231a

Download Submit
C:\Windows\System\ETzDbxV.exe

Filesize
5.2MB

MD5
984733ecdedc447b7f5b79f3f0493d47

SHA1
ba754ac46ae387d9157afe287fce02e3bc6a7500

SHA256
c3ca469da252f30449161d4e5ed115997fda7d3c8af162bc9779010c30cfaa15

SHA512
81f83ccfc9b5012e154b85a3a8fb845c2bbd79bebffe119ba601907599b2056466ca3e2a1c5fc91b54a4938e2d59ad1ce82bc7cdb14262f20da57a3994ce7147

Download Submit
C:\Windows\System\ILRwnhL.exe

Filesize
5.2MB

MD5
9d4c9f4e7bd5d375dbb7e30e82f04e7a

SHA1
f366078eee5ea6d660b704064781503f3127d71b

SHA256
b4b5e9d174b5cd8c11185297ebba53d3b65ba5f237fd324c9b5d614140f3c637

SHA512
4436c28987eec35de749f2dcdb885bd469d8fcbc2866fb9d46a271ab01812e90d52fc07270ca6a1fdfd7999a81a4b031ef83c9e32370fcef4a7469988b9fb600

Download Submit
C:\Windows\System\MjaWuAC.exe

Filesize
5.2MB

MD5
1d37efde3c0bed01acb4f8f70dbb2b24

SHA1
7c1bc74712446694d9e6180d757385a057b2361a

SHA256
492b3d5e7673f10f4759b88776c130c21fb58f1a685c114abe65d1d75a0265bb

SHA512
5dc14762c097a2913b1fee4a2dc0d97ccdbc87f03df0d55ff345fbbb73754e5b76465bfa97299394c0ae8027f1d12c9cde044e26a2d80440c814732cee02b49f

Download Submit
C:\Windows\System\MpiQgcD.exe

Filesize
5.2MB

MD5
36ca0d5c3ec15e4426bcbd548f123a29

SHA1
20e39052191a0ca5185f87b42c0ef7edde86d784

SHA256
91a085eadbe79ea0576f5c6d84f584493ceadb9fe6e83df4d7211c630b02d305

SHA512
9102aa880c0313020a907c044ed0a292b48a11b5b6e022cf2ed787793bd004408b5390f232d208d90f8508312a69515f08868d9d2a38d64978a30eaa026ba639

Download Submit
C:\Windows\System\MxRkVaG.exe

Filesize
5.2MB

MD5
751058b6b15f60d02bba68b07ba592fd

SHA1
3fd5713127aabcf31799cabdab0df51c99b90d99

SHA256
c71bb3ddcf7d9a8bb625485aa5940e59b3898388188a161941e8ddb1b0c0e6c2

SHA512
7f523d852ae90a15ba0ad4d3b7be6e0069aa79a6be17ad3f8339343177aea6b5eb6cb69e242a5bea0182a893653224258c825af602e27e9c17a02247de14a7a1

Download Submit
C:\Windows\System\NVBQexm.exe

Filesize
5.2MB

MD5
52cc59348ce56daf52c1d27d270827c1

SHA1
d4f5e96fb2e07f1c2e0af679a8a0eef433a3e027

SHA256
1a8935ae8b25ccdef4a97b2078afdc972ac1d07fd9addc48f743990898424d55

SHA512
92ae03c4f57008bf19d1f45c64390ec5e05f6ffeac11b3c013c48024befd5245132637ee630ce7076c0625cd9a2c6982dc00bfe85ee86c85a8c4988729832aa2

Download Submit
C:\Windows\System\NkUvHjr.exe

Filesize
5.2MB

MD5
434a050bf9e4907f0c91b4fc8d9f353e

SHA1
83625d285cf1be7e28e67011536ab9911864f9a0

SHA256
9e338904911762f51445853696c62ba8c6dcc8f282ec22704607574a5a450c1c

SHA512
ddb7b5f6bb9fa2e4ecbcf6868c2e551e0ab3e1bae7535d460f9c845ba99853ec386306f2b58a009acf7665ccc837c09f6bbdaa5d4b0b22711d9c777c238f85b5

Download Submit
C:\Windows\System\PxiWlqS.exe

Filesize
5.2MB

MD5
32bf1b601ca53eb40787429d26036d84

SHA1
b7da6bb43fdf9bdeb1a552bd1b8c42dacdeeec9b

SHA256
363bab72a14bc65d2634a9274afea85ebb678af44cdf79292491797d0732893e

SHA512
565bfced1ef27a2af52ba1e58d733473479ccd4fe1927371896a92e2980e7feab0691d700f1afcd7f78bb36535e03fd5d9a01573a6efc381037b9a81488951c9

Download Submit
C:\Windows\System\TPyRcvj.exe

Filesize
5.2MB

MD5
ca6e30f7cb17c55e8839389e243593a1

SHA1
d11d0e11e3d6b1ddd382258cb6ce7d52de3914ab

SHA256
8f15292bf702e1d5171cae62926a02012f8aa05efe8ad5609f8e5c80e11a6f97

SHA512
20c192d09af1adc38657c6e2aa0cfdb1bd3054a3803b2b228057c54090ff9068339e7258336ccdbbcb731cdaaaccfd51b07abfdf51e4046aca7057e27ea259ed

Download Submit
C:\Windows\System\YYHeWSD.exe

Filesize
5.2MB

MD5
3af587cd775aa51fbeaace1d56f50e7c

SHA1
fce9308856a2434a94b7c208985620725064bf8e

SHA256
a2171484c692bd863a95324eb48d16009331c08d91f491ba4e1ac9fedcd8b7ee

SHA512
9c99394e0c2e88055f4f195739ac95285170b61f58b9128526b8d254f563ee5ce6f5e18c88924dbc4a47cbe9ee3655b107cfee1d47cae0ed74f2eb0f476f1c0e

Download Submit
C:\Windows\System\bXmBpdy.exe

Filesize
5.2MB

MD5
f2df92f1b9411b2e690370c1a621c374

SHA1
2bf647482744a01ce4641070c627947788c2f780

SHA256
0007b2bd7696fbba74e12e22ee15a47d63b18b2dcc0811cfa599dcbec495164b

SHA512
a921a09fbdeeafa91d4470117a6c79b08b410d5c3f80cbb1e5d074f4fc8ee3856d878ad0821802b1fb8b226b041d04688285adc84ad8a4feff015aa69ae33062

Download Submit
C:\Windows\System\cAzqWjw.exe

Filesize
5.2MB

MD5
5575b46b720e2ca9e7175e82d12d0eb4

SHA1
30f1c9680bf630183b3e370a9ccef6ab920dc4b6

SHA256
7061d8ac81f93e8cf2d070fe6995ccf2e91f437c8c4cf272cbe768cff453b73a

SHA512
1e753a363b496199b8bd5a5abd5e5a21f6358c671267118b5927e668571c4c87324bbd2bc8b0a44cb6b60a6380316f487929ee65aae057ff6bde593fb12636cc

Download Submit
C:\Windows\System\eyDSnvj.exe

Filesize
5.2MB

MD5
da900d46ab9bb27bb5146fd189194dcd

SHA1
dd7de378b5e70f755bf89a0fc95bf918030c40df

SHA256
3f29b22bcb10a506a85d437ff16692da8ae5d935e21f2c827dc9ef28b3e95026

SHA512
38612ea6ef8f300d6d593c2945c94b19b085aa01109ca64b6ff3618ec7e20407df33dc84f968b3afb2567dc074363e71d87ee9018bc1f33363e104dd4010ab91

Download Submit
C:\Windows\System\iCaHeHz.exe

Filesize
5.2MB

MD5
035bf0a6c15a573bc9cbbbd3e8b91946

SHA1
01afa4870bad5347c934348638e61e606ad427d2

SHA256
573e2c70758036c5112334d9e0fb2869cf98dfb38c1d0803f09e99d201e24630

SHA512
29635eabaddf6259c41946c330dd474c9b13ab3ece51117ce12c6db6685484c6f1d45e9cb9d224578fdbb81043ef968e58c3e28365278dbd0fe1ab9ebd5a8720

Download Submit
C:\Windows\System\jszeIyF.exe

Filesize
5.2MB

MD5
e5e06f885421aaacab8db35b2274f6f7

SHA1
a7b2951ba823307d2b085ba2894eb94bb34a0f05

SHA256
26de0a599de00ee657cb762d3b3025317c34839ff5427d7796edf3c35e36ec73

SHA512
9c1b62e3c6c9b0ec69bb9f1162a7dbc85d15f26fbf93e47e9dc64942da89180304d2303b40d3d2883476169c53fe9aca9d2583c89306ed5947e03a6b44cdbde2

Download Submit
C:\Windows\System\qaxiIiL.exe

Filesize
5.2MB

MD5
3f08609cd6e0e6f70c4471b86460a9ba

SHA1
3bc7b718fbc7ee46834b38a604dba2297391b14f

SHA256
4933511735d6fa9503176aef1d0b1b0fce9decc8e4ae79f2babb8b5b79042c5d

SHA512
c1fbd31f287d1ced033b802b4c1fe4eabd8000c4695b0f19f482f80a4450b3bf197e1dbb9023bfbf5c4cc4cee33e9a65ac44c0542d415eda0501c9b2399fd968

Download Submit
C:\Windows\System\ualfZjv.exe

Filesize
5.2MB

MD5
97d717a5e343a5dce304cddb104196e4

SHA1
caec1d09b75fa33f0df6dc815a42dc0ebee95bf9

SHA256
6a894f8b50239b24ec2b8b4a63c01ae8921036192e139de40d7bfe464900d506

SHA512
d6e9825f7c2edb7af8cc9952505b0fa1a8130022f795c99e953aac42f7c939af79230c13ef88ad0a88882075252e32f399ed626931c2b46e0458ba553fc3a578

Download Submit
memory/696-122-0x00007FF645F20000-0x00007FF646271000-memory.dmp

Filesize
3.3MB

Download
memory/696-244-0x00007FF645F20000-0x00007FF646271000-memory.dmp

Filesize
3.3MB

Download
memory/760-232-0x00007FF798110000-0x00007FF798461000-memory.dmp

Filesize
3.3MB

Download
memory/760-120-0x00007FF798110000-0x00007FF798461000-memory.dmp

Filesize
3.3MB

Download
memory/1132-55-0x00007FF696490000-0x00007FF6967E1000-memory.dmp

Filesize
3.3MB

Download
memory/1132-220-0x00007FF696490000-0x00007FF6967E1000-memory.dmp

Filesize
3.3MB

Download
memory/1380-130-0x00007FF64A5D0000-0x00007FF64A921000-memory.dmp

Filesize
3.3MB

Download
memory/1380-15-0x00007FF64A5D0000-0x00007FF64A921000-memory.dmp

Filesize
3.3MB

Download
memory/1380-214-0x00007FF64A5D0000-0x00007FF64A921000-memory.dmp

Filesize
3.3MB

Download
memory/1476-94-0x00007FF7B5790000-0x00007FF7B5AE1000-memory.dmp

Filesize
3.3MB

Download
memory/1476-234-0x00007FF7B5790000-0x00007FF7B5AE1000-memory.dmp

Filesize
3.3MB

Download
memory/1536-223-0x00007FF7015C0000-0x00007FF701911000-memory.dmp

Filesize
3.3MB

Download
memory/1536-60-0x00007FF7015C0000-0x00007FF701911000-memory.dmp

Filesize
3.3MB

Download
memory/1768-0-0x00007FF7430E0000-0x00007FF743431000-memory.dmp

Filesize
3.3MB

Download
memory/1768-1-0x00000229B9400000-0x00000229B9410000-memory.dmp

Filesize
64KB

Download
memory/1768-151-0x00007FF7430E0000-0x00007FF743431000-memory.dmp

Filesize
3.3MB

Download
memory/1768-150-0x00007FF7430E0000-0x00007FF743431000-memory.dmp

Filesize
3.3MB

Download
memory/1768-128-0x00007FF7430E0000-0x00007FF743431000-memory.dmp

Filesize
3.3MB

Download
memory/1836-238-0x00007FF636E50000-0x00007FF6371A1000-memory.dmp

Filesize
3.3MB

Download
memory/1836-79-0x00007FF636E50000-0x00007FF6371A1000-memory.dmp

Filesize
3.3MB

Download
memory/1836-138-0x00007FF636E50000-0x00007FF6371A1000-memory.dmp

Filesize
3.3MB

Download
memory/1900-258-0x00007FF68EAA0000-0x00007FF68EDF1000-memory.dmp

Filesize
3.3MB

Download
memory/1900-126-0x00007FF68EAA0000-0x00007FF68EDF1000-memory.dmp

Filesize
3.3MB

Download
memory/2296-48-0x00007FF68DFF0000-0x00007FF68E341000-memory.dmp

Filesize
3.3MB

Download
memory/2296-219-0x00007FF68DFF0000-0x00007FF68E341000-memory.dmp

Filesize
3.3MB

Download
memory/2296-133-0x00007FF68DFF0000-0x00007FF68E341000-memory.dmp

Filesize
3.3MB

Download
memory/2476-216-0x00007FF60E3E0000-0x00007FF60E731000-memory.dmp

Filesize
3.3MB

Download
memory/2476-31-0x00007FF60E3E0000-0x00007FF60E731000-memory.dmp

Filesize
3.3MB

Download
memory/2476-132-0x00007FF60E3E0000-0x00007FF60E731000-memory.dmp

Filesize
3.3MB

Download
memory/2496-104-0x00007FF601C00000-0x00007FF601F51000-memory.dmp

Filesize
3.3MB

Download
memory/2496-250-0x00007FF601C00000-0x00007FF601F51000-memory.dmp

Filesize
3.3MB

Download
memory/2540-212-0x00007FF6F8CE0000-0x00007FF6F9031000-memory.dmp

Filesize
3.3MB

Download
memory/2540-20-0x00007FF6F8CE0000-0x00007FF6F9031000-memory.dmp

Filesize
3.3MB

Download
memory/2540-131-0x00007FF6F8CE0000-0x00007FF6F9031000-memory.dmp

Filesize
3.3MB

Download
memory/2956-127-0x00007FF7C3100000-0x00007FF7C3451000-memory.dmp

Filesize
3.3MB

Download
memory/2956-256-0x00007FF7C3100000-0x00007FF7C3451000-memory.dmp

Filesize
3.3MB

Download
memory/3112-241-0x00007FF66A160000-0x00007FF66A4B1000-memory.dmp

Filesize
3.3MB

Download
memory/3112-121-0x00007FF66A160000-0x00007FF66A4B1000-memory.dmp

Filesize
3.3MB

Download
memory/3232-236-0x00007FF687860000-0x00007FF687BB1000-memory.dmp

Filesize
3.3MB

Download
memory/3232-89-0x00007FF687860000-0x00007FF687BB1000-memory.dmp

Filesize
3.3MB

Download
memory/3548-136-0x00007FF6C1310000-0x00007FF6C1661000-memory.dmp

Filesize
3.3MB

Download
memory/3548-242-0x00007FF6C1310000-0x00007FF6C1661000-memory.dmp

Filesize
3.3MB

Download
memory/3548-77-0x00007FF6C1310000-0x00007FF6C1661000-memory.dmp

Filesize
3.3MB

Download
memory/3708-248-0x00007FF751C70000-0x00007FF751FC1000-memory.dmp

Filesize
3.3MB

Download
memory/3708-103-0x00007FF751C70000-0x00007FF751FC1000-memory.dmp

Filesize
3.3MB

Download
memory/3708-144-0x00007FF751C70000-0x00007FF751FC1000-memory.dmp

Filesize
3.3MB

Download
memory/3964-124-0x00007FF790C80000-0x00007FF790FD1000-memory.dmp

Filesize
3.3MB

Download
memory/3964-254-0x00007FF790C80000-0x00007FF790FD1000-memory.dmp

Filesize
3.3MB

Download
memory/4360-210-0x00007FF6D0610000-0x00007FF6D0961000-memory.dmp

Filesize
3.3MB

Download
memory/4360-129-0x00007FF6D0610000-0x00007FF6D0961000-memory.dmp

Filesize
3.3MB

Download
memory/4360-7-0x00007FF6D0610000-0x00007FF6D0961000-memory.dmp

Filesize
3.3MB

Download
memory/4496-125-0x00007FF721290000-0x00007FF7215E1000-memory.dmp

Filesize
3.3MB

Download
memory/4496-253-0x00007FF721290000-0x00007FF7215E1000-memory.dmp

Filesize
3.3MB

Download
memory/5076-123-0x00007FF61CCB0000-0x00007FF61D001000-memory.dmp

Filesize
3.3MB

Download
memory/5076-246-0x00007FF61CCB0000-0x00007FF61D001000-memory.dmp

Filesize
3.3MB

Download