cobaltstrike | 4060e745f1bac843f91f728039aae342198bc5763fb40b1aad1ace8e2ed59efa

Analysis

max time kernel
145s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21-08-2024 07:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-21_1b801362a2d0f1785cb6ae18dafd7815_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

1b801362a2d0f1785cb6ae18dafd7815
SHA1

42ce9df75df8784628409362f5c9e7469eef5ef8
SHA256

4060e745f1bac843f91f728039aae342198bc5763fb40b1aad1ace8e2ed59efa
SHA512

95f33514b9e025742710651ba4e342d3a6c54f7fc1fa655ff719cd40e990b7737f1f6abe854c7efc8063b4ae03d136efcd22f49880101e9425be07ea0a90d7d0
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lP:RWWBibf56utgpPFotBER/mQ32lUr

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x00080000000233c1-4.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233c6-10.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233c5-20.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233c7-28.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233ca-37.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233cb-44.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233cc-55.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233c9-39.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233c8-34.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233cd-58.dat	cobalt_reflective_dll
behavioral2/files/0x00080000000233c2-65.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233cf-70.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233d0-78.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233d1-84.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233d6-115.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233d4-119.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233d3-124.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233d8-131.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233d5-129.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233d7-127.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233d2-97.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/2188-51-0x00007FF623000000-0x00007FF623351000-memory.dmp	xmrig
behavioral2/memory/800-36-0x00007FF68C140000-0x00007FF68C491000-memory.dmp	xmrig
behavioral2/memory/1932-72-0x00007FF760C90000-0x00007FF760FE1000-memory.dmp	xmrig
behavioral2/memory/2540-75-0x00007FF657A10000-0x00007FF657D61000-memory.dmp	xmrig
behavioral2/memory/3788-79-0x00007FF789B80000-0x00007FF789ED1000-memory.dmp	xmrig
behavioral2/memory/4948-106-0x00007FF645270000-0x00007FF6455C1000-memory.dmp	xmrig
behavioral2/memory/2464-132-0x00007FF742E20000-0x00007FF743171000-memory.dmp	xmrig
behavioral2/memory/2512-123-0x00007FF73FE00000-0x00007FF740151000-memory.dmp	xmrig
behavioral2/memory/4472-122-0x00007FF73B9F0000-0x00007FF73BD41000-memory.dmp	xmrig
behavioral2/memory/4464-121-0x00007FF66A3C0000-0x00007FF66A711000-memory.dmp	xmrig
behavioral2/memory/884-114-0x00007FF6E2670000-0x00007FF6E29C1000-memory.dmp	xmrig
behavioral2/memory/4740-113-0x00007FF7D11E0000-0x00007FF7D1531000-memory.dmp	xmrig
behavioral2/memory/1392-88-0x00007FF6732D0000-0x00007FF673621000-memory.dmp	xmrig
behavioral2/memory/4572-81-0x00007FF7EEBB0000-0x00007FF7EEF01000-memory.dmp	xmrig
behavioral2/memory/1932-136-0x00007FF760C90000-0x00007FF760FE1000-memory.dmp	xmrig
behavioral2/memory/2068-146-0x00007FF6422E0000-0x00007FF642631000-memory.dmp	xmrig
behavioral2/memory/5084-147-0x00007FF7999B0000-0x00007FF799D01000-memory.dmp	xmrig
behavioral2/memory/3108-148-0x00007FF654D00000-0x00007FF655051000-memory.dmp	xmrig
behavioral2/memory/2276-151-0x00007FF623790000-0x00007FF623AE1000-memory.dmp	xmrig
behavioral2/memory/1568-156-0x00007FF738900000-0x00007FF738C51000-memory.dmp	xmrig
behavioral2/memory/2268-162-0x00007FF6DBBE0000-0x00007FF6DBF31000-memory.dmp	xmrig
behavioral2/memory/3376-160-0x00007FF720920000-0x00007FF720C71000-memory.dmp	xmrig
behavioral2/memory/4504-161-0x00007FF7AAC90000-0x00007FF7AAFE1000-memory.dmp	xmrig
behavioral2/memory/1932-163-0x00007FF760C90000-0x00007FF760FE1000-memory.dmp	xmrig
behavioral2/memory/3788-215-0x00007FF789B80000-0x00007FF789ED1000-memory.dmp	xmrig
behavioral2/memory/4572-217-0x00007FF7EEBB0000-0x00007FF7EEF01000-memory.dmp	xmrig
behavioral2/memory/1392-222-0x00007FF6732D0000-0x00007FF673621000-memory.dmp	xmrig
behavioral2/memory/800-224-0x00007FF68C140000-0x00007FF68C491000-memory.dmp	xmrig
behavioral2/memory/4740-226-0x00007FF7D11E0000-0x00007FF7D1531000-memory.dmp	xmrig
behavioral2/memory/884-229-0x00007FF6E2670000-0x00007FF6E29C1000-memory.dmp	xmrig
behavioral2/memory/2188-230-0x00007FF623000000-0x00007FF623351000-memory.dmp	xmrig
behavioral2/memory/2464-232-0x00007FF742E20000-0x00007FF743171000-memory.dmp	xmrig
behavioral2/memory/4464-234-0x00007FF66A3C0000-0x00007FF66A711000-memory.dmp	xmrig
behavioral2/memory/2068-242-0x00007FF6422E0000-0x00007FF642631000-memory.dmp	xmrig
behavioral2/memory/5084-244-0x00007FF7999B0000-0x00007FF799D01000-memory.dmp	xmrig
behavioral2/memory/2540-246-0x00007FF657A10000-0x00007FF657D61000-memory.dmp	xmrig
behavioral2/memory/3108-254-0x00007FF654D00000-0x00007FF655051000-memory.dmp	xmrig
behavioral2/memory/2276-256-0x00007FF623790000-0x00007FF623AE1000-memory.dmp	xmrig
behavioral2/memory/4948-258-0x00007FF645270000-0x00007FF6455C1000-memory.dmp	xmrig
behavioral2/memory/2512-260-0x00007FF73FE00000-0x00007FF740151000-memory.dmp	xmrig
behavioral2/memory/4472-262-0x00007FF73B9F0000-0x00007FF73BD41000-memory.dmp	xmrig
behavioral2/memory/1568-264-0x00007FF738900000-0x00007FF738C51000-memory.dmp	xmrig
behavioral2/memory/3376-266-0x00007FF720920000-0x00007FF720C71000-memory.dmp	xmrig
behavioral2/memory/4504-270-0x00007FF7AAC90000-0x00007FF7AAFE1000-memory.dmp	xmrig
behavioral2/memory/2268-269-0x00007FF6DBBE0000-0x00007FF6DBF31000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
3788	wtQCNfp.exe
4572	iREHsCi.exe
1392	OYZHVeZ.exe
4740	FcVnpko.exe
800	CBwickI.exe
884	iUvwnze.exe
2188	kAJFYNl.exe
4464	KqFxrzv.exe
2464	CSbzFWp.exe
2068	EqIAZGo.exe
5084	hOtanjP.exe
2540	nIAuSEC.exe
3108	dxbxzoD.exe
2276	aZSwWOO.exe
4948	xYntgfJ.exe
4472	ZYtTYMI.exe
2268	fWajKlN.exe
1568	sKUiTbi.exe
2512	eLHUMNS.exe
3376	qidRSnl.exe
4504	TnKZBHn.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1932-0-0x00007FF760C90000-0x00007FF760FE1000-memory.dmp	upx
behavioral2/files/0x00080000000233c1-4.dat	upx
behavioral2/memory/3788-8-0x00007FF789B80000-0x00007FF789ED1000-memory.dmp	upx
behavioral2/files/0x00070000000233c6-10.dat	upx
behavioral2/files/0x00070000000233c5-20.dat	upx
behavioral2/files/0x00070000000233c7-28.dat	upx
behavioral2/memory/4740-24-0x00007FF7D11E0000-0x00007FF7D1531000-memory.dmp	upx
behavioral2/files/0x00070000000233ca-37.dat	upx
behavioral2/files/0x00070000000233cb-44.dat	upx
behavioral2/memory/4464-50-0x00007FF66A3C0000-0x00007FF66A711000-memory.dmp	upx
behavioral2/files/0x00070000000233cc-55.dat	upx
behavioral2/memory/2464-54-0x00007FF742E20000-0x00007FF743171000-memory.dmp	upx
behavioral2/memory/2188-51-0x00007FF623000000-0x00007FF623351000-memory.dmp	upx
behavioral2/memory/884-46-0x00007FF6E2670000-0x00007FF6E29C1000-memory.dmp	upx
behavioral2/files/0x00070000000233c9-39.dat	upx
behavioral2/memory/800-36-0x00007FF68C140000-0x00007FF68C491000-memory.dmp	upx
behavioral2/files/0x00070000000233c8-34.dat	upx
behavioral2/memory/1392-23-0x00007FF6732D0000-0x00007FF673621000-memory.dmp	upx
behavioral2/memory/4572-17-0x00007FF7EEBB0000-0x00007FF7EEF01000-memory.dmp	upx
behavioral2/files/0x00070000000233cd-58.dat	upx
behavioral2/memory/2068-61-0x00007FF6422E0000-0x00007FF642631000-memory.dmp	upx
behavioral2/files/0x00080000000233c2-65.dat	upx
behavioral2/memory/5084-66-0x00007FF7999B0000-0x00007FF799D01000-memory.dmp	upx
behavioral2/files/0x00070000000233cf-70.dat	upx
behavioral2/memory/1932-72-0x00007FF760C90000-0x00007FF760FE1000-memory.dmp	upx
behavioral2/memory/2540-75-0x00007FF657A10000-0x00007FF657D61000-memory.dmp	upx
behavioral2/files/0x00070000000233d0-78.dat	upx
behavioral2/memory/3788-79-0x00007FF789B80000-0x00007FF789ED1000-memory.dmp	upx
behavioral2/files/0x00070000000233d1-84.dat	upx
behavioral2/memory/4948-106-0x00007FF645270000-0x00007FF6455C1000-memory.dmp	upx
behavioral2/files/0x00070000000233d6-115.dat	upx
behavioral2/files/0x00070000000233d4-119.dat	upx
behavioral2/files/0x00070000000233d3-124.dat	upx
behavioral2/files/0x00070000000233d8-131.dat	upx
behavioral2/memory/4504-133-0x00007FF7AAC90000-0x00007FF7AAFE1000-memory.dmp	upx
behavioral2/memory/2464-132-0x00007FF742E20000-0x00007FF743171000-memory.dmp	upx
behavioral2/files/0x00070000000233d5-129.dat	upx
behavioral2/files/0x00070000000233d7-127.dat	upx
behavioral2/memory/3376-126-0x00007FF720920000-0x00007FF720C71000-memory.dmp	upx
behavioral2/memory/2512-123-0x00007FF73FE00000-0x00007FF740151000-memory.dmp	upx
behavioral2/memory/4472-122-0x00007FF73B9F0000-0x00007FF73BD41000-memory.dmp	upx
behavioral2/memory/4464-121-0x00007FF66A3C0000-0x00007FF66A711000-memory.dmp	upx
behavioral2/memory/884-114-0x00007FF6E2670000-0x00007FF6E29C1000-memory.dmp	upx
behavioral2/memory/4740-113-0x00007FF7D11E0000-0x00007FF7D1531000-memory.dmp	upx
behavioral2/memory/2268-109-0x00007FF6DBBE0000-0x00007FF6DBF31000-memory.dmp	upx
behavioral2/memory/1568-112-0x00007FF738900000-0x00007FF738C51000-memory.dmp	upx
behavioral2/memory/2276-101-0x00007FF623790000-0x00007FF623AE1000-memory.dmp	upx
behavioral2/files/0x00070000000233d2-97.dat	upx
behavioral2/memory/1392-88-0x00007FF6732D0000-0x00007FF673621000-memory.dmp	upx
behavioral2/memory/3108-85-0x00007FF654D00000-0x00007FF655051000-memory.dmp	upx
behavioral2/memory/4572-81-0x00007FF7EEBB0000-0x00007FF7EEF01000-memory.dmp	upx
behavioral2/memory/1932-136-0x00007FF760C90000-0x00007FF760FE1000-memory.dmp	upx
behavioral2/memory/2068-146-0x00007FF6422E0000-0x00007FF642631000-memory.dmp	upx
behavioral2/memory/5084-147-0x00007FF7999B0000-0x00007FF799D01000-memory.dmp	upx
behavioral2/memory/3108-148-0x00007FF654D00000-0x00007FF655051000-memory.dmp	upx
behavioral2/memory/2276-151-0x00007FF623790000-0x00007FF623AE1000-memory.dmp	upx
behavioral2/memory/1568-156-0x00007FF738900000-0x00007FF738C51000-memory.dmp	upx
behavioral2/memory/2268-162-0x00007FF6DBBE0000-0x00007FF6DBF31000-memory.dmp	upx
behavioral2/memory/3376-160-0x00007FF720920000-0x00007FF720C71000-memory.dmp	upx
behavioral2/memory/4504-161-0x00007FF7AAC90000-0x00007FF7AAFE1000-memory.dmp	upx
behavioral2/memory/1932-163-0x00007FF760C90000-0x00007FF760FE1000-memory.dmp	upx
behavioral2/memory/3788-215-0x00007FF789B80000-0x00007FF789ED1000-memory.dmp	upx
behavioral2/memory/4572-217-0x00007FF7EEBB0000-0x00007FF7EEF01000-memory.dmp	upx
behavioral2/memory/1392-222-0x00007FF6732D0000-0x00007FF673621000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\eLHUMNS.exe	2024-08-21_1b801362a2d0f1785cb6ae18dafd7815_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qidRSnl.exe	2024-08-21_1b801362a2d0f1785cb6ae18dafd7815_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wtQCNfp.exe	2024-08-21_1b801362a2d0f1785cb6ae18dafd7815_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kAJFYNl.exe	2024-08-21_1b801362a2d0f1785cb6ae18dafd7815_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hOtanjP.exe	2024-08-21_1b801362a2d0f1785cb6ae18dafd7815_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dxbxzoD.exe	2024-08-21_1b801362a2d0f1785cb6ae18dafd7815_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sKUiTbi.exe	2024-08-21_1b801362a2d0f1785cb6ae18dafd7815_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iREHsCi.exe	2024-08-21_1b801362a2d0f1785cb6ae18dafd7815_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EqIAZGo.exe	2024-08-21_1b801362a2d0f1785cb6ae18dafd7815_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nIAuSEC.exe	2024-08-21_1b801362a2d0f1785cb6ae18dafd7815_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xYntgfJ.exe	2024-08-21_1b801362a2d0f1785cb6ae18dafd7815_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fWajKlN.exe	2024-08-21_1b801362a2d0f1785cb6ae18dafd7815_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OYZHVeZ.exe	2024-08-21_1b801362a2d0f1785cb6ae18dafd7815_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CBwickI.exe	2024-08-21_1b801362a2d0f1785cb6ae18dafd7815_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iUvwnze.exe	2024-08-21_1b801362a2d0f1785cb6ae18dafd7815_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZYtTYMI.exe	2024-08-21_1b801362a2d0f1785cb6ae18dafd7815_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TnKZBHn.exe	2024-08-21_1b801362a2d0f1785cb6ae18dafd7815_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FcVnpko.exe	2024-08-21_1b801362a2d0f1785cb6ae18dafd7815_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KqFxrzv.exe	2024-08-21_1b801362a2d0f1785cb6ae18dafd7815_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CSbzFWp.exe	2024-08-21_1b801362a2d0f1785cb6ae18dafd7815_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aZSwWOO.exe	2024-08-21_1b801362a2d0f1785cb6ae18dafd7815_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1932	2024-08-21_1b801362a2d0f1785cb6ae18dafd7815_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	1932	2024-08-21_1b801362a2d0f1785cb6ae18dafd7815_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1932 wrote to memory of 3788	1932	2024-08-21_1b801362a2d0f1785cb6ae18dafd7815_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 1932 wrote to memory of 3788	1932	2024-08-21_1b801362a2d0f1785cb6ae18dafd7815_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 1932 wrote to memory of 4572	1932	2024-08-21_1b801362a2d0f1785cb6ae18dafd7815_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 1932 wrote to memory of 4572	1932	2024-08-21_1b801362a2d0f1785cb6ae18dafd7815_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 1932 wrote to memory of 1392	1932	2024-08-21_1b801362a2d0f1785cb6ae18dafd7815_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 1932 wrote to memory of 1392	1932	2024-08-21_1b801362a2d0f1785cb6ae18dafd7815_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 1932 wrote to memory of 800	1932	2024-08-21_1b801362a2d0f1785cb6ae18dafd7815_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 1932 wrote to memory of 800	1932	2024-08-21_1b801362a2d0f1785cb6ae18dafd7815_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 1932 wrote to memory of 4740	1932	2024-08-21_1b801362a2d0f1785cb6ae18dafd7815_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 1932 wrote to memory of 4740	1932	2024-08-21_1b801362a2d0f1785cb6ae18dafd7815_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 1932 wrote to memory of 884	1932	2024-08-21_1b801362a2d0f1785cb6ae18dafd7815_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1932 wrote to memory of 884	1932	2024-08-21_1b801362a2d0f1785cb6ae18dafd7815_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1932 wrote to memory of 2188	1932	2024-08-21_1b801362a2d0f1785cb6ae18dafd7815_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1932 wrote to memory of 2188	1932	2024-08-21_1b801362a2d0f1785cb6ae18dafd7815_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1932 wrote to memory of 4464	1932	2024-08-21_1b801362a2d0f1785cb6ae18dafd7815_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1932 wrote to memory of 4464	1932	2024-08-21_1b801362a2d0f1785cb6ae18dafd7815_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1932 wrote to memory of 2464	1932	2024-08-21_1b801362a2d0f1785cb6ae18dafd7815_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1932 wrote to memory of 2464	1932	2024-08-21_1b801362a2d0f1785cb6ae18dafd7815_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1932 wrote to memory of 2068	1932	2024-08-21_1b801362a2d0f1785cb6ae18dafd7815_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 1932 wrote to memory of 2068	1932	2024-08-21_1b801362a2d0f1785cb6ae18dafd7815_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 1932 wrote to memory of 5084	1932	2024-08-21_1b801362a2d0f1785cb6ae18dafd7815_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1932 wrote to memory of 5084	1932	2024-08-21_1b801362a2d0f1785cb6ae18dafd7815_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1932 wrote to memory of 2540	1932	2024-08-21_1b801362a2d0f1785cb6ae18dafd7815_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 1932 wrote to memory of 2540	1932	2024-08-21_1b801362a2d0f1785cb6ae18dafd7815_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 1932 wrote to memory of 3108	1932	2024-08-21_1b801362a2d0f1785cb6ae18dafd7815_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1932 wrote to memory of 3108	1932	2024-08-21_1b801362a2d0f1785cb6ae18dafd7815_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1932 wrote to memory of 2276	1932	2024-08-21_1b801362a2d0f1785cb6ae18dafd7815_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1932 wrote to memory of 2276	1932	2024-08-21_1b801362a2d0f1785cb6ae18dafd7815_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1932 wrote to memory of 4948	1932	2024-08-21_1b801362a2d0f1785cb6ae18dafd7815_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1932 wrote to memory of 4948	1932	2024-08-21_1b801362a2d0f1785cb6ae18dafd7815_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1932 wrote to memory of 1568	1932	2024-08-21_1b801362a2d0f1785cb6ae18dafd7815_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1932 wrote to memory of 1568	1932	2024-08-21_1b801362a2d0f1785cb6ae18dafd7815_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1932 wrote to memory of 4472	1932	2024-08-21_1b801362a2d0f1785cb6ae18dafd7815_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1932 wrote to memory of 4472	1932	2024-08-21_1b801362a2d0f1785cb6ae18dafd7815_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1932 wrote to memory of 2268	1932	2024-08-21_1b801362a2d0f1785cb6ae18dafd7815_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 1932 wrote to memory of 2268	1932	2024-08-21_1b801362a2d0f1785cb6ae18dafd7815_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 1932 wrote to memory of 2512	1932	2024-08-21_1b801362a2d0f1785cb6ae18dafd7815_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 1932 wrote to memory of 2512	1932	2024-08-21_1b801362a2d0f1785cb6ae18dafd7815_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 1932 wrote to memory of 3376	1932	2024-08-21_1b801362a2d0f1785cb6ae18dafd7815_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 1932 wrote to memory of 3376	1932	2024-08-21_1b801362a2d0f1785cb6ae18dafd7815_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 1932 wrote to memory of 4504	1932	2024-08-21_1b801362a2d0f1785cb6ae18dafd7815_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 1932 wrote to memory of 4504	1932	2024-08-21_1b801362a2d0f1785cb6ae18dafd7815_cobalt-strike_cobaltstrike_poet-rat.exe	106

C:\Users\Admin\AppData\Local\Temp\2024-08-21_1b801362a2d0f1785cb6ae18dafd7815_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-21_1b801362a2d0f1785cb6ae18dafd7815_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1932
- C:\Windows\System\wtQCNfp.exe
  C:\Windows\System\wtQCNfp.exe
  2⤵
  - Executes dropped EXE
  PID:3788
- C:\Windows\System\iREHsCi.exe
  C:\Windows\System\iREHsCi.exe
  2⤵
  - Executes dropped EXE
  PID:4572
- C:\Windows\System\OYZHVeZ.exe
  C:\Windows\System\OYZHVeZ.exe
  2⤵
  - Executes dropped EXE
  PID:1392
- C:\Windows\System\CBwickI.exe
  C:\Windows\System\CBwickI.exe
  2⤵
  - Executes dropped EXE
  PID:800
- C:\Windows\System\FcVnpko.exe
  C:\Windows\System\FcVnpko.exe
  2⤵
  - Executes dropped EXE
  PID:4740
- C:\Windows\System\iUvwnze.exe
  C:\Windows\System\iUvwnze.exe
  2⤵
  - Executes dropped EXE
  PID:884
- C:\Windows\System\kAJFYNl.exe
  C:\Windows\System\kAJFYNl.exe
  2⤵
  - Executes dropped EXE
  PID:2188
- C:\Windows\System\KqFxrzv.exe
  C:\Windows\System\KqFxrzv.exe
  2⤵
  - Executes dropped EXE
  PID:4464
- C:\Windows\System\CSbzFWp.exe
  C:\Windows\System\CSbzFWp.exe
  2⤵
  - Executes dropped EXE
  PID:2464
- C:\Windows\System\EqIAZGo.exe
  C:\Windows\System\EqIAZGo.exe
  2⤵
  - Executes dropped EXE
  PID:2068
- C:\Windows\System\hOtanjP.exe
  C:\Windows\System\hOtanjP.exe
  2⤵
  - Executes dropped EXE
  PID:5084
- C:\Windows\System\nIAuSEC.exe
  C:\Windows\System\nIAuSEC.exe
  2⤵
  - Executes dropped EXE
  PID:2540
- C:\Windows\System\dxbxzoD.exe
  C:\Windows\System\dxbxzoD.exe
  2⤵
  - Executes dropped EXE
  PID:3108
- C:\Windows\System\aZSwWOO.exe
  C:\Windows\System\aZSwWOO.exe
  2⤵
  - Executes dropped EXE
  PID:2276
- C:\Windows\System\xYntgfJ.exe
  C:\Windows\System\xYntgfJ.exe
  2⤵
  - Executes dropped EXE
  PID:4948
- C:\Windows\System\sKUiTbi.exe
  C:\Windows\System\sKUiTbi.exe
  2⤵
  - Executes dropped EXE
  PID:1568
- C:\Windows\System\ZYtTYMI.exe
  C:\Windows\System\ZYtTYMI.exe
  2⤵
  - Executes dropped EXE
  PID:4472
- C:\Windows\System\fWajKlN.exe
  C:\Windows\System\fWajKlN.exe
  2⤵
  - Executes dropped EXE
  PID:2268
- C:\Windows\System\eLHUMNS.exe
  C:\Windows\System\eLHUMNS.exe
  2⤵
  - Executes dropped EXE
  PID:2512
- C:\Windows\System\qidRSnl.exe
  C:\Windows\System\qidRSnl.exe
  2⤵
  - Executes dropped EXE
  PID:3376
- C:\Windows\System\TnKZBHn.exe
  C:\Windows\System\TnKZBHn.exe
  2⤵
  - Executes dropped EXE
  PID:4504

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\CBwickI.exe

Filesize
5.2MB

MD5
85290579f9d1f02220c3c9056fefb894

SHA1
31c29b8e9d14e23c14f19fc6448b89c92607d898

SHA256
052007cb2db9bf55cddbb484d2c8a75b6d1dfb59763c6521c6d2cdb499f5f536

SHA512
5dbd0f8d1c3f9d81b39c0b5e26af2110880751e7364ce9bd36e07a626ab3689d1bb576ef37c00d1e7b01be235b08af1361ccd7617a40476a5f96273e6a85da54

Download Submit
C:\Windows\System\CSbzFWp.exe

Filesize
5.2MB

MD5
596d485fc5a79d7245a235a76cbad0fa

SHA1
0001756f5ee873cf157d602749fae04c4c4e534f

SHA256
ef2951ced69cfe872e6fa512c06af8cf3ce2424f1780edbfacb57078997924a1

SHA512
01051de8111aee9dd89ff4948b2d9e459a01cdf46304f5480611ef44ee7d60d24f15d67e0fac9d755e3db9bd64c816b27da729c05a2d50920b18b65487cec151

Download Submit
C:\Windows\System\EqIAZGo.exe

Filesize
5.2MB

MD5
37a3aac9003231e1be696421207e2e29

SHA1
25d4239ddcfe9cb748450ebea0a5ae989af3e40a

SHA256
c9667e8ef23023494a6b764a9d4b1bf378890103a1d2b676a4b7aca4d9d6decb

SHA512
1921edc8086ef021f4d3d2c0e4d74d4ce7e64100ba7b9d5e29028454b49cd4fb83cfbf1a9c5297f418f2c6c9ec97526ab313c90c41a2f37a4bb9c1d6d0dd919c

Download Submit
C:\Windows\System\FcVnpko.exe

Filesize
5.2MB

MD5
73d42a436029f4060552a7c840e48ac6

SHA1
f1915180aa9cea91951854d13a5d1e97d3e0ac20

SHA256
a8f028685cdeb92aa89349b9b90010b5e28f116b078e7ef0727451cab501f851

SHA512
a10727fcc431f3c2678f184c0f82288c110ffe5905425083a327b1e14da87023639326980bb50e31ff247dd0a6ee90a1cc0d91a3fd8dc0484f8d655e7d17e402

Download Submit
C:\Windows\System\KqFxrzv.exe

Filesize
5.2MB

MD5
f55f515284eaa0df5c21e57e6c05424f

SHA1
08a4112db4a6b982dc628858196d102eae35020a

SHA256
cbb2f8f57896246fafc04805e4d8ce1499dab3827058c28e9b0a62e7174fcbff

SHA512
b3d58b9c6ba66e388b6ea99cc5c8c08cf3c73b389b608cff42826912e5d7c8dd115f934a9b82235e293d8fe1b786315da2d9c95eca3d98a6cafff66da212b76b

Download Submit
C:\Windows\System\OYZHVeZ.exe

Filesize
5.2MB

MD5
07ca5d4b9ba84e14decd638a0a34b396

SHA1
aadc4ea3004e9fb03b7bf03ce8c372e875fcf87e

SHA256
02b2ed756ffeaa4138924520233b72b0acf0b3c94289b3e67aee7c52760758fe

SHA512
71c43f220c55d71ab006940843ddc7c2edacc3ef72782cc3a2e65ab775e71a16710e0d79c511aa8319055c12ab6c6d9417d6483f31fb8001bfa162609c116eb1

Download Submit
C:\Windows\System\TnKZBHn.exe

Filesize
5.2MB

MD5
97b289a37c42bd739dd2a58f81adbc32

SHA1
004a07410487938789c40e6b9f6d5cf461db8114

SHA256
fa784367aec79634f68bc8593649dedbf29ff1fb2d6b152576dfecc93043fbef

SHA512
2838480617bac59d40abf943b7acd99adec71a014e74b364f68a6c6b6298f1355a2cf52a5cb36a24fa0f8c5b1f11461345c4569bdb03541272d479fb71bf9ce2

Download Submit
C:\Windows\System\ZYtTYMI.exe

Filesize
5.2MB

MD5
91b24c30a860da9584c2266798717bae

SHA1
9e113afd36002cf14a7f5f822dfbe17088cf25e5

SHA256
da83f0e3f460042276df343370855353de530dce28ff0ff35e76859b9698e6c7

SHA512
492326d16164f8868285a781d75d4c76576e8277bf871761de64cd8fbb83ad22686df6589be24d3fba2e55bb4dee9c2cd8d94ed4c6e8f2077cd591ce76575e67

Download Submit
C:\Windows\System\aZSwWOO.exe

Filesize
5.2MB

MD5
524dfc0accb6ad9cc7264a061889e29e

SHA1
7fda0d2933866ae35b2fc4da4231854050025b02

SHA256
3753cca290e52f9af3e5d33c4d3512f08798485504b09a15d513e6fae2cef406

SHA512
f2dafe4c976aaad8a2bf5fa19bf0697248c9113e6d3bc5d9a3a0163f1f3bc0d562316ecc87aee97c3f92fceffbcb1aced9db8d1f55b1cdb79f0223a9c0693c97

Download Submit
C:\Windows\System\dxbxzoD.exe

Filesize
5.2MB

MD5
35e0533316bd39d6088e2cb87e5888bb

SHA1
f96d432f179706b30dd9a17bb622d8611ac9d6f8

SHA256
0f5fe1862541288900ece34f00da6e4ed8e04f72e5b15d5a50ff0233dec8fbd1

SHA512
690812fd54549b6f0a090be55258e6e10d86b0ac0ecb818f9a77998a07a8d8707c5ad1d95b0ee1aafe4674629c8114ef1e9335944185b041a58f7d983dc860cd

Download Submit
C:\Windows\System\eLHUMNS.exe

Filesize
5.2MB

MD5
e1af118e807382edf3d977024a39a1f5

SHA1
2a6129b8ec786b0842dc4f20b2cb588de1d78a55

SHA256
eaca806b8ba7d2661983df7486615671cf16d63366f2001a38a26fe87b470338

SHA512
f240b2a68703eae77f043b68395aa9aae3a7fd8ebed6fd0f996f7aece2a8cd1ff77230038de39f4b5376ea9179c0f50c945bf0c1a2bd48a9494d93ed2a282839

Download Submit
C:\Windows\System\fWajKlN.exe

Filesize
5.2MB

MD5
2d5801d0723e21a733b3e9bf48ad8b85

SHA1
b175ecc0d535e96795b12a6eae6b93ec75af219a

SHA256
a781fd1354b8684162706f764afaacf4b271f250a19d9aa628787bba1586e2bc

SHA512
9806857afc4fa1ed4bba60a88c082c0e5be2ed76b3d509f5dd707b502a54b3a79be584e10c6cdcb5de666d97916ca5faaeb9b8d1a06ce2d8b9b250d9d3c42706

Download Submit
C:\Windows\System\hOtanjP.exe

Filesize
5.2MB

MD5
f45c2571601ccc969cd28f47d3eaf5bc

SHA1
367922685ba43cf2cc04ff23cb532e9d155046a2

SHA256
006f41f2fecd0ed88008e2f6cb40219d9d9f66088f97b97f689e96e3a5af677b

SHA512
71c5805ce39b41a14916b2f871d45b5c6b43f41065cdbad6a97b55ac7f9d2d3df2db0a06996b54030c56b8d0fec6b390f366eb0f68a5b92971b87aa7ef6b73cb

Download Submit
C:\Windows\System\iREHsCi.exe

Filesize
5.2MB

MD5
e710ace2b51a015450d4ddf0d18dff10

SHA1
71446a406676eda8d4015e4abd98b88095d38ce3

SHA256
f14f71adfee093fe3f0db04e43fd8ae81e52b075deb7821455799508bf4613a9

SHA512
e15e2e194dbbd537db697f9c861d5b1d91e102303663ff6c2af396e5b1ca833f7b5bb2f3df29cf2658361b31fc3a9918a822f0e82ded9cf98eb0797ea526dc17

Download Submit
C:\Windows\System\iUvwnze.exe

Filesize
5.2MB

MD5
1e38edcafca5c68c9db1cc29d524fd7e

SHA1
892aedb3d83c5f8da63f330e9d7c4832039631de

SHA256
a59850bdb4e21d256f9695db7151116c34c89c1538743eaeeb4b97d3ea5477de

SHA512
a3590031eeb4f1d7ceb08a4f420ccccd982fc9214c73862da3f25cc0540b7600a85ab2d17884e2fb1d2d1eb59d44c501681b5b08b1b67437701325f18fa11461

Download Submit
C:\Windows\System\kAJFYNl.exe

Filesize
5.2MB

MD5
fabff7aa9db65444666638be28e58812

SHA1
afa8bcfeaf133a0b97f3ebc23c8c9d1bda500fa9

SHA256
e85aafd659e4aa8be4ae080f68149b859ac632e85d34556f3db7aac5d3c77639

SHA512
20f46261565ab17a995760b8104647bb33de1ba027d0648078498415a36e999bd9bfb65291f9051e134be202c01117d9444f896b09cf30c4f268b10b351cc95c

Download Submit
C:\Windows\System\nIAuSEC.exe

Filesize
5.2MB

MD5
e186c9558acf9982e3c9084f1a8ebb4f

SHA1
4bb40440c6804f2e7a7d3b18ade9455354cd0d59

SHA256
e0c6977655735ad5417f3d4e1278a8fdbef0dadd3c6bdf4d81d57cbcc989d4e3

SHA512
ec85b5dab9d1f56fc375305794bc98ddbcd0b2a1a9538fe5ab800910be3d18730969640c67419e7fe325162da0d0f3ee4323e4632aeeaa6c4372185ac480a45e

Download Submit
C:\Windows\System\qidRSnl.exe

Filesize
5.2MB

MD5
4592b1a995f6c084ae3b79f602231a9e

SHA1
9e8201ae1a3fe7b0eaa48764ac10541320791c9d

SHA256
2b53d11251aee2cd6a9f21dfc749dd85be9f9af5857caae36107935a5c647eb8

SHA512
76119f4f06159f456d67d717caff0d06dd2fbe99d4018da0121ef651a0480bcd63904b81d5a27e486b9e52ab3595cc17d36aeb2efd9c49cf68741de6ab166bea

Download Submit
C:\Windows\System\sKUiTbi.exe

Filesize
5.2MB

MD5
386649289a1df9ae5cbb26961b6b08bf

SHA1
f47846cdf0531cc593fa30e3f13cd63f265dd123

SHA256
b5da1810a4407f67d4e31ada595652317884350661d54fa6f2b50091e2ecc5f5

SHA512
776ca14777f355017b44a7665a32e95050dcba8c9643338c421e86013acc9476b348b3d6c22f955e0ffd038a214b2b47c5dc5aec2a020eac78eda552e636ec09

Download Submit
C:\Windows\System\wtQCNfp.exe

Filesize
5.2MB

MD5
f4e0944b549d646735fd301d4325d6cb

SHA1
4762e6384938135cd9398d803668876a236b9e60

SHA256
50cbb537cd5faec144232223ede27cd25c63cb22c4c28c2e40f82273b8bc3d56

SHA512
7e834fc2944f386ed216dc1135906d1e9472ead6e7f27ed01982ae80941f1fcf21a65fa9b4f89ff87713987e52692639318446709c2e3c510ec74c9e5ec9e906

Download Submit
C:\Windows\System\xYntgfJ.exe

Filesize
5.2MB

MD5
59de8854ccfb019f0bca89e266c1fff0

SHA1
2f227f55e43d04750e561756471d4a71023069a9

SHA256
492650e0468136b809b0072c16fc97991d1f51e6cb338419631af6cd3a3a34a8

SHA512
31bc561e48494126ac31e92281d584c1ca2bb307ca63e810e75d6eb07239608d8e7e88f36c631cb68267a3730b16de7cd94c3824c96580286e4e533361afc592

Download Submit
memory/800-36-0x00007FF68C140000-0x00007FF68C491000-memory.dmp

Filesize
3.3MB

Download
memory/800-224-0x00007FF68C140000-0x00007FF68C491000-memory.dmp

Filesize
3.3MB

Download
memory/884-46-0x00007FF6E2670000-0x00007FF6E29C1000-memory.dmp

Filesize
3.3MB

Download
memory/884-229-0x00007FF6E2670000-0x00007FF6E29C1000-memory.dmp

Filesize
3.3MB

Download
memory/884-114-0x00007FF6E2670000-0x00007FF6E29C1000-memory.dmp

Filesize
3.3MB

Download
memory/1392-88-0x00007FF6732D0000-0x00007FF673621000-memory.dmp

Filesize
3.3MB

Download
memory/1392-222-0x00007FF6732D0000-0x00007FF673621000-memory.dmp

Filesize
3.3MB

Download
memory/1392-23-0x00007FF6732D0000-0x00007FF673621000-memory.dmp

Filesize
3.3MB

Download
memory/1568-156-0x00007FF738900000-0x00007FF738C51000-memory.dmp

Filesize
3.3MB

Download
memory/1568-264-0x00007FF738900000-0x00007FF738C51000-memory.dmp

Filesize
3.3MB

Download
memory/1568-112-0x00007FF738900000-0x00007FF738C51000-memory.dmp

Filesize
3.3MB

Download
memory/1932-136-0x00007FF760C90000-0x00007FF760FE1000-memory.dmp

Filesize
3.3MB

Download
memory/1932-1-0x0000026169720000-0x0000026169730000-memory.dmp

Filesize
64KB

Download
memory/1932-163-0x00007FF760C90000-0x00007FF760FE1000-memory.dmp

Filesize
3.3MB

Download
memory/1932-0-0x00007FF760C90000-0x00007FF760FE1000-memory.dmp

Filesize
3.3MB

Download
memory/1932-72-0x00007FF760C90000-0x00007FF760FE1000-memory.dmp

Filesize
3.3MB

Download
memory/2068-242-0x00007FF6422E0000-0x00007FF642631000-memory.dmp

Filesize
3.3MB

Download
memory/2068-146-0x00007FF6422E0000-0x00007FF642631000-memory.dmp

Filesize
3.3MB

Download
memory/2068-61-0x00007FF6422E0000-0x00007FF642631000-memory.dmp

Filesize
3.3MB

Download
memory/2188-51-0x00007FF623000000-0x00007FF623351000-memory.dmp

Filesize
3.3MB

Download
memory/2188-230-0x00007FF623000000-0x00007FF623351000-memory.dmp

Filesize
3.3MB

Download
memory/2268-162-0x00007FF6DBBE0000-0x00007FF6DBF31000-memory.dmp

Filesize
3.3MB

Download
memory/2268-269-0x00007FF6DBBE0000-0x00007FF6DBF31000-memory.dmp

Filesize
3.3MB

Download
memory/2268-109-0x00007FF6DBBE0000-0x00007FF6DBF31000-memory.dmp

Filesize
3.3MB

Download
memory/2276-151-0x00007FF623790000-0x00007FF623AE1000-memory.dmp

Filesize
3.3MB

Download
memory/2276-101-0x00007FF623790000-0x00007FF623AE1000-memory.dmp

Filesize
3.3MB

Download
memory/2276-256-0x00007FF623790000-0x00007FF623AE1000-memory.dmp

Filesize
3.3MB

Download
memory/2464-54-0x00007FF742E20000-0x00007FF743171000-memory.dmp

Filesize
3.3MB

Download
memory/2464-132-0x00007FF742E20000-0x00007FF743171000-memory.dmp

Filesize
3.3MB

Download
memory/2464-232-0x00007FF742E20000-0x00007FF743171000-memory.dmp

Filesize
3.3MB

Download
memory/2512-260-0x00007FF73FE00000-0x00007FF740151000-memory.dmp

Filesize
3.3MB

Download
memory/2512-123-0x00007FF73FE00000-0x00007FF740151000-memory.dmp

Filesize
3.3MB

Download
memory/2540-246-0x00007FF657A10000-0x00007FF657D61000-memory.dmp

Filesize
3.3MB

Download
memory/2540-75-0x00007FF657A10000-0x00007FF657D61000-memory.dmp

Filesize
3.3MB

Download
memory/3108-254-0x00007FF654D00000-0x00007FF655051000-memory.dmp

Filesize
3.3MB

Download
memory/3108-85-0x00007FF654D00000-0x00007FF655051000-memory.dmp

Filesize
3.3MB

Download
memory/3108-148-0x00007FF654D00000-0x00007FF655051000-memory.dmp

Filesize
3.3MB

Download
memory/3376-126-0x00007FF720920000-0x00007FF720C71000-memory.dmp

Filesize
3.3MB

Download
memory/3376-160-0x00007FF720920000-0x00007FF720C71000-memory.dmp

Filesize
3.3MB

Download
memory/3376-266-0x00007FF720920000-0x00007FF720C71000-memory.dmp

Filesize
3.3MB

Download
memory/3788-79-0x00007FF789B80000-0x00007FF789ED1000-memory.dmp

Filesize
3.3MB

Download
memory/3788-8-0x00007FF789B80000-0x00007FF789ED1000-memory.dmp

Filesize
3.3MB

Download
memory/3788-215-0x00007FF789B80000-0x00007FF789ED1000-memory.dmp

Filesize
3.3MB

Download
memory/4464-121-0x00007FF66A3C0000-0x00007FF66A711000-memory.dmp

Filesize
3.3MB

Download
memory/4464-234-0x00007FF66A3C0000-0x00007FF66A711000-memory.dmp

Filesize
3.3MB

Download
memory/4464-50-0x00007FF66A3C0000-0x00007FF66A711000-memory.dmp

Filesize
3.3MB

Download
memory/4472-122-0x00007FF73B9F0000-0x00007FF73BD41000-memory.dmp

Filesize
3.3MB

Download
memory/4472-262-0x00007FF73B9F0000-0x00007FF73BD41000-memory.dmp

Filesize
3.3MB

Download
memory/4504-270-0x00007FF7AAC90000-0x00007FF7AAFE1000-memory.dmp

Filesize
3.3MB

Download
memory/4504-133-0x00007FF7AAC90000-0x00007FF7AAFE1000-memory.dmp

Filesize
3.3MB

Download
memory/4504-161-0x00007FF7AAC90000-0x00007FF7AAFE1000-memory.dmp

Filesize
3.3MB

Download
memory/4572-81-0x00007FF7EEBB0000-0x00007FF7EEF01000-memory.dmp

Filesize
3.3MB

Download
memory/4572-17-0x00007FF7EEBB0000-0x00007FF7EEF01000-memory.dmp

Filesize
3.3MB

Download
memory/4572-217-0x00007FF7EEBB0000-0x00007FF7EEF01000-memory.dmp

Filesize
3.3MB

Download
memory/4740-113-0x00007FF7D11E0000-0x00007FF7D1531000-memory.dmp

Filesize
3.3MB

Download
memory/4740-24-0x00007FF7D11E0000-0x00007FF7D1531000-memory.dmp

Filesize
3.3MB

Download
memory/4740-226-0x00007FF7D11E0000-0x00007FF7D1531000-memory.dmp

Filesize
3.3MB

Download
memory/4948-258-0x00007FF645270000-0x00007FF6455C1000-memory.dmp

Filesize
3.3MB

Download
memory/4948-106-0x00007FF645270000-0x00007FF6455C1000-memory.dmp

Filesize
3.3MB

Download
memory/5084-66-0x00007FF7999B0000-0x00007FF799D01000-memory.dmp

Filesize
3.3MB

Download
memory/5084-244-0x00007FF7999B0000-0x00007FF799D01000-memory.dmp

Filesize
3.3MB

Download
memory/5084-147-0x00007FF7999B0000-0x00007FF799D01000-memory.dmp

Filesize
3.3MB

Download