cobaltstrike | 360fd2071b07a821a8b42de61ff1b5ecead26cc203a4a25063be33f88779f1a7

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24/08/2024, 19:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-24_5d94a4a5df29d18f1dcf742580811a0f_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

5d94a4a5df29d18f1dcf742580811a0f
SHA1

4fea2a64d73a7d3d82252632d5584c184868af24
SHA256

360fd2071b07a821a8b42de61ff1b5ecead26cc203a4a25063be33f88779f1a7
SHA512

4e611494fa1fef9468094f825269af2c7875a5108ba111441ffd39ce41cd686701c2c13606d41e4956fae0aa685ce4b8303e3f55ade5c9a78ddffcbc0f65b287
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l4:RWWBibf56utgpPFotBER/mQ32lUE

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x00090000000233e8-4.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002344c-15.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002344e-18.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002344f-27.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023451-39.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023452-49.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023454-64.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023455-71.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023456-78.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023458-85.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023457-83.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023453-61.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023450-42.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002344d-20.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023459-95.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345b-102.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345e-114.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345f-115.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345d-113.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345c-111.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023449-99.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 47 IoCs

miner

resource	yara_rule
behavioral2/memory/2024-70-0x00007FF666400000-0x00007FF666751000-memory.dmp	xmrig
behavioral2/memory/2680-69-0x00007FF645CD0000-0x00007FF646021000-memory.dmp	xmrig
behavioral2/memory/3096-57-0x00007FF7777F0000-0x00007FF777B41000-memory.dmp	xmrig
behavioral2/memory/3888-52-0x00007FF65A5C0000-0x00007FF65A911000-memory.dmp	xmrig
behavioral2/memory/3652-24-0x00007FF75EF70000-0x00007FF75F2C1000-memory.dmp	xmrig
behavioral2/memory/4180-117-0x00007FF640950000-0x00007FF640CA1000-memory.dmp	xmrig
behavioral2/memory/4148-107-0x00007FF7102B0000-0x00007FF710601000-memory.dmp	xmrig
behavioral2/memory/4708-106-0x00007FF68CE80000-0x00007FF68D1D1000-memory.dmp	xmrig
behavioral2/memory/1928-98-0x00007FF607AC0000-0x00007FF607E11000-memory.dmp	xmrig
behavioral2/memory/784-131-0x00007FF699A40000-0x00007FF699D91000-memory.dmp	xmrig
behavioral2/memory/3652-132-0x00007FF75EF70000-0x00007FF75F2C1000-memory.dmp	xmrig
behavioral2/memory/2668-130-0x00007FF65A230000-0x00007FF65A581000-memory.dmp	xmrig
behavioral2/memory/1928-133-0x00007FF607AC0000-0x00007FF607E11000-memory.dmp	xmrig
behavioral2/memory/2368-145-0x00007FF7E2220000-0x00007FF7E2571000-memory.dmp	xmrig
behavioral2/memory/1144-146-0x00007FF7E0560000-0x00007FF7E08B1000-memory.dmp	xmrig
behavioral2/memory/4996-148-0x00007FF7201B0000-0x00007FF720501000-memory.dmp	xmrig
behavioral2/memory/2020-147-0x00007FF778670000-0x00007FF7789C1000-memory.dmp	xmrig
behavioral2/memory/1664-144-0x00007FF715040000-0x00007FF715391000-memory.dmp	xmrig
behavioral2/memory/1384-142-0x00007FF7A5B30000-0x00007FF7A5E81000-memory.dmp	xmrig
behavioral2/memory/2680-140-0x00007FF645CD0000-0x00007FF646021000-memory.dmp	xmrig
behavioral2/memory/4972-149-0x00007FF7B1870000-0x00007FF7B1BC1000-memory.dmp	xmrig
behavioral2/memory/4316-154-0x00007FF6CC590000-0x00007FF6CC8E1000-memory.dmp	xmrig
behavioral2/memory/2460-155-0x00007FF7D1D40000-0x00007FF7D2091000-memory.dmp	xmrig
behavioral2/memory/1716-153-0x00007FF6FF100000-0x00007FF6FF451000-memory.dmp	xmrig
behavioral2/memory/2064-151-0x00007FF683C20000-0x00007FF683F71000-memory.dmp	xmrig
behavioral2/memory/1928-156-0x00007FF607AC0000-0x00007FF607E11000-memory.dmp	xmrig
behavioral2/memory/4708-217-0x00007FF68CE80000-0x00007FF68D1D1000-memory.dmp	xmrig
behavioral2/memory/4180-219-0x00007FF640950000-0x00007FF640CA1000-memory.dmp	xmrig
behavioral2/memory/3652-221-0x00007FF75EF70000-0x00007FF75F2C1000-memory.dmp	xmrig
behavioral2/memory/784-223-0x00007FF699A40000-0x00007FF699D91000-memory.dmp	xmrig
behavioral2/memory/2020-225-0x00007FF778670000-0x00007FF7789C1000-memory.dmp	xmrig
behavioral2/memory/3888-227-0x00007FF65A5C0000-0x00007FF65A911000-memory.dmp	xmrig
behavioral2/memory/3096-230-0x00007FF7777F0000-0x00007FF777B41000-memory.dmp	xmrig
behavioral2/memory/1384-231-0x00007FF7A5B30000-0x00007FF7A5E81000-memory.dmp	xmrig
behavioral2/memory/2680-235-0x00007FF645CD0000-0x00007FF646021000-memory.dmp	xmrig
behavioral2/memory/2024-233-0x00007FF666400000-0x00007FF666751000-memory.dmp	xmrig
behavioral2/memory/4996-238-0x00007FF7201B0000-0x00007FF720501000-memory.dmp	xmrig
behavioral2/memory/1664-243-0x00007FF715040000-0x00007FF715391000-memory.dmp	xmrig
behavioral2/memory/2368-242-0x00007FF7E2220000-0x00007FF7E2571000-memory.dmp	xmrig
behavioral2/memory/1144-240-0x00007FF7E0560000-0x00007FF7E08B1000-memory.dmp	xmrig
behavioral2/memory/4972-250-0x00007FF7B1870000-0x00007FF7B1BC1000-memory.dmp	xmrig
behavioral2/memory/4148-252-0x00007FF7102B0000-0x00007FF710601000-memory.dmp	xmrig
behavioral2/memory/2668-256-0x00007FF65A230000-0x00007FF65A581000-memory.dmp	xmrig
behavioral2/memory/2064-257-0x00007FF683C20000-0x00007FF683F71000-memory.dmp	xmrig
behavioral2/memory/1716-259-0x00007FF6FF100000-0x00007FF6FF451000-memory.dmp	xmrig
behavioral2/memory/4316-261-0x00007FF6CC590000-0x00007FF6CC8E1000-memory.dmp	xmrig
behavioral2/memory/2460-263-0x00007FF7D1D40000-0x00007FF7D2091000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4708	ztASKrX.exe
4180	qcfuXkH.exe
3652	dOsdvHh.exe
784	HWFrGdT.exe
3888	DlqIJUD.exe
2020	JNShUVP.exe
2680	VcViwpi.exe
3096	bXDMPFW.exe
1384	eyxjKau.exe
2024	lxwQaQs.exe
1664	ArzbwPU.exe
2368	RBkTCnI.exe
1144	nGEtNOr.exe
4996	FEHAtFY.exe
4972	KUFNATw.exe
4148	YlRbFcP.exe
2064	CyXgjXq.exe
2668	wTiDTGc.exe
1716	HBYNGWE.exe
4316	rgPdRAS.exe
2460	SfrFayE.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1928-0-0x00007FF607AC0000-0x00007FF607E11000-memory.dmp	upx
behavioral2/files/0x00090000000233e8-4.dat	upx
behavioral2/memory/4708-10-0x00007FF68CE80000-0x00007FF68D1D1000-memory.dmp	upx
behavioral2/files/0x000700000002344c-15.dat	upx
behavioral2/files/0x000700000002344e-18.dat	upx
behavioral2/memory/4180-22-0x00007FF640950000-0x00007FF640CA1000-memory.dmp	upx
behavioral2/files/0x000700000002344f-27.dat	upx
behavioral2/files/0x0007000000023451-39.dat	upx
behavioral2/files/0x0007000000023452-49.dat	upx
behavioral2/files/0x0007000000023454-64.dat	upx
behavioral2/files/0x0007000000023455-71.dat	upx
behavioral2/files/0x0007000000023456-78.dat	upx
behavioral2/memory/1144-82-0x00007FF7E0560000-0x00007FF7E08B1000-memory.dmp	upx
behavioral2/files/0x0007000000023458-85.dat	upx
behavioral2/files/0x0007000000023457-83.dat	upx
behavioral2/memory/4996-81-0x00007FF7201B0000-0x00007FF720501000-memory.dmp	upx
behavioral2/memory/2368-80-0x00007FF7E2220000-0x00007FF7E2571000-memory.dmp	upx
behavioral2/memory/1664-75-0x00007FF715040000-0x00007FF715391000-memory.dmp	upx
behavioral2/memory/2024-70-0x00007FF666400000-0x00007FF666751000-memory.dmp	upx
behavioral2/memory/2680-69-0x00007FF645CD0000-0x00007FF646021000-memory.dmp	upx
behavioral2/memory/1384-60-0x00007FF7A5B30000-0x00007FF7A5E81000-memory.dmp	upx
behavioral2/memory/3096-57-0x00007FF7777F0000-0x00007FF777B41000-memory.dmp	upx
behavioral2/files/0x0007000000023453-61.dat	upx
behavioral2/memory/3888-52-0x00007FF65A5C0000-0x00007FF65A911000-memory.dmp	upx
behavioral2/files/0x0007000000023450-42.dat	upx
behavioral2/memory/2020-37-0x00007FF778670000-0x00007FF7789C1000-memory.dmp	upx
behavioral2/memory/784-36-0x00007FF699A40000-0x00007FF699D91000-memory.dmp	upx
behavioral2/memory/3652-24-0x00007FF75EF70000-0x00007FF75F2C1000-memory.dmp	upx
behavioral2/files/0x000700000002344d-20.dat	upx
behavioral2/memory/4972-92-0x00007FF7B1870000-0x00007FF7B1BC1000-memory.dmp	upx
behavioral2/files/0x0007000000023459-95.dat	upx
behavioral2/files/0x000700000002345b-102.dat	upx
behavioral2/files/0x000700000002345e-114.dat	upx
behavioral2/memory/4180-117-0x00007FF640950000-0x00007FF640CA1000-memory.dmp	upx
behavioral2/memory/1716-118-0x00007FF6FF100000-0x00007FF6FF451000-memory.dmp	upx
behavioral2/files/0x000700000002345f-115.dat	upx
behavioral2/files/0x000700000002345d-113.dat	upx
behavioral2/files/0x000700000002345c-111.dat	upx
behavioral2/memory/2064-110-0x00007FF683C20000-0x00007FF683F71000-memory.dmp	upx
behavioral2/memory/4148-107-0x00007FF7102B0000-0x00007FF710601000-memory.dmp	upx
behavioral2/memory/4708-106-0x00007FF68CE80000-0x00007FF68D1D1000-memory.dmp	upx
behavioral2/memory/1928-98-0x00007FF607AC0000-0x00007FF607E11000-memory.dmp	upx
behavioral2/files/0x0008000000023449-99.dat	upx
behavioral2/memory/4316-124-0x00007FF6CC590000-0x00007FF6CC8E1000-memory.dmp	upx
behavioral2/memory/784-131-0x00007FF699A40000-0x00007FF699D91000-memory.dmp	upx
behavioral2/memory/3652-132-0x00007FF75EF70000-0x00007FF75F2C1000-memory.dmp	upx
behavioral2/memory/2668-130-0x00007FF65A230000-0x00007FF65A581000-memory.dmp	upx
behavioral2/memory/2460-129-0x00007FF7D1D40000-0x00007FF7D2091000-memory.dmp	upx
behavioral2/memory/1928-133-0x00007FF607AC0000-0x00007FF607E11000-memory.dmp	upx
behavioral2/memory/2368-145-0x00007FF7E2220000-0x00007FF7E2571000-memory.dmp	upx
behavioral2/memory/1144-146-0x00007FF7E0560000-0x00007FF7E08B1000-memory.dmp	upx
behavioral2/memory/4996-148-0x00007FF7201B0000-0x00007FF720501000-memory.dmp	upx
behavioral2/memory/2020-147-0x00007FF778670000-0x00007FF7789C1000-memory.dmp	upx
behavioral2/memory/1664-144-0x00007FF715040000-0x00007FF715391000-memory.dmp	upx
behavioral2/memory/1384-142-0x00007FF7A5B30000-0x00007FF7A5E81000-memory.dmp	upx
behavioral2/memory/2680-140-0x00007FF645CD0000-0x00007FF646021000-memory.dmp	upx
behavioral2/memory/4972-149-0x00007FF7B1870000-0x00007FF7B1BC1000-memory.dmp	upx
behavioral2/memory/4316-154-0x00007FF6CC590000-0x00007FF6CC8E1000-memory.dmp	upx
behavioral2/memory/2460-155-0x00007FF7D1D40000-0x00007FF7D2091000-memory.dmp	upx
behavioral2/memory/1716-153-0x00007FF6FF100000-0x00007FF6FF451000-memory.dmp	upx
behavioral2/memory/2064-151-0x00007FF683C20000-0x00007FF683F71000-memory.dmp	upx
behavioral2/memory/1928-156-0x00007FF607AC0000-0x00007FF607E11000-memory.dmp	upx
behavioral2/memory/4708-217-0x00007FF68CE80000-0x00007FF68D1D1000-memory.dmp	upx
behavioral2/memory/4180-219-0x00007FF640950000-0x00007FF640CA1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\qcfuXkH.exe	2024-08-24_5d94a4a5df29d18f1dcf742580811a0f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JNShUVP.exe	2024-08-24_5d94a4a5df29d18f1dcf742580811a0f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lxwQaQs.exe	2024-08-24_5d94a4a5df29d18f1dcf742580811a0f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KUFNATw.exe	2024-08-24_5d94a4a5df29d18f1dcf742580811a0f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ztASKrX.exe	2024-08-24_5d94a4a5df29d18f1dcf742580811a0f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bXDMPFW.exe	2024-08-24_5d94a4a5df29d18f1dcf742580811a0f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eyxjKau.exe	2024-08-24_5d94a4a5df29d18f1dcf742580811a0f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ArzbwPU.exe	2024-08-24_5d94a4a5df29d18f1dcf742580811a0f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SfrFayE.exe	2024-08-24_5d94a4a5df29d18f1dcf742580811a0f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dOsdvHh.exe	2024-08-24_5d94a4a5df29d18f1dcf742580811a0f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nGEtNOr.exe	2024-08-24_5d94a4a5df29d18f1dcf742580811a0f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FEHAtFY.exe	2024-08-24_5d94a4a5df29d18f1dcf742580811a0f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YlRbFcP.exe	2024-08-24_5d94a4a5df29d18f1dcf742580811a0f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wTiDTGc.exe	2024-08-24_5d94a4a5df29d18f1dcf742580811a0f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HBYNGWE.exe	2024-08-24_5d94a4a5df29d18f1dcf742580811a0f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rgPdRAS.exe	2024-08-24_5d94a4a5df29d18f1dcf742580811a0f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DlqIJUD.exe	2024-08-24_5d94a4a5df29d18f1dcf742580811a0f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VcViwpi.exe	2024-08-24_5d94a4a5df29d18f1dcf742580811a0f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RBkTCnI.exe	2024-08-24_5d94a4a5df29d18f1dcf742580811a0f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CyXgjXq.exe	2024-08-24_5d94a4a5df29d18f1dcf742580811a0f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HWFrGdT.exe	2024-08-24_5d94a4a5df29d18f1dcf742580811a0f_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1928	2024-08-24_5d94a4a5df29d18f1dcf742580811a0f_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	1928	2024-08-24_5d94a4a5df29d18f1dcf742580811a0f_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1928 wrote to memory of 4708	1928	2024-08-24_5d94a4a5df29d18f1dcf742580811a0f_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 1928 wrote to memory of 4708	1928	2024-08-24_5d94a4a5df29d18f1dcf742580811a0f_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 1928 wrote to memory of 4180	1928	2024-08-24_5d94a4a5df29d18f1dcf742580811a0f_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 1928 wrote to memory of 4180	1928	2024-08-24_5d94a4a5df29d18f1dcf742580811a0f_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 1928 wrote to memory of 3652	1928	2024-08-24_5d94a4a5df29d18f1dcf742580811a0f_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 1928 wrote to memory of 3652	1928	2024-08-24_5d94a4a5df29d18f1dcf742580811a0f_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 1928 wrote to memory of 784	1928	2024-08-24_5d94a4a5df29d18f1dcf742580811a0f_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 1928 wrote to memory of 784	1928	2024-08-24_5d94a4a5df29d18f1dcf742580811a0f_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 1928 wrote to memory of 3888	1928	2024-08-24_5d94a4a5df29d18f1dcf742580811a0f_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 1928 wrote to memory of 3888	1928	2024-08-24_5d94a4a5df29d18f1dcf742580811a0f_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 1928 wrote to memory of 2020	1928	2024-08-24_5d94a4a5df29d18f1dcf742580811a0f_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1928 wrote to memory of 2020	1928	2024-08-24_5d94a4a5df29d18f1dcf742580811a0f_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1928 wrote to memory of 2680	1928	2024-08-24_5d94a4a5df29d18f1dcf742580811a0f_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1928 wrote to memory of 2680	1928	2024-08-24_5d94a4a5df29d18f1dcf742580811a0f_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1928 wrote to memory of 3096	1928	2024-08-24_5d94a4a5df29d18f1dcf742580811a0f_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1928 wrote to memory of 3096	1928	2024-08-24_5d94a4a5df29d18f1dcf742580811a0f_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1928 wrote to memory of 1384	1928	2024-08-24_5d94a4a5df29d18f1dcf742580811a0f_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1928 wrote to memory of 1384	1928	2024-08-24_5d94a4a5df29d18f1dcf742580811a0f_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1928 wrote to memory of 2024	1928	2024-08-24_5d94a4a5df29d18f1dcf742580811a0f_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 1928 wrote to memory of 2024	1928	2024-08-24_5d94a4a5df29d18f1dcf742580811a0f_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 1928 wrote to memory of 1664	1928	2024-08-24_5d94a4a5df29d18f1dcf742580811a0f_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1928 wrote to memory of 1664	1928	2024-08-24_5d94a4a5df29d18f1dcf742580811a0f_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1928 wrote to memory of 2368	1928	2024-08-24_5d94a4a5df29d18f1dcf742580811a0f_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1928 wrote to memory of 2368	1928	2024-08-24_5d94a4a5df29d18f1dcf742580811a0f_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1928 wrote to memory of 1144	1928	2024-08-24_5d94a4a5df29d18f1dcf742580811a0f_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 1928 wrote to memory of 1144	1928	2024-08-24_5d94a4a5df29d18f1dcf742580811a0f_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 1928 wrote to memory of 4996	1928	2024-08-24_5d94a4a5df29d18f1dcf742580811a0f_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1928 wrote to memory of 4996	1928	2024-08-24_5d94a4a5df29d18f1dcf742580811a0f_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1928 wrote to memory of 4972	1928	2024-08-24_5d94a4a5df29d18f1dcf742580811a0f_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1928 wrote to memory of 4972	1928	2024-08-24_5d94a4a5df29d18f1dcf742580811a0f_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1928 wrote to memory of 4148	1928	2024-08-24_5d94a4a5df29d18f1dcf742580811a0f_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1928 wrote to memory of 4148	1928	2024-08-24_5d94a4a5df29d18f1dcf742580811a0f_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1928 wrote to memory of 2064	1928	2024-08-24_5d94a4a5df29d18f1dcf742580811a0f_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1928 wrote to memory of 2064	1928	2024-08-24_5d94a4a5df29d18f1dcf742580811a0f_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1928 wrote to memory of 2668	1928	2024-08-24_5d94a4a5df29d18f1dcf742580811a0f_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1928 wrote to memory of 2668	1928	2024-08-24_5d94a4a5df29d18f1dcf742580811a0f_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1928 wrote to memory of 1716	1928	2024-08-24_5d94a4a5df29d18f1dcf742580811a0f_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 1928 wrote to memory of 1716	1928	2024-08-24_5d94a4a5df29d18f1dcf742580811a0f_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 1928 wrote to memory of 4316	1928	2024-08-24_5d94a4a5df29d18f1dcf742580811a0f_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 1928 wrote to memory of 4316	1928	2024-08-24_5d94a4a5df29d18f1dcf742580811a0f_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 1928 wrote to memory of 2460	1928	2024-08-24_5d94a4a5df29d18f1dcf742580811a0f_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 1928 wrote to memory of 2460	1928	2024-08-24_5d94a4a5df29d18f1dcf742580811a0f_cobalt-strike_cobaltstrike_poet-rat.exe	105

C:\Users\Admin\AppData\Local\Temp\2024-08-24_5d94a4a5df29d18f1dcf742580811a0f_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-24_5d94a4a5df29d18f1dcf742580811a0f_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Windows\System\ztASKrX.exe
  C:\Windows\System\ztASKrX.exe
  2⤵
  - Executes dropped EXE
  PID:4708
- C:\Windows\System\qcfuXkH.exe
  C:\Windows\System\qcfuXkH.exe
  2⤵
  - Executes dropped EXE
  PID:4180
- C:\Windows\System\dOsdvHh.exe
  C:\Windows\System\dOsdvHh.exe
  2⤵
  - Executes dropped EXE
  PID:3652
- C:\Windows\System\HWFrGdT.exe
  C:\Windows\System\HWFrGdT.exe
  2⤵
  - Executes dropped EXE
  PID:784
- C:\Windows\System\DlqIJUD.exe
  C:\Windows\System\DlqIJUD.exe
  2⤵
  - Executes dropped EXE
  PID:3888
- C:\Windows\System\JNShUVP.exe
  C:\Windows\System\JNShUVP.exe
  2⤵
  - Executes dropped EXE
  PID:2020
- C:\Windows\System\VcViwpi.exe
  C:\Windows\System\VcViwpi.exe
  2⤵
  - Executes dropped EXE
  PID:2680
- C:\Windows\System\bXDMPFW.exe
  C:\Windows\System\bXDMPFW.exe
  2⤵
  - Executes dropped EXE
  PID:3096
- C:\Windows\System\eyxjKau.exe
  C:\Windows\System\eyxjKau.exe
  2⤵
  - Executes dropped EXE
  PID:1384
- C:\Windows\System\lxwQaQs.exe
  C:\Windows\System\lxwQaQs.exe
  2⤵
  - Executes dropped EXE
  PID:2024
- C:\Windows\System\ArzbwPU.exe
  C:\Windows\System\ArzbwPU.exe
  2⤵
  - Executes dropped EXE
  PID:1664
- C:\Windows\System\RBkTCnI.exe
  C:\Windows\System\RBkTCnI.exe
  2⤵
  - Executes dropped EXE
  PID:2368
- C:\Windows\System\nGEtNOr.exe
  C:\Windows\System\nGEtNOr.exe
  2⤵
  - Executes dropped EXE
  PID:1144
- C:\Windows\System\FEHAtFY.exe
  C:\Windows\System\FEHAtFY.exe
  2⤵
  - Executes dropped EXE
  PID:4996
- C:\Windows\System\KUFNATw.exe
  C:\Windows\System\KUFNATw.exe
  2⤵
  - Executes dropped EXE
  PID:4972
- C:\Windows\System\YlRbFcP.exe
  C:\Windows\System\YlRbFcP.exe
  2⤵
  - Executes dropped EXE
  PID:4148
- C:\Windows\System\CyXgjXq.exe
  C:\Windows\System\CyXgjXq.exe
  2⤵
  - Executes dropped EXE
  PID:2064
- C:\Windows\System\wTiDTGc.exe
  C:\Windows\System\wTiDTGc.exe
  2⤵
  - Executes dropped EXE
  PID:2668
- C:\Windows\System\HBYNGWE.exe
  C:\Windows\System\HBYNGWE.exe
  2⤵
  - Executes dropped EXE
  PID:1716
- C:\Windows\System\rgPdRAS.exe
  C:\Windows\System\rgPdRAS.exe
  2⤵
  - Executes dropped EXE
  PID:4316
- C:\Windows\System\SfrFayE.exe
  C:\Windows\System\SfrFayE.exe
  2⤵
  - Executes dropped EXE
  PID:2460

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\ArzbwPU.exe

Filesize
5.2MB

MD5
9fe37fe7db79d7d69c328dfa8b4cea8b

SHA1
f31479fbcfe2d8cea91d0cd0d6577d055452e38b

SHA256
331dce205565a45150c2b7b8bfa223624b53041ad067d13548f04519759e6bb5

SHA512
2509a5e3f9feb6d1791cd7c736e96f35e480c5c5365f18e48972b370f14f9468ee2c55c5293e7ed1a3f702d15c1df26c540b052f92eb625df84a6743b09b0c7e

Download Submit
C:\Windows\System\CyXgjXq.exe

Filesize
5.2MB

MD5
493d2a4a42c69fef30e4ed79b57cec6f

SHA1
74e84456a95557c6109af377d41c4f23825e15e1

SHA256
3aa542b551ab287dd703afd9b89147ccb40df108bba37fcb54d5fdf1089996e1

SHA512
10eb0067eb55d6515ef37f0644ac968d94b21db22f7745f58eff6ad1633d4b67dc17b8044e85074e4c75cdfe87e2e06d246c427c538063028506af1f80aa020b

Download Submit
C:\Windows\System\DlqIJUD.exe

Filesize
5.2MB

MD5
9cc8319358ae1dfee933c9cd23ca3903

SHA1
5a4603ca16adf77a0c2659b86108d0b35ce3fd1b

SHA256
28b68427bd0374eba12dce4fea508e56bdd7d4f49abb65176ad7af187c99def4

SHA512
93d225d8bb6da2b7c8492ac308ed45a7f56f7f5f6292a07c962a0b15419fac096fc580ce3476fb9f5f79e07946dcce14578efaf710802862d14f92b7c6abc329

Download Submit
C:\Windows\System\FEHAtFY.exe

Filesize
5.2MB

MD5
79ec01e0739a8dd76733d5cbf68a0664

SHA1
05c8347adb56c7c612c49344d0b180888ddc0c00

SHA256
1eb67e120cecbd4d66641a1b8ab7f4bf675d1f691947622414334e345984853b

SHA512
42e2f5be872e5122ecbe5816d3fe1a2b0b8af9b2c1983b7f6dea156b576ea7e5f4a234716ca7e9bed6327be4389c55e0b4701d34a63d17c33ba26219ccca55a7

Download Submit
C:\Windows\System\HBYNGWE.exe

Filesize
5.2MB

MD5
f70d1fb36ce9d370ee282db44f45a512

SHA1
01538a378171f68b4c8954621206a0e69298b092

SHA256
a66d6fe4b59e6f2dcdcfca76b70d8fb2a8bd12836bde0e829f2068729cb687db

SHA512
e57d7ec3fd1f1ddcd0d7feeac436a560101e42280b6fba26a7f96a96ed34320a83b6b686392122c74a800c8a42edb43b2e24302cf68186aca78de24926c5ce91

Download Submit
C:\Windows\System\HWFrGdT.exe

Filesize
5.2MB

MD5
4889a7f076a2650c098deaaf96852e72

SHA1
663644dbf9a9289e7cb34075267ce87449b94131

SHA256
f70df68d2200b5d476db40db9f6946e1d10d19b8c53277500c21da3c096ed163

SHA512
7fad7997887cea692b135e7b18b6d5305355c9aeacf11122b7082c2e465ebdaf9652bffe634b8d2bf42801476f9944e4db28f608f963c8c62158902d7577b313

Download Submit
C:\Windows\System\JNShUVP.exe

Filesize
5.2MB

MD5
8be6d0d4cf005b51fffe88850a60f644

SHA1
d5d48978f7e0091ed6d6a0727235a596beb991f6

SHA256
0e4003df151fe9ff1429d1bfa80633c1fd6939f93e3e3c2b3f2088ef30094a94

SHA512
0e16a8e5dea6c81c9b067e585766fd63026ea4b3d7ea78d8ee938555e6b74d8f8f71bcab543c51e51d1c8212ec3e2bd99981f2b2815a5c1cffc390c1f9fa6092

Download Submit
C:\Windows\System\KUFNATw.exe

Filesize
5.2MB

MD5
03e700f9bb803e0224a1cbe1392e7d92

SHA1
398b3e5b84d40d1aaec27e8c75f7de28743591b8

SHA256
605eeb5c9d2d1a63e7c0ef21c224cf4af8be25edb4dfd3261e76f248fcb1112f

SHA512
c308d87a5b9b9140b43ef3bcc84a1b4bcd9595169688ea62379c60cee6205a7f6f40e20221c77f866db1d02a5df4cb4218ec0b4d396d0dab1026f1bf6d2e0300

Download Submit
C:\Windows\System\RBkTCnI.exe

Filesize
5.2MB

MD5
a30a8600f2a0408ca531af9540832607

SHA1
23540d95209ac4ae30ae6e170fa68e4596b24442

SHA256
2426afe404d3abcfa540f9ad0e429c3de91a8eb5c4f7f5f0a36c12fdd2223021

SHA512
a1a6c920d1f8a355edc1637c3971d9b6f11daafe95987257cc8d3eab69876c328188e8379d9ec20ca6e5d7b84e8cf6b05ea8682e894dace761f538c5b47cb669

Download Submit
C:\Windows\System\SfrFayE.exe

Filesize
5.2MB

MD5
33552af028a0804295cbf3ee620f34c8

SHA1
a7d5803e56052c698e7b96e67333770602936aa9

SHA256
783903dc696893ff946da62be2ec7f5f1316ebbc80ff27c6f6f213e6924b64f0

SHA512
8100660554c942f1243147e919d39aaa51e766eb8b73e55d551f195bf8ab11ac8e1fe9d563a1a2081e6121783267ec4e56673d0bbe068003b31828a9cdddc10f

Download Submit
C:\Windows\System\VcViwpi.exe

Filesize
5.2MB

MD5
8256192ec4ef3b7c7ad13fc7d3fd0482

SHA1
5667f9c237fb9cce7b1981fc11a3e3b3cfc1f7a5

SHA256
d6047d603690d3c500c396f06d7aa75ba46364c658f631a5c76c841625a90ed1

SHA512
3dda9576f64b3268647e37c7f800f8fd2bfa5020dca151b9d2bc9fa9a123f6d4e276a8c89e137e2c8e3778cb1d07a8c5e71102d5a3090f8849915cdf242150d9

Download Submit
C:\Windows\System\YlRbFcP.exe

Filesize
5.2MB

MD5
6d1ebe0115f24b71ec2378351793eed3

SHA1
f0a7f15068e02ff9becb7e5e7b3d016ec7def453

SHA256
8542fde81050e7fceafb08757342eaee61b8ce30adf7e131e98217c88eb465c3

SHA512
ea99e738291b73f03469b7358489a1ec4343addb25c29a991939dacf1e8ae5d71c98ee5bcae3dbc5a136200f19f08cff44599967c7f06b95ee5a7c02c487321f

Download Submit
C:\Windows\System\bXDMPFW.exe

Filesize
5.2MB

MD5
85ea1ee886e72dfe208d74a699fefef1

SHA1
544952f4e082dd9479720d4fe8a6377c6f124746

SHA256
ad81bead7c5e630a55dae72c7d3839c86b24f59a64fea6b9762c8b55e2f1da7e

SHA512
4ff3ddb5749fbfcfe89ace2d0fdf05c768f3334992d9359ccfb772fe1f5757867daacd0cc3fee5c1342a32a6ef28ec8738df9d9c95bb07d8e953b16d25038a35

Download Submit
C:\Windows\System\dOsdvHh.exe

Filesize
5.2MB

MD5
1b419b4a7c021c33f1b8225a472217ec

SHA1
5b52d0b052c24a0882bc82714b79eebaeb760b38

SHA256
6e2afed7d341e7c38144c495332e85b717c7a64511d4b4c8277d2fe2e7bed43c

SHA512
3aed70dc79ff26db381456932ef58aa5755ce5d91c14f8ef0ac0d91c105abd11a5694496992ccc552e567aaebe56e837e9f47f9fde682fa0e892395498c220aa

Download Submit
C:\Windows\System\eyxjKau.exe

Filesize
5.2MB

MD5
7a74e130786fe8d3dd3b8bfc7e821c23

SHA1
67fed9bfe2cee06714d582413a71c9af1602b472

SHA256
63b36971a14605b3123057950ff35d623dab1803d6800b5fc56127485577f0ee

SHA512
e875e9ffb209f15338ee6e264924b1c9b556fbe95bd916dfaf82654387cdcc963ff1588e2f4fb180b5fd079a14293001b4930a15209a46f7bd0ef7ebd0ba4b63

Download Submit
C:\Windows\System\lxwQaQs.exe

Filesize
5.2MB

MD5
b9e66cc6f919f2398f3299b8d1a09cd5

SHA1
f5a752837a5ade8976edb9f74b042f339e5e2977

SHA256
3dc8de925e56c925d56711b1698423ad73d5e3a436152bb493b450e1d2a9c298

SHA512
3ead80fe63c64652e54e44a6c8ecd772d3a17db03d61fc1732fe41c59cf03b3fa0f8f8c7298bf903852084eae2b8c04b7f64365c9a8d1e2ebdb77cca0720985e

Download Submit
C:\Windows\System\nGEtNOr.exe

Filesize
5.2MB

MD5
f9a9d51cb64785e00961d77c2ba14953

SHA1
96dffe27fa1f0c2c5b406a70234fc5da8d1da756

SHA256
09201b95e50ed265481505502a9f41d3c4b9a20ebdd201f1c08e2e6e0331c554

SHA512
e545f8b0b5e2ca25b8038cc9bc779754cd4a0a3d88ce6484cb5bf3823366a01042a4ef872dfb80b5ee66a7a945913dbb075e03350d716c677dc744b6832089ee

Download Submit
C:\Windows\System\qcfuXkH.exe

Filesize
5.2MB

MD5
c953d8973a242fce4970476492e54d60

SHA1
a8bbe8ee3764ea4ca9e7aa0d1c29689b1e5a98ef

SHA256
60a61ee391f0dfa5d01c73023039991d6cfda1a10f9f56246b0e044c780ef7f0

SHA512
9e91c7f779143231678964013a7f00bc3aa232a823e220855303073fd55aa83aca5dc15b43381ae905254e9c0138cb2125b1d2b4a7dbc58daa97ce75619a1172

Download Submit
C:\Windows\System\rgPdRAS.exe

Filesize
5.2MB

MD5
08ee51aa7f5a9a2b28327b77907200ab

SHA1
fb5262f825a7d7fe0a1d7149dd59c9124e95d5d0

SHA256
7f93149b9b461a88ae932ba793397ad46e76074c966f6dd46bddfbaa9b7b9765

SHA512
f901037f5dbe9e84f58fde9e5229c2f86d215786bf36c567dabf0eb07aeef405d40c3eddd34e3a88d10786ddd695756f6ed311fea1e6bce19b33f0dc6fa910ff

Download Submit
C:\Windows\System\wTiDTGc.exe

Filesize
5.2MB

MD5
788e1f4a0f4a57d02039bae3a86fafd3

SHA1
f8eb4ad6729fce413179225ad740036e5c51f589

SHA256
79ff3d8d77cc48fae2eb0a3e8417da4cb069aaf3110c755987c67fae214d48df

SHA512
f04e86607f54bd541863e8312441b4388952b3eb3efb0e6c9628274f5a32565d767c0fd023b27fc47f622c9618d1bb6540af65b99e079dcbe15214b99bb9ee3b

Download Submit
C:\Windows\System\ztASKrX.exe

Filesize
5.2MB

MD5
6550590f5725a140e59d3351bf01bd63

SHA1
79a730142a7c42d30fd7a211adf911cfadacc492

SHA256
f7a768098e13f7305184ef8fb79e6241bceeb957d80e6efc78f6ea6949de418e

SHA512
2b61ca58f8ade1c42a0aea68de0110d11f61ff03efebe331085c9f38386ddecea126a614fe4fad742d67a8efa23802077387b58b50b0bce6a5c67e570fa75612

Download Submit
memory/784-36-0x00007FF699A40000-0x00007FF699D91000-memory.dmp

Filesize
3.3MB

Download
memory/784-223-0x00007FF699A40000-0x00007FF699D91000-memory.dmp

Filesize
3.3MB

Download
memory/784-131-0x00007FF699A40000-0x00007FF699D91000-memory.dmp

Filesize
3.3MB

Download
memory/1144-82-0x00007FF7E0560000-0x00007FF7E08B1000-memory.dmp

Filesize
3.3MB

Download
memory/1144-240-0x00007FF7E0560000-0x00007FF7E08B1000-memory.dmp

Filesize
3.3MB

Download
memory/1144-146-0x00007FF7E0560000-0x00007FF7E08B1000-memory.dmp

Filesize
3.3MB

Download
memory/1384-60-0x00007FF7A5B30000-0x00007FF7A5E81000-memory.dmp

Filesize
3.3MB

Download
memory/1384-231-0x00007FF7A5B30000-0x00007FF7A5E81000-memory.dmp

Filesize
3.3MB

Download
memory/1384-142-0x00007FF7A5B30000-0x00007FF7A5E81000-memory.dmp

Filesize
3.3MB

Download
memory/1664-75-0x00007FF715040000-0x00007FF715391000-memory.dmp

Filesize
3.3MB

Download
memory/1664-243-0x00007FF715040000-0x00007FF715391000-memory.dmp

Filesize
3.3MB

Download
memory/1664-144-0x00007FF715040000-0x00007FF715391000-memory.dmp

Filesize
3.3MB

Download
memory/1716-153-0x00007FF6FF100000-0x00007FF6FF451000-memory.dmp

Filesize
3.3MB

Download
memory/1716-259-0x00007FF6FF100000-0x00007FF6FF451000-memory.dmp

Filesize
3.3MB

Download
memory/1716-118-0x00007FF6FF100000-0x00007FF6FF451000-memory.dmp

Filesize
3.3MB

Download
memory/1928-156-0x00007FF607AC0000-0x00007FF607E11000-memory.dmp

Filesize
3.3MB

Download
memory/1928-133-0x00007FF607AC0000-0x00007FF607E11000-memory.dmp

Filesize
3.3MB

Download
memory/1928-0-0x00007FF607AC0000-0x00007FF607E11000-memory.dmp

Filesize
3.3MB

Download
memory/1928-98-0x00007FF607AC0000-0x00007FF607E11000-memory.dmp

Filesize
3.3MB

Download
memory/1928-1-0x000001A548B40000-0x000001A548B50000-memory.dmp

Filesize
64KB

Download
memory/2020-37-0x00007FF778670000-0x00007FF7789C1000-memory.dmp

Filesize
3.3MB

Download
memory/2020-147-0x00007FF778670000-0x00007FF7789C1000-memory.dmp

Filesize
3.3MB

Download
memory/2020-225-0x00007FF778670000-0x00007FF7789C1000-memory.dmp

Filesize
3.3MB

Download
memory/2024-233-0x00007FF666400000-0x00007FF666751000-memory.dmp

Filesize
3.3MB

Download
memory/2024-70-0x00007FF666400000-0x00007FF666751000-memory.dmp

Filesize
3.3MB

Download
memory/2064-151-0x00007FF683C20000-0x00007FF683F71000-memory.dmp

Filesize
3.3MB

Download
memory/2064-257-0x00007FF683C20000-0x00007FF683F71000-memory.dmp

Filesize
3.3MB

Download
memory/2064-110-0x00007FF683C20000-0x00007FF683F71000-memory.dmp

Filesize
3.3MB

Download
memory/2368-145-0x00007FF7E2220000-0x00007FF7E2571000-memory.dmp

Filesize
3.3MB

Download
memory/2368-242-0x00007FF7E2220000-0x00007FF7E2571000-memory.dmp

Filesize
3.3MB

Download
memory/2368-80-0x00007FF7E2220000-0x00007FF7E2571000-memory.dmp

Filesize
3.3MB

Download
memory/2460-129-0x00007FF7D1D40000-0x00007FF7D2091000-memory.dmp

Filesize
3.3MB

Download
memory/2460-155-0x00007FF7D1D40000-0x00007FF7D2091000-memory.dmp

Filesize
3.3MB

Download
memory/2460-263-0x00007FF7D1D40000-0x00007FF7D2091000-memory.dmp

Filesize
3.3MB

Download
memory/2668-130-0x00007FF65A230000-0x00007FF65A581000-memory.dmp

Filesize
3.3MB

Download
memory/2668-256-0x00007FF65A230000-0x00007FF65A581000-memory.dmp

Filesize
3.3MB

Download
memory/2680-69-0x00007FF645CD0000-0x00007FF646021000-memory.dmp

Filesize
3.3MB

Download
memory/2680-140-0x00007FF645CD0000-0x00007FF646021000-memory.dmp

Filesize
3.3MB

Download
memory/2680-235-0x00007FF645CD0000-0x00007FF646021000-memory.dmp

Filesize
3.3MB

Download
memory/3096-57-0x00007FF7777F0000-0x00007FF777B41000-memory.dmp

Filesize
3.3MB

Download
memory/3096-230-0x00007FF7777F0000-0x00007FF777B41000-memory.dmp

Filesize
3.3MB

Download
memory/3652-132-0x00007FF75EF70000-0x00007FF75F2C1000-memory.dmp

Filesize
3.3MB

Download
memory/3652-24-0x00007FF75EF70000-0x00007FF75F2C1000-memory.dmp

Filesize
3.3MB

Download
memory/3652-221-0x00007FF75EF70000-0x00007FF75F2C1000-memory.dmp

Filesize
3.3MB

Download
memory/3888-227-0x00007FF65A5C0000-0x00007FF65A911000-memory.dmp

Filesize
3.3MB

Download
memory/3888-52-0x00007FF65A5C0000-0x00007FF65A911000-memory.dmp

Filesize
3.3MB

Download
memory/4148-107-0x00007FF7102B0000-0x00007FF710601000-memory.dmp

Filesize
3.3MB

Download
memory/4148-252-0x00007FF7102B0000-0x00007FF710601000-memory.dmp

Filesize
3.3MB

Download
memory/4180-219-0x00007FF640950000-0x00007FF640CA1000-memory.dmp

Filesize
3.3MB

Download
memory/4180-117-0x00007FF640950000-0x00007FF640CA1000-memory.dmp

Filesize
3.3MB

Download
memory/4180-22-0x00007FF640950000-0x00007FF640CA1000-memory.dmp

Filesize
3.3MB

Download
memory/4316-124-0x00007FF6CC590000-0x00007FF6CC8E1000-memory.dmp

Filesize
3.3MB

Download
memory/4316-154-0x00007FF6CC590000-0x00007FF6CC8E1000-memory.dmp

Filesize
3.3MB

Download
memory/4316-261-0x00007FF6CC590000-0x00007FF6CC8E1000-memory.dmp

Filesize
3.3MB

Download
memory/4708-10-0x00007FF68CE80000-0x00007FF68D1D1000-memory.dmp

Filesize
3.3MB

Download
memory/4708-217-0x00007FF68CE80000-0x00007FF68D1D1000-memory.dmp

Filesize
3.3MB

Download
memory/4708-106-0x00007FF68CE80000-0x00007FF68D1D1000-memory.dmp

Filesize
3.3MB

Download
memory/4972-92-0x00007FF7B1870000-0x00007FF7B1BC1000-memory.dmp

Filesize
3.3MB

Download
memory/4972-149-0x00007FF7B1870000-0x00007FF7B1BC1000-memory.dmp

Filesize
3.3MB

Download
memory/4972-250-0x00007FF7B1870000-0x00007FF7B1BC1000-memory.dmp

Filesize
3.3MB

Download
memory/4996-148-0x00007FF7201B0000-0x00007FF720501000-memory.dmp

Filesize
3.3MB

Download
memory/4996-81-0x00007FF7201B0000-0x00007FF720501000-memory.dmp

Filesize
3.3MB

Download
memory/4996-238-0x00007FF7201B0000-0x00007FF720501000-memory.dmp

Filesize
3.3MB

Download