cobaltstrike | 5f424e43ef0b5a411c0fee9be36cb2ec18d35e826f122a344ecafc4f0bcb256e

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/08/2024, 01:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

cf5f6f616b7eefcfc67b4abbcc76bb18
SHA1

56a092115100bfd01d322af3308160d3e3eb2ea9
SHA256

5f424e43ef0b5a411c0fee9be36cb2ec18d35e826f122a344ecafc4f0bcb256e
SHA512

dd2a58d7c3a234e546f2415efc4f4afdd22a0c913b927036ad2d1e6a454b6337ae6e1013cc6951516ca152a6bb18641836c65b4169a98713833ea453a7718a9d
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l0:RWWBibf56utgpPFotBER/mQ32lUA

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x00070000000234a6-11.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234a7-24.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234a8-29.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234a9-34.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234aa-40.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234a5-12.dat	cobalt_reflective_dll
behavioral2/files/0x000900000002348e-6.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ab-48.dat	cobalt_reflective_dll
behavioral2/files/0x0002000000022b23-52.dat	cobalt_reflective_dll
behavioral2/files/0x0002000000022b25-65.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ac-73.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ad-93.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234b5-116.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234b3-121.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234b2-119.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234b4-122.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234b0-114.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234af-105.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234b1-99.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ae-80.dat	cobalt_reflective_dll
behavioral2/files/0x00080000000234a2-72.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/4464-44-0x00007FF73F490000-0x00007FF73F7E1000-memory.dmp	xmrig
behavioral2/memory/4576-111-0x00007FF62D6E0000-0x00007FF62DA31000-memory.dmp	xmrig
behavioral2/memory/4092-117-0x00007FF6CF280000-0x00007FF6CF5D1000-memory.dmp	xmrig
behavioral2/memory/3872-128-0x00007FF7DE6D0000-0x00007FF7DEA21000-memory.dmp	xmrig
behavioral2/memory/772-129-0x00007FF664C60000-0x00007FF664FB1000-memory.dmp	xmrig
behavioral2/memory/940-131-0x00007FF7AD4F0000-0x00007FF7AD841000-memory.dmp	xmrig
behavioral2/memory/4444-130-0x00007FF70F730000-0x00007FF70FA81000-memory.dmp	xmrig
behavioral2/memory/848-127-0x00007FF7ED140000-0x00007FF7ED491000-memory.dmp	xmrig
behavioral2/memory/4260-104-0x00007FF6A7CF0000-0x00007FF6A8041000-memory.dmp	xmrig
behavioral2/memory/4344-101-0x00007FF7639A0000-0x00007FF763CF1000-memory.dmp	xmrig
behavioral2/memory/4912-69-0x00007FF769E60000-0x00007FF76A1B1000-memory.dmp	xmrig
behavioral2/memory/4636-62-0x00007FF7838E0000-0x00007FF783C31000-memory.dmp	xmrig
behavioral2/memory/948-132-0x00007FF617370000-0x00007FF6176C1000-memory.dmp	xmrig
behavioral2/memory/2356-141-0x00007FF602510000-0x00007FF602861000-memory.dmp	xmrig
behavioral2/memory/2176-143-0x00007FF6853F0000-0x00007FF685741000-memory.dmp	xmrig
behavioral2/memory/3356-142-0x00007FF614860000-0x00007FF614BB1000-memory.dmp	xmrig
behavioral2/memory/4636-133-0x00007FF7838E0000-0x00007FF783C31000-memory.dmp	xmrig
behavioral2/memory/628-144-0x00007FF7C8070000-0x00007FF7C83C1000-memory.dmp	xmrig
behavioral2/memory/4596-150-0x00007FF6F0BF0000-0x00007FF6F0F41000-memory.dmp	xmrig
behavioral2/memory/4952-145-0x00007FF617BE0000-0x00007FF617F31000-memory.dmp	xmrig
behavioral2/memory/1164-148-0x00007FF66F040000-0x00007FF66F391000-memory.dmp	xmrig
behavioral2/memory/1920-146-0x00007FF7C9BC0000-0x00007FF7C9F11000-memory.dmp	xmrig
behavioral2/memory/4864-154-0x00007FF6FC0A0000-0x00007FF6FC3F1000-memory.dmp	xmrig
behavioral2/memory/4636-157-0x00007FF7838E0000-0x00007FF783C31000-memory.dmp	xmrig
behavioral2/memory/4344-210-0x00007FF7639A0000-0x00007FF763CF1000-memory.dmp	xmrig
behavioral2/memory/772-212-0x00007FF664C60000-0x00007FF664FB1000-memory.dmp	xmrig
behavioral2/memory/948-214-0x00007FF617370000-0x00007FF6176C1000-memory.dmp	xmrig
behavioral2/memory/3356-219-0x00007FF614860000-0x00007FF614BB1000-memory.dmp	xmrig
behavioral2/memory/4912-208-0x00007FF769E60000-0x00007FF76A1B1000-memory.dmp	xmrig
behavioral2/memory/2176-221-0x00007FF6853F0000-0x00007FF685741000-memory.dmp	xmrig
behavioral2/memory/4464-223-0x00007FF73F490000-0x00007FF73F7E1000-memory.dmp	xmrig
behavioral2/memory/2356-238-0x00007FF602510000-0x00007FF602861000-memory.dmp	xmrig
behavioral2/memory/628-240-0x00007FF7C8070000-0x00007FF7C83C1000-memory.dmp	xmrig
behavioral2/memory/4952-242-0x00007FF617BE0000-0x00007FF617F31000-memory.dmp	xmrig
behavioral2/memory/1920-244-0x00007FF7C9BC0000-0x00007FF7C9F11000-memory.dmp	xmrig
behavioral2/memory/4576-246-0x00007FF62D6E0000-0x00007FF62DA31000-memory.dmp	xmrig
behavioral2/memory/4260-248-0x00007FF6A7CF0000-0x00007FF6A8041000-memory.dmp	xmrig
behavioral2/memory/1164-250-0x00007FF66F040000-0x00007FF66F391000-memory.dmp	xmrig
behavioral2/memory/4092-252-0x00007FF6CF280000-0x00007FF6CF5D1000-memory.dmp	xmrig
behavioral2/memory/4596-254-0x00007FF6F0BF0000-0x00007FF6F0F41000-memory.dmp	xmrig
behavioral2/memory/3872-256-0x00007FF7DE6D0000-0x00007FF7DEA21000-memory.dmp	xmrig
behavioral2/memory/4864-260-0x00007FF6FC0A0000-0x00007FF6FC3F1000-memory.dmp	xmrig
behavioral2/memory/940-264-0x00007FF7AD4F0000-0x00007FF7AD841000-memory.dmp	xmrig
behavioral2/memory/848-262-0x00007FF7ED140000-0x00007FF7ED491000-memory.dmp	xmrig
behavioral2/memory/4444-258-0x00007FF70F730000-0x00007FF70FA81000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4912	umTMdbh.exe
4344	WqcUDip.exe
772	jAbHHeQ.exe
948	xtSSygl.exe
3356	IzzGGmb.exe
2176	fBPqULm.exe
4464	hHKnEgf.exe
2356	jwwihjM.exe
628	lxOShry.exe
4952	iXNwxSI.exe
1920	IzXkIsH.exe
4260	TlfvsIp.exe
1164	mhGatab.exe
4576	EyAZwhy.exe
4596	HvWZFrb.exe
3872	qWRDZLt.exe
4092	xPIghYK.exe
4444	LYyJNUo.exe
4864	GONgPUj.exe
940	uBEVmXX.exe
848	mGPdJNr.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4636-0-0x00007FF7838E0000-0x00007FF783C31000-memory.dmp	upx
behavioral2/files/0x00070000000234a6-11.dat	upx
behavioral2/memory/772-19-0x00007FF664C60000-0x00007FF664FB1000-memory.dmp	upx
behavioral2/files/0x00070000000234a7-24.dat	upx
behavioral2/memory/3356-31-0x00007FF614860000-0x00007FF614BB1000-memory.dmp	upx
behavioral2/files/0x00070000000234a8-29.dat	upx
behavioral2/files/0x00070000000234a9-34.dat	upx
behavioral2/memory/2176-42-0x00007FF6853F0000-0x00007FF685741000-memory.dmp	upx
behavioral2/memory/4464-44-0x00007FF73F490000-0x00007FF73F7E1000-memory.dmp	upx
behavioral2/files/0x00070000000234aa-40.dat	upx
behavioral2/memory/948-25-0x00007FF617370000-0x00007FF6176C1000-memory.dmp	upx
behavioral2/memory/4344-14-0x00007FF7639A0000-0x00007FF763CF1000-memory.dmp	upx
behavioral2/files/0x00070000000234a5-12.dat	upx
behavioral2/memory/4912-8-0x00007FF769E60000-0x00007FF76A1B1000-memory.dmp	upx
behavioral2/files/0x000900000002348e-6.dat	upx
behavioral2/files/0x00070000000234ab-48.dat	upx
behavioral2/files/0x0002000000022b23-52.dat	upx
behavioral2/memory/628-54-0x00007FF7C8070000-0x00007FF7C83C1000-memory.dmp	upx
behavioral2/files/0x0002000000022b25-65.dat	upx
behavioral2/files/0x00070000000234ac-73.dat	upx
behavioral2/memory/1920-77-0x00007FF7C9BC0000-0x00007FF7C9F11000-memory.dmp	upx
behavioral2/files/0x00070000000234ad-93.dat	upx
behavioral2/memory/4576-111-0x00007FF62D6E0000-0x00007FF62DA31000-memory.dmp	upx
behavioral2/memory/4092-117-0x00007FF6CF280000-0x00007FF6CF5D1000-memory.dmp	upx
behavioral2/files/0x00070000000234b5-116.dat	upx
behavioral2/memory/4864-125-0x00007FF6FC0A0000-0x00007FF6FC3F1000-memory.dmp	upx
behavioral2/memory/3872-128-0x00007FF7DE6D0000-0x00007FF7DEA21000-memory.dmp	upx
behavioral2/memory/772-129-0x00007FF664C60000-0x00007FF664FB1000-memory.dmp	upx
behavioral2/memory/940-131-0x00007FF7AD4F0000-0x00007FF7AD841000-memory.dmp	upx
behavioral2/memory/4444-130-0x00007FF70F730000-0x00007FF70FA81000-memory.dmp	upx
behavioral2/memory/848-127-0x00007FF7ED140000-0x00007FF7ED491000-memory.dmp	upx
behavioral2/files/0x00070000000234b3-121.dat	upx
behavioral2/files/0x00070000000234b2-119.dat	upx
behavioral2/files/0x00070000000234b4-122.dat	upx
behavioral2/files/0x00070000000234b0-114.dat	upx
behavioral2/files/0x00070000000234af-105.dat	upx
behavioral2/memory/4260-104-0x00007FF6A7CF0000-0x00007FF6A8041000-memory.dmp	upx
behavioral2/memory/4344-101-0x00007FF7639A0000-0x00007FF763CF1000-memory.dmp	upx
behavioral2/files/0x00070000000234b1-99.dat	upx
behavioral2/memory/4596-90-0x00007FF6F0BF0000-0x00007FF6F0F41000-memory.dmp	upx
behavioral2/files/0x00070000000234ae-80.dat	upx
behavioral2/memory/1164-83-0x00007FF66F040000-0x00007FF66F391000-memory.dmp	upx
behavioral2/files/0x00080000000234a2-72.dat	upx
behavioral2/memory/4912-69-0x00007FF769E60000-0x00007FF76A1B1000-memory.dmp	upx
behavioral2/memory/4952-63-0x00007FF617BE0000-0x00007FF617F31000-memory.dmp	upx
behavioral2/memory/4636-62-0x00007FF7838E0000-0x00007FF783C31000-memory.dmp	upx
behavioral2/memory/2356-49-0x00007FF602510000-0x00007FF602861000-memory.dmp	upx
behavioral2/memory/948-132-0x00007FF617370000-0x00007FF6176C1000-memory.dmp	upx
behavioral2/memory/2356-141-0x00007FF602510000-0x00007FF602861000-memory.dmp	upx
behavioral2/memory/2176-143-0x00007FF6853F0000-0x00007FF685741000-memory.dmp	upx
behavioral2/memory/3356-142-0x00007FF614860000-0x00007FF614BB1000-memory.dmp	upx
behavioral2/memory/4636-133-0x00007FF7838E0000-0x00007FF783C31000-memory.dmp	upx
behavioral2/memory/628-144-0x00007FF7C8070000-0x00007FF7C83C1000-memory.dmp	upx
behavioral2/memory/4596-150-0x00007FF6F0BF0000-0x00007FF6F0F41000-memory.dmp	upx
behavioral2/memory/4952-145-0x00007FF617BE0000-0x00007FF617F31000-memory.dmp	upx
behavioral2/memory/1164-148-0x00007FF66F040000-0x00007FF66F391000-memory.dmp	upx
behavioral2/memory/1920-146-0x00007FF7C9BC0000-0x00007FF7C9F11000-memory.dmp	upx
behavioral2/memory/4864-154-0x00007FF6FC0A0000-0x00007FF6FC3F1000-memory.dmp	upx
behavioral2/memory/4636-157-0x00007FF7838E0000-0x00007FF783C31000-memory.dmp	upx
behavioral2/memory/4344-210-0x00007FF7639A0000-0x00007FF763CF1000-memory.dmp	upx
behavioral2/memory/772-212-0x00007FF664C60000-0x00007FF664FB1000-memory.dmp	upx
behavioral2/memory/948-214-0x00007FF617370000-0x00007FF6176C1000-memory.dmp	upx
behavioral2/memory/3356-219-0x00007FF614860000-0x00007FF614BB1000-memory.dmp	upx
behavioral2/memory/4912-208-0x00007FF769E60000-0x00007FF76A1B1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\lxOShry.exe	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iXNwxSI.exe	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IzXkIsH.exe	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mhGatab.exe	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\umTMdbh.exe	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WqcUDip.exe	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xtSSygl.exe	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hHKnEgf.exe	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mGPdJNr.exe	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xPIghYK.exe	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GONgPUj.exe	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fBPqULm.exe	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jwwihjM.exe	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EyAZwhy.exe	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HvWZFrb.exe	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TlfvsIp.exe	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qWRDZLt.exe	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uBEVmXX.exe	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jAbHHeQ.exe	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IzzGGmb.exe	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LYyJNUo.exe	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4636	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4636	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4636 wrote to memory of 4912	4636	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4636 wrote to memory of 4912	4636	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4636 wrote to memory of 4344	4636	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4636 wrote to memory of 4344	4636	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4636 wrote to memory of 772	4636	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4636 wrote to memory of 772	4636	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4636 wrote to memory of 948	4636	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4636 wrote to memory of 948	4636	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4636 wrote to memory of 3356	4636	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4636 wrote to memory of 3356	4636	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4636 wrote to memory of 2176	4636	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4636 wrote to memory of 2176	4636	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4636 wrote to memory of 4464	4636	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4636 wrote to memory of 4464	4636	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4636 wrote to memory of 2356	4636	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4636 wrote to memory of 2356	4636	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4636 wrote to memory of 628	4636	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4636 wrote to memory of 628	4636	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4636 wrote to memory of 4952	4636	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4636 wrote to memory of 4952	4636	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4636 wrote to memory of 1920	4636	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4636 wrote to memory of 1920	4636	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4636 wrote to memory of 4260	4636	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4636 wrote to memory of 4260	4636	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4636 wrote to memory of 1164	4636	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4636 wrote to memory of 1164	4636	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4636 wrote to memory of 4576	4636	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4636 wrote to memory of 4576	4636	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4636 wrote to memory of 4596	4636	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4636 wrote to memory of 4596	4636	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4636 wrote to memory of 3872	4636	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4636 wrote to memory of 3872	4636	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4636 wrote to memory of 4092	4636	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 4636 wrote to memory of 4092	4636	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 4636 wrote to memory of 4444	4636	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 4636 wrote to memory of 4444	4636	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 4636 wrote to memory of 4864	4636	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 4636 wrote to memory of 4864	4636	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 4636 wrote to memory of 940	4636	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe	108
PID 4636 wrote to memory of 940	4636	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe	108
PID 4636 wrote to memory of 848	4636	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe	109
PID 4636 wrote to memory of 848	4636	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe	109

C:\Users\Admin\AppData\Local\Temp\2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4636
- C:\Windows\System\umTMdbh.exe
  C:\Windows\System\umTMdbh.exe
  2⤵
  - Executes dropped EXE
  PID:4912
- C:\Windows\System\WqcUDip.exe
  C:\Windows\System\WqcUDip.exe
  2⤵
  - Executes dropped EXE
  PID:4344
- C:\Windows\System\jAbHHeQ.exe
  C:\Windows\System\jAbHHeQ.exe
  2⤵
  - Executes dropped EXE
  PID:772
- C:\Windows\System\xtSSygl.exe
  C:\Windows\System\xtSSygl.exe
  2⤵
  - Executes dropped EXE
  PID:948
- C:\Windows\System\IzzGGmb.exe
  C:\Windows\System\IzzGGmb.exe
  2⤵
  - Executes dropped EXE
  PID:3356
- C:\Windows\System\fBPqULm.exe
  C:\Windows\System\fBPqULm.exe
  2⤵
  - Executes dropped EXE
  PID:2176
- C:\Windows\System\hHKnEgf.exe
  C:\Windows\System\hHKnEgf.exe
  2⤵
  - Executes dropped EXE
  PID:4464
- C:\Windows\System\jwwihjM.exe
  C:\Windows\System\jwwihjM.exe
  2⤵
  - Executes dropped EXE
  PID:2356
- C:\Windows\System\lxOShry.exe
  C:\Windows\System\lxOShry.exe
  2⤵
  - Executes dropped EXE
  PID:628
- C:\Windows\System\iXNwxSI.exe
  C:\Windows\System\iXNwxSI.exe
  2⤵
  - Executes dropped EXE
  PID:4952
- C:\Windows\System\IzXkIsH.exe
  C:\Windows\System\IzXkIsH.exe
  2⤵
  - Executes dropped EXE
  PID:1920
- C:\Windows\System\TlfvsIp.exe
  C:\Windows\System\TlfvsIp.exe
  2⤵
  - Executes dropped EXE
  PID:4260
- C:\Windows\System\mhGatab.exe
  C:\Windows\System\mhGatab.exe
  2⤵
  - Executes dropped EXE
  PID:1164
- C:\Windows\System\EyAZwhy.exe
  C:\Windows\System\EyAZwhy.exe
  2⤵
  - Executes dropped EXE
  PID:4576
- C:\Windows\System\HvWZFrb.exe
  C:\Windows\System\HvWZFrb.exe
  2⤵
  - Executes dropped EXE
  PID:4596
- C:\Windows\System\qWRDZLt.exe
  C:\Windows\System\qWRDZLt.exe
  2⤵
  - Executes dropped EXE
  PID:3872
- C:\Windows\System\xPIghYK.exe
  C:\Windows\System\xPIghYK.exe
  2⤵
  - Executes dropped EXE
  PID:4092
- C:\Windows\System\LYyJNUo.exe
  C:\Windows\System\LYyJNUo.exe
  2⤵
  - Executes dropped EXE
  PID:4444
- C:\Windows\System\GONgPUj.exe
  C:\Windows\System\GONgPUj.exe
  2⤵
  - Executes dropped EXE
  PID:4864
- C:\Windows\System\uBEVmXX.exe
  C:\Windows\System\uBEVmXX.exe
  2⤵
  - Executes dropped EXE
  PID:940
- C:\Windows\System\mGPdJNr.exe
  C:\Windows\System\mGPdJNr.exe
  2⤵
  - Executes dropped EXE
  PID:848

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\EyAZwhy.exe

Filesize
5.2MB

MD5
056f58b2672a6d8b51ca922681a44228

SHA1
c1e2c31e93b9f73b50dfde8d06818ce6b52ed972

SHA256
50c6bd3dca1a929edc0dafa48d649f50b16a84ca748b2a385846ce1a6406f7ed

SHA512
ab539c91ba07f9c4f050a037454763fd2aba641098e8af0b3317b7a079036f479db2c7bda309806fb6b9d64b605b95746524abc337a6dc18e488d513cac0130b

Download Submit
C:\Windows\System\GONgPUj.exe

Filesize
5.2MB

MD5
b94ee50625a9ed63dc9379b18a43f114

SHA1
510cf3143eaa3906c3508977c3ffdf39016cea5f

SHA256
c673f10e2799d1799a34e5a68606ba5e6f234fadb4579c90cd3141c418fd43f5

SHA512
5448f4b1936684e5c6803d63a673e342941b927bea5338a4fa7908005ee69c560713a40330087576579c602f4d64a4866f559a5786f695a972459820228d6f10

Download Submit
C:\Windows\System\HvWZFrb.exe

Filesize
5.2MB

MD5
41f4578c0ac16b09cda5062141c58646

SHA1
14cd4bec191a44487fb96b56b444832e9f9edcb3

SHA256
1a87daba8647f72db4993c6e5ccfd7525e4f3d1b7caf0d4e77b62938979670d5

SHA512
18825787b0dc2fa3ee12de1cdff55f7d0b83d5dcc2fd865f5716231f6d3d59d94acfa8695cbdc1ee5bbd18e86fbcb7c0135f936dab079017368277d24a5e5de2

Download Submit
C:\Windows\System\IzXkIsH.exe

Filesize
5.2MB

MD5
dfea1ad705d127f51a62c498d853d126

SHA1
da823b485507dbe4e89367033e98418292f69410

SHA256
a392ad9d1b9b7ff0aa68fa429c47c7d2b78af46163077ff33ba118f759f3bb2a

SHA512
cfaa7dde11488c7aade4c20cc66592d27972d7eb4fa4b94231af3d7c4f5da7e0a5f60b6118533898bb83c7b532d44e331f3d62a7e0cdf8f61d9eb96d7cddaf64

Download Submit
C:\Windows\System\IzzGGmb.exe

Filesize
5.2MB

MD5
3caa0d32a2c506a49f7d42cda6a5a0a2

SHA1
8eea96f60a01ddc0469aa586844144901047b347

SHA256
e6de0bdd81ef5f1fca77dedfd5818adef188a61a92fdfff89fcf61e0b0db1883

SHA512
a75b9e6de2dcd00bb8c7883239b8dcba0dde90b122310963da3415eec70fe766337acf00d80b29efcec6e8340856bfb1492fcd21cf2169178b4bae32e8436bc2

Download Submit
C:\Windows\System\LYyJNUo.exe

Filesize
5.2MB

MD5
f20efe2a041e397f0f30fa13f7349d7c

SHA1
ad5a81f6ec66bbadbc3ead6d61a35309f0644a8d

SHA256
0a0cd049a95f810e33223c506b68db095d2b474e991afe23e050250ce40b272e

SHA512
0632a500c9b5b4e4304f34886802d222c6cd1bc238d20afed76330d6e77ba6bc0cfee5708aeb9c40976a670337fc0adbd2409fa6b485bfe9153835ceb65a2bf1

Download Submit
C:\Windows\System\TlfvsIp.exe

Filesize
5.2MB

MD5
9f20ac07621e800f2db2a91c25b421b6

SHA1
7938cea2eb3e37effdae15b909b0053d43131892

SHA256
3b9793a30a756c20b6fcb482014eecb1fd770e5c14e2e30feea190aa24f63294

SHA512
637c8899b81484567d875539434526eebd0bbe821daa2e53135ddf484fa7d8797ea2ca441ceb6f02789eeba317e61e2c2a320be983d5886493bea53cb8fc0bae

Download Submit
C:\Windows\System\WqcUDip.exe

Filesize
5.2MB

MD5
a861dd69bae1d953475c6fea2e2c229a

SHA1
af6e8aaad3698d0ef8bc0957e8b65dccb2333828

SHA256
99ee4c88f22fc6de7c988ec32e6be35bc7030ecb5fc5ea5cd73fcfcc57674a2b

SHA512
e22a6c8aedb21e7cd71aa6856e2b716f7973022bebf8f2ce18329e0eff3a53d797b16de2d638f50dc7f8d3e8cb9edb40870c78e0d057c5ee85c54b13004f13e7

Download Submit
C:\Windows\System\fBPqULm.exe

Filesize
5.2MB

MD5
522199116bd4b4205f149368439a5c42

SHA1
d85b8e6e9f084754ae89ff9127ee378f72626bfc

SHA256
ccc563b7b7940e72567173de5ae1ea9c5da20c60bfa76be7ad52f7a02cb814d5

SHA512
c436537f88c3b737936ec00ba64c3944d8b034aae6dc1fa129e68e37c50da0c6cf654c0b206ce2ea8bd07cf4052edc4eb6630276ea634dd47a25e2da5fe88fcd

Download Submit
C:\Windows\System\hHKnEgf.exe

Filesize
5.2MB

MD5
c63d39d19eb97f9e810f09201b1c336e

SHA1
9d3848549f2b8b3d72685d283c8641a33fcc80fb

SHA256
cfd71f566f9488e9fa02a033c749bb5143942494ecc76f42a153fc6d7b3bba08

SHA512
925bb0bdc6744df46a38bf847158a725b25375f13f50f6f0c4b0c2181653f08a373f7b6ce0c03168505e9fb81243a8f48c0d1d5f1bcb69745bf774a40ba9763e

Download Submit
C:\Windows\System\iXNwxSI.exe

Filesize
5.2MB

MD5
c5cb111fa4a87ed9aff125b36ff9e351

SHA1
050155c679227751e5a631349dcb697485a139fc

SHA256
ffac5f67752f1044d08fa0c392a6ea881cf6bbf61b061be5bbcb911a2b3919e7

SHA512
7299b86ad010332598c50a87be299aef2403ef6a4dcd584651ae86e52fbf6ae3b1ccae960c2eb72f0236c308cb24f325de348a11645bbf275bbeb22980b7c1eb

Download Submit
C:\Windows\System\jAbHHeQ.exe

Filesize
5.2MB

MD5
cbdd40f668b432af1aaf35c541569d3c

SHA1
6449d0a14517a0e278f16842a76c5bda33457ee7

SHA256
948062e02e96dc601863225f1935edac9675e616018d99c82ba50e1444b0c18f

SHA512
6e02a1bf3032b30cbb31fc7140954582add128ef33cb09e6a27dea0ab4c9e3bd5af1f30d44b97c8a0bee4fed99a8ec5b813d75276902b51b38c5b3c0114a51ae

Download Submit
C:\Windows\System\jwwihjM.exe

Filesize
5.2MB

MD5
350460de420534b56203044144ae59ff

SHA1
efc0ed435d5a040ccd79098d520c597fc234e55a

SHA256
12de0f6293e37bc0f231f3fddb5e16577a3b545ee82d438ae69160698d0e93b9

SHA512
5ca38c5af03cdd8ebe0c59577c1b419f3dc4971f507933541f8954e8bbe4785a3954b727b5a01e5df7229eb552b42be79d3af90ee28ce9ec042623f5cb1e9522

Download Submit
C:\Windows\System\lxOShry.exe

Filesize
5.2MB

MD5
2343ad1d1a82d819f2cbc146c2d32da4

SHA1
3a48603786c82a16a19253c11cce6426299194a6

SHA256
124f4a1684351931005a4050f9bc8f64b585642f4629b69704ddbce178b820d7

SHA512
b591335c45f134de47405c669e9e22ffef72c61c5e9e88c87be8acf047c9d7f645211a8b6ddff09ef8fc8623c46c2504a1e5747eb7358776ffc629497cb46e50

Download Submit
C:\Windows\System\mGPdJNr.exe

Filesize
5.2MB

MD5
743267ce535771475855e6e6e275068a

SHA1
80b1b76b11df6e8077cb8f7800137a09024a513f

SHA256
f43bb32ae1b2c28eb73a1f0099fa9dd0048c6445225f053741747a9cac70e293

SHA512
580412eac9b19c569fd157267eb51f82582bab77cea0b083aa4b83cbdfa87910f26aee32b1f7c58cf5c090d524db09aeff7a007147e9ce37fc99178189bac3fe

Download Submit
C:\Windows\System\mhGatab.exe

Filesize
5.2MB

MD5
adfe01541877776ab7922146c506ef38

SHA1
12ab178c2addd6c1196b4dd21f54c4d36c65d388

SHA256
3022e096777e0208b1e9ced6dd45c2cfa9330a628758bd25989b9507d91ef994

SHA512
3bdf90ea15900151aa15e7592bf7d5187a256b3a63ecdb8209142309397a88967e5036b43f617c53d7f158f0e4edc868dc1c65d0a5ea77740e83be77e4df2379

Download Submit
C:\Windows\System\qWRDZLt.exe

Filesize
5.2MB

MD5
0a7ede190c25f121a3df3b8d7056189e

SHA1
a7c0539eba6beb043db9fc1eeab34dad20680cad

SHA256
2acc06d27f37d14eadc440520041768847158e19a5567c27d4e3a97561bcb298

SHA512
b5b6fbb3ba88b91a7aaa184a7c80f2d88e04c936f3a33efd30e71998167e647d8c7f9628f59e9287a330e298f4d9a78f1cbf2d2de2c62eb1cfaed9840264367a

Download Submit
C:\Windows\System\uBEVmXX.exe

Filesize
5.2MB

MD5
37a138f516b8d79d4c91cd763941560f

SHA1
025649e8a4a2b595042aab65ab41a51be4fa76ad

SHA256
6ab034faaf460a67c35b6bfc9922a6e6797427e11c0706e0cbbd6f01a7c104a6

SHA512
e5ec5142977aa1f8250cbd2eb6452d10b28ecc7a2b04b06afead378c9da64835494763510032d010b812779aeeda0aaac8a543ab9dbbe9c98ec667b48fe0c2fd

Download Submit
C:\Windows\System\umTMdbh.exe

Filesize
5.2MB

MD5
c48d86d8978e3f0d210653c5f542e7d6

SHA1
70785e4baf25ea884835d4ae7e4b95621a3eda9e

SHA256
3ff4b27e103de9cd19e5ed8047689457cdf05d907f2bc06e5aadcdbdf3122b9c

SHA512
9f5363b17f3545c1c3d8721de03698945fa8761d85837f8af8edc09da5a4567aa7a9999e6a7fb8a2b2edf9c4eb31fdd117de30cfe052471851cfc56fde3e5f48

Download Submit
C:\Windows\System\xPIghYK.exe

Filesize
5.2MB

MD5
706c4c77379d6b6f6d8a4054350d8c27

SHA1
95979b477ca8661f6afb2c3e5b386dd1f36b9e61

SHA256
c93d0f59356bf2c947355cc4a1dcd36b4f113b1482bee45dab81f7b0d2fbb8af

SHA512
a38ec9e6503c9a66f8f5ceb36502d0c65120b62e674a79a365847fced7afe89424295a2b25d48048b8959950506b2a9cb66bd761873d77ca9a0d098a56f4e00a

Download Submit
C:\Windows\System\xtSSygl.exe

Filesize
5.2MB

MD5
378303b5238a107d725a58491bb6caa3

SHA1
2bb8bac16327bed999d827374a7925d6170cdc00

SHA256
2b1fbcebbda5ad49a60db29c71f24cd433022da7220201a7c0d6ad6c1982fdaa

SHA512
f7df82201b5cfc322be6a0caed33d603a66445e6b3919cf12e83e325fd9214cdd995c4f6f5be1e97d6efece2b08e5a9df5a09ea20c42c2cae76d577187a01f47

Download Submit
memory/628-144-0x00007FF7C8070000-0x00007FF7C83C1000-memory.dmp

Filesize
3.3MB

Download
memory/628-54-0x00007FF7C8070000-0x00007FF7C83C1000-memory.dmp

Filesize
3.3MB

Download
memory/628-240-0x00007FF7C8070000-0x00007FF7C83C1000-memory.dmp

Filesize
3.3MB

Download
memory/772-19-0x00007FF664C60000-0x00007FF664FB1000-memory.dmp

Filesize
3.3MB

Download
memory/772-129-0x00007FF664C60000-0x00007FF664FB1000-memory.dmp

Filesize
3.3MB

Download
memory/772-212-0x00007FF664C60000-0x00007FF664FB1000-memory.dmp

Filesize
3.3MB

Download
memory/848-127-0x00007FF7ED140000-0x00007FF7ED491000-memory.dmp

Filesize
3.3MB

Download
memory/848-262-0x00007FF7ED140000-0x00007FF7ED491000-memory.dmp

Filesize
3.3MB

Download
memory/940-264-0x00007FF7AD4F0000-0x00007FF7AD841000-memory.dmp

Filesize
3.3MB

Download
memory/940-131-0x00007FF7AD4F0000-0x00007FF7AD841000-memory.dmp

Filesize
3.3MB

Download
memory/948-25-0x00007FF617370000-0x00007FF6176C1000-memory.dmp

Filesize
3.3MB

Download
memory/948-214-0x00007FF617370000-0x00007FF6176C1000-memory.dmp

Filesize
3.3MB

Download
memory/948-132-0x00007FF617370000-0x00007FF6176C1000-memory.dmp

Filesize
3.3MB

Download
memory/1164-148-0x00007FF66F040000-0x00007FF66F391000-memory.dmp

Filesize
3.3MB

Download
memory/1164-250-0x00007FF66F040000-0x00007FF66F391000-memory.dmp

Filesize
3.3MB

Download
memory/1164-83-0x00007FF66F040000-0x00007FF66F391000-memory.dmp

Filesize
3.3MB

Download
memory/1920-244-0x00007FF7C9BC0000-0x00007FF7C9F11000-memory.dmp

Filesize
3.3MB

Download
memory/1920-146-0x00007FF7C9BC0000-0x00007FF7C9F11000-memory.dmp

Filesize
3.3MB

Download
memory/1920-77-0x00007FF7C9BC0000-0x00007FF7C9F11000-memory.dmp

Filesize
3.3MB

Download
memory/2176-143-0x00007FF6853F0000-0x00007FF685741000-memory.dmp

Filesize
3.3MB

Download
memory/2176-42-0x00007FF6853F0000-0x00007FF685741000-memory.dmp

Filesize
3.3MB

Download
memory/2176-221-0x00007FF6853F0000-0x00007FF685741000-memory.dmp

Filesize
3.3MB

Download
memory/2356-141-0x00007FF602510000-0x00007FF602861000-memory.dmp

Filesize
3.3MB

Download
memory/2356-49-0x00007FF602510000-0x00007FF602861000-memory.dmp

Filesize
3.3MB

Download
memory/2356-238-0x00007FF602510000-0x00007FF602861000-memory.dmp

Filesize
3.3MB

Download
memory/3356-219-0x00007FF614860000-0x00007FF614BB1000-memory.dmp

Filesize
3.3MB

Download
memory/3356-31-0x00007FF614860000-0x00007FF614BB1000-memory.dmp

Filesize
3.3MB

Download
memory/3356-142-0x00007FF614860000-0x00007FF614BB1000-memory.dmp

Filesize
3.3MB

Download
memory/3872-256-0x00007FF7DE6D0000-0x00007FF7DEA21000-memory.dmp

Filesize
3.3MB

Download
memory/3872-128-0x00007FF7DE6D0000-0x00007FF7DEA21000-memory.dmp

Filesize
3.3MB

Download
memory/4092-252-0x00007FF6CF280000-0x00007FF6CF5D1000-memory.dmp

Filesize
3.3MB

Download
memory/4092-117-0x00007FF6CF280000-0x00007FF6CF5D1000-memory.dmp

Filesize
3.3MB

Download
memory/4260-248-0x00007FF6A7CF0000-0x00007FF6A8041000-memory.dmp

Filesize
3.3MB

Download
memory/4260-104-0x00007FF6A7CF0000-0x00007FF6A8041000-memory.dmp

Filesize
3.3MB

Download
memory/4344-14-0x00007FF7639A0000-0x00007FF763CF1000-memory.dmp

Filesize
3.3MB

Download
memory/4344-101-0x00007FF7639A0000-0x00007FF763CF1000-memory.dmp

Filesize
3.3MB

Download
memory/4344-210-0x00007FF7639A0000-0x00007FF763CF1000-memory.dmp

Filesize
3.3MB

Download
memory/4444-130-0x00007FF70F730000-0x00007FF70FA81000-memory.dmp

Filesize
3.3MB

Download
memory/4444-258-0x00007FF70F730000-0x00007FF70FA81000-memory.dmp

Filesize
3.3MB

Download
memory/4464-223-0x00007FF73F490000-0x00007FF73F7E1000-memory.dmp

Filesize
3.3MB

Download
memory/4464-44-0x00007FF73F490000-0x00007FF73F7E1000-memory.dmp

Filesize
3.3MB

Download
memory/4576-246-0x00007FF62D6E0000-0x00007FF62DA31000-memory.dmp

Filesize
3.3MB

Download
memory/4576-111-0x00007FF62D6E0000-0x00007FF62DA31000-memory.dmp

Filesize
3.3MB

Download
memory/4596-150-0x00007FF6F0BF0000-0x00007FF6F0F41000-memory.dmp

Filesize
3.3MB

Download
memory/4596-254-0x00007FF6F0BF0000-0x00007FF6F0F41000-memory.dmp

Filesize
3.3MB

Download
memory/4596-90-0x00007FF6F0BF0000-0x00007FF6F0F41000-memory.dmp

Filesize
3.3MB

Download
memory/4636-157-0x00007FF7838E0000-0x00007FF783C31000-memory.dmp

Filesize
3.3MB

Download
memory/4636-133-0x00007FF7838E0000-0x00007FF783C31000-memory.dmp

Filesize
3.3MB

Download
memory/4636-0-0x00007FF7838E0000-0x00007FF783C31000-memory.dmp

Filesize
3.3MB

Download
memory/4636-1-0x00000237BAD40000-0x00000237BAD50000-memory.dmp

Filesize
64KB

Download
memory/4636-62-0x00007FF7838E0000-0x00007FF783C31000-memory.dmp

Filesize
3.3MB

Download
memory/4864-154-0x00007FF6FC0A0000-0x00007FF6FC3F1000-memory.dmp

Filesize
3.3MB

Download
memory/4864-125-0x00007FF6FC0A0000-0x00007FF6FC3F1000-memory.dmp

Filesize
3.3MB

Download
memory/4864-260-0x00007FF6FC0A0000-0x00007FF6FC3F1000-memory.dmp

Filesize
3.3MB

Download
memory/4912-208-0x00007FF769E60000-0x00007FF76A1B1000-memory.dmp

Filesize
3.3MB

Download
memory/4912-8-0x00007FF769E60000-0x00007FF76A1B1000-memory.dmp

Filesize
3.3MB

Download
memory/4912-69-0x00007FF769E60000-0x00007FF76A1B1000-memory.dmp

Filesize
3.3MB

Download
memory/4952-63-0x00007FF617BE0000-0x00007FF617F31000-memory.dmp

Filesize
3.3MB

Download
memory/4952-242-0x00007FF617BE0000-0x00007FF617F31000-memory.dmp

Filesize
3.3MB

Download
memory/4952-145-0x00007FF617BE0000-0x00007FF617F31000-memory.dmp

Filesize
3.3MB

Download