cobaltstrike | ceca52b85e07b4cb0cb04a8a32f471553d9680124f27518b5f510d0c9a7bfddf

Analysis

max time kernel
140s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04/09/2024, 15:41

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

170e8e11adbf6e99f7d77b7433e347ef
SHA1

abb4ce815a248af4b9cb294b01894798d3d2d95b
SHA256

ceca52b85e07b4cb0cb04a8a32f471553d9680124f27518b5f510d0c9a7bfddf
SHA512

fb0749947ccdfc667be047105921516a0aee47f0a22dfbdb2f73766ef113aab104fc0a811b371c1cc08cfd61ed8603505a210dd73c80d9477b110846e53ace70
SSDEEP

49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l+:RWWBibd56utgpPFotBER/mQ32lU6

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x00090000000233c1-4.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023412-15.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023418-27.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002341b-44.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002341a-43.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023419-39.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002341f-78.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023425-90.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023427-121.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023426-117.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023413-113.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023424-110.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023422-108.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023423-107.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023421-99.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023420-95.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002341e-84.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002341d-71.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002341c-67.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023417-36.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023416-29.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 47 IoCs

miner

resource	yara_rule
behavioral2/memory/1768-116-0x00007FF645430000-0x00007FF645781000-memory.dmp	xmrig
behavioral2/memory/2996-126-0x00007FF6DCEE0000-0x00007FF6DD231000-memory.dmp	xmrig
behavioral2/memory/5012-125-0x00007FF70BB90000-0x00007FF70BEE1000-memory.dmp	xmrig
behavioral2/memory/2696-124-0x00007FF70EAC0000-0x00007FF70EE11000-memory.dmp	xmrig
behavioral2/memory/2264-123-0x00007FF651460000-0x00007FF6517B1000-memory.dmp	xmrig
behavioral2/memory/2812-120-0x00007FF6CC1B0000-0x00007FF6CC501000-memory.dmp	xmrig
behavioral2/memory/4576-119-0x00007FF7353D0000-0x00007FF735721000-memory.dmp	xmrig
behavioral2/memory/1592-79-0x00007FF7BB6B0000-0x00007FF7BBA01000-memory.dmp	xmrig
behavioral2/memory/456-54-0x00007FF786E00000-0x00007FF787151000-memory.dmp	xmrig
behavioral2/memory/5104-128-0x00007FF6BE300000-0x00007FF6BE651000-memory.dmp	xmrig
behavioral2/memory/3576-134-0x00007FF78FF50000-0x00007FF7902A1000-memory.dmp	xmrig
behavioral2/memory/3336-133-0x00007FF6059F0000-0x00007FF605D41000-memory.dmp	xmrig
behavioral2/memory/968-131-0x00007FF6F4E40000-0x00007FF6F5191000-memory.dmp	xmrig
behavioral2/memory/1932-129-0x00007FF7453D0000-0x00007FF745721000-memory.dmp	xmrig
behavioral2/memory/5036-132-0x00007FF61B050000-0x00007FF61B3A1000-memory.dmp	xmrig
behavioral2/memory/116-130-0x00007FF658220000-0x00007FF658571000-memory.dmp	xmrig
behavioral2/memory/3472-140-0x00007FF7F63F0000-0x00007FF7F6741000-memory.dmp	xmrig
behavioral2/memory/3516-136-0x00007FF608970000-0x00007FF608CC1000-memory.dmp	xmrig
behavioral2/memory/2696-143-0x00007FF70EAC0000-0x00007FF70EE11000-memory.dmp	xmrig
behavioral2/memory/2868-142-0x00007FF7EA6C0000-0x00007FF7EAA11000-memory.dmp	xmrig
behavioral2/memory/2608-139-0x00007FF79C9C0000-0x00007FF79CD11000-memory.dmp	xmrig
behavioral2/memory/1688-138-0x00007FF679520000-0x00007FF679871000-memory.dmp	xmrig
behavioral2/memory/1592-137-0x00007FF7BB6B0000-0x00007FF7BBA01000-memory.dmp	xmrig
behavioral2/memory/3124-144-0x00007FF73BDE0000-0x00007FF73C131000-memory.dmp	xmrig
behavioral2/memory/5104-150-0x00007FF6BE300000-0x00007FF6BE651000-memory.dmp	xmrig
behavioral2/memory/5104-151-0x00007FF6BE300000-0x00007FF6BE651000-memory.dmp	xmrig
behavioral2/memory/1932-215-0x00007FF7453D0000-0x00007FF745721000-memory.dmp	xmrig
behavioral2/memory/116-217-0x00007FF658220000-0x00007FF658571000-memory.dmp	xmrig
behavioral2/memory/968-219-0x00007FF6F4E40000-0x00007FF6F5191000-memory.dmp	xmrig
behavioral2/memory/3336-221-0x00007FF6059F0000-0x00007FF605D41000-memory.dmp	xmrig
behavioral2/memory/3576-223-0x00007FF78FF50000-0x00007FF7902A1000-memory.dmp	xmrig
behavioral2/memory/456-225-0x00007FF786E00000-0x00007FF787151000-memory.dmp	xmrig
behavioral2/memory/3516-227-0x00007FF608970000-0x00007FF608CC1000-memory.dmp	xmrig
behavioral2/memory/5036-231-0x00007FF61B050000-0x00007FF61B3A1000-memory.dmp	xmrig
behavioral2/memory/1592-230-0x00007FF7BB6B0000-0x00007FF7BBA01000-memory.dmp	xmrig
behavioral2/memory/1688-238-0x00007FF679520000-0x00007FF679871000-memory.dmp	xmrig
behavioral2/memory/2868-242-0x00007FF7EA6C0000-0x00007FF7EAA11000-memory.dmp	xmrig
behavioral2/memory/3472-245-0x00007FF7F63F0000-0x00007FF7F6741000-memory.dmp	xmrig
behavioral2/memory/4576-246-0x00007FF7353D0000-0x00007FF735721000-memory.dmp	xmrig
behavioral2/memory/2264-240-0x00007FF651460000-0x00007FF6517B1000-memory.dmp	xmrig
behavioral2/memory/2608-236-0x00007FF79C9C0000-0x00007FF79CD11000-memory.dmp	xmrig
behavioral2/memory/2812-253-0x00007FF6CC1B0000-0x00007FF6CC501000-memory.dmp	xmrig
behavioral2/memory/1768-254-0x00007FF645430000-0x00007FF645781000-memory.dmp	xmrig
behavioral2/memory/3124-256-0x00007FF73BDE0000-0x00007FF73C131000-memory.dmp	xmrig
behavioral2/memory/5012-250-0x00007FF70BB90000-0x00007FF70BEE1000-memory.dmp	xmrig
behavioral2/memory/2996-249-0x00007FF6DCEE0000-0x00007FF6DD231000-memory.dmp	xmrig
behavioral2/memory/2696-259-0x00007FF70EAC0000-0x00007FF70EE11000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
1932	jJDPcrA.exe
116	XgnEMTJ.exe
968	HkbclNL.exe
5036	HurbcLP.exe
3336	BvqjvhD.exe
3576	aeBhGIa.exe
456	CEnjyPw.exe
3516	fWJBDof.exe
1592	OjGtapC.exe
1688	wwvSZtQ.exe
2608	nFSfvxA.exe
2264	DOtHvFj.exe
2868	zQeCTzw.exe
3472	djGrXME.exe
2696	yzpRKLW.exe
3124	fzlwfRE.exe
1768	dIRUeZS.exe
4576	eYhXHux.exe
5012	wHXEdTU.exe
2812	tjuFzPH.exe
2996	pziGuym.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5104-0-0x00007FF6BE300000-0x00007FF6BE651000-memory.dmp	upx
behavioral2/files/0x00090000000233c1-4.dat	upx
behavioral2/memory/1932-6-0x00007FF7453D0000-0x00007FF745721000-memory.dmp	upx
behavioral2/files/0x0008000000023412-15.dat	upx
behavioral2/files/0x0007000000023418-27.dat	upx
behavioral2/memory/3576-45-0x00007FF78FF50000-0x00007FF7902A1000-memory.dmp	upx
behavioral2/files/0x000700000002341b-44.dat	upx
behavioral2/files/0x000700000002341a-43.dat	upx
behavioral2/files/0x0007000000023419-39.dat	upx
behavioral2/memory/5036-47-0x00007FF61B050000-0x00007FF61B3A1000-memory.dmp	upx
behavioral2/files/0x000700000002341f-78.dat	upx
behavioral2/files/0x0007000000023425-90.dat	upx
behavioral2/memory/1768-116-0x00007FF645430000-0x00007FF645781000-memory.dmp	upx
behavioral2/files/0x0007000000023427-121.dat	upx
behavioral2/memory/2996-126-0x00007FF6DCEE0000-0x00007FF6DD231000-memory.dmp	upx
behavioral2/memory/5012-125-0x00007FF70BB90000-0x00007FF70BEE1000-memory.dmp	upx
behavioral2/memory/2696-124-0x00007FF70EAC0000-0x00007FF70EE11000-memory.dmp	upx
behavioral2/memory/2264-123-0x00007FF651460000-0x00007FF6517B1000-memory.dmp	upx
behavioral2/memory/2812-120-0x00007FF6CC1B0000-0x00007FF6CC501000-memory.dmp	upx
behavioral2/memory/4576-119-0x00007FF7353D0000-0x00007FF735721000-memory.dmp	upx
behavioral2/files/0x0007000000023426-117.dat	upx
behavioral2/memory/3124-115-0x00007FF73BDE0000-0x00007FF73C131000-memory.dmp	upx
behavioral2/files/0x0008000000023413-113.dat	upx
behavioral2/files/0x0007000000023424-110.dat	upx
behavioral2/files/0x0007000000023422-108.dat	upx
behavioral2/files/0x0007000000023423-107.dat	upx
behavioral2/memory/3472-106-0x00007FF7F63F0000-0x00007FF7F6741000-memory.dmp	upx
behavioral2/files/0x0007000000023421-99.dat	upx
behavioral2/files/0x0007000000023420-95.dat	upx
behavioral2/memory/2868-92-0x00007FF7EA6C0000-0x00007FF7EAA11000-memory.dmp	upx
behavioral2/memory/2608-91-0x00007FF79C9C0000-0x00007FF79CD11000-memory.dmp	upx
behavioral2/files/0x000700000002341e-84.dat	upx
behavioral2/memory/1592-79-0x00007FF7BB6B0000-0x00007FF7BBA01000-memory.dmp	upx
behavioral2/files/0x000700000002341d-71.dat	upx
behavioral2/files/0x000700000002341c-67.dat	upx
behavioral2/memory/1688-66-0x00007FF679520000-0x00007FF679871000-memory.dmp	upx
behavioral2/memory/3516-55-0x00007FF608970000-0x00007FF608CC1000-memory.dmp	upx
behavioral2/memory/456-54-0x00007FF786E00000-0x00007FF787151000-memory.dmp	upx
behavioral2/files/0x0007000000023417-36.dat	upx
behavioral2/memory/3336-33-0x00007FF6059F0000-0x00007FF605D41000-memory.dmp	upx
behavioral2/files/0x0007000000023416-29.dat	upx
behavioral2/memory/968-31-0x00007FF6F4E40000-0x00007FF6F5191000-memory.dmp	upx
behavioral2/memory/116-21-0x00007FF658220000-0x00007FF658571000-memory.dmp	upx
behavioral2/memory/5104-128-0x00007FF6BE300000-0x00007FF6BE651000-memory.dmp	upx
behavioral2/memory/3576-134-0x00007FF78FF50000-0x00007FF7902A1000-memory.dmp	upx
behavioral2/memory/3336-133-0x00007FF6059F0000-0x00007FF605D41000-memory.dmp	upx
behavioral2/memory/968-131-0x00007FF6F4E40000-0x00007FF6F5191000-memory.dmp	upx
behavioral2/memory/1932-129-0x00007FF7453D0000-0x00007FF745721000-memory.dmp	upx
behavioral2/memory/5036-132-0x00007FF61B050000-0x00007FF61B3A1000-memory.dmp	upx
behavioral2/memory/116-130-0x00007FF658220000-0x00007FF658571000-memory.dmp	upx
behavioral2/memory/3472-140-0x00007FF7F63F0000-0x00007FF7F6741000-memory.dmp	upx
behavioral2/memory/3516-136-0x00007FF608970000-0x00007FF608CC1000-memory.dmp	upx
behavioral2/memory/2696-143-0x00007FF70EAC0000-0x00007FF70EE11000-memory.dmp	upx
behavioral2/memory/2868-142-0x00007FF7EA6C0000-0x00007FF7EAA11000-memory.dmp	upx
behavioral2/memory/2608-139-0x00007FF79C9C0000-0x00007FF79CD11000-memory.dmp	upx
behavioral2/memory/1688-138-0x00007FF679520000-0x00007FF679871000-memory.dmp	upx
behavioral2/memory/1592-137-0x00007FF7BB6B0000-0x00007FF7BBA01000-memory.dmp	upx
behavioral2/memory/3124-144-0x00007FF73BDE0000-0x00007FF73C131000-memory.dmp	upx
behavioral2/memory/5104-150-0x00007FF6BE300000-0x00007FF6BE651000-memory.dmp	upx
behavioral2/memory/5104-151-0x00007FF6BE300000-0x00007FF6BE651000-memory.dmp	upx
behavioral2/memory/1932-215-0x00007FF7453D0000-0x00007FF745721000-memory.dmp	upx
behavioral2/memory/116-217-0x00007FF658220000-0x00007FF658571000-memory.dmp	upx
behavioral2/memory/968-219-0x00007FF6F4E40000-0x00007FF6F5191000-memory.dmp	upx
behavioral2/memory/3336-221-0x00007FF6059F0000-0x00007FF605D41000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\jJDPcrA.exe	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fzlwfRE.exe	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XgnEMTJ.exe	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CEnjyPw.exe	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OjGtapC.exe	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wwvSZtQ.exe	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dIRUeZS.exe	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yzpRKLW.exe	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HkbclNL.exe	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aeBhGIa.exe	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fWJBDof.exe	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nFSfvxA.exe	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\djGrXME.exe	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DOtHvFj.exe	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pziGuym.exe	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HurbcLP.exe	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BvqjvhD.exe	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zQeCTzw.exe	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eYhXHux.exe	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wHXEdTU.exe	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tjuFzPH.exe	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	5104	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	5104	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 5104 wrote to memory of 1932	5104	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 5104 wrote to memory of 1932	5104	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 5104 wrote to memory of 116	5104	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 5104 wrote to memory of 116	5104	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 5104 wrote to memory of 968	5104	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 5104 wrote to memory of 968	5104	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 5104 wrote to memory of 5036	5104	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 5104 wrote to memory of 5036	5104	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 5104 wrote to memory of 3336	5104	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 5104 wrote to memory of 3336	5104	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 5104 wrote to memory of 3576	5104	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 5104 wrote to memory of 3576	5104	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 5104 wrote to memory of 456	5104	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 5104 wrote to memory of 456	5104	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 5104 wrote to memory of 3516	5104	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 5104 wrote to memory of 3516	5104	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 5104 wrote to memory of 1592	5104	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 5104 wrote to memory of 1592	5104	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 5104 wrote to memory of 1688	5104	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 5104 wrote to memory of 1688	5104	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 5104 wrote to memory of 2608	5104	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 5104 wrote to memory of 2608	5104	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 5104 wrote to memory of 3472	5104	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 5104 wrote to memory of 3472	5104	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 5104 wrote to memory of 2264	5104	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 5104 wrote to memory of 2264	5104	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 5104 wrote to memory of 2868	5104	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 5104 wrote to memory of 2868	5104	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 5104 wrote to memory of 2696	5104	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 5104 wrote to memory of 2696	5104	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 5104 wrote to memory of 3124	5104	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 5104 wrote to memory of 3124	5104	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 5104 wrote to memory of 1768	5104	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 5104 wrote to memory of 1768	5104	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 5104 wrote to memory of 4576	5104	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 5104 wrote to memory of 4576	5104	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 5104 wrote to memory of 5012	5104	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 5104 wrote to memory of 5012	5104	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 5104 wrote to memory of 2812	5104	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 5104 wrote to memory of 2812	5104	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 5104 wrote to memory of 2996	5104	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 5104 wrote to memory of 2996	5104	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5104
- C:\Windows\System\jJDPcrA.exe
  C:\Windows\System\jJDPcrA.exe
  2⤵
  - Executes dropped EXE
  PID:1932
- C:\Windows\System\XgnEMTJ.exe
  C:\Windows\System\XgnEMTJ.exe
  2⤵
  - Executes dropped EXE
  PID:116
- C:\Windows\System\HkbclNL.exe
  C:\Windows\System\HkbclNL.exe
  2⤵
  - Executes dropped EXE
  PID:968
- C:\Windows\System\HurbcLP.exe
  C:\Windows\System\HurbcLP.exe
  2⤵
  - Executes dropped EXE
  PID:5036
- C:\Windows\System\BvqjvhD.exe
  C:\Windows\System\BvqjvhD.exe
  2⤵
  - Executes dropped EXE
  PID:3336
- C:\Windows\System\aeBhGIa.exe
  C:\Windows\System\aeBhGIa.exe
  2⤵
  - Executes dropped EXE
  PID:3576
- C:\Windows\System\CEnjyPw.exe
  C:\Windows\System\CEnjyPw.exe
  2⤵
  - Executes dropped EXE
  PID:456
- C:\Windows\System\fWJBDof.exe
  C:\Windows\System\fWJBDof.exe
  2⤵
  - Executes dropped EXE
  PID:3516
- C:\Windows\System\OjGtapC.exe
  C:\Windows\System\OjGtapC.exe
  2⤵
  - Executes dropped EXE
  PID:1592
- C:\Windows\System\wwvSZtQ.exe
  C:\Windows\System\wwvSZtQ.exe
  2⤵
  - Executes dropped EXE
  PID:1688
- C:\Windows\System\nFSfvxA.exe
  C:\Windows\System\nFSfvxA.exe
  2⤵
  - Executes dropped EXE
  PID:2608
- C:\Windows\System\djGrXME.exe
  C:\Windows\System\djGrXME.exe
  2⤵
  - Executes dropped EXE
  PID:3472
- C:\Windows\System\DOtHvFj.exe
  C:\Windows\System\DOtHvFj.exe
  2⤵
  - Executes dropped EXE
  PID:2264
- C:\Windows\System\zQeCTzw.exe
  C:\Windows\System\zQeCTzw.exe
  2⤵
  - Executes dropped EXE
  PID:2868
- C:\Windows\System\yzpRKLW.exe
  C:\Windows\System\yzpRKLW.exe
  2⤵
  - Executes dropped EXE
  PID:2696
- C:\Windows\System\fzlwfRE.exe
  C:\Windows\System\fzlwfRE.exe
  2⤵
  - Executes dropped EXE
  PID:3124
- C:\Windows\System\dIRUeZS.exe
  C:\Windows\System\dIRUeZS.exe
  2⤵
  - Executes dropped EXE
  PID:1768
- C:\Windows\System\eYhXHux.exe
  C:\Windows\System\eYhXHux.exe
  2⤵
  - Executes dropped EXE
  PID:4576
- C:\Windows\System\wHXEdTU.exe
  C:\Windows\System\wHXEdTU.exe
  2⤵
  - Executes dropped EXE
  PID:5012
- C:\Windows\System\tjuFzPH.exe
  C:\Windows\System\tjuFzPH.exe
  2⤵
  - Executes dropped EXE
  PID:2812
- C:\Windows\System\pziGuym.exe
  C:\Windows\System\pziGuym.exe
  2⤵
  - Executes dropped EXE
  PID:2996

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BvqjvhD.exe

Filesize
5.2MB

MD5
c798ae11df1b4f6b15159f4d4cefcd54

SHA1
ece45065d87225b56d9d7c54b846d6046fc645be

SHA256
ebb07f264a66c72ec10ad77cb94e554bdf115931f53f58dab8121f544775e0a1

SHA512
c9e47f9196765a23230ab4fd26374d2b29237580f3a0163ce53d683b2ea350968e522b930777ac3ec69bcb545c4120419e117570c2f83a5bbdedeecd475738ec

Download Submit
C:\Windows\System\CEnjyPw.exe

Filesize
5.2MB

MD5
163f1aca576c2cfac51a022304e9f8ce

SHA1
ebda5c3407398db0685af4f1cde7b62611dcd228

SHA256
9d8e93bc17a0f869ecc43977c9580a26a5d60254779847e2f8ad2cd6e087d10c

SHA512
b2cb2bb130f9a3053fabae545a6b3068c5017edcc50016df0e2c6fc78bdd92f72a3ff0a9fcf113a7500111be8f82d1751731ac617bd219b2aa7b31e3fd5419fa

Download Submit
C:\Windows\System\DOtHvFj.exe

Filesize
5.2MB

MD5
f0939ba4f5f357f6cbbd1e415ea65dac

SHA1
c3eeed31bd84463c8f8409c6112874ea27b77735

SHA256
f7e042558edacb964d8b270dbc7cae0972da6af3b578a274d0b7384c5c6d46b2

SHA512
fc7c76c587ccc0e6d0676358576c117c0b865208346c9ebb8dba169b6a6a294b98e65147390d214f58a97f578630d717b8d21c209e72605e0661c406a09ae1da

Download Submit
C:\Windows\System\HkbclNL.exe

Filesize
5.2MB

MD5
6209614412315bf10902f545ed354f33

SHA1
0715249077404b76b423e8dc4e388bea542b4caa

SHA256
63745f9217b051d2d47a0442c96fe1ab9dab8222f226b8fb88ccde9c95a73763

SHA512
74cd599108463e863c17d53cca346f6f449248e285b9fe454b97fee6b9d396352f3c016d100b23c71160203ef3b85ae2b064d8cbb6375c8616ac7ad55fd4e135

Download Submit
C:\Windows\System\HurbcLP.exe

Filesize
5.2MB

MD5
608bf8113444ac720dbbc550201295d3

SHA1
b6b2ae64140409cb0a92194fb73036170bdd4d47

SHA256
ff20d3102fca238bcafd26ab9885bc3d4894b41c289e90a6d32b3906a7cdc5e8

SHA512
6d975dafe85f8109158ad564d7dc8bb97771e51c6f1cbda841ebe17741f29b97e1594f56877b29d83dae5233b6717e0058b322b8c2b7fddd5a6e89e87d0d84e7

Download Submit
C:\Windows\System\OjGtapC.exe

Filesize
5.2MB

MD5
50f072da4197c8ad152f9cf421b97829

SHA1
9b78cedc2f9d85af165dcde88873e6c425a53834

SHA256
7cbe150169f30a35b4f47ff814a9d78d5a289926451c6497e55463b6066cc070

SHA512
5db5205bb5567cb6398c70014b68bc350be5ed6698b5dcdef85ad1e3add76fa4c03c9d609439bc8f14a640db5d40b81939e5ffe34de0dd56e8cbc86606ea9a76

Download Submit
C:\Windows\System\XgnEMTJ.exe

Filesize
5.2MB

MD5
979816ce98d923419d68a187eddaa42f

SHA1
a425072162ad7321fd97b988f2e3dfd73c1384ca

SHA256
fd295842f018842acd222e27eff67673175bd3d5f723572bbedbbb01897bb791

SHA512
c24e126161ac7ab23843bb7d8d2c78c0e3d0f1ac9f1910e08a393583f3d06325fc674e6102ccf2974389f7b7eac6d37b6e348333efa72a9dc7690952d03b180d

Download Submit
C:\Windows\System\aeBhGIa.exe

Filesize
5.2MB

MD5
9866a64eebf91ed14435e1bdefda2cef

SHA1
1701bc866beaa6fe17a9a04afb7211660bf57918

SHA256
5c2eccd1547c4b3d9978202f129551c8e377ac09efa583970f2139ea096e9159

SHA512
7eb1388d66adfd70bd4f4f4ecc43c14f9cb88d898805f2c26cd6984daba3ef2936141832270c099589e51e02e60fc8f8c5930291c05e18c4664a5ce5527e13bd

Download Submit
C:\Windows\System\dIRUeZS.exe

Filesize
5.2MB

MD5
819028282258a0a92d4f1ee972f557f2

SHA1
520082edbaf672054d8ea3a67c137b53e0fb6c0c

SHA256
95a8a83c065f3593db36951b4673f0d149642f7cd0efdd2f06f3d54d22430931

SHA512
d6e7da5d7998fb205bae0dc923095f6506338727a698a96e3a499fd6a5263125adcc76cec1b258ff69f4608be91254fb8494d5b5372f2f760988eab791d476aa

Download Submit
C:\Windows\System\djGrXME.exe

Filesize
5.2MB

MD5
0215c5f6717ebbca017dbbf44234b775

SHA1
6939803e089f29754fa98211c292164cf997b688

SHA256
907d2f7427cbc98f701128ff95f4b857a01ec664f76b67cae0ed4ef219af7494

SHA512
886d4e7bcc106872665f059a04d46fe27da194ac0947a70e67e3fab89bf7ca23e5b1c5e501fe283c64f7ec458caabbc539c7f0216d20d367d574f74d52fb3a92

Download Submit
C:\Windows\System\eYhXHux.exe

Filesize
5.2MB

MD5
0920d8454a654ea344eefecc1380ff1b

SHA1
8cad47cba8a9c675b96a2ae5673a0e52e50ed86f

SHA256
7bdf6b79a93c836b3a6f3b6ab404782b4a290a1439ddd6efeffbc0fa3e03a203

SHA512
73382aa530527844714a79ae92e3cec201e7bca11699a72d552ec657f13f90bcce6241379a4837508f7856fb0ff437539cea0bc7339ca825f9382400757eb853

Download Submit
C:\Windows\System\fWJBDof.exe

Filesize
5.2MB

MD5
a9d1a0667cc1d218d7f253d20b7c0b7a

SHA1
32124c73ee6a59e9826ef05ff4b22bf7ccb54063

SHA256
0944d2105658f3d49d1080b3c04d1b76a012f0d8e77c84187e8b5f0bbddfd82e

SHA512
b9ae68e6d3190dc431e48acad3a8ada089acfa66ceaa48063be20e631f39b0ad4f236d9bf693635e6066f820709b67f3dc8e92bb52d435a6f1b5a67e539e501f

Download Submit
C:\Windows\System\fzlwfRE.exe

Filesize
5.2MB

MD5
cef72c45a8a1d54b4fccaa00fbcf6efe

SHA1
d0a9830adad647802a1723dc76491b6d37953da3

SHA256
9cb33b7d1955a1b6fd5e4978e4cae82232ea578b0150616b7a5e2f6638c771ac

SHA512
142e59a8ac3e559fa341f1e18bb3f9b0887843039ffa33c9759006bf9ec1cefddb965ef49bdc9ea4071356d29f800aab83e722951ba439070759aa62c40ef3a9

Download Submit
C:\Windows\System\jJDPcrA.exe

Filesize
5.2MB

MD5
69caa1daae598042c1016a528c446da3

SHA1
0b741561d9c2d65ee455c9ac2d991718442f0bf4

SHA256
f33263926e325e5064556b13f938170075c7568f3d9b890fbbbc2ae1325bf6cd

SHA512
af49f512e44c91fa3d65808ed7ddd575e7e6f0ec16d498e3d60865dd996ee99f32372e78278cf246c8496da21575f57f95f3e0078b09f897e8a02f2abbe8b736

Download Submit
C:\Windows\System\nFSfvxA.exe

Filesize
5.2MB

MD5
a8319c985bd8ff2284b19d5e49b52383

SHA1
00e00da8ee60c9801bf578f5f5f07a1c915efc01

SHA256
8be278adc31683d1bd9e464687e7829e9cfc8e32f218cf08a04ef46d5d8de475

SHA512
464fe7429e233fb66b7af807cb5fd7728fba7e0d4daf3e1a310f62e9854f278a4852749420564866cb3a41e4b25cf5f11d20571d229f9c88e0d94851423b3d3d

Download Submit
C:\Windows\System\pziGuym.exe

Filesize
5.2MB

MD5
f3d97cfd0cfc0afc879a2209b161bde0

SHA1
f7ad722772c7185c201cc7a33a60f259b3a53289

SHA256
db303dcf7db2b51d74d01defd1ed84ad4ecae223906ea608814c72dcb8e7eadd

SHA512
ed8183870743e92d8c338334e866c90e28131c98b7f3e127a4cd4b82e9d68ff379be7c301d79aed75771903890c2e92c179f3ee09ac6c6736a8a22f04a90dfd8

Download Submit
C:\Windows\System\tjuFzPH.exe

Filesize
5.2MB

MD5
090df9015965e07d92a60718d61efb44

SHA1
665f0220d11a91d5d5db1700cd834194017b6857

SHA256
ba21a0e0db5bcf571e883bc43b1679b98b41f410043a4c56fbf52c8e36f7307d

SHA512
285a445df7e527170a270f8dc0e0473c78369910353f63ee61522d1fd9d489e4323c094925e305ba31df0752be52b477eb44f7db3fa0192383a2dd414aff4f54

Download Submit
C:\Windows\System\wHXEdTU.exe

Filesize
5.2MB

MD5
b76d4305f822cfd1a6cdc88b90b1904d

SHA1
f4e14b77be8d1a5e05ad7b22fc98c8ef2a3d9e74

SHA256
1228428097dee49f8cb8246cfc7f78b0dfe878b3efabea20abc6add7780cb901

SHA512
cd143e914bfe7d809c59b2321d29ee442382f340cc90b8b0b68fb8be8c8f98ebf9cf194899c6a4eb8f804bf5d49b01d6a43ac97d49b4dc40078bc92dc2f83b32

Download Submit
C:\Windows\System\wwvSZtQ.exe

Filesize
5.2MB

MD5
b19245a8dfddeeb70cc11dd61d95b874

SHA1
0b40ad98d2c56db6427126e6f1ee375fe146e5df

SHA256
2c9e342bf28147b0ff6ff77d8102a6b7a7252ae349573baf807abcc37d739501

SHA512
6910ad3c680b09d97af56d6ba6ca875a55de40502c3771da3e571056b96a064701ee3dedf451941a763582441ad954bdb299c409729581b186881eed3cb31717

Download Submit
C:\Windows\System\yzpRKLW.exe

Filesize
5.2MB

MD5
10bd0ccdf5921ec3ba10a95aed94bd71

SHA1
8856ecad1c413f01c82be32451844a3d029f0e31

SHA256
c48162108f2ae5f6809c34b9e32754dec90ab1f51bc9f9cdf0c46bb88914a203

SHA512
aea12d5c9ffc7e4f39d651b1fc02a8e06a93cc5977fe24479e9e948a7011cd8201a2217ee38e323fd9c22816275a8741b3c58c04d80c92d7b9e1ab9b0a2b7344

Download Submit
C:\Windows\System\zQeCTzw.exe

Filesize
5.2MB

MD5
762f46637738e0eaf21ac77f93d7be6a

SHA1
e36761007ca14770d0f56743c702f830a2557734

SHA256
84a487ca2edfcbcdb0ce79a4358221fe129ed3f9c11f4fec906617f2c1d796ee

SHA512
493b660d9e3a7b2e6d087f4e1dba89d89e8f6332c8757eff6c9940ab48f3cd58cdebbe7b19b66434e47ed8005ce1336e35d6c24c9c061bef26bac3b9b2bec822

Download Submit
memory/116-21-0x00007FF658220000-0x00007FF658571000-memory.dmp

Filesize
3.3MB

Download
memory/116-217-0x00007FF658220000-0x00007FF658571000-memory.dmp

Filesize
3.3MB

Download
memory/116-130-0x00007FF658220000-0x00007FF658571000-memory.dmp

Filesize
3.3MB

Download
memory/456-54-0x00007FF786E00000-0x00007FF787151000-memory.dmp

Filesize
3.3MB

Download
memory/456-225-0x00007FF786E00000-0x00007FF787151000-memory.dmp

Filesize
3.3MB

Download
memory/968-131-0x00007FF6F4E40000-0x00007FF6F5191000-memory.dmp

Filesize
3.3MB

Download
memory/968-219-0x00007FF6F4E40000-0x00007FF6F5191000-memory.dmp

Filesize
3.3MB

Download
memory/968-31-0x00007FF6F4E40000-0x00007FF6F5191000-memory.dmp

Filesize
3.3MB

Download
memory/1592-137-0x00007FF7BB6B0000-0x00007FF7BBA01000-memory.dmp

Filesize
3.3MB

Download
memory/1592-230-0x00007FF7BB6B0000-0x00007FF7BBA01000-memory.dmp

Filesize
3.3MB

Download
memory/1592-79-0x00007FF7BB6B0000-0x00007FF7BBA01000-memory.dmp

Filesize
3.3MB

Download
memory/1688-238-0x00007FF679520000-0x00007FF679871000-memory.dmp

Filesize
3.3MB

Download
memory/1688-138-0x00007FF679520000-0x00007FF679871000-memory.dmp

Filesize
3.3MB

Download
memory/1688-66-0x00007FF679520000-0x00007FF679871000-memory.dmp

Filesize
3.3MB

Download
memory/1768-254-0x00007FF645430000-0x00007FF645781000-memory.dmp

Filesize
3.3MB

Download
memory/1768-116-0x00007FF645430000-0x00007FF645781000-memory.dmp

Filesize
3.3MB

Download
memory/1932-215-0x00007FF7453D0000-0x00007FF745721000-memory.dmp

Filesize
3.3MB

Download
memory/1932-6-0x00007FF7453D0000-0x00007FF745721000-memory.dmp

Filesize
3.3MB

Download
memory/1932-129-0x00007FF7453D0000-0x00007FF745721000-memory.dmp

Filesize
3.3MB

Download
memory/2264-240-0x00007FF651460000-0x00007FF6517B1000-memory.dmp

Filesize
3.3MB

Download
memory/2264-123-0x00007FF651460000-0x00007FF6517B1000-memory.dmp

Filesize
3.3MB

Download
memory/2608-236-0x00007FF79C9C0000-0x00007FF79CD11000-memory.dmp

Filesize
3.3MB

Download
memory/2608-91-0x00007FF79C9C0000-0x00007FF79CD11000-memory.dmp

Filesize
3.3MB

Download
memory/2608-139-0x00007FF79C9C0000-0x00007FF79CD11000-memory.dmp

Filesize
3.3MB

Download
memory/2696-259-0x00007FF70EAC0000-0x00007FF70EE11000-memory.dmp

Filesize
3.3MB

Download
memory/2696-124-0x00007FF70EAC0000-0x00007FF70EE11000-memory.dmp

Filesize
3.3MB

Download
memory/2696-143-0x00007FF70EAC0000-0x00007FF70EE11000-memory.dmp

Filesize
3.3MB

Download
memory/2812-120-0x00007FF6CC1B0000-0x00007FF6CC501000-memory.dmp

Filesize
3.3MB

Download
memory/2812-253-0x00007FF6CC1B0000-0x00007FF6CC501000-memory.dmp

Filesize
3.3MB

Download
memory/2868-142-0x00007FF7EA6C0000-0x00007FF7EAA11000-memory.dmp

Filesize
3.3MB

Download
memory/2868-242-0x00007FF7EA6C0000-0x00007FF7EAA11000-memory.dmp

Filesize
3.3MB

Download
memory/2868-92-0x00007FF7EA6C0000-0x00007FF7EAA11000-memory.dmp

Filesize
3.3MB

Download
memory/2996-249-0x00007FF6DCEE0000-0x00007FF6DD231000-memory.dmp

Filesize
3.3MB

Download
memory/2996-126-0x00007FF6DCEE0000-0x00007FF6DD231000-memory.dmp

Filesize
3.3MB

Download
memory/3124-115-0x00007FF73BDE0000-0x00007FF73C131000-memory.dmp

Filesize
3.3MB

Download
memory/3124-144-0x00007FF73BDE0000-0x00007FF73C131000-memory.dmp

Filesize
3.3MB

Download
memory/3124-256-0x00007FF73BDE0000-0x00007FF73C131000-memory.dmp

Filesize
3.3MB

Download
memory/3336-33-0x00007FF6059F0000-0x00007FF605D41000-memory.dmp

Filesize
3.3MB

Download
memory/3336-221-0x00007FF6059F0000-0x00007FF605D41000-memory.dmp

Filesize
3.3MB

Download
memory/3336-133-0x00007FF6059F0000-0x00007FF605D41000-memory.dmp

Filesize
3.3MB

Download
memory/3472-140-0x00007FF7F63F0000-0x00007FF7F6741000-memory.dmp

Filesize
3.3MB

Download
memory/3472-106-0x00007FF7F63F0000-0x00007FF7F6741000-memory.dmp

Filesize
3.3MB

Download
memory/3472-245-0x00007FF7F63F0000-0x00007FF7F6741000-memory.dmp

Filesize
3.3MB

Download
memory/3516-55-0x00007FF608970000-0x00007FF608CC1000-memory.dmp

Filesize
3.3MB

Download
memory/3516-136-0x00007FF608970000-0x00007FF608CC1000-memory.dmp

Filesize
3.3MB

Download
memory/3516-227-0x00007FF608970000-0x00007FF608CC1000-memory.dmp

Filesize
3.3MB

Download
memory/3576-223-0x00007FF78FF50000-0x00007FF7902A1000-memory.dmp

Filesize
3.3MB

Download
memory/3576-45-0x00007FF78FF50000-0x00007FF7902A1000-memory.dmp

Filesize
3.3MB

Download
memory/3576-134-0x00007FF78FF50000-0x00007FF7902A1000-memory.dmp

Filesize
3.3MB

Download
memory/4576-119-0x00007FF7353D0000-0x00007FF735721000-memory.dmp

Filesize
3.3MB

Download
memory/4576-246-0x00007FF7353D0000-0x00007FF735721000-memory.dmp

Filesize
3.3MB

Download
memory/5012-125-0x00007FF70BB90000-0x00007FF70BEE1000-memory.dmp

Filesize
3.3MB

Download
memory/5012-250-0x00007FF70BB90000-0x00007FF70BEE1000-memory.dmp

Filesize
3.3MB

Download
memory/5036-231-0x00007FF61B050000-0x00007FF61B3A1000-memory.dmp

Filesize
3.3MB

Download
memory/5036-132-0x00007FF61B050000-0x00007FF61B3A1000-memory.dmp

Filesize
3.3MB

Download
memory/5036-47-0x00007FF61B050000-0x00007FF61B3A1000-memory.dmp

Filesize
3.3MB

Download
memory/5104-151-0x00007FF6BE300000-0x00007FF6BE651000-memory.dmp

Filesize
3.3MB

Download
memory/5104-150-0x00007FF6BE300000-0x00007FF6BE651000-memory.dmp

Filesize
3.3MB

Download
memory/5104-128-0x00007FF6BE300000-0x00007FF6BE651000-memory.dmp

Filesize
3.3MB

Download
memory/5104-0-0x00007FF6BE300000-0x00007FF6BE651000-memory.dmp

Filesize
3.3MB

Download
memory/5104-1-0x000002563BE10000-0x000002563BE20000-memory.dmp

Filesize
64KB

Download