cobaltstrike | 069790fc4b3a6021b36f184275207d6e47ae243acff760578fef178fd2df2b7b

Analysis

max time kernel
140s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08/09/2024, 10:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-08_843044785e9efe7cb67431bd45bdece9_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

843044785e9efe7cb67431bd45bdece9
SHA1

9023362478ab1551e62156375727153f0ee2eb57
SHA256

069790fc4b3a6021b36f184275207d6e47ae243acff760578fef178fd2df2b7b
SHA512

c970cb72f0c0878788a0dbd419821a376d69297ed666129641373330798ce542e00d8c17a41b7d2ecf426bf85b29c3dcb2925b57b4f8999c75e2dd50bb1883da
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lK:RWWBibf56utgpPFotBER/mQ32lUO

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x00080000000234cc-5.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ce-22.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d0-29.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234cf-32.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d2-34.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d5-75.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d8-74.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d9-89.dat	cobalt_reflective_dll
behavioral2/files/0x00090000000234ca-96.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234da-94.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d6-71.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d7-67.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d4-66.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d3-55.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d1-33.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234cd-11.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234db-104.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234dc-110.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234dd-119.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234e0-128.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234de-127.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/2584-92-0x00007FF6C4020000-0x00007FF6C4371000-memory.dmp	xmrig
behavioral2/memory/4352-91-0x00007FF68B010000-0x00007FF68B361000-memory.dmp	xmrig
behavioral2/memory/1752-64-0x00007FF7C9750000-0x00007FF7C9AA1000-memory.dmp	xmrig
behavioral2/memory/2904-99-0x00007FF72F310000-0x00007FF72F661000-memory.dmp	xmrig
behavioral2/memory/4828-100-0x00007FF6120E0000-0x00007FF612431000-memory.dmp	xmrig
behavioral2/memory/1880-117-0x00007FF670100000-0x00007FF670451000-memory.dmp	xmrig
behavioral2/memory/4432-109-0x00007FF795420000-0x00007FF795771000-memory.dmp	xmrig
behavioral2/memory/528-106-0x00007FF6ADA70000-0x00007FF6ADDC1000-memory.dmp	xmrig
behavioral2/memory/4604-130-0x00007FF7EFA80000-0x00007FF7EFDD1000-memory.dmp	xmrig
behavioral2/memory/1140-125-0x00007FF770590000-0x00007FF7708E1000-memory.dmp	xmrig
behavioral2/memory/3972-131-0x00007FF603C00000-0x00007FF603F51000-memory.dmp	xmrig
behavioral2/memory/2888-123-0x00007FF753E80000-0x00007FF7541D1000-memory.dmp	xmrig
behavioral2/memory/2904-136-0x00007FF72F310000-0x00007FF72F661000-memory.dmp	xmrig
behavioral2/memory/1052-137-0x00007FF65CF20000-0x00007FF65D271000-memory.dmp	xmrig
behavioral2/memory/4568-139-0x00007FF75F390000-0x00007FF75F6E1000-memory.dmp	xmrig
behavioral2/memory/2876-153-0x00007FF7B9960000-0x00007FF7B9CB1000-memory.dmp	xmrig
behavioral2/memory/100-154-0x00007FF6E8A00000-0x00007FF6E8D51000-memory.dmp	xmrig
behavioral2/memory/1836-152-0x00007FF6B4470000-0x00007FF6B47C1000-memory.dmp	xmrig
behavioral2/memory/1156-151-0x00007FF6B7470000-0x00007FF6B77C1000-memory.dmp	xmrig
behavioral2/memory/4048-156-0x00007FF711AA0000-0x00007FF711DF1000-memory.dmp	xmrig
behavioral2/memory/3284-157-0x00007FF7508C0000-0x00007FF750C11000-memory.dmp	xmrig
behavioral2/memory/452-160-0x00007FF6C8770000-0x00007FF6C8AC1000-memory.dmp	xmrig
behavioral2/memory/2260-161-0x00007FF7F96F0000-0x00007FF7F9A41000-memory.dmp	xmrig
behavioral2/memory/2904-162-0x00007FF72F310000-0x00007FF72F661000-memory.dmp	xmrig
behavioral2/memory/4828-218-0x00007FF6120E0000-0x00007FF612431000-memory.dmp	xmrig
behavioral2/memory/528-220-0x00007FF6ADA70000-0x00007FF6ADDC1000-memory.dmp	xmrig
behavioral2/memory/1880-222-0x00007FF670100000-0x00007FF670451000-memory.dmp	xmrig
behavioral2/memory/2888-226-0x00007FF753E80000-0x00007FF7541D1000-memory.dmp	xmrig
behavioral2/memory/4604-224-0x00007FF7EFA80000-0x00007FF7EFDD1000-memory.dmp	xmrig
behavioral2/memory/1140-228-0x00007FF770590000-0x00007FF7708E1000-memory.dmp	xmrig
behavioral2/memory/1752-239-0x00007FF7C9750000-0x00007FF7C9AA1000-memory.dmp	xmrig
behavioral2/memory/3972-238-0x00007FF603C00000-0x00007FF603F51000-memory.dmp	xmrig
behavioral2/memory/2584-241-0x00007FF6C4020000-0x00007FF6C4371000-memory.dmp	xmrig
behavioral2/memory/4568-245-0x00007FF75F390000-0x00007FF75F6E1000-memory.dmp	xmrig
behavioral2/memory/1052-244-0x00007FF65CF20000-0x00007FF65D271000-memory.dmp	xmrig
behavioral2/memory/4352-247-0x00007FF68B010000-0x00007FF68B361000-memory.dmp	xmrig
behavioral2/memory/1156-249-0x00007FF6B7470000-0x00007FF6B77C1000-memory.dmp	xmrig
behavioral2/memory/1836-251-0x00007FF6B4470000-0x00007FF6B47C1000-memory.dmp	xmrig
behavioral2/memory/100-254-0x00007FF6E8A00000-0x00007FF6E8D51000-memory.dmp	xmrig
behavioral2/memory/2876-255-0x00007FF7B9960000-0x00007FF7B9CB1000-memory.dmp	xmrig
behavioral2/memory/4432-260-0x00007FF795420000-0x00007FF795771000-memory.dmp	xmrig
behavioral2/memory/4048-262-0x00007FF711AA0000-0x00007FF711DF1000-memory.dmp	xmrig
behavioral2/memory/3284-264-0x00007FF7508C0000-0x00007FF750C11000-memory.dmp	xmrig
behavioral2/memory/2260-269-0x00007FF7F96F0000-0x00007FF7F9A41000-memory.dmp	xmrig
behavioral2/memory/452-267-0x00007FF6C8770000-0x00007FF6C8AC1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4828	XJlewno.exe
528	YeXTYqB.exe
1880	wbcVHMq.exe
2888	DGZxvxe.exe
1140	XbwBqWV.exe
4604	XLoHXqj.exe
3972	dqbtuMI.exe
1752	mcgcgZy.exe
1052	SImFXLo.exe
4352	SLsBhcF.exe
4568	pgHGjHY.exe
2584	CXJZXzp.exe
1156	RIMkjni.exe
1836	sqObFLh.exe
2876	ltDfSEq.exe
100	aLehHSt.exe
4432	TMdRCeJ.exe
4048	EYlEaEB.exe
3284	XfOqsNg.exe
452	LZSxEbN.exe
2260	jAqHPkL.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2904-0-0x00007FF72F310000-0x00007FF72F661000-memory.dmp	upx
behavioral2/files/0x00080000000234cc-5.dat	upx
behavioral2/memory/528-14-0x00007FF6ADA70000-0x00007FF6ADDC1000-memory.dmp	upx
behavioral2/memory/1880-18-0x00007FF670100000-0x00007FF670451000-memory.dmp	upx
behavioral2/files/0x00070000000234ce-22.dat	upx
behavioral2/files/0x00070000000234d0-29.dat	upx
behavioral2/files/0x00070000000234cf-32.dat	upx
behavioral2/files/0x00070000000234d2-34.dat	upx
behavioral2/files/0x00070000000234d5-75.dat	upx
behavioral2/files/0x00070000000234d8-74.dat	upx
behavioral2/memory/1156-79-0x00007FF6B7470000-0x00007FF6B77C1000-memory.dmp	upx
behavioral2/files/0x00070000000234d9-89.dat	upx
behavioral2/files/0x00090000000234ca-96.dat	upx
behavioral2/memory/2876-98-0x00007FF7B9960000-0x00007FF7B9CB1000-memory.dmp	upx
behavioral2/files/0x00070000000234da-94.dat	upx
behavioral2/memory/100-93-0x00007FF6E8A00000-0x00007FF6E8D51000-memory.dmp	upx
behavioral2/memory/2584-92-0x00007FF6C4020000-0x00007FF6C4371000-memory.dmp	upx
behavioral2/memory/4352-91-0x00007FF68B010000-0x00007FF68B361000-memory.dmp	upx
behavioral2/memory/1836-86-0x00007FF6B4470000-0x00007FF6B47C1000-memory.dmp	upx
behavioral2/memory/4568-78-0x00007FF75F390000-0x00007FF75F6E1000-memory.dmp	upx
behavioral2/files/0x00070000000234d6-71.dat	upx
behavioral2/files/0x00070000000234d7-67.dat	upx
behavioral2/files/0x00070000000234d4-66.dat	upx
behavioral2/memory/1752-64-0x00007FF7C9750000-0x00007FF7C9AA1000-memory.dmp	upx
behavioral2/files/0x00070000000234d3-55.dat	upx
behavioral2/memory/1052-54-0x00007FF65CF20000-0x00007FF65D271000-memory.dmp	upx
behavioral2/memory/3972-53-0x00007FF603C00000-0x00007FF603F51000-memory.dmp	upx
behavioral2/memory/4604-45-0x00007FF7EFA80000-0x00007FF7EFDD1000-memory.dmp	upx
behavioral2/memory/1140-36-0x00007FF770590000-0x00007FF7708E1000-memory.dmp	upx
behavioral2/files/0x00070000000234d1-33.dat	upx
behavioral2/memory/2888-26-0x00007FF753E80000-0x00007FF7541D1000-memory.dmp	upx
behavioral2/memory/4828-12-0x00007FF6120E0000-0x00007FF612431000-memory.dmp	upx
behavioral2/files/0x00070000000234cd-11.dat	upx
behavioral2/memory/2904-99-0x00007FF72F310000-0x00007FF72F661000-memory.dmp	upx
behavioral2/memory/4828-100-0x00007FF6120E0000-0x00007FF612431000-memory.dmp	upx
behavioral2/files/0x00070000000234db-104.dat	upx
behavioral2/files/0x00070000000234dc-110.dat	upx
behavioral2/memory/1880-117-0x00007FF670100000-0x00007FF670451000-memory.dmp	upx
behavioral2/files/0x00070000000234dd-119.dat	upx
behavioral2/memory/3284-118-0x00007FF7508C0000-0x00007FF750C11000-memory.dmp	upx
behavioral2/memory/4048-115-0x00007FF711AA0000-0x00007FF711DF1000-memory.dmp	upx
behavioral2/memory/4432-109-0x00007FF795420000-0x00007FF795771000-memory.dmp	upx
behavioral2/memory/528-106-0x00007FF6ADA70000-0x00007FF6ADDC1000-memory.dmp	upx
behavioral2/files/0x00070000000234e0-128.dat	upx
behavioral2/memory/4604-130-0x00007FF7EFA80000-0x00007FF7EFDD1000-memory.dmp	upx
behavioral2/memory/452-129-0x00007FF6C8770000-0x00007FF6C8AC1000-memory.dmp	upx
behavioral2/memory/1140-125-0x00007FF770590000-0x00007FF7708E1000-memory.dmp	upx
behavioral2/memory/2260-134-0x00007FF7F96F0000-0x00007FF7F9A41000-memory.dmp	upx
behavioral2/memory/3972-131-0x00007FF603C00000-0x00007FF603F51000-memory.dmp	upx
behavioral2/files/0x00070000000234de-127.dat	upx
behavioral2/memory/2888-123-0x00007FF753E80000-0x00007FF7541D1000-memory.dmp	upx
behavioral2/memory/2904-136-0x00007FF72F310000-0x00007FF72F661000-memory.dmp	upx
behavioral2/memory/1052-137-0x00007FF65CF20000-0x00007FF65D271000-memory.dmp	upx
behavioral2/memory/4568-139-0x00007FF75F390000-0x00007FF75F6E1000-memory.dmp	upx
behavioral2/memory/2876-153-0x00007FF7B9960000-0x00007FF7B9CB1000-memory.dmp	upx
behavioral2/memory/100-154-0x00007FF6E8A00000-0x00007FF6E8D51000-memory.dmp	upx
behavioral2/memory/1836-152-0x00007FF6B4470000-0x00007FF6B47C1000-memory.dmp	upx
behavioral2/memory/1156-151-0x00007FF6B7470000-0x00007FF6B77C1000-memory.dmp	upx
behavioral2/memory/4048-156-0x00007FF711AA0000-0x00007FF711DF1000-memory.dmp	upx
behavioral2/memory/3284-157-0x00007FF7508C0000-0x00007FF750C11000-memory.dmp	upx
behavioral2/memory/452-160-0x00007FF6C8770000-0x00007FF6C8AC1000-memory.dmp	upx
behavioral2/memory/2260-161-0x00007FF7F96F0000-0x00007FF7F9A41000-memory.dmp	upx
behavioral2/memory/2904-162-0x00007FF72F310000-0x00007FF72F661000-memory.dmp	upx
behavioral2/memory/4828-218-0x00007FF6120E0000-0x00007FF612431000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\pgHGjHY.exe	2024-09-08_843044785e9efe7cb67431bd45bdece9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TMdRCeJ.exe	2024-09-08_843044785e9efe7cb67431bd45bdece9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EYlEaEB.exe	2024-09-08_843044785e9efe7cb67431bd45bdece9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wbcVHMq.exe	2024-09-08_843044785e9efe7cb67431bd45bdece9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SImFXLo.exe	2024-09-08_843044785e9efe7cb67431bd45bdece9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RIMkjni.exe	2024-09-08_843044785e9efe7cb67431bd45bdece9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sqObFLh.exe	2024-09-08_843044785e9efe7cb67431bd45bdece9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aLehHSt.exe	2024-09-08_843044785e9efe7cb67431bd45bdece9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XJlewno.exe	2024-09-08_843044785e9efe7cb67431bd45bdece9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dqbtuMI.exe	2024-09-08_843044785e9efe7cb67431bd45bdece9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mcgcgZy.exe	2024-09-08_843044785e9efe7cb67431bd45bdece9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SLsBhcF.exe	2024-09-08_843044785e9efe7cb67431bd45bdece9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ltDfSEq.exe	2024-09-08_843044785e9efe7cb67431bd45bdece9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XbwBqWV.exe	2024-09-08_843044785e9efe7cb67431bd45bdece9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DGZxvxe.exe	2024-09-08_843044785e9efe7cb67431bd45bdece9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XLoHXqj.exe	2024-09-08_843044785e9efe7cb67431bd45bdece9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CXJZXzp.exe	2024-09-08_843044785e9efe7cb67431bd45bdece9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XfOqsNg.exe	2024-09-08_843044785e9efe7cb67431bd45bdece9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LZSxEbN.exe	2024-09-08_843044785e9efe7cb67431bd45bdece9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jAqHPkL.exe	2024-09-08_843044785e9efe7cb67431bd45bdece9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YeXTYqB.exe	2024-09-08_843044785e9efe7cb67431bd45bdece9_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2904	2024-09-08_843044785e9efe7cb67431bd45bdece9_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2904	2024-09-08_843044785e9efe7cb67431bd45bdece9_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2904 wrote to memory of 4828	2904	2024-09-08_843044785e9efe7cb67431bd45bdece9_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2904 wrote to memory of 4828	2904	2024-09-08_843044785e9efe7cb67431bd45bdece9_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2904 wrote to memory of 528	2904	2024-09-08_843044785e9efe7cb67431bd45bdece9_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2904 wrote to memory of 528	2904	2024-09-08_843044785e9efe7cb67431bd45bdece9_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2904 wrote to memory of 1880	2904	2024-09-08_843044785e9efe7cb67431bd45bdece9_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2904 wrote to memory of 1880	2904	2024-09-08_843044785e9efe7cb67431bd45bdece9_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2904 wrote to memory of 2888	2904	2024-09-08_843044785e9efe7cb67431bd45bdece9_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2904 wrote to memory of 2888	2904	2024-09-08_843044785e9efe7cb67431bd45bdece9_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2904 wrote to memory of 1140	2904	2024-09-08_843044785e9efe7cb67431bd45bdece9_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2904 wrote to memory of 1140	2904	2024-09-08_843044785e9efe7cb67431bd45bdece9_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2904 wrote to memory of 4604	2904	2024-09-08_843044785e9efe7cb67431bd45bdece9_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2904 wrote to memory of 4604	2904	2024-09-08_843044785e9efe7cb67431bd45bdece9_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2904 wrote to memory of 3972	2904	2024-09-08_843044785e9efe7cb67431bd45bdece9_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2904 wrote to memory of 3972	2904	2024-09-08_843044785e9efe7cb67431bd45bdece9_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2904 wrote to memory of 1752	2904	2024-09-08_843044785e9efe7cb67431bd45bdece9_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2904 wrote to memory of 1752	2904	2024-09-08_843044785e9efe7cb67431bd45bdece9_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2904 wrote to memory of 1052	2904	2024-09-08_843044785e9efe7cb67431bd45bdece9_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2904 wrote to memory of 1052	2904	2024-09-08_843044785e9efe7cb67431bd45bdece9_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2904 wrote to memory of 4352	2904	2024-09-08_843044785e9efe7cb67431bd45bdece9_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2904 wrote to memory of 4352	2904	2024-09-08_843044785e9efe7cb67431bd45bdece9_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2904 wrote to memory of 4568	2904	2024-09-08_843044785e9efe7cb67431bd45bdece9_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2904 wrote to memory of 4568	2904	2024-09-08_843044785e9efe7cb67431bd45bdece9_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2904 wrote to memory of 2584	2904	2024-09-08_843044785e9efe7cb67431bd45bdece9_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2904 wrote to memory of 2584	2904	2024-09-08_843044785e9efe7cb67431bd45bdece9_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2904 wrote to memory of 1156	2904	2024-09-08_843044785e9efe7cb67431bd45bdece9_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2904 wrote to memory of 1156	2904	2024-09-08_843044785e9efe7cb67431bd45bdece9_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2904 wrote to memory of 1836	2904	2024-09-08_843044785e9efe7cb67431bd45bdece9_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2904 wrote to memory of 1836	2904	2024-09-08_843044785e9efe7cb67431bd45bdece9_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2904 wrote to memory of 2876	2904	2024-09-08_843044785e9efe7cb67431bd45bdece9_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2904 wrote to memory of 2876	2904	2024-09-08_843044785e9efe7cb67431bd45bdece9_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2904 wrote to memory of 100	2904	2024-09-08_843044785e9efe7cb67431bd45bdece9_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2904 wrote to memory of 100	2904	2024-09-08_843044785e9efe7cb67431bd45bdece9_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2904 wrote to memory of 4432	2904	2024-09-08_843044785e9efe7cb67431bd45bdece9_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2904 wrote to memory of 4432	2904	2024-09-08_843044785e9efe7cb67431bd45bdece9_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2904 wrote to memory of 4048	2904	2024-09-08_843044785e9efe7cb67431bd45bdece9_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2904 wrote to memory of 4048	2904	2024-09-08_843044785e9efe7cb67431bd45bdece9_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2904 wrote to memory of 3284	2904	2024-09-08_843044785e9efe7cb67431bd45bdece9_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2904 wrote to memory of 3284	2904	2024-09-08_843044785e9efe7cb67431bd45bdece9_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2904 wrote to memory of 452	2904	2024-09-08_843044785e9efe7cb67431bd45bdece9_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2904 wrote to memory of 452	2904	2024-09-08_843044785e9efe7cb67431bd45bdece9_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2904 wrote to memory of 2260	2904	2024-09-08_843044785e9efe7cb67431bd45bdece9_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 2904 wrote to memory of 2260	2904	2024-09-08_843044785e9efe7cb67431bd45bdece9_cobalt-strike_cobaltstrike_poet-rat.exe	105

C:\Users\Admin\AppData\Local\Temp\2024-09-08_843044785e9efe7cb67431bd45bdece9_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-08_843044785e9efe7cb67431bd45bdece9_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Windows\System\XJlewno.exe
  C:\Windows\System\XJlewno.exe
  2⤵
  - Executes dropped EXE
  PID:4828
- C:\Windows\System\YeXTYqB.exe
  C:\Windows\System\YeXTYqB.exe
  2⤵
  - Executes dropped EXE
  PID:528
- C:\Windows\System\wbcVHMq.exe
  C:\Windows\System\wbcVHMq.exe
  2⤵
  - Executes dropped EXE
  PID:1880
- C:\Windows\System\DGZxvxe.exe
  C:\Windows\System\DGZxvxe.exe
  2⤵
  - Executes dropped EXE
  PID:2888
- C:\Windows\System\XbwBqWV.exe
  C:\Windows\System\XbwBqWV.exe
  2⤵
  - Executes dropped EXE
  PID:1140
- C:\Windows\System\XLoHXqj.exe
  C:\Windows\System\XLoHXqj.exe
  2⤵
  - Executes dropped EXE
  PID:4604
- C:\Windows\System\dqbtuMI.exe
  C:\Windows\System\dqbtuMI.exe
  2⤵
  - Executes dropped EXE
  PID:3972
- C:\Windows\System\mcgcgZy.exe
  C:\Windows\System\mcgcgZy.exe
  2⤵
  - Executes dropped EXE
  PID:1752
- C:\Windows\System\SImFXLo.exe
  C:\Windows\System\SImFXLo.exe
  2⤵
  - Executes dropped EXE
  PID:1052
- C:\Windows\System\SLsBhcF.exe
  C:\Windows\System\SLsBhcF.exe
  2⤵
  - Executes dropped EXE
  PID:4352
- C:\Windows\System\pgHGjHY.exe
  C:\Windows\System\pgHGjHY.exe
  2⤵
  - Executes dropped EXE
  PID:4568
- C:\Windows\System\CXJZXzp.exe
  C:\Windows\System\CXJZXzp.exe
  2⤵
  - Executes dropped EXE
  PID:2584
- C:\Windows\System\RIMkjni.exe
  C:\Windows\System\RIMkjni.exe
  2⤵
  - Executes dropped EXE
  PID:1156
- C:\Windows\System\sqObFLh.exe
  C:\Windows\System\sqObFLh.exe
  2⤵
  - Executes dropped EXE
  PID:1836
- C:\Windows\System\ltDfSEq.exe
  C:\Windows\System\ltDfSEq.exe
  2⤵
  - Executes dropped EXE
  PID:2876
- C:\Windows\System\aLehHSt.exe
  C:\Windows\System\aLehHSt.exe
  2⤵
  - Executes dropped EXE
  PID:100
- C:\Windows\System\TMdRCeJ.exe
  C:\Windows\System\TMdRCeJ.exe
  2⤵
  - Executes dropped EXE
  PID:4432
- C:\Windows\System\EYlEaEB.exe
  C:\Windows\System\EYlEaEB.exe
  2⤵
  - Executes dropped EXE
  PID:4048
- C:\Windows\System\XfOqsNg.exe
  C:\Windows\System\XfOqsNg.exe
  2⤵
  - Executes dropped EXE
  PID:3284
- C:\Windows\System\LZSxEbN.exe
  C:\Windows\System\LZSxEbN.exe
  2⤵
  - Executes dropped EXE
  PID:452
- C:\Windows\System\jAqHPkL.exe
  C:\Windows\System\jAqHPkL.exe
  2⤵
  - Executes dropped EXE
  PID:2260

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\CXJZXzp.exe

Filesize
5.2MB

MD5
7e7cdd0b5f3900751761275b0fdfd0df

SHA1
438194c4fbb3345aefc3f36ea41157bf243178d6

SHA256
ab2b4079cd731135c9a5c8277d3d854b96d784a639452c1086048c2c0062d706

SHA512
02c3df2e61f553bed3c0527af48c91290d87ebab1b48ecc73702a6379a42da5a18b063b8828175a3331e0927889c33097e86628b7229a3ed43cea6a9d85f0b14

Download Submit
C:\Windows\System\DGZxvxe.exe

Filesize
5.2MB

MD5
8720710ad3ca2b9088d30c684bce700b

SHA1
8e73b0cacc3c1e618eca854f258bec0a77de3269

SHA256
92b0bba0bd6eafde3186077e6650c800ef6be1480ac96c2e7080ad4158175635

SHA512
34e8110568853d29bf3c37f302d474a4a68558ee772e2a86aa6e29322e9eb8078d7f9e6907a1165906656f7809051036bab7fd6afe45489f13b4940b08002506

Download Submit
C:\Windows\System\EYlEaEB.exe

Filesize
5.2MB

MD5
33e21f2098ca6b07962bf66145c2caa4

SHA1
e2618c61f74f6ba9ad7ebec0ebc8aa14de68df0a

SHA256
0dda64dfa13ca0c59a19c78de5d75aa0ac1317c88eea93d611d241d508e7ba70

SHA512
808fcf4a876cde683a66144e60de92c881a3f7113ec91b5d0cc50c767b00baaf3de9a923effce9f34a5cb04b389bd0f96e1d9ad94906bafc32820e0f13ac9830

Download Submit
C:\Windows\System\LZSxEbN.exe

Filesize
5.2MB

MD5
075a674263650cb4308d6cfc04ed606d

SHA1
ae56e9aab646db65482d2dadaf266eb10e056635

SHA256
a7f492864fbddfc01c35aa0f7fc660eb1580127bcae466ce6a8161935d9e7423

SHA512
544c5aa917b67a23b7fc11f7672e4ab4ae9a25d41a4258b02014de68fc10f393abb24470e002f362a8a8dea8f32b3db65900c5175c483ef7a9a13f9d2542e52c

Download Submit
C:\Windows\System\RIMkjni.exe

Filesize
5.2MB

MD5
88b99f2e9272a7c7e0993b444547abc5

SHA1
32324d9e1cc4aaa2c6413ae45d6f2953ca436403

SHA256
95b91d94971838cb67431153a1cf897ba5f743d595467487e618a62957890a25

SHA512
16110576ba3d6d63f2ca0e0a7887204ca5f4d30ee578ec489854f4a551d7113641062df509950129cb4a3a08a8d631dbcf7149f18c5c63fe75f974dba3b46572

Download Submit
C:\Windows\System\SImFXLo.exe

Filesize
5.2MB

MD5
5a8866d3156e43013159aee6ec50da54

SHA1
71f4475331d14a01e13615d3ea549dcee2b94c1b

SHA256
30d3f7566baefdb52aead1f6b89da898fb5e12a22a38de3f136236c6937979da

SHA512
6e1c87947cf466e79ff0e48fbcf2251116db24ddde0b5a3f1bd00a8eecad7bb22b7b847e721c4dfea682a0e5b146775b2220af602b01e21e82d9538fe65b20bf

Download Submit
C:\Windows\System\SLsBhcF.exe

Filesize
5.2MB

MD5
ceca475a6fed46a40a32203bbcff474b

SHA1
ab6362d62412654932a9496ecbaba95ebac48cdd

SHA256
cbcf8b28dcd0c59c872e30807120c7b800ff02c8153e38290d116c164eda6c77

SHA512
1149747d7f448a01283023eda6e9b09e19f9d8f63d14e9dd04248c0fa06914e44c75f69dae026c06699be6f20829928746319f3605b1003c5b4d8bbb1ce64d8a

Download Submit
C:\Windows\System\TMdRCeJ.exe

Filesize
5.2MB

MD5
f9cedba4cef086622ef940d2717651f2

SHA1
f4228c1f1fb2ab79e0d186123c72f42ec484726a

SHA256
3f2c0f130bb170e9ff896f79e3b47d484dba84c50b53f977a9ac6301abbcb1b8

SHA512
60ac2b3ff945d718827a49a9333f3aa14c28d5a7903695054b28ab8152d97c6b81f88ac9749f5e998fa0ec0766892fa60598ad0132ad799263ee49fa75fc3caa

Download Submit
C:\Windows\System\XJlewno.exe

Filesize
5.2MB

MD5
4728f8170b7ffad404561b050d703fde

SHA1
abf4f32a1f60cae44062f3cbd51582a7cce88bc2

SHA256
33c11122d72e6cb89724ac20ed362a8d83c84c9131b7b3476c3d07aef16f0e9f

SHA512
6abb07aecc27e04dc8b9c36a9a746c9094f476f908c29b1a98fc2f65adf14d77be2372aca5393a135c6f6451c71aae020d12ac28ac673ccf906e160668248503

Download Submit
C:\Windows\System\XLoHXqj.exe

Filesize
5.2MB

MD5
6c2c9d15a80abc744a77561e457850cc

SHA1
5a87722d2979fd76268d81692606017f1d99b04a

SHA256
cdaf1679845b56189bf78ee0586bbc481e571d6a0ecb41d3942bb5f48b5d5f5a

SHA512
f3df55c22f23980040dd17568869364dd67aaf8809bb85effc3a96230222961e365ce3c4833a5aa33a4aaa8e75b79019f4549b9ba1d544aaf78673f1767f2df6

Download Submit
C:\Windows\System\XbwBqWV.exe

Filesize
5.2MB

MD5
d333db38b7eedea569c24ee62273a10e

SHA1
4eadea982f40baefdb0c85b2b491e5a31d39a645

SHA256
dc15f3ae2c9aa2144c0dd09a980a3eaf5f3a92bcbcb4ea145a6d985954817c39

SHA512
c0cb9e30eee84946c57f02eac3f3241b452fa5c4ce30b963f84dfd9057028211b74fb1d5184b75788ef56a8a4152c9d4c8f592592c3da89463768de1e9275ea2

Download Submit
C:\Windows\System\XfOqsNg.exe

Filesize
5.2MB

MD5
20bb74fdff20f31e05ad1ac4af827666

SHA1
3c500ddb6b5433b860044b44136d62d0023ceaea

SHA256
e759e8d629acac370c923df3621a53e84bb31ad9cf56b6281e0916c8ec4b71c0

SHA512
6e1b2afcf17cc32cf842c7b3aa69726d7b92f0fdfdbc78396a5b08c43cc820999dc8525bc6dc479e1a2153043c156a713b476e5faaff218a0c52a2374abf027a

Download Submit
C:\Windows\System\YeXTYqB.exe

Filesize
5.2MB

MD5
563ec7c8076c2f1a8088773f1c8ba632

SHA1
e4b571e566e407363ac7384fc3fdaa2cfa33d6fa

SHA256
864ad41f67c9b3ac069e885776eea03ec562a792c15e792bf2b13ba9e18852f4

SHA512
005edfe4d883ca6efc3d6e71cc6e4b9c5e127c8049b5c2f1c70110533daccc3f00e4e99bc785f8dd509e83c7691b711d03be51e29caccaf2ed0cdf19f313e982

Download Submit
C:\Windows\System\aLehHSt.exe

Filesize
5.2MB

MD5
d8358e4268b7a729fdf03623b5f4a376

SHA1
ead7ba4ada9fdf34d9e5d190694a052a7203d17c

SHA256
39cffda4703e6204fc82829d63e737e0ada967b60a49452e8b2031fc2cdf0af6

SHA512
97eb699fb0ad71d3a2c0d723239a5495739e334a6a84ddc6f2c5a9e40b29cfc59371b43375a3c8f91e72b85913e65bb885765cb8414690eba95a446c362b2a24

Download Submit
C:\Windows\System\dqbtuMI.exe

Filesize
5.2MB

MD5
d2bffc44dcbafbcd83940847b035b719

SHA1
2b650d0664f5e22f2d3468089c781e91bf77fb8e

SHA256
b2f121c07bdd35e80e3cd47dde57c02303f64c4b6c42b8c3c6b715443a82f612

SHA512
a0c0e1d7cb887872c31646c18855cffc4ddadf92e36e56b18954f80bafe1d1c20f88b24ab8119e4f4350875075f36557abef26ed02bf6bb468f8008648c23d3b

Download Submit
C:\Windows\System\jAqHPkL.exe

Filesize
5.2MB

MD5
929dca5b8adae6892d3ad8292a471ab0

SHA1
bc1c9a532780cc54d5a1bdd65c5b5ac78acdf63e

SHA256
03b1627ad9892d343c93924593c617a56b917d645c35852fe44d3e71c0a4099d

SHA512
741dce4b208caab00d3a5b5cf5da0c40cfb11687f44efbb23dda14cce416a0a4f79d66d59cc94d83bb4ade230e3c1beea05d3929531523d27a331c834b1ff2d0

Download Submit
C:\Windows\System\ltDfSEq.exe

Filesize
5.2MB

MD5
d74bbea9e349399bfdcf33b01e4dc04f

SHA1
0f917b6caa9620a295ed271a0f2b1681320fff60

SHA256
cead52178f1f9f51e84571d0bfe1251d4d830a435ded21e45dda7f6cba4469ac

SHA512
167c896ee06c658363d9fe8df07ea8045dfba85c868027fcc74e0dca357836b464fcab45e3e587fec700d093949c7828b91cec525a642939f663cb2cdca175bd

Download Submit
C:\Windows\System\mcgcgZy.exe

Filesize
5.2MB

MD5
68bf47adb6c7fecf23e95e84947d3d6a

SHA1
7abf7c9aa2a93621a4f7f1a35dbbe133e317d53e

SHA256
0021cbf3ca379a3e668954b45a423d3a3ec4feccd2babb916298e3f731b00d2b

SHA512
01f44de49f57013cb39224e9a91428c9720e33eac8ff0b6d9816a276099513756fbf06eac596a0992f74f6cd87a8e08b9e9429865f0fd702180c4430cd99173e

Download Submit
C:\Windows\System\pgHGjHY.exe

Filesize
5.2MB

MD5
8aecf92c76e5159aa42ee24d8e5ae5ee

SHA1
3df1ff6375dfe584a99b0f9512b08ac45b789c6e

SHA256
3ac7a55a8b66963f8e325eec1d0d28f4dc208d82451b7bacbec2f1b04e6b5d9f

SHA512
8773d9c52999f41e2409a74da1dd8ef08d68abebfc1739f2b1e863b27887d7eee6b2530f724102dff23b67dbbec5f1dc681d91ce433f2399c937a6106972222e

Download Submit
C:\Windows\System\sqObFLh.exe

Filesize
5.2MB

MD5
5f43e14da04132f0788bd332feed274a

SHA1
083d6c4311566be3fe51dab706d898d26af02165

SHA256
6a79c92081073d686890d42b164b9d18e40e338135b97806e7b4d23f67abd5f7

SHA512
ff8ceb603050057aea7ae97a9025244f493942c56b2dc6f8ded9b4082506c0514b59cc7eeb74d0825d884c2fa8833afa1d73557565a10a8443c9a6b36a3ba52b

Download Submit
C:\Windows\System\wbcVHMq.exe

Filesize
5.2MB

MD5
35245bb178b89d80ac68cb3d2df55248

SHA1
b577214a7a56070c9c0fe3faa2955b652ddfc14b

SHA256
8baa3c2452a119e05866222d2a3c0fb5f044c74c6f251c88ca324a4ab707621b

SHA512
9add261ba4104ba94756549455463cc49b3db81dfc3e307b9b9c1f76ef728cae6edb5a71399c74122adff1f3b7be22941a068b2fffa91568a8eedcb5d6466abd

Download Submit
memory/100-93-0x00007FF6E8A00000-0x00007FF6E8D51000-memory.dmp

Filesize
3.3MB

Download
memory/100-254-0x00007FF6E8A00000-0x00007FF6E8D51000-memory.dmp

Filesize
3.3MB

Download
memory/100-154-0x00007FF6E8A00000-0x00007FF6E8D51000-memory.dmp

Filesize
3.3MB

Download
memory/452-129-0x00007FF6C8770000-0x00007FF6C8AC1000-memory.dmp

Filesize
3.3MB

Download
memory/452-160-0x00007FF6C8770000-0x00007FF6C8AC1000-memory.dmp

Filesize
3.3MB

Download
memory/452-267-0x00007FF6C8770000-0x00007FF6C8AC1000-memory.dmp

Filesize
3.3MB

Download
memory/528-220-0x00007FF6ADA70000-0x00007FF6ADDC1000-memory.dmp

Filesize
3.3MB

Download
memory/528-106-0x00007FF6ADA70000-0x00007FF6ADDC1000-memory.dmp

Filesize
3.3MB

Download
memory/528-14-0x00007FF6ADA70000-0x00007FF6ADDC1000-memory.dmp

Filesize
3.3MB

Download
memory/1052-137-0x00007FF65CF20000-0x00007FF65D271000-memory.dmp

Filesize
3.3MB

Download
memory/1052-54-0x00007FF65CF20000-0x00007FF65D271000-memory.dmp

Filesize
3.3MB

Download
memory/1052-244-0x00007FF65CF20000-0x00007FF65D271000-memory.dmp

Filesize
3.3MB

Download
memory/1140-36-0x00007FF770590000-0x00007FF7708E1000-memory.dmp

Filesize
3.3MB

Download
memory/1140-228-0x00007FF770590000-0x00007FF7708E1000-memory.dmp

Filesize
3.3MB

Download
memory/1140-125-0x00007FF770590000-0x00007FF7708E1000-memory.dmp

Filesize
3.3MB

Download
memory/1156-79-0x00007FF6B7470000-0x00007FF6B77C1000-memory.dmp

Filesize
3.3MB

Download
memory/1156-151-0x00007FF6B7470000-0x00007FF6B77C1000-memory.dmp

Filesize
3.3MB

Download
memory/1156-249-0x00007FF6B7470000-0x00007FF6B77C1000-memory.dmp

Filesize
3.3MB

Download
memory/1752-64-0x00007FF7C9750000-0x00007FF7C9AA1000-memory.dmp

Filesize
3.3MB

Download
memory/1752-239-0x00007FF7C9750000-0x00007FF7C9AA1000-memory.dmp

Filesize
3.3MB

Download
memory/1836-86-0x00007FF6B4470000-0x00007FF6B47C1000-memory.dmp

Filesize
3.3MB

Download
memory/1836-251-0x00007FF6B4470000-0x00007FF6B47C1000-memory.dmp

Filesize
3.3MB

Download
memory/1836-152-0x00007FF6B4470000-0x00007FF6B47C1000-memory.dmp

Filesize
3.3MB

Download
memory/1880-222-0x00007FF670100000-0x00007FF670451000-memory.dmp

Filesize
3.3MB

Download
memory/1880-117-0x00007FF670100000-0x00007FF670451000-memory.dmp

Filesize
3.3MB

Download
memory/1880-18-0x00007FF670100000-0x00007FF670451000-memory.dmp

Filesize
3.3MB

Download
memory/2260-161-0x00007FF7F96F0000-0x00007FF7F9A41000-memory.dmp

Filesize
3.3MB

Download
memory/2260-134-0x00007FF7F96F0000-0x00007FF7F9A41000-memory.dmp

Filesize
3.3MB

Download
memory/2260-269-0x00007FF7F96F0000-0x00007FF7F9A41000-memory.dmp

Filesize
3.3MB

Download
memory/2584-92-0x00007FF6C4020000-0x00007FF6C4371000-memory.dmp

Filesize
3.3MB

Download
memory/2584-241-0x00007FF6C4020000-0x00007FF6C4371000-memory.dmp

Filesize
3.3MB

Download
memory/2876-98-0x00007FF7B9960000-0x00007FF7B9CB1000-memory.dmp

Filesize
3.3MB

Download
memory/2876-153-0x00007FF7B9960000-0x00007FF7B9CB1000-memory.dmp

Filesize
3.3MB

Download
memory/2876-255-0x00007FF7B9960000-0x00007FF7B9CB1000-memory.dmp

Filesize
3.3MB

Download
memory/2888-123-0x00007FF753E80000-0x00007FF7541D1000-memory.dmp

Filesize
3.3MB

Download
memory/2888-226-0x00007FF753E80000-0x00007FF7541D1000-memory.dmp

Filesize
3.3MB

Download
memory/2888-26-0x00007FF753E80000-0x00007FF7541D1000-memory.dmp

Filesize
3.3MB

Download
memory/2904-162-0x00007FF72F310000-0x00007FF72F661000-memory.dmp

Filesize
3.3MB

Download
memory/2904-1-0x000002655ADA0000-0x000002655ADB0000-memory.dmp

Filesize
64KB

Download
memory/2904-136-0x00007FF72F310000-0x00007FF72F661000-memory.dmp

Filesize
3.3MB

Download
memory/2904-0-0x00007FF72F310000-0x00007FF72F661000-memory.dmp

Filesize
3.3MB

Download
memory/2904-99-0x00007FF72F310000-0x00007FF72F661000-memory.dmp

Filesize
3.3MB

Download
memory/3284-118-0x00007FF7508C0000-0x00007FF750C11000-memory.dmp

Filesize
3.3MB

Download
memory/3284-157-0x00007FF7508C0000-0x00007FF750C11000-memory.dmp

Filesize
3.3MB

Download
memory/3284-264-0x00007FF7508C0000-0x00007FF750C11000-memory.dmp

Filesize
3.3MB

Download
memory/3972-238-0x00007FF603C00000-0x00007FF603F51000-memory.dmp

Filesize
3.3MB

Download
memory/3972-131-0x00007FF603C00000-0x00007FF603F51000-memory.dmp

Filesize
3.3MB

Download
memory/3972-53-0x00007FF603C00000-0x00007FF603F51000-memory.dmp

Filesize
3.3MB

Download
memory/4048-262-0x00007FF711AA0000-0x00007FF711DF1000-memory.dmp

Filesize
3.3MB

Download
memory/4048-115-0x00007FF711AA0000-0x00007FF711DF1000-memory.dmp

Filesize
3.3MB

Download
memory/4048-156-0x00007FF711AA0000-0x00007FF711DF1000-memory.dmp

Filesize
3.3MB

Download
memory/4352-247-0x00007FF68B010000-0x00007FF68B361000-memory.dmp

Filesize
3.3MB

Download
memory/4352-91-0x00007FF68B010000-0x00007FF68B361000-memory.dmp

Filesize
3.3MB

Download
memory/4432-109-0x00007FF795420000-0x00007FF795771000-memory.dmp

Filesize
3.3MB

Download
memory/4432-260-0x00007FF795420000-0x00007FF795771000-memory.dmp

Filesize
3.3MB

Download
memory/4568-245-0x00007FF75F390000-0x00007FF75F6E1000-memory.dmp

Filesize
3.3MB

Download
memory/4568-78-0x00007FF75F390000-0x00007FF75F6E1000-memory.dmp

Filesize
3.3MB

Download
memory/4568-139-0x00007FF75F390000-0x00007FF75F6E1000-memory.dmp

Filesize
3.3MB

Download
memory/4604-45-0x00007FF7EFA80000-0x00007FF7EFDD1000-memory.dmp

Filesize
3.3MB

Download
memory/4604-130-0x00007FF7EFA80000-0x00007FF7EFDD1000-memory.dmp

Filesize
3.3MB

Download
memory/4604-224-0x00007FF7EFA80000-0x00007FF7EFDD1000-memory.dmp

Filesize
3.3MB

Download
memory/4828-100-0x00007FF6120E0000-0x00007FF612431000-memory.dmp

Filesize
3.3MB

Download
memory/4828-12-0x00007FF6120E0000-0x00007FF612431000-memory.dmp

Filesize
3.3MB

Download
memory/4828-218-0x00007FF6120E0000-0x00007FF612431000-memory.dmp

Filesize
3.3MB

Download