cobaltstrike | b870887edf730f6cebac8d51dc5b3736134a3da20122de9338daf5fb936d3846

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08/09/2024, 10:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

8726882b7c0bcac8a0d5a85f95ab8e80
SHA1

2509ffc945702365ab7ec8d55501635bbb258167
SHA256

b870887edf730f6cebac8d51dc5b3736134a3da20122de9338daf5fb936d3846
SHA512

1b9f6abfc2c6f4bc31467bdc229254ddd8d72bb727b3a2f76f0d2d4c9447bd0a6df6d655bdd11aedac22bda74c92edfea7ce6465810baa7ed761cc86a3040dbc
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l5:RWWBibf56utgpPFotBER/mQ32lUF

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000800000002360a-5.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002360c-10.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002360b-15.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002360d-23.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002360f-34.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023610-44.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023611-49.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002360e-37.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023608-55.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023613-56.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023614-62.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023615-66.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023619-95.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023618-102.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002361d-125.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002361c-120.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002361b-113.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002361a-107.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023616-82.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023617-78.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002361e-130.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/1432-122-0x00007FF7C8190000-0x00007FF7C84E1000-memory.dmp	xmrig
behavioral2/memory/4744-123-0x00007FF6E6CE0000-0x00007FF6E7031000-memory.dmp	xmrig
behavioral2/memory/3600-106-0x00007FF733610000-0x00007FF733961000-memory.dmp	xmrig
behavioral2/memory/1612-105-0x00007FF68ABF0000-0x00007FF68AF41000-memory.dmp	xmrig
behavioral2/memory/1652-104-0x00007FF6DED80000-0x00007FF6DF0D1000-memory.dmp	xmrig
behavioral2/memory/4460-97-0x00007FF7B3CE0000-0x00007FF7B4031000-memory.dmp	xmrig
behavioral2/memory/2428-96-0x00007FF72C7C0000-0x00007FF72CB11000-memory.dmp	xmrig
behavioral2/memory/784-84-0x00007FF607220000-0x00007FF607571000-memory.dmp	xmrig
behavioral2/memory/116-77-0x00007FF723770000-0x00007FF723AC1000-memory.dmp	xmrig
behavioral2/memory/4208-136-0x00007FF7F2340000-0x00007FF7F2691000-memory.dmp	xmrig
behavioral2/memory/4060-140-0x00007FF7103D0000-0x00007FF710721000-memory.dmp	xmrig
behavioral2/memory/2448-139-0x00007FF67ED00000-0x00007FF67F051000-memory.dmp	xmrig
behavioral2/memory/5092-138-0x00007FF678E30000-0x00007FF679181000-memory.dmp	xmrig
behavioral2/memory/2444-137-0x00007FF789090000-0x00007FF7893E1000-memory.dmp	xmrig
behavioral2/memory/4764-134-0x00007FF6D2290000-0x00007FF6D25E1000-memory.dmp	xmrig
behavioral2/memory/116-128-0x00007FF723770000-0x00007FF723AC1000-memory.dmp	xmrig
behavioral2/memory/3576-144-0x00007FF692F10000-0x00007FF693261000-memory.dmp	xmrig
behavioral2/memory/4940-151-0x00007FF6AF670000-0x00007FF6AF9C1000-memory.dmp	xmrig
behavioral2/memory/1300-152-0x00007FF795C70000-0x00007FF795FC1000-memory.dmp	xmrig
behavioral2/memory/1228-150-0x00007FF7A4D90000-0x00007FF7A50E1000-memory.dmp	xmrig
behavioral2/memory/2108-146-0x00007FF63A460000-0x00007FF63A7B1000-memory.dmp	xmrig
behavioral2/memory/3328-154-0x00007FF6956D0000-0x00007FF695A21000-memory.dmp	xmrig
behavioral2/memory/3288-155-0x00007FF773EE0000-0x00007FF774231000-memory.dmp	xmrig
behavioral2/memory/116-156-0x00007FF723770000-0x00007FF723AC1000-memory.dmp	xmrig
behavioral2/memory/1652-208-0x00007FF6DED80000-0x00007FF6DF0D1000-memory.dmp	xmrig
behavioral2/memory/1612-210-0x00007FF68ABF0000-0x00007FF68AF41000-memory.dmp	xmrig
behavioral2/memory/1432-212-0x00007FF7C8190000-0x00007FF7C84E1000-memory.dmp	xmrig
behavioral2/memory/2448-217-0x00007FF67ED00000-0x00007FF67F051000-memory.dmp	xmrig
behavioral2/memory/4764-219-0x00007FF6D2290000-0x00007FF6D25E1000-memory.dmp	xmrig
behavioral2/memory/4208-221-0x00007FF7F2340000-0x00007FF7F2691000-memory.dmp	xmrig
behavioral2/memory/4060-223-0x00007FF7103D0000-0x00007FF710721000-memory.dmp	xmrig
behavioral2/memory/2444-225-0x00007FF789090000-0x00007FF7893E1000-memory.dmp	xmrig
behavioral2/memory/5092-239-0x00007FF678E30000-0x00007FF679181000-memory.dmp	xmrig
behavioral2/memory/784-241-0x00007FF607220000-0x00007FF607571000-memory.dmp	xmrig
behavioral2/memory/2108-244-0x00007FF63A460000-0x00007FF63A7B1000-memory.dmp	xmrig
behavioral2/memory/4460-249-0x00007FF7B3CE0000-0x00007FF7B4031000-memory.dmp	xmrig
behavioral2/memory/3576-247-0x00007FF692F10000-0x00007FF693261000-memory.dmp	xmrig
behavioral2/memory/2428-246-0x00007FF72C7C0000-0x00007FF72CB11000-memory.dmp	xmrig
behavioral2/memory/3328-260-0x00007FF6956D0000-0x00007FF695A21000-memory.dmp	xmrig
behavioral2/memory/4744-261-0x00007FF6E6CE0000-0x00007FF6E7031000-memory.dmp	xmrig
behavioral2/memory/1228-256-0x00007FF7A4D90000-0x00007FF7A50E1000-memory.dmp	xmrig
behavioral2/memory/1300-254-0x00007FF795C70000-0x00007FF795FC1000-memory.dmp	xmrig
behavioral2/memory/3600-258-0x00007FF733610000-0x00007FF733961000-memory.dmp	xmrig
behavioral2/memory/4940-252-0x00007FF6AF670000-0x00007FF6AF9C1000-memory.dmp	xmrig
behavioral2/memory/3288-264-0x00007FF773EE0000-0x00007FF774231000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
1652	rpEAijh.exe
1612	YDmKLtY.exe
1432	XCCTwru.exe
2448	YmQSeyA.exe
4764	HtitxQb.exe
4060	LByULfv.exe
4208	QDsqYcv.exe
2444	ywvysQw.exe
5092	nlQeEir.exe
3576	qTNrbnD.exe
784	IPsottg.exe
2108	ERuZySe.exe
4460	Maevvec.exe
2428	mlwyIup.exe
3600	bYePfBV.exe
1228	tHPmnxm.exe
4940	EPwUlDx.exe
1300	OXjhTkt.exe
4744	ykQwMjs.exe
3328	SCLXzLn.exe
3288	dgwgwZT.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/116-0-0x00007FF723770000-0x00007FF723AC1000-memory.dmp	upx
behavioral2/files/0x000800000002360a-5.dat	upx
behavioral2/files/0x000700000002360c-10.dat	upx
behavioral2/files/0x000700000002360b-15.dat	upx
behavioral2/files/0x000700000002360d-23.dat	upx
behavioral2/memory/1432-24-0x00007FF7C8190000-0x00007FF7C84E1000-memory.dmp	upx
behavioral2/memory/2448-27-0x00007FF67ED00000-0x00007FF67F051000-memory.dmp	upx
behavioral2/memory/1612-16-0x00007FF68ABF0000-0x00007FF68AF41000-memory.dmp	upx
behavioral2/files/0x000700000002360f-34.dat	upx
behavioral2/memory/4060-39-0x00007FF7103D0000-0x00007FF710721000-memory.dmp	upx
behavioral2/files/0x0007000000023610-44.dat	upx
behavioral2/files/0x0007000000023611-49.dat	upx
behavioral2/memory/2444-48-0x00007FF789090000-0x00007FF7893E1000-memory.dmp	upx
behavioral2/memory/4208-40-0x00007FF7F2340000-0x00007FF7F2691000-memory.dmp	upx
behavioral2/files/0x000700000002360e-37.dat	upx
behavioral2/memory/4764-35-0x00007FF6D2290000-0x00007FF6D25E1000-memory.dmp	upx
behavioral2/memory/1652-7-0x00007FF6DED80000-0x00007FF6DF0D1000-memory.dmp	upx
behavioral2/files/0x0008000000023608-55.dat	upx
behavioral2/files/0x0007000000023613-56.dat	upx
behavioral2/files/0x0007000000023614-62.dat	upx
behavioral2/memory/5092-59-0x00007FF678E30000-0x00007FF679181000-memory.dmp	upx
behavioral2/files/0x0007000000023615-66.dat	upx
behavioral2/files/0x0007000000023619-95.dat	upx
behavioral2/files/0x0007000000023618-102.dat	upx
behavioral2/memory/1228-109-0x00007FF7A4D90000-0x00007FF7A50E1000-memory.dmp	upx
behavioral2/memory/1300-116-0x00007FF795C70000-0x00007FF795FC1000-memory.dmp	upx
behavioral2/memory/1432-122-0x00007FF7C8190000-0x00007FF7C84E1000-memory.dmp	upx
behavioral2/files/0x000700000002361d-125.dat	upx
behavioral2/memory/3328-124-0x00007FF6956D0000-0x00007FF695A21000-memory.dmp	upx
behavioral2/memory/4744-123-0x00007FF6E6CE0000-0x00007FF6E7031000-memory.dmp	upx
behavioral2/files/0x000700000002361c-120.dat	upx
behavioral2/memory/4940-117-0x00007FF6AF670000-0x00007FF6AF9C1000-memory.dmp	upx
behavioral2/files/0x000700000002361b-113.dat	upx
behavioral2/files/0x000700000002361a-107.dat	upx
behavioral2/memory/3600-106-0x00007FF733610000-0x00007FF733961000-memory.dmp	upx
behavioral2/memory/1612-105-0x00007FF68ABF0000-0x00007FF68AF41000-memory.dmp	upx
behavioral2/memory/1652-104-0x00007FF6DED80000-0x00007FF6DF0D1000-memory.dmp	upx
behavioral2/memory/4460-97-0x00007FF7B3CE0000-0x00007FF7B4031000-memory.dmp	upx
behavioral2/memory/2428-96-0x00007FF72C7C0000-0x00007FF72CB11000-memory.dmp	upx
behavioral2/memory/784-84-0x00007FF607220000-0x00007FF607571000-memory.dmp	upx
behavioral2/files/0x0007000000023616-82.dat	upx
behavioral2/files/0x0007000000023617-78.dat	upx
behavioral2/memory/116-77-0x00007FF723770000-0x00007FF723AC1000-memory.dmp	upx
behavioral2/memory/2108-71-0x00007FF63A460000-0x00007FF63A7B1000-memory.dmp	upx
behavioral2/memory/3576-69-0x00007FF692F10000-0x00007FF693261000-memory.dmp	upx
behavioral2/files/0x000700000002361e-130.dat	upx
behavioral2/memory/4208-136-0x00007FF7F2340000-0x00007FF7F2691000-memory.dmp	upx
behavioral2/memory/4060-140-0x00007FF7103D0000-0x00007FF710721000-memory.dmp	upx
behavioral2/memory/3288-141-0x00007FF773EE0000-0x00007FF774231000-memory.dmp	upx
behavioral2/memory/2448-139-0x00007FF67ED00000-0x00007FF67F051000-memory.dmp	upx
behavioral2/memory/5092-138-0x00007FF678E30000-0x00007FF679181000-memory.dmp	upx
behavioral2/memory/2444-137-0x00007FF789090000-0x00007FF7893E1000-memory.dmp	upx
behavioral2/memory/4764-134-0x00007FF6D2290000-0x00007FF6D25E1000-memory.dmp	upx
behavioral2/memory/116-128-0x00007FF723770000-0x00007FF723AC1000-memory.dmp	upx
behavioral2/memory/3576-144-0x00007FF692F10000-0x00007FF693261000-memory.dmp	upx
behavioral2/memory/4940-151-0x00007FF6AF670000-0x00007FF6AF9C1000-memory.dmp	upx
behavioral2/memory/1300-152-0x00007FF795C70000-0x00007FF795FC1000-memory.dmp	upx
behavioral2/memory/1228-150-0x00007FF7A4D90000-0x00007FF7A50E1000-memory.dmp	upx
behavioral2/memory/2108-146-0x00007FF63A460000-0x00007FF63A7B1000-memory.dmp	upx
behavioral2/memory/3328-154-0x00007FF6956D0000-0x00007FF695A21000-memory.dmp	upx
behavioral2/memory/3288-155-0x00007FF773EE0000-0x00007FF774231000-memory.dmp	upx
behavioral2/memory/116-156-0x00007FF723770000-0x00007FF723AC1000-memory.dmp	upx
behavioral2/memory/1652-208-0x00007FF6DED80000-0x00007FF6DF0D1000-memory.dmp	upx
behavioral2/memory/1612-210-0x00007FF68ABF0000-0x00007FF68AF41000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\OXjhTkt.exe	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ywvysQw.exe	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qTNrbnD.exe	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\Maevvec.exe	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bYePfBV.exe	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IPsottg.exe	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mlwyIup.exe	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ykQwMjs.exe	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SCLXzLn.exe	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rpEAijh.exe	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YmQSeyA.exe	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QDsqYcv.exe	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nlQeEir.exe	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XCCTwru.exe	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HtitxQb.exe	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LByULfv.exe	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EPwUlDx.exe	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YDmKLtY.exe	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ERuZySe.exe	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tHPmnxm.exe	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dgwgwZT.exe	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	116	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	116	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 116 wrote to memory of 1652	116	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 116 wrote to memory of 1652	116	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 116 wrote to memory of 1612	116	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 116 wrote to memory of 1612	116	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 116 wrote to memory of 1432	116	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 116 wrote to memory of 1432	116	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 116 wrote to memory of 2448	116	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 116 wrote to memory of 2448	116	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 116 wrote to memory of 4764	116	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 116 wrote to memory of 4764	116	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 116 wrote to memory of 4060	116	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 116 wrote to memory of 4060	116	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 116 wrote to memory of 4208	116	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 116 wrote to memory of 4208	116	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 116 wrote to memory of 2444	116	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 116 wrote to memory of 2444	116	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 116 wrote to memory of 5092	116	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 116 wrote to memory of 5092	116	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 116 wrote to memory of 3576	116	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 116 wrote to memory of 3576	116	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 116 wrote to memory of 784	116	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 116 wrote to memory of 784	116	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 116 wrote to memory of 2108	116	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 116 wrote to memory of 2108	116	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 116 wrote to memory of 4460	116	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 116 wrote to memory of 4460	116	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 116 wrote to memory of 2428	116	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe	108
PID 116 wrote to memory of 2428	116	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe	108
PID 116 wrote to memory of 3600	116	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe	109
PID 116 wrote to memory of 3600	116	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe	109
PID 116 wrote to memory of 1228	116	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe	110
PID 116 wrote to memory of 1228	116	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe	110
PID 116 wrote to memory of 4940	116	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe	111
PID 116 wrote to memory of 4940	116	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe	111
PID 116 wrote to memory of 1300	116	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe	112
PID 116 wrote to memory of 1300	116	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe	112
PID 116 wrote to memory of 4744	116	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe	113
PID 116 wrote to memory of 4744	116	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe	113
PID 116 wrote to memory of 3328	116	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe	114
PID 116 wrote to memory of 3328	116	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe	114
PID 116 wrote to memory of 3288	116	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe	115
PID 116 wrote to memory of 3288	116	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe	115

C:\Users\Admin\AppData\Local\Temp\2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:116
- C:\Windows\System\rpEAijh.exe
  C:\Windows\System\rpEAijh.exe
  2⤵
  - Executes dropped EXE
  PID:1652
- C:\Windows\System\YDmKLtY.exe
  C:\Windows\System\YDmKLtY.exe
  2⤵
  - Executes dropped EXE
  PID:1612
- C:\Windows\System\XCCTwru.exe
  C:\Windows\System\XCCTwru.exe
  2⤵
  - Executes dropped EXE
  PID:1432
- C:\Windows\System\YmQSeyA.exe
  C:\Windows\System\YmQSeyA.exe
  2⤵
  - Executes dropped EXE
  PID:2448
- C:\Windows\System\HtitxQb.exe
  C:\Windows\System\HtitxQb.exe
  2⤵
  - Executes dropped EXE
  PID:4764
- C:\Windows\System\LByULfv.exe
  C:\Windows\System\LByULfv.exe
  2⤵
  - Executes dropped EXE
  PID:4060
- C:\Windows\System\QDsqYcv.exe
  C:\Windows\System\QDsqYcv.exe
  2⤵
  - Executes dropped EXE
  PID:4208
- C:\Windows\System\ywvysQw.exe
  C:\Windows\System\ywvysQw.exe
  2⤵
  - Executes dropped EXE
  PID:2444
- C:\Windows\System\nlQeEir.exe
  C:\Windows\System\nlQeEir.exe
  2⤵
  - Executes dropped EXE
  PID:5092
- C:\Windows\System\qTNrbnD.exe
  C:\Windows\System\qTNrbnD.exe
  2⤵
  - Executes dropped EXE
  PID:3576
- C:\Windows\System\IPsottg.exe
  C:\Windows\System\IPsottg.exe
  2⤵
  - Executes dropped EXE
  PID:784
- C:\Windows\System\ERuZySe.exe
  C:\Windows\System\ERuZySe.exe
  2⤵
  - Executes dropped EXE
  PID:2108
- C:\Windows\System\Maevvec.exe
  C:\Windows\System\Maevvec.exe
  2⤵
  - Executes dropped EXE
  PID:4460
- C:\Windows\System\mlwyIup.exe
  C:\Windows\System\mlwyIup.exe
  2⤵
  - Executes dropped EXE
  PID:2428
- C:\Windows\System\bYePfBV.exe
  C:\Windows\System\bYePfBV.exe
  2⤵
  - Executes dropped EXE
  PID:3600
- C:\Windows\System\tHPmnxm.exe
  C:\Windows\System\tHPmnxm.exe
  2⤵
  - Executes dropped EXE
  PID:1228
- C:\Windows\System\EPwUlDx.exe
  C:\Windows\System\EPwUlDx.exe
  2⤵
  - Executes dropped EXE
  PID:4940
- C:\Windows\System\OXjhTkt.exe
  C:\Windows\System\OXjhTkt.exe
  2⤵
  - Executes dropped EXE
  PID:1300
- C:\Windows\System\ykQwMjs.exe
  C:\Windows\System\ykQwMjs.exe
  2⤵
  - Executes dropped EXE
  PID:4744
- C:\Windows\System\SCLXzLn.exe
  C:\Windows\System\SCLXzLn.exe
  2⤵
  - Executes dropped EXE
  PID:3328
- C:\Windows\System\dgwgwZT.exe
  C:\Windows\System\dgwgwZT.exe
  2⤵
  - Executes dropped EXE
  PID:3288

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4392,i,3861745594156495651,17595114179815238301,262144 --variations-seed-version --mojo-platform-channel-handle=3868 /prefetch:8
1⤵
PID:4736

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\EPwUlDx.exe

Filesize
5.2MB

MD5
9632b4e2c6d93208ad6fa534ec736a04

SHA1
5130378e5789d786eab2d94db249ed2372f9ae5f

SHA256
77df7eea979952a000da62a45846b5a9b7b7922c97300ceb5209d4e069029c05

SHA512
37c5cf626b5bfa09118864814b2f53eaffda02b09155a3fb9ac2a5d24bf67baaf9307e25d41fd01e1f0e6c317e85027985beff25d1f177680040fccb2ed1c66a

Download Submit
C:\Windows\System\ERuZySe.exe

Filesize
5.2MB

MD5
f116410ba79b9c31c006fcc4ba3fdd16

SHA1
ac688d888ba55508343e1f9a837df678d3f4c18c

SHA256
a59e0448730f61d16c21a1f015da94f4041bee63d1360365e5de3eef07847b65

SHA512
f74f6e2f71f1c654eff4e7dde61cc704cb1943a06c94ca6f4bc75473be17d28556067756327ae4e560ea32b075ab5621b5c34e54e4a448f5ebb4079cbc5afc7f

Download Submit
C:\Windows\System\HtitxQb.exe

Filesize
5.2MB

MD5
7204362c02d8e6702ee822ae88712cb0

SHA1
7e1069d4cda62f517422917b8caeb3325b53c33e

SHA256
92e7bace6252b1d01c520b038dd6074423c6d3bd9d1e5f87066fb72044fc5f7c

SHA512
154907f73d4444138f0f0892cfffd6054c6dbd47fabcf5b9d97f6fb64978f8439f2f184969f80732cccb322a7458fd1a096070660faaed8099375be3cd13c3d2

Download Submit
C:\Windows\System\IPsottg.exe

Filesize
5.2MB

MD5
299cdf3438763d7eb6ef244ff31203a3

SHA1
d862c876c080ee3f31b500f7b9a4e76978e2b445

SHA256
a3e57c83f007f187e1259014b25e4fb8c16882174d747f9da2d1f0d83122db07

SHA512
e05b45d1ceb84c438b7fc344fff13da19732fe744d00bcd3afb874796bb0527632ff2a629b466ebff41a19e7e692cadc6ac6fbb16cbad43a4193066290ae9d74

Download Submit
C:\Windows\System\LByULfv.exe

Filesize
5.2MB

MD5
72375d5626dc7d77a98d35148eff7159

SHA1
44b7f87d17e7409619d9d1e943580935d5fe6d42

SHA256
8eae70429903a1b345acc3ee286fee543be97b4bd06239fcac679f82f13184e4

SHA512
f62eb41ba5cb3f8809ae22bcf2a8824644511c62f9528d8d604ed32b834167b7e7782f34b7c68b3327464864a2d4d5d3ab62a634ec184b4bffbb70728d96dce1

Download Submit
C:\Windows\System\Maevvec.exe

Filesize
5.2MB

MD5
cce6ee83fcd6ec0d76addefcd7afe32b

SHA1
cad48308bb9bcd9f003138b344a58899cb149f4b

SHA256
6a2f59558d833bc53504c55718241e85701777b772a41a3cb5b47160484db9e1

SHA512
aebd8b7559b1bee439e0959efb7f58cae01ec36061d97ec0bb1cb22dbbd355c815c1c40655aa7526d8ea0dfe313e17112188d06fb20d35fda7859b8d4c594e8d

Download Submit
C:\Windows\System\OXjhTkt.exe

Filesize
5.2MB

MD5
d5da74c1326064123770df7dd688abc5

SHA1
274330503e280b2b23f3e64b085ed65fcef15243

SHA256
ec20cd80781c6bf1552bbe43f0d8b1ccb04e9b2f69bb05538a28bc3a1d67bc43

SHA512
7192b8b71dafddae453498c7582c3ea48b1fa85ec7bd2b4d01603f0ada2ea46d340ef145450f1322a27a36f8431707c695534113f3ee232c0c187293fcd4c318

Download Submit
C:\Windows\System\QDsqYcv.exe

Filesize
5.2MB

MD5
269702910ca1b0214b3c341bd2bac6c7

SHA1
b532525ebfd5ea2f84e2298732aa6cf4b5f8f6e9

SHA256
e8f6a2ac703d7fe0e1ac3af58ac824d6cd85b8c6058f4d3a6b1bdb41846faafb

SHA512
24b48c48f326839fb5bb81f90252f94342ed1eb502fc6afd2ea37c64c5befabe7c576eea6b23289e502bbb9f7d9b57886bfcf29e26c561e70f9c799af3ad3776

Download Submit
C:\Windows\System\SCLXzLn.exe

Filesize
5.2MB

MD5
8a0e75f0dee12712ffe61c81c359905a

SHA1
32233d95d0f6123aac78d4439a0871feefea7a1a

SHA256
99b111d12ec2f1c9afc524aac923bc3f82cbb2dbc6617d9db2af20c771381c16

SHA512
e609c0d49a6240edb172e57a666f4c02a7b0f4af2b2625811555068ecb16dfc7e26c56a8145c9cef890bb7f39b9d98cd419fd6fb10717c02c4ec35e80cc88963

Download Submit
C:\Windows\System\XCCTwru.exe

Filesize
5.2MB

MD5
96c76d792811096ca9bf45cc6cd1df72

SHA1
58eb2428c4849c5650068fb47810b2c4fa2fbddc

SHA256
359adb3dfdc3acc6b71ac88000f0eb07bfb1e4fea694c9c45a975c0759e68cf3

SHA512
18bd49b910edfa4401e7cf49adfd4f4df7029a2b26060ac32ca10778ba3d64b83d22ea694498fed3883cb5f639b3e4180bb93687b96d829c2c6cf82e8ee1c829

Download Submit
C:\Windows\System\YDmKLtY.exe

Filesize
5.2MB

MD5
0978b88fac63dc9a928e7fa09696ebc9

SHA1
89b113cef716b84b7d1b3eb1ab189382575ac09d

SHA256
79e03e950441b6dc477a8e9609bc5ef9d42a1398d03b2c56c52b2296d825a301

SHA512
8786472c071d122aeac79012967b3176e036681eb5ad75b47c449a9a22605b810a8f85d5a71e783fc4cc1e68ba14053575b2a18572a8d0be669342972a24287c

Download Submit
C:\Windows\System\YmQSeyA.exe

Filesize
5.2MB

MD5
3f1d6b58fdaccc7ee4b6904ff8dee691

SHA1
34757158fad4abfa49eaece0121db7c2ccf4aa5b

SHA256
9c75b573b501c9c628616039ea2ac6429904f3e7c13f85b188447ca72cf24c4b

SHA512
5d7255e4a5a4d92be854681db665f79a4aff120c5c0e6e5a1a758d6261b16b3040781ae2ebf088949fe3c24ca16370625186a3cda8175031234183349dab4f5f

Download Submit
C:\Windows\System\bYePfBV.exe

Filesize
5.2MB

MD5
630a7c59317244e04bb9b74d8188c3df

SHA1
30f9a5d25993b27c02001e8b823d2bbbe748b904

SHA256
1dd7e1ee380db3510ba122ab6413608dbdc26478d97979855052998c93fb24ca

SHA512
abe7b72d3650bc4352958b076101676ea9e3a493b1c9b70bfa86bcf409229007ff1d4e34c38a556f7ac0a0b0dd3de263b9902a47289a594633eccb6efe123f72

Download Submit
C:\Windows\System\dgwgwZT.exe

Filesize
5.2MB

MD5
6934984f310a1686e3f1f1883dffd4e5

SHA1
768cd8dbed028164bf9f661f17c7b2bfbbed1f83

SHA256
41a7a664c09bdfda3d0ba60543a395181a5646ac1b766d64fc2764b4abd12591

SHA512
16b7fe2608252fe9b23e129f170cc487bae058e98af6222342755505751777ac0f7e54d7f44b8fe68123b399061f5873881f1acc277d6ddcc3c3f60718ce0a43

Download Submit
C:\Windows\System\mlwyIup.exe

Filesize
5.2MB

MD5
726cbb3187e37085f239b41c6e9edb4c

SHA1
643ef0bbcd36878b87ec7c53e9b54988beb3affc

SHA256
fc75d20682f33cfa15a67eb228331a6282e35c291b14aeb58fcf1ee4fa214d20

SHA512
42cd54d6948aa5790b2217f53083c2cb5a67a37d686e6204768591f034f055c6f5825c1896dae7c5e7254f9672b854c8addc39682adfb572d5616381a2eaf4fc

Download Submit
C:\Windows\System\nlQeEir.exe

Filesize
5.2MB

MD5
d3eeaa03e3978b8b4b6223e41fbd7752

SHA1
809931694e89a2140775ae6b9e35bf51accc9aec

SHA256
f65ef8ecb07dad362c60e6a32bb1c560755c3ab21a7b40946649931ac00f6b34

SHA512
4e62bfae945bb2e253b0a2d26bee4ba03a202d9e34a08bf91999675da14f685a70ffc6db066cb99330b78eb1f4a4a41f86a47e073e3f0bff6e71c03e90e90a73

Download Submit
C:\Windows\System\qTNrbnD.exe

Filesize
5.2MB

MD5
1d927e6d03cd0be33dfe1f8fe4ac1655

SHA1
2154b2875b84da5d479c9df6f62c2a240d6615d7

SHA256
47315806c89126546f01febb30ccc66d2426e868640cdfce616eb90ef6f96d4b

SHA512
639d0bd17a02041f7899fa4c4bcb98e04d7cf9e19f291bf06195527ecaae086967784e70d3b7d1f35689f3036e5c0d7ba9b8ba20c00a4cc61ab96860850e20b2

Download Submit
C:\Windows\System\rpEAijh.exe

Filesize
5.2MB

MD5
5dd60953c8da95051de28585f3390c87

SHA1
e295aec0d57c15b9193dc38a3a75995978af8aaf

SHA256
3e22d6aa90099ddfa25971e3509b7266302d44c50934e64654f2f9258a99afa8

SHA512
98b977b21c21b8e67ce404fbef34713c5b9380270281c1de0e5671229babeecd4afb7bc03881ab096cbca954696e4d9bd136ac5f9856b0b8c9987cdbab557239

Download Submit
C:\Windows\System\tHPmnxm.exe

Filesize
5.2MB

MD5
b1c74fa8d2d3ad3aa038686593f924c1

SHA1
64e1e9c8591a28a4fef22a49aa5cdcaf39075da1

SHA256
3dbc3d655095c380c351fafa8f54ef00504fdc5b1a67e1121a56375e9e8d5094

SHA512
0d533121bc6dbadc3e316414075c684bce1d026deb782d64d823c08f11187a3e15fb349c9cd04bdc52ce478b2b25bbe50ec1ceda472716b994535f6f80cb8a46

Download Submit
C:\Windows\System\ykQwMjs.exe

Filesize
5.2MB

MD5
7068c2e19fbaa2db0647a4876820b64f

SHA1
aa37f935cd141f1406c9b5c005293d2f66e25311

SHA256
04812c26ab29a6deab7dda02d74926853b977f4493a1ac47807f33c7770d6a11

SHA512
ccb79d9c29116fa936a4f421f295183e7eb12b464a2351f5849ceb563f9b499fbf3180b74f1a343b196810c31e1fc146e1d74b690759207d8034464b9c719593

Download Submit
C:\Windows\System\ywvysQw.exe

Filesize
5.2MB

MD5
331f5604b4c8f555d663c8b328bc1876

SHA1
4108eb268e2bf6cf674de7512cd17fcd3395d33c

SHA256
cdcf81b9f6be31ba1fb7b05cb13316ab48f5d4d8107160f0f4f82daef9b819d4

SHA512
5ea606993561a7beb1dd643231b9473ba7d62cd972e75c46f67c4a3b3ba894d3c46efd846f7b3bbf6aad99e8e62ba35730a9527d9a8aa7df92dd9a48b64d5d28

Download Submit
memory/116-156-0x00007FF723770000-0x00007FF723AC1000-memory.dmp

Filesize
3.3MB

Download
memory/116-1-0x00000260A0990000-0x00000260A09A0000-memory.dmp

Filesize
64KB

Download
memory/116-128-0x00007FF723770000-0x00007FF723AC1000-memory.dmp

Filesize
3.3MB

Download
memory/116-77-0x00007FF723770000-0x00007FF723AC1000-memory.dmp

Filesize
3.3MB

Download
memory/116-0-0x00007FF723770000-0x00007FF723AC1000-memory.dmp

Filesize
3.3MB

Download
memory/784-84-0x00007FF607220000-0x00007FF607571000-memory.dmp

Filesize
3.3MB

Download
memory/784-241-0x00007FF607220000-0x00007FF607571000-memory.dmp

Filesize
3.3MB

Download
memory/1228-256-0x00007FF7A4D90000-0x00007FF7A50E1000-memory.dmp

Filesize
3.3MB

Download
memory/1228-150-0x00007FF7A4D90000-0x00007FF7A50E1000-memory.dmp

Filesize
3.3MB

Download
memory/1228-109-0x00007FF7A4D90000-0x00007FF7A50E1000-memory.dmp

Filesize
3.3MB

Download
memory/1300-116-0x00007FF795C70000-0x00007FF795FC1000-memory.dmp

Filesize
3.3MB

Download
memory/1300-152-0x00007FF795C70000-0x00007FF795FC1000-memory.dmp

Filesize
3.3MB

Download
memory/1300-254-0x00007FF795C70000-0x00007FF795FC1000-memory.dmp

Filesize
3.3MB

Download
memory/1432-212-0x00007FF7C8190000-0x00007FF7C84E1000-memory.dmp

Filesize
3.3MB

Download
memory/1432-24-0x00007FF7C8190000-0x00007FF7C84E1000-memory.dmp

Filesize
3.3MB

Download
memory/1432-122-0x00007FF7C8190000-0x00007FF7C84E1000-memory.dmp

Filesize
3.3MB

Download
memory/1612-16-0x00007FF68ABF0000-0x00007FF68AF41000-memory.dmp

Filesize
3.3MB

Download
memory/1612-105-0x00007FF68ABF0000-0x00007FF68AF41000-memory.dmp

Filesize
3.3MB

Download
memory/1612-210-0x00007FF68ABF0000-0x00007FF68AF41000-memory.dmp

Filesize
3.3MB

Download
memory/1652-104-0x00007FF6DED80000-0x00007FF6DF0D1000-memory.dmp

Filesize
3.3MB

Download
memory/1652-208-0x00007FF6DED80000-0x00007FF6DF0D1000-memory.dmp

Filesize
3.3MB

Download
memory/1652-7-0x00007FF6DED80000-0x00007FF6DF0D1000-memory.dmp

Filesize
3.3MB

Download
memory/2108-146-0x00007FF63A460000-0x00007FF63A7B1000-memory.dmp

Filesize
3.3MB

Download
memory/2108-71-0x00007FF63A460000-0x00007FF63A7B1000-memory.dmp

Filesize
3.3MB

Download
memory/2108-244-0x00007FF63A460000-0x00007FF63A7B1000-memory.dmp

Filesize
3.3MB

Download
memory/2428-246-0x00007FF72C7C0000-0x00007FF72CB11000-memory.dmp

Filesize
3.3MB

Download
memory/2428-96-0x00007FF72C7C0000-0x00007FF72CB11000-memory.dmp

Filesize
3.3MB

Download
memory/2444-225-0x00007FF789090000-0x00007FF7893E1000-memory.dmp

Filesize
3.3MB

Download
memory/2444-137-0x00007FF789090000-0x00007FF7893E1000-memory.dmp

Filesize
3.3MB

Download
memory/2444-48-0x00007FF789090000-0x00007FF7893E1000-memory.dmp

Filesize
3.3MB

Download
memory/2448-217-0x00007FF67ED00000-0x00007FF67F051000-memory.dmp

Filesize
3.3MB

Download
memory/2448-139-0x00007FF67ED00000-0x00007FF67F051000-memory.dmp

Filesize
3.3MB

Download
memory/2448-27-0x00007FF67ED00000-0x00007FF67F051000-memory.dmp

Filesize
3.3MB

Download
memory/3288-141-0x00007FF773EE0000-0x00007FF774231000-memory.dmp

Filesize
3.3MB

Download
memory/3288-264-0x00007FF773EE0000-0x00007FF774231000-memory.dmp

Filesize
3.3MB

Download
memory/3288-155-0x00007FF773EE0000-0x00007FF774231000-memory.dmp

Filesize
3.3MB

Download
memory/3328-260-0x00007FF6956D0000-0x00007FF695A21000-memory.dmp

Filesize
3.3MB

Download
memory/3328-154-0x00007FF6956D0000-0x00007FF695A21000-memory.dmp

Filesize
3.3MB

Download
memory/3328-124-0x00007FF6956D0000-0x00007FF695A21000-memory.dmp

Filesize
3.3MB

Download
memory/3576-247-0x00007FF692F10000-0x00007FF693261000-memory.dmp

Filesize
3.3MB

Download
memory/3576-144-0x00007FF692F10000-0x00007FF693261000-memory.dmp

Filesize
3.3MB

Download
memory/3576-69-0x00007FF692F10000-0x00007FF693261000-memory.dmp

Filesize
3.3MB

Download
memory/3600-258-0x00007FF733610000-0x00007FF733961000-memory.dmp

Filesize
3.3MB

Download
memory/3600-106-0x00007FF733610000-0x00007FF733961000-memory.dmp

Filesize
3.3MB

Download
memory/4060-39-0x00007FF7103D0000-0x00007FF710721000-memory.dmp

Filesize
3.3MB

Download
memory/4060-223-0x00007FF7103D0000-0x00007FF710721000-memory.dmp

Filesize
3.3MB

Download
memory/4060-140-0x00007FF7103D0000-0x00007FF710721000-memory.dmp

Filesize
3.3MB

Download
memory/4208-40-0x00007FF7F2340000-0x00007FF7F2691000-memory.dmp

Filesize
3.3MB

Download
memory/4208-221-0x00007FF7F2340000-0x00007FF7F2691000-memory.dmp

Filesize
3.3MB

Download
memory/4208-136-0x00007FF7F2340000-0x00007FF7F2691000-memory.dmp

Filesize
3.3MB

Download
memory/4460-97-0x00007FF7B3CE0000-0x00007FF7B4031000-memory.dmp

Filesize
3.3MB

Download
memory/4460-249-0x00007FF7B3CE0000-0x00007FF7B4031000-memory.dmp

Filesize
3.3MB

Download
memory/4744-261-0x00007FF6E6CE0000-0x00007FF6E7031000-memory.dmp

Filesize
3.3MB

Download
memory/4744-123-0x00007FF6E6CE0000-0x00007FF6E7031000-memory.dmp

Filesize
3.3MB

Download
memory/4764-219-0x00007FF6D2290000-0x00007FF6D25E1000-memory.dmp

Filesize
3.3MB

Download
memory/4764-35-0x00007FF6D2290000-0x00007FF6D25E1000-memory.dmp

Filesize
3.3MB

Download
memory/4764-134-0x00007FF6D2290000-0x00007FF6D25E1000-memory.dmp

Filesize
3.3MB

Download
memory/4940-117-0x00007FF6AF670000-0x00007FF6AF9C1000-memory.dmp

Filesize
3.3MB

Download
memory/4940-151-0x00007FF6AF670000-0x00007FF6AF9C1000-memory.dmp

Filesize
3.3MB

Download
memory/4940-252-0x00007FF6AF670000-0x00007FF6AF9C1000-memory.dmp

Filesize
3.3MB

Download
memory/5092-239-0x00007FF678E30000-0x00007FF679181000-memory.dmp

Filesize
3.3MB

Download
memory/5092-138-0x00007FF678E30000-0x00007FF679181000-memory.dmp

Filesize
3.3MB

Download
memory/5092-59-0x00007FF678E30000-0x00007FF679181000-memory.dmp

Filesize
3.3MB

Download