cobaltstrike | eee1b9a2ce5f4667b551cd86215a847a501ce3c34036fcdb61d40ee1cd845271

Analysis

max time kernel
140s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13-09-2024 04:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-13_ae3bb7c136b65bbf07821a72080125c0_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

ae3bb7c136b65bbf07821a72080125c0
SHA1

35a68b70e7360e012f22bd2cc7e2fb5d2f65a577
SHA256

eee1b9a2ce5f4667b551cd86215a847a501ce3c34036fcdb61d40ee1cd845271
SHA512

7033e7086b9c7c57872fe59d8c125565aa261b7f2875176ef57ce231f580cec268c0e1be1297f2261f5e927eb72b35cf161a54bbbb2144c81ad20b2b3b8c3580
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lp:RWWBibf56utgpPFotBER/mQ32lU9

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x00090000000233c2-4.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023425-12.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023426-22.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023428-28.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002342a-42.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002342c-50.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002342d-57.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002342f-72.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002342e-70.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002342b-56.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023429-39.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023427-27.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023430-78.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023423-81.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023432-109.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023436-116.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023435-121.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023437-127.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023434-120.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023433-114.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023431-89.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/2504-55-0x00007FF7BA3A0000-0x00007FF7BA6F1000-memory.dmp	xmrig
behavioral2/memory/3372-74-0x00007FF6B2C60000-0x00007FF6B2FB1000-memory.dmp	xmrig
behavioral2/memory/4776-82-0x00007FF76C170000-0x00007FF76C4C1000-memory.dmp	xmrig
behavioral2/memory/3752-103-0x00007FF670460000-0x00007FF6707B1000-memory.dmp	xmrig
behavioral2/memory/3840-126-0x00007FF63B2E0000-0x00007FF63B631000-memory.dmp	xmrig
behavioral2/memory/1628-104-0x00007FF7E1160000-0x00007FF7E14B1000-memory.dmp	xmrig
behavioral2/memory/1300-95-0x00007FF6E91D0000-0x00007FF6E9521000-memory.dmp	xmrig
behavioral2/memory/4704-88-0x00007FF6CD250000-0x00007FF6CD5A1000-memory.dmp	xmrig
behavioral2/memory/3416-139-0x00007FF7081B0000-0x00007FF708501000-memory.dmp	xmrig
behavioral2/memory/4840-142-0x00007FF6250F0000-0x00007FF625441000-memory.dmp	xmrig
behavioral2/memory/3608-143-0x00007FF60AC80000-0x00007FF60AFD1000-memory.dmp	xmrig
behavioral2/memory/2392-144-0x00007FF7FAE60000-0x00007FF7FB1B1000-memory.dmp	xmrig
behavioral2/memory/4636-145-0x00007FF753260000-0x00007FF7535B1000-memory.dmp	xmrig
behavioral2/memory/860-141-0x00007FF78DD30000-0x00007FF78E081000-memory.dmp	xmrig
behavioral2/memory/756-138-0x00007FF600770000-0x00007FF600AC1000-memory.dmp	xmrig
behavioral2/memory/3372-133-0x00007FF6B2C60000-0x00007FF6B2FB1000-memory.dmp	xmrig
behavioral2/memory/4540-149-0x00007FF78B050000-0x00007FF78B3A1000-memory.dmp	xmrig
behavioral2/memory/400-147-0x00007FF7275F0000-0x00007FF727941000-memory.dmp	xmrig
behavioral2/memory/4724-152-0x00007FF671DE0000-0x00007FF672131000-memory.dmp	xmrig
behavioral2/memory/1804-153-0x00007FF75EDD0000-0x00007FF75F121000-memory.dmp	xmrig
behavioral2/memory/4676-151-0x00007FF67B5B0000-0x00007FF67B901000-memory.dmp	xmrig
behavioral2/memory/4048-150-0x00007FF6470B0000-0x00007FF647401000-memory.dmp	xmrig
behavioral2/memory/4948-154-0x00007FF744A00000-0x00007FF744D51000-memory.dmp	xmrig
behavioral2/memory/3372-155-0x00007FF6B2C60000-0x00007FF6B2FB1000-memory.dmp	xmrig
behavioral2/memory/4776-207-0x00007FF76C170000-0x00007FF76C4C1000-memory.dmp	xmrig
behavioral2/memory/4704-209-0x00007FF6CD250000-0x00007FF6CD5A1000-memory.dmp	xmrig
behavioral2/memory/1628-211-0x00007FF7E1160000-0x00007FF7E14B1000-memory.dmp	xmrig
behavioral2/memory/3840-213-0x00007FF63B2E0000-0x00007FF63B631000-memory.dmp	xmrig
behavioral2/memory/756-221-0x00007FF600770000-0x00007FF600AC1000-memory.dmp	xmrig
behavioral2/memory/2504-224-0x00007FF7BA3A0000-0x00007FF7BA6F1000-memory.dmp	xmrig
behavioral2/memory/3416-225-0x00007FF7081B0000-0x00007FF708501000-memory.dmp	xmrig
behavioral2/memory/4840-227-0x00007FF6250F0000-0x00007FF625441000-memory.dmp	xmrig
behavioral2/memory/860-229-0x00007FF78DD30000-0x00007FF78E081000-memory.dmp	xmrig
behavioral2/memory/3608-231-0x00007FF60AC80000-0x00007FF60AFD1000-memory.dmp	xmrig
behavioral2/memory/4636-233-0x00007FF753260000-0x00007FF7535B1000-memory.dmp	xmrig
behavioral2/memory/2392-235-0x00007FF7FAE60000-0x00007FF7FB1B1000-memory.dmp	xmrig
behavioral2/memory/1300-243-0x00007FF6E91D0000-0x00007FF6E9521000-memory.dmp	xmrig
behavioral2/memory/3752-245-0x00007FF670460000-0x00007FF6707B1000-memory.dmp	xmrig
behavioral2/memory/400-247-0x00007FF7275F0000-0x00007FF727941000-memory.dmp	xmrig
behavioral2/memory/4540-252-0x00007FF78B050000-0x00007FF78B3A1000-memory.dmp	xmrig
behavioral2/memory/4676-256-0x00007FF67B5B0000-0x00007FF67B901000-memory.dmp	xmrig
behavioral2/memory/4724-255-0x00007FF671DE0000-0x00007FF672131000-memory.dmp	xmrig
behavioral2/memory/4048-258-0x00007FF6470B0000-0x00007FF647401000-memory.dmp	xmrig
behavioral2/memory/1804-262-0x00007FF75EDD0000-0x00007FF75F121000-memory.dmp	xmrig
behavioral2/memory/4948-261-0x00007FF744A00000-0x00007FF744D51000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4776	qnbPAdt.exe
4704	npnYgGa.exe
1628	LWiOKOw.exe
3840	EqkaNnQ.exe
756	PuZviWI.exe
3416	bVjdFJb.exe
2504	PQQWFGT.exe
860	tikcufO.exe
4840	OOvfNGB.exe
3608	HCyLPki.exe
2392	cdrVcro.exe
4636	lnkdGhN.exe
1300	SLhTPeC.exe
400	eXfqWUC.exe
3752	AepFikk.exe
4540	xyEmhdi.exe
4048	ezwisul.exe
4676	WWCIzpB.exe
4724	OpmcFaE.exe
1804	YInKHxe.exe
4948	oBfnPEb.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3372-0-0x00007FF6B2C60000-0x00007FF6B2FB1000-memory.dmp	upx
behavioral2/files/0x00090000000233c2-4.dat	upx
behavioral2/memory/4776-8-0x00007FF76C170000-0x00007FF76C4C1000-memory.dmp	upx
behavioral2/files/0x0008000000023425-12.dat	upx
behavioral2/files/0x0007000000023426-22.dat	upx
behavioral2/files/0x0007000000023428-28.dat	upx
behavioral2/files/0x000700000002342a-42.dat	upx
behavioral2/files/0x000700000002342c-50.dat	upx
behavioral2/files/0x000700000002342d-57.dat	upx
behavioral2/memory/4636-69-0x00007FF753260000-0x00007FF7535B1000-memory.dmp	upx
behavioral2/files/0x000700000002342f-72.dat	upx
behavioral2/files/0x000700000002342e-70.dat	upx
behavioral2/memory/2392-68-0x00007FF7FAE60000-0x00007FF7FB1B1000-memory.dmp	upx
behavioral2/memory/4840-65-0x00007FF6250F0000-0x00007FF625441000-memory.dmp	upx
behavioral2/memory/2504-55-0x00007FF7BA3A0000-0x00007FF7BA6F1000-memory.dmp	upx
behavioral2/files/0x000700000002342b-56.dat	upx
behavioral2/memory/3608-53-0x00007FF60AC80000-0x00007FF60AFD1000-memory.dmp	upx
behavioral2/memory/860-52-0x00007FF78DD30000-0x00007FF78E081000-memory.dmp	upx
behavioral2/memory/3416-48-0x00007FF7081B0000-0x00007FF708501000-memory.dmp	upx
behavioral2/memory/756-37-0x00007FF600770000-0x00007FF600AC1000-memory.dmp	upx
behavioral2/files/0x0007000000023429-39.dat	upx
behavioral2/files/0x0007000000023427-27.dat	upx
behavioral2/memory/3840-21-0x00007FF63B2E0000-0x00007FF63B631000-memory.dmp	upx
behavioral2/memory/1628-19-0x00007FF7E1160000-0x00007FF7E14B1000-memory.dmp	upx
behavioral2/memory/4704-15-0x00007FF6CD250000-0x00007FF6CD5A1000-memory.dmp	upx
behavioral2/memory/3372-74-0x00007FF6B2C60000-0x00007FF6B2FB1000-memory.dmp	upx
behavioral2/files/0x0007000000023430-78.dat	upx
behavioral2/memory/4776-82-0x00007FF76C170000-0x00007FF76C4C1000-memory.dmp	upx
behavioral2/files/0x0008000000023423-81.dat	upx
behavioral2/memory/3752-103-0x00007FF670460000-0x00007FF6707B1000-memory.dmp	upx
behavioral2/files/0x0007000000023432-109.dat	upx
behavioral2/files/0x0007000000023436-116.dat	upx
behavioral2/files/0x0007000000023435-121.dat	upx
behavioral2/memory/1804-130-0x00007FF75EDD0000-0x00007FF75F121000-memory.dmp	upx
behavioral2/files/0x0007000000023437-127.dat	upx
behavioral2/memory/3840-126-0x00007FF63B2E0000-0x00007FF63B631000-memory.dmp	upx
behavioral2/files/0x0007000000023434-120.dat	upx
behavioral2/memory/4676-119-0x00007FF67B5B0000-0x00007FF67B901000-memory.dmp	upx
behavioral2/memory/4724-117-0x00007FF671DE0000-0x00007FF672131000-memory.dmp	upx
behavioral2/files/0x0007000000023433-114.dat	upx
behavioral2/memory/4048-112-0x00007FF6470B0000-0x00007FF647401000-memory.dmp	upx
behavioral2/memory/4540-105-0x00007FF78B050000-0x00007FF78B3A1000-memory.dmp	upx
behavioral2/memory/1628-104-0x00007FF7E1160000-0x00007FF7E14B1000-memory.dmp	upx
behavioral2/memory/400-98-0x00007FF7275F0000-0x00007FF727941000-memory.dmp	upx
behavioral2/memory/1300-95-0x00007FF6E91D0000-0x00007FF6E9521000-memory.dmp	upx
behavioral2/files/0x0007000000023431-89.dat	upx
behavioral2/memory/4704-88-0x00007FF6CD250000-0x00007FF6CD5A1000-memory.dmp	upx
behavioral2/memory/4948-132-0x00007FF744A00000-0x00007FF744D51000-memory.dmp	upx
behavioral2/memory/3416-139-0x00007FF7081B0000-0x00007FF708501000-memory.dmp	upx
behavioral2/memory/4840-142-0x00007FF6250F0000-0x00007FF625441000-memory.dmp	upx
behavioral2/memory/3608-143-0x00007FF60AC80000-0x00007FF60AFD1000-memory.dmp	upx
behavioral2/memory/2392-144-0x00007FF7FAE60000-0x00007FF7FB1B1000-memory.dmp	upx
behavioral2/memory/4636-145-0x00007FF753260000-0x00007FF7535B1000-memory.dmp	upx
behavioral2/memory/860-141-0x00007FF78DD30000-0x00007FF78E081000-memory.dmp	upx
behavioral2/memory/756-138-0x00007FF600770000-0x00007FF600AC1000-memory.dmp	upx
behavioral2/memory/3372-133-0x00007FF6B2C60000-0x00007FF6B2FB1000-memory.dmp	upx
behavioral2/memory/4540-149-0x00007FF78B050000-0x00007FF78B3A1000-memory.dmp	upx
behavioral2/memory/400-147-0x00007FF7275F0000-0x00007FF727941000-memory.dmp	upx
behavioral2/memory/4724-152-0x00007FF671DE0000-0x00007FF672131000-memory.dmp	upx
behavioral2/memory/1804-153-0x00007FF75EDD0000-0x00007FF75F121000-memory.dmp	upx
behavioral2/memory/4676-151-0x00007FF67B5B0000-0x00007FF67B901000-memory.dmp	upx
behavioral2/memory/4048-150-0x00007FF6470B0000-0x00007FF647401000-memory.dmp	upx
behavioral2/memory/4948-154-0x00007FF744A00000-0x00007FF744D51000-memory.dmp	upx
behavioral2/memory/3372-155-0x00007FF6B2C60000-0x00007FF6B2FB1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\AepFikk.exe	2024-09-13_ae3bb7c136b65bbf07821a72080125c0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\npnYgGa.exe	2024-09-13_ae3bb7c136b65bbf07821a72080125c0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bVjdFJb.exe	2024-09-13_ae3bb7c136b65bbf07821a72080125c0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HCyLPki.exe	2024-09-13_ae3bb7c136b65bbf07821a72080125c0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SLhTPeC.exe	2024-09-13_ae3bb7c136b65bbf07821a72080125c0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eXfqWUC.exe	2024-09-13_ae3bb7c136b65bbf07821a72080125c0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xyEmhdi.exe	2024-09-13_ae3bb7c136b65bbf07821a72080125c0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WWCIzpB.exe	2024-09-13_ae3bb7c136b65bbf07821a72080125c0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OpmcFaE.exe	2024-09-13_ae3bb7c136b65bbf07821a72080125c0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LWiOKOw.exe	2024-09-13_ae3bb7c136b65bbf07821a72080125c0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OOvfNGB.exe	2024-09-13_ae3bb7c136b65bbf07821a72080125c0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oBfnPEb.exe	2024-09-13_ae3bb7c136b65bbf07821a72080125c0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lnkdGhN.exe	2024-09-13_ae3bb7c136b65bbf07821a72080125c0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tikcufO.exe	2024-09-13_ae3bb7c136b65bbf07821a72080125c0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cdrVcro.exe	2024-09-13_ae3bb7c136b65bbf07821a72080125c0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PuZviWI.exe	2024-09-13_ae3bb7c136b65bbf07821a72080125c0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PQQWFGT.exe	2024-09-13_ae3bb7c136b65bbf07821a72080125c0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ezwisul.exe	2024-09-13_ae3bb7c136b65bbf07821a72080125c0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YInKHxe.exe	2024-09-13_ae3bb7c136b65bbf07821a72080125c0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qnbPAdt.exe	2024-09-13_ae3bb7c136b65bbf07821a72080125c0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EqkaNnQ.exe	2024-09-13_ae3bb7c136b65bbf07821a72080125c0_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3372	2024-09-13_ae3bb7c136b65bbf07821a72080125c0_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	3372	2024-09-13_ae3bb7c136b65bbf07821a72080125c0_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3372 wrote to memory of 4776	3372	2024-09-13_ae3bb7c136b65bbf07821a72080125c0_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3372 wrote to memory of 4776	3372	2024-09-13_ae3bb7c136b65bbf07821a72080125c0_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3372 wrote to memory of 4704	3372	2024-09-13_ae3bb7c136b65bbf07821a72080125c0_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3372 wrote to memory of 4704	3372	2024-09-13_ae3bb7c136b65bbf07821a72080125c0_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3372 wrote to memory of 1628	3372	2024-09-13_ae3bb7c136b65bbf07821a72080125c0_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3372 wrote to memory of 1628	3372	2024-09-13_ae3bb7c136b65bbf07821a72080125c0_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3372 wrote to memory of 3840	3372	2024-09-13_ae3bb7c136b65bbf07821a72080125c0_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3372 wrote to memory of 3840	3372	2024-09-13_ae3bb7c136b65bbf07821a72080125c0_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3372 wrote to memory of 756	3372	2024-09-13_ae3bb7c136b65bbf07821a72080125c0_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3372 wrote to memory of 756	3372	2024-09-13_ae3bb7c136b65bbf07821a72080125c0_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3372 wrote to memory of 3416	3372	2024-09-13_ae3bb7c136b65bbf07821a72080125c0_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3372 wrote to memory of 3416	3372	2024-09-13_ae3bb7c136b65bbf07821a72080125c0_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3372 wrote to memory of 2504	3372	2024-09-13_ae3bb7c136b65bbf07821a72080125c0_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3372 wrote to memory of 2504	3372	2024-09-13_ae3bb7c136b65bbf07821a72080125c0_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3372 wrote to memory of 860	3372	2024-09-13_ae3bb7c136b65bbf07821a72080125c0_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3372 wrote to memory of 860	3372	2024-09-13_ae3bb7c136b65bbf07821a72080125c0_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3372 wrote to memory of 4840	3372	2024-09-13_ae3bb7c136b65bbf07821a72080125c0_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3372 wrote to memory of 4840	3372	2024-09-13_ae3bb7c136b65bbf07821a72080125c0_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3372 wrote to memory of 3608	3372	2024-09-13_ae3bb7c136b65bbf07821a72080125c0_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3372 wrote to memory of 3608	3372	2024-09-13_ae3bb7c136b65bbf07821a72080125c0_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3372 wrote to memory of 2392	3372	2024-09-13_ae3bb7c136b65bbf07821a72080125c0_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3372 wrote to memory of 2392	3372	2024-09-13_ae3bb7c136b65bbf07821a72080125c0_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3372 wrote to memory of 4636	3372	2024-09-13_ae3bb7c136b65bbf07821a72080125c0_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3372 wrote to memory of 4636	3372	2024-09-13_ae3bb7c136b65bbf07821a72080125c0_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3372 wrote to memory of 1300	3372	2024-09-13_ae3bb7c136b65bbf07821a72080125c0_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3372 wrote to memory of 1300	3372	2024-09-13_ae3bb7c136b65bbf07821a72080125c0_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3372 wrote to memory of 400	3372	2024-09-13_ae3bb7c136b65bbf07821a72080125c0_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3372 wrote to memory of 400	3372	2024-09-13_ae3bb7c136b65bbf07821a72080125c0_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3372 wrote to memory of 3752	3372	2024-09-13_ae3bb7c136b65bbf07821a72080125c0_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3372 wrote to memory of 3752	3372	2024-09-13_ae3bb7c136b65bbf07821a72080125c0_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3372 wrote to memory of 4540	3372	2024-09-13_ae3bb7c136b65bbf07821a72080125c0_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3372 wrote to memory of 4540	3372	2024-09-13_ae3bb7c136b65bbf07821a72080125c0_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3372 wrote to memory of 4048	3372	2024-09-13_ae3bb7c136b65bbf07821a72080125c0_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3372 wrote to memory of 4048	3372	2024-09-13_ae3bb7c136b65bbf07821a72080125c0_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3372 wrote to memory of 4676	3372	2024-09-13_ae3bb7c136b65bbf07821a72080125c0_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3372 wrote to memory of 4676	3372	2024-09-13_ae3bb7c136b65bbf07821a72080125c0_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3372 wrote to memory of 4724	3372	2024-09-13_ae3bb7c136b65bbf07821a72080125c0_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3372 wrote to memory of 4724	3372	2024-09-13_ae3bb7c136b65bbf07821a72080125c0_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3372 wrote to memory of 1804	3372	2024-09-13_ae3bb7c136b65bbf07821a72080125c0_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3372 wrote to memory of 1804	3372	2024-09-13_ae3bb7c136b65bbf07821a72080125c0_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3372 wrote to memory of 4948	3372	2024-09-13_ae3bb7c136b65bbf07821a72080125c0_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 3372 wrote to memory of 4948	3372	2024-09-13_ae3bb7c136b65bbf07821a72080125c0_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-09-13_ae3bb7c136b65bbf07821a72080125c0_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-13_ae3bb7c136b65bbf07821a72080125c0_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3372
- C:\Windows\System\qnbPAdt.exe
  C:\Windows\System\qnbPAdt.exe
  2⤵
  - Executes dropped EXE
  PID:4776
- C:\Windows\System\npnYgGa.exe
  C:\Windows\System\npnYgGa.exe
  2⤵
  - Executes dropped EXE
  PID:4704
- C:\Windows\System\LWiOKOw.exe
  C:\Windows\System\LWiOKOw.exe
  2⤵
  - Executes dropped EXE
  PID:1628
- C:\Windows\System\EqkaNnQ.exe
  C:\Windows\System\EqkaNnQ.exe
  2⤵
  - Executes dropped EXE
  PID:3840
- C:\Windows\System\PuZviWI.exe
  C:\Windows\System\PuZviWI.exe
  2⤵
  - Executes dropped EXE
  PID:756
- C:\Windows\System\bVjdFJb.exe
  C:\Windows\System\bVjdFJb.exe
  2⤵
  - Executes dropped EXE
  PID:3416
- C:\Windows\System\PQQWFGT.exe
  C:\Windows\System\PQQWFGT.exe
  2⤵
  - Executes dropped EXE
  PID:2504
- C:\Windows\System\tikcufO.exe
  C:\Windows\System\tikcufO.exe
  2⤵
  - Executes dropped EXE
  PID:860
- C:\Windows\System\OOvfNGB.exe
  C:\Windows\System\OOvfNGB.exe
  2⤵
  - Executes dropped EXE
  PID:4840
- C:\Windows\System\HCyLPki.exe
  C:\Windows\System\HCyLPki.exe
  2⤵
  - Executes dropped EXE
  PID:3608
- C:\Windows\System\cdrVcro.exe
  C:\Windows\System\cdrVcro.exe
  2⤵
  - Executes dropped EXE
  PID:2392
- C:\Windows\System\lnkdGhN.exe
  C:\Windows\System\lnkdGhN.exe
  2⤵
  - Executes dropped EXE
  PID:4636
- C:\Windows\System\SLhTPeC.exe
  C:\Windows\System\SLhTPeC.exe
  2⤵
  - Executes dropped EXE
  PID:1300
- C:\Windows\System\eXfqWUC.exe
  C:\Windows\System\eXfqWUC.exe
  2⤵
  - Executes dropped EXE
  PID:400
- C:\Windows\System\AepFikk.exe
  C:\Windows\System\AepFikk.exe
  2⤵
  - Executes dropped EXE
  PID:3752
- C:\Windows\System\xyEmhdi.exe
  C:\Windows\System\xyEmhdi.exe
  2⤵
  - Executes dropped EXE
  PID:4540
- C:\Windows\System\ezwisul.exe
  C:\Windows\System\ezwisul.exe
  2⤵
  - Executes dropped EXE
  PID:4048
- C:\Windows\System\WWCIzpB.exe
  C:\Windows\System\WWCIzpB.exe
  2⤵
  - Executes dropped EXE
  PID:4676
- C:\Windows\System\OpmcFaE.exe
  C:\Windows\System\OpmcFaE.exe
  2⤵
  - Executes dropped EXE
  PID:4724
- C:\Windows\System\YInKHxe.exe
  C:\Windows\System\YInKHxe.exe
  2⤵
  - Executes dropped EXE
  PID:1804
- C:\Windows\System\oBfnPEb.exe
  C:\Windows\System\oBfnPEb.exe
  2⤵
  - Executes dropped EXE
  PID:4948

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AepFikk.exe

Filesize
5.2MB

MD5
8674b74a2c38a8d28dcdf21c03983362

SHA1
bc0dc9c50451f1119d13ae9ca731de086efca433

SHA256
e004cad4959ab4dba4d5edcaf5cb086d3b59879b15252f7d20883fbcbf08d2ae

SHA512
305e93b5342fe4a038fc6d1a8e0f35dcdb03cc547b81c6e4a82033ba5eb90156296add18fec170939136f6fc90ea1cfd2c4231f656e8e341b194d11315e0629b

Download Submit
C:\Windows\System\EqkaNnQ.exe

Filesize
5.2MB

MD5
59980f43ad5e9c60657c2fd5b44c6bef

SHA1
e510a536c7293afb102c5968206b628b1dcf0fae

SHA256
28d43311d7ebad9c124a67a1c3d8910c47e46a96bc9b7d9b167d78b815ab498c

SHA512
4b563fcaba31d85751b73ae81584ff102da08d45484b7294d5632233f7d38de62eeeefd6c7e50116aeb4c36b8973e64318597cc1ac9ff9d7b832695a77d5cf37

Download Submit
C:\Windows\System\HCyLPki.exe

Filesize
5.2MB

MD5
b2d18cf2ee787b0dad69e6654735e50b

SHA1
60a6246a3fa3078fd2905dd7ab045cb4217def85

SHA256
e60630a694920786f2e284f7f7b4d4b1b9ff9f77b29fe5cac9a2f78d1d6046a4

SHA512
5410ad95a9670ec022826beb6ccbb18c291e551cb60178ff337045032e7b39e2d83524663c4b5be7494450edba89390f5cc746ce364a3c886d365e84ead36040

Download Submit
C:\Windows\System\LWiOKOw.exe

Filesize
5.2MB

MD5
7357ffeca795d945c873bdefe381c74a

SHA1
7d03a926862c7bbdb9ab792e5d5247d947140d28

SHA256
bec9e3ed638a6b1b8b970cd797e2fb4dacc485dc2ab00ef1ef3469f7bc8b2d80

SHA512
54efdd3974462310e5b4954ff040ac4f4be394b6ec55fa0f071c99edf5aacb5f101374d23f06413f904a20c387a98a8bd21554ddea445d69fc91ba1ff9e95c48

Download Submit
C:\Windows\System\OOvfNGB.exe

Filesize
5.2MB

MD5
48899a3622660b97f3751ae156c19274

SHA1
affdb050e8135eee1f799e7defcbae0894b7fd96

SHA256
6b49bbe17b7d5fe877f4d0f396cacb8f6d9cd3bd5a76e0d6c430c6f75266bc01

SHA512
b24ec78610fdb732868c3db4a0102d21095b18cb08810c5967f0ba97acd917fa86862ff3ee2e98dcc5972e1f4c21da412ba028069b78816cd6f90b0a25a62c53

Download Submit
C:\Windows\System\OpmcFaE.exe

Filesize
5.2MB

MD5
384790b040f61ebc1d9aba1e8890dbb5

SHA1
01f1484a34ca872ecb47915d204f9c67cfeffd71

SHA256
2b72e1fd507b083071771d70f2894f7391d5261992e047d7a41634a7688c3a19

SHA512
6d924f3275233d495cb4524e13b4e479b59f6f381d9d4b9745bb5309d47bf711ceb9c96d1065ddceb5afd99821f99ae9eb5bf1bd5ec988d4c7f07b1f97a428d1

Download Submit
C:\Windows\System\PQQWFGT.exe

Filesize
5.2MB

MD5
c459bfe64b82e52835e0b0de047424e7

SHA1
6e54b98fe6f1ea1a9cc4802db4abcdb9220a2354

SHA256
3bd79d7d35e8969ef567e3a64b5c18f08681ccc6b7648faced6eaff9fcd03f3b

SHA512
fbaef79e134be44e53762e62a56e9d97abb5ae7216fd7a3db3b7cecf44d3cfd51fa5301f261ceddf675223f1bfc37423fe8422b47713301b1483499727596464

Download Submit
C:\Windows\System\PuZviWI.exe

Filesize
5.2MB

MD5
21736e2e111f4b8e88aa1a5ca46a3d2f

SHA1
5a13bcba804c1de35c32191ad040f1f457aa9106

SHA256
91c3a800c994d7d4e8a29422652e474e889c6f2b42e539dc4ed5bd59f2f1e203

SHA512
1186a9e1a0cbe14400937e8da4d073ad2e8c4f271a323b4c9f1814d1897a3b85d922e867a8cd36fd4377453ca0b3e7900565179a2b934d6ecab279d773dd175a

Download Submit
C:\Windows\System\SLhTPeC.exe

Filesize
5.2MB

MD5
802a7e86b5871f1b161110de245275f5

SHA1
18cada5fa6fbd5e1e9f95f3c63e048c67679c4c3

SHA256
d0bf47004fbf9f0c378702a7c80d5390ac1547462f440b8ee5b24c645fe6ae01

SHA512
e3179ea34eacac40a05ab0bfce4a4e4cf8038ed39f0d9d6e435647f878aa69fae84eaa2d7512fe67b8e6662ef94b89c4bfed4118938c1d5e3f56a9456044d021

Download Submit
C:\Windows\System\WWCIzpB.exe

Filesize
5.2MB

MD5
1029585384db22c73db3974826daaa71

SHA1
0e9c93056a37b55aeceb2089edad474fbc499fce

SHA256
7a2456df0a31a66aa16ad73ec804788bb65c52a9109ce5ccd57fe160189d8a18

SHA512
48d0d1ce65068c80b41812a505b978d6b1cee3414feabd38abce7ee651b154219ebc2127f08c47e4e8a86fe30ae354a97214034aee551fb1f3fb13ddf80db716

Download Submit
C:\Windows\System\YInKHxe.exe

Filesize
5.2MB

MD5
c37c8eb79c6ad9652116e78fbffe6d92

SHA1
fa494dd9383f3f152d5c853923c95c8b8fc8c8a2

SHA256
e09a37f87947a9fbd909c068695bbecc3a18681dfe9600c8329094af90ef36c6

SHA512
060daa400f6377a28a6c3ca0bc9994f7ec0480c02adab7de69f8bcff8d237e851556268e215082c555f085669d548b6efbb307494ab5577241412bea70f9d60c

Download Submit
C:\Windows\System\bVjdFJb.exe

Filesize
5.2MB

MD5
09854b5313a231809324917b49e2f1c6

SHA1
878d7238e1ce77ab0b370df6e11d12493d0af8be

SHA256
6cf9fd196d42bdc55635667df707337d52e0a4a321e71c6654efefa881f333ae

SHA512
75dd77494c48481667114ddf7ff32dfcf04a4c2f7578a58c26d87234cccbd814e60b0de453f3b46306a579c10bda46dd8ad060642dc0c0dd4359ca65b5bf4330

Download Submit
C:\Windows\System\cdrVcro.exe

Filesize
5.2MB

MD5
c1df993598acfe74dd10b91285c0e8e6

SHA1
aea3dd678dde41682b43d3f92a8002f807c76af9

SHA256
3e77655637b6cc2309993ae9acc82cbdced1036ca5a7654cef0ce72b7cf3feb2

SHA512
d6415a302a6db9d7245f40b2ea3e5017ff44ecd089bd17ae2385c04c985b69c0598e8442b442c3631e3eaf209b8699a15f326e8ac9ce54c758b9bb597b591969

Download Submit
C:\Windows\System\eXfqWUC.exe

Filesize
5.2MB

MD5
ece13d507a692109c94275a34383547b

SHA1
5d4c5a05a656fe935440fc4143580ce0a09dfc86

SHA256
5e35d5adc2ceb877459db6728c7d1550630b0323ba51165fd25db50bd291825e

SHA512
bd756c587e335e331a81f906a5bcdc79f301b89252310f2586dbf8fee3862a1419ac7357af29a9fbdebc99d1f1e64dd99eb0fe54d7c6eae0d698e9c7bdc0f299

Download Submit
C:\Windows\System\ezwisul.exe

Filesize
5.2MB

MD5
a0ecb0e5bc8b839dd0892ed26ddb50de

SHA1
9dbda288cc6d91e86ac031023818b67c57906b2c

SHA256
1122249f42219078d8a80cde8d50d054537be39f8ed7629f5ef8dade9abda822

SHA512
bf73c79b6286b406accb3f078cd3319752af2de2eb17d872b9c242fdfd4f831bf9f5d4cb153bd7f31166b1a30b398d52786258bd861a9b639416eae23db21cc3

Download Submit
C:\Windows\System\lnkdGhN.exe

Filesize
5.2MB

MD5
de17ee14cffdf7844d393f4c8f94105d

SHA1
23a91cdae2e28147ecae980abcfb6bc74b5503da

SHA256
a4dc40c40da9e4c548f64c57427999457d0ee952f555fb83e9e74375a37e0eaf

SHA512
bbadc7256b2b2515e0b83ea2cda78e2ae579e5c3095df6880e64f18cdd841a8f540fecc011dbed1ff3fc1a2760b5b51f15b04d33293ebef8abcc2e77bef44932

Download Submit
C:\Windows\System\npnYgGa.exe

Filesize
5.2MB

MD5
d88afa85704632542787457b08483fd9

SHA1
8f390d4f0ef86686f3f9ee552bc802c92cbdba63

SHA256
90ac85107580e3adc3e37e901eb7773e30ae6590d949c9b644bc58eb10556604

SHA512
c6fbd4bdea19c2fc4b00e2ece173fd364b6c0fd29744ebb81fc1e6e8923953f28407549f83b54a802d8dbc508a178d75768715be4e490d3656010988bbe4ee5b

Download Submit
C:\Windows\System\oBfnPEb.exe

Filesize
5.2MB

MD5
b81c2656a1eae548064eb33f51dbcb71

SHA1
c829fda202b1fb658e6de5892f2e8ec147ae42d4

SHA256
31b8b3114b62bcefa490f61f174f6a8a86aabc39c4904dcf3faac1298b1d9c5d

SHA512
ca820ba270e2dac69fb3258d50e3bca53c6de84daf35d9fd69983d20f789649192e9df2fc145c3054c77d1cbb07447c2e41d16d99ae9dec6a3e90eb187b0de6f

Download Submit
C:\Windows\System\qnbPAdt.exe

Filesize
5.2MB

MD5
a39d69499a1b8b4a65da0b0758e02e60

SHA1
6647114c95b92216e90305a6e0d21d215485ed52

SHA256
b37dc1d9a4d08ce36087df65c49b6de3e09454b3c5e3b1ebaa98840c1fd4ab78

SHA512
f73657956d701c089840f510a6d65cf3372383d9f6084b3db53adf3d592f91f9bd42106d1d8e46ac45923b4a3dd69a4c1b3e9b4e30b0b4a5ff36fa91c0f16f92

Download Submit
C:\Windows\System\tikcufO.exe

Filesize
5.2MB

MD5
26b308fc92fccfd6dffd7f3459236c4b

SHA1
c282f45345eedee8bf1e8054570651eb6d8c6187

SHA256
e36b5d8287ea2a0126457fb26483da2278ab1c243b588902d1df64250e58f2a8

SHA512
23124d8dc7afc557874e2907f45bb8c34bfa99171f9933517300213ff6f6eb3ed69f36227cac8afd5f4e922b5b0745d85b3d5165400aa03a0d3b854a06c19a36

Download Submit
C:\Windows\System\xyEmhdi.exe

Filesize
5.2MB

MD5
c713ad14593800310b310e1e59f3b21c

SHA1
ba1b14ce30cf66a35c495ebf011cf81c55f54896

SHA256
710c526302e8ff1a9bb3ff2685a168837bd5c3539e67ea76f20a301e915df972

SHA512
44946f1bf1b690810fcb7263dc97aa432de4059902b6ffa7a021b6ad82c3a5b7c7e1dc46a74175d855b077edce624b9de53ce1da8c69089f6a47b8132f59e2c3

Download Submit
memory/400-247-0x00007FF7275F0000-0x00007FF727941000-memory.dmp

Filesize
3.3MB

Download
memory/400-147-0x00007FF7275F0000-0x00007FF727941000-memory.dmp

Filesize
3.3MB

Download
memory/400-98-0x00007FF7275F0000-0x00007FF727941000-memory.dmp

Filesize
3.3MB

Download
memory/756-37-0x00007FF600770000-0x00007FF600AC1000-memory.dmp

Filesize
3.3MB

Download
memory/756-138-0x00007FF600770000-0x00007FF600AC1000-memory.dmp

Filesize
3.3MB

Download
memory/756-221-0x00007FF600770000-0x00007FF600AC1000-memory.dmp

Filesize
3.3MB

Download
memory/860-141-0x00007FF78DD30000-0x00007FF78E081000-memory.dmp

Filesize
3.3MB

Download
memory/860-52-0x00007FF78DD30000-0x00007FF78E081000-memory.dmp

Filesize
3.3MB

Download
memory/860-229-0x00007FF78DD30000-0x00007FF78E081000-memory.dmp

Filesize
3.3MB

Download
memory/1300-243-0x00007FF6E91D0000-0x00007FF6E9521000-memory.dmp

Filesize
3.3MB

Download
memory/1300-95-0x00007FF6E91D0000-0x00007FF6E9521000-memory.dmp

Filesize
3.3MB

Download
memory/1628-104-0x00007FF7E1160000-0x00007FF7E14B1000-memory.dmp

Filesize
3.3MB

Download
memory/1628-211-0x00007FF7E1160000-0x00007FF7E14B1000-memory.dmp

Filesize
3.3MB

Download
memory/1628-19-0x00007FF7E1160000-0x00007FF7E14B1000-memory.dmp

Filesize
3.3MB

Download
memory/1804-130-0x00007FF75EDD0000-0x00007FF75F121000-memory.dmp

Filesize
3.3MB

Download
memory/1804-262-0x00007FF75EDD0000-0x00007FF75F121000-memory.dmp

Filesize
3.3MB

Download
memory/1804-153-0x00007FF75EDD0000-0x00007FF75F121000-memory.dmp

Filesize
3.3MB

Download
memory/2392-235-0x00007FF7FAE60000-0x00007FF7FB1B1000-memory.dmp

Filesize
3.3MB

Download
memory/2392-68-0x00007FF7FAE60000-0x00007FF7FB1B1000-memory.dmp

Filesize
3.3MB

Download
memory/2392-144-0x00007FF7FAE60000-0x00007FF7FB1B1000-memory.dmp

Filesize
3.3MB

Download
memory/2504-55-0x00007FF7BA3A0000-0x00007FF7BA6F1000-memory.dmp

Filesize
3.3MB

Download
memory/2504-224-0x00007FF7BA3A0000-0x00007FF7BA6F1000-memory.dmp

Filesize
3.3MB

Download
memory/3372-0-0x00007FF6B2C60000-0x00007FF6B2FB1000-memory.dmp

Filesize
3.3MB

Download
memory/3372-1-0x000001B356E40000-0x000001B356E50000-memory.dmp

Filesize
64KB

Download
memory/3372-74-0x00007FF6B2C60000-0x00007FF6B2FB1000-memory.dmp

Filesize
3.3MB

Download
memory/3372-155-0x00007FF6B2C60000-0x00007FF6B2FB1000-memory.dmp

Filesize
3.3MB

Download
memory/3372-133-0x00007FF6B2C60000-0x00007FF6B2FB1000-memory.dmp

Filesize
3.3MB

Download
memory/3416-225-0x00007FF7081B0000-0x00007FF708501000-memory.dmp

Filesize
3.3MB

Download
memory/3416-139-0x00007FF7081B0000-0x00007FF708501000-memory.dmp

Filesize
3.3MB

Download
memory/3416-48-0x00007FF7081B0000-0x00007FF708501000-memory.dmp

Filesize
3.3MB

Download
memory/3608-53-0x00007FF60AC80000-0x00007FF60AFD1000-memory.dmp

Filesize
3.3MB

Download
memory/3608-231-0x00007FF60AC80000-0x00007FF60AFD1000-memory.dmp

Filesize
3.3MB

Download
memory/3608-143-0x00007FF60AC80000-0x00007FF60AFD1000-memory.dmp

Filesize
3.3MB

Download
memory/3752-103-0x00007FF670460000-0x00007FF6707B1000-memory.dmp

Filesize
3.3MB

Download
memory/3752-245-0x00007FF670460000-0x00007FF6707B1000-memory.dmp

Filesize
3.3MB

Download
memory/3840-21-0x00007FF63B2E0000-0x00007FF63B631000-memory.dmp

Filesize
3.3MB

Download
memory/3840-213-0x00007FF63B2E0000-0x00007FF63B631000-memory.dmp

Filesize
3.3MB

Download
memory/3840-126-0x00007FF63B2E0000-0x00007FF63B631000-memory.dmp

Filesize
3.3MB

Download
memory/4048-112-0x00007FF6470B0000-0x00007FF647401000-memory.dmp

Filesize
3.3MB

Download
memory/4048-150-0x00007FF6470B0000-0x00007FF647401000-memory.dmp

Filesize
3.3MB

Download
memory/4048-258-0x00007FF6470B0000-0x00007FF647401000-memory.dmp

Filesize
3.3MB

Download
memory/4540-105-0x00007FF78B050000-0x00007FF78B3A1000-memory.dmp

Filesize
3.3MB

Download
memory/4540-149-0x00007FF78B050000-0x00007FF78B3A1000-memory.dmp

Filesize
3.3MB

Download
memory/4540-252-0x00007FF78B050000-0x00007FF78B3A1000-memory.dmp

Filesize
3.3MB

Download
memory/4636-69-0x00007FF753260000-0x00007FF7535B1000-memory.dmp

Filesize
3.3MB

Download
memory/4636-233-0x00007FF753260000-0x00007FF7535B1000-memory.dmp

Filesize
3.3MB

Download
memory/4636-145-0x00007FF753260000-0x00007FF7535B1000-memory.dmp

Filesize
3.3MB

Download
memory/4676-151-0x00007FF67B5B0000-0x00007FF67B901000-memory.dmp

Filesize
3.3MB

Download
memory/4676-256-0x00007FF67B5B0000-0x00007FF67B901000-memory.dmp

Filesize
3.3MB

Download
memory/4676-119-0x00007FF67B5B0000-0x00007FF67B901000-memory.dmp

Filesize
3.3MB

Download
memory/4704-88-0x00007FF6CD250000-0x00007FF6CD5A1000-memory.dmp

Filesize
3.3MB

Download
memory/4704-209-0x00007FF6CD250000-0x00007FF6CD5A1000-memory.dmp

Filesize
3.3MB

Download
memory/4704-15-0x00007FF6CD250000-0x00007FF6CD5A1000-memory.dmp

Filesize
3.3MB

Download
memory/4724-152-0x00007FF671DE0000-0x00007FF672131000-memory.dmp

Filesize
3.3MB

Download
memory/4724-117-0x00007FF671DE0000-0x00007FF672131000-memory.dmp

Filesize
3.3MB

Download
memory/4724-255-0x00007FF671DE0000-0x00007FF672131000-memory.dmp

Filesize
3.3MB

Download
memory/4776-82-0x00007FF76C170000-0x00007FF76C4C1000-memory.dmp

Filesize
3.3MB

Download
memory/4776-207-0x00007FF76C170000-0x00007FF76C4C1000-memory.dmp

Filesize
3.3MB

Download
memory/4776-8-0x00007FF76C170000-0x00007FF76C4C1000-memory.dmp

Filesize
3.3MB

Download
memory/4840-227-0x00007FF6250F0000-0x00007FF625441000-memory.dmp

Filesize
3.3MB

Download
memory/4840-65-0x00007FF6250F0000-0x00007FF625441000-memory.dmp

Filesize
3.3MB

Download
memory/4840-142-0x00007FF6250F0000-0x00007FF625441000-memory.dmp

Filesize
3.3MB

Download
memory/4948-132-0x00007FF744A00000-0x00007FF744D51000-memory.dmp

Filesize
3.3MB

Download
memory/4948-154-0x00007FF744A00000-0x00007FF744D51000-memory.dmp

Filesize
3.3MB

Download
memory/4948-261-0x00007FF744A00000-0x00007FF744D51000-memory.dmp

Filesize
3.3MB

Download