cobaltstrike | 36651c4cffb23dab425ff8183bcdc35ec1bdfde92bc54caf027af30c7fb8fc34

Analysis

max time kernel
142s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13-09-2024 08:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-13_1e3eff9d6634a4a0387f6014b40881a2_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

1e3eff9d6634a4a0387f6014b40881a2
SHA1

ad379d20d99ea6155a21ade94a07eb0e1152546c
SHA256

36651c4cffb23dab425ff8183bcdc35ec1bdfde92bc54caf027af30c7fb8fc34
SHA512

923528321f6fe5c66ee9dfde96e18c8e3c2a710731acfa81b2ab57286ec96a0333bb9e10b61c77aeeba22016da97c7289b298e6251ff3279660ebfcd2e8b43c4
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lh:RWWBibf56utgpPFotBER/mQ32lUV

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x00080000000234d0-4.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d5-7.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d4-10.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d6-18.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d7-34.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d8-37.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d9-42.dat	cobalt_reflective_dll
behavioral2/files/0x00080000000234d1-48.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234da-54.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234db-59.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234dc-70.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234dd-75.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234e0-83.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234e1-102.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234e4-121.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234e5-123.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234e3-114.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234e2-108.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234df-91.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234e6-128.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023420-134.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 46 IoCs

miner

resource	yara_rule
behavioral2/memory/3648-45-0x00007FF74F9F0000-0x00007FF74FD41000-memory.dmp	xmrig
behavioral2/memory/3212-61-0x00007FF664E40000-0x00007FF665191000-memory.dmp	xmrig
behavioral2/memory/1236-55-0x00007FF6C1A40000-0x00007FF6C1D91000-memory.dmp	xmrig
behavioral2/memory/1112-43-0x00007FF6A11E0000-0x00007FF6A1531000-memory.dmp	xmrig
behavioral2/memory/3536-72-0x00007FF75DBB0000-0x00007FF75DF01000-memory.dmp	xmrig
behavioral2/memory/3976-103-0x00007FF62DE90000-0x00007FF62E1E1000-memory.dmp	xmrig
behavioral2/memory/2288-113-0x00007FF76EEA0000-0x00007FF76F1F1000-memory.dmp	xmrig
behavioral2/memory/3648-120-0x00007FF74F9F0000-0x00007FF74FD41000-memory.dmp	xmrig
behavioral2/memory/756-87-0x00007FF70D740000-0x00007FF70DA91000-memory.dmp	xmrig
behavioral2/memory/4136-78-0x00007FF769AB0000-0x00007FF769E01000-memory.dmp	xmrig
behavioral2/memory/3940-129-0x00007FF65AF10000-0x00007FF65B261000-memory.dmp	xmrig
behavioral2/memory/1068-137-0x00007FF745940000-0x00007FF745C91000-memory.dmp	xmrig
behavioral2/memory/1580-125-0x00007FF6A7490000-0x00007FF6A77E1000-memory.dmp	xmrig
behavioral2/memory/1112-138-0x00007FF6A11E0000-0x00007FF6A1531000-memory.dmp	xmrig
behavioral2/memory/4504-143-0x00007FF7270B0000-0x00007FF727401000-memory.dmp	xmrig
behavioral2/memory/1768-146-0x00007FF65D5A0000-0x00007FF65D8F1000-memory.dmp	xmrig
behavioral2/memory/116-153-0x00007FF7BA920000-0x00007FF7BAC71000-memory.dmp	xmrig
behavioral2/memory/644-154-0x00007FF654D40000-0x00007FF655091000-memory.dmp	xmrig
behavioral2/memory/1476-156-0x00007FF78BD60000-0x00007FF78C0B1000-memory.dmp	xmrig
behavioral2/memory/2604-155-0x00007FF69B720000-0x00007FF69BA71000-memory.dmp	xmrig
behavioral2/memory/4876-160-0x00007FF6A6EA0000-0x00007FF6A71F1000-memory.dmp	xmrig
behavioral2/memory/2516-164-0x00007FF79C060000-0x00007FF79C3B1000-memory.dmp	xmrig
behavioral2/memory/1548-165-0x00007FF606400000-0x00007FF606751000-memory.dmp	xmrig
behavioral2/memory/1552-166-0x00007FF770C50000-0x00007FF770FA1000-memory.dmp	xmrig
behavioral2/memory/1112-168-0x00007FF6A11E0000-0x00007FF6A1531000-memory.dmp	xmrig
behavioral2/memory/1236-220-0x00007FF6C1A40000-0x00007FF6C1D91000-memory.dmp	xmrig
behavioral2/memory/3212-222-0x00007FF664E40000-0x00007FF665191000-memory.dmp	xmrig
behavioral2/memory/3536-224-0x00007FF75DBB0000-0x00007FF75DF01000-memory.dmp	xmrig
behavioral2/memory/756-229-0x00007FF70D740000-0x00007FF70DA91000-memory.dmp	xmrig
behavioral2/memory/4136-227-0x00007FF769AB0000-0x00007FF769E01000-memory.dmp	xmrig
behavioral2/memory/3976-230-0x00007FF62DE90000-0x00007FF62E1E1000-memory.dmp	xmrig
behavioral2/memory/3648-238-0x00007FF74F9F0000-0x00007FF74FD41000-memory.dmp	xmrig
behavioral2/memory/1580-240-0x00007FF6A7490000-0x00007FF6A77E1000-memory.dmp	xmrig
behavioral2/memory/3940-242-0x00007FF65AF10000-0x00007FF65B261000-memory.dmp	xmrig
behavioral2/memory/1068-244-0x00007FF745940000-0x00007FF745C91000-memory.dmp	xmrig
behavioral2/memory/1768-246-0x00007FF65D5A0000-0x00007FF65D8F1000-memory.dmp	xmrig
behavioral2/memory/116-256-0x00007FF7BA920000-0x00007FF7BAC71000-memory.dmp	xmrig
behavioral2/memory/2604-259-0x00007FF69B720000-0x00007FF69BA71000-memory.dmp	xmrig
behavioral2/memory/644-260-0x00007FF654D40000-0x00007FF655091000-memory.dmp	xmrig
behavioral2/memory/1476-262-0x00007FF78BD60000-0x00007FF78C0B1000-memory.dmp	xmrig
behavioral2/memory/2288-266-0x00007FF76EEA0000-0x00007FF76F1F1000-memory.dmp	xmrig
behavioral2/memory/4876-265-0x00007FF6A6EA0000-0x00007FF6A71F1000-memory.dmp	xmrig
behavioral2/memory/2516-268-0x00007FF79C060000-0x00007FF79C3B1000-memory.dmp	xmrig
behavioral2/memory/1552-270-0x00007FF770C50000-0x00007FF770FA1000-memory.dmp	xmrig
behavioral2/memory/1548-274-0x00007FF606400000-0x00007FF606751000-memory.dmp	xmrig
behavioral2/memory/4504-276-0x00007FF7270B0000-0x00007FF727401000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
1236	qvhDJkr.exe
3212	VFKRVPf.exe
3536	iDuOCAw.exe
4136	JRohlfu.exe
756	LvsAcLR.exe
3976	xOCjMzr.exe
3648	qQZwlSJ.exe
1580	LXoDvjW.exe
3940	XFOwAqY.exe
1068	tsQMpdP.exe
1768	tVAzzlw.exe
116	vxfyFmi.exe
2604	uEPSqQA.exe
644	UNaJzyQ.exe
1476	OVgWuYk.exe
2288	sFQghwy.exe
4876	QawnFTQ.exe
1552	PnKkSVI.exe
2516	dzPFsyf.exe
1548	YLJaauZ.exe
4504	RMntEyE.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1112-0-0x00007FF6A11E0000-0x00007FF6A1531000-memory.dmp	upx
behavioral2/files/0x00080000000234d0-4.dat	upx
behavioral2/files/0x00070000000234d5-7.dat	upx
behavioral2/memory/3212-15-0x00007FF664E40000-0x00007FF665191000-memory.dmp	upx
behavioral2/files/0x00070000000234d4-10.dat	upx
behavioral2/memory/1236-8-0x00007FF6C1A40000-0x00007FF6C1D91000-memory.dmp	upx
behavioral2/memory/3536-19-0x00007FF75DBB0000-0x00007FF75DF01000-memory.dmp	upx
behavioral2/files/0x00070000000234d6-18.dat	upx
behavioral2/memory/756-30-0x00007FF70D740000-0x00007FF70DA91000-memory.dmp	upx
behavioral2/files/0x00070000000234d7-34.dat	upx
behavioral2/files/0x00070000000234d8-37.dat	upx
behavioral2/memory/3976-36-0x00007FF62DE90000-0x00007FF62E1E1000-memory.dmp	upx
behavioral2/memory/4136-26-0x00007FF769AB0000-0x00007FF769E01000-memory.dmp	upx
behavioral2/files/0x00070000000234d9-42.dat	upx
behavioral2/memory/3648-45-0x00007FF74F9F0000-0x00007FF74FD41000-memory.dmp	upx
behavioral2/files/0x00080000000234d1-48.dat	upx
behavioral2/files/0x00070000000234da-54.dat	upx
behavioral2/memory/3940-56-0x00007FF65AF10000-0x00007FF65B261000-memory.dmp	upx
behavioral2/files/0x00070000000234db-59.dat	upx
behavioral2/memory/3212-61-0x00007FF664E40000-0x00007FF665191000-memory.dmp	upx
behavioral2/files/0x00070000000234dc-70.dat	upx
behavioral2/memory/1768-69-0x00007FF65D5A0000-0x00007FF65D8F1000-memory.dmp	upx
behavioral2/memory/1068-64-0x00007FF745940000-0x00007FF745C91000-memory.dmp	upx
behavioral2/memory/1236-55-0x00007FF6C1A40000-0x00007FF6C1D91000-memory.dmp	upx
behavioral2/memory/1580-51-0x00007FF6A7490000-0x00007FF6A77E1000-memory.dmp	upx
behavioral2/memory/1112-43-0x00007FF6A11E0000-0x00007FF6A1531000-memory.dmp	upx
behavioral2/memory/3536-72-0x00007FF75DBB0000-0x00007FF75DF01000-memory.dmp	upx
behavioral2/files/0x00070000000234dd-75.dat	upx
behavioral2/files/0x00070000000234e0-83.dat	upx
behavioral2/files/0x00070000000234e1-102.dat	upx
behavioral2/memory/3976-103-0x00007FF62DE90000-0x00007FF62E1E1000-memory.dmp	upx
behavioral2/memory/2288-113-0x00007FF76EEA0000-0x00007FF76F1F1000-memory.dmp	upx
behavioral2/memory/4876-117-0x00007FF6A6EA0000-0x00007FF6A71F1000-memory.dmp	upx
behavioral2/memory/3648-120-0x00007FF74F9F0000-0x00007FF74FD41000-memory.dmp	upx
behavioral2/memory/2516-119-0x00007FF79C060000-0x00007FF79C3B1000-memory.dmp	upx
behavioral2/files/0x00070000000234e4-121.dat	upx
behavioral2/files/0x00070000000234e5-123.dat	upx
behavioral2/memory/1552-118-0x00007FF770C50000-0x00007FF770FA1000-memory.dmp	upx
behavioral2/files/0x00070000000234e3-114.dat	upx
behavioral2/memory/1476-106-0x00007FF78BD60000-0x00007FF78C0B1000-memory.dmp	upx
behavioral2/files/0x00070000000234e2-108.dat	upx
behavioral2/files/0x00070000000234df-91.dat	upx
behavioral2/memory/2604-90-0x00007FF69B720000-0x00007FF69BA71000-memory.dmp	upx
behavioral2/memory/756-87-0x00007FF70D740000-0x00007FF70DA91000-memory.dmp	upx
behavioral2/memory/644-84-0x00007FF654D40000-0x00007FF655091000-memory.dmp	upx
behavioral2/memory/116-80-0x00007FF7BA920000-0x00007FF7BAC71000-memory.dmp	upx
behavioral2/memory/4136-78-0x00007FF769AB0000-0x00007FF769E01000-memory.dmp	upx
behavioral2/files/0x00070000000234e6-128.dat	upx
behavioral2/memory/3940-129-0x00007FF65AF10000-0x00007FF65B261000-memory.dmp	upx
behavioral2/files/0x000b000000023420-134.dat	upx
behavioral2/memory/1068-137-0x00007FF745940000-0x00007FF745C91000-memory.dmp	upx
behavioral2/memory/1548-135-0x00007FF606400000-0x00007FF606751000-memory.dmp	upx
behavioral2/memory/1580-125-0x00007FF6A7490000-0x00007FF6A77E1000-memory.dmp	upx
behavioral2/memory/1112-138-0x00007FF6A11E0000-0x00007FF6A1531000-memory.dmp	upx
behavioral2/memory/4504-143-0x00007FF7270B0000-0x00007FF727401000-memory.dmp	upx
behavioral2/memory/1768-146-0x00007FF65D5A0000-0x00007FF65D8F1000-memory.dmp	upx
behavioral2/memory/116-153-0x00007FF7BA920000-0x00007FF7BAC71000-memory.dmp	upx
behavioral2/memory/644-154-0x00007FF654D40000-0x00007FF655091000-memory.dmp	upx
behavioral2/memory/1476-156-0x00007FF78BD60000-0x00007FF78C0B1000-memory.dmp	upx
behavioral2/memory/2604-155-0x00007FF69B720000-0x00007FF69BA71000-memory.dmp	upx
behavioral2/memory/4876-160-0x00007FF6A6EA0000-0x00007FF6A71F1000-memory.dmp	upx
behavioral2/memory/2516-164-0x00007FF79C060000-0x00007FF79C3B1000-memory.dmp	upx
behavioral2/memory/1548-165-0x00007FF606400000-0x00007FF606751000-memory.dmp	upx
behavioral2/memory/1552-166-0x00007FF770C50000-0x00007FF770FA1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\tsQMpdP.exe	2024-09-13_1e3eff9d6634a4a0387f6014b40881a2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UNaJzyQ.exe	2024-09-13_1e3eff9d6634a4a0387f6014b40881a2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RMntEyE.exe	2024-09-13_1e3eff9d6634a4a0387f6014b40881a2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VFKRVPf.exe	2024-09-13_1e3eff9d6634a4a0387f6014b40881a2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JRohlfu.exe	2024-09-13_1e3eff9d6634a4a0387f6014b40881a2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LvsAcLR.exe	2024-09-13_1e3eff9d6634a4a0387f6014b40881a2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qQZwlSJ.exe	2024-09-13_1e3eff9d6634a4a0387f6014b40881a2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XFOwAqY.exe	2024-09-13_1e3eff9d6634a4a0387f6014b40881a2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vxfyFmi.exe	2024-09-13_1e3eff9d6634a4a0387f6014b40881a2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uEPSqQA.exe	2024-09-13_1e3eff9d6634a4a0387f6014b40881a2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sFQghwy.exe	2024-09-13_1e3eff9d6634a4a0387f6014b40881a2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LXoDvjW.exe	2024-09-13_1e3eff9d6634a4a0387f6014b40881a2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tVAzzlw.exe	2024-09-13_1e3eff9d6634a4a0387f6014b40881a2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QawnFTQ.exe	2024-09-13_1e3eff9d6634a4a0387f6014b40881a2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PnKkSVI.exe	2024-09-13_1e3eff9d6634a4a0387f6014b40881a2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YLJaauZ.exe	2024-09-13_1e3eff9d6634a4a0387f6014b40881a2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qvhDJkr.exe	2024-09-13_1e3eff9d6634a4a0387f6014b40881a2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iDuOCAw.exe	2024-09-13_1e3eff9d6634a4a0387f6014b40881a2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xOCjMzr.exe	2024-09-13_1e3eff9d6634a4a0387f6014b40881a2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OVgWuYk.exe	2024-09-13_1e3eff9d6634a4a0387f6014b40881a2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dzPFsyf.exe	2024-09-13_1e3eff9d6634a4a0387f6014b40881a2_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1112	2024-09-13_1e3eff9d6634a4a0387f6014b40881a2_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	1112	2024-09-13_1e3eff9d6634a4a0387f6014b40881a2_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1112 wrote to memory of 1236	1112	2024-09-13_1e3eff9d6634a4a0387f6014b40881a2_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 1112 wrote to memory of 1236	1112	2024-09-13_1e3eff9d6634a4a0387f6014b40881a2_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 1112 wrote to memory of 3212	1112	2024-09-13_1e3eff9d6634a4a0387f6014b40881a2_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 1112 wrote to memory of 3212	1112	2024-09-13_1e3eff9d6634a4a0387f6014b40881a2_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 1112 wrote to memory of 3536	1112	2024-09-13_1e3eff9d6634a4a0387f6014b40881a2_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 1112 wrote to memory of 3536	1112	2024-09-13_1e3eff9d6634a4a0387f6014b40881a2_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 1112 wrote to memory of 4136	1112	2024-09-13_1e3eff9d6634a4a0387f6014b40881a2_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 1112 wrote to memory of 4136	1112	2024-09-13_1e3eff9d6634a4a0387f6014b40881a2_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 1112 wrote to memory of 756	1112	2024-09-13_1e3eff9d6634a4a0387f6014b40881a2_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 1112 wrote to memory of 756	1112	2024-09-13_1e3eff9d6634a4a0387f6014b40881a2_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 1112 wrote to memory of 3976	1112	2024-09-13_1e3eff9d6634a4a0387f6014b40881a2_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 1112 wrote to memory of 3976	1112	2024-09-13_1e3eff9d6634a4a0387f6014b40881a2_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 1112 wrote to memory of 3648	1112	2024-09-13_1e3eff9d6634a4a0387f6014b40881a2_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1112 wrote to memory of 3648	1112	2024-09-13_1e3eff9d6634a4a0387f6014b40881a2_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1112 wrote to memory of 1580	1112	2024-09-13_1e3eff9d6634a4a0387f6014b40881a2_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1112 wrote to memory of 1580	1112	2024-09-13_1e3eff9d6634a4a0387f6014b40881a2_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1112 wrote to memory of 3940	1112	2024-09-13_1e3eff9d6634a4a0387f6014b40881a2_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1112 wrote to memory of 3940	1112	2024-09-13_1e3eff9d6634a4a0387f6014b40881a2_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1112 wrote to memory of 1068	1112	2024-09-13_1e3eff9d6634a4a0387f6014b40881a2_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 1112 wrote to memory of 1068	1112	2024-09-13_1e3eff9d6634a4a0387f6014b40881a2_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 1112 wrote to memory of 1768	1112	2024-09-13_1e3eff9d6634a4a0387f6014b40881a2_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1112 wrote to memory of 1768	1112	2024-09-13_1e3eff9d6634a4a0387f6014b40881a2_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1112 wrote to memory of 116	1112	2024-09-13_1e3eff9d6634a4a0387f6014b40881a2_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1112 wrote to memory of 116	1112	2024-09-13_1e3eff9d6634a4a0387f6014b40881a2_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1112 wrote to memory of 2604	1112	2024-09-13_1e3eff9d6634a4a0387f6014b40881a2_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1112 wrote to memory of 2604	1112	2024-09-13_1e3eff9d6634a4a0387f6014b40881a2_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1112 wrote to memory of 644	1112	2024-09-13_1e3eff9d6634a4a0387f6014b40881a2_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1112 wrote to memory of 644	1112	2024-09-13_1e3eff9d6634a4a0387f6014b40881a2_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1112 wrote to memory of 1476	1112	2024-09-13_1e3eff9d6634a4a0387f6014b40881a2_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1112 wrote to memory of 1476	1112	2024-09-13_1e3eff9d6634a4a0387f6014b40881a2_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1112 wrote to memory of 2288	1112	2024-09-13_1e3eff9d6634a4a0387f6014b40881a2_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1112 wrote to memory of 2288	1112	2024-09-13_1e3eff9d6634a4a0387f6014b40881a2_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1112 wrote to memory of 4876	1112	2024-09-13_1e3eff9d6634a4a0387f6014b40881a2_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1112 wrote to memory of 4876	1112	2024-09-13_1e3eff9d6634a4a0387f6014b40881a2_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1112 wrote to memory of 1552	1112	2024-09-13_1e3eff9d6634a4a0387f6014b40881a2_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 1112 wrote to memory of 1552	1112	2024-09-13_1e3eff9d6634a4a0387f6014b40881a2_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 1112 wrote to memory of 2516	1112	2024-09-13_1e3eff9d6634a4a0387f6014b40881a2_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 1112 wrote to memory of 2516	1112	2024-09-13_1e3eff9d6634a4a0387f6014b40881a2_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 1112 wrote to memory of 1548	1112	2024-09-13_1e3eff9d6634a4a0387f6014b40881a2_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 1112 wrote to memory of 1548	1112	2024-09-13_1e3eff9d6634a4a0387f6014b40881a2_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 1112 wrote to memory of 4504	1112	2024-09-13_1e3eff9d6634a4a0387f6014b40881a2_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 1112 wrote to memory of 4504	1112	2024-09-13_1e3eff9d6634a4a0387f6014b40881a2_cobalt-strike_cobaltstrike_poet-rat.exe	107

C:\Users\Admin\AppData\Local\Temp\2024-09-13_1e3eff9d6634a4a0387f6014b40881a2_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-13_1e3eff9d6634a4a0387f6014b40881a2_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1112
- C:\Windows\System\qvhDJkr.exe
  C:\Windows\System\qvhDJkr.exe
  2⤵
  - Executes dropped EXE
  PID:1236
- C:\Windows\System\VFKRVPf.exe
  C:\Windows\System\VFKRVPf.exe
  2⤵
  - Executes dropped EXE
  PID:3212
- C:\Windows\System\iDuOCAw.exe
  C:\Windows\System\iDuOCAw.exe
  2⤵
  - Executes dropped EXE
  PID:3536
- C:\Windows\System\JRohlfu.exe
  C:\Windows\System\JRohlfu.exe
  2⤵
  - Executes dropped EXE
  PID:4136
- C:\Windows\System\LvsAcLR.exe
  C:\Windows\System\LvsAcLR.exe
  2⤵
  - Executes dropped EXE
  PID:756
- C:\Windows\System\xOCjMzr.exe
  C:\Windows\System\xOCjMzr.exe
  2⤵
  - Executes dropped EXE
  PID:3976
- C:\Windows\System\qQZwlSJ.exe
  C:\Windows\System\qQZwlSJ.exe
  2⤵
  - Executes dropped EXE
  PID:3648
- C:\Windows\System\LXoDvjW.exe
  C:\Windows\System\LXoDvjW.exe
  2⤵
  - Executes dropped EXE
  PID:1580
- C:\Windows\System\XFOwAqY.exe
  C:\Windows\System\XFOwAqY.exe
  2⤵
  - Executes dropped EXE
  PID:3940
- C:\Windows\System\tsQMpdP.exe
  C:\Windows\System\tsQMpdP.exe
  2⤵
  - Executes dropped EXE
  PID:1068
- C:\Windows\System\tVAzzlw.exe
  C:\Windows\System\tVAzzlw.exe
  2⤵
  - Executes dropped EXE
  PID:1768
- C:\Windows\System\vxfyFmi.exe
  C:\Windows\System\vxfyFmi.exe
  2⤵
  - Executes dropped EXE
  PID:116
- C:\Windows\System\uEPSqQA.exe
  C:\Windows\System\uEPSqQA.exe
  2⤵
  - Executes dropped EXE
  PID:2604
- C:\Windows\System\UNaJzyQ.exe
  C:\Windows\System\UNaJzyQ.exe
  2⤵
  - Executes dropped EXE
  PID:644
- C:\Windows\System\OVgWuYk.exe
  C:\Windows\System\OVgWuYk.exe
  2⤵
  - Executes dropped EXE
  PID:1476
- C:\Windows\System\sFQghwy.exe
  C:\Windows\System\sFQghwy.exe
  2⤵
  - Executes dropped EXE
  PID:2288
- C:\Windows\System\QawnFTQ.exe
  C:\Windows\System\QawnFTQ.exe
  2⤵
  - Executes dropped EXE
  PID:4876
- C:\Windows\System\PnKkSVI.exe
  C:\Windows\System\PnKkSVI.exe
  2⤵
  - Executes dropped EXE
  PID:1552
- C:\Windows\System\dzPFsyf.exe
  C:\Windows\System\dzPFsyf.exe
  2⤵
  - Executes dropped EXE
  PID:2516
- C:\Windows\System\YLJaauZ.exe
  C:\Windows\System\YLJaauZ.exe
  2⤵
  - Executes dropped EXE
  PID:1548
- C:\Windows\System\RMntEyE.exe
  C:\Windows\System\RMntEyE.exe
  2⤵
  - Executes dropped EXE
  PID:4504

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\JRohlfu.exe

Filesize
5.2MB

MD5
b6d2bf0f8564ef8e4d4f383ed4059ad1

SHA1
d37d3fe131585eac13d778e1a634b73682620d98

SHA256
8e6987db30b5afcdca32a1b020e7efda2931db62263479b982881484b6b7bd8e

SHA512
1c8532e9182ec8d5f6d0865089ef80c1582aca854ef1c55c737580c2dad66ce7ba44a2e781b88fd68f34ae8c253a2b7795b0e3a6b759688f62338683dfe4a566

Download Submit
C:\Windows\System\LXoDvjW.exe

Filesize
5.2MB

MD5
0d21f959ad645c6eaec3724a4825bac2

SHA1
b230f8feaf8a769ab394a76c054f8be3c330e443

SHA256
ab6358df2c0f8b7a4d35d78692f30505fb4e494c805b269a9ecc4907c197aec3

SHA512
8a0a956c8f586c35e882850f0cd50e6931dd22ecb0533a22edd955aeca18eda2bdc329ec9351ea637a38b643d71d6d3337adb40fc9b44142579bad28d8bb3e4b

Download Submit
C:\Windows\System\LvsAcLR.exe

Filesize
5.2MB

MD5
69704912f332b0dce5320b57522fd4b1

SHA1
991adad8ce2cc88d713f22825a3f9814b75b2bfe

SHA256
c3c3da21605097113f90c289304e8eccfd3a29f01c27f4cb1bc3e88dcf5248c9

SHA512
7fba6a1fb5766e3cb2277b6d1ba87619a044b38ddbd2091a6b1595fcbff129c4ddd54a73a212ad1ff2998a2c079a0e13988c796d8a64a43d068d39954e2d1001

Download Submit
C:\Windows\System\OVgWuYk.exe

Filesize
5.2MB

MD5
bc5f0fe5b2dbfd7c1b7817ece6b905d7

SHA1
9d4d830cf12542eb953d280c034b315fec1bcfe0

SHA256
1739807d4bf7ac4151ae8d89b35bcef01959059839bd3a86edfbfd757ced36d8

SHA512
8a610a88ff64f64913f35fb40b9501c2ff7132785de7a5353d2077c221158aa09c91677525f687557f1f36e2b3f88901d7b6ed207bb1048e3a7fc30583ac2cd8

Download Submit
C:\Windows\System\PnKkSVI.exe

Filesize
5.2MB

MD5
3e8981bc5f4c9ea4570ecb34cd0e5659

SHA1
947764e101a10152ad4461674d92b1438a881826

SHA256
2231bb1dff6072b1af5ebb0a137dfbe53919caa7789b52a3d8fe60848439cf5b

SHA512
d4950d590ab29e7a05fba7807faf56f47eefbc331b316167e6f85e572c0ee515fc9b1052427b185db077799c36d814e6236ea3ce662723c06afa74cf1cf508a8

Download Submit
C:\Windows\System\QawnFTQ.exe

Filesize
5.2MB

MD5
7a3124aeadc3f752c4197db89086831c

SHA1
3f73b2fb4b530c8cee3f9576576ae1146f25b1a8

SHA256
6b08874e80bcde36895774d8dee226ada5ad6d4d5591e6499cd11b86b75ed5cc

SHA512
103d3a8d117526d62f9a0d778fc18a051ca43309e6dffa4039f4dae425399f74702941596276e07ca6cfec7c0c9d7496d48d49e602848592fc64959546b1f62e

Download Submit
C:\Windows\System\RMntEyE.exe

Filesize
5.2MB

MD5
38ad8b116e20baa2487d030332a0bc0c

SHA1
3a2ac2cfe3266a84da7d8a36944fcd302f2eb99b

SHA256
0513c538f70b557fdf0688a77f00317d19d2440b23ff47713ba631dd090538b9

SHA512
48beac5180a9b4a6d19d7548a5ade992f57a4304ee673794e1495b8880f48946ac456e2f626051cc49d9390776d8d5ef6d604ff132ac95c04157b2ecb55be1d8

Download Submit
C:\Windows\System\UNaJzyQ.exe

Filesize
5.2MB

MD5
bcd1606765bede73c76bd2b8bccd7e57

SHA1
76808c70b888b29f2caa09e5c45522446d481fa9

SHA256
9e13970171fc585d055d08baac7f93c74bae1823722dfb948a2a04ab2cdd665c

SHA512
9bcb7511625350889da71b71d14e66296598f7ca16caf5890ec70e40b545b1d57521c5b7873f648dbbe567d281302533286f5345767d2bea4910eff7a4b899d8

Download Submit
C:\Windows\System\VFKRVPf.exe

Filesize
5.2MB

MD5
d6d7c15631b3bf857634ec571b70cb68

SHA1
75f2067de805495973145a12fc53c883ac666fcb

SHA256
9032b0b9f52b000a1f9ae989455d300b52ce0ca979ba72701db612b74c96cf46

SHA512
ae2c2ae53f2f31b35d0b32130901214796b49283cd0af49d8891ac532a0b7e05ddc96762c1676fff96abf8ce117ff54392c0546b459a962501e300a6e1391f21

Download Submit
C:\Windows\System\XFOwAqY.exe

Filesize
5.2MB

MD5
828a5f141b653c9fe96053ea77b5d562

SHA1
93542e89a12be83ec25fb59080a3a1f3c98cdcb8

SHA256
2cad8fb39c766b56cdc4feed5c75dc58d468078741792b06be06a693262ffd7a

SHA512
53c632e807d04113968f8a6918ac8d9d9db34adc2199e93646a618fcec34b2e0a2a8bd9aa84c945ccd35fbb4cdb9436501cc4fd784ef9df35e79220d13a4e2cf

Download Submit
C:\Windows\System\YLJaauZ.exe

Filesize
5.2MB

MD5
4b65ad8a35450135da7d5ce005f711d6

SHA1
78c2c625ecacdd751f9cad9d5614041500c2c27d

SHA256
295b751ffa87fbb19d5756966049acc9921d722ec6c16ac07960ea1aae7ba102

SHA512
5f4f8502059cafe918f88d6480c3090801979d1dc16a5aa6ade920ca55a687a5a555dd8953c46c8ff63dff89557f9ea11332f2cb9f26cfc56cefcc5cdeda3449

Download Submit
C:\Windows\System\dzPFsyf.exe

Filesize
5.2MB

MD5
f31f36b6ba5dcd215d51dc66b9b62a3f

SHA1
b688281644cef5b50dca250daf9608466c116256

SHA256
6f9d098b884dfec74cc1c9ba2d85d02e242bd2e68e4101f124f7ed82e9ad9764

SHA512
2d99f6bd6053bc1e79350d43a4fd2d0c6f5a4758a208ec0c788f6d2a44d7530e5ecb9febf979c69690bfadc7b54ce12516ba5da897b8ae77b2c0dde7a6cd12ab

Download Submit
C:\Windows\System\iDuOCAw.exe

Filesize
5.2MB

MD5
3e8f3d1c863d444d2a7cf3eba72249b4

SHA1
a54dbe8885ea182f8146c151a58acf745bcd98ab

SHA256
e3a630ac6b201ce8c45ee0bacc099a5a597ef0929dbf1904f65c98e970950681

SHA512
e270723d26265251a5c43187d9e28694d57e98a4cb6a51035b0fc80d275a2031f36ee7e7e0ea2eb4516187904650cf65ea5b42d44469f3507b7ab180b36d3f93

Download Submit
C:\Windows\System\qQZwlSJ.exe

Filesize
5.2MB

MD5
984e654f1676fcb269fc60711f42094e

SHA1
5216812aaac4882cc8e7d9215c811341b04b1a90

SHA256
7c7599bf7bbdfcbca5b92f56777f4569a34c7c3cff8140c9d9568ce688dc68b9

SHA512
1152ac7ac210cee12d7958985e18aaa9abf23be08707c10741b99cf7906941df479940a9240d1e1fca1fcc4843b5e999f103f99afaa7fc049bbaab43f3a46011

Download Submit
C:\Windows\System\qvhDJkr.exe

Filesize
5.2MB

MD5
c416b95b5c5e3b5b0cae5a238ddf0bf2

SHA1
943d3302a5aeee10ef0bed3626f5ffe48bd55959

SHA256
0b6a120bcdb0b009d0a4e673ea84914f5b2bc3e33068862a3f1fc803cbb89bf1

SHA512
01fae872ade5d3d8fcde1f8c4c5ecfb56cf738d62d0af359d784c27bd7cafa0b50f93874cbff1fe585dc60158c0b05b64e561a5b090e9b295e5353eca9beca29

Download Submit
C:\Windows\System\sFQghwy.exe

Filesize
5.2MB

MD5
c380b6eecae27efe605f6865f25845ae

SHA1
76f0ddd163529049f57f8470ffcc034c56c2bb91

SHA256
3f84016c6f1f365f888264c513695f5d3619ea5a4f250d572bd8922c08dbd2f6

SHA512
f944cfe8c83e5f090b915340d1638c2377ae7f98d05a0b68a1ebc90b8aa82ac5a2be91c9e1c9c58870a071bd1ac79e63d6d728dd1f9927d645d84d014f0e078d

Download Submit
C:\Windows\System\tVAzzlw.exe

Filesize
5.2MB

MD5
8d66026e8fb883bc5e16cfac62f9f221

SHA1
1a194af76cd6cd65faa62199f81ebbb94e879546

SHA256
c5c91636bfc01d5845d5bf04b28771d9de320278c538d1273dbb96e94e091909

SHA512
512eeb0acb2984bfe8f6488e63df49f48f475391ccc80442e394a31f83694606ee54201d935845ee9fafe0f3bc0b430dc1eced06116e53cb2cd63f382ddc4552

Download Submit
C:\Windows\System\tsQMpdP.exe

Filesize
5.2MB

MD5
12d80a46e8e576fc0dd7ca6dd384a575

SHA1
0ea531c536f5995d86f759628b761e26239c08ba

SHA256
ff93aa0df02480ec4e096e951fa6e7cc8ec57c14c7f6c03c287641f14f8ec52c

SHA512
2c2bd9fc9c9764b6e65bcfc752231fcc627372560b8089ddc4388d30cd07d0b1d664cb987e8799c9f9c9fed5ca9ff6a9e9b2baace2afba280ca06a21d64f764c

Download Submit
C:\Windows\System\uEPSqQA.exe

Filesize
5.2MB

MD5
91930d153fe20843d6d3411c226d26c3

SHA1
2514148f14f8e5b7230979c790b490eadba7eae6

SHA256
4715cedaea7c37cc5ad104e9da8f81c8405f081942371f1473b2703a37bc2d03

SHA512
9d0d5794685ae2cc43c890ecad2846b208360a26180238fb15b5e822c5e983bcd980b4c7dc308353184a39b28e606876a3ba48ff0e113493c04343fca3423d26

Download Submit
C:\Windows\System\vxfyFmi.exe

Filesize
5.2MB

MD5
221a02bc10de63a9331e4c0e695809d8

SHA1
aed313bb064ee9746824f3c62f1d6cef0ace84a4

SHA256
c32e5ce9a78edf29c4ea7925a63840723ab4ea65a6c3ed5e49f422b9fb2ec104

SHA512
28d22f4ee20404ee73a9fc556b4f2f8075a4fbe325321398f0159af0529fe5a0056c6fe02f3aa6a30b4bd4a50d96ab582641778e2d6d57123f2deeacfdbaf1e1

Download Submit
C:\Windows\System\xOCjMzr.exe

Filesize
5.2MB

MD5
2f77eb9a6fe6bd5b0cb2e02b433c0138

SHA1
e12c149d60354296eba40708945adbbd7716c8be

SHA256
8dada037b88835e0234586f11dcd3dbbde884c9e0f6805595ff9aef2b96590ae

SHA512
3deaf8b2d3f32b7802ed5c643b2ccdca347c6085815cd80bc4253fda48d95adb038156125e62894dac2b7791484032249b0f49b118af99dd02fef637d37d9df0

Download Submit
memory/116-153-0x00007FF7BA920000-0x00007FF7BAC71000-memory.dmp

Filesize
3.3MB

Download
memory/116-256-0x00007FF7BA920000-0x00007FF7BAC71000-memory.dmp

Filesize
3.3MB

Download
memory/116-80-0x00007FF7BA920000-0x00007FF7BAC71000-memory.dmp

Filesize
3.3MB

Download
memory/644-84-0x00007FF654D40000-0x00007FF655091000-memory.dmp

Filesize
3.3MB

Download
memory/644-260-0x00007FF654D40000-0x00007FF655091000-memory.dmp

Filesize
3.3MB

Download
memory/644-154-0x00007FF654D40000-0x00007FF655091000-memory.dmp

Filesize
3.3MB

Download
memory/756-30-0x00007FF70D740000-0x00007FF70DA91000-memory.dmp

Filesize
3.3MB

Download
memory/756-229-0x00007FF70D740000-0x00007FF70DA91000-memory.dmp

Filesize
3.3MB

Download
memory/756-87-0x00007FF70D740000-0x00007FF70DA91000-memory.dmp

Filesize
3.3MB

Download
memory/1068-64-0x00007FF745940000-0x00007FF745C91000-memory.dmp

Filesize
3.3MB

Download
memory/1068-137-0x00007FF745940000-0x00007FF745C91000-memory.dmp

Filesize
3.3MB

Download
memory/1068-244-0x00007FF745940000-0x00007FF745C91000-memory.dmp

Filesize
3.3MB

Download
memory/1112-43-0x00007FF6A11E0000-0x00007FF6A1531000-memory.dmp

Filesize
3.3MB

Download
memory/1112-138-0x00007FF6A11E0000-0x00007FF6A1531000-memory.dmp

Filesize
3.3MB

Download
memory/1112-1-0x0000024237E70000-0x0000024237E80000-memory.dmp

Filesize
64KB

Download
memory/1112-168-0x00007FF6A11E0000-0x00007FF6A1531000-memory.dmp

Filesize
3.3MB

Download
memory/1112-0-0x00007FF6A11E0000-0x00007FF6A1531000-memory.dmp

Filesize
3.3MB

Download
memory/1236-220-0x00007FF6C1A40000-0x00007FF6C1D91000-memory.dmp

Filesize
3.3MB

Download
memory/1236-8-0x00007FF6C1A40000-0x00007FF6C1D91000-memory.dmp

Filesize
3.3MB

Download
memory/1236-55-0x00007FF6C1A40000-0x00007FF6C1D91000-memory.dmp

Filesize
3.3MB

Download
memory/1476-262-0x00007FF78BD60000-0x00007FF78C0B1000-memory.dmp

Filesize
3.3MB

Download
memory/1476-106-0x00007FF78BD60000-0x00007FF78C0B1000-memory.dmp

Filesize
3.3MB

Download
memory/1476-156-0x00007FF78BD60000-0x00007FF78C0B1000-memory.dmp

Filesize
3.3MB

Download
memory/1548-274-0x00007FF606400000-0x00007FF606751000-memory.dmp

Filesize
3.3MB

Download
memory/1548-135-0x00007FF606400000-0x00007FF606751000-memory.dmp

Filesize
3.3MB

Download
memory/1548-165-0x00007FF606400000-0x00007FF606751000-memory.dmp

Filesize
3.3MB

Download
memory/1552-166-0x00007FF770C50000-0x00007FF770FA1000-memory.dmp

Filesize
3.3MB

Download
memory/1552-118-0x00007FF770C50000-0x00007FF770FA1000-memory.dmp

Filesize
3.3MB

Download
memory/1552-270-0x00007FF770C50000-0x00007FF770FA1000-memory.dmp

Filesize
3.3MB

Download
memory/1580-51-0x00007FF6A7490000-0x00007FF6A77E1000-memory.dmp

Filesize
3.3MB

Download
memory/1580-125-0x00007FF6A7490000-0x00007FF6A77E1000-memory.dmp

Filesize
3.3MB

Download
memory/1580-240-0x00007FF6A7490000-0x00007FF6A77E1000-memory.dmp

Filesize
3.3MB

Download
memory/1768-146-0x00007FF65D5A0000-0x00007FF65D8F1000-memory.dmp

Filesize
3.3MB

Download
memory/1768-246-0x00007FF65D5A0000-0x00007FF65D8F1000-memory.dmp

Filesize
3.3MB

Download
memory/1768-69-0x00007FF65D5A0000-0x00007FF65D8F1000-memory.dmp

Filesize
3.3MB

Download
memory/2288-113-0x00007FF76EEA0000-0x00007FF76F1F1000-memory.dmp

Filesize
3.3MB

Download
memory/2288-266-0x00007FF76EEA0000-0x00007FF76F1F1000-memory.dmp

Filesize
3.3MB

Download
memory/2516-119-0x00007FF79C060000-0x00007FF79C3B1000-memory.dmp

Filesize
3.3MB

Download
memory/2516-268-0x00007FF79C060000-0x00007FF79C3B1000-memory.dmp

Filesize
3.3MB

Download
memory/2516-164-0x00007FF79C060000-0x00007FF79C3B1000-memory.dmp

Filesize
3.3MB

Download
memory/2604-155-0x00007FF69B720000-0x00007FF69BA71000-memory.dmp

Filesize
3.3MB

Download
memory/2604-259-0x00007FF69B720000-0x00007FF69BA71000-memory.dmp

Filesize
3.3MB

Download
memory/2604-90-0x00007FF69B720000-0x00007FF69BA71000-memory.dmp

Filesize
3.3MB

Download
memory/3212-61-0x00007FF664E40000-0x00007FF665191000-memory.dmp

Filesize
3.3MB

Download
memory/3212-222-0x00007FF664E40000-0x00007FF665191000-memory.dmp

Filesize
3.3MB

Download
memory/3212-15-0x00007FF664E40000-0x00007FF665191000-memory.dmp

Filesize
3.3MB

Download
memory/3536-72-0x00007FF75DBB0000-0x00007FF75DF01000-memory.dmp

Filesize
3.3MB

Download
memory/3536-19-0x00007FF75DBB0000-0x00007FF75DF01000-memory.dmp

Filesize
3.3MB

Download
memory/3536-224-0x00007FF75DBB0000-0x00007FF75DF01000-memory.dmp

Filesize
3.3MB

Download
memory/3648-45-0x00007FF74F9F0000-0x00007FF74FD41000-memory.dmp

Filesize
3.3MB

Download
memory/3648-238-0x00007FF74F9F0000-0x00007FF74FD41000-memory.dmp

Filesize
3.3MB

Download
memory/3648-120-0x00007FF74F9F0000-0x00007FF74FD41000-memory.dmp

Filesize
3.3MB

Download
memory/3940-129-0x00007FF65AF10000-0x00007FF65B261000-memory.dmp

Filesize
3.3MB

Download
memory/3940-242-0x00007FF65AF10000-0x00007FF65B261000-memory.dmp

Filesize
3.3MB

Download
memory/3940-56-0x00007FF65AF10000-0x00007FF65B261000-memory.dmp

Filesize
3.3MB

Download
memory/3976-36-0x00007FF62DE90000-0x00007FF62E1E1000-memory.dmp

Filesize
3.3MB

Download
memory/3976-230-0x00007FF62DE90000-0x00007FF62E1E1000-memory.dmp

Filesize
3.3MB

Download
memory/3976-103-0x00007FF62DE90000-0x00007FF62E1E1000-memory.dmp

Filesize
3.3MB

Download
memory/4136-78-0x00007FF769AB0000-0x00007FF769E01000-memory.dmp

Filesize
3.3MB

Download
memory/4136-26-0x00007FF769AB0000-0x00007FF769E01000-memory.dmp

Filesize
3.3MB

Download
memory/4136-227-0x00007FF769AB0000-0x00007FF769E01000-memory.dmp

Filesize
3.3MB

Download
memory/4504-143-0x00007FF7270B0000-0x00007FF727401000-memory.dmp

Filesize
3.3MB

Download
memory/4504-276-0x00007FF7270B0000-0x00007FF727401000-memory.dmp

Filesize
3.3MB

Download
memory/4876-160-0x00007FF6A6EA0000-0x00007FF6A71F1000-memory.dmp

Filesize
3.3MB

Download
memory/4876-117-0x00007FF6A6EA0000-0x00007FF6A71F1000-memory.dmp

Filesize
3.3MB

Download
memory/4876-265-0x00007FF6A6EA0000-0x00007FF6A71F1000-memory.dmp

Filesize
3.3MB

Download