cobaltstrike | 690812c8848e079500575ec4acc036f7e31182cc5cfe82eb28eab1fc5f616d7f

Analysis

max time kernel
140s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13-09-2024 09:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-13_ed163bc56dcc77599c78594129115d33_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

ed163bc56dcc77599c78594129115d33
SHA1

6c7234c71f146b32add9fa74aa0751993c9fdd3c
SHA256

690812c8848e079500575ec4acc036f7e31182cc5cfe82eb28eab1fc5f616d7f
SHA512

a3ff89f39440c899433087395842765c69cb67c015a8286e8141cee4a8476dfd95237760cd5e02bf0b75290b9c76496c85a27b5039e0adc4256457c3a365a1b3
SSDEEP

49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lW:RWWBibd56utgpPFotBER/mQ32lUi

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x00080000000233b9-4.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233bd-11.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233c0-27.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233c1-37.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233bf-31.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233be-20.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233c5-54.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233c7-66.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233c6-69.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233c4-67.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233c3-49.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233c2-44.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233c8-80.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233c9-87.dat	cobalt_reflective_dll
behavioral2/files/0x000c0000000232fb-122.dat	cobalt_reflective_dll
behavioral2/files/0x000a0000000232fa-118.dat	cobalt_reflective_dll
behavioral2/files/0x000c0000000232fd-127.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233cb-132.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233cc-134.dat	cobalt_reflective_dll
behavioral2/files/0x000b0000000232f2-112.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233ca-101.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/4224-8-0x00007FF69F4A0000-0x00007FF69F7F1000-memory.dmp	xmrig
behavioral2/memory/1032-76-0x00007FF7B0820000-0x00007FF7B0B71000-memory.dmp	xmrig
behavioral2/memory/1884-72-0x00007FF7F4EB0000-0x00007FF7F5201000-memory.dmp	xmrig
behavioral2/memory/4476-71-0x00007FF6C5470000-0x00007FF6C57C1000-memory.dmp	xmrig
behavioral2/memory/1188-77-0x00007FF78E190000-0x00007FF78E4E1000-memory.dmp	xmrig
behavioral2/memory/1224-81-0x00007FF641C50000-0x00007FF641FA1000-memory.dmp	xmrig
behavioral2/memory/4608-91-0x00007FF7BF4F0000-0x00007FF7BF841000-memory.dmp	xmrig
behavioral2/memory/3636-90-0x00007FF67E0C0000-0x00007FF67E411000-memory.dmp	xmrig
behavioral2/memory/1388-92-0x00007FF760B10000-0x00007FF760E61000-memory.dmp	xmrig
behavioral2/memory/2780-135-0x00007FF793B40000-0x00007FF793E91000-memory.dmp	xmrig
behavioral2/memory/2368-130-0x00007FF715D30000-0x00007FF716081000-memory.dmp	xmrig
behavioral2/memory/2900-124-0x00007FF69C980000-0x00007FF69CCD1000-memory.dmp	xmrig
behavioral2/memory/3144-109-0x00007FF76A770000-0x00007FF76AAC1000-memory.dmp	xmrig
behavioral2/memory/3040-104-0x00007FF6F9450000-0x00007FF6F97A1000-memory.dmp	xmrig
behavioral2/memory/4840-103-0x00007FF6E97E0000-0x00007FF6E9B31000-memory.dmp	xmrig
behavioral2/memory/4476-139-0x00007FF6C5470000-0x00007FF6C57C1000-memory.dmp	xmrig
behavioral2/memory/1216-151-0x00007FF61BCD0000-0x00007FF61C021000-memory.dmp	xmrig
behavioral2/memory/900-154-0x00007FF7AD6E0000-0x00007FF7ADA31000-memory.dmp	xmrig
behavioral2/memory/4572-155-0x00007FF7D1160000-0x00007FF7D14B1000-memory.dmp	xmrig
behavioral2/memory/4828-158-0x00007FF7A2F80000-0x00007FF7A32D1000-memory.dmp	xmrig
behavioral2/memory/3704-164-0x00007FF6787F0000-0x00007FF678B41000-memory.dmp	xmrig
behavioral2/memory/856-165-0x00007FF77B8E0000-0x00007FF77BC31000-memory.dmp	xmrig
behavioral2/memory/1908-163-0x00007FF77D0B0000-0x00007FF77D401000-memory.dmp	xmrig
behavioral2/memory/4476-166-0x00007FF6C5470000-0x00007FF6C57C1000-memory.dmp	xmrig
behavioral2/memory/4224-215-0x00007FF69F4A0000-0x00007FF69F7F1000-memory.dmp	xmrig
behavioral2/memory/1032-227-0x00007FF7B0820000-0x00007FF7B0B71000-memory.dmp	xmrig
behavioral2/memory/1188-229-0x00007FF78E190000-0x00007FF78E4E1000-memory.dmp	xmrig
behavioral2/memory/1224-231-0x00007FF641C50000-0x00007FF641FA1000-memory.dmp	xmrig
behavioral2/memory/4840-233-0x00007FF6E97E0000-0x00007FF6E9B31000-memory.dmp	xmrig
behavioral2/memory/3040-236-0x00007FF6F9450000-0x00007FF6F97A1000-memory.dmp	xmrig
behavioral2/memory/3636-239-0x00007FF67E0C0000-0x00007FF67E411000-memory.dmp	xmrig
behavioral2/memory/1388-238-0x00007FF760B10000-0x00007FF760E61000-memory.dmp	xmrig
behavioral2/memory/1884-241-0x00007FF7F4EB0000-0x00007FF7F5201000-memory.dmp	xmrig
behavioral2/memory/2368-243-0x00007FF715D30000-0x00007FF716081000-memory.dmp	xmrig
behavioral2/memory/2900-245-0x00007FF69C980000-0x00007FF69CCD1000-memory.dmp	xmrig
behavioral2/memory/2780-247-0x00007FF793B40000-0x00007FF793E91000-memory.dmp	xmrig
behavioral2/memory/1216-253-0x00007FF61BCD0000-0x00007FF61C021000-memory.dmp	xmrig
behavioral2/memory/4608-252-0x00007FF7BF4F0000-0x00007FF7BF841000-memory.dmp	xmrig
behavioral2/memory/3144-261-0x00007FF76A770000-0x00007FF76AAC1000-memory.dmp	xmrig
behavioral2/memory/4828-263-0x00007FF7A2F80000-0x00007FF7A32D1000-memory.dmp	xmrig
behavioral2/memory/4572-267-0x00007FF7D1160000-0x00007FF7D14B1000-memory.dmp	xmrig
behavioral2/memory/900-266-0x00007FF7AD6E0000-0x00007FF7ADA31000-memory.dmp	xmrig
behavioral2/memory/856-270-0x00007FF77B8E0000-0x00007FF77BC31000-memory.dmp	xmrig
behavioral2/memory/1908-273-0x00007FF77D0B0000-0x00007FF77D401000-memory.dmp	xmrig
behavioral2/memory/3704-272-0x00007FF6787F0000-0x00007FF678B41000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4224	GBywMJJ.exe
1032	jzYguhU.exe
1188	ARZTStB.exe
1224	dPBNyGh.exe
1388	Mcepdri.exe
3636	HtisKBE.exe
4840	fczVCuM.exe
3040	xMObdaZ.exe
2900	zSENGog.exe
2368	cSJYzXd.exe
1884	rMHLjrG.exe
2780	WiryXWh.exe
1216	HAEuuSN.exe
4608	pXhNbcx.exe
3144	EQTbCvN.exe
4828	MDatgQN.exe
4572	nfghucY.exe
900	AjZEuof.exe
3704	HFBUiyz.exe
1908	makakTP.exe
856	ndrDfnw.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4476-0-0x00007FF6C5470000-0x00007FF6C57C1000-memory.dmp	upx
behavioral2/files/0x00080000000233b9-4.dat	upx
behavioral2/memory/4224-8-0x00007FF69F4A0000-0x00007FF69F7F1000-memory.dmp	upx
behavioral2/files/0x00070000000233bd-11.dat	upx
behavioral2/files/0x00070000000233c0-27.dat	upx
behavioral2/memory/1224-29-0x00007FF641C50000-0x00007FF641FA1000-memory.dmp	upx
behavioral2/files/0x00070000000233c1-37.dat	upx
behavioral2/memory/3636-32-0x00007FF67E0C0000-0x00007FF67E411000-memory.dmp	upx
behavioral2/files/0x00070000000233bf-31.dat	upx
behavioral2/memory/1188-25-0x00007FF78E190000-0x00007FF78E4E1000-memory.dmp	upx
behavioral2/files/0x00070000000233be-20.dat	upx
behavioral2/memory/1032-16-0x00007FF7B0820000-0x00007FF7B0B71000-memory.dmp	upx
behavioral2/memory/4840-43-0x00007FF6E97E0000-0x00007FF6E9B31000-memory.dmp	upx
behavioral2/memory/3040-48-0x00007FF6F9450000-0x00007FF6F97A1000-memory.dmp	upx
behavioral2/files/0x00070000000233c5-54.dat	upx
behavioral2/memory/2900-56-0x00007FF69C980000-0x00007FF69CCD1000-memory.dmp	upx
behavioral2/files/0x00070000000233c7-66.dat	upx
behavioral2/files/0x00070000000233c6-69.dat	upx
behavioral2/memory/1032-76-0x00007FF7B0820000-0x00007FF7B0B71000-memory.dmp	upx
behavioral2/memory/2780-75-0x00007FF793B40000-0x00007FF793E91000-memory.dmp	upx
behavioral2/memory/1884-72-0x00007FF7F4EB0000-0x00007FF7F5201000-memory.dmp	upx
behavioral2/memory/4476-71-0x00007FF6C5470000-0x00007FF6C57C1000-memory.dmp	upx
behavioral2/files/0x00070000000233c4-67.dat	upx
behavioral2/memory/2368-64-0x00007FF715D30000-0x00007FF716081000-memory.dmp	upx
behavioral2/files/0x00070000000233c3-49.dat	upx
behavioral2/files/0x00070000000233c2-44.dat	upx
behavioral2/memory/1388-38-0x00007FF760B10000-0x00007FF760E61000-memory.dmp	upx
behavioral2/memory/1188-77-0x00007FF78E190000-0x00007FF78E4E1000-memory.dmp	upx
behavioral2/files/0x00070000000233c8-80.dat	upx
behavioral2/memory/1216-82-0x00007FF61BCD0000-0x00007FF61C021000-memory.dmp	upx
behavioral2/memory/1224-81-0x00007FF641C50000-0x00007FF641FA1000-memory.dmp	upx
behavioral2/memory/4608-91-0x00007FF7BF4F0000-0x00007FF7BF841000-memory.dmp	upx
behavioral2/memory/3636-90-0x00007FF67E0C0000-0x00007FF67E411000-memory.dmp	upx
behavioral2/files/0x00070000000233c9-87.dat	upx
behavioral2/memory/1388-92-0x00007FF760B10000-0x00007FF760E61000-memory.dmp	upx
behavioral2/files/0x000c0000000232fb-122.dat	upx
behavioral2/files/0x000a0000000232fa-118.dat	upx
behavioral2/files/0x000c0000000232fd-127.dat	upx
behavioral2/files/0x00070000000233cb-132.dat	upx
behavioral2/files/0x00070000000233cc-134.dat	upx
behavioral2/memory/856-136-0x00007FF77B8E0000-0x00007FF77BC31000-memory.dmp	upx
behavioral2/memory/2780-135-0x00007FF793B40000-0x00007FF793E91000-memory.dmp	upx
behavioral2/memory/1908-131-0x00007FF77D0B0000-0x00007FF77D401000-memory.dmp	upx
behavioral2/memory/2368-130-0x00007FF715D30000-0x00007FF716081000-memory.dmp	upx
behavioral2/memory/3704-125-0x00007FF6787F0000-0x00007FF678B41000-memory.dmp	upx
behavioral2/memory/2900-124-0x00007FF69C980000-0x00007FF69CCD1000-memory.dmp	upx
behavioral2/memory/4572-116-0x00007FF7D1160000-0x00007FF7D14B1000-memory.dmp	upx
behavioral2/memory/4828-115-0x00007FF7A2F80000-0x00007FF7A32D1000-memory.dmp	upx
behavioral2/memory/900-110-0x00007FF7AD6E0000-0x00007FF7ADA31000-memory.dmp	upx
behavioral2/memory/3144-109-0x00007FF76A770000-0x00007FF76AAC1000-memory.dmp	upx
behavioral2/files/0x000b0000000232f2-112.dat	upx
behavioral2/memory/3040-104-0x00007FF6F9450000-0x00007FF6F97A1000-memory.dmp	upx
behavioral2/memory/4840-103-0x00007FF6E97E0000-0x00007FF6E9B31000-memory.dmp	upx
behavioral2/files/0x00070000000233ca-101.dat	upx
behavioral2/memory/4476-139-0x00007FF6C5470000-0x00007FF6C57C1000-memory.dmp	upx
behavioral2/memory/1216-151-0x00007FF61BCD0000-0x00007FF61C021000-memory.dmp	upx
behavioral2/memory/900-154-0x00007FF7AD6E0000-0x00007FF7ADA31000-memory.dmp	upx
behavioral2/memory/4572-155-0x00007FF7D1160000-0x00007FF7D14B1000-memory.dmp	upx
behavioral2/memory/4828-158-0x00007FF7A2F80000-0x00007FF7A32D1000-memory.dmp	upx
behavioral2/memory/3704-164-0x00007FF6787F0000-0x00007FF678B41000-memory.dmp	upx
behavioral2/memory/856-165-0x00007FF77B8E0000-0x00007FF77BC31000-memory.dmp	upx
behavioral2/memory/1908-163-0x00007FF77D0B0000-0x00007FF77D401000-memory.dmp	upx
behavioral2/memory/4476-166-0x00007FF6C5470000-0x00007FF6C57C1000-memory.dmp	upx
behavioral2/memory/4224-215-0x00007FF69F4A0000-0x00007FF69F7F1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\cSJYzXd.exe	2024-09-13_ed163bc56dcc77599c78594129115d33_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zSENGog.exe	2024-09-13_ed163bc56dcc77599c78594129115d33_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MDatgQN.exe	2024-09-13_ed163bc56dcc77599c78594129115d33_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nfghucY.exe	2024-09-13_ed163bc56dcc77599c78594129115d33_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HFBUiyz.exe	2024-09-13_ed163bc56dcc77599c78594129115d33_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GBywMJJ.exe	2024-09-13_ed163bc56dcc77599c78594129115d33_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dPBNyGh.exe	2024-09-13_ed163bc56dcc77599c78594129115d33_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\Mcepdri.exe	2024-09-13_ed163bc56dcc77599c78594129115d33_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xMObdaZ.exe	2024-09-13_ed163bc56dcc77599c78594129115d33_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ndrDfnw.exe	2024-09-13_ed163bc56dcc77599c78594129115d33_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HtisKBE.exe	2024-09-13_ed163bc56dcc77599c78594129115d33_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rMHLjrG.exe	2024-09-13_ed163bc56dcc77599c78594129115d33_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WiryXWh.exe	2024-09-13_ed163bc56dcc77599c78594129115d33_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HAEuuSN.exe	2024-09-13_ed163bc56dcc77599c78594129115d33_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EQTbCvN.exe	2024-09-13_ed163bc56dcc77599c78594129115d33_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AjZEuof.exe	2024-09-13_ed163bc56dcc77599c78594129115d33_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\makakTP.exe	2024-09-13_ed163bc56dcc77599c78594129115d33_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jzYguhU.exe	2024-09-13_ed163bc56dcc77599c78594129115d33_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ARZTStB.exe	2024-09-13_ed163bc56dcc77599c78594129115d33_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fczVCuM.exe	2024-09-13_ed163bc56dcc77599c78594129115d33_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pXhNbcx.exe	2024-09-13_ed163bc56dcc77599c78594129115d33_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4476	2024-09-13_ed163bc56dcc77599c78594129115d33_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4476	2024-09-13_ed163bc56dcc77599c78594129115d33_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4476 wrote to memory of 4224	4476	2024-09-13_ed163bc56dcc77599c78594129115d33_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4476 wrote to memory of 4224	4476	2024-09-13_ed163bc56dcc77599c78594129115d33_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4476 wrote to memory of 1032	4476	2024-09-13_ed163bc56dcc77599c78594129115d33_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4476 wrote to memory of 1032	4476	2024-09-13_ed163bc56dcc77599c78594129115d33_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4476 wrote to memory of 1188	4476	2024-09-13_ed163bc56dcc77599c78594129115d33_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4476 wrote to memory of 1188	4476	2024-09-13_ed163bc56dcc77599c78594129115d33_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4476 wrote to memory of 1224	4476	2024-09-13_ed163bc56dcc77599c78594129115d33_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4476 wrote to memory of 1224	4476	2024-09-13_ed163bc56dcc77599c78594129115d33_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4476 wrote to memory of 1388	4476	2024-09-13_ed163bc56dcc77599c78594129115d33_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4476 wrote to memory of 1388	4476	2024-09-13_ed163bc56dcc77599c78594129115d33_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4476 wrote to memory of 3636	4476	2024-09-13_ed163bc56dcc77599c78594129115d33_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4476 wrote to memory of 3636	4476	2024-09-13_ed163bc56dcc77599c78594129115d33_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4476 wrote to memory of 4840	4476	2024-09-13_ed163bc56dcc77599c78594129115d33_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4476 wrote to memory of 4840	4476	2024-09-13_ed163bc56dcc77599c78594129115d33_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4476 wrote to memory of 3040	4476	2024-09-13_ed163bc56dcc77599c78594129115d33_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4476 wrote to memory of 3040	4476	2024-09-13_ed163bc56dcc77599c78594129115d33_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4476 wrote to memory of 2368	4476	2024-09-13_ed163bc56dcc77599c78594129115d33_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4476 wrote to memory of 2368	4476	2024-09-13_ed163bc56dcc77599c78594129115d33_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4476 wrote to memory of 2900	4476	2024-09-13_ed163bc56dcc77599c78594129115d33_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4476 wrote to memory of 2900	4476	2024-09-13_ed163bc56dcc77599c78594129115d33_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4476 wrote to memory of 1884	4476	2024-09-13_ed163bc56dcc77599c78594129115d33_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4476 wrote to memory of 1884	4476	2024-09-13_ed163bc56dcc77599c78594129115d33_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4476 wrote to memory of 2780	4476	2024-09-13_ed163bc56dcc77599c78594129115d33_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4476 wrote to memory of 2780	4476	2024-09-13_ed163bc56dcc77599c78594129115d33_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4476 wrote to memory of 1216	4476	2024-09-13_ed163bc56dcc77599c78594129115d33_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4476 wrote to memory of 1216	4476	2024-09-13_ed163bc56dcc77599c78594129115d33_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4476 wrote to memory of 4608	4476	2024-09-13_ed163bc56dcc77599c78594129115d33_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4476 wrote to memory of 4608	4476	2024-09-13_ed163bc56dcc77599c78594129115d33_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4476 wrote to memory of 3144	4476	2024-09-13_ed163bc56dcc77599c78594129115d33_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4476 wrote to memory of 3144	4476	2024-09-13_ed163bc56dcc77599c78594129115d33_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4476 wrote to memory of 4828	4476	2024-09-13_ed163bc56dcc77599c78594129115d33_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4476 wrote to memory of 4828	4476	2024-09-13_ed163bc56dcc77599c78594129115d33_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4476 wrote to memory of 4572	4476	2024-09-13_ed163bc56dcc77599c78594129115d33_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4476 wrote to memory of 4572	4476	2024-09-13_ed163bc56dcc77599c78594129115d33_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4476 wrote to memory of 900	4476	2024-09-13_ed163bc56dcc77599c78594129115d33_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4476 wrote to memory of 900	4476	2024-09-13_ed163bc56dcc77599c78594129115d33_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4476 wrote to memory of 3704	4476	2024-09-13_ed163bc56dcc77599c78594129115d33_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4476 wrote to memory of 3704	4476	2024-09-13_ed163bc56dcc77599c78594129115d33_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4476 wrote to memory of 1908	4476	2024-09-13_ed163bc56dcc77599c78594129115d33_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 4476 wrote to memory of 1908	4476	2024-09-13_ed163bc56dcc77599c78594129115d33_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 4476 wrote to memory of 856	4476	2024-09-13_ed163bc56dcc77599c78594129115d33_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 4476 wrote to memory of 856	4476	2024-09-13_ed163bc56dcc77599c78594129115d33_cobalt-strike_cobaltstrike_poet-rat.exe	106

C:\Users\Admin\AppData\Local\Temp\2024-09-13_ed163bc56dcc77599c78594129115d33_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-13_ed163bc56dcc77599c78594129115d33_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4476
- C:\Windows\System\GBywMJJ.exe
  C:\Windows\System\GBywMJJ.exe
  2⤵
  - Executes dropped EXE
  PID:4224
- C:\Windows\System\jzYguhU.exe
  C:\Windows\System\jzYguhU.exe
  2⤵
  - Executes dropped EXE
  PID:1032
- C:\Windows\System\ARZTStB.exe
  C:\Windows\System\ARZTStB.exe
  2⤵
  - Executes dropped EXE
  PID:1188
- C:\Windows\System\dPBNyGh.exe
  C:\Windows\System\dPBNyGh.exe
  2⤵
  - Executes dropped EXE
  PID:1224
- C:\Windows\System\Mcepdri.exe
  C:\Windows\System\Mcepdri.exe
  2⤵
  - Executes dropped EXE
  PID:1388
- C:\Windows\System\HtisKBE.exe
  C:\Windows\System\HtisKBE.exe
  2⤵
  - Executes dropped EXE
  PID:3636
- C:\Windows\System\fczVCuM.exe
  C:\Windows\System\fczVCuM.exe
  2⤵
  - Executes dropped EXE
  PID:4840
- C:\Windows\System\xMObdaZ.exe
  C:\Windows\System\xMObdaZ.exe
  2⤵
  - Executes dropped EXE
  PID:3040
- C:\Windows\System\cSJYzXd.exe
  C:\Windows\System\cSJYzXd.exe
  2⤵
  - Executes dropped EXE
  PID:2368
- C:\Windows\System\zSENGog.exe
  C:\Windows\System\zSENGog.exe
  2⤵
  - Executes dropped EXE
  PID:2900
- C:\Windows\System\rMHLjrG.exe
  C:\Windows\System\rMHLjrG.exe
  2⤵
  - Executes dropped EXE
  PID:1884
- C:\Windows\System\WiryXWh.exe
  C:\Windows\System\WiryXWh.exe
  2⤵
  - Executes dropped EXE
  PID:2780
- C:\Windows\System\HAEuuSN.exe
  C:\Windows\System\HAEuuSN.exe
  2⤵
  - Executes dropped EXE
  PID:1216
- C:\Windows\System\pXhNbcx.exe
  C:\Windows\System\pXhNbcx.exe
  2⤵
  - Executes dropped EXE
  PID:4608
- C:\Windows\System\EQTbCvN.exe
  C:\Windows\System\EQTbCvN.exe
  2⤵
  - Executes dropped EXE
  PID:3144
- C:\Windows\System\MDatgQN.exe
  C:\Windows\System\MDatgQN.exe
  2⤵
  - Executes dropped EXE
  PID:4828
- C:\Windows\System\nfghucY.exe
  C:\Windows\System\nfghucY.exe
  2⤵
  - Executes dropped EXE
  PID:4572
- C:\Windows\System\AjZEuof.exe
  C:\Windows\System\AjZEuof.exe
  2⤵
  - Executes dropped EXE
  PID:900
- C:\Windows\System\HFBUiyz.exe
  C:\Windows\System\HFBUiyz.exe
  2⤵
  - Executes dropped EXE
  PID:3704
- C:\Windows\System\makakTP.exe
  C:\Windows\System\makakTP.exe
  2⤵
  - Executes dropped EXE
  PID:1908
- C:\Windows\System\ndrDfnw.exe
  C:\Windows\System\ndrDfnw.exe
  2⤵
  - Executes dropped EXE
  PID:856

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\ARZTStB.exe

Filesize
5.2MB

MD5
a08a4a5938d0d84656f4625ae0a59a34

SHA1
901c19927b6039e588a24b1f094e59f4bf1c3e90

SHA256
5ad199bb3fc326d125ab5d8bfec848ad4082ce07b51f3e848d2769b057686658

SHA512
b86a882582b1e0c679518325160b22a37832b3ea9d245e636c65fb8e6ee536986068562c9d2caad8ea307b9de4c3426fec953302fa7526622f2b085803af1f0e

Download Submit
C:\Windows\System\AjZEuof.exe

Filesize
5.2MB

MD5
3b038bde7ded089d14a4f65a9b3fae93

SHA1
45c8ef0adf9f1aa51b7d073e9e088e4b026e30b1

SHA256
aedfed3210011befa4e1f285a1107f06e60b64ad63b329f9286b1ad2910473f7

SHA512
58772f234fb4370d2ab0d2116ec49a21bafa75729dee45e7d22e6409e30d1e38e09cdcbbd46cf526fa3cc0f29fb6c598d8f4cc21b005be1c0780edb808163846

Download Submit
C:\Windows\System\EQTbCvN.exe

Filesize
5.2MB

MD5
3b92a0faf774c68804383f52f2df888d

SHA1
4e3cd845d67a4c1a5ca3a26c34b331b3fdc784b2

SHA256
d9746a16dbe6603f96141c9c294b222e320217460de131aace0e7cf5c73b80e5

SHA512
36ba0e356ebb99e06ee4a63b0ef7aec56e48dc8e42eeb7517984bf52589ee0fc0db90f2ebbadfee19962134f4a3ec84771855df6d32311727449ba96165797d2

Download Submit
C:\Windows\System\GBywMJJ.exe

Filesize
5.2MB

MD5
70f89868161cdff59592072f29166640

SHA1
c4789fa4a786875d2e4aa0a814e3c23666e0ac80

SHA256
58d70ff28ff7b4bd9803a049aff4b049eb6ed9baccc1f9d7f5414a21ce5ea935

SHA512
32fce844927967612198ad4df45410d99546222cc5e2d605bdf612f2dc8123ea97eaa2b1244617990b97512bcfd96a669b182b513bb087bed30eae6bb311d197

Download Submit
C:\Windows\System\HAEuuSN.exe

Filesize
5.2MB

MD5
c881297fc129d5f1ebb97325f1428e8e

SHA1
fbe1979ef83c8328ce845126b6bb8cb55c753b23

SHA256
08e4cd67f330cdd70f97c960e0e84de71261bc7f5c288dbfcb4353784c52cb77

SHA512
feb29b566cfe25ec1f81ce20b086e28a56fd818deb346d08cf619b7980fca32af7cf4e63bef7f7733c41f0c58e45581bc3ddc6d985b41d16eb440ae47a8f98bd

Download Submit
C:\Windows\System\HFBUiyz.exe

Filesize
5.2MB

MD5
17ab47370984de7225e73e14e12c72ab

SHA1
bc31a4e508c1e8af69f9b78a96402696756e0442

SHA256
d6fa7e2f0911645273163c98e4f0f6385478b50d97f507dbac68c7b2bd7c89b6

SHA512
18ff655b907db54dcb51b3d3c44f584a32d2b13056fccb23a4a7b5e9ac8b2084f7ab3890a951ef1810e319ae205e43cdbed16bb5c07f525cdde4ccb2c31d6516

Download Submit
C:\Windows\System\HtisKBE.exe

Filesize
5.2MB

MD5
85ab880710f68951a089d6e48bf2e81a

SHA1
2db0ea3a236488213ec5bb27eecc24ded9758b3b

SHA256
7b02ad440c71f57a2dc979fe93ac195ac144b8ced0526dd6f83bc23abc89ff4b

SHA512
8b2c2aea580f2ad243892a60de94b0bffbe0fc8f2d61ac7bccd7f55cd738ae05e197b69932bf63d9d6950e14b0a87812644ca504e98858f012deb912cf216adb

Download Submit
C:\Windows\System\MDatgQN.exe

Filesize
5.2MB

MD5
fe8f93727d10883515c9c4ac3e09eb9f

SHA1
0a35d554ec481815889f6ea196aa295e488b2f7b

SHA256
d531dc7144267098cf2a3a5a4d9f83f1f1bc2b5bb1991391c5aa978d9b9cc55e

SHA512
cf28dcf9f710e4c5570e1193a2cf34cf7d106ba32747cd12921f205b51c29238f314c9862a8eef6ea7f016291889c866fb74b3af7f31d08fabe1e555500fd0f1

Download Submit
C:\Windows\System\Mcepdri.exe

Filesize
5.2MB

MD5
d75f01a958b39776e48d94917dc87923

SHA1
821162a84da80025fe8b595125d33516dd455a9c

SHA256
2c025cb6aab92b3d720b3dddc814e0498f3c4fc32ae4b534758f32e014b60bdb

SHA512
fa95728c845ec1e3c7cdafcf32cab8c125828faed5fb963d785e3652ac070e22cf4c69f14e279c13cfc666cc4eae13383a4f6955d77a51828ac50f19a2b7b725

Download Submit
C:\Windows\System\WiryXWh.exe

Filesize
5.2MB

MD5
efd4cb7b938fb358b8fc2f75b70e8e89

SHA1
4ad61dba204389ad36e74984cc28d12193d5c383

SHA256
9ec75c10fc245de01004920a2c8a3487d49b702eeea5eb3a32203cdef900eb13

SHA512
12ae74f0a92cf8f5f817f7311feebf5f6e3ee548709b843a731aa706de7dfa44c5536291a29c6265face69c6161b3ef0218541b35ed9ce9409f8d9520b019f91

Download Submit
C:\Windows\System\cSJYzXd.exe

Filesize
5.2MB

MD5
5df4e2a66d64463199e6d5c20d74ff81

SHA1
fe2c37d52f7422c1978c795e249026fd4111fd11

SHA256
2a4aec96c6248a04f70e78ffcda8ebe28d31b63b444b4a9a993bbea156c80c5a

SHA512
01b1a87611f8dc4b95acc1911a5283bf2398f7ff5621ca8fc755f42e8b387868b8de606af141630e337ec91abddd71ae50d302a91bf8c5ec21ef0c173c672a3f

Download Submit
C:\Windows\System\dPBNyGh.exe

Filesize
5.2MB

MD5
560cd486fd856dc3be3eba7fcf0cc6e1

SHA1
f1571c9c524e5ae99c9082740861063dc4cff916

SHA256
0d905f9f9383faed9535779b91efcedf097b13ea221993e8f5dc9833e50c03d5

SHA512
1d91531ab92183f42396ab20b86d243de2d250668a227385a368041c2c189983b112c5bc4ac82a16d904d04b4faa8a77b73d4b4876a546cc84809cf6013f2df3

Download Submit
C:\Windows\System\fczVCuM.exe

Filesize
5.2MB

MD5
52f526e00985982c64249430b23d1cda

SHA1
89e5a434a986b6d5195f6955a95456e15e794227

SHA256
a024c9c1772a981a8d07990059dfdfc82621c5ee5af5025be7a768a18bc7abcb

SHA512
64a3db8cc3bfef36e67ae0e10480fbc22eea09d6a675d6c6acda666127ebb2d1023ac143734cda919b1288d94c9ffdccfe3fad6de2d862827add7dfec1fbd5ff

Download Submit
C:\Windows\System\jzYguhU.exe

Filesize
5.2MB

MD5
24781a03dc4262289f99cf14102451c5

SHA1
9551fa71b73a8cd897bed2ca87fc146e2c251892

SHA256
a333106088244475b76e9a5327fd5691dd086630df75aa47995046d4681550ce

SHA512
e6a1dca47321fd9ea063edb365fe055367987b91219bb8a079794c6f392e50db01d5bf39493ab256be2f4fb6efd2dfd56143826691ed7f05ee3c9c9b21303b4e

Download Submit
C:\Windows\System\makakTP.exe

Filesize
5.2MB

MD5
202ef065053a242d87f188943fd0ddb9

SHA1
298908b5ef80cfa5d668b5996cb6c36b7e608e6f

SHA256
15076f145a5d3a5e12c5876d28231d6398b62c68c88f74224add4d51434be06c

SHA512
f3baefc1234e3cbc5b359f5ebb95f080a59dc1fe026cc0d70e167e8ea3918aa0bac733e37265d2a4c687a0eb3f54330d9fdccb93511c007580c6f9ea9b99e776

Download Submit
C:\Windows\System\ndrDfnw.exe

Filesize
5.2MB

MD5
9f325b366eb1c50e2c9b2eea01189e2c

SHA1
8a48bf5f9b61bce8c3b23e1f96a183390f5ecd36

SHA256
03e70267ba6619f493c04fed646c01e55f86215e28b863ce36db8420a5df672c

SHA512
c37f464a4d1f0f50845cd1ed1ab695922f5d6f251782afa7f2dfdcc58c4c54a21341d968aab685db9ccfbac0258d3ae654c53757e0cec72b1d01f6b189e96668

Download Submit
C:\Windows\System\nfghucY.exe

Filesize
5.2MB

MD5
56c2928829507cfb0ab18c6b5a028f7c

SHA1
af4a259aea0db3805a6ff5c1d2decff8b7e7803f

SHA256
0c8fb546ddd8357b718f4dd351006925bc70c8597b6b7f49902d085061567a0a

SHA512
89e451e13a56cde61cea24585b2fd80fa7d77bcaa35faa03996b2b99e6ba6a145c7ca68422acd0ae7b1f0c482cb9262499a21f631df06cb5bec009fdbd5533d1

Download Submit
C:\Windows\System\pXhNbcx.exe

Filesize
5.2MB

MD5
a4d1eecc3932460efe99be3cd7ca15ba

SHA1
ddb1c3f560c1a4efd5bd779df354c7cbdb2e782d

SHA256
8cc636318e2644359dcd92c40523b8a390cd06eafdc3de4688d468653dcbec31

SHA512
2ee579778b2381da0d910020eb2e8bc27e0fbfd77e7114b81cff6d76e3bf95967d9d710012b76ae386b5c0dd5cc743a8a15fa15e0181c3b2c5c64affa02d7d8b

Download Submit
C:\Windows\System\rMHLjrG.exe

Filesize
5.2MB

MD5
812004b4276ae36803fa1a6f04525c71

SHA1
4cb7f1bf6fd6744201894f6632684cefad60a2df

SHA256
fef07028d501d70bc8207ac81cc3298fbb7378b5526575ad0fb065d60bcdc0d5

SHA512
598a7d6a12f0cde3e33605a65cbdc2b4fa1b9751ec3b8f339ff3d604694221bb910212ca9995c3a91690ec2759386dc3183ef36cc77a60705043dfbf0ce3e7a5

Download Submit
C:\Windows\System\xMObdaZ.exe

Filesize
5.2MB

MD5
e42b2b93fc4a86c4d92850224831399e

SHA1
b3ca42478188ae8e1843892243d04c6b44c4c91c

SHA256
a7719adef6ea544e65b7130c7628159ccbdcb6ba073a0cad171a88c5f54bd5d1

SHA512
675d7ea1312e88eef64e3a26c5c5a2e05fcf6a660b316bc68695444e94deb44548e1d307025d2b1952967f707bb619a04e9146013a19c55323eaa88d9ab95937

Download Submit
C:\Windows\System\zSENGog.exe

Filesize
5.2MB

MD5
8efb760fbe2bf2d6c0a76e6819f04b60

SHA1
b3000d9d5b1e6a2d5e85f59682126f1e7e73223b

SHA256
128f95759a40141372625a858239a82a7b5dff4b56fa1c0ef202801319feb247

SHA512
d98c56b5b548f171f381b5188efe4b24950028759c8fb80c9435f11076fae3a9bac598deb6862f7090425fe8d9115a0b66818ef709189d4e1d2cef1f68cf1e02

Download Submit
memory/856-165-0x00007FF77B8E0000-0x00007FF77BC31000-memory.dmp

Filesize
3.3MB

Download
memory/856-270-0x00007FF77B8E0000-0x00007FF77BC31000-memory.dmp

Filesize
3.3MB

Download
memory/856-136-0x00007FF77B8E0000-0x00007FF77BC31000-memory.dmp

Filesize
3.3MB

Download
memory/900-266-0x00007FF7AD6E0000-0x00007FF7ADA31000-memory.dmp

Filesize
3.3MB

Download
memory/900-154-0x00007FF7AD6E0000-0x00007FF7ADA31000-memory.dmp

Filesize
3.3MB

Download
memory/900-110-0x00007FF7AD6E0000-0x00007FF7ADA31000-memory.dmp

Filesize
3.3MB

Download
memory/1032-76-0x00007FF7B0820000-0x00007FF7B0B71000-memory.dmp

Filesize
3.3MB

Download
memory/1032-227-0x00007FF7B0820000-0x00007FF7B0B71000-memory.dmp

Filesize
3.3MB

Download
memory/1032-16-0x00007FF7B0820000-0x00007FF7B0B71000-memory.dmp

Filesize
3.3MB

Download
memory/1188-77-0x00007FF78E190000-0x00007FF78E4E1000-memory.dmp

Filesize
3.3MB

Download
memory/1188-25-0x00007FF78E190000-0x00007FF78E4E1000-memory.dmp

Filesize
3.3MB

Download
memory/1188-229-0x00007FF78E190000-0x00007FF78E4E1000-memory.dmp

Filesize
3.3MB

Download
memory/1216-253-0x00007FF61BCD0000-0x00007FF61C021000-memory.dmp

Filesize
3.3MB

Download
memory/1216-82-0x00007FF61BCD0000-0x00007FF61C021000-memory.dmp

Filesize
3.3MB

Download
memory/1216-151-0x00007FF61BCD0000-0x00007FF61C021000-memory.dmp

Filesize
3.3MB

Download
memory/1224-231-0x00007FF641C50000-0x00007FF641FA1000-memory.dmp

Filesize
3.3MB

Download
memory/1224-81-0x00007FF641C50000-0x00007FF641FA1000-memory.dmp

Filesize
3.3MB

Download
memory/1224-29-0x00007FF641C50000-0x00007FF641FA1000-memory.dmp

Filesize
3.3MB

Download
memory/1388-92-0x00007FF760B10000-0x00007FF760E61000-memory.dmp

Filesize
3.3MB

Download
memory/1388-38-0x00007FF760B10000-0x00007FF760E61000-memory.dmp

Filesize
3.3MB

Download
memory/1388-238-0x00007FF760B10000-0x00007FF760E61000-memory.dmp

Filesize
3.3MB

Download
memory/1884-72-0x00007FF7F4EB0000-0x00007FF7F5201000-memory.dmp

Filesize
3.3MB

Download
memory/1884-241-0x00007FF7F4EB0000-0x00007FF7F5201000-memory.dmp

Filesize
3.3MB

Download
memory/1908-163-0x00007FF77D0B0000-0x00007FF77D401000-memory.dmp

Filesize
3.3MB

Download
memory/1908-131-0x00007FF77D0B0000-0x00007FF77D401000-memory.dmp

Filesize
3.3MB

Download
memory/1908-273-0x00007FF77D0B0000-0x00007FF77D401000-memory.dmp

Filesize
3.3MB

Download
memory/2368-64-0x00007FF715D30000-0x00007FF716081000-memory.dmp

Filesize
3.3MB

Download
memory/2368-130-0x00007FF715D30000-0x00007FF716081000-memory.dmp

Filesize
3.3MB

Download
memory/2368-243-0x00007FF715D30000-0x00007FF716081000-memory.dmp

Filesize
3.3MB

Download
memory/2780-75-0x00007FF793B40000-0x00007FF793E91000-memory.dmp

Filesize
3.3MB

Download
memory/2780-135-0x00007FF793B40000-0x00007FF793E91000-memory.dmp

Filesize
3.3MB

Download
memory/2780-247-0x00007FF793B40000-0x00007FF793E91000-memory.dmp

Filesize
3.3MB

Download
memory/2900-124-0x00007FF69C980000-0x00007FF69CCD1000-memory.dmp

Filesize
3.3MB

Download
memory/2900-56-0x00007FF69C980000-0x00007FF69CCD1000-memory.dmp

Filesize
3.3MB

Download
memory/2900-245-0x00007FF69C980000-0x00007FF69CCD1000-memory.dmp

Filesize
3.3MB

Download
memory/3040-48-0x00007FF6F9450000-0x00007FF6F97A1000-memory.dmp

Filesize
3.3MB

Download
memory/3040-236-0x00007FF6F9450000-0x00007FF6F97A1000-memory.dmp

Filesize
3.3MB

Download
memory/3040-104-0x00007FF6F9450000-0x00007FF6F97A1000-memory.dmp

Filesize
3.3MB

Download
memory/3144-261-0x00007FF76A770000-0x00007FF76AAC1000-memory.dmp

Filesize
3.3MB

Download
memory/3144-109-0x00007FF76A770000-0x00007FF76AAC1000-memory.dmp

Filesize
3.3MB

Download
memory/3636-32-0x00007FF67E0C0000-0x00007FF67E411000-memory.dmp

Filesize
3.3MB

Download
memory/3636-90-0x00007FF67E0C0000-0x00007FF67E411000-memory.dmp

Filesize
3.3MB

Download
memory/3636-239-0x00007FF67E0C0000-0x00007FF67E411000-memory.dmp

Filesize
3.3MB

Download
memory/3704-164-0x00007FF6787F0000-0x00007FF678B41000-memory.dmp

Filesize
3.3MB

Download
memory/3704-125-0x00007FF6787F0000-0x00007FF678B41000-memory.dmp

Filesize
3.3MB

Download
memory/3704-272-0x00007FF6787F0000-0x00007FF678B41000-memory.dmp

Filesize
3.3MB

Download
memory/4224-8-0x00007FF69F4A0000-0x00007FF69F7F1000-memory.dmp

Filesize
3.3MB

Download
memory/4224-215-0x00007FF69F4A0000-0x00007FF69F7F1000-memory.dmp

Filesize
3.3MB

Download
memory/4476-71-0x00007FF6C5470000-0x00007FF6C57C1000-memory.dmp

Filesize
3.3MB

Download
memory/4476-0-0x00007FF6C5470000-0x00007FF6C57C1000-memory.dmp

Filesize
3.3MB

Download
memory/4476-166-0x00007FF6C5470000-0x00007FF6C57C1000-memory.dmp

Filesize
3.3MB

Download
memory/4476-1-0x000001CC70DD0000-0x000001CC70DE0000-memory.dmp

Filesize
64KB

Download
memory/4476-139-0x00007FF6C5470000-0x00007FF6C57C1000-memory.dmp

Filesize
3.3MB

Download
memory/4572-267-0x00007FF7D1160000-0x00007FF7D14B1000-memory.dmp

Filesize
3.3MB

Download
memory/4572-155-0x00007FF7D1160000-0x00007FF7D14B1000-memory.dmp

Filesize
3.3MB

Download
memory/4572-116-0x00007FF7D1160000-0x00007FF7D14B1000-memory.dmp

Filesize
3.3MB

Download
memory/4608-91-0x00007FF7BF4F0000-0x00007FF7BF841000-memory.dmp

Filesize
3.3MB

Download
memory/4608-252-0x00007FF7BF4F0000-0x00007FF7BF841000-memory.dmp

Filesize
3.3MB

Download
memory/4828-263-0x00007FF7A2F80000-0x00007FF7A32D1000-memory.dmp

Filesize
3.3MB

Download
memory/4828-115-0x00007FF7A2F80000-0x00007FF7A32D1000-memory.dmp

Filesize
3.3MB

Download
memory/4828-158-0x00007FF7A2F80000-0x00007FF7A32D1000-memory.dmp

Filesize
3.3MB

Download
memory/4840-233-0x00007FF6E97E0000-0x00007FF6E9B31000-memory.dmp

Filesize
3.3MB

Download
memory/4840-43-0x00007FF6E97E0000-0x00007FF6E9B31000-memory.dmp

Filesize
3.3MB

Download
memory/4840-103-0x00007FF6E97E0000-0x00007FF6E9B31000-memory.dmp

Filesize
3.3MB

Download