cobaltstrike | 96ea748e69195a60775f54341db948ce5d7c0f043013aa7f104e7fe986aa97bb

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14-09-2024 06:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-14_f02eb19f775a3ee6688b8495d8a20184_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

f02eb19f775a3ee6688b8495d8a20184
SHA1

af98811589dfb667b6b6382dfc47deed0af091c1
SHA256

96ea748e69195a60775f54341db948ce5d7c0f043013aa7f104e7fe986aa97bb
SHA512

656f302ec967d47af88345c9d5f61604991dc33eef7627bb9856aa0b0b67590bdee2d068b38505041243fd7fd3a99911ddb64721798443d3e9bd1c1b54259ba7
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6ld:RWWBibf56utgpPFotBER/mQ32lUB

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0008000000023402-5.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023407-9.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023406-16.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023408-20.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002340a-33.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002340b-52.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002340d-65.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023411-67.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002340f-72.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023412-88.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023413-91.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023414-100.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023417-111.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023416-118.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023415-117.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023403-98.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002340e-69.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023410-62.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002340c-53.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023409-44.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023418-128.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 47 IoCs

miner

resource	yara_rule
behavioral2/memory/796-97-0x00007FF77EE90000-0x00007FF77F1E1000-memory.dmp	xmrig
behavioral2/memory/2192-94-0x00007FF6827C0000-0x00007FF682B11000-memory.dmp	xmrig
behavioral2/memory/2336-93-0x00007FF6BF570000-0x00007FF6BF8C1000-memory.dmp	xmrig
behavioral2/memory/3152-90-0x00007FF600920000-0x00007FF600C71000-memory.dmp	xmrig
behavioral2/memory/2032-85-0x00007FF7A68F0000-0x00007FF7A6C41000-memory.dmp	xmrig
behavioral2/memory/3740-77-0x00007FF6089C0000-0x00007FF608D11000-memory.dmp	xmrig
behavioral2/memory/4536-61-0x00007FF71F670000-0x00007FF71F9C1000-memory.dmp	xmrig
behavioral2/memory/3988-56-0x00007FF72F1B0000-0x00007FF72F501000-memory.dmp	xmrig
behavioral2/memory/528-37-0x00007FF73EEB0000-0x00007FF73F201000-memory.dmp	xmrig
behavioral2/memory/3472-123-0x00007FF734F90000-0x00007FF7352E1000-memory.dmp	xmrig
behavioral2/memory/2472-126-0x00007FF6101E0000-0x00007FF610531000-memory.dmp	xmrig
behavioral2/memory/4240-130-0x00007FF772A40000-0x00007FF772D91000-memory.dmp	xmrig
behavioral2/memory/900-131-0x00007FF7712C0000-0x00007FF771611000-memory.dmp	xmrig
behavioral2/memory/5040-132-0x00007FF704AC0000-0x00007FF704E11000-memory.dmp	xmrig
behavioral2/memory/3988-133-0x00007FF72F1B0000-0x00007FF72F501000-memory.dmp	xmrig
behavioral2/memory/4536-134-0x00007FF71F670000-0x00007FF71F9C1000-memory.dmp	xmrig
behavioral2/memory/2016-135-0x00007FF77D1B0000-0x00007FF77D501000-memory.dmp	xmrig
behavioral2/memory/3472-136-0x00007FF734F90000-0x00007FF7352E1000-memory.dmp	xmrig
behavioral2/memory/3956-145-0x00007FF7BDCA0000-0x00007FF7BDFF1000-memory.dmp	xmrig
behavioral2/memory/2920-154-0x00007FF76E250000-0x00007FF76E5A1000-memory.dmp	xmrig
behavioral2/memory/5080-158-0x00007FF608220000-0x00007FF608571000-memory.dmp	xmrig
behavioral2/memory/4480-156-0x00007FF68F3A0000-0x00007FF68F6F1000-memory.dmp	xmrig
behavioral2/memory/2448-153-0x00007FF683C60000-0x00007FF683FB1000-memory.dmp	xmrig
behavioral2/memory/3572-157-0x00007FF739360000-0x00007FF7396B1000-memory.dmp	xmrig
behavioral2/memory/4172-155-0x00007FF6E4EC0000-0x00007FF6E5211000-memory.dmp	xmrig
behavioral2/memory/3472-159-0x00007FF734F90000-0x00007FF7352E1000-memory.dmp	xmrig
behavioral2/memory/2472-219-0x00007FF6101E0000-0x00007FF610531000-memory.dmp	xmrig
behavioral2/memory/4240-221-0x00007FF772A40000-0x00007FF772D91000-memory.dmp	xmrig
behavioral2/memory/528-223-0x00007FF73EEB0000-0x00007FF73F201000-memory.dmp	xmrig
behavioral2/memory/900-225-0x00007FF7712C0000-0x00007FF771611000-memory.dmp	xmrig
behavioral2/memory/5040-227-0x00007FF704AC0000-0x00007FF704E11000-memory.dmp	xmrig
behavioral2/memory/3988-229-0x00007FF72F1B0000-0x00007FF72F501000-memory.dmp	xmrig
behavioral2/memory/3152-231-0x00007FF600920000-0x00007FF600C71000-memory.dmp	xmrig
behavioral2/memory/2336-240-0x00007FF6BF570000-0x00007FF6BF8C1000-memory.dmp	xmrig
behavioral2/memory/4536-242-0x00007FF71F670000-0x00007FF71F9C1000-memory.dmp	xmrig
behavioral2/memory/2032-248-0x00007FF7A68F0000-0x00007FF7A6C41000-memory.dmp	xmrig
behavioral2/memory/2016-247-0x00007FF77D1B0000-0x00007FF77D501000-memory.dmp	xmrig
behavioral2/memory/2192-251-0x00007FF6827C0000-0x00007FF682B11000-memory.dmp	xmrig
behavioral2/memory/3956-252-0x00007FF7BDCA0000-0x00007FF7BDFF1000-memory.dmp	xmrig
behavioral2/memory/3740-244-0x00007FF6089C0000-0x00007FF608D11000-memory.dmp	xmrig
behavioral2/memory/4480-259-0x00007FF68F3A0000-0x00007FF68F6F1000-memory.dmp	xmrig
behavioral2/memory/3572-256-0x00007FF739360000-0x00007FF7396B1000-memory.dmp	xmrig
behavioral2/memory/2920-264-0x00007FF76E250000-0x00007FF76E5A1000-memory.dmp	xmrig
behavioral2/memory/796-262-0x00007FF77EE90000-0x00007FF77F1E1000-memory.dmp	xmrig
behavioral2/memory/2448-261-0x00007FF683C60000-0x00007FF683FB1000-memory.dmp	xmrig
behavioral2/memory/4172-255-0x00007FF6E4EC0000-0x00007FF6E5211000-memory.dmp	xmrig
behavioral2/memory/5080-266-0x00007FF608220000-0x00007FF608571000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2472	YScVjMV.exe
4240	qhNUSYN.exe
900	DpInBuz.exe
5040	KoDpsZC.exe
3988	XYCtMAI.exe
528	sikYrbW.exe
3152	ZFJnKjS.exe
4536	nlGRfzs.exe
2016	uhpHtyi.exe
3740	gZoKjGD.exe
2336	gEHxazl.exe
2032	gqUMRNA.exe
2192	jGtYfPm.exe
3956	mcXEnSU.exe
796	AbWWpzq.exe
2448	ZyiDzjX.exe
2920	olDvtaB.exe
4172	UiPwjcK.exe
4480	EaBRzdF.exe
3572	juLaRsw.exe
5080	nZYQRps.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3472-0-0x00007FF734F90000-0x00007FF7352E1000-memory.dmp	upx
behavioral2/files/0x0008000000023402-5.dat	upx
behavioral2/files/0x0007000000023407-9.dat	upx
behavioral2/memory/4240-14-0x00007FF772A40000-0x00007FF772D91000-memory.dmp	upx
behavioral2/files/0x0007000000023406-16.dat	upx
behavioral2/files/0x0007000000023408-20.dat	upx
behavioral2/files/0x000700000002340a-33.dat	upx
behavioral2/files/0x000700000002340b-52.dat	upx
behavioral2/files/0x000700000002340d-65.dat	upx
behavioral2/files/0x0007000000023411-67.dat	upx
behavioral2/files/0x000700000002340f-72.dat	upx
behavioral2/files/0x0007000000023412-88.dat	upx
behavioral2/files/0x0007000000023413-91.dat	upx
behavioral2/memory/796-97-0x00007FF77EE90000-0x00007FF77F1E1000-memory.dmp	upx
behavioral2/files/0x0007000000023414-100.dat	upx
behavioral2/files/0x0007000000023417-111.dat	upx
behavioral2/files/0x0007000000023416-118.dat	upx
behavioral2/files/0x0007000000023415-117.dat	upx
behavioral2/memory/3572-116-0x00007FF739360000-0x00007FF7396B1000-memory.dmp	upx
behavioral2/memory/4172-115-0x00007FF6E4EC0000-0x00007FF6E5211000-memory.dmp	upx
behavioral2/memory/4480-114-0x00007FF68F3A0000-0x00007FF68F6F1000-memory.dmp	upx
behavioral2/memory/2920-110-0x00007FF76E250000-0x00007FF76E5A1000-memory.dmp	upx
behavioral2/memory/2448-105-0x00007FF683C60000-0x00007FF683FB1000-memory.dmp	upx
behavioral2/memory/2192-94-0x00007FF6827C0000-0x00007FF682B11000-memory.dmp	upx
behavioral2/files/0x0008000000023403-98.dat	upx
behavioral2/memory/2336-93-0x00007FF6BF570000-0x00007FF6BF8C1000-memory.dmp	upx
behavioral2/memory/3152-90-0x00007FF600920000-0x00007FF600C71000-memory.dmp	upx
behavioral2/memory/3956-86-0x00007FF7BDCA0000-0x00007FF7BDFF1000-memory.dmp	upx
behavioral2/memory/2032-85-0x00007FF7A68F0000-0x00007FF7A6C41000-memory.dmp	upx
behavioral2/memory/3740-77-0x00007FF6089C0000-0x00007FF608D11000-memory.dmp	upx
behavioral2/memory/2016-76-0x00007FF77D1B0000-0x00007FF77D501000-memory.dmp	upx
behavioral2/files/0x000700000002340e-69.dat	upx
behavioral2/files/0x0007000000023410-62.dat	upx
behavioral2/memory/4536-61-0x00007FF71F670000-0x00007FF71F9C1000-memory.dmp	upx
behavioral2/memory/3988-56-0x00007FF72F1B0000-0x00007FF72F501000-memory.dmp	upx
behavioral2/files/0x000700000002340c-53.dat	upx
behavioral2/files/0x0007000000023409-44.dat	upx
behavioral2/memory/528-37-0x00007FF73EEB0000-0x00007FF73F201000-memory.dmp	upx
behavioral2/memory/900-24-0x00007FF7712C0000-0x00007FF771611000-memory.dmp	upx
behavioral2/memory/5040-27-0x00007FF704AC0000-0x00007FF704E11000-memory.dmp	upx
behavioral2/memory/2472-6-0x00007FF6101E0000-0x00007FF610531000-memory.dmp	upx
behavioral2/memory/3472-123-0x00007FF734F90000-0x00007FF7352E1000-memory.dmp	upx
behavioral2/memory/2472-126-0x00007FF6101E0000-0x00007FF610531000-memory.dmp	upx
behavioral2/files/0x0007000000023418-128.dat	upx
behavioral2/memory/5080-127-0x00007FF608220000-0x00007FF608571000-memory.dmp	upx
behavioral2/memory/4240-130-0x00007FF772A40000-0x00007FF772D91000-memory.dmp	upx
behavioral2/memory/900-131-0x00007FF7712C0000-0x00007FF771611000-memory.dmp	upx
behavioral2/memory/5040-132-0x00007FF704AC0000-0x00007FF704E11000-memory.dmp	upx
behavioral2/memory/3988-133-0x00007FF72F1B0000-0x00007FF72F501000-memory.dmp	upx
behavioral2/memory/4536-134-0x00007FF71F670000-0x00007FF71F9C1000-memory.dmp	upx
behavioral2/memory/2016-135-0x00007FF77D1B0000-0x00007FF77D501000-memory.dmp	upx
behavioral2/memory/3472-136-0x00007FF734F90000-0x00007FF7352E1000-memory.dmp	upx
behavioral2/memory/3956-145-0x00007FF7BDCA0000-0x00007FF7BDFF1000-memory.dmp	upx
behavioral2/memory/2920-154-0x00007FF76E250000-0x00007FF76E5A1000-memory.dmp	upx
behavioral2/memory/5080-158-0x00007FF608220000-0x00007FF608571000-memory.dmp	upx
behavioral2/memory/4480-156-0x00007FF68F3A0000-0x00007FF68F6F1000-memory.dmp	upx
behavioral2/memory/2448-153-0x00007FF683C60000-0x00007FF683FB1000-memory.dmp	upx
behavioral2/memory/3572-157-0x00007FF739360000-0x00007FF7396B1000-memory.dmp	upx
behavioral2/memory/4172-155-0x00007FF6E4EC0000-0x00007FF6E5211000-memory.dmp	upx
behavioral2/memory/3472-159-0x00007FF734F90000-0x00007FF7352E1000-memory.dmp	upx
behavioral2/memory/2472-219-0x00007FF6101E0000-0x00007FF610531000-memory.dmp	upx
behavioral2/memory/4240-221-0x00007FF772A40000-0x00007FF772D91000-memory.dmp	upx
behavioral2/memory/528-223-0x00007FF73EEB0000-0x00007FF73F201000-memory.dmp	upx
behavioral2/memory/900-225-0x00007FF7712C0000-0x00007FF771611000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\EaBRzdF.exe	2024-09-14_f02eb19f775a3ee6688b8495d8a20184_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UiPwjcK.exe	2024-09-14_f02eb19f775a3ee6688b8495d8a20184_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KoDpsZC.exe	2024-09-14_f02eb19f775a3ee6688b8495d8a20184_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XYCtMAI.exe	2024-09-14_f02eb19f775a3ee6688b8495d8a20184_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gqUMRNA.exe	2024-09-14_f02eb19f775a3ee6688b8495d8a20184_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\olDvtaB.exe	2024-09-14_f02eb19f775a3ee6688b8495d8a20184_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jGtYfPm.exe	2024-09-14_f02eb19f775a3ee6688b8495d8a20184_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mcXEnSU.exe	2024-09-14_f02eb19f775a3ee6688b8495d8a20184_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nZYQRps.exe	2024-09-14_f02eb19f775a3ee6688b8495d8a20184_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qhNUSYN.exe	2024-09-14_f02eb19f775a3ee6688b8495d8a20184_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DpInBuz.exe	2024-09-14_f02eb19f775a3ee6688b8495d8a20184_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sikYrbW.exe	2024-09-14_f02eb19f775a3ee6688b8495d8a20184_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gEHxazl.exe	2024-09-14_f02eb19f775a3ee6688b8495d8a20184_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gZoKjGD.exe	2024-09-14_f02eb19f775a3ee6688b8495d8a20184_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AbWWpzq.exe	2024-09-14_f02eb19f775a3ee6688b8495d8a20184_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZyiDzjX.exe	2024-09-14_f02eb19f775a3ee6688b8495d8a20184_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\juLaRsw.exe	2024-09-14_f02eb19f775a3ee6688b8495d8a20184_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YScVjMV.exe	2024-09-14_f02eb19f775a3ee6688b8495d8a20184_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nlGRfzs.exe	2024-09-14_f02eb19f775a3ee6688b8495d8a20184_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZFJnKjS.exe	2024-09-14_f02eb19f775a3ee6688b8495d8a20184_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uhpHtyi.exe	2024-09-14_f02eb19f775a3ee6688b8495d8a20184_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3472	2024-09-14_f02eb19f775a3ee6688b8495d8a20184_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	3472	2024-09-14_f02eb19f775a3ee6688b8495d8a20184_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3472 wrote to memory of 2472	3472	2024-09-14_f02eb19f775a3ee6688b8495d8a20184_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3472 wrote to memory of 2472	3472	2024-09-14_f02eb19f775a3ee6688b8495d8a20184_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3472 wrote to memory of 4240	3472	2024-09-14_f02eb19f775a3ee6688b8495d8a20184_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3472 wrote to memory of 4240	3472	2024-09-14_f02eb19f775a3ee6688b8495d8a20184_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3472 wrote to memory of 900	3472	2024-09-14_f02eb19f775a3ee6688b8495d8a20184_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3472 wrote to memory of 900	3472	2024-09-14_f02eb19f775a3ee6688b8495d8a20184_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3472 wrote to memory of 5040	3472	2024-09-14_f02eb19f775a3ee6688b8495d8a20184_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3472 wrote to memory of 5040	3472	2024-09-14_f02eb19f775a3ee6688b8495d8a20184_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3472 wrote to memory of 3988	3472	2024-09-14_f02eb19f775a3ee6688b8495d8a20184_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3472 wrote to memory of 3988	3472	2024-09-14_f02eb19f775a3ee6688b8495d8a20184_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3472 wrote to memory of 528	3472	2024-09-14_f02eb19f775a3ee6688b8495d8a20184_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3472 wrote to memory of 528	3472	2024-09-14_f02eb19f775a3ee6688b8495d8a20184_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3472 wrote to memory of 4536	3472	2024-09-14_f02eb19f775a3ee6688b8495d8a20184_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3472 wrote to memory of 4536	3472	2024-09-14_f02eb19f775a3ee6688b8495d8a20184_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3472 wrote to memory of 3152	3472	2024-09-14_f02eb19f775a3ee6688b8495d8a20184_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3472 wrote to memory of 3152	3472	2024-09-14_f02eb19f775a3ee6688b8495d8a20184_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3472 wrote to memory of 2016	3472	2024-09-14_f02eb19f775a3ee6688b8495d8a20184_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3472 wrote to memory of 2016	3472	2024-09-14_f02eb19f775a3ee6688b8495d8a20184_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3472 wrote to memory of 3740	3472	2024-09-14_f02eb19f775a3ee6688b8495d8a20184_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3472 wrote to memory of 3740	3472	2024-09-14_f02eb19f775a3ee6688b8495d8a20184_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3472 wrote to memory of 2336	3472	2024-09-14_f02eb19f775a3ee6688b8495d8a20184_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3472 wrote to memory of 2336	3472	2024-09-14_f02eb19f775a3ee6688b8495d8a20184_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3472 wrote to memory of 2032	3472	2024-09-14_f02eb19f775a3ee6688b8495d8a20184_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3472 wrote to memory of 2032	3472	2024-09-14_f02eb19f775a3ee6688b8495d8a20184_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3472 wrote to memory of 2192	3472	2024-09-14_f02eb19f775a3ee6688b8495d8a20184_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3472 wrote to memory of 2192	3472	2024-09-14_f02eb19f775a3ee6688b8495d8a20184_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3472 wrote to memory of 3956	3472	2024-09-14_f02eb19f775a3ee6688b8495d8a20184_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3472 wrote to memory of 3956	3472	2024-09-14_f02eb19f775a3ee6688b8495d8a20184_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3472 wrote to memory of 796	3472	2024-09-14_f02eb19f775a3ee6688b8495d8a20184_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3472 wrote to memory of 796	3472	2024-09-14_f02eb19f775a3ee6688b8495d8a20184_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3472 wrote to memory of 2448	3472	2024-09-14_f02eb19f775a3ee6688b8495d8a20184_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3472 wrote to memory of 2448	3472	2024-09-14_f02eb19f775a3ee6688b8495d8a20184_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3472 wrote to memory of 2920	3472	2024-09-14_f02eb19f775a3ee6688b8495d8a20184_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3472 wrote to memory of 2920	3472	2024-09-14_f02eb19f775a3ee6688b8495d8a20184_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3472 wrote to memory of 4172	3472	2024-09-14_f02eb19f775a3ee6688b8495d8a20184_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3472 wrote to memory of 4172	3472	2024-09-14_f02eb19f775a3ee6688b8495d8a20184_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3472 wrote to memory of 4480	3472	2024-09-14_f02eb19f775a3ee6688b8495d8a20184_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3472 wrote to memory of 4480	3472	2024-09-14_f02eb19f775a3ee6688b8495d8a20184_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3472 wrote to memory of 3572	3472	2024-09-14_f02eb19f775a3ee6688b8495d8a20184_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 3472 wrote to memory of 3572	3472	2024-09-14_f02eb19f775a3ee6688b8495d8a20184_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 3472 wrote to memory of 5080	3472	2024-09-14_f02eb19f775a3ee6688b8495d8a20184_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 3472 wrote to memory of 5080	3472	2024-09-14_f02eb19f775a3ee6688b8495d8a20184_cobalt-strike_cobaltstrike_poet-rat.exe	105

C:\Users\Admin\AppData\Local\Temp\2024-09-14_f02eb19f775a3ee6688b8495d8a20184_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-14_f02eb19f775a3ee6688b8495d8a20184_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3472
- C:\Windows\System\YScVjMV.exe
  C:\Windows\System\YScVjMV.exe
  2⤵
  - Executes dropped EXE
  PID:2472
- C:\Windows\System\qhNUSYN.exe
  C:\Windows\System\qhNUSYN.exe
  2⤵
  - Executes dropped EXE
  PID:4240
- C:\Windows\System\DpInBuz.exe
  C:\Windows\System\DpInBuz.exe
  2⤵
  - Executes dropped EXE
  PID:900
- C:\Windows\System\KoDpsZC.exe
  C:\Windows\System\KoDpsZC.exe
  2⤵
  - Executes dropped EXE
  PID:5040
- C:\Windows\System\XYCtMAI.exe
  C:\Windows\System\XYCtMAI.exe
  2⤵
  - Executes dropped EXE
  PID:3988
- C:\Windows\System\sikYrbW.exe
  C:\Windows\System\sikYrbW.exe
  2⤵
  - Executes dropped EXE
  PID:528
- C:\Windows\System\nlGRfzs.exe
  C:\Windows\System\nlGRfzs.exe
  2⤵
  - Executes dropped EXE
  PID:4536
- C:\Windows\System\ZFJnKjS.exe
  C:\Windows\System\ZFJnKjS.exe
  2⤵
  - Executes dropped EXE
  PID:3152
- C:\Windows\System\uhpHtyi.exe
  C:\Windows\System\uhpHtyi.exe
  2⤵
  - Executes dropped EXE
  PID:2016
- C:\Windows\System\gZoKjGD.exe
  C:\Windows\System\gZoKjGD.exe
  2⤵
  - Executes dropped EXE
  PID:3740
- C:\Windows\System\gEHxazl.exe
  C:\Windows\System\gEHxazl.exe
  2⤵
  - Executes dropped EXE
  PID:2336
- C:\Windows\System\gqUMRNA.exe
  C:\Windows\System\gqUMRNA.exe
  2⤵
  - Executes dropped EXE
  PID:2032
- C:\Windows\System\jGtYfPm.exe
  C:\Windows\System\jGtYfPm.exe
  2⤵
  - Executes dropped EXE
  PID:2192
- C:\Windows\System\mcXEnSU.exe
  C:\Windows\System\mcXEnSU.exe
  2⤵
  - Executes dropped EXE
  PID:3956
- C:\Windows\System\AbWWpzq.exe
  C:\Windows\System\AbWWpzq.exe
  2⤵
  - Executes dropped EXE
  PID:796
- C:\Windows\System\ZyiDzjX.exe
  C:\Windows\System\ZyiDzjX.exe
  2⤵
  - Executes dropped EXE
  PID:2448
- C:\Windows\System\olDvtaB.exe
  C:\Windows\System\olDvtaB.exe
  2⤵
  - Executes dropped EXE
  PID:2920
- C:\Windows\System\UiPwjcK.exe
  C:\Windows\System\UiPwjcK.exe
  2⤵
  - Executes dropped EXE
  PID:4172
- C:\Windows\System\EaBRzdF.exe
  C:\Windows\System\EaBRzdF.exe
  2⤵
  - Executes dropped EXE
  PID:4480
- C:\Windows\System\juLaRsw.exe
  C:\Windows\System\juLaRsw.exe
  2⤵
  - Executes dropped EXE
  PID:3572
- C:\Windows\System\nZYQRps.exe
  C:\Windows\System\nZYQRps.exe
  2⤵
  - Executes dropped EXE
  PID:5080

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AbWWpzq.exe

Filesize
5.2MB

MD5
b25d2b4515f4fab6ad22c8a9ff039def

SHA1
dfb50089f0c2bb502b1c264e914b77ec6ec64a0f

SHA256
d93bb70b0d22dbb602dcc3d29cee5f7bc1b6d79138a8555d0762c343564fe1d8

SHA512
70625440ddd99b8c629370eda4e045072db048654db46aa48200e09312d1c1c897087c1b125c9ac184fa8eb67f8565b37b7098eb1a5a91edfcd5075a785323ae

Download Submit
C:\Windows\System\DpInBuz.exe

Filesize
5.2MB

MD5
bb59134b9039288098c18fd7fe73aa58

SHA1
86c948a5bab15ab24be788d5f2c55a7c5751c760

SHA256
9261f68277646f0b3f86d182b11a12bfaf98d4258405a5b3f75afd1dc6f13db5

SHA512
2bcf548e30aa74ec7515dca0d662ae0043012348e0a59173fcec8afd5d45f9ae5dc493941082bf5347b934418a31e5d32ef65a84c7b20e346b34b0ed29be083b

Download Submit
C:\Windows\System\EaBRzdF.exe

Filesize
5.2MB

MD5
e8adb7414b38ec1eb18f50cdc949b62e

SHA1
ff9808dcf13c8c5aca94015f1816fd986d7af867

SHA256
261289675c81512033822f9962726822df8a4fff7618c590386359be3ab28c92

SHA512
3a87db1fb3ac99b268a5497088d13d83f81cfb57d589becb5d6ac9063118e80bfbeb73c882917ed73badf1cd509c4a1629e1bfaae04036cc2e584e3c0ee94990

Download Submit
C:\Windows\System\KoDpsZC.exe

Filesize
5.2MB

MD5
5421dbae2a63d9955b08dc1057fb65ff

SHA1
fbae27763eac28aba0d7038c41e9668fbae978c1

SHA256
df24feb5307d35742042dee2fde999b7b53ce4eb9f0ae6d0fd9f3bc2bbf86831

SHA512
505566c5602c0a5cf09b4b6dd86c3a1810e541615766b78758f45823ef003aa950168ec2a9ca6a4b7bdbb8ad0719e49c253afcfa929791979e39e21673836ff0

Download Submit
C:\Windows\System\UiPwjcK.exe

Filesize
5.2MB

MD5
93a6e95f6597699deb97922fbcf1dc06

SHA1
8fa008c298c53124ede3f37cac96ff74f98afd9e

SHA256
02834f147ce730a801cd11ee48cf9761c8fd10d32de9ff244860e07a17efd010

SHA512
6d3023d22d1adafe659f4596a58ba8ed6bb5dd88cf6f5159d34d6cafab9ce718f1e4814e1714dbe34c5594cc8a221b078ff9dc3c42d3828518f8c9e8be766a99

Download Submit
C:\Windows\System\XYCtMAI.exe

Filesize
5.2MB

MD5
bdd53ce2960ac704f2c1880694a10c9f

SHA1
0cea484863198d118ac62e3677fc92922ee20fdc

SHA256
b3a2b374610658cc6fa21c94dcffcba3c417fd50bf1f11fda07d27b77e5a839f

SHA512
fe578500771a8ca1d79d8bd379c4f061025c91b7270b20616c025d9525df96fe45fa817e5a81ea9be0cfd929a2aa42c29479cab91283549e7959e06cd1cc3299

Download Submit
C:\Windows\System\YScVjMV.exe

Filesize
5.2MB

MD5
0fbb3ec725aaea72b5d7cc95578b68ba

SHA1
45ee2cd3e01e2e5a2e8ad81b39f1e9a705c9c58c

SHA256
783a6db1987539243706c214131347efe5f82ffc8e3b4ee67a357b1cbcce6b61

SHA512
ffeeb4cd044ef4902675fad9eda8ed82e77496a8277037a616168d11fa867b9a7263612b8781ebecc7f0adb50e4702c9fdf1f52ad952561965e42399feafb413

Download Submit
C:\Windows\System\ZFJnKjS.exe

Filesize
5.2MB

MD5
4910151fac4162d425fd80e4e3d4ce5a

SHA1
3e785959478ad95dc3f993892706cf4d8284420e

SHA256
eb2d9f81abb9057c34ca6b8ca8aa5b2a591adc9de833c01982ec9c164bee2f0b

SHA512
558949695971c9e73d7e512cf3d15cbb1b59580fb8d58a2a93390170c7e4f8a20302c9ef740e6008f4a6df20d911a9fe4bd577daca52deff1317acad50702529

Download Submit
C:\Windows\System\ZyiDzjX.exe

Filesize
5.2MB

MD5
edde4e3c051945c9ced59cd17bbfb103

SHA1
946f6cbb564c94b89eaa0b9cd3b189ef6e2ea1d5

SHA256
255e96a9b64a353c5c153c9218ac27225e9ef87c0ceb2caca720623c17513ded

SHA512
a97e12aa6ef19b86a30975e1c484bdd3595ec50dfb5d71c1aed8cfc9b9702e59120f25805087ee303992ccc8e7f302f05e0f3f4c4428fd1825191bf2a4113abe

Download Submit
C:\Windows\System\gEHxazl.exe

Filesize
5.2MB

MD5
e283574ca34e22159f4f21a298f23c39

SHA1
01adf833769dd43b36414d80f43b7bfbde6887a8

SHA256
235dcc8db268911f056450524bc52a64c8afd69d34e14a9aa7900b1459c21ed2

SHA512
12b0d52910fd227f10ef5bd71779c2df06e5b2c5e730606b432c34e4fd663b7f740a2e5f5ed8ea735cdca3b1188a090ca92ef4b8bef5a683d36bab870388f000

Download Submit
C:\Windows\System\gZoKjGD.exe

Filesize
5.2MB

MD5
354164bb12b5245a7255c719b06b2bd0

SHA1
d500df53a0a37d702ddd77388d57bd960fa3e711

SHA256
bf6f2e95983ba38144f2eee2958e7b348cc776f74bf2a918191d05eca7cb4068

SHA512
da411477e6465bca1541ab72a18ee26412d5f1129ce3400f938a633dcb667a514b8ec8401074838ae3dd9d0899943fe496c660611044f6945a60be2b5170937f

Download Submit
C:\Windows\System\gqUMRNA.exe

Filesize
5.2MB

MD5
dcbd8e1860a060e9f55444056d1778f2

SHA1
d668945da11ebc079a6d06ab671ddd2bdd6f8a04

SHA256
d655673e0d1fa173cd480a2de1a90722088d98727b5a80c55d122bfb10b1797e

SHA512
3201c856ac8b22512b554aee860ad9eb422cf0c2897b84ede40561d4b95064cd0acef32d61f00446115f95671c0a6892d476c7cce03201b2aff02ac45879e131

Download Submit
C:\Windows\System\jGtYfPm.exe

Filesize
5.2MB

MD5
f0b48b10e3938421aaaa39f21ecb9a36

SHA1
422733c5a99d4abbc10ffb32587ccf6e4930213e

SHA256
063aebc4882716ff7a45f498302949a22c2a2413d621ce5e0d0ed06230ae9063

SHA512
6b205f75781d16fe7e2635bddcec8abaff884c4d0e98a87345d73c10d9e22b0e7cdaad38b5ad556e51ab797019e87f02b7bacdf2c44cd723490d0618539b78ac

Download Submit
C:\Windows\System\juLaRsw.exe

Filesize
5.2MB

MD5
f97e694511a69a0e341ff2ee83149b51

SHA1
94eeb00ac93b16d02351738a6854064841c2989a

SHA256
dfd6a1292c73943484470ed9f990ddb70afbe42fbc94b3aa4dd606acd365c25f

SHA512
615cc9b1b3b45192dd8c7a97cc9a55f3fa6a8887d7d21fcb7e2b0c0ad4dcca5166829a4321547918af9522eb7ff17f0056e07598834822696eccb26e7fa8f843

Download Submit
C:\Windows\System\mcXEnSU.exe

Filesize
5.2MB

MD5
fcfde694875277e3e90ce9ff0af083df

SHA1
5b5c3f7c57146a797c06b06e2d91b77bf6908695

SHA256
5fe4ebf5ade793c75f1de129ccafa8051faf85024cd8b974aae1756b5d585706

SHA512
c7460382410e5e5151a9fa8caba06f16d679b01825f21e8ed62929d7e6e2c998526b3089efef4bfd0a50e13609af181f7f611c2d4702113828d843d7214f95e6

Download Submit
C:\Windows\System\nZYQRps.exe

Filesize
5.2MB

MD5
fa0b633aca484ce604dce3a779754960

SHA1
bb2b4bfedc61f968f214b4c3d7591b9292d6aa27

SHA256
f9d7e5ff6db4835a52e2cedc8bcd8eefe7d2d09753c7b170f2df35ad61005915

SHA512
92817033aa57b3dec3c77242e878244c147b3d5a24196f6374319c428e841d04422194e110f8e62d1404e37063d5f4c7d7f117a5b86958da7bcfa786d8b48d63

Download Submit
C:\Windows\System\nlGRfzs.exe

Filesize
5.2MB

MD5
3e8fbe15497bb83ff8349d694ab32ea0

SHA1
2a06496c0841779a09f2d0d791a0923649a9b333

SHA256
43200b579b540ddcabb5a70b06a536fd2abb40679214b056b1138c096bec4182

SHA512
f5d4514f920991a3c2b826135a4b1796f0d09126e8ac450db854914030669957cdf39d5bcd555ebb5949d068c50a20642a91976acdf8ecfa6f835d5642e71b5e

Download Submit
C:\Windows\System\olDvtaB.exe

Filesize
5.2MB

MD5
e703dc07b3dc634334ee0ea8b9415b0e

SHA1
c66f1042a5fd2f70e4e791b6c1994619683e8424

SHA256
e1acea667f2792f9735fdefb661e6c3d95371549fa7c8e77ba5aaaa8e66c7d09

SHA512
82ed7fe169227d74e4bc01517a1b62f34b9fca31acd147c78e178f5c34b75d8027f6dae8714e15614c3aae208edbeff11d2e99bbb1daa6c8aa11893ba99bda59

Download Submit
C:\Windows\System\qhNUSYN.exe

Filesize
5.2MB

MD5
b7b25f6a718b320d7683f4d9275dfe37

SHA1
e5110bf74d59d297152e4cda789ceea93b041801

SHA256
5ab0acf0096880d65a67c5c0bc9e511e60cf20b5143929ffb9582c3078db53fa

SHA512
a8e4ad8133ca00857514475df9fa2042bd753f89020e2bfa0704d7028c4a16c9a4f908fd860f73c38a6a7932f19976ced7301de4652bfa713a3363508a68a26b

Download Submit
C:\Windows\System\sikYrbW.exe

Filesize
5.2MB

MD5
5d888868299603e4482f8f8cb9cb938b

SHA1
26daf2523f304287cc136b053a64f033dcf90d01

SHA256
b9221291c91ab7399d5c3806362c7e44cd216c3929fd350b56a327b1a49cb5ea

SHA512
59a8a9c02e77583743617fd5e709add1c5623956d6cd797ec9ac37e4c8ba0b9e80ac7a388eb2245bcdfd580ded7c84f63c0b5abec150b6966001977b487fba67

Download Submit
C:\Windows\System\uhpHtyi.exe

Filesize
5.2MB

MD5
5d3ebacf95a031a587f1c34bbfa4cca6

SHA1
a58914d7fa051e92c3777b28d28e76ae41430787

SHA256
e01d32187ddc9639c46602f01fac3d5917dd0caf5d91bf376f58ef9c4230e204

SHA512
ba415e6932163313f79fee72bb098dff17b10484ea912153d51abf3334b849a06d5969424c4d04dd54b97a30c0560c274f53b63caf053cd6cb8e316771086a0c

Download Submit
memory/528-223-0x00007FF73EEB0000-0x00007FF73F201000-memory.dmp

Filesize
3.3MB

Download
memory/528-37-0x00007FF73EEB0000-0x00007FF73F201000-memory.dmp

Filesize
3.3MB

Download
memory/796-97-0x00007FF77EE90000-0x00007FF77F1E1000-memory.dmp

Filesize
3.3MB

Download
memory/796-262-0x00007FF77EE90000-0x00007FF77F1E1000-memory.dmp

Filesize
3.3MB

Download
memory/900-24-0x00007FF7712C0000-0x00007FF771611000-memory.dmp

Filesize
3.3MB

Download
memory/900-225-0x00007FF7712C0000-0x00007FF771611000-memory.dmp

Filesize
3.3MB

Download
memory/900-131-0x00007FF7712C0000-0x00007FF771611000-memory.dmp

Filesize
3.3MB

Download
memory/2016-76-0x00007FF77D1B0000-0x00007FF77D501000-memory.dmp

Filesize
3.3MB

Download
memory/2016-135-0x00007FF77D1B0000-0x00007FF77D501000-memory.dmp

Filesize
3.3MB

Download
memory/2016-247-0x00007FF77D1B0000-0x00007FF77D501000-memory.dmp

Filesize
3.3MB

Download
memory/2032-85-0x00007FF7A68F0000-0x00007FF7A6C41000-memory.dmp

Filesize
3.3MB

Download
memory/2032-248-0x00007FF7A68F0000-0x00007FF7A6C41000-memory.dmp

Filesize
3.3MB

Download
memory/2192-251-0x00007FF6827C0000-0x00007FF682B11000-memory.dmp

Filesize
3.3MB

Download
memory/2192-94-0x00007FF6827C0000-0x00007FF682B11000-memory.dmp

Filesize
3.3MB

Download
memory/2336-240-0x00007FF6BF570000-0x00007FF6BF8C1000-memory.dmp

Filesize
3.3MB

Download
memory/2336-93-0x00007FF6BF570000-0x00007FF6BF8C1000-memory.dmp

Filesize
3.3MB

Download
memory/2448-261-0x00007FF683C60000-0x00007FF683FB1000-memory.dmp

Filesize
3.3MB

Download
memory/2448-105-0x00007FF683C60000-0x00007FF683FB1000-memory.dmp

Filesize
3.3MB

Download
memory/2448-153-0x00007FF683C60000-0x00007FF683FB1000-memory.dmp

Filesize
3.3MB

Download
memory/2472-6-0x00007FF6101E0000-0x00007FF610531000-memory.dmp

Filesize
3.3MB

Download
memory/2472-219-0x00007FF6101E0000-0x00007FF610531000-memory.dmp

Filesize
3.3MB

Download
memory/2472-126-0x00007FF6101E0000-0x00007FF610531000-memory.dmp

Filesize
3.3MB

Download
memory/2920-110-0x00007FF76E250000-0x00007FF76E5A1000-memory.dmp

Filesize
3.3MB

Download
memory/2920-264-0x00007FF76E250000-0x00007FF76E5A1000-memory.dmp

Filesize
3.3MB

Download
memory/2920-154-0x00007FF76E250000-0x00007FF76E5A1000-memory.dmp

Filesize
3.3MB

Download
memory/3152-231-0x00007FF600920000-0x00007FF600C71000-memory.dmp

Filesize
3.3MB

Download
memory/3152-90-0x00007FF600920000-0x00007FF600C71000-memory.dmp

Filesize
3.3MB

Download
memory/3472-159-0x00007FF734F90000-0x00007FF7352E1000-memory.dmp

Filesize
3.3MB

Download
memory/3472-123-0x00007FF734F90000-0x00007FF7352E1000-memory.dmp

Filesize
3.3MB

Download
memory/3472-0-0x00007FF734F90000-0x00007FF7352E1000-memory.dmp

Filesize
3.3MB

Download
memory/3472-1-0x00000200B54D0000-0x00000200B54E0000-memory.dmp

Filesize
64KB

Download
memory/3472-136-0x00007FF734F90000-0x00007FF7352E1000-memory.dmp

Filesize
3.3MB

Download
memory/3572-116-0x00007FF739360000-0x00007FF7396B1000-memory.dmp

Filesize
3.3MB

Download
memory/3572-256-0x00007FF739360000-0x00007FF7396B1000-memory.dmp

Filesize
3.3MB

Download
memory/3572-157-0x00007FF739360000-0x00007FF7396B1000-memory.dmp

Filesize
3.3MB

Download
memory/3740-77-0x00007FF6089C0000-0x00007FF608D11000-memory.dmp

Filesize
3.3MB

Download
memory/3740-244-0x00007FF6089C0000-0x00007FF608D11000-memory.dmp

Filesize
3.3MB

Download
memory/3956-145-0x00007FF7BDCA0000-0x00007FF7BDFF1000-memory.dmp

Filesize
3.3MB

Download
memory/3956-252-0x00007FF7BDCA0000-0x00007FF7BDFF1000-memory.dmp

Filesize
3.3MB

Download
memory/3956-86-0x00007FF7BDCA0000-0x00007FF7BDFF1000-memory.dmp

Filesize
3.3MB

Download
memory/3988-133-0x00007FF72F1B0000-0x00007FF72F501000-memory.dmp

Filesize
3.3MB

Download
memory/3988-229-0x00007FF72F1B0000-0x00007FF72F501000-memory.dmp

Filesize
3.3MB

Download
memory/3988-56-0x00007FF72F1B0000-0x00007FF72F501000-memory.dmp

Filesize
3.3MB

Download
memory/4172-155-0x00007FF6E4EC0000-0x00007FF6E5211000-memory.dmp

Filesize
3.3MB

Download
memory/4172-255-0x00007FF6E4EC0000-0x00007FF6E5211000-memory.dmp

Filesize
3.3MB

Download
memory/4172-115-0x00007FF6E4EC0000-0x00007FF6E5211000-memory.dmp

Filesize
3.3MB

Download
memory/4240-130-0x00007FF772A40000-0x00007FF772D91000-memory.dmp

Filesize
3.3MB

Download
memory/4240-221-0x00007FF772A40000-0x00007FF772D91000-memory.dmp

Filesize
3.3MB

Download
memory/4240-14-0x00007FF772A40000-0x00007FF772D91000-memory.dmp

Filesize
3.3MB

Download
memory/4480-259-0x00007FF68F3A0000-0x00007FF68F6F1000-memory.dmp

Filesize
3.3MB

Download
memory/4480-114-0x00007FF68F3A0000-0x00007FF68F6F1000-memory.dmp

Filesize
3.3MB

Download
memory/4480-156-0x00007FF68F3A0000-0x00007FF68F6F1000-memory.dmp

Filesize
3.3MB

Download
memory/4536-242-0x00007FF71F670000-0x00007FF71F9C1000-memory.dmp

Filesize
3.3MB

Download
memory/4536-61-0x00007FF71F670000-0x00007FF71F9C1000-memory.dmp

Filesize
3.3MB

Download
memory/4536-134-0x00007FF71F670000-0x00007FF71F9C1000-memory.dmp

Filesize
3.3MB

Download
memory/5040-227-0x00007FF704AC0000-0x00007FF704E11000-memory.dmp

Filesize
3.3MB

Download
memory/5040-27-0x00007FF704AC0000-0x00007FF704E11000-memory.dmp

Filesize
3.3MB

Download
memory/5040-132-0x00007FF704AC0000-0x00007FF704E11000-memory.dmp

Filesize
3.3MB

Download
memory/5080-127-0x00007FF608220000-0x00007FF608571000-memory.dmp

Filesize
3.3MB

Download
memory/5080-158-0x00007FF608220000-0x00007FF608571000-memory.dmp

Filesize
3.3MB

Download
memory/5080-266-0x00007FF608220000-0x00007FF608571000-memory.dmp

Filesize
3.3MB

Download