cobaltstrike | 101156afe16f101e64aadd16ccfbee93679dca736f26bf6b0e7ffb370c4e6315

Analysis

max time kernel
141s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
16-09-2024 05:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-16_3c58d06436369f7549bc8d7ccf93eeaf_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

3c58d06436369f7549bc8d7ccf93eeaf
SHA1

084fbe962f7cfebd5464f07239b625752ff683c6
SHA256

101156afe16f101e64aadd16ccfbee93679dca736f26bf6b0e7ffb370c4e6315
SHA512

a398046c1da417d23f8544614ea1ecbe9c5019cdb591b1bf546080da501c8feca31dbb2fb6266c0047b61c910753d989e0b484aa0e0721d1fb9aa794483003a8
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6li:RWWBibf56utgpPFotBER/mQ32lUG

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0007000000023478-7.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023477-8.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002347b-53.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002347f-63.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023480-67.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023481-71.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002347e-57.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002347c-47.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002347d-45.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002347a-38.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023479-34.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023473-12.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023482-77.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023483-84.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023484-89.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023485-95.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023487-107.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023488-123.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002348a-128.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023489-122.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023486-114.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 46 IoCs

miner

resource	yara_rule
behavioral2/memory/4928-74-0x00007FF712670000-0x00007FF7129C1000-memory.dmp	xmrig
behavioral2/memory/1652-73-0x00007FF66A3D0000-0x00007FF66A721000-memory.dmp	xmrig
behavioral2/memory/684-70-0x00007FF798A00000-0x00007FF798D51000-memory.dmp	xmrig
behavioral2/memory/2256-66-0x00007FF7289C0000-0x00007FF728D11000-memory.dmp	xmrig
behavioral2/memory/1788-60-0x00007FF65D9C0000-0x00007FF65DD11000-memory.dmp	xmrig
behavioral2/memory/2888-99-0x00007FF6ABC40000-0x00007FF6ABF91000-memory.dmp	xmrig
behavioral2/memory/3924-108-0x00007FF790FA0000-0x00007FF7912F1000-memory.dmp	xmrig
behavioral2/memory/3380-110-0x00007FF683240000-0x00007FF683591000-memory.dmp	xmrig
behavioral2/memory/1788-126-0x00007FF65D9C0000-0x00007FF65DD11000-memory.dmp	xmrig
behavioral2/memory/2080-120-0x00007FF6B87F0000-0x00007FF6B8B41000-memory.dmp	xmrig
behavioral2/memory/412-109-0x00007FF7DC8F0000-0x00007FF7DCC41000-memory.dmp	xmrig
behavioral2/memory/756-103-0x00007FF7E6FF0000-0x00007FF7E7341000-memory.dmp	xmrig
behavioral2/memory/1252-97-0x00007FF6187B0000-0x00007FF618B01000-memory.dmp	xmrig
behavioral2/memory/4728-96-0x00007FF73C480000-0x00007FF73C7D1000-memory.dmp	xmrig
behavioral2/memory/4728-134-0x00007FF73C480000-0x00007FF73C7D1000-memory.dmp	xmrig
behavioral2/memory/2456-133-0x00007FF729BF0000-0x00007FF729F41000-memory.dmp	xmrig
behavioral2/memory/3956-147-0x00007FF78C7C0000-0x00007FF78CB11000-memory.dmp	xmrig
behavioral2/memory/3832-149-0x00007FF7B7820000-0x00007FF7B7B71000-memory.dmp	xmrig
behavioral2/memory/1120-150-0x00007FF6602F0000-0x00007FF660641000-memory.dmp	xmrig
behavioral2/memory/1216-148-0x00007FF7640A0000-0x00007FF7643F1000-memory.dmp	xmrig
behavioral2/memory/3352-151-0x00007FF785320000-0x00007FF785671000-memory.dmp	xmrig
behavioral2/memory/4232-152-0x00007FF6CFFB0000-0x00007FF6D0301000-memory.dmp	xmrig
behavioral2/memory/2976-156-0x00007FF714710000-0x00007FF714A61000-memory.dmp	xmrig
behavioral2/memory/3460-161-0x00007FF7637D0000-0x00007FF763B21000-memory.dmp	xmrig
behavioral2/memory/4728-162-0x00007FF73C480000-0x00007FF73C7D1000-memory.dmp	xmrig
behavioral2/memory/1252-214-0x00007FF6187B0000-0x00007FF618B01000-memory.dmp	xmrig
behavioral2/memory/2888-223-0x00007FF6ABC40000-0x00007FF6ABF91000-memory.dmp	xmrig
behavioral2/memory/2080-225-0x00007FF6B87F0000-0x00007FF6B8B41000-memory.dmp	xmrig
behavioral2/memory/3924-227-0x00007FF790FA0000-0x00007FF7912F1000-memory.dmp	xmrig
behavioral2/memory/1788-230-0x00007FF65D9C0000-0x00007FF65DD11000-memory.dmp	xmrig
behavioral2/memory/412-231-0x00007FF7DC8F0000-0x00007FF7DCC41000-memory.dmp	xmrig
behavioral2/memory/684-233-0x00007FF798A00000-0x00007FF798D51000-memory.dmp	xmrig
behavioral2/memory/3380-235-0x00007FF683240000-0x00007FF683591000-memory.dmp	xmrig
behavioral2/memory/4928-241-0x00007FF712670000-0x00007FF7129C1000-memory.dmp	xmrig
behavioral2/memory/1652-238-0x00007FF66A3D0000-0x00007FF66A721000-memory.dmp	xmrig
behavioral2/memory/1216-243-0x00007FF7640A0000-0x00007FF7643F1000-memory.dmp	xmrig
behavioral2/memory/2256-240-0x00007FF7289C0000-0x00007FF728D11000-memory.dmp	xmrig
behavioral2/memory/3956-249-0x00007FF78C7C0000-0x00007FF78CB11000-memory.dmp	xmrig
behavioral2/memory/3352-250-0x00007FF785320000-0x00007FF785671000-memory.dmp	xmrig
behavioral2/memory/4232-252-0x00007FF6CFFB0000-0x00007FF6D0301000-memory.dmp	xmrig
behavioral2/memory/756-259-0x00007FF7E6FF0000-0x00007FF7E7341000-memory.dmp	xmrig
behavioral2/memory/2976-261-0x00007FF714710000-0x00007FF714A61000-memory.dmp	xmrig
behavioral2/memory/3460-265-0x00007FF7637D0000-0x00007FF763B21000-memory.dmp	xmrig
behavioral2/memory/2456-264-0x00007FF729BF0000-0x00007FF729F41000-memory.dmp	xmrig
behavioral2/memory/3832-267-0x00007FF7B7820000-0x00007FF7B7B71000-memory.dmp	xmrig
behavioral2/memory/1120-269-0x00007FF6602F0000-0x00007FF660641000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
1252	LsKmqBT.exe
2888	EosEobY.exe
2080	QkVlsmW.exe
3924	RStKxQj.exe
412	hhQApLN.exe
3380	pJSmVHx.exe
684	ijiTpyb.exe
1788	SIYCpgd.exe
1652	iPOBbvE.exe
2256	gnEJBpL.exe
1216	hlVWkos.exe
4928	maRlTWI.exe
3956	XHwhmCi.exe
3352	zwfcCBs.exe
4232	GzLMUCR.exe
756	sCMSPHm.exe
2976	IfZaabT.exe
3460	IDPPoev.exe
2456	gpjMeEY.exe
3832	jnXHaxl.exe
1120	ngTUmJz.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4728-0-0x00007FF73C480000-0x00007FF73C7D1000-memory.dmp	upx
behavioral2/files/0x0007000000023478-7.dat	upx
behavioral2/files/0x0007000000023477-8.dat	upx
behavioral2/memory/412-32-0x00007FF7DC8F0000-0x00007FF7DCC41000-memory.dmp	upx
behavioral2/files/0x000700000002347b-53.dat	upx
behavioral2/files/0x000700000002347f-63.dat	upx
behavioral2/files/0x0007000000023480-67.dat	upx
behavioral2/files/0x0007000000023481-71.dat	upx
behavioral2/memory/4928-74-0x00007FF712670000-0x00007FF7129C1000-memory.dmp	upx
behavioral2/memory/1652-73-0x00007FF66A3D0000-0x00007FF66A721000-memory.dmp	upx
behavioral2/memory/684-70-0x00007FF798A00000-0x00007FF798D51000-memory.dmp	upx
behavioral2/memory/1216-69-0x00007FF7640A0000-0x00007FF7643F1000-memory.dmp	upx
behavioral2/memory/2256-66-0x00007FF7289C0000-0x00007FF728D11000-memory.dmp	upx
behavioral2/memory/1788-60-0x00007FF65D9C0000-0x00007FF65DD11000-memory.dmp	upx
behavioral2/files/0x000700000002347e-57.dat	upx
behavioral2/files/0x000700000002347c-47.dat	upx
behavioral2/files/0x000700000002347d-45.dat	upx
behavioral2/memory/3380-43-0x00007FF683240000-0x00007FF683591000-memory.dmp	upx
behavioral2/files/0x000700000002347a-38.dat	upx
behavioral2/files/0x0007000000023479-34.dat	upx
behavioral2/memory/2080-25-0x00007FF6B87F0000-0x00007FF6B8B41000-memory.dmp	upx
behavioral2/memory/3924-23-0x00007FF790FA0000-0x00007FF7912F1000-memory.dmp	upx
behavioral2/memory/2888-19-0x00007FF6ABC40000-0x00007FF6ABF91000-memory.dmp	upx
behavioral2/files/0x0008000000023473-12.dat	upx
behavioral2/memory/1252-9-0x00007FF6187B0000-0x00007FF618B01000-memory.dmp	upx
behavioral2/files/0x0007000000023482-77.dat	upx
behavioral2/files/0x0007000000023483-84.dat	upx
behavioral2/memory/3352-85-0x00007FF785320000-0x00007FF785671000-memory.dmp	upx
behavioral2/files/0x0007000000023484-89.dat	upx
behavioral2/memory/4232-90-0x00007FF6CFFB0000-0x00007FF6D0301000-memory.dmp	upx
behavioral2/memory/3956-78-0x00007FF78C7C0000-0x00007FF78CB11000-memory.dmp	upx
behavioral2/files/0x0007000000023485-95.dat	upx
behavioral2/memory/2888-99-0x00007FF6ABC40000-0x00007FF6ABF91000-memory.dmp	upx
behavioral2/files/0x0007000000023487-107.dat	upx
behavioral2/memory/3924-108-0x00007FF790FA0000-0x00007FF7912F1000-memory.dmp	upx
behavioral2/memory/3380-110-0x00007FF683240000-0x00007FF683591000-memory.dmp	upx
behavioral2/files/0x0007000000023488-123.dat	upx
behavioral2/files/0x000700000002348a-128.dat	upx
behavioral2/memory/1788-126-0x00007FF65D9C0000-0x00007FF65DD11000-memory.dmp	upx
behavioral2/files/0x0007000000023489-122.dat	upx
behavioral2/memory/2080-120-0x00007FF6B87F0000-0x00007FF6B8B41000-memory.dmp	upx
behavioral2/memory/3460-119-0x00007FF7637D0000-0x00007FF763B21000-memory.dmp	upx
behavioral2/memory/412-109-0x00007FF7DC8F0000-0x00007FF7DCC41000-memory.dmp	upx
behavioral2/files/0x0007000000023486-114.dat	upx
behavioral2/memory/2976-111-0x00007FF714710000-0x00007FF714A61000-memory.dmp	upx
behavioral2/memory/756-103-0x00007FF7E6FF0000-0x00007FF7E7341000-memory.dmp	upx
behavioral2/memory/1252-97-0x00007FF6187B0000-0x00007FF618B01000-memory.dmp	upx
behavioral2/memory/4728-96-0x00007FF73C480000-0x00007FF73C7D1000-memory.dmp	upx
behavioral2/memory/4728-134-0x00007FF73C480000-0x00007FF73C7D1000-memory.dmp	upx
behavioral2/memory/2456-133-0x00007FF729BF0000-0x00007FF729F41000-memory.dmp	upx
behavioral2/memory/3956-147-0x00007FF78C7C0000-0x00007FF78CB11000-memory.dmp	upx
behavioral2/memory/3832-149-0x00007FF7B7820000-0x00007FF7B7B71000-memory.dmp	upx
behavioral2/memory/1120-150-0x00007FF6602F0000-0x00007FF660641000-memory.dmp	upx
behavioral2/memory/1216-148-0x00007FF7640A0000-0x00007FF7643F1000-memory.dmp	upx
behavioral2/memory/3352-151-0x00007FF785320000-0x00007FF785671000-memory.dmp	upx
behavioral2/memory/4232-152-0x00007FF6CFFB0000-0x00007FF6D0301000-memory.dmp	upx
behavioral2/memory/2976-156-0x00007FF714710000-0x00007FF714A61000-memory.dmp	upx
behavioral2/memory/3460-161-0x00007FF7637D0000-0x00007FF763B21000-memory.dmp	upx
behavioral2/memory/4728-162-0x00007FF73C480000-0x00007FF73C7D1000-memory.dmp	upx
behavioral2/memory/1252-214-0x00007FF6187B0000-0x00007FF618B01000-memory.dmp	upx
behavioral2/memory/2888-223-0x00007FF6ABC40000-0x00007FF6ABF91000-memory.dmp	upx
behavioral2/memory/2080-225-0x00007FF6B87F0000-0x00007FF6B8B41000-memory.dmp	upx
behavioral2/memory/3924-227-0x00007FF790FA0000-0x00007FF7912F1000-memory.dmp	upx
behavioral2/memory/1788-230-0x00007FF65D9C0000-0x00007FF65DD11000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\zwfcCBs.exe	2024-09-16_3c58d06436369f7549bc8d7ccf93eeaf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IDPPoev.exe	2024-09-16_3c58d06436369f7549bc8d7ccf93eeaf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pJSmVHx.exe	2024-09-16_3c58d06436369f7549bc8d7ccf93eeaf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hlVWkos.exe	2024-09-16_3c58d06436369f7549bc8d7ccf93eeaf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XHwhmCi.exe	2024-09-16_3c58d06436369f7549bc8d7ccf93eeaf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gnEJBpL.exe	2024-09-16_3c58d06436369f7549bc8d7ccf93eeaf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\maRlTWI.exe	2024-09-16_3c58d06436369f7549bc8d7ccf93eeaf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sCMSPHm.exe	2024-09-16_3c58d06436369f7549bc8d7ccf93eeaf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ngTUmJz.exe	2024-09-16_3c58d06436369f7549bc8d7ccf93eeaf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LsKmqBT.exe	2024-09-16_3c58d06436369f7549bc8d7ccf93eeaf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EosEobY.exe	2024-09-16_3c58d06436369f7549bc8d7ccf93eeaf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ijiTpyb.exe	2024-09-16_3c58d06436369f7549bc8d7ccf93eeaf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jnXHaxl.exe	2024-09-16_3c58d06436369f7549bc8d7ccf93eeaf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hhQApLN.exe	2024-09-16_3c58d06436369f7549bc8d7ccf93eeaf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IfZaabT.exe	2024-09-16_3c58d06436369f7549bc8d7ccf93eeaf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gpjMeEY.exe	2024-09-16_3c58d06436369f7549bc8d7ccf93eeaf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iPOBbvE.exe	2024-09-16_3c58d06436369f7549bc8d7ccf93eeaf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GzLMUCR.exe	2024-09-16_3c58d06436369f7549bc8d7ccf93eeaf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QkVlsmW.exe	2024-09-16_3c58d06436369f7549bc8d7ccf93eeaf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RStKxQj.exe	2024-09-16_3c58d06436369f7549bc8d7ccf93eeaf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SIYCpgd.exe	2024-09-16_3c58d06436369f7549bc8d7ccf93eeaf_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4728	2024-09-16_3c58d06436369f7549bc8d7ccf93eeaf_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4728	2024-09-16_3c58d06436369f7549bc8d7ccf93eeaf_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4728 wrote to memory of 1252	4728	2024-09-16_3c58d06436369f7549bc8d7ccf93eeaf_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4728 wrote to memory of 1252	4728	2024-09-16_3c58d06436369f7549bc8d7ccf93eeaf_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4728 wrote to memory of 2888	4728	2024-09-16_3c58d06436369f7549bc8d7ccf93eeaf_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4728 wrote to memory of 2888	4728	2024-09-16_3c58d06436369f7549bc8d7ccf93eeaf_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4728 wrote to memory of 2080	4728	2024-09-16_3c58d06436369f7549bc8d7ccf93eeaf_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4728 wrote to memory of 2080	4728	2024-09-16_3c58d06436369f7549bc8d7ccf93eeaf_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4728 wrote to memory of 3924	4728	2024-09-16_3c58d06436369f7549bc8d7ccf93eeaf_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4728 wrote to memory of 3924	4728	2024-09-16_3c58d06436369f7549bc8d7ccf93eeaf_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4728 wrote to memory of 412	4728	2024-09-16_3c58d06436369f7549bc8d7ccf93eeaf_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4728 wrote to memory of 412	4728	2024-09-16_3c58d06436369f7549bc8d7ccf93eeaf_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4728 wrote to memory of 3380	4728	2024-09-16_3c58d06436369f7549bc8d7ccf93eeaf_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4728 wrote to memory of 3380	4728	2024-09-16_3c58d06436369f7549bc8d7ccf93eeaf_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4728 wrote to memory of 684	4728	2024-09-16_3c58d06436369f7549bc8d7ccf93eeaf_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4728 wrote to memory of 684	4728	2024-09-16_3c58d06436369f7549bc8d7ccf93eeaf_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4728 wrote to memory of 1788	4728	2024-09-16_3c58d06436369f7549bc8d7ccf93eeaf_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4728 wrote to memory of 1788	4728	2024-09-16_3c58d06436369f7549bc8d7ccf93eeaf_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4728 wrote to memory of 1652	4728	2024-09-16_3c58d06436369f7549bc8d7ccf93eeaf_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4728 wrote to memory of 1652	4728	2024-09-16_3c58d06436369f7549bc8d7ccf93eeaf_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4728 wrote to memory of 2256	4728	2024-09-16_3c58d06436369f7549bc8d7ccf93eeaf_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4728 wrote to memory of 2256	4728	2024-09-16_3c58d06436369f7549bc8d7ccf93eeaf_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4728 wrote to memory of 1216	4728	2024-09-16_3c58d06436369f7549bc8d7ccf93eeaf_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4728 wrote to memory of 1216	4728	2024-09-16_3c58d06436369f7549bc8d7ccf93eeaf_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4728 wrote to memory of 4928	4728	2024-09-16_3c58d06436369f7549bc8d7ccf93eeaf_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4728 wrote to memory of 4928	4728	2024-09-16_3c58d06436369f7549bc8d7ccf93eeaf_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4728 wrote to memory of 3956	4728	2024-09-16_3c58d06436369f7549bc8d7ccf93eeaf_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4728 wrote to memory of 3956	4728	2024-09-16_3c58d06436369f7549bc8d7ccf93eeaf_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4728 wrote to memory of 3352	4728	2024-09-16_3c58d06436369f7549bc8d7ccf93eeaf_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4728 wrote to memory of 3352	4728	2024-09-16_3c58d06436369f7549bc8d7ccf93eeaf_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4728 wrote to memory of 4232	4728	2024-09-16_3c58d06436369f7549bc8d7ccf93eeaf_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4728 wrote to memory of 4232	4728	2024-09-16_3c58d06436369f7549bc8d7ccf93eeaf_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4728 wrote to memory of 756	4728	2024-09-16_3c58d06436369f7549bc8d7ccf93eeaf_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4728 wrote to memory of 756	4728	2024-09-16_3c58d06436369f7549bc8d7ccf93eeaf_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4728 wrote to memory of 2976	4728	2024-09-16_3c58d06436369f7549bc8d7ccf93eeaf_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4728 wrote to memory of 2976	4728	2024-09-16_3c58d06436369f7549bc8d7ccf93eeaf_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4728 wrote to memory of 3460	4728	2024-09-16_3c58d06436369f7549bc8d7ccf93eeaf_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4728 wrote to memory of 3460	4728	2024-09-16_3c58d06436369f7549bc8d7ccf93eeaf_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4728 wrote to memory of 2456	4728	2024-09-16_3c58d06436369f7549bc8d7ccf93eeaf_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4728 wrote to memory of 2456	4728	2024-09-16_3c58d06436369f7549bc8d7ccf93eeaf_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4728 wrote to memory of 3832	4728	2024-09-16_3c58d06436369f7549bc8d7ccf93eeaf_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4728 wrote to memory of 3832	4728	2024-09-16_3c58d06436369f7549bc8d7ccf93eeaf_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4728 wrote to memory of 1120	4728	2024-09-16_3c58d06436369f7549bc8d7ccf93eeaf_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 4728 wrote to memory of 1120	4728	2024-09-16_3c58d06436369f7549bc8d7ccf93eeaf_cobalt-strike_cobaltstrike_poet-rat.exe	105

C:\Users\Admin\AppData\Local\Temp\2024-09-16_3c58d06436369f7549bc8d7ccf93eeaf_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-16_3c58d06436369f7549bc8d7ccf93eeaf_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4728
- C:\Windows\System\LsKmqBT.exe
  C:\Windows\System\LsKmqBT.exe
  2⤵
  - Executes dropped EXE
  PID:1252
- C:\Windows\System\EosEobY.exe
  C:\Windows\System\EosEobY.exe
  2⤵
  - Executes dropped EXE
  PID:2888
- C:\Windows\System\QkVlsmW.exe
  C:\Windows\System\QkVlsmW.exe
  2⤵
  - Executes dropped EXE
  PID:2080
- C:\Windows\System\RStKxQj.exe
  C:\Windows\System\RStKxQj.exe
  2⤵
  - Executes dropped EXE
  PID:3924
- C:\Windows\System\hhQApLN.exe
  C:\Windows\System\hhQApLN.exe
  2⤵
  - Executes dropped EXE
  PID:412
- C:\Windows\System\pJSmVHx.exe
  C:\Windows\System\pJSmVHx.exe
  2⤵
  - Executes dropped EXE
  PID:3380
- C:\Windows\System\ijiTpyb.exe
  C:\Windows\System\ijiTpyb.exe
  2⤵
  - Executes dropped EXE
  PID:684
- C:\Windows\System\SIYCpgd.exe
  C:\Windows\System\SIYCpgd.exe
  2⤵
  - Executes dropped EXE
  PID:1788
- C:\Windows\System\iPOBbvE.exe
  C:\Windows\System\iPOBbvE.exe
  2⤵
  - Executes dropped EXE
  PID:1652
- C:\Windows\System\gnEJBpL.exe
  C:\Windows\System\gnEJBpL.exe
  2⤵
  - Executes dropped EXE
  PID:2256
- C:\Windows\System\hlVWkos.exe
  C:\Windows\System\hlVWkos.exe
  2⤵
  - Executes dropped EXE
  PID:1216
- C:\Windows\System\maRlTWI.exe
  C:\Windows\System\maRlTWI.exe
  2⤵
  - Executes dropped EXE
  PID:4928
- C:\Windows\System\XHwhmCi.exe
  C:\Windows\System\XHwhmCi.exe
  2⤵
  - Executes dropped EXE
  PID:3956
- C:\Windows\System\zwfcCBs.exe
  C:\Windows\System\zwfcCBs.exe
  2⤵
  - Executes dropped EXE
  PID:3352
- C:\Windows\System\GzLMUCR.exe
  C:\Windows\System\GzLMUCR.exe
  2⤵
  - Executes dropped EXE
  PID:4232
- C:\Windows\System\sCMSPHm.exe
  C:\Windows\System\sCMSPHm.exe
  2⤵
  - Executes dropped EXE
  PID:756
- C:\Windows\System\IfZaabT.exe
  C:\Windows\System\IfZaabT.exe
  2⤵
  - Executes dropped EXE
  PID:2976
- C:\Windows\System\IDPPoev.exe
  C:\Windows\System\IDPPoev.exe
  2⤵
  - Executes dropped EXE
  PID:3460
- C:\Windows\System\gpjMeEY.exe
  C:\Windows\System\gpjMeEY.exe
  2⤵
  - Executes dropped EXE
  PID:2456
- C:\Windows\System\jnXHaxl.exe
  C:\Windows\System\jnXHaxl.exe
  2⤵
  - Executes dropped EXE
  PID:3832
- C:\Windows\System\ngTUmJz.exe
  C:\Windows\System\ngTUmJz.exe
  2⤵
  - Executes dropped EXE
  PID:1120

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\EosEobY.exe

Filesize
5.2MB

MD5
e75b16b0a5d4d95da268911d9b60395e

SHA1
73a260b4538aa2a5c9a159258f6e75c5225b962f

SHA256
b6df35f620aa74c00633bfdc8cbe1b2909f58faf5493226304f9b5a9ca749944

SHA512
a658621b83fa026f7c79d28cff26d5987b301c3c562fd638581e17806af94dfe0ff9fdcad6c67adb35233b5847866a953c914d7a8119b98be64a0b3a941bb3ae

Download Submit
C:\Windows\System\GzLMUCR.exe

Filesize
5.2MB

MD5
68c1cdced1527f38111f106c2078aa3b

SHA1
4497d90178f32e3f0254f62ba710392d4d8ce904

SHA256
b294117c9332e2c36b2c2e8f34476702a055917a544802eaa37aef3277d19235

SHA512
0eea29e49bdde86cdf6662331438c4f6be6a4ebfd4b74f421e17adde4db58b561048aeac90c87647ea6ff5b14353fd0295b10d4290a8f28d63e9ac7323b1aa35

Download Submit
C:\Windows\System\IDPPoev.exe

Filesize
5.2MB

MD5
27c21b91d12d2eaf727a6d9d59544bba

SHA1
f9776f0cde50ee2790b44c64481c6c85de31c47c

SHA256
6d828443357d313ee7e013fdd77af81d85bb876c64a0636cd8b0aba297a12868

SHA512
8817a37b63f73e9e2a328e2d1522f0d4abd26f26194374b49da6ab0386dddac76e006553deafcaf5e3185546eae8012e6942f4f680bbc0712df270837c4cd3c0

Download Submit
C:\Windows\System\IfZaabT.exe

Filesize
5.2MB

MD5
96fa1df4de6f8a740d9c47c15531ce58

SHA1
22e7952d6d58b4081d327f1ba688cd16ae034c2c

SHA256
20c53faf98832e69d304613219fa88b8b49860c5d975105ab264390d386d8ece

SHA512
d8a74f18744f2bd24fbe4ea56222ed0ce1eee81bd9af1233cae490fc9c25cfa6785a9425e3825ff3ef9208b9a3fc7fce297860b0554ce25facb7683ef94f6bc3

Download Submit
C:\Windows\System\LsKmqBT.exe

Filesize
5.2MB

MD5
16a7f8caaf66c7f65daa6d06ca4dbbc5

SHA1
6d862cc1f7d01743451ae77dd869c7efb3561ae3

SHA256
c5b1c7d4fb8c45de576ebff9805d0982fb3302be8f576c1795e224d2cd65c206

SHA512
e77cb5dc16d18a876860eaaa483bd076d2006abbd6f33bc0f5b08b1f9163d46cff2d424bd581704f8ffb04a11e57d16648da40ac8b8bb8b085f6b6e740e01173

Download Submit
C:\Windows\System\QkVlsmW.exe

Filesize
5.2MB

MD5
d4c49baaee34f04ae991465fd7b6c358

SHA1
42d09f19fcc3100e258a49942f50e71f58d2209c

SHA256
601b54a4f945104faab3bb53fb790b24455d1e7c2ec75e640af44bf5974f3fad

SHA512
ff5ff27702c50ee6ba9bbeef1337230ed855eac12d83c180ce1a9e736e2a79337ab6acc28f283ebe193cda1d4be17da34a7ffba7d6fe9052737b79572e695f71

Download Submit
C:\Windows\System\RStKxQj.exe

Filesize
5.2MB

MD5
ca65bd9abf5ec3cff7b3ee3c66c37872

SHA1
5b83892895215db26c3e90b76017bee4fc06a905

SHA256
6581aa2e452b811b3ca8436fee17e7cbda259f7d49ee5608a8610567e6377c73

SHA512
400209e7b0e2cefb9325d180bcf3dc94f60c943997bd059e967815d134983148a481857e4e07651af720b6440d4ff0a4240cdb412a97f4b6eb1e6758d94e5d33

Download Submit
C:\Windows\System\SIYCpgd.exe

Filesize
5.2MB

MD5
70675bb4de2cf2a41d6b3b33c46cbc97

SHA1
a1a967ee90aae330ff93f6290db408b804423909

SHA256
38cdf8f183b6356798e7541d0153ab72d3b77348583a521f62f619cfe0b5defe

SHA512
20a035f6d933a563cb2ceb8c2a5c2c735b04c515029e7bbd0596767d0cbf24f3abb0605fbd356687729726c36d964691b2943fb22a41d59839bfffee9fc4fc5a

Download Submit
C:\Windows\System\XHwhmCi.exe

Filesize
5.2MB

MD5
c13f5c6d63fdb15466f8e1f715a6ef24

SHA1
4ac084834f87449d6d2e763a4ff0ebed8a9dc3db

SHA256
0a7f72c78ba9911dc05ed562ab0618648579f8bdaca04b90aa7e6ac88f4bb492

SHA512
2696a6b72aefcc016d2bbf07608c2ef0aed3f89995983b08570a53f45104c81fb6fd1f10cef6e9114bdbff16c50e49fdee636717457d099136bd9a84d97cbd31

Download Submit
C:\Windows\System\gnEJBpL.exe

Filesize
5.2MB

MD5
19c857df9505001e9a6c0cd5a8590e62

SHA1
988edf06bfb52e2a632c9c1e21d154f8536d08bc

SHA256
78337eeb85af5c49efc5b5c4259273f7e7c6c75904d885d382e239925d324765

SHA512
e3c091d432603c1d6511075ad1c675e0933e692a75df5d011202b454c8ab7d7557479769c10256c16c3d2634939b40070c74ceea329b9aac875c559c2bfab63b

Download Submit
C:\Windows\System\gpjMeEY.exe

Filesize
5.2MB

MD5
a82a24370b610bc87cf3df862f7c082f

SHA1
07245810189f8fa7c984f88fdd677b6140086df9

SHA256
70128c1e2e8bfc4f561c9bacbc6860d85a2ba09909347d50bde421ee0756b2c5

SHA512
05cf42439ef1dfbaf4fc25823a4a7f988f715bdf8aab14cb3acd4ef633e0f73af079ad142f0ace22be10c0e7ea70be5e204e5d3862570ab8419b18d841b9c010

Download Submit
C:\Windows\System\hhQApLN.exe

Filesize
5.2MB

MD5
b28511e8cfa90a0884d2c280687b8b8a

SHA1
23c433c53f429dc9bc620f9975b53d6caa38bc12

SHA256
51332ad95de648c831479cd6b8f0a17856962f1879ae08ac494dcebd0200c199

SHA512
e467674f20994370b1a51c266ef254e8c177bc90db2cc01dcd38acf1b5c95b2d6d6534d9f5e62c43eb57b92d3c6fd1f30eac31e3c599b95f60b7032251cb532d

Download Submit
C:\Windows\System\hlVWkos.exe

Filesize
5.2MB

MD5
23e25ef01f54524ff2e715b732d427c7

SHA1
f29564a4c9591cde598cac468c43b73c08b31516

SHA256
d66926e8f482ef1678530dfa390ddac2d3f489237e65b82e7ad1a521645a81ea

SHA512
ee1157cd5ffcb2752f46a0a936480e7f04ecfba391f19408fddfca50761bff653d6377f94290701e55cddb363e70d95555978268e77332c2393b84d1c98232dd

Download Submit
C:\Windows\System\iPOBbvE.exe

Filesize
5.2MB

MD5
03d8e3d5d0af1dc587775a31e088c7bc

SHA1
8f5dbfa5d3d743715fbf62d7e94f45c2ad45ba16

SHA256
9638b66f0d9328539a3d7ad5ddb856918bbf43968080a0d196daa9781c3493fa

SHA512
95b20c736aef40da4c9dca02d9e704717dd09a893d0fd24e6d20e4af9cd1d2d82598c58b53a3be7b5d3d69e99eb6b06ed54896e9a5969c98da99ea4a20734557

Download Submit
C:\Windows\System\ijiTpyb.exe

Filesize
5.2MB

MD5
4fd82c688e904f6dbfb9c99fc942dd62

SHA1
408845c0603e57a5181c59d49228a26e9a19f0c9

SHA256
0a9bfbc57cbbde2cf64b6ba57e50153ebe1a2441ecb232ccd6840db9051b8de0

SHA512
8a0a98db32f9793b81b7a7081ae6ae56f88a48065970cc5cd8d3b8db5d87b89f53b40a12aa8e4e20b359cc7c0ee26022f866b5223b1fece8e30d34e814fecf43

Download Submit
C:\Windows\System\jnXHaxl.exe

Filesize
5.2MB

MD5
533d0ab793b741b8bdffe5db20e915d2

SHA1
b4427ea711cdcdfc0413fd4353b02d93a26a186d

SHA256
5854af377aaaf6350d4aa6d82bad6b3231af17eb6a8154baa5c4f85d7e13eedb

SHA512
da969b2410957590282f17bab4b6a80d558c8caed097f9970ae75cb8560d32f802ad8e188b37ec93f9e22c1ec5f9b8c0fc493ea602d407c634fbcd2020440cf4

Download Submit
C:\Windows\System\maRlTWI.exe

Filesize
5.2MB

MD5
9c885f2fef0ab9dad9bb9c8c79faaa0a

SHA1
b80045f46f0655a39ba512a1be5cd7ba06db81fd

SHA256
d40c10a7898eafa62230182e9b10d9e1e915d9785c5b6332a3d3ab5524b5da6c

SHA512
43f477f55f88a50610372dd6e6f95d9593297393a9fbcbd2d75c776efd0748f72cfc6abe5f3e0de24f9e3ad214f3dcccc74c015d9b34bd8310b85777efee21e5

Download Submit
C:\Windows\System\ngTUmJz.exe

Filesize
5.2MB

MD5
716c74ee6826364ce5a92fbf3d24a391

SHA1
aca40104d3fa8364ca977a3903bb8c8fe1c06cc8

SHA256
cf8b5232f444c3c479b19d69ea4b64f4aa6d8a075e0149d03f19fc91fd30d99d

SHA512
8a3fa719cfbd6b3d955937c7ad9a50fa4555b3f412329df9126a0a648cf1798810bcd4229b39e12db2b9acf3eb30f85c605c40549c93602882777ebd32ae2e0f

Download Submit
C:\Windows\System\pJSmVHx.exe

Filesize
5.2MB

MD5
59e7f5dd7cede13a24c75c8496b0f307

SHA1
0b218a0bc071a849f00310d61ad1488203fb3052

SHA256
e2a8211d766581159800dcf996bc8d848dc0bba6a2ed48369e941f826735d775

SHA512
962e6ab79788dfe3b9965579311e4bb1d4ef654d732aa746a5ee8c295bb16dccd4a91c20f5da7dd0dff401ad7582bda5093f6e5691664231f1e1263351e4a7e7

Download Submit
C:\Windows\System\sCMSPHm.exe

Filesize
5.2MB

MD5
3706058f8b1a448cbcf0e15a0a2091f1

SHA1
a3a8510a4d37f7e484613ae4e3c91f66daa4420f

SHA256
377270e77e819ccf23385bc6f92b047eeba7b92a92dcac622acab9902e5e05fb

SHA512
cd3f146db1ffae7605b665b6ffaa324160a711cccaa119738731067a390e9976fb4b20a1b9fe9055c85d4907ba30f122bb8dd41d8cf6e3e968675d3f188146d3

Download Submit
C:\Windows\System\zwfcCBs.exe

Filesize
5.2MB

MD5
66822ba5d9d66b0746fe8ed126120b44

SHA1
5cb75cc301ccd31c2791f033158727cce82062d1

SHA256
972a6436f8e3cf79ecb78e4eb0f745ed6b2dc99a75fb63ef46e48b801a7bbbfb

SHA512
e1f693ac3ad39e77e13d2e440d8f158ee2a91266dc50d5a135ed72f9d802f77de0723a5ff8bd865cffab966335af8c0be78c29abe35ceba61ec95c0d4d58f14f

Download Submit
memory/412-109-0x00007FF7DC8F0000-0x00007FF7DCC41000-memory.dmp

Filesize
3.3MB

Download
memory/412-32-0x00007FF7DC8F0000-0x00007FF7DCC41000-memory.dmp

Filesize
3.3MB

Download
memory/412-231-0x00007FF7DC8F0000-0x00007FF7DCC41000-memory.dmp

Filesize
3.3MB

Download
memory/684-233-0x00007FF798A00000-0x00007FF798D51000-memory.dmp

Filesize
3.3MB

Download
memory/684-70-0x00007FF798A00000-0x00007FF798D51000-memory.dmp

Filesize
3.3MB

Download
memory/756-103-0x00007FF7E6FF0000-0x00007FF7E7341000-memory.dmp

Filesize
3.3MB

Download
memory/756-259-0x00007FF7E6FF0000-0x00007FF7E7341000-memory.dmp

Filesize
3.3MB

Download
memory/1120-150-0x00007FF6602F0000-0x00007FF660641000-memory.dmp

Filesize
3.3MB

Download
memory/1120-269-0x00007FF6602F0000-0x00007FF660641000-memory.dmp

Filesize
3.3MB

Download
memory/1216-243-0x00007FF7640A0000-0x00007FF7643F1000-memory.dmp

Filesize
3.3MB

Download
memory/1216-69-0x00007FF7640A0000-0x00007FF7643F1000-memory.dmp

Filesize
3.3MB

Download
memory/1216-148-0x00007FF7640A0000-0x00007FF7643F1000-memory.dmp

Filesize
3.3MB

Download
memory/1252-214-0x00007FF6187B0000-0x00007FF618B01000-memory.dmp

Filesize
3.3MB

Download
memory/1252-97-0x00007FF6187B0000-0x00007FF618B01000-memory.dmp

Filesize
3.3MB

Download
memory/1252-9-0x00007FF6187B0000-0x00007FF618B01000-memory.dmp

Filesize
3.3MB

Download
memory/1652-238-0x00007FF66A3D0000-0x00007FF66A721000-memory.dmp

Filesize
3.3MB

Download
memory/1652-73-0x00007FF66A3D0000-0x00007FF66A721000-memory.dmp

Filesize
3.3MB

Download
memory/1788-126-0x00007FF65D9C0000-0x00007FF65DD11000-memory.dmp

Filesize
3.3MB

Download
memory/1788-60-0x00007FF65D9C0000-0x00007FF65DD11000-memory.dmp

Filesize
3.3MB

Download
memory/1788-230-0x00007FF65D9C0000-0x00007FF65DD11000-memory.dmp

Filesize
3.3MB

Download
memory/2080-120-0x00007FF6B87F0000-0x00007FF6B8B41000-memory.dmp

Filesize
3.3MB

Download
memory/2080-225-0x00007FF6B87F0000-0x00007FF6B8B41000-memory.dmp

Filesize
3.3MB

Download
memory/2080-25-0x00007FF6B87F0000-0x00007FF6B8B41000-memory.dmp

Filesize
3.3MB

Download
memory/2256-240-0x00007FF7289C0000-0x00007FF728D11000-memory.dmp

Filesize
3.3MB

Download
memory/2256-66-0x00007FF7289C0000-0x00007FF728D11000-memory.dmp

Filesize
3.3MB

Download
memory/2456-264-0x00007FF729BF0000-0x00007FF729F41000-memory.dmp

Filesize
3.3MB

Download
memory/2456-133-0x00007FF729BF0000-0x00007FF729F41000-memory.dmp

Filesize
3.3MB

Download
memory/2888-223-0x00007FF6ABC40000-0x00007FF6ABF91000-memory.dmp

Filesize
3.3MB

Download
memory/2888-99-0x00007FF6ABC40000-0x00007FF6ABF91000-memory.dmp

Filesize
3.3MB

Download
memory/2888-19-0x00007FF6ABC40000-0x00007FF6ABF91000-memory.dmp

Filesize
3.3MB

Download
memory/2976-111-0x00007FF714710000-0x00007FF714A61000-memory.dmp

Filesize
3.3MB

Download
memory/2976-261-0x00007FF714710000-0x00007FF714A61000-memory.dmp

Filesize
3.3MB

Download
memory/2976-156-0x00007FF714710000-0x00007FF714A61000-memory.dmp

Filesize
3.3MB

Download
memory/3352-250-0x00007FF785320000-0x00007FF785671000-memory.dmp

Filesize
3.3MB

Download
memory/3352-151-0x00007FF785320000-0x00007FF785671000-memory.dmp

Filesize
3.3MB

Download
memory/3352-85-0x00007FF785320000-0x00007FF785671000-memory.dmp

Filesize
3.3MB

Download
memory/3380-235-0x00007FF683240000-0x00007FF683591000-memory.dmp

Filesize
3.3MB

Download
memory/3380-43-0x00007FF683240000-0x00007FF683591000-memory.dmp

Filesize
3.3MB

Download
memory/3380-110-0x00007FF683240000-0x00007FF683591000-memory.dmp

Filesize
3.3MB

Download
memory/3460-161-0x00007FF7637D0000-0x00007FF763B21000-memory.dmp

Filesize
3.3MB

Download
memory/3460-265-0x00007FF7637D0000-0x00007FF763B21000-memory.dmp

Filesize
3.3MB

Download
memory/3460-119-0x00007FF7637D0000-0x00007FF763B21000-memory.dmp

Filesize
3.3MB

Download
memory/3832-267-0x00007FF7B7820000-0x00007FF7B7B71000-memory.dmp

Filesize
3.3MB

Download
memory/3832-149-0x00007FF7B7820000-0x00007FF7B7B71000-memory.dmp

Filesize
3.3MB

Download
memory/3924-227-0x00007FF790FA0000-0x00007FF7912F1000-memory.dmp

Filesize
3.3MB

Download
memory/3924-23-0x00007FF790FA0000-0x00007FF7912F1000-memory.dmp

Filesize
3.3MB

Download
memory/3924-108-0x00007FF790FA0000-0x00007FF7912F1000-memory.dmp

Filesize
3.3MB

Download
memory/3956-147-0x00007FF78C7C0000-0x00007FF78CB11000-memory.dmp

Filesize
3.3MB

Download
memory/3956-78-0x00007FF78C7C0000-0x00007FF78CB11000-memory.dmp

Filesize
3.3MB

Download
memory/3956-249-0x00007FF78C7C0000-0x00007FF78CB11000-memory.dmp

Filesize
3.3MB

Download
memory/4232-252-0x00007FF6CFFB0000-0x00007FF6D0301000-memory.dmp

Filesize
3.3MB

Download
memory/4232-152-0x00007FF6CFFB0000-0x00007FF6D0301000-memory.dmp

Filesize
3.3MB

Download
memory/4232-90-0x00007FF6CFFB0000-0x00007FF6D0301000-memory.dmp

Filesize
3.3MB

Download
memory/4728-134-0x00007FF73C480000-0x00007FF73C7D1000-memory.dmp

Filesize
3.3MB

Download
memory/4728-162-0x00007FF73C480000-0x00007FF73C7D1000-memory.dmp

Filesize
3.3MB

Download
memory/4728-0-0x00007FF73C480000-0x00007FF73C7D1000-memory.dmp

Filesize
3.3MB

Download
memory/4728-96-0x00007FF73C480000-0x00007FF73C7D1000-memory.dmp

Filesize
3.3MB

Download
memory/4728-1-0x000001E7FABE0000-0x000001E7FABF0000-memory.dmp

Filesize
64KB

Download
memory/4928-74-0x00007FF712670000-0x00007FF7129C1000-memory.dmp

Filesize
3.3MB

Download
memory/4928-241-0x00007FF712670000-0x00007FF7129C1000-memory.dmp

Filesize
3.3MB

Download