cobaltstrike | dcea5059a7f6c904d6a2e67a69cf15e8ac685f32b104908ce558db441052faaf

Analysis

max time kernel
144s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
16-09-2024 16:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-16_63604fdbe990b36cbc4405b6b04c626c_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

63604fdbe990b36cbc4405b6b04c626c
SHA1

79f338dde435a015458b1382c797cd282b4e4cf8
SHA256

dcea5059a7f6c904d6a2e67a69cf15e8ac685f32b104908ce558db441052faaf
SHA512

6135da31b072c432a00dc83a33083b6e78b5ae29d46734528718c09f3e7ad6baf0d58547f9b593f6ad94ce53b3658d4469a18cfbcaa603ebf62988a6f4be351b
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lW:RWWBibf56utgpPFotBER/mQ32lUi

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000800000002362d-4.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023631-11.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023633-27.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023634-23.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023637-49.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023636-42.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023635-41.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023632-26.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023638-52.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023639-58.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002363a-65.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002363c-80.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002363d-79.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002363b-72.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002363f-112.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023643-120.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023644-137.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023641-133.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023642-131.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023640-130.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002363e-122.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 47 IoCs

miner

resource	yara_rule
behavioral2/memory/2896-40-0x00007FF7B6870000-0x00007FF7B6BC1000-memory.dmp	xmrig
behavioral2/memory/1908-45-0x00007FF70A8B0000-0x00007FF70AC01000-memory.dmp	xmrig
behavioral2/memory/3564-31-0x00007FF674020000-0x00007FF674371000-memory.dmp	xmrig
behavioral2/memory/2960-59-0x00007FF603870000-0x00007FF603BC1000-memory.dmp	xmrig
behavioral2/memory/4860-76-0x00007FF6E43F0000-0x00007FF6E4741000-memory.dmp	xmrig
behavioral2/memory/1496-81-0x00007FF6D7860000-0x00007FF6D7BB1000-memory.dmp	xmrig
behavioral2/memory/1536-85-0x00007FF723DC0000-0x00007FF724111000-memory.dmp	xmrig
behavioral2/memory/2332-84-0x00007FF653380000-0x00007FF6536D1000-memory.dmp	xmrig
behavioral2/memory/2960-99-0x00007FF603870000-0x00007FF603BC1000-memory.dmp	xmrig
behavioral2/memory/3564-103-0x00007FF674020000-0x00007FF674371000-memory.dmp	xmrig
behavioral2/memory/4284-141-0x00007FF68AA30000-0x00007FF68AD81000-memory.dmp	xmrig
behavioral2/memory/4804-136-0x00007FF6CFD80000-0x00007FF6D00D1000-memory.dmp	xmrig
behavioral2/memory/3448-100-0x00007FF7D5370000-0x00007FF7D56C1000-memory.dmp	xmrig
behavioral2/memory/1784-98-0x00007FF6CE0B0000-0x00007FF6CE401000-memory.dmp	xmrig
behavioral2/memory/2808-96-0x00007FF6543B0000-0x00007FF654701000-memory.dmp	xmrig
behavioral2/memory/1448-146-0x00007FF633E00000-0x00007FF634151000-memory.dmp	xmrig
behavioral2/memory/1168-144-0x00007FF687780000-0x00007FF687AD1000-memory.dmp	xmrig
behavioral2/memory/948-147-0x00007FF7E8660000-0x00007FF7E89B1000-memory.dmp	xmrig
behavioral2/memory/2720-142-0x00007FF6CD790000-0x00007FF6CDAE1000-memory.dmp	xmrig
behavioral2/memory/1496-148-0x00007FF6D7860000-0x00007FF6D7BB1000-memory.dmp	xmrig
behavioral2/memory/1460-162-0x00007FF69DF70000-0x00007FF69E2C1000-memory.dmp	xmrig
behavioral2/memory/3984-164-0x00007FF756F80000-0x00007FF7572D1000-memory.dmp	xmrig
behavioral2/memory/4988-161-0x00007FF6FF680000-0x00007FF6FF9D1000-memory.dmp	xmrig
behavioral2/memory/372-160-0x00007FF6D6DB0000-0x00007FF6D7101000-memory.dmp	xmrig
behavioral2/memory/1088-159-0x00007FF795E50000-0x00007FF7961A1000-memory.dmp	xmrig
behavioral2/memory/1496-170-0x00007FF6D7860000-0x00007FF6D7BB1000-memory.dmp	xmrig
behavioral2/memory/2332-198-0x00007FF653380000-0x00007FF6536D1000-memory.dmp	xmrig
behavioral2/memory/1536-211-0x00007FF723DC0000-0x00007FF724111000-memory.dmp	xmrig
behavioral2/memory/2896-213-0x00007FF7B6870000-0x00007FF7B6BC1000-memory.dmp	xmrig
behavioral2/memory/3564-215-0x00007FF674020000-0x00007FF674371000-memory.dmp	xmrig
behavioral2/memory/3448-217-0x00007FF7D5370000-0x00007FF7D56C1000-memory.dmp	xmrig
behavioral2/memory/2808-220-0x00007FF6543B0000-0x00007FF654701000-memory.dmp	xmrig
behavioral2/memory/1784-221-0x00007FF6CE0B0000-0x00007FF6CE401000-memory.dmp	xmrig
behavioral2/memory/1908-223-0x00007FF70A8B0000-0x00007FF70AC01000-memory.dmp	xmrig
behavioral2/memory/2960-229-0x00007FF603870000-0x00007FF603BC1000-memory.dmp	xmrig
behavioral2/memory/2720-233-0x00007FF6CD790000-0x00007FF6CDAE1000-memory.dmp	xmrig
behavioral2/memory/1168-235-0x00007FF687780000-0x00007FF687AD1000-memory.dmp	xmrig
behavioral2/memory/4860-237-0x00007FF6E43F0000-0x00007FF6E4741000-memory.dmp	xmrig
behavioral2/memory/948-239-0x00007FF7E8660000-0x00007FF7E89B1000-memory.dmp	xmrig
behavioral2/memory/1448-241-0x00007FF633E00000-0x00007FF634151000-memory.dmp	xmrig
behavioral2/memory/4804-253-0x00007FF6CFD80000-0x00007FF6D00D1000-memory.dmp	xmrig
behavioral2/memory/4284-252-0x00007FF68AA30000-0x00007FF68AD81000-memory.dmp	xmrig
behavioral2/memory/1088-261-0x00007FF795E50000-0x00007FF7961A1000-memory.dmp	xmrig
behavioral2/memory/4988-257-0x00007FF6FF680000-0x00007FF6FF9D1000-memory.dmp	xmrig
behavioral2/memory/3984-256-0x00007FF756F80000-0x00007FF7572D1000-memory.dmp	xmrig
behavioral2/memory/1460-260-0x00007FF69DF70000-0x00007FF69E2C1000-memory.dmp	xmrig
behavioral2/memory/372-263-0x00007FF6D6DB0000-0x00007FF6D7101000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2332	SdRmZsZ.exe
1536	VtXnBWF.exe
2896	CiyeecU.exe
3448	uBQyycQ.exe
3564	LsAECEJ.exe
2808	ghzQRBe.exe
1908	ogrTZEn.exe
1784	TCHwaYb.exe
2960	BTjDQIm.exe
2720	ERaQLfZ.exe
1168	geFEQaK.exe
4860	nMpfkuF.exe
948	ErZjUbE.exe
1448	gEUvmpZ.exe
1088	zzojtmE.exe
372	lkkuUcH.exe
4988	QXFMYFZ.exe
1460	gCEWxeW.exe
4804	ttophVM.exe
4284	pOEOoRa.exe
3984	wjgDckm.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1496-0-0x00007FF6D7860000-0x00007FF6D7BB1000-memory.dmp	upx
behavioral2/files/0x000800000002362d-4.dat	upx
behavioral2/memory/2332-8-0x00007FF653380000-0x00007FF6536D1000-memory.dmp	upx
behavioral2/files/0x0007000000023631-11.dat	upx
behavioral2/files/0x0007000000023633-27.dat	upx
behavioral2/files/0x0007000000023634-23.dat	upx
behavioral2/memory/2896-40-0x00007FF7B6870000-0x00007FF7B6BC1000-memory.dmp	upx
behavioral2/memory/1908-45-0x00007FF70A8B0000-0x00007FF70AC01000-memory.dmp	upx
behavioral2/files/0x0007000000023637-49.dat	upx
behavioral2/memory/1784-48-0x00007FF6CE0B0000-0x00007FF6CE401000-memory.dmp	upx
behavioral2/memory/2808-47-0x00007FF6543B0000-0x00007FF654701000-memory.dmp	upx
behavioral2/files/0x0007000000023636-42.dat	upx
behavioral2/files/0x0007000000023635-41.dat	upx
behavioral2/memory/3564-31-0x00007FF674020000-0x00007FF674371000-memory.dmp	upx
behavioral2/files/0x0007000000023632-26.dat	upx
behavioral2/memory/3448-25-0x00007FF7D5370000-0x00007FF7D56C1000-memory.dmp	upx
behavioral2/memory/1536-21-0x00007FF723DC0000-0x00007FF724111000-memory.dmp	upx
behavioral2/files/0x0007000000023638-52.dat	upx
behavioral2/files/0x0007000000023639-58.dat	upx
behavioral2/memory/2960-59-0x00007FF603870000-0x00007FF603BC1000-memory.dmp	upx
behavioral2/files/0x000700000002363a-65.dat	upx
behavioral2/memory/1168-67-0x00007FF687780000-0x00007FF687AD1000-memory.dmp	upx
behavioral2/memory/4860-76-0x00007FF6E43F0000-0x00007FF6E4741000-memory.dmp	upx
behavioral2/memory/1496-81-0x00007FF6D7860000-0x00007FF6D7BB1000-memory.dmp	upx
behavioral2/memory/948-82-0x00007FF7E8660000-0x00007FF7E89B1000-memory.dmp	upx
behavioral2/memory/1536-85-0x00007FF723DC0000-0x00007FF724111000-memory.dmp	upx
behavioral2/memory/2332-84-0x00007FF653380000-0x00007FF6536D1000-memory.dmp	upx
behavioral2/memory/1448-83-0x00007FF633E00000-0x00007FF634151000-memory.dmp	upx
behavioral2/files/0x000700000002363c-80.dat	upx
behavioral2/files/0x000700000002363d-79.dat	upx
behavioral2/files/0x000700000002363b-72.dat	upx
behavioral2/memory/2720-62-0x00007FF6CD790000-0x00007FF6CDAE1000-memory.dmp	upx
behavioral2/memory/2960-99-0x00007FF603870000-0x00007FF603BC1000-memory.dmp	upx
behavioral2/memory/3564-103-0x00007FF674020000-0x00007FF674371000-memory.dmp	upx
behavioral2/files/0x000700000002363f-112.dat	upx
behavioral2/files/0x0007000000023643-120.dat	upx
behavioral2/memory/4988-132-0x00007FF6FF680000-0x00007FF6FF9D1000-memory.dmp	upx
behavioral2/memory/1460-135-0x00007FF69DF70000-0x00007FF69E2C1000-memory.dmp	upx
behavioral2/memory/3984-140-0x00007FF756F80000-0x00007FF7572D1000-memory.dmp	upx
behavioral2/memory/4284-141-0x00007FF68AA30000-0x00007FF68AD81000-memory.dmp	upx
behavioral2/files/0x0007000000023644-137.dat	upx
behavioral2/memory/4804-136-0x00007FF6CFD80000-0x00007FF6D00D1000-memory.dmp	upx
behavioral2/files/0x0007000000023641-133.dat	upx
behavioral2/files/0x0007000000023642-131.dat	upx
behavioral2/files/0x0007000000023640-130.dat	upx
behavioral2/memory/372-128-0x00007FF6D6DB0000-0x00007FF6D7101000-memory.dmp	upx
behavioral2/memory/1088-126-0x00007FF795E50000-0x00007FF7961A1000-memory.dmp	upx
behavioral2/files/0x000700000002363e-122.dat	upx
behavioral2/memory/3448-100-0x00007FF7D5370000-0x00007FF7D56C1000-memory.dmp	upx
behavioral2/memory/1784-98-0x00007FF6CE0B0000-0x00007FF6CE401000-memory.dmp	upx
behavioral2/memory/2808-96-0x00007FF6543B0000-0x00007FF654701000-memory.dmp	upx
behavioral2/memory/1448-146-0x00007FF633E00000-0x00007FF634151000-memory.dmp	upx
behavioral2/memory/1168-144-0x00007FF687780000-0x00007FF687AD1000-memory.dmp	upx
behavioral2/memory/948-147-0x00007FF7E8660000-0x00007FF7E89B1000-memory.dmp	upx
behavioral2/memory/2720-142-0x00007FF6CD790000-0x00007FF6CDAE1000-memory.dmp	upx
behavioral2/memory/1496-148-0x00007FF6D7860000-0x00007FF6D7BB1000-memory.dmp	upx
behavioral2/memory/1460-162-0x00007FF69DF70000-0x00007FF69E2C1000-memory.dmp	upx
behavioral2/memory/3984-164-0x00007FF756F80000-0x00007FF7572D1000-memory.dmp	upx
behavioral2/memory/4988-161-0x00007FF6FF680000-0x00007FF6FF9D1000-memory.dmp	upx
behavioral2/memory/372-160-0x00007FF6D6DB0000-0x00007FF6D7101000-memory.dmp	upx
behavioral2/memory/1088-159-0x00007FF795E50000-0x00007FF7961A1000-memory.dmp	upx
behavioral2/memory/1496-170-0x00007FF6D7860000-0x00007FF6D7BB1000-memory.dmp	upx
behavioral2/memory/2332-198-0x00007FF653380000-0x00007FF6536D1000-memory.dmp	upx
behavioral2/memory/1536-211-0x00007FF723DC0000-0x00007FF724111000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\ERaQLfZ.exe	2024-09-16_63604fdbe990b36cbc4405b6b04c626c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gEUvmpZ.exe	2024-09-16_63604fdbe990b36cbc4405b6b04c626c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VtXnBWF.exe	2024-09-16_63604fdbe990b36cbc4405b6b04c626c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CiyeecU.exe	2024-09-16_63604fdbe990b36cbc4405b6b04c626c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LsAECEJ.exe	2024-09-16_63604fdbe990b36cbc4405b6b04c626c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ghzQRBe.exe	2024-09-16_63604fdbe990b36cbc4405b6b04c626c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ogrTZEn.exe	2024-09-16_63604fdbe990b36cbc4405b6b04c626c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TCHwaYb.exe	2024-09-16_63604fdbe990b36cbc4405b6b04c626c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zzojtmE.exe	2024-09-16_63604fdbe990b36cbc4405b6b04c626c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gCEWxeW.exe	2024-09-16_63604fdbe990b36cbc4405b6b04c626c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SdRmZsZ.exe	2024-09-16_63604fdbe990b36cbc4405b6b04c626c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BTjDQIm.exe	2024-09-16_63604fdbe990b36cbc4405b6b04c626c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lkkuUcH.exe	2024-09-16_63604fdbe990b36cbc4405b6b04c626c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QXFMYFZ.exe	2024-09-16_63604fdbe990b36cbc4405b6b04c626c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wjgDckm.exe	2024-09-16_63604fdbe990b36cbc4405b6b04c626c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uBQyycQ.exe	2024-09-16_63604fdbe990b36cbc4405b6b04c626c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\geFEQaK.exe	2024-09-16_63604fdbe990b36cbc4405b6b04c626c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nMpfkuF.exe	2024-09-16_63604fdbe990b36cbc4405b6b04c626c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ErZjUbE.exe	2024-09-16_63604fdbe990b36cbc4405b6b04c626c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ttophVM.exe	2024-09-16_63604fdbe990b36cbc4405b6b04c626c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pOEOoRa.exe	2024-09-16_63604fdbe990b36cbc4405b6b04c626c_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1496	2024-09-16_63604fdbe990b36cbc4405b6b04c626c_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	1496	2024-09-16_63604fdbe990b36cbc4405b6b04c626c_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1496 wrote to memory of 2332	1496	2024-09-16_63604fdbe990b36cbc4405b6b04c626c_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1496 wrote to memory of 2332	1496	2024-09-16_63604fdbe990b36cbc4405b6b04c626c_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1496 wrote to memory of 1536	1496	2024-09-16_63604fdbe990b36cbc4405b6b04c626c_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1496 wrote to memory of 1536	1496	2024-09-16_63604fdbe990b36cbc4405b6b04c626c_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1496 wrote to memory of 2896	1496	2024-09-16_63604fdbe990b36cbc4405b6b04c626c_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1496 wrote to memory of 2896	1496	2024-09-16_63604fdbe990b36cbc4405b6b04c626c_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1496 wrote to memory of 3448	1496	2024-09-16_63604fdbe990b36cbc4405b6b04c626c_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1496 wrote to memory of 3448	1496	2024-09-16_63604fdbe990b36cbc4405b6b04c626c_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1496 wrote to memory of 3564	1496	2024-09-16_63604fdbe990b36cbc4405b6b04c626c_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 1496 wrote to memory of 3564	1496	2024-09-16_63604fdbe990b36cbc4405b6b04c626c_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 1496 wrote to memory of 2808	1496	2024-09-16_63604fdbe990b36cbc4405b6b04c626c_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1496 wrote to memory of 2808	1496	2024-09-16_63604fdbe990b36cbc4405b6b04c626c_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1496 wrote to memory of 1908	1496	2024-09-16_63604fdbe990b36cbc4405b6b04c626c_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1496 wrote to memory of 1908	1496	2024-09-16_63604fdbe990b36cbc4405b6b04c626c_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1496 wrote to memory of 1784	1496	2024-09-16_63604fdbe990b36cbc4405b6b04c626c_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 1496 wrote to memory of 1784	1496	2024-09-16_63604fdbe990b36cbc4405b6b04c626c_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 1496 wrote to memory of 2960	1496	2024-09-16_63604fdbe990b36cbc4405b6b04c626c_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1496 wrote to memory of 2960	1496	2024-09-16_63604fdbe990b36cbc4405b6b04c626c_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1496 wrote to memory of 2720	1496	2024-09-16_63604fdbe990b36cbc4405b6b04c626c_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1496 wrote to memory of 2720	1496	2024-09-16_63604fdbe990b36cbc4405b6b04c626c_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1496 wrote to memory of 1168	1496	2024-09-16_63604fdbe990b36cbc4405b6b04c626c_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1496 wrote to memory of 1168	1496	2024-09-16_63604fdbe990b36cbc4405b6b04c626c_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1496 wrote to memory of 4860	1496	2024-09-16_63604fdbe990b36cbc4405b6b04c626c_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 1496 wrote to memory of 4860	1496	2024-09-16_63604fdbe990b36cbc4405b6b04c626c_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 1496 wrote to memory of 1448	1496	2024-09-16_63604fdbe990b36cbc4405b6b04c626c_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 1496 wrote to memory of 1448	1496	2024-09-16_63604fdbe990b36cbc4405b6b04c626c_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 1496 wrote to memory of 948	1496	2024-09-16_63604fdbe990b36cbc4405b6b04c626c_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 1496 wrote to memory of 948	1496	2024-09-16_63604fdbe990b36cbc4405b6b04c626c_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 1496 wrote to memory of 4804	1496	2024-09-16_63604fdbe990b36cbc4405b6b04c626c_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 1496 wrote to memory of 4804	1496	2024-09-16_63604fdbe990b36cbc4405b6b04c626c_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 1496 wrote to memory of 1088	1496	2024-09-16_63604fdbe990b36cbc4405b6b04c626c_cobalt-strike_cobaltstrike_poet-rat.exe	108
PID 1496 wrote to memory of 1088	1496	2024-09-16_63604fdbe990b36cbc4405b6b04c626c_cobalt-strike_cobaltstrike_poet-rat.exe	108
PID 1496 wrote to memory of 372	1496	2024-09-16_63604fdbe990b36cbc4405b6b04c626c_cobalt-strike_cobaltstrike_poet-rat.exe	109
PID 1496 wrote to memory of 372	1496	2024-09-16_63604fdbe990b36cbc4405b6b04c626c_cobalt-strike_cobaltstrike_poet-rat.exe	109
PID 1496 wrote to memory of 4988	1496	2024-09-16_63604fdbe990b36cbc4405b6b04c626c_cobalt-strike_cobaltstrike_poet-rat.exe	110
PID 1496 wrote to memory of 4988	1496	2024-09-16_63604fdbe990b36cbc4405b6b04c626c_cobalt-strike_cobaltstrike_poet-rat.exe	110
PID 1496 wrote to memory of 1460	1496	2024-09-16_63604fdbe990b36cbc4405b6b04c626c_cobalt-strike_cobaltstrike_poet-rat.exe	111
PID 1496 wrote to memory of 1460	1496	2024-09-16_63604fdbe990b36cbc4405b6b04c626c_cobalt-strike_cobaltstrike_poet-rat.exe	111
PID 1496 wrote to memory of 4284	1496	2024-09-16_63604fdbe990b36cbc4405b6b04c626c_cobalt-strike_cobaltstrike_poet-rat.exe	112
PID 1496 wrote to memory of 4284	1496	2024-09-16_63604fdbe990b36cbc4405b6b04c626c_cobalt-strike_cobaltstrike_poet-rat.exe	112
PID 1496 wrote to memory of 3984	1496	2024-09-16_63604fdbe990b36cbc4405b6b04c626c_cobalt-strike_cobaltstrike_poet-rat.exe	113
PID 1496 wrote to memory of 3984	1496	2024-09-16_63604fdbe990b36cbc4405b6b04c626c_cobalt-strike_cobaltstrike_poet-rat.exe	113

C:\Users\Admin\AppData\Local\Temp\2024-09-16_63604fdbe990b36cbc4405b6b04c626c_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-16_63604fdbe990b36cbc4405b6b04c626c_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1496
- C:\Windows\System\SdRmZsZ.exe
  C:\Windows\System\SdRmZsZ.exe
  2⤵
  - Executes dropped EXE
  PID:2332
- C:\Windows\System\VtXnBWF.exe
  C:\Windows\System\VtXnBWF.exe
  2⤵
  - Executes dropped EXE
  PID:1536
- C:\Windows\System\CiyeecU.exe
  C:\Windows\System\CiyeecU.exe
  2⤵
  - Executes dropped EXE
  PID:2896
- C:\Windows\System\uBQyycQ.exe
  C:\Windows\System\uBQyycQ.exe
  2⤵
  - Executes dropped EXE
  PID:3448
- C:\Windows\System\LsAECEJ.exe
  C:\Windows\System\LsAECEJ.exe
  2⤵
  - Executes dropped EXE
  PID:3564
- C:\Windows\System\ghzQRBe.exe
  C:\Windows\System\ghzQRBe.exe
  2⤵
  - Executes dropped EXE
  PID:2808
- C:\Windows\System\ogrTZEn.exe
  C:\Windows\System\ogrTZEn.exe
  2⤵
  - Executes dropped EXE
  PID:1908
- C:\Windows\System\TCHwaYb.exe
  C:\Windows\System\TCHwaYb.exe
  2⤵
  - Executes dropped EXE
  PID:1784
- C:\Windows\System\BTjDQIm.exe
  C:\Windows\System\BTjDQIm.exe
  2⤵
  - Executes dropped EXE
  PID:2960
- C:\Windows\System\ERaQLfZ.exe
  C:\Windows\System\ERaQLfZ.exe
  2⤵
  - Executes dropped EXE
  PID:2720
- C:\Windows\System\geFEQaK.exe
  C:\Windows\System\geFEQaK.exe
  2⤵
  - Executes dropped EXE
  PID:1168
- C:\Windows\System\nMpfkuF.exe
  C:\Windows\System\nMpfkuF.exe
  2⤵
  - Executes dropped EXE
  PID:4860
- C:\Windows\System\gEUvmpZ.exe
  C:\Windows\System\gEUvmpZ.exe
  2⤵
  - Executes dropped EXE
  PID:1448
- C:\Windows\System\ErZjUbE.exe
  C:\Windows\System\ErZjUbE.exe
  2⤵
  - Executes dropped EXE
  PID:948
- C:\Windows\System\ttophVM.exe
  C:\Windows\System\ttophVM.exe
  2⤵
  - Executes dropped EXE
  PID:4804
- C:\Windows\System\zzojtmE.exe
  C:\Windows\System\zzojtmE.exe
  2⤵
  - Executes dropped EXE
  PID:1088
- C:\Windows\System\lkkuUcH.exe
  C:\Windows\System\lkkuUcH.exe
  2⤵
  - Executes dropped EXE
  PID:372
- C:\Windows\System\QXFMYFZ.exe
  C:\Windows\System\QXFMYFZ.exe
  2⤵
  - Executes dropped EXE
  PID:4988
- C:\Windows\System\gCEWxeW.exe
  C:\Windows\System\gCEWxeW.exe
  2⤵
  - Executes dropped EXE
  PID:1460
- C:\Windows\System\pOEOoRa.exe
  C:\Windows\System\pOEOoRa.exe
  2⤵
  - Executes dropped EXE
  PID:4284
- C:\Windows\System\wjgDckm.exe
  C:\Windows\System\wjgDckm.exe
  2⤵
  - Executes dropped EXE
  PID:3984

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4336,i,16316361669272684588,6171287487746154806,262144 --variations-seed-version --mojo-platform-channel-handle=3776 /prefetch:8
1⤵
PID:228

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BTjDQIm.exe

Filesize
5.2MB

MD5
d404a0e859aeb32dddb132b39bead158

SHA1
9afa26224f4e08e6f18302a215872cedd7f2a4e9

SHA256
970493ce7e8db3d054c4370545c6a84e5d283431f0fd43a2628b84e99fd25ef1

SHA512
b77e072b1db55e54e8eedf9bf431353de3afdb5d09f40c614af3919fba9c99bfedaa55be4e5aaff86eaaeb4db8445af4c6472760943915de24739ee9c50a18dd

Download Submit
C:\Windows\System\CiyeecU.exe

Filesize
5.2MB

MD5
d913e1ca2484520e6786740ba01a448a

SHA1
b1f80fe008ecca43e16bb395d0cfa61dcc7a6c34

SHA256
8ae6a34e9d12b1be39db696b270e3800de9aa1822f13625c9da39f37886b2913

SHA512
37ddde53ca51f7414a3cead34bdab7c6c2579261022ca1975fa10aa5fe9e75bfb8a15221e1bd020c4b9d5dfdf64af51b5c6632b20ca434469b477d2a0765eafa

Download Submit
C:\Windows\System\ERaQLfZ.exe

Filesize
5.2MB

MD5
484a029750d59b7a734bad1ae15c5df1

SHA1
1beda6a6f104aef4a7047a636cfd4dae3a30e31e

SHA256
e1887644709e32c3a5768b72d02c2e0666e0df0a74e0b61ee008afbb539b0bf8

SHA512
fdbba8397bc262d1327e6d94970b06e1cd2a28004e2bf3e42428f265cde36a94fc5961a774309ab51f5455383cc6746cf05b56722d9b7301c7e04080ca572f2f

Download Submit
C:\Windows\System\ErZjUbE.exe

Filesize
5.2MB

MD5
e60b5fe8af039bd7cec2177ad42e012b

SHA1
23824901f3b654574a327fe33e9f01e236ee1583

SHA256
91ba79e38d1822a3e9303189bf6f65f040f2984fd065135641f3477d983bfcf3

SHA512
8d29058352bec43b12b147193ae073fe52cda6749bfa5684c3994a337517013161d1f474cececa52c7708552d29b927bf6ec26bb95cd6b67b90587227c0fd8c3

Download Submit
C:\Windows\System\LsAECEJ.exe

Filesize
5.2MB

MD5
e87e1f3f5e400ab5c92257b7da6bd2ee

SHA1
c50a2e220b245a6a0a550d5c822c45d4e21fb2e8

SHA256
b94900ebe32c0f1116822ecff9187a1f77114caf9f2fbaf7d36fa90f456d3f72

SHA512
2c4be84e906591688f3d6a28c8cd4117297a6e0e497b855831e3e8c69318de74564664149d222b4b3005bfbe7e989cabdd23dc7c81a8e0c157758fbfd6a091c7

Download Submit
C:\Windows\System\QXFMYFZ.exe

Filesize
5.2MB

MD5
8f142501d1112c1ef5119eff2792daa8

SHA1
312e6545621f9c5b4219e964aff8e6d187c6bcbc

SHA256
2dcb2485b5d75e6c1320f126f35bbe8b12a3a5095983e1f53f05aa62d20a5616

SHA512
4ddab9b8be2689a57f1f40b204c33e142769bea9013a818de3ddebe99b229ec2c650849016ab8087504a5a7b0a6e6b8e0d2db3e0dd8662bbc329f061412b88bf

Download Submit
C:\Windows\System\SdRmZsZ.exe

Filesize
5.2MB

MD5
ef2dc8834c2d40f29427dfe22731a3d0

SHA1
d1a0284f85d3dda961151e921c127546778aa338

SHA256
cbfe3999baab10c08ab4f4dff56979d72d309529a7dea9862222caf964dd8639

SHA512
d2fbc13295e9cba3740a36807a62e5f9284af5501064d07a4c1276f0906b59df17cdd70f02e86539cb102e4d00912cb5c1c4ce6910c9fdcfab4b8553fefd5520

Download Submit
C:\Windows\System\TCHwaYb.exe

Filesize
5.2MB

MD5
6aeba52c66d1dfed97b4cb1a36171767

SHA1
1e80af01712cef26818e32c749c554e7b222cd1e

SHA256
18ac6eac8db81414fe0da9b38eea879e0ce9de76110643e28ff9386e34120106

SHA512
a0a8a7a4d3e4c6166c06a591df82927ae96c75b170d803215793875ea2512be350772026b78527144168dea5eac27a92e6b5d1195307ca8cf9fe6ebb7746cb0d

Download Submit
C:\Windows\System\VtXnBWF.exe

Filesize
5.2MB

MD5
a4e6f99f4941b03d4827ac6e7f393ef1

SHA1
4efbbc00eaed113f456dfdc7ebac4f6c34b47367

SHA256
d241f7512974842f91dc6f4603144e00bdd3afa8b000cf5d8ecc55d8cb0991f3

SHA512
f2389ccec7cfb1a78e1d4eea670ee995bbf67060c88c4c92814b5bc6fb8911fbffc46dbe3a8f6ede18fae8a1fb0d2f13f390723e738e77edb5f0bf8459a8aca1

Download Submit
C:\Windows\System\gCEWxeW.exe

Filesize
5.2MB

MD5
0d0e1bce5c966cd658f011401973418d

SHA1
dfdce231284ee0dccbf8a1c93bdbacf3fa70a91a

SHA256
536f3883e7141a58ac6fa2e8533a9a3ba3663e8076886e6c0a74b059afaaf3e9

SHA512
45670cdae1eeb9f8551592870928a10232bfc968fe8e6c02f02fdac32c703676f9aa2807a500134021beb405a1f90e7acf121633656feedab0efbd91727f8cc3

Download Submit
C:\Windows\System\gEUvmpZ.exe

Filesize
5.2MB

MD5
c5dd45277a75e179135cc9cb26cd2152

SHA1
eeb90b1d9a25f16127c5faafad8b1891bd3e5b1b

SHA256
8a55264e8adde04b4aaad56e6c7aacf5289166d8d5ab9a1edf4d439c31b11914

SHA512
d3817876aba5e9932b1bd11b51765d4f188512ccdfcb082a743a602b0a78dd84cee05a089f2a77884b687190207465ce3c761250b82a9fb219607408d9b8b06b

Download Submit
C:\Windows\System\geFEQaK.exe

Filesize
5.2MB

MD5
25c80dcb9c4305fcf863a72f93c01a9b

SHA1
16e9c182a084ae6dae7847adea464b1c60929ab1

SHA256
a6315c3c6c3704afbba59664b15a1e84a635e0c8d1476b5da1bcadadd8d663c0

SHA512
7a0fbd631dabd00a8fd284f2170506ae12a6885b9f31da474c106daa7ea9743673f7fe001c64d0cb12ca4f5fd86ddf27f02543d2d8e084a5d4796b2fec51f63c

Download Submit
C:\Windows\System\ghzQRBe.exe

Filesize
5.2MB

MD5
4606396ee60deeb813d4ec77ec5cbbfc

SHA1
ea843b44777ad5349723a749bf29462469d4c513

SHA256
54465449c6349131b7236168872053a53667647a0b476714bd53edf7e952ac44

SHA512
535e6cbb16105d12bbf54c4e6c8898dc0aea4c6208668106aa16ed6a97167c748f1fee0adcc7c6e68368b7e54fb66d7cee7f8b2f8488466ec573b2c3de88da4a

Download Submit
C:\Windows\System\lkkuUcH.exe

Filesize
5.2MB

MD5
a3b5b119b6c3f913d213a1c79e00392d

SHA1
eba757aa0848ffa6c47b9cd28fb711db3ed245a5

SHA256
13ced65238524edf49cd5080a756ffbdb167c4e5b26b5982d3a383a6533bf44b

SHA512
6430b0c85093e4c13227c33b67cf83af9ee5d7b36ca9f325ccd96253f6f6c7ca5500bf0df6e0a4287b6b5e08456aa8657b416b77794baf77cb4ba3d6686a31db

Download Submit
C:\Windows\System\nMpfkuF.exe

Filesize
5.2MB

MD5
fc330ac62601259393b8e2236cd774f6

SHA1
315da3e27397f747061ef3d5d56a1a7542b22f1d

SHA256
472ac2545bb5a858953ccf7da2f8dc7aeb8a16766c86cdf1ff651bd37e76e92c

SHA512
f8bcc44bd40e26b1a30917e34ac1a6b3bc575f6447cc34a40a4e657a1b1616188458ede7b1dfb69c0ddfe5be7cb7518d8e289b59bba36028cde7a60faff9722c

Download Submit
C:\Windows\System\ogrTZEn.exe

Filesize
5.2MB

MD5
afa2a20b5e09cd2a0583b0d22c351d67

SHA1
2242dde696640dcd5ab973fa361a519f22374e02

SHA256
7e0985b0ff86acb2d5125483aea9d77ed80186fe78d1b8e0dc7a12322a768f8f

SHA512
3c6839a4394feb99ecd73b014e0d48386121c2c0ea6d8d29fffbce1d56633ec259bd3f66eb4f5d71f96af3f31710b1dc7541d19dbf07fcedf4697d8f7fd1ddf2

Download Submit
C:\Windows\System\pOEOoRa.exe

Filesize
5.2MB

MD5
64667cb277af6d6baf6c8ebdb511c3e3

SHA1
bb36ed0cab7a7020d868dcf23421a2cc48d90674

SHA256
8cbcb88b0b181e53300be81db6ab67d21ecade5c57e9bf78e96bef41a821b3e7

SHA512
b662a577838681c4b2460906efd94b472ffc1678816bc81540caf2e5496ba65f75aa5facbbf4af523fdde4229ee8481d42cf6b9b5ae2991c9c86d6377ad3a0ab

Download Submit
C:\Windows\System\ttophVM.exe

Filesize
5.2MB

MD5
a44e94748289b5388ff784cefa1f4f7e

SHA1
2021dbeeeb429520db017a0ca461d97553c3cf8c

SHA256
335e3e2479e3d23a6322c94a7a933700829d20251092cd757c604ff7b37f278c

SHA512
a2fc2ec23039bd577295640b0394b44804ed66aa6df9dcbb5c7c61a8dc9703373383c64fa710495dc7458ea971ada70b85f00d8d7c0e1dccf0e93c92ec604132

Download Submit
C:\Windows\System\uBQyycQ.exe

Filesize
5.2MB

MD5
d14f73473d5e0375a8e3cdd182f478b6

SHA1
5cb632012b9774f5da7d18cd6fb0bf7fdccebcb5

SHA256
464c9c3939295ee24cffc9705697c833138f695aeebfdd592e274b44a535a7e0

SHA512
2cb849b46fdf5dc0537749bdd16d06875d98ade66e38375e3b258c207ea0aa410b3d17beee72b561f9e6ac402b32fce1f58428ce18fb5bc8c20acd1b9a020ef4

Download Submit
C:\Windows\System\wjgDckm.exe

Filesize
5.2MB

MD5
43cb555144136aff0d6591000f7703ba

SHA1
ad71be0c7ff7c4668a68b7a1b034694c8c2efd43

SHA256
fe133b535cb0a89e373d3c5fb52baf560bae5688a9eafdc9f399edf2a99149a6

SHA512
f5a6899cb47ff17525a8089c1df646ce500dfdf3b2e7ac1d4bef211326ca14face296fd6186d3b33bf4a5b233cf7933d17d95f61469b8e0786797fdbbc7c1808

Download Submit
C:\Windows\System\zzojtmE.exe

Filesize
5.2MB

MD5
b196f86f80f6408d1eead803587adfb6

SHA1
d207ba0a88496e51e85940b4b6550e84d9414142

SHA256
637ca4bded81cf872e754c5c1c5931a55231ad59b3cfae5ff6c8b0e7e0b483b9

SHA512
322cb75fae28d5c726d6b5ae7e0382552ca61113814e850ceda64d419f9db7579b11fb126e2f53a621da49254b232c9b67b19056b5820fa7762ba1860021d728

Download Submit
memory/372-128-0x00007FF6D6DB0000-0x00007FF6D7101000-memory.dmp

Filesize
3.3MB

Download
memory/372-160-0x00007FF6D6DB0000-0x00007FF6D7101000-memory.dmp

Filesize
3.3MB

Download
memory/372-263-0x00007FF6D6DB0000-0x00007FF6D7101000-memory.dmp

Filesize
3.3MB

Download
memory/948-147-0x00007FF7E8660000-0x00007FF7E89B1000-memory.dmp

Filesize
3.3MB

Download
memory/948-239-0x00007FF7E8660000-0x00007FF7E89B1000-memory.dmp

Filesize
3.3MB

Download
memory/948-82-0x00007FF7E8660000-0x00007FF7E89B1000-memory.dmp

Filesize
3.3MB

Download
memory/1088-126-0x00007FF795E50000-0x00007FF7961A1000-memory.dmp

Filesize
3.3MB

Download
memory/1088-159-0x00007FF795E50000-0x00007FF7961A1000-memory.dmp

Filesize
3.3MB

Download
memory/1088-261-0x00007FF795E50000-0x00007FF7961A1000-memory.dmp

Filesize
3.3MB

Download
memory/1168-67-0x00007FF687780000-0x00007FF687AD1000-memory.dmp

Filesize
3.3MB

Download
memory/1168-144-0x00007FF687780000-0x00007FF687AD1000-memory.dmp

Filesize
3.3MB

Download
memory/1168-235-0x00007FF687780000-0x00007FF687AD1000-memory.dmp

Filesize
3.3MB

Download
memory/1448-146-0x00007FF633E00000-0x00007FF634151000-memory.dmp

Filesize
3.3MB

Download
memory/1448-241-0x00007FF633E00000-0x00007FF634151000-memory.dmp

Filesize
3.3MB

Download
memory/1448-83-0x00007FF633E00000-0x00007FF634151000-memory.dmp

Filesize
3.3MB

Download
memory/1460-162-0x00007FF69DF70000-0x00007FF69E2C1000-memory.dmp

Filesize
3.3MB

Download
memory/1460-260-0x00007FF69DF70000-0x00007FF69E2C1000-memory.dmp

Filesize
3.3MB

Download
memory/1460-135-0x00007FF69DF70000-0x00007FF69E2C1000-memory.dmp

Filesize
3.3MB

Download
memory/1496-170-0x00007FF6D7860000-0x00007FF6D7BB1000-memory.dmp

Filesize
3.3MB

Download
memory/1496-81-0x00007FF6D7860000-0x00007FF6D7BB1000-memory.dmp

Filesize
3.3MB

Download
memory/1496-148-0x00007FF6D7860000-0x00007FF6D7BB1000-memory.dmp

Filesize
3.3MB

Download
memory/1496-0-0x00007FF6D7860000-0x00007FF6D7BB1000-memory.dmp

Filesize
3.3MB

Download
memory/1496-1-0x000002019D0C0000-0x000002019D0D0000-memory.dmp

Filesize
64KB

Download
memory/1536-211-0x00007FF723DC0000-0x00007FF724111000-memory.dmp

Filesize
3.3MB

Download
memory/1536-85-0x00007FF723DC0000-0x00007FF724111000-memory.dmp

Filesize
3.3MB

Download
memory/1536-21-0x00007FF723DC0000-0x00007FF724111000-memory.dmp

Filesize
3.3MB

Download
memory/1784-221-0x00007FF6CE0B0000-0x00007FF6CE401000-memory.dmp

Filesize
3.3MB

Download
memory/1784-48-0x00007FF6CE0B0000-0x00007FF6CE401000-memory.dmp

Filesize
3.3MB

Download
memory/1784-98-0x00007FF6CE0B0000-0x00007FF6CE401000-memory.dmp

Filesize
3.3MB

Download
memory/1908-223-0x00007FF70A8B0000-0x00007FF70AC01000-memory.dmp

Filesize
3.3MB

Download
memory/1908-45-0x00007FF70A8B0000-0x00007FF70AC01000-memory.dmp

Filesize
3.3MB

Download
memory/2332-84-0x00007FF653380000-0x00007FF6536D1000-memory.dmp

Filesize
3.3MB

Download
memory/2332-198-0x00007FF653380000-0x00007FF6536D1000-memory.dmp

Filesize
3.3MB

Download
memory/2332-8-0x00007FF653380000-0x00007FF6536D1000-memory.dmp

Filesize
3.3MB

Download
memory/2720-62-0x00007FF6CD790000-0x00007FF6CDAE1000-memory.dmp

Filesize
3.3MB

Download
memory/2720-142-0x00007FF6CD790000-0x00007FF6CDAE1000-memory.dmp

Filesize
3.3MB

Download
memory/2720-233-0x00007FF6CD790000-0x00007FF6CDAE1000-memory.dmp

Filesize
3.3MB

Download
memory/2808-47-0x00007FF6543B0000-0x00007FF654701000-memory.dmp

Filesize
3.3MB

Download
memory/2808-96-0x00007FF6543B0000-0x00007FF654701000-memory.dmp

Filesize
3.3MB

Download
memory/2808-220-0x00007FF6543B0000-0x00007FF654701000-memory.dmp

Filesize
3.3MB

Download
memory/2896-40-0x00007FF7B6870000-0x00007FF7B6BC1000-memory.dmp

Filesize
3.3MB

Download
memory/2896-213-0x00007FF7B6870000-0x00007FF7B6BC1000-memory.dmp

Filesize
3.3MB

Download
memory/2960-59-0x00007FF603870000-0x00007FF603BC1000-memory.dmp

Filesize
3.3MB

Download
memory/2960-229-0x00007FF603870000-0x00007FF603BC1000-memory.dmp

Filesize
3.3MB

Download
memory/2960-99-0x00007FF603870000-0x00007FF603BC1000-memory.dmp

Filesize
3.3MB

Download
memory/3448-217-0x00007FF7D5370000-0x00007FF7D56C1000-memory.dmp

Filesize
3.3MB

Download
memory/3448-100-0x00007FF7D5370000-0x00007FF7D56C1000-memory.dmp

Filesize
3.3MB

Download
memory/3448-25-0x00007FF7D5370000-0x00007FF7D56C1000-memory.dmp

Filesize
3.3MB

Download
memory/3564-215-0x00007FF674020000-0x00007FF674371000-memory.dmp

Filesize
3.3MB

Download
memory/3564-31-0x00007FF674020000-0x00007FF674371000-memory.dmp

Filesize
3.3MB

Download
memory/3564-103-0x00007FF674020000-0x00007FF674371000-memory.dmp

Filesize
3.3MB

Download
memory/3984-164-0x00007FF756F80000-0x00007FF7572D1000-memory.dmp

Filesize
3.3MB

Download
memory/3984-256-0x00007FF756F80000-0x00007FF7572D1000-memory.dmp

Filesize
3.3MB

Download
memory/3984-140-0x00007FF756F80000-0x00007FF7572D1000-memory.dmp

Filesize
3.3MB

Download
memory/4284-252-0x00007FF68AA30000-0x00007FF68AD81000-memory.dmp

Filesize
3.3MB

Download
memory/4284-141-0x00007FF68AA30000-0x00007FF68AD81000-memory.dmp

Filesize
3.3MB

Download
memory/4804-136-0x00007FF6CFD80000-0x00007FF6D00D1000-memory.dmp

Filesize
3.3MB

Download
memory/4804-253-0x00007FF6CFD80000-0x00007FF6D00D1000-memory.dmp

Filesize
3.3MB

Download
memory/4860-237-0x00007FF6E43F0000-0x00007FF6E4741000-memory.dmp

Filesize
3.3MB

Download
memory/4860-76-0x00007FF6E43F0000-0x00007FF6E4741000-memory.dmp

Filesize
3.3MB

Download
memory/4988-161-0x00007FF6FF680000-0x00007FF6FF9D1000-memory.dmp

Filesize
3.3MB

Download
memory/4988-132-0x00007FF6FF680000-0x00007FF6FF9D1000-memory.dmp

Filesize
3.3MB

Download
memory/4988-257-0x00007FF6FF680000-0x00007FF6FF9D1000-memory.dmp

Filesize
3.3MB

Download