cobaltstrike | 6076562dee7842a62802cb60f690c322af1958a0102e2da8f5612c0e6c8f05a7

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17/09/2024, 07:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-17_155d32430eaba135728f1b9a1b7bc077_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

155d32430eaba135728f1b9a1b7bc077
SHA1

23680c10bfc2fa533927ac953455e43b4a9916ef
SHA256

6076562dee7842a62802cb60f690c322af1958a0102e2da8f5612c0e6c8f05a7
SHA512

3126290270683fcfc455e80e0ee5a6aa9258bbed7ce983c8289d0fab2630087ecb51b949cf5fcffbb5ac46af393e42286c5268faa4e55a55edecc83dad8479b3
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lD:RWWBibf56utgpPFotBER/mQ32lUH

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x00080000000234ce-5.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234cf-11.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d2-26.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d3-32.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d6-53.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d8-63.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d9-68.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234db-78.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234dc-89.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234e0-130.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234e1-124.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234df-118.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234de-116.dat	cobalt_reflective_dll
behavioral2/files/0x00080000000234cc-106.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234da-98.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234dd-97.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d5-59.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d7-57.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d4-40.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d1-29.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d0-23.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/5092-103-0x00007FF793FA0000-0x00007FF7942F1000-memory.dmp	xmrig
behavioral2/memory/2212-126-0x00007FF7B08E0000-0x00007FF7B0C31000-memory.dmp	xmrig
behavioral2/memory/4428-129-0x00007FF7D85D0000-0x00007FF7D8921000-memory.dmp	xmrig
behavioral2/memory/3332-128-0x00007FF79E900000-0x00007FF79EC51000-memory.dmp	xmrig
behavioral2/memory/4988-127-0x00007FF6537F0000-0x00007FF653B41000-memory.dmp	xmrig
behavioral2/memory/220-123-0x00007FF7130A0000-0x00007FF7133F1000-memory.dmp	xmrig
behavioral2/memory/548-113-0x00007FF69F4C0000-0x00007FF69F811000-memory.dmp	xmrig
behavioral2/memory/2400-96-0x00007FF7EE010000-0x00007FF7EE361000-memory.dmp	xmrig
behavioral2/memory/4504-76-0x00007FF7B9BE0000-0x00007FF7B9F31000-memory.dmp	xmrig
behavioral2/memory/1476-66-0x00007FF75AB70000-0x00007FF75AEC1000-memory.dmp	xmrig
behavioral2/memory/5000-49-0x00007FF6EBB60000-0x00007FF6EBEB1000-memory.dmp	xmrig
behavioral2/memory/1016-142-0x00007FF6BF0C0000-0x00007FF6BF411000-memory.dmp	xmrig
behavioral2/memory/2724-143-0x00007FF73FB70000-0x00007FF73FEC1000-memory.dmp	xmrig
behavioral2/memory/3680-144-0x00007FF6B4E90000-0x00007FF6B51E1000-memory.dmp	xmrig
behavioral2/memory/3540-141-0x00007FF7EC4A0000-0x00007FF7EC7F1000-memory.dmp	xmrig
behavioral2/memory/2960-140-0x00007FF780AA0000-0x00007FF780DF1000-memory.dmp	xmrig
behavioral2/memory/2084-137-0x00007FF643590000-0x00007FF6438E1000-memory.dmp	xmrig
behavioral2/memory/2540-138-0x00007FF774C00000-0x00007FF774F51000-memory.dmp	xmrig
behavioral2/memory/1476-132-0x00007FF75AB70000-0x00007FF75AEC1000-memory.dmp	xmrig
behavioral2/memory/2364-147-0x00007FF6510C0000-0x00007FF651411000-memory.dmp	xmrig
behavioral2/memory/1936-152-0x00007FF7C08E0000-0x00007FF7C0C31000-memory.dmp	xmrig
behavioral2/memory/396-148-0x00007FF668070000-0x00007FF6683C1000-memory.dmp	xmrig
behavioral2/memory/2412-153-0x00007FF6D3A90000-0x00007FF6D3DE1000-memory.dmp	xmrig
behavioral2/memory/1476-155-0x00007FF75AB70000-0x00007FF75AEC1000-memory.dmp	xmrig
behavioral2/memory/4504-206-0x00007FF7B9BE0000-0x00007FF7B9F31000-memory.dmp	xmrig
behavioral2/memory/2400-208-0x00007FF7EE010000-0x00007FF7EE361000-memory.dmp	xmrig
behavioral2/memory/3680-226-0x00007FF6B4E90000-0x00007FF6B51E1000-memory.dmp	xmrig
behavioral2/memory/2212-230-0x00007FF7B08E0000-0x00007FF7B0C31000-memory.dmp	xmrig
behavioral2/memory/2084-228-0x00007FF643590000-0x00007FF6438E1000-memory.dmp	xmrig
behavioral2/memory/2540-233-0x00007FF774C00000-0x00007FF774F51000-memory.dmp	xmrig
behavioral2/memory/1016-234-0x00007FF6BF0C0000-0x00007FF6BF411000-memory.dmp	xmrig
behavioral2/memory/5000-237-0x00007FF6EBB60000-0x00007FF6EBEB1000-memory.dmp	xmrig
behavioral2/memory/3540-240-0x00007FF7EC4A0000-0x00007FF7EC7F1000-memory.dmp	xmrig
behavioral2/memory/2960-239-0x00007FF780AA0000-0x00007FF780DF1000-memory.dmp	xmrig
behavioral2/memory/2724-242-0x00007FF73FB70000-0x00007FF73FEC1000-memory.dmp	xmrig
behavioral2/memory/220-245-0x00007FF7130A0000-0x00007FF7133F1000-memory.dmp	xmrig
behavioral2/memory/5092-246-0x00007FF793FA0000-0x00007FF7942F1000-memory.dmp	xmrig
behavioral2/memory/396-248-0x00007FF668070000-0x00007FF6683C1000-memory.dmp	xmrig
behavioral2/memory/548-252-0x00007FF69F4C0000-0x00007FF69F811000-memory.dmp	xmrig
behavioral2/memory/2364-251-0x00007FF6510C0000-0x00007FF651411000-memory.dmp	xmrig
behavioral2/memory/2412-255-0x00007FF6D3A90000-0x00007FF6D3DE1000-memory.dmp	xmrig
behavioral2/memory/3332-262-0x00007FF79E900000-0x00007FF79EC51000-memory.dmp	xmrig
behavioral2/memory/4988-259-0x00007FF6537F0000-0x00007FF653B41000-memory.dmp	xmrig
behavioral2/memory/1936-261-0x00007FF7C08E0000-0x00007FF7C0C31000-memory.dmp	xmrig
behavioral2/memory/4428-257-0x00007FF7D85D0000-0x00007FF7D8921000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4504	jiuphHs.exe
2400	uBQagKa.exe
2212	lBRaoZm.exe
3680	asblAHk.exe
2084	GzWsmfr.exe
2540	wICNbso.exe
5000	OAQeiBZ.exe
1016	leeMTiu.exe
2960	gIbdBqC.exe
3540	pYNrHTr.exe
2724	vgkeOyY.exe
5092	AxyBGti.exe
220	MXGICaJ.exe
2364	yGMUQeP.exe
396	mfUmvir.exe
548	PWLtWpN.exe
4988	YUzKkYC.exe
3332	xGopHYG.exe
1936	bSIURTj.exe
2412	omEYGdb.exe
4428	eeZvFQu.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1476-0-0x00007FF75AB70000-0x00007FF75AEC1000-memory.dmp	upx
behavioral2/files/0x00080000000234ce-5.dat	upx
behavioral2/files/0x00070000000234cf-11.dat	upx
behavioral2/memory/4504-7-0x00007FF7B9BE0000-0x00007FF7B9F31000-memory.dmp	upx
behavioral2/memory/2212-21-0x00007FF7B08E0000-0x00007FF7B0C31000-memory.dmp	upx
behavioral2/files/0x00070000000234d2-26.dat	upx
behavioral2/files/0x00070000000234d3-32.dat	upx
behavioral2/memory/2540-44-0x00007FF774C00000-0x00007FF774F51000-memory.dmp	upx
behavioral2/files/0x00070000000234d6-53.dat	upx
behavioral2/memory/3540-56-0x00007FF7EC4A0000-0x00007FF7EC7F1000-memory.dmp	upx
behavioral2/files/0x00070000000234d8-63.dat	upx
behavioral2/files/0x00070000000234d9-68.dat	upx
behavioral2/memory/2724-72-0x00007FF73FB70000-0x00007FF73FEC1000-memory.dmp	upx
behavioral2/files/0x00070000000234db-78.dat	upx
behavioral2/files/0x00070000000234dc-89.dat	upx
behavioral2/memory/5092-103-0x00007FF793FA0000-0x00007FF7942F1000-memory.dmp	upx
behavioral2/memory/396-112-0x00007FF668070000-0x00007FF6683C1000-memory.dmp	upx
behavioral2/memory/1936-120-0x00007FF7C08E0000-0x00007FF7C0C31000-memory.dmp	upx
behavioral2/memory/2212-126-0x00007FF7B08E0000-0x00007FF7B0C31000-memory.dmp	upx
behavioral2/files/0x00070000000234e0-130.dat	upx
behavioral2/memory/4428-129-0x00007FF7D85D0000-0x00007FF7D8921000-memory.dmp	upx
behavioral2/memory/3332-128-0x00007FF79E900000-0x00007FF79EC51000-memory.dmp	upx
behavioral2/memory/4988-127-0x00007FF6537F0000-0x00007FF653B41000-memory.dmp	upx
behavioral2/files/0x00070000000234e1-124.dat	upx
behavioral2/memory/220-123-0x00007FF7130A0000-0x00007FF7133F1000-memory.dmp	upx
behavioral2/memory/2412-122-0x00007FF6D3A90000-0x00007FF6D3DE1000-memory.dmp	upx
behavioral2/files/0x00070000000234df-118.dat	upx
behavioral2/files/0x00070000000234de-116.dat	upx
behavioral2/memory/548-113-0x00007FF69F4C0000-0x00007FF69F811000-memory.dmp	upx
behavioral2/files/0x00080000000234cc-106.dat	upx
behavioral2/memory/2364-104-0x00007FF6510C0000-0x00007FF651411000-memory.dmp	upx
behavioral2/files/0x00070000000234da-98.dat	upx
behavioral2/files/0x00070000000234dd-97.dat	upx
behavioral2/memory/2400-96-0x00007FF7EE010000-0x00007FF7EE361000-memory.dmp	upx
behavioral2/memory/4504-76-0x00007FF7B9BE0000-0x00007FF7B9F31000-memory.dmp	upx
behavioral2/memory/1476-66-0x00007FF75AB70000-0x00007FF75AEC1000-memory.dmp	upx
behavioral2/files/0x00070000000234d5-59.dat	upx
behavioral2/files/0x00070000000234d7-57.dat	upx
behavioral2/memory/2960-55-0x00007FF780AA0000-0x00007FF780DF1000-memory.dmp	upx
behavioral2/memory/1016-54-0x00007FF6BF0C0000-0x00007FF6BF411000-memory.dmp	upx
behavioral2/memory/5000-49-0x00007FF6EBB60000-0x00007FF6EBEB1000-memory.dmp	upx
behavioral2/files/0x00070000000234d4-40.dat	upx
behavioral2/memory/2084-36-0x00007FF643590000-0x00007FF6438E1000-memory.dmp	upx
behavioral2/files/0x00070000000234d1-29.dat	upx
behavioral2/memory/3680-25-0x00007FF6B4E90000-0x00007FF6B51E1000-memory.dmp	upx
behavioral2/files/0x00070000000234d0-23.dat	upx
behavioral2/memory/2400-18-0x00007FF7EE010000-0x00007FF7EE361000-memory.dmp	upx
behavioral2/memory/1016-142-0x00007FF6BF0C0000-0x00007FF6BF411000-memory.dmp	upx
behavioral2/memory/2724-143-0x00007FF73FB70000-0x00007FF73FEC1000-memory.dmp	upx
behavioral2/memory/3680-144-0x00007FF6B4E90000-0x00007FF6B51E1000-memory.dmp	upx
behavioral2/memory/3540-141-0x00007FF7EC4A0000-0x00007FF7EC7F1000-memory.dmp	upx
behavioral2/memory/2960-140-0x00007FF780AA0000-0x00007FF780DF1000-memory.dmp	upx
behavioral2/memory/2084-137-0x00007FF643590000-0x00007FF6438E1000-memory.dmp	upx
behavioral2/memory/2540-138-0x00007FF774C00000-0x00007FF774F51000-memory.dmp	upx
behavioral2/memory/1476-132-0x00007FF75AB70000-0x00007FF75AEC1000-memory.dmp	upx
behavioral2/memory/2364-147-0x00007FF6510C0000-0x00007FF651411000-memory.dmp	upx
behavioral2/memory/1936-152-0x00007FF7C08E0000-0x00007FF7C0C31000-memory.dmp	upx
behavioral2/memory/396-148-0x00007FF668070000-0x00007FF6683C1000-memory.dmp	upx
behavioral2/memory/2412-153-0x00007FF6D3A90000-0x00007FF6D3DE1000-memory.dmp	upx
behavioral2/memory/1476-155-0x00007FF75AB70000-0x00007FF75AEC1000-memory.dmp	upx
behavioral2/memory/4504-206-0x00007FF7B9BE0000-0x00007FF7B9F31000-memory.dmp	upx
behavioral2/memory/2400-208-0x00007FF7EE010000-0x00007FF7EE361000-memory.dmp	upx
behavioral2/memory/3680-226-0x00007FF6B4E90000-0x00007FF6B51E1000-memory.dmp	upx
behavioral2/memory/2212-230-0x00007FF7B08E0000-0x00007FF7B0C31000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\OAQeiBZ.exe	2024-09-17_155d32430eaba135728f1b9a1b7bc077_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gIbdBqC.exe	2024-09-17_155d32430eaba135728f1b9a1b7bc077_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vgkeOyY.exe	2024-09-17_155d32430eaba135728f1b9a1b7bc077_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yGMUQeP.exe	2024-09-17_155d32430eaba135728f1b9a1b7bc077_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YUzKkYC.exe	2024-09-17_155d32430eaba135728f1b9a1b7bc077_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uBQagKa.exe	2024-09-17_155d32430eaba135728f1b9a1b7bc077_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GzWsmfr.exe	2024-09-17_155d32430eaba135728f1b9a1b7bc077_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wICNbso.exe	2024-09-17_155d32430eaba135728f1b9a1b7bc077_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mfUmvir.exe	2024-09-17_155d32430eaba135728f1b9a1b7bc077_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\omEYGdb.exe	2024-09-17_155d32430eaba135728f1b9a1b7bc077_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\leeMTiu.exe	2024-09-17_155d32430eaba135728f1b9a1b7bc077_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AxyBGti.exe	2024-09-17_155d32430eaba135728f1b9a1b7bc077_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bSIURTj.exe	2024-09-17_155d32430eaba135728f1b9a1b7bc077_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lBRaoZm.exe	2024-09-17_155d32430eaba135728f1b9a1b7bc077_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\asblAHk.exe	2024-09-17_155d32430eaba135728f1b9a1b7bc077_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pYNrHTr.exe	2024-09-17_155d32430eaba135728f1b9a1b7bc077_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xGopHYG.exe	2024-09-17_155d32430eaba135728f1b9a1b7bc077_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eeZvFQu.exe	2024-09-17_155d32430eaba135728f1b9a1b7bc077_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jiuphHs.exe	2024-09-17_155d32430eaba135728f1b9a1b7bc077_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MXGICaJ.exe	2024-09-17_155d32430eaba135728f1b9a1b7bc077_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PWLtWpN.exe	2024-09-17_155d32430eaba135728f1b9a1b7bc077_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1476	2024-09-17_155d32430eaba135728f1b9a1b7bc077_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	1476	2024-09-17_155d32430eaba135728f1b9a1b7bc077_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1476 wrote to memory of 4504	1476	2024-09-17_155d32430eaba135728f1b9a1b7bc077_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 1476 wrote to memory of 4504	1476	2024-09-17_155d32430eaba135728f1b9a1b7bc077_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 1476 wrote to memory of 2400	1476	2024-09-17_155d32430eaba135728f1b9a1b7bc077_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 1476 wrote to memory of 2400	1476	2024-09-17_155d32430eaba135728f1b9a1b7bc077_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 1476 wrote to memory of 2212	1476	2024-09-17_155d32430eaba135728f1b9a1b7bc077_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 1476 wrote to memory of 2212	1476	2024-09-17_155d32430eaba135728f1b9a1b7bc077_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 1476 wrote to memory of 3680	1476	2024-09-17_155d32430eaba135728f1b9a1b7bc077_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 1476 wrote to memory of 3680	1476	2024-09-17_155d32430eaba135728f1b9a1b7bc077_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 1476 wrote to memory of 2084	1476	2024-09-17_155d32430eaba135728f1b9a1b7bc077_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 1476 wrote to memory of 2084	1476	2024-09-17_155d32430eaba135728f1b9a1b7bc077_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 1476 wrote to memory of 2540	1476	2024-09-17_155d32430eaba135728f1b9a1b7bc077_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 1476 wrote to memory of 2540	1476	2024-09-17_155d32430eaba135728f1b9a1b7bc077_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 1476 wrote to memory of 5000	1476	2024-09-17_155d32430eaba135728f1b9a1b7bc077_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 1476 wrote to memory of 5000	1476	2024-09-17_155d32430eaba135728f1b9a1b7bc077_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 1476 wrote to memory of 2960	1476	2024-09-17_155d32430eaba135728f1b9a1b7bc077_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1476 wrote to memory of 2960	1476	2024-09-17_155d32430eaba135728f1b9a1b7bc077_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1476 wrote to memory of 3540	1476	2024-09-17_155d32430eaba135728f1b9a1b7bc077_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1476 wrote to memory of 3540	1476	2024-09-17_155d32430eaba135728f1b9a1b7bc077_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1476 wrote to memory of 1016	1476	2024-09-17_155d32430eaba135728f1b9a1b7bc077_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1476 wrote to memory of 1016	1476	2024-09-17_155d32430eaba135728f1b9a1b7bc077_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1476 wrote to memory of 2724	1476	2024-09-17_155d32430eaba135728f1b9a1b7bc077_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1476 wrote to memory of 2724	1476	2024-09-17_155d32430eaba135728f1b9a1b7bc077_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1476 wrote to memory of 5092	1476	2024-09-17_155d32430eaba135728f1b9a1b7bc077_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 1476 wrote to memory of 5092	1476	2024-09-17_155d32430eaba135728f1b9a1b7bc077_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 1476 wrote to memory of 220	1476	2024-09-17_155d32430eaba135728f1b9a1b7bc077_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1476 wrote to memory of 220	1476	2024-09-17_155d32430eaba135728f1b9a1b7bc077_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1476 wrote to memory of 2364	1476	2024-09-17_155d32430eaba135728f1b9a1b7bc077_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1476 wrote to memory of 2364	1476	2024-09-17_155d32430eaba135728f1b9a1b7bc077_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1476 wrote to memory of 396	1476	2024-09-17_155d32430eaba135728f1b9a1b7bc077_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 1476 wrote to memory of 396	1476	2024-09-17_155d32430eaba135728f1b9a1b7bc077_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 1476 wrote to memory of 548	1476	2024-09-17_155d32430eaba135728f1b9a1b7bc077_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1476 wrote to memory of 548	1476	2024-09-17_155d32430eaba135728f1b9a1b7bc077_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1476 wrote to memory of 4988	1476	2024-09-17_155d32430eaba135728f1b9a1b7bc077_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1476 wrote to memory of 4988	1476	2024-09-17_155d32430eaba135728f1b9a1b7bc077_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1476 wrote to memory of 3332	1476	2024-09-17_155d32430eaba135728f1b9a1b7bc077_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1476 wrote to memory of 3332	1476	2024-09-17_155d32430eaba135728f1b9a1b7bc077_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1476 wrote to memory of 1936	1476	2024-09-17_155d32430eaba135728f1b9a1b7bc077_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1476 wrote to memory of 1936	1476	2024-09-17_155d32430eaba135728f1b9a1b7bc077_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1476 wrote to memory of 2412	1476	2024-09-17_155d32430eaba135728f1b9a1b7bc077_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1476 wrote to memory of 2412	1476	2024-09-17_155d32430eaba135728f1b9a1b7bc077_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1476 wrote to memory of 4428	1476	2024-09-17_155d32430eaba135728f1b9a1b7bc077_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 1476 wrote to memory of 4428	1476	2024-09-17_155d32430eaba135728f1b9a1b7bc077_cobalt-strike_cobaltstrike_poet-rat.exe	103

C:\Users\Admin\AppData\Local\Temp\2024-09-17_155d32430eaba135728f1b9a1b7bc077_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-17_155d32430eaba135728f1b9a1b7bc077_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1476
- C:\Windows\System\jiuphHs.exe
  C:\Windows\System\jiuphHs.exe
  2⤵
  - Executes dropped EXE
  PID:4504
- C:\Windows\System\uBQagKa.exe
  C:\Windows\System\uBQagKa.exe
  2⤵
  - Executes dropped EXE
  PID:2400
- C:\Windows\System\lBRaoZm.exe
  C:\Windows\System\lBRaoZm.exe
  2⤵
  - Executes dropped EXE
  PID:2212
- C:\Windows\System\asblAHk.exe
  C:\Windows\System\asblAHk.exe
  2⤵
  - Executes dropped EXE
  PID:3680
- C:\Windows\System\GzWsmfr.exe
  C:\Windows\System\GzWsmfr.exe
  2⤵
  - Executes dropped EXE
  PID:2084
- C:\Windows\System\wICNbso.exe
  C:\Windows\System\wICNbso.exe
  2⤵
  - Executes dropped EXE
  PID:2540
- C:\Windows\System\OAQeiBZ.exe
  C:\Windows\System\OAQeiBZ.exe
  2⤵
  - Executes dropped EXE
  PID:5000
- C:\Windows\System\gIbdBqC.exe
  C:\Windows\System\gIbdBqC.exe
  2⤵
  - Executes dropped EXE
  PID:2960
- C:\Windows\System\pYNrHTr.exe
  C:\Windows\System\pYNrHTr.exe
  2⤵
  - Executes dropped EXE
  PID:3540
- C:\Windows\System\leeMTiu.exe
  C:\Windows\System\leeMTiu.exe
  2⤵
  - Executes dropped EXE
  PID:1016
- C:\Windows\System\vgkeOyY.exe
  C:\Windows\System\vgkeOyY.exe
  2⤵
  - Executes dropped EXE
  PID:2724
- C:\Windows\System\AxyBGti.exe
  C:\Windows\System\AxyBGti.exe
  2⤵
  - Executes dropped EXE
  PID:5092
- C:\Windows\System\MXGICaJ.exe
  C:\Windows\System\MXGICaJ.exe
  2⤵
  - Executes dropped EXE
  PID:220
- C:\Windows\System\yGMUQeP.exe
  C:\Windows\System\yGMUQeP.exe
  2⤵
  - Executes dropped EXE
  PID:2364
- C:\Windows\System\mfUmvir.exe
  C:\Windows\System\mfUmvir.exe
  2⤵
  - Executes dropped EXE
  PID:396
- C:\Windows\System\PWLtWpN.exe
  C:\Windows\System\PWLtWpN.exe
  2⤵
  - Executes dropped EXE
  PID:548
- C:\Windows\System\YUzKkYC.exe
  C:\Windows\System\YUzKkYC.exe
  2⤵
  - Executes dropped EXE
  PID:4988
- C:\Windows\System\xGopHYG.exe
  C:\Windows\System\xGopHYG.exe
  2⤵
  - Executes dropped EXE
  PID:3332
- C:\Windows\System\bSIURTj.exe
  C:\Windows\System\bSIURTj.exe
  2⤵
  - Executes dropped EXE
  PID:1936
- C:\Windows\System\omEYGdb.exe
  C:\Windows\System\omEYGdb.exe
  2⤵
  - Executes dropped EXE
  PID:2412
- C:\Windows\System\eeZvFQu.exe
  C:\Windows\System\eeZvFQu.exe
  2⤵
  - Executes dropped EXE
  PID:4428

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AxyBGti.exe

Filesize
5.2MB

MD5
b811ede82833439871538e1b2366fc0a

SHA1
9a4d7583695a72d83405a31f697f85e0a9914678

SHA256
769c7c6ddb5eae28830f85d87e6599b92d593384e4ef22d72d89b248c4a6e8bd

SHA512
22f18ec0f72c146aefc2fffd8f717d1d45afc646c08af95a0e2c1260a05a238dd8d681a9f58cfb1ef95c58315816a64f5976d569ea8a69b902a4e7fab5aea193

Download Submit
C:\Windows\System\GzWsmfr.exe

Filesize
5.2MB

MD5
6d9bf9ea10535806a13644d05d61927e

SHA1
64e269e76692b49d8c6f5c52ee10dacba3912092

SHA256
178ec2a810b3f96656666b902b26ecd2d7e1c17977409ba90025602fb98cd6f9

SHA512
dc9fbc960864a2114090287d4c7516b76a8f8c162b9a61a52202f8539cd720b1b2ae072033e43ae38a1d028756d720083a97ed27e76417373b2b327cdb6cf6d1

Download Submit
C:\Windows\System\MXGICaJ.exe

Filesize
5.2MB

MD5
123a9b3c1f3b5b5b56d438b1003a2048

SHA1
c866e9f399e34e912af8b094650fd612173f4af8

SHA256
3ee44e42798905a2976dd9901f4916f51d15292c7f0e787de08ac28109704887

SHA512
92cd8bda0b7bfaed93b5235836f02c6a574c918f67e7ea161881b050cb18bf5f77b80f1379ff442ab0022bbb5d0525250c61e3a6ed2286aba21efca28a24ebb8

Download Submit
C:\Windows\System\OAQeiBZ.exe

Filesize
5.2MB

MD5
95ae543039b686c27da0b14907b89f1d

SHA1
70c117a9b9436a2fecd19989464c58babb515d55

SHA256
713b8e1e97f8537adf740d7a89d83c0c550565135f74dd82d22f556bec73e577

SHA512
31ff6d382cdf7f4bc8b58dcb5952c5c2f543f089b288057fb65897e5869433933804198d01d3f0a02b5df57aaa00f5bfe7d14fcefa73bca8fc03a32cc3cbe350

Download Submit
C:\Windows\System\PWLtWpN.exe

Filesize
5.2MB

MD5
3493e8f2fc6fdcba7ae6a95771a85b59

SHA1
290897a67d8160d3cf017ea3ade283bd50f49b72

SHA256
b47ed7d8e4cbfe136e7e3ba05868753f21d741320a073e90851db2a7924eb1c8

SHA512
b04c681ff6f4975dcb65b1be78add0e12978db7b71ae40e9a72921f77327c29ea4c5da8ec28e0d5d84d7d09db428f401fe4880bb3beef2be59060e08e8c3399b

Download Submit
C:\Windows\System\YUzKkYC.exe

Filesize
5.2MB

MD5
f343bc8dd5381b1f549cbad9b8c535a2

SHA1
0f98f851d46feee4cd2debb42d9281f0476e1497

SHA256
ed89d4726a05bf7ac64aa1f9137260c35ff2d3df6e842221392185c8452f3395

SHA512
096fb0ffb2a54d08a88c79fb41fdfc81567e4b29d16ff46f36c524eb25f9a811cd7d7983bf982f205c3fd65547fde51a3a02b43a1ec527cf814b3c7b3f1ee9f4

Download Submit
C:\Windows\System\asblAHk.exe

Filesize
5.2MB

MD5
86a0d8173d649e448fdc9a806e2720d1

SHA1
bce0c146dd13c8f0c03e0169efda50541ea24873

SHA256
70415c5a1954059d6af8585f13aa88780c7127a562e14ffec31f4002a63b2140

SHA512
d343cb32c2261da82f4a03b0e25bcd095c859a60c7b363166c2337fe9673521e873c44b0f730f60c4a5e04764b833f9d664a7ff3c821e7f8890038daf2a56760

Download Submit
C:\Windows\System\bSIURTj.exe

Filesize
5.2MB

MD5
05b5e4f45ad68d06cd5dd2e01e6bcaa0

SHA1
834a8288a7856f994014f97a2b2a7d05704afc4e

SHA256
6481586b5afd9094ea414379722da587ffa44001161e21ab4286b463ee04e570

SHA512
53d1f97c1c07aa59bf6ef0f64bd8e3421fdd8b19c425fcfc981b99f34f73babe990c8dc1c79d4097aa52c81e72f36486185abc489169fb3e6bc40e11f346abe1

Download Submit
C:\Windows\System\eeZvFQu.exe

Filesize
5.2MB

MD5
077029e3efd04dde359b3c7cf93b460f

SHA1
833d7a0b1079a813f76dd55fad24f5b3dd1bdaa6

SHA256
44bb945dc4f71876f26b42e74aba050cd1a334e064347b5693955be3d6596a6b

SHA512
a1c07ed3c973caee95d2d4d412b4a9d76e2884a11060e498bcc0f27590dfdfa515c37f004d1a6dda666efe42d4c0c87927fc61714aa7474ac44ef3bfae809ee1

Download Submit
C:\Windows\System\gIbdBqC.exe

Filesize
5.2MB

MD5
59e031a6a5b5e38573d89f53378af156

SHA1
e4aaeb2027d448686c3af17e446aff3c5adc94d3

SHA256
ff60bb8990176f7de19319ddaf14f087cba42965e01554c2ffedaf70ec4c7653

SHA512
d4c08794a3877c65a2733cd0057c22112e38f00142d541e48f8372de035a6ef6219317c13155cfbf35d2ca140867c8fc9bafceb4187330a471c6cf9fb0debce6

Download Submit
C:\Windows\System\jiuphHs.exe

Filesize
5.2MB

MD5
c66028dd4c53123358721bd935e51ff3

SHA1
97375e3e700271cc56be950b7c6ef591a2b5a0e3

SHA256
d25d15c764a4d5084b42e94f2c615458220cf5f45d28d27d2c2638e0cb811c5b

SHA512
e6e41d7366f05bf3a7e7993504ca5629872a21d01c2629bc224ddb1338f4f8d8dd016832c2f4f0a06368fa656d85cb6227f90be448a9a73fd7acf031ce28dead

Download Submit
C:\Windows\System\lBRaoZm.exe

Filesize
5.2MB

MD5
97b4f4011a73e38e979776977c8cd196

SHA1
2865e32cc64e9270df8f06df5ba9176d86fce6b9

SHA256
3ba361caf84d462a32e92d107a7dc0daa33fd323c0c3f665a70ca9d69d24ab0d

SHA512
9e5bf7abc5398b4185d9088171b8eeda854a8c6badba8925f1640b1b1275a82009651bb66afcf95d118a4410593d562560e196fc75ede137351cd13f2b8f0de7

Download Submit
C:\Windows\System\leeMTiu.exe

Filesize
5.2MB

MD5
2df192c4bf5920a21d1963b1bda590a6

SHA1
4eb3280133d939adcd09811cf5bb72b97584a35f

SHA256
84e19caa58044fa8bea8a5e3c78a70c740deace64ea7455fea9124911fd3e3d1

SHA512
151283bb936dfd4deaac2a43bcc0d21ee2d83a45ae4bd82fbfa7d5701fafa140ebff846e2a72be60f52b42d81d7b8e810e7bbcee6c12540ce48782ad7fdd4bb9

Download Submit
C:\Windows\System\mfUmvir.exe

Filesize
5.2MB

MD5
5d0bafef4d230ca8527f99a3ed79a494

SHA1
3f5a677f22571067aca903146b35976dd97acae7

SHA256
763cc9426246f54422e385d7ce6a4b890a5d41834c5498f0a4b19aa7d63fc6a2

SHA512
2e0145ebd9f5cc9fad761872f29439dbfd9f82f3c41492b037b14ea102c6607444c1c830f56f2c26ad83350b06714886f0802c20e4e67cb21b21ebe4338800bf

Download Submit
C:\Windows\System\omEYGdb.exe

Filesize
5.2MB

MD5
c4ca31235e94865e5b189ccf147c4cdb

SHA1
d06a1042c3ad4e842607bae1e23c54e2b8d4c998

SHA256
b951b0bf98effc403080bbdf069f0c3d05d1b6cea761be313880def0ad6a28b9

SHA512
a3fad715e8ed6b507ace3b01d5c2b57fd406b1569f2fec89454e67fe90777004c5db3409aae357175e6c779bc48be46c039e470d21c536b086c3a5345f723733

Download Submit
C:\Windows\System\pYNrHTr.exe

Filesize
5.2MB

MD5
4ad3d59e67a4a5cbe541906f37eb3f6c

SHA1
b872cf490882210a79456a9122bc0f7be516beb4

SHA256
7584b3951ffad015337a4166eb506d37098c2578d8f1935dba5d64375535c905

SHA512
4e256ce7ee41243ebc09b98017a114088561a321b7d471e31bbc574dde4faadf79cd601645e5f3b8c339f52430c9da6270979d1d541cc1d6953b262c71e33d0a

Download Submit
C:\Windows\System\uBQagKa.exe

Filesize
5.2MB

MD5
07b1e1bcfe6f00cc2a14f9365ff67454

SHA1
7ddf9a6c5747a68468f907a5cd202b83ebcc898b

SHA256
865d37305d372bd9557f6eb37f513d5709f9b3c433aee1a5f867eeb232b1b29e

SHA512
2b7e01d856fece0d15bf9a4cbac709db41d84427690d6c6ef1df7de5691777849b7eaeb6bca770133fd83dd6b7b90825e399cf1d78ef64c8dc0ce2e30137b2a2

Download Submit
C:\Windows\System\vgkeOyY.exe

Filesize
5.2MB

MD5
e6a76cb415806aebc1e27944ad5b217c

SHA1
10c667bf8c8782db7e8414488c5cedea29b7c236

SHA256
d53c97dc5935138632a5dc6e21a7e6e77d3c1194f1c63c8a54faa5d42ff51b7c

SHA512
46b33180c2d36167d72ca9ff768d77d33243135f2c3e40b40301a9599bc3161fdd0d900b01897bedcaa7f49e1b7dbcfcbe651ea82191263f01b3a79afb57c78d

Download Submit
C:\Windows\System\wICNbso.exe

Filesize
5.2MB

MD5
956646c49354f514e8c4ae85273c567d

SHA1
c355e865427dc49879b381637974cef0ed96f0bd

SHA256
72e0afa31d948af00c40816fcd93c7dae7997ea615db17d692aeaf75178beead

SHA512
0ad0ed165c2bf53449dcea41f3b194245081fe48ca8a2899f2ffb53150aa38441fffa0d61bccc4cc4cdd22d100f6e4c253b990444c8dabc04d46d3863941ab6e

Download Submit
C:\Windows\System\xGopHYG.exe

Filesize
5.2MB

MD5
2ebdd5d263aebb913ae40f398dd6ebca

SHA1
bd38f8ecd088b6e7928d469039813db3c0582f07

SHA256
4fc0be871d9cd955dd483aec2f8ec6d13ff215935b96d82c5bc9b1c20d84b3e0

SHA512
c31b0c96007e51af051209252ab743798cf54d451c0a86b684290bdd252b18b6b17824730ce8212040abdd9991ef29d955a3afa3a435cd1b3fa62348ccd3ef9b

Download Submit
C:\Windows\System\yGMUQeP.exe

Filesize
5.2MB

MD5
9f7f75eec9e9d6caf1f9b810ac83e088

SHA1
0835bd668f6db6633c58d887d4ca022677ee7e17

SHA256
68409804ac22709f4c0b99ead341f0c633bc1993d0c33c2bd6ab4430d7964c8e

SHA512
d010485401c7a4ab8ac76656455e653d716f8a44d3e622eae7fad1f58123ef246d2b44e09b276fe6663b3923b4ba67043fca272fb2b5ac97e3fbc15f8952c0a7

Download Submit
memory/220-123-0x00007FF7130A0000-0x00007FF7133F1000-memory.dmp

Filesize
3.3MB

Download
memory/220-245-0x00007FF7130A0000-0x00007FF7133F1000-memory.dmp

Filesize
3.3MB

Download
memory/396-148-0x00007FF668070000-0x00007FF6683C1000-memory.dmp

Filesize
3.3MB

Download
memory/396-248-0x00007FF668070000-0x00007FF6683C1000-memory.dmp

Filesize
3.3MB

Download
memory/396-112-0x00007FF668070000-0x00007FF6683C1000-memory.dmp

Filesize
3.3MB

Download
memory/548-252-0x00007FF69F4C0000-0x00007FF69F811000-memory.dmp

Filesize
3.3MB

Download
memory/548-113-0x00007FF69F4C0000-0x00007FF69F811000-memory.dmp

Filesize
3.3MB

Download
memory/1016-142-0x00007FF6BF0C0000-0x00007FF6BF411000-memory.dmp

Filesize
3.3MB

Download
memory/1016-234-0x00007FF6BF0C0000-0x00007FF6BF411000-memory.dmp

Filesize
3.3MB

Download
memory/1016-54-0x00007FF6BF0C0000-0x00007FF6BF411000-memory.dmp

Filesize
3.3MB

Download
memory/1476-66-0x00007FF75AB70000-0x00007FF75AEC1000-memory.dmp

Filesize
3.3MB

Download
memory/1476-0-0x00007FF75AB70000-0x00007FF75AEC1000-memory.dmp

Filesize
3.3MB

Download
memory/1476-132-0x00007FF75AB70000-0x00007FF75AEC1000-memory.dmp

Filesize
3.3MB

Download
memory/1476-155-0x00007FF75AB70000-0x00007FF75AEC1000-memory.dmp

Filesize
3.3MB

Download
memory/1476-1-0x00000226D2650000-0x00000226D2660000-memory.dmp

Filesize
64KB

Download
memory/1936-120-0x00007FF7C08E0000-0x00007FF7C0C31000-memory.dmp

Filesize
3.3MB

Download
memory/1936-152-0x00007FF7C08E0000-0x00007FF7C0C31000-memory.dmp

Filesize
3.3MB

Download
memory/1936-261-0x00007FF7C08E0000-0x00007FF7C0C31000-memory.dmp

Filesize
3.3MB

Download
memory/2084-228-0x00007FF643590000-0x00007FF6438E1000-memory.dmp

Filesize
3.3MB

Download
memory/2084-137-0x00007FF643590000-0x00007FF6438E1000-memory.dmp

Filesize
3.3MB

Download
memory/2084-36-0x00007FF643590000-0x00007FF6438E1000-memory.dmp

Filesize
3.3MB

Download
memory/2212-21-0x00007FF7B08E0000-0x00007FF7B0C31000-memory.dmp

Filesize
3.3MB

Download
memory/2212-126-0x00007FF7B08E0000-0x00007FF7B0C31000-memory.dmp

Filesize
3.3MB

Download
memory/2212-230-0x00007FF7B08E0000-0x00007FF7B0C31000-memory.dmp

Filesize
3.3MB

Download
memory/2364-251-0x00007FF6510C0000-0x00007FF651411000-memory.dmp

Filesize
3.3MB

Download
memory/2364-104-0x00007FF6510C0000-0x00007FF651411000-memory.dmp

Filesize
3.3MB

Download
memory/2364-147-0x00007FF6510C0000-0x00007FF651411000-memory.dmp

Filesize
3.3MB

Download
memory/2400-208-0x00007FF7EE010000-0x00007FF7EE361000-memory.dmp

Filesize
3.3MB

Download
memory/2400-18-0x00007FF7EE010000-0x00007FF7EE361000-memory.dmp

Filesize
3.3MB

Download
memory/2400-96-0x00007FF7EE010000-0x00007FF7EE361000-memory.dmp

Filesize
3.3MB

Download
memory/2412-153-0x00007FF6D3A90000-0x00007FF6D3DE1000-memory.dmp

Filesize
3.3MB

Download
memory/2412-122-0x00007FF6D3A90000-0x00007FF6D3DE1000-memory.dmp

Filesize
3.3MB

Download
memory/2412-255-0x00007FF6D3A90000-0x00007FF6D3DE1000-memory.dmp

Filesize
3.3MB

Download
memory/2540-138-0x00007FF774C00000-0x00007FF774F51000-memory.dmp

Filesize
3.3MB

Download
memory/2540-44-0x00007FF774C00000-0x00007FF774F51000-memory.dmp

Filesize
3.3MB

Download
memory/2540-233-0x00007FF774C00000-0x00007FF774F51000-memory.dmp

Filesize
3.3MB

Download
memory/2724-143-0x00007FF73FB70000-0x00007FF73FEC1000-memory.dmp

Filesize
3.3MB

Download
memory/2724-72-0x00007FF73FB70000-0x00007FF73FEC1000-memory.dmp

Filesize
3.3MB

Download
memory/2724-242-0x00007FF73FB70000-0x00007FF73FEC1000-memory.dmp

Filesize
3.3MB

Download
memory/2960-55-0x00007FF780AA0000-0x00007FF780DF1000-memory.dmp

Filesize
3.3MB

Download
memory/2960-140-0x00007FF780AA0000-0x00007FF780DF1000-memory.dmp

Filesize
3.3MB

Download
memory/2960-239-0x00007FF780AA0000-0x00007FF780DF1000-memory.dmp

Filesize
3.3MB

Download
memory/3332-262-0x00007FF79E900000-0x00007FF79EC51000-memory.dmp

Filesize
3.3MB

Download
memory/3332-128-0x00007FF79E900000-0x00007FF79EC51000-memory.dmp

Filesize
3.3MB

Download
memory/3540-240-0x00007FF7EC4A0000-0x00007FF7EC7F1000-memory.dmp

Filesize
3.3MB

Download
memory/3540-141-0x00007FF7EC4A0000-0x00007FF7EC7F1000-memory.dmp

Filesize
3.3MB

Download
memory/3540-56-0x00007FF7EC4A0000-0x00007FF7EC7F1000-memory.dmp

Filesize
3.3MB

Download
memory/3680-144-0x00007FF6B4E90000-0x00007FF6B51E1000-memory.dmp

Filesize
3.3MB

Download
memory/3680-25-0x00007FF6B4E90000-0x00007FF6B51E1000-memory.dmp

Filesize
3.3MB

Download
memory/3680-226-0x00007FF6B4E90000-0x00007FF6B51E1000-memory.dmp

Filesize
3.3MB

Download
memory/4428-129-0x00007FF7D85D0000-0x00007FF7D8921000-memory.dmp

Filesize
3.3MB

Download
memory/4428-257-0x00007FF7D85D0000-0x00007FF7D8921000-memory.dmp

Filesize
3.3MB

Download
memory/4504-206-0x00007FF7B9BE0000-0x00007FF7B9F31000-memory.dmp

Filesize
3.3MB

Download
memory/4504-7-0x00007FF7B9BE0000-0x00007FF7B9F31000-memory.dmp

Filesize
3.3MB

Download
memory/4504-76-0x00007FF7B9BE0000-0x00007FF7B9F31000-memory.dmp

Filesize
3.3MB

Download
memory/4988-127-0x00007FF6537F0000-0x00007FF653B41000-memory.dmp

Filesize
3.3MB

Download
memory/4988-259-0x00007FF6537F0000-0x00007FF653B41000-memory.dmp

Filesize
3.3MB

Download
memory/5000-237-0x00007FF6EBB60000-0x00007FF6EBEB1000-memory.dmp

Filesize
3.3MB

Download
memory/5000-49-0x00007FF6EBB60000-0x00007FF6EBEB1000-memory.dmp

Filesize
3.3MB

Download
memory/5092-246-0x00007FF793FA0000-0x00007FF7942F1000-memory.dmp

Filesize
3.3MB

Download
memory/5092-103-0x00007FF793FA0000-0x00007FF7942F1000-memory.dmp

Filesize
3.3MB

Download