cobaltstrike | 783161abb0cd5a55fc64cd158073fe5c654804aee5509552bed6e859525bb6a5

Analysis

max time kernel
141s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17-09-2024 07:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-17_38a6bcbd35708a03a4bd104b84264b8b_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

38a6bcbd35708a03a4bd104b84264b8b
SHA1

30777981ea899ab92e5c2a06e378ae3be19ebde7
SHA256

783161abb0cd5a55fc64cd158073fe5c654804aee5509552bed6e859525bb6a5
SHA512

fc1585cd1aa1412ad4525aaf9d6fda9c95e18c7bdc1cdf1e01b4d446fc8677dedb65a982f5d8ffb87b618b229b41850462b4fec8ebe8cde697e6b463a496c536
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lP:RWWBibf56utgpPFotBER/mQ32lUL

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x00090000000233d0-5.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023430-11.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023431-22.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023432-21.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023433-26.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023434-39.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023437-50.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023438-61.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023436-49.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023435-47.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023439-65.dat	cobalt_reflective_dll
behavioral2/files/0x000800000002342d-72.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002343a-82.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002343b-87.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002343d-98.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023440-111.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002343f-109.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002343e-101.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023441-118.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023443-136.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023442-134.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/3104-57-0x00007FF619F70000-0x00007FF61A2C1000-memory.dmp	xmrig
behavioral2/memory/2216-71-0x00007FF6EF0F0000-0x00007FF6EF441000-memory.dmp	xmrig
behavioral2/memory/3068-73-0x00007FF6377C0000-0x00007FF637B11000-memory.dmp	xmrig
behavioral2/memory/2876-80-0x00007FF74B510000-0x00007FF74B861000-memory.dmp	xmrig
behavioral2/memory/1476-68-0x00007FF7975E0000-0x00007FF797931000-memory.dmp	xmrig
behavioral2/memory/3420-89-0x00007FF67D260000-0x00007FF67D5B1000-memory.dmp	xmrig
behavioral2/memory/3736-91-0x00007FF6F9A00000-0x00007FF6F9D51000-memory.dmp	xmrig
behavioral2/memory/980-84-0x00007FF715510000-0x00007FF715861000-memory.dmp	xmrig
behavioral2/memory/1040-95-0x00007FF762480000-0x00007FF7627D1000-memory.dmp	xmrig
behavioral2/memory/4600-112-0x00007FF611E70000-0x00007FF6121C1000-memory.dmp	xmrig
behavioral2/memory/4428-110-0x00007FF781220000-0x00007FF781571000-memory.dmp	xmrig
behavioral2/memory/4472-107-0x00007FF6BF030000-0x00007FF6BF381000-memory.dmp	xmrig
behavioral2/memory/4920-113-0x00007FF629AE0000-0x00007FF629E31000-memory.dmp	xmrig
behavioral2/memory/4908-128-0x00007FF6220E0000-0x00007FF622431000-memory.dmp	xmrig
behavioral2/memory/1476-138-0x00007FF7975E0000-0x00007FF797931000-memory.dmp	xmrig
behavioral2/memory/4992-147-0x00007FF60EE70000-0x00007FF60F1C1000-memory.dmp	xmrig
behavioral2/memory/2528-151-0x00007FF7F15E0000-0x00007FF7F1931000-memory.dmp	xmrig
behavioral2/memory/4172-155-0x00007FF683830000-0x00007FF683B81000-memory.dmp	xmrig
behavioral2/memory/2456-157-0x00007FF6A0A40000-0x00007FF6A0D91000-memory.dmp	xmrig
behavioral2/memory/3572-158-0x00007FF7BD260000-0x00007FF7BD5B1000-memory.dmp	xmrig
behavioral2/memory/4512-163-0x00007FF62CD70000-0x00007FF62D0C1000-memory.dmp	xmrig
behavioral2/memory/1120-166-0x00007FF62D180000-0x00007FF62D4D1000-memory.dmp	xmrig
behavioral2/memory/4012-165-0x00007FF673410000-0x00007FF673761000-memory.dmp	xmrig
behavioral2/memory/1476-167-0x00007FF7975E0000-0x00007FF797931000-memory.dmp	xmrig
behavioral2/memory/3068-224-0x00007FF6377C0000-0x00007FF637B11000-memory.dmp	xmrig
behavioral2/memory/2876-226-0x00007FF74B510000-0x00007FF74B861000-memory.dmp	xmrig
behavioral2/memory/980-228-0x00007FF715510000-0x00007FF715861000-memory.dmp	xmrig
behavioral2/memory/3420-230-0x00007FF67D260000-0x00007FF67D5B1000-memory.dmp	xmrig
behavioral2/memory/4472-233-0x00007FF6BF030000-0x00007FF6BF381000-memory.dmp	xmrig
behavioral2/memory/1040-234-0x00007FF762480000-0x00007FF7627D1000-memory.dmp	xmrig
behavioral2/memory/4428-236-0x00007FF781220000-0x00007FF781571000-memory.dmp	xmrig
behavioral2/memory/3104-238-0x00007FF619F70000-0x00007FF61A2C1000-memory.dmp	xmrig
behavioral2/memory/4600-240-0x00007FF611E70000-0x00007FF6121C1000-memory.dmp	xmrig
behavioral2/memory/4908-242-0x00007FF6220E0000-0x00007FF622431000-memory.dmp	xmrig
behavioral2/memory/2216-247-0x00007FF6EF0F0000-0x00007FF6EF441000-memory.dmp	xmrig
behavioral2/memory/4992-249-0x00007FF60EE70000-0x00007FF60F1C1000-memory.dmp	xmrig
behavioral2/memory/2528-251-0x00007FF7F15E0000-0x00007FF7F1931000-memory.dmp	xmrig
behavioral2/memory/3736-256-0x00007FF6F9A00000-0x00007FF6F9D51000-memory.dmp	xmrig
behavioral2/memory/4172-258-0x00007FF683830000-0x00007FF683B81000-memory.dmp	xmrig
behavioral2/memory/4920-264-0x00007FF629AE0000-0x00007FF629E31000-memory.dmp	xmrig
behavioral2/memory/3572-266-0x00007FF7BD260000-0x00007FF7BD5B1000-memory.dmp	xmrig
behavioral2/memory/2456-268-0x00007FF6A0A40000-0x00007FF6A0D91000-memory.dmp	xmrig
behavioral2/memory/4012-272-0x00007FF673410000-0x00007FF673761000-memory.dmp	xmrig
behavioral2/memory/4512-271-0x00007FF62CD70000-0x00007FF62D0C1000-memory.dmp	xmrig
behavioral2/memory/1120-274-0x00007FF62D180000-0x00007FF62D4D1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
3068	iVEVktr.exe
2876	dIgtdgD.exe
980	RgEfeBp.exe
3420	zWYQNmG.exe
1040	hkmFWXr.exe
4472	zEftmQl.exe
4428	VhnTZLA.exe
3104	yzGMsyv.exe
4600	OrFTGgH.exe
4908	XpVAabC.exe
2216	BBnCwIs.exe
4992	JkxCWTM.exe
2528	pdsCLhZ.exe
3736	EjuWcwT.exe
4172	eCOIiPM.exe
4920	yAAUHVz.exe
2456	cUDuKmu.exe
3572	EvOkcHO.exe
4012	yKXzbpT.exe
4512	hXdyQKJ.exe
1120	dQnENlt.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1476-0-0x00007FF7975E0000-0x00007FF797931000-memory.dmp	upx
behavioral2/files/0x00090000000233d0-5.dat	upx
behavioral2/memory/3068-7-0x00007FF6377C0000-0x00007FF637B11000-memory.dmp	upx
behavioral2/files/0x0007000000023430-11.dat	upx
behavioral2/memory/2876-12-0x00007FF74B510000-0x00007FF74B861000-memory.dmp	upx
behavioral2/files/0x0007000000023431-22.dat	upx
behavioral2/files/0x0007000000023432-21.dat	upx
behavioral2/memory/980-20-0x00007FF715510000-0x00007FF715861000-memory.dmp	upx
behavioral2/files/0x0007000000023433-26.dat	upx
behavioral2/files/0x0007000000023434-39.dat	upx
behavioral2/files/0x0007000000023437-50.dat	upx
behavioral2/memory/4600-56-0x00007FF611E70000-0x00007FF6121C1000-memory.dmp	upx
behavioral2/memory/4908-58-0x00007FF6220E0000-0x00007FF622431000-memory.dmp	upx
behavioral2/files/0x0007000000023438-61.dat	upx
behavioral2/memory/3104-57-0x00007FF619F70000-0x00007FF61A2C1000-memory.dmp	upx
behavioral2/memory/4428-54-0x00007FF781220000-0x00007FF781571000-memory.dmp	upx
behavioral2/files/0x0007000000023436-49.dat	upx
behavioral2/files/0x0007000000023435-47.dat	upx
behavioral2/memory/4472-36-0x00007FF6BF030000-0x00007FF6BF381000-memory.dmp	upx
behavioral2/memory/1040-30-0x00007FF762480000-0x00007FF7627D1000-memory.dmp	upx
behavioral2/memory/3420-29-0x00007FF67D260000-0x00007FF67D5B1000-memory.dmp	upx
behavioral2/files/0x0007000000023439-65.dat	upx
behavioral2/files/0x000800000002342d-72.dat	upx
behavioral2/memory/2216-71-0x00007FF6EF0F0000-0x00007FF6EF441000-memory.dmp	upx
behavioral2/memory/3068-73-0x00007FF6377C0000-0x00007FF637B11000-memory.dmp	upx
behavioral2/memory/2876-80-0x00007FF74B510000-0x00007FF74B861000-memory.dmp	upx
behavioral2/files/0x000700000002343a-82.dat	upx
behavioral2/memory/2528-81-0x00007FF7F15E0000-0x00007FF7F1931000-memory.dmp	upx
behavioral2/memory/4992-74-0x00007FF60EE70000-0x00007FF60F1C1000-memory.dmp	upx
behavioral2/memory/1476-68-0x00007FF7975E0000-0x00007FF797931000-memory.dmp	upx
behavioral2/files/0x000700000002343b-87.dat	upx
behavioral2/memory/3420-89-0x00007FF67D260000-0x00007FF67D5B1000-memory.dmp	upx
behavioral2/memory/3736-91-0x00007FF6F9A00000-0x00007FF6F9D51000-memory.dmp	upx
behavioral2/memory/980-84-0x00007FF715510000-0x00007FF715861000-memory.dmp	upx
behavioral2/memory/1040-95-0x00007FF762480000-0x00007FF7627D1000-memory.dmp	upx
behavioral2/memory/4172-99-0x00007FF683830000-0x00007FF683B81000-memory.dmp	upx
behavioral2/files/0x000700000002343d-98.dat	upx
behavioral2/files/0x0007000000023440-111.dat	upx
behavioral2/memory/4600-112-0x00007FF611E70000-0x00007FF6121C1000-memory.dmp	upx
behavioral2/memory/4428-110-0x00007FF781220000-0x00007FF781571000-memory.dmp	upx
behavioral2/files/0x000700000002343f-109.dat	upx
behavioral2/memory/4472-107-0x00007FF6BF030000-0x00007FF6BF381000-memory.dmp	upx
behavioral2/files/0x000700000002343e-101.dat	upx
behavioral2/files/0x0007000000023441-118.dat	upx
behavioral2/memory/3572-117-0x00007FF7BD260000-0x00007FF7BD5B1000-memory.dmp	upx
behavioral2/memory/2456-114-0x00007FF6A0A40000-0x00007FF6A0D91000-memory.dmp	upx
behavioral2/memory/4920-113-0x00007FF629AE0000-0x00007FF629E31000-memory.dmp	upx
behavioral2/files/0x0007000000023443-136.dat	upx
behavioral2/files/0x0007000000023442-134.dat	upx
behavioral2/memory/4512-133-0x00007FF62CD70000-0x00007FF62D0C1000-memory.dmp	upx
behavioral2/memory/1120-132-0x00007FF62D180000-0x00007FF62D4D1000-memory.dmp	upx
behavioral2/memory/4012-129-0x00007FF673410000-0x00007FF673761000-memory.dmp	upx
behavioral2/memory/4908-128-0x00007FF6220E0000-0x00007FF622431000-memory.dmp	upx
behavioral2/memory/1476-138-0x00007FF7975E0000-0x00007FF797931000-memory.dmp	upx
behavioral2/memory/4992-147-0x00007FF60EE70000-0x00007FF60F1C1000-memory.dmp	upx
behavioral2/memory/2528-151-0x00007FF7F15E0000-0x00007FF7F1931000-memory.dmp	upx
behavioral2/memory/4172-155-0x00007FF683830000-0x00007FF683B81000-memory.dmp	upx
behavioral2/memory/2456-157-0x00007FF6A0A40000-0x00007FF6A0D91000-memory.dmp	upx
behavioral2/memory/3572-158-0x00007FF7BD260000-0x00007FF7BD5B1000-memory.dmp	upx
behavioral2/memory/4512-163-0x00007FF62CD70000-0x00007FF62D0C1000-memory.dmp	upx
behavioral2/memory/1120-166-0x00007FF62D180000-0x00007FF62D4D1000-memory.dmp	upx
behavioral2/memory/4012-165-0x00007FF673410000-0x00007FF673761000-memory.dmp	upx
behavioral2/memory/1476-167-0x00007FF7975E0000-0x00007FF797931000-memory.dmp	upx
behavioral2/memory/3068-224-0x00007FF6377C0000-0x00007FF637B11000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\OrFTGgH.exe	2024-09-17_38a6bcbd35708a03a4bd104b84264b8b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JkxCWTM.exe	2024-09-17_38a6bcbd35708a03a4bd104b84264b8b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EvOkcHO.exe	2024-09-17_38a6bcbd35708a03a4bd104b84264b8b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dQnENlt.exe	2024-09-17_38a6bcbd35708a03a4bd104b84264b8b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zWYQNmG.exe	2024-09-17_38a6bcbd35708a03a4bd104b84264b8b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zEftmQl.exe	2024-09-17_38a6bcbd35708a03a4bd104b84264b8b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BBnCwIs.exe	2024-09-17_38a6bcbd35708a03a4bd104b84264b8b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EjuWcwT.exe	2024-09-17_38a6bcbd35708a03a4bd104b84264b8b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eCOIiPM.exe	2024-09-17_38a6bcbd35708a03a4bd104b84264b8b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yKXzbpT.exe	2024-09-17_38a6bcbd35708a03a4bd104b84264b8b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dIgtdgD.exe	2024-09-17_38a6bcbd35708a03a4bd104b84264b8b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hkmFWXr.exe	2024-09-17_38a6bcbd35708a03a4bd104b84264b8b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pdsCLhZ.exe	2024-09-17_38a6bcbd35708a03a4bd104b84264b8b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yAAUHVz.exe	2024-09-17_38a6bcbd35708a03a4bd104b84264b8b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cUDuKmu.exe	2024-09-17_38a6bcbd35708a03a4bd104b84264b8b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VhnTZLA.exe	2024-09-17_38a6bcbd35708a03a4bd104b84264b8b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XpVAabC.exe	2024-09-17_38a6bcbd35708a03a4bd104b84264b8b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yzGMsyv.exe	2024-09-17_38a6bcbd35708a03a4bd104b84264b8b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hXdyQKJ.exe	2024-09-17_38a6bcbd35708a03a4bd104b84264b8b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iVEVktr.exe	2024-09-17_38a6bcbd35708a03a4bd104b84264b8b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RgEfeBp.exe	2024-09-17_38a6bcbd35708a03a4bd104b84264b8b_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1476	2024-09-17_38a6bcbd35708a03a4bd104b84264b8b_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	1476	2024-09-17_38a6bcbd35708a03a4bd104b84264b8b_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1476 wrote to memory of 3068	1476	2024-09-17_38a6bcbd35708a03a4bd104b84264b8b_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 1476 wrote to memory of 3068	1476	2024-09-17_38a6bcbd35708a03a4bd104b84264b8b_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 1476 wrote to memory of 2876	1476	2024-09-17_38a6bcbd35708a03a4bd104b84264b8b_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 1476 wrote to memory of 2876	1476	2024-09-17_38a6bcbd35708a03a4bd104b84264b8b_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 1476 wrote to memory of 980	1476	2024-09-17_38a6bcbd35708a03a4bd104b84264b8b_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 1476 wrote to memory of 980	1476	2024-09-17_38a6bcbd35708a03a4bd104b84264b8b_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 1476 wrote to memory of 3420	1476	2024-09-17_38a6bcbd35708a03a4bd104b84264b8b_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 1476 wrote to memory of 3420	1476	2024-09-17_38a6bcbd35708a03a4bd104b84264b8b_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 1476 wrote to memory of 1040	1476	2024-09-17_38a6bcbd35708a03a4bd104b84264b8b_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 1476 wrote to memory of 1040	1476	2024-09-17_38a6bcbd35708a03a4bd104b84264b8b_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 1476 wrote to memory of 4472	1476	2024-09-17_38a6bcbd35708a03a4bd104b84264b8b_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 1476 wrote to memory of 4472	1476	2024-09-17_38a6bcbd35708a03a4bd104b84264b8b_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 1476 wrote to memory of 4428	1476	2024-09-17_38a6bcbd35708a03a4bd104b84264b8b_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 1476 wrote to memory of 4428	1476	2024-09-17_38a6bcbd35708a03a4bd104b84264b8b_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 1476 wrote to memory of 3104	1476	2024-09-17_38a6bcbd35708a03a4bd104b84264b8b_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1476 wrote to memory of 3104	1476	2024-09-17_38a6bcbd35708a03a4bd104b84264b8b_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1476 wrote to memory of 4600	1476	2024-09-17_38a6bcbd35708a03a4bd104b84264b8b_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1476 wrote to memory of 4600	1476	2024-09-17_38a6bcbd35708a03a4bd104b84264b8b_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1476 wrote to memory of 4908	1476	2024-09-17_38a6bcbd35708a03a4bd104b84264b8b_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1476 wrote to memory of 4908	1476	2024-09-17_38a6bcbd35708a03a4bd104b84264b8b_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1476 wrote to memory of 2216	1476	2024-09-17_38a6bcbd35708a03a4bd104b84264b8b_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1476 wrote to memory of 2216	1476	2024-09-17_38a6bcbd35708a03a4bd104b84264b8b_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1476 wrote to memory of 4992	1476	2024-09-17_38a6bcbd35708a03a4bd104b84264b8b_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 1476 wrote to memory of 4992	1476	2024-09-17_38a6bcbd35708a03a4bd104b84264b8b_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 1476 wrote to memory of 2528	1476	2024-09-17_38a6bcbd35708a03a4bd104b84264b8b_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1476 wrote to memory of 2528	1476	2024-09-17_38a6bcbd35708a03a4bd104b84264b8b_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1476 wrote to memory of 3736	1476	2024-09-17_38a6bcbd35708a03a4bd104b84264b8b_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1476 wrote to memory of 3736	1476	2024-09-17_38a6bcbd35708a03a4bd104b84264b8b_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1476 wrote to memory of 4172	1476	2024-09-17_38a6bcbd35708a03a4bd104b84264b8b_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 1476 wrote to memory of 4172	1476	2024-09-17_38a6bcbd35708a03a4bd104b84264b8b_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 1476 wrote to memory of 4920	1476	2024-09-17_38a6bcbd35708a03a4bd104b84264b8b_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1476 wrote to memory of 4920	1476	2024-09-17_38a6bcbd35708a03a4bd104b84264b8b_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1476 wrote to memory of 2456	1476	2024-09-17_38a6bcbd35708a03a4bd104b84264b8b_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1476 wrote to memory of 2456	1476	2024-09-17_38a6bcbd35708a03a4bd104b84264b8b_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1476 wrote to memory of 3572	1476	2024-09-17_38a6bcbd35708a03a4bd104b84264b8b_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1476 wrote to memory of 3572	1476	2024-09-17_38a6bcbd35708a03a4bd104b84264b8b_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1476 wrote to memory of 4012	1476	2024-09-17_38a6bcbd35708a03a4bd104b84264b8b_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1476 wrote to memory of 4012	1476	2024-09-17_38a6bcbd35708a03a4bd104b84264b8b_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1476 wrote to memory of 4512	1476	2024-09-17_38a6bcbd35708a03a4bd104b84264b8b_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1476 wrote to memory of 4512	1476	2024-09-17_38a6bcbd35708a03a4bd104b84264b8b_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1476 wrote to memory of 1120	1476	2024-09-17_38a6bcbd35708a03a4bd104b84264b8b_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 1476 wrote to memory of 1120	1476	2024-09-17_38a6bcbd35708a03a4bd104b84264b8b_cobalt-strike_cobaltstrike_poet-rat.exe	103

C:\Users\Admin\AppData\Local\Temp\2024-09-17_38a6bcbd35708a03a4bd104b84264b8b_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-17_38a6bcbd35708a03a4bd104b84264b8b_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1476
- C:\Windows\System\iVEVktr.exe
  C:\Windows\System\iVEVktr.exe
  2⤵
  - Executes dropped EXE
  PID:3068
- C:\Windows\System\dIgtdgD.exe
  C:\Windows\System\dIgtdgD.exe
  2⤵
  - Executes dropped EXE
  PID:2876
- C:\Windows\System\RgEfeBp.exe
  C:\Windows\System\RgEfeBp.exe
  2⤵
  - Executes dropped EXE
  PID:980
- C:\Windows\System\zWYQNmG.exe
  C:\Windows\System\zWYQNmG.exe
  2⤵
  - Executes dropped EXE
  PID:3420
- C:\Windows\System\hkmFWXr.exe
  C:\Windows\System\hkmFWXr.exe
  2⤵
  - Executes dropped EXE
  PID:1040
- C:\Windows\System\zEftmQl.exe
  C:\Windows\System\zEftmQl.exe
  2⤵
  - Executes dropped EXE
  PID:4472
- C:\Windows\System\VhnTZLA.exe
  C:\Windows\System\VhnTZLA.exe
  2⤵
  - Executes dropped EXE
  PID:4428
- C:\Windows\System\yzGMsyv.exe
  C:\Windows\System\yzGMsyv.exe
  2⤵
  - Executes dropped EXE
  PID:3104
- C:\Windows\System\OrFTGgH.exe
  C:\Windows\System\OrFTGgH.exe
  2⤵
  - Executes dropped EXE
  PID:4600
- C:\Windows\System\XpVAabC.exe
  C:\Windows\System\XpVAabC.exe
  2⤵
  - Executes dropped EXE
  PID:4908
- C:\Windows\System\BBnCwIs.exe
  C:\Windows\System\BBnCwIs.exe
  2⤵
  - Executes dropped EXE
  PID:2216
- C:\Windows\System\JkxCWTM.exe
  C:\Windows\System\JkxCWTM.exe
  2⤵
  - Executes dropped EXE
  PID:4992
- C:\Windows\System\pdsCLhZ.exe
  C:\Windows\System\pdsCLhZ.exe
  2⤵
  - Executes dropped EXE
  PID:2528
- C:\Windows\System\EjuWcwT.exe
  C:\Windows\System\EjuWcwT.exe
  2⤵
  - Executes dropped EXE
  PID:3736
- C:\Windows\System\eCOIiPM.exe
  C:\Windows\System\eCOIiPM.exe
  2⤵
  - Executes dropped EXE
  PID:4172
- C:\Windows\System\yAAUHVz.exe
  C:\Windows\System\yAAUHVz.exe
  2⤵
  - Executes dropped EXE
  PID:4920
- C:\Windows\System\cUDuKmu.exe
  C:\Windows\System\cUDuKmu.exe
  2⤵
  - Executes dropped EXE
  PID:2456
- C:\Windows\System\EvOkcHO.exe
  C:\Windows\System\EvOkcHO.exe
  2⤵
  - Executes dropped EXE
  PID:3572
- C:\Windows\System\yKXzbpT.exe
  C:\Windows\System\yKXzbpT.exe
  2⤵
  - Executes dropped EXE
  PID:4012
- C:\Windows\System\hXdyQKJ.exe
  C:\Windows\System\hXdyQKJ.exe
  2⤵
  - Executes dropped EXE
  PID:4512
- C:\Windows\System\dQnENlt.exe
  C:\Windows\System\dQnENlt.exe
  2⤵
  - Executes dropped EXE
  PID:1120

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BBnCwIs.exe

Filesize
5.2MB

MD5
130565f503239c99c4e1b58e30bef10b

SHA1
bcc8402cc0bd98bd17e7c3ec4ae7c809c0cc2fe7

SHA256
4dc90e1dd3c52a95049b39923693da2684185e10303adc319482028c95640b14

SHA512
24041f5cae8839cc23b10f9d35e6226b980943295c69b8abedfaae496267fcf7aeacbbc1c600b74a0bbce01d72f1ee9e816e1ff04f3f22f5cb583e355698d71f

Download Submit
C:\Windows\System\EjuWcwT.exe

Filesize
5.2MB

MD5
48a3adb768e6b8329e90e3fb0ebb9d1c

SHA1
c3b3ed0f6d85aec670185b8e8fa650b111dfadb0

SHA256
c86fb414a1e27c78495a8e5a20715a0f834aaab3e372ec9f674e4a207f49dc33

SHA512
9811c86afb104f387e5cd978a68f7f23083ee3376a0e2500905cb322f0173df1f045982c3181807dbe5a4d5a06d764589cf4749784f1a6b933966d1a427f2b3d

Download Submit
C:\Windows\System\EvOkcHO.exe

Filesize
5.2MB

MD5
fff3224c36f644bdcf36f4db96fbcaa0

SHA1
fe4dc8ddbfd0883153441e34154736ebb2d93fbc

SHA256
e9f3b3a658ec242f1f061ca76b51cbbc490b1df1074928c2c8a5798acdd2f217

SHA512
1de02d822fc28c5bb93667895732511ca3260e4e247020c89068f85c4f342e8b53ce55a14e3c9afb15c07038b218bebb45ef20459e5d38db29b7f1151f2a67c1

Download Submit
C:\Windows\System\JkxCWTM.exe

Filesize
5.2MB

MD5
e6d1658407fdb6771083edbcf8cf2301

SHA1
e854c62cb708c03beb94f147fd0817af2031c215

SHA256
008eaf43de1d4442d9686f4fecc855b1965b932b95511dfb088f8b1428303f35

SHA512
dc5b4226bd33e40e61d71ea207d243252de9be2d94685eba1474354c8480b4d657580d8b3341c4f4b41ae34e258383190474b4f688799a0d25984e81dcd685f1

Download Submit
C:\Windows\System\OrFTGgH.exe

Filesize
5.2MB

MD5
927fb3396bcd2ba78d31a0d4a8b6a903

SHA1
cbfde2b8cca0878b5f7da35b0bf6d3d2b56dd84b

SHA256
71d15928c8fc3eec3094d45693863900f953a8884fe071e930410897079cc2ec

SHA512
80653b8b641a807bde6146947b9faf5151e80f007386157a01c171eaa494e83230d204848633ea77d98894045a2d6c1c3fe6c586f647dd8f608f05b50800ca74

Download Submit
C:\Windows\System\RgEfeBp.exe

Filesize
5.2MB

MD5
6cd39cbc8ff9929338c45a99a5db88b8

SHA1
a04a373aefcd37b32173da952fe687a574e13e11

SHA256
100c32c8c934066719281c37eca06a10d5bf4160d83bae78f15f0f840bf9be58

SHA512
52fd3d4594b21451542237a54e602282a51f977980b2a26b2c4d18bbf911663cd4495cfbd9351d6794da5bacc7afc9bccf5eb79c7e92a35ef2f85e44d553c932

Download Submit
C:\Windows\System\VhnTZLA.exe

Filesize
5.2MB

MD5
8a0e2fb956aa8d5dfa6fb4be6b2ddfe8

SHA1
4902555b12c9938925cd8253125837740d97e4cf

SHA256
fd46ec5d1ef7597e0689479313152a523fa98c4d696e39aedfa2eddf949604ce

SHA512
d4d4909d85aafa2925905d24d702d86f16fac141134bfc30713dec2437f0471b0ce6181cc5212fc0c0d6b32359a795264d327e4736a42352ea122f48ffa9c46f

Download Submit
C:\Windows\System\XpVAabC.exe

Filesize
5.2MB

MD5
3632740399c7dbf0da2043c81ed1763d

SHA1
c0bde2727880274bca7d4f96ff70f16fbd4ab8b0

SHA256
0c5b7b35cf1d05004bac03764511d2806d6df433b0ef60046847ed71679a685f

SHA512
6c76bbc094a69bb75ae2ca1fc270425109a465a477db7b8779bab5039854265eff88fe50178f54594e7dea15fe4e5c3bc1460ee22a6fe9fbd50977c644bff5e9

Download Submit
C:\Windows\System\cUDuKmu.exe

Filesize
5.2MB

MD5
2df9a935d9c51b072804beed2609493e

SHA1
50874cb199fed4fa00121661028724b3fea22bfe

SHA256
53261266a455ca73d2db526104377d9ac528510cef0b357c21b05ecbc967ac5d

SHA512
195d4b9fa7288a16f767d7aa653c70aaba56e17dd179f8e7c3d4811d10e6b7ce09e117e055c749c01ea7f9ccb819077fdf5ad287d777cbf15c225b804097def9

Download Submit
C:\Windows\System\dIgtdgD.exe

Filesize
5.2MB

MD5
fec4fa09e44e2afb9c260e47c23de754

SHA1
acdc14d56c38b9b173732ebaef2bdf47009a24e9

SHA256
de4fff6a31518a5018f3ebbbbb76be088173aa1527b7904f6063dbc1bc5ac40d

SHA512
37f063c9c3246afe2a93671519ecdf7f0e8522bbd82f7f8f4b8bd5833e87da22ab664e951da1009239c0109ec76d0556d4565cc4b3e5edf82f78a191997a96b6

Download Submit
C:\Windows\System\dQnENlt.exe

Filesize
5.2MB

MD5
e8f5a55caf73d829f7dbb986712fddd8

SHA1
f25c2e2e65a980944c8b36e40fe6ee30c9048b05

SHA256
f79398bde4388e6a6fde81c6ef054bf4b4cb5d675ed20e1118c31f7e78b54c55

SHA512
d0bab40dce5f06cb2f51cbdd0936c0dd4fadd55fecf0b6251f12915eac064ef461dabd4e00b153d71041a1c48cbbe55c3bd2e92e3f3d4787bd4398bc4f263b34

Download Submit
C:\Windows\System\eCOIiPM.exe

Filesize
5.2MB

MD5
7596a66780ef090146f65aeb4099f3b7

SHA1
fe2747cef2fd84781d7955a059087a41ed347a8d

SHA256
cee15ba41a16ea1b838a8d80ad4e9d97d4e08b278c68e900d85359a7079735d7

SHA512
2f721c8683d4a5d0a77ee8adf086621581a4be987cb572d4abe134f8500cd6dbe2a03bc0b64c45791ef121cb5f9e858586440d0140c1da18656ff09294b55efc

Download Submit
C:\Windows\System\hXdyQKJ.exe

Filesize
5.2MB

MD5
64c29ceeb1c86f35c1385771ca5bc149

SHA1
60367d21e673c6fbd211901d0fa0b176ebacc120

SHA256
318840da332e931aa66a409896f3318d86a860e8c9899bd560fc249804cc6cea

SHA512
41e5f018b01cd822913a5dac15704a4bded2a9d415f72387f459fbc5dca013f0ed56d363cff5867e7711e8db885aeff7750927027cb885768fe31512dc3d913b

Download Submit
C:\Windows\System\hkmFWXr.exe

Filesize
5.2MB

MD5
0f3b983c67e5d83c92f9b9a6122ec300

SHA1
048aad8abdfebca96dd3faa65b78be1b7e8cb0d1

SHA256
5a6deb9e43d9d19f47224a384875cf91b54526827b93a1aa42bbef2579261858

SHA512
447e14d379b26c8a03171393791e9f028b8d67f6347b21f03d2f395fa2a994fbfb96198a5bd1e5bceef3c17228fab4dbb62f9f0abbb1d630c43ef9bbb03a4243

Download Submit
C:\Windows\System\iVEVktr.exe

Filesize
5.2MB

MD5
a4645b8147969e2e7a5f86701199a4a7

SHA1
be8d7ddf83cdf73e2c8ac87591c397443dbfdf53

SHA256
7b064568a3b46c91545249b75a2f10df7da18b61810d3a041ee2cc128c89d568

SHA512
de54d0f9068813befd201781a617063c7b44eeed0ec4ced01146252a9f7b4a439bf0e959a3f98a1ae76bac50a7231af7ff7cd849a0309df639d20c8179f086e1

Download Submit
C:\Windows\System\pdsCLhZ.exe

Filesize
5.2MB

MD5
ef46cc704e09432859da15170a8f693a

SHA1
cff17763e67a9b77b1241c09d23324efefbf1a21

SHA256
604eef90083f76a96ccdd7d49cd1a5ce716f3ab73c0c5f5caaf37fbb0a1043ce

SHA512
ad922a9e3c131c2ef832b0630dc00e4ac054fb8d119d3131a241c58443d9da0680f63463e0b0a0b26f55f30772ce4600b1e2a3932c18f4f5f5b6568d26d391d3

Download Submit
C:\Windows\System\yAAUHVz.exe

Filesize
5.2MB

MD5
3fdee6abad174b3427a8f3a57a1f659b

SHA1
d9c64f0649573d9a59297ed4c21b7aad3d46d6ef

SHA256
5b5e2a125f001c969a39fd749bb554ff645814b10bc5a5eae2eaf81e155c072b

SHA512
cf353aa82c3fcea057feda50d7b7a6239c7b62a92034a58448e6ad4b0115859306d4b8dcc8dab1fa60b651bd0001c9168acdbb45793b10dbce64febb91fc08ff

Download Submit
C:\Windows\System\yKXzbpT.exe

Filesize
5.2MB

MD5
38b00d2463d57ad8ab58645ad32c6808

SHA1
7e74627a4104c2d3a52984358dccbdaa3bfb3b1c

SHA256
df07ba973f785cfabd850f2bc1c3ba97b8afdc5cbd8b21ecd344c31270910328

SHA512
9dc4eafb7b34922be016fa8a9718991d2fe316f2bb126a15df39e7771c1b2412a0378f5cd41ce19b53514c0757c2da7ece3b5d52afb57ff827ebdcf76e9b1347

Download Submit
C:\Windows\System\yzGMsyv.exe

Filesize
5.2MB

MD5
a4b34e78b6ea78d00780caa697604e44

SHA1
40c937c290c913ff9fb31f8abcf002ba772d84ae

SHA256
ae39efebf759102de84ac10544a794a1628c65449832ec64993b28c2459c3b97

SHA512
45fa42e8ef195d31790d59c1e64023d619bfd5082beda35a3ef093e456c3e677046777f0f5285f01101b085239eb94df8a07c0e1896bd066163c32bba7fe40bb

Download Submit
C:\Windows\System\zEftmQl.exe

Filesize
5.2MB

MD5
dc4e98bc986f046b2ab16d4ca9fb6875

SHA1
b9f72d590f58d6eddab32dc685e89c108cb7b403

SHA256
ce07d6a0cb14f0496db97e3b4564808c71b5ca932718b85bcfbf20370c1f085a

SHA512
47172d9ecc770eb8a7d1711233328e1b0a55676d36dbed707202e15d4a866227fabd9b15ed8d632c83a35e45d2e5100a9299d7f60e37f094825f19e8325b94e5

Download Submit
C:\Windows\System\zWYQNmG.exe

Filesize
5.2MB

MD5
ff76655b95ef2a76ea293b08fc887c6b

SHA1
b0f6ddd39fae5083247adb8698c0de10a5137047

SHA256
b2f1b6b508203391df8c4d5265a19b29b7b3b67980a308ab76962890be253dd6

SHA512
47bcb5a9dea7ed4b0caf942c74924151316f1665bdcbd6770f03a45e6c894790b8bf6aced6f08c2d49e3ea515d695147d8cc79f3ff76de92152502392c6fda7b

Download Submit
memory/980-84-0x00007FF715510000-0x00007FF715861000-memory.dmp

Filesize
3.3MB

Download
memory/980-20-0x00007FF715510000-0x00007FF715861000-memory.dmp

Filesize
3.3MB

Download
memory/980-228-0x00007FF715510000-0x00007FF715861000-memory.dmp

Filesize
3.3MB

Download
memory/1040-30-0x00007FF762480000-0x00007FF7627D1000-memory.dmp

Filesize
3.3MB

Download
memory/1040-234-0x00007FF762480000-0x00007FF7627D1000-memory.dmp

Filesize
3.3MB

Download
memory/1040-95-0x00007FF762480000-0x00007FF7627D1000-memory.dmp

Filesize
3.3MB

Download
memory/1120-132-0x00007FF62D180000-0x00007FF62D4D1000-memory.dmp

Filesize
3.3MB

Download
memory/1120-274-0x00007FF62D180000-0x00007FF62D4D1000-memory.dmp

Filesize
3.3MB

Download
memory/1120-166-0x00007FF62D180000-0x00007FF62D4D1000-memory.dmp

Filesize
3.3MB

Download
memory/1476-138-0x00007FF7975E0000-0x00007FF797931000-memory.dmp

Filesize
3.3MB

Download
memory/1476-68-0x00007FF7975E0000-0x00007FF797931000-memory.dmp

Filesize
3.3MB

Download
memory/1476-167-0x00007FF7975E0000-0x00007FF797931000-memory.dmp

Filesize
3.3MB

Download
memory/1476-0-0x00007FF7975E0000-0x00007FF797931000-memory.dmp

Filesize
3.3MB

Download
memory/1476-1-0x00000183324C0000-0x00000183324D0000-memory.dmp

Filesize
64KB

Download
memory/2216-71-0x00007FF6EF0F0000-0x00007FF6EF441000-memory.dmp

Filesize
3.3MB

Download
memory/2216-247-0x00007FF6EF0F0000-0x00007FF6EF441000-memory.dmp

Filesize
3.3MB

Download
memory/2456-268-0x00007FF6A0A40000-0x00007FF6A0D91000-memory.dmp

Filesize
3.3MB

Download
memory/2456-157-0x00007FF6A0A40000-0x00007FF6A0D91000-memory.dmp

Filesize
3.3MB

Download
memory/2456-114-0x00007FF6A0A40000-0x00007FF6A0D91000-memory.dmp

Filesize
3.3MB

Download
memory/2528-251-0x00007FF7F15E0000-0x00007FF7F1931000-memory.dmp

Filesize
3.3MB

Download
memory/2528-151-0x00007FF7F15E0000-0x00007FF7F1931000-memory.dmp

Filesize
3.3MB

Download
memory/2528-81-0x00007FF7F15E0000-0x00007FF7F1931000-memory.dmp

Filesize
3.3MB

Download
memory/2876-226-0x00007FF74B510000-0x00007FF74B861000-memory.dmp

Filesize
3.3MB

Download
memory/2876-80-0x00007FF74B510000-0x00007FF74B861000-memory.dmp

Filesize
3.3MB

Download
memory/2876-12-0x00007FF74B510000-0x00007FF74B861000-memory.dmp

Filesize
3.3MB

Download
memory/3068-73-0x00007FF6377C0000-0x00007FF637B11000-memory.dmp

Filesize
3.3MB

Download
memory/3068-224-0x00007FF6377C0000-0x00007FF637B11000-memory.dmp

Filesize
3.3MB

Download
memory/3068-7-0x00007FF6377C0000-0x00007FF637B11000-memory.dmp

Filesize
3.3MB

Download
memory/3104-238-0x00007FF619F70000-0x00007FF61A2C1000-memory.dmp

Filesize
3.3MB

Download
memory/3104-57-0x00007FF619F70000-0x00007FF61A2C1000-memory.dmp

Filesize
3.3MB

Download
memory/3420-230-0x00007FF67D260000-0x00007FF67D5B1000-memory.dmp

Filesize
3.3MB

Download
memory/3420-89-0x00007FF67D260000-0x00007FF67D5B1000-memory.dmp

Filesize
3.3MB

Download
memory/3420-29-0x00007FF67D260000-0x00007FF67D5B1000-memory.dmp

Filesize
3.3MB

Download
memory/3572-158-0x00007FF7BD260000-0x00007FF7BD5B1000-memory.dmp

Filesize
3.3MB

Download
memory/3572-266-0x00007FF7BD260000-0x00007FF7BD5B1000-memory.dmp

Filesize
3.3MB

Download
memory/3572-117-0x00007FF7BD260000-0x00007FF7BD5B1000-memory.dmp

Filesize
3.3MB

Download
memory/3736-256-0x00007FF6F9A00000-0x00007FF6F9D51000-memory.dmp

Filesize
3.3MB

Download
memory/3736-91-0x00007FF6F9A00000-0x00007FF6F9D51000-memory.dmp

Filesize
3.3MB

Download
memory/4012-129-0x00007FF673410000-0x00007FF673761000-memory.dmp

Filesize
3.3MB

Download
memory/4012-165-0x00007FF673410000-0x00007FF673761000-memory.dmp

Filesize
3.3MB

Download
memory/4012-272-0x00007FF673410000-0x00007FF673761000-memory.dmp

Filesize
3.3MB

Download
memory/4172-258-0x00007FF683830000-0x00007FF683B81000-memory.dmp

Filesize
3.3MB

Download
memory/4172-155-0x00007FF683830000-0x00007FF683B81000-memory.dmp

Filesize
3.3MB

Download
memory/4172-99-0x00007FF683830000-0x00007FF683B81000-memory.dmp

Filesize
3.3MB

Download
memory/4428-54-0x00007FF781220000-0x00007FF781571000-memory.dmp

Filesize
3.3MB

Download
memory/4428-236-0x00007FF781220000-0x00007FF781571000-memory.dmp

Filesize
3.3MB

Download
memory/4428-110-0x00007FF781220000-0x00007FF781571000-memory.dmp

Filesize
3.3MB

Download
memory/4472-107-0x00007FF6BF030000-0x00007FF6BF381000-memory.dmp

Filesize
3.3MB

Download
memory/4472-36-0x00007FF6BF030000-0x00007FF6BF381000-memory.dmp

Filesize
3.3MB

Download
memory/4472-233-0x00007FF6BF030000-0x00007FF6BF381000-memory.dmp

Filesize
3.3MB

Download
memory/4512-271-0x00007FF62CD70000-0x00007FF62D0C1000-memory.dmp

Filesize
3.3MB

Download
memory/4512-133-0x00007FF62CD70000-0x00007FF62D0C1000-memory.dmp

Filesize
3.3MB

Download
memory/4512-163-0x00007FF62CD70000-0x00007FF62D0C1000-memory.dmp

Filesize
3.3MB

Download
memory/4600-112-0x00007FF611E70000-0x00007FF6121C1000-memory.dmp

Filesize
3.3MB

Download
memory/4600-240-0x00007FF611E70000-0x00007FF6121C1000-memory.dmp

Filesize
3.3MB

Download
memory/4600-56-0x00007FF611E70000-0x00007FF6121C1000-memory.dmp

Filesize
3.3MB

Download
memory/4908-58-0x00007FF6220E0000-0x00007FF622431000-memory.dmp

Filesize
3.3MB

Download
memory/4908-128-0x00007FF6220E0000-0x00007FF622431000-memory.dmp

Filesize
3.3MB

Download
memory/4908-242-0x00007FF6220E0000-0x00007FF622431000-memory.dmp

Filesize
3.3MB

Download
memory/4920-264-0x00007FF629AE0000-0x00007FF629E31000-memory.dmp

Filesize
3.3MB

Download
memory/4920-113-0x00007FF629AE0000-0x00007FF629E31000-memory.dmp

Filesize
3.3MB

Download
memory/4992-249-0x00007FF60EE70000-0x00007FF60F1C1000-memory.dmp

Filesize
3.3MB

Download
memory/4992-147-0x00007FF60EE70000-0x00007FF60F1C1000-memory.dmp

Filesize
3.3MB

Download
memory/4992-74-0x00007FF60EE70000-0x00007FF60F1C1000-memory.dmp

Filesize
3.3MB

Download