cobaltstrike | cb72dde034b9f405b43c16ea86bf9ce7200db338faeacd1020163ecb5f88eb93

Analysis

max time kernel
141s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17-09-2024 07:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-17_4e0a28e11daa4483b7ba685f90f6cd73_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

4e0a28e11daa4483b7ba685f90f6cd73
SHA1

374ba5af997d283e1e12ba55e4af76fecccf27ac
SHA256

cb72dde034b9f405b43c16ea86bf9ce7200db338faeacd1020163ecb5f88eb93
SHA512

923ff0c924d68cc4e146179e26854f7ac28853dba8b35aa8a7ba4d194dbadf1ce132271968e3498fafd2d1e56613194535d003d5863952212853e64cbe2d867e
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lH:RWWBibf56utgpPFotBER/mQ32lUD

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000b000000023416-5.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345b-10.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345a-15.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345f-34.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023461-57.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023465-76.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023466-92.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023469-112.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002346b-119.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002346c-125.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002346a-114.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023468-99.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023467-95.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023457-94.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023462-73.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023464-70.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023463-68.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345e-46.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345c-36.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023460-35.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345d-41.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 46 IoCs

miner

resource	yara_rule
behavioral2/memory/2624-88-0x00007FF74F5D0000-0x00007FF74F921000-memory.dmp	xmrig
behavioral2/memory/3288-123-0x00007FF7AA3C0000-0x00007FF7AA711000-memory.dmp	xmrig
behavioral2/memory/5112-122-0x00007FF768470000-0x00007FF7687C1000-memory.dmp	xmrig
behavioral2/memory/3980-118-0x00007FF67D8F0000-0x00007FF67DC41000-memory.dmp	xmrig
behavioral2/memory/3428-117-0x00007FF7816C0000-0x00007FF781A11000-memory.dmp	xmrig
behavioral2/memory/4508-109-0x00007FF66CF50000-0x00007FF66D2A1000-memory.dmp	xmrig
behavioral2/memory/4512-108-0x00007FF73DC10000-0x00007FF73DF61000-memory.dmp	xmrig
behavioral2/memory/4372-100-0x00007FF6ECED0000-0x00007FF6ED221000-memory.dmp	xmrig
behavioral2/memory/4980-91-0x00007FF7895F0000-0x00007FF789941000-memory.dmp	xmrig
behavioral2/memory/4736-90-0x00007FF6BFC30000-0x00007FF6BFF81000-memory.dmp	xmrig
behavioral2/memory/3572-82-0x00007FF7D17F0000-0x00007FF7D1B41000-memory.dmp	xmrig
behavioral2/memory/220-63-0x00007FF725100000-0x00007FF725451000-memory.dmp	xmrig
behavioral2/memory/2496-62-0x00007FF7F8530000-0x00007FF7F8881000-memory.dmp	xmrig
behavioral2/memory/5044-129-0x00007FF6229A0000-0x00007FF622CF1000-memory.dmp	xmrig
behavioral2/memory/5104-132-0x00007FF643790000-0x00007FF643AE1000-memory.dmp	xmrig
behavioral2/memory/3236-128-0x00007FF60E7E0000-0x00007FF60EB31000-memory.dmp	xmrig
behavioral2/memory/1428-133-0x00007FF62B2A0000-0x00007FF62B5F1000-memory.dmp	xmrig
behavioral2/memory/1416-130-0x00007FF7A7A50000-0x00007FF7A7DA1000-memory.dmp	xmrig
behavioral2/memory/2720-140-0x00007FF771000000-0x00007FF771351000-memory.dmp	xmrig
behavioral2/memory/2420-147-0x00007FF72EFC0000-0x00007FF72F311000-memory.dmp	xmrig
behavioral2/memory/3980-145-0x00007FF67D8F0000-0x00007FF67DC41000-memory.dmp	xmrig
behavioral2/memory/4616-141-0x00007FF79B6D0000-0x00007FF79BA21000-memory.dmp	xmrig
behavioral2/memory/3392-149-0x00007FF6ACD40000-0x00007FF6AD091000-memory.dmp	xmrig
behavioral2/memory/3236-150-0x00007FF60E7E0000-0x00007FF60EB31000-memory.dmp	xmrig
behavioral2/memory/3236-151-0x00007FF60E7E0000-0x00007FF60EB31000-memory.dmp	xmrig
behavioral2/memory/5044-213-0x00007FF6229A0000-0x00007FF622CF1000-memory.dmp	xmrig
behavioral2/memory/1416-215-0x00007FF7A7A50000-0x00007FF7A7DA1000-memory.dmp	xmrig
behavioral2/memory/3572-217-0x00007FF7D17F0000-0x00007FF7D1B41000-memory.dmp	xmrig
behavioral2/memory/2496-219-0x00007FF7F8530000-0x00007FF7F8881000-memory.dmp	xmrig
behavioral2/memory/1428-221-0x00007FF62B2A0000-0x00007FF62B5F1000-memory.dmp	xmrig
behavioral2/memory/5104-225-0x00007FF643790000-0x00007FF643AE1000-memory.dmp	xmrig
behavioral2/memory/2624-224-0x00007FF74F5D0000-0x00007FF74F921000-memory.dmp	xmrig
behavioral2/memory/4736-227-0x00007FF6BFC30000-0x00007FF6BFF81000-memory.dmp	xmrig
behavioral2/memory/220-229-0x00007FF725100000-0x00007FF725451000-memory.dmp	xmrig
behavioral2/memory/4980-231-0x00007FF7895F0000-0x00007FF789941000-memory.dmp	xmrig
behavioral2/memory/2720-233-0x00007FF771000000-0x00007FF771351000-memory.dmp	xmrig
behavioral2/memory/4372-235-0x00007FF6ECED0000-0x00007FF6ED221000-memory.dmp	xmrig
behavioral2/memory/4616-242-0x00007FF79B6D0000-0x00007FF79BA21000-memory.dmp	xmrig
behavioral2/memory/3428-244-0x00007FF7816C0000-0x00007FF781A11000-memory.dmp	xmrig
behavioral2/memory/4512-246-0x00007FF73DC10000-0x00007FF73DF61000-memory.dmp	xmrig
behavioral2/memory/4508-248-0x00007FF66CF50000-0x00007FF66D2A1000-memory.dmp	xmrig
behavioral2/memory/5112-250-0x00007FF768470000-0x00007FF7687C1000-memory.dmp	xmrig
behavioral2/memory/2420-252-0x00007FF72EFC0000-0x00007FF72F311000-memory.dmp	xmrig
behavioral2/memory/3288-254-0x00007FF7AA3C0000-0x00007FF7AA711000-memory.dmp	xmrig
behavioral2/memory/3392-256-0x00007FF6ACD40000-0x00007FF6AD091000-memory.dmp	xmrig
behavioral2/memory/3980-259-0x00007FF67D8F0000-0x00007FF67DC41000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
5044	herlywJ.exe
1416	alBJjmb.exe
3572	JQsMHLk.exe
5104	ZMECTBy.exe
1428	pmWSgZP.exe
2624	IicQFos.exe
4736	zMnDsoj.exe
2496	WfBesuW.exe
220	EsQvtwJ.exe
4980	jUDIyxn.exe
2720	GFREkfh.exe
4372	xWWghox.exe
4616	zeEcunf.exe
3428	xFbiTZE.exe
4512	FFAscpy.exe
4508	OGFyLrB.exe
3980	uLjgrFk.exe
5112	qCavcki.exe
2420	ckcPUzC.exe
3288	PDMBVgb.exe
3392	UZXbQfC.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3236-0-0x00007FF60E7E0000-0x00007FF60EB31000-memory.dmp	upx
behavioral2/files/0x000b000000023416-5.dat	upx
behavioral2/memory/5044-6-0x00007FF6229A0000-0x00007FF622CF1000-memory.dmp	upx
behavioral2/files/0x000700000002345b-10.dat	upx
behavioral2/files/0x000700000002345a-15.dat	upx
behavioral2/files/0x000700000002345f-34.dat	upx
behavioral2/files/0x0007000000023461-57.dat	upx
behavioral2/memory/2720-66-0x00007FF771000000-0x00007FF771351000-memory.dmp	upx
behavioral2/files/0x0007000000023465-76.dat	upx
behavioral2/memory/2624-88-0x00007FF74F5D0000-0x00007FF74F921000-memory.dmp	upx
behavioral2/files/0x0007000000023466-92.dat	upx
behavioral2/files/0x0007000000023469-112.dat	upx
behavioral2/files/0x000700000002346b-119.dat	upx
behavioral2/files/0x000700000002346c-125.dat	upx
behavioral2/memory/3392-124-0x00007FF6ACD40000-0x00007FF6AD091000-memory.dmp	upx
behavioral2/memory/3288-123-0x00007FF7AA3C0000-0x00007FF7AA711000-memory.dmp	upx
behavioral2/memory/5112-122-0x00007FF768470000-0x00007FF7687C1000-memory.dmp	upx
behavioral2/memory/3980-118-0x00007FF67D8F0000-0x00007FF67DC41000-memory.dmp	upx
behavioral2/memory/3428-117-0x00007FF7816C0000-0x00007FF781A11000-memory.dmp	upx
behavioral2/files/0x000700000002346a-114.dat	upx
behavioral2/memory/2420-111-0x00007FF72EFC0000-0x00007FF72F311000-memory.dmp	upx
behavioral2/memory/4508-109-0x00007FF66CF50000-0x00007FF66D2A1000-memory.dmp	upx
behavioral2/memory/4512-108-0x00007FF73DC10000-0x00007FF73DF61000-memory.dmp	upx
behavioral2/memory/4372-100-0x00007FF6ECED0000-0x00007FF6ED221000-memory.dmp	upx
behavioral2/files/0x0007000000023468-99.dat	upx
behavioral2/files/0x0007000000023467-95.dat	upx
behavioral2/files/0x0008000000023457-94.dat	upx
behavioral2/memory/4980-91-0x00007FF7895F0000-0x00007FF789941000-memory.dmp	upx
behavioral2/memory/4736-90-0x00007FF6BFC30000-0x00007FF6BFF81000-memory.dmp	upx
behavioral2/memory/3572-82-0x00007FF7D17F0000-0x00007FF7D1B41000-memory.dmp	upx
behavioral2/files/0x0007000000023462-73.dat	upx
behavioral2/files/0x0007000000023464-70.dat	upx
behavioral2/memory/220-63-0x00007FF725100000-0x00007FF725451000-memory.dmp	upx
behavioral2/memory/2496-62-0x00007FF7F8530000-0x00007FF7F8881000-memory.dmp	upx
behavioral2/files/0x0007000000023463-68.dat	upx
behavioral2/memory/4616-67-0x00007FF79B6D0000-0x00007FF79BA21000-memory.dmp	upx
behavioral2/files/0x000700000002345e-46.dat	upx
behavioral2/files/0x000700000002345c-36.dat	upx
behavioral2/files/0x0007000000023460-35.dat	upx
behavioral2/memory/1428-42-0x00007FF62B2A0000-0x00007FF62B5F1000-memory.dmp	upx
behavioral2/files/0x000700000002345d-41.dat	upx
behavioral2/memory/5104-29-0x00007FF643790000-0x00007FF643AE1000-memory.dmp	upx
behavioral2/memory/1416-23-0x00007FF7A7A50000-0x00007FF7A7DA1000-memory.dmp	upx
behavioral2/memory/5044-129-0x00007FF6229A0000-0x00007FF622CF1000-memory.dmp	upx
behavioral2/memory/5104-132-0x00007FF643790000-0x00007FF643AE1000-memory.dmp	upx
behavioral2/memory/3236-128-0x00007FF60E7E0000-0x00007FF60EB31000-memory.dmp	upx
behavioral2/memory/1428-133-0x00007FF62B2A0000-0x00007FF62B5F1000-memory.dmp	upx
behavioral2/memory/1416-130-0x00007FF7A7A50000-0x00007FF7A7DA1000-memory.dmp	upx
behavioral2/memory/2720-140-0x00007FF771000000-0x00007FF771351000-memory.dmp	upx
behavioral2/memory/2420-147-0x00007FF72EFC0000-0x00007FF72F311000-memory.dmp	upx
behavioral2/memory/3980-145-0x00007FF67D8F0000-0x00007FF67DC41000-memory.dmp	upx
behavioral2/memory/4616-141-0x00007FF79B6D0000-0x00007FF79BA21000-memory.dmp	upx
behavioral2/memory/3392-149-0x00007FF6ACD40000-0x00007FF6AD091000-memory.dmp	upx
behavioral2/memory/3236-150-0x00007FF60E7E0000-0x00007FF60EB31000-memory.dmp	upx
behavioral2/memory/3236-151-0x00007FF60E7E0000-0x00007FF60EB31000-memory.dmp	upx
behavioral2/memory/5044-213-0x00007FF6229A0000-0x00007FF622CF1000-memory.dmp	upx
behavioral2/memory/1416-215-0x00007FF7A7A50000-0x00007FF7A7DA1000-memory.dmp	upx
behavioral2/memory/3572-217-0x00007FF7D17F0000-0x00007FF7D1B41000-memory.dmp	upx
behavioral2/memory/2496-219-0x00007FF7F8530000-0x00007FF7F8881000-memory.dmp	upx
behavioral2/memory/1428-221-0x00007FF62B2A0000-0x00007FF62B5F1000-memory.dmp	upx
behavioral2/memory/5104-225-0x00007FF643790000-0x00007FF643AE1000-memory.dmp	upx
behavioral2/memory/2624-224-0x00007FF74F5D0000-0x00007FF74F921000-memory.dmp	upx
behavioral2/memory/4736-227-0x00007FF6BFC30000-0x00007FF6BFF81000-memory.dmp	upx
behavioral2/memory/220-229-0x00007FF725100000-0x00007FF725451000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\xWWghox.exe	2024-09-17_4e0a28e11daa4483b7ba685f90f6cd73_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jUDIyxn.exe	2024-09-17_4e0a28e11daa4483b7ba685f90f6cd73_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xFbiTZE.exe	2024-09-17_4e0a28e11daa4483b7ba685f90f6cd73_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OGFyLrB.exe	2024-09-17_4e0a28e11daa4483b7ba685f90f6cd73_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PDMBVgb.exe	2024-09-17_4e0a28e11daa4483b7ba685f90f6cd73_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\herlywJ.exe	2024-09-17_4e0a28e11daa4483b7ba685f90f6cd73_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\alBJjmb.exe	2024-09-17_4e0a28e11daa4483b7ba685f90f6cd73_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JQsMHLk.exe	2024-09-17_4e0a28e11daa4483b7ba685f90f6cd73_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UZXbQfC.exe	2024-09-17_4e0a28e11daa4483b7ba685f90f6cd73_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IicQFos.exe	2024-09-17_4e0a28e11daa4483b7ba685f90f6cd73_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zeEcunf.exe	2024-09-17_4e0a28e11daa4483b7ba685f90f6cd73_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qCavcki.exe	2024-09-17_4e0a28e11daa4483b7ba685f90f6cd73_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FFAscpy.exe	2024-09-17_4e0a28e11daa4483b7ba685f90f6cd73_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uLjgrFk.exe	2024-09-17_4e0a28e11daa4483b7ba685f90f6cd73_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ckcPUzC.exe	2024-09-17_4e0a28e11daa4483b7ba685f90f6cd73_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pmWSgZP.exe	2024-09-17_4e0a28e11daa4483b7ba685f90f6cd73_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zMnDsoj.exe	2024-09-17_4e0a28e11daa4483b7ba685f90f6cd73_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WfBesuW.exe	2024-09-17_4e0a28e11daa4483b7ba685f90f6cd73_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZMECTBy.exe	2024-09-17_4e0a28e11daa4483b7ba685f90f6cd73_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EsQvtwJ.exe	2024-09-17_4e0a28e11daa4483b7ba685f90f6cd73_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GFREkfh.exe	2024-09-17_4e0a28e11daa4483b7ba685f90f6cd73_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3236	2024-09-17_4e0a28e11daa4483b7ba685f90f6cd73_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	3236	2024-09-17_4e0a28e11daa4483b7ba685f90f6cd73_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3236 wrote to memory of 5044	3236	2024-09-17_4e0a28e11daa4483b7ba685f90f6cd73_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 3236 wrote to memory of 5044	3236	2024-09-17_4e0a28e11daa4483b7ba685f90f6cd73_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 3236 wrote to memory of 1416	3236	2024-09-17_4e0a28e11daa4483b7ba685f90f6cd73_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3236 wrote to memory of 1416	3236	2024-09-17_4e0a28e11daa4483b7ba685f90f6cd73_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3236 wrote to memory of 3572	3236	2024-09-17_4e0a28e11daa4483b7ba685f90f6cd73_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3236 wrote to memory of 3572	3236	2024-09-17_4e0a28e11daa4483b7ba685f90f6cd73_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3236 wrote to memory of 5104	3236	2024-09-17_4e0a28e11daa4483b7ba685f90f6cd73_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3236 wrote to memory of 5104	3236	2024-09-17_4e0a28e11daa4483b7ba685f90f6cd73_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3236 wrote to memory of 1428	3236	2024-09-17_4e0a28e11daa4483b7ba685f90f6cd73_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3236 wrote to memory of 1428	3236	2024-09-17_4e0a28e11daa4483b7ba685f90f6cd73_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3236 wrote to memory of 2624	3236	2024-09-17_4e0a28e11daa4483b7ba685f90f6cd73_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3236 wrote to memory of 2624	3236	2024-09-17_4e0a28e11daa4483b7ba685f90f6cd73_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3236 wrote to memory of 4736	3236	2024-09-17_4e0a28e11daa4483b7ba685f90f6cd73_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3236 wrote to memory of 4736	3236	2024-09-17_4e0a28e11daa4483b7ba685f90f6cd73_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3236 wrote to memory of 2496	3236	2024-09-17_4e0a28e11daa4483b7ba685f90f6cd73_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3236 wrote to memory of 2496	3236	2024-09-17_4e0a28e11daa4483b7ba685f90f6cd73_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3236 wrote to memory of 220	3236	2024-09-17_4e0a28e11daa4483b7ba685f90f6cd73_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3236 wrote to memory of 220	3236	2024-09-17_4e0a28e11daa4483b7ba685f90f6cd73_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3236 wrote to memory of 4372	3236	2024-09-17_4e0a28e11daa4483b7ba685f90f6cd73_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3236 wrote to memory of 4372	3236	2024-09-17_4e0a28e11daa4483b7ba685f90f6cd73_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3236 wrote to memory of 4980	3236	2024-09-17_4e0a28e11daa4483b7ba685f90f6cd73_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3236 wrote to memory of 4980	3236	2024-09-17_4e0a28e11daa4483b7ba685f90f6cd73_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3236 wrote to memory of 2720	3236	2024-09-17_4e0a28e11daa4483b7ba685f90f6cd73_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3236 wrote to memory of 2720	3236	2024-09-17_4e0a28e11daa4483b7ba685f90f6cd73_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3236 wrote to memory of 4616	3236	2024-09-17_4e0a28e11daa4483b7ba685f90f6cd73_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3236 wrote to memory of 4616	3236	2024-09-17_4e0a28e11daa4483b7ba685f90f6cd73_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3236 wrote to memory of 3428	3236	2024-09-17_4e0a28e11daa4483b7ba685f90f6cd73_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3236 wrote to memory of 3428	3236	2024-09-17_4e0a28e11daa4483b7ba685f90f6cd73_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3236 wrote to memory of 4512	3236	2024-09-17_4e0a28e11daa4483b7ba685f90f6cd73_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3236 wrote to memory of 4512	3236	2024-09-17_4e0a28e11daa4483b7ba685f90f6cd73_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3236 wrote to memory of 4508	3236	2024-09-17_4e0a28e11daa4483b7ba685f90f6cd73_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3236 wrote to memory of 4508	3236	2024-09-17_4e0a28e11daa4483b7ba685f90f6cd73_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3236 wrote to memory of 3980	3236	2024-09-17_4e0a28e11daa4483b7ba685f90f6cd73_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3236 wrote to memory of 3980	3236	2024-09-17_4e0a28e11daa4483b7ba685f90f6cd73_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3236 wrote to memory of 5112	3236	2024-09-17_4e0a28e11daa4483b7ba685f90f6cd73_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3236 wrote to memory of 5112	3236	2024-09-17_4e0a28e11daa4483b7ba685f90f6cd73_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3236 wrote to memory of 2420	3236	2024-09-17_4e0a28e11daa4483b7ba685f90f6cd73_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3236 wrote to memory of 2420	3236	2024-09-17_4e0a28e11daa4483b7ba685f90f6cd73_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3236 wrote to memory of 3288	3236	2024-09-17_4e0a28e11daa4483b7ba685f90f6cd73_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3236 wrote to memory of 3288	3236	2024-09-17_4e0a28e11daa4483b7ba685f90f6cd73_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3236 wrote to memory of 3392	3236	2024-09-17_4e0a28e11daa4483b7ba685f90f6cd73_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3236 wrote to memory of 3392	3236	2024-09-17_4e0a28e11daa4483b7ba685f90f6cd73_cobalt-strike_cobaltstrike_poet-rat.exe	103

C:\Users\Admin\AppData\Local\Temp\2024-09-17_4e0a28e11daa4483b7ba685f90f6cd73_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-17_4e0a28e11daa4483b7ba685f90f6cd73_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3236
- C:\Windows\System\herlywJ.exe
  C:\Windows\System\herlywJ.exe
  2⤵
  - Executes dropped EXE
  PID:5044
- C:\Windows\System\alBJjmb.exe
  C:\Windows\System\alBJjmb.exe
  2⤵
  - Executes dropped EXE
  PID:1416
- C:\Windows\System\JQsMHLk.exe
  C:\Windows\System\JQsMHLk.exe
  2⤵
  - Executes dropped EXE
  PID:3572
- C:\Windows\System\ZMECTBy.exe
  C:\Windows\System\ZMECTBy.exe
  2⤵
  - Executes dropped EXE
  PID:5104
- C:\Windows\System\pmWSgZP.exe
  C:\Windows\System\pmWSgZP.exe
  2⤵
  - Executes dropped EXE
  PID:1428
- C:\Windows\System\IicQFos.exe
  C:\Windows\System\IicQFos.exe
  2⤵
  - Executes dropped EXE
  PID:2624
- C:\Windows\System\zMnDsoj.exe
  C:\Windows\System\zMnDsoj.exe
  2⤵
  - Executes dropped EXE
  PID:4736
- C:\Windows\System\WfBesuW.exe
  C:\Windows\System\WfBesuW.exe
  2⤵
  - Executes dropped EXE
  PID:2496
- C:\Windows\System\EsQvtwJ.exe
  C:\Windows\System\EsQvtwJ.exe
  2⤵
  - Executes dropped EXE
  PID:220
- C:\Windows\System\xWWghox.exe
  C:\Windows\System\xWWghox.exe
  2⤵
  - Executes dropped EXE
  PID:4372
- C:\Windows\System\jUDIyxn.exe
  C:\Windows\System\jUDIyxn.exe
  2⤵
  - Executes dropped EXE
  PID:4980
- C:\Windows\System\GFREkfh.exe
  C:\Windows\System\GFREkfh.exe
  2⤵
  - Executes dropped EXE
  PID:2720
- C:\Windows\System\zeEcunf.exe
  C:\Windows\System\zeEcunf.exe
  2⤵
  - Executes dropped EXE
  PID:4616
- C:\Windows\System\xFbiTZE.exe
  C:\Windows\System\xFbiTZE.exe
  2⤵
  - Executes dropped EXE
  PID:3428
- C:\Windows\System\FFAscpy.exe
  C:\Windows\System\FFAscpy.exe
  2⤵
  - Executes dropped EXE
  PID:4512
- C:\Windows\System\OGFyLrB.exe
  C:\Windows\System\OGFyLrB.exe
  2⤵
  - Executes dropped EXE
  PID:4508
- C:\Windows\System\uLjgrFk.exe
  C:\Windows\System\uLjgrFk.exe
  2⤵
  - Executes dropped EXE
  PID:3980
- C:\Windows\System\qCavcki.exe
  C:\Windows\System\qCavcki.exe
  2⤵
  - Executes dropped EXE
  PID:5112
- C:\Windows\System\ckcPUzC.exe
  C:\Windows\System\ckcPUzC.exe
  2⤵
  - Executes dropped EXE
  PID:2420
- C:\Windows\System\PDMBVgb.exe
  C:\Windows\System\PDMBVgb.exe
  2⤵
  - Executes dropped EXE
  PID:3288
- C:\Windows\System\UZXbQfC.exe
  C:\Windows\System\UZXbQfC.exe
  2⤵
  - Executes dropped EXE
  PID:3392

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\EsQvtwJ.exe

Filesize
5.2MB

MD5
e7ae9af9ceaaa8e81a2783db97f7ae15

SHA1
e87dadc7ca90d083cfa1efc328d23bfd85f50529

SHA256
9c58860a5ac6c9b5c69fe0f9c39d4ed1933a0710e79b0e6e4df1d53925d1b8ed

SHA512
b38ad6f45c42d5b6dc16f174a5978c8cdf6318240acf0e375fbbdd2f50e49e6c36a88c345b6dd5b611e7fdead83ab5348847cfbc1769c687bbca33e33187e412

Download Submit
C:\Windows\System\FFAscpy.exe

Filesize
5.2MB

MD5
8a2af216ef47c5b68e5a290cb915dfa0

SHA1
c9842bb9e70dcd7f107fb8afeab03210996321e7

SHA256
42ff83e73fbbbd7c4e7a802f0e16d040ed87b5e114613c830ec92f5064aa3ce6

SHA512
e057f2df30eb6bd8c3beeb793eb93bff0068b48a1440b6048034a216380f47dcf33f10cd1fe790071ce20032a39ca518be1aba5bae6fb760fcc8aa4a1c439d2a

Download Submit
C:\Windows\System\GFREkfh.exe

Filesize
5.2MB

MD5
14cb09f9453bb55b92c2eb9c9dd0dc2e

SHA1
a314520db6440ae6fe9c412879d79e09b8f69353

SHA256
10c50c3ab8a4cde18c42fbbe312e3333ebc6e423e798654414a3221720c9fb1d

SHA512
4f2b2a352889c4329f3b5d29fb8d98f3219e188fa10ccf2ac2f0fd2f32bfccffd74123429105af0779379a6e96a8e0367fac5ae1f465590e1ed4abda66e997f0

Download Submit
C:\Windows\System\IicQFos.exe

Filesize
5.2MB

MD5
1525318e0c90b87816f7587f063c14b0

SHA1
7c700de51aa2f7153520ea8206c5568c37b47c36

SHA256
de69d55beefc3920b30189a5666f0cdf3c8e5f3827fdaa51aeea6c732f2d7a4a

SHA512
d9015cb8aef291ffd5527dc90e64a1ab2d82e47cae64e27a609d760471d8dfe6289b2ff67e3b51bc22bae671a0b8c0b295f7293ca1207488d81a2c84f4bea13a

Download Submit
C:\Windows\System\JQsMHLk.exe

Filesize
5.2MB

MD5
a97766ed909f153f81309e05884fe19c

SHA1
dca0182724c8cb62dbc2f37257dcded27e084f24

SHA256
4b725ae584693169b2c7298ef5eb6821abf0424087219ce31a2552f95118e471

SHA512
8bd31ae4882d9a76519f0ab5520f5cbe69a7ef9682b55005abe7564ab5a0fbc9d9a19798be37fdbfc4b6e9e1f1913d946731858d9fa5ed0360d728917033918f

Download Submit
C:\Windows\System\OGFyLrB.exe

Filesize
5.2MB

MD5
043bce6e574283a5dce5b0914b3d115a

SHA1
24ee296e6b1ee1c51597d1154d1e56bc5ee088a3

SHA256
18991890033fbe132f81df47a16f6a0ba180940bc470fe4f2cba327aaed338ae

SHA512
6aaaded25a1b463f53a746ad97d3bae6ea4204553d514a8bae6aeb9861097549258c8e0fff488b7927e956f9c18084664401df6a352b3d7d62e044cf2a671010

Download Submit
C:\Windows\System\PDMBVgb.exe

Filesize
5.2MB

MD5
0716383c3c6d9c3aba1457b80096e8fd

SHA1
279c0d19a70e392419bff8feb63981a806eff242

SHA256
99c24b984526f2a379bc23bf22f17a6a39b88dfa4eab190724b589a71e394688

SHA512
c1ea6b915de1fb865ac4c4972226727800f7a2566c436bf87d6168f5a802ab0c1bad3d1f43b8d56a9ad36640a4ddd66b87b81f612f13c14efbecdfdc9e57ea90

Download Submit
C:\Windows\System\UZXbQfC.exe

Filesize
5.2MB

MD5
207b9ca4cb1ce748c85bfe01d0ddf8c7

SHA1
47290bbb51462a02cbae8f223707c659fb0c7a49

SHA256
d2e66817fc9214b0611a0c3ecdda49e61cff65409dfff19ff48a9dc0538f7228

SHA512
a9da4fe5dfae7ee9fed314c331ab1e22aba87cd3a97d40435c981362faa133c8dbe526d50c8ccf0b176f0dcb32825baff734d13dee9fb1bb28c0c92bff5da74f

Download Submit
C:\Windows\System\WfBesuW.exe

Filesize
5.2MB

MD5
5520bc481dc76da5c80d2ee2f8fab8d3

SHA1
7ab6c1c1538f32bcbd6521222026aa9b84941a9d

SHA256
92242aa8be926cea84825ddaf9a244a901820afe983cea864007eedbebe20188

SHA512
4e06f88aec1057a292f64a90265b353582af2eee3258feafcc4e1b46e64b448c770b1708f4da5113212b1c0cd35217ae1f1a2718cd9883ddf49f441d1ca824f8

Download Submit
C:\Windows\System\ZMECTBy.exe

Filesize
5.2MB

MD5
166352f47d3e9f65e79b022cda10cff7

SHA1
674e588600413fde49864683788a7c3223884ba0

SHA256
6b02a26ece26e2f15a332a9e52347e280421eef3e0b30ac86ecace2c919d4019

SHA512
a9c1737a5c25e864174eb0edfccf05b406415be2fe72f8f397602a146d07fabbd92e38c5af4cdbfe83f1ad1165c34f2e4e7176d632b1ade63250b140a6e2b4c5

Download Submit
C:\Windows\System\alBJjmb.exe

Filesize
5.2MB

MD5
53f778ace93f4e64597267e17e22d0c9

SHA1
1e4f0c0c61c1bf9df9e0f223c004ca64a9bb35e6

SHA256
c482f0e430e255cb56c9b197703e0665b7db4fc25d1e192fdda9c1dca629b56c

SHA512
47bff7e21ae33c7275b83d97148a6a9108f6ffbee29f326b0e2b355b2c58a9a3fb4ab71a117b3886e36618e229034978f0ea4a84b3c8105f668550d0ebfb8f50

Download Submit
C:\Windows\System\ckcPUzC.exe

Filesize
5.2MB

MD5
eb07299180c769b2c3ce8bd9dc08d736

SHA1
c637adddbb7198a05c9327cc9172377a4e878b56

SHA256
7d0c0206e0fa64f73f1cc7f0c440baa4b31f8c447713d2a2eeefdd0a58a8ecf6

SHA512
d3070b31211bfb4ec08dfed13fa69fe1f1b6ef6cb1c78ea2e663dff2360c0c91f37ab2c294e40bf95cec8d019b2d82fa6693199e7e1febead0562d36bde75005

Download Submit
C:\Windows\System\herlywJ.exe

Filesize
5.2MB

MD5
52b0e755386e0535dcc27af1037c1aa0

SHA1
453e0dfd365f7b1b47e43aba2f32fd594e8d83c7

SHA256
11e2118cb7f32702db2a41bbc85dc7687dcca4ce773d84d9d575f820d4eb8408

SHA512
77e29dee7a9b75c58a66d216b0f24007ec70a0527d8a4b1e32c5650daaa912b1087c9ae99408159437c8d3fdcabd91b9d9ec695b70fed5e330773bc0de31756e

Download Submit
C:\Windows\System\jUDIyxn.exe

Filesize
5.2MB

MD5
bf20037d6640431c691c20007fb8ac97

SHA1
c503b5500220b1eada059a85772c1278fa39dfb0

SHA256
feffcf8d06ed08c3578a11ddc06e3425cc8d42a6e67aa90e41118eb5e707d46a

SHA512
9a3201573f20ab81bc39ad45a69e7a7ee66afe827eb96d72eae8617218ede39faae0237b1ec3ff25853767aee386cedf5f451758bc60114747f3a63fe1d8ab6e

Download Submit
C:\Windows\System\pmWSgZP.exe

Filesize
5.2MB

MD5
317b61bf9e43754457f8a4ad41b916b2

SHA1
d276bd32b27fb38dd1653d63898b5acb58376c38

SHA256
e32b8136883647a24355efba283098296a05f2c2f392e60184b7b723f8b7ca34

SHA512
77027f545b54339db94dae97e7efe358e5f0373df7bf5f6e38a3e9ff92e14bc5c29800ed55790af26bed60b7324ffd825d92a5a40f816a011e6b7bb527511e7a

Download Submit
C:\Windows\System\qCavcki.exe

Filesize
5.2MB

MD5
61de9763116ef357fa204b16dd8bc40d

SHA1
cb45d3397ac8553565bfe9cdd38445e9de600fb8

SHA256
6bf8bf5e480db6daec3e0c3e970e82603a34769529c87c24e44109fcb9a6602b

SHA512
3c1144c7077fdbfd92e9e2ac8185b44cb15311e45b7fe216dabc3f19a832a177fcce319c880bee7258f7b71eb8380b687ed80f09fefee6aaa1f304a43c5bde53

Download Submit
C:\Windows\System\uLjgrFk.exe

Filesize
5.2MB

MD5
e65e3692cd6add4c7a063b6828568729

SHA1
c4e7906a37c7eae106966754cd3b9c230b394e34

SHA256
f9e5d39d82aec69829308680197b2f08751991e61523b6b577dc0cf7acb24925

SHA512
e8ddfbbe97d8b366f6937d2e976a5633eaaf9739c4a4849208499f74d67db78cd3d2fa53fa8c85a44a690cfce06b53e208fe6f321beefe8a89eed8f3a43b84dc

Download Submit
C:\Windows\System\xFbiTZE.exe

Filesize
5.2MB

MD5
5cb5238f911f8f7b7e6b9b8cedf4a3c6

SHA1
9ba99eff60286744d0ee62da42204c457a52c691

SHA256
9c3a59721fdc42bcb8f0130c477538c35fd809ba3362c3d4568ba9b3824378d7

SHA512
e913cffef3b7341162c29d484cdcdf97e56bb4830c2fc945aedd5233558c32de7fada091244af2c49ff063621e85958f6d6a8e8ac662f8b02ecdd769c4601199

Download Submit
C:\Windows\System\xWWghox.exe

Filesize
5.2MB

MD5
c8d52539ba7d4272843a17edb207b82d

SHA1
57e00094ce34bc21d8c8fe0ecacdd164a63904ef

SHA256
e880b31c8a65368c9cff21c47a6c624d2f317cb796bb1171864a35cdd8580e65

SHA512
bdcf570779ef02b46262d15c05162983b02e6fe516f0f1132109b9e01cd64396cae82f8f18276b1a2a206ad2ddb8c5f0872d4a6da32e3dc758ab458e863e86ec

Download Submit
C:\Windows\System\zMnDsoj.exe

Filesize
5.2MB

MD5
ccab8c2ceae8e74ee7754c9205efb557

SHA1
e453b088397771f7ecf0c22b60eab83b1d9b1587

SHA256
6523bc5262efe7c8bf8889b4660a075f47146135160bb90623a56e00ed37017c

SHA512
4ef9ae9b4d0a71e23cd0b23949a2ba091048822880c4db85ea11da41d549dcd8d2ecfda0ee0d2e1c1147674fa221ebd92b07cb9702fee11e62748144f19b4e42

Download Submit
C:\Windows\System\zeEcunf.exe

Filesize
5.2MB

MD5
91fdee7e166b684e6ae70e2b1ccfa01a

SHA1
943ab7013888b4e2df5a3ba0bce8ef63e103ccc3

SHA256
10ee2d1ca43ae380281779604ee8e2f6ca6f3e53f8e7470cd2bd8a3e66ec9a07

SHA512
179f557e76d6a95f0116db4e1563a15387f4c3c2a6223d37f39276c6a56196e4a8acaceb7cef297ff8f0a6a01a16f4ea06cac12a4507159449236e728444fa38

Download Submit
memory/220-229-0x00007FF725100000-0x00007FF725451000-memory.dmp

Filesize
3.3MB

Download
memory/220-63-0x00007FF725100000-0x00007FF725451000-memory.dmp

Filesize
3.3MB

Download
memory/1416-215-0x00007FF7A7A50000-0x00007FF7A7DA1000-memory.dmp

Filesize
3.3MB

Download
memory/1416-23-0x00007FF7A7A50000-0x00007FF7A7DA1000-memory.dmp

Filesize
3.3MB

Download
memory/1416-130-0x00007FF7A7A50000-0x00007FF7A7DA1000-memory.dmp

Filesize
3.3MB

Download
memory/1428-42-0x00007FF62B2A0000-0x00007FF62B5F1000-memory.dmp

Filesize
3.3MB

Download
memory/1428-221-0x00007FF62B2A0000-0x00007FF62B5F1000-memory.dmp

Filesize
3.3MB

Download
memory/1428-133-0x00007FF62B2A0000-0x00007FF62B5F1000-memory.dmp

Filesize
3.3MB

Download
memory/2420-111-0x00007FF72EFC0000-0x00007FF72F311000-memory.dmp

Filesize
3.3MB

Download
memory/2420-252-0x00007FF72EFC0000-0x00007FF72F311000-memory.dmp

Filesize
3.3MB

Download
memory/2420-147-0x00007FF72EFC0000-0x00007FF72F311000-memory.dmp

Filesize
3.3MB

Download
memory/2496-219-0x00007FF7F8530000-0x00007FF7F8881000-memory.dmp

Filesize
3.3MB

Download
memory/2496-62-0x00007FF7F8530000-0x00007FF7F8881000-memory.dmp

Filesize
3.3MB

Download
memory/2624-224-0x00007FF74F5D0000-0x00007FF74F921000-memory.dmp

Filesize
3.3MB

Download
memory/2624-88-0x00007FF74F5D0000-0x00007FF74F921000-memory.dmp

Filesize
3.3MB

Download
memory/2720-233-0x00007FF771000000-0x00007FF771351000-memory.dmp

Filesize
3.3MB

Download
memory/2720-140-0x00007FF771000000-0x00007FF771351000-memory.dmp

Filesize
3.3MB

Download
memory/2720-66-0x00007FF771000000-0x00007FF771351000-memory.dmp

Filesize
3.3MB

Download
memory/3236-128-0x00007FF60E7E0000-0x00007FF60EB31000-memory.dmp

Filesize
3.3MB

Download
memory/3236-151-0x00007FF60E7E0000-0x00007FF60EB31000-memory.dmp

Filesize
3.3MB

Download
memory/3236-0-0x00007FF60E7E0000-0x00007FF60EB31000-memory.dmp

Filesize
3.3MB

Download
memory/3236-150-0x00007FF60E7E0000-0x00007FF60EB31000-memory.dmp

Filesize
3.3MB

Download
memory/3236-1-0x0000029C641B0000-0x0000029C641C0000-memory.dmp

Filesize
64KB

Download
memory/3288-254-0x00007FF7AA3C0000-0x00007FF7AA711000-memory.dmp

Filesize
3.3MB

Download
memory/3288-123-0x00007FF7AA3C0000-0x00007FF7AA711000-memory.dmp

Filesize
3.3MB

Download
memory/3392-124-0x00007FF6ACD40000-0x00007FF6AD091000-memory.dmp

Filesize
3.3MB

Download
memory/3392-256-0x00007FF6ACD40000-0x00007FF6AD091000-memory.dmp

Filesize
3.3MB

Download
memory/3392-149-0x00007FF6ACD40000-0x00007FF6AD091000-memory.dmp

Filesize
3.3MB

Download
memory/3428-117-0x00007FF7816C0000-0x00007FF781A11000-memory.dmp

Filesize
3.3MB

Download
memory/3428-244-0x00007FF7816C0000-0x00007FF781A11000-memory.dmp

Filesize
3.3MB

Download
memory/3572-82-0x00007FF7D17F0000-0x00007FF7D1B41000-memory.dmp

Filesize
3.3MB

Download
memory/3572-217-0x00007FF7D17F0000-0x00007FF7D1B41000-memory.dmp

Filesize
3.3MB

Download
memory/3980-145-0x00007FF67D8F0000-0x00007FF67DC41000-memory.dmp

Filesize
3.3MB

Download
memory/3980-259-0x00007FF67D8F0000-0x00007FF67DC41000-memory.dmp

Filesize
3.3MB

Download
memory/3980-118-0x00007FF67D8F0000-0x00007FF67DC41000-memory.dmp

Filesize
3.3MB

Download
memory/4372-100-0x00007FF6ECED0000-0x00007FF6ED221000-memory.dmp

Filesize
3.3MB

Download
memory/4372-235-0x00007FF6ECED0000-0x00007FF6ED221000-memory.dmp

Filesize
3.3MB

Download
memory/4508-248-0x00007FF66CF50000-0x00007FF66D2A1000-memory.dmp

Filesize
3.3MB

Download
memory/4508-109-0x00007FF66CF50000-0x00007FF66D2A1000-memory.dmp

Filesize
3.3MB

Download
memory/4512-246-0x00007FF73DC10000-0x00007FF73DF61000-memory.dmp

Filesize
3.3MB

Download
memory/4512-108-0x00007FF73DC10000-0x00007FF73DF61000-memory.dmp

Filesize
3.3MB

Download
memory/4616-242-0x00007FF79B6D0000-0x00007FF79BA21000-memory.dmp

Filesize
3.3MB

Download
memory/4616-141-0x00007FF79B6D0000-0x00007FF79BA21000-memory.dmp

Filesize
3.3MB

Download
memory/4616-67-0x00007FF79B6D0000-0x00007FF79BA21000-memory.dmp

Filesize
3.3MB

Download
memory/4736-227-0x00007FF6BFC30000-0x00007FF6BFF81000-memory.dmp

Filesize
3.3MB

Download
memory/4736-90-0x00007FF6BFC30000-0x00007FF6BFF81000-memory.dmp

Filesize
3.3MB

Download
memory/4980-231-0x00007FF7895F0000-0x00007FF789941000-memory.dmp

Filesize
3.3MB

Download
memory/4980-91-0x00007FF7895F0000-0x00007FF789941000-memory.dmp

Filesize
3.3MB

Download
memory/5044-213-0x00007FF6229A0000-0x00007FF622CF1000-memory.dmp

Filesize
3.3MB

Download
memory/5044-129-0x00007FF6229A0000-0x00007FF622CF1000-memory.dmp

Filesize
3.3MB

Download
memory/5044-6-0x00007FF6229A0000-0x00007FF622CF1000-memory.dmp

Filesize
3.3MB

Download
memory/5104-132-0x00007FF643790000-0x00007FF643AE1000-memory.dmp

Filesize
3.3MB

Download
memory/5104-29-0x00007FF643790000-0x00007FF643AE1000-memory.dmp

Filesize
3.3MB

Download
memory/5104-225-0x00007FF643790000-0x00007FF643AE1000-memory.dmp

Filesize
3.3MB

Download
memory/5112-250-0x00007FF768470000-0x00007FF7687C1000-memory.dmp

Filesize
3.3MB

Download
memory/5112-122-0x00007FF768470000-0x00007FF7687C1000-memory.dmp

Filesize
3.3MB

Download