cobaltstrike | 3afd814a252b8666a87c7f0fba8e9d7dbec5d171c2402964c89cb067d18d2380

Analysis

max time kernel
140s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20-09-2024 21:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-20_70e83a3c25aef9bf2daa6c76152c4b6d_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

70e83a3c25aef9bf2daa6c76152c4b6d
SHA1

8ffe056daf426a9153f074067a6958331649ce7b
SHA256

3afd814a252b8666a87c7f0fba8e9d7dbec5d171c2402964c89cb067d18d2380
SHA512

e8ba6a4202a60814b352748af444c7a958450caf35300e4a8d6293442bb893fdd2de6f57fdf8092d08ff3d3060a3928937ddd4bb0243952448b3e0a0b0cc9c3f
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6ll:RWWBibf56utgpPFotBER/mQ32lUZ

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0008000000023463-4.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023468-18.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002346b-32.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002346e-48.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002346d-61.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023470-62.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023471-80.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023464-90.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023473-95.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023476-111.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023477-118.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023479-126.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023478-124.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023475-103.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023474-101.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023472-88.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002346f-66.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002346c-49.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002346a-34.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023469-30.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023467-15.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/1388-123-0x00007FF7E63A0000-0x00007FF7E66F1000-memory.dmp	xmrig
behavioral2/memory/1760-109-0x00007FF789030000-0x00007FF789381000-memory.dmp	xmrig
behavioral2/memory/3220-100-0x00007FF69E6B0000-0x00007FF69EA01000-memory.dmp	xmrig
behavioral2/memory/4408-93-0x00007FF644EC0000-0x00007FF645211000-memory.dmp	xmrig
behavioral2/memory/4548-129-0x00007FF7AA240000-0x00007FF7AA591000-memory.dmp	xmrig
behavioral2/memory/2368-64-0x00007FF72F830000-0x00007FF72FB81000-memory.dmp	xmrig
behavioral2/memory/1888-130-0x00007FF7E91D0000-0x00007FF7E9521000-memory.dmp	xmrig
behavioral2/memory/2928-131-0x00007FF665770000-0x00007FF665AC1000-memory.dmp	xmrig
behavioral2/memory/864-132-0x00007FF79A760000-0x00007FF79AAB1000-memory.dmp	xmrig
behavioral2/memory/956-133-0x00007FF731A90000-0x00007FF731DE1000-memory.dmp	xmrig
behavioral2/memory/1448-135-0x00007FF7DD990000-0x00007FF7DDCE1000-memory.dmp	xmrig
behavioral2/memory/2164-134-0x00007FF72ECA0000-0x00007FF72EFF1000-memory.dmp	xmrig
behavioral2/memory/1244-147-0x00007FF70DA30000-0x00007FF70DD81000-memory.dmp	xmrig
behavioral2/memory/4268-148-0x00007FF7DA260000-0x00007FF7DA5B1000-memory.dmp	xmrig
behavioral2/memory/1996-150-0x00007FF673D50000-0x00007FF6740A1000-memory.dmp	xmrig
behavioral2/memory/3668-146-0x00007FF7012F0000-0x00007FF701641000-memory.dmp	xmrig
behavioral2/memory/1388-136-0x00007FF7E63A0000-0x00007FF7E66F1000-memory.dmp	xmrig
behavioral2/memory/2024-155-0x00007FF67ADF0000-0x00007FF67B141000-memory.dmp	xmrig
behavioral2/memory/4972-158-0x00007FF7D4FD0000-0x00007FF7D5321000-memory.dmp	xmrig
behavioral2/memory/2376-159-0x00007FF7FB420000-0x00007FF7FB771000-memory.dmp	xmrig
behavioral2/memory/4668-157-0x00007FF681170000-0x00007FF6814C1000-memory.dmp	xmrig
behavioral2/memory/1820-156-0x00007FF7FEAA0000-0x00007FF7FEDF1000-memory.dmp	xmrig
behavioral2/memory/1188-152-0x00007FF718200000-0x00007FF718551000-memory.dmp	xmrig
behavioral2/memory/1388-160-0x00007FF7E63A0000-0x00007FF7E66F1000-memory.dmp	xmrig
behavioral2/memory/4548-222-0x00007FF7AA240000-0x00007FF7AA591000-memory.dmp	xmrig
behavioral2/memory/1888-224-0x00007FF7E91D0000-0x00007FF7E9521000-memory.dmp	xmrig
behavioral2/memory/864-226-0x00007FF79A760000-0x00007FF79AAB1000-memory.dmp	xmrig
behavioral2/memory/2928-228-0x00007FF665770000-0x00007FF665AC1000-memory.dmp	xmrig
behavioral2/memory/956-230-0x00007FF731A90000-0x00007FF731DE1000-memory.dmp	xmrig
behavioral2/memory/2164-232-0x00007FF72ECA0000-0x00007FF72EFF1000-memory.dmp	xmrig
behavioral2/memory/2368-234-0x00007FF72F830000-0x00007FF72FB81000-memory.dmp	xmrig
behavioral2/memory/1448-236-0x00007FF7DD990000-0x00007FF7DDCE1000-memory.dmp	xmrig
behavioral2/memory/3668-238-0x00007FF7012F0000-0x00007FF701641000-memory.dmp	xmrig
behavioral2/memory/4268-240-0x00007FF7DA260000-0x00007FF7DA5B1000-memory.dmp	xmrig
behavioral2/memory/1244-243-0x00007FF70DA30000-0x00007FF70DD81000-memory.dmp	xmrig
behavioral2/memory/4408-244-0x00007FF644EC0000-0x00007FF645211000-memory.dmp	xmrig
behavioral2/memory/1996-251-0x00007FF673D50000-0x00007FF6740A1000-memory.dmp	xmrig
behavioral2/memory/3220-253-0x00007FF69E6B0000-0x00007FF69EA01000-memory.dmp	xmrig
behavioral2/memory/2024-258-0x00007FF67ADF0000-0x00007FF67B141000-memory.dmp	xmrig
behavioral2/memory/1760-261-0x00007FF789030000-0x00007FF789381000-memory.dmp	xmrig
behavioral2/memory/1188-260-0x00007FF718200000-0x00007FF718551000-memory.dmp	xmrig
behavioral2/memory/4668-263-0x00007FF681170000-0x00007FF6814C1000-memory.dmp	xmrig
behavioral2/memory/1820-255-0x00007FF7FEAA0000-0x00007FF7FEDF1000-memory.dmp	xmrig
behavioral2/memory/4972-267-0x00007FF7D4FD0000-0x00007FF7D5321000-memory.dmp	xmrig
behavioral2/memory/2376-266-0x00007FF7FB420000-0x00007FF7FB771000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4548	qkkqdIq.exe
1888	FLlYDrA.exe
864	bcugwsl.exe
2928	aACBvUx.exe
956	sKiFMko.exe
2164	hibUyOR.exe
2368	CcxYpId.exe
4268	NNhEaei.exe
1448	NGjQjkB.exe
3668	SJLVdHF.exe
1244	BXZvJOO.exe
4408	iQBLXwX.exe
1996	MewVfDu.exe
1188	oItnnQH.exe
1760	FpQkruk.exe
3220	kRmTmfD.exe
2024	UQxfrur.exe
1820	IzgywTP.exe
4668	ixkTtwU.exe
4972	aFSMqwm.exe
2376	wyRmPpU.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1388-0-0x00007FF7E63A0000-0x00007FF7E66F1000-memory.dmp	upx
behavioral2/files/0x0008000000023463-4.dat	upx
behavioral2/memory/1888-12-0x00007FF7E91D0000-0x00007FF7E9521000-memory.dmp	upx
behavioral2/files/0x0007000000023468-18.dat	upx
behavioral2/memory/864-21-0x00007FF79A760000-0x00007FF79AAB1000-memory.dmp	upx
behavioral2/files/0x000700000002346b-32.dat	upx
behavioral2/memory/2164-41-0x00007FF72ECA0000-0x00007FF72EFF1000-memory.dmp	upx
behavioral2/files/0x000700000002346e-48.dat	upx
behavioral2/files/0x000700000002346d-61.dat	upx
behavioral2/files/0x0007000000023470-62.dat	upx
behavioral2/files/0x0007000000023471-80.dat	upx
behavioral2/memory/1996-75-0x00007FF673D50000-0x00007FF6740A1000-memory.dmp	upx
behavioral2/files/0x0008000000023464-90.dat	upx
behavioral2/files/0x0007000000023473-95.dat	upx
behavioral2/memory/2024-108-0x00007FF67ADF0000-0x00007FF67B141000-memory.dmp	upx
behavioral2/files/0x0007000000023476-111.dat	upx
behavioral2/files/0x0007000000023477-118.dat	upx
behavioral2/memory/1388-123-0x00007FF7E63A0000-0x00007FF7E66F1000-memory.dmp	upx
behavioral2/memory/4972-128-0x00007FF7D4FD0000-0x00007FF7D5321000-memory.dmp	upx
behavioral2/files/0x0007000000023479-126.dat	upx
behavioral2/files/0x0007000000023478-124.dat	upx
behavioral2/memory/2376-122-0x00007FF7FB420000-0x00007FF7FB771000-memory.dmp	upx
behavioral2/memory/4668-121-0x00007FF681170000-0x00007FF6814C1000-memory.dmp	upx
behavioral2/memory/1820-113-0x00007FF7FEAA0000-0x00007FF7FEDF1000-memory.dmp	upx
behavioral2/memory/1760-109-0x00007FF789030000-0x00007FF789381000-memory.dmp	upx
behavioral2/files/0x0007000000023475-103.dat	upx
behavioral2/files/0x0007000000023474-101.dat	upx
behavioral2/memory/3220-100-0x00007FF69E6B0000-0x00007FF69EA01000-memory.dmp	upx
behavioral2/memory/1188-99-0x00007FF718200000-0x00007FF718551000-memory.dmp	upx
behavioral2/memory/4408-93-0x00007FF644EC0000-0x00007FF645211000-memory.dmp	upx
behavioral2/files/0x0007000000023472-88.dat	upx
behavioral2/memory/1244-84-0x00007FF70DA30000-0x00007FF70DD81000-memory.dmp	upx
behavioral2/memory/3668-73-0x00007FF7012F0000-0x00007FF701641000-memory.dmp	upx
behavioral2/memory/4548-129-0x00007FF7AA240000-0x00007FF7AA591000-memory.dmp	upx
behavioral2/files/0x000700000002346f-66.dat	upx
behavioral2/memory/2368-64-0x00007FF72F830000-0x00007FF72FB81000-memory.dmp	upx
behavioral2/memory/1448-56-0x00007FF7DD990000-0x00007FF7DDCE1000-memory.dmp	upx
behavioral2/memory/4268-51-0x00007FF7DA260000-0x00007FF7DA5B1000-memory.dmp	upx
behavioral2/files/0x000700000002346c-49.dat	upx
behavioral2/files/0x000700000002346a-34.dat	upx
behavioral2/files/0x0007000000023469-30.dat	upx
behavioral2/memory/956-29-0x00007FF731A90000-0x00007FF731DE1000-memory.dmp	upx
behavioral2/memory/2928-23-0x00007FF665770000-0x00007FF665AC1000-memory.dmp	upx
behavioral2/files/0x0007000000023467-15.dat	upx
behavioral2/memory/4548-6-0x00007FF7AA240000-0x00007FF7AA591000-memory.dmp	upx
behavioral2/memory/1888-130-0x00007FF7E91D0000-0x00007FF7E9521000-memory.dmp	upx
behavioral2/memory/2928-131-0x00007FF665770000-0x00007FF665AC1000-memory.dmp	upx
behavioral2/memory/864-132-0x00007FF79A760000-0x00007FF79AAB1000-memory.dmp	upx
behavioral2/memory/956-133-0x00007FF731A90000-0x00007FF731DE1000-memory.dmp	upx
behavioral2/memory/1448-135-0x00007FF7DD990000-0x00007FF7DDCE1000-memory.dmp	upx
behavioral2/memory/2164-134-0x00007FF72ECA0000-0x00007FF72EFF1000-memory.dmp	upx
behavioral2/memory/1244-147-0x00007FF70DA30000-0x00007FF70DD81000-memory.dmp	upx
behavioral2/memory/4268-148-0x00007FF7DA260000-0x00007FF7DA5B1000-memory.dmp	upx
behavioral2/memory/1996-150-0x00007FF673D50000-0x00007FF6740A1000-memory.dmp	upx
behavioral2/memory/3668-146-0x00007FF7012F0000-0x00007FF701641000-memory.dmp	upx
behavioral2/memory/1388-136-0x00007FF7E63A0000-0x00007FF7E66F1000-memory.dmp	upx
behavioral2/memory/2024-155-0x00007FF67ADF0000-0x00007FF67B141000-memory.dmp	upx
behavioral2/memory/4972-158-0x00007FF7D4FD0000-0x00007FF7D5321000-memory.dmp	upx
behavioral2/memory/2376-159-0x00007FF7FB420000-0x00007FF7FB771000-memory.dmp	upx
behavioral2/memory/4668-157-0x00007FF681170000-0x00007FF6814C1000-memory.dmp	upx
behavioral2/memory/1820-156-0x00007FF7FEAA0000-0x00007FF7FEDF1000-memory.dmp	upx
behavioral2/memory/1188-152-0x00007FF718200000-0x00007FF718551000-memory.dmp	upx
behavioral2/memory/1388-160-0x00007FF7E63A0000-0x00007FF7E66F1000-memory.dmp	upx
behavioral2/memory/4548-222-0x00007FF7AA240000-0x00007FF7AA591000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\bcugwsl.exe	2024-09-20_70e83a3c25aef9bf2daa6c76152c4b6d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sKiFMko.exe	2024-09-20_70e83a3c25aef9bf2daa6c76152c4b6d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ixkTtwU.exe	2024-09-20_70e83a3c25aef9bf2daa6c76152c4b6d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BXZvJOO.exe	2024-09-20_70e83a3c25aef9bf2daa6c76152c4b6d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iQBLXwX.exe	2024-09-20_70e83a3c25aef9bf2daa6c76152c4b6d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wyRmPpU.exe	2024-09-20_70e83a3c25aef9bf2daa6c76152c4b6d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oItnnQH.exe	2024-09-20_70e83a3c25aef9bf2daa6c76152c4b6d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UQxfrur.exe	2024-09-20_70e83a3c25aef9bf2daa6c76152c4b6d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hibUyOR.exe	2024-09-20_70e83a3c25aef9bf2daa6c76152c4b6d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CcxYpId.exe	2024-09-20_70e83a3c25aef9bf2daa6c76152c4b6d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NNhEaei.exe	2024-09-20_70e83a3c25aef9bf2daa6c76152c4b6d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NGjQjkB.exe	2024-09-20_70e83a3c25aef9bf2daa6c76152c4b6d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MewVfDu.exe	2024-09-20_70e83a3c25aef9bf2daa6c76152c4b6d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kRmTmfD.exe	2024-09-20_70e83a3c25aef9bf2daa6c76152c4b6d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IzgywTP.exe	2024-09-20_70e83a3c25aef9bf2daa6c76152c4b6d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aFSMqwm.exe	2024-09-20_70e83a3c25aef9bf2daa6c76152c4b6d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qkkqdIq.exe	2024-09-20_70e83a3c25aef9bf2daa6c76152c4b6d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FLlYDrA.exe	2024-09-20_70e83a3c25aef9bf2daa6c76152c4b6d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aACBvUx.exe	2024-09-20_70e83a3c25aef9bf2daa6c76152c4b6d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SJLVdHF.exe	2024-09-20_70e83a3c25aef9bf2daa6c76152c4b6d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FpQkruk.exe	2024-09-20_70e83a3c25aef9bf2daa6c76152c4b6d_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1388	2024-09-20_70e83a3c25aef9bf2daa6c76152c4b6d_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	1388	2024-09-20_70e83a3c25aef9bf2daa6c76152c4b6d_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1388 wrote to memory of 4548	1388	2024-09-20_70e83a3c25aef9bf2daa6c76152c4b6d_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 1388 wrote to memory of 4548	1388	2024-09-20_70e83a3c25aef9bf2daa6c76152c4b6d_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 1388 wrote to memory of 1888	1388	2024-09-20_70e83a3c25aef9bf2daa6c76152c4b6d_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 1388 wrote to memory of 1888	1388	2024-09-20_70e83a3c25aef9bf2daa6c76152c4b6d_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 1388 wrote to memory of 864	1388	2024-09-20_70e83a3c25aef9bf2daa6c76152c4b6d_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 1388 wrote to memory of 864	1388	2024-09-20_70e83a3c25aef9bf2daa6c76152c4b6d_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 1388 wrote to memory of 2928	1388	2024-09-20_70e83a3c25aef9bf2daa6c76152c4b6d_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 1388 wrote to memory of 2928	1388	2024-09-20_70e83a3c25aef9bf2daa6c76152c4b6d_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 1388 wrote to memory of 956	1388	2024-09-20_70e83a3c25aef9bf2daa6c76152c4b6d_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 1388 wrote to memory of 956	1388	2024-09-20_70e83a3c25aef9bf2daa6c76152c4b6d_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 1388 wrote to memory of 2164	1388	2024-09-20_70e83a3c25aef9bf2daa6c76152c4b6d_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1388 wrote to memory of 2164	1388	2024-09-20_70e83a3c25aef9bf2daa6c76152c4b6d_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1388 wrote to memory of 2368	1388	2024-09-20_70e83a3c25aef9bf2daa6c76152c4b6d_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1388 wrote to memory of 2368	1388	2024-09-20_70e83a3c25aef9bf2daa6c76152c4b6d_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1388 wrote to memory of 4268	1388	2024-09-20_70e83a3c25aef9bf2daa6c76152c4b6d_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1388 wrote to memory of 4268	1388	2024-09-20_70e83a3c25aef9bf2daa6c76152c4b6d_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1388 wrote to memory of 1448	1388	2024-09-20_70e83a3c25aef9bf2daa6c76152c4b6d_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1388 wrote to memory of 1448	1388	2024-09-20_70e83a3c25aef9bf2daa6c76152c4b6d_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1388 wrote to memory of 3668	1388	2024-09-20_70e83a3c25aef9bf2daa6c76152c4b6d_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 1388 wrote to memory of 3668	1388	2024-09-20_70e83a3c25aef9bf2daa6c76152c4b6d_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 1388 wrote to memory of 1244	1388	2024-09-20_70e83a3c25aef9bf2daa6c76152c4b6d_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1388 wrote to memory of 1244	1388	2024-09-20_70e83a3c25aef9bf2daa6c76152c4b6d_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1388 wrote to memory of 4408	1388	2024-09-20_70e83a3c25aef9bf2daa6c76152c4b6d_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1388 wrote to memory of 4408	1388	2024-09-20_70e83a3c25aef9bf2daa6c76152c4b6d_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1388 wrote to memory of 1996	1388	2024-09-20_70e83a3c25aef9bf2daa6c76152c4b6d_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 1388 wrote to memory of 1996	1388	2024-09-20_70e83a3c25aef9bf2daa6c76152c4b6d_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 1388 wrote to memory of 1188	1388	2024-09-20_70e83a3c25aef9bf2daa6c76152c4b6d_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1388 wrote to memory of 1188	1388	2024-09-20_70e83a3c25aef9bf2daa6c76152c4b6d_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1388 wrote to memory of 1760	1388	2024-09-20_70e83a3c25aef9bf2daa6c76152c4b6d_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1388 wrote to memory of 1760	1388	2024-09-20_70e83a3c25aef9bf2daa6c76152c4b6d_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1388 wrote to memory of 3220	1388	2024-09-20_70e83a3c25aef9bf2daa6c76152c4b6d_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1388 wrote to memory of 3220	1388	2024-09-20_70e83a3c25aef9bf2daa6c76152c4b6d_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1388 wrote to memory of 2024	1388	2024-09-20_70e83a3c25aef9bf2daa6c76152c4b6d_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1388 wrote to memory of 2024	1388	2024-09-20_70e83a3c25aef9bf2daa6c76152c4b6d_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1388 wrote to memory of 1820	1388	2024-09-20_70e83a3c25aef9bf2daa6c76152c4b6d_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1388 wrote to memory of 1820	1388	2024-09-20_70e83a3c25aef9bf2daa6c76152c4b6d_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1388 wrote to memory of 4668	1388	2024-09-20_70e83a3c25aef9bf2daa6c76152c4b6d_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 1388 wrote to memory of 4668	1388	2024-09-20_70e83a3c25aef9bf2daa6c76152c4b6d_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 1388 wrote to memory of 4972	1388	2024-09-20_70e83a3c25aef9bf2daa6c76152c4b6d_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 1388 wrote to memory of 4972	1388	2024-09-20_70e83a3c25aef9bf2daa6c76152c4b6d_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 1388 wrote to memory of 2376	1388	2024-09-20_70e83a3c25aef9bf2daa6c76152c4b6d_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 1388 wrote to memory of 2376	1388	2024-09-20_70e83a3c25aef9bf2daa6c76152c4b6d_cobalt-strike_cobaltstrike_poet-rat.exe	105

C:\Users\Admin\AppData\Local\Temp\2024-09-20_70e83a3c25aef9bf2daa6c76152c4b6d_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-20_70e83a3c25aef9bf2daa6c76152c4b6d_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1388
- C:\Windows\System\qkkqdIq.exe
  C:\Windows\System\qkkqdIq.exe
  2⤵
  - Executes dropped EXE
  PID:4548
- C:\Windows\System\FLlYDrA.exe
  C:\Windows\System\FLlYDrA.exe
  2⤵
  - Executes dropped EXE
  PID:1888
- C:\Windows\System\bcugwsl.exe
  C:\Windows\System\bcugwsl.exe
  2⤵
  - Executes dropped EXE
  PID:864
- C:\Windows\System\aACBvUx.exe
  C:\Windows\System\aACBvUx.exe
  2⤵
  - Executes dropped EXE
  PID:2928
- C:\Windows\System\sKiFMko.exe
  C:\Windows\System\sKiFMko.exe
  2⤵
  - Executes dropped EXE
  PID:956
- C:\Windows\System\hibUyOR.exe
  C:\Windows\System\hibUyOR.exe
  2⤵
  - Executes dropped EXE
  PID:2164
- C:\Windows\System\CcxYpId.exe
  C:\Windows\System\CcxYpId.exe
  2⤵
  - Executes dropped EXE
  PID:2368
- C:\Windows\System\NNhEaei.exe
  C:\Windows\System\NNhEaei.exe
  2⤵
  - Executes dropped EXE
  PID:4268
- C:\Windows\System\NGjQjkB.exe
  C:\Windows\System\NGjQjkB.exe
  2⤵
  - Executes dropped EXE
  PID:1448
- C:\Windows\System\SJLVdHF.exe
  C:\Windows\System\SJLVdHF.exe
  2⤵
  - Executes dropped EXE
  PID:3668
- C:\Windows\System\BXZvJOO.exe
  C:\Windows\System\BXZvJOO.exe
  2⤵
  - Executes dropped EXE
  PID:1244
- C:\Windows\System\iQBLXwX.exe
  C:\Windows\System\iQBLXwX.exe
  2⤵
  - Executes dropped EXE
  PID:4408
- C:\Windows\System\MewVfDu.exe
  C:\Windows\System\MewVfDu.exe
  2⤵
  - Executes dropped EXE
  PID:1996
- C:\Windows\System\oItnnQH.exe
  C:\Windows\System\oItnnQH.exe
  2⤵
  - Executes dropped EXE
  PID:1188
- C:\Windows\System\FpQkruk.exe
  C:\Windows\System\FpQkruk.exe
  2⤵
  - Executes dropped EXE
  PID:1760
- C:\Windows\System\kRmTmfD.exe
  C:\Windows\System\kRmTmfD.exe
  2⤵
  - Executes dropped EXE
  PID:3220
- C:\Windows\System\UQxfrur.exe
  C:\Windows\System\UQxfrur.exe
  2⤵
  - Executes dropped EXE
  PID:2024
- C:\Windows\System\IzgywTP.exe
  C:\Windows\System\IzgywTP.exe
  2⤵
  - Executes dropped EXE
  PID:1820
- C:\Windows\System\ixkTtwU.exe
  C:\Windows\System\ixkTtwU.exe
  2⤵
  - Executes dropped EXE
  PID:4668
- C:\Windows\System\aFSMqwm.exe
  C:\Windows\System\aFSMqwm.exe
  2⤵
  - Executes dropped EXE
  PID:4972
- C:\Windows\System\wyRmPpU.exe
  C:\Windows\System\wyRmPpU.exe
  2⤵
  - Executes dropped EXE
  PID:2376

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BXZvJOO.exe

Filesize
5.2MB

MD5
bf01edd930d6dfc81a5792f90b39084f

SHA1
47eab10e51796d2c2e94a4c07217d291be9568b4

SHA256
464fa9fade6ab1dd04bdab8e2ea3c2e267f1dac6952d9073938237eda980e425

SHA512
8b59fa89018fd84036b7e8637c0556bc6bc6e525c3d936f7caf09b200ddfc68a50ae081f0c5cfe511cd93df497fb6ac3c7ee31bb73df11f8833cbbfde0ed6ff3

Download Submit
C:\Windows\System\CcxYpId.exe

Filesize
5.2MB

MD5
21b81a60c8702317b184883ede103f0d

SHA1
fc4e022af79e84b90f8fe89d4a6e66902195f45a

SHA256
b9893b6c50ea598ea343c39cdea7d0d765643fbfa0ad354bbd1ae665ddb19e44

SHA512
9be208d6b589c27239e6e2c7aee99a429d2b6cd008d20e92f4d241fccabe731b749072af160cfa9d9cacd07415adbc1ea9ba1d768826788fef3978a853b17b29

Download Submit
C:\Windows\System\FLlYDrA.exe

Filesize
5.2MB

MD5
ca6791ded59d6ee9afea38fccd680691

SHA1
2c9369321500d6790cc6d9d7bfc10b4b1f6de6ef

SHA256
8a02799515f960d8730207f272700c083f2e219fbcc97273a25b61fedec9a3d5

SHA512
e781d91900cf10d8c19720053393d2dbedc9bc663a4c29f00eb204da544b11772a7a4aa9398faa7add34e7c57952f47356f4910ba3de253e8f991b9866928c82

Download Submit
C:\Windows\System\FpQkruk.exe

Filesize
5.2MB

MD5
d5e2d77fde999bc65b187e26a53a62c3

SHA1
f1de9623837fda5edb7a0f9d51943738cce2b17b

SHA256
a911a4e332e12ec303c8a59b87e0c286805c878bd0b29ef7c26b095013b19914

SHA512
96b9eadd9c53023f7a27e989a036cba3ab3c520371504e01b88b88ef4b0475358fe5f3e7726b2f612f94a7328f29f0e59b2251a61e4ba53c028d49705e6af408

Download Submit
C:\Windows\System\IzgywTP.exe

Filesize
5.2MB

MD5
d49d5d28c12305940ca793d8b424ddeb

SHA1
292e0bb450836f65bb2d100b1f03dbb69dc3db7f

SHA256
9609e0b6395c7cb6790aa81616f55aee2e468d28b30f0840ca0310c51313088a

SHA512
8a5fa1defa9a0bce6199ce54b651bd24a04d90b206684944e91acf2b786bfce66094229f84c7ad38a8b9cce91e30c39cfba5253dfc8cc167f86fafe4fe5ce9ff

Download Submit
C:\Windows\System\MewVfDu.exe

Filesize
5.2MB

MD5
a16241482aad1212c3d73d9579cefb92

SHA1
c319ba49703c421a26add0f41a9256119720eb16

SHA256
58e27d04c46d2e241416f3946bd3b4146623c84324373a9b249846ed8d179a2b

SHA512
99615168c8253f69656f9f9646d3592a23673a446ce415704b5b6f46a3ab15c741e340d43c8ce6e2ddda761d9b6daabf96fc5a01f8ec219743f417520a296286

Download Submit
C:\Windows\System\NGjQjkB.exe

Filesize
5.2MB

MD5
a91c179acc01fd77d74547337f82136f

SHA1
80322a8d3a6c95a0d19927fa662251bc028b4fd4

SHA256
867b12390981ca3643b5c1ec818996202247689f48d3db3a6740417e9c734261

SHA512
6f36349e637cdd1c973d9cf8d1be774ebef1fb8bd2597587b70e2d9d6c88c8f0185d5f6dd72eef80d6f49a1f962aaca22fefbe8efbfcb5deef0026a57bc277db

Download Submit
C:\Windows\System\NNhEaei.exe

Filesize
5.2MB

MD5
028a913c997587866d3e875c18155360

SHA1
ec76d97a5396e75336c7fafc6c8eb59065d82e8e

SHA256
2170e909ebd51a26e37cce461c5b4eda3e056fc1f5c2713c8872d0b392f39c19

SHA512
70556763eda1d1f04187b270a69ddfacabafd85990bac3252cf9170ae96d1dcc2b84f1ae95836610babd3ee01466c3d0a328ca5e2110a5693db0ab3d381c995e

Download Submit
C:\Windows\System\SJLVdHF.exe

Filesize
5.2MB

MD5
37dbb3ab2d2b58229196d2a84242be02

SHA1
397962a7e061efe2b6c95d74304214cadc196e16

SHA256
a563fd863aefb42f7e9d91ad5044b9c8164f3ed48debef10022c5f4b3f60ef6a

SHA512
f96f81fad66ae24a673bea84ac7d276ee909fe69834a4821e75675cc92c8970c1459c45aa9e789b9276374a056340b1a45bacf84bb7ca6723ad4d2168b85fd57

Download Submit
C:\Windows\System\UQxfrur.exe

Filesize
5.2MB

MD5
08092785c94451c0c9fb2435aa65b399

SHA1
d359a6e47f376a1eb8dd1ae148508a94872ee2b1

SHA256
2bd14f6a887778548965e3e583dceac126f965b8c0ca7dfcd77e63c48d1e5738

SHA512
01a21867130265b56a16fec5827c799f78f209e76f5c190c9bde5113f2a4eaecc63164aa564654b292d3c55d2c658d8b046fc9e91f4d399035e57a1993e2d621

Download Submit
C:\Windows\System\aACBvUx.exe

Filesize
5.2MB

MD5
4d62b24dd5c70072ba762bbf26cd7df8

SHA1
1dfb7816914696ce2421ff610e80c51ce23e546c

SHA256
2c4377547319b6e5f0e9d280a6cb5d7854c7db08426a7921cd5e293ac559a342

SHA512
5908a10e1db5948158c0c2feaa4c4c1242fff939c5ff9d602f3468d12a5ab50aa8dd3aebf2b9175296743d60811634f2845368d0b2725224868a5cb994eb309e

Download Submit
C:\Windows\System\aFSMqwm.exe

Filesize
5.2MB

MD5
07c46c2d715344c1b8764724411df990

SHA1
56bd9fbea9de5e7e9f4dc0a36e37d3e674ba0377

SHA256
5e4bbbb099eee36bf752db5516b92f01f2f8bc446ab4e0084a032c6e3dd5f5ea

SHA512
fa7a9cd093ce8729261c97c0f8a1c06b4b176ee90c7ef093349bcafc9a3a04c41b73a130c37eaa88098ac3320df346c099b933622333d11a96079c51037ce4a7

Download Submit
C:\Windows\System\bcugwsl.exe

Filesize
5.2MB

MD5
12c86e1be6029ed4afe1a900f7506455

SHA1
eb142fb2e27129ad542b0f3ae26d805795b21ce1

SHA256
ce5aa60d9ff2b4131b321cb8ba338e40b29453837be77251beec87b4475facf0

SHA512
f94c48aa93eabec0e9106818836b81e8e255e29c1be91200a352e9556e5db0b7589ef402e0149cbfbbcad26c715e39fe6793a2f791214a0aa8b966a8cdc8332d

Download Submit
C:\Windows\System\hibUyOR.exe

Filesize
5.2MB

MD5
1af0af6cb00ca43f817a23766d6398b5

SHA1
587dbf0be357f347646d52fb962bf31a0237de1a

SHA256
1376165be53da3ab2e2b69ce20992750682f4c3c0e416d7ff5ddddc79dcac69b

SHA512
14be8be96c302dc7f4670ff2d9b7c34c49691050f9e7735b3e979fd278ed1b60bda4a3a6b9a6a62ad89333753e9a3077df580078f642ab2f842905d100f28123

Download Submit
C:\Windows\System\iQBLXwX.exe

Filesize
5.2MB

MD5
36d1a36eedd4f723edb0f2b74e213619

SHA1
1f11bfcbb2ddc17e8783c70a9cec79429368f134

SHA256
07759bc3e1f704983f62d2f1810986c51bf3ac609929ac69e1dae859f41c8b9c

SHA512
a8626cf7179a06329ee326fe8d8e192f59201237d66a01a6a2ad7e6d308d2ed40dce3c39495433bcd091d260eac584c9504c34e9dc1574b48e75646ed2b7299f

Download Submit
C:\Windows\System\ixkTtwU.exe

Filesize
5.2MB

MD5
fc4d5a285039a66c810571988406d33e

SHA1
3cce30697844b027cb44def32224e432a57d3746

SHA256
46d972d68dfd2cf7fb032e5c4b1dc43eed24c0a6bd8971575b511bc8a194747e

SHA512
47d23c15ffe6cd58884128bd6279a5b6a093547edbee30ca44e9458cd302c29dda380d9bc3558c650b3334054d96d348cd223c442f34734769554403bf56798d

Download Submit
C:\Windows\System\kRmTmfD.exe

Filesize
5.2MB

MD5
35b794b9ed458dadd71e10adffaa3f23

SHA1
f193b1891820edc306ef27b87b91bd66298beb33

SHA256
97c017918f79d054d73ea6da7adbda9f4282793505bc4638f0fd130befa7c332

SHA512
cde9ee702fc9a59921c177719270fec3edf8deafa011effae67d64ee446a7a1b8dbc2c279063982cb13f2b9a5e0e5fcca0e8e2a595fe3bed22eb03ad2d9ce6f1

Download Submit
C:\Windows\System\oItnnQH.exe

Filesize
5.2MB

MD5
187cb3fc765bfc4ab0019d1feb5b0039

SHA1
1370409945590af42c3c539e7d5e0addb7427384

SHA256
d51057bdd92813c6c83fc8fd8a7d1ffe9d945cad3a21cf46e4ccd5a23d495ec3

SHA512
511d7469e8da2e21b3dc6b62936f470bed523d914684a35b25528fddc3bd733df3bd233ab03deed50e18ffd75977a2c821459d4253d28522f17fc5d8516e9c18

Download Submit
C:\Windows\System\qkkqdIq.exe

Filesize
5.2MB

MD5
b378c096b07448087f3aa90b074f73b4

SHA1
aa1bf5637673e254fc93e5b4f55137d54f942bda

SHA256
5cc00c3ae79901484b0049a2435755344c6de043ea5cb2b13aca85a0dddeffb8

SHA512
c5ed3dff3b1dac4ca9ff67ed75adcfc452556b4a6b2f44241e76fe6af4344cc4b1818f0a323837f1e9df44835cefa5985d4c8a72857cdfaa21b4e7bebf8c1a1b

Download Submit
C:\Windows\System\sKiFMko.exe

Filesize
5.2MB

MD5
58998851a63e1a6873ec3fb9d4a6a240

SHA1
910636f24eca8252aa75a2b780c92f1b32405974

SHA256
67421b59d8ec4fa5c08e39426563bdb048e1c453d840f2b77d98382a6563ad88

SHA512
3d388425eb52a927c919029ba40bcc5cc903d20f6d6602dcd39fd25813a1bea70a96903e2254f4eb0e15864014e5daa784957908153ad1beccca0d9e245ddf85

Download Submit
C:\Windows\System\wyRmPpU.exe

Filesize
5.2MB

MD5
8066e9e73134eac9461d2094ac9a6b51

SHA1
750496668235e507f669223f68dd6b9c9e69b11a

SHA256
de9d4e8da8dd059ab23964cb300d8037594ff7892b92211b885e21523a8b37e8

SHA512
fde6b2b0d422ff597418a1b928b3a40c0f6bd2dc3eadcf8397195a3ebf04290427547314e29eeab5567e1953c4b7ab17f60e16f7382c4d2fb387602541685010

Download Submit
memory/864-21-0x00007FF79A760000-0x00007FF79AAB1000-memory.dmp

Filesize
3.3MB

Download
memory/864-132-0x00007FF79A760000-0x00007FF79AAB1000-memory.dmp

Filesize
3.3MB

Download
memory/864-226-0x00007FF79A760000-0x00007FF79AAB1000-memory.dmp

Filesize
3.3MB

Download
memory/956-29-0x00007FF731A90000-0x00007FF731DE1000-memory.dmp

Filesize
3.3MB

Download
memory/956-230-0x00007FF731A90000-0x00007FF731DE1000-memory.dmp

Filesize
3.3MB

Download
memory/956-133-0x00007FF731A90000-0x00007FF731DE1000-memory.dmp

Filesize
3.3MB

Download
memory/1188-260-0x00007FF718200000-0x00007FF718551000-memory.dmp

Filesize
3.3MB

Download
memory/1188-99-0x00007FF718200000-0x00007FF718551000-memory.dmp

Filesize
3.3MB

Download
memory/1188-152-0x00007FF718200000-0x00007FF718551000-memory.dmp

Filesize
3.3MB

Download
memory/1244-147-0x00007FF70DA30000-0x00007FF70DD81000-memory.dmp

Filesize
3.3MB

Download
memory/1244-243-0x00007FF70DA30000-0x00007FF70DD81000-memory.dmp

Filesize
3.3MB

Download
memory/1244-84-0x00007FF70DA30000-0x00007FF70DD81000-memory.dmp

Filesize
3.3MB

Download
memory/1388-136-0x00007FF7E63A0000-0x00007FF7E66F1000-memory.dmp

Filesize
3.3MB

Download
memory/1388-0-0x00007FF7E63A0000-0x00007FF7E66F1000-memory.dmp

Filesize
3.3MB

Download
memory/1388-1-0x0000023085DF0000-0x0000023085E00000-memory.dmp

Filesize
64KB

Download
memory/1388-160-0x00007FF7E63A0000-0x00007FF7E66F1000-memory.dmp

Filesize
3.3MB

Download
memory/1388-123-0x00007FF7E63A0000-0x00007FF7E66F1000-memory.dmp

Filesize
3.3MB

Download
memory/1448-135-0x00007FF7DD990000-0x00007FF7DDCE1000-memory.dmp

Filesize
3.3MB

Download
memory/1448-56-0x00007FF7DD990000-0x00007FF7DDCE1000-memory.dmp

Filesize
3.3MB

Download
memory/1448-236-0x00007FF7DD990000-0x00007FF7DDCE1000-memory.dmp

Filesize
3.3MB

Download
memory/1760-261-0x00007FF789030000-0x00007FF789381000-memory.dmp

Filesize
3.3MB

Download
memory/1760-109-0x00007FF789030000-0x00007FF789381000-memory.dmp

Filesize
3.3MB

Download
memory/1820-156-0x00007FF7FEAA0000-0x00007FF7FEDF1000-memory.dmp

Filesize
3.3MB

Download
memory/1820-255-0x00007FF7FEAA0000-0x00007FF7FEDF1000-memory.dmp

Filesize
3.3MB

Download
memory/1820-113-0x00007FF7FEAA0000-0x00007FF7FEDF1000-memory.dmp

Filesize
3.3MB

Download
memory/1888-130-0x00007FF7E91D0000-0x00007FF7E9521000-memory.dmp

Filesize
3.3MB

Download
memory/1888-224-0x00007FF7E91D0000-0x00007FF7E9521000-memory.dmp

Filesize
3.3MB

Download
memory/1888-12-0x00007FF7E91D0000-0x00007FF7E9521000-memory.dmp

Filesize
3.3MB

Download
memory/1996-150-0x00007FF673D50000-0x00007FF6740A1000-memory.dmp

Filesize
3.3MB

Download
memory/1996-251-0x00007FF673D50000-0x00007FF6740A1000-memory.dmp

Filesize
3.3MB

Download
memory/1996-75-0x00007FF673D50000-0x00007FF6740A1000-memory.dmp

Filesize
3.3MB

Download
memory/2024-258-0x00007FF67ADF0000-0x00007FF67B141000-memory.dmp

Filesize
3.3MB

Download
memory/2024-108-0x00007FF67ADF0000-0x00007FF67B141000-memory.dmp

Filesize
3.3MB

Download
memory/2024-155-0x00007FF67ADF0000-0x00007FF67B141000-memory.dmp

Filesize
3.3MB

Download
memory/2164-134-0x00007FF72ECA0000-0x00007FF72EFF1000-memory.dmp

Filesize
3.3MB

Download
memory/2164-41-0x00007FF72ECA0000-0x00007FF72EFF1000-memory.dmp

Filesize
3.3MB

Download
memory/2164-232-0x00007FF72ECA0000-0x00007FF72EFF1000-memory.dmp

Filesize
3.3MB

Download
memory/2368-234-0x00007FF72F830000-0x00007FF72FB81000-memory.dmp

Filesize
3.3MB

Download
memory/2368-64-0x00007FF72F830000-0x00007FF72FB81000-memory.dmp

Filesize
3.3MB

Download
memory/2376-266-0x00007FF7FB420000-0x00007FF7FB771000-memory.dmp

Filesize
3.3MB

Download
memory/2376-159-0x00007FF7FB420000-0x00007FF7FB771000-memory.dmp

Filesize
3.3MB

Download
memory/2376-122-0x00007FF7FB420000-0x00007FF7FB771000-memory.dmp

Filesize
3.3MB

Download
memory/2928-131-0x00007FF665770000-0x00007FF665AC1000-memory.dmp

Filesize
3.3MB

Download
memory/2928-228-0x00007FF665770000-0x00007FF665AC1000-memory.dmp

Filesize
3.3MB

Download
memory/2928-23-0x00007FF665770000-0x00007FF665AC1000-memory.dmp

Filesize
3.3MB

Download
memory/3220-100-0x00007FF69E6B0000-0x00007FF69EA01000-memory.dmp

Filesize
3.3MB

Download
memory/3220-253-0x00007FF69E6B0000-0x00007FF69EA01000-memory.dmp

Filesize
3.3MB

Download
memory/3668-146-0x00007FF7012F0000-0x00007FF701641000-memory.dmp

Filesize
3.3MB

Download
memory/3668-73-0x00007FF7012F0000-0x00007FF701641000-memory.dmp

Filesize
3.3MB

Download
memory/3668-238-0x00007FF7012F0000-0x00007FF701641000-memory.dmp

Filesize
3.3MB

Download
memory/4268-148-0x00007FF7DA260000-0x00007FF7DA5B1000-memory.dmp

Filesize
3.3MB

Download
memory/4268-240-0x00007FF7DA260000-0x00007FF7DA5B1000-memory.dmp

Filesize
3.3MB

Download
memory/4268-51-0x00007FF7DA260000-0x00007FF7DA5B1000-memory.dmp

Filesize
3.3MB

Download
memory/4408-244-0x00007FF644EC0000-0x00007FF645211000-memory.dmp

Filesize
3.3MB

Download
memory/4408-93-0x00007FF644EC0000-0x00007FF645211000-memory.dmp

Filesize
3.3MB

Download
memory/4548-222-0x00007FF7AA240000-0x00007FF7AA591000-memory.dmp

Filesize
3.3MB

Download
memory/4548-129-0x00007FF7AA240000-0x00007FF7AA591000-memory.dmp

Filesize
3.3MB

Download
memory/4548-6-0x00007FF7AA240000-0x00007FF7AA591000-memory.dmp

Filesize
3.3MB

Download
memory/4668-157-0x00007FF681170000-0x00007FF6814C1000-memory.dmp

Filesize
3.3MB

Download
memory/4668-121-0x00007FF681170000-0x00007FF6814C1000-memory.dmp

Filesize
3.3MB

Download
memory/4668-263-0x00007FF681170000-0x00007FF6814C1000-memory.dmp

Filesize
3.3MB

Download
memory/4972-158-0x00007FF7D4FD0000-0x00007FF7D5321000-memory.dmp

Filesize
3.3MB

Download
memory/4972-267-0x00007FF7D4FD0000-0x00007FF7D5321000-memory.dmp

Filesize
3.3MB

Download
memory/4972-128-0x00007FF7D4FD0000-0x00007FF7D5321000-memory.dmp

Filesize
3.3MB

Download