cobaltstrike | 59c374befe40652df52b85b2aa3b0fc4a59cc234542e9b99a88162615d99131d

Analysis

max time kernel
140s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20-09-2024 11:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-20_1c7015d9f60c0915225ed021f53d66a7_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

1c7015d9f60c0915225ed021f53d66a7
SHA1

6b2f6b5cc71e87e76da68894727d7070f1584ae6
SHA256

59c374befe40652df52b85b2aa3b0fc4a59cc234542e9b99a88162615d99131d
SHA512

6337b5d92aa295632fd440407f7a6f81b9cd97cf80e8908bf5c30bdaeb8f1b7e2d8e2367048cb40da5db0088ad44f98c1cf3843bb66269203a6c4d5cf92fbd26
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6li:RWWBibf56utgpPFotBER/mQ32lU+

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x00090000000234f1-5.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023509-9.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002350a-10.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002350c-28.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002350d-42.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023511-58.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023513-68.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023512-74.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023518-96.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023519-116.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002351b-120.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002351a-118.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023517-108.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023515-94.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023514-92.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023516-89.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023506-72.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023510-66.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002350f-57.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002350e-52.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002350b-24.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/3084-100-0x00007FF783A00000-0x00007FF783D51000-memory.dmp	xmrig
behavioral2/memory/3000-98-0x00007FF6195C0000-0x00007FF619911000-memory.dmp	xmrig
behavioral2/memory/3756-123-0x00007FF6ACD80000-0x00007FF6AD0D1000-memory.dmp	xmrig
behavioral2/memory/5020-127-0x00007FF734710000-0x00007FF734A61000-memory.dmp	xmrig
behavioral2/memory/4068-126-0x00007FF7ACEA0000-0x00007FF7AD1F1000-memory.dmp	xmrig
behavioral2/memory/604-125-0x00007FF62D7E0000-0x00007FF62DB31000-memory.dmp	xmrig
behavioral2/memory/412-124-0x00007FF710300000-0x00007FF710651000-memory.dmp	xmrig
behavioral2/memory/4064-122-0x00007FF614250000-0x00007FF6145A1000-memory.dmp	xmrig
behavioral2/memory/3180-115-0x00007FF62A5F0000-0x00007FF62A941000-memory.dmp	xmrig
behavioral2/memory/1916-112-0x00007FF674DA0000-0x00007FF6750F1000-memory.dmp	xmrig
behavioral2/memory/3652-106-0x00007FF6D9510000-0x00007FF6D9861000-memory.dmp	xmrig
behavioral2/memory/964-46-0x00007FF6CFE40000-0x00007FF6D0191000-memory.dmp	xmrig
behavioral2/memory/2472-29-0x00007FF71F2A0000-0x00007FF71F5F1000-memory.dmp	xmrig
behavioral2/memory/1344-129-0x00007FF7D9560000-0x00007FF7D98B1000-memory.dmp	xmrig
behavioral2/memory/2916-132-0x00007FF799AF0000-0x00007FF799E41000-memory.dmp	xmrig
behavioral2/memory/3764-131-0x00007FF6F35E0000-0x00007FF6F3931000-memory.dmp	xmrig
behavioral2/memory/2904-130-0x00007FF70CDD0000-0x00007FF70D121000-memory.dmp	xmrig
behavioral2/memory/2916-128-0x00007FF799AF0000-0x00007FF799E41000-memory.dmp	xmrig
behavioral2/memory/2652-136-0x00007FF65B700000-0x00007FF65BA51000-memory.dmp	xmrig
behavioral2/memory/4716-135-0x00007FF730700000-0x00007FF730A51000-memory.dmp	xmrig
behavioral2/memory/2404-142-0x00007FF7F7200000-0x00007FF7F7551000-memory.dmp	xmrig
behavioral2/memory/4828-138-0x00007FF7DDAA0000-0x00007FF7DDDF1000-memory.dmp	xmrig
behavioral2/memory/3940-137-0x00007FF783C40000-0x00007FF783F91000-memory.dmp	xmrig
behavioral2/memory/2916-151-0x00007FF799AF0000-0x00007FF799E41000-memory.dmp	xmrig
behavioral2/memory/1344-207-0x00007FF7D9560000-0x00007FF7D98B1000-memory.dmp	xmrig
behavioral2/memory/2904-209-0x00007FF70CDD0000-0x00007FF70D121000-memory.dmp	xmrig
behavioral2/memory/3764-211-0x00007FF6F35E0000-0x00007FF6F3931000-memory.dmp	xmrig
behavioral2/memory/2472-213-0x00007FF71F2A0000-0x00007FF71F5F1000-memory.dmp	xmrig
behavioral2/memory/964-215-0x00007FF6CFE40000-0x00007FF6D0191000-memory.dmp	xmrig
behavioral2/memory/4716-217-0x00007FF730700000-0x00007FF730A51000-memory.dmp	xmrig
behavioral2/memory/2652-230-0x00007FF65B700000-0x00007FF65BA51000-memory.dmp	xmrig
behavioral2/memory/3000-232-0x00007FF6195C0000-0x00007FF619911000-memory.dmp	xmrig
behavioral2/memory/3940-234-0x00007FF783C40000-0x00007FF783F91000-memory.dmp	xmrig
behavioral2/memory/4828-237-0x00007FF7DDAA0000-0x00007FF7DDDF1000-memory.dmp	xmrig
behavioral2/memory/3084-238-0x00007FF783A00000-0x00007FF783D51000-memory.dmp	xmrig
behavioral2/memory/2404-240-0x00007FF7F7200000-0x00007FF7F7551000-memory.dmp	xmrig
behavioral2/memory/3652-242-0x00007FF6D9510000-0x00007FF6D9861000-memory.dmp	xmrig
behavioral2/memory/4068-244-0x00007FF7ACEA0000-0x00007FF7AD1F1000-memory.dmp	xmrig
behavioral2/memory/1916-246-0x00007FF674DA0000-0x00007FF6750F1000-memory.dmp	xmrig
behavioral2/memory/3180-248-0x00007FF62A5F0000-0x00007FF62A941000-memory.dmp	xmrig
behavioral2/memory/3756-250-0x00007FF6ACD80000-0x00007FF6AD0D1000-memory.dmp	xmrig
behavioral2/memory/4064-252-0x00007FF614250000-0x00007FF6145A1000-memory.dmp	xmrig
behavioral2/memory/604-258-0x00007FF62D7E0000-0x00007FF62DB31000-memory.dmp	xmrig
behavioral2/memory/412-257-0x00007FF710300000-0x00007FF710651000-memory.dmp	xmrig
behavioral2/memory/5020-254-0x00007FF734710000-0x00007FF734A61000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
1344	VlKWbiv.exe
2904	HDFBfzu.exe
3764	CMbaThI.exe
2472	AJjulhm.exe
964	eAmDKfN.exe
4716	GiFfwIM.exe
2652	JgQtjyF.exe
3940	ZCwziRU.exe
4828	GDXewMn.exe
3000	HLnrEiF.exe
3084	EVIOMOZ.exe
2404	LCukpkw.exe
3652	kgtgeDb.exe
4068	xlMtkDM.exe
1916	qsWFMdZ.exe
3180	rnQmGLn.exe
4064	QdcgVIx.exe
3756	UgYviLA.exe
5020	fRhxFyZ.exe
412	zlwBLFF.exe
604	eImgxpg.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2916-0-0x00007FF799AF0000-0x00007FF799E41000-memory.dmp	upx
behavioral2/files/0x00090000000234f1-5.dat	upx
behavioral2/memory/1344-6-0x00007FF7D9560000-0x00007FF7D98B1000-memory.dmp	upx
behavioral2/files/0x0007000000023509-9.dat	upx
behavioral2/files/0x000700000002350a-10.dat	upx
behavioral2/memory/2904-14-0x00007FF70CDD0000-0x00007FF70D121000-memory.dmp	upx
behavioral2/files/0x000700000002350c-28.dat	upx
behavioral2/files/0x000700000002350d-42.dat	upx
behavioral2/files/0x0007000000023511-58.dat	upx
behavioral2/files/0x0007000000023513-68.dat	upx
behavioral2/memory/4828-67-0x00007FF7DDAA0000-0x00007FF7DDDF1000-memory.dmp	upx
behavioral2/files/0x0007000000023512-74.dat	upx
behavioral2/files/0x0007000000023518-96.dat	upx
behavioral2/memory/3084-100-0x00007FF783A00000-0x00007FF783D51000-memory.dmp	upx
behavioral2/memory/3000-98-0x00007FF6195C0000-0x00007FF619911000-memory.dmp	upx
behavioral2/files/0x0007000000023519-116.dat	upx
behavioral2/memory/3756-123-0x00007FF6ACD80000-0x00007FF6AD0D1000-memory.dmp	upx
behavioral2/memory/5020-127-0x00007FF734710000-0x00007FF734A61000-memory.dmp	upx
behavioral2/memory/4068-126-0x00007FF7ACEA0000-0x00007FF7AD1F1000-memory.dmp	upx
behavioral2/memory/604-125-0x00007FF62D7E0000-0x00007FF62DB31000-memory.dmp	upx
behavioral2/memory/412-124-0x00007FF710300000-0x00007FF710651000-memory.dmp	upx
behavioral2/memory/4064-122-0x00007FF614250000-0x00007FF6145A1000-memory.dmp	upx
behavioral2/files/0x000700000002351b-120.dat	upx
behavioral2/files/0x000700000002351a-118.dat	upx
behavioral2/memory/3180-115-0x00007FF62A5F0000-0x00007FF62A941000-memory.dmp	upx
behavioral2/memory/1916-112-0x00007FF674DA0000-0x00007FF6750F1000-memory.dmp	upx
behavioral2/files/0x0007000000023517-108.dat	upx
behavioral2/memory/3652-106-0x00007FF6D9510000-0x00007FF6D9861000-memory.dmp	upx
behavioral2/files/0x0007000000023515-94.dat	upx
behavioral2/files/0x0007000000023514-92.dat	upx
behavioral2/files/0x0007000000023516-89.dat	upx
behavioral2/memory/2404-75-0x00007FF7F7200000-0x00007FF7F7551000-memory.dmp	upx
behavioral2/files/0x0008000000023506-72.dat	upx
behavioral2/files/0x0007000000023510-66.dat	upx
behavioral2/files/0x000700000002350f-57.dat	upx
behavioral2/files/0x000700000002350e-52.dat	upx
behavioral2/memory/2652-49-0x00007FF65B700000-0x00007FF65BA51000-memory.dmp	upx
behavioral2/memory/964-46-0x00007FF6CFE40000-0x00007FF6D0191000-memory.dmp	upx
behavioral2/memory/3940-41-0x00007FF783C40000-0x00007FF783F91000-memory.dmp	upx
behavioral2/memory/4716-40-0x00007FF730700000-0x00007FF730A51000-memory.dmp	upx
behavioral2/memory/2472-29-0x00007FF71F2A0000-0x00007FF71F5F1000-memory.dmp	upx
behavioral2/files/0x000700000002350b-24.dat	upx
behavioral2/memory/3764-20-0x00007FF6F35E0000-0x00007FF6F3931000-memory.dmp	upx
behavioral2/memory/1344-129-0x00007FF7D9560000-0x00007FF7D98B1000-memory.dmp	upx
behavioral2/memory/2916-132-0x00007FF799AF0000-0x00007FF799E41000-memory.dmp	upx
behavioral2/memory/3764-131-0x00007FF6F35E0000-0x00007FF6F3931000-memory.dmp	upx
behavioral2/memory/2904-130-0x00007FF70CDD0000-0x00007FF70D121000-memory.dmp	upx
behavioral2/memory/2916-128-0x00007FF799AF0000-0x00007FF799E41000-memory.dmp	upx
behavioral2/memory/2652-136-0x00007FF65B700000-0x00007FF65BA51000-memory.dmp	upx
behavioral2/memory/4716-135-0x00007FF730700000-0x00007FF730A51000-memory.dmp	upx
behavioral2/memory/2404-142-0x00007FF7F7200000-0x00007FF7F7551000-memory.dmp	upx
behavioral2/memory/4828-138-0x00007FF7DDAA0000-0x00007FF7DDDF1000-memory.dmp	upx
behavioral2/memory/3940-137-0x00007FF783C40000-0x00007FF783F91000-memory.dmp	upx
behavioral2/memory/2916-151-0x00007FF799AF0000-0x00007FF799E41000-memory.dmp	upx
behavioral2/memory/1344-207-0x00007FF7D9560000-0x00007FF7D98B1000-memory.dmp	upx
behavioral2/memory/2904-209-0x00007FF70CDD0000-0x00007FF70D121000-memory.dmp	upx
behavioral2/memory/3764-211-0x00007FF6F35E0000-0x00007FF6F3931000-memory.dmp	upx
behavioral2/memory/2472-213-0x00007FF71F2A0000-0x00007FF71F5F1000-memory.dmp	upx
behavioral2/memory/964-215-0x00007FF6CFE40000-0x00007FF6D0191000-memory.dmp	upx
behavioral2/memory/4716-217-0x00007FF730700000-0x00007FF730A51000-memory.dmp	upx
behavioral2/memory/2652-230-0x00007FF65B700000-0x00007FF65BA51000-memory.dmp	upx
behavioral2/memory/3000-232-0x00007FF6195C0000-0x00007FF619911000-memory.dmp	upx
behavioral2/memory/3940-234-0x00007FF783C40000-0x00007FF783F91000-memory.dmp	upx
behavioral2/memory/4828-237-0x00007FF7DDAA0000-0x00007FF7DDDF1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\UgYviLA.exe	2024-09-20_1c7015d9f60c0915225ed021f53d66a7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JgQtjyF.exe	2024-09-20_1c7015d9f60c0915225ed021f53d66a7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GDXewMn.exe	2024-09-20_1c7015d9f60c0915225ed021f53d66a7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EVIOMOZ.exe	2024-09-20_1c7015d9f60c0915225ed021f53d66a7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qsWFMdZ.exe	2024-09-20_1c7015d9f60c0915225ed021f53d66a7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QdcgVIx.exe	2024-09-20_1c7015d9f60c0915225ed021f53d66a7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AJjulhm.exe	2024-09-20_1c7015d9f60c0915225ed021f53d66a7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HLnrEiF.exe	2024-09-20_1c7015d9f60c0915225ed021f53d66a7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LCukpkw.exe	2024-09-20_1c7015d9f60c0915225ed021f53d66a7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eImgxpg.exe	2024-09-20_1c7015d9f60c0915225ed021f53d66a7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CMbaThI.exe	2024-09-20_1c7015d9f60c0915225ed021f53d66a7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kgtgeDb.exe	2024-09-20_1c7015d9f60c0915225ed021f53d66a7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rnQmGLn.exe	2024-09-20_1c7015d9f60c0915225ed021f53d66a7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xlMtkDM.exe	2024-09-20_1c7015d9f60c0915225ed021f53d66a7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zlwBLFF.exe	2024-09-20_1c7015d9f60c0915225ed021f53d66a7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fRhxFyZ.exe	2024-09-20_1c7015d9f60c0915225ed021f53d66a7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VlKWbiv.exe	2024-09-20_1c7015d9f60c0915225ed021f53d66a7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HDFBfzu.exe	2024-09-20_1c7015d9f60c0915225ed021f53d66a7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eAmDKfN.exe	2024-09-20_1c7015d9f60c0915225ed021f53d66a7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GiFfwIM.exe	2024-09-20_1c7015d9f60c0915225ed021f53d66a7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZCwziRU.exe	2024-09-20_1c7015d9f60c0915225ed021f53d66a7_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2916	2024-09-20_1c7015d9f60c0915225ed021f53d66a7_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2916	2024-09-20_1c7015d9f60c0915225ed021f53d66a7_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2916 wrote to memory of 1344	2916	2024-09-20_1c7015d9f60c0915225ed021f53d66a7_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 2916 wrote to memory of 1344	2916	2024-09-20_1c7015d9f60c0915225ed021f53d66a7_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 2916 wrote to memory of 2904	2916	2024-09-20_1c7015d9f60c0915225ed021f53d66a7_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2916 wrote to memory of 2904	2916	2024-09-20_1c7015d9f60c0915225ed021f53d66a7_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2916 wrote to memory of 3764	2916	2024-09-20_1c7015d9f60c0915225ed021f53d66a7_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2916 wrote to memory of 3764	2916	2024-09-20_1c7015d9f60c0915225ed021f53d66a7_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2916 wrote to memory of 2472	2916	2024-09-20_1c7015d9f60c0915225ed021f53d66a7_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2916 wrote to memory of 2472	2916	2024-09-20_1c7015d9f60c0915225ed021f53d66a7_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2916 wrote to memory of 964	2916	2024-09-20_1c7015d9f60c0915225ed021f53d66a7_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2916 wrote to memory of 964	2916	2024-09-20_1c7015d9f60c0915225ed021f53d66a7_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2916 wrote to memory of 4716	2916	2024-09-20_1c7015d9f60c0915225ed021f53d66a7_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2916 wrote to memory of 4716	2916	2024-09-20_1c7015d9f60c0915225ed021f53d66a7_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2916 wrote to memory of 2652	2916	2024-09-20_1c7015d9f60c0915225ed021f53d66a7_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2916 wrote to memory of 2652	2916	2024-09-20_1c7015d9f60c0915225ed021f53d66a7_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2916 wrote to memory of 3940	2916	2024-09-20_1c7015d9f60c0915225ed021f53d66a7_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2916 wrote to memory of 3940	2916	2024-09-20_1c7015d9f60c0915225ed021f53d66a7_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2916 wrote to memory of 4828	2916	2024-09-20_1c7015d9f60c0915225ed021f53d66a7_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2916 wrote to memory of 4828	2916	2024-09-20_1c7015d9f60c0915225ed021f53d66a7_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2916 wrote to memory of 3000	2916	2024-09-20_1c7015d9f60c0915225ed021f53d66a7_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2916 wrote to memory of 3000	2916	2024-09-20_1c7015d9f60c0915225ed021f53d66a7_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2916 wrote to memory of 3084	2916	2024-09-20_1c7015d9f60c0915225ed021f53d66a7_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2916 wrote to memory of 3084	2916	2024-09-20_1c7015d9f60c0915225ed021f53d66a7_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2916 wrote to memory of 3652	2916	2024-09-20_1c7015d9f60c0915225ed021f53d66a7_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2916 wrote to memory of 3652	2916	2024-09-20_1c7015d9f60c0915225ed021f53d66a7_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2916 wrote to memory of 2404	2916	2024-09-20_1c7015d9f60c0915225ed021f53d66a7_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2916 wrote to memory of 2404	2916	2024-09-20_1c7015d9f60c0915225ed021f53d66a7_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2916 wrote to memory of 3180	2916	2024-09-20_1c7015d9f60c0915225ed021f53d66a7_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2916 wrote to memory of 3180	2916	2024-09-20_1c7015d9f60c0915225ed021f53d66a7_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2916 wrote to memory of 4068	2916	2024-09-20_1c7015d9f60c0915225ed021f53d66a7_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2916 wrote to memory of 4068	2916	2024-09-20_1c7015d9f60c0915225ed021f53d66a7_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2916 wrote to memory of 1916	2916	2024-09-20_1c7015d9f60c0915225ed021f53d66a7_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2916 wrote to memory of 1916	2916	2024-09-20_1c7015d9f60c0915225ed021f53d66a7_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2916 wrote to memory of 4064	2916	2024-09-20_1c7015d9f60c0915225ed021f53d66a7_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2916 wrote to memory of 4064	2916	2024-09-20_1c7015d9f60c0915225ed021f53d66a7_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2916 wrote to memory of 3756	2916	2024-09-20_1c7015d9f60c0915225ed021f53d66a7_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2916 wrote to memory of 3756	2916	2024-09-20_1c7015d9f60c0915225ed021f53d66a7_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2916 wrote to memory of 5020	2916	2024-09-20_1c7015d9f60c0915225ed021f53d66a7_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2916 wrote to memory of 5020	2916	2024-09-20_1c7015d9f60c0915225ed021f53d66a7_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2916 wrote to memory of 412	2916	2024-09-20_1c7015d9f60c0915225ed021f53d66a7_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2916 wrote to memory of 412	2916	2024-09-20_1c7015d9f60c0915225ed021f53d66a7_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2916 wrote to memory of 604	2916	2024-09-20_1c7015d9f60c0915225ed021f53d66a7_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2916 wrote to memory of 604	2916	2024-09-20_1c7015d9f60c0915225ed021f53d66a7_cobalt-strike_cobaltstrike_poet-rat.exe	103

C:\Users\Admin\AppData\Local\Temp\2024-09-20_1c7015d9f60c0915225ed021f53d66a7_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-20_1c7015d9f60c0915225ed021f53d66a7_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2916
- C:\Windows\System\VlKWbiv.exe
  C:\Windows\System\VlKWbiv.exe
  2⤵
  - Executes dropped EXE
  PID:1344
- C:\Windows\System\HDFBfzu.exe
  C:\Windows\System\HDFBfzu.exe
  2⤵
  - Executes dropped EXE
  PID:2904
- C:\Windows\System\CMbaThI.exe
  C:\Windows\System\CMbaThI.exe
  2⤵
  - Executes dropped EXE
  PID:3764
- C:\Windows\System\AJjulhm.exe
  C:\Windows\System\AJjulhm.exe
  2⤵
  - Executes dropped EXE
  PID:2472
- C:\Windows\System\eAmDKfN.exe
  C:\Windows\System\eAmDKfN.exe
  2⤵
  - Executes dropped EXE
  PID:964
- C:\Windows\System\GiFfwIM.exe
  C:\Windows\System\GiFfwIM.exe
  2⤵
  - Executes dropped EXE
  PID:4716
- C:\Windows\System\JgQtjyF.exe
  C:\Windows\System\JgQtjyF.exe
  2⤵
  - Executes dropped EXE
  PID:2652
- C:\Windows\System\ZCwziRU.exe
  C:\Windows\System\ZCwziRU.exe
  2⤵
  - Executes dropped EXE
  PID:3940
- C:\Windows\System\GDXewMn.exe
  C:\Windows\System\GDXewMn.exe
  2⤵
  - Executes dropped EXE
  PID:4828
- C:\Windows\System\HLnrEiF.exe
  C:\Windows\System\HLnrEiF.exe
  2⤵
  - Executes dropped EXE
  PID:3000
- C:\Windows\System\EVIOMOZ.exe
  C:\Windows\System\EVIOMOZ.exe
  2⤵
  - Executes dropped EXE
  PID:3084
- C:\Windows\System\kgtgeDb.exe
  C:\Windows\System\kgtgeDb.exe
  2⤵
  - Executes dropped EXE
  PID:3652
- C:\Windows\System\LCukpkw.exe
  C:\Windows\System\LCukpkw.exe
  2⤵
  - Executes dropped EXE
  PID:2404
- C:\Windows\System\rnQmGLn.exe
  C:\Windows\System\rnQmGLn.exe
  2⤵
  - Executes dropped EXE
  PID:3180
- C:\Windows\System\xlMtkDM.exe
  C:\Windows\System\xlMtkDM.exe
  2⤵
  - Executes dropped EXE
  PID:4068
- C:\Windows\System\qsWFMdZ.exe
  C:\Windows\System\qsWFMdZ.exe
  2⤵
  - Executes dropped EXE
  PID:1916
- C:\Windows\System\QdcgVIx.exe
  C:\Windows\System\QdcgVIx.exe
  2⤵
  - Executes dropped EXE
  PID:4064
- C:\Windows\System\UgYviLA.exe
  C:\Windows\System\UgYviLA.exe
  2⤵
  - Executes dropped EXE
  PID:3756
- C:\Windows\System\fRhxFyZ.exe
  C:\Windows\System\fRhxFyZ.exe
  2⤵
  - Executes dropped EXE
  PID:5020
- C:\Windows\System\zlwBLFF.exe
  C:\Windows\System\zlwBLFF.exe
  2⤵
  - Executes dropped EXE
  PID:412
- C:\Windows\System\eImgxpg.exe
  C:\Windows\System\eImgxpg.exe
  2⤵
  - Executes dropped EXE
  PID:604

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AJjulhm.exe

Filesize
5.2MB

MD5
af384929e720b5f1bf1125a8409cf0b3

SHA1
d0dea7d0f6cbd5be2f9c12e2a55b194eb2822daa

SHA256
9213accb4c9654fa3f701f031c29cd852631d2b529d9a01f2a33aefc20f99fee

SHA512
53bb8e41c0c422b3f7b1d21d22682ebd1182568ecebb0cef18a5d74dca9c0a4f566182f187c356e7ff65642936ebde6a1569195531e4c9d89d15793ae497ee3d

Download Submit
C:\Windows\System\CMbaThI.exe

Filesize
5.2MB

MD5
50f5d822b21a1782bcea97709094bd9a

SHA1
de53cf843fbbd6f2c3f695d691d546d6d41709db

SHA256
95e8b19d7043f49ec1e5e2808853eda46c53331f4709d32a1d96255890f6d007

SHA512
6525f02ff8b128d87f78a66e0e3596b197d1750b15f0d37e3b643c567b4da7b486c3cb02542328d7237c27ce8a28f221e0c62056bd12b0c7362f834aa5c5bbda

Download Submit
C:\Windows\System\EVIOMOZ.exe

Filesize
5.2MB

MD5
085f1bedef4f65963c40856b86a3a0cc

SHA1
bdab6226454928eea903727e49b46904ee0dd8ac

SHA256
addf8148220a2e483d15d004393c5ab100cd24b00284e5279697aa4a4e1a2a82

SHA512
bd854a5933f4dea844101c5862b9041103e1a195ed251bf67cff1b8235a1cec6d641c2ab393100aa8bc0149cd70079ee35e0e2bc2d0bca418e8c8c79b074a40d

Download Submit
C:\Windows\System\GDXewMn.exe

Filesize
5.2MB

MD5
e2ca1a533a014e88dae2d27549a0cd2d

SHA1
a4d1e65503e121b3e648cd4dd3cdc5677320b76c

SHA256
aff8ea38455ae5bf3a11a77cc8f64440d4eb4056bc9b27a4d00db50c9b87a187

SHA512
9ee15901c59f5d1f6b4f30a903efb131a6d599b0c1f9094f7031cec226f650d3e17b3dfdb016a4b0efecc427e95c38816055c2e735d2c89e7c426602d2368e6a

Download Submit
C:\Windows\System\GiFfwIM.exe

Filesize
5.2MB

MD5
f5fddee2c6c73959209470c2ca102b18

SHA1
37eb9978d37ca3f33e3f8555180111cf426c774a

SHA256
a22d3673098da4cc600bef9c97f8dcd2430649b5b679fa402a973b6f224440ce

SHA512
e1967ad2136679507c02edbbdb1629cdfb13e74915832d1ea315c04c8279ec0f5b8d8d32aa4f246ce066f98323369ff4deed05dce9d8ddd7944fbaeaf4510f9d

Download Submit
C:\Windows\System\HDFBfzu.exe

Filesize
5.2MB

MD5
57195add54a53ae6e658bf1a80aff66c

SHA1
c16332dcd5fb2d4e78958280b04bcee442d4defe

SHA256
30050506ad028907364a6bf7f030e7334a299e91894a190f22bf7911531bc81d

SHA512
953dbbd0f40615a7e537827667f11a7adb714ab8fef72a14d892aa852a2dc9e810a61682058d77bcc0b83ef9731ae42211ba2e4025bc17ab88d37572362c26ef

Download Submit
C:\Windows\System\HLnrEiF.exe

Filesize
5.2MB

MD5
9d485b0ddbbdb1c2167b1f750e16e9ad

SHA1
9df81fcdd3d7d8247ec6c605bb34f1c82849ad20

SHA256
59b7bbe5c7ad07df75ec55e36c17b2bbda489d1341321d07f9a24f5bcffda34b

SHA512
9013cd820f2eec3255d815157a3e79ef3517b1e10eec250a5ba6bbb36e2b78014dc04499fb44b831da587a77aa227d78b0f5fd5ffce04b1e44eda6edc2890056

Download Submit
C:\Windows\System\JgQtjyF.exe

Filesize
5.2MB

MD5
97a21de32a88dc16dfafcbda3dfbbf2c

SHA1
33846e367d0c26e7a84e9dc21b46a7e459c34018

SHA256
493eee251e93ad06a4f44ba71390aae0c964f2e16bf221a45149c7ce43300d37

SHA512
9b25647f8be6657eca4e0537aecfb1ce29e17822028016330b7484988b903378a92f4c949ee2715d71c6bc54105dcaa77ce02bd10736871775f908da1c6606e9

Download Submit
C:\Windows\System\LCukpkw.exe

Filesize
5.2MB

MD5
2200ee3c2fc805c52012b7d5eb584926

SHA1
8566949d49a3caaaad19b8019edbec1694b85532

SHA256
9b89672f5907efb4d85dd45d57c60b956f7fa401336a0076269d3aa94d0becd2

SHA512
10c0dc527454ca9d37ebd8ef82f6f7f58706b4b5929875a8e7c445b5823dab789377c15ba554d0b1925c326b1a5d5eae5a1b1d82dd56485f94bfb98ab5914a14

Download Submit
C:\Windows\System\QdcgVIx.exe

Filesize
5.2MB

MD5
218595237e3a140cd2ef175010e5d86f

SHA1
a5df2874cd7a21017828918f38143930c009121f

SHA256
6a771e08527f39ad7275d5928f5bea0fa360247eba1fc88f7a68f5dc71328511

SHA512
27f2a9a2de2607cf51f588775a674af124053611c9996d14c7130637e06723242205a992fb0c4d43cd9c8db2389f8d0654df6ddbbc422145fd77c277bddfb570

Download Submit
C:\Windows\System\UgYviLA.exe

Filesize
5.2MB

MD5
fab20d8c95045235ae010ac75cbe9c68

SHA1
ab5d26e1a7abc43a274624b2b3b7724ce9bcb073

SHA256
55ed22638f1c477407f84ab326964b3a6ab13bdfc0a0ae5ebd30f7ca2535612d

SHA512
813713fc8f5b80e15625c0efd1c4dcdfe02a2e39631e65271b1a6ad18f11b6782df62de17d048c44aef0794f968806405b8c44da6163ff3d2df18848822f92ad

Download Submit
C:\Windows\System\VlKWbiv.exe

Filesize
5.2MB

MD5
da79a02c2a38cb37d647042e4e4f94b1

SHA1
5cf959bc7054739a31b0df33609b8636b3d3c713

SHA256
416c2f2151b066cd0c7b2fa7ffe35c51a0d29b05b63047249c97267b040fde0c

SHA512
163ff8c74d1b1bdb4429cbdbc15e31c5fca0315be3d1a2ea382262b01adbc4d4bd06a78423abbd06468548ab7233ed04c4bf5870f966f82fdcd8361abf525247

Download Submit
C:\Windows\System\ZCwziRU.exe

Filesize
5.2MB

MD5
3b0ab497607b2f0d14de3765611bb9fc

SHA1
dca7ddd571031d8b2a0af3a1a42eaf19e5c7d615

SHA256
2a93a8bf24fc84cfc4f60b2e1158ce5fd10798182c35f0391408b6cda530fc17

SHA512
618c99c5037a9fb2b55af4dad669a61bb8ef905b5de2ec4018ad50821e2159358ddc26eda74efa7f96f0f9ec65e98810aea4c115fb05af0222abede7f36f7ee3

Download Submit
C:\Windows\System\eAmDKfN.exe

Filesize
5.2MB

MD5
f8409051016cf3ef813560a49e6cb0a0

SHA1
0528cc51429fe9222ed3ccb31dac1de8b00defb5

SHA256
78d5025cad796dfa4915f61ec023e81862a9c4024bf97c8a2bc79dadabd279fb

SHA512
731632bf6903fec6a767d24622e21d66406345e001cd672def724e69d7f196db8c2570b9d89a9e3b70e497c548a74d8574acfa39bdf9b789d462fa8d25d73389

Download Submit
C:\Windows\System\eImgxpg.exe

Filesize
5.2MB

MD5
82fcbd91144433ff8a32dc54a2b32856

SHA1
087cf032b793cad0602e20a88708e29f39f140d3

SHA256
d54fa993bb294b245edadc4e56ea697f8528cecaef483a6182f6dfcf8561e93b

SHA512
d0737db08a3d3cde48cb5fe0a1812eff05177e024f853670a677e45be4495c9114841d0c81ccd4c37772747c216d4fe38fff90d2a66fce80c6abf984bc1ee852

Download Submit
C:\Windows\System\fRhxFyZ.exe

Filesize
5.2MB

MD5
652bb26bf718639e7532281650c3e949

SHA1
2769a2555c0e3e21210841a89b714d443fb266dc

SHA256
abea4e170fb1d52c49e54bb076ce5c5baee392d9a600cc48ce3df3aef18d9f6c

SHA512
33bff2487740301537ae3f362b0331f1a7f5b18ecec2b945ebde67802885d0dba8c56a3d0ed9197d7a4472112e6494d653e8fc19122c8b2a5073731621582e49

Download Submit
C:\Windows\System\kgtgeDb.exe

Filesize
5.2MB

MD5
91f7879d1e8009ba5a5a33345745a922

SHA1
95580757235de87e0b901f88879a1b889bc89b20

SHA256
389b448f94779895bccfe137380bd963a452167a1848d6a7447a7aa4ad13f6a1

SHA512
0464e589062f5f093b10de114be0a562c0f9c83976a6924a3bad5b9f91877b4e53cc5921df5f9f62cf28c856707334c4dd8ee7196fc7f673de228e94d69fbf30

Download Submit
C:\Windows\System\qsWFMdZ.exe

Filesize
5.2MB

MD5
310c7f454675fe1e8964c5fa625dcdbc

SHA1
266e6995f59e18fb36230f383500f9fa2316aabc

SHA256
0ae2c51335982e1910542bccab13b04e39a51a75d25632496c4fa5af33e50986

SHA512
42ed2ba3935ac49a0646a490edde4427c6bc05057f2c64c96ace62141e8112c974cf3b2916f2dd3a4e5e8acf460816b14ee35c5e200358f9c1935f2d29d812b1

Download Submit
C:\Windows\System\rnQmGLn.exe

Filesize
5.2MB

MD5
cf651e88100c0e7e026cde8810360c45

SHA1
029acdc22fc47a3ba0c0df825976d5c251f5672c

SHA256
578ae4d918053dd18934c4a10c004ff10c3418f7e93149c573d3325d9f8c4d9a

SHA512
3d3aaf11ad76fd17b9cc4125d996740fb0b27cef4b3cd2b4fb3d5700b7d27f231195a489fa830d613be051d8a9848d5211210430ad39258dcbaad33c2d83562c

Download Submit
C:\Windows\System\xlMtkDM.exe

Filesize
5.2MB

MD5
5a7463d86b81192e9217ac05636a7245

SHA1
eb0c62181bd91853d3896957b41f59274a27afae

SHA256
47e405d7d3d81b4324bf699fe7afb3972ca83971a644d4d50de10767e7438a89

SHA512
79206d3b217d6d628cd326c53ee5653ef583e7794a60a875d040cb7ac7cd5fac26d134451f9f6fef8fb1bf8ee8dfb06a00861399b5bb1e78199bb561be77c159

Download Submit
C:\Windows\System\zlwBLFF.exe

Filesize
5.2MB

MD5
d1126e7681a3ddf8df32157570d129af

SHA1
d00bb32ad72bb27faf16234affaf1e60b74b974e

SHA256
8c1b410fe195c9a633c253d991f194663eb46a42c4727a1f34e86655ef54994f

SHA512
99f12be475cbd3534b7646ab1832b08cd3b7a578f98f8f5fc1a7cde64400b5696760bf9664328d4cad7ac8aff71fd1712807933f2ac5c947bc558123f938d58c

Download Submit
memory/412-257-0x00007FF710300000-0x00007FF710651000-memory.dmp

Filesize
3.3MB

Download
memory/412-124-0x00007FF710300000-0x00007FF710651000-memory.dmp

Filesize
3.3MB

Download
memory/604-258-0x00007FF62D7E0000-0x00007FF62DB31000-memory.dmp

Filesize
3.3MB

Download
memory/604-125-0x00007FF62D7E0000-0x00007FF62DB31000-memory.dmp

Filesize
3.3MB

Download
memory/964-46-0x00007FF6CFE40000-0x00007FF6D0191000-memory.dmp

Filesize
3.3MB

Download
memory/964-215-0x00007FF6CFE40000-0x00007FF6D0191000-memory.dmp

Filesize
3.3MB

Download
memory/1344-129-0x00007FF7D9560000-0x00007FF7D98B1000-memory.dmp

Filesize
3.3MB

Download
memory/1344-207-0x00007FF7D9560000-0x00007FF7D98B1000-memory.dmp

Filesize
3.3MB

Download
memory/1344-6-0x00007FF7D9560000-0x00007FF7D98B1000-memory.dmp

Filesize
3.3MB

Download
memory/1916-112-0x00007FF674DA0000-0x00007FF6750F1000-memory.dmp

Filesize
3.3MB

Download
memory/1916-246-0x00007FF674DA0000-0x00007FF6750F1000-memory.dmp

Filesize
3.3MB

Download
memory/2404-75-0x00007FF7F7200000-0x00007FF7F7551000-memory.dmp

Filesize
3.3MB

Download
memory/2404-240-0x00007FF7F7200000-0x00007FF7F7551000-memory.dmp

Filesize
3.3MB

Download
memory/2404-142-0x00007FF7F7200000-0x00007FF7F7551000-memory.dmp

Filesize
3.3MB

Download
memory/2472-29-0x00007FF71F2A0000-0x00007FF71F5F1000-memory.dmp

Filesize
3.3MB

Download
memory/2472-213-0x00007FF71F2A0000-0x00007FF71F5F1000-memory.dmp

Filesize
3.3MB

Download
memory/2652-136-0x00007FF65B700000-0x00007FF65BA51000-memory.dmp

Filesize
3.3MB

Download
memory/2652-230-0x00007FF65B700000-0x00007FF65BA51000-memory.dmp

Filesize
3.3MB

Download
memory/2652-49-0x00007FF65B700000-0x00007FF65BA51000-memory.dmp

Filesize
3.3MB

Download
memory/2904-209-0x00007FF70CDD0000-0x00007FF70D121000-memory.dmp

Filesize
3.3MB

Download
memory/2904-14-0x00007FF70CDD0000-0x00007FF70D121000-memory.dmp

Filesize
3.3MB

Download
memory/2904-130-0x00007FF70CDD0000-0x00007FF70D121000-memory.dmp

Filesize
3.3MB

Download
memory/2916-151-0x00007FF799AF0000-0x00007FF799E41000-memory.dmp

Filesize
3.3MB

Download
memory/2916-1-0x000001C9D9100000-0x000001C9D9110000-memory.dmp

Filesize
64KB

Download
memory/2916-132-0x00007FF799AF0000-0x00007FF799E41000-memory.dmp

Filesize
3.3MB

Download
memory/2916-128-0x00007FF799AF0000-0x00007FF799E41000-memory.dmp

Filesize
3.3MB

Download
memory/2916-0-0x00007FF799AF0000-0x00007FF799E41000-memory.dmp

Filesize
3.3MB

Download
memory/3000-232-0x00007FF6195C0000-0x00007FF619911000-memory.dmp

Filesize
3.3MB

Download
memory/3000-98-0x00007FF6195C0000-0x00007FF619911000-memory.dmp

Filesize
3.3MB

Download
memory/3084-100-0x00007FF783A00000-0x00007FF783D51000-memory.dmp

Filesize
3.3MB

Download
memory/3084-238-0x00007FF783A00000-0x00007FF783D51000-memory.dmp

Filesize
3.3MB

Download
memory/3180-115-0x00007FF62A5F0000-0x00007FF62A941000-memory.dmp

Filesize
3.3MB

Download
memory/3180-248-0x00007FF62A5F0000-0x00007FF62A941000-memory.dmp

Filesize
3.3MB

Download
memory/3652-242-0x00007FF6D9510000-0x00007FF6D9861000-memory.dmp

Filesize
3.3MB

Download
memory/3652-106-0x00007FF6D9510000-0x00007FF6D9861000-memory.dmp

Filesize
3.3MB

Download
memory/3756-123-0x00007FF6ACD80000-0x00007FF6AD0D1000-memory.dmp

Filesize
3.3MB

Download
memory/3756-250-0x00007FF6ACD80000-0x00007FF6AD0D1000-memory.dmp

Filesize
3.3MB

Download
memory/3764-131-0x00007FF6F35E0000-0x00007FF6F3931000-memory.dmp

Filesize
3.3MB

Download
memory/3764-20-0x00007FF6F35E0000-0x00007FF6F3931000-memory.dmp

Filesize
3.3MB

Download
memory/3764-211-0x00007FF6F35E0000-0x00007FF6F3931000-memory.dmp

Filesize
3.3MB

Download
memory/3940-137-0x00007FF783C40000-0x00007FF783F91000-memory.dmp

Filesize
3.3MB

Download
memory/3940-234-0x00007FF783C40000-0x00007FF783F91000-memory.dmp

Filesize
3.3MB

Download
memory/3940-41-0x00007FF783C40000-0x00007FF783F91000-memory.dmp

Filesize
3.3MB

Download
memory/4064-252-0x00007FF614250000-0x00007FF6145A1000-memory.dmp

Filesize
3.3MB

Download
memory/4064-122-0x00007FF614250000-0x00007FF6145A1000-memory.dmp

Filesize
3.3MB

Download
memory/4068-244-0x00007FF7ACEA0000-0x00007FF7AD1F1000-memory.dmp

Filesize
3.3MB

Download
memory/4068-126-0x00007FF7ACEA0000-0x00007FF7AD1F1000-memory.dmp

Filesize
3.3MB

Download
memory/4716-40-0x00007FF730700000-0x00007FF730A51000-memory.dmp

Filesize
3.3MB

Download
memory/4716-135-0x00007FF730700000-0x00007FF730A51000-memory.dmp

Filesize
3.3MB

Download
memory/4716-217-0x00007FF730700000-0x00007FF730A51000-memory.dmp

Filesize
3.3MB

Download
memory/4828-237-0x00007FF7DDAA0000-0x00007FF7DDDF1000-memory.dmp

Filesize
3.3MB

Download
memory/4828-67-0x00007FF7DDAA0000-0x00007FF7DDDF1000-memory.dmp

Filesize
3.3MB

Download
memory/4828-138-0x00007FF7DDAA0000-0x00007FF7DDDF1000-memory.dmp

Filesize
3.3MB

Download
memory/5020-127-0x00007FF734710000-0x00007FF734A61000-memory.dmp

Filesize
3.3MB

Download
memory/5020-254-0x00007FF734710000-0x00007FF734A61000-memory.dmp

Filesize
3.3MB

Download