cobaltstrike | 387a65c70cad23d651175c2cd70523c77c99d49a24ec29607c0aa7171afe83d3

Analysis

max time kernel
141s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20-09-2024 15:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-20_1dae66fefaa0b63669daaa8bdf464b7f_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

1dae66fefaa0b63669daaa8bdf464b7f
SHA1

133ec975e2632e4a826e1c60adcde2eaefa51c73
SHA256

387a65c70cad23d651175c2cd70523c77c99d49a24ec29607c0aa7171afe83d3
SHA512

0deb26b07c14f43949d9c8b096d9de6d1b10239bdf3e3702a000b3b6c949db83bec9afa17ebbdb0c46b8630abb38e8a8db2d263ad124053b6a9b1d8a20ca1c1b
SSDEEP

49152:ROdWCCi7/raA56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l0:RWWBibj56utgpPFotBER/mQ32lU4

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0008000000023454-5.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345a-32.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023459-31.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023456-28.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023458-21.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023457-20.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023455-15.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345c-57.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345e-64.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023449-78.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345f-76.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345d-62.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345b-55.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023460-83.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023467-117.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023464-113.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023465-112.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023468-122.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023469-132.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023463-102.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023462-90.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 46 IoCs

miner

resource	yara_rule
behavioral2/memory/2792-61-0x00007FF77B520000-0x00007FF77B871000-memory.dmp	xmrig
behavioral2/memory/1476-60-0x00007FF6525B0000-0x00007FF652901000-memory.dmp	xmrig
behavioral2/memory/2168-54-0x00007FF7DB3D0000-0x00007FF7DB721000-memory.dmp	xmrig
behavioral2/memory/4300-51-0x00007FF7AE580000-0x00007FF7AE8D1000-memory.dmp	xmrig
behavioral2/memory/4104-91-0x00007FF6776E0000-0x00007FF677A31000-memory.dmp	xmrig
behavioral2/memory/812-98-0x00007FF604C60000-0x00007FF604FB1000-memory.dmp	xmrig
behavioral2/memory/4300-103-0x00007FF7AE580000-0x00007FF7AE8D1000-memory.dmp	xmrig
behavioral2/memory/1860-111-0x00007FF739810000-0x00007FF739B61000-memory.dmp	xmrig
behavioral2/memory/5040-135-0x00007FF7A8CC0000-0x00007FF7A9011000-memory.dmp	xmrig
behavioral2/memory/4556-133-0x00007FF6D7430000-0x00007FF6D7781000-memory.dmp	xmrig
behavioral2/memory/2856-131-0x00007FF7BC5E0000-0x00007FF7BC931000-memory.dmp	xmrig
behavioral2/memory/1556-124-0x00007FF75C840000-0x00007FF75CB91000-memory.dmp	xmrig
behavioral2/memory/228-119-0x00007FF780650000-0x00007FF7809A1000-memory.dmp	xmrig
behavioral2/memory/2232-118-0x00007FF776430000-0x00007FF776781000-memory.dmp	xmrig
behavioral2/memory/4376-100-0x00007FF685D10000-0x00007FF686061000-memory.dmp	xmrig
behavioral2/memory/468-97-0x00007FF7C9330000-0x00007FF7C9681000-memory.dmp	xmrig
behavioral2/memory/3204-95-0x00007FF63EEF0000-0x00007FF63F241000-memory.dmp	xmrig
behavioral2/memory/4104-137-0x00007FF6776E0000-0x00007FF677A31000-memory.dmp	xmrig
behavioral2/memory/3564-149-0x00007FF643840000-0x00007FF643B91000-memory.dmp	xmrig
behavioral2/memory/4908-150-0x00007FF7AC450000-0x00007FF7AC7A1000-memory.dmp	xmrig
behavioral2/memory/1524-153-0x00007FF6CF8F0000-0x00007FF6CFC41000-memory.dmp	xmrig
behavioral2/memory/712-154-0x00007FF67B230000-0x00007FF67B581000-memory.dmp	xmrig
behavioral2/memory/2088-163-0x00007FF64EB00000-0x00007FF64EE51000-memory.dmp	xmrig
behavioral2/memory/1900-162-0x00007FF62A9B0000-0x00007FF62AD01000-memory.dmp	xmrig
behavioral2/memory/4104-164-0x00007FF6776E0000-0x00007FF677A31000-memory.dmp	xmrig
behavioral2/memory/468-222-0x00007FF7C9330000-0x00007FF7C9681000-memory.dmp	xmrig
behavioral2/memory/812-224-0x00007FF604C60000-0x00007FF604FB1000-memory.dmp	xmrig
behavioral2/memory/2168-226-0x00007FF7DB3D0000-0x00007FF7DB721000-memory.dmp	xmrig
behavioral2/memory/1860-228-0x00007FF739810000-0x00007FF739B61000-memory.dmp	xmrig
behavioral2/memory/1476-230-0x00007FF6525B0000-0x00007FF652901000-memory.dmp	xmrig
behavioral2/memory/4376-234-0x00007FF685D10000-0x00007FF686061000-memory.dmp	xmrig
behavioral2/memory/4300-233-0x00007FF7AE580000-0x00007FF7AE8D1000-memory.dmp	xmrig
behavioral2/memory/2792-237-0x00007FF77B520000-0x00007FF77B871000-memory.dmp	xmrig
behavioral2/memory/2232-238-0x00007FF776430000-0x00007FF776781000-memory.dmp	xmrig
behavioral2/memory/228-245-0x00007FF780650000-0x00007FF7809A1000-memory.dmp	xmrig
behavioral2/memory/5040-247-0x00007FF7A8CC0000-0x00007FF7A9011000-memory.dmp	xmrig
behavioral2/memory/4908-242-0x00007FF7AC450000-0x00007FF7AC7A1000-memory.dmp	xmrig
behavioral2/memory/3564-244-0x00007FF643840000-0x00007FF643B91000-memory.dmp	xmrig
behavioral2/memory/1524-255-0x00007FF6CF8F0000-0x00007FF6CFC41000-memory.dmp	xmrig
behavioral2/memory/3204-257-0x00007FF63EEF0000-0x00007FF63F241000-memory.dmp	xmrig
behavioral2/memory/712-259-0x00007FF67B230000-0x00007FF67B581000-memory.dmp	xmrig
behavioral2/memory/1556-263-0x00007FF75C840000-0x00007FF75CB91000-memory.dmp	xmrig
behavioral2/memory/2856-265-0x00007FF7BC5E0000-0x00007FF7BC931000-memory.dmp	xmrig
behavioral2/memory/2088-268-0x00007FF64EB00000-0x00007FF64EE51000-memory.dmp	xmrig
behavioral2/memory/4556-269-0x00007FF6D7430000-0x00007FF6D7781000-memory.dmp	xmrig
behavioral2/memory/1900-271-0x00007FF62A9B0000-0x00007FF62AD01000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
468	CnCfUoR.exe
812	qKexNbz.exe
2168	kbEjNhV.exe
1860	RPUmaTo.exe
4376	kAVcjjv.exe
1476	hqgEKjY.exe
4300	xSranXU.exe
2792	BtnZWyn.exe
2232	osJILSs.exe
228	HTIEBIN.exe
5040	ESHltEB.exe
3564	symyJmg.exe
4908	KtweVjW.exe
1524	hzujefM.exe
3204	dduIdRL.exe
712	yrAjEyN.exe
1556	dxzvZrZ.exe
2856	bAfKSho.exe
2088	MYkFkVz.exe
4556	BapGKPK.exe
1900	LkzPfdu.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4104-0-0x00007FF6776E0000-0x00007FF677A31000-memory.dmp	upx
behavioral2/files/0x0008000000023454-5.dat	upx
behavioral2/memory/468-10-0x00007FF7C9330000-0x00007FF7C9681000-memory.dmp	upx
behavioral2/files/0x000700000002345a-32.dat	upx
behavioral2/files/0x0007000000023459-31.dat	upx
behavioral2/memory/1860-29-0x00007FF739810000-0x00007FF739B61000-memory.dmp	upx
behavioral2/files/0x0007000000023456-28.dat	upx
behavioral2/memory/812-25-0x00007FF604C60000-0x00007FF604FB1000-memory.dmp	upx
behavioral2/files/0x0007000000023458-21.dat	upx
behavioral2/files/0x0007000000023457-20.dat	upx
behavioral2/files/0x0007000000023455-15.dat	upx
behavioral2/memory/4376-43-0x00007FF685D10000-0x00007FF686061000-memory.dmp	upx
behavioral2/memory/2232-52-0x00007FF776430000-0x00007FF776781000-memory.dmp	upx
behavioral2/memory/228-53-0x00007FF780650000-0x00007FF7809A1000-memory.dmp	upx
behavioral2/files/0x000700000002345c-57.dat	upx
behavioral2/files/0x000700000002345e-64.dat	upx
behavioral2/files/0x000b000000023449-78.dat	upx
behavioral2/files/0x000700000002345f-76.dat	upx
behavioral2/memory/4908-75-0x00007FF7AC450000-0x00007FF7AC7A1000-memory.dmp	upx
behavioral2/memory/3564-74-0x00007FF643840000-0x00007FF643B91000-memory.dmp	upx
behavioral2/memory/5040-68-0x00007FF7A8CC0000-0x00007FF7A9011000-memory.dmp	upx
behavioral2/files/0x000700000002345d-62.dat	upx
behavioral2/memory/2792-61-0x00007FF77B520000-0x00007FF77B871000-memory.dmp	upx
behavioral2/memory/1476-60-0x00007FF6525B0000-0x00007FF652901000-memory.dmp	upx
behavioral2/files/0x000700000002345b-55.dat	upx
behavioral2/memory/2168-54-0x00007FF7DB3D0000-0x00007FF7DB721000-memory.dmp	upx
behavioral2/memory/4300-51-0x00007FF7AE580000-0x00007FF7AE8D1000-memory.dmp	upx
behavioral2/files/0x0007000000023460-83.dat	upx
behavioral2/memory/4104-91-0x00007FF6776E0000-0x00007FF677A31000-memory.dmp	upx
behavioral2/memory/812-98-0x00007FF604C60000-0x00007FF604FB1000-memory.dmp	upx
behavioral2/memory/4300-103-0x00007FF7AE580000-0x00007FF7AE8D1000-memory.dmp	upx
behavioral2/files/0x0007000000023467-117.dat	upx
behavioral2/files/0x0007000000023464-113.dat	upx
behavioral2/files/0x0007000000023465-112.dat	upx
behavioral2/memory/1860-111-0x00007FF739810000-0x00007FF739B61000-memory.dmp	upx
behavioral2/files/0x0007000000023468-122.dat	upx
behavioral2/files/0x0007000000023469-132.dat	upx
behavioral2/memory/1900-134-0x00007FF62A9B0000-0x00007FF62AD01000-memory.dmp	upx
behavioral2/memory/5040-135-0x00007FF7A8CC0000-0x00007FF7A9011000-memory.dmp	upx
behavioral2/memory/4556-133-0x00007FF6D7430000-0x00007FF6D7781000-memory.dmp	upx
behavioral2/memory/2856-131-0x00007FF7BC5E0000-0x00007FF7BC931000-memory.dmp	upx
behavioral2/memory/2088-125-0x00007FF64EB00000-0x00007FF64EE51000-memory.dmp	upx
behavioral2/memory/1556-124-0x00007FF75C840000-0x00007FF75CB91000-memory.dmp	upx
behavioral2/memory/228-119-0x00007FF780650000-0x00007FF7809A1000-memory.dmp	upx
behavioral2/memory/2232-118-0x00007FF776430000-0x00007FF776781000-memory.dmp	upx
behavioral2/memory/712-109-0x00007FF67B230000-0x00007FF67B581000-memory.dmp	upx
behavioral2/files/0x0007000000023463-102.dat	upx
behavioral2/memory/4376-100-0x00007FF685D10000-0x00007FF686061000-memory.dmp	upx
behavioral2/memory/468-97-0x00007FF7C9330000-0x00007FF7C9681000-memory.dmp	upx
behavioral2/memory/3204-95-0x00007FF63EEF0000-0x00007FF63F241000-memory.dmp	upx
behavioral2/files/0x0007000000023462-90.dat	upx
behavioral2/memory/1524-86-0x00007FF6CF8F0000-0x00007FF6CFC41000-memory.dmp	upx
behavioral2/memory/4104-137-0x00007FF6776E0000-0x00007FF677A31000-memory.dmp	upx
behavioral2/memory/3564-149-0x00007FF643840000-0x00007FF643B91000-memory.dmp	upx
behavioral2/memory/4908-150-0x00007FF7AC450000-0x00007FF7AC7A1000-memory.dmp	upx
behavioral2/memory/1524-153-0x00007FF6CF8F0000-0x00007FF6CFC41000-memory.dmp	upx
behavioral2/memory/712-154-0x00007FF67B230000-0x00007FF67B581000-memory.dmp	upx
behavioral2/memory/2088-163-0x00007FF64EB00000-0x00007FF64EE51000-memory.dmp	upx
behavioral2/memory/1900-162-0x00007FF62A9B0000-0x00007FF62AD01000-memory.dmp	upx
behavioral2/memory/4104-164-0x00007FF6776E0000-0x00007FF677A31000-memory.dmp	upx
behavioral2/memory/468-222-0x00007FF7C9330000-0x00007FF7C9681000-memory.dmp	upx
behavioral2/memory/812-224-0x00007FF604C60000-0x00007FF604FB1000-memory.dmp	upx
behavioral2/memory/2168-226-0x00007FF7DB3D0000-0x00007FF7DB721000-memory.dmp	upx
behavioral2/memory/1860-228-0x00007FF739810000-0x00007FF739B61000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\bAfKSho.exe	2024-09-20_1dae66fefaa0b63669daaa8bdf464b7f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BapGKPK.exe	2024-09-20_1dae66fefaa0b63669daaa8bdf464b7f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CnCfUoR.exe	2024-09-20_1dae66fefaa0b63669daaa8bdf464b7f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kAVcjjv.exe	2024-09-20_1dae66fefaa0b63669daaa8bdf464b7f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BtnZWyn.exe	2024-09-20_1dae66fefaa0b63669daaa8bdf464b7f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\symyJmg.exe	2024-09-20_1dae66fefaa0b63669daaa8bdf464b7f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yrAjEyN.exe	2024-09-20_1dae66fefaa0b63669daaa8bdf464b7f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ESHltEB.exe	2024-09-20_1dae66fefaa0b63669daaa8bdf464b7f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dduIdRL.exe	2024-09-20_1dae66fefaa0b63669daaa8bdf464b7f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dxzvZrZ.exe	2024-09-20_1dae66fefaa0b63669daaa8bdf464b7f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MYkFkVz.exe	2024-09-20_1dae66fefaa0b63669daaa8bdf464b7f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hzujefM.exe	2024-09-20_1dae66fefaa0b63669daaa8bdf464b7f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LkzPfdu.exe	2024-09-20_1dae66fefaa0b63669daaa8bdf464b7f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kbEjNhV.exe	2024-09-20_1dae66fefaa0b63669daaa8bdf464b7f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xSranXU.exe	2024-09-20_1dae66fefaa0b63669daaa8bdf464b7f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\osJILSs.exe	2024-09-20_1dae66fefaa0b63669daaa8bdf464b7f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HTIEBIN.exe	2024-09-20_1dae66fefaa0b63669daaa8bdf464b7f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KtweVjW.exe	2024-09-20_1dae66fefaa0b63669daaa8bdf464b7f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qKexNbz.exe	2024-09-20_1dae66fefaa0b63669daaa8bdf464b7f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RPUmaTo.exe	2024-09-20_1dae66fefaa0b63669daaa8bdf464b7f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hqgEKjY.exe	2024-09-20_1dae66fefaa0b63669daaa8bdf464b7f_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4104	2024-09-20_1dae66fefaa0b63669daaa8bdf464b7f_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4104	2024-09-20_1dae66fefaa0b63669daaa8bdf464b7f_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4104 wrote to memory of 468	4104	2024-09-20_1dae66fefaa0b63669daaa8bdf464b7f_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 4104 wrote to memory of 468	4104	2024-09-20_1dae66fefaa0b63669daaa8bdf464b7f_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 4104 wrote to memory of 812	4104	2024-09-20_1dae66fefaa0b63669daaa8bdf464b7f_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4104 wrote to memory of 812	4104	2024-09-20_1dae66fefaa0b63669daaa8bdf464b7f_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4104 wrote to memory of 2168	4104	2024-09-20_1dae66fefaa0b63669daaa8bdf464b7f_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4104 wrote to memory of 2168	4104	2024-09-20_1dae66fefaa0b63669daaa8bdf464b7f_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4104 wrote to memory of 1860	4104	2024-09-20_1dae66fefaa0b63669daaa8bdf464b7f_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4104 wrote to memory of 1860	4104	2024-09-20_1dae66fefaa0b63669daaa8bdf464b7f_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4104 wrote to memory of 4376	4104	2024-09-20_1dae66fefaa0b63669daaa8bdf464b7f_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4104 wrote to memory of 4376	4104	2024-09-20_1dae66fefaa0b63669daaa8bdf464b7f_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4104 wrote to memory of 1476	4104	2024-09-20_1dae66fefaa0b63669daaa8bdf464b7f_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4104 wrote to memory of 1476	4104	2024-09-20_1dae66fefaa0b63669daaa8bdf464b7f_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4104 wrote to memory of 4300	4104	2024-09-20_1dae66fefaa0b63669daaa8bdf464b7f_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4104 wrote to memory of 4300	4104	2024-09-20_1dae66fefaa0b63669daaa8bdf464b7f_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4104 wrote to memory of 2792	4104	2024-09-20_1dae66fefaa0b63669daaa8bdf464b7f_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4104 wrote to memory of 2792	4104	2024-09-20_1dae66fefaa0b63669daaa8bdf464b7f_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4104 wrote to memory of 2232	4104	2024-09-20_1dae66fefaa0b63669daaa8bdf464b7f_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4104 wrote to memory of 2232	4104	2024-09-20_1dae66fefaa0b63669daaa8bdf464b7f_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4104 wrote to memory of 228	4104	2024-09-20_1dae66fefaa0b63669daaa8bdf464b7f_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4104 wrote to memory of 228	4104	2024-09-20_1dae66fefaa0b63669daaa8bdf464b7f_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4104 wrote to memory of 5040	4104	2024-09-20_1dae66fefaa0b63669daaa8bdf464b7f_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4104 wrote to memory of 5040	4104	2024-09-20_1dae66fefaa0b63669daaa8bdf464b7f_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4104 wrote to memory of 3564	4104	2024-09-20_1dae66fefaa0b63669daaa8bdf464b7f_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4104 wrote to memory of 3564	4104	2024-09-20_1dae66fefaa0b63669daaa8bdf464b7f_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4104 wrote to memory of 4908	4104	2024-09-20_1dae66fefaa0b63669daaa8bdf464b7f_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4104 wrote to memory of 4908	4104	2024-09-20_1dae66fefaa0b63669daaa8bdf464b7f_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4104 wrote to memory of 1524	4104	2024-09-20_1dae66fefaa0b63669daaa8bdf464b7f_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4104 wrote to memory of 1524	4104	2024-09-20_1dae66fefaa0b63669daaa8bdf464b7f_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4104 wrote to memory of 3204	4104	2024-09-20_1dae66fefaa0b63669daaa8bdf464b7f_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4104 wrote to memory of 3204	4104	2024-09-20_1dae66fefaa0b63669daaa8bdf464b7f_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4104 wrote to memory of 712	4104	2024-09-20_1dae66fefaa0b63669daaa8bdf464b7f_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4104 wrote to memory of 712	4104	2024-09-20_1dae66fefaa0b63669daaa8bdf464b7f_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4104 wrote to memory of 1556	4104	2024-09-20_1dae66fefaa0b63669daaa8bdf464b7f_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4104 wrote to memory of 1556	4104	2024-09-20_1dae66fefaa0b63669daaa8bdf464b7f_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4104 wrote to memory of 2856	4104	2024-09-20_1dae66fefaa0b63669daaa8bdf464b7f_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4104 wrote to memory of 2856	4104	2024-09-20_1dae66fefaa0b63669daaa8bdf464b7f_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4104 wrote to memory of 2088	4104	2024-09-20_1dae66fefaa0b63669daaa8bdf464b7f_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4104 wrote to memory of 2088	4104	2024-09-20_1dae66fefaa0b63669daaa8bdf464b7f_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4104 wrote to memory of 4556	4104	2024-09-20_1dae66fefaa0b63669daaa8bdf464b7f_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 4104 wrote to memory of 4556	4104	2024-09-20_1dae66fefaa0b63669daaa8bdf464b7f_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 4104 wrote to memory of 1900	4104	2024-09-20_1dae66fefaa0b63669daaa8bdf464b7f_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 4104 wrote to memory of 1900	4104	2024-09-20_1dae66fefaa0b63669daaa8bdf464b7f_cobalt-strike_cobaltstrike_poet-rat.exe	106

C:\Users\Admin\AppData\Local\Temp\2024-09-20_1dae66fefaa0b63669daaa8bdf464b7f_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-20_1dae66fefaa0b63669daaa8bdf464b7f_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4104
- C:\Windows\System\CnCfUoR.exe
  C:\Windows\System\CnCfUoR.exe
  2⤵
  - Executes dropped EXE
  PID:468
- C:\Windows\System\qKexNbz.exe
  C:\Windows\System\qKexNbz.exe
  2⤵
  - Executes dropped EXE
  PID:812
- C:\Windows\System\kbEjNhV.exe
  C:\Windows\System\kbEjNhV.exe
  2⤵
  - Executes dropped EXE
  PID:2168
- C:\Windows\System\RPUmaTo.exe
  C:\Windows\System\RPUmaTo.exe
  2⤵
  - Executes dropped EXE
  PID:1860
- C:\Windows\System\kAVcjjv.exe
  C:\Windows\System\kAVcjjv.exe
  2⤵
  - Executes dropped EXE
  PID:4376
- C:\Windows\System\hqgEKjY.exe
  C:\Windows\System\hqgEKjY.exe
  2⤵
  - Executes dropped EXE
  PID:1476
- C:\Windows\System\xSranXU.exe
  C:\Windows\System\xSranXU.exe
  2⤵
  - Executes dropped EXE
  PID:4300
- C:\Windows\System\BtnZWyn.exe
  C:\Windows\System\BtnZWyn.exe
  2⤵
  - Executes dropped EXE
  PID:2792
- C:\Windows\System\osJILSs.exe
  C:\Windows\System\osJILSs.exe
  2⤵
  - Executes dropped EXE
  PID:2232
- C:\Windows\System\HTIEBIN.exe
  C:\Windows\System\HTIEBIN.exe
  2⤵
  - Executes dropped EXE
  PID:228
- C:\Windows\System\ESHltEB.exe
  C:\Windows\System\ESHltEB.exe
  2⤵
  - Executes dropped EXE
  PID:5040
- C:\Windows\System\symyJmg.exe
  C:\Windows\System\symyJmg.exe
  2⤵
  - Executes dropped EXE
  PID:3564
- C:\Windows\System\KtweVjW.exe
  C:\Windows\System\KtweVjW.exe
  2⤵
  - Executes dropped EXE
  PID:4908
- C:\Windows\System\hzujefM.exe
  C:\Windows\System\hzujefM.exe
  2⤵
  - Executes dropped EXE
  PID:1524
- C:\Windows\System\dduIdRL.exe
  C:\Windows\System\dduIdRL.exe
  2⤵
  - Executes dropped EXE
  PID:3204
- C:\Windows\System\yrAjEyN.exe
  C:\Windows\System\yrAjEyN.exe
  2⤵
  - Executes dropped EXE
  PID:712
- C:\Windows\System\dxzvZrZ.exe
  C:\Windows\System\dxzvZrZ.exe
  2⤵
  - Executes dropped EXE
  PID:1556
- C:\Windows\System\bAfKSho.exe
  C:\Windows\System\bAfKSho.exe
  2⤵
  - Executes dropped EXE
  PID:2856
- C:\Windows\System\MYkFkVz.exe
  C:\Windows\System\MYkFkVz.exe
  2⤵
  - Executes dropped EXE
  PID:2088
- C:\Windows\System\BapGKPK.exe
  C:\Windows\System\BapGKPK.exe
  2⤵
  - Executes dropped EXE
  PID:4556
- C:\Windows\System\LkzPfdu.exe
  C:\Windows\System\LkzPfdu.exe
  2⤵
  - Executes dropped EXE
  PID:1900

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BapGKPK.exe

Filesize
5.2MB

MD5
9b0176e15901304515447ab60102547c

SHA1
e897c56ba948ea1efe82a5613f7a653a1ba80dfe

SHA256
6a1371520a3ba2ade63b92485f7a9f68ff2ee33e0c79d9c8b933f2ce2fb7311f

SHA512
51fdb4172cdf1042810bc71895766d6d138401bc155fdb5f5a4940109a4fdab245ffaa6b92a8ef42516d0e6e54e8f333212514e166770ba9456b2f3e76f58fe3

Download Submit
C:\Windows\System\BtnZWyn.exe

Filesize
5.2MB

MD5
14c3de67fa900958376a1d0cb1f70a54

SHA1
c16b0a4c3381be60df79c964a527f2c26228ce81

SHA256
919623fd1bd3ab709756f12bcc9e423b87a7550723fe0c3dbd2be08c7424b2f2

SHA512
171390cea6cb70e5114ccb9aa889ccf572398b3cb35708e56bda2546d7b0e286d11d5cbdd4e61ee801aa286e66209bc589e1065ea93ce551690e632c7e9da327

Download Submit
C:\Windows\System\CnCfUoR.exe

Filesize
5.2MB

MD5
4d86f12db58c74fddde32a12ef493501

SHA1
f88fc2e62eaeee94ca2a449a7249bb4536a96689

SHA256
184f11f8d2c42a82c2a467108f34850ef375fd3e8c06e4c93e84e9b94500cd06

SHA512
323e5f450241ff77089b1162df88103783f4b04592a2a3ad11fd94f8192816af31ed199dd34f447bac7326d26320fc86093b25d46a103856d71bdadb9b784d7f

Download Submit
C:\Windows\System\ESHltEB.exe

Filesize
5.2MB

MD5
4d0d12b608df011f4ae6aa5d327ae3d1

SHA1
27c4029c7d71f3818b7860c0e1b89a1fec2ad224

SHA256
1933bd85aebaed8150b56c08630e0ea431373b2670ec31bedf3f7c772c03f4df

SHA512
c03e309345f5f54920e071ea4c95b8a4a6378376eed3fb091a9c64dbeedb5ebf76be3fd80d7d7cce2445c4ee7785ee773e12646ee00fae603639e6621e910935

Download Submit
C:\Windows\System\HTIEBIN.exe

Filesize
5.2MB

MD5
d99a74fae5946c93ec59eeabbb7275a4

SHA1
e30f6cdad7025efeee67e640790869ab76ac3818

SHA256
6dd51f55bfb4571070b699a3274c59b340f0c2562ad7219254bb73cb49962736

SHA512
8805966d476c4c8e8662c9d575cca9835b3ce336aa4e8e05500fca0a29e699310af920c3d49f4ce0ba2ca74dbf9e3eb9d9ef53ea58df995f6c71075632a28310

Download Submit
C:\Windows\System\KtweVjW.exe

Filesize
5.2MB

MD5
6b3a9478738c21d66107b6149e59b97a

SHA1
fdf177be0e8aa0c5ff9486497ca553bcc5eaba21

SHA256
7b410847fcde4b1432bef2cf16b48a37ca2bf15883a42741362fc8671ca9e26e

SHA512
6edb2a374e7fb1b0ff079e53acded18408f1a62f4557c560e73d8542a33d8fb5629825103566aebebb7e705fda7fd2526651bae9f22d86c003e2c43554a958a6

Download Submit
C:\Windows\System\LkzPfdu.exe

Filesize
5.2MB

MD5
d5570a042ca525d3956923876dcc54a6

SHA1
ddb9409c2468ab49efc16337a2bfc7b1718b6259

SHA256
f31681f28b932a51762da01d6bee6c681838736ee4114dd0320ae8d11554a62c

SHA512
97c4c18c56a07d156312da745950b3b41484b7fedf804e31838bed9bfe30f56e838ba1a14d1b883cf4bbbcab0e98750c30fa1a715597c91fd497e147d8829a65

Download Submit
C:\Windows\System\MYkFkVz.exe

Filesize
5.2MB

MD5
299938d92f5be6135411092d835b500b

SHA1
5469b4adc67d5421cf63c1023fe9bd605f46bcba

SHA256
45abe1bce197347e9207ddcd2e7125d3bed1176603398363de08bcfa6c78e1ef

SHA512
eda43bf233e45e43bc4c9022c744cc56fc2f206de755e901fb544d14676718414314767afb1b393991e486b1e7857e942cec74d38dda7961f0c1771d91967702

Download Submit
C:\Windows\System\RPUmaTo.exe

Filesize
5.2MB

MD5
1bf9526ce6db0929c585da27e7c3c26f

SHA1
c5e64d491dcb2379e4d0df688c36726fe6855531

SHA256
4be151d59142e9671b4d192eb2f83cd9f9150b4915c178b5a54e218511a99288

SHA512
0522dba404932bd0f61959067b24f0c041b5c6a0a8345929a42914d0db9362cb8763e6e4e2b92780bafa481ea82608ea6f451e68eb37beccc145bd69b69536c1

Download Submit
C:\Windows\System\bAfKSho.exe

Filesize
5.2MB

MD5
074ca8567e6271d7445dabe7da3c5f11

SHA1
5f297fa4d47fdb50590f8eb7fa1edd11ea51a749

SHA256
9691dda90231a8ae55b521ef64228becbe4cc8445b0afba99c744d99bc5476fd

SHA512
99c494d04e55367c87544a87c6246aeacb30792205621d5eb8bb1d43bd90aa75fa100059bb843bd46c445dded832dcbced6e62a4572724453377e5a5f8556616

Download Submit
C:\Windows\System\dduIdRL.exe

Filesize
5.2MB

MD5
b8c87222aba40cf4bce21f4d994ffc32

SHA1
38f6d10542443d7e8eac4bcf3a81415fe7bdfdc6

SHA256
16982d6e1e8b22bca7c2e5e99ece8db1fa671318db98ff173594b875bba47323

SHA512
b5219fbf3aa70ae5fdc11560cdd7d8d3f75c9538736c53d17e6e26a604fcaa48968a223e8d3dcfe2433ef4fac250aa779efa03315db75b36d13c4ddcb1fe8b63

Download Submit
C:\Windows\System\dxzvZrZ.exe

Filesize
5.2MB

MD5
9f0803aea2e2009a8b6932e6e89bc830

SHA1
0d57dcfe5571cae9cb3878d16bdaef960a948278

SHA256
5ff62dd70ff3d582109445bf19613895ab9884e612bda2c1db669f7c9bf8710f

SHA512
f49d8942ff136ea98035bb9d18ea9e92db959a88bb7c48937c52d01643de6ddef1e6ce09898051968ceea26fa797df6ba1838d779e2f10714a26a4a40a5eda63

Download Submit
C:\Windows\System\hqgEKjY.exe

Filesize
5.2MB

MD5
a18bc35783a23ce17f5faeb2db7ee125

SHA1
d3b7964fa8db0c51b9230c5de1cdf9a9bfffeeb0

SHA256
bfba4ccf4c45844b4fa5bba9d682dd9c5dbc0e2bb6c866e7a0720ce8f716261b

SHA512
8162ba56d3fae6c384a541bc485081e9441efe080020d7a1bc5a4442f5b5fe86ed369b03f848c1f38e64a2e3902f2f7ef7b988986239524ddf137be2f14ccb28

Download Submit
C:\Windows\System\hzujefM.exe

Filesize
5.2MB

MD5
b8d8854cee503aa13494c9921fd624d3

SHA1
c8628836b214168dd5fd0c105beca415c0a7567c

SHA256
076ffa4c2f960a036883f9a51537c1968cde419ae0e8e426a32ed95fbb077d92

SHA512
987747c6236a6d02ec387e731506fa2c7828f984961279dfd817a0c0fa45d1137fb6ef134fcf76adc625a11bf239b636d60302a4a17dd47ce7ec9e9f6944b9bc

Download Submit
C:\Windows\System\kAVcjjv.exe

Filesize
5.2MB

MD5
f1a2ba8760b691efa603b36776b00e5c

SHA1
d3733e4d50157e1dc14e8107ce2b1996a524eec4

SHA256
119fd37a61ee52cb56ced44f3834c05e4d45fcf76d53349be1cec5b5a8307d6c

SHA512
d2b781de2dfdaedf5f6f4952dd7367466077be7c659869272749386ccbeb086a043f2b6fbf141524a8ba69c27cf0ed4b35c4b462aa8ff2d81262cac766b48e5c

Download Submit
C:\Windows\System\kbEjNhV.exe

Filesize
5.2MB

MD5
742c985f0bdfc5919193d204d7d8eb23

SHA1
7de1346c2663d84a761f6cd9d7a2433d6dc9f621

SHA256
aea15781066d2446510313b4160722dcba48547572f2abb1b93ba39102988cef

SHA512
e721187ba638c10c15f3014f6a129ace8cc05a4841f374e54a7535fccaa3a35a5f3dfc100718b65d42562f63b99832d3ac96024886bd2fe9d2dfaf43bf89505e

Download Submit
C:\Windows\System\osJILSs.exe

Filesize
5.2MB

MD5
464d1c238292d55c0516a0f0f9793a38

SHA1
ec060735e4f9dd49b77d6ceb9d7cc62b720986e5

SHA256
d43c1063c2d192d6bbf99d1e354a9c04f86475f1250b575cb7eb6c7a14822193

SHA512
66d68df5e2df514655bb47fcd38426f9a75db3ec9ecc987aa392b1b29e044ae5e6968dbba6e778a685de2870f149446ee6156d5dd2ac17459eb595383d4d9b23

Download Submit
C:\Windows\System\qKexNbz.exe

Filesize
5.2MB

MD5
9da4a1f3f12d58c08307e82e4743341c

SHA1
bcbad4898c45cac5257ca333ad73d95794bc71b6

SHA256
799a4e7b6d9baae1dcaef910ed97e691d31ad4bf028fa794adb5705f2753b3c4

SHA512
99b05696d8fcb0b0accb680ca2aacaa75d06a82d9fb664cb9a6062d9af542345e162d8c845a7251c50c2f2c09c1849390c6738354e60ac2322eac2c55a4494ff

Download Submit
C:\Windows\System\symyJmg.exe

Filesize
5.2MB

MD5
1018f322993ac15b9e9eecb2fbeece94

SHA1
999fa7542b1c1927b2cc49d4ecc8098f7bda45d9

SHA256
24da5ef24ab64d79e9e32747b0993328c90bb3916306e1b2bb1c0ff140211e0b

SHA512
d42f9ef9069c8f1586956459d2e0593f496d22bb99aacc980b7ccdb226aa32c8f4d8e621527f496191b6869b71bbea57c1e8a122a492ee0119cfaffbdd71ab1b

Download Submit
C:\Windows\System\xSranXU.exe

Filesize
5.2MB

MD5
c10505c6f7d2dd11817f23dcec8a1b1f

SHA1
b1c78488d44602cf097a0fb424cb132959d55662

SHA256
1099a50e774b35b1bda8fb938afeba38741336df44f3eae928863cc0e260a576

SHA512
dadda7a834c4f1cc0b544941a1e9b870408de66dc94536f9a27ce2f2dfbb3d9268e178a51a15c28e9046fbd549230c45c42d987c929215d3d08ec5c8a17f9439

Download Submit
C:\Windows\System\yrAjEyN.exe

Filesize
5.2MB

MD5
6be1576f524ff25f65b32c4000af96e3

SHA1
fb2b9ffddd99bf4a4a89af133ea29da5a35a2028

SHA256
5e6028753e560f6235dff9bcd94d9f8ff73b4f62ad92c7af280b322387db5739

SHA512
437029b5a2b01983d3c754df60fa268c6086d881ac9d1fb33bef7c06ef2bea6c129d7f95e49dfeab0d8dd8b994f7bd45a5f11cfce69dcff6438dfbbff8cdf751

Download Submit
memory/228-245-0x00007FF780650000-0x00007FF7809A1000-memory.dmp

Filesize
3.3MB

Download
memory/228-53-0x00007FF780650000-0x00007FF7809A1000-memory.dmp

Filesize
3.3MB

Download
memory/228-119-0x00007FF780650000-0x00007FF7809A1000-memory.dmp

Filesize
3.3MB

Download
memory/468-222-0x00007FF7C9330000-0x00007FF7C9681000-memory.dmp

Filesize
3.3MB

Download
memory/468-10-0x00007FF7C9330000-0x00007FF7C9681000-memory.dmp

Filesize
3.3MB

Download
memory/468-97-0x00007FF7C9330000-0x00007FF7C9681000-memory.dmp

Filesize
3.3MB

Download
memory/712-259-0x00007FF67B230000-0x00007FF67B581000-memory.dmp

Filesize
3.3MB

Download
memory/712-154-0x00007FF67B230000-0x00007FF67B581000-memory.dmp

Filesize
3.3MB

Download
memory/712-109-0x00007FF67B230000-0x00007FF67B581000-memory.dmp

Filesize
3.3MB

Download
memory/812-224-0x00007FF604C60000-0x00007FF604FB1000-memory.dmp

Filesize
3.3MB

Download
memory/812-98-0x00007FF604C60000-0x00007FF604FB1000-memory.dmp

Filesize
3.3MB

Download
memory/812-25-0x00007FF604C60000-0x00007FF604FB1000-memory.dmp

Filesize
3.3MB

Download
memory/1476-60-0x00007FF6525B0000-0x00007FF652901000-memory.dmp

Filesize
3.3MB

Download
memory/1476-230-0x00007FF6525B0000-0x00007FF652901000-memory.dmp

Filesize
3.3MB

Download
memory/1524-255-0x00007FF6CF8F0000-0x00007FF6CFC41000-memory.dmp

Filesize
3.3MB

Download
memory/1524-86-0x00007FF6CF8F0000-0x00007FF6CFC41000-memory.dmp

Filesize
3.3MB

Download
memory/1524-153-0x00007FF6CF8F0000-0x00007FF6CFC41000-memory.dmp

Filesize
3.3MB

Download
memory/1556-124-0x00007FF75C840000-0x00007FF75CB91000-memory.dmp

Filesize
3.3MB

Download
memory/1556-263-0x00007FF75C840000-0x00007FF75CB91000-memory.dmp

Filesize
3.3MB

Download
memory/1860-29-0x00007FF739810000-0x00007FF739B61000-memory.dmp

Filesize
3.3MB

Download
memory/1860-111-0x00007FF739810000-0x00007FF739B61000-memory.dmp

Filesize
3.3MB

Download
memory/1860-228-0x00007FF739810000-0x00007FF739B61000-memory.dmp

Filesize
3.3MB

Download
memory/1900-162-0x00007FF62A9B0000-0x00007FF62AD01000-memory.dmp

Filesize
3.3MB

Download
memory/1900-271-0x00007FF62A9B0000-0x00007FF62AD01000-memory.dmp

Filesize
3.3MB

Download
memory/1900-134-0x00007FF62A9B0000-0x00007FF62AD01000-memory.dmp

Filesize
3.3MB

Download
memory/2088-125-0x00007FF64EB00000-0x00007FF64EE51000-memory.dmp

Filesize
3.3MB

Download
memory/2088-163-0x00007FF64EB00000-0x00007FF64EE51000-memory.dmp

Filesize
3.3MB

Download
memory/2088-268-0x00007FF64EB00000-0x00007FF64EE51000-memory.dmp

Filesize
3.3MB

Download
memory/2168-54-0x00007FF7DB3D0000-0x00007FF7DB721000-memory.dmp

Filesize
3.3MB

Download
memory/2168-226-0x00007FF7DB3D0000-0x00007FF7DB721000-memory.dmp

Filesize
3.3MB

Download
memory/2232-118-0x00007FF776430000-0x00007FF776781000-memory.dmp

Filesize
3.3MB

Download
memory/2232-52-0x00007FF776430000-0x00007FF776781000-memory.dmp

Filesize
3.3MB

Download
memory/2232-238-0x00007FF776430000-0x00007FF776781000-memory.dmp

Filesize
3.3MB

Download
memory/2792-61-0x00007FF77B520000-0x00007FF77B871000-memory.dmp

Filesize
3.3MB

Download
memory/2792-237-0x00007FF77B520000-0x00007FF77B871000-memory.dmp

Filesize
3.3MB

Download
memory/2856-131-0x00007FF7BC5E0000-0x00007FF7BC931000-memory.dmp

Filesize
3.3MB

Download
memory/2856-265-0x00007FF7BC5E0000-0x00007FF7BC931000-memory.dmp

Filesize
3.3MB

Download
memory/3204-95-0x00007FF63EEF0000-0x00007FF63F241000-memory.dmp

Filesize
3.3MB

Download
memory/3204-257-0x00007FF63EEF0000-0x00007FF63F241000-memory.dmp

Filesize
3.3MB

Download
memory/3564-149-0x00007FF643840000-0x00007FF643B91000-memory.dmp

Filesize
3.3MB

Download
memory/3564-74-0x00007FF643840000-0x00007FF643B91000-memory.dmp

Filesize
3.3MB

Download
memory/3564-244-0x00007FF643840000-0x00007FF643B91000-memory.dmp

Filesize
3.3MB

Download
memory/4104-91-0x00007FF6776E0000-0x00007FF677A31000-memory.dmp

Filesize
3.3MB

Download
memory/4104-164-0x00007FF6776E0000-0x00007FF677A31000-memory.dmp

Filesize
3.3MB

Download
memory/4104-0-0x00007FF6776E0000-0x00007FF677A31000-memory.dmp

Filesize
3.3MB

Download
memory/4104-1-0x00000201D1530000-0x00000201D1540000-memory.dmp

Filesize
64KB

Download
memory/4104-137-0x00007FF6776E0000-0x00007FF677A31000-memory.dmp

Filesize
3.3MB

Download
memory/4300-233-0x00007FF7AE580000-0x00007FF7AE8D1000-memory.dmp

Filesize
3.3MB

Download
memory/4300-51-0x00007FF7AE580000-0x00007FF7AE8D1000-memory.dmp

Filesize
3.3MB

Download
memory/4300-103-0x00007FF7AE580000-0x00007FF7AE8D1000-memory.dmp

Filesize
3.3MB

Download
memory/4376-43-0x00007FF685D10000-0x00007FF686061000-memory.dmp

Filesize
3.3MB

Download
memory/4376-100-0x00007FF685D10000-0x00007FF686061000-memory.dmp

Filesize
3.3MB

Download
memory/4376-234-0x00007FF685D10000-0x00007FF686061000-memory.dmp

Filesize
3.3MB

Download
memory/4556-133-0x00007FF6D7430000-0x00007FF6D7781000-memory.dmp

Filesize
3.3MB

Download
memory/4556-269-0x00007FF6D7430000-0x00007FF6D7781000-memory.dmp

Filesize
3.3MB

Download
memory/4908-242-0x00007FF7AC450000-0x00007FF7AC7A1000-memory.dmp

Filesize
3.3MB

Download
memory/4908-150-0x00007FF7AC450000-0x00007FF7AC7A1000-memory.dmp

Filesize
3.3MB

Download
memory/4908-75-0x00007FF7AC450000-0x00007FF7AC7A1000-memory.dmp

Filesize
3.3MB

Download
memory/5040-247-0x00007FF7A8CC0000-0x00007FF7A9011000-memory.dmp

Filesize
3.3MB

Download
memory/5040-135-0x00007FF7A8CC0000-0x00007FF7A9011000-memory.dmp

Filesize
3.3MB

Download
memory/5040-68-0x00007FF7A8CC0000-0x00007FF7A9011000-memory.dmp

Filesize
3.3MB

Download