cobaltstrike | 4e9bb03a72761969758d9d6b54080ff4545143e65806e7631ead2917b029453b

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20/09/2024, 15:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-09-20_2ea33fb1945ca6f96c734b3ba33a681a_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

2ea33fb1945ca6f96c734b3ba33a681a
SHA1

a67a9cb45233164337c41a98cb2c09e99511d241
SHA256

4e9bb03a72761969758d9d6b54080ff4545143e65806e7631ead2917b029453b
SHA512

671a40dc790a1052a34ef4ba3a18ce9ce55bcce0e1e25cbf753202ed3c726a6e498bf416e2b0e9bfea8a8e8de642f71d273ff70d511b7b0fdee723f7258ec523
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lU:RWWBibf56utgpPFotBER/mQ32lUw

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0009000000023426-5.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002342e-10.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002342f-11.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023430-26.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023435-53.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023437-75.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002343a-89.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023439-88.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023438-87.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023434-66.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023436-63.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023433-58.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023432-52.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023431-34.dat	cobalt_reflective_dll
behavioral2/files/0x000800000002342b-27.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002343e-105.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002343f-120.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023440-126.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023441-124.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002343c-109.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002343b-100.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 46 IoCs

miner

resource	yara_rule
behavioral2/memory/3604-14-0x00007FF6CACD0000-0x00007FF6CB021000-memory.dmp	xmrig
behavioral2/memory/2016-47-0x00007FF784DF0000-0x00007FF785141000-memory.dmp	xmrig
behavioral2/memory/1952-72-0x00007FF7E8650000-0x00007FF7E89A1000-memory.dmp	xmrig
behavioral2/memory/4544-83-0x00007FF769B40000-0x00007FF769E91000-memory.dmp	xmrig
behavioral2/memory/4140-82-0x00007FF61F730000-0x00007FF61FA81000-memory.dmp	xmrig
behavioral2/memory/4192-79-0x00007FF7D9760000-0x00007FF7D9AB1000-memory.dmp	xmrig
behavioral2/memory/1560-102-0x00007FF6D3FA0000-0x00007FF6D42F1000-memory.dmp	xmrig
behavioral2/memory/1440-130-0x00007FF6CBAF0000-0x00007FF6CBE41000-memory.dmp	xmrig
behavioral2/memory/4468-128-0x00007FF6A58B0000-0x00007FF6A5C01000-memory.dmp	xmrig
behavioral2/memory/3220-127-0x00007FF625100000-0x00007FF625451000-memory.dmp	xmrig
behavioral2/memory/1468-116-0x00007FF78EF70000-0x00007FF78F2C1000-memory.dmp	xmrig
behavioral2/memory/2852-131-0x00007FF65D710000-0x00007FF65DA61000-memory.dmp	xmrig
behavioral2/memory/4388-133-0x00007FF640180000-0x00007FF6404D1000-memory.dmp	xmrig
behavioral2/memory/4148-134-0x00007FF691690000-0x00007FF6919E1000-memory.dmp	xmrig
behavioral2/memory/3792-132-0x00007FF771E50000-0x00007FF7721A1000-memory.dmp	xmrig
behavioral2/memory/1560-135-0x00007FF6D3FA0000-0x00007FF6D42F1000-memory.dmp	xmrig
behavioral2/memory/5028-142-0x00007FF60D230000-0x00007FF60D581000-memory.dmp	xmrig
behavioral2/memory/4668-152-0x00007FF6C7E20000-0x00007FF6C8171000-memory.dmp	xmrig
behavioral2/memory/3304-154-0x00007FF6231D0000-0x00007FF623521000-memory.dmp	xmrig
behavioral2/memory/2740-153-0x00007FF741F30000-0x00007FF742281000-memory.dmp	xmrig
behavioral2/memory/3528-155-0x00007FF7D51A0000-0x00007FF7D54F1000-memory.dmp	xmrig
behavioral2/memory/4852-156-0x00007FF6F0360000-0x00007FF6F06B1000-memory.dmp	xmrig
behavioral2/memory/4468-160-0x00007FF6A58B0000-0x00007FF6A5C01000-memory.dmp	xmrig
behavioral2/memory/2888-162-0x00007FF6564D0000-0x00007FF656821000-memory.dmp	xmrig
behavioral2/memory/1560-163-0x00007FF6D3FA0000-0x00007FF6D42F1000-memory.dmp	xmrig
behavioral2/memory/1468-212-0x00007FF78EF70000-0x00007FF78F2C1000-memory.dmp	xmrig
behavioral2/memory/3604-214-0x00007FF6CACD0000-0x00007FF6CB021000-memory.dmp	xmrig
behavioral2/memory/2852-225-0x00007FF65D710000-0x00007FF65DA61000-memory.dmp	xmrig
behavioral2/memory/3792-227-0x00007FF771E50000-0x00007FF7721A1000-memory.dmp	xmrig
behavioral2/memory/2016-229-0x00007FF784DF0000-0x00007FF785141000-memory.dmp	xmrig
behavioral2/memory/1952-231-0x00007FF7E8650000-0x00007FF7E89A1000-memory.dmp	xmrig
behavioral2/memory/1440-237-0x00007FF6CBAF0000-0x00007FF6CBE41000-memory.dmp	xmrig
behavioral2/memory/4192-239-0x00007FF7D9760000-0x00007FF7D9AB1000-memory.dmp	xmrig
behavioral2/memory/4388-241-0x00007FF640180000-0x00007FF6404D1000-memory.dmp	xmrig
behavioral2/memory/4140-243-0x00007FF61F730000-0x00007FF61FA81000-memory.dmp	xmrig
behavioral2/memory/4148-245-0x00007FF691690000-0x00007FF6919E1000-memory.dmp	xmrig
behavioral2/memory/4544-247-0x00007FF769B40000-0x00007FF769E91000-memory.dmp	xmrig
behavioral2/memory/3304-253-0x00007FF6231D0000-0x00007FF623521000-memory.dmp	xmrig
behavioral2/memory/5028-251-0x00007FF60D230000-0x00007FF60D581000-memory.dmp	xmrig
behavioral2/memory/2740-250-0x00007FF741F30000-0x00007FF742281000-memory.dmp	xmrig
behavioral2/memory/4668-260-0x00007FF6C7E20000-0x00007FF6C8171000-memory.dmp	xmrig
behavioral2/memory/3528-262-0x00007FF7D51A0000-0x00007FF7D54F1000-memory.dmp	xmrig
behavioral2/memory/4852-264-0x00007FF6F0360000-0x00007FF6F06B1000-memory.dmp	xmrig
behavioral2/memory/2888-266-0x00007FF6564D0000-0x00007FF656821000-memory.dmp	xmrig
behavioral2/memory/3220-268-0x00007FF625100000-0x00007FF625451000-memory.dmp	xmrig
behavioral2/memory/4468-270-0x00007FF6A58B0000-0x00007FF6A5C01000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
1468	gYlyCEn.exe
3604	rsZwGXh.exe
2852	EUQVuAj.exe
3792	TBwCbzc.exe
1952	ZvzMCSk.exe
2016	lQdgwVd.exe
4192	OdratBa.exe
1440	RsSrhEO.exe
4140	zaWilHB.exe
4148	dEVTPgm.exe
4388	utkoRTu.exe
4544	lSLVcve.exe
2740	RsSYFqh.exe
3304	ATAuzEb.exe
5028	IkblsHe.exe
4668	tOuANOG.exe
3528	MKrAesL.exe
4852	koQnkcF.exe
2888	CJfxsvS.exe
3220	nwcxarB.exe
4468	sYgSnwq.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1560-0-0x00007FF6D3FA0000-0x00007FF6D42F1000-memory.dmp	upx
behavioral2/files/0x0009000000023426-5.dat	upx
behavioral2/memory/1468-7-0x00007FF78EF70000-0x00007FF78F2C1000-memory.dmp	upx
behavioral2/files/0x000700000002342e-10.dat	upx
behavioral2/files/0x000700000002342f-11.dat	upx
behavioral2/memory/3604-14-0x00007FF6CACD0000-0x00007FF6CB021000-memory.dmp	upx
behavioral2/files/0x0007000000023430-26.dat	upx
behavioral2/memory/2016-47-0x00007FF784DF0000-0x00007FF785141000-memory.dmp	upx
behavioral2/files/0x0007000000023435-53.dat	upx
behavioral2/memory/4148-56-0x00007FF691690000-0x00007FF6919E1000-memory.dmp	upx
behavioral2/memory/1952-72-0x00007FF7E8650000-0x00007FF7E89A1000-memory.dmp	upx
behavioral2/files/0x0007000000023437-75.dat	upx
behavioral2/memory/4544-83-0x00007FF769B40000-0x00007FF769E91000-memory.dmp	upx
behavioral2/memory/3304-86-0x00007FF6231D0000-0x00007FF623521000-memory.dmp	upx
behavioral2/files/0x000700000002343a-89.dat	upx
behavioral2/files/0x0007000000023439-88.dat	upx
behavioral2/files/0x0007000000023438-87.dat	upx
behavioral2/memory/2740-85-0x00007FF741F30000-0x00007FF742281000-memory.dmp	upx
behavioral2/memory/5028-84-0x00007FF60D230000-0x00007FF60D581000-memory.dmp	upx
behavioral2/memory/4140-82-0x00007FF61F730000-0x00007FF61FA81000-memory.dmp	upx
behavioral2/memory/4192-79-0x00007FF7D9760000-0x00007FF7D9AB1000-memory.dmp	upx
behavioral2/memory/4388-67-0x00007FF640180000-0x00007FF6404D1000-memory.dmp	upx
behavioral2/files/0x0007000000023434-66.dat	upx
behavioral2/files/0x0007000000023436-63.dat	upx
behavioral2/files/0x0007000000023433-58.dat	upx
behavioral2/memory/1440-48-0x00007FF6CBAF0000-0x00007FF6CBE41000-memory.dmp	upx
behavioral2/files/0x0007000000023432-52.dat	upx
behavioral2/memory/3792-36-0x00007FF771E50000-0x00007FF7721A1000-memory.dmp	upx
behavioral2/files/0x0007000000023431-34.dat	upx
behavioral2/files/0x000800000002342b-27.dat	upx
behavioral2/memory/2852-19-0x00007FF65D710000-0x00007FF65DA61000-memory.dmp	upx
behavioral2/memory/1560-102-0x00007FF6D3FA0000-0x00007FF6D42F1000-memory.dmp	upx
behavioral2/files/0x000700000002343e-105.dat	upx
behavioral2/memory/4852-114-0x00007FF6F0360000-0x00007FF6F06B1000-memory.dmp	upx
behavioral2/files/0x000700000002343f-120.dat	upx
behavioral2/files/0x0007000000023440-126.dat	upx
behavioral2/memory/1440-130-0x00007FF6CBAF0000-0x00007FF6CBE41000-memory.dmp	upx
behavioral2/memory/4468-128-0x00007FF6A58B0000-0x00007FF6A5C01000-memory.dmp	upx
behavioral2/memory/3220-127-0x00007FF625100000-0x00007FF625451000-memory.dmp	upx
behavioral2/files/0x0007000000023441-124.dat	upx
behavioral2/memory/2888-122-0x00007FF6564D0000-0x00007FF656821000-memory.dmp	upx
behavioral2/memory/1468-116-0x00007FF78EF70000-0x00007FF78F2C1000-memory.dmp	upx
behavioral2/files/0x000700000002343c-109.dat	upx
behavioral2/memory/3528-108-0x00007FF7D51A0000-0x00007FF7D54F1000-memory.dmp	upx
behavioral2/files/0x000700000002343b-100.dat	upx
behavioral2/memory/4668-98-0x00007FF6C7E20000-0x00007FF6C8171000-memory.dmp	upx
behavioral2/memory/2852-131-0x00007FF65D710000-0x00007FF65DA61000-memory.dmp	upx
behavioral2/memory/4388-133-0x00007FF640180000-0x00007FF6404D1000-memory.dmp	upx
behavioral2/memory/4148-134-0x00007FF691690000-0x00007FF6919E1000-memory.dmp	upx
behavioral2/memory/3792-132-0x00007FF771E50000-0x00007FF7721A1000-memory.dmp	upx
behavioral2/memory/1560-135-0x00007FF6D3FA0000-0x00007FF6D42F1000-memory.dmp	upx
behavioral2/memory/5028-142-0x00007FF60D230000-0x00007FF60D581000-memory.dmp	upx
behavioral2/memory/4668-152-0x00007FF6C7E20000-0x00007FF6C8171000-memory.dmp	upx
behavioral2/memory/3304-154-0x00007FF6231D0000-0x00007FF623521000-memory.dmp	upx
behavioral2/memory/2740-153-0x00007FF741F30000-0x00007FF742281000-memory.dmp	upx
behavioral2/memory/3528-155-0x00007FF7D51A0000-0x00007FF7D54F1000-memory.dmp	upx
behavioral2/memory/4852-156-0x00007FF6F0360000-0x00007FF6F06B1000-memory.dmp	upx
behavioral2/memory/4468-160-0x00007FF6A58B0000-0x00007FF6A5C01000-memory.dmp	upx
behavioral2/memory/2888-162-0x00007FF6564D0000-0x00007FF656821000-memory.dmp	upx
behavioral2/memory/1560-163-0x00007FF6D3FA0000-0x00007FF6D42F1000-memory.dmp	upx
behavioral2/memory/1468-212-0x00007FF78EF70000-0x00007FF78F2C1000-memory.dmp	upx
behavioral2/memory/3604-214-0x00007FF6CACD0000-0x00007FF6CB021000-memory.dmp	upx
behavioral2/memory/2852-225-0x00007FF65D710000-0x00007FF65DA61000-memory.dmp	upx
behavioral2/memory/3792-227-0x00007FF771E50000-0x00007FF7721A1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\CJfxsvS.exe	2024-09-20_2ea33fb1945ca6f96c734b3ba33a681a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sYgSnwq.exe	2024-09-20_2ea33fb1945ca6f96c734b3ba33a681a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\utkoRTu.exe	2024-09-20_2ea33fb1945ca6f96c734b3ba33a681a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lSLVcve.exe	2024-09-20_2ea33fb1945ca6f96c734b3ba33a681a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RsSYFqh.exe	2024-09-20_2ea33fb1945ca6f96c734b3ba33a681a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ATAuzEb.exe	2024-09-20_2ea33fb1945ca6f96c734b3ba33a681a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tOuANOG.exe	2024-09-20_2ea33fb1945ca6f96c734b3ba33a681a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nwcxarB.exe	2024-09-20_2ea33fb1945ca6f96c734b3ba33a681a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gYlyCEn.exe	2024-09-20_2ea33fb1945ca6f96c734b3ba33a681a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OdratBa.exe	2024-09-20_2ea33fb1945ca6f96c734b3ba33a681a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dEVTPgm.exe	2024-09-20_2ea33fb1945ca6f96c734b3ba33a681a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IkblsHe.exe	2024-09-20_2ea33fb1945ca6f96c734b3ba33a681a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MKrAesL.exe	2024-09-20_2ea33fb1945ca6f96c734b3ba33a681a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rsZwGXh.exe	2024-09-20_2ea33fb1945ca6f96c734b3ba33a681a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EUQVuAj.exe	2024-09-20_2ea33fb1945ca6f96c734b3ba33a681a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lQdgwVd.exe	2024-09-20_2ea33fb1945ca6f96c734b3ba33a681a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RsSrhEO.exe	2024-09-20_2ea33fb1945ca6f96c734b3ba33a681a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TBwCbzc.exe	2024-09-20_2ea33fb1945ca6f96c734b3ba33a681a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZvzMCSk.exe	2024-09-20_2ea33fb1945ca6f96c734b3ba33a681a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zaWilHB.exe	2024-09-20_2ea33fb1945ca6f96c734b3ba33a681a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\koQnkcF.exe	2024-09-20_2ea33fb1945ca6f96c734b3ba33a681a_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1560	2024-09-20_2ea33fb1945ca6f96c734b3ba33a681a_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	1560	2024-09-20_2ea33fb1945ca6f96c734b3ba33a681a_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1560 wrote to memory of 1468	1560	2024-09-20_2ea33fb1945ca6f96c734b3ba33a681a_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 1560 wrote to memory of 1468	1560	2024-09-20_2ea33fb1945ca6f96c734b3ba33a681a_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 1560 wrote to memory of 3604	1560	2024-09-20_2ea33fb1945ca6f96c734b3ba33a681a_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 1560 wrote to memory of 3604	1560	2024-09-20_2ea33fb1945ca6f96c734b3ba33a681a_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 1560 wrote to memory of 2852	1560	2024-09-20_2ea33fb1945ca6f96c734b3ba33a681a_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 1560 wrote to memory of 2852	1560	2024-09-20_2ea33fb1945ca6f96c734b3ba33a681a_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 1560 wrote to memory of 3792	1560	2024-09-20_2ea33fb1945ca6f96c734b3ba33a681a_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 1560 wrote to memory of 3792	1560	2024-09-20_2ea33fb1945ca6f96c734b3ba33a681a_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 1560 wrote to memory of 1952	1560	2024-09-20_2ea33fb1945ca6f96c734b3ba33a681a_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 1560 wrote to memory of 1952	1560	2024-09-20_2ea33fb1945ca6f96c734b3ba33a681a_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 1560 wrote to memory of 2016	1560	2024-09-20_2ea33fb1945ca6f96c734b3ba33a681a_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 1560 wrote to memory of 2016	1560	2024-09-20_2ea33fb1945ca6f96c734b3ba33a681a_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 1560 wrote to memory of 4192	1560	2024-09-20_2ea33fb1945ca6f96c734b3ba33a681a_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 1560 wrote to memory of 4192	1560	2024-09-20_2ea33fb1945ca6f96c734b3ba33a681a_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 1560 wrote to memory of 1440	1560	2024-09-20_2ea33fb1945ca6f96c734b3ba33a681a_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1560 wrote to memory of 1440	1560	2024-09-20_2ea33fb1945ca6f96c734b3ba33a681a_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1560 wrote to memory of 4140	1560	2024-09-20_2ea33fb1945ca6f96c734b3ba33a681a_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1560 wrote to memory of 4140	1560	2024-09-20_2ea33fb1945ca6f96c734b3ba33a681a_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1560 wrote to memory of 4148	1560	2024-09-20_2ea33fb1945ca6f96c734b3ba33a681a_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1560 wrote to memory of 4148	1560	2024-09-20_2ea33fb1945ca6f96c734b3ba33a681a_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1560 wrote to memory of 4388	1560	2024-09-20_2ea33fb1945ca6f96c734b3ba33a681a_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1560 wrote to memory of 4388	1560	2024-09-20_2ea33fb1945ca6f96c734b3ba33a681a_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1560 wrote to memory of 4544	1560	2024-09-20_2ea33fb1945ca6f96c734b3ba33a681a_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 1560 wrote to memory of 4544	1560	2024-09-20_2ea33fb1945ca6f96c734b3ba33a681a_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 1560 wrote to memory of 2740	1560	2024-09-20_2ea33fb1945ca6f96c734b3ba33a681a_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1560 wrote to memory of 2740	1560	2024-09-20_2ea33fb1945ca6f96c734b3ba33a681a_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1560 wrote to memory of 3304	1560	2024-09-20_2ea33fb1945ca6f96c734b3ba33a681a_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1560 wrote to memory of 3304	1560	2024-09-20_2ea33fb1945ca6f96c734b3ba33a681a_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1560 wrote to memory of 5028	1560	2024-09-20_2ea33fb1945ca6f96c734b3ba33a681a_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 1560 wrote to memory of 5028	1560	2024-09-20_2ea33fb1945ca6f96c734b3ba33a681a_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 1560 wrote to memory of 4668	1560	2024-09-20_2ea33fb1945ca6f96c734b3ba33a681a_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1560 wrote to memory of 4668	1560	2024-09-20_2ea33fb1945ca6f96c734b3ba33a681a_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1560 wrote to memory of 3528	1560	2024-09-20_2ea33fb1945ca6f96c734b3ba33a681a_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1560 wrote to memory of 3528	1560	2024-09-20_2ea33fb1945ca6f96c734b3ba33a681a_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1560 wrote to memory of 4852	1560	2024-09-20_2ea33fb1945ca6f96c734b3ba33a681a_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1560 wrote to memory of 4852	1560	2024-09-20_2ea33fb1945ca6f96c734b3ba33a681a_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1560 wrote to memory of 2888	1560	2024-09-20_2ea33fb1945ca6f96c734b3ba33a681a_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1560 wrote to memory of 2888	1560	2024-09-20_2ea33fb1945ca6f96c734b3ba33a681a_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1560 wrote to memory of 4468	1560	2024-09-20_2ea33fb1945ca6f96c734b3ba33a681a_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1560 wrote to memory of 4468	1560	2024-09-20_2ea33fb1945ca6f96c734b3ba33a681a_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1560 wrote to memory of 3220	1560	2024-09-20_2ea33fb1945ca6f96c734b3ba33a681a_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 1560 wrote to memory of 3220	1560	2024-09-20_2ea33fb1945ca6f96c734b3ba33a681a_cobalt-strike_cobaltstrike_poet-rat.exe	103

C:\Users\Admin\AppData\Local\Temp\2024-09-20_2ea33fb1945ca6f96c734b3ba33a681a_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-20_2ea33fb1945ca6f96c734b3ba33a681a_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1560
- C:\Windows\System\gYlyCEn.exe
  C:\Windows\System\gYlyCEn.exe
  2⤵
  - Executes dropped EXE
  PID:1468
- C:\Windows\System\rsZwGXh.exe
  C:\Windows\System\rsZwGXh.exe
  2⤵
  - Executes dropped EXE
  PID:3604
- C:\Windows\System\EUQVuAj.exe
  C:\Windows\System\EUQVuAj.exe
  2⤵
  - Executes dropped EXE
  PID:2852
- C:\Windows\System\TBwCbzc.exe
  C:\Windows\System\TBwCbzc.exe
  2⤵
  - Executes dropped EXE
  PID:3792
- C:\Windows\System\ZvzMCSk.exe
  C:\Windows\System\ZvzMCSk.exe
  2⤵
  - Executes dropped EXE
  PID:1952
- C:\Windows\System\lQdgwVd.exe
  C:\Windows\System\lQdgwVd.exe
  2⤵
  - Executes dropped EXE
  PID:2016
- C:\Windows\System\OdratBa.exe
  C:\Windows\System\OdratBa.exe
  2⤵
  - Executes dropped EXE
  PID:4192
- C:\Windows\System\RsSrhEO.exe
  C:\Windows\System\RsSrhEO.exe
  2⤵
  - Executes dropped EXE
  PID:1440
- C:\Windows\System\zaWilHB.exe
  C:\Windows\System\zaWilHB.exe
  2⤵
  - Executes dropped EXE
  PID:4140
- C:\Windows\System\dEVTPgm.exe
  C:\Windows\System\dEVTPgm.exe
  2⤵
  - Executes dropped EXE
  PID:4148
- C:\Windows\System\utkoRTu.exe
  C:\Windows\System\utkoRTu.exe
  2⤵
  - Executes dropped EXE
  PID:4388
- C:\Windows\System\lSLVcve.exe
  C:\Windows\System\lSLVcve.exe
  2⤵
  - Executes dropped EXE
  PID:4544
- C:\Windows\System\RsSYFqh.exe
  C:\Windows\System\RsSYFqh.exe
  2⤵
  - Executes dropped EXE
  PID:2740
- C:\Windows\System\ATAuzEb.exe
  C:\Windows\System\ATAuzEb.exe
  2⤵
  - Executes dropped EXE
  PID:3304
- C:\Windows\System\IkblsHe.exe
  C:\Windows\System\IkblsHe.exe
  2⤵
  - Executes dropped EXE
  PID:5028
- C:\Windows\System\tOuANOG.exe
  C:\Windows\System\tOuANOG.exe
  2⤵
  - Executes dropped EXE
  PID:4668
- C:\Windows\System\MKrAesL.exe
  C:\Windows\System\MKrAesL.exe
  2⤵
  - Executes dropped EXE
  PID:3528
- C:\Windows\System\koQnkcF.exe
  C:\Windows\System\koQnkcF.exe
  2⤵
  - Executes dropped EXE
  PID:4852
- C:\Windows\System\CJfxsvS.exe
  C:\Windows\System\CJfxsvS.exe
  2⤵
  - Executes dropped EXE
  PID:2888
- C:\Windows\System\sYgSnwq.exe
  C:\Windows\System\sYgSnwq.exe
  2⤵
  - Executes dropped EXE
  PID:4468
- C:\Windows\System\nwcxarB.exe
  C:\Windows\System\nwcxarB.exe
  2⤵
  - Executes dropped EXE
  PID:3220

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\ATAuzEb.exe

Filesize
5.2MB

MD5
bd31602c9964a48921d4d7326c44a236

SHA1
dcaf0382cd8829dcabcb53013f62e01db705067b

SHA256
048bf44e94adf8ab6147acc51231cb23354caaa0d5a4f8ba2d93fb1aebfd73ca

SHA512
3c12e6a8a3f7437103c2fab29d30051bf4a60976731b9989b6b84dba8b6dd8c663237b3098a5ecafceb70853b01a1dec8b73357a5120465c8a40639ee99fbbc4

Download Submit
C:\Windows\System\CJfxsvS.exe

Filesize
5.2MB

MD5
6559ff051969c2accf3b5e625c29942f

SHA1
f85a2eb24e2eb4da30044b2277ad75adf8dbe14a

SHA256
13a57bbb4cbc5f99d63c6fe08add4fa966ad0fcb07eae56b08255bba57e6ad4a

SHA512
2c70a158cd22259a35e23f959b810ea302f827d75a98315dce13f5baa29a8794c45a4657198872f7deb3f5f8915d04ccbf2a12082599ecfb8bbd010e99d9a23e

Download Submit
C:\Windows\System\EUQVuAj.exe

Filesize
5.2MB

MD5
a654fa4760035d8cb7629d8e55f093ea

SHA1
09eb4da20fa5a1ba72315a1f854a8e042eff426a

SHA256
daa3ff2e97603f83fc790c27925bf5963bee88c6040791875436a86a02f1f7e7

SHA512
53485ed37cca9899f841d294987c508feeeec3ba79897a61573b52ada0d751a684b677c1503bc89e8f18c1938101147843ee812e6f2be0ff28f1e815eb112c8f

Download Submit
C:\Windows\System\IkblsHe.exe

Filesize
5.2MB

MD5
1c77bb3eaacc514b4d1c9d48e0667f2c

SHA1
089e48bcbd66e2e1b121e6eb1b086bcda18eb8ce

SHA256
8d3db6ed546f5779a19d9db40447c5bbd0146c11c3f665fe50f57bc28611b770

SHA512
276448d667132fcee69bdfbb0a523a22188ccfeebb26c3daf43327fb52cffa00df41e063a706ebf690dc93de11343a71bd68e7546f2404facc278ae3628b0963

Download Submit
C:\Windows\System\MKrAesL.exe

Filesize
5.2MB

MD5
00f5d2e5cbd0bd628392e110ef14164b

SHA1
b65edaddb38169a23ab3597f3641767382eec5be

SHA256
2116bbf5529b3d11af948d4ae645253d8661b050c310dd773e38de4b48b2be01

SHA512
94fabb0e6c952948c7951f82483d896120487e384022b9fa14fc4a3e346d1e98e9de6780416cdbcd3c29b8a2a1683e3ad93ecca66560d7e05b8cb78f11578671

Download Submit
C:\Windows\System\OdratBa.exe

Filesize
5.2MB

MD5
caf0cd0ff73c63e5db170505d54dd14e

SHA1
2289e6b9f99c7589e65a12a01f00d535b472d19f

SHA256
332d1d8293c0f37c6cbf8808589b001ada5a62bae33fada31eef134124d5788b

SHA512
d62b86e5cbca097ac2ed35fe5be0eadb207c94834b1eaca55f49a36015194cf8f2622f5ea9d8f1819b24cccc2ffcc02eb3904d0521fb066ff69dee2d37d2711f

Download Submit
C:\Windows\System\RsSYFqh.exe

Filesize
5.2MB

MD5
3c4b010fd6b3cb3fd7027f9ca22d5616

SHA1
9238904e485f0adbcd01f08893054dadb4562013

SHA256
0766b1891e934de23da1635c3512f4ea4d59e78c322ed199998fe608b355d7ad

SHA512
c969ac7580e91ee75ec72c57e572307bf8d7d8d728531606d7d84a0ae9012c998a872de04f0f5a4ac1f08f3c8d7cae6b71f72b793cae49ca394a0dad3c4c54aa

Download Submit
C:\Windows\System\RsSrhEO.exe

Filesize
5.2MB

MD5
15a24f6fa7180ecb87075f3398d956c7

SHA1
43d0d6399c4f840643408dceed21b342a5742caf

SHA256
d529c6fa057a815ab5e7c7f8ad7012478d579f23b848036ebcc19f4620f7f276

SHA512
5c58dc2e92f4f033d7293e4c8a766b832fedc366f9c0ab35d806d2208d44cd9ffec801b81e724df170f915524de73708bf5e0b2dae1244f887ded6e59f46e842

Download Submit
C:\Windows\System\TBwCbzc.exe

Filesize
5.2MB

MD5
2c67b60c2fd3a916fcd38aa65545a70e

SHA1
8ad278ab8b59144a5d87a6412b5c0b9c77f57c7c

SHA256
ff7fa9b026524286ea4779cc825b4c64a7cf574816783691e714158129a378c7

SHA512
c6a6f647c3abeff9dc4bc14a9383d8b3a8c05d24974d597e1517b94710f2a3bd9f37ee97892a4d790e23011c2d8d70b177a233102c271a35775df8d05cb5cf75

Download Submit
C:\Windows\System\ZvzMCSk.exe

Filesize
5.2MB

MD5
d95831de90a3063d1293e8a935768d6f

SHA1
f3e8e9f2b9c362515055f403e28c47434ece027d

SHA256
c921f2824785c3d551a06ef1857ef27d910a33a0455840791afbad441dded0bf

SHA512
811c1533f0f4e4453a46e46e1fbddfb6bcde2ffa87f3d05a920af57089dcf268ba3ba4825dd2e71f65350d9dc23720f49ded978fc3925bf79ee617bde38dde0f

Download Submit
C:\Windows\System\dEVTPgm.exe

Filesize
5.2MB

MD5
37422ab2bc4aaa05de45bc28a3306944

SHA1
a3216bd66dcde9371b04bf8c3413ce2d92b5fee0

SHA256
d2b86a4f248788467ebf20ac19cba755cb4763a3482f412f218c6833f4685f47

SHA512
e14c7b0654f3bd19a3a06690152ab786d5d3cc282d771da04edb79381cba408a8610c5f26ab2c147a0221400ae10faba6305598a1eb02912437c849f0220a724

Download Submit
C:\Windows\System\gYlyCEn.exe

Filesize
5.2MB

MD5
a8113a3a45aabee7dd38d808c9709142

SHA1
6cc0bfc5b27374fa162732cb30eaf2248e232c38

SHA256
7f17c03d5b58c4552084a95c6dee990d89096ed60c9798aeb02aadb17b758866

SHA512
376fe567572d1ed89739bc7e6af3cee94f6ac5014f1d2f2c982a7b4b2902337217078a33c7d43e7c76d7b0f27ab0c89886e799c7ae19a6a89b1172ec7f15df13

Download Submit
C:\Windows\System\koQnkcF.exe

Filesize
5.2MB

MD5
6b0e7c6575313edf527636a8e87cb2b5

SHA1
49929a83e0444369d45c24b90d5b2bcaf2aa41d5

SHA256
a5741b234167bb3deaa31375fd2bfd1a7a46113a342ef53e2447621b0dcf0701

SHA512
95b6b0e6e49db0973bd6f117c5a00debf0cf7b8c2bc38b532c9c6ece753606738da235064beeb439a670849f8e0166e330c782521ad8a4e193780ebe08566b42

Download Submit
C:\Windows\System\lQdgwVd.exe

Filesize
5.2MB

MD5
396f5a33080ba43d4348b2589cf75375

SHA1
06efc474a9aa934b54be55682bd2954ad7398204

SHA256
5c0cdee087c78607296d1711f0f07cc81d5dc1ba3d366f9cd2587a48872d2ec9

SHA512
c7c4e36467a76d86bb5b6d9cd4349381956b41f55f4c600c1dad48f04842adeec7515530251107f0b41575cb8b75f7de9eee16fc578c28508fecc8cdf6687e08

Download Submit
C:\Windows\System\lSLVcve.exe

Filesize
5.2MB

MD5
b55c31d4710f03449a8a241ad5357765

SHA1
39b7ee347264ecf4d3301cbd9b4f212da4b9d330

SHA256
7dd483aa92adebb7c1f6d61e898034cfbc0ab8318bbccfc3de7c316b3c4ab1a1

SHA512
2233e6c381a44ea4d7bce91d20bd5483b8930aa047a73afd151dfe3b2a2f6a1c8072a4409966d1b0038c47835f1e4f986da88ccd75dc5b5feaae68fcb190e2d4

Download Submit
C:\Windows\System\nwcxarB.exe

Filesize
5.2MB

MD5
bdd7439da0d8f259faa0bcaf1d24bb71

SHA1
a485b827495ebcf37ab1926e8ba888530b04f737

SHA256
bae06b3f7e355e134f5ff67bb26ec92f00b84a3be8f4c9a66a887b303605267a

SHA512
d0340e755c3e13fdbef2e1a07128eea7769813a59357448c126e05ef0bc424a8a57520ed2d00bc0207011430e12354ea7113ba6173b8d2020d03544b3caefc63

Download Submit
C:\Windows\System\rsZwGXh.exe

Filesize
5.2MB

MD5
4f0a688f00e504e764dc9e87aa28845c

SHA1
873128088399e6ee44ed593633be0fada935ea75

SHA256
0e857fcbfa424f51aa1b970f67c020ebf7f005578151996ba4be49db70dd1490

SHA512
9b24ae036c82782248d13b83880199352aad90f52daa2bd235d8d6a5d67ff14fb3f07aeffc19974bd276dad0cca5b63251d522a22be6fe621f585ecbf49366bb

Download Submit
C:\Windows\System\sYgSnwq.exe

Filesize
5.2MB

MD5
b624fb841509e5e39977f21baa043f47

SHA1
7aa379ccbf889b33e94f1a01b830afbb54250699

SHA256
b6df33ded0f88f96231d6b7ecdf265bf65d567dbf5cbf8f0ad711715c5dfca6f

SHA512
0d4a6cb8a6a0cd6687977ed309454e4e99d4af954572a22ecb750358e25800bfd09b4c4c9b8022fbc2bc9067d6958dd1d267ce826b20d622d77dc92c7bb3caca

Download Submit
C:\Windows\System\tOuANOG.exe

Filesize
5.2MB

MD5
7daee9fe5beb38d17656b0a33693984e

SHA1
1ac4b250b287f6f00a294c21d05ad1c09608c150

SHA256
9807cc8a349590d53742a685fa1146c040992d42b148a64a61cd984cc696475d

SHA512
4e1907a373888ff15f479255404119f6a0ef7031f24ef6bb79068a90d2bbcd1178d5bdddd6fe20e22fc1e30c1ac67e911190c608f90222ddda835e461a37d594

Download Submit
C:\Windows\System\utkoRTu.exe

Filesize
5.2MB

MD5
d8ddef3c6f407eff5690361e15295249

SHA1
ea06ae34f6d40aaf1e90c949ec12c9c6f95d8ceb

SHA256
ad69b71a64c2e0c5bc6a3d6513acb5671ca22cbac904ed62d6be60fa41f1559e

SHA512
35c9c897e0ff61a24beb8b2c68d4ff3d5c026a8a7b0febe7afe64cfcdf21c8425442f8c3148df8a2ca2a9deb691272510689053a97df0772a4b6e125f0fba5f2

Download Submit
C:\Windows\System\zaWilHB.exe

Filesize
5.2MB

MD5
d8e86318056798c45d45ebac89fe2de1

SHA1
28267566a7a1d619d95532f93a49b203086e025d

SHA256
e57a6fa8c766ae3ad2bfd443c52b15867cb5b895ccd767f2669ed73bf872ba00

SHA512
5e338df9f6def025bb57a51e9595c112d85602d20cd9053e99565346d32e5c80b44d7a908c4137c1dc60c1e1b4d1b5f1e63816f1afe645003c048845cc9a5a86

Download Submit
memory/1440-237-0x00007FF6CBAF0000-0x00007FF6CBE41000-memory.dmp

Filesize
3.3MB

Download
memory/1440-130-0x00007FF6CBAF0000-0x00007FF6CBE41000-memory.dmp

Filesize
3.3MB

Download
memory/1440-48-0x00007FF6CBAF0000-0x00007FF6CBE41000-memory.dmp

Filesize
3.3MB

Download
memory/1468-116-0x00007FF78EF70000-0x00007FF78F2C1000-memory.dmp

Filesize
3.3MB

Download
memory/1468-7-0x00007FF78EF70000-0x00007FF78F2C1000-memory.dmp

Filesize
3.3MB

Download
memory/1468-212-0x00007FF78EF70000-0x00007FF78F2C1000-memory.dmp

Filesize
3.3MB

Download
memory/1560-102-0x00007FF6D3FA0000-0x00007FF6D42F1000-memory.dmp

Filesize
3.3MB

Download
memory/1560-163-0x00007FF6D3FA0000-0x00007FF6D42F1000-memory.dmp

Filesize
3.3MB

Download
memory/1560-0-0x00007FF6D3FA0000-0x00007FF6D42F1000-memory.dmp

Filesize
3.3MB

Download
memory/1560-135-0x00007FF6D3FA0000-0x00007FF6D42F1000-memory.dmp

Filesize
3.3MB

Download
memory/1560-1-0x00000239E50D0000-0x00000239E50E0000-memory.dmp

Filesize
64KB

Download
memory/1952-231-0x00007FF7E8650000-0x00007FF7E89A1000-memory.dmp

Filesize
3.3MB

Download
memory/1952-72-0x00007FF7E8650000-0x00007FF7E89A1000-memory.dmp

Filesize
3.3MB

Download
memory/2016-229-0x00007FF784DF0000-0x00007FF785141000-memory.dmp

Filesize
3.3MB

Download
memory/2016-47-0x00007FF784DF0000-0x00007FF785141000-memory.dmp

Filesize
3.3MB

Download
memory/2740-153-0x00007FF741F30000-0x00007FF742281000-memory.dmp

Filesize
3.3MB

Download
memory/2740-85-0x00007FF741F30000-0x00007FF742281000-memory.dmp

Filesize
3.3MB

Download
memory/2740-250-0x00007FF741F30000-0x00007FF742281000-memory.dmp

Filesize
3.3MB

Download
memory/2852-131-0x00007FF65D710000-0x00007FF65DA61000-memory.dmp

Filesize
3.3MB

Download
memory/2852-225-0x00007FF65D710000-0x00007FF65DA61000-memory.dmp

Filesize
3.3MB

Download
memory/2852-19-0x00007FF65D710000-0x00007FF65DA61000-memory.dmp

Filesize
3.3MB

Download
memory/2888-122-0x00007FF6564D0000-0x00007FF656821000-memory.dmp

Filesize
3.3MB

Download
memory/2888-266-0x00007FF6564D0000-0x00007FF656821000-memory.dmp

Filesize
3.3MB

Download
memory/2888-162-0x00007FF6564D0000-0x00007FF656821000-memory.dmp

Filesize
3.3MB

Download
memory/3220-127-0x00007FF625100000-0x00007FF625451000-memory.dmp

Filesize
3.3MB

Download
memory/3220-268-0x00007FF625100000-0x00007FF625451000-memory.dmp

Filesize
3.3MB

Download
memory/3304-253-0x00007FF6231D0000-0x00007FF623521000-memory.dmp

Filesize
3.3MB

Download
memory/3304-86-0x00007FF6231D0000-0x00007FF623521000-memory.dmp

Filesize
3.3MB

Download
memory/3304-154-0x00007FF6231D0000-0x00007FF623521000-memory.dmp

Filesize
3.3MB

Download
memory/3528-262-0x00007FF7D51A0000-0x00007FF7D54F1000-memory.dmp

Filesize
3.3MB

Download
memory/3528-108-0x00007FF7D51A0000-0x00007FF7D54F1000-memory.dmp

Filesize
3.3MB

Download
memory/3528-155-0x00007FF7D51A0000-0x00007FF7D54F1000-memory.dmp

Filesize
3.3MB

Download
memory/3604-14-0x00007FF6CACD0000-0x00007FF6CB021000-memory.dmp

Filesize
3.3MB

Download
memory/3604-214-0x00007FF6CACD0000-0x00007FF6CB021000-memory.dmp

Filesize
3.3MB

Download
memory/3792-132-0x00007FF771E50000-0x00007FF7721A1000-memory.dmp

Filesize
3.3MB

Download
memory/3792-36-0x00007FF771E50000-0x00007FF7721A1000-memory.dmp

Filesize
3.3MB

Download
memory/3792-227-0x00007FF771E50000-0x00007FF7721A1000-memory.dmp

Filesize
3.3MB

Download
memory/4140-243-0x00007FF61F730000-0x00007FF61FA81000-memory.dmp

Filesize
3.3MB

Download
memory/4140-82-0x00007FF61F730000-0x00007FF61FA81000-memory.dmp

Filesize
3.3MB

Download
memory/4148-56-0x00007FF691690000-0x00007FF6919E1000-memory.dmp

Filesize
3.3MB

Download
memory/4148-134-0x00007FF691690000-0x00007FF6919E1000-memory.dmp

Filesize
3.3MB

Download
memory/4148-245-0x00007FF691690000-0x00007FF6919E1000-memory.dmp

Filesize
3.3MB

Download
memory/4192-79-0x00007FF7D9760000-0x00007FF7D9AB1000-memory.dmp

Filesize
3.3MB

Download
memory/4192-239-0x00007FF7D9760000-0x00007FF7D9AB1000-memory.dmp

Filesize
3.3MB

Download
memory/4388-241-0x00007FF640180000-0x00007FF6404D1000-memory.dmp

Filesize
3.3MB

Download
memory/4388-67-0x00007FF640180000-0x00007FF6404D1000-memory.dmp

Filesize
3.3MB

Download
memory/4388-133-0x00007FF640180000-0x00007FF6404D1000-memory.dmp

Filesize
3.3MB

Download
memory/4468-160-0x00007FF6A58B0000-0x00007FF6A5C01000-memory.dmp

Filesize
3.3MB

Download
memory/4468-270-0x00007FF6A58B0000-0x00007FF6A5C01000-memory.dmp

Filesize
3.3MB

Download
memory/4468-128-0x00007FF6A58B0000-0x00007FF6A5C01000-memory.dmp

Filesize
3.3MB

Download
memory/4544-83-0x00007FF769B40000-0x00007FF769E91000-memory.dmp

Filesize
3.3MB

Download
memory/4544-247-0x00007FF769B40000-0x00007FF769E91000-memory.dmp

Filesize
3.3MB

Download
memory/4668-98-0x00007FF6C7E20000-0x00007FF6C8171000-memory.dmp

Filesize
3.3MB

Download
memory/4668-152-0x00007FF6C7E20000-0x00007FF6C8171000-memory.dmp

Filesize
3.3MB

Download
memory/4668-260-0x00007FF6C7E20000-0x00007FF6C8171000-memory.dmp

Filesize
3.3MB

Download
memory/4852-156-0x00007FF6F0360000-0x00007FF6F06B1000-memory.dmp

Filesize
3.3MB

Download
memory/4852-114-0x00007FF6F0360000-0x00007FF6F06B1000-memory.dmp

Filesize
3.3MB

Download
memory/4852-264-0x00007FF6F0360000-0x00007FF6F06B1000-memory.dmp

Filesize
3.3MB

Download
memory/5028-142-0x00007FF60D230000-0x00007FF60D581000-memory.dmp

Filesize
3.3MB

Download
memory/5028-251-0x00007FF60D230000-0x00007FF60D581000-memory.dmp

Filesize
3.3MB

Download
memory/5028-84-0x00007FF60D230000-0x00007FF60D581000-memory.dmp

Filesize
3.3MB

Download