cobaltstrike | 9e2327d0b6d11951f1dd6832cb48d8c554e57f1df9845fc24709ee774df3b5c6

Analysis

max time kernel
140s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20/09/2024, 15:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

3b93c55d63772cdaf7f89ed43fa54b55
SHA1

6838c06d9638dc0d0b611b2e33599773415be383
SHA256

9e2327d0b6d11951f1dd6832cb48d8c554e57f1df9845fc24709ee774df3b5c6
SHA512

5e108ba3402dc2091e6b1a05d77c84ba0eea07b31f76f8bfd51683da3e92e423def9170d6ee0476af05b9c7a644c3985b16d4951094483000fa49a15382da98a
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l5:RWWBibf56utgpPFotBER/mQ32lUd

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0008000000023464-5.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023469-9.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023468-12.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002346a-27.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023470-59.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023471-64.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023475-83.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023474-80.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023478-93.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002347b-125.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002347a-121.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023479-111.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023477-104.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023476-101.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023473-74.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023472-72.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002346f-57.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023465-50.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002346e-46.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002346d-45.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002346c-33.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/4760-99-0x00007FF7D8520000-0x00007FF7D8871000-memory.dmp	xmrig
behavioral2/memory/3000-117-0x00007FF723F40000-0x00007FF724291000-memory.dmp	xmrig
behavioral2/memory/2660-123-0x00007FF69A730000-0x00007FF69AA81000-memory.dmp	xmrig
behavioral2/memory/1364-128-0x00007FF6938A0000-0x00007FF693BF1000-memory.dmp	xmrig
behavioral2/memory/4052-127-0x00007FF6E4B30000-0x00007FF6E4E81000-memory.dmp	xmrig
behavioral2/memory/4744-124-0x00007FF6C09D0000-0x00007FF6C0D21000-memory.dmp	xmrig
behavioral2/memory/1396-120-0x00007FF7E4000000-0x00007FF7E4351000-memory.dmp	xmrig
behavioral2/memory/5036-119-0x00007FF7688D0000-0x00007FF768C21000-memory.dmp	xmrig
behavioral2/memory/4784-116-0x00007FF635AA0000-0x00007FF635DF1000-memory.dmp	xmrig
behavioral2/memory/4860-109-0x00007FF7F4AB0000-0x00007FF7F4E01000-memory.dmp	xmrig
behavioral2/memory/4732-95-0x00007FF6C27C0000-0x00007FF6C2B11000-memory.dmp	xmrig
behavioral2/memory/1964-94-0x00007FF6E92C0000-0x00007FF6E9611000-memory.dmp	xmrig
behavioral2/memory/2884-129-0x00007FF6542A0000-0x00007FF6545F1000-memory.dmp	xmrig
behavioral2/memory/4972-133-0x00007FF6412B0000-0x00007FF641601000-memory.dmp	xmrig
behavioral2/memory/2844-134-0x00007FF77A710000-0x00007FF77AA61000-memory.dmp	xmrig
behavioral2/memory/3220-135-0x00007FF6EF3F0000-0x00007FF6EF741000-memory.dmp	xmrig
behavioral2/memory/4052-130-0x00007FF6E4B30000-0x00007FF6E4E81000-memory.dmp	xmrig
behavioral2/memory/936-140-0x00007FF7DA0E0000-0x00007FF7DA431000-memory.dmp	xmrig
behavioral2/memory/3648-137-0x00007FF7678A0000-0x00007FF767BF1000-memory.dmp	xmrig
behavioral2/memory/3244-139-0x00007FF7522A0000-0x00007FF7525F1000-memory.dmp	xmrig
behavioral2/memory/5084-145-0x00007FF6289A0000-0x00007FF628CF1000-memory.dmp	xmrig
behavioral2/memory/2512-138-0x00007FF75E920000-0x00007FF75EC71000-memory.dmp	xmrig
behavioral2/memory/4092-136-0x00007FF76F2B0000-0x00007FF76F601000-memory.dmp	xmrig
behavioral2/memory/4052-153-0x00007FF6E4B30000-0x00007FF6E4E81000-memory.dmp	xmrig
behavioral2/memory/2884-202-0x00007FF6542A0000-0x00007FF6545F1000-memory.dmp	xmrig
behavioral2/memory/3220-208-0x00007FF6EF3F0000-0x00007FF6EF741000-memory.dmp	xmrig
behavioral2/memory/4972-210-0x00007FF6412B0000-0x00007FF641601000-memory.dmp	xmrig
behavioral2/memory/2844-212-0x00007FF77A710000-0x00007FF77AA61000-memory.dmp	xmrig
behavioral2/memory/4092-223-0x00007FF76F2B0000-0x00007FF76F601000-memory.dmp	xmrig
behavioral2/memory/3244-232-0x00007FF7522A0000-0x00007FF7525F1000-memory.dmp	xmrig
behavioral2/memory/2512-231-0x00007FF75E920000-0x00007FF75EC71000-memory.dmp	xmrig
behavioral2/memory/936-235-0x00007FF7DA0E0000-0x00007FF7DA431000-memory.dmp	xmrig
behavioral2/memory/3648-236-0x00007FF7678A0000-0x00007FF767BF1000-memory.dmp	xmrig
behavioral2/memory/5036-238-0x00007FF7688D0000-0x00007FF768C21000-memory.dmp	xmrig
behavioral2/memory/1964-240-0x00007FF6E92C0000-0x00007FF6E9611000-memory.dmp	xmrig
behavioral2/memory/4732-244-0x00007FF6C27C0000-0x00007FF6C2B11000-memory.dmp	xmrig
behavioral2/memory/4760-243-0x00007FF7D8520000-0x00007FF7D8871000-memory.dmp	xmrig
behavioral2/memory/4860-246-0x00007FF7F4AB0000-0x00007FF7F4E01000-memory.dmp	xmrig
behavioral2/memory/4784-248-0x00007FF635AA0000-0x00007FF635DF1000-memory.dmp	xmrig
behavioral2/memory/3000-250-0x00007FF723F40000-0x00007FF724291000-memory.dmp	xmrig
behavioral2/memory/1396-252-0x00007FF7E4000000-0x00007FF7E4351000-memory.dmp	xmrig
behavioral2/memory/2660-254-0x00007FF69A730000-0x00007FF69AA81000-memory.dmp	xmrig
behavioral2/memory/5084-256-0x00007FF6289A0000-0x00007FF628CF1000-memory.dmp	xmrig
behavioral2/memory/4744-258-0x00007FF6C09D0000-0x00007FF6C0D21000-memory.dmp	xmrig
behavioral2/memory/1364-260-0x00007FF6938A0000-0x00007FF693BF1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2884	uyQxCmR.exe
3220	ahMtxTi.exe
4972	SrGppzZ.exe
2844	hjQDMWZ.exe
4092	aLrGXqd.exe
3648	ErpNxtD.exe
2512	JGvYrYp.exe
3244	iCzLNlx.exe
936	juoNGVG.exe
5036	nqMfQjx.exe
1964	LkEetfW.exe
4732	Qxzhqeq.exe
4760	rrHcGWb.exe
5084	igQRKMo.exe
4860	QDDmMHj.exe
4784	BMLruXF.exe
1396	MdvsoUt.exe
3000	qRiHsWP.exe
2660	GETrowu.exe
4744	WieEmvU.exe
1364	zQhHpxL.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4052-0-0x00007FF6E4B30000-0x00007FF6E4E81000-memory.dmp	upx
behavioral2/files/0x0008000000023464-5.dat	upx
behavioral2/memory/2884-7-0x00007FF6542A0000-0x00007FF6545F1000-memory.dmp	upx
behavioral2/files/0x0007000000023469-9.dat	upx
behavioral2/files/0x0007000000023468-12.dat	upx
behavioral2/memory/4972-18-0x00007FF6412B0000-0x00007FF641601000-memory.dmp	upx
behavioral2/memory/3220-15-0x00007FF6EF3F0000-0x00007FF6EF741000-memory.dmp	upx
behavioral2/files/0x000700000002346a-27.dat	upx
behavioral2/memory/2512-43-0x00007FF75E920000-0x00007FF75EC71000-memory.dmp	upx
behavioral2/memory/3244-52-0x00007FF7522A0000-0x00007FF7525F1000-memory.dmp	upx
behavioral2/files/0x0007000000023470-59.dat	upx
behavioral2/files/0x0007000000023471-64.dat	upx
behavioral2/files/0x0007000000023475-83.dat	upx
behavioral2/files/0x0007000000023474-80.dat	upx
behavioral2/files/0x0007000000023478-93.dat	upx
behavioral2/memory/4760-99-0x00007FF7D8520000-0x00007FF7D8871000-memory.dmp	upx
behavioral2/memory/3000-117-0x00007FF723F40000-0x00007FF724291000-memory.dmp	upx
behavioral2/memory/2660-123-0x00007FF69A730000-0x00007FF69AA81000-memory.dmp	upx
behavioral2/memory/1364-128-0x00007FF6938A0000-0x00007FF693BF1000-memory.dmp	upx
behavioral2/memory/4052-127-0x00007FF6E4B30000-0x00007FF6E4E81000-memory.dmp	upx
behavioral2/files/0x000700000002347b-125.dat	upx
behavioral2/memory/4744-124-0x00007FF6C09D0000-0x00007FF6C0D21000-memory.dmp	upx
behavioral2/files/0x000700000002347a-121.dat	upx
behavioral2/memory/1396-120-0x00007FF7E4000000-0x00007FF7E4351000-memory.dmp	upx
behavioral2/memory/5036-119-0x00007FF7688D0000-0x00007FF768C21000-memory.dmp	upx
behavioral2/memory/4784-116-0x00007FF635AA0000-0x00007FF635DF1000-memory.dmp	upx
behavioral2/files/0x0007000000023479-111.dat	upx
behavioral2/memory/4860-109-0x00007FF7F4AB0000-0x00007FF7F4E01000-memory.dmp	upx
behavioral2/files/0x0007000000023477-104.dat	upx
behavioral2/memory/5084-100-0x00007FF6289A0000-0x00007FF628CF1000-memory.dmp	upx
behavioral2/files/0x0007000000023476-101.dat	upx
behavioral2/memory/4732-95-0x00007FF6C27C0000-0x00007FF6C2B11000-memory.dmp	upx
behavioral2/memory/1964-94-0x00007FF6E92C0000-0x00007FF6E9611000-memory.dmp	upx
behavioral2/memory/936-89-0x00007FF7DA0E0000-0x00007FF7DA431000-memory.dmp	upx
behavioral2/files/0x0007000000023473-74.dat	upx
behavioral2/files/0x0007000000023472-72.dat	upx
behavioral2/files/0x000700000002346f-57.dat	upx
behavioral2/files/0x0008000000023465-50.dat	upx
behavioral2/files/0x000700000002346e-46.dat	upx
behavioral2/files/0x000700000002346d-45.dat	upx
behavioral2/memory/3648-42-0x00007FF7678A0000-0x00007FF767BF1000-memory.dmp	upx
behavioral2/files/0x000700000002346c-33.dat	upx
behavioral2/memory/4092-32-0x00007FF76F2B0000-0x00007FF76F601000-memory.dmp	upx
behavioral2/memory/2844-24-0x00007FF77A710000-0x00007FF77AA61000-memory.dmp	upx
behavioral2/memory/2884-129-0x00007FF6542A0000-0x00007FF6545F1000-memory.dmp	upx
behavioral2/memory/4972-133-0x00007FF6412B0000-0x00007FF641601000-memory.dmp	upx
behavioral2/memory/2844-134-0x00007FF77A710000-0x00007FF77AA61000-memory.dmp	upx
behavioral2/memory/3220-135-0x00007FF6EF3F0000-0x00007FF6EF741000-memory.dmp	upx
behavioral2/memory/4052-130-0x00007FF6E4B30000-0x00007FF6E4E81000-memory.dmp	upx
behavioral2/memory/936-140-0x00007FF7DA0E0000-0x00007FF7DA431000-memory.dmp	upx
behavioral2/memory/3648-137-0x00007FF7678A0000-0x00007FF767BF1000-memory.dmp	upx
behavioral2/memory/3244-139-0x00007FF7522A0000-0x00007FF7525F1000-memory.dmp	upx
behavioral2/memory/5084-145-0x00007FF6289A0000-0x00007FF628CF1000-memory.dmp	upx
behavioral2/memory/2512-138-0x00007FF75E920000-0x00007FF75EC71000-memory.dmp	upx
behavioral2/memory/4092-136-0x00007FF76F2B0000-0x00007FF76F601000-memory.dmp	upx
behavioral2/memory/4052-153-0x00007FF6E4B30000-0x00007FF6E4E81000-memory.dmp	upx
behavioral2/memory/2884-202-0x00007FF6542A0000-0x00007FF6545F1000-memory.dmp	upx
behavioral2/memory/3220-208-0x00007FF6EF3F0000-0x00007FF6EF741000-memory.dmp	upx
behavioral2/memory/4972-210-0x00007FF6412B0000-0x00007FF641601000-memory.dmp	upx
behavioral2/memory/2844-212-0x00007FF77A710000-0x00007FF77AA61000-memory.dmp	upx
behavioral2/memory/4092-223-0x00007FF76F2B0000-0x00007FF76F601000-memory.dmp	upx
behavioral2/memory/3244-232-0x00007FF7522A0000-0x00007FF7525F1000-memory.dmp	upx
behavioral2/memory/2512-231-0x00007FF75E920000-0x00007FF75EC71000-memory.dmp	upx
behavioral2/memory/936-235-0x00007FF7DA0E0000-0x00007FF7DA431000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\uyQxCmR.exe	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hjQDMWZ.exe	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aLrGXqd.exe	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nqMfQjx.exe	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rrHcGWb.exe	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MdvsoUt.exe	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SrGppzZ.exe	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JGvYrYp.exe	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LkEetfW.exe	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\igQRKMo.exe	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qRiHsWP.exe	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ErpNxtD.exe	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iCzLNlx.exe	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zQhHpxL.exe	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WieEmvU.exe	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ahMtxTi.exe	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\juoNGVG.exe	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\Qxzhqeq.exe	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QDDmMHj.exe	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BMLruXF.exe	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GETrowu.exe	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4052	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4052	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4052 wrote to memory of 2884	4052	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4052 wrote to memory of 2884	4052	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4052 wrote to memory of 3220	4052	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4052 wrote to memory of 3220	4052	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4052 wrote to memory of 4972	4052	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4052 wrote to memory of 4972	4052	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4052 wrote to memory of 2844	4052	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4052 wrote to memory of 2844	4052	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4052 wrote to memory of 4092	4052	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4052 wrote to memory of 4092	4052	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4052 wrote to memory of 3648	4052	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4052 wrote to memory of 3648	4052	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4052 wrote to memory of 2512	4052	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4052 wrote to memory of 2512	4052	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4052 wrote to memory of 3244	4052	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4052 wrote to memory of 3244	4052	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4052 wrote to memory of 936	4052	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4052 wrote to memory of 936	4052	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4052 wrote to memory of 5036	4052	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4052 wrote to memory of 5036	4052	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4052 wrote to memory of 1964	4052	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4052 wrote to memory of 1964	4052	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4052 wrote to memory of 4732	4052	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4052 wrote to memory of 4732	4052	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4052 wrote to memory of 4760	4052	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4052 wrote to memory of 4760	4052	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4052 wrote to memory of 5084	4052	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4052 wrote to memory of 5084	4052	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4052 wrote to memory of 4860	4052	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4052 wrote to memory of 4860	4052	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4052 wrote to memory of 4784	4052	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4052 wrote to memory of 4784	4052	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4052 wrote to memory of 1396	4052	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4052 wrote to memory of 1396	4052	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4052 wrote to memory of 3000	4052	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4052 wrote to memory of 3000	4052	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4052 wrote to memory of 2660	4052	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4052 wrote to memory of 2660	4052	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4052 wrote to memory of 4744	4052	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4052 wrote to memory of 4744	4052	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4052 wrote to memory of 1364	4052	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 4052 wrote to memory of 1364	4052	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe	105

C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4052
- C:\Windows\System\uyQxCmR.exe
  C:\Windows\System\uyQxCmR.exe
  2⤵
  - Executes dropped EXE
  PID:2884
- C:\Windows\System\ahMtxTi.exe
  C:\Windows\System\ahMtxTi.exe
  2⤵
  - Executes dropped EXE
  PID:3220
- C:\Windows\System\SrGppzZ.exe
  C:\Windows\System\SrGppzZ.exe
  2⤵
  - Executes dropped EXE
  PID:4972
- C:\Windows\System\hjQDMWZ.exe
  C:\Windows\System\hjQDMWZ.exe
  2⤵
  - Executes dropped EXE
  PID:2844
- C:\Windows\System\aLrGXqd.exe
  C:\Windows\System\aLrGXqd.exe
  2⤵
  - Executes dropped EXE
  PID:4092
- C:\Windows\System\ErpNxtD.exe
  C:\Windows\System\ErpNxtD.exe
  2⤵
  - Executes dropped EXE
  PID:3648
- C:\Windows\System\JGvYrYp.exe
  C:\Windows\System\JGvYrYp.exe
  2⤵
  - Executes dropped EXE
  PID:2512
- C:\Windows\System\iCzLNlx.exe
  C:\Windows\System\iCzLNlx.exe
  2⤵
  - Executes dropped EXE
  PID:3244
- C:\Windows\System\juoNGVG.exe
  C:\Windows\System\juoNGVG.exe
  2⤵
  - Executes dropped EXE
  PID:936
- C:\Windows\System\nqMfQjx.exe
  C:\Windows\System\nqMfQjx.exe
  2⤵
  - Executes dropped EXE
  PID:5036
- C:\Windows\System\LkEetfW.exe
  C:\Windows\System\LkEetfW.exe
  2⤵
  - Executes dropped EXE
  PID:1964
- C:\Windows\System\Qxzhqeq.exe
  C:\Windows\System\Qxzhqeq.exe
  2⤵
  - Executes dropped EXE
  PID:4732
- C:\Windows\System\rrHcGWb.exe
  C:\Windows\System\rrHcGWb.exe
  2⤵
  - Executes dropped EXE
  PID:4760
- C:\Windows\System\igQRKMo.exe
  C:\Windows\System\igQRKMo.exe
  2⤵
  - Executes dropped EXE
  PID:5084
- C:\Windows\System\QDDmMHj.exe
  C:\Windows\System\QDDmMHj.exe
  2⤵
  - Executes dropped EXE
  PID:4860
- C:\Windows\System\BMLruXF.exe
  C:\Windows\System\BMLruXF.exe
  2⤵
  - Executes dropped EXE
  PID:4784
- C:\Windows\System\MdvsoUt.exe
  C:\Windows\System\MdvsoUt.exe
  2⤵
  - Executes dropped EXE
  PID:1396
- C:\Windows\System\qRiHsWP.exe
  C:\Windows\System\qRiHsWP.exe
  2⤵
  - Executes dropped EXE
  PID:3000
- C:\Windows\System\GETrowu.exe
  C:\Windows\System\GETrowu.exe
  2⤵
  - Executes dropped EXE
  PID:2660
- C:\Windows\System\WieEmvU.exe
  C:\Windows\System\WieEmvU.exe
  2⤵
  - Executes dropped EXE
  PID:4744
- C:\Windows\System\zQhHpxL.exe
  C:\Windows\System\zQhHpxL.exe
  2⤵
  - Executes dropped EXE
  PID:1364

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BMLruXF.exe

Filesize
5.2MB

MD5
45879818feebcf6d4cff9839bdecd8f4

SHA1
bf30559dbf6df37e9461de2f52282d99bddd914c

SHA256
b2f89b3d761dcd4a56db6945786d4da39a644c8cb85b36046165b187a5ca43e1

SHA512
5194780acd076e40f913b6b651267cb38803e82a2d07a1b11fe2b8b555b096abc3b3ffe49664db791191faa1433e45c6b448f0297aa04e5cf6b47297d1d9d790

Download Submit
C:\Windows\System\ErpNxtD.exe

Filesize
5.2MB

MD5
1ac48fb144544821b75e7635df5443c1

SHA1
f66b981c39c66e45e76e5026877bfb115573224c

SHA256
f4fd378b691c41a5847313ad9e449f2afda122938a4c55b407dcc149059b975c

SHA512
719cd15aafe8c9d5ae3d32af0d734cb2d088952ef532786ad8c39ad75e11d88e3d953980c7d99463243500b477ffd75de7d44df6b1ca582673235ece33e32d56

Download Submit
C:\Windows\System\GETrowu.exe

Filesize
5.2MB

MD5
005b9e35f9adee8f35c1c086472f0a7a

SHA1
2efa3d286a7e2ed0916c8b75412f6d0b0ec5eacb

SHA256
807ca388fea337d92f042dd0e05ebdc0707b5960c2ce3a94aae1b8ec68d9b335

SHA512
168099b13870f6a51577ce24586b9060fec2ad5f4a1e147f4a2c35b95ca869e9746c0f01fa23c7292ed7eee83b913b1f0b79fac860d6e8f96eeaff7dd207e1bc

Download Submit
C:\Windows\System\JGvYrYp.exe

Filesize
5.2MB

MD5
a703da5820307e91eb7821675d51bd88

SHA1
a61ec97b7ecc5356415f3fe079f3d543c177eada

SHA256
00012f062b0e3ba21c94a789be7c597c50ca7d53730e422516b82998a80560f8

SHA512
e5cb7cdaa0a98baaa5ecd3635461d1751da11f9659dd0690d906cf682f813cc85ddfaff3a28a1fc7d07b83b92b1a472c0ebec55c406a5e8609206b06b0b2baa8

Download Submit
C:\Windows\System\LkEetfW.exe

Filesize
5.2MB

MD5
f93a71dd14efdb4094f7fe2d0bad62b1

SHA1
98b8ad751629d7c864e30fc00bf84b15e3d10dbf

SHA256
2b0d9866cda08bfbfac7e1fe85d8e373ac6b2c12f4a497167290addf9c6cac7e

SHA512
a04baf8ff916be96a9dc3eabe3222a78a1f10256a21413bc1297d6c8460fee8aadd53270aff3243e551b1e97f30e9364c30f3f813c9f022345148d32cb33a050

Download Submit
C:\Windows\System\MdvsoUt.exe

Filesize
5.2MB

MD5
fb7842c5951742eb8232e5e571a7e8bb

SHA1
bebfbd1839851137c1f4ed99e27c4e14742e6c7a

SHA256
f9a4a0e91a3b8dd9bc4cef999a36153ee7362f9c5dd636af5eb56f481f05d64f

SHA512
610e0b0c2604b292f224be2ed497427d6a72010a973220bd2e0c205d5f7df37db47f8b4d32c0d25742b229e3ee7534ee99b98464790137f09b04f5f0894536eb

Download Submit
C:\Windows\System\QDDmMHj.exe

Filesize
5.2MB

MD5
c01e60f3d2c63ac6e04e6b0d3bf062cd

SHA1
6d3ce35976388ece50cdc82ad2581ef3acf1fe1a

SHA256
c71fb17d0443a42e408e6aeec0154905640dc544ec6f64b4728f581980ab0fee

SHA512
c5a9886b4d02ec89d6ea54a5c55bfefbe46d039d14a7e306b738f35b7daef897a95ff28ce86ee49384db64d0695fd6faa23c2b8799042df50d2b3a7c478ee8f2

Download Submit
C:\Windows\System\Qxzhqeq.exe

Filesize
5.2MB

MD5
98a17949aaacbd3595bec0e3113f3c9e

SHA1
8a66b8105161ac7f82e37fb5c5e4202e5934aa96

SHA256
5986019384626f7398a6f07d7e5f48250e8a6bc89a1a6566863123d83c334f12

SHA512
1abab55b572ee70b7f8f925b33fd9ac3bb033f5dcc29110696ae3c904ca40b02d9d6b706e56d37367d87e0c68970c4a59dcf1f00f862f229b556fe507cfc1e19

Download Submit
C:\Windows\System\SrGppzZ.exe

Filesize
5.2MB

MD5
c1ac1fb66640a0f1e3301e6963805bc4

SHA1
6efa3b10d67280d52a048369ffee557c51e7a52a

SHA256
ee32f1177d994ff336470af86e54d852bfefe3e61c680544076e763d94daee95

SHA512
e6520f41f69a8e06916e9cd0e8b0ea1bcd7e94c04a51a4b9282e7dfe27730d8a4d0701e6847df170398c19b5840387dac7bc2d75fd9ae8d20ee8fce2cfae96e9

Download Submit
C:\Windows\System\WieEmvU.exe

Filesize
5.2MB

MD5
6e17039ede505d9d37341f63d708bae9

SHA1
3c9d63f5f657e90da2d8380af4fba9e76360f1e7

SHA256
33e750f387f9cfd9c931e836e9234f2e208df0a32e81e6090e1d52aab8db94e6

SHA512
7e67991fce47cf5ad1dfd2c48abf8b972e7d25075bf0d7c980ab7b8f108909fffa226f783c86301c765c3c6ac7eb01b8d0566182fe1db26eb477166898dad885

Download Submit
C:\Windows\System\aLrGXqd.exe

Filesize
5.2MB

MD5
69a08015faba4c69ed583cabf311d85b

SHA1
56d288a9a51df002c7f0aded7c22ce4a18c5825c

SHA256
cb625087d67a90088a97b1d52603853275c638843d8b6c72aea2b1b1c9204048

SHA512
58ffebc440e3613f558db06c497b2429ce37a4fb0949942cd6a4dd466f79c133ce44ea8550ca090516300fec0f602f97721f6a90d60510c315acaf4238a01860

Download Submit
C:\Windows\System\ahMtxTi.exe

Filesize
5.2MB

MD5
3a25f3f85224e3f943c0480d47b40f0f

SHA1
439ce78d39eb7c8180c6886693cf418a6794dda0

SHA256
9cde61b176d42ca0f4a7b61f418f7392229912d5319f8197313d7b9cc86fd30f

SHA512
459bb882a51d932d4dfbc2a87f8a464467c7fc6b1c720e73b9377a0613e232e6a70fabc3dc3d8b80420fe0b97e9cfbdabf20709efc36f18bb84a1db7051030bf

Download Submit
C:\Windows\System\hjQDMWZ.exe

Filesize
5.2MB

MD5
c6141dbdde7393d9ee2594c49ce630e7

SHA1
48f38634bc282f1a9819e5debcda5a2e82f589c6

SHA256
524439301c222c8068cd3840128bb7e8dc4a6de6fa0633e87d6b94259e57fa0a

SHA512
9f5f6f503597a85dd703ec1b5b35887f8def841ed0bea3f768ce9840bf614aef8618867fe3eda985117f7c4f3e51d915f9dfde76ba32d4dd38b0865958b9d06a

Download Submit
C:\Windows\System\iCzLNlx.exe

Filesize
5.2MB

MD5
3c3ac21cb0b59ff392c735651abf5427

SHA1
5b40edd66a3e6d5198b8dbfdfb56e940e9607cd4

SHA256
7c2c849f0cc036418a8fe220a7aef62e356b19577d080b0403d5ca822a48852b

SHA512
cc23aef707efbd8b25d8cc3701f5028e1321d3bc381099e318a17d2d6d1a84cbdeb111057f371fd2a2f07b1c8b85fb7b55d3832cddaa15285a1232342a7651f1

Download Submit
C:\Windows\System\igQRKMo.exe

Filesize
5.2MB

MD5
2c4e5f0d89348c1eb4a9197096bedc9d

SHA1
47a0bd2d34f9522622c5600d9ea5c5bccf4381df

SHA256
f02371cf2e20030f06d56c01f8a354d19511f4cf9be797ccf2f29eccc1f11bf3

SHA512
8f6c1bd532dea4430cc134b3bbc4ba5d918fae118e9819e4772f5b022a76da17aee59a5bc02a63d3dae4fabeda79054c1f2ac01538e7828f2d16c637c3b6cd0a

Download Submit
C:\Windows\System\juoNGVG.exe

Filesize
5.2MB

MD5
2a3ac22e42f90f779cad5aa865d71fba

SHA1
e5989da7b9df6265a49da67b93a429d900081226

SHA256
300f7e0729b731b6484d175ff1dfe3da190c1e2f3338ae2d4a6dce9da86c348e

SHA512
3c4a07fc026dd90f07a0119af8671b61d390d80c608b8b7ae46168c805048093ce78abcc59e6fbb4cd221070afb398a9f2dd36149f377771b4ce271772e6d381

Download Submit
C:\Windows\System\nqMfQjx.exe

Filesize
5.2MB

MD5
112cbd322c44acb9efbe7538c013ddb3

SHA1
cd2d14a1ec0b2486c17bc8e8886969a41a8d329a

SHA256
28d48858a48e1331e0bfafd19d294fc079d826f5a81ad47ebaef902de11564d5

SHA512
9dd576df2f28cc797fb929bd88f2e190bec8a20a88c18b8c5d7a17cd533d573718bcc1b9d6ec09e2376b2de421ac7c19479b3765f3a5ec979a11b34555c703fe

Download Submit
C:\Windows\System\qRiHsWP.exe

Filesize
5.2MB

MD5
acfd739882914cf223778fc279ae971b

SHA1
9a341140c7f9ca0b0c1edbe40eb63434484c75fb

SHA256
0f8cad0a3ca166d391d80cca7ac0efb3fa45a24600f795831a91c670c71648c2

SHA512
5e5f644b1133bee795aa6ed4321e54348fc319fafe18d71b1558cc0c0b11336d2427b49786506672e5d190d5559e9a789dfe8f52f7796f07152ccb12eb18ca10

Download Submit
C:\Windows\System\rrHcGWb.exe

Filesize
5.2MB

MD5
2028c27688f8d74142e82b68c9c31b8f

SHA1
ab357c051a6648fd326683563c67f6d9300b046e

SHA256
18ab798afa0eb886f0a977d54150b80e9b18ca1913a2f301cde2a865cfeba8c7

SHA512
b18f9e4f0daf7ede163f387117f8fe8a49646e9893e57fe797f2158289d59b5ccce1984b0da89b45aeabba68db180002c4589ef95f81a8bbd76185a1a9f2eed0

Download Submit
C:\Windows\System\uyQxCmR.exe

Filesize
5.2MB

MD5
a6bd0d4d3efbd4aa669dcf10ad9ee1b5

SHA1
f932940ab7a7cc483389e05df75f93e4d01957d3

SHA256
1ed5867833a75ee35576cae0dd456da7c7c431921ddb94768cfa30a1f0c2ca12

SHA512
d26748614c24989f9175e632a9569d87fd2c2b5ed9f68a9b3835bfaa42f8feaf3c3e188bc3c6e7e3d51b34bba9a3a06cbcd5c4c744ea98bab040a5bd54e7ebe6

Download Submit
C:\Windows\System\zQhHpxL.exe

Filesize
5.2MB

MD5
6188236b27ae62608fd66e964a3e9e61

SHA1
68ad22692e34cfd71be1e594f7deae15ad95daf2

SHA256
5ac47f20b37721d89afdf2d2dde52e863ed16f18ed0c0bb8048b376812f3b27c

SHA512
9912c810be10e897802b1f81b9445e4af3a45d1ce437d2f3f193bb7af541b536a182c36f4c5e9450c68e98024b05277f7887063643220c45c5977fbe2bbd89f6

Download Submit
memory/936-140-0x00007FF7DA0E0000-0x00007FF7DA431000-memory.dmp

Filesize
3.3MB

Download
memory/936-89-0x00007FF7DA0E0000-0x00007FF7DA431000-memory.dmp

Filesize
3.3MB

Download
memory/936-235-0x00007FF7DA0E0000-0x00007FF7DA431000-memory.dmp

Filesize
3.3MB

Download
memory/1364-128-0x00007FF6938A0000-0x00007FF693BF1000-memory.dmp

Filesize
3.3MB

Download
memory/1364-260-0x00007FF6938A0000-0x00007FF693BF1000-memory.dmp

Filesize
3.3MB

Download
memory/1396-120-0x00007FF7E4000000-0x00007FF7E4351000-memory.dmp

Filesize
3.3MB

Download
memory/1396-252-0x00007FF7E4000000-0x00007FF7E4351000-memory.dmp

Filesize
3.3MB

Download
memory/1964-94-0x00007FF6E92C0000-0x00007FF6E9611000-memory.dmp

Filesize
3.3MB

Download
memory/1964-240-0x00007FF6E92C0000-0x00007FF6E9611000-memory.dmp

Filesize
3.3MB

Download
memory/2512-138-0x00007FF75E920000-0x00007FF75EC71000-memory.dmp

Filesize
3.3MB

Download
memory/2512-231-0x00007FF75E920000-0x00007FF75EC71000-memory.dmp

Filesize
3.3MB

Download
memory/2512-43-0x00007FF75E920000-0x00007FF75EC71000-memory.dmp

Filesize
3.3MB

Download
memory/2660-123-0x00007FF69A730000-0x00007FF69AA81000-memory.dmp

Filesize
3.3MB

Download
memory/2660-254-0x00007FF69A730000-0x00007FF69AA81000-memory.dmp

Filesize
3.3MB

Download
memory/2844-134-0x00007FF77A710000-0x00007FF77AA61000-memory.dmp

Filesize
3.3MB

Download
memory/2844-212-0x00007FF77A710000-0x00007FF77AA61000-memory.dmp

Filesize
3.3MB

Download
memory/2844-24-0x00007FF77A710000-0x00007FF77AA61000-memory.dmp

Filesize
3.3MB

Download
memory/2884-7-0x00007FF6542A0000-0x00007FF6545F1000-memory.dmp

Filesize
3.3MB

Download
memory/2884-202-0x00007FF6542A0000-0x00007FF6545F1000-memory.dmp

Filesize
3.3MB

Download
memory/2884-129-0x00007FF6542A0000-0x00007FF6545F1000-memory.dmp

Filesize
3.3MB

Download
memory/3000-250-0x00007FF723F40000-0x00007FF724291000-memory.dmp

Filesize
3.3MB

Download
memory/3000-117-0x00007FF723F40000-0x00007FF724291000-memory.dmp

Filesize
3.3MB

Download
memory/3220-208-0x00007FF6EF3F0000-0x00007FF6EF741000-memory.dmp

Filesize
3.3MB

Download
memory/3220-15-0x00007FF6EF3F0000-0x00007FF6EF741000-memory.dmp

Filesize
3.3MB

Download
memory/3220-135-0x00007FF6EF3F0000-0x00007FF6EF741000-memory.dmp

Filesize
3.3MB

Download
memory/3244-232-0x00007FF7522A0000-0x00007FF7525F1000-memory.dmp

Filesize
3.3MB

Download
memory/3244-139-0x00007FF7522A0000-0x00007FF7525F1000-memory.dmp

Filesize
3.3MB

Download
memory/3244-52-0x00007FF7522A0000-0x00007FF7525F1000-memory.dmp

Filesize
3.3MB

Download
memory/3648-42-0x00007FF7678A0000-0x00007FF767BF1000-memory.dmp

Filesize
3.3MB

Download
memory/3648-236-0x00007FF7678A0000-0x00007FF767BF1000-memory.dmp

Filesize
3.3MB

Download
memory/3648-137-0x00007FF7678A0000-0x00007FF767BF1000-memory.dmp

Filesize
3.3MB

Download
memory/4052-153-0x00007FF6E4B30000-0x00007FF6E4E81000-memory.dmp

Filesize
3.3MB

Download
memory/4052-130-0x00007FF6E4B30000-0x00007FF6E4E81000-memory.dmp

Filesize
3.3MB

Download
memory/4052-127-0x00007FF6E4B30000-0x00007FF6E4E81000-memory.dmp

Filesize
3.3MB

Download
memory/4052-0-0x00007FF6E4B30000-0x00007FF6E4E81000-memory.dmp

Filesize
3.3MB

Download
memory/4052-1-0x000002A8DCB50000-0x000002A8DCB60000-memory.dmp

Filesize
64KB

Download
memory/4092-223-0x00007FF76F2B0000-0x00007FF76F601000-memory.dmp

Filesize
3.3MB

Download
memory/4092-32-0x00007FF76F2B0000-0x00007FF76F601000-memory.dmp

Filesize
3.3MB

Download
memory/4092-136-0x00007FF76F2B0000-0x00007FF76F601000-memory.dmp

Filesize
3.3MB

Download
memory/4732-95-0x00007FF6C27C0000-0x00007FF6C2B11000-memory.dmp

Filesize
3.3MB

Download
memory/4732-244-0x00007FF6C27C0000-0x00007FF6C2B11000-memory.dmp

Filesize
3.3MB

Download
memory/4744-258-0x00007FF6C09D0000-0x00007FF6C0D21000-memory.dmp

Filesize
3.3MB

Download
memory/4744-124-0x00007FF6C09D0000-0x00007FF6C0D21000-memory.dmp

Filesize
3.3MB

Download
memory/4760-99-0x00007FF7D8520000-0x00007FF7D8871000-memory.dmp

Filesize
3.3MB

Download
memory/4760-243-0x00007FF7D8520000-0x00007FF7D8871000-memory.dmp

Filesize
3.3MB

Download
memory/4784-116-0x00007FF635AA0000-0x00007FF635DF1000-memory.dmp

Filesize
3.3MB

Download
memory/4784-248-0x00007FF635AA0000-0x00007FF635DF1000-memory.dmp

Filesize
3.3MB

Download
memory/4860-246-0x00007FF7F4AB0000-0x00007FF7F4E01000-memory.dmp

Filesize
3.3MB

Download
memory/4860-109-0x00007FF7F4AB0000-0x00007FF7F4E01000-memory.dmp

Filesize
3.3MB

Download
memory/4972-210-0x00007FF6412B0000-0x00007FF641601000-memory.dmp

Filesize
3.3MB

Download
memory/4972-18-0x00007FF6412B0000-0x00007FF641601000-memory.dmp

Filesize
3.3MB

Download
memory/4972-133-0x00007FF6412B0000-0x00007FF641601000-memory.dmp

Filesize
3.3MB

Download
memory/5036-238-0x00007FF7688D0000-0x00007FF768C21000-memory.dmp

Filesize
3.3MB

Download
memory/5036-119-0x00007FF7688D0000-0x00007FF768C21000-memory.dmp

Filesize
3.3MB

Download
memory/5084-100-0x00007FF6289A0000-0x00007FF628CF1000-memory.dmp

Filesize
3.3MB

Download
memory/5084-256-0x00007FF6289A0000-0x00007FF628CF1000-memory.dmp

Filesize
3.3MB

Download
memory/5084-145-0x00007FF6289A0000-0x00007FF628CF1000-memory.dmp

Filesize
3.3MB

Download