cobaltstrike | 4dfb6e355c06d3ba30bbc53e6a515dcc16c537450e375c767d5752a1534bf29b

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23-09-2024 00:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-23_81c3a749f6e58253b1eeec336b240a54_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

81c3a749f6e58253b1eeec336b240a54
SHA1

ce074767f2e9469d7d7a81c19f1f2fc5cdd81a5c
SHA256

4dfb6e355c06d3ba30bbc53e6a515dcc16c537450e375c767d5752a1534bf29b
SHA512

9788abb2d0b2daff4faf77fec34c42061ac2048d1e0fe4502358466979aef80cb076fc28d07b2f91b7bc7f3f2decb45a581acaf5e1e55a505c904209a77734a9
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lr:RWWBibf56utgpPFotBER/mQ32lUX

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x00080000000234bb-4.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234bf-10.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c0-11.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c1-24.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c4-35.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c5-40.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c6-48.dat	cobalt_reflective_dll
behavioral2/files/0x00080000000234bc-53.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c7-59.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c2-30.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c8-67.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c9-74.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234cb-92.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ce-113.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234cf-119.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d0-126.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234cd-104.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234cc-97.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ca-86.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d1-131.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d2-136.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 46 IoCs

miner

resource	yara_rule
behavioral2/memory/3160-60-0x00007FF748520000-0x00007FF748871000-memory.dmp	xmrig
behavioral2/memory/3952-75-0x00007FF6C3B30000-0x00007FF6C3E81000-memory.dmp	xmrig
behavioral2/memory/1196-68-0x00007FF75C1D0000-0x00007FF75C521000-memory.dmp	xmrig
behavioral2/memory/4960-65-0x00007FF632CA0000-0x00007FF632FF1000-memory.dmp	xmrig
behavioral2/memory/4264-89-0x00007FF6A3A60000-0x00007FF6A3DB1000-memory.dmp	xmrig
behavioral2/memory/3696-103-0x00007FF6B68F0000-0x00007FF6B6C41000-memory.dmp	xmrig
behavioral2/memory/1568-111-0x00007FF76E4D0000-0x00007FF76E821000-memory.dmp	xmrig
behavioral2/memory/1420-118-0x00007FF75A900000-0x00007FF75AC51000-memory.dmp	xmrig
behavioral2/memory/4300-108-0x00007FF651860000-0x00007FF651BB1000-memory.dmp	xmrig
behavioral2/memory/1820-105-0x00007FF6A5A80000-0x00007FF6A5DD1000-memory.dmp	xmrig
behavioral2/memory/948-100-0x00007FF712EB0000-0x00007FF713201000-memory.dmp	xmrig
behavioral2/memory/4812-83-0x00007FF7696E0000-0x00007FF769A31000-memory.dmp	xmrig
behavioral2/memory/3100-79-0x00007FF67A7D0000-0x00007FF67AB21000-memory.dmp	xmrig
behavioral2/memory/3672-128-0x00007FF758440000-0x00007FF758791000-memory.dmp	xmrig
behavioral2/memory/5040-132-0x00007FF7EC300000-0x00007FF7EC651000-memory.dmp	xmrig
behavioral2/memory/1604-141-0x00007FF602BE0000-0x00007FF602F31000-memory.dmp	xmrig
behavioral2/memory/4868-142-0x00007FF68F170000-0x00007FF68F4C1000-memory.dmp	xmrig
behavioral2/memory/4300-146-0x00007FF651860000-0x00007FF651BB1000-memory.dmp	xmrig
behavioral2/memory/3160-143-0x00007FF748520000-0x00007FF748871000-memory.dmp	xmrig
behavioral2/memory/3900-155-0x00007FF6DEAE0000-0x00007FF6DEE31000-memory.dmp	xmrig
behavioral2/memory/4652-157-0x00007FF679A00000-0x00007FF679D51000-memory.dmp	xmrig
behavioral2/memory/4544-160-0x00007FF6E7AF0000-0x00007FF6E7E41000-memory.dmp	xmrig
behavioral2/memory/3400-168-0x00007FF7BDC50000-0x00007FF7BDFA1000-memory.dmp	xmrig
behavioral2/memory/2500-169-0x00007FF6CEB60000-0x00007FF6CEEB1000-memory.dmp	xmrig
behavioral2/memory/3160-170-0x00007FF748520000-0x00007FF748871000-memory.dmp	xmrig
behavioral2/memory/4960-221-0x00007FF632CA0000-0x00007FF632FF1000-memory.dmp	xmrig
behavioral2/memory/1196-223-0x00007FF75C1D0000-0x00007FF75C521000-memory.dmp	xmrig
behavioral2/memory/3952-225-0x00007FF6C3B30000-0x00007FF6C3E81000-memory.dmp	xmrig
behavioral2/memory/3100-227-0x00007FF67A7D0000-0x00007FF67AB21000-memory.dmp	xmrig
behavioral2/memory/4812-235-0x00007FF7696E0000-0x00007FF769A31000-memory.dmp	xmrig
behavioral2/memory/4264-237-0x00007FF6A3A60000-0x00007FF6A3DB1000-memory.dmp	xmrig
behavioral2/memory/948-239-0x00007FF712EB0000-0x00007FF713201000-memory.dmp	xmrig
behavioral2/memory/1820-241-0x00007FF6A5A80000-0x00007FF6A5DD1000-memory.dmp	xmrig
behavioral2/memory/1568-243-0x00007FF76E4D0000-0x00007FF76E821000-memory.dmp	xmrig
behavioral2/memory/1420-245-0x00007FF75A900000-0x00007FF75AC51000-memory.dmp	xmrig
behavioral2/memory/3672-249-0x00007FF758440000-0x00007FF758791000-memory.dmp	xmrig
behavioral2/memory/5040-251-0x00007FF7EC300000-0x00007FF7EC651000-memory.dmp	xmrig
behavioral2/memory/1604-259-0x00007FF602BE0000-0x00007FF602F31000-memory.dmp	xmrig
behavioral2/memory/4868-261-0x00007FF68F170000-0x00007FF68F4C1000-memory.dmp	xmrig
behavioral2/memory/3696-263-0x00007FF6B68F0000-0x00007FF6B6C41000-memory.dmp	xmrig
behavioral2/memory/4300-265-0x00007FF651860000-0x00007FF651BB1000-memory.dmp	xmrig
behavioral2/memory/3900-267-0x00007FF6DEAE0000-0x00007FF6DEE31000-memory.dmp	xmrig
behavioral2/memory/4652-269-0x00007FF679A00000-0x00007FF679D51000-memory.dmp	xmrig
behavioral2/memory/4544-272-0x00007FF6E7AF0000-0x00007FF6E7E41000-memory.dmp	xmrig
behavioral2/memory/2500-277-0x00007FF6CEB60000-0x00007FF6CEEB1000-memory.dmp	xmrig
behavioral2/memory/3400-276-0x00007FF7BDC50000-0x00007FF7BDFA1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4960	yqSwWxn.exe
1196	xQnFMvg.exe
3952	KtnWJSD.exe
3100	xzBQjMi.exe
4812	QntcGDI.exe
4264	tDeuTuj.exe
948	MIHdEGD.exe
1820	yfyxcuZ.exe
1568	kWfDmXn.exe
1420	EHOmCAk.exe
3672	NzmUFiQ.exe
5040	YdNEPHe.exe
1604	HVcFlIc.exe
4868	lNqpgCy.exe
3696	QAwvGtc.exe
4300	GLbwCiL.exe
3900	NYbwyWs.exe
4652	CPcesWD.exe
4544	ahGayLW.exe
3400	bJxObih.exe
2500	GXIwjbz.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3160-0-0x00007FF748520000-0x00007FF748871000-memory.dmp	upx
behavioral2/files/0x00080000000234bb-4.dat	upx
behavioral2/memory/4960-8-0x00007FF632CA0000-0x00007FF632FF1000-memory.dmp	upx
behavioral2/files/0x00070000000234bf-10.dat	upx
behavioral2/files/0x00070000000234c0-11.dat	upx
behavioral2/memory/1196-13-0x00007FF75C1D0000-0x00007FF75C521000-memory.dmp	upx
behavioral2/memory/3952-19-0x00007FF6C3B30000-0x00007FF6C3E81000-memory.dmp	upx
behavioral2/files/0x00070000000234c1-24.dat	upx
behavioral2/memory/3100-26-0x00007FF67A7D0000-0x00007FF67AB21000-memory.dmp	upx
behavioral2/memory/4812-31-0x00007FF7696E0000-0x00007FF769A31000-memory.dmp	upx
behavioral2/files/0x00070000000234c4-35.dat	upx
behavioral2/files/0x00070000000234c5-40.dat	upx
behavioral2/memory/1820-49-0x00007FF6A5A80000-0x00007FF6A5DD1000-memory.dmp	upx
behavioral2/files/0x00070000000234c6-48.dat	upx
behavioral2/files/0x00080000000234bc-53.dat	upx
behavioral2/files/0x00070000000234c7-59.dat	upx
behavioral2/memory/1420-61-0x00007FF75A900000-0x00007FF75AC51000-memory.dmp	upx
behavioral2/memory/3160-60-0x00007FF748520000-0x00007FF748871000-memory.dmp	upx
behavioral2/memory/1568-54-0x00007FF76E4D0000-0x00007FF76E821000-memory.dmp	upx
behavioral2/memory/948-42-0x00007FF712EB0000-0x00007FF713201000-memory.dmp	upx
behavioral2/memory/4264-37-0x00007FF6A3A60000-0x00007FF6A3DB1000-memory.dmp	upx
behavioral2/files/0x00070000000234c2-30.dat	upx
behavioral2/files/0x00070000000234c8-67.dat	upx
behavioral2/files/0x00070000000234c9-74.dat	upx
behavioral2/memory/3952-75-0x00007FF6C3B30000-0x00007FF6C3E81000-memory.dmp	upx
behavioral2/memory/5040-76-0x00007FF7EC300000-0x00007FF7EC651000-memory.dmp	upx
behavioral2/memory/3672-73-0x00007FF758440000-0x00007FF758791000-memory.dmp	upx
behavioral2/memory/1196-68-0x00007FF75C1D0000-0x00007FF75C521000-memory.dmp	upx
behavioral2/memory/4960-65-0x00007FF632CA0000-0x00007FF632FF1000-memory.dmp	upx
behavioral2/memory/1604-84-0x00007FF602BE0000-0x00007FF602F31000-memory.dmp	upx
behavioral2/files/0x00070000000234cb-92.dat	upx
behavioral2/memory/4868-91-0x00007FF68F170000-0x00007FF68F4C1000-memory.dmp	upx
behavioral2/memory/4264-89-0x00007FF6A3A60000-0x00007FF6A3DB1000-memory.dmp	upx
behavioral2/memory/3696-103-0x00007FF6B68F0000-0x00007FF6B6C41000-memory.dmp	upx
behavioral2/memory/1568-111-0x00007FF76E4D0000-0x00007FF76E821000-memory.dmp	upx
behavioral2/files/0x00070000000234ce-113.dat	upx
behavioral2/memory/4652-121-0x00007FF679A00000-0x00007FF679D51000-memory.dmp	upx
behavioral2/files/0x00070000000234cf-119.dat	upx
behavioral2/memory/4544-125-0x00007FF6E7AF0000-0x00007FF6E7E41000-memory.dmp	upx
behavioral2/files/0x00070000000234d0-126.dat	upx
behavioral2/memory/1420-118-0x00007FF75A900000-0x00007FF75AC51000-memory.dmp	upx
behavioral2/memory/3900-112-0x00007FF6DEAE0000-0x00007FF6DEE31000-memory.dmp	upx
behavioral2/memory/4300-108-0x00007FF651860000-0x00007FF651BB1000-memory.dmp	upx
behavioral2/memory/1820-105-0x00007FF6A5A80000-0x00007FF6A5DD1000-memory.dmp	upx
behavioral2/files/0x00070000000234cd-104.dat	upx
behavioral2/memory/948-100-0x00007FF712EB0000-0x00007FF713201000-memory.dmp	upx
behavioral2/files/0x00070000000234cc-97.dat	upx
behavioral2/files/0x00070000000234ca-86.dat	upx
behavioral2/memory/4812-83-0x00007FF7696E0000-0x00007FF769A31000-memory.dmp	upx
behavioral2/memory/3100-79-0x00007FF67A7D0000-0x00007FF67AB21000-memory.dmp	upx
behavioral2/memory/3672-128-0x00007FF758440000-0x00007FF758791000-memory.dmp	upx
behavioral2/files/0x00070000000234d1-131.dat	upx
behavioral2/files/0x00070000000234d2-136.dat	upx
behavioral2/memory/2500-137-0x00007FF6CEB60000-0x00007FF6CEEB1000-memory.dmp	upx
behavioral2/memory/3400-133-0x00007FF7BDC50000-0x00007FF7BDFA1000-memory.dmp	upx
behavioral2/memory/5040-132-0x00007FF7EC300000-0x00007FF7EC651000-memory.dmp	upx
behavioral2/memory/1604-141-0x00007FF602BE0000-0x00007FF602F31000-memory.dmp	upx
behavioral2/memory/4868-142-0x00007FF68F170000-0x00007FF68F4C1000-memory.dmp	upx
behavioral2/memory/4300-146-0x00007FF651860000-0x00007FF651BB1000-memory.dmp	upx
behavioral2/memory/3160-143-0x00007FF748520000-0x00007FF748871000-memory.dmp	upx
behavioral2/memory/3900-155-0x00007FF6DEAE0000-0x00007FF6DEE31000-memory.dmp	upx
behavioral2/memory/4652-157-0x00007FF679A00000-0x00007FF679D51000-memory.dmp	upx
behavioral2/memory/4544-160-0x00007FF6E7AF0000-0x00007FF6E7E41000-memory.dmp	upx
behavioral2/memory/3400-168-0x00007FF7BDC50000-0x00007FF7BDFA1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\kWfDmXn.exe	2024-09-23_81c3a749f6e58253b1eeec336b240a54_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HVcFlIc.exe	2024-09-23_81c3a749f6e58253b1eeec336b240a54_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QAwvGtc.exe	2024-09-23_81c3a749f6e58253b1eeec336b240a54_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yqSwWxn.exe	2024-09-23_81c3a749f6e58253b1eeec336b240a54_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xQnFMvg.exe	2024-09-23_81c3a749f6e58253b1eeec336b240a54_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xzBQjMi.exe	2024-09-23_81c3a749f6e58253b1eeec336b240a54_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QntcGDI.exe	2024-09-23_81c3a749f6e58253b1eeec336b240a54_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tDeuTuj.exe	2024-09-23_81c3a749f6e58253b1eeec336b240a54_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NYbwyWs.exe	2024-09-23_81c3a749f6e58253b1eeec336b240a54_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NzmUFiQ.exe	2024-09-23_81c3a749f6e58253b1eeec336b240a54_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ahGayLW.exe	2024-09-23_81c3a749f6e58253b1eeec336b240a54_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bJxObih.exe	2024-09-23_81c3a749f6e58253b1eeec336b240a54_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YdNEPHe.exe	2024-09-23_81c3a749f6e58253b1eeec336b240a54_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GLbwCiL.exe	2024-09-23_81c3a749f6e58253b1eeec336b240a54_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CPcesWD.exe	2024-09-23_81c3a749f6e58253b1eeec336b240a54_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GXIwjbz.exe	2024-09-23_81c3a749f6e58253b1eeec336b240a54_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KtnWJSD.exe	2024-09-23_81c3a749f6e58253b1eeec336b240a54_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MIHdEGD.exe	2024-09-23_81c3a749f6e58253b1eeec336b240a54_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yfyxcuZ.exe	2024-09-23_81c3a749f6e58253b1eeec336b240a54_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EHOmCAk.exe	2024-09-23_81c3a749f6e58253b1eeec336b240a54_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lNqpgCy.exe	2024-09-23_81c3a749f6e58253b1eeec336b240a54_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3160	2024-09-23_81c3a749f6e58253b1eeec336b240a54_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	3160	2024-09-23_81c3a749f6e58253b1eeec336b240a54_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3160 wrote to memory of 4960	3160	2024-09-23_81c3a749f6e58253b1eeec336b240a54_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 3160 wrote to memory of 4960	3160	2024-09-23_81c3a749f6e58253b1eeec336b240a54_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 3160 wrote to memory of 1196	3160	2024-09-23_81c3a749f6e58253b1eeec336b240a54_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3160 wrote to memory of 1196	3160	2024-09-23_81c3a749f6e58253b1eeec336b240a54_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3160 wrote to memory of 3952	3160	2024-09-23_81c3a749f6e58253b1eeec336b240a54_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3160 wrote to memory of 3952	3160	2024-09-23_81c3a749f6e58253b1eeec336b240a54_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3160 wrote to memory of 3100	3160	2024-09-23_81c3a749f6e58253b1eeec336b240a54_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3160 wrote to memory of 3100	3160	2024-09-23_81c3a749f6e58253b1eeec336b240a54_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3160 wrote to memory of 4812	3160	2024-09-23_81c3a749f6e58253b1eeec336b240a54_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3160 wrote to memory of 4812	3160	2024-09-23_81c3a749f6e58253b1eeec336b240a54_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3160 wrote to memory of 4264	3160	2024-09-23_81c3a749f6e58253b1eeec336b240a54_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3160 wrote to memory of 4264	3160	2024-09-23_81c3a749f6e58253b1eeec336b240a54_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3160 wrote to memory of 948	3160	2024-09-23_81c3a749f6e58253b1eeec336b240a54_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3160 wrote to memory of 948	3160	2024-09-23_81c3a749f6e58253b1eeec336b240a54_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3160 wrote to memory of 1820	3160	2024-09-23_81c3a749f6e58253b1eeec336b240a54_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3160 wrote to memory of 1820	3160	2024-09-23_81c3a749f6e58253b1eeec336b240a54_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3160 wrote to memory of 1568	3160	2024-09-23_81c3a749f6e58253b1eeec336b240a54_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3160 wrote to memory of 1568	3160	2024-09-23_81c3a749f6e58253b1eeec336b240a54_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3160 wrote to memory of 1420	3160	2024-09-23_81c3a749f6e58253b1eeec336b240a54_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3160 wrote to memory of 1420	3160	2024-09-23_81c3a749f6e58253b1eeec336b240a54_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3160 wrote to memory of 3672	3160	2024-09-23_81c3a749f6e58253b1eeec336b240a54_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3160 wrote to memory of 3672	3160	2024-09-23_81c3a749f6e58253b1eeec336b240a54_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3160 wrote to memory of 5040	3160	2024-09-23_81c3a749f6e58253b1eeec336b240a54_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3160 wrote to memory of 5040	3160	2024-09-23_81c3a749f6e58253b1eeec336b240a54_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3160 wrote to memory of 1604	3160	2024-09-23_81c3a749f6e58253b1eeec336b240a54_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3160 wrote to memory of 1604	3160	2024-09-23_81c3a749f6e58253b1eeec336b240a54_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3160 wrote to memory of 4868	3160	2024-09-23_81c3a749f6e58253b1eeec336b240a54_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3160 wrote to memory of 4868	3160	2024-09-23_81c3a749f6e58253b1eeec336b240a54_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3160 wrote to memory of 3696	3160	2024-09-23_81c3a749f6e58253b1eeec336b240a54_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3160 wrote to memory of 3696	3160	2024-09-23_81c3a749f6e58253b1eeec336b240a54_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3160 wrote to memory of 4300	3160	2024-09-23_81c3a749f6e58253b1eeec336b240a54_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3160 wrote to memory of 4300	3160	2024-09-23_81c3a749f6e58253b1eeec336b240a54_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3160 wrote to memory of 3900	3160	2024-09-23_81c3a749f6e58253b1eeec336b240a54_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3160 wrote to memory of 3900	3160	2024-09-23_81c3a749f6e58253b1eeec336b240a54_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3160 wrote to memory of 4652	3160	2024-09-23_81c3a749f6e58253b1eeec336b240a54_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3160 wrote to memory of 4652	3160	2024-09-23_81c3a749f6e58253b1eeec336b240a54_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3160 wrote to memory of 4544	3160	2024-09-23_81c3a749f6e58253b1eeec336b240a54_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3160 wrote to memory of 4544	3160	2024-09-23_81c3a749f6e58253b1eeec336b240a54_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3160 wrote to memory of 3400	3160	2024-09-23_81c3a749f6e58253b1eeec336b240a54_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3160 wrote to memory of 3400	3160	2024-09-23_81c3a749f6e58253b1eeec336b240a54_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3160 wrote to memory of 2500	3160	2024-09-23_81c3a749f6e58253b1eeec336b240a54_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3160 wrote to memory of 2500	3160	2024-09-23_81c3a749f6e58253b1eeec336b240a54_cobalt-strike_cobaltstrike_poet-rat.exe	103

C:\Users\Admin\AppData\Local\Temp\2024-09-23_81c3a749f6e58253b1eeec336b240a54_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-23_81c3a749f6e58253b1eeec336b240a54_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3160
- C:\Windows\System\yqSwWxn.exe
  C:\Windows\System\yqSwWxn.exe
  2⤵
  - Executes dropped EXE
  PID:4960
- C:\Windows\System\xQnFMvg.exe
  C:\Windows\System\xQnFMvg.exe
  2⤵
  - Executes dropped EXE
  PID:1196
- C:\Windows\System\KtnWJSD.exe
  C:\Windows\System\KtnWJSD.exe
  2⤵
  - Executes dropped EXE
  PID:3952
- C:\Windows\System\xzBQjMi.exe
  C:\Windows\System\xzBQjMi.exe
  2⤵
  - Executes dropped EXE
  PID:3100
- C:\Windows\System\QntcGDI.exe
  C:\Windows\System\QntcGDI.exe
  2⤵
  - Executes dropped EXE
  PID:4812
- C:\Windows\System\tDeuTuj.exe
  C:\Windows\System\tDeuTuj.exe
  2⤵
  - Executes dropped EXE
  PID:4264
- C:\Windows\System\MIHdEGD.exe
  C:\Windows\System\MIHdEGD.exe
  2⤵
  - Executes dropped EXE
  PID:948
- C:\Windows\System\yfyxcuZ.exe
  C:\Windows\System\yfyxcuZ.exe
  2⤵
  - Executes dropped EXE
  PID:1820
- C:\Windows\System\kWfDmXn.exe
  C:\Windows\System\kWfDmXn.exe
  2⤵
  - Executes dropped EXE
  PID:1568
- C:\Windows\System\EHOmCAk.exe
  C:\Windows\System\EHOmCAk.exe
  2⤵
  - Executes dropped EXE
  PID:1420
- C:\Windows\System\NzmUFiQ.exe
  C:\Windows\System\NzmUFiQ.exe
  2⤵
  - Executes dropped EXE
  PID:3672
- C:\Windows\System\YdNEPHe.exe
  C:\Windows\System\YdNEPHe.exe
  2⤵
  - Executes dropped EXE
  PID:5040
- C:\Windows\System\HVcFlIc.exe
  C:\Windows\System\HVcFlIc.exe
  2⤵
  - Executes dropped EXE
  PID:1604
- C:\Windows\System\lNqpgCy.exe
  C:\Windows\System\lNqpgCy.exe
  2⤵
  - Executes dropped EXE
  PID:4868
- C:\Windows\System\QAwvGtc.exe
  C:\Windows\System\QAwvGtc.exe
  2⤵
  - Executes dropped EXE
  PID:3696
- C:\Windows\System\GLbwCiL.exe
  C:\Windows\System\GLbwCiL.exe
  2⤵
  - Executes dropped EXE
  PID:4300
- C:\Windows\System\NYbwyWs.exe
  C:\Windows\System\NYbwyWs.exe
  2⤵
  - Executes dropped EXE
  PID:3900
- C:\Windows\System\CPcesWD.exe
  C:\Windows\System\CPcesWD.exe
  2⤵
  - Executes dropped EXE
  PID:4652
- C:\Windows\System\ahGayLW.exe
  C:\Windows\System\ahGayLW.exe
  2⤵
  - Executes dropped EXE
  PID:4544
- C:\Windows\System\bJxObih.exe
  C:\Windows\System\bJxObih.exe
  2⤵
  - Executes dropped EXE
  PID:3400
- C:\Windows\System\GXIwjbz.exe
  C:\Windows\System\GXIwjbz.exe
  2⤵
  - Executes dropped EXE
  PID:2500

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\CPcesWD.exe

Filesize
5.2MB

MD5
532e5271253879d8b4614e412916273a

SHA1
d52d6efad426c2af9f0bed5d7856fa0db39b1d8a

SHA256
33f879fbbecea095dd784d3ecac84f75aed11f70d7eb729ffb2fd8b953de2f90

SHA512
49ff4317ecf683b9dd1eac23a5a8bbadc1ac516325c19411723c2d191afdd4097a4b97c6e6f67335f3e8ea624025893cd848bf51857a7616bf809986528afe7a

Download Submit
C:\Windows\System\EHOmCAk.exe

Filesize
5.2MB

MD5
67aacd44e7aab071d72cdb574122c0c7

SHA1
e0515db3bf909210b0780e1ecfafb17a7c42b8c7

SHA256
873a0cfe528a2fe9fad05f2df83d9e1607f020796e3156764fae1cef817696fe

SHA512
6098a2fb67d009ea0e36d1f0109d4082b2ae8b9df6660d1231e306d5eb9186ed9653a24a1be610572046cba79841cceaae6749d59475e31515f4bdaa9846edba

Download Submit
C:\Windows\System\GLbwCiL.exe

Filesize
5.2MB

MD5
68a10e223d40ed78b8374a5bbf2ae266

SHA1
1655ecb9f1f07a13b1ee63ffe0b39485d7b475a9

SHA256
16e8cb563cc8a359e21ead0ad3ef7ac0a7663e57aae77f8bb915070fb2804013

SHA512
c7bb8b27fd11b9b2cd1c8306cd7fbaa627a17f5eba6c834b7c544749162dee0ded48ccf88e0c93b9435717e47930378f3a82973b27c10d8294d69a8a5c253649

Download Submit
C:\Windows\System\GXIwjbz.exe

Filesize
5.2MB

MD5
e8995d6e5d8134aec3304e785bb51c47

SHA1
5b263e67312b43fa8a49b3a2fc6a895e673deee4

SHA256
994eefd663a33a460cd3f0902b1a29b8183fd6046cf97e47d13a492f1f9866fb

SHA512
155372f8eb236a1e7a54bede49875e3ad913652f78c94fc4eee97bc87e0fcd2242dea34380aaa1611470b71c9cd13502df83a9bc8476bc1ffd771392501bedcf

Download Submit
C:\Windows\System\HVcFlIc.exe

Filesize
5.2MB

MD5
992fb852abdf2d23b2ef72c03092e54b

SHA1
051542599bfd2dc1c90bdfbe4d3c43874b9e2a26

SHA256
b72e464d7e8009fa397d066543863d9a2e661053810577d28615040121d533a4

SHA512
0b02030be6150ff1c92b8bebab1c2941e04cf584e87fcb296eb2ceef8a21a1aef556166e65fa6d76c3f4ccb0fb1a7690bc187e29f82897f949e33293bd9a51a7

Download Submit
C:\Windows\System\KtnWJSD.exe

Filesize
5.2MB

MD5
9f033a818358686df2bad6afc83a1eb0

SHA1
395f3e451f3bc0aa4619683fd89ccdf003c572e4

SHA256
f2398551b6d3a9461e6df7975753be6bc8a7f1be3f904715c299c6eb60a9bcb4

SHA512
a26f5f636eda7ac937ebe5f331c5f4003348a859966fd73f31f5739308f39773370730d80924620fb545ad9a0457128dec11697d3bdbf04328d57c3fd93625eb

Download Submit
C:\Windows\System\MIHdEGD.exe

Filesize
5.2MB

MD5
d1585f432e32d7b4ee2b3425cdfc2427

SHA1
f6247ccdc7949f1e4386c2dbac330855ed4c2d2c

SHA256
ce5232ade466ca6ff75a113ab6fd6c15852719607b209adbe68bbe0cbfff19f7

SHA512
eb4347f68821abca17cf97b1f87d179b4f968e3452d303969d106e7d4e228420fd729df2dcccb7d9664b5572d810db99629d56f08fd9df630a9516ca3f2326de

Download Submit
C:\Windows\System\NYbwyWs.exe

Filesize
5.2MB

MD5
8112977a0e86f98d1cc74b60375acc30

SHA1
82a17b74dcb228099fb270c3ca187da2af03ffc0

SHA256
394185c5eced9aba4f87f70f01731e42390fe72c727477b547b65324ae960370

SHA512
67148910da10c05fb716ec87a8a8fab4ccedf150c96b8859f522089f34ffc230222078b35dbbb6a68d543fb637bab1cd0fb0406f972325157cf4908e154391d9

Download Submit
C:\Windows\System\NzmUFiQ.exe

Filesize
5.2MB

MD5
af1a64d134417c0cd0cb203648ac86c1

SHA1
666cf6815d10ed7643e9e8416439a4854b58a1e0

SHA256
b683690ed3d4846f33805720e01d7e3a46812239afa1d763503f796f8fd2dacc

SHA512
bc2f0fed91038f1358b61b7eafbbfa0ff4acd932f98143e59cee3e5a6d56e72b7301b228407f06d621ad0dbe917ceaf65bd8870bd9a5d2d2e1c3ed745849d2d3

Download Submit
C:\Windows\System\QAwvGtc.exe

Filesize
5.2MB

MD5
1c6f44f3e78cf3f2121e173b9799a07e

SHA1
e8e1804e821e98e8c21be07b92092e786c6f7829

SHA256
c9da6d4191ee1370eebf46e0faf0d9bf52260e931ef859c380e5a84f64bcd244

SHA512
251e888e68be2beb0239530b6af0e004deda0e65d8187975bafebfea4123a1243205bd2d8446006f354583df5992ab89fe0af3675e4e2115d4afe06bacfc014e

Download Submit
C:\Windows\System\QntcGDI.exe

Filesize
5.2MB

MD5
ca4d73814883c43ff59b11b186f58a7a

SHA1
6a4d3b1976695feb744a3a46ec78817d8ef6c957

SHA256
c9f1daf98782d29122f660cbd06a5e2f0b233bb2a69c4cd0ff5783ab55507330

SHA512
cf0919bb72bee5c642d4ed559907f3760ab6bd9a25152d51dd7ddc207074f7ae8f583f8255b3d2014ca7b6b0dca1733cd5adbeed8abd2059e8def8a01aea79c1

Download Submit
C:\Windows\System\YdNEPHe.exe

Filesize
5.2MB

MD5
f546d2e251dd68d411ba721929b80c41

SHA1
770f3d7289b827ddfa153416190dd4aaaa1f9bf7

SHA256
f65f0679dad554d8bedefeac20ce3d85e463a8507a48f43c6c9fd3142fdc6f46

SHA512
2a0986108302f80570fd358c47feb5255b902cc37a6d2478b86762ccf1aa4c263d396cae80565c61c00c09e8004768bd3b5ad152d8a92d71e3fa6ed303c26678

Download Submit
C:\Windows\System\ahGayLW.exe

Filesize
5.2MB

MD5
9c983f69b568c2b30171495ad136652d

SHA1
02ce04b6b5b4f1cdf5aa95f9a66d63dc6bb2bc08

SHA256
d7a224db986ee0fab55103aff94cb8eae033ba80b3b7e1afd0f799704f8fff62

SHA512
852e3aa8f2865e6e70d522b9d6e4eea1d174dafdd6c343c4d709bca8048fc02b084e8bbd61d04ea3bc55e5a507a3c1747961a2bf0209bdd7c1b20ede0bafa561

Download Submit
C:\Windows\System\bJxObih.exe

Filesize
5.2MB

MD5
b177566e3a45f49b4038d2bb89842756

SHA1
3f67096c6be6390ee6cf89b90f443f710cf587f7

SHA256
1b5ea77f28ee3d62bf0171ba3d53a60bb2b0f7d774b6be9a9f7c2b0a9f0beaa4

SHA512
59c5f66b7e90fd6322cf37c3c08441bd7cbc2cd8d698a70244ac852b48a00c6287fb502d01d767f14dd51957f54ae3bd6f39a698ad53c2e03e41f4f6544c673f

Download Submit
C:\Windows\System\kWfDmXn.exe

Filesize
5.2MB

MD5
9330c946f7e545413f45d46f231802dd

SHA1
ee80e83bb7fd49df7b60370b3c8d9e01e83329f6

SHA256
48555729f70b51849262d24035474b0fddd61356cca24aa1a537c0edc2c6f0dd

SHA512
22cfd32562835ba82decc6ad2bdcef4530bfcb95df84420043b6ab6d293fe7f5e0e680a0698bb2bc7240c02067e1a3b940fa83777765001466c736aa7a3c1ac0

Download Submit
C:\Windows\System\lNqpgCy.exe

Filesize
5.2MB

MD5
b821f057bb9ef6be6e2602f9f97ce53f

SHA1
74d2b37e44ebdba23ecf43b070327ac2e161068c

SHA256
af9480d1d48d60bfcedaf472d5b760822fb6c31562754083f4d1588d2c72a6fb

SHA512
48fc45fc2f102fd414caf426cb4c310ce8c5ea757032de294805b7b46c5de12c67dcd713e3a8260320575ab496ff0a31890081d37803957c2b3c6ce8fdcd0bc4

Download Submit
C:\Windows\System\tDeuTuj.exe

Filesize
5.2MB

MD5
04885b954d75d81a30f946204ebf3a8c

SHA1
6c7dc547b8e87c0ea9eef61a21a96ee58a767e81

SHA256
210ceddf208c56479649f7ae05f01b897f3617e525fe4ac1a7a96bee2c375243

SHA512
442e9090397c2188c26a3c0b9f9d44c0b22f851d15829c418688b1d73f98ce1eb3b5432efd701a0ba3856e6791da6fc92a586a231bd7d9a86352b55933f87af3

Download Submit
C:\Windows\System\xQnFMvg.exe

Filesize
5.2MB

MD5
a2014d636faa32ffc27b48e745c6293e

SHA1
8ee9c29c4189ff3646f01fba647e6b9475786a22

SHA256
28a2294c4cbd4fec66a11d48f82f8a6b80c5895c2a7bae200a876ff013de95bf

SHA512
97a927b36cf869faff43b7e2199e7cf0c54e94d276b7468ca3e7b43643713c4dabc209e1bd9e8cb5776a6303af088fb129d72f7f4117239df858e222b4f4fdca

Download Submit
C:\Windows\System\xzBQjMi.exe

Filesize
5.2MB

MD5
ecc1b7968a4192b6258b45f5292feab1

SHA1
c1f3aa422be5ce97c552dbcaa8397dde7af2fc2b

SHA256
3810d2b98480d2cac4f6cc3ebe83f5d151a2bc0ea6cd097626c600506904ed54

SHA512
43a4d1244bf674eb08216dc98b7e829b877a84d021fbfc6abccbb450dfd1c8c88137d9001c8a948a54872e781866a417690c9f59dbefc280187b2588bc724d89

Download Submit
C:\Windows\System\yfyxcuZ.exe

Filesize
5.2MB

MD5
6a0e970b3f34aeea41dcebcf7911b773

SHA1
1971bb61bde6d44da59c9d654e80a2262f419d58

SHA256
926bfbc5f1518a5ed051ef511e62ba68f9bc60b97383393b2d54c457332209d2

SHA512
dfe3dea15681316efb11125befef6ea3e3b66dd440a45c717e800e7158caa64ee0811f1a9a3877d595930b7603342496bb10836f12cf31240fa35329aa13b654

Download Submit
C:\Windows\System\yqSwWxn.exe

Filesize
5.2MB

MD5
6a9685bd33cdf7a0479158fa4eb75104

SHA1
b00d7702ec3b9c2f7716bcc4042c119184fa17e3

SHA256
326adaba9e71748412eae7ad711dc9159ae85eef3cf93d4639d68c4d28e4e8c2

SHA512
9dafafdadff9631566c5214b07e6e25ae236b11f4d0718905903885c62b5fc2871fca8c644f14d3a09466f83d8760caba8cc415aebaa750feffcd3812cf4ff1e

Download Submit
memory/948-239-0x00007FF712EB0000-0x00007FF713201000-memory.dmp

Filesize
3.3MB

Download
memory/948-100-0x00007FF712EB0000-0x00007FF713201000-memory.dmp

Filesize
3.3MB

Download
memory/948-42-0x00007FF712EB0000-0x00007FF713201000-memory.dmp

Filesize
3.3MB

Download
memory/1196-13-0x00007FF75C1D0000-0x00007FF75C521000-memory.dmp

Filesize
3.3MB

Download
memory/1196-223-0x00007FF75C1D0000-0x00007FF75C521000-memory.dmp

Filesize
3.3MB

Download
memory/1196-68-0x00007FF75C1D0000-0x00007FF75C521000-memory.dmp

Filesize
3.3MB

Download
memory/1420-61-0x00007FF75A900000-0x00007FF75AC51000-memory.dmp

Filesize
3.3MB

Download
memory/1420-118-0x00007FF75A900000-0x00007FF75AC51000-memory.dmp

Filesize
3.3MB

Download
memory/1420-245-0x00007FF75A900000-0x00007FF75AC51000-memory.dmp

Filesize
3.3MB

Download
memory/1568-243-0x00007FF76E4D0000-0x00007FF76E821000-memory.dmp

Filesize
3.3MB

Download
memory/1568-54-0x00007FF76E4D0000-0x00007FF76E821000-memory.dmp

Filesize
3.3MB

Download
memory/1568-111-0x00007FF76E4D0000-0x00007FF76E821000-memory.dmp

Filesize
3.3MB

Download
memory/1604-141-0x00007FF602BE0000-0x00007FF602F31000-memory.dmp

Filesize
3.3MB

Download
memory/1604-84-0x00007FF602BE0000-0x00007FF602F31000-memory.dmp

Filesize
3.3MB

Download
memory/1604-259-0x00007FF602BE0000-0x00007FF602F31000-memory.dmp

Filesize
3.3MB

Download
memory/1820-105-0x00007FF6A5A80000-0x00007FF6A5DD1000-memory.dmp

Filesize
3.3MB

Download
memory/1820-241-0x00007FF6A5A80000-0x00007FF6A5DD1000-memory.dmp

Filesize
3.3MB

Download
memory/1820-49-0x00007FF6A5A80000-0x00007FF6A5DD1000-memory.dmp

Filesize
3.3MB

Download
memory/2500-137-0x00007FF6CEB60000-0x00007FF6CEEB1000-memory.dmp

Filesize
3.3MB

Download
memory/2500-277-0x00007FF6CEB60000-0x00007FF6CEEB1000-memory.dmp

Filesize
3.3MB

Download
memory/2500-169-0x00007FF6CEB60000-0x00007FF6CEEB1000-memory.dmp

Filesize
3.3MB

Download
memory/3100-26-0x00007FF67A7D0000-0x00007FF67AB21000-memory.dmp

Filesize
3.3MB

Download
memory/3100-227-0x00007FF67A7D0000-0x00007FF67AB21000-memory.dmp

Filesize
3.3MB

Download
memory/3100-79-0x00007FF67A7D0000-0x00007FF67AB21000-memory.dmp

Filesize
3.3MB

Download
memory/3160-60-0x00007FF748520000-0x00007FF748871000-memory.dmp

Filesize
3.3MB

Download
memory/3160-0-0x00007FF748520000-0x00007FF748871000-memory.dmp

Filesize
3.3MB

Download
memory/3160-1-0x0000027CA4240000-0x0000027CA4250000-memory.dmp

Filesize
64KB

Download
memory/3160-143-0x00007FF748520000-0x00007FF748871000-memory.dmp

Filesize
3.3MB

Download
memory/3160-170-0x00007FF748520000-0x00007FF748871000-memory.dmp

Filesize
3.3MB

Download
memory/3400-168-0x00007FF7BDC50000-0x00007FF7BDFA1000-memory.dmp

Filesize
3.3MB

Download
memory/3400-133-0x00007FF7BDC50000-0x00007FF7BDFA1000-memory.dmp

Filesize
3.3MB

Download
memory/3400-276-0x00007FF7BDC50000-0x00007FF7BDFA1000-memory.dmp

Filesize
3.3MB

Download
memory/3672-73-0x00007FF758440000-0x00007FF758791000-memory.dmp

Filesize
3.3MB

Download
memory/3672-128-0x00007FF758440000-0x00007FF758791000-memory.dmp

Filesize
3.3MB

Download
memory/3672-249-0x00007FF758440000-0x00007FF758791000-memory.dmp

Filesize
3.3MB

Download
memory/3696-263-0x00007FF6B68F0000-0x00007FF6B6C41000-memory.dmp

Filesize
3.3MB

Download
memory/3696-103-0x00007FF6B68F0000-0x00007FF6B6C41000-memory.dmp

Filesize
3.3MB

Download
memory/3900-155-0x00007FF6DEAE0000-0x00007FF6DEE31000-memory.dmp

Filesize
3.3MB

Download
memory/3900-112-0x00007FF6DEAE0000-0x00007FF6DEE31000-memory.dmp

Filesize
3.3MB

Download
memory/3900-267-0x00007FF6DEAE0000-0x00007FF6DEE31000-memory.dmp

Filesize
3.3MB

Download
memory/3952-225-0x00007FF6C3B30000-0x00007FF6C3E81000-memory.dmp

Filesize
3.3MB

Download
memory/3952-75-0x00007FF6C3B30000-0x00007FF6C3E81000-memory.dmp

Filesize
3.3MB

Download
memory/3952-19-0x00007FF6C3B30000-0x00007FF6C3E81000-memory.dmp

Filesize
3.3MB

Download
memory/4264-89-0x00007FF6A3A60000-0x00007FF6A3DB1000-memory.dmp

Filesize
3.3MB

Download
memory/4264-37-0x00007FF6A3A60000-0x00007FF6A3DB1000-memory.dmp

Filesize
3.3MB

Download
memory/4264-237-0x00007FF6A3A60000-0x00007FF6A3DB1000-memory.dmp

Filesize
3.3MB

Download
memory/4300-146-0x00007FF651860000-0x00007FF651BB1000-memory.dmp

Filesize
3.3MB

Download
memory/4300-108-0x00007FF651860000-0x00007FF651BB1000-memory.dmp

Filesize
3.3MB

Download
memory/4300-265-0x00007FF651860000-0x00007FF651BB1000-memory.dmp

Filesize
3.3MB

Download
memory/4544-125-0x00007FF6E7AF0000-0x00007FF6E7E41000-memory.dmp

Filesize
3.3MB

Download
memory/4544-272-0x00007FF6E7AF0000-0x00007FF6E7E41000-memory.dmp

Filesize
3.3MB

Download
memory/4544-160-0x00007FF6E7AF0000-0x00007FF6E7E41000-memory.dmp

Filesize
3.3MB

Download
memory/4652-121-0x00007FF679A00000-0x00007FF679D51000-memory.dmp

Filesize
3.3MB

Download
memory/4652-269-0x00007FF679A00000-0x00007FF679D51000-memory.dmp

Filesize
3.3MB

Download
memory/4652-157-0x00007FF679A00000-0x00007FF679D51000-memory.dmp

Filesize
3.3MB

Download
memory/4812-235-0x00007FF7696E0000-0x00007FF769A31000-memory.dmp

Filesize
3.3MB

Download
memory/4812-31-0x00007FF7696E0000-0x00007FF769A31000-memory.dmp

Filesize
3.3MB

Download
memory/4812-83-0x00007FF7696E0000-0x00007FF769A31000-memory.dmp

Filesize
3.3MB

Download
memory/4868-261-0x00007FF68F170000-0x00007FF68F4C1000-memory.dmp

Filesize
3.3MB

Download
memory/4868-91-0x00007FF68F170000-0x00007FF68F4C1000-memory.dmp

Filesize
3.3MB

Download
memory/4868-142-0x00007FF68F170000-0x00007FF68F4C1000-memory.dmp

Filesize
3.3MB

Download
memory/4960-8-0x00007FF632CA0000-0x00007FF632FF1000-memory.dmp

Filesize
3.3MB

Download
memory/4960-65-0x00007FF632CA0000-0x00007FF632FF1000-memory.dmp

Filesize
3.3MB

Download
memory/4960-221-0x00007FF632CA0000-0x00007FF632FF1000-memory.dmp

Filesize
3.3MB

Download
memory/5040-251-0x00007FF7EC300000-0x00007FF7EC651000-memory.dmp

Filesize
3.3MB

Download
memory/5040-76-0x00007FF7EC300000-0x00007FF7EC651000-memory.dmp

Filesize
3.3MB

Download
memory/5040-132-0x00007FF7EC300000-0x00007FF7EC651000-memory.dmp

Filesize
3.3MB

Download