cobaltstrike | 53fca9194064ee663272e601c961549355ebbcf1ebe20b1ffbd85914b3455d45

Analysis

max time kernel
140s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23-09-2024 06:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-23_53aeb58d8b6b7b0091d8cdbb1830292e_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

53aeb58d8b6b7b0091d8cdbb1830292e
SHA1

6f46433efdf38c6719935cb2a7e874782cccd040
SHA256

53fca9194064ee663272e601c961549355ebbcf1ebe20b1ffbd85914b3455d45
SHA512

8f4d95c1ae3cb9271527506074dcf5f13b2659aedf2d98823435f843181eaf472a53edee7860d9a3e391e4cfdaa326152a3053ee7db83234da942572dadca7f4
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l7:RWWBibf56utgpPFotBER/mQ32lUv

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x00090000000233e4-5.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023448-10.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023449-27.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002344c-40.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002344b-42.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002344d-57.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002344e-52.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002344f-58.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002344a-36.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023447-13.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023451-78.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023455-84.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023456-97.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023445-109.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023459-126.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023457-124.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023458-117.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023453-96.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023454-92.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023452-82.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023450-76.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/732-47-0x00007FF64DE60000-0x00007FF64E1B1000-memory.dmp	xmrig
behavioral2/memory/1652-119-0x00007FF70CF90000-0x00007FF70D2E1000-memory.dmp	xmrig
behavioral2/memory/2436-121-0x00007FF74FC60000-0x00007FF74FFB1000-memory.dmp	xmrig
behavioral2/memory/4972-120-0x00007FF62BBE0000-0x00007FF62BF31000-memory.dmp	xmrig
behavioral2/memory/4856-128-0x00007FF779900000-0x00007FF779C51000-memory.dmp	xmrig
behavioral2/memory/1576-133-0x00007FF7BCB50000-0x00007FF7BCEA1000-memory.dmp	xmrig
behavioral2/memory/5072-137-0x00007FF72D5E0000-0x00007FF72D931000-memory.dmp	xmrig
behavioral2/memory/3324-141-0x00007FF63EBE0000-0x00007FF63EF31000-memory.dmp	xmrig
behavioral2/memory/3316-142-0x00007FF6BC4A0000-0x00007FF6BC7F1000-memory.dmp	xmrig
behavioral2/memory/760-140-0x00007FF649EF0000-0x00007FF64A241000-memory.dmp	xmrig
behavioral2/memory/2584-138-0x00007FF6F6C10000-0x00007FF6F6F61000-memory.dmp	xmrig
behavioral2/memory/4836-135-0x00007FF6AE950000-0x00007FF6AECA1000-memory.dmp	xmrig
behavioral2/memory/2468-134-0x00007FF7A5550000-0x00007FF7A58A1000-memory.dmp	xmrig
behavioral2/memory/3888-132-0x00007FF743010000-0x00007FF743361000-memory.dmp	xmrig
behavioral2/memory/1780-139-0x00007FF7E7C10000-0x00007FF7E7F61000-memory.dmp	xmrig
behavioral2/memory/4856-129-0x00007FF779900000-0x00007FF779C51000-memory.dmp	xmrig
behavioral2/memory/3056-131-0x00007FF6EE9D0000-0x00007FF6EED21000-memory.dmp	xmrig
behavioral2/memory/1180-130-0x00007FF681130000-0x00007FF681481000-memory.dmp	xmrig
behavioral2/memory/948-147-0x00007FF7B8DB0000-0x00007FF7B9101000-memory.dmp	xmrig
behavioral2/memory/3144-149-0x00007FF6CAA20000-0x00007FF6CAD71000-memory.dmp	xmrig
behavioral2/memory/4868-150-0x00007FF686C10000-0x00007FF686F61000-memory.dmp	xmrig
behavioral2/memory/4220-145-0x00007FF7ABB80000-0x00007FF7ABED1000-memory.dmp	xmrig
behavioral2/memory/1416-143-0x00007FF7432C0000-0x00007FF743611000-memory.dmp	xmrig
behavioral2/memory/4856-151-0x00007FF779900000-0x00007FF779C51000-memory.dmp	xmrig
behavioral2/memory/3056-206-0x00007FF6EE9D0000-0x00007FF6EED21000-memory.dmp	xmrig
behavioral2/memory/1180-205-0x00007FF681130000-0x00007FF681481000-memory.dmp	xmrig
behavioral2/memory/1576-210-0x00007FF7BCB50000-0x00007FF7BCEA1000-memory.dmp	xmrig
behavioral2/memory/3888-209-0x00007FF743010000-0x00007FF743361000-memory.dmp	xmrig
behavioral2/memory/2468-226-0x00007FF7A5550000-0x00007FF7A58A1000-memory.dmp	xmrig
behavioral2/memory/4836-228-0x00007FF6AE950000-0x00007FF6AECA1000-memory.dmp	xmrig
behavioral2/memory/732-230-0x00007FF64DE60000-0x00007FF64E1B1000-memory.dmp	xmrig
behavioral2/memory/2584-232-0x00007FF6F6C10000-0x00007FF6F6F61000-memory.dmp	xmrig
behavioral2/memory/5072-234-0x00007FF72D5E0000-0x00007FF72D931000-memory.dmp	xmrig
behavioral2/memory/3316-239-0x00007FF6BC4A0000-0x00007FF6BC7F1000-memory.dmp	xmrig
behavioral2/memory/1780-242-0x00007FF7E7C10000-0x00007FF7E7F61000-memory.dmp	xmrig
behavioral2/memory/760-241-0x00007FF649EF0000-0x00007FF64A241000-memory.dmp	xmrig
behavioral2/memory/1652-237-0x00007FF70CF90000-0x00007FF70D2E1000-memory.dmp	xmrig
behavioral2/memory/2436-247-0x00007FF74FC60000-0x00007FF74FFB1000-memory.dmp	xmrig
behavioral2/memory/3324-251-0x00007FF63EBE0000-0x00007FF63EF31000-memory.dmp	xmrig
behavioral2/memory/3144-256-0x00007FF6CAA20000-0x00007FF6CAD71000-memory.dmp	xmrig
behavioral2/memory/948-258-0x00007FF7B8DB0000-0x00007FF7B9101000-memory.dmp	xmrig
behavioral2/memory/4868-254-0x00007FF686C10000-0x00007FF686F61000-memory.dmp	xmrig
behavioral2/memory/1416-252-0x00007FF7432C0000-0x00007FF743611000-memory.dmp	xmrig
behavioral2/memory/4220-249-0x00007FF7ABB80000-0x00007FF7ABED1000-memory.dmp	xmrig
behavioral2/memory/4972-245-0x00007FF62BBE0000-0x00007FF62BF31000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
1180	cWQWuzD.exe
3056	IejHQUk.exe
3888	qOzPEUG.exe
1576	QSZaCfz.exe
2468	BvjQAMv.exe
732	wGyvvKi.exe
4836	wDGYHAa.exe
5072	MTqQIzY.exe
2584	PKoHuda.exe
1780	dDjxXZc.exe
760	doZagYn.exe
3316	HEWZMKu.exe
3324	oleJyMB.exe
1416	WLjakdp.exe
1652	gjSAtDl.exe
4220	wvjrOdV.exe
4972	qwNaMGt.exe
948	RnpEbWh.exe
2436	hpyUANM.exe
3144	AJUHroX.exe
4868	yQHQSaZ.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4856-0-0x00007FF779900000-0x00007FF779C51000-memory.dmp	upx
behavioral2/files/0x00090000000233e4-5.dat	upx
behavioral2/memory/1180-6-0x00007FF681130000-0x00007FF681481000-memory.dmp	upx
behavioral2/files/0x0007000000023448-10.dat	upx
behavioral2/files/0x0007000000023449-27.dat	upx
behavioral2/files/0x000700000002344c-40.dat	upx
behavioral2/files/0x000700000002344b-42.dat	upx
behavioral2/files/0x000700000002344d-57.dat	upx
behavioral2/memory/2584-54-0x00007FF6F6C10000-0x00007FF6F6F61000-memory.dmp	upx
behavioral2/memory/5072-53-0x00007FF72D5E0000-0x00007FF72D931000-memory.dmp	upx
behavioral2/files/0x000700000002344e-52.dat	upx
behavioral2/memory/732-47-0x00007FF64DE60000-0x00007FF64E1B1000-memory.dmp	upx
behavioral2/memory/4836-46-0x00007FF6AE950000-0x00007FF6AECA1000-memory.dmp	upx
behavioral2/memory/2468-38-0x00007FF7A5550000-0x00007FF7A58A1000-memory.dmp	upx
behavioral2/files/0x000700000002344f-58.dat	upx
behavioral2/files/0x000700000002344a-36.dat	upx
behavioral2/memory/1576-30-0x00007FF7BCB50000-0x00007FF7BCEA1000-memory.dmp	upx
behavioral2/memory/3888-21-0x00007FF743010000-0x00007FF743361000-memory.dmp	upx
behavioral2/memory/3056-16-0x00007FF6EE9D0000-0x00007FF6EED21000-memory.dmp	upx
behavioral2/files/0x0008000000023447-13.dat	upx
behavioral2/files/0x0007000000023451-78.dat	upx
behavioral2/files/0x0007000000023455-84.dat	upx
behavioral2/files/0x0007000000023456-97.dat	upx
behavioral2/files/0x0008000000023445-109.dat	upx
behavioral2/memory/1652-119-0x00007FF70CF90000-0x00007FF70D2E1000-memory.dmp	upx
behavioral2/memory/2436-121-0x00007FF74FC60000-0x00007FF74FFB1000-memory.dmp	upx
behavioral2/files/0x0007000000023459-126.dat	upx
behavioral2/files/0x0007000000023457-124.dat	upx
behavioral2/memory/4972-120-0x00007FF62BBE0000-0x00007FF62BF31000-memory.dmp	upx
behavioral2/files/0x0007000000023458-117.dat	upx
behavioral2/memory/4868-116-0x00007FF686C10000-0x00007FF686F61000-memory.dmp	upx
behavioral2/memory/3144-115-0x00007FF6CAA20000-0x00007FF6CAD71000-memory.dmp	upx
behavioral2/memory/948-112-0x00007FF7B8DB0000-0x00007FF7B9101000-memory.dmp	upx
behavioral2/memory/4220-103-0x00007FF7ABB80000-0x00007FF7ABED1000-memory.dmp	upx
behavioral2/memory/1416-101-0x00007FF7432C0000-0x00007FF743611000-memory.dmp	upx
behavioral2/files/0x0007000000023453-96.dat	upx
behavioral2/memory/3324-91-0x00007FF63EBE0000-0x00007FF63EF31000-memory.dmp	upx
behavioral2/memory/3316-89-0x00007FF6BC4A0000-0x00007FF6BC7F1000-memory.dmp	upx
behavioral2/files/0x0007000000023454-92.dat	upx
behavioral2/files/0x0007000000023452-82.dat	upx
behavioral2/files/0x0007000000023450-76.dat	upx
behavioral2/memory/1780-70-0x00007FF7E7C10000-0x00007FF7E7F61000-memory.dmp	upx
behavioral2/memory/760-62-0x00007FF649EF0000-0x00007FF64A241000-memory.dmp	upx
behavioral2/memory/4856-128-0x00007FF779900000-0x00007FF779C51000-memory.dmp	upx
behavioral2/memory/1576-133-0x00007FF7BCB50000-0x00007FF7BCEA1000-memory.dmp	upx
behavioral2/memory/5072-137-0x00007FF72D5E0000-0x00007FF72D931000-memory.dmp	upx
behavioral2/memory/3324-141-0x00007FF63EBE0000-0x00007FF63EF31000-memory.dmp	upx
behavioral2/memory/3316-142-0x00007FF6BC4A0000-0x00007FF6BC7F1000-memory.dmp	upx
behavioral2/memory/760-140-0x00007FF649EF0000-0x00007FF64A241000-memory.dmp	upx
behavioral2/memory/2584-138-0x00007FF6F6C10000-0x00007FF6F6F61000-memory.dmp	upx
behavioral2/memory/4836-135-0x00007FF6AE950000-0x00007FF6AECA1000-memory.dmp	upx
behavioral2/memory/2468-134-0x00007FF7A5550000-0x00007FF7A58A1000-memory.dmp	upx
behavioral2/memory/3888-132-0x00007FF743010000-0x00007FF743361000-memory.dmp	upx
behavioral2/memory/1780-139-0x00007FF7E7C10000-0x00007FF7E7F61000-memory.dmp	upx
behavioral2/memory/4856-129-0x00007FF779900000-0x00007FF779C51000-memory.dmp	upx
behavioral2/memory/3056-131-0x00007FF6EE9D0000-0x00007FF6EED21000-memory.dmp	upx
behavioral2/memory/1180-130-0x00007FF681130000-0x00007FF681481000-memory.dmp	upx
behavioral2/memory/948-147-0x00007FF7B8DB0000-0x00007FF7B9101000-memory.dmp	upx
behavioral2/memory/3144-149-0x00007FF6CAA20000-0x00007FF6CAD71000-memory.dmp	upx
behavioral2/memory/4868-150-0x00007FF686C10000-0x00007FF686F61000-memory.dmp	upx
behavioral2/memory/4220-145-0x00007FF7ABB80000-0x00007FF7ABED1000-memory.dmp	upx
behavioral2/memory/1416-143-0x00007FF7432C0000-0x00007FF743611000-memory.dmp	upx
behavioral2/memory/4856-151-0x00007FF779900000-0x00007FF779C51000-memory.dmp	upx
behavioral2/memory/3056-206-0x00007FF6EE9D0000-0x00007FF6EED21000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\wGyvvKi.exe	2024-09-23_53aeb58d8b6b7b0091d8cdbb1830292e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MTqQIzY.exe	2024-09-23_53aeb58d8b6b7b0091d8cdbb1830292e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\doZagYn.exe	2024-09-23_53aeb58d8b6b7b0091d8cdbb1830292e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WLjakdp.exe	2024-09-23_53aeb58d8b6b7b0091d8cdbb1830292e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wvjrOdV.exe	2024-09-23_53aeb58d8b6b7b0091d8cdbb1830292e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QSZaCfz.exe	2024-09-23_53aeb58d8b6b7b0091d8cdbb1830292e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gjSAtDl.exe	2024-09-23_53aeb58d8b6b7b0091d8cdbb1830292e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RnpEbWh.exe	2024-09-23_53aeb58d8b6b7b0091d8cdbb1830292e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hpyUANM.exe	2024-09-23_53aeb58d8b6b7b0091d8cdbb1830292e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qOzPEUG.exe	2024-09-23_53aeb58d8b6b7b0091d8cdbb1830292e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BvjQAMv.exe	2024-09-23_53aeb58d8b6b7b0091d8cdbb1830292e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PKoHuda.exe	2024-09-23_53aeb58d8b6b7b0091d8cdbb1830292e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oleJyMB.exe	2024-09-23_53aeb58d8b6b7b0091d8cdbb1830292e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HEWZMKu.exe	2024-09-23_53aeb58d8b6b7b0091d8cdbb1830292e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AJUHroX.exe	2024-09-23_53aeb58d8b6b7b0091d8cdbb1830292e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yQHQSaZ.exe	2024-09-23_53aeb58d8b6b7b0091d8cdbb1830292e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cWQWuzD.exe	2024-09-23_53aeb58d8b6b7b0091d8cdbb1830292e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IejHQUk.exe	2024-09-23_53aeb58d8b6b7b0091d8cdbb1830292e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wDGYHAa.exe	2024-09-23_53aeb58d8b6b7b0091d8cdbb1830292e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dDjxXZc.exe	2024-09-23_53aeb58d8b6b7b0091d8cdbb1830292e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qwNaMGt.exe	2024-09-23_53aeb58d8b6b7b0091d8cdbb1830292e_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4856	2024-09-23_53aeb58d8b6b7b0091d8cdbb1830292e_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4856	2024-09-23_53aeb58d8b6b7b0091d8cdbb1830292e_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4856 wrote to memory of 1180	4856	2024-09-23_53aeb58d8b6b7b0091d8cdbb1830292e_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 4856 wrote to memory of 1180	4856	2024-09-23_53aeb58d8b6b7b0091d8cdbb1830292e_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 4856 wrote to memory of 3056	4856	2024-09-23_53aeb58d8b6b7b0091d8cdbb1830292e_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4856 wrote to memory of 3056	4856	2024-09-23_53aeb58d8b6b7b0091d8cdbb1830292e_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4856 wrote to memory of 3888	4856	2024-09-23_53aeb58d8b6b7b0091d8cdbb1830292e_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4856 wrote to memory of 3888	4856	2024-09-23_53aeb58d8b6b7b0091d8cdbb1830292e_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4856 wrote to memory of 1576	4856	2024-09-23_53aeb58d8b6b7b0091d8cdbb1830292e_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4856 wrote to memory of 1576	4856	2024-09-23_53aeb58d8b6b7b0091d8cdbb1830292e_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4856 wrote to memory of 2468	4856	2024-09-23_53aeb58d8b6b7b0091d8cdbb1830292e_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4856 wrote to memory of 2468	4856	2024-09-23_53aeb58d8b6b7b0091d8cdbb1830292e_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4856 wrote to memory of 4836	4856	2024-09-23_53aeb58d8b6b7b0091d8cdbb1830292e_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4856 wrote to memory of 4836	4856	2024-09-23_53aeb58d8b6b7b0091d8cdbb1830292e_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4856 wrote to memory of 732	4856	2024-09-23_53aeb58d8b6b7b0091d8cdbb1830292e_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4856 wrote to memory of 732	4856	2024-09-23_53aeb58d8b6b7b0091d8cdbb1830292e_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4856 wrote to memory of 5072	4856	2024-09-23_53aeb58d8b6b7b0091d8cdbb1830292e_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4856 wrote to memory of 5072	4856	2024-09-23_53aeb58d8b6b7b0091d8cdbb1830292e_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4856 wrote to memory of 2584	4856	2024-09-23_53aeb58d8b6b7b0091d8cdbb1830292e_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4856 wrote to memory of 2584	4856	2024-09-23_53aeb58d8b6b7b0091d8cdbb1830292e_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4856 wrote to memory of 1780	4856	2024-09-23_53aeb58d8b6b7b0091d8cdbb1830292e_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4856 wrote to memory of 1780	4856	2024-09-23_53aeb58d8b6b7b0091d8cdbb1830292e_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4856 wrote to memory of 760	4856	2024-09-23_53aeb58d8b6b7b0091d8cdbb1830292e_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4856 wrote to memory of 760	4856	2024-09-23_53aeb58d8b6b7b0091d8cdbb1830292e_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4856 wrote to memory of 3324	4856	2024-09-23_53aeb58d8b6b7b0091d8cdbb1830292e_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4856 wrote to memory of 3324	4856	2024-09-23_53aeb58d8b6b7b0091d8cdbb1830292e_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4856 wrote to memory of 3316	4856	2024-09-23_53aeb58d8b6b7b0091d8cdbb1830292e_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4856 wrote to memory of 3316	4856	2024-09-23_53aeb58d8b6b7b0091d8cdbb1830292e_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4856 wrote to memory of 1416	4856	2024-09-23_53aeb58d8b6b7b0091d8cdbb1830292e_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4856 wrote to memory of 1416	4856	2024-09-23_53aeb58d8b6b7b0091d8cdbb1830292e_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4856 wrote to memory of 1652	4856	2024-09-23_53aeb58d8b6b7b0091d8cdbb1830292e_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4856 wrote to memory of 1652	4856	2024-09-23_53aeb58d8b6b7b0091d8cdbb1830292e_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4856 wrote to memory of 4220	4856	2024-09-23_53aeb58d8b6b7b0091d8cdbb1830292e_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4856 wrote to memory of 4220	4856	2024-09-23_53aeb58d8b6b7b0091d8cdbb1830292e_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4856 wrote to memory of 4972	4856	2024-09-23_53aeb58d8b6b7b0091d8cdbb1830292e_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4856 wrote to memory of 4972	4856	2024-09-23_53aeb58d8b6b7b0091d8cdbb1830292e_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4856 wrote to memory of 948	4856	2024-09-23_53aeb58d8b6b7b0091d8cdbb1830292e_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4856 wrote to memory of 948	4856	2024-09-23_53aeb58d8b6b7b0091d8cdbb1830292e_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4856 wrote to memory of 2436	4856	2024-09-23_53aeb58d8b6b7b0091d8cdbb1830292e_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4856 wrote to memory of 2436	4856	2024-09-23_53aeb58d8b6b7b0091d8cdbb1830292e_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4856 wrote to memory of 3144	4856	2024-09-23_53aeb58d8b6b7b0091d8cdbb1830292e_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4856 wrote to memory of 3144	4856	2024-09-23_53aeb58d8b6b7b0091d8cdbb1830292e_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4856 wrote to memory of 4868	4856	2024-09-23_53aeb58d8b6b7b0091d8cdbb1830292e_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4856 wrote to memory of 4868	4856	2024-09-23_53aeb58d8b6b7b0091d8cdbb1830292e_cobalt-strike_cobaltstrike_poet-rat.exe	103

C:\Users\Admin\AppData\Local\Temp\2024-09-23_53aeb58d8b6b7b0091d8cdbb1830292e_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-23_53aeb58d8b6b7b0091d8cdbb1830292e_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4856
- C:\Windows\System\cWQWuzD.exe
  C:\Windows\System\cWQWuzD.exe
  2⤵
  - Executes dropped EXE
  PID:1180
- C:\Windows\System\IejHQUk.exe
  C:\Windows\System\IejHQUk.exe
  2⤵
  - Executes dropped EXE
  PID:3056
- C:\Windows\System\qOzPEUG.exe
  C:\Windows\System\qOzPEUG.exe
  2⤵
  - Executes dropped EXE
  PID:3888
- C:\Windows\System\QSZaCfz.exe
  C:\Windows\System\QSZaCfz.exe
  2⤵
  - Executes dropped EXE
  PID:1576
- C:\Windows\System\BvjQAMv.exe
  C:\Windows\System\BvjQAMv.exe
  2⤵
  - Executes dropped EXE
  PID:2468
- C:\Windows\System\wDGYHAa.exe
  C:\Windows\System\wDGYHAa.exe
  2⤵
  - Executes dropped EXE
  PID:4836
- C:\Windows\System\wGyvvKi.exe
  C:\Windows\System\wGyvvKi.exe
  2⤵
  - Executes dropped EXE
  PID:732
- C:\Windows\System\MTqQIzY.exe
  C:\Windows\System\MTqQIzY.exe
  2⤵
  - Executes dropped EXE
  PID:5072
- C:\Windows\System\PKoHuda.exe
  C:\Windows\System\PKoHuda.exe
  2⤵
  - Executes dropped EXE
  PID:2584
- C:\Windows\System\dDjxXZc.exe
  C:\Windows\System\dDjxXZc.exe
  2⤵
  - Executes dropped EXE
  PID:1780
- C:\Windows\System\doZagYn.exe
  C:\Windows\System\doZagYn.exe
  2⤵
  - Executes dropped EXE
  PID:760
- C:\Windows\System\oleJyMB.exe
  C:\Windows\System\oleJyMB.exe
  2⤵
  - Executes dropped EXE
  PID:3324
- C:\Windows\System\HEWZMKu.exe
  C:\Windows\System\HEWZMKu.exe
  2⤵
  - Executes dropped EXE
  PID:3316
- C:\Windows\System\WLjakdp.exe
  C:\Windows\System\WLjakdp.exe
  2⤵
  - Executes dropped EXE
  PID:1416
- C:\Windows\System\gjSAtDl.exe
  C:\Windows\System\gjSAtDl.exe
  2⤵
  - Executes dropped EXE
  PID:1652
- C:\Windows\System\wvjrOdV.exe
  C:\Windows\System\wvjrOdV.exe
  2⤵
  - Executes dropped EXE
  PID:4220
- C:\Windows\System\qwNaMGt.exe
  C:\Windows\System\qwNaMGt.exe
  2⤵
  - Executes dropped EXE
  PID:4972
- C:\Windows\System\RnpEbWh.exe
  C:\Windows\System\RnpEbWh.exe
  2⤵
  - Executes dropped EXE
  PID:948
- C:\Windows\System\hpyUANM.exe
  C:\Windows\System\hpyUANM.exe
  2⤵
  - Executes dropped EXE
  PID:2436
- C:\Windows\System\AJUHroX.exe
  C:\Windows\System\AJUHroX.exe
  2⤵
  - Executes dropped EXE
  PID:3144
- C:\Windows\System\yQHQSaZ.exe
  C:\Windows\System\yQHQSaZ.exe
  2⤵
  - Executes dropped EXE
  PID:4868

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AJUHroX.exe

Filesize
5.2MB

MD5
5766c9ae678d707bb16e23cd241efd15

SHA1
2314dddb8b622ff7917a9d698bf382523a3871e2

SHA256
ca92484e606bdc2ad8fb47a03dbf0a6c1652dcedf4c9b9e8c832b74d1381161b

SHA512
5a6bea149c8ad1449c5d69ae5d293bbebc7c199bb5e04ec46344963d449f14d1247a1ab7b04ecb0b6546026b502e43f1c9ecce789a835eb4571a4a1a344f96c1

Download Submit
C:\Windows\System\BvjQAMv.exe

Filesize
5.2MB

MD5
ebaa1b94c8571806e63da81e391d2d59

SHA1
55ef41770aa5f391b1a6e11c6da69912532c425f

SHA256
0cb21f7dca12945c7988a1c310af2a547fcec464b90484d7c8a72928c9902429

SHA512
769262ab02874c7687befafd47549785667d7559ab5a88fabe7b591b85f1a677f0c3f72db59d977f7651ed250c731b33c067fd18d590c24b3f1f2167a32d1464

Download Submit
C:\Windows\System\HEWZMKu.exe

Filesize
5.2MB

MD5
80fe3d707a2c94a1d12acbe094d4b7fc

SHA1
ae7d9ac1b35b32957da333c4be283efe0bb85227

SHA256
e1f643300eb0a1ed00f5b571ce68369d50a35f57d008681b2980f680bf84ae0b

SHA512
27d747222ea0efb3cb0c28c18ddc8ade0d8cd14df7122dc543649228a42b8d095ab8878aa216973d119b30e180ee266920c84c895663c91fe88d77dbd2f26ad1

Download Submit
C:\Windows\System\IejHQUk.exe

Filesize
5.2MB

MD5
8e422a40cbad501952144abc30227496

SHA1
3d710200d33557ece0893a281bd9ccc6c425f24a

SHA256
7d47cbe5d40856d0a06603823128bb8cc5bff5a11611b2874f4598d4d6ca275d

SHA512
c92b60ffbe55ccee3d2df644002a3f3e98460bef2a22c1bdb0694d66a702786c36ac573f425222276919b2b810bde10622263b7df5578c7b23d7c80b09f4e150

Download Submit
C:\Windows\System\MTqQIzY.exe

Filesize
5.2MB

MD5
42c498820ee7a13657d1a4fa5a494104

SHA1
8496bc303bef9a4db1b6394bddf378c5c4a6fce1

SHA256
2a2d7ea1ecd00a8038709657b06c765124a679b5855753122fe42ffbafb19dbe

SHA512
196cd349aba49ae5e22e2f7b1718e9c9a32018190eb667a0deacec8a07b6a2630d4957ebca78a7ef50be6744f64c084dbaf8824fa00b59f35a9b604f8d507f37

Download Submit
C:\Windows\System\PKoHuda.exe

Filesize
5.2MB

MD5
d1e1a9da464c7651ac1aa90f010de808

SHA1
b4b961e920e9ecd17832292a7964ca2d869f27bb

SHA256
841c3b6b3b5b386ea94ee9386162bef16c3f7f99eef809671614a73805719c3e

SHA512
270d0727961e6af8c11de5ee6de54adec5794f3a3a25f68b770c9819a90c04d2105301ec1bb3778df3d80c71bdc80992da14007e1eeaa045ed264e366159c647

Download Submit
C:\Windows\System\QSZaCfz.exe

Filesize
5.2MB

MD5
3b06ee6361de3106e8e230e910ba4f65

SHA1
3bfb74863fc11c0615d5ea5fcaaef9db270c3fb8

SHA256
1ffdfa3d2ad88361a9953750b1ce3be7a1645408ce7b076d748c39e3bbcfb4c4

SHA512
d0f54a86c72ebde3566e0d081394829f71f98ccd860c59d2df708eff029329801c72d049a453e4087962b69754d522889c8ef3e8a106322cb811cb07ee871943

Download Submit
C:\Windows\System\RnpEbWh.exe

Filesize
5.2MB

MD5
3c073491248b13cfa14bb53a36ef9c03

SHA1
cbd41db53371016bdca5fe5a53174001924bfc59

SHA256
a46ae690c36b973bd8496b6c54de2f6f9f26d896a95c0196a108f8cfd465e748

SHA512
3f66d78c8bcf7fc587bc82d949badef9c87a3c849169883681b6354a68ea4cc1f0dd7f68689cf1ded873b6baee0e4b5ea6b91f7bcb19fd4cd84c529332bc141d

Download Submit
C:\Windows\System\WLjakdp.exe

Filesize
5.2MB

MD5
7beec86042c6dd70de5a91c8d78a8917

SHA1
19aa34961c498475689a8a3886841a17f8af5e15

SHA256
5f52b99ad041d5696e5ce9c8e063e410473b88a4fe5df59bda18f76c0b5e028a

SHA512
90e051c543499e01333ac3dd0b7a33a026f4de3e09647694663126e9b52864ebdc092649302062512cf3283110b4fcdf7a18d7b5fece03d84ffbb71737a4a6a0

Download Submit
C:\Windows\System\cWQWuzD.exe

Filesize
5.2MB

MD5
8ada9165dbf05bc9619993e8e23fdba0

SHA1
be8c5deb16a273b04216050800972ce5dcdd1d25

SHA256
85f6b51fe8e219a61fc31af09c15ea1a22df2f03ef017baf4a4082dfb437563c

SHA512
8cbb082a5c41196df9558281bed3bc8271dfcb67be77b74aea6d986fe8d909997ce5e5065a1165dec086009fdf63e1f48ef5fec17307f737a1b2b2a4af1a96bd

Download Submit
C:\Windows\System\dDjxXZc.exe

Filesize
5.2MB

MD5
7222f5403815421142a89afe130111d5

SHA1
9c0d034cedb7a72c11ddea3c7ed66fcd58c303bd

SHA256
bd6076bf53d804fb3a6f457dcdd6f162757ddd12c2a7babc779014d50f51970a

SHA512
f429460e9452397c6bd0be21681834c302f3da7c7c042bc98fe58c51a1b3170e3400277db7e176155714a389363591028ee553528b7da4692f2d06c548fc1b74

Download Submit
C:\Windows\System\doZagYn.exe

Filesize
5.2MB

MD5
50343c744222b9d002a6dbe15ce6d98c

SHA1
764ce793925154daffa0c457b34b3c53610b1580

SHA256
cb627a3fd3180ebc12e233b2273aa7469c5dd526197d04e8550a9679c619fd80

SHA512
58d9539df07c680af21c6a0d522d900450d1f06a90f2e225bab76f9385a453e108750f27d304ca6255d83a3daedbe06dfaa76bf9f81bc8329557fc12e43a2fce

Download Submit
C:\Windows\System\gjSAtDl.exe

Filesize
5.2MB

MD5
d6192dea11c1bc972e47d912d7bae3f7

SHA1
9fd7bf9e1168be40d21176b7f6da07a1634313d1

SHA256
68b3de9c10a60c9669e59818ebc409edcc151e804cc511cfce97cf828530d78b

SHA512
80dc0c3fd6bdfdb2b0e1cec00ec7837aa48af9fc67f9853fe79ea8f19a2212b6e9aa34946b86c3ed06c95b69e4abcf9b3a4419329ee0f43062f69fd99a69e68d

Download Submit
C:\Windows\System\hpyUANM.exe

Filesize
5.2MB

MD5
08999b21220e2afe61349e9051aa6f47

SHA1
54f23616e95216be7ff17f0254a4d7ca249ce7d6

SHA256
41be7f0c2e66ce03c3402c2eaad2c142b242f6b80f58ae9a34f154ac19b2178e

SHA512
62f7a08b48f6fcdb6cfc041450d52c78f94f38a88ba62ca96481622e2fb81749a4cafc15f4ea2ac69b4cf2425d2218b25247f57577479784a6e36acfbebd99f5

Download Submit
C:\Windows\System\oleJyMB.exe

Filesize
5.2MB

MD5
4517ff0ba0dd3469ce2f7b1630728078

SHA1
3f06723d51fd0dac0bfbfe4879a13d50ac3cc49d

SHA256
13af8b36dad7303fe685b6e3c4b19ea89eefc36d25a95dccb39f6a5a583a85b4

SHA512
d436c16f77534e88f3052325f067453503c1d0850417629f22282475a0232a1c1b8ed3a8d62408236a406b1476ce67683c0565be5738e8bb3c3e54b8bc301088

Download Submit
C:\Windows\System\qOzPEUG.exe

Filesize
5.2MB

MD5
50d23983acdaa63282eec0b0ab3bc17a

SHA1
1c75c38cbcab45dd9f9b2da624d6b9fa9b495b5c

SHA256
7475c9f4d1f6e55ce2e9a6b27b5631f4c5db3d916b85f4a3db280bc59cb73562

SHA512
5c051e0907b425aa286354ac3d1f2d9ded020cdbe77303ecf945d033b9c4e4b3da59e007073823e56411711ec5d1321b140ce1316fa058fb77f39168e73cb269

Download Submit
C:\Windows\System\qwNaMGt.exe

Filesize
5.2MB

MD5
c9edf2314380c8dc336a070e5c6e30d3

SHA1
cd7200e3b7eedb17af5f8109bc3484b346ebad6f

SHA256
9ff32837d5834756111e68fe07de3e15fc9c9b50f2da153e35c5879827dc763c

SHA512
fe16264fc0a212bb5f9b4fd1cc1bfe0c82cec96b3a4da35614570f9c5f9d0cdd3b075019b4f5203af7ba830557931b5674518256d0cb404278b364f97525611d

Download Submit
C:\Windows\System\wDGYHAa.exe

Filesize
5.2MB

MD5
d1e09065110223a5ea9620f289b782f3

SHA1
61ae36b135c61fbfc07017fe0fed369bd2d86baf

SHA256
35f6a91a9c51beca47ce6a218814d8821ac2bfbaea82434669b354c83fbff8f8

SHA512
fec5f7f7196f70e631f161d1ad9107fedb9240e11ca050c3d9bce539b4c16cb872508088a0e94376fb961063c6ebce711a2d86a1393ae67ea7bc5df36535274d

Download Submit
C:\Windows\System\wGyvvKi.exe

Filesize
5.2MB

MD5
d8ecace2574cebe4171f60ab08ab340b

SHA1
ae7b09ad3f965dd36f8d2a6888ba4b0cacd5471b

SHA256
be276c52664ed8533f47ba5d7287f58c44a9deec755b42596f9a6e0ad8b753b8

SHA512
01dccdb0c65630c780e76d3677b55526480faa4b776495dbdcb847841e91c823976ad7afceda6f12ff88b2f20320af992b3aca788250914b0e1a5e670c2e2454

Download Submit
C:\Windows\System\wvjrOdV.exe

Filesize
5.2MB

MD5
60b5c9620359425397f71b428abfbe60

SHA1
b387149bdced61772c5e4c92fa4afd65eeaac60d

SHA256
70bbe465dfcd685408828dadd4a287a689a3f67f17bc08aafb69cfc343b70401

SHA512
f9d331f584a44cfaaa3bb9d032eed05fcde18a7de965329126626e62f2d1b7356c31a55931d00495a0308754fa4ad544831b2112c2a54938221455e8dd0a78c2

Download Submit
C:\Windows\System\yQHQSaZ.exe

Filesize
5.2MB

MD5
bdb980e28b6f853e6459571ccd9e4828

SHA1
a2fafe3f78dae268763584983d01b762270be4a3

SHA256
dde73b8b9736d726793190f6c474fa47ab906797b17085a86f271474d418edbe

SHA512
2cc9774848d47e72dc85fa28c22efb156b1a8c57432dc4ee75864730820c4e9d15a334505554d09d1b94b2238422e7679e1265046b920ae78bc28389b00ab66b

Download Submit
memory/732-47-0x00007FF64DE60000-0x00007FF64E1B1000-memory.dmp

Filesize
3.3MB

Download
memory/732-230-0x00007FF64DE60000-0x00007FF64E1B1000-memory.dmp

Filesize
3.3MB

Download
memory/760-62-0x00007FF649EF0000-0x00007FF64A241000-memory.dmp

Filesize
3.3MB

Download
memory/760-140-0x00007FF649EF0000-0x00007FF64A241000-memory.dmp

Filesize
3.3MB

Download
memory/760-241-0x00007FF649EF0000-0x00007FF64A241000-memory.dmp

Filesize
3.3MB

Download
memory/948-147-0x00007FF7B8DB0000-0x00007FF7B9101000-memory.dmp

Filesize
3.3MB

Download
memory/948-258-0x00007FF7B8DB0000-0x00007FF7B9101000-memory.dmp

Filesize
3.3MB

Download
memory/948-112-0x00007FF7B8DB0000-0x00007FF7B9101000-memory.dmp

Filesize
3.3MB

Download
memory/1180-205-0x00007FF681130000-0x00007FF681481000-memory.dmp

Filesize
3.3MB

Download
memory/1180-6-0x00007FF681130000-0x00007FF681481000-memory.dmp

Filesize
3.3MB

Download
memory/1180-130-0x00007FF681130000-0x00007FF681481000-memory.dmp

Filesize
3.3MB

Download
memory/1416-252-0x00007FF7432C0000-0x00007FF743611000-memory.dmp

Filesize
3.3MB

Download
memory/1416-101-0x00007FF7432C0000-0x00007FF743611000-memory.dmp

Filesize
3.3MB

Download
memory/1416-143-0x00007FF7432C0000-0x00007FF743611000-memory.dmp

Filesize
3.3MB

Download
memory/1576-210-0x00007FF7BCB50000-0x00007FF7BCEA1000-memory.dmp

Filesize
3.3MB

Download
memory/1576-30-0x00007FF7BCB50000-0x00007FF7BCEA1000-memory.dmp

Filesize
3.3MB

Download
memory/1576-133-0x00007FF7BCB50000-0x00007FF7BCEA1000-memory.dmp

Filesize
3.3MB

Download
memory/1652-119-0x00007FF70CF90000-0x00007FF70D2E1000-memory.dmp

Filesize
3.3MB

Download
memory/1652-237-0x00007FF70CF90000-0x00007FF70D2E1000-memory.dmp

Filesize
3.3MB

Download
memory/1780-70-0x00007FF7E7C10000-0x00007FF7E7F61000-memory.dmp

Filesize
3.3MB

Download
memory/1780-242-0x00007FF7E7C10000-0x00007FF7E7F61000-memory.dmp

Filesize
3.3MB

Download
memory/1780-139-0x00007FF7E7C10000-0x00007FF7E7F61000-memory.dmp

Filesize
3.3MB

Download
memory/2436-121-0x00007FF74FC60000-0x00007FF74FFB1000-memory.dmp

Filesize
3.3MB

Download
memory/2436-247-0x00007FF74FC60000-0x00007FF74FFB1000-memory.dmp

Filesize
3.3MB

Download
memory/2468-38-0x00007FF7A5550000-0x00007FF7A58A1000-memory.dmp

Filesize
3.3MB

Download
memory/2468-226-0x00007FF7A5550000-0x00007FF7A58A1000-memory.dmp

Filesize
3.3MB

Download
memory/2468-134-0x00007FF7A5550000-0x00007FF7A58A1000-memory.dmp

Filesize
3.3MB

Download
memory/2584-232-0x00007FF6F6C10000-0x00007FF6F6F61000-memory.dmp

Filesize
3.3MB

Download
memory/2584-54-0x00007FF6F6C10000-0x00007FF6F6F61000-memory.dmp

Filesize
3.3MB

Download
memory/2584-138-0x00007FF6F6C10000-0x00007FF6F6F61000-memory.dmp

Filesize
3.3MB

Download
memory/3056-131-0x00007FF6EE9D0000-0x00007FF6EED21000-memory.dmp

Filesize
3.3MB

Download
memory/3056-16-0x00007FF6EE9D0000-0x00007FF6EED21000-memory.dmp

Filesize
3.3MB

Download
memory/3056-206-0x00007FF6EE9D0000-0x00007FF6EED21000-memory.dmp

Filesize
3.3MB

Download
memory/3144-115-0x00007FF6CAA20000-0x00007FF6CAD71000-memory.dmp

Filesize
3.3MB

Download
memory/3144-149-0x00007FF6CAA20000-0x00007FF6CAD71000-memory.dmp

Filesize
3.3MB

Download
memory/3144-256-0x00007FF6CAA20000-0x00007FF6CAD71000-memory.dmp

Filesize
3.3MB

Download
memory/3316-142-0x00007FF6BC4A0000-0x00007FF6BC7F1000-memory.dmp

Filesize
3.3MB

Download
memory/3316-239-0x00007FF6BC4A0000-0x00007FF6BC7F1000-memory.dmp

Filesize
3.3MB

Download
memory/3316-89-0x00007FF6BC4A0000-0x00007FF6BC7F1000-memory.dmp

Filesize
3.3MB

Download
memory/3324-141-0x00007FF63EBE0000-0x00007FF63EF31000-memory.dmp

Filesize
3.3MB

Download
memory/3324-91-0x00007FF63EBE0000-0x00007FF63EF31000-memory.dmp

Filesize
3.3MB

Download
memory/3324-251-0x00007FF63EBE0000-0x00007FF63EF31000-memory.dmp

Filesize
3.3MB

Download
memory/3888-132-0x00007FF743010000-0x00007FF743361000-memory.dmp

Filesize
3.3MB

Download
memory/3888-209-0x00007FF743010000-0x00007FF743361000-memory.dmp

Filesize
3.3MB

Download
memory/3888-21-0x00007FF743010000-0x00007FF743361000-memory.dmp

Filesize
3.3MB

Download
memory/4220-145-0x00007FF7ABB80000-0x00007FF7ABED1000-memory.dmp

Filesize
3.3MB

Download
memory/4220-249-0x00007FF7ABB80000-0x00007FF7ABED1000-memory.dmp

Filesize
3.3MB

Download
memory/4220-103-0x00007FF7ABB80000-0x00007FF7ABED1000-memory.dmp

Filesize
3.3MB

Download
memory/4836-46-0x00007FF6AE950000-0x00007FF6AECA1000-memory.dmp

Filesize
3.3MB

Download
memory/4836-228-0x00007FF6AE950000-0x00007FF6AECA1000-memory.dmp

Filesize
3.3MB

Download
memory/4836-135-0x00007FF6AE950000-0x00007FF6AECA1000-memory.dmp

Filesize
3.3MB

Download
memory/4856-128-0x00007FF779900000-0x00007FF779C51000-memory.dmp

Filesize
3.3MB

Download
memory/4856-151-0x00007FF779900000-0x00007FF779C51000-memory.dmp

Filesize
3.3MB

Download
memory/4856-0-0x00007FF779900000-0x00007FF779C51000-memory.dmp

Filesize
3.3MB

Download
memory/4856-1-0x0000018A72E60000-0x0000018A72E70000-memory.dmp

Filesize
64KB

Download
memory/4856-129-0x00007FF779900000-0x00007FF779C51000-memory.dmp

Filesize
3.3MB

Download
memory/4868-116-0x00007FF686C10000-0x00007FF686F61000-memory.dmp

Filesize
3.3MB

Download
memory/4868-254-0x00007FF686C10000-0x00007FF686F61000-memory.dmp

Filesize
3.3MB

Download
memory/4868-150-0x00007FF686C10000-0x00007FF686F61000-memory.dmp

Filesize
3.3MB

Download
memory/4972-120-0x00007FF62BBE0000-0x00007FF62BF31000-memory.dmp

Filesize
3.3MB

Download
memory/4972-245-0x00007FF62BBE0000-0x00007FF62BF31000-memory.dmp

Filesize
3.3MB

Download
memory/5072-137-0x00007FF72D5E0000-0x00007FF72D931000-memory.dmp

Filesize
3.3MB

Download
memory/5072-53-0x00007FF72D5E0000-0x00007FF72D931000-memory.dmp

Filesize
3.3MB

Download
memory/5072-234-0x00007FF72D5E0000-0x00007FF72D931000-memory.dmp

Filesize
3.3MB

Download