cobaltstrike | 4eb0d2675d02f378e5f9a24f0aa69b8d4d5a93b740d78f09daf5a6f14005cb24

Analysis

max time kernel
140s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23-09-2024 06:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-23_5f8b8ef95446d470d0469448586a4775_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

5f8b8ef95446d470d0469448586a4775
SHA1

20c4c9375e2d4ba453b6fe78b05527ef94b966ed
SHA256

4eb0d2675d02f378e5f9a24f0aa69b8d4d5a93b740d78f09daf5a6f14005cb24
SHA512

19c94d1fed2e10cbf86924c8a8805b8e4583ae0f3fedc059a479ee1d246add6e51341ca7ef537c943d1fe9ca00a3d13b0c3b2613ff53d94cb12bace7b8610d69
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lH:RWWBibf56utgpPFotBER/mQ32lUL

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000800000002346c-4.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023470-12.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023473-25.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023477-49.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023478-50.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002347d-75.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002347b-86.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002347e-97.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002347c-93.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002347a-79.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023479-77.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023475-53.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023474-45.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023476-39.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023472-31.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023471-30.dat	cobalt_reflective_dll
behavioral2/files/0x000800000002346d-107.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023480-112.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023481-121.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023482-124.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002347f-103.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 47 IoCs

miner

resource	yara_rule
behavioral2/memory/4928-17-0x00007FF76F7E0000-0x00007FF76FB31000-memory.dmp	xmrig
behavioral2/memory/3112-89-0x00007FF728980000-0x00007FF728CD1000-memory.dmp	xmrig
behavioral2/memory/2460-88-0x00007FF7D4DE0000-0x00007FF7D5131000-memory.dmp	xmrig
behavioral2/memory/3832-87-0x00007FF7FE7F0000-0x00007FF7FEB41000-memory.dmp	xmrig
behavioral2/memory/3564-85-0x00007FF76B350000-0x00007FF76B6A1000-memory.dmp	xmrig
behavioral2/memory/2904-69-0x00007FF753DA0000-0x00007FF7540F1000-memory.dmp	xmrig
behavioral2/memory/1452-56-0x00007FF671940000-0x00007FF671C91000-memory.dmp	xmrig
behavioral2/memory/2552-128-0x00007FF7F6E60000-0x00007FF7F71B1000-memory.dmp	xmrig
behavioral2/memory/2176-129-0x00007FF6F3020000-0x00007FF6F3371000-memory.dmp	xmrig
behavioral2/memory/4928-130-0x00007FF76F7E0000-0x00007FF76FB31000-memory.dmp	xmrig
behavioral2/memory/3428-131-0x00007FF6FE100000-0x00007FF6FE451000-memory.dmp	xmrig
behavioral2/memory/2552-132-0x00007FF7F6E60000-0x00007FF7F71B1000-memory.dmp	xmrig
behavioral2/memory/1932-133-0x00007FF751140000-0x00007FF751491000-memory.dmp	xmrig
behavioral2/memory/3984-134-0x00007FF709910000-0x00007FF709C61000-memory.dmp	xmrig
behavioral2/memory/3188-135-0x00007FF67AD20000-0x00007FF67B071000-memory.dmp	xmrig
behavioral2/memory/2868-151-0x00007FF687E20000-0x00007FF688171000-memory.dmp	xmrig
behavioral2/memory/4936-149-0x00007FF7D0060000-0x00007FF7D03B1000-memory.dmp	xmrig
behavioral2/memory/2904-153-0x00007FF753DA0000-0x00007FF7540F1000-memory.dmp	xmrig
behavioral2/memory/2872-152-0x00007FF7C1E20000-0x00007FF7C2171000-memory.dmp	xmrig
behavioral2/memory/4696-150-0x00007FF695780000-0x00007FF695AD1000-memory.dmp	xmrig
behavioral2/memory/860-148-0x00007FF7C6FA0000-0x00007FF7C72F1000-memory.dmp	xmrig
behavioral2/memory/1936-154-0x00007FF625E90000-0x00007FF6261E1000-memory.dmp	xmrig
behavioral2/memory/4276-155-0x00007FF6604C0000-0x00007FF660811000-memory.dmp	xmrig
behavioral2/memory/4396-156-0x00007FF714ED0000-0x00007FF715221000-memory.dmp	xmrig
behavioral2/memory/4464-161-0x00007FF71B440000-0x00007FF71B791000-memory.dmp	xmrig
behavioral2/memory/2552-162-0x00007FF7F6E60000-0x00007FF7F71B1000-memory.dmp	xmrig
behavioral2/memory/2176-218-0x00007FF6F3020000-0x00007FF6F3371000-memory.dmp	xmrig
behavioral2/memory/4928-220-0x00007FF76F7E0000-0x00007FF76FB31000-memory.dmp	xmrig
behavioral2/memory/3428-222-0x00007FF6FE100000-0x00007FF6FE451000-memory.dmp	xmrig
behavioral2/memory/3832-230-0x00007FF7FE7F0000-0x00007FF7FEB41000-memory.dmp	xmrig
behavioral2/memory/3564-229-0x00007FF76B350000-0x00007FF76B6A1000-memory.dmp	xmrig
behavioral2/memory/1452-227-0x00007FF671940000-0x00007FF671C91000-memory.dmp	xmrig
behavioral2/memory/1932-225-0x00007FF751140000-0x00007FF751491000-memory.dmp	xmrig
behavioral2/memory/2460-241-0x00007FF7D4DE0000-0x00007FF7D5131000-memory.dmp	xmrig
behavioral2/memory/3112-239-0x00007FF728980000-0x00007FF728CD1000-memory.dmp	xmrig
behavioral2/memory/2904-244-0x00007FF753DA0000-0x00007FF7540F1000-memory.dmp	xmrig
behavioral2/memory/3188-246-0x00007FF67AD20000-0x00007FF67B071000-memory.dmp	xmrig
behavioral2/memory/3984-247-0x00007FF709910000-0x00007FF709C61000-memory.dmp	xmrig
behavioral2/memory/4936-251-0x00007FF7D0060000-0x00007FF7D03B1000-memory.dmp	xmrig
behavioral2/memory/860-249-0x00007FF7C6FA0000-0x00007FF7C72F1000-memory.dmp	xmrig
behavioral2/memory/4696-253-0x00007FF695780000-0x00007FF695AD1000-memory.dmp	xmrig
behavioral2/memory/2868-255-0x00007FF687E20000-0x00007FF688171000-memory.dmp	xmrig
behavioral2/memory/2872-261-0x00007FF7C1E20000-0x00007FF7C2171000-memory.dmp	xmrig
behavioral2/memory/1936-263-0x00007FF625E90000-0x00007FF6261E1000-memory.dmp	xmrig
behavioral2/memory/4276-265-0x00007FF6604C0000-0x00007FF660811000-memory.dmp	xmrig
behavioral2/memory/4464-269-0x00007FF71B440000-0x00007FF71B791000-memory.dmp	xmrig
behavioral2/memory/4396-268-0x00007FF714ED0000-0x00007FF715221000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2176	myDceKN.exe
4928	CYTROcI.exe
3564	WdicAZW.exe
3428	xGjILjv.exe
3832	RQyIeze.exe
1932	wOSExxs.exe
2460	mrGpnwA.exe
1452	QQqcyaL.exe
3112	wgEIOtd.exe
2904	oQggqBY.exe
3984	HpUOpVx.exe
3188	sVvYtQZ.exe
860	shIdDlX.exe
4936	PqtwfrG.exe
4696	nvYWfDI.exe
2868	qCksgoV.exe
2872	bXTqbMA.exe
1936	uJsndrC.exe
4276	FoIOFlU.exe
4396	xcHOdpn.exe
4464	fYHEuiO.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2552-0-0x00007FF7F6E60000-0x00007FF7F71B1000-memory.dmp	upx
behavioral2/files/0x000800000002346c-4.dat	upx
behavioral2/memory/2176-7-0x00007FF6F3020000-0x00007FF6F3371000-memory.dmp	upx
behavioral2/memory/4928-17-0x00007FF76F7E0000-0x00007FF76FB31000-memory.dmp	upx
behavioral2/files/0x0007000000023470-12.dat	upx
behavioral2/files/0x0007000000023473-25.dat	upx
behavioral2/files/0x0007000000023477-49.dat	upx
behavioral2/files/0x0007000000023478-50.dat	upx
behavioral2/files/0x000700000002347d-75.dat	upx
behavioral2/memory/3188-82-0x00007FF67AD20000-0x00007FF67B071000-memory.dmp	upx
behavioral2/files/0x000700000002347b-86.dat	upx
behavioral2/memory/3112-89-0x00007FF728980000-0x00007FF728CD1000-memory.dmp	upx
behavioral2/files/0x000700000002347e-97.dat	upx
behavioral2/files/0x000700000002347c-93.dat	upx
behavioral2/memory/2868-91-0x00007FF687E20000-0x00007FF688171000-memory.dmp	upx
behavioral2/memory/860-90-0x00007FF7C6FA0000-0x00007FF7C72F1000-memory.dmp	upx
behavioral2/memory/2460-88-0x00007FF7D4DE0000-0x00007FF7D5131000-memory.dmp	upx
behavioral2/memory/3832-87-0x00007FF7FE7F0000-0x00007FF7FEB41000-memory.dmp	upx
behavioral2/memory/3564-85-0x00007FF76B350000-0x00007FF76B6A1000-memory.dmp	upx
behavioral2/memory/4696-84-0x00007FF695780000-0x00007FF695AD1000-memory.dmp	upx
behavioral2/memory/4936-83-0x00007FF7D0060000-0x00007FF7D03B1000-memory.dmp	upx
behavioral2/files/0x000700000002347a-79.dat	upx
behavioral2/files/0x0007000000023479-77.dat	upx
behavioral2/memory/3984-76-0x00007FF709910000-0x00007FF709C61000-memory.dmp	upx
behavioral2/memory/2904-69-0x00007FF753DA0000-0x00007FF7540F1000-memory.dmp	upx
behavioral2/memory/1452-56-0x00007FF671940000-0x00007FF671C91000-memory.dmp	upx
behavioral2/files/0x0007000000023475-53.dat	upx
behavioral2/files/0x0007000000023474-45.dat	upx
behavioral2/memory/1932-44-0x00007FF751140000-0x00007FF751491000-memory.dmp	upx
behavioral2/files/0x0007000000023476-39.dat	upx
behavioral2/memory/3428-32-0x00007FF6FE100000-0x00007FF6FE451000-memory.dmp	upx
behavioral2/files/0x0007000000023472-31.dat	upx
behavioral2/files/0x0007000000023471-30.dat	upx
behavioral2/files/0x000800000002346d-107.dat	upx
behavioral2/files/0x0007000000023480-112.dat	upx
behavioral2/files/0x0007000000023481-121.dat	upx
behavioral2/memory/4396-120-0x00007FF714ED0000-0x00007FF715221000-memory.dmp	upx
behavioral2/files/0x0007000000023482-124.dat	upx
behavioral2/memory/4464-125-0x00007FF71B440000-0x00007FF71B791000-memory.dmp	upx
behavioral2/memory/4276-118-0x00007FF6604C0000-0x00007FF660811000-memory.dmp	upx
behavioral2/memory/1936-108-0x00007FF625E90000-0x00007FF6261E1000-memory.dmp	upx
behavioral2/memory/2872-106-0x00007FF7C1E20000-0x00007FF7C2171000-memory.dmp	upx
behavioral2/files/0x000700000002347f-103.dat	upx
behavioral2/memory/2552-128-0x00007FF7F6E60000-0x00007FF7F71B1000-memory.dmp	upx
behavioral2/memory/2176-129-0x00007FF6F3020000-0x00007FF6F3371000-memory.dmp	upx
behavioral2/memory/4928-130-0x00007FF76F7E0000-0x00007FF76FB31000-memory.dmp	upx
behavioral2/memory/3428-131-0x00007FF6FE100000-0x00007FF6FE451000-memory.dmp	upx
behavioral2/memory/2552-132-0x00007FF7F6E60000-0x00007FF7F71B1000-memory.dmp	upx
behavioral2/memory/1932-133-0x00007FF751140000-0x00007FF751491000-memory.dmp	upx
behavioral2/memory/3984-134-0x00007FF709910000-0x00007FF709C61000-memory.dmp	upx
behavioral2/memory/3188-135-0x00007FF67AD20000-0x00007FF67B071000-memory.dmp	upx
behavioral2/memory/2868-151-0x00007FF687E20000-0x00007FF688171000-memory.dmp	upx
behavioral2/memory/4936-149-0x00007FF7D0060000-0x00007FF7D03B1000-memory.dmp	upx
behavioral2/memory/2904-153-0x00007FF753DA0000-0x00007FF7540F1000-memory.dmp	upx
behavioral2/memory/2872-152-0x00007FF7C1E20000-0x00007FF7C2171000-memory.dmp	upx
behavioral2/memory/4696-150-0x00007FF695780000-0x00007FF695AD1000-memory.dmp	upx
behavioral2/memory/860-148-0x00007FF7C6FA0000-0x00007FF7C72F1000-memory.dmp	upx
behavioral2/memory/1936-154-0x00007FF625E90000-0x00007FF6261E1000-memory.dmp	upx
behavioral2/memory/4276-155-0x00007FF6604C0000-0x00007FF660811000-memory.dmp	upx
behavioral2/memory/4396-156-0x00007FF714ED0000-0x00007FF715221000-memory.dmp	upx
behavioral2/memory/4464-161-0x00007FF71B440000-0x00007FF71B791000-memory.dmp	upx
behavioral2/memory/2552-162-0x00007FF7F6E60000-0x00007FF7F71B1000-memory.dmp	upx
behavioral2/memory/2176-218-0x00007FF6F3020000-0x00007FF6F3371000-memory.dmp	upx
behavioral2/memory/4928-220-0x00007FF76F7E0000-0x00007FF76FB31000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\oQggqBY.exe	2024-09-23_5f8b8ef95446d470d0469448586a4775_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sVvYtQZ.exe	2024-09-23_5f8b8ef95446d470d0469448586a4775_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bXTqbMA.exe	2024-09-23_5f8b8ef95446d470d0469448586a4775_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FoIOFlU.exe	2024-09-23_5f8b8ef95446d470d0469448586a4775_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RQyIeze.exe	2024-09-23_5f8b8ef95446d470d0469448586a4775_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wgEIOtd.exe	2024-09-23_5f8b8ef95446d470d0469448586a4775_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HpUOpVx.exe	2024-09-23_5f8b8ef95446d470d0469448586a4775_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PqtwfrG.exe	2024-09-23_5f8b8ef95446d470d0469448586a4775_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wOSExxs.exe	2024-09-23_5f8b8ef95446d470d0469448586a4775_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QQqcyaL.exe	2024-09-23_5f8b8ef95446d470d0469448586a4775_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xGjILjv.exe	2024-09-23_5f8b8ef95446d470d0469448586a4775_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nvYWfDI.exe	2024-09-23_5f8b8ef95446d470d0469448586a4775_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qCksgoV.exe	2024-09-23_5f8b8ef95446d470d0469448586a4775_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uJsndrC.exe	2024-09-23_5f8b8ef95446d470d0469448586a4775_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xcHOdpn.exe	2024-09-23_5f8b8ef95446d470d0469448586a4775_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\myDceKN.exe	2024-09-23_5f8b8ef95446d470d0469448586a4775_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WdicAZW.exe	2024-09-23_5f8b8ef95446d470d0469448586a4775_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\shIdDlX.exe	2024-09-23_5f8b8ef95446d470d0469448586a4775_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fYHEuiO.exe	2024-09-23_5f8b8ef95446d470d0469448586a4775_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CYTROcI.exe	2024-09-23_5f8b8ef95446d470d0469448586a4775_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mrGpnwA.exe	2024-09-23_5f8b8ef95446d470d0469448586a4775_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2552	2024-09-23_5f8b8ef95446d470d0469448586a4775_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2552	2024-09-23_5f8b8ef95446d470d0469448586a4775_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2552 wrote to memory of 2176	2552	2024-09-23_5f8b8ef95446d470d0469448586a4775_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 2552 wrote to memory of 2176	2552	2024-09-23_5f8b8ef95446d470d0469448586a4775_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 2552 wrote to memory of 4928	2552	2024-09-23_5f8b8ef95446d470d0469448586a4775_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2552 wrote to memory of 4928	2552	2024-09-23_5f8b8ef95446d470d0469448586a4775_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2552 wrote to memory of 3564	2552	2024-09-23_5f8b8ef95446d470d0469448586a4775_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2552 wrote to memory of 3564	2552	2024-09-23_5f8b8ef95446d470d0469448586a4775_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2552 wrote to memory of 3428	2552	2024-09-23_5f8b8ef95446d470d0469448586a4775_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2552 wrote to memory of 3428	2552	2024-09-23_5f8b8ef95446d470d0469448586a4775_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2552 wrote to memory of 3832	2552	2024-09-23_5f8b8ef95446d470d0469448586a4775_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2552 wrote to memory of 3832	2552	2024-09-23_5f8b8ef95446d470d0469448586a4775_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2552 wrote to memory of 1932	2552	2024-09-23_5f8b8ef95446d470d0469448586a4775_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2552 wrote to memory of 1932	2552	2024-09-23_5f8b8ef95446d470d0469448586a4775_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2552 wrote to memory of 2460	2552	2024-09-23_5f8b8ef95446d470d0469448586a4775_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2552 wrote to memory of 2460	2552	2024-09-23_5f8b8ef95446d470d0469448586a4775_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2552 wrote to memory of 1452	2552	2024-09-23_5f8b8ef95446d470d0469448586a4775_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2552 wrote to memory of 1452	2552	2024-09-23_5f8b8ef95446d470d0469448586a4775_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2552 wrote to memory of 3112	2552	2024-09-23_5f8b8ef95446d470d0469448586a4775_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2552 wrote to memory of 3112	2552	2024-09-23_5f8b8ef95446d470d0469448586a4775_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2552 wrote to memory of 2904	2552	2024-09-23_5f8b8ef95446d470d0469448586a4775_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2552 wrote to memory of 2904	2552	2024-09-23_5f8b8ef95446d470d0469448586a4775_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2552 wrote to memory of 3984	2552	2024-09-23_5f8b8ef95446d470d0469448586a4775_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2552 wrote to memory of 3984	2552	2024-09-23_5f8b8ef95446d470d0469448586a4775_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2552 wrote to memory of 3188	2552	2024-09-23_5f8b8ef95446d470d0469448586a4775_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2552 wrote to memory of 3188	2552	2024-09-23_5f8b8ef95446d470d0469448586a4775_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2552 wrote to memory of 860	2552	2024-09-23_5f8b8ef95446d470d0469448586a4775_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2552 wrote to memory of 860	2552	2024-09-23_5f8b8ef95446d470d0469448586a4775_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2552 wrote to memory of 4936	2552	2024-09-23_5f8b8ef95446d470d0469448586a4775_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2552 wrote to memory of 4936	2552	2024-09-23_5f8b8ef95446d470d0469448586a4775_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2552 wrote to memory of 4696	2552	2024-09-23_5f8b8ef95446d470d0469448586a4775_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2552 wrote to memory of 4696	2552	2024-09-23_5f8b8ef95446d470d0469448586a4775_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2552 wrote to memory of 2868	2552	2024-09-23_5f8b8ef95446d470d0469448586a4775_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2552 wrote to memory of 2868	2552	2024-09-23_5f8b8ef95446d470d0469448586a4775_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2552 wrote to memory of 2872	2552	2024-09-23_5f8b8ef95446d470d0469448586a4775_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2552 wrote to memory of 2872	2552	2024-09-23_5f8b8ef95446d470d0469448586a4775_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2552 wrote to memory of 1936	2552	2024-09-23_5f8b8ef95446d470d0469448586a4775_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2552 wrote to memory of 1936	2552	2024-09-23_5f8b8ef95446d470d0469448586a4775_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2552 wrote to memory of 4276	2552	2024-09-23_5f8b8ef95446d470d0469448586a4775_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2552 wrote to memory of 4276	2552	2024-09-23_5f8b8ef95446d470d0469448586a4775_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2552 wrote to memory of 4396	2552	2024-09-23_5f8b8ef95446d470d0469448586a4775_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2552 wrote to memory of 4396	2552	2024-09-23_5f8b8ef95446d470d0469448586a4775_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2552 wrote to memory of 4464	2552	2024-09-23_5f8b8ef95446d470d0469448586a4775_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2552 wrote to memory of 4464	2552	2024-09-23_5f8b8ef95446d470d0469448586a4775_cobalt-strike_cobaltstrike_poet-rat.exe	103

C:\Users\Admin\AppData\Local\Temp\2024-09-23_5f8b8ef95446d470d0469448586a4775_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-23_5f8b8ef95446d470d0469448586a4775_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2552
- C:\Windows\System\myDceKN.exe
  C:\Windows\System\myDceKN.exe
  2⤵
  - Executes dropped EXE
  PID:2176
- C:\Windows\System\CYTROcI.exe
  C:\Windows\System\CYTROcI.exe
  2⤵
  - Executes dropped EXE
  PID:4928
- C:\Windows\System\WdicAZW.exe
  C:\Windows\System\WdicAZW.exe
  2⤵
  - Executes dropped EXE
  PID:3564
- C:\Windows\System\xGjILjv.exe
  C:\Windows\System\xGjILjv.exe
  2⤵
  - Executes dropped EXE
  PID:3428
- C:\Windows\System\RQyIeze.exe
  C:\Windows\System\RQyIeze.exe
  2⤵
  - Executes dropped EXE
  PID:3832
- C:\Windows\System\wOSExxs.exe
  C:\Windows\System\wOSExxs.exe
  2⤵
  - Executes dropped EXE
  PID:1932
- C:\Windows\System\mrGpnwA.exe
  C:\Windows\System\mrGpnwA.exe
  2⤵
  - Executes dropped EXE
  PID:2460
- C:\Windows\System\QQqcyaL.exe
  C:\Windows\System\QQqcyaL.exe
  2⤵
  - Executes dropped EXE
  PID:1452
- C:\Windows\System\wgEIOtd.exe
  C:\Windows\System\wgEIOtd.exe
  2⤵
  - Executes dropped EXE
  PID:3112
- C:\Windows\System\oQggqBY.exe
  C:\Windows\System\oQggqBY.exe
  2⤵
  - Executes dropped EXE
  PID:2904
- C:\Windows\System\HpUOpVx.exe
  C:\Windows\System\HpUOpVx.exe
  2⤵
  - Executes dropped EXE
  PID:3984
- C:\Windows\System\sVvYtQZ.exe
  C:\Windows\System\sVvYtQZ.exe
  2⤵
  - Executes dropped EXE
  PID:3188
- C:\Windows\System\shIdDlX.exe
  C:\Windows\System\shIdDlX.exe
  2⤵
  - Executes dropped EXE
  PID:860
- C:\Windows\System\PqtwfrG.exe
  C:\Windows\System\PqtwfrG.exe
  2⤵
  - Executes dropped EXE
  PID:4936
- C:\Windows\System\nvYWfDI.exe
  C:\Windows\System\nvYWfDI.exe
  2⤵
  - Executes dropped EXE
  PID:4696
- C:\Windows\System\qCksgoV.exe
  C:\Windows\System\qCksgoV.exe
  2⤵
  - Executes dropped EXE
  PID:2868
- C:\Windows\System\bXTqbMA.exe
  C:\Windows\System\bXTqbMA.exe
  2⤵
  - Executes dropped EXE
  PID:2872
- C:\Windows\System\uJsndrC.exe
  C:\Windows\System\uJsndrC.exe
  2⤵
  - Executes dropped EXE
  PID:1936
- C:\Windows\System\FoIOFlU.exe
  C:\Windows\System\FoIOFlU.exe
  2⤵
  - Executes dropped EXE
  PID:4276
- C:\Windows\System\xcHOdpn.exe
  C:\Windows\System\xcHOdpn.exe
  2⤵
  - Executes dropped EXE
  PID:4396
- C:\Windows\System\fYHEuiO.exe
  C:\Windows\System\fYHEuiO.exe
  2⤵
  - Executes dropped EXE
  PID:4464

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\CYTROcI.exe

Filesize
5.2MB

MD5
34a75ed83e82312324cbe822ab10aa60

SHA1
7927c7488bb2a20cc18e435dfbb0f86bbe580b13

SHA256
2a35e00c9ca8c77767c266f865cad5f38e2cdaa24d36a79e7d07acf4f622a4f1

SHA512
b990e47d76fd2ddbbaba215ba6c9e55713e70737144d2533137483f1ca2b98c60945f0de7cb02a090c3b7f1d4e8f47d943f467907e7982d9b81afdc5dde31e67

Download Submit
C:\Windows\System\FoIOFlU.exe

Filesize
5.2MB

MD5
e6c2eb85a198d79f0165e7b0d23414fd

SHA1
8468d78231b5434dfa6f7b3fb18b448af933cd92

SHA256
214e03b685fb38370f46b01d9b8be048da38b0592c9b586a05598c349b27dcc5

SHA512
fb61f6568c5b3a827e180eea463ab51938203ebea6925f25129453ba6c224f92e42d6d5866185e0640558f7d46d2449038fa1c48aee04a2e834da15401751ca4

Download Submit
C:\Windows\System\HpUOpVx.exe

Filesize
5.2MB

MD5
1a44d69f95e50c951937a7f8ab6f883c

SHA1
7774933cf8dd33c75699a82c7c46f90bc41c6a9e

SHA256
2fb388fda12b886c10fa7ae5c3b802af11c58afacf08f45fd926e38fbe35c87f

SHA512
6a3772fafe3cb5614c1ba57db1c9bddfe88c16486013355d092fe6c1738e05997ba36da8b1ae15544e85f596c1ea6a1f077f32f22d4d4e8d8cd06d8f8afb887f

Download Submit
C:\Windows\System\PqtwfrG.exe

Filesize
5.2MB

MD5
91cd4724b908e0b74d8c562e33be3d2e

SHA1
898030e4545faa49bd0b5f194481237874c250e9

SHA256
5fdaf7499b4626d3418d9685af4ba057d1318ee08fdd6c0661cf31c4fa2e4815

SHA512
79d320209c586e1a285a6d2c5cd33cc9acf28d4cdf64f0d959caf6b74415edf4b53cd254e2f5bd19d11da34d004f51d292f45afef464e1c18f50f9e6522d16dd

Download Submit
C:\Windows\System\QQqcyaL.exe

Filesize
5.2MB

MD5
663641fe32571192c59e1521a909e98a

SHA1
cd4bcb9a6b2940291229b32fe213a0af5f8786b7

SHA256
06155ed0360b47b6e9a89b09ffc524c6de24032ebdcc1ee527ca537d86dde401

SHA512
318a0cc95999b9fd6945cb616628587527152c0100d346507eedf8c960ba9c2768e3c17bf7dc3a61eb430d03eafc41b420582d2fce8c027b26f5562bea81b9f8

Download Submit
C:\Windows\System\RQyIeze.exe

Filesize
5.2MB

MD5
acc2c24f74eef75316d387964486ff93

SHA1
a20bf0b7481e1d7c7af3c40f96d0c90bb0c0cf03

SHA256
c0acc04ee03ded5eebeaba6d8848841947deaa123190c13507ceaee0f38003e6

SHA512
9f81ee6c9332d8e6e0ac3f02584a8124f8f13f93715448b57bc36373029f3c367bd703af92656f3d760429a4751eff0048a268131dbbc9d26890b11f9da92b8f

Download Submit
C:\Windows\System\WdicAZW.exe

Filesize
5.2MB

MD5
fdec4fa6389a2939e0b7eeb9633e150f

SHA1
eb8341334a5bae5e836cf59fb7632fec2d1c7e18

SHA256
82993bec2e4662ada5874d7b86a51c5886b8c9aa2774341afd98e2471b4ccf72

SHA512
cb181ed620c23724f1f350f165154bbdae6cd82f148c0de84e5e18a4eff06552b6584c94e939443a4f391975cf4fb8fb01d0c1f8f24ad122e91521499e59cb9f

Download Submit
C:\Windows\System\bXTqbMA.exe

Filesize
5.2MB

MD5
d9b1034243ba7db77f3fe75440ea7ef0

SHA1
0cd77c2a792709b954b36bba55d46b28f7fe354c

SHA256
03464d9fd9643880b5ae2b0877a434bd9ec7bceeb70725e843817de8263e05a9

SHA512
5faec66359c798f517589d75b295d4dc6a807283e4aaab1a093c76cf405ef11631b03ab78373f6ba2385f76e2e31c2447763bd0f41ddf761c5c0efa33c35d1dc

Download Submit
C:\Windows\System\fYHEuiO.exe

Filesize
5.2MB

MD5
05b730de07a289ce888fb78c8abc6d6a

SHA1
f3c10630819b16c01a26462a92e3ebf42d1fd842

SHA256
493f53ba34fcb2dc630b88a221345374714afb301a303c1573daa637dabbd3b7

SHA512
8cf776ee963063dd8c2595c69de823e87f2dfa1f57cfb1147184372505e1dc4b9e8188a1aa82e20440e00d737ccf219b77a4df132cad507a78203bed492c7748

Download Submit
C:\Windows\System\mrGpnwA.exe

Filesize
5.2MB

MD5
ea81355dec3d5fd71520a69c86a9a717

SHA1
86f1e2d4d001f73568491dc8a1a4a2f467a01512

SHA256
5e2fd1bce8bc99ca1bf7672c9513a003fb227238e139d643addf067234abd444

SHA512
9ec9465a0be344a410164fc56d3bdf505f47a7094bdc025ae352bef1fdcef428f93b52f4d187c34938e37b7c674d2fef10ff87a25cf0fd75f109a70eeee1c47b

Download Submit
C:\Windows\System\myDceKN.exe

Filesize
5.2MB

MD5
7edc1559534789a1aa1aa328fab324c0

SHA1
3d9e2ce302ff4e03deda09fd412c42c40c558f73

SHA256
95d14c7808a39d71fe3cf7b386c5c87a005a471c03ccd886234dccd9c084fe09

SHA512
6ffa1bd438a6bc9ff536cfc38729064f7d199b96254d008647e6b019b1532e012e18b5945bfbefd10af427e64b12e53127fc24291aa483859f95565f4053b466

Download Submit
C:\Windows\System\nvYWfDI.exe

Filesize
5.2MB

MD5
785cba3b285903dbcb2c3ca2ae351a91

SHA1
7c08214dd6981e944acf6616a5a13ba5313e06a0

SHA256
b9506242a208d851912a2b152ba639b5242f324c5ad47d489143f53648946c6d

SHA512
beffadb66c63a7a9a226efbc5519097b8ac082b7baa98d3035fedb1eccab91276d3b8f7ece7c538849b16f85fd711350f34199423bf080f288bd6278eef29223

Download Submit
C:\Windows\System\oQggqBY.exe

Filesize
5.2MB

MD5
71686ef5e7c77169c64e25ece6b16d5b

SHA1
8004d352e3d18b38f0495599825bee4ee8ab713d

SHA256
7e1afb3c7c00ecf7ee3d185a117b88bd75d09a89b43f4d7a81bb7a4366edca9a

SHA512
6849299958e9e54af0d1cdd00939b23b197b95087f4c93cd698a8f3c9e3246077346fa61488f3b087b10d495eee548f6a099be7c748ce4454e3b9b60839b4abd

Download Submit
C:\Windows\System\qCksgoV.exe

Filesize
5.2MB

MD5
2a094fe213261058007f8e1dca33449a

SHA1
408531191d497afe71d4efff628ece183bf4c4f3

SHA256
9900c31cc7a16ffa893657cb12ba38239b7394b421bb8b2af82fd33be2843950

SHA512
d26eb55ccc911f7e08ff264433e314eaef539c82651deabaf19f886786736e7146dfce873061f0f5cfb41b62338596d51d2067a57fed7466d0590f6002a324a9

Download Submit
C:\Windows\System\sVvYtQZ.exe

Filesize
5.2MB

MD5
85ae9818d3c107c75dc757bad9f81783

SHA1
f396a8afb83e0094207e7c97b948f6eaeca860d9

SHA256
307551863df8f3ec92b314438ca1d1ad058e2a8a35b1e0cf3b7624afd7a8c3aa

SHA512
944fd33b1afa069b6f73b47c39312c1f3aa09e00c39e4fe439d24b7c432bb0b890be139af4f649e6c5d51e79567bed3aa91163f605785394ae3826c51479b68e

Download Submit
C:\Windows\System\shIdDlX.exe

Filesize
5.2MB

MD5
4cc6028f021e34636532fff9b0083ab2

SHA1
13a59e53a6e3894ad4d19099470112c472d080e8

SHA256
fa728c0e44582c41eeee0986b63074cb70c1076b1a6a0c39a257cf6b92b14abf

SHA512
a6122bc914ef5ac9802b2590cc0707e7ee5bfa2a49128399d847ea7daea32c8fd177a16dde867c12514f698629eabaf5b0102bf8473caa3759bd59cff67ecef9

Download Submit
C:\Windows\System\uJsndrC.exe

Filesize
5.2MB

MD5
57acaaa1a3208f8bbe6ed20ba9041503

SHA1
6406bca45b2495db419c4daa72cbbf30a43c7042

SHA256
791d81ae87322ea67c857ee9cfbee30c24deb22f4c1045caeb90504fb6e35645

SHA512
9f370426a77b92b1cf4433b570faab2830daa81e4641e2fc32c616acc2b3ecebbb86cbc550cb8c7d9fb74aff808fa7bb4f383a55d3238d209c26a7cbbec50ac1

Download Submit
C:\Windows\System\wOSExxs.exe

Filesize
5.2MB

MD5
87911f60fed1dc8e3dc2e4e09634d577

SHA1
4b2d4a40cbcf6b44aa967ced4a5283b96e7c4cb9

SHA256
61c17a90e6f5a9707e4a8751a67ce5936da78b6f5200a7c9670e214f58243ec9

SHA512
196d3a7c626e00d11265703f23503f41d22161f2fbbd4e9b042a3606653b7ae8ce5fc6edca3f97cdc1d87cdb3eac6a4d2e991eff2623c78dc292c0f3ae7c7212

Download Submit
C:\Windows\System\wgEIOtd.exe

Filesize
5.2MB

MD5
ee6f338a50ecd324989b841f2dfc4007

SHA1
cb40447bef66c52669731442753286a39a7e6b2e

SHA256
1683ca0ca6319cddb72af185c9074d5e65d4f696dbd19c170591c63516e27046

SHA512
fa214ffec0b9b097adb0daabb015299706508ffbe1f15ec0d9d8a7ca1dc65fa2d9fc1e5f6ac56bcb3e1562089c5c106dc56570f04c61e50d7defa0675e2abffd

Download Submit
C:\Windows\System\xGjILjv.exe

Filesize
5.2MB

MD5
8bfc2ceb94308ad1721ca347f6aace3a

SHA1
f93b114d8d56da2173e5bcfa5751133dc6311549

SHA256
4c9b321ee9a9d2e51a858ea884eb8d63ae223f382420cfcbc7b1d09477f55d5c

SHA512
c14abb53c4f4da21fb4ae835bb381fa83b1d402da3d1862e2d8e783dc3a84eeecb2355f551c4bbcba92fe1076eb1a1381ead548819847ac54a0c770025c4c613

Download Submit
C:\Windows\System\xcHOdpn.exe

Filesize
5.2MB

MD5
2379ef4f3914ce37779216c019efd3d1

SHA1
8b45890d4a8b50487862896ab9cc530353d10018

SHA256
ec72276cdbf00c4b89a81400e1756c8a0db1a9fc9fe93529f02c13ef4d6d83fc

SHA512
1e1fb231ed5fb9b8f3726c29bae460a4735e27784125b8824fb93a2c66a735462862ee31ae7420588d912496318e12bef9ce474c360eccbed7519adc7d78c168

Download Submit
memory/860-148-0x00007FF7C6FA0000-0x00007FF7C72F1000-memory.dmp

Filesize
3.3MB

Download
memory/860-249-0x00007FF7C6FA0000-0x00007FF7C72F1000-memory.dmp

Filesize
3.3MB

Download
memory/860-90-0x00007FF7C6FA0000-0x00007FF7C72F1000-memory.dmp

Filesize
3.3MB

Download
memory/1452-227-0x00007FF671940000-0x00007FF671C91000-memory.dmp

Filesize
3.3MB

Download
memory/1452-56-0x00007FF671940000-0x00007FF671C91000-memory.dmp

Filesize
3.3MB

Download
memory/1932-225-0x00007FF751140000-0x00007FF751491000-memory.dmp

Filesize
3.3MB

Download
memory/1932-44-0x00007FF751140000-0x00007FF751491000-memory.dmp

Filesize
3.3MB

Download
memory/1932-133-0x00007FF751140000-0x00007FF751491000-memory.dmp

Filesize
3.3MB

Download
memory/1936-263-0x00007FF625E90000-0x00007FF6261E1000-memory.dmp

Filesize
3.3MB

Download
memory/1936-154-0x00007FF625E90000-0x00007FF6261E1000-memory.dmp

Filesize
3.3MB

Download
memory/1936-108-0x00007FF625E90000-0x00007FF6261E1000-memory.dmp

Filesize
3.3MB

Download
memory/2176-218-0x00007FF6F3020000-0x00007FF6F3371000-memory.dmp

Filesize
3.3MB

Download
memory/2176-7-0x00007FF6F3020000-0x00007FF6F3371000-memory.dmp

Filesize
3.3MB

Download
memory/2176-129-0x00007FF6F3020000-0x00007FF6F3371000-memory.dmp

Filesize
3.3MB

Download
memory/2460-241-0x00007FF7D4DE0000-0x00007FF7D5131000-memory.dmp

Filesize
3.3MB

Download
memory/2460-88-0x00007FF7D4DE0000-0x00007FF7D5131000-memory.dmp

Filesize
3.3MB

Download
memory/2552-162-0x00007FF7F6E60000-0x00007FF7F71B1000-memory.dmp

Filesize
3.3MB

Download
memory/2552-1-0x0000016EFA5F0000-0x0000016EFA600000-memory.dmp

Filesize
64KB

Download
memory/2552-0-0x00007FF7F6E60000-0x00007FF7F71B1000-memory.dmp

Filesize
3.3MB

Download
memory/2552-132-0x00007FF7F6E60000-0x00007FF7F71B1000-memory.dmp

Filesize
3.3MB

Download
memory/2552-128-0x00007FF7F6E60000-0x00007FF7F71B1000-memory.dmp

Filesize
3.3MB

Download
memory/2868-91-0x00007FF687E20000-0x00007FF688171000-memory.dmp

Filesize
3.3MB

Download
memory/2868-255-0x00007FF687E20000-0x00007FF688171000-memory.dmp

Filesize
3.3MB

Download
memory/2868-151-0x00007FF687E20000-0x00007FF688171000-memory.dmp

Filesize
3.3MB

Download
memory/2872-106-0x00007FF7C1E20000-0x00007FF7C2171000-memory.dmp

Filesize
3.3MB

Download
memory/2872-261-0x00007FF7C1E20000-0x00007FF7C2171000-memory.dmp

Filesize
3.3MB

Download
memory/2872-152-0x00007FF7C1E20000-0x00007FF7C2171000-memory.dmp

Filesize
3.3MB

Download
memory/2904-244-0x00007FF753DA0000-0x00007FF7540F1000-memory.dmp

Filesize
3.3MB

Download
memory/2904-69-0x00007FF753DA0000-0x00007FF7540F1000-memory.dmp

Filesize
3.3MB

Download
memory/2904-153-0x00007FF753DA0000-0x00007FF7540F1000-memory.dmp

Filesize
3.3MB

Download
memory/3112-89-0x00007FF728980000-0x00007FF728CD1000-memory.dmp

Filesize
3.3MB

Download
memory/3112-239-0x00007FF728980000-0x00007FF728CD1000-memory.dmp

Filesize
3.3MB

Download
memory/3188-82-0x00007FF67AD20000-0x00007FF67B071000-memory.dmp

Filesize
3.3MB

Download
memory/3188-135-0x00007FF67AD20000-0x00007FF67B071000-memory.dmp

Filesize
3.3MB

Download
memory/3188-246-0x00007FF67AD20000-0x00007FF67B071000-memory.dmp

Filesize
3.3MB

Download
memory/3428-222-0x00007FF6FE100000-0x00007FF6FE451000-memory.dmp

Filesize
3.3MB

Download
memory/3428-131-0x00007FF6FE100000-0x00007FF6FE451000-memory.dmp

Filesize
3.3MB

Download
memory/3428-32-0x00007FF6FE100000-0x00007FF6FE451000-memory.dmp

Filesize
3.3MB

Download
memory/3564-85-0x00007FF76B350000-0x00007FF76B6A1000-memory.dmp

Filesize
3.3MB

Download
memory/3564-229-0x00007FF76B350000-0x00007FF76B6A1000-memory.dmp

Filesize
3.3MB

Download
memory/3832-87-0x00007FF7FE7F0000-0x00007FF7FEB41000-memory.dmp

Filesize
3.3MB

Download
memory/3832-230-0x00007FF7FE7F0000-0x00007FF7FEB41000-memory.dmp

Filesize
3.3MB

Download
memory/3984-76-0x00007FF709910000-0x00007FF709C61000-memory.dmp

Filesize
3.3MB

Download
memory/3984-247-0x00007FF709910000-0x00007FF709C61000-memory.dmp

Filesize
3.3MB

Download
memory/3984-134-0x00007FF709910000-0x00007FF709C61000-memory.dmp

Filesize
3.3MB

Download
memory/4276-155-0x00007FF6604C0000-0x00007FF660811000-memory.dmp

Filesize
3.3MB

Download
memory/4276-118-0x00007FF6604C0000-0x00007FF660811000-memory.dmp

Filesize
3.3MB

Download
memory/4276-265-0x00007FF6604C0000-0x00007FF660811000-memory.dmp

Filesize
3.3MB

Download
memory/4396-156-0x00007FF714ED0000-0x00007FF715221000-memory.dmp

Filesize
3.3MB

Download
memory/4396-120-0x00007FF714ED0000-0x00007FF715221000-memory.dmp

Filesize
3.3MB

Download
memory/4396-268-0x00007FF714ED0000-0x00007FF715221000-memory.dmp

Filesize
3.3MB

Download
memory/4464-125-0x00007FF71B440000-0x00007FF71B791000-memory.dmp

Filesize
3.3MB

Download
memory/4464-161-0x00007FF71B440000-0x00007FF71B791000-memory.dmp

Filesize
3.3MB

Download
memory/4464-269-0x00007FF71B440000-0x00007FF71B791000-memory.dmp

Filesize
3.3MB

Download
memory/4696-84-0x00007FF695780000-0x00007FF695AD1000-memory.dmp

Filesize
3.3MB

Download
memory/4696-150-0x00007FF695780000-0x00007FF695AD1000-memory.dmp

Filesize
3.3MB

Download
memory/4696-253-0x00007FF695780000-0x00007FF695AD1000-memory.dmp

Filesize
3.3MB

Download
memory/4928-17-0x00007FF76F7E0000-0x00007FF76FB31000-memory.dmp

Filesize
3.3MB

Download
memory/4928-130-0x00007FF76F7E0000-0x00007FF76FB31000-memory.dmp

Filesize
3.3MB

Download
memory/4928-220-0x00007FF76F7E0000-0x00007FF76FB31000-memory.dmp

Filesize
3.3MB

Download
memory/4936-83-0x00007FF7D0060000-0x00007FF7D03B1000-memory.dmp

Filesize
3.3MB

Download
memory/4936-149-0x00007FF7D0060000-0x00007FF7D03B1000-memory.dmp

Filesize
3.3MB

Download
memory/4936-251-0x00007FF7D0060000-0x00007FF7D03B1000-memory.dmp

Filesize
3.3MB

Download