cobaltstrike | 0c0caaf55ddd9d8b8bb382857d495565c9383f645ed46c4f1850bacd859f8f6b

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25-09-2024 06:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-25_55045cb019e83416f884e16d9890dcb5_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

55045cb019e83416f884e16d9890dcb5
SHA1

c0511ba40328cbcc55a287d188c9741ad7f8819d
SHA256

0c0caaf55ddd9d8b8bb382857d495565c9383f645ed46c4f1850bacd859f8f6b
SHA512

e851d92549ee66607191d89d7176d399ee9c3c46536e591149595b53b7e59248dfa40e135aaba9c11e2aab8f774997f13c36bf4814cd31cec57594e900d27038
SSDEEP

49152:ROdWCCi7/raA56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lR:RWWBibj56utgpPFotBER/mQ32lUF

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x00090000000234c0-5.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234cc-10.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234cd-20.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d0-38.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d2-64.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d4-78.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d6-87.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d8-98.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234da-104.dat	cobalt_reflective_dll
behavioral2/files/0x000a0000000234c6-115.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234dd-126.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234dc-111.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234db-106.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d9-102.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d5-89.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d3-72.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d7-70.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234cf-52.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d1-62.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ce-37.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234cb-17.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 47 IoCs

miner

resource	yara_rule
behavioral2/memory/4148-7-0x00007FF679DD0000-0x00007FF67A121000-memory.dmp	xmrig
behavioral2/memory/3528-121-0x00007FF761B40000-0x00007FF761E91000-memory.dmp	xmrig
behavioral2/memory/1360-122-0x00007FF73B3F0000-0x00007FF73B741000-memory.dmp	xmrig
behavioral2/memory/952-118-0x00007FF61A380000-0x00007FF61A6D1000-memory.dmp	xmrig
behavioral2/memory/3808-117-0x00007FF68AAB0000-0x00007FF68AE01000-memory.dmp	xmrig
behavioral2/memory/848-116-0x00007FF7876D0000-0x00007FF787A21000-memory.dmp	xmrig
behavioral2/memory/3428-114-0x00007FF7F84A0000-0x00007FF7F87F1000-memory.dmp	xmrig
behavioral2/memory/8-113-0x00007FF7D1F30000-0x00007FF7D2281000-memory.dmp	xmrig
behavioral2/memory/2104-97-0x00007FF6D8810000-0x00007FF6D8B61000-memory.dmp	xmrig
behavioral2/memory/1160-85-0x00007FF79F4C0000-0x00007FF79F811000-memory.dmp	xmrig
behavioral2/memory/2220-55-0x00007FF7C8B90000-0x00007FF7C8EE1000-memory.dmp	xmrig
behavioral2/memory/696-43-0x00007FF76AEF0000-0x00007FF76B241000-memory.dmp	xmrig
behavioral2/memory/4148-129-0x00007FF679DD0000-0x00007FF67A121000-memory.dmp	xmrig
behavioral2/memory/2556-132-0x00007FF72D3F0000-0x00007FF72D741000-memory.dmp	xmrig
behavioral2/memory/3148-130-0x00007FF6E0B10000-0x00007FF6E0E61000-memory.dmp	xmrig
behavioral2/memory/2220-133-0x00007FF7C8B90000-0x00007FF7C8EE1000-memory.dmp	xmrig
behavioral2/memory/2192-128-0x00007FF620720000-0x00007FF620A71000-memory.dmp	xmrig
behavioral2/memory/2864-135-0x00007FF6DF480000-0x00007FF6DF7D1000-memory.dmp	xmrig
behavioral2/memory/4612-146-0x00007FF6F79A0000-0x00007FF6F7CF1000-memory.dmp	xmrig
behavioral2/memory/4856-136-0x00007FF7D9060000-0x00007FF7D93B1000-memory.dmp	xmrig
behavioral2/memory/1172-145-0x00007FF7B0110000-0x00007FF7B0461000-memory.dmp	xmrig
behavioral2/memory/2532-140-0x00007FF638F90000-0x00007FF6392E1000-memory.dmp	xmrig
behavioral2/memory/1648-138-0x00007FF7E2A20000-0x00007FF7E2D71000-memory.dmp	xmrig
behavioral2/memory/2192-150-0x00007FF620720000-0x00007FF620A71000-memory.dmp	xmrig
behavioral2/memory/3344-149-0x00007FF793310000-0x00007FF793661000-memory.dmp	xmrig
behavioral2/memory/2192-151-0x00007FF620720000-0x00007FF620A71000-memory.dmp	xmrig
behavioral2/memory/4148-212-0x00007FF679DD0000-0x00007FF67A121000-memory.dmp	xmrig
behavioral2/memory/3148-214-0x00007FF6E0B10000-0x00007FF6E0E61000-memory.dmp	xmrig
behavioral2/memory/696-216-0x00007FF76AEF0000-0x00007FF76B241000-memory.dmp	xmrig
behavioral2/memory/2556-218-0x00007FF72D3F0000-0x00007FF72D741000-memory.dmp	xmrig
behavioral2/memory/2220-222-0x00007FF7C8B90000-0x00007FF7C8EE1000-memory.dmp	xmrig
behavioral2/memory/8-221-0x00007FF7D1F30000-0x00007FF7D2281000-memory.dmp	xmrig
behavioral2/memory/2864-225-0x00007FF6DF480000-0x00007FF6DF7D1000-memory.dmp	xmrig
behavioral2/memory/3428-226-0x00007FF7F84A0000-0x00007FF7F87F1000-memory.dmp	xmrig
behavioral2/memory/4856-236-0x00007FF7D9060000-0x00007FF7D93B1000-memory.dmp	xmrig
behavioral2/memory/2104-234-0x00007FF6D8810000-0x00007FF6D8B61000-memory.dmp	xmrig
behavioral2/memory/1648-240-0x00007FF7E2A20000-0x00007FF7E2D71000-memory.dmp	xmrig
behavioral2/memory/1160-239-0x00007FF79F4C0000-0x00007FF79F811000-memory.dmp	xmrig
behavioral2/memory/4612-251-0x00007FF6F79A0000-0x00007FF6F7CF1000-memory.dmp	xmrig
behavioral2/memory/3528-250-0x00007FF761B40000-0x00007FF761E91000-memory.dmp	xmrig
behavioral2/memory/848-258-0x00007FF7876D0000-0x00007FF787A21000-memory.dmp	xmrig
behavioral2/memory/2532-257-0x00007FF638F90000-0x00007FF6392E1000-memory.dmp	xmrig
behavioral2/memory/3808-255-0x00007FF68AAB0000-0x00007FF68AE01000-memory.dmp	xmrig
behavioral2/memory/952-253-0x00007FF61A380000-0x00007FF61A6D1000-memory.dmp	xmrig
behavioral2/memory/1360-248-0x00007FF73B3F0000-0x00007FF73B741000-memory.dmp	xmrig
behavioral2/memory/3344-246-0x00007FF793310000-0x00007FF793661000-memory.dmp	xmrig
behavioral2/memory/1172-244-0x00007FF7B0110000-0x00007FF7B0461000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4148	oABKUtF.exe
3148	bHcSAPn.exe
696	TMQVszy.exe
2556	HXUVtiV.exe
2220	tBKjALJ.exe
8	WhZhxOq.exe
2864	zEWBgbV.exe
4856	DCZuZlf.exe
3428	mWzMOuO.exe
1648	whcNfyo.exe
1160	jfJQAXr.exe
2532	xtbzKyb.exe
848	RxYlhLi.exe
2104	CWuCziQ.exe
3808	wisbVaR.exe
952	yEsQEIi.exe
1172	gpxKBeC.exe
4612	gBpvNls.exe
3528	auKKHKn.exe
1360	wIfQrZX.exe
3344	QYWzlje.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2192-0-0x00007FF620720000-0x00007FF620A71000-memory.dmp	upx
behavioral2/files/0x00090000000234c0-5.dat	upx
behavioral2/memory/4148-7-0x00007FF679DD0000-0x00007FF67A121000-memory.dmp	upx
behavioral2/files/0x00070000000234cc-10.dat	upx
behavioral2/files/0x00070000000234cd-20.dat	upx
behavioral2/files/0x00070000000234d0-38.dat	upx
behavioral2/files/0x00070000000234d2-64.dat	upx
behavioral2/files/0x00070000000234d4-78.dat	upx
behavioral2/files/0x00070000000234d6-87.dat	upx
behavioral2/files/0x00070000000234d8-98.dat	upx
behavioral2/files/0x00070000000234da-104.dat	upx
behavioral2/files/0x000a0000000234c6-115.dat	upx
behavioral2/memory/3528-121-0x00007FF761B40000-0x00007FF761E91000-memory.dmp	upx
behavioral2/files/0x00070000000234dd-126.dat	upx
behavioral2/memory/3344-125-0x00007FF793310000-0x00007FF793661000-memory.dmp	upx
behavioral2/memory/1360-122-0x00007FF73B3F0000-0x00007FF73B741000-memory.dmp	upx
behavioral2/memory/952-118-0x00007FF61A380000-0x00007FF61A6D1000-memory.dmp	upx
behavioral2/memory/3808-117-0x00007FF68AAB0000-0x00007FF68AE01000-memory.dmp	upx
behavioral2/memory/848-116-0x00007FF7876D0000-0x00007FF787A21000-memory.dmp	upx
behavioral2/memory/3428-114-0x00007FF7F84A0000-0x00007FF7F87F1000-memory.dmp	upx
behavioral2/memory/8-113-0x00007FF7D1F30000-0x00007FF7D2281000-memory.dmp	upx
behavioral2/files/0x00070000000234dc-111.dat	upx
behavioral2/memory/4612-108-0x00007FF6F79A0000-0x00007FF6F7CF1000-memory.dmp	upx
behavioral2/files/0x00070000000234db-106.dat	upx
behavioral2/memory/1172-101-0x00007FF7B0110000-0x00007FF7B0461000-memory.dmp	upx
behavioral2/memory/2104-97-0x00007FF6D8810000-0x00007FF6D8B61000-memory.dmp	upx
behavioral2/memory/2532-96-0x00007FF638F90000-0x00007FF6392E1000-memory.dmp	upx
behavioral2/files/0x00070000000234d9-102.dat	upx
behavioral2/files/0x00070000000234d5-89.dat	upx
behavioral2/memory/1160-85-0x00007FF79F4C0000-0x00007FF79F811000-memory.dmp	upx
behavioral2/memory/1648-83-0x00007FF7E2A20000-0x00007FF7E2D71000-memory.dmp	upx
behavioral2/files/0x00070000000234d3-72.dat	upx
behavioral2/memory/4856-71-0x00007FF7D9060000-0x00007FF7D93B1000-memory.dmp	upx
behavioral2/files/0x00070000000234d7-70.dat	upx
behavioral2/memory/2864-58-0x00007FF6DF480000-0x00007FF6DF7D1000-memory.dmp	upx
behavioral2/memory/2220-55-0x00007FF7C8B90000-0x00007FF7C8EE1000-memory.dmp	upx
behavioral2/files/0x00070000000234cf-52.dat	upx
behavioral2/files/0x00070000000234d1-62.dat	upx
behavioral2/memory/696-43-0x00007FF76AEF0000-0x00007FF76B241000-memory.dmp	upx
behavioral2/files/0x00070000000234ce-37.dat	upx
behavioral2/memory/2556-29-0x00007FF72D3F0000-0x00007FF72D741000-memory.dmp	upx
behavioral2/memory/3148-24-0x00007FF6E0B10000-0x00007FF6E0E61000-memory.dmp	upx
behavioral2/files/0x00070000000234cb-17.dat	upx
behavioral2/memory/4148-129-0x00007FF679DD0000-0x00007FF67A121000-memory.dmp	upx
behavioral2/memory/2556-132-0x00007FF72D3F0000-0x00007FF72D741000-memory.dmp	upx
behavioral2/memory/3148-130-0x00007FF6E0B10000-0x00007FF6E0E61000-memory.dmp	upx
behavioral2/memory/2220-133-0x00007FF7C8B90000-0x00007FF7C8EE1000-memory.dmp	upx
behavioral2/memory/2192-128-0x00007FF620720000-0x00007FF620A71000-memory.dmp	upx
behavioral2/memory/2864-135-0x00007FF6DF480000-0x00007FF6DF7D1000-memory.dmp	upx
behavioral2/memory/4612-146-0x00007FF6F79A0000-0x00007FF6F7CF1000-memory.dmp	upx
behavioral2/memory/4856-136-0x00007FF7D9060000-0x00007FF7D93B1000-memory.dmp	upx
behavioral2/memory/1172-145-0x00007FF7B0110000-0x00007FF7B0461000-memory.dmp	upx
behavioral2/memory/2532-140-0x00007FF638F90000-0x00007FF6392E1000-memory.dmp	upx
behavioral2/memory/1648-138-0x00007FF7E2A20000-0x00007FF7E2D71000-memory.dmp	upx
behavioral2/memory/2192-150-0x00007FF620720000-0x00007FF620A71000-memory.dmp	upx
behavioral2/memory/3344-149-0x00007FF793310000-0x00007FF793661000-memory.dmp	upx
behavioral2/memory/2192-151-0x00007FF620720000-0x00007FF620A71000-memory.dmp	upx
behavioral2/memory/4148-212-0x00007FF679DD0000-0x00007FF67A121000-memory.dmp	upx
behavioral2/memory/3148-214-0x00007FF6E0B10000-0x00007FF6E0E61000-memory.dmp	upx
behavioral2/memory/696-216-0x00007FF76AEF0000-0x00007FF76B241000-memory.dmp	upx
behavioral2/memory/2556-218-0x00007FF72D3F0000-0x00007FF72D741000-memory.dmp	upx
behavioral2/memory/2220-222-0x00007FF7C8B90000-0x00007FF7C8EE1000-memory.dmp	upx
behavioral2/memory/8-221-0x00007FF7D1F30000-0x00007FF7D2281000-memory.dmp	upx
behavioral2/memory/2864-225-0x00007FF6DF480000-0x00007FF6DF7D1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\tBKjALJ.exe	2024-09-25_55045cb019e83416f884e16d9890dcb5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zEWBgbV.exe	2024-09-25_55045cb019e83416f884e16d9890dcb5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\whcNfyo.exe	2024-09-25_55045cb019e83416f884e16d9890dcb5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CWuCziQ.exe	2024-09-25_55045cb019e83416f884e16d9890dcb5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QYWzlje.exe	2024-09-25_55045cb019e83416f884e16d9890dcb5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wIfQrZX.exe	2024-09-25_55045cb019e83416f884e16d9890dcb5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bHcSAPn.exe	2024-09-25_55045cb019e83416f884e16d9890dcb5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WhZhxOq.exe	2024-09-25_55045cb019e83416f884e16d9890dcb5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wisbVaR.exe	2024-09-25_55045cb019e83416f884e16d9890dcb5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yEsQEIi.exe	2024-09-25_55045cb019e83416f884e16d9890dcb5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\auKKHKn.exe	2024-09-25_55045cb019e83416f884e16d9890dcb5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TMQVszy.exe	2024-09-25_55045cb019e83416f884e16d9890dcb5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DCZuZlf.exe	2024-09-25_55045cb019e83416f884e16d9890dcb5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RxYlhLi.exe	2024-09-25_55045cb019e83416f884e16d9890dcb5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gpxKBeC.exe	2024-09-25_55045cb019e83416f884e16d9890dcb5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gBpvNls.exe	2024-09-25_55045cb019e83416f884e16d9890dcb5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oABKUtF.exe	2024-09-25_55045cb019e83416f884e16d9890dcb5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HXUVtiV.exe	2024-09-25_55045cb019e83416f884e16d9890dcb5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mWzMOuO.exe	2024-09-25_55045cb019e83416f884e16d9890dcb5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jfJQAXr.exe	2024-09-25_55045cb019e83416f884e16d9890dcb5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xtbzKyb.exe	2024-09-25_55045cb019e83416f884e16d9890dcb5_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2192	2024-09-25_55045cb019e83416f884e16d9890dcb5_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2192	2024-09-25_55045cb019e83416f884e16d9890dcb5_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2192 wrote to memory of 4148	2192	2024-09-25_55045cb019e83416f884e16d9890dcb5_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 2192 wrote to memory of 4148	2192	2024-09-25_55045cb019e83416f884e16d9890dcb5_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 2192 wrote to memory of 3148	2192	2024-09-25_55045cb019e83416f884e16d9890dcb5_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2192 wrote to memory of 3148	2192	2024-09-25_55045cb019e83416f884e16d9890dcb5_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2192 wrote to memory of 696	2192	2024-09-25_55045cb019e83416f884e16d9890dcb5_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2192 wrote to memory of 696	2192	2024-09-25_55045cb019e83416f884e16d9890dcb5_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2192 wrote to memory of 2556	2192	2024-09-25_55045cb019e83416f884e16d9890dcb5_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2192 wrote to memory of 2556	2192	2024-09-25_55045cb019e83416f884e16d9890dcb5_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2192 wrote to memory of 2220	2192	2024-09-25_55045cb019e83416f884e16d9890dcb5_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2192 wrote to memory of 2220	2192	2024-09-25_55045cb019e83416f884e16d9890dcb5_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2192 wrote to memory of 8	2192	2024-09-25_55045cb019e83416f884e16d9890dcb5_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2192 wrote to memory of 8	2192	2024-09-25_55045cb019e83416f884e16d9890dcb5_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2192 wrote to memory of 2864	2192	2024-09-25_55045cb019e83416f884e16d9890dcb5_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2192 wrote to memory of 2864	2192	2024-09-25_55045cb019e83416f884e16d9890dcb5_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2192 wrote to memory of 4856	2192	2024-09-25_55045cb019e83416f884e16d9890dcb5_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2192 wrote to memory of 4856	2192	2024-09-25_55045cb019e83416f884e16d9890dcb5_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2192 wrote to memory of 3428	2192	2024-09-25_55045cb019e83416f884e16d9890dcb5_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2192 wrote to memory of 3428	2192	2024-09-25_55045cb019e83416f884e16d9890dcb5_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2192 wrote to memory of 1648	2192	2024-09-25_55045cb019e83416f884e16d9890dcb5_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2192 wrote to memory of 1648	2192	2024-09-25_55045cb019e83416f884e16d9890dcb5_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2192 wrote to memory of 1160	2192	2024-09-25_55045cb019e83416f884e16d9890dcb5_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2192 wrote to memory of 1160	2192	2024-09-25_55045cb019e83416f884e16d9890dcb5_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2192 wrote to memory of 2532	2192	2024-09-25_55045cb019e83416f884e16d9890dcb5_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2192 wrote to memory of 2532	2192	2024-09-25_55045cb019e83416f884e16d9890dcb5_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2192 wrote to memory of 848	2192	2024-09-25_55045cb019e83416f884e16d9890dcb5_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2192 wrote to memory of 848	2192	2024-09-25_55045cb019e83416f884e16d9890dcb5_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2192 wrote to memory of 2104	2192	2024-09-25_55045cb019e83416f884e16d9890dcb5_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2192 wrote to memory of 2104	2192	2024-09-25_55045cb019e83416f884e16d9890dcb5_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2192 wrote to memory of 3808	2192	2024-09-25_55045cb019e83416f884e16d9890dcb5_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2192 wrote to memory of 3808	2192	2024-09-25_55045cb019e83416f884e16d9890dcb5_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2192 wrote to memory of 952	2192	2024-09-25_55045cb019e83416f884e16d9890dcb5_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2192 wrote to memory of 952	2192	2024-09-25_55045cb019e83416f884e16d9890dcb5_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2192 wrote to memory of 1172	2192	2024-09-25_55045cb019e83416f884e16d9890dcb5_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2192 wrote to memory of 1172	2192	2024-09-25_55045cb019e83416f884e16d9890dcb5_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2192 wrote to memory of 4612	2192	2024-09-25_55045cb019e83416f884e16d9890dcb5_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2192 wrote to memory of 4612	2192	2024-09-25_55045cb019e83416f884e16d9890dcb5_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2192 wrote to memory of 3528	2192	2024-09-25_55045cb019e83416f884e16d9890dcb5_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2192 wrote to memory of 3528	2192	2024-09-25_55045cb019e83416f884e16d9890dcb5_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2192 wrote to memory of 1360	2192	2024-09-25_55045cb019e83416f884e16d9890dcb5_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2192 wrote to memory of 1360	2192	2024-09-25_55045cb019e83416f884e16d9890dcb5_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2192 wrote to memory of 3344	2192	2024-09-25_55045cb019e83416f884e16d9890dcb5_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2192 wrote to memory of 3344	2192	2024-09-25_55045cb019e83416f884e16d9890dcb5_cobalt-strike_cobaltstrike_poet-rat.exe	103

C:\Users\Admin\AppData\Local\Temp\2024-09-25_55045cb019e83416f884e16d9890dcb5_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-25_55045cb019e83416f884e16d9890dcb5_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2192
- C:\Windows\System\oABKUtF.exe
  C:\Windows\System\oABKUtF.exe
  2⤵
  - Executes dropped EXE
  PID:4148
- C:\Windows\System\bHcSAPn.exe
  C:\Windows\System\bHcSAPn.exe
  2⤵
  - Executes dropped EXE
  PID:3148
- C:\Windows\System\TMQVszy.exe
  C:\Windows\System\TMQVszy.exe
  2⤵
  - Executes dropped EXE
  PID:696
- C:\Windows\System\HXUVtiV.exe
  C:\Windows\System\HXUVtiV.exe
  2⤵
  - Executes dropped EXE
  PID:2556
- C:\Windows\System\tBKjALJ.exe
  C:\Windows\System\tBKjALJ.exe
  2⤵
  - Executes dropped EXE
  PID:2220
- C:\Windows\System\WhZhxOq.exe
  C:\Windows\System\WhZhxOq.exe
  2⤵
  - Executes dropped EXE
  PID:8
- C:\Windows\System\zEWBgbV.exe
  C:\Windows\System\zEWBgbV.exe
  2⤵
  - Executes dropped EXE
  PID:2864
- C:\Windows\System\DCZuZlf.exe
  C:\Windows\System\DCZuZlf.exe
  2⤵
  - Executes dropped EXE
  PID:4856
- C:\Windows\System\mWzMOuO.exe
  C:\Windows\System\mWzMOuO.exe
  2⤵
  - Executes dropped EXE
  PID:3428
- C:\Windows\System\whcNfyo.exe
  C:\Windows\System\whcNfyo.exe
  2⤵
  - Executes dropped EXE
  PID:1648
- C:\Windows\System\jfJQAXr.exe
  C:\Windows\System\jfJQAXr.exe
  2⤵
  - Executes dropped EXE
  PID:1160
- C:\Windows\System\xtbzKyb.exe
  C:\Windows\System\xtbzKyb.exe
  2⤵
  - Executes dropped EXE
  PID:2532
- C:\Windows\System\RxYlhLi.exe
  C:\Windows\System\RxYlhLi.exe
  2⤵
  - Executes dropped EXE
  PID:848
- C:\Windows\System\CWuCziQ.exe
  C:\Windows\System\CWuCziQ.exe
  2⤵
  - Executes dropped EXE
  PID:2104
- C:\Windows\System\wisbVaR.exe
  C:\Windows\System\wisbVaR.exe
  2⤵
  - Executes dropped EXE
  PID:3808
- C:\Windows\System\yEsQEIi.exe
  C:\Windows\System\yEsQEIi.exe
  2⤵
  - Executes dropped EXE
  PID:952
- C:\Windows\System\gpxKBeC.exe
  C:\Windows\System\gpxKBeC.exe
  2⤵
  - Executes dropped EXE
  PID:1172
- C:\Windows\System\gBpvNls.exe
  C:\Windows\System\gBpvNls.exe
  2⤵
  - Executes dropped EXE
  PID:4612
- C:\Windows\System\auKKHKn.exe
  C:\Windows\System\auKKHKn.exe
  2⤵
  - Executes dropped EXE
  PID:3528
- C:\Windows\System\wIfQrZX.exe
  C:\Windows\System\wIfQrZX.exe
  2⤵
  - Executes dropped EXE
  PID:1360
- C:\Windows\System\QYWzlje.exe
  C:\Windows\System\QYWzlje.exe
  2⤵
  - Executes dropped EXE
  PID:3344

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\CWuCziQ.exe

Filesize
5.2MB

MD5
33f4423ad2ad76a9e88e97f38b951e79

SHA1
da30c8794a2d956836ba92e48bf60c9d3f670cc3

SHA256
6de6cdbb779eb494b32f2a8c9fccc8e5cb3c11c838123a7ad5b5d41c5127907d

SHA512
a33aedd0aaeb5c38dab85da50920b27238f4dd553318cff9db55e1a906db354e61fff660b4823c5e66c73fda0f3df07c3edda4d5d111f6e00f2d9aa3db8e763b

Download Submit
C:\Windows\System\DCZuZlf.exe

Filesize
5.2MB

MD5
dc2f63c4fa38c874a1cdc82f82917e81

SHA1
96290b00cf8f4867b8e47543682a2f224c21bf7d

SHA256
22f823b84e4bf2de8d6f2835020578b217dece8b51124484593aa1b8304e227b

SHA512
e5ac66170ecabdadae55274069409407fd45648302a78382ce6cd52ad91d715d52f758d041be3ddcd364708c386be8c93cb909bf38a7bf236d3307d3b4b9cc75

Download Submit
C:\Windows\System\HXUVtiV.exe

Filesize
5.2MB

MD5
13e0ec3e3879258ad4d152103c01d800

SHA1
4396825f1875c1442c0ad446d28bc666de74750a

SHA256
1de6ac9d52460596e953dcff72c454fa6a351ef431a7583ae536ba00970bee7e

SHA512
dfc60191b41d992e333d98803e3abb03fa046e89232c554341cee8bfc5406de971b3dc1e9ce5c8ac4a8f468cdebd407a555d87b0051e166fdc15cc8eddb922de

Download Submit
C:\Windows\System\QYWzlje.exe

Filesize
5.2MB

MD5
a1f51e56f867612ee7622128c5fff634

SHA1
454829c64ac353a0cf916c95d4f1683b45a51322

SHA256
200ec93a4c72eac08adafe511e876eaaa919c5a1ea6da36ff665b49b24006c86

SHA512
b9c696b8e12655d96b76afd642aeeae12425c3166e7d4be426b42135f9e8c12f747e039e8bdba211d4710bcf45d9692cbfa89ba87b51a83fa31f68842f8076b8

Download Submit
C:\Windows\System\RxYlhLi.exe

Filesize
5.2MB

MD5
b1cc377a19710055c6bb37806b514d9b

SHA1
fd23d4e78da32b1f9deaa0946e88757e3c4e8e60

SHA256
4c9aa7638b1923885296526d6fc180cc83236526295fd8e9396ba72e268f2db5

SHA512
ea5b31aaa764f6361951d50a1ff7fa6432df7fd2f852e87f61726ab6ec76ea122f32ac62e088383c09a1fb4cf2c90c345f9b7cbbb9de563f715e34fc1843dc15

Download Submit
C:\Windows\System\TMQVszy.exe

Filesize
5.2MB

MD5
6eec70d6f54b40ccfd7f83fae56f2237

SHA1
5bda9215b5c01fbf6c9bc9416d5cf88a0af2de50

SHA256
14c8a3f6b5ba9eba05161b0ebc44b0d10345c54c989dae606786d2fd07044c8b

SHA512
dbd5ede10e0e5588c725f65af75d968df9b12cd6b260140a1e3a7a9f63f8060b104bfa6c0c2fb81b2befc681687cea730c5f62d9dc7841213edbba070ad39745

Download Submit
C:\Windows\System\WhZhxOq.exe

Filesize
5.2MB

MD5
0295a9a246d7968bdeacf530f29070a6

SHA1
e0c2d82b234e109030b9de6f3e32c20f10ca7914

SHA256
fa59b059f1ad31e4159ad17239d41f3290d7077dbac9094126039f0fd46d39f7

SHA512
16ed2206356e702f028df3f241655d31c5528c655c3b398ce4bc15430cc9a4bf2fc9385ede1d72bdd5c3b08d228457a14061993552419a89362e04f0629d4e62

Download Submit
C:\Windows\System\auKKHKn.exe

Filesize
5.2MB

MD5
54867a50d5cf2387ba7465090f12abb5

SHA1
8df75106d14ed209db6d0f85767692d0dc19b8a6

SHA256
d01f9ebf23d34b8410b1253e55d1307a758d2280cd0a610860133fc4556fe6d6

SHA512
7d980d14056cecc702157d854ac0523645d53451acb470b242ff020b8bb8b22e6fe167cdbd0cb33aa2e44354b4d438423f0767d2a9f6112bee4961085d3e42aa

Download Submit
C:\Windows\System\bHcSAPn.exe

Filesize
5.2MB

MD5
82cf63e8c8bc273a98a5c14f88f88ccf

SHA1
3959665584ded7ebf32864607c47c62d21a5723f

SHA256
7beefbd4e2c9f1e3f60d043139c13d9c262a7bb8dd56b22c6d503cbff8bced20

SHA512
aaaf158184ae1fdc264d53156939ddaea6829ff5cca302d7c56d4c8f99231c2cdd776860aa8283b6ee165c516370325f691e0b33da67f2edf11ccce039cba9b3

Download Submit
C:\Windows\System\gBpvNls.exe

Filesize
5.2MB

MD5
683a2f02f2c2d99936915b9bc5eff019

SHA1
5f0f8d768addf3265c413ff81b41ade5fb698024

SHA256
cbbbc7d8ec014dcb7bf95ca9b1f587908334e5943328b2b72ab81194460ba50f

SHA512
1667f5c208d69ada9b6deea1cfccbc1890a4b318f4ffde5618dc33ad2f3ac50074657234b44c1d45e277e6cd366d5adf4255dd8dfd8a622fc3745573bd759d45

Download Submit
C:\Windows\System\gpxKBeC.exe

Filesize
5.2MB

MD5
de318839f8c7e21a6f0610af2dfe3545

SHA1
3d06083f285161d6b3ae18d705a8d99d39b95b32

SHA256
6f1d6bb6e140436517d8b2203fa911dff89492a3c754cf1f2e441e994eab3cf0

SHA512
69be6ecc443851ba53bd870f8eb690ea624c525c95ca42aa15c2fc66ca35a9bc8bba9cd77e31ef34d9fd40082881458c8b7620762365232911457caf5e46d84e

Download Submit
C:\Windows\System\jfJQAXr.exe

Filesize
5.2MB

MD5
feae5d38056a235689916570c50626ab

SHA1
a95f61cb3786c52ee3835f57299eab914726258a

SHA256
8e078f1413a5d2827691254d191c38758992c393a121e67ab2104cd9a830e458

SHA512
145735e297ca8b41660bdce5cfc906a80d65d08af062a8a1faf6b3e8d05f4207a866e2111caa6542cf4524c025309f8489ea0bf4b6872e685b78fdf6d2ccbadb

Download Submit
C:\Windows\System\mWzMOuO.exe

Filesize
5.2MB

MD5
aadb3a804c56a82aa4bf021ac7c3e8ac

SHA1
dd14c3105b50fffc192ce75e965fa76a6a892527

SHA256
e5d19a2d12983e49c5113eb33576dadbadf721474e0b18c62f3a5b117daa1a58

SHA512
a62d203c45e1e1c1c4b7de1d547944bea7cc71661f6c8adbbc9189ed61516aaf9067eed70acdcf7e69adee6449aee69e78a47f7e85be1908964827d1be408ce6

Download Submit
C:\Windows\System\oABKUtF.exe

Filesize
5.2MB

MD5
0b3f8e4533d06bc76614f19f0aa6c781

SHA1
52a7b49882185ec868af40867e7c939961b4ea58

SHA256
74c3394e65d1da86c084d2c284167855b11aefa33a3b85fef54153ab36aa3f66

SHA512
e5b5fc3fd4c022e26f2128d2594025875be52d609e5c02510993837897df30c45c4b87596e09f7dc9ce4c857d64eea7dc620262bd39bae18e39bb9452c7cc9a7

Download Submit
C:\Windows\System\tBKjALJ.exe

Filesize
5.2MB

MD5
1d0321cc91b10d7c338b7bcee7f1b9cf

SHA1
4f55b17065eb7031269b48108a3067c5d9d9b126

SHA256
4e38e6f966b7584d3d382c6fe9fac684244094bc947c31e4c3e4a509fc984768

SHA512
46e1e4c6b6dc7d19fe3adceda4296629e33df8a24635851d570309d3c4b93fe0ed5460f83ab6bb877f5770279a262c14fbb27e32b8dac281f1c7a907531f4970

Download Submit
C:\Windows\System\wIfQrZX.exe

Filesize
5.2MB

MD5
693f2568b8b5b8776ad8a24959e6dbb2

SHA1
db670336a8cb7bd7560f063c7f632d490a7d94ab

SHA256
ab77fe99ab0abcfd26b4b47ef4261fb78b7ed9e7983d0e58671c9369b1e48c55

SHA512
fbbfe02953d4838c423e6d38b004a6af784885e65d8cf9b5df9e6ac61be79eb676339fc6e7990f599e43f18a3159f2d7351751458ae20f659f143ef4818b54ff

Download Submit
C:\Windows\System\whcNfyo.exe

Filesize
5.2MB

MD5
34d7b26d0ef71de8aae084c335e76e39

SHA1
b884e4c07970fab38189ab2daf7977052f84673e

SHA256
e0a8f989a7e8287417509b92635f0812a6f2a153ffc2266c494a778ef36a115b

SHA512
fb1c7c88a8e8d87413fc3e6ce9598406eca6d4b5482684119bf7ea9e314c0dc1dca185a65e88dd9ffa8bc455e86d3088f2821e3645d0824243c115415787336e

Download Submit
C:\Windows\System\wisbVaR.exe

Filesize
5.2MB

MD5
d2ca1b09ba293b64f3cb2e479db6dfc2

SHA1
3e31c64e360bb64b1737d6d0158fc9ef1efb1589

SHA256
f1e9319de4a027d11bd6d61ec83dccab6e3b92d98941a40bef1768e6a9f5b158

SHA512
fe4206467cb36dfbe824b608387760ab1a82d05a827cae2b28d42044fb627fd285c4e1ca6ce3836f5193fa72d0058930b291ae281ad34f27f0ffb89fe6dd01b0

Download Submit
C:\Windows\System\xtbzKyb.exe

Filesize
5.2MB

MD5
51b7c2e88a3d3a3acb21dbd3f6e8d130

SHA1
bb37ea3ff5d890051c14a2af48bcb0ed7e485ce1

SHA256
8a7a9ace64faecd3981f6111c94ee51d5aab0af185e5f142f377cdd0352de8c6

SHA512
411477b018e85c3cac08d531fc3fede3a6b9b90221d9695a5140106de4c11187439274eccbc3041784b0a0ad4ecd8ea8cd8f542b3d65fb64ce74a4ae1529d1b8

Download Submit
C:\Windows\System\yEsQEIi.exe

Filesize
5.2MB

MD5
b7533a3041f125530fa6d3f00fab208e

SHA1
3c62d3c49a51bbacba2fbe36cdb3258d4a7f0ad1

SHA256
2f1deb91756e8eda23fc6c198dd27eaab3fb0f04498c8dc5512b9e10586cb625

SHA512
4f97768f645437b25044b0a6467726b0e64403a7da81b9422632661d77e1eac9c0050b9343024a4998fc87287ea87f28297b4223b49e2144a3c5831fc705bab7

Download Submit
C:\Windows\System\zEWBgbV.exe

Filesize
5.2MB

MD5
ab66e51090d8f5109b4eb45051cf70d2

SHA1
5b0fb6ef5e5263437eb60ccb1aba5b534e45b256

SHA256
5af1c71954cb586065a5f6c2055eada7217adff216eb118a198b949b6880092d

SHA512
56a1a35fa7180fc433e7b8cdcd05d493fac11b09a0b250e03b3dd45bb511b3044f6a4ee3a1e9d9f9b567b80e34d6c7f7d7dcf82f803601c96fb2e69a363f557a

Download Submit
memory/8-113-0x00007FF7D1F30000-0x00007FF7D2281000-memory.dmp

Filesize
3.3MB

Download
memory/8-221-0x00007FF7D1F30000-0x00007FF7D2281000-memory.dmp

Filesize
3.3MB

Download
memory/696-43-0x00007FF76AEF0000-0x00007FF76B241000-memory.dmp

Filesize
3.3MB

Download
memory/696-216-0x00007FF76AEF0000-0x00007FF76B241000-memory.dmp

Filesize
3.3MB

Download
memory/848-258-0x00007FF7876D0000-0x00007FF787A21000-memory.dmp

Filesize
3.3MB

Download
memory/848-116-0x00007FF7876D0000-0x00007FF787A21000-memory.dmp

Filesize
3.3MB

Download
memory/952-118-0x00007FF61A380000-0x00007FF61A6D1000-memory.dmp

Filesize
3.3MB

Download
memory/952-253-0x00007FF61A380000-0x00007FF61A6D1000-memory.dmp

Filesize
3.3MB

Download
memory/1160-85-0x00007FF79F4C0000-0x00007FF79F811000-memory.dmp

Filesize
3.3MB

Download
memory/1160-239-0x00007FF79F4C0000-0x00007FF79F811000-memory.dmp

Filesize
3.3MB

Download
memory/1172-244-0x00007FF7B0110000-0x00007FF7B0461000-memory.dmp

Filesize
3.3MB

Download
memory/1172-145-0x00007FF7B0110000-0x00007FF7B0461000-memory.dmp

Filesize
3.3MB

Download
memory/1172-101-0x00007FF7B0110000-0x00007FF7B0461000-memory.dmp

Filesize
3.3MB

Download
memory/1360-122-0x00007FF73B3F0000-0x00007FF73B741000-memory.dmp

Filesize
3.3MB

Download
memory/1360-248-0x00007FF73B3F0000-0x00007FF73B741000-memory.dmp

Filesize
3.3MB

Download
memory/1648-240-0x00007FF7E2A20000-0x00007FF7E2D71000-memory.dmp

Filesize
3.3MB

Download
memory/1648-138-0x00007FF7E2A20000-0x00007FF7E2D71000-memory.dmp

Filesize
3.3MB

Download
memory/1648-83-0x00007FF7E2A20000-0x00007FF7E2D71000-memory.dmp

Filesize
3.3MB

Download
memory/2104-234-0x00007FF6D8810000-0x00007FF6D8B61000-memory.dmp

Filesize
3.3MB

Download
memory/2104-97-0x00007FF6D8810000-0x00007FF6D8B61000-memory.dmp

Filesize
3.3MB

Download
memory/2192-0-0x00007FF620720000-0x00007FF620A71000-memory.dmp

Filesize
3.3MB

Download
memory/2192-150-0x00007FF620720000-0x00007FF620A71000-memory.dmp

Filesize
3.3MB

Download
memory/2192-151-0x00007FF620720000-0x00007FF620A71000-memory.dmp

Filesize
3.3MB

Download
memory/2192-1-0x0000024592860000-0x0000024592870000-memory.dmp

Filesize
64KB

Download
memory/2192-128-0x00007FF620720000-0x00007FF620A71000-memory.dmp

Filesize
3.3MB

Download
memory/2220-55-0x00007FF7C8B90000-0x00007FF7C8EE1000-memory.dmp

Filesize
3.3MB

Download
memory/2220-222-0x00007FF7C8B90000-0x00007FF7C8EE1000-memory.dmp

Filesize
3.3MB

Download
memory/2220-133-0x00007FF7C8B90000-0x00007FF7C8EE1000-memory.dmp

Filesize
3.3MB

Download
memory/2532-257-0x00007FF638F90000-0x00007FF6392E1000-memory.dmp

Filesize
3.3MB

Download
memory/2532-140-0x00007FF638F90000-0x00007FF6392E1000-memory.dmp

Filesize
3.3MB

Download
memory/2532-96-0x00007FF638F90000-0x00007FF6392E1000-memory.dmp

Filesize
3.3MB

Download
memory/2556-218-0x00007FF72D3F0000-0x00007FF72D741000-memory.dmp

Filesize
3.3MB

Download
memory/2556-29-0x00007FF72D3F0000-0x00007FF72D741000-memory.dmp

Filesize
3.3MB

Download
memory/2556-132-0x00007FF72D3F0000-0x00007FF72D741000-memory.dmp

Filesize
3.3MB

Download
memory/2864-225-0x00007FF6DF480000-0x00007FF6DF7D1000-memory.dmp

Filesize
3.3MB

Download
memory/2864-135-0x00007FF6DF480000-0x00007FF6DF7D1000-memory.dmp

Filesize
3.3MB

Download
memory/2864-58-0x00007FF6DF480000-0x00007FF6DF7D1000-memory.dmp

Filesize
3.3MB

Download
memory/3148-24-0x00007FF6E0B10000-0x00007FF6E0E61000-memory.dmp

Filesize
3.3MB

Download
memory/3148-130-0x00007FF6E0B10000-0x00007FF6E0E61000-memory.dmp

Filesize
3.3MB

Download
memory/3148-214-0x00007FF6E0B10000-0x00007FF6E0E61000-memory.dmp

Filesize
3.3MB

Download
memory/3344-149-0x00007FF793310000-0x00007FF793661000-memory.dmp

Filesize
3.3MB

Download
memory/3344-246-0x00007FF793310000-0x00007FF793661000-memory.dmp

Filesize
3.3MB

Download
memory/3344-125-0x00007FF793310000-0x00007FF793661000-memory.dmp

Filesize
3.3MB

Download
memory/3428-226-0x00007FF7F84A0000-0x00007FF7F87F1000-memory.dmp

Filesize
3.3MB

Download
memory/3428-114-0x00007FF7F84A0000-0x00007FF7F87F1000-memory.dmp

Filesize
3.3MB

Download
memory/3528-121-0x00007FF761B40000-0x00007FF761E91000-memory.dmp

Filesize
3.3MB

Download
memory/3528-250-0x00007FF761B40000-0x00007FF761E91000-memory.dmp

Filesize
3.3MB

Download
memory/3808-117-0x00007FF68AAB0000-0x00007FF68AE01000-memory.dmp

Filesize
3.3MB

Download
memory/3808-255-0x00007FF68AAB0000-0x00007FF68AE01000-memory.dmp

Filesize
3.3MB

Download
memory/4148-7-0x00007FF679DD0000-0x00007FF67A121000-memory.dmp

Filesize
3.3MB

Download
memory/4148-129-0x00007FF679DD0000-0x00007FF67A121000-memory.dmp

Filesize
3.3MB

Download
memory/4148-212-0x00007FF679DD0000-0x00007FF67A121000-memory.dmp

Filesize
3.3MB

Download
memory/4612-251-0x00007FF6F79A0000-0x00007FF6F7CF1000-memory.dmp

Filesize
3.3MB

Download
memory/4612-108-0x00007FF6F79A0000-0x00007FF6F7CF1000-memory.dmp

Filesize
3.3MB

Download
memory/4612-146-0x00007FF6F79A0000-0x00007FF6F7CF1000-memory.dmp

Filesize
3.3MB

Download
memory/4856-71-0x00007FF7D9060000-0x00007FF7D93B1000-memory.dmp

Filesize
3.3MB

Download
memory/4856-236-0x00007FF7D9060000-0x00007FF7D93B1000-memory.dmp

Filesize
3.3MB

Download
memory/4856-136-0x00007FF7D9060000-0x00007FF7D93B1000-memory.dmp

Filesize
3.3MB

Download