cobaltstrike | 6b04d88e211747e105b910cbda4153477ab6613dbab87ef5cd24f78020e912ac

Analysis

max time kernel
140s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
30-09-2024 15:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-30_f8ab2ddf99e97da64b99e5b6433e786c_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

f8ab2ddf99e97da64b99e5b6433e786c
SHA1

f2c3ebdda9ba882cd6daaa21d3811e2ace368e06
SHA256

6b04d88e211747e105b910cbda4153477ab6613dbab87ef5cd24f78020e912ac
SHA512

61ee7c611bdd479a221611b4d1473ed148192fa37c66b47d90fcae7e6faded0f40986b3f3291d9282fa1c490e0f8f2bdd60870586324a395a1bac78e21a94845
SSDEEP

49152:ROdWCCi7/raA56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lU:RWWBibj56utgpPFotBER/mQ32lUY

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x00080000000234ab-5.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ac-10.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234b3-42.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234b2-55.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234b6-68.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234b4-75.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234b9-81.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234b5-78.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234b8-73.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234b7-69.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234af-52.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234b0-50.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234b1-43.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ae-32.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ad-24.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ba-95.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234bb-102.dat	cobalt_reflective_dll
behavioral2/files/0x00080000000234a9-107.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234bd-115.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234be-127.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234bc-118.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/4000-82-0x00007FF740370000-0x00007FF7406C1000-memory.dmp	xmrig
behavioral2/memory/4824-83-0x00007FF7AEC90000-0x00007FF7AEFE1000-memory.dmp	xmrig
behavioral2/memory/1052-80-0x00007FF65B640000-0x00007FF65B991000-memory.dmp	xmrig
behavioral2/memory/2068-123-0x00007FF7E39F0000-0x00007FF7E3D41000-memory.dmp	xmrig
behavioral2/memory/5008-117-0x00007FF7E0210000-0x00007FF7E0561000-memory.dmp	xmrig
behavioral2/memory/4104-113-0x00007FF60C1E0000-0x00007FF60C531000-memory.dmp	xmrig
behavioral2/memory/5056-129-0x00007FF6DCFD0000-0x00007FF6DD321000-memory.dmp	xmrig
behavioral2/memory/3440-130-0x00007FF743810000-0x00007FF743B61000-memory.dmp	xmrig
behavioral2/memory/2372-131-0x00007FF622B20000-0x00007FF622E71000-memory.dmp	xmrig
behavioral2/memory/1776-132-0x00007FF790190000-0x00007FF7904E1000-memory.dmp	xmrig
behavioral2/memory/2696-133-0x00007FF7B3BD0000-0x00007FF7B3F21000-memory.dmp	xmrig
behavioral2/memory/5092-134-0x00007FF6B8B80000-0x00007FF6B8ED1000-memory.dmp	xmrig
behavioral2/memory/3688-135-0x00007FF68B000000-0x00007FF68B351000-memory.dmp	xmrig
behavioral2/memory/1008-136-0x00007FF741840000-0x00007FF741B91000-memory.dmp	xmrig
behavioral2/memory/3464-137-0x00007FF66FAF0000-0x00007FF66FE41000-memory.dmp	xmrig
behavioral2/memory/3576-151-0x00007FF70D0D0000-0x00007FF70D421000-memory.dmp	xmrig
behavioral2/memory/1160-153-0x00007FF64E2C0000-0x00007FF64E611000-memory.dmp	xmrig
behavioral2/memory/4104-138-0x00007FF60C1E0000-0x00007FF60C531000-memory.dmp	xmrig
behavioral2/memory/3800-156-0x00007FF63D9A0000-0x00007FF63DCF1000-memory.dmp	xmrig
behavioral2/memory/1268-155-0x00007FF6F2CA0000-0x00007FF6F2FF1000-memory.dmp	xmrig
behavioral2/memory/4504-157-0x00007FF6D3310000-0x00007FF6D3661000-memory.dmp	xmrig
behavioral2/memory/2264-159-0x00007FF6AB280000-0x00007FF6AB5D1000-memory.dmp	xmrig
behavioral2/memory/1924-160-0x00007FF692130000-0x00007FF692481000-memory.dmp	xmrig
behavioral2/memory/4104-162-0x00007FF60C1E0000-0x00007FF60C531000-memory.dmp	xmrig
behavioral2/memory/2068-212-0x00007FF7E39F0000-0x00007FF7E3D41000-memory.dmp	xmrig
behavioral2/memory/3440-226-0x00007FF743810000-0x00007FF743B61000-memory.dmp	xmrig
behavioral2/memory/2372-228-0x00007FF622B20000-0x00007FF622E71000-memory.dmp	xmrig
behavioral2/memory/1776-230-0x00007FF790190000-0x00007FF7904E1000-memory.dmp	xmrig
behavioral2/memory/1052-232-0x00007FF65B640000-0x00007FF65B991000-memory.dmp	xmrig
behavioral2/memory/5092-234-0x00007FF6B8B80000-0x00007FF6B8ED1000-memory.dmp	xmrig
behavioral2/memory/2696-236-0x00007FF7B3BD0000-0x00007FF7B3F21000-memory.dmp	xmrig
behavioral2/memory/3688-238-0x00007FF68B000000-0x00007FF68B351000-memory.dmp	xmrig
behavioral2/memory/3576-243-0x00007FF70D0D0000-0x00007FF70D421000-memory.dmp	xmrig
behavioral2/memory/4824-241-0x00007FF7AEC90000-0x00007FF7AEFE1000-memory.dmp	xmrig
behavioral2/memory/4000-240-0x00007FF740370000-0x00007FF7406C1000-memory.dmp	xmrig
behavioral2/memory/1008-250-0x00007FF741840000-0x00007FF741B91000-memory.dmp	xmrig
behavioral2/memory/1268-252-0x00007FF6F2CA0000-0x00007FF6F2FF1000-memory.dmp	xmrig
behavioral2/memory/3464-258-0x00007FF66FAF0000-0x00007FF66FE41000-memory.dmp	xmrig
behavioral2/memory/1160-260-0x00007FF64E2C0000-0x00007FF64E611000-memory.dmp	xmrig
behavioral2/memory/4504-257-0x00007FF6D3310000-0x00007FF6D3661000-memory.dmp	xmrig
behavioral2/memory/5008-255-0x00007FF7E0210000-0x00007FF7E0561000-memory.dmp	xmrig
behavioral2/memory/2264-265-0x00007FF6AB280000-0x00007FF6AB5D1000-memory.dmp	xmrig
behavioral2/memory/3800-263-0x00007FF63D9A0000-0x00007FF63DCF1000-memory.dmp	xmrig
behavioral2/memory/1924-266-0x00007FF692130000-0x00007FF692481000-memory.dmp	xmrig
behavioral2/memory/5056-268-0x00007FF6DCFD0000-0x00007FF6DD321000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2068	UjNWcpf.exe
3440	YaZXLhP.exe
2372	vghXSxT.exe
1776	GMmlUoQ.exe
5092	ilYwUyU.exe
2696	PMFyAob.exe
1052	CZAxmEN.exe
3688	CuyIQZY.exe
3576	xQlZAdg.exe
4000	rzVwUPA.exe
1008	AYdLKcl.exe
4824	TPbhEsU.exe
3464	YqzDpjX.exe
1160	kBPRwHZ.exe
1268	LeWkzWH.exe
3800	GaOmnRr.exe
4504	HLXlhND.exe
5008	QKvXNtt.exe
2264	WoOPkWi.exe
1924	OVsOlUY.exe
5056	rOHhVNs.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4104-0-0x00007FF60C1E0000-0x00007FF60C531000-memory.dmp	upx
behavioral2/files/0x00080000000234ab-5.dat	upx
behavioral2/memory/2068-6-0x00007FF7E39F0000-0x00007FF7E3D41000-memory.dmp	upx
behavioral2/files/0x00070000000234ac-10.dat	upx
behavioral2/memory/3440-14-0x00007FF743810000-0x00007FF743B61000-memory.dmp	upx
behavioral2/memory/2372-18-0x00007FF622B20000-0x00007FF622E71000-memory.dmp	upx
behavioral2/files/0x00070000000234b3-42.dat	upx
behavioral2/files/0x00070000000234b2-55.dat	upx
behavioral2/files/0x00070000000234b6-68.dat	upx
behavioral2/files/0x00070000000234b4-75.dat	upx
behavioral2/memory/4000-82-0x00007FF740370000-0x00007FF7406C1000-memory.dmp	upx
behavioral2/memory/1160-84-0x00007FF64E2C0000-0x00007FF64E611000-memory.dmp	upx
behavioral2/memory/4824-83-0x00007FF7AEC90000-0x00007FF7AEFE1000-memory.dmp	upx
behavioral2/files/0x00070000000234b9-81.dat	upx
behavioral2/memory/1052-80-0x00007FF65B640000-0x00007FF65B991000-memory.dmp	upx
behavioral2/files/0x00070000000234b5-78.dat	upx
behavioral2/files/0x00070000000234b8-73.dat	upx
behavioral2/memory/3464-71-0x00007FF66FAF0000-0x00007FF66FE41000-memory.dmp	upx
behavioral2/memory/1008-70-0x00007FF741840000-0x00007FF741B91000-memory.dmp	upx
behavioral2/files/0x00070000000234b7-69.dat	upx
behavioral2/memory/3576-63-0x00007FF70D0D0000-0x00007FF70D421000-memory.dmp	upx
behavioral2/files/0x00070000000234af-52.dat	upx
behavioral2/files/0x00070000000234b0-50.dat	upx
behavioral2/memory/3688-48-0x00007FF68B000000-0x00007FF68B351000-memory.dmp	upx
behavioral2/files/0x00070000000234b1-43.dat	upx
behavioral2/memory/5092-47-0x00007FF6B8B80000-0x00007FF6B8ED1000-memory.dmp	upx
behavioral2/memory/2696-37-0x00007FF7B3BD0000-0x00007FF7B3F21000-memory.dmp	upx
behavioral2/memory/1776-36-0x00007FF790190000-0x00007FF7904E1000-memory.dmp	upx
behavioral2/files/0x00070000000234ae-32.dat	upx
behavioral2/memory/1268-85-0x00007FF6F2CA0000-0x00007FF6F2FF1000-memory.dmp	upx
behavioral2/files/0x00070000000234ad-24.dat	upx
behavioral2/files/0x00070000000234ba-95.dat	upx
behavioral2/files/0x00070000000234bb-102.dat	upx
behavioral2/files/0x00080000000234a9-107.dat	upx
behavioral2/files/0x00070000000234bd-115.dat	upx
behavioral2/memory/2264-121-0x00007FF6AB280000-0x00007FF6AB5D1000-memory.dmp	upx
behavioral2/memory/2068-123-0x00007FF7E39F0000-0x00007FF7E3D41000-memory.dmp	upx
behavioral2/files/0x00070000000234be-127.dat	upx
behavioral2/memory/1924-125-0x00007FF692130000-0x00007FF692481000-memory.dmp	upx
behavioral2/files/0x00070000000234bc-118.dat	upx
behavioral2/memory/5008-117-0x00007FF7E0210000-0x00007FF7E0561000-memory.dmp	upx
behavioral2/memory/4104-113-0x00007FF60C1E0000-0x00007FF60C531000-memory.dmp	upx
behavioral2/memory/4504-112-0x00007FF6D3310000-0x00007FF6D3661000-memory.dmp	upx
behavioral2/memory/3800-104-0x00007FF63D9A0000-0x00007FF63DCF1000-memory.dmp	upx
behavioral2/memory/5056-129-0x00007FF6DCFD0000-0x00007FF6DD321000-memory.dmp	upx
behavioral2/memory/3440-130-0x00007FF743810000-0x00007FF743B61000-memory.dmp	upx
behavioral2/memory/2372-131-0x00007FF622B20000-0x00007FF622E71000-memory.dmp	upx
behavioral2/memory/1776-132-0x00007FF790190000-0x00007FF7904E1000-memory.dmp	upx
behavioral2/memory/2696-133-0x00007FF7B3BD0000-0x00007FF7B3F21000-memory.dmp	upx
behavioral2/memory/5092-134-0x00007FF6B8B80000-0x00007FF6B8ED1000-memory.dmp	upx
behavioral2/memory/3688-135-0x00007FF68B000000-0x00007FF68B351000-memory.dmp	upx
behavioral2/memory/1008-136-0x00007FF741840000-0x00007FF741B91000-memory.dmp	upx
behavioral2/memory/3464-137-0x00007FF66FAF0000-0x00007FF66FE41000-memory.dmp	upx
behavioral2/memory/3576-151-0x00007FF70D0D0000-0x00007FF70D421000-memory.dmp	upx
behavioral2/memory/1160-153-0x00007FF64E2C0000-0x00007FF64E611000-memory.dmp	upx
behavioral2/memory/4104-138-0x00007FF60C1E0000-0x00007FF60C531000-memory.dmp	upx
behavioral2/memory/3800-156-0x00007FF63D9A0000-0x00007FF63DCF1000-memory.dmp	upx
behavioral2/memory/1268-155-0x00007FF6F2CA0000-0x00007FF6F2FF1000-memory.dmp	upx
behavioral2/memory/4504-157-0x00007FF6D3310000-0x00007FF6D3661000-memory.dmp	upx
behavioral2/memory/2264-159-0x00007FF6AB280000-0x00007FF6AB5D1000-memory.dmp	upx
behavioral2/memory/1924-160-0x00007FF692130000-0x00007FF692481000-memory.dmp	upx
behavioral2/memory/4104-162-0x00007FF60C1E0000-0x00007FF60C531000-memory.dmp	upx
behavioral2/memory/2068-212-0x00007FF7E39F0000-0x00007FF7E3D41000-memory.dmp	upx
behavioral2/memory/3440-226-0x00007FF743810000-0x00007FF743B61000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\rzVwUPA.exe	2024-09-30_f8ab2ddf99e97da64b99e5b6433e786c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LeWkzWH.exe	2024-09-30_f8ab2ddf99e97da64b99e5b6433e786c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YaZXLhP.exe	2024-09-30_f8ab2ddf99e97da64b99e5b6433e786c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CZAxmEN.exe	2024-09-30_f8ab2ddf99e97da64b99e5b6433e786c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xQlZAdg.exe	2024-09-30_f8ab2ddf99e97da64b99e5b6433e786c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YqzDpjX.exe	2024-09-30_f8ab2ddf99e97da64b99e5b6433e786c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kBPRwHZ.exe	2024-09-30_f8ab2ddf99e97da64b99e5b6433e786c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GaOmnRr.exe	2024-09-30_f8ab2ddf99e97da64b99e5b6433e786c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vghXSxT.exe	2024-09-30_f8ab2ddf99e97da64b99e5b6433e786c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CuyIQZY.exe	2024-09-30_f8ab2ddf99e97da64b99e5b6433e786c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OVsOlUY.exe	2024-09-30_f8ab2ddf99e97da64b99e5b6433e786c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rOHhVNs.exe	2024-09-30_f8ab2ddf99e97da64b99e5b6433e786c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ilYwUyU.exe	2024-09-30_f8ab2ddf99e97da64b99e5b6433e786c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HLXlhND.exe	2024-09-30_f8ab2ddf99e97da64b99e5b6433e786c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PMFyAob.exe	2024-09-30_f8ab2ddf99e97da64b99e5b6433e786c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AYdLKcl.exe	2024-09-30_f8ab2ddf99e97da64b99e5b6433e786c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TPbhEsU.exe	2024-09-30_f8ab2ddf99e97da64b99e5b6433e786c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QKvXNtt.exe	2024-09-30_f8ab2ddf99e97da64b99e5b6433e786c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WoOPkWi.exe	2024-09-30_f8ab2ddf99e97da64b99e5b6433e786c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UjNWcpf.exe	2024-09-30_f8ab2ddf99e97da64b99e5b6433e786c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GMmlUoQ.exe	2024-09-30_f8ab2ddf99e97da64b99e5b6433e786c_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4104	2024-09-30_f8ab2ddf99e97da64b99e5b6433e786c_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4104	2024-09-30_f8ab2ddf99e97da64b99e5b6433e786c_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4104 wrote to memory of 2068	4104	2024-09-30_f8ab2ddf99e97da64b99e5b6433e786c_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 4104 wrote to memory of 2068	4104	2024-09-30_f8ab2ddf99e97da64b99e5b6433e786c_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 4104 wrote to memory of 3440	4104	2024-09-30_f8ab2ddf99e97da64b99e5b6433e786c_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4104 wrote to memory of 3440	4104	2024-09-30_f8ab2ddf99e97da64b99e5b6433e786c_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4104 wrote to memory of 2372	4104	2024-09-30_f8ab2ddf99e97da64b99e5b6433e786c_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4104 wrote to memory of 2372	4104	2024-09-30_f8ab2ddf99e97da64b99e5b6433e786c_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4104 wrote to memory of 1776	4104	2024-09-30_f8ab2ddf99e97da64b99e5b6433e786c_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4104 wrote to memory of 1776	4104	2024-09-30_f8ab2ddf99e97da64b99e5b6433e786c_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4104 wrote to memory of 2696	4104	2024-09-30_f8ab2ddf99e97da64b99e5b6433e786c_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4104 wrote to memory of 2696	4104	2024-09-30_f8ab2ddf99e97da64b99e5b6433e786c_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4104 wrote to memory of 5092	4104	2024-09-30_f8ab2ddf99e97da64b99e5b6433e786c_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4104 wrote to memory of 5092	4104	2024-09-30_f8ab2ddf99e97da64b99e5b6433e786c_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4104 wrote to memory of 1052	4104	2024-09-30_f8ab2ddf99e97da64b99e5b6433e786c_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4104 wrote to memory of 1052	4104	2024-09-30_f8ab2ddf99e97da64b99e5b6433e786c_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4104 wrote to memory of 3688	4104	2024-09-30_f8ab2ddf99e97da64b99e5b6433e786c_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4104 wrote to memory of 3688	4104	2024-09-30_f8ab2ddf99e97da64b99e5b6433e786c_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4104 wrote to memory of 3576	4104	2024-09-30_f8ab2ddf99e97da64b99e5b6433e786c_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4104 wrote to memory of 3576	4104	2024-09-30_f8ab2ddf99e97da64b99e5b6433e786c_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4104 wrote to memory of 4000	4104	2024-09-30_f8ab2ddf99e97da64b99e5b6433e786c_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4104 wrote to memory of 4000	4104	2024-09-30_f8ab2ddf99e97da64b99e5b6433e786c_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4104 wrote to memory of 1008	4104	2024-09-30_f8ab2ddf99e97da64b99e5b6433e786c_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4104 wrote to memory of 1008	4104	2024-09-30_f8ab2ddf99e97da64b99e5b6433e786c_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4104 wrote to memory of 4824	4104	2024-09-30_f8ab2ddf99e97da64b99e5b6433e786c_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4104 wrote to memory of 4824	4104	2024-09-30_f8ab2ddf99e97da64b99e5b6433e786c_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4104 wrote to memory of 3464	4104	2024-09-30_f8ab2ddf99e97da64b99e5b6433e786c_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4104 wrote to memory of 3464	4104	2024-09-30_f8ab2ddf99e97da64b99e5b6433e786c_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4104 wrote to memory of 1160	4104	2024-09-30_f8ab2ddf99e97da64b99e5b6433e786c_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4104 wrote to memory of 1160	4104	2024-09-30_f8ab2ddf99e97da64b99e5b6433e786c_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4104 wrote to memory of 1268	4104	2024-09-30_f8ab2ddf99e97da64b99e5b6433e786c_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4104 wrote to memory of 1268	4104	2024-09-30_f8ab2ddf99e97da64b99e5b6433e786c_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4104 wrote to memory of 3800	4104	2024-09-30_f8ab2ddf99e97da64b99e5b6433e786c_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4104 wrote to memory of 3800	4104	2024-09-30_f8ab2ddf99e97da64b99e5b6433e786c_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4104 wrote to memory of 4504	4104	2024-09-30_f8ab2ddf99e97da64b99e5b6433e786c_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4104 wrote to memory of 4504	4104	2024-09-30_f8ab2ddf99e97da64b99e5b6433e786c_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4104 wrote to memory of 5008	4104	2024-09-30_f8ab2ddf99e97da64b99e5b6433e786c_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4104 wrote to memory of 5008	4104	2024-09-30_f8ab2ddf99e97da64b99e5b6433e786c_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4104 wrote to memory of 2264	4104	2024-09-30_f8ab2ddf99e97da64b99e5b6433e786c_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4104 wrote to memory of 2264	4104	2024-09-30_f8ab2ddf99e97da64b99e5b6433e786c_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4104 wrote to memory of 1924	4104	2024-09-30_f8ab2ddf99e97da64b99e5b6433e786c_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4104 wrote to memory of 1924	4104	2024-09-30_f8ab2ddf99e97da64b99e5b6433e786c_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4104 wrote to memory of 5056	4104	2024-09-30_f8ab2ddf99e97da64b99e5b6433e786c_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4104 wrote to memory of 5056	4104	2024-09-30_f8ab2ddf99e97da64b99e5b6433e786c_cobalt-strike_cobaltstrike_poet-rat.exe	103

C:\Users\Admin\AppData\Local\Temp\2024-09-30_f8ab2ddf99e97da64b99e5b6433e786c_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-30_f8ab2ddf99e97da64b99e5b6433e786c_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4104
- C:\Windows\System\UjNWcpf.exe
  C:\Windows\System\UjNWcpf.exe
  2⤵
  - Executes dropped EXE
  PID:2068
- C:\Windows\System\YaZXLhP.exe
  C:\Windows\System\YaZXLhP.exe
  2⤵
  - Executes dropped EXE
  PID:3440
- C:\Windows\System\vghXSxT.exe
  C:\Windows\System\vghXSxT.exe
  2⤵
  - Executes dropped EXE
  PID:2372
- C:\Windows\System\GMmlUoQ.exe
  C:\Windows\System\GMmlUoQ.exe
  2⤵
  - Executes dropped EXE
  PID:1776
- C:\Windows\System\PMFyAob.exe
  C:\Windows\System\PMFyAob.exe
  2⤵
  - Executes dropped EXE
  PID:2696
- C:\Windows\System\ilYwUyU.exe
  C:\Windows\System\ilYwUyU.exe
  2⤵
  - Executes dropped EXE
  PID:5092
- C:\Windows\System\CZAxmEN.exe
  C:\Windows\System\CZAxmEN.exe
  2⤵
  - Executes dropped EXE
  PID:1052
- C:\Windows\System\CuyIQZY.exe
  C:\Windows\System\CuyIQZY.exe
  2⤵
  - Executes dropped EXE
  PID:3688
- C:\Windows\System\xQlZAdg.exe
  C:\Windows\System\xQlZAdg.exe
  2⤵
  - Executes dropped EXE
  PID:3576
- C:\Windows\System\rzVwUPA.exe
  C:\Windows\System\rzVwUPA.exe
  2⤵
  - Executes dropped EXE
  PID:4000
- C:\Windows\System\AYdLKcl.exe
  C:\Windows\System\AYdLKcl.exe
  2⤵
  - Executes dropped EXE
  PID:1008
- C:\Windows\System\TPbhEsU.exe
  C:\Windows\System\TPbhEsU.exe
  2⤵
  - Executes dropped EXE
  PID:4824
- C:\Windows\System\YqzDpjX.exe
  C:\Windows\System\YqzDpjX.exe
  2⤵
  - Executes dropped EXE
  PID:3464
- C:\Windows\System\kBPRwHZ.exe
  C:\Windows\System\kBPRwHZ.exe
  2⤵
  - Executes dropped EXE
  PID:1160
- C:\Windows\System\LeWkzWH.exe
  C:\Windows\System\LeWkzWH.exe
  2⤵
  - Executes dropped EXE
  PID:1268
- C:\Windows\System\GaOmnRr.exe
  C:\Windows\System\GaOmnRr.exe
  2⤵
  - Executes dropped EXE
  PID:3800
- C:\Windows\System\HLXlhND.exe
  C:\Windows\System\HLXlhND.exe
  2⤵
  - Executes dropped EXE
  PID:4504
- C:\Windows\System\QKvXNtt.exe
  C:\Windows\System\QKvXNtt.exe
  2⤵
  - Executes dropped EXE
  PID:5008
- C:\Windows\System\WoOPkWi.exe
  C:\Windows\System\WoOPkWi.exe
  2⤵
  - Executes dropped EXE
  PID:2264
- C:\Windows\System\OVsOlUY.exe
  C:\Windows\System\OVsOlUY.exe
  2⤵
  - Executes dropped EXE
  PID:1924
- C:\Windows\System\rOHhVNs.exe
  C:\Windows\System\rOHhVNs.exe
  2⤵
  - Executes dropped EXE
  PID:5056

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AYdLKcl.exe

Filesize
5.2MB

MD5
fa346fdb28c996df2c6a63e17dce4052

SHA1
31338cc33c4126737cd5af312d6c70e92174c1a3

SHA256
ce5d26c5abd258bffae62c7ff01437477b5d1b98db8b6d3e7fcfa5841415a8ec

SHA512
651d58cfab704c0f719f21d698c3a6f1a80850cb1d89ab7ffc14bf891cd6bfa48bf67488b0c207482d5de15f5783f60810dd086951bd00d778a075df50c3f0ae

Download Submit
C:\Windows\System\CZAxmEN.exe

Filesize
5.2MB

MD5
13b0809f67bc61523f8bf6d317738831

SHA1
965c77b47c9009dbdc6f11fbb2cf543d140ebf30

SHA256
f7a7dd2dc020001d615bbb00a451e506b4507a758e64fdfc03f520f05267b5f7

SHA512
e01115a093cdd616bcf8bf7e22773046088db88a011011b5ce056617778c12d77c8c30c8f0bd571b79e9eab424be6e3c27e654611913d975a027ed2cef067071

Download Submit
C:\Windows\System\CuyIQZY.exe

Filesize
5.2MB

MD5
7cdd7d662172cbb4faffba8e9c2db449

SHA1
978889ac3a7a4d6ff003b3c0846e3f3ea47e5ab4

SHA256
1b8406ea7810077cc76327ae0eeba32dd482e66b367a9b1058af050bb6d2765e

SHA512
4bc17b4c1b0c4abb2e61cd7cfa1dd8a1fba20d85973df130fc9d30af6cb97745a1f807fb8db8a4e03017fddaf6f6b7d1cbfd895c850d61a114579c31cce1cca7

Download Submit
C:\Windows\System\GMmlUoQ.exe

Filesize
5.2MB

MD5
5a448497fa032c21dab36ff76bdc6eea

SHA1
fcd8d23501178548f8753009c8bd751a2b2cf9ef

SHA256
967cecdcb9961b7a87b3eda618be3c44cdd5cc29a61e3de08a52796b467e0462

SHA512
a5ca1151c0f810eedf670ad58918678bc02beae77725a658b6c0c374e269caecc9db3afc5c66ae592ad2a1b3f85bf01ae2543d04c6b02accd406656c32b96c41

Download Submit
C:\Windows\System\GaOmnRr.exe

Filesize
5.2MB

MD5
1e654b38f713e6a029b75182db3fb78b

SHA1
8aad3b6a6ebc8671a42179b2f3b02f13e65f48c9

SHA256
b447bcb3c73d00fb40e8533bb7dd635c5ae073b8fb9c975e39850b492a899bf3

SHA512
7ea2a232b1122bee36a3278848e4c7ec9778818380c1c320c5fd6ba65bbb958368e18fe317a74454577d059caebcf8aa99db50c2b2f3f4e9160566b5220bb14a

Download Submit
C:\Windows\System\HLXlhND.exe

Filesize
5.2MB

MD5
3735fde2ab9dd1edb3b633bcd1453721

SHA1
110818fb78640db15a2ffd15caeee38b3ab3082e

SHA256
8a3ad6b8c620d675f872746da438878de3cbeb9d687019c8284285a149407635

SHA512
76beba91ca7c9e8b2135d67fe08dd6a681636812f7b63e9e807ff10e294dccc7952e9b5716d7b0b61d98b141ce9ab10c7441ac4b43b361672d2ac8ce9e1befa9

Download Submit
C:\Windows\System\LeWkzWH.exe

Filesize
5.2MB

MD5
f0324cbbc16bf07e05e9dfcb2b5f7b05

SHA1
5f7b04792764539a6c9c5d735bb95d212792a7a4

SHA256
e4000312112404eacc2b8f82b61377277b32479edfe8f1346d616b87367bbbbb

SHA512
11890256aa0fa97d4850729e827f50b646441cab5316acb92af133a9839e316cc5f319a9fdff20fdb78eb30e34b35cb7bb3083101679e1ab0de40ed36ec275b2

Download Submit
C:\Windows\System\OVsOlUY.exe

Filesize
5.2MB

MD5
7a83762a82941ae079aeb2c0ba993bc8

SHA1
794bf3bb2ad8a1d2ebe6491e102b06b05414717a

SHA256
1f951c3b411670a2c7e4cf3f89800b15e3b667b44122b18ac5eb6c5cbed8b2a3

SHA512
3b879a1c754d609eeb7515596ab90c42980c7a09c5d6db636508c7064980f8eeb447499b7fc1d1c6874d826d31633cfc630b7ef79c9fdd98d7ef4c697ea55ff4

Download Submit
C:\Windows\System\PMFyAob.exe

Filesize
5.2MB

MD5
c99d9679b13f9a47c771257bd26fb3b4

SHA1
1f2bcdab2148233f547cd0f97194d0e23644ba61

SHA256
26f62523631838f2de60eb3c78aab123b12434371c72ad9eaffdd1342acabd0e

SHA512
2ac2d9821982c0fdf9ec43e04989e27fe99ce0446d182fc46bf74bcc4071be172c979b1a3cb59d35a0a4878b0c521b51523eb9ced1c5a8ff972b14329ca1f20e

Download Submit
C:\Windows\System\QKvXNtt.exe

Filesize
5.2MB

MD5
ade283458c3617b7d423434fb7ca1d30

SHA1
58e16773d0cb30cbb2262a792ba4b3af181a7a71

SHA256
1fff4007d439697f85a768180f3be53ccf898506073b0a42dfee5cff6feddc13

SHA512
3846f4f7c218ec91dd8621d10ef40625706e7fc99b351a09b89b42d0f43bc664cff5be04e7144bd5f64aa7e706e34e5169892cb06f139445fa8114207893aa15

Download Submit
C:\Windows\System\TPbhEsU.exe

Filesize
5.2MB

MD5
14c74b4534957569ecb4ccc26e425e92

SHA1
b5383b9cb35124497a08a51746d54615c7b263dc

SHA256
05682e59d41ac50acdb7289f1a2a0238248eee04dc95ec9f473dca66ed82573b

SHA512
fd8868ac1892be829ae4be911e620a0f3832ac93e6f233b35e6a14e306dc2e4e74d1424f5ee748e0305f22548cdf64dabba9da4d01119a19c3ab641157ef0b78

Download Submit
C:\Windows\System\UjNWcpf.exe

Filesize
5.2MB

MD5
ec46eb6574309ff467dd84be1d2a5845

SHA1
00dec5cbe98c299bb754ed3c72f54abd1259c832

SHA256
16942456bbce8a3a0963dc02b39f71aee39dfef65d7983338a206bea2c1f5b15

SHA512
5348ae608cfa3ea1e2491a6911b82823390f962ef46a7b8d548d762f9c84fd3307153e820737409a08fb553f4aacf3a90bb695cc7bfc6b1a4412c53859369f70

Download Submit
C:\Windows\System\WoOPkWi.exe

Filesize
5.2MB

MD5
6e4163d8748b416541ba2bb06c77c331

SHA1
d875a5eaea0c49c724a3ec18e0d536c7c2f91225

SHA256
9e27067730ea94bc80cf414575a80717e7ded7791070a5e43a8ddceadff31a25

SHA512
2ead475cee7f5974e871977c160843192b5a4864542fd5cfdd27aca4d308c42b45f11cb5692516cb9358528a9c8a52b6ef09b3a66ec9d07c20696570dae34694

Download Submit
C:\Windows\System\YaZXLhP.exe

Filesize
5.2MB

MD5
2d544a9316643ceae31ee3ebcc4bdec3

SHA1
bd2575e645295e2b82f463e336775a36d2f3513a

SHA256
8ed18ec271cfc5895bb7c349cda5c94776b31e2604bc570af51479901ce0d819

SHA512
0c33b89bc0f084393ae8f5b79b9cb7919d47293425d21cc6597ce84b52defdc3fbe25391c67bf0f91dd63bf8e5da2a641684650e7077daf67ce58fd9dbafdbc8

Download Submit
C:\Windows\System\YqzDpjX.exe

Filesize
5.2MB

MD5
e491c7d6a219693ec1c37500b850bbae

SHA1
51e5aaa417be4f6d06253073eb36974bdc229317

SHA256
42ed6b0967159cd70d879c2613fafe3fb8197b60e2f2fc65ab26de389fafe4dc

SHA512
76ff1806c39c16c89005b9d2c88c20f7afac4277b1bb17af52668b1cadec228875103246c4d78c7f2cabefaf9ad9bede9037a20d86d5f0561d823bfa631b3223

Download Submit
C:\Windows\System\ilYwUyU.exe

Filesize
5.2MB

MD5
8b73f74d8f0f5af967454eb08ede8fb6

SHA1
a2d946517ebd07eb79bf7eb8846f5f1f1530676f

SHA256
4ecb719bccec5f4d9c16fc115d98461947bbf9c5bfc5183a80fcc72a1dcbee63

SHA512
38debb566243a93bba7c4fe25846124b7f005c257d14682bbdb0f677a8830da893eea5fd07ebca349d5bc1e4aeb7430eb2059b551b9f52813f29a52b4fe9bbe4

Download Submit
C:\Windows\System\kBPRwHZ.exe

Filesize
5.2MB

MD5
80caa85f6d2033374dcead48dfc6d384

SHA1
793e179578a552f8364eaf2d44bc966e01a83d86

SHA256
e7fc2da83a77118fe295b9e60bd1b3503e214159d87939c9332d955da8ac0f99

SHA512
1f4444bbb619d94e8ada3248d974ca504ff51407409f45a714cf01c39fecfaf2da82cd8038c1e1506a9447d1f0318a014aabac99300ab57c2e4a4b04946f6c2b

Download Submit
C:\Windows\System\rOHhVNs.exe

Filesize
5.2MB

MD5
3809f0ebf8cc06b1a4dc7574386c2b34

SHA1
a07a12e57d1df275245a6c8596831190d623d5ce

SHA256
6570d1f23e403d92ad044cb38a4aac6a27e54fa3ac0211ac112227170fe8cb8a

SHA512
8fd694f9cf2f09cfbe04866406b6b9701197ecdec6e6b52c900789c592a4e9ecfa0831f79f4f5078b6a9cd989235e3bffe592c821a830da3ba0ed45da006e6c4

Download Submit
C:\Windows\System\rzVwUPA.exe

Filesize
5.2MB

MD5
c24424c8b371b1fad3c9414e6df87bf1

SHA1
d1ac3f51d26caf04f828590c2c65c57a3fdd46a1

SHA256
3379121899368e41cd7a2d732d4e09f46bb21052c4027f288225c5176a0187ea

SHA512
f755c0cd11c18cb6fb9225e17096a625cf3cec394a8ee78d9f023c698750c51037ac9288b23b6bd7224d5d41e6a039a1d96cf816eda9b1237bdc56a0109c4e92

Download Submit
C:\Windows\System\vghXSxT.exe

Filesize
5.2MB

MD5
1b8230d0f24e29469a0f568bb2a919bd

SHA1
5bcc7a28572cd79c7ba43505cb60163bd0c91771

SHA256
07f94e538c8d61ad9ec442afababe7291872a0736a0d6f8a5456f133534e111d

SHA512
8eda6fb8a421ea5339e09d486281e04889374983af01a7f08ab2a6e67c7b45a925b187240d8b3c3900960aade208eab20291b7181ee85f7f3a64af101b669d23

Download Submit
C:\Windows\System\xQlZAdg.exe

Filesize
5.2MB

MD5
ce691931b33fca6ec71943dcde7094c3

SHA1
f664c0317f76a4ebc0c2cbc8514105176ea8f90e

SHA256
1bd59bd06ef728f062577b0b770d42a088cd77a0ca7b86fc1d41252ec1923825

SHA512
b5f03c6ac93daf032d1505dcc39e3e312eb0358379da0e9ffd6ae65dff1f6dae3e787f17d83416d157b00b837ccb2997d1ce81b2204a48f4dd34a13053c934c2

Download Submit
memory/1008-136-0x00007FF741840000-0x00007FF741B91000-memory.dmp

Filesize
3.3MB

Download
memory/1008-70-0x00007FF741840000-0x00007FF741B91000-memory.dmp

Filesize
3.3MB

Download
memory/1008-250-0x00007FF741840000-0x00007FF741B91000-memory.dmp

Filesize
3.3MB

Download
memory/1052-232-0x00007FF65B640000-0x00007FF65B991000-memory.dmp

Filesize
3.3MB

Download
memory/1052-80-0x00007FF65B640000-0x00007FF65B991000-memory.dmp

Filesize
3.3MB

Download
memory/1160-84-0x00007FF64E2C0000-0x00007FF64E611000-memory.dmp

Filesize
3.3MB

Download
memory/1160-260-0x00007FF64E2C0000-0x00007FF64E611000-memory.dmp

Filesize
3.3MB

Download
memory/1160-153-0x00007FF64E2C0000-0x00007FF64E611000-memory.dmp

Filesize
3.3MB

Download
memory/1268-85-0x00007FF6F2CA0000-0x00007FF6F2FF1000-memory.dmp

Filesize
3.3MB

Download
memory/1268-252-0x00007FF6F2CA0000-0x00007FF6F2FF1000-memory.dmp

Filesize
3.3MB

Download
memory/1268-155-0x00007FF6F2CA0000-0x00007FF6F2FF1000-memory.dmp

Filesize
3.3MB

Download
memory/1776-36-0x00007FF790190000-0x00007FF7904E1000-memory.dmp

Filesize
3.3MB

Download
memory/1776-230-0x00007FF790190000-0x00007FF7904E1000-memory.dmp

Filesize
3.3MB

Download
memory/1776-132-0x00007FF790190000-0x00007FF7904E1000-memory.dmp

Filesize
3.3MB

Download
memory/1924-125-0x00007FF692130000-0x00007FF692481000-memory.dmp

Filesize
3.3MB

Download
memory/1924-160-0x00007FF692130000-0x00007FF692481000-memory.dmp

Filesize
3.3MB

Download
memory/1924-266-0x00007FF692130000-0x00007FF692481000-memory.dmp

Filesize
3.3MB

Download
memory/2068-123-0x00007FF7E39F0000-0x00007FF7E3D41000-memory.dmp

Filesize
3.3MB

Download
memory/2068-6-0x00007FF7E39F0000-0x00007FF7E3D41000-memory.dmp

Filesize
3.3MB

Download
memory/2068-212-0x00007FF7E39F0000-0x00007FF7E3D41000-memory.dmp

Filesize
3.3MB

Download
memory/2264-121-0x00007FF6AB280000-0x00007FF6AB5D1000-memory.dmp

Filesize
3.3MB

Download
memory/2264-159-0x00007FF6AB280000-0x00007FF6AB5D1000-memory.dmp

Filesize
3.3MB

Download
memory/2264-265-0x00007FF6AB280000-0x00007FF6AB5D1000-memory.dmp

Filesize
3.3MB

Download
memory/2372-228-0x00007FF622B20000-0x00007FF622E71000-memory.dmp

Filesize
3.3MB

Download
memory/2372-18-0x00007FF622B20000-0x00007FF622E71000-memory.dmp

Filesize
3.3MB

Download
memory/2372-131-0x00007FF622B20000-0x00007FF622E71000-memory.dmp

Filesize
3.3MB

Download
memory/2696-37-0x00007FF7B3BD0000-0x00007FF7B3F21000-memory.dmp

Filesize
3.3MB

Download
memory/2696-236-0x00007FF7B3BD0000-0x00007FF7B3F21000-memory.dmp

Filesize
3.3MB

Download
memory/2696-133-0x00007FF7B3BD0000-0x00007FF7B3F21000-memory.dmp

Filesize
3.3MB

Download
memory/3440-226-0x00007FF743810000-0x00007FF743B61000-memory.dmp

Filesize
3.3MB

Download
memory/3440-130-0x00007FF743810000-0x00007FF743B61000-memory.dmp

Filesize
3.3MB

Download
memory/3440-14-0x00007FF743810000-0x00007FF743B61000-memory.dmp

Filesize
3.3MB

Download
memory/3464-258-0x00007FF66FAF0000-0x00007FF66FE41000-memory.dmp

Filesize
3.3MB

Download
memory/3464-137-0x00007FF66FAF0000-0x00007FF66FE41000-memory.dmp

Filesize
3.3MB

Download
memory/3464-71-0x00007FF66FAF0000-0x00007FF66FE41000-memory.dmp

Filesize
3.3MB

Download
memory/3576-151-0x00007FF70D0D0000-0x00007FF70D421000-memory.dmp

Filesize
3.3MB

Download
memory/3576-243-0x00007FF70D0D0000-0x00007FF70D421000-memory.dmp

Filesize
3.3MB

Download
memory/3576-63-0x00007FF70D0D0000-0x00007FF70D421000-memory.dmp

Filesize
3.3MB

Download
memory/3688-135-0x00007FF68B000000-0x00007FF68B351000-memory.dmp

Filesize
3.3MB

Download
memory/3688-238-0x00007FF68B000000-0x00007FF68B351000-memory.dmp

Filesize
3.3MB

Download
memory/3688-48-0x00007FF68B000000-0x00007FF68B351000-memory.dmp

Filesize
3.3MB

Download
memory/3800-156-0x00007FF63D9A0000-0x00007FF63DCF1000-memory.dmp

Filesize
3.3MB

Download
memory/3800-263-0x00007FF63D9A0000-0x00007FF63DCF1000-memory.dmp

Filesize
3.3MB

Download
memory/3800-104-0x00007FF63D9A0000-0x00007FF63DCF1000-memory.dmp

Filesize
3.3MB

Download
memory/4000-240-0x00007FF740370000-0x00007FF7406C1000-memory.dmp

Filesize
3.3MB

Download
memory/4000-82-0x00007FF740370000-0x00007FF7406C1000-memory.dmp

Filesize
3.3MB

Download
memory/4104-0-0x00007FF60C1E0000-0x00007FF60C531000-memory.dmp

Filesize
3.3MB

Download
memory/4104-113-0x00007FF60C1E0000-0x00007FF60C531000-memory.dmp

Filesize
3.3MB

Download
memory/4104-162-0x00007FF60C1E0000-0x00007FF60C531000-memory.dmp

Filesize
3.3MB

Download
memory/4104-1-0x0000018347B90000-0x0000018347BA0000-memory.dmp

Filesize
64KB

Download
memory/4104-138-0x00007FF60C1E0000-0x00007FF60C531000-memory.dmp

Filesize
3.3MB

Download
memory/4504-157-0x00007FF6D3310000-0x00007FF6D3661000-memory.dmp

Filesize
3.3MB

Download
memory/4504-257-0x00007FF6D3310000-0x00007FF6D3661000-memory.dmp

Filesize
3.3MB

Download
memory/4504-112-0x00007FF6D3310000-0x00007FF6D3661000-memory.dmp

Filesize
3.3MB

Download
memory/4824-241-0x00007FF7AEC90000-0x00007FF7AEFE1000-memory.dmp

Filesize
3.3MB

Download
memory/4824-83-0x00007FF7AEC90000-0x00007FF7AEFE1000-memory.dmp

Filesize
3.3MB

Download
memory/5008-117-0x00007FF7E0210000-0x00007FF7E0561000-memory.dmp

Filesize
3.3MB

Download
memory/5008-255-0x00007FF7E0210000-0x00007FF7E0561000-memory.dmp

Filesize
3.3MB

Download
memory/5056-129-0x00007FF6DCFD0000-0x00007FF6DD321000-memory.dmp

Filesize
3.3MB

Download
memory/5056-268-0x00007FF6DCFD0000-0x00007FF6DD321000-memory.dmp

Filesize
3.3MB

Download
memory/5092-234-0x00007FF6B8B80000-0x00007FF6B8ED1000-memory.dmp

Filesize
3.3MB

Download
memory/5092-47-0x00007FF6B8B80000-0x00007FF6B8ED1000-memory.dmp

Filesize
3.3MB

Download
memory/5092-134-0x00007FF6B8B80000-0x00007FF6B8ED1000-memory.dmp

Filesize
3.3MB

Download