cobaltstrike | fb164d6166e820bdb884a5e7790a4595707dc506bf71efe88d4a99ab18331ebe

Analysis

max time kernel
141s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2024, 03:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-10-12_4c271af3ec921ac4a0a1dfa3c7a57a60_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

4c271af3ec921ac4a0a1dfa3c7a57a60
SHA1

03c8546a16b0148f4065a118753613f60da70334
SHA256

fb164d6166e820bdb884a5e7790a4595707dc506bf71efe88d4a99ab18331ebe
SHA512

b34b015d222cd7cb339561da947c7d9f44be8582779c4c72df5782d1ab5f5a0e16d3728a9c2064143ce22800291a697a1d3d204d407196ccc7cc4e56afda95e7
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lG:RWWBibf56utgpPFotBER/mQ32lUa

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000c000000023b84-5.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c77-9.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c76-11.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c79-31.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c7a-32.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c7c-44.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c7d-53.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c82-76.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c85-99.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c86-114.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c88-123.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c87-125.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c83-121.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c74-110.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c84-105.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c80-84.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c7f-83.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c81-82.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c7e-57.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c7b-51.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c78-26.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/2288-59-0x00007FF6C7EC0000-0x00007FF6C8211000-memory.dmp	xmrig
behavioral2/memory/4180-88-0x00007FF79CCE0000-0x00007FF79D031000-memory.dmp	xmrig
behavioral2/memory/2216-119-0x00007FF6BD2D0000-0x00007FF6BD621000-memory.dmp	xmrig
behavioral2/memory/5068-118-0x00007FF79F4B0000-0x00007FF79F801000-memory.dmp	xmrig
behavioral2/memory/4816-117-0x00007FF6F8A40000-0x00007FF6F8D91000-memory.dmp	xmrig
behavioral2/memory/3056-102-0x00007FF7D0CA0000-0x00007FF7D0FF1000-memory.dmp	xmrig
behavioral2/memory/844-67-0x00007FF733530000-0x00007FF733881000-memory.dmp	xmrig
behavioral2/memory/4496-41-0x00007FF7D8400000-0x00007FF7D8751000-memory.dmp	xmrig
behavioral2/memory/1720-132-0x00007FF7EEB70000-0x00007FF7EEEC1000-memory.dmp	xmrig
behavioral2/memory/4936-133-0x00007FF766B60000-0x00007FF766EB1000-memory.dmp	xmrig
behavioral2/memory/1984-131-0x00007FF68D490000-0x00007FF68D7E1000-memory.dmp	xmrig
behavioral2/memory/3264-140-0x00007FF648780000-0x00007FF648AD1000-memory.dmp	xmrig
behavioral2/memory/1636-138-0x00007FF7CDD20000-0x00007FF7CE071000-memory.dmp	xmrig
behavioral2/memory/4452-135-0x00007FF6921C0000-0x00007FF692511000-memory.dmp	xmrig
behavioral2/memory/4508-130-0x00007FF79BA80000-0x00007FF79BDD1000-memory.dmp	xmrig
behavioral2/memory/4296-129-0x00007FF7AB070000-0x00007FF7AB3C1000-memory.dmp	xmrig
behavioral2/memory/1636-128-0x00007FF7CDD20000-0x00007FF7CE071000-memory.dmp	xmrig
behavioral2/memory/1576-144-0x00007FF6CCCF0000-0x00007FF6CD041000-memory.dmp	xmrig
behavioral2/memory/2512-147-0x00007FF7FB230000-0x00007FF7FB581000-memory.dmp	xmrig
behavioral2/memory/4800-149-0x00007FF754A10000-0x00007FF754D61000-memory.dmp	xmrig
behavioral2/memory/3244-141-0x00007FF6A8920000-0x00007FF6A8C71000-memory.dmp	xmrig
behavioral2/memory/4044-143-0x00007FF6CB1B0000-0x00007FF6CB501000-memory.dmp	xmrig
behavioral2/memory/3928-150-0x00007FF7355D0000-0x00007FF735921000-memory.dmp	xmrig
behavioral2/memory/1636-151-0x00007FF7CDD20000-0x00007FF7CE071000-memory.dmp	xmrig
behavioral2/memory/4296-201-0x00007FF7AB070000-0x00007FF7AB3C1000-memory.dmp	xmrig
behavioral2/memory/4508-220-0x00007FF79BA80000-0x00007FF79BDD1000-memory.dmp	xmrig
behavioral2/memory/1720-223-0x00007FF7EEB70000-0x00007FF7EEEC1000-memory.dmp	xmrig
behavioral2/memory/1984-224-0x00007FF68D490000-0x00007FF68D7E1000-memory.dmp	xmrig
behavioral2/memory/4936-226-0x00007FF766B60000-0x00007FF766EB1000-memory.dmp	xmrig
behavioral2/memory/4496-228-0x00007FF7D8400000-0x00007FF7D8751000-memory.dmp	xmrig
behavioral2/memory/2288-232-0x00007FF6C7EC0000-0x00007FF6C8211000-memory.dmp	xmrig
behavioral2/memory/4452-234-0x00007FF6921C0000-0x00007FF692511000-memory.dmp	xmrig
behavioral2/memory/844-231-0x00007FF733530000-0x00007FF733881000-memory.dmp	xmrig
behavioral2/memory/3244-241-0x00007FF6A8920000-0x00007FF6A8C71000-memory.dmp	xmrig
behavioral2/memory/4044-244-0x00007FF6CB1B0000-0x00007FF6CB501000-memory.dmp	xmrig
behavioral2/memory/4180-242-0x00007FF79CCE0000-0x00007FF79D031000-memory.dmp	xmrig
behavioral2/memory/3264-238-0x00007FF648780000-0x00007FF648AD1000-memory.dmp	xmrig
behavioral2/memory/3056-237-0x00007FF7D0CA0000-0x00007FF7D0FF1000-memory.dmp	xmrig
behavioral2/memory/4800-249-0x00007FF754A10000-0x00007FF754D61000-memory.dmp	xmrig
behavioral2/memory/4816-250-0x00007FF6F8A40000-0x00007FF6F8D91000-memory.dmp	xmrig
behavioral2/memory/5068-256-0x00007FF79F4B0000-0x00007FF79F801000-memory.dmp	xmrig
behavioral2/memory/2216-255-0x00007FF6BD2D0000-0x00007FF6BD621000-memory.dmp	xmrig
behavioral2/memory/1576-253-0x00007FF6CCCF0000-0x00007FF6CD041000-memory.dmp	xmrig
behavioral2/memory/3928-247-0x00007FF7355D0000-0x00007FF735921000-memory.dmp	xmrig
behavioral2/memory/2512-259-0x00007FF7FB230000-0x00007FF7FB581000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4296	BAjcJCU.exe
4508	odykZuq.exe
1984	wprDhxr.exe
1720	nrzQJfp.exe
4936	btcXxiu.exe
4496	ggjLZgy.exe
4452	dkEdBFd.exe
2288	artVFvq.exe
4180	YoZnMva.exe
844	lLFrlMv.exe
3264	vomhtVm.exe
3244	hxnzkrP.exe
3056	ZpkVJlG.exe
4044	MaRuwTf.exe
4816	rDHBbsw.exe
5068	bduQNrT.exe
1576	TpHpsvW.exe
2512	pdkEQdX.exe
2216	ywxVTwR.exe
3928	RgxLORk.exe
4800	ltRbMVL.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1636-0-0x00007FF7CDD20000-0x00007FF7CE071000-memory.dmp	upx
behavioral2/files/0x000c000000023b84-5.dat	upx
behavioral2/memory/4296-7-0x00007FF7AB070000-0x00007FF7AB3C1000-memory.dmp	upx
behavioral2/files/0x0007000000023c77-9.dat	upx
behavioral2/files/0x0008000000023c76-11.dat	upx
behavioral2/files/0x0007000000023c79-31.dat	upx
behavioral2/files/0x0007000000023c7a-32.dat	upx
behavioral2/files/0x0007000000023c7c-44.dat	upx
behavioral2/files/0x0007000000023c7d-53.dat	upx
behavioral2/memory/2288-59-0x00007FF6C7EC0000-0x00007FF6C8211000-memory.dmp	upx
behavioral2/files/0x0007000000023c82-76.dat	upx
behavioral2/memory/4180-88-0x00007FF79CCE0000-0x00007FF79D031000-memory.dmp	upx
behavioral2/files/0x0007000000023c85-99.dat	upx
behavioral2/memory/1576-108-0x00007FF6CCCF0000-0x00007FF6CD041000-memory.dmp	upx
behavioral2/files/0x0007000000023c86-114.dat	upx
behavioral2/files/0x0007000000023c88-123.dat	upx
behavioral2/files/0x0007000000023c87-125.dat	upx
behavioral2/files/0x0007000000023c83-121.dat	upx
behavioral2/memory/4800-120-0x00007FF754A10000-0x00007FF754D61000-memory.dmp	upx
behavioral2/memory/2216-119-0x00007FF6BD2D0000-0x00007FF6BD621000-memory.dmp	upx
behavioral2/memory/5068-118-0x00007FF79F4B0000-0x00007FF79F801000-memory.dmp	upx
behavioral2/memory/4816-117-0x00007FF6F8A40000-0x00007FF6F8D91000-memory.dmp	upx
behavioral2/memory/3928-113-0x00007FF7355D0000-0x00007FF735921000-memory.dmp	upx
behavioral2/files/0x0008000000023c74-110.dat	upx
behavioral2/memory/2512-109-0x00007FF7FB230000-0x00007FF7FB581000-memory.dmp	upx
behavioral2/files/0x0007000000023c84-105.dat	upx
behavioral2/memory/3056-102-0x00007FF7D0CA0000-0x00007FF7D0FF1000-memory.dmp	upx
behavioral2/memory/3264-89-0x00007FF648780000-0x00007FF648AD1000-memory.dmp	upx
behavioral2/files/0x0007000000023c80-84.dat	upx
behavioral2/files/0x0007000000023c7f-83.dat	upx
behavioral2/files/0x0007000000023c81-82.dat	upx
behavioral2/memory/4044-79-0x00007FF6CB1B0000-0x00007FF6CB501000-memory.dmp	upx
behavioral2/memory/3244-71-0x00007FF6A8920000-0x00007FF6A8C71000-memory.dmp	upx
behavioral2/memory/844-67-0x00007FF733530000-0x00007FF733881000-memory.dmp	upx
behavioral2/files/0x0007000000023c7e-57.dat	upx
behavioral2/files/0x0007000000023c7b-51.dat	upx
behavioral2/memory/4452-49-0x00007FF6921C0000-0x00007FF692511000-memory.dmp	upx
behavioral2/memory/4496-41-0x00007FF7D8400000-0x00007FF7D8751000-memory.dmp	upx
behavioral2/memory/4936-39-0x00007FF766B60000-0x00007FF766EB1000-memory.dmp	upx
behavioral2/files/0x0007000000023c78-26.dat	upx
behavioral2/memory/1720-23-0x00007FF7EEB70000-0x00007FF7EEEC1000-memory.dmp	upx
behavioral2/memory/1984-21-0x00007FF68D490000-0x00007FF68D7E1000-memory.dmp	upx
behavioral2/memory/4508-16-0x00007FF79BA80000-0x00007FF79BDD1000-memory.dmp	upx
behavioral2/memory/1720-132-0x00007FF7EEB70000-0x00007FF7EEEC1000-memory.dmp	upx
behavioral2/memory/4936-133-0x00007FF766B60000-0x00007FF766EB1000-memory.dmp	upx
behavioral2/memory/1984-131-0x00007FF68D490000-0x00007FF68D7E1000-memory.dmp	upx
behavioral2/memory/3264-140-0x00007FF648780000-0x00007FF648AD1000-memory.dmp	upx
behavioral2/memory/1636-138-0x00007FF7CDD20000-0x00007FF7CE071000-memory.dmp	upx
behavioral2/memory/4452-135-0x00007FF6921C0000-0x00007FF692511000-memory.dmp	upx
behavioral2/memory/4508-130-0x00007FF79BA80000-0x00007FF79BDD1000-memory.dmp	upx
behavioral2/memory/4296-129-0x00007FF7AB070000-0x00007FF7AB3C1000-memory.dmp	upx
behavioral2/memory/1636-128-0x00007FF7CDD20000-0x00007FF7CE071000-memory.dmp	upx
behavioral2/memory/1576-144-0x00007FF6CCCF0000-0x00007FF6CD041000-memory.dmp	upx
behavioral2/memory/2512-147-0x00007FF7FB230000-0x00007FF7FB581000-memory.dmp	upx
behavioral2/memory/4800-149-0x00007FF754A10000-0x00007FF754D61000-memory.dmp	upx
behavioral2/memory/3244-141-0x00007FF6A8920000-0x00007FF6A8C71000-memory.dmp	upx
behavioral2/memory/4044-143-0x00007FF6CB1B0000-0x00007FF6CB501000-memory.dmp	upx
behavioral2/memory/3928-150-0x00007FF7355D0000-0x00007FF735921000-memory.dmp	upx
behavioral2/memory/1636-151-0x00007FF7CDD20000-0x00007FF7CE071000-memory.dmp	upx
behavioral2/memory/4296-201-0x00007FF7AB070000-0x00007FF7AB3C1000-memory.dmp	upx
behavioral2/memory/4508-220-0x00007FF79BA80000-0x00007FF79BDD1000-memory.dmp	upx
behavioral2/memory/1720-223-0x00007FF7EEB70000-0x00007FF7EEEC1000-memory.dmp	upx
behavioral2/memory/1984-224-0x00007FF68D490000-0x00007FF68D7E1000-memory.dmp	upx
behavioral2/memory/4936-226-0x00007FF766B60000-0x00007FF766EB1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\BAjcJCU.exe	2024-10-12_4c271af3ec921ac4a0a1dfa3c7a57a60_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wprDhxr.exe	2024-10-12_4c271af3ec921ac4a0a1dfa3c7a57a60_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vomhtVm.exe	2024-10-12_4c271af3ec921ac4a0a1dfa3c7a57a60_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MaRuwTf.exe	2024-10-12_4c271af3ec921ac4a0a1dfa3c7a57a60_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ltRbMVL.exe	2024-10-12_4c271af3ec921ac4a0a1dfa3c7a57a60_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\odykZuq.exe	2024-10-12_4c271af3ec921ac4a0a1dfa3c7a57a60_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nrzQJfp.exe	2024-10-12_4c271af3ec921ac4a0a1dfa3c7a57a60_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lLFrlMv.exe	2024-10-12_4c271af3ec921ac4a0a1dfa3c7a57a60_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RgxLORk.exe	2024-10-12_4c271af3ec921ac4a0a1dfa3c7a57a60_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dkEdBFd.exe	2024-10-12_4c271af3ec921ac4a0a1dfa3c7a57a60_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\artVFvq.exe	2024-10-12_4c271af3ec921ac4a0a1dfa3c7a57a60_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hxnzkrP.exe	2024-10-12_4c271af3ec921ac4a0a1dfa3c7a57a60_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZpkVJlG.exe	2024-10-12_4c271af3ec921ac4a0a1dfa3c7a57a60_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TpHpsvW.exe	2024-10-12_4c271af3ec921ac4a0a1dfa3c7a57a60_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bduQNrT.exe	2024-10-12_4c271af3ec921ac4a0a1dfa3c7a57a60_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pdkEQdX.exe	2024-10-12_4c271af3ec921ac4a0a1dfa3c7a57a60_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ywxVTwR.exe	2024-10-12_4c271af3ec921ac4a0a1dfa3c7a57a60_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\btcXxiu.exe	2024-10-12_4c271af3ec921ac4a0a1dfa3c7a57a60_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ggjLZgy.exe	2024-10-12_4c271af3ec921ac4a0a1dfa3c7a57a60_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YoZnMva.exe	2024-10-12_4c271af3ec921ac4a0a1dfa3c7a57a60_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rDHBbsw.exe	2024-10-12_4c271af3ec921ac4a0a1dfa3c7a57a60_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1636	2024-10-12_4c271af3ec921ac4a0a1dfa3c7a57a60_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	1636	2024-10-12_4c271af3ec921ac4a0a1dfa3c7a57a60_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1636 wrote to memory of 4296	1636	2024-10-12_4c271af3ec921ac4a0a1dfa3c7a57a60_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 1636 wrote to memory of 4296	1636	2024-10-12_4c271af3ec921ac4a0a1dfa3c7a57a60_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 1636 wrote to memory of 4508	1636	2024-10-12_4c271af3ec921ac4a0a1dfa3c7a57a60_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 1636 wrote to memory of 4508	1636	2024-10-12_4c271af3ec921ac4a0a1dfa3c7a57a60_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 1636 wrote to memory of 1984	1636	2024-10-12_4c271af3ec921ac4a0a1dfa3c7a57a60_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 1636 wrote to memory of 1984	1636	2024-10-12_4c271af3ec921ac4a0a1dfa3c7a57a60_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 1636 wrote to memory of 1720	1636	2024-10-12_4c271af3ec921ac4a0a1dfa3c7a57a60_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 1636 wrote to memory of 1720	1636	2024-10-12_4c271af3ec921ac4a0a1dfa3c7a57a60_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 1636 wrote to memory of 4936	1636	2024-10-12_4c271af3ec921ac4a0a1dfa3c7a57a60_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 1636 wrote to memory of 4936	1636	2024-10-12_4c271af3ec921ac4a0a1dfa3c7a57a60_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 1636 wrote to memory of 4496	1636	2024-10-12_4c271af3ec921ac4a0a1dfa3c7a57a60_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1636 wrote to memory of 4496	1636	2024-10-12_4c271af3ec921ac4a0a1dfa3c7a57a60_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1636 wrote to memory of 4452	1636	2024-10-12_4c271af3ec921ac4a0a1dfa3c7a57a60_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1636 wrote to memory of 4452	1636	2024-10-12_4c271af3ec921ac4a0a1dfa3c7a57a60_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1636 wrote to memory of 2288	1636	2024-10-12_4c271af3ec921ac4a0a1dfa3c7a57a60_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1636 wrote to memory of 2288	1636	2024-10-12_4c271af3ec921ac4a0a1dfa3c7a57a60_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1636 wrote to memory of 4180	1636	2024-10-12_4c271af3ec921ac4a0a1dfa3c7a57a60_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1636 wrote to memory of 4180	1636	2024-10-12_4c271af3ec921ac4a0a1dfa3c7a57a60_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1636 wrote to memory of 844	1636	2024-10-12_4c271af3ec921ac4a0a1dfa3c7a57a60_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 1636 wrote to memory of 844	1636	2024-10-12_4c271af3ec921ac4a0a1dfa3c7a57a60_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 1636 wrote to memory of 3264	1636	2024-10-12_4c271af3ec921ac4a0a1dfa3c7a57a60_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1636 wrote to memory of 3264	1636	2024-10-12_4c271af3ec921ac4a0a1dfa3c7a57a60_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1636 wrote to memory of 3244	1636	2024-10-12_4c271af3ec921ac4a0a1dfa3c7a57a60_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1636 wrote to memory of 3244	1636	2024-10-12_4c271af3ec921ac4a0a1dfa3c7a57a60_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1636 wrote to memory of 3056	1636	2024-10-12_4c271af3ec921ac4a0a1dfa3c7a57a60_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 1636 wrote to memory of 3056	1636	2024-10-12_4c271af3ec921ac4a0a1dfa3c7a57a60_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 1636 wrote to memory of 4044	1636	2024-10-12_4c271af3ec921ac4a0a1dfa3c7a57a60_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1636 wrote to memory of 4044	1636	2024-10-12_4c271af3ec921ac4a0a1dfa3c7a57a60_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1636 wrote to memory of 1576	1636	2024-10-12_4c271af3ec921ac4a0a1dfa3c7a57a60_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1636 wrote to memory of 1576	1636	2024-10-12_4c271af3ec921ac4a0a1dfa3c7a57a60_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1636 wrote to memory of 4816	1636	2024-10-12_4c271af3ec921ac4a0a1dfa3c7a57a60_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1636 wrote to memory of 4816	1636	2024-10-12_4c271af3ec921ac4a0a1dfa3c7a57a60_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1636 wrote to memory of 5068	1636	2024-10-12_4c271af3ec921ac4a0a1dfa3c7a57a60_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1636 wrote to memory of 5068	1636	2024-10-12_4c271af3ec921ac4a0a1dfa3c7a57a60_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1636 wrote to memory of 2512	1636	2024-10-12_4c271af3ec921ac4a0a1dfa3c7a57a60_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1636 wrote to memory of 2512	1636	2024-10-12_4c271af3ec921ac4a0a1dfa3c7a57a60_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1636 wrote to memory of 2216	1636	2024-10-12_4c271af3ec921ac4a0a1dfa3c7a57a60_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 1636 wrote to memory of 2216	1636	2024-10-12_4c271af3ec921ac4a0a1dfa3c7a57a60_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 1636 wrote to memory of 4800	1636	2024-10-12_4c271af3ec921ac4a0a1dfa3c7a57a60_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 1636 wrote to memory of 4800	1636	2024-10-12_4c271af3ec921ac4a0a1dfa3c7a57a60_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 1636 wrote to memory of 3928	1636	2024-10-12_4c271af3ec921ac4a0a1dfa3c7a57a60_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 1636 wrote to memory of 3928	1636	2024-10-12_4c271af3ec921ac4a0a1dfa3c7a57a60_cobalt-strike_cobaltstrike_poet-rat.exe	105

C:\Users\Admin\AppData\Local\Temp\2024-10-12_4c271af3ec921ac4a0a1dfa3c7a57a60_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-12_4c271af3ec921ac4a0a1dfa3c7a57a60_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1636
- C:\Windows\System\BAjcJCU.exe
  C:\Windows\System\BAjcJCU.exe
  2⤵
  - Executes dropped EXE
  PID:4296
- C:\Windows\System\odykZuq.exe
  C:\Windows\System\odykZuq.exe
  2⤵
  - Executes dropped EXE
  PID:4508
- C:\Windows\System\wprDhxr.exe
  C:\Windows\System\wprDhxr.exe
  2⤵
  - Executes dropped EXE
  PID:1984
- C:\Windows\System\nrzQJfp.exe
  C:\Windows\System\nrzQJfp.exe
  2⤵
  - Executes dropped EXE
  PID:1720
- C:\Windows\System\btcXxiu.exe
  C:\Windows\System\btcXxiu.exe
  2⤵
  - Executes dropped EXE
  PID:4936
- C:\Windows\System\ggjLZgy.exe
  C:\Windows\System\ggjLZgy.exe
  2⤵
  - Executes dropped EXE
  PID:4496
- C:\Windows\System\dkEdBFd.exe
  C:\Windows\System\dkEdBFd.exe
  2⤵
  - Executes dropped EXE
  PID:4452
- C:\Windows\System\artVFvq.exe
  C:\Windows\System\artVFvq.exe
  2⤵
  - Executes dropped EXE
  PID:2288
- C:\Windows\System\YoZnMva.exe
  C:\Windows\System\YoZnMva.exe
  2⤵
  - Executes dropped EXE
  PID:4180
- C:\Windows\System\lLFrlMv.exe
  C:\Windows\System\lLFrlMv.exe
  2⤵
  - Executes dropped EXE
  PID:844
- C:\Windows\System\vomhtVm.exe
  C:\Windows\System\vomhtVm.exe
  2⤵
  - Executes dropped EXE
  PID:3264
- C:\Windows\System\hxnzkrP.exe
  C:\Windows\System\hxnzkrP.exe
  2⤵
  - Executes dropped EXE
  PID:3244
- C:\Windows\System\ZpkVJlG.exe
  C:\Windows\System\ZpkVJlG.exe
  2⤵
  - Executes dropped EXE
  PID:3056
- C:\Windows\System\MaRuwTf.exe
  C:\Windows\System\MaRuwTf.exe
  2⤵
  - Executes dropped EXE
  PID:4044
- C:\Windows\System\TpHpsvW.exe
  C:\Windows\System\TpHpsvW.exe
  2⤵
  - Executes dropped EXE
  PID:1576
- C:\Windows\System\rDHBbsw.exe
  C:\Windows\System\rDHBbsw.exe
  2⤵
  - Executes dropped EXE
  PID:4816
- C:\Windows\System\bduQNrT.exe
  C:\Windows\System\bduQNrT.exe
  2⤵
  - Executes dropped EXE
  PID:5068
- C:\Windows\System\pdkEQdX.exe
  C:\Windows\System\pdkEQdX.exe
  2⤵
  - Executes dropped EXE
  PID:2512
- C:\Windows\System\ywxVTwR.exe
  C:\Windows\System\ywxVTwR.exe
  2⤵
  - Executes dropped EXE
  PID:2216
- C:\Windows\System\ltRbMVL.exe
  C:\Windows\System\ltRbMVL.exe
  2⤵
  - Executes dropped EXE
  PID:4800
- C:\Windows\System\RgxLORk.exe
  C:\Windows\System\RgxLORk.exe
  2⤵
  - Executes dropped EXE
  PID:3928

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BAjcJCU.exe

Filesize
5.2MB

MD5
fef57bb90b9eeee37245e10ae7fb85f9

SHA1
f7f130963e8493b8704a49fd63b85f60fd34bd56

SHA256
ef3540ff08dede97b921a9d4155af90d9e4d15e9a602d6562e65f99706fff86d

SHA512
5fed82d27f881bc2580654dd1a3580f1fa7a805923b977bc466bbe2f17c241530a09ec09e35ab84df37fd24e44df601a91f5d04e1427f6b8e5af5bad96a94519

Download Submit
C:\Windows\System\MaRuwTf.exe

Filesize
5.2MB

MD5
5bc9f8ce3e3bef364c2dce8b6950245f

SHA1
d6f7e4c0979808ed8620ae7094b2f6ff285338ea

SHA256
1d0677ae52079885c5a8214b0258e51a204c7686dc9defd4ed8448ae9d89ac57

SHA512
ec4292e3fd80b4e268df8a5b0318121236c4971f619ca61215295629f1bdcb4a9a4429d5515a545c2d187a548fe57b824b86e567ef7b68914523d0108720c87c

Download Submit
C:\Windows\System\RgxLORk.exe

Filesize
5.2MB

MD5
c48e91ee45287ea28e1fbf518ce58fc9

SHA1
fdcfa0d874ae5284a08bed49b2ad9e9871ea32d2

SHA256
3a8f619b25c46faef62576c44b5528587902c48fd5f89d3cded454bca8c637a6

SHA512
bec08a0ce67374043c7fe376fe6d8a826ab4e1e7bc7f405a17a685c1baa8ee6bba373050f7bfc2e8f66fab3ff37561cf62151319cf875b0421a7beae18646c25

Download Submit
C:\Windows\System\TpHpsvW.exe

Filesize
5.2MB

MD5
f29149cc696dc82e562e918e620f83cd

SHA1
4245375b571eb71c3e173f15028ac90e4b7d61a2

SHA256
5c493d94102f5829cbbb8bf49bc8d12356210c7614a8ce7a07add6157b597cff

SHA512
f7406730f8358245e10b7d65b03a69501e1d32b9dd20235e84916479ebc982fd427e298e7d85ca8cbf5e0429b6315536227621922e18be7ad9698e2498f181e2

Download Submit
C:\Windows\System\YoZnMva.exe

Filesize
5.2MB

MD5
f3030ae7ae507c4c62bf5526f1990e06

SHA1
c962aa18176f73cb9bfa2f1999f512669a61e492

SHA256
9893e98af3f47136b41f8d2b9b5ebb835238489ed36a64276d8acc78d330990d

SHA512
43a1a994a7f59a1d787bf512c66a81f838088b78764401cb48d9ccf8ae3cd0dc5330f5c4d2ad171cef7e55f920b6944a84e8e215ebb55de19c473497bfb44c74

Download Submit
C:\Windows\System\ZpkVJlG.exe

Filesize
5.2MB

MD5
f6bd10253422d8544bc68fc5192c0450

SHA1
de02a67add548d662ada578ad8ec407b93efabb8

SHA256
4b3a0f200e464503f0fb8204733dd8d944f6e0d0c69a0b75af02ee308d35b945

SHA512
7d2cdd56edb92bd6b5c93ca93412f500f47376caa781d2e337b2ec764c3e4a5c9de16b2b5c3c7eb30d944cf2b3a06e4baeeb3a53ab675c32cc2a5f59c822310f

Download Submit
C:\Windows\System\artVFvq.exe

Filesize
5.2MB

MD5
12539ba868886e20aeaa8d80c8280d3b

SHA1
58fd6aed3d31778ab2541147147c66a15b3b6c31

SHA256
934ed8e1817bb86b9cd47f5a255fb056bed208bdd30c919341ee16d3687b88a6

SHA512
cf7b5ed05cc651c9484b953b04a430208ecf6d3388326ce250eafc4b435c4b064e47d164b79b4242c1f261488002240cb8c32c40ea2650a7d4bb5feca4e9a3ac

Download Submit
C:\Windows\System\bduQNrT.exe

Filesize
5.2MB

MD5
a47de3fb9e1d83b56835b4ab54651a75

SHA1
f25bbadc0964549baa967de973da7aa9c20998a5

SHA256
ba0964a0cadc960d606c57b1f201c4050651bb19325fc1ae2200635230c36e5e

SHA512
bb416b61ed3fdcabd9689a0d7d434570ba768fc9f9e26401f6a5f3bbe515814f11ecb1688823a7fd4b03753943f3f99596f31babc85d129f0215fc9cab7b9623

Download Submit
C:\Windows\System\btcXxiu.exe

Filesize
5.2MB

MD5
33659e8070dd0c04bd1025b80fa4761e

SHA1
bff1bea5502a2a3c271d60adad43487697030fde

SHA256
a5b5864f7819c69b1edeaaa4b887d276f0d4594ebc1692b7034fa1538046f7fa

SHA512
df4ccc30ada81a7f69e23b1ad45730453506a33335370795d3dbb291eec89011c92ae8fdc3ddb2f2a8ea7af1e3e934c501722b477d8250aedb4b02535de1f171

Download Submit
C:\Windows\System\dkEdBFd.exe

Filesize
5.2MB

MD5
89a0cd17573b3ba029f8cca41784ce2e

SHA1
85b8571b4be4e23dfd12282be2fc358eedea49af

SHA256
bf2b0a7a3f1918a8249d50104e62389356d45769c607ab7cbeeff8ecfad3654c

SHA512
bbe07e639384d690f8207af80ed27311c1a45ae4c9e7344d0368006ec785cd8a6b1c46b8e82dc42c268028a5a99e4c49a014cbaff6c3fdf43050723a27d1e849

Download Submit
C:\Windows\System\ggjLZgy.exe

Filesize
5.2MB

MD5
8ea292abdec6a76b4a1585697190d8df

SHA1
d3af19c09b7c1c1d87e6f4f3ce5c934796a30df3

SHA256
cfcfd6bd745724089abc4fda061fd74909894a6ec976a7c69edd05665371ff24

SHA512
4c87932377810dade31813c5a2b3840241e8a202d66768343c35da8d5b04be48801489382e6bda724a13c9185cb5908317162161a84e1f9d69605a228ffa150d

Download Submit
C:\Windows\System\hxnzkrP.exe

Filesize
5.2MB

MD5
a3fb5994a292e68fe72d977e3aee2272

SHA1
9cffb1397fb88789e45429608dc301b1231e9740

SHA256
b76ff5a70623fff82ce6fa68ed34f9082519fa311ef270bcd9b31725f0677aca

SHA512
21da520560b0031457e65d02c37be13382f054c36cb89eeba3a474d142186d4d39f63a745ea2acd8a08670b6523540aad99b91545e116564ca9aded56bd6aaf5

Download Submit
C:\Windows\System\lLFrlMv.exe

Filesize
5.2MB

MD5
1656287fffc65c73be908aa830739918

SHA1
713e56bbfe3a80c79fc2e79fb7afda0454b8ac31

SHA256
48b84dfac78eca050b1bc21f84e3d99e06e01010c8e8ec317e4b12009a83199b

SHA512
d9c195d36ccdc0450ba08a14714856306f0c3e07a630f496df532741c6a7a8959cbbbbd34b1c48398a7d733207116097c3b3870cfc41bbc8a041aa8068a3b7e3

Download Submit
C:\Windows\System\ltRbMVL.exe

Filesize
5.2MB

MD5
ecce46a7d2bb7be2478bf12fada2261b

SHA1
5634838acbbe21fe40724840997d8988d6c7467a

SHA256
efed67297c6cd0a964995fcc339b6e738aee13a3290279705ecbae2773896980

SHA512
7dc33d07b9cdbea699d79fce1319df86fee1d4f44b416651eb75f039141fceee433eb10f5124c9ebe5bfc474f75b14b38d346680a7500dd80fa9be5b694f0337

Download Submit
C:\Windows\System\nrzQJfp.exe

Filesize
5.2MB

MD5
42977bcaa473ae347f6bd0f9617cb32d

SHA1
7c8e538f72dc622cf4e13f2b491686c7fcd374d6

SHA256
7504b5bc47bb91fde98e4e39bd2f95425bf7ee970ca47423497b9849c1369fe1

SHA512
7799af31610fb86233774f56acca4c0614414708f35a5da2ee188051ac3d855b6ce8162c2cf7293634d665d009502d705442f1c8704e62df7b1c4ba3ee68242d

Download Submit
C:\Windows\System\odykZuq.exe

Filesize
5.2MB

MD5
cbdaba241b9a52103319d0ef4eda2d70

SHA1
78432ca55d35b476e94b732331eb234c677db6a7

SHA256
8085b0190af6338439e6add0f9dbbfa5f7c471721d4f6509498103d314c5c967

SHA512
501971f900f8716c76ca66aec47275d874cb02700b6796fefbc0e7794396fd0f477fa780846d9326ce2b6f8fe222c02de9a27ce563b2c76ce1accfd0c7f51f1c

Download Submit
C:\Windows\System\pdkEQdX.exe

Filesize
5.2MB

MD5
546b5fef86de4bd4009f83420f390e82

SHA1
8218afee875cad1472a2a309c3e94927c4ff9639

SHA256
9991c32a2a9822a503fa4fbab5e574e02715ea9a22a76d9eca41e839ddcbc2e5

SHA512
a8d87d1b3725cfc8bc8db404473d68b53e728048aaef941ce2667f0d637a9ba8b556e89c1fbebdd00710d45c24b246d241736bc5dae0ff26db2f29c9d312a478

Download Submit
C:\Windows\System\rDHBbsw.exe

Filesize
5.2MB

MD5
f62e8fdc80f730e2b6c270461fde540f

SHA1
fb333371320cc0fc9cbb8bb44cdbc1a1517fa3a8

SHA256
b159ddf27d99b01c1e986744902d1c94ea9d7cd27d00724d1adb3f7211cc651b

SHA512
24572a3c15f4bf84bfb1120e9b7725ec0e38c2eb4323ce21212a6b7bbbacd574918f9dec56ce0b7b1d06ea386f324369be77c43d65b75313a7ace054d5027087

Download Submit
C:\Windows\System\vomhtVm.exe

Filesize
5.2MB

MD5
d5985baa058176c7f88eb568af1a6306

SHA1
4568f86b366616946aa89f96aa9ca3f407237bf3

SHA256
c361060e7d5ed3f54f755a38c2b42649ecee5582cd6eb9825640ddb118fca2fd

SHA512
93fcec3ae19cf423effec55c5c33168df23e13942c0f955b69e1b38171a8e7603cf56841373aabc5e65c26fe3a82b38cf50a28e8ae9fd2ad96fb377ad7c25acf

Download Submit
C:\Windows\System\wprDhxr.exe

Filesize
5.2MB

MD5
8aa5d98a2945684135e8fb4ace210520

SHA1
27299f1c23fb099a70d54693b2a0651cd1abec67

SHA256
371efbe11fa285156782be1797efb2ed5c241e5d2580af8a9ee9481a3bfdb9be

SHA512
49b287b3161ed45e4ab819eedc2d85f800102994c372cd1565f8293637a515d2d34269c8ec9f3a9b2ee2a339e7e2630ed03686aceaa0d698ae1696281c6c20e4

Download Submit
C:\Windows\System\ywxVTwR.exe

Filesize
5.2MB

MD5
4475f3b11253ce5bd3f23579bc694430

SHA1
1ba39554d6c4bae91f45546970a2f030efcbc034

SHA256
3f1f16b98355b3308e46c563385d10ad3468fe4f331bf0a8bbae62f87da178e8

SHA512
aa631e2dd0235632794ffe9d802351145823be9ebc15e9fda39c616bf2ccbe97a587cd7c5b189265686e81930cd0eb6af30ddfcba21188c4458d430452bf60b2

Download Submit
memory/844-231-0x00007FF733530000-0x00007FF733881000-memory.dmp

Filesize
3.3MB

Download
memory/844-67-0x00007FF733530000-0x00007FF733881000-memory.dmp

Filesize
3.3MB

Download
memory/1576-108-0x00007FF6CCCF0000-0x00007FF6CD041000-memory.dmp

Filesize
3.3MB

Download
memory/1576-144-0x00007FF6CCCF0000-0x00007FF6CD041000-memory.dmp

Filesize
3.3MB

Download
memory/1576-253-0x00007FF6CCCF0000-0x00007FF6CD041000-memory.dmp

Filesize
3.3MB

Download
memory/1636-138-0x00007FF7CDD20000-0x00007FF7CE071000-memory.dmp

Filesize
3.3MB

Download
memory/1636-1-0x0000020F6A270000-0x0000020F6A280000-memory.dmp

Filesize
64KB

Download
memory/1636-151-0x00007FF7CDD20000-0x00007FF7CE071000-memory.dmp

Filesize
3.3MB

Download
memory/1636-0-0x00007FF7CDD20000-0x00007FF7CE071000-memory.dmp

Filesize
3.3MB

Download
memory/1636-128-0x00007FF7CDD20000-0x00007FF7CE071000-memory.dmp

Filesize
3.3MB

Download
memory/1720-223-0x00007FF7EEB70000-0x00007FF7EEEC1000-memory.dmp

Filesize
3.3MB

Download
memory/1720-132-0x00007FF7EEB70000-0x00007FF7EEEC1000-memory.dmp

Filesize
3.3MB

Download
memory/1720-23-0x00007FF7EEB70000-0x00007FF7EEEC1000-memory.dmp

Filesize
3.3MB

Download
memory/1984-224-0x00007FF68D490000-0x00007FF68D7E1000-memory.dmp

Filesize
3.3MB

Download
memory/1984-131-0x00007FF68D490000-0x00007FF68D7E1000-memory.dmp

Filesize
3.3MB

Download
memory/1984-21-0x00007FF68D490000-0x00007FF68D7E1000-memory.dmp

Filesize
3.3MB

Download
memory/2216-255-0x00007FF6BD2D0000-0x00007FF6BD621000-memory.dmp

Filesize
3.3MB

Download
memory/2216-119-0x00007FF6BD2D0000-0x00007FF6BD621000-memory.dmp

Filesize
3.3MB

Download
memory/2288-59-0x00007FF6C7EC0000-0x00007FF6C8211000-memory.dmp

Filesize
3.3MB

Download
memory/2288-232-0x00007FF6C7EC0000-0x00007FF6C8211000-memory.dmp

Filesize
3.3MB

Download
memory/2512-147-0x00007FF7FB230000-0x00007FF7FB581000-memory.dmp

Filesize
3.3MB

Download
memory/2512-259-0x00007FF7FB230000-0x00007FF7FB581000-memory.dmp

Filesize
3.3MB

Download
memory/2512-109-0x00007FF7FB230000-0x00007FF7FB581000-memory.dmp

Filesize
3.3MB

Download
memory/3056-102-0x00007FF7D0CA0000-0x00007FF7D0FF1000-memory.dmp

Filesize
3.3MB

Download
memory/3056-237-0x00007FF7D0CA0000-0x00007FF7D0FF1000-memory.dmp

Filesize
3.3MB

Download
memory/3244-241-0x00007FF6A8920000-0x00007FF6A8C71000-memory.dmp

Filesize
3.3MB

Download
memory/3244-71-0x00007FF6A8920000-0x00007FF6A8C71000-memory.dmp

Filesize
3.3MB

Download
memory/3244-141-0x00007FF6A8920000-0x00007FF6A8C71000-memory.dmp

Filesize
3.3MB

Download
memory/3264-89-0x00007FF648780000-0x00007FF648AD1000-memory.dmp

Filesize
3.3MB

Download
memory/3264-140-0x00007FF648780000-0x00007FF648AD1000-memory.dmp

Filesize
3.3MB

Download
memory/3264-238-0x00007FF648780000-0x00007FF648AD1000-memory.dmp

Filesize
3.3MB

Download
memory/3928-247-0x00007FF7355D0000-0x00007FF735921000-memory.dmp

Filesize
3.3MB

Download
memory/3928-113-0x00007FF7355D0000-0x00007FF735921000-memory.dmp

Filesize
3.3MB

Download
memory/3928-150-0x00007FF7355D0000-0x00007FF735921000-memory.dmp

Filesize
3.3MB

Download
memory/4044-244-0x00007FF6CB1B0000-0x00007FF6CB501000-memory.dmp

Filesize
3.3MB

Download
memory/4044-143-0x00007FF6CB1B0000-0x00007FF6CB501000-memory.dmp

Filesize
3.3MB

Download
memory/4044-79-0x00007FF6CB1B0000-0x00007FF6CB501000-memory.dmp

Filesize
3.3MB

Download
memory/4180-88-0x00007FF79CCE0000-0x00007FF79D031000-memory.dmp

Filesize
3.3MB

Download
memory/4180-242-0x00007FF79CCE0000-0x00007FF79D031000-memory.dmp

Filesize
3.3MB

Download
memory/4296-201-0x00007FF7AB070000-0x00007FF7AB3C1000-memory.dmp

Filesize
3.3MB

Download
memory/4296-129-0x00007FF7AB070000-0x00007FF7AB3C1000-memory.dmp

Filesize
3.3MB

Download
memory/4296-7-0x00007FF7AB070000-0x00007FF7AB3C1000-memory.dmp

Filesize
3.3MB

Download
memory/4452-234-0x00007FF6921C0000-0x00007FF692511000-memory.dmp

Filesize
3.3MB

Download
memory/4452-135-0x00007FF6921C0000-0x00007FF692511000-memory.dmp

Filesize
3.3MB

Download
memory/4452-49-0x00007FF6921C0000-0x00007FF692511000-memory.dmp

Filesize
3.3MB

Download
memory/4496-228-0x00007FF7D8400000-0x00007FF7D8751000-memory.dmp

Filesize
3.3MB

Download
memory/4496-41-0x00007FF7D8400000-0x00007FF7D8751000-memory.dmp

Filesize
3.3MB

Download
memory/4508-130-0x00007FF79BA80000-0x00007FF79BDD1000-memory.dmp

Filesize
3.3MB

Download
memory/4508-16-0x00007FF79BA80000-0x00007FF79BDD1000-memory.dmp

Filesize
3.3MB

Download
memory/4508-220-0x00007FF79BA80000-0x00007FF79BDD1000-memory.dmp

Filesize
3.3MB

Download
memory/4800-149-0x00007FF754A10000-0x00007FF754D61000-memory.dmp

Filesize
3.3MB

Download
memory/4800-120-0x00007FF754A10000-0x00007FF754D61000-memory.dmp

Filesize
3.3MB

Download
memory/4800-249-0x00007FF754A10000-0x00007FF754D61000-memory.dmp

Filesize
3.3MB

Download
memory/4816-117-0x00007FF6F8A40000-0x00007FF6F8D91000-memory.dmp

Filesize
3.3MB

Download
memory/4816-250-0x00007FF6F8A40000-0x00007FF6F8D91000-memory.dmp

Filesize
3.3MB

Download
memory/4936-39-0x00007FF766B60000-0x00007FF766EB1000-memory.dmp

Filesize
3.3MB

Download
memory/4936-133-0x00007FF766B60000-0x00007FF766EB1000-memory.dmp

Filesize
3.3MB

Download
memory/4936-226-0x00007FF766B60000-0x00007FF766EB1000-memory.dmp

Filesize
3.3MB

Download
memory/5068-256-0x00007FF79F4B0000-0x00007FF79F801000-memory.dmp

Filesize
3.3MB

Download
memory/5068-118-0x00007FF79F4B0000-0x00007FF79F801000-memory.dmp

Filesize
3.3MB

Download