cobaltstrike | 162ced74c4ae4c8285a82916dbcad4fe096406ac2f3e9198833c0250e2d482f0

Analysis

max time kernel
141s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2024, 17:37

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-10-12_ff9d5ab19e89511563d98f6d225ac57f_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

ff9d5ab19e89511563d98f6d225ac57f
SHA1

21eed279acabe8a28037433255d51372ba3a9c13
SHA256

162ced74c4ae4c8285a82916dbcad4fe096406ac2f3e9198833c0250e2d482f0
SHA512

c40ac1a14bfe27beb965bbef82f4fd619d5fad5d35bbc4025ad038f252a0650d4023f21760c3cf7845f0956799b71efa5aafb1a20d43aaf01dc264d2341f2ae9
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lt:RWWBibf56utgpPFotBER/mQ32lUR

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0007000000023c7b-8.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c77-9.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c74-5.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c80-42.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c7f-68.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c86-93.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c87-97.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c78-103.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c88-99.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c84-83.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c85-76.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c83-70.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c81-58.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c82-54.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c7d-45.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c7e-28.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c7c-22.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c89-106.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c8a-119.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c8b-118.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c8c-124.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 46 IoCs

miner

resource	yara_rule
behavioral2/memory/1720-86-0x00007FF6ED700000-0x00007FF6EDA51000-memory.dmp	xmrig
behavioral2/memory/1900-96-0x00007FF6A9ED0000-0x00007FF6AA221000-memory.dmp	xmrig
behavioral2/memory/1644-89-0x00007FF703DB0000-0x00007FF704101000-memory.dmp	xmrig
behavioral2/memory/620-85-0x00007FF62CE70000-0x00007FF62D1C1000-memory.dmp	xmrig
behavioral2/memory/3412-67-0x00007FF75D400000-0x00007FF75D751000-memory.dmp	xmrig
behavioral2/memory/4216-53-0x00007FF7A3410000-0x00007FF7A3761000-memory.dmp	xmrig
behavioral2/memory/1864-26-0x00007FF762DE0000-0x00007FF763131000-memory.dmp	xmrig
behavioral2/memory/4488-123-0x00007FF619940000-0x00007FF619C91000-memory.dmp	xmrig
behavioral2/memory/4656-122-0x00007FF6193F0000-0x00007FF619741000-memory.dmp	xmrig
behavioral2/memory/2040-114-0x00007FF639C50000-0x00007FF639FA1000-memory.dmp	xmrig
behavioral2/memory/1108-128-0x00007FF717FC0000-0x00007FF718311000-memory.dmp	xmrig
behavioral2/memory/4660-127-0x00007FF7BBF50000-0x00007FF7BC2A1000-memory.dmp	xmrig
behavioral2/memory/972-141-0x00007FF7A75F0000-0x00007FF7A7941000-memory.dmp	xmrig
behavioral2/memory/1420-146-0x00007FF66CA90000-0x00007FF66CDE1000-memory.dmp	xmrig
behavioral2/memory/1944-145-0x00007FF657460000-0x00007FF6577B1000-memory.dmp	xmrig
behavioral2/memory/2040-133-0x00007FF639C50000-0x00007FF639FA1000-memory.dmp	xmrig
behavioral2/memory/4500-149-0x00007FF6142C0000-0x00007FF614611000-memory.dmp	xmrig
behavioral2/memory/3520-152-0x00007FF737850000-0x00007FF737BA1000-memory.dmp	xmrig
behavioral2/memory/4764-151-0x00007FF747240000-0x00007FF747591000-memory.dmp	xmrig
behavioral2/memory/696-150-0x00007FF657990000-0x00007FF657CE1000-memory.dmp	xmrig
behavioral2/memory/1900-148-0x00007FF6A9ED0000-0x00007FF6AA221000-memory.dmp	xmrig
behavioral2/memory/3784-153-0x00007FF6C96B0000-0x00007FF6C9A01000-memory.dmp	xmrig
behavioral2/memory/2776-156-0x00007FF7F7AC0000-0x00007FF7F7E11000-memory.dmp	xmrig
behavioral2/memory/3568-157-0x00007FF772090000-0x00007FF7723E1000-memory.dmp	xmrig
behavioral2/memory/2040-158-0x00007FF639C50000-0x00007FF639FA1000-memory.dmp	xmrig
behavioral2/memory/4656-221-0x00007FF6193F0000-0x00007FF619741000-memory.dmp	xmrig
behavioral2/memory/1864-223-0x00007FF762DE0000-0x00007FF763131000-memory.dmp	xmrig
behavioral2/memory/4488-226-0x00007FF619940000-0x00007FF619C91000-memory.dmp	xmrig
behavioral2/memory/4216-229-0x00007FF7A3410000-0x00007FF7A3761000-memory.dmp	xmrig
behavioral2/memory/4660-228-0x00007FF7BBF50000-0x00007FF7BC2A1000-memory.dmp	xmrig
behavioral2/memory/1108-231-0x00007FF717FC0000-0x00007FF718311000-memory.dmp	xmrig
behavioral2/memory/3412-233-0x00007FF75D400000-0x00007FF75D751000-memory.dmp	xmrig
behavioral2/memory/620-237-0x00007FF62CE70000-0x00007FF62D1C1000-memory.dmp	xmrig
behavioral2/memory/972-235-0x00007FF7A75F0000-0x00007FF7A7941000-memory.dmp	xmrig
behavioral2/memory/1420-247-0x00007FF66CA90000-0x00007FF66CDE1000-memory.dmp	xmrig
behavioral2/memory/1900-248-0x00007FF6A9ED0000-0x00007FF6AA221000-memory.dmp	xmrig
behavioral2/memory/696-252-0x00007FF657990000-0x00007FF657CE1000-memory.dmp	xmrig
behavioral2/memory/4764-254-0x00007FF747240000-0x00007FF747591000-memory.dmp	xmrig
behavioral2/memory/4500-250-0x00007FF6142C0000-0x00007FF614611000-memory.dmp	xmrig
behavioral2/memory/1644-245-0x00007FF703DB0000-0x00007FF704101000-memory.dmp	xmrig
behavioral2/memory/1944-240-0x00007FF657460000-0x00007FF6577B1000-memory.dmp	xmrig
behavioral2/memory/1720-243-0x00007FF6ED700000-0x00007FF6EDA51000-memory.dmp	xmrig
behavioral2/memory/3520-259-0x00007FF737850000-0x00007FF737BA1000-memory.dmp	xmrig
behavioral2/memory/3784-261-0x00007FF6C96B0000-0x00007FF6C9A01000-memory.dmp	xmrig
behavioral2/memory/3568-263-0x00007FF772090000-0x00007FF7723E1000-memory.dmp	xmrig
behavioral2/memory/2776-265-0x00007FF7F7AC0000-0x00007FF7F7E11000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4656	EVZHdGM.exe
4488	zpLEEos.exe
4660	PgGvCeB.exe
1864	SQscPWi.exe
4216	RJfjkqn.exe
1108	oTSLaEq.exe
972	iIIovmT.exe
1420	QwfDLtG.exe
620	pWFziMX.exe
3412	zFtSCuq.exe
1720	NFSllQH.exe
1944	EPbmrhh.exe
1644	QhYhWGe.exe
1900	aeczDxu.exe
4500	wXpdJIc.exe
696	jJrYiaF.exe
4764	eQgMLMO.exe
3520	vfUzHXj.exe
3784	KcnEJaM.exe
3568	gsYeruq.exe
2776	EQqBVpI.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2040-0-0x00007FF639C50000-0x00007FF639FA1000-memory.dmp	upx
behavioral2/files/0x0007000000023c7b-8.dat	upx
behavioral2/files/0x0008000000023c77-9.dat	upx
behavioral2/memory/4656-6-0x00007FF6193F0000-0x00007FF619741000-memory.dmp	upx
behavioral2/files/0x0008000000023c74-5.dat	upx
behavioral2/memory/4660-33-0x00007FF7BBF50000-0x00007FF7BC2A1000-memory.dmp	upx
behavioral2/files/0x0007000000023c80-42.dat	upx
behavioral2/files/0x0007000000023c7f-68.dat	upx
behavioral2/memory/1944-75-0x00007FF657460000-0x00007FF6577B1000-memory.dmp	upx
behavioral2/memory/1720-86-0x00007FF6ED700000-0x00007FF6EDA51000-memory.dmp	upx
behavioral2/files/0x0007000000023c86-93.dat	upx
behavioral2/files/0x0007000000023c87-97.dat	upx
behavioral2/files/0x0008000000023c78-103.dat	upx
behavioral2/memory/4764-102-0x00007FF747240000-0x00007FF747591000-memory.dmp	upx
behavioral2/memory/4500-101-0x00007FF6142C0000-0x00007FF614611000-memory.dmp	upx
behavioral2/files/0x0007000000023c88-99.dat	upx
behavioral2/memory/1900-96-0x00007FF6A9ED0000-0x00007FF6AA221000-memory.dmp	upx
behavioral2/memory/696-90-0x00007FF657990000-0x00007FF657CE1000-memory.dmp	upx
behavioral2/memory/1644-89-0x00007FF703DB0000-0x00007FF704101000-memory.dmp	upx
behavioral2/memory/620-85-0x00007FF62CE70000-0x00007FF62D1C1000-memory.dmp	upx
behavioral2/files/0x0007000000023c84-83.dat	upx
behavioral2/files/0x0007000000023c85-76.dat	upx
behavioral2/files/0x0007000000023c83-70.dat	upx
behavioral2/memory/3412-67-0x00007FF75D400000-0x00007FF75D751000-memory.dmp	upx
behavioral2/memory/972-66-0x00007FF7A75F0000-0x00007FF7A7941000-memory.dmp	upx
behavioral2/files/0x0007000000023c81-58.dat	upx
behavioral2/files/0x0007000000023c82-54.dat	upx
behavioral2/memory/4216-53-0x00007FF7A3410000-0x00007FF7A3761000-memory.dmp	upx
behavioral2/files/0x0007000000023c7d-45.dat	upx
behavioral2/memory/1420-44-0x00007FF66CA90000-0x00007FF66CDE1000-memory.dmp	upx
behavioral2/memory/1108-37-0x00007FF717FC0000-0x00007FF718311000-memory.dmp	upx
behavioral2/files/0x0007000000023c7e-28.dat	upx
behavioral2/memory/1864-26-0x00007FF762DE0000-0x00007FF763131000-memory.dmp	upx
behavioral2/files/0x0007000000023c7c-22.dat	upx
behavioral2/memory/4488-21-0x00007FF619940000-0x00007FF619C91000-memory.dmp	upx
behavioral2/files/0x0007000000023c89-106.dat	upx
behavioral2/memory/3520-111-0x00007FF737850000-0x00007FF737BA1000-memory.dmp	upx
behavioral2/memory/3784-117-0x00007FF6C96B0000-0x00007FF6C9A01000-memory.dmp	upx
behavioral2/files/0x0007000000023c8a-119.dat	upx
behavioral2/memory/4488-123-0x00007FF619940000-0x00007FF619C91000-memory.dmp	upx
behavioral2/memory/4656-122-0x00007FF6193F0000-0x00007FF619741000-memory.dmp	upx
behavioral2/files/0x0007000000023c8b-118.dat	upx
behavioral2/memory/2040-114-0x00007FF639C50000-0x00007FF639FA1000-memory.dmp	upx
behavioral2/files/0x0007000000023c8c-124.dat	upx
behavioral2/memory/3568-125-0x00007FF772090000-0x00007FF7723E1000-memory.dmp	upx
behavioral2/memory/2776-130-0x00007FF7F7AC0000-0x00007FF7F7E11000-memory.dmp	upx
behavioral2/memory/1108-128-0x00007FF717FC0000-0x00007FF718311000-memory.dmp	upx
behavioral2/memory/4660-127-0x00007FF7BBF50000-0x00007FF7BC2A1000-memory.dmp	upx
behavioral2/memory/972-141-0x00007FF7A75F0000-0x00007FF7A7941000-memory.dmp	upx
behavioral2/memory/1420-146-0x00007FF66CA90000-0x00007FF66CDE1000-memory.dmp	upx
behavioral2/memory/1944-145-0x00007FF657460000-0x00007FF6577B1000-memory.dmp	upx
behavioral2/memory/2040-133-0x00007FF639C50000-0x00007FF639FA1000-memory.dmp	upx
behavioral2/memory/4500-149-0x00007FF6142C0000-0x00007FF614611000-memory.dmp	upx
behavioral2/memory/3520-152-0x00007FF737850000-0x00007FF737BA1000-memory.dmp	upx
behavioral2/memory/4764-151-0x00007FF747240000-0x00007FF747591000-memory.dmp	upx
behavioral2/memory/696-150-0x00007FF657990000-0x00007FF657CE1000-memory.dmp	upx
behavioral2/memory/1900-148-0x00007FF6A9ED0000-0x00007FF6AA221000-memory.dmp	upx
behavioral2/memory/3784-153-0x00007FF6C96B0000-0x00007FF6C9A01000-memory.dmp	upx
behavioral2/memory/2776-156-0x00007FF7F7AC0000-0x00007FF7F7E11000-memory.dmp	upx
behavioral2/memory/3568-157-0x00007FF772090000-0x00007FF7723E1000-memory.dmp	upx
behavioral2/memory/2040-158-0x00007FF639C50000-0x00007FF639FA1000-memory.dmp	upx
behavioral2/memory/4656-221-0x00007FF6193F0000-0x00007FF619741000-memory.dmp	upx
behavioral2/memory/1864-223-0x00007FF762DE0000-0x00007FF763131000-memory.dmp	upx
behavioral2/memory/4488-226-0x00007FF619940000-0x00007FF619C91000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\pWFziMX.exe	2024-10-12_ff9d5ab19e89511563d98f6d225ac57f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NFSllQH.exe	2024-10-12_ff9d5ab19e89511563d98f6d225ac57f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KcnEJaM.exe	2024-10-12_ff9d5ab19e89511563d98f6d225ac57f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oTSLaEq.exe	2024-10-12_ff9d5ab19e89511563d98f6d225ac57f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QwfDLtG.exe	2024-10-12_ff9d5ab19e89511563d98f6d225ac57f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zFtSCuq.exe	2024-10-12_ff9d5ab19e89511563d98f6d225ac57f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aeczDxu.exe	2024-10-12_ff9d5ab19e89511563d98f6d225ac57f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wXpdJIc.exe	2024-10-12_ff9d5ab19e89511563d98f6d225ac57f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eQgMLMO.exe	2024-10-12_ff9d5ab19e89511563d98f6d225ac57f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EVZHdGM.exe	2024-10-12_ff9d5ab19e89511563d98f6d225ac57f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jJrYiaF.exe	2024-10-12_ff9d5ab19e89511563d98f6d225ac57f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vfUzHXj.exe	2024-10-12_ff9d5ab19e89511563d98f6d225ac57f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gsYeruq.exe	2024-10-12_ff9d5ab19e89511563d98f6d225ac57f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EQqBVpI.exe	2024-10-12_ff9d5ab19e89511563d98f6d225ac57f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zpLEEos.exe	2024-10-12_ff9d5ab19e89511563d98f6d225ac57f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PgGvCeB.exe	2024-10-12_ff9d5ab19e89511563d98f6d225ac57f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SQscPWi.exe	2024-10-12_ff9d5ab19e89511563d98f6d225ac57f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RJfjkqn.exe	2024-10-12_ff9d5ab19e89511563d98f6d225ac57f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iIIovmT.exe	2024-10-12_ff9d5ab19e89511563d98f6d225ac57f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EPbmrhh.exe	2024-10-12_ff9d5ab19e89511563d98f6d225ac57f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QhYhWGe.exe	2024-10-12_ff9d5ab19e89511563d98f6d225ac57f_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2040	2024-10-12_ff9d5ab19e89511563d98f6d225ac57f_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2040	2024-10-12_ff9d5ab19e89511563d98f6d225ac57f_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 4656	2040	2024-10-12_ff9d5ab19e89511563d98f6d225ac57f_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2040 wrote to memory of 4656	2040	2024-10-12_ff9d5ab19e89511563d98f6d225ac57f_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2040 wrote to memory of 4488	2040	2024-10-12_ff9d5ab19e89511563d98f6d225ac57f_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2040 wrote to memory of 4488	2040	2024-10-12_ff9d5ab19e89511563d98f6d225ac57f_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2040 wrote to memory of 4660	2040	2024-10-12_ff9d5ab19e89511563d98f6d225ac57f_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2040 wrote to memory of 4660	2040	2024-10-12_ff9d5ab19e89511563d98f6d225ac57f_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2040 wrote to memory of 1864	2040	2024-10-12_ff9d5ab19e89511563d98f6d225ac57f_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2040 wrote to memory of 1864	2040	2024-10-12_ff9d5ab19e89511563d98f6d225ac57f_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2040 wrote to memory of 1108	2040	2024-10-12_ff9d5ab19e89511563d98f6d225ac57f_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2040 wrote to memory of 1108	2040	2024-10-12_ff9d5ab19e89511563d98f6d225ac57f_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2040 wrote to memory of 4216	2040	2024-10-12_ff9d5ab19e89511563d98f6d225ac57f_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2040 wrote to memory of 4216	2040	2024-10-12_ff9d5ab19e89511563d98f6d225ac57f_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2040 wrote to memory of 1420	2040	2024-10-12_ff9d5ab19e89511563d98f6d225ac57f_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2040 wrote to memory of 1420	2040	2024-10-12_ff9d5ab19e89511563d98f6d225ac57f_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2040 wrote to memory of 972	2040	2024-10-12_ff9d5ab19e89511563d98f6d225ac57f_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2040 wrote to memory of 972	2040	2024-10-12_ff9d5ab19e89511563d98f6d225ac57f_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2040 wrote to memory of 620	2040	2024-10-12_ff9d5ab19e89511563d98f6d225ac57f_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2040 wrote to memory of 620	2040	2024-10-12_ff9d5ab19e89511563d98f6d225ac57f_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2040 wrote to memory of 3412	2040	2024-10-12_ff9d5ab19e89511563d98f6d225ac57f_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2040 wrote to memory of 3412	2040	2024-10-12_ff9d5ab19e89511563d98f6d225ac57f_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2040 wrote to memory of 1720	2040	2024-10-12_ff9d5ab19e89511563d98f6d225ac57f_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2040 wrote to memory of 1720	2040	2024-10-12_ff9d5ab19e89511563d98f6d225ac57f_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2040 wrote to memory of 1944	2040	2024-10-12_ff9d5ab19e89511563d98f6d225ac57f_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2040 wrote to memory of 1944	2040	2024-10-12_ff9d5ab19e89511563d98f6d225ac57f_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2040 wrote to memory of 1644	2040	2024-10-12_ff9d5ab19e89511563d98f6d225ac57f_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2040 wrote to memory of 1644	2040	2024-10-12_ff9d5ab19e89511563d98f6d225ac57f_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2040 wrote to memory of 1900	2040	2024-10-12_ff9d5ab19e89511563d98f6d225ac57f_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2040 wrote to memory of 1900	2040	2024-10-12_ff9d5ab19e89511563d98f6d225ac57f_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2040 wrote to memory of 4500	2040	2024-10-12_ff9d5ab19e89511563d98f6d225ac57f_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2040 wrote to memory of 4500	2040	2024-10-12_ff9d5ab19e89511563d98f6d225ac57f_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2040 wrote to memory of 696	2040	2024-10-12_ff9d5ab19e89511563d98f6d225ac57f_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2040 wrote to memory of 696	2040	2024-10-12_ff9d5ab19e89511563d98f6d225ac57f_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2040 wrote to memory of 4764	2040	2024-10-12_ff9d5ab19e89511563d98f6d225ac57f_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2040 wrote to memory of 4764	2040	2024-10-12_ff9d5ab19e89511563d98f6d225ac57f_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2040 wrote to memory of 3520	2040	2024-10-12_ff9d5ab19e89511563d98f6d225ac57f_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2040 wrote to memory of 3520	2040	2024-10-12_ff9d5ab19e89511563d98f6d225ac57f_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2040 wrote to memory of 3784	2040	2024-10-12_ff9d5ab19e89511563d98f6d225ac57f_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 2040 wrote to memory of 3784	2040	2024-10-12_ff9d5ab19e89511563d98f6d225ac57f_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 2040 wrote to memory of 3568	2040	2024-10-12_ff9d5ab19e89511563d98f6d225ac57f_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 2040 wrote to memory of 3568	2040	2024-10-12_ff9d5ab19e89511563d98f6d225ac57f_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 2040 wrote to memory of 2776	2040	2024-10-12_ff9d5ab19e89511563d98f6d225ac57f_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 2040 wrote to memory of 2776	2040	2024-10-12_ff9d5ab19e89511563d98f6d225ac57f_cobalt-strike_cobaltstrike_poet-rat.exe	106

C:\Users\Admin\AppData\Local\Temp\2024-10-12_ff9d5ab19e89511563d98f6d225ac57f_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-12_ff9d5ab19e89511563d98f6d225ac57f_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Windows\System\EVZHdGM.exe
  C:\Windows\System\EVZHdGM.exe
  2⤵
  - Executes dropped EXE
  PID:4656
- C:\Windows\System\zpLEEos.exe
  C:\Windows\System\zpLEEos.exe
  2⤵
  - Executes dropped EXE
  PID:4488
- C:\Windows\System\PgGvCeB.exe
  C:\Windows\System\PgGvCeB.exe
  2⤵
  - Executes dropped EXE
  PID:4660
- C:\Windows\System\SQscPWi.exe
  C:\Windows\System\SQscPWi.exe
  2⤵
  - Executes dropped EXE
  PID:1864
- C:\Windows\System\oTSLaEq.exe
  C:\Windows\System\oTSLaEq.exe
  2⤵
  - Executes dropped EXE
  PID:1108
- C:\Windows\System\RJfjkqn.exe
  C:\Windows\System\RJfjkqn.exe
  2⤵
  - Executes dropped EXE
  PID:4216
- C:\Windows\System\QwfDLtG.exe
  C:\Windows\System\QwfDLtG.exe
  2⤵
  - Executes dropped EXE
  PID:1420
- C:\Windows\System\iIIovmT.exe
  C:\Windows\System\iIIovmT.exe
  2⤵
  - Executes dropped EXE
  PID:972
- C:\Windows\System\pWFziMX.exe
  C:\Windows\System\pWFziMX.exe
  2⤵
  - Executes dropped EXE
  PID:620
- C:\Windows\System\zFtSCuq.exe
  C:\Windows\System\zFtSCuq.exe
  2⤵
  - Executes dropped EXE
  PID:3412
- C:\Windows\System\NFSllQH.exe
  C:\Windows\System\NFSllQH.exe
  2⤵
  - Executes dropped EXE
  PID:1720
- C:\Windows\System\EPbmrhh.exe
  C:\Windows\System\EPbmrhh.exe
  2⤵
  - Executes dropped EXE
  PID:1944
- C:\Windows\System\QhYhWGe.exe
  C:\Windows\System\QhYhWGe.exe
  2⤵
  - Executes dropped EXE
  PID:1644
- C:\Windows\System\aeczDxu.exe
  C:\Windows\System\aeczDxu.exe
  2⤵
  - Executes dropped EXE
  PID:1900
- C:\Windows\System\wXpdJIc.exe
  C:\Windows\System\wXpdJIc.exe
  2⤵
  - Executes dropped EXE
  PID:4500
- C:\Windows\System\jJrYiaF.exe
  C:\Windows\System\jJrYiaF.exe
  2⤵
  - Executes dropped EXE
  PID:696
- C:\Windows\System\eQgMLMO.exe
  C:\Windows\System\eQgMLMO.exe
  2⤵
  - Executes dropped EXE
  PID:4764
- C:\Windows\System\vfUzHXj.exe
  C:\Windows\System\vfUzHXj.exe
  2⤵
  - Executes dropped EXE
  PID:3520
- C:\Windows\System\KcnEJaM.exe
  C:\Windows\System\KcnEJaM.exe
  2⤵
  - Executes dropped EXE
  PID:3784
- C:\Windows\System\gsYeruq.exe
  C:\Windows\System\gsYeruq.exe
  2⤵
  - Executes dropped EXE
  PID:3568
- C:\Windows\System\EQqBVpI.exe
  C:\Windows\System\EQqBVpI.exe
  2⤵
  - Executes dropped EXE
  PID:2776

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\EPbmrhh.exe

Filesize
5.2MB

MD5
dda91d3e972dd58a3c55b7539810955b

SHA1
49930ae49091e62cd7de642f76c6e05ea3369d6b

SHA256
f77e991de23fa3f9b76a51626d0c96bfd8a2c6810d84c0e834db9c72eac184f7

SHA512
310edc808d37b2932e3affd982f710e05af20d1dcf314a7b50cb7c85064e193c56f4c7bc970f0517c6852493116461a7e202a338efa08c338fd5c77970965fdc

Download Submit
C:\Windows\System\EQqBVpI.exe

Filesize
5.2MB

MD5
4ad42059ed9c2bfebf40cf3420d08f39

SHA1
8de1cc25198cbdbbee8cbe4b6b7c3e458c0059ce

SHA256
a87b9e1ce0864deb6d6a905686c7ae482bdda122b8e50aa8a2b1f882ca70bae8

SHA512
67bb06d1c682363443f11e8cba55579eb6ea958bb33eff72a59a6d2961025ff45ef124e6839139e65da1d3f647f6f8771d71a81eda0f9b86b7040000b9ea9eaa

Download Submit
C:\Windows\System\EVZHdGM.exe

Filesize
5.2MB

MD5
80f8e73308c2d5323828c7f44e164ba1

SHA1
c0030010a27bc5911f9a294a42d31eb7b3ad1a83

SHA256
a236120974b93baf77d097f262568172741d9226bf1b3b075cde0de80f9d4873

SHA512
3d4ac44fa3d68b941add07b79bed830e564451b84cb385a5feb0703501f19a6eb18fed6490fa98a451fb1985e603210eeb2a52f1ebfa09c8dbbbe8cb6ca5e682

Download Submit
C:\Windows\System\KcnEJaM.exe

Filesize
5.2MB

MD5
c6499173b7baa78e5656811437e9a899

SHA1
23e11f2950ac8bd6181009adff744c46b58c7b90

SHA256
4b0a29f4e044dbe5b3ac44e50e7db00d3b401c73e72bf220faf8c7e67645aac7

SHA512
d5390b5c85293c0d67186bafa764e0e52fc03ed31f4c52bcafb85c95463e6c6591a2e840ce384a29e90ab51b7e99a37edb396020cc421ae65cdfc8f4a6cf02c6

Download Submit
C:\Windows\System\NFSllQH.exe

Filesize
5.2MB

MD5
a4385283080408663dbdaa7d7af85582

SHA1
6eaa02305912a065ef926adc934bd20a42572cd6

SHA256
79f30af1a87988fad6345bd74c74ccf0e92c80a96e4da54bcaff4356ee387973

SHA512
8dc9fde49b241c9334bea8a003b503dc9c3de8e237baf4af3dee9db889494912aeee84fd8df65254fedc60216e80f9b757a7914b5844b3c866b2938e58f2d7f9

Download Submit
C:\Windows\System\PgGvCeB.exe

Filesize
5.2MB

MD5
ad61f165547d3809c5604f72330bc815

SHA1
9a5f24e2dff5286c260b9db0f29e4dcebf7a37b1

SHA256
670215153b7e628b929a8326ab57e0fb0993a1d15de6fdfce60a263b875945dd

SHA512
b16c19dcebe35b1d3a92e5288dcced1197df07f014d34e493e7cda2294239945a4f48e69d45e4ba3818389f6d1dcee290119df881701fd46e94973a01b48dff0

Download Submit
C:\Windows\System\QhYhWGe.exe

Filesize
5.2MB

MD5
4103e92ab6d298ff5b9f1a35908c33da

SHA1
a58de937146164acf5c4407d92d2c0dfbf3f464f

SHA256
ac0524366f6f5702babf556d22b616f329e8036c4c9a4fdd597aa1209d5c7393

SHA512
2547092cc9e292fa2f91fb1bd6accc178580cd276a8afc42a2bb0b2b4ee0f84b5edecd0888af254783cebf2b8f0f39ea0e96192939a3990fa37e3ea34f120114

Download Submit
C:\Windows\System\QwfDLtG.exe

Filesize
5.2MB

MD5
5addcc4f5ae5d01fd98245ce6b7a3578

SHA1
a141a8e8cd032ed11b89e360176883ab50b2d1ce

SHA256
e7397056e0aa93a7299a674fe5ca527ea45fba5f9fea6ef297a33e2f37450706

SHA512
8b8ca948d66ee1d2077562c623af38f68d0a7f40ab3304bd5eead864bab27cc4d0bcb30da5bd0b44169f892baf89c9cb8302dc5853e05cb5a7e05e572c1b7d70

Download Submit
C:\Windows\System\RJfjkqn.exe

Filesize
5.2MB

MD5
9c2408a2ead9871d4ba1359393d8e198

SHA1
972f70782cadea9ba42c85436eedb8200ece7d33

SHA256
e37f00dedbee568e55cdd79d954d1188ad89afa4182a690a09595ffdf46a2f78

SHA512
30af3420debf1cf2f5fbe389330fd50c99509275faa1e0716fc1fe90aa166363d5591f850df9d1df657fa854626bb13e1774e6b8fafed9db5cb079c5a4ae15d8

Download Submit
C:\Windows\System\SQscPWi.exe

Filesize
5.2MB

MD5
b0f578e1be13d80534c262ab7d8fdc2e

SHA1
c209a33812316f820f39a6064c95c920ab26002d

SHA256
1ea48a5573750e9d3fcd2ec39d9e37ab46f113eece676aea9ff9a7a664e434b0

SHA512
2f2f048a14c472ce021e2d9172e8b379031ba3269f0e4e5b50db6a0e37b7e69e2182a72cab73ab832b7a05b22b36ba34f03326ba9814416ec48982647c8e269a

Download Submit
C:\Windows\System\aeczDxu.exe

Filesize
5.2MB

MD5
639db858a671678bc1d7fa2c770016a5

SHA1
c4155788cf93b420f050f036eeb3d5edfc14c3d9

SHA256
46c0eff73a1540bf50be0f1ed7a8100c6b13a5630927f8fa901bc07e08aebbe0

SHA512
19d05a0e1d1df0c4715f2b3d6f2489a137f13cc6a7bc171640ae87794663d2de953dc06b91eefe808152a0b3312e30d154d50e71ba0a128bd09a595d1be3fec0

Download Submit
C:\Windows\System\eQgMLMO.exe

Filesize
5.2MB

MD5
9b90c2f0eedbded6a3233b5e837ba007

SHA1
fc0b30692524428605d31535b8ea11819580eb91

SHA256
7bf987738b5c773905423eb38f6c94fc9b80f8f3f02bbd07fc9c31f4fb44039b

SHA512
817cbfdcc37178e9826019343deb2c790b6c6fa44b58a7cd89104fb8e69f450b180e3e8fa30e0d6189c12ab5c985296a304d7a63fe267e5687ecd0c07801fd8d

Download Submit
C:\Windows\System\gsYeruq.exe

Filesize
5.2MB

MD5
8f6ea67558995505087f7017896bec7d

SHA1
bdfa73a9a21a08fb65f8a86748577b0c842f9601

SHA256
56d9b3b61fd40ff868eb7a9f66d42cd47ccddcc3ecd87e1b4f8770d09d501930

SHA512
d82380ffe6e58e6d6d35ac9e2fb91dccfcf20e568feb1fe0912b52d98cdffb929cc46a51b11883a875dc16ee94ffa962a8dbddb93fe1eb18554ecbdb6834065b

Download Submit
C:\Windows\System\iIIovmT.exe

Filesize
5.2MB

MD5
6a5d0b059e6c49322e31a2f8daca8b9d

SHA1
61fc58ac59ee8dac782ad931db6c8beda704fb42

SHA256
0e8e6fe241ca164353ba17b415b32e2514af4d95ebbead53beaebe16515fa47d

SHA512
1a176514a6820b61b854abb4fa7241757135c0a84b53c9f19aa663b58525b2b19d9d2a00bad18cb37477dffa17342c5d9cacd6af569dcc4d3e85cc54fcd6c8ce

Download Submit
C:\Windows\System\jJrYiaF.exe

Filesize
5.2MB

MD5
e167efac3424ee234ad21f5e7ba2c2ea

SHA1
6f286150b41c78b23cb2f94e58d2e07ba56ebd5d

SHA256
3d6d05b7bc8cb0ec81b2316393e63537b5b482e4bab9055faead3b687e6e051f

SHA512
6d259edf2a5c2583a45711a2c59b15d4533584402e1fcb1b6ed8b1611f1fbd1905f47175c675bc9b8e20d8a27bae8378d519da91978944f2e78b67432c1b9f81

Download Submit
C:\Windows\System\oTSLaEq.exe

Filesize
5.2MB

MD5
8d286bf2592d9bac289abb27b363b835

SHA1
87ff604cb0f35ce224215e04abc5820a7b117e32

SHA256
3758f5cc670005939ccab28fe101ca798c83525b3e3c4226e60fd3bee5c788f0

SHA512
0e273873847115b2e7bd9954d17b1541a935a0209d869308b4a7ba0b4ff915b7f77042871a4821e6d0276e40a9920fafac8474ca3fe51ace04cb8fbbd85a80b5

Download Submit
C:\Windows\System\pWFziMX.exe

Filesize
5.2MB

MD5
fb49f91bf2afa41dabdfd90a27a4dd71

SHA1
0a6a68dd14e45ce4f1a2063807e9c5e4351885f2

SHA256
c231a310a5304a55438c60b8fa36dc78c53494d607124b3a58022fa70271de9e

SHA512
3327777438e6587a3339f017466ef36edf33d349cfb83932fb710d52580ce76b858f5a8685275bfeb095fcb96e3e7f4617b2c2bad739a26711a0a63f03d41f7d

Download Submit
C:\Windows\System\vfUzHXj.exe

Filesize
5.2MB

MD5
c59a133090a1b54371fc8c30f0e36c71

SHA1
8a9a33dc81173525066e79163216c63d280270de

SHA256
0cf418c70330bb78bf4d8b01ba4eb73047b2010c78aa2dc76cfe605179233d65

SHA512
9f1a49ae44d40b228573ee5814293c05d223cdf608c4407217da1eb54ebd1dad3ab28800d8c521cb4e074d5d3b289cbc491d3344f5ee79ec00893323f86f58ea

Download Submit
C:\Windows\System\wXpdJIc.exe

Filesize
5.2MB

MD5
cec225b1d4ad88d2117c69488560c061

SHA1
751a0078931597576d513f5a073530a7401ca0dd

SHA256
4c0bd2927324b83a8d4521b96872e1da3890d10f1cbf00348ab0eedc74aacbfd

SHA512
41a720b16d392633da06dec8d2201d95ab651c542d2eab99c6fccfeea1e0a903e9df276e74882858a2e01a95d4c46c1a9a5746c41b97da5ef75e0cc532247925

Download Submit
C:\Windows\System\zFtSCuq.exe

Filesize
5.2MB

MD5
83b34ea9abb16d7b4710bf783454518c

SHA1
1a81fe7590c1675bb25ca63bf0432513ebcb759c

SHA256
ca0ae106479beb61f28b41bc64c932e666cb4f1b6bbd959de83a405da7d7f2cd

SHA512
ee2969c4fe04034957bcf2c5750101f7694130a406694649ee14071453c903ef8831ef97860e4dc7ca2dfb8502d87adce36bf8e51876b689eaa2cc3910f89f8e

Download Submit
C:\Windows\System\zpLEEos.exe

Filesize
5.2MB

MD5
185fc36d9480aa0e69b4bdbf0c0a366c

SHA1
86b873be441d6388667a6fd708411ef765caf19c

SHA256
411575a193916e3f1d8fd1905479a3c9da54890568f276bd4883dd4ea26ff397

SHA512
4ca2d51de495c5fd8a9e16b25ffa91e218b8953a1e6c786701676b6b3e33b33b886b283b95bce4cb3cbbd481bd8be5343dc339299f1a3a7f3bda6e821245eb8e

Download Submit
memory/620-237-0x00007FF62CE70000-0x00007FF62D1C1000-memory.dmp

Filesize
3.3MB

Download
memory/620-85-0x00007FF62CE70000-0x00007FF62D1C1000-memory.dmp

Filesize
3.3MB

Download
memory/696-90-0x00007FF657990000-0x00007FF657CE1000-memory.dmp

Filesize
3.3MB

Download
memory/696-150-0x00007FF657990000-0x00007FF657CE1000-memory.dmp

Filesize
3.3MB

Download
memory/696-252-0x00007FF657990000-0x00007FF657CE1000-memory.dmp

Filesize
3.3MB

Download
memory/972-141-0x00007FF7A75F0000-0x00007FF7A7941000-memory.dmp

Filesize
3.3MB

Download
memory/972-66-0x00007FF7A75F0000-0x00007FF7A7941000-memory.dmp

Filesize
3.3MB

Download
memory/972-235-0x00007FF7A75F0000-0x00007FF7A7941000-memory.dmp

Filesize
3.3MB

Download
memory/1108-231-0x00007FF717FC0000-0x00007FF718311000-memory.dmp

Filesize
3.3MB

Download
memory/1108-37-0x00007FF717FC0000-0x00007FF718311000-memory.dmp

Filesize
3.3MB

Download
memory/1108-128-0x00007FF717FC0000-0x00007FF718311000-memory.dmp

Filesize
3.3MB

Download
memory/1420-44-0x00007FF66CA90000-0x00007FF66CDE1000-memory.dmp

Filesize
3.3MB

Download
memory/1420-247-0x00007FF66CA90000-0x00007FF66CDE1000-memory.dmp

Filesize
3.3MB

Download
memory/1420-146-0x00007FF66CA90000-0x00007FF66CDE1000-memory.dmp

Filesize
3.3MB

Download
memory/1644-89-0x00007FF703DB0000-0x00007FF704101000-memory.dmp

Filesize
3.3MB

Download
memory/1644-245-0x00007FF703DB0000-0x00007FF704101000-memory.dmp

Filesize
3.3MB

Download
memory/1720-243-0x00007FF6ED700000-0x00007FF6EDA51000-memory.dmp

Filesize
3.3MB

Download
memory/1720-86-0x00007FF6ED700000-0x00007FF6EDA51000-memory.dmp

Filesize
3.3MB

Download
memory/1864-223-0x00007FF762DE0000-0x00007FF763131000-memory.dmp

Filesize
3.3MB

Download
memory/1864-26-0x00007FF762DE0000-0x00007FF763131000-memory.dmp

Filesize
3.3MB

Download
memory/1900-148-0x00007FF6A9ED0000-0x00007FF6AA221000-memory.dmp

Filesize
3.3MB

Download
memory/1900-248-0x00007FF6A9ED0000-0x00007FF6AA221000-memory.dmp

Filesize
3.3MB

Download
memory/1900-96-0x00007FF6A9ED0000-0x00007FF6AA221000-memory.dmp

Filesize
3.3MB

Download
memory/1944-240-0x00007FF657460000-0x00007FF6577B1000-memory.dmp

Filesize
3.3MB

Download
memory/1944-75-0x00007FF657460000-0x00007FF6577B1000-memory.dmp

Filesize
3.3MB

Download
memory/1944-145-0x00007FF657460000-0x00007FF6577B1000-memory.dmp

Filesize
3.3MB

Download
memory/2040-0-0x00007FF639C50000-0x00007FF639FA1000-memory.dmp

Filesize
3.3MB

Download
memory/2040-1-0x00000272A44D0000-0x00000272A44E0000-memory.dmp

Filesize
64KB

Download
memory/2040-114-0x00007FF639C50000-0x00007FF639FA1000-memory.dmp

Filesize
3.3MB

Download
memory/2040-158-0x00007FF639C50000-0x00007FF639FA1000-memory.dmp

Filesize
3.3MB

Download
memory/2040-133-0x00007FF639C50000-0x00007FF639FA1000-memory.dmp

Filesize
3.3MB

Download
memory/2776-156-0x00007FF7F7AC0000-0x00007FF7F7E11000-memory.dmp

Filesize
3.3MB

Download
memory/2776-265-0x00007FF7F7AC0000-0x00007FF7F7E11000-memory.dmp

Filesize
3.3MB

Download
memory/2776-130-0x00007FF7F7AC0000-0x00007FF7F7E11000-memory.dmp

Filesize
3.3MB

Download
memory/3412-233-0x00007FF75D400000-0x00007FF75D751000-memory.dmp

Filesize
3.3MB

Download
memory/3412-67-0x00007FF75D400000-0x00007FF75D751000-memory.dmp

Filesize
3.3MB

Download
memory/3520-152-0x00007FF737850000-0x00007FF737BA1000-memory.dmp

Filesize
3.3MB

Download
memory/3520-259-0x00007FF737850000-0x00007FF737BA1000-memory.dmp

Filesize
3.3MB

Download
memory/3520-111-0x00007FF737850000-0x00007FF737BA1000-memory.dmp

Filesize
3.3MB

Download
memory/3568-263-0x00007FF772090000-0x00007FF7723E1000-memory.dmp

Filesize
3.3MB

Download
memory/3568-125-0x00007FF772090000-0x00007FF7723E1000-memory.dmp

Filesize
3.3MB

Download
memory/3568-157-0x00007FF772090000-0x00007FF7723E1000-memory.dmp

Filesize
3.3MB

Download
memory/3784-117-0x00007FF6C96B0000-0x00007FF6C9A01000-memory.dmp

Filesize
3.3MB

Download
memory/3784-261-0x00007FF6C96B0000-0x00007FF6C9A01000-memory.dmp

Filesize
3.3MB

Download
memory/3784-153-0x00007FF6C96B0000-0x00007FF6C9A01000-memory.dmp

Filesize
3.3MB

Download
memory/4216-229-0x00007FF7A3410000-0x00007FF7A3761000-memory.dmp

Filesize
3.3MB

Download
memory/4216-53-0x00007FF7A3410000-0x00007FF7A3761000-memory.dmp

Filesize
3.3MB

Download
memory/4488-123-0x00007FF619940000-0x00007FF619C91000-memory.dmp

Filesize
3.3MB

Download
memory/4488-21-0x00007FF619940000-0x00007FF619C91000-memory.dmp

Filesize
3.3MB

Download
memory/4488-226-0x00007FF619940000-0x00007FF619C91000-memory.dmp

Filesize
3.3MB

Download
memory/4500-250-0x00007FF6142C0000-0x00007FF614611000-memory.dmp

Filesize
3.3MB

Download
memory/4500-149-0x00007FF6142C0000-0x00007FF614611000-memory.dmp

Filesize
3.3MB

Download
memory/4500-101-0x00007FF6142C0000-0x00007FF614611000-memory.dmp

Filesize
3.3MB

Download
memory/4656-122-0x00007FF6193F0000-0x00007FF619741000-memory.dmp

Filesize
3.3MB

Download
memory/4656-6-0x00007FF6193F0000-0x00007FF619741000-memory.dmp

Filesize
3.3MB

Download
memory/4656-221-0x00007FF6193F0000-0x00007FF619741000-memory.dmp

Filesize
3.3MB

Download
memory/4660-33-0x00007FF7BBF50000-0x00007FF7BC2A1000-memory.dmp

Filesize
3.3MB

Download
memory/4660-228-0x00007FF7BBF50000-0x00007FF7BC2A1000-memory.dmp

Filesize
3.3MB

Download
memory/4660-127-0x00007FF7BBF50000-0x00007FF7BC2A1000-memory.dmp

Filesize
3.3MB

Download
memory/4764-254-0x00007FF747240000-0x00007FF747591000-memory.dmp

Filesize
3.3MB

Download
memory/4764-102-0x00007FF747240000-0x00007FF747591000-memory.dmp

Filesize
3.3MB

Download
memory/4764-151-0x00007FF747240000-0x00007FF747591000-memory.dmp

Filesize
3.3MB

Download