cobaltstrike | 3f88f4ec32724d5083df9e5d1903e158ef530ed4d61929acdca1406e5b94827a

Analysis

max time kernel
142s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-11-2024 21:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-11_91c131688c9ea3f4c774dd2a4710d2fe_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

91c131688c9ea3f4c774dd2a4710d2fe
SHA1

2089b2b4835ee7809020722d38851e5d002976a9
SHA256

3f88f4ec32724d5083df9e5d1903e158ef530ed4d61929acdca1406e5b94827a
SHA512

9056d2b9658f0fe306f30cb6e90a4a864e28b52d96a165eaa4f78de2f29ba1bcf140a92dbbb8954257f1a31438db38040f4b07176737134cf2e3f367a7716b74
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lF:RWWBibf56utgpPFotBER/mQ32lU5

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000b000000023ba8-5.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023bb3-11.dat	cobalt_reflective_dll
behavioral2/files/0x000e000000023bba-7.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bc3-24.dat	cobalt_reflective_dll
behavioral2/files/0x000c000000023ba9-40.dat	cobalt_reflective_dll
behavioral2/files/0x000e000000023bce-48.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023bca-56.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bd4-68.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bd5-86.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c06-102.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c05-97.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bd6-95.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bd3-78.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bd0-73.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023bc9-52.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023bc8-31.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c07-107.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c09-122.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c0f-130.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c0a-129.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c08-120.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/3092-76-0x00007FF70B230000-0x00007FF70B581000-memory.dmp	xmrig
behavioral2/memory/1368-101-0x00007FF61CC40000-0x00007FF61CF91000-memory.dmp	xmrig
behavioral2/memory/3660-99-0x00007FF75ECB0000-0x00007FF75F001000-memory.dmp	xmrig
behavioral2/memory/1320-94-0x00007FF687230000-0x00007FF687581000-memory.dmp	xmrig
behavioral2/memory/3312-77-0x00007FF679920000-0x00007FF679C71000-memory.dmp	xmrig
behavioral2/memory/656-104-0x00007FF726290000-0x00007FF7265E1000-memory.dmp	xmrig
behavioral2/memory/3060-108-0x00007FF765540000-0x00007FF765891000-memory.dmp	xmrig
behavioral2/memory/852-109-0x00007FF6D3370000-0x00007FF6D36C1000-memory.dmp	xmrig
behavioral2/memory/428-139-0x00007FF728540000-0x00007FF728891000-memory.dmp	xmrig
behavioral2/memory/3736-138-0x00007FF7299A0000-0x00007FF729CF1000-memory.dmp	xmrig
behavioral2/memory/4848-127-0x00007FF734E70000-0x00007FF7351C1000-memory.dmp	xmrig
behavioral2/memory/336-125-0x00007FF6BBA90000-0x00007FF6BBDE1000-memory.dmp	xmrig
behavioral2/memory/3588-116-0x00007FF67A080000-0x00007FF67A3D1000-memory.dmp	xmrig
behavioral2/memory/3092-140-0x00007FF70B230000-0x00007FF70B581000-memory.dmp	xmrig
behavioral2/memory/824-154-0x00007FF6B54F0000-0x00007FF6B5841000-memory.dmp	xmrig
behavioral2/memory/2872-156-0x00007FF6D3A70000-0x00007FF6D3DC1000-memory.dmp	xmrig
behavioral2/memory/1428-157-0x00007FF70CF70000-0x00007FF70D2C1000-memory.dmp	xmrig
behavioral2/memory/3264-155-0x00007FF622720000-0x00007FF622A71000-memory.dmp	xmrig
behavioral2/memory/2016-153-0x00007FF7D3C20000-0x00007FF7D3F71000-memory.dmp	xmrig
behavioral2/memory/4968-151-0x00007FF6A1E40000-0x00007FF6A2191000-memory.dmp	xmrig
behavioral2/memory/4044-158-0x00007FF724D50000-0x00007FF7250A1000-memory.dmp	xmrig
behavioral2/memory/4984-161-0x00007FF64C4A0000-0x00007FF64C7F1000-memory.dmp	xmrig
behavioral2/memory/980-162-0x00007FF7518E0000-0x00007FF751C31000-memory.dmp	xmrig
behavioral2/memory/3092-163-0x00007FF70B230000-0x00007FF70B581000-memory.dmp	xmrig
behavioral2/memory/1320-213-0x00007FF687230000-0x00007FF687581000-memory.dmp	xmrig
behavioral2/memory/3312-215-0x00007FF679920000-0x00007FF679C71000-memory.dmp	xmrig
behavioral2/memory/1368-222-0x00007FF61CC40000-0x00007FF61CF91000-memory.dmp	xmrig
behavioral2/memory/656-225-0x00007FF726290000-0x00007FF7265E1000-memory.dmp	xmrig
behavioral2/memory/3660-226-0x00007FF75ECB0000-0x00007FF75F001000-memory.dmp	xmrig
behavioral2/memory/3060-228-0x00007FF765540000-0x00007FF765891000-memory.dmp	xmrig
behavioral2/memory/3588-238-0x00007FF67A080000-0x00007FF67A3D1000-memory.dmp	xmrig
behavioral2/memory/852-242-0x00007FF6D3370000-0x00007FF6D36C1000-memory.dmp	xmrig
behavioral2/memory/336-240-0x00007FF6BBA90000-0x00007FF6BBDE1000-memory.dmp	xmrig
behavioral2/memory/3736-245-0x00007FF7299A0000-0x00007FF729CF1000-memory.dmp	xmrig
behavioral2/memory/428-248-0x00007FF728540000-0x00007FF728891000-memory.dmp	xmrig
behavioral2/memory/4968-247-0x00007FF6A1E40000-0x00007FF6A2191000-memory.dmp	xmrig
behavioral2/memory/3264-251-0x00007FF622720000-0x00007FF622A71000-memory.dmp	xmrig
behavioral2/memory/2016-254-0x00007FF7D3C20000-0x00007FF7D3F71000-memory.dmp	xmrig
behavioral2/memory/824-253-0x00007FF6B54F0000-0x00007FF6B5841000-memory.dmp	xmrig
behavioral2/memory/2872-256-0x00007FF6D3A70000-0x00007FF6D3DC1000-memory.dmp	xmrig
behavioral2/memory/1428-262-0x00007FF70CF70000-0x00007FF70D2C1000-memory.dmp	xmrig
behavioral2/memory/4848-264-0x00007FF734E70000-0x00007FF7351C1000-memory.dmp	xmrig
behavioral2/memory/980-267-0x00007FF7518E0000-0x00007FF751C31000-memory.dmp	xmrig
behavioral2/memory/4984-268-0x00007FF64C4A0000-0x00007FF64C7F1000-memory.dmp	xmrig
behavioral2/memory/4044-270-0x00007FF724D50000-0x00007FF7250A1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
3312	JnpAQrI.exe
1320	YvQKdNM.exe
1368	kAZZdZR.exe
3660	YukkQYz.exe
656	EVVCqPt.exe
3060	aqwGRFI.exe
3588	xAWSKRe.exe
852	LsBRgce.exe
336	OboiJxd.exe
3736	FsAfchF.exe
4968	cMUIfyW.exe
428	wqbHQmG.exe
2016	nsSYCJS.exe
824	aHLGlrS.exe
3264	TwRqPpO.exe
2872	oaAjiXp.exe
1428	agsKXnN.exe
4044	OsxYsRO.exe
4848	hFOOqep.exe
4984	odNkloG.exe
980	FrFpFDd.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3092-0-0x00007FF70B230000-0x00007FF70B581000-memory.dmp	upx
behavioral2/files/0x000b000000023ba8-5.dat	upx
behavioral2/memory/1320-14-0x00007FF687230000-0x00007FF687581000-memory.dmp	upx
behavioral2/files/0x000a000000023bb3-11.dat	upx
behavioral2/memory/3312-9-0x00007FF679920000-0x00007FF679C71000-memory.dmp	upx
behavioral2/files/0x000e000000023bba-7.dat	upx
behavioral2/files/0x0008000000023bc3-24.dat	upx
behavioral2/files/0x000c000000023ba9-40.dat	upx
behavioral2/memory/3588-42-0x00007FF67A080000-0x00007FF67A3D1000-memory.dmp	upx
behavioral2/files/0x000e000000023bce-48.dat	upx
behavioral2/files/0x0009000000023bca-56.dat	upx
behavioral2/memory/336-58-0x00007FF6BBA90000-0x00007FF6BBDE1000-memory.dmp	upx
behavioral2/files/0x0008000000023bd4-68.dat	upx
behavioral2/memory/3092-76-0x00007FF70B230000-0x00007FF70B581000-memory.dmp	upx
behavioral2/memory/4968-83-0x00007FF6A1E40000-0x00007FF6A2191000-memory.dmp	upx
behavioral2/files/0x0008000000023bd5-86.dat	upx
behavioral2/memory/3264-93-0x00007FF622720000-0x00007FF622A71000-memory.dmp	upx
behavioral2/memory/1368-101-0x00007FF61CC40000-0x00007FF61CF91000-memory.dmp	upx
behavioral2/files/0x0008000000023c06-102.dat	upx
behavioral2/memory/2872-100-0x00007FF6D3A70000-0x00007FF6D3DC1000-memory.dmp	upx
behavioral2/memory/3660-99-0x00007FF75ECB0000-0x00007FF75F001000-memory.dmp	upx
behavioral2/files/0x0008000000023c05-97.dat	upx
behavioral2/files/0x0008000000023bd6-95.dat	upx
behavioral2/memory/1320-94-0x00007FF687230000-0x00007FF687581000-memory.dmp	upx
behavioral2/memory/2016-91-0x00007FF7D3C20000-0x00007FF7D3F71000-memory.dmp	upx
behavioral2/memory/824-84-0x00007FF6B54F0000-0x00007FF6B5841000-memory.dmp	upx
behavioral2/files/0x0008000000023bd3-78.dat	upx
behavioral2/memory/3312-77-0x00007FF679920000-0x00007FF679C71000-memory.dmp	upx
behavioral2/files/0x0008000000023bd0-73.dat	upx
behavioral2/memory/428-69-0x00007FF728540000-0x00007FF728891000-memory.dmp	upx
behavioral2/memory/3736-61-0x00007FF7299A0000-0x00007FF729CF1000-memory.dmp	upx
behavioral2/files/0x0009000000023bc9-52.dat	upx
behavioral2/memory/852-51-0x00007FF6D3370000-0x00007FF6D36C1000-memory.dmp	upx
behavioral2/memory/3060-37-0x00007FF765540000-0x00007FF765891000-memory.dmp	upx
behavioral2/files/0x0009000000023bc8-31.dat	upx
behavioral2/memory/656-28-0x00007FF726290000-0x00007FF7265E1000-memory.dmp	upx
behavioral2/memory/1368-21-0x00007FF61CC40000-0x00007FF61CF91000-memory.dmp	upx
behavioral2/memory/3660-23-0x00007FF75ECB0000-0x00007FF75F001000-memory.dmp	upx
behavioral2/memory/656-104-0x00007FF726290000-0x00007FF7265E1000-memory.dmp	upx
behavioral2/files/0x0008000000023c07-107.dat	upx
behavioral2/memory/3060-108-0x00007FF765540000-0x00007FF765891000-memory.dmp	upx
behavioral2/memory/852-109-0x00007FF6D3370000-0x00007FF6D36C1000-memory.dmp	upx
behavioral2/memory/4044-119-0x00007FF724D50000-0x00007FF7250A1000-memory.dmp	upx
behavioral2/files/0x0008000000023c09-122.dat	upx
behavioral2/files/0x0008000000023c0f-130.dat	upx
behavioral2/files/0x0008000000023c0a-129.dat	upx
behavioral2/memory/428-139-0x00007FF728540000-0x00007FF728891000-memory.dmp	upx
behavioral2/memory/3736-138-0x00007FF7299A0000-0x00007FF729CF1000-memory.dmp	upx
behavioral2/memory/980-132-0x00007FF7518E0000-0x00007FF751C31000-memory.dmp	upx
behavioral2/memory/4984-131-0x00007FF64C4A0000-0x00007FF64C7F1000-memory.dmp	upx
behavioral2/memory/4848-127-0x00007FF734E70000-0x00007FF7351C1000-memory.dmp	upx
behavioral2/memory/336-125-0x00007FF6BBA90000-0x00007FF6BBDE1000-memory.dmp	upx
behavioral2/files/0x0008000000023c08-120.dat	upx
behavioral2/memory/3588-116-0x00007FF67A080000-0x00007FF67A3D1000-memory.dmp	upx
behavioral2/memory/1428-114-0x00007FF70CF70000-0x00007FF70D2C1000-memory.dmp	upx
behavioral2/memory/3092-140-0x00007FF70B230000-0x00007FF70B581000-memory.dmp	upx
behavioral2/memory/824-154-0x00007FF6B54F0000-0x00007FF6B5841000-memory.dmp	upx
behavioral2/memory/2872-156-0x00007FF6D3A70000-0x00007FF6D3DC1000-memory.dmp	upx
behavioral2/memory/1428-157-0x00007FF70CF70000-0x00007FF70D2C1000-memory.dmp	upx
behavioral2/memory/3264-155-0x00007FF622720000-0x00007FF622A71000-memory.dmp	upx
behavioral2/memory/2016-153-0x00007FF7D3C20000-0x00007FF7D3F71000-memory.dmp	upx
behavioral2/memory/4968-151-0x00007FF6A1E40000-0x00007FF6A2191000-memory.dmp	upx
behavioral2/memory/4044-158-0x00007FF724D50000-0x00007FF7250A1000-memory.dmp	upx
behavioral2/memory/4984-161-0x00007FF64C4A0000-0x00007FF64C7F1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\EVVCqPt.exe	2024-11-11_91c131688c9ea3f4c774dd2a4710d2fe_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LsBRgce.exe	2024-11-11_91c131688c9ea3f4c774dd2a4710d2fe_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cMUIfyW.exe	2024-11-11_91c131688c9ea3f4c774dd2a4710d2fe_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wqbHQmG.exe	2024-11-11_91c131688c9ea3f4c774dd2a4710d2fe_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aHLGlrS.exe	2024-11-11_91c131688c9ea3f4c774dd2a4710d2fe_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\agsKXnN.exe	2024-11-11_91c131688c9ea3f4c774dd2a4710d2fe_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OsxYsRO.exe	2024-11-11_91c131688c9ea3f4c774dd2a4710d2fe_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FrFpFDd.exe	2024-11-11_91c131688c9ea3f4c774dd2a4710d2fe_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aqwGRFI.exe	2024-11-11_91c131688c9ea3f4c774dd2a4710d2fe_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OboiJxd.exe	2024-11-11_91c131688c9ea3f4c774dd2a4710d2fe_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FsAfchF.exe	2024-11-11_91c131688c9ea3f4c774dd2a4710d2fe_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oaAjiXp.exe	2024-11-11_91c131688c9ea3f4c774dd2a4710d2fe_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\odNkloG.exe	2024-11-11_91c131688c9ea3f4c774dd2a4710d2fe_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YvQKdNM.exe	2024-11-11_91c131688c9ea3f4c774dd2a4710d2fe_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YukkQYz.exe	2024-11-11_91c131688c9ea3f4c774dd2a4710d2fe_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xAWSKRe.exe	2024-11-11_91c131688c9ea3f4c774dd2a4710d2fe_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TwRqPpO.exe	2024-11-11_91c131688c9ea3f4c774dd2a4710d2fe_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JnpAQrI.exe	2024-11-11_91c131688c9ea3f4c774dd2a4710d2fe_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kAZZdZR.exe	2024-11-11_91c131688c9ea3f4c774dd2a4710d2fe_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nsSYCJS.exe	2024-11-11_91c131688c9ea3f4c774dd2a4710d2fe_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hFOOqep.exe	2024-11-11_91c131688c9ea3f4c774dd2a4710d2fe_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3092	2024-11-11_91c131688c9ea3f4c774dd2a4710d2fe_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	3092	2024-11-11_91c131688c9ea3f4c774dd2a4710d2fe_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3092 wrote to memory of 3312	3092	2024-11-11_91c131688c9ea3f4c774dd2a4710d2fe_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3092 wrote to memory of 3312	3092	2024-11-11_91c131688c9ea3f4c774dd2a4710d2fe_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3092 wrote to memory of 1320	3092	2024-11-11_91c131688c9ea3f4c774dd2a4710d2fe_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3092 wrote to memory of 1320	3092	2024-11-11_91c131688c9ea3f4c774dd2a4710d2fe_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3092 wrote to memory of 3660	3092	2024-11-11_91c131688c9ea3f4c774dd2a4710d2fe_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3092 wrote to memory of 3660	3092	2024-11-11_91c131688c9ea3f4c774dd2a4710d2fe_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3092 wrote to memory of 1368	3092	2024-11-11_91c131688c9ea3f4c774dd2a4710d2fe_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3092 wrote to memory of 1368	3092	2024-11-11_91c131688c9ea3f4c774dd2a4710d2fe_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3092 wrote to memory of 656	3092	2024-11-11_91c131688c9ea3f4c774dd2a4710d2fe_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3092 wrote to memory of 656	3092	2024-11-11_91c131688c9ea3f4c774dd2a4710d2fe_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3092 wrote to memory of 3060	3092	2024-11-11_91c131688c9ea3f4c774dd2a4710d2fe_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3092 wrote to memory of 3060	3092	2024-11-11_91c131688c9ea3f4c774dd2a4710d2fe_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3092 wrote to memory of 3588	3092	2024-11-11_91c131688c9ea3f4c774dd2a4710d2fe_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3092 wrote to memory of 3588	3092	2024-11-11_91c131688c9ea3f4c774dd2a4710d2fe_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3092 wrote to memory of 852	3092	2024-11-11_91c131688c9ea3f4c774dd2a4710d2fe_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3092 wrote to memory of 852	3092	2024-11-11_91c131688c9ea3f4c774dd2a4710d2fe_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3092 wrote to memory of 336	3092	2024-11-11_91c131688c9ea3f4c774dd2a4710d2fe_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3092 wrote to memory of 336	3092	2024-11-11_91c131688c9ea3f4c774dd2a4710d2fe_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3092 wrote to memory of 3736	3092	2024-11-11_91c131688c9ea3f4c774dd2a4710d2fe_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3092 wrote to memory of 3736	3092	2024-11-11_91c131688c9ea3f4c774dd2a4710d2fe_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3092 wrote to memory of 4968	3092	2024-11-11_91c131688c9ea3f4c774dd2a4710d2fe_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3092 wrote to memory of 4968	3092	2024-11-11_91c131688c9ea3f4c774dd2a4710d2fe_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3092 wrote to memory of 428	3092	2024-11-11_91c131688c9ea3f4c774dd2a4710d2fe_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3092 wrote to memory of 428	3092	2024-11-11_91c131688c9ea3f4c774dd2a4710d2fe_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3092 wrote to memory of 2016	3092	2024-11-11_91c131688c9ea3f4c774dd2a4710d2fe_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3092 wrote to memory of 2016	3092	2024-11-11_91c131688c9ea3f4c774dd2a4710d2fe_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3092 wrote to memory of 824	3092	2024-11-11_91c131688c9ea3f4c774dd2a4710d2fe_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3092 wrote to memory of 824	3092	2024-11-11_91c131688c9ea3f4c774dd2a4710d2fe_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3092 wrote to memory of 3264	3092	2024-11-11_91c131688c9ea3f4c774dd2a4710d2fe_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3092 wrote to memory of 3264	3092	2024-11-11_91c131688c9ea3f4c774dd2a4710d2fe_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3092 wrote to memory of 2872	3092	2024-11-11_91c131688c9ea3f4c774dd2a4710d2fe_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3092 wrote to memory of 2872	3092	2024-11-11_91c131688c9ea3f4c774dd2a4710d2fe_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3092 wrote to memory of 1428	3092	2024-11-11_91c131688c9ea3f4c774dd2a4710d2fe_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3092 wrote to memory of 1428	3092	2024-11-11_91c131688c9ea3f4c774dd2a4710d2fe_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3092 wrote to memory of 4044	3092	2024-11-11_91c131688c9ea3f4c774dd2a4710d2fe_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3092 wrote to memory of 4044	3092	2024-11-11_91c131688c9ea3f4c774dd2a4710d2fe_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3092 wrote to memory of 4848	3092	2024-11-11_91c131688c9ea3f4c774dd2a4710d2fe_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3092 wrote to memory of 4848	3092	2024-11-11_91c131688c9ea3f4c774dd2a4710d2fe_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3092 wrote to memory of 4984	3092	2024-11-11_91c131688c9ea3f4c774dd2a4710d2fe_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3092 wrote to memory of 4984	3092	2024-11-11_91c131688c9ea3f4c774dd2a4710d2fe_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3092 wrote to memory of 980	3092	2024-11-11_91c131688c9ea3f4c774dd2a4710d2fe_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 3092 wrote to memory of 980	3092	2024-11-11_91c131688c9ea3f4c774dd2a4710d2fe_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-11-11_91c131688c9ea3f4c774dd2a4710d2fe_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-11_91c131688c9ea3f4c774dd2a4710d2fe_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3092
- C:\Windows\System\JnpAQrI.exe
  C:\Windows\System\JnpAQrI.exe
  2⤵
  - Executes dropped EXE
  PID:3312
- C:\Windows\System\YvQKdNM.exe
  C:\Windows\System\YvQKdNM.exe
  2⤵
  - Executes dropped EXE
  PID:1320
- C:\Windows\System\YukkQYz.exe
  C:\Windows\System\YukkQYz.exe
  2⤵
  - Executes dropped EXE
  PID:3660
- C:\Windows\System\kAZZdZR.exe
  C:\Windows\System\kAZZdZR.exe
  2⤵
  - Executes dropped EXE
  PID:1368
- C:\Windows\System\EVVCqPt.exe
  C:\Windows\System\EVVCqPt.exe
  2⤵
  - Executes dropped EXE
  PID:656
- C:\Windows\System\aqwGRFI.exe
  C:\Windows\System\aqwGRFI.exe
  2⤵
  - Executes dropped EXE
  PID:3060
- C:\Windows\System\xAWSKRe.exe
  C:\Windows\System\xAWSKRe.exe
  2⤵
  - Executes dropped EXE
  PID:3588
- C:\Windows\System\LsBRgce.exe
  C:\Windows\System\LsBRgce.exe
  2⤵
  - Executes dropped EXE
  PID:852
- C:\Windows\System\OboiJxd.exe
  C:\Windows\System\OboiJxd.exe
  2⤵
  - Executes dropped EXE
  PID:336
- C:\Windows\System\FsAfchF.exe
  C:\Windows\System\FsAfchF.exe
  2⤵
  - Executes dropped EXE
  PID:3736
- C:\Windows\System\cMUIfyW.exe
  C:\Windows\System\cMUIfyW.exe
  2⤵
  - Executes dropped EXE
  PID:4968
- C:\Windows\System\wqbHQmG.exe
  C:\Windows\System\wqbHQmG.exe
  2⤵
  - Executes dropped EXE
  PID:428
- C:\Windows\System\nsSYCJS.exe
  C:\Windows\System\nsSYCJS.exe
  2⤵
  - Executes dropped EXE
  PID:2016
- C:\Windows\System\aHLGlrS.exe
  C:\Windows\System\aHLGlrS.exe
  2⤵
  - Executes dropped EXE
  PID:824
- C:\Windows\System\TwRqPpO.exe
  C:\Windows\System\TwRqPpO.exe
  2⤵
  - Executes dropped EXE
  PID:3264
- C:\Windows\System\oaAjiXp.exe
  C:\Windows\System\oaAjiXp.exe
  2⤵
  - Executes dropped EXE
  PID:2872
- C:\Windows\System\agsKXnN.exe
  C:\Windows\System\agsKXnN.exe
  2⤵
  - Executes dropped EXE
  PID:1428
- C:\Windows\System\OsxYsRO.exe
  C:\Windows\System\OsxYsRO.exe
  2⤵
  - Executes dropped EXE
  PID:4044
- C:\Windows\System\hFOOqep.exe
  C:\Windows\System\hFOOqep.exe
  2⤵
  - Executes dropped EXE
  PID:4848
- C:\Windows\System\odNkloG.exe
  C:\Windows\System\odNkloG.exe
  2⤵
  - Executes dropped EXE
  PID:4984
- C:\Windows\System\FrFpFDd.exe
  C:\Windows\System\FrFpFDd.exe
  2⤵
  - Executes dropped EXE
  PID:980

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\EVVCqPt.exe

Filesize
5.2MB

MD5
89ac15e09f9fd429acf967217f59115c

SHA1
653391f39cf0b79557a99bdda4cda91dfe9d27c5

SHA256
4c0d5028261867f63d67959b7b1a49e68f3c0a10fc5ad5bb9ef4b8e584526059

SHA512
4a71b9ab6acd637a0727101e6d1ad585d41f0db400378742f8bd9eed4fea75a402778833b6d5ee7fbf004bdde24d04e2af522fee8a5ecdecd1bfc4e6029f0718

Download Submit
C:\Windows\System\FrFpFDd.exe

Filesize
5.2MB

MD5
2f029b0f17348c3afffbeab95ca5c238

SHA1
b1e2a2909a3bd03b5def43439e8fc3686dd99f49

SHA256
046ff0db3ff14261e6ce1a24bcef08d3443e649be9644020c1ca35ce3e9a1e3a

SHA512
dfe3fb8a900e44289f45df9c461b1eb84ba8b15640fdbaf043e3e8086bb838723361459bbd0c6be57eb65f9ffe5f0551e2ba7ae0fc31ca3f9e66b9d6b4115475

Download Submit
C:\Windows\System\FsAfchF.exe

Filesize
5.2MB

MD5
ade90ddc87cd8dc29450299c12de1384

SHA1
f5d2a9f909d7478036d49038e6580d692a855a00

SHA256
e4003da74964693df1fad632ce38cc62252c10db52f507839576e5a18f9902d6

SHA512
13e6ae4265aa5692299117e5b79a02d1b5bd3fc3a26cb6e848977d576c9952173daf7db4eef75030231293c132913dd724a311c53a5a3dba059d3c408cad6e33

Download Submit
C:\Windows\System\JnpAQrI.exe

Filesize
5.2MB

MD5
f5b1d5d704850e9c55929d1973c134b4

SHA1
f7eaf1b38804324b89498cdd79d35cfa33bc92cf

SHA256
25f7557e44557406c0c57c7007ed47bccb6ea25bb6336a5ac95cd3c4f095781d

SHA512
b41459fa4c5f6dcaed40fd7d09e8157f66449e76c715237c3a6d7d4bfef90e0d24852b328a4f35d1fd698657a81d90f3dfbdcf1055d63d2f7193d5d192731ac4

Download Submit
C:\Windows\System\LsBRgce.exe

Filesize
5.2MB

MD5
3890142e6d7f3aa0f8a8e4c26c391051

SHA1
f28ddaa44197ad42099f6331fb43cbda2801192b

SHA256
bffdea2ca50fb7616bfaf7f44c6f4da413f8f15891c8a7f4e4937e67bb8a701e

SHA512
b0e51a9e6f32638d66cf10d2d95a104cbaae6cd9c141f2a2c9779d6d137c195c86ea17658c915280bde8d3cc876b72764452e88c989ca87a862f62e23def174d

Download Submit
C:\Windows\System\OboiJxd.exe

Filesize
5.2MB

MD5
9d4f1265622e256bce1570da66947945

SHA1
157143a206ee74d8c86d9dcf78c0c36af9c43911

SHA256
e31638f428708f05685dbab12848f2cb44c0a9d8cf5b2a07c0c27d570587ab6d

SHA512
62650d6c941ac4a24090d2c98fa3f3c2405bf27339c156221027216f3aa9210dd612d35db6d3dca7b1b57da561473994b2dc38921c0cd0cb629e3722e1e94f27

Download Submit
C:\Windows\System\OsxYsRO.exe

Filesize
5.2MB

MD5
54fd181962770c6295db4d33b80b05c7

SHA1
ac7d808091a32efab35595db6f019e70fb601a69

SHA256
10c99cc8900d95df298b3469b47bd64170efbdaa6deebd6cef6baa14047171c1

SHA512
4e0766a7fcbbeebada9a2531b02ec7af5fe499b890a8718d77acc75105276a1cd39f45a0b9e2ebb95d1f25518c83b178d75d933f508992b533196853a4f04435

Download Submit
C:\Windows\System\TwRqPpO.exe

Filesize
5.2MB

MD5
ea6bc1ca751f4ad2c56dd55a298da55f

SHA1
a8a288b82838ad03efbce470a7771ce0184c6743

SHA256
e46101a7e00b0446f1529498896c328f5cd8848d0e0a82155dbd47628ed22812

SHA512
5fc247c057ff4bda7d5980864564424373a7fa796bb4a70b9f60998b77ec329b3f7b2cfa67366f21cf0fb186c789bcb7d60030ed5f88e40c75243e0eb3291582

Download Submit
C:\Windows\System\YukkQYz.exe

Filesize
5.2MB

MD5
d5562b6b878cdd8c4194eb5e48b2fc01

SHA1
d87b59478f1b22686dac1426823c17ebbdc5c53d

SHA256
104bfb1f6bf5602a916904a9d3088a5b1d37b37ddf60efc5eebd4f8b005fd3c6

SHA512
a470a19291bdc02e36be762ae3638e4b9e673566624d156d0f193f492bae3616b83b3c965759f563aa0f460cba7ecb72d0581781882122ef1e0638c70928a1c9

Download Submit
C:\Windows\System\YvQKdNM.exe

Filesize
5.2MB

MD5
6dd65acc4c6cafdeea7fef32e143eed5

SHA1
34b61f5e8535d21e1bdf0d6bba1255576680480b

SHA256
8cfe00a456e84efea0329f0667e74b4cd400daef3ba7bc8fc2c94cc9c970190a

SHA512
c2be96d472e92551b5cd23dba1d827e451b2c4c04e57aa6396672f0b39ba32d2f5075b56cf61bf2c13add7ef21102b7ad95c04c926e6b16de94eebc7ab85c352

Download Submit
C:\Windows\System\aHLGlrS.exe

Filesize
5.2MB

MD5
1af0501e7e36d0e8f6e747abb7e36f7c

SHA1
265710aba37b183b4f7f2d1e2bf07a44ae489683

SHA256
dbf9666e63c5b5d949db91a60b230852203cc33be5f11263e1020e0f982e8534

SHA512
d479122ec2adc3d0fe819e1e652a5a444b70816c864db609faa915774a12e00c1b7f03c6e26c622f202b54774e2deb2f6b259099eb3e293873ba93c77d4d8e8c

Download Submit
C:\Windows\System\agsKXnN.exe

Filesize
5.2MB

MD5
82ce7f34966f3f50572ea926baf998bd

SHA1
c294850ef0c4982c6ced5412033dac2a3c37981f

SHA256
46bdfb40c4d58a473eaefb3de66dba4d35c05bd47ff8070f3570a1d7a6fee64c

SHA512
52c84e075f7e0fc638130a14995d79e4a7785389e79542194bb5d6f544933e4a1f6dfa90ed2271f2afbdaf8d7d469346b8c3fe14a7facedafc2a772011e67e4d

Download Submit
C:\Windows\System\aqwGRFI.exe

Filesize
5.2MB

MD5
b75cf1660395d0c2420669ea1c200d84

SHA1
0d01eab35f6d6713ffad52a66709c2bcaf5be76a

SHA256
d69b7d0a9bce5974fd97e20df40cae310c4546f919bd91bf84291081533e7743

SHA512
7bb6c6f5e46099bf76ae27b2a556953085ef751e21b3f1757ae0ff32faef95b9f6ce2e9e6159131c29e57679e6d2a95f5b293606031491fe6b09e9879a9e3926

Download Submit
C:\Windows\System\cMUIfyW.exe

Filesize
5.2MB

MD5
0745cfdf01f76759574318d37b93ac6f

SHA1
a80aaf9fe5a28087d3bad1bc8bc6cc557bff7ba3

SHA256
4c00637f352b32cdde894979cbb2ab0d9d846d80bf97168fea4fd90f9e2583c2

SHA512
2c725e82b2ab857802344c3a0257c44c7b092a0cd992e8f0b1f020f83bd797bd45d7e9f8e7270ac19f419d14af95fc3b8ae4cd05b74f3657bf445c5c414424f7

Download Submit
C:\Windows\System\hFOOqep.exe

Filesize
5.2MB

MD5
66c070e917c1b4ccd279ec99c9306e19

SHA1
48601edc90daa727514c74fa6c154d2370316b06

SHA256
14b08e8016fa7e447c324535c130529568da85f22a67679c9310593cfa40aeb4

SHA512
149be886c21dc306320b07cb9135dccfadef67dc45481e6a2719f4a39c77ad0112a496f0ec788b53410053cb220d23be4b31eed03f55a7bf7e24f4817b2342d4

Download Submit
C:\Windows\System\kAZZdZR.exe

Filesize
5.2MB

MD5
4c5ee392a6e2b1dae5465e0c7f985ee4

SHA1
10d0e09e88fe719b05bfa86406b8350f807f403f

SHA256
ebd5f468641eb55ed245737f84368160771d6f8ae9f9a26b0ff28f254a2de586

SHA512
18a275499cc19090920f5199410fadebe574a6a17de550c09ef8d9b037b5794d4150f2bbd505e8118f960d1e9b18a907bc08f0d1ba4a87bf42d816921c16ff68

Download Submit
C:\Windows\System\nsSYCJS.exe

Filesize
5.2MB

MD5
f2d653f9d4d271b50685b903a806c62e

SHA1
09c7667359d1ce74088d88b2066c2300776b7f58

SHA256
307126cbbd44c160e19b332da8d9e5ae3034a4e5ff0688f3397e0aee39976211

SHA512
cade60269da59f1da64f6af6a97d3a1e6eb0ee8fca5076eab2634b3c4299cced2dd2574f2bdaeb17d5ab5285796349ea51180feb9687e0d1c85edc290586f1bc

Download Submit
C:\Windows\System\oaAjiXp.exe

Filesize
5.2MB

MD5
554958bca5ca1c6f19b7da80c6dafb03

SHA1
258e59b47a5ebc393569f13cf420563360d56049

SHA256
e9043e07cbd558d91a6f318e8a04e1d71e39fd3d47fe53622a1876ce2b7e991b

SHA512
eeda35799113efdcc302735f1c49d10a72ff3a8236ae0ca79c53164c6eb04b20d1698bc215131a63c3e5232c63e1809e463a110c6916326930833926bdf737d6

Download Submit
C:\Windows\System\odNkloG.exe

Filesize
5.2MB

MD5
dc2a2966b423b6293f9f6e8757fcd56a

SHA1
372a899a5b83acf0feac0055334afbc372190930

SHA256
edf9a72a48fc14b79018ab58fd08925ec235c91ff2bb4cb34536102d19b3acab

SHA512
144d60613be4b449c5f916eb01f4c91d29684d8a370586d4e084931a6e3ff11aa705e909f6cf9375ac3f407ab1b7a9ccaa65446679fe77ad32a22488b846db3a

Download Submit
C:\Windows\System\wqbHQmG.exe

Filesize
5.2MB

MD5
cb5afa617950a4a3a99850706aa4ecff

SHA1
511795e201fb3dda77dc509e294db9b6179f64d7

SHA256
df6b3099e82b53e11c7e3aec4525640343e367217d3bb2295eb18d5f8925a9b0

SHA512
65672b3b56a82e4c7ce072454068c058ae8d40823e9dfed2f3470cc934094ea5b4c4c40551418476efeb0ca410463aeb1fe7c3a9f4d0285394b0353f21de90d2

Download Submit
C:\Windows\System\xAWSKRe.exe

Filesize
5.2MB

MD5
e4a97490e2f5c7f40f22fd9d4b43acce

SHA1
990eeb2e04498770f8ea6a5ee075261c9eea9c4c

SHA256
529a298bfa19d355d7a75a9d6382b8fcc83f641d061f19d7194f841bdd7ddeb6

SHA512
841d765cd586ed4c9fefb535ae1e69b93b7329e2a39945252b8639d4e83a48c93d9deb4291a59959b0e7dbefb9b74df9a238b08c69e7364fd3b5baf9b096d112

Download Submit
memory/336-58-0x00007FF6BBA90000-0x00007FF6BBDE1000-memory.dmp

Filesize
3.3MB

Download
memory/336-125-0x00007FF6BBA90000-0x00007FF6BBDE1000-memory.dmp

Filesize
3.3MB

Download
memory/336-240-0x00007FF6BBA90000-0x00007FF6BBDE1000-memory.dmp

Filesize
3.3MB

Download
memory/428-139-0x00007FF728540000-0x00007FF728891000-memory.dmp

Filesize
3.3MB

Download
memory/428-69-0x00007FF728540000-0x00007FF728891000-memory.dmp

Filesize
3.3MB

Download
memory/428-248-0x00007FF728540000-0x00007FF728891000-memory.dmp

Filesize
3.3MB

Download
memory/656-104-0x00007FF726290000-0x00007FF7265E1000-memory.dmp

Filesize
3.3MB

Download
memory/656-225-0x00007FF726290000-0x00007FF7265E1000-memory.dmp

Filesize
3.3MB

Download
memory/656-28-0x00007FF726290000-0x00007FF7265E1000-memory.dmp

Filesize
3.3MB

Download
memory/824-84-0x00007FF6B54F0000-0x00007FF6B5841000-memory.dmp

Filesize
3.3MB

Download
memory/824-253-0x00007FF6B54F0000-0x00007FF6B5841000-memory.dmp

Filesize
3.3MB

Download
memory/824-154-0x00007FF6B54F0000-0x00007FF6B5841000-memory.dmp

Filesize
3.3MB

Download
memory/852-109-0x00007FF6D3370000-0x00007FF6D36C1000-memory.dmp

Filesize
3.3MB

Download
memory/852-51-0x00007FF6D3370000-0x00007FF6D36C1000-memory.dmp

Filesize
3.3MB

Download
memory/852-242-0x00007FF6D3370000-0x00007FF6D36C1000-memory.dmp

Filesize
3.3MB

Download
memory/980-162-0x00007FF7518E0000-0x00007FF751C31000-memory.dmp

Filesize
3.3MB

Download
memory/980-132-0x00007FF7518E0000-0x00007FF751C31000-memory.dmp

Filesize
3.3MB

Download
memory/980-267-0x00007FF7518E0000-0x00007FF751C31000-memory.dmp

Filesize
3.3MB

Download
memory/1320-213-0x00007FF687230000-0x00007FF687581000-memory.dmp

Filesize
3.3MB

Download
memory/1320-94-0x00007FF687230000-0x00007FF687581000-memory.dmp

Filesize
3.3MB

Download
memory/1320-14-0x00007FF687230000-0x00007FF687581000-memory.dmp

Filesize
3.3MB

Download
memory/1368-222-0x00007FF61CC40000-0x00007FF61CF91000-memory.dmp

Filesize
3.3MB

Download
memory/1368-21-0x00007FF61CC40000-0x00007FF61CF91000-memory.dmp

Filesize
3.3MB

Download
memory/1368-101-0x00007FF61CC40000-0x00007FF61CF91000-memory.dmp

Filesize
3.3MB

Download
memory/1428-114-0x00007FF70CF70000-0x00007FF70D2C1000-memory.dmp

Filesize
3.3MB

Download
memory/1428-262-0x00007FF70CF70000-0x00007FF70D2C1000-memory.dmp

Filesize
3.3MB

Download
memory/1428-157-0x00007FF70CF70000-0x00007FF70D2C1000-memory.dmp

Filesize
3.3MB

Download
memory/2016-254-0x00007FF7D3C20000-0x00007FF7D3F71000-memory.dmp

Filesize
3.3MB

Download
memory/2016-91-0x00007FF7D3C20000-0x00007FF7D3F71000-memory.dmp

Filesize
3.3MB

Download
memory/2016-153-0x00007FF7D3C20000-0x00007FF7D3F71000-memory.dmp

Filesize
3.3MB

Download
memory/2872-256-0x00007FF6D3A70000-0x00007FF6D3DC1000-memory.dmp

Filesize
3.3MB

Download
memory/2872-100-0x00007FF6D3A70000-0x00007FF6D3DC1000-memory.dmp

Filesize
3.3MB

Download
memory/2872-156-0x00007FF6D3A70000-0x00007FF6D3DC1000-memory.dmp

Filesize
3.3MB

Download
memory/3060-108-0x00007FF765540000-0x00007FF765891000-memory.dmp

Filesize
3.3MB

Download
memory/3060-228-0x00007FF765540000-0x00007FF765891000-memory.dmp

Filesize
3.3MB

Download
memory/3060-37-0x00007FF765540000-0x00007FF765891000-memory.dmp

Filesize
3.3MB

Download
memory/3092-0-0x00007FF70B230000-0x00007FF70B581000-memory.dmp

Filesize
3.3MB

Download
memory/3092-1-0x00000247F1280000-0x00000247F1290000-memory.dmp

Filesize
64KB

Download
memory/3092-76-0x00007FF70B230000-0x00007FF70B581000-memory.dmp

Filesize
3.3MB

Download
memory/3092-163-0x00007FF70B230000-0x00007FF70B581000-memory.dmp

Filesize
3.3MB

Download
memory/3092-140-0x00007FF70B230000-0x00007FF70B581000-memory.dmp

Filesize
3.3MB

Download
memory/3264-93-0x00007FF622720000-0x00007FF622A71000-memory.dmp

Filesize
3.3MB

Download
memory/3264-155-0x00007FF622720000-0x00007FF622A71000-memory.dmp

Filesize
3.3MB

Download
memory/3264-251-0x00007FF622720000-0x00007FF622A71000-memory.dmp

Filesize
3.3MB

Download
memory/3312-77-0x00007FF679920000-0x00007FF679C71000-memory.dmp

Filesize
3.3MB

Download
memory/3312-9-0x00007FF679920000-0x00007FF679C71000-memory.dmp

Filesize
3.3MB

Download
memory/3312-215-0x00007FF679920000-0x00007FF679C71000-memory.dmp

Filesize
3.3MB

Download
memory/3588-42-0x00007FF67A080000-0x00007FF67A3D1000-memory.dmp

Filesize
3.3MB

Download
memory/3588-116-0x00007FF67A080000-0x00007FF67A3D1000-memory.dmp

Filesize
3.3MB

Download
memory/3588-238-0x00007FF67A080000-0x00007FF67A3D1000-memory.dmp

Filesize
3.3MB

Download
memory/3660-226-0x00007FF75ECB0000-0x00007FF75F001000-memory.dmp

Filesize
3.3MB

Download
memory/3660-99-0x00007FF75ECB0000-0x00007FF75F001000-memory.dmp

Filesize
3.3MB

Download
memory/3660-23-0x00007FF75ECB0000-0x00007FF75F001000-memory.dmp

Filesize
3.3MB

Download
memory/3736-245-0x00007FF7299A0000-0x00007FF729CF1000-memory.dmp

Filesize
3.3MB

Download
memory/3736-138-0x00007FF7299A0000-0x00007FF729CF1000-memory.dmp

Filesize
3.3MB

Download
memory/3736-61-0x00007FF7299A0000-0x00007FF729CF1000-memory.dmp

Filesize
3.3MB

Download
memory/4044-119-0x00007FF724D50000-0x00007FF7250A1000-memory.dmp

Filesize
3.3MB

Download
memory/4044-270-0x00007FF724D50000-0x00007FF7250A1000-memory.dmp

Filesize
3.3MB

Download
memory/4044-158-0x00007FF724D50000-0x00007FF7250A1000-memory.dmp

Filesize
3.3MB

Download
memory/4848-127-0x00007FF734E70000-0x00007FF7351C1000-memory.dmp

Filesize
3.3MB

Download
memory/4848-264-0x00007FF734E70000-0x00007FF7351C1000-memory.dmp

Filesize
3.3MB

Download
memory/4968-83-0x00007FF6A1E40000-0x00007FF6A2191000-memory.dmp

Filesize
3.3MB

Download
memory/4968-247-0x00007FF6A1E40000-0x00007FF6A2191000-memory.dmp

Filesize
3.3MB

Download
memory/4968-151-0x00007FF6A1E40000-0x00007FF6A2191000-memory.dmp

Filesize
3.3MB

Download
memory/4984-131-0x00007FF64C4A0000-0x00007FF64C7F1000-memory.dmp

Filesize
3.3MB

Download
memory/4984-268-0x00007FF64C4A0000-0x00007FF64C7F1000-memory.dmp

Filesize
3.3MB

Download
memory/4984-161-0x00007FF64C4A0000-0x00007FF64C7F1000-memory.dmp

Filesize
3.3MB

Download