cobaltstrike | 8aecbd294377851b00c0929d44252aa2ee0fa0a16a0effc4a6e8746ff220a97e

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-11-2024 21:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-11_6c18a2b853ce2293145749434d6dc4f5_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

6c18a2b853ce2293145749434d6dc4f5
SHA1

381243435db07785c21e9622c3540f3b081e4d90
SHA256

8aecbd294377851b00c0929d44252aa2ee0fa0a16a0effc4a6e8746ff220a97e
SHA512

54dc5f65c051b2e0a3fb32276a7980eb6dae5752eadde84324b4c252c0b11391315602b86aec1a5cd1ec2bdd5527bf8ec65e2a2a9f7f9cbae2bfa186588a8d40
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6li:RWWBibf56utgpPFotBER/mQ32lUG

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000c000000023b6d-4.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c50-16.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c44-17.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c51-19.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c52-27.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c53-31.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c57-49.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c56-56.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c58-65.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c55-64.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c54-48.dat	cobalt_reflective_dll
behavioral2/files/0x000c000000023c39-70.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c63-82.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c5a-86.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c64-91.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c65-99.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c67-122.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c68-123.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c69-131.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c6a-135.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c66-129.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/2132-28-0x00007FF7DA050000-0x00007FF7DA3A1000-memory.dmp	xmrig
behavioral2/memory/228-74-0x00007FF61FEF0000-0x00007FF620241000-memory.dmp	xmrig
behavioral2/memory/4352-92-0x00007FF6AEF10000-0x00007FF6AF261000-memory.dmp	xmrig
behavioral2/memory/4020-100-0x00007FF706250000-0x00007FF7065A1000-memory.dmp	xmrig
behavioral2/memory/5012-89-0x00007FF779B50000-0x00007FF779EA1000-memory.dmp	xmrig
behavioral2/memory/5088-88-0x00007FF63C490000-0x00007FF63C7E1000-memory.dmp	xmrig
behavioral2/memory/2900-81-0x00007FF67FC10000-0x00007FF67FF61000-memory.dmp	xmrig
behavioral2/memory/556-77-0x00007FF707150000-0x00007FF7074A1000-memory.dmp	xmrig
behavioral2/memory/2428-114-0x00007FF650960000-0x00007FF650CB1000-memory.dmp	xmrig
behavioral2/memory/1772-120-0x00007FF70FC10000-0x00007FF70FF61000-memory.dmp	xmrig
behavioral2/memory/4728-142-0x00007FF6002D0000-0x00007FF600621000-memory.dmp	xmrig
behavioral2/memory/1612-127-0x00007FF7B4400000-0x00007FF7B4751000-memory.dmp	xmrig
behavioral2/memory/536-121-0x00007FF79DD50000-0x00007FF79E0A1000-memory.dmp	xmrig
behavioral2/memory/924-113-0x00007FF6D1310000-0x00007FF6D1661000-memory.dmp	xmrig
behavioral2/memory/3260-147-0x00007FF7FEF80000-0x00007FF7FF2D1000-memory.dmp	xmrig
behavioral2/memory/4584-148-0x00007FF780260000-0x00007FF7805B1000-memory.dmp	xmrig
behavioral2/memory/4208-151-0x00007FF650540000-0x00007FF650891000-memory.dmp	xmrig
behavioral2/memory/4316-154-0x00007FF6EB1E0000-0x00007FF6EB531000-memory.dmp	xmrig
behavioral2/memory/1376-155-0x00007FF7963C0000-0x00007FF796711000-memory.dmp	xmrig
behavioral2/memory/3976-156-0x00007FF7143F0000-0x00007FF714741000-memory.dmp	xmrig
behavioral2/memory/228-157-0x00007FF61FEF0000-0x00007FF620241000-memory.dmp	xmrig
behavioral2/memory/1960-166-0x00007FF65C430000-0x00007FF65C781000-memory.dmp	xmrig
behavioral2/memory/1420-175-0x00007FF713DF0000-0x00007FF714141000-memory.dmp	xmrig
behavioral2/memory/228-180-0x00007FF61FEF0000-0x00007FF620241000-memory.dmp	xmrig
behavioral2/memory/5088-217-0x00007FF63C490000-0x00007FF63C7E1000-memory.dmp	xmrig
behavioral2/memory/556-219-0x00007FF707150000-0x00007FF7074A1000-memory.dmp	xmrig
behavioral2/memory/2132-221-0x00007FF7DA050000-0x00007FF7DA3A1000-memory.dmp	xmrig
behavioral2/memory/4020-224-0x00007FF706250000-0x00007FF7065A1000-memory.dmp	xmrig
behavioral2/memory/4352-225-0x00007FF6AEF10000-0x00007FF6AF261000-memory.dmp	xmrig
behavioral2/memory/2428-231-0x00007FF650960000-0x00007FF650CB1000-memory.dmp	xmrig
behavioral2/memory/924-233-0x00007FF6D1310000-0x00007FF6D1661000-memory.dmp	xmrig
behavioral2/memory/536-235-0x00007FF79DD50000-0x00007FF79E0A1000-memory.dmp	xmrig
behavioral2/memory/1612-237-0x00007FF7B4400000-0x00007FF7B4751000-memory.dmp	xmrig
behavioral2/memory/4728-239-0x00007FF6002D0000-0x00007FF600621000-memory.dmp	xmrig
behavioral2/memory/1772-241-0x00007FF70FC10000-0x00007FF70FF61000-memory.dmp	xmrig
behavioral2/memory/2900-247-0x00007FF67FC10000-0x00007FF67FF61000-memory.dmp	xmrig
behavioral2/memory/5012-249-0x00007FF779B50000-0x00007FF779EA1000-memory.dmp	xmrig
behavioral2/memory/3260-252-0x00007FF7FEF80000-0x00007FF7FF2D1000-memory.dmp	xmrig
behavioral2/memory/4584-253-0x00007FF780260000-0x00007FF7805B1000-memory.dmp	xmrig
behavioral2/memory/4208-261-0x00007FF650540000-0x00007FF650891000-memory.dmp	xmrig
behavioral2/memory/4316-263-0x00007FF6EB1E0000-0x00007FF6EB531000-memory.dmp	xmrig
behavioral2/memory/1960-267-0x00007FF65C430000-0x00007FF65C781000-memory.dmp	xmrig
behavioral2/memory/1376-269-0x00007FF7963C0000-0x00007FF796711000-memory.dmp	xmrig
behavioral2/memory/3976-265-0x00007FF7143F0000-0x00007FF714741000-memory.dmp	xmrig
behavioral2/memory/1420-271-0x00007FF713DF0000-0x00007FF714141000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
5088	uQGUsRb.exe
556	RKgeCeY.exe
2132	rNCjGoc.exe
4352	cEgJWTI.exe
4020	maDwfGV.exe
2428	XFNdWcO.exe
924	bmubtSW.exe
536	nCIglQp.exe
1612	GoYczFg.exe
1772	IrWftqt.exe
4728	XtpgmDe.exe
2900	AhPWJYs.exe
5012	zpNBcAq.exe
3260	WVsumeh.exe
4584	nkJAHPS.exe
4208	gwujFWN.exe
4316	eWarQdQ.exe
3976	kVEExIN.exe
1376	HAiGSlw.exe
1960	OdDAdmz.exe
1420	QoWLNTA.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/228-0-0x00007FF61FEF0000-0x00007FF620241000-memory.dmp	upx
behavioral2/files/0x000c000000023b6d-4.dat	upx
behavioral2/memory/5088-7-0x00007FF63C490000-0x00007FF63C7E1000-memory.dmp	upx
behavioral2/files/0x0008000000023c50-16.dat	upx
behavioral2/files/0x0008000000023c44-17.dat	upx
behavioral2/files/0x0008000000023c51-19.dat	upx
behavioral2/files/0x0008000000023c52-27.dat	upx
behavioral2/files/0x0008000000023c53-31.dat	upx
behavioral2/files/0x0008000000023c57-49.dat	upx
behavioral2/files/0x0008000000023c56-56.dat	upx
behavioral2/files/0x0008000000023c58-65.dat	upx
behavioral2/memory/4728-67-0x00007FF6002D0000-0x00007FF600621000-memory.dmp	upx
behavioral2/files/0x0008000000023c55-64.dat	upx
behavioral2/memory/1612-63-0x00007FF7B4400000-0x00007FF7B4751000-memory.dmp	upx
behavioral2/memory/1772-60-0x00007FF70FC10000-0x00007FF70FF61000-memory.dmp	upx
behavioral2/memory/536-53-0x00007FF79DD50000-0x00007FF79E0A1000-memory.dmp	upx
behavioral2/files/0x0008000000023c54-48.dat	upx
behavioral2/memory/924-47-0x00007FF6D1310000-0x00007FF6D1661000-memory.dmp	upx
behavioral2/memory/2428-41-0x00007FF650960000-0x00007FF650CB1000-memory.dmp	upx
behavioral2/memory/4020-32-0x00007FF706250000-0x00007FF7065A1000-memory.dmp	upx
behavioral2/memory/2132-28-0x00007FF7DA050000-0x00007FF7DA3A1000-memory.dmp	upx
behavioral2/memory/4352-25-0x00007FF6AEF10000-0x00007FF6AF261000-memory.dmp	upx
behavioral2/memory/556-15-0x00007FF707150000-0x00007FF7074A1000-memory.dmp	upx
behavioral2/files/0x000c000000023c39-70.dat	upx
behavioral2/memory/228-74-0x00007FF61FEF0000-0x00007FF620241000-memory.dmp	upx
behavioral2/files/0x0007000000023c63-82.dat	upx
behavioral2/files/0x0008000000023c5a-86.dat	upx
behavioral2/memory/4352-92-0x00007FF6AEF10000-0x00007FF6AF261000-memory.dmp	upx
behavioral2/files/0x0007000000023c64-91.dat	upx
behavioral2/files/0x0007000000023c65-99.dat	upx
behavioral2/memory/4208-101-0x00007FF650540000-0x00007FF650891000-memory.dmp	upx
behavioral2/memory/4020-100-0x00007FF706250000-0x00007FF7065A1000-memory.dmp	upx
behavioral2/memory/4584-94-0x00007FF780260000-0x00007FF7805B1000-memory.dmp	upx
behavioral2/memory/5012-89-0x00007FF779B50000-0x00007FF779EA1000-memory.dmp	upx
behavioral2/memory/5088-88-0x00007FF63C490000-0x00007FF63C7E1000-memory.dmp	upx
behavioral2/memory/2900-81-0x00007FF67FC10000-0x00007FF67FF61000-memory.dmp	upx
behavioral2/memory/3260-83-0x00007FF7FEF80000-0x00007FF7FF2D1000-memory.dmp	upx
behavioral2/memory/556-77-0x00007FF707150000-0x00007FF7074A1000-memory.dmp	upx
behavioral2/memory/2428-114-0x00007FF650960000-0x00007FF650CB1000-memory.dmp	upx
behavioral2/memory/1772-120-0x00007FF70FC10000-0x00007FF70FF61000-memory.dmp	upx
behavioral2/files/0x0007000000023c67-122.dat	upx
behavioral2/files/0x0007000000023c68-123.dat	upx
behavioral2/files/0x0007000000023c69-131.dat	upx
behavioral2/files/0x0007000000023c6a-135.dat	upx
behavioral2/memory/4728-142-0x00007FF6002D0000-0x00007FF600621000-memory.dmp	upx
behavioral2/memory/1420-143-0x00007FF713DF0000-0x00007FF714141000-memory.dmp	upx
behavioral2/memory/1960-141-0x00007FF65C430000-0x00007FF65C781000-memory.dmp	upx
behavioral2/memory/3976-132-0x00007FF7143F0000-0x00007FF714741000-memory.dmp	upx
behavioral2/files/0x0007000000023c66-129.dat	upx
behavioral2/memory/1376-128-0x00007FF7963C0000-0x00007FF796711000-memory.dmp	upx
behavioral2/memory/1612-127-0x00007FF7B4400000-0x00007FF7B4751000-memory.dmp	upx
behavioral2/memory/4316-126-0x00007FF6EB1E0000-0x00007FF6EB531000-memory.dmp	upx
behavioral2/memory/536-121-0x00007FF79DD50000-0x00007FF79E0A1000-memory.dmp	upx
behavioral2/memory/924-113-0x00007FF6D1310000-0x00007FF6D1661000-memory.dmp	upx
behavioral2/memory/3260-147-0x00007FF7FEF80000-0x00007FF7FF2D1000-memory.dmp	upx
behavioral2/memory/4584-148-0x00007FF780260000-0x00007FF7805B1000-memory.dmp	upx
behavioral2/memory/4208-151-0x00007FF650540000-0x00007FF650891000-memory.dmp	upx
behavioral2/memory/4316-154-0x00007FF6EB1E0000-0x00007FF6EB531000-memory.dmp	upx
behavioral2/memory/1376-155-0x00007FF7963C0000-0x00007FF796711000-memory.dmp	upx
behavioral2/memory/3976-156-0x00007FF7143F0000-0x00007FF714741000-memory.dmp	upx
behavioral2/memory/228-157-0x00007FF61FEF0000-0x00007FF620241000-memory.dmp	upx
behavioral2/memory/1960-166-0x00007FF65C430000-0x00007FF65C781000-memory.dmp	upx
behavioral2/memory/1420-175-0x00007FF713DF0000-0x00007FF714141000-memory.dmp	upx
behavioral2/memory/228-180-0x00007FF61FEF0000-0x00007FF620241000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\bmubtSW.exe	2024-11-11_6c18a2b853ce2293145749434d6dc4f5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eWarQdQ.exe	2024-11-11_6c18a2b853ce2293145749434d6dc4f5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HAiGSlw.exe	2024-11-11_6c18a2b853ce2293145749434d6dc4f5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\maDwfGV.exe	2024-11-11_6c18a2b853ce2293145749434d6dc4f5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rNCjGoc.exe	2024-11-11_6c18a2b853ce2293145749434d6dc4f5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nCIglQp.exe	2024-11-11_6c18a2b853ce2293145749434d6dc4f5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GoYczFg.exe	2024-11-11_6c18a2b853ce2293145749434d6dc4f5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AhPWJYs.exe	2024-11-11_6c18a2b853ce2293145749434d6dc4f5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QoWLNTA.exe	2024-11-11_6c18a2b853ce2293145749434d6dc4f5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uQGUsRb.exe	2024-11-11_6c18a2b853ce2293145749434d6dc4f5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XFNdWcO.exe	2024-11-11_6c18a2b853ce2293145749434d6dc4f5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XtpgmDe.exe	2024-11-11_6c18a2b853ce2293145749434d6dc4f5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kVEExIN.exe	2024-11-11_6c18a2b853ce2293145749434d6dc4f5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OdDAdmz.exe	2024-11-11_6c18a2b853ce2293145749434d6dc4f5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cEgJWTI.exe	2024-11-11_6c18a2b853ce2293145749434d6dc4f5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IrWftqt.exe	2024-11-11_6c18a2b853ce2293145749434d6dc4f5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zpNBcAq.exe	2024-11-11_6c18a2b853ce2293145749434d6dc4f5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WVsumeh.exe	2024-11-11_6c18a2b853ce2293145749434d6dc4f5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nkJAHPS.exe	2024-11-11_6c18a2b853ce2293145749434d6dc4f5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gwujFWN.exe	2024-11-11_6c18a2b853ce2293145749434d6dc4f5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RKgeCeY.exe	2024-11-11_6c18a2b853ce2293145749434d6dc4f5_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	228	2024-11-11_6c18a2b853ce2293145749434d6dc4f5_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	228	2024-11-11_6c18a2b853ce2293145749434d6dc4f5_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 228 wrote to memory of 5088	228	2024-11-11_6c18a2b853ce2293145749434d6dc4f5_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 228 wrote to memory of 5088	228	2024-11-11_6c18a2b853ce2293145749434d6dc4f5_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 228 wrote to memory of 556	228	2024-11-11_6c18a2b853ce2293145749434d6dc4f5_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 228 wrote to memory of 556	228	2024-11-11_6c18a2b853ce2293145749434d6dc4f5_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 228 wrote to memory of 2132	228	2024-11-11_6c18a2b853ce2293145749434d6dc4f5_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 228 wrote to memory of 2132	228	2024-11-11_6c18a2b853ce2293145749434d6dc4f5_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 228 wrote to memory of 4352	228	2024-11-11_6c18a2b853ce2293145749434d6dc4f5_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 228 wrote to memory of 4352	228	2024-11-11_6c18a2b853ce2293145749434d6dc4f5_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 228 wrote to memory of 4020	228	2024-11-11_6c18a2b853ce2293145749434d6dc4f5_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 228 wrote to memory of 4020	228	2024-11-11_6c18a2b853ce2293145749434d6dc4f5_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 228 wrote to memory of 2428	228	2024-11-11_6c18a2b853ce2293145749434d6dc4f5_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 228 wrote to memory of 2428	228	2024-11-11_6c18a2b853ce2293145749434d6dc4f5_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 228 wrote to memory of 924	228	2024-11-11_6c18a2b853ce2293145749434d6dc4f5_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 228 wrote to memory of 924	228	2024-11-11_6c18a2b853ce2293145749434d6dc4f5_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 228 wrote to memory of 1772	228	2024-11-11_6c18a2b853ce2293145749434d6dc4f5_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 228 wrote to memory of 1772	228	2024-11-11_6c18a2b853ce2293145749434d6dc4f5_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 228 wrote to memory of 536	228	2024-11-11_6c18a2b853ce2293145749434d6dc4f5_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 228 wrote to memory of 536	228	2024-11-11_6c18a2b853ce2293145749434d6dc4f5_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 228 wrote to memory of 1612	228	2024-11-11_6c18a2b853ce2293145749434d6dc4f5_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 228 wrote to memory of 1612	228	2024-11-11_6c18a2b853ce2293145749434d6dc4f5_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 228 wrote to memory of 4728	228	2024-11-11_6c18a2b853ce2293145749434d6dc4f5_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 228 wrote to memory of 4728	228	2024-11-11_6c18a2b853ce2293145749434d6dc4f5_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 228 wrote to memory of 2900	228	2024-11-11_6c18a2b853ce2293145749434d6dc4f5_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 228 wrote to memory of 2900	228	2024-11-11_6c18a2b853ce2293145749434d6dc4f5_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 228 wrote to memory of 5012	228	2024-11-11_6c18a2b853ce2293145749434d6dc4f5_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 228 wrote to memory of 5012	228	2024-11-11_6c18a2b853ce2293145749434d6dc4f5_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 228 wrote to memory of 3260	228	2024-11-11_6c18a2b853ce2293145749434d6dc4f5_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 228 wrote to memory of 3260	228	2024-11-11_6c18a2b853ce2293145749434d6dc4f5_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 228 wrote to memory of 4584	228	2024-11-11_6c18a2b853ce2293145749434d6dc4f5_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 228 wrote to memory of 4584	228	2024-11-11_6c18a2b853ce2293145749434d6dc4f5_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 228 wrote to memory of 4208	228	2024-11-11_6c18a2b853ce2293145749434d6dc4f5_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 228 wrote to memory of 4208	228	2024-11-11_6c18a2b853ce2293145749434d6dc4f5_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 228 wrote to memory of 4316	228	2024-11-11_6c18a2b853ce2293145749434d6dc4f5_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 228 wrote to memory of 4316	228	2024-11-11_6c18a2b853ce2293145749434d6dc4f5_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 228 wrote to memory of 3976	228	2024-11-11_6c18a2b853ce2293145749434d6dc4f5_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 228 wrote to memory of 3976	228	2024-11-11_6c18a2b853ce2293145749434d6dc4f5_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 228 wrote to memory of 1376	228	2024-11-11_6c18a2b853ce2293145749434d6dc4f5_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 228 wrote to memory of 1376	228	2024-11-11_6c18a2b853ce2293145749434d6dc4f5_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 228 wrote to memory of 1960	228	2024-11-11_6c18a2b853ce2293145749434d6dc4f5_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 228 wrote to memory of 1960	228	2024-11-11_6c18a2b853ce2293145749434d6dc4f5_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 228 wrote to memory of 1420	228	2024-11-11_6c18a2b853ce2293145749434d6dc4f5_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 228 wrote to memory of 1420	228	2024-11-11_6c18a2b853ce2293145749434d6dc4f5_cobalt-strike_cobaltstrike_poet-rat.exe	105

C:\Users\Admin\AppData\Local\Temp\2024-11-11_6c18a2b853ce2293145749434d6dc4f5_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-11_6c18a2b853ce2293145749434d6dc4f5_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:228
- C:\Windows\System\uQGUsRb.exe
  C:\Windows\System\uQGUsRb.exe
  2⤵
  - Executes dropped EXE
  PID:5088
- C:\Windows\System\RKgeCeY.exe
  C:\Windows\System\RKgeCeY.exe
  2⤵
  - Executes dropped EXE
  PID:556
- C:\Windows\System\rNCjGoc.exe
  C:\Windows\System\rNCjGoc.exe
  2⤵
  - Executes dropped EXE
  PID:2132
- C:\Windows\System\cEgJWTI.exe
  C:\Windows\System\cEgJWTI.exe
  2⤵
  - Executes dropped EXE
  PID:4352
- C:\Windows\System\maDwfGV.exe
  C:\Windows\System\maDwfGV.exe
  2⤵
  - Executes dropped EXE
  PID:4020
- C:\Windows\System\XFNdWcO.exe
  C:\Windows\System\XFNdWcO.exe
  2⤵
  - Executes dropped EXE
  PID:2428
- C:\Windows\System\bmubtSW.exe
  C:\Windows\System\bmubtSW.exe
  2⤵
  - Executes dropped EXE
  PID:924
- C:\Windows\System\IrWftqt.exe
  C:\Windows\System\IrWftqt.exe
  2⤵
  - Executes dropped EXE
  PID:1772
- C:\Windows\System\nCIglQp.exe
  C:\Windows\System\nCIglQp.exe
  2⤵
  - Executes dropped EXE
  PID:536
- C:\Windows\System\GoYczFg.exe
  C:\Windows\System\GoYczFg.exe
  2⤵
  - Executes dropped EXE
  PID:1612
- C:\Windows\System\XtpgmDe.exe
  C:\Windows\System\XtpgmDe.exe
  2⤵
  - Executes dropped EXE
  PID:4728
- C:\Windows\System\AhPWJYs.exe
  C:\Windows\System\AhPWJYs.exe
  2⤵
  - Executes dropped EXE
  PID:2900
- C:\Windows\System\zpNBcAq.exe
  C:\Windows\System\zpNBcAq.exe
  2⤵
  - Executes dropped EXE
  PID:5012
- C:\Windows\System\WVsumeh.exe
  C:\Windows\System\WVsumeh.exe
  2⤵
  - Executes dropped EXE
  PID:3260
- C:\Windows\System\nkJAHPS.exe
  C:\Windows\System\nkJAHPS.exe
  2⤵
  - Executes dropped EXE
  PID:4584
- C:\Windows\System\gwujFWN.exe
  C:\Windows\System\gwujFWN.exe
  2⤵
  - Executes dropped EXE
  PID:4208
- C:\Windows\System\eWarQdQ.exe
  C:\Windows\System\eWarQdQ.exe
  2⤵
  - Executes dropped EXE
  PID:4316
- C:\Windows\System\kVEExIN.exe
  C:\Windows\System\kVEExIN.exe
  2⤵
  - Executes dropped EXE
  PID:3976
- C:\Windows\System\HAiGSlw.exe
  C:\Windows\System\HAiGSlw.exe
  2⤵
  - Executes dropped EXE
  PID:1376
- C:\Windows\System\OdDAdmz.exe
  C:\Windows\System\OdDAdmz.exe
  2⤵
  - Executes dropped EXE
  PID:1960
- C:\Windows\System\QoWLNTA.exe
  C:\Windows\System\QoWLNTA.exe
  2⤵
  - Executes dropped EXE
  PID:1420

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AhPWJYs.exe

Filesize
5.2MB

MD5
43788fbe62de2d5405323e6ffe47870d

SHA1
a612dd05cfa061ecf4f1cb1ce67f4fccf31ee75a

SHA256
f1ea64f6e7166d9b640195bcff49db4f76c8a27ff249f6cd65fddd63710ce512

SHA512
b5284ea9952ef8f40d622efba06c82e523d6d0a1143a0c3e561e411ef69d3b2f015cce6a0137393bf5665747e7d15663000fafb1f995283ee2f66478df32d0fb

Download Submit
C:\Windows\System\GoYczFg.exe

Filesize
5.2MB

MD5
37448c0c232a4b0d34fc0d4eb64965c7

SHA1
0a202d91f99d5d6bf61bcb225eac9902f2ed36ea

SHA256
362c15f43ce9810e1183c603490efc4af4526b80869dc8520ae4572b151d3289

SHA512
c2cdaada1c8aa92650a5d29b454f4de646bc0a925c557eb3dbfdf8699a9155b114453123825443d316d50a68f89d9b5da0c5393a556492627bfcd1b13596b259

Download Submit
C:\Windows\System\HAiGSlw.exe

Filesize
5.2MB

MD5
dda8d3b9e280c87af8ffc17af65c2b1b

SHA1
392a9c0640216b3ec47b2f125e00f738e7aab7ba

SHA256
d93723ad0e3700935e898d06146a36cba2e131b62afef56a6920b2549f378be6

SHA512
30bf03dcf3a6ab6876994441694f92d50056f9e0d992830a2824530c27e368d802de921f242d03d4d82fec70b6c9e227e1fc91e1f12c35e79be987236a246ac6

Download Submit
C:\Windows\System\IrWftqt.exe

Filesize
5.2MB

MD5
66e094638494b69a5ba60726c9df0721

SHA1
c6adb2a6cfcd94399b9de9b69cbf362336d4e5ed

SHA256
5789ba60dc624ec8ecd6748b3e351fd5ca4fc30410ffa0d353a548b8a68a0c75

SHA512
81904724d9a87f96240f700a2388573507a94f88867391dfd052cbfa76d1f35d5471997e53945e9813faa9fe7e427175364c2000cc4ec03db65d548194530af0

Download Submit
C:\Windows\System\OdDAdmz.exe

Filesize
5.2MB

MD5
ea25916cb706d4b78bc17fc4841f9953

SHA1
9dc1a29c9b1530328209ab7c4f6ff1b6c89d94e7

SHA256
7ea78a65134bb483a69fca06f5de080f5d1b16468d1e89dc95d96a2fbc46269e

SHA512
b13451d64bdb0a7697fb59932b12307db3517de6ada1b9046350c0374ac080939b4a6a3dca293788035c66685c45e23baa4329620bbe553e1bb6d3efcbc3778d

Download Submit
C:\Windows\System\QoWLNTA.exe

Filesize
5.2MB

MD5
86d5e49357f7c0cd44f0f3a89f155477

SHA1
f5b780eb587955b047d532fd840caa974a51f23a

SHA256
0830402f788f18bf5b4d9e8d0a289b1b5729dd6bd5c36c88a1fe181757803220

SHA512
ac1134c429bc8d62c1cfcdfe923331ccca36020d10e9721ccf7ee78ed1731b9361531dd8d282f00034edc4f0ee71c9602facb3ad48aaa0708dfc570d32bf97aa

Download Submit
C:\Windows\System\RKgeCeY.exe

Filesize
5.2MB

MD5
d4fb00b07b6daf8476276cfe379e5eea

SHA1
9679c1dce81b2be019685952c314dd8d4ffde5b1

SHA256
903833ece59168d7849c08a70ff5af5d9e425ae00a9e7510deb8847bf838bc1c

SHA512
b87ef25fd5dbcb95878c9bb94418ef4258e2d05bee6dfdb08294cb3a4c1f9e1f209ea9e89b819d2261fedd6599c604b284bea36db46697bc99d951c838d1265d

Download Submit
C:\Windows\System\WVsumeh.exe

Filesize
5.2MB

MD5
19b611c816685714f7740945907c1200

SHA1
f620c363cc2be41e0137d402b7ac189c93bf64bc

SHA256
179e2854fd7f57df1654915fbdffe5ca04099c69096d64ea0036eae3d740cf0f

SHA512
f89ee1045127bd0d0f976b0e82a855faad1c5c18c225c9e8f65329eb976d6cbf27316d55faa539e70edd7fb9be2f745c92fa54a42fbc1368f032c2eafeb7b1bb

Download Submit
C:\Windows\System\XFNdWcO.exe

Filesize
5.2MB

MD5
c6af0d76c70c5effad5e3d9bea591ae0

SHA1
4407d92812a7ca8e8f82d3daeaf1ea77616e4030

SHA256
95f4a0d9f49a1c4b08bc87a1d889e7a3be8ceffc8cfc08a570a86c3c602acd0d

SHA512
e0f8b39e2425dbc4814095a66670d1ef1fcc70611f3b27657287bf686e4e3e72864ed8c041cf547dcb2b64dc5c14132b90e5fc8cf2dc4c73a03cec70196f3b28

Download Submit
C:\Windows\System\XtpgmDe.exe

Filesize
5.2MB

MD5
4f4d071227e2aaea248f4633b73de05d

SHA1
27569dade78a71fab23784e01c58e0033f2dde43

SHA256
d8139a7ed1f7f6b671f662ddc1be09735f3e2e4ea4530e30e4ea8e5d9e4f2040

SHA512
a5fe0a0e274a21e1535947d8d1b3bfad53f0faec62a8587004dcf5c75023bd9a0ff16eb01205c562ae55416aa0e05fa319335dfc1eab14ef2c90552c2ebdeb2d

Download Submit
C:\Windows\System\bmubtSW.exe

Filesize
5.2MB

MD5
4d1ade437fac23b89ba66fbf4bfb27bd

SHA1
1227b03f2074f49360338e893c0f69ee63d5564c

SHA256
7e9f82925d0cc46c2cc67eff635e660163ba846c921105d9f15c0b98db90addc

SHA512
97710ef314fd63712bb19c117c6971a64b093e7c5cfc64280b48caaf76128c3c5f675811bde94c129b74faa38394473549a2d949c9a5dba7355001eb839ee1f1

Download Submit
C:\Windows\System\cEgJWTI.exe

Filesize
5.2MB

MD5
998a2ad4795049d3ec02a94684d27669

SHA1
d0f44174a95682bdc1caa41220f8c13e12fd5f61

SHA256
8099a20195b3c5fc9d1844f6830ed725da22d8d69824f875924a41d23dc86f8d

SHA512
d9ea18dd7a96f699e01d849829a73935add3b1f995e33a454c8469f8dd9022208388b730eb5754e6239ffce219d8583d84a2d97e21c377446ae327a8ff618ad3

Download Submit
C:\Windows\System\eWarQdQ.exe

Filesize
5.2MB

MD5
c1e80a0c8b973134d71009d1eb360b4d

SHA1
82d401a0f6559c16020527fd6135df2c22cd4f6d

SHA256
6ed3c4af126157249a0d4734ebb0ed3839108f47263a28511d40954c48d8b855

SHA512
4fe24d6b75d5d0085a15557aa94cc37ce9fd6e3e6abdd778fba1bdcbd89180bfa564bf8cbb72fb7f37d892727487cd728a21dd0849902bc81743eafd5cc641c2

Download Submit
C:\Windows\System\gwujFWN.exe

Filesize
5.2MB

MD5
4c67463697520a7f05ccaf272d18df61

SHA1
e3bb0d4388190ee16770453fe91db61249e888b7

SHA256
3f42a4af93e2dbaef2d3ff12516a8c125e1230e792caa3457f51cebea5553cc3

SHA512
ac5f42dc645cc42c2cbe82c5706ab005bb5e5ddb2b8d61a2a73bd771820b425f9cd1b94dfc01f0d3c63a8399c32dc3ed501682bfb0264e5c03f56d43cf59bee7

Download Submit
C:\Windows\System\kVEExIN.exe

Filesize
5.2MB

MD5
10284af51440d5023dceae5737d71005

SHA1
136a6320e886e203d95df700c53b8fc766f34e82

SHA256
d3da649603323309ad88d0ce3d4987f07d550642c71297a64ecdd3331cc4508d

SHA512
4f24c9fc058332a492cc03bbb3de7c152bdd5b3a3af5303298c05ce0fa713f54ff3f8dc260dd4f8b3b31243918601b1bc8cdab2dedc25b3d997e5bd92271a6a9

Download Submit
C:\Windows\System\maDwfGV.exe

Filesize
5.2MB

MD5
cd667422ef4862d01c2f9a2690d53859

SHA1
57c9f6169510632bc4778ded9598396e6cd5d6b0

SHA256
e3b3079f64068af8ec8c513a96a1eb1870ef2c2de58a46a7afa49cd680b4ba27

SHA512
ac3a59a96160b6de1dfacba528f98e68243a476408802f0cda0b29e4ec1e63c5f6770fb0a07793684f1fbc9679cdb10e92969951583e221e1fd9f4eeab4077a6

Download Submit
C:\Windows\System\nCIglQp.exe

Filesize
5.2MB

MD5
7e345272dcdbb4f7a0545d3cc7e83120

SHA1
0b37985c33421bdda56ac34024a428ef99e7f5db

SHA256
1e03ac0538cd287b25a776bd4c5b019d89310d9507515ca20dcd99c3ed729791

SHA512
c6d970e5d0ec7c9baf0f61bd0c2701a0958a498a134c6151bfecc8fc4372974f66e510d588cb47ad57a083fcde856eab37527cfab2397325d0d52664fbbdf858

Download Submit
C:\Windows\System\nkJAHPS.exe

Filesize
5.2MB

MD5
be9d51619a6f39b062c1e44136a3d20e

SHA1
9d619fed0a550061e934c7fdbd232513069bb766

SHA256
e2cca5a87e063fe0f0716eef2610ff539cdf7df740016db452a7e45c8ace3ccd

SHA512
49b5da8933ba31a58099f0298257d64357ba770f2edae48a62b33ef74dfc8c19578e021916f2f3f2c5b0654a04a83ae812a9ed51b4ccc9047a06fa8c726ef036

Download Submit
C:\Windows\System\rNCjGoc.exe

Filesize
5.2MB

MD5
f5e12af57908b4bf518beccac6432dd1

SHA1
10d304cf177c392b827178392a42de5159646129

SHA256
82560ef03a9b89ff90b3494534a5626a0efb8adaa92a45551198241015403cae

SHA512
e5c4e28f20bc7cb5a8f4aff6e2309f990690c13a43b34b2c872e69f360584ab8276b3913fab9645731a09e7c99ea91d7118d67a03ed7249fcfed34b078fabce6

Download Submit
C:\Windows\System\uQGUsRb.exe

Filesize
5.2MB

MD5
21ce7500c78d6bf6e22ac484707b9173

SHA1
fd8d56e4bb89165ccefbfde8fc6064e9ae08e055

SHA256
3f7b6f67b9ee8cb1e3d989e0afb0cd10afa2626557a9c7d096dc6ec44694e26b

SHA512
ecf07a84ea51aae4b61e4db955ea6c2ba819cc675df23b98636093173166bf323ca0f5f0ecca6b3fc1c037d1d2efaf051b242703d9b0fffb1bd76c8c533593d1

Download Submit
C:\Windows\System\zpNBcAq.exe

Filesize
5.2MB

MD5
56f7592e8dcf4a46f779fb7be150ecb8

SHA1
627f9dd5cbe5b141df89691e6d9a271972fbb57b

SHA256
ab3e55e1bdf564366743f63d1339de11d2e4993e4ee86451d6af0f5e3de0c4be

SHA512
336c68f73be0cb5ff6a8215e3f673750972d38b9bbaf6a87d82b880b682ddfe3174e281612d5bfd7ec443cfc456571980284202cb4434699416f4c9f93542738

Download Submit
memory/228-1-0x000001E5DB790000-0x000001E5DB7A0000-memory.dmp

Filesize
64KB

Download
memory/228-0-0x00007FF61FEF0000-0x00007FF620241000-memory.dmp

Filesize
3.3MB

Download
memory/228-74-0x00007FF61FEF0000-0x00007FF620241000-memory.dmp

Filesize
3.3MB

Download
memory/228-180-0x00007FF61FEF0000-0x00007FF620241000-memory.dmp

Filesize
3.3MB

Download
memory/228-157-0x00007FF61FEF0000-0x00007FF620241000-memory.dmp

Filesize
3.3MB

Download
memory/536-53-0x00007FF79DD50000-0x00007FF79E0A1000-memory.dmp

Filesize
3.3MB

Download
memory/536-235-0x00007FF79DD50000-0x00007FF79E0A1000-memory.dmp

Filesize
3.3MB

Download
memory/536-121-0x00007FF79DD50000-0x00007FF79E0A1000-memory.dmp

Filesize
3.3MB

Download
memory/556-219-0x00007FF707150000-0x00007FF7074A1000-memory.dmp

Filesize
3.3MB

Download
memory/556-77-0x00007FF707150000-0x00007FF7074A1000-memory.dmp

Filesize
3.3MB

Download
memory/556-15-0x00007FF707150000-0x00007FF7074A1000-memory.dmp

Filesize
3.3MB

Download
memory/924-47-0x00007FF6D1310000-0x00007FF6D1661000-memory.dmp

Filesize
3.3MB

Download
memory/924-113-0x00007FF6D1310000-0x00007FF6D1661000-memory.dmp

Filesize
3.3MB

Download
memory/924-233-0x00007FF6D1310000-0x00007FF6D1661000-memory.dmp

Filesize
3.3MB

Download
memory/1376-128-0x00007FF7963C0000-0x00007FF796711000-memory.dmp

Filesize
3.3MB

Download
memory/1376-269-0x00007FF7963C0000-0x00007FF796711000-memory.dmp

Filesize
3.3MB

Download
memory/1376-155-0x00007FF7963C0000-0x00007FF796711000-memory.dmp

Filesize
3.3MB

Download
memory/1420-175-0x00007FF713DF0000-0x00007FF714141000-memory.dmp

Filesize
3.3MB

Download
memory/1420-271-0x00007FF713DF0000-0x00007FF714141000-memory.dmp

Filesize
3.3MB

Download
memory/1420-143-0x00007FF713DF0000-0x00007FF714141000-memory.dmp

Filesize
3.3MB

Download
memory/1612-127-0x00007FF7B4400000-0x00007FF7B4751000-memory.dmp

Filesize
3.3MB

Download
memory/1612-63-0x00007FF7B4400000-0x00007FF7B4751000-memory.dmp

Filesize
3.3MB

Download
memory/1612-237-0x00007FF7B4400000-0x00007FF7B4751000-memory.dmp

Filesize
3.3MB

Download
memory/1772-120-0x00007FF70FC10000-0x00007FF70FF61000-memory.dmp

Filesize
3.3MB

Download
memory/1772-60-0x00007FF70FC10000-0x00007FF70FF61000-memory.dmp

Filesize
3.3MB

Download
memory/1772-241-0x00007FF70FC10000-0x00007FF70FF61000-memory.dmp

Filesize
3.3MB

Download
memory/1960-267-0x00007FF65C430000-0x00007FF65C781000-memory.dmp

Filesize
3.3MB

Download
memory/1960-166-0x00007FF65C430000-0x00007FF65C781000-memory.dmp

Filesize
3.3MB

Download
memory/1960-141-0x00007FF65C430000-0x00007FF65C781000-memory.dmp

Filesize
3.3MB

Download
memory/2132-221-0x00007FF7DA050000-0x00007FF7DA3A1000-memory.dmp

Filesize
3.3MB

Download
memory/2132-28-0x00007FF7DA050000-0x00007FF7DA3A1000-memory.dmp

Filesize
3.3MB

Download
memory/2428-231-0x00007FF650960000-0x00007FF650CB1000-memory.dmp

Filesize
3.3MB

Download
memory/2428-41-0x00007FF650960000-0x00007FF650CB1000-memory.dmp

Filesize
3.3MB

Download
memory/2428-114-0x00007FF650960000-0x00007FF650CB1000-memory.dmp

Filesize
3.3MB

Download
memory/2900-81-0x00007FF67FC10000-0x00007FF67FF61000-memory.dmp

Filesize
3.3MB

Download
memory/2900-247-0x00007FF67FC10000-0x00007FF67FF61000-memory.dmp

Filesize
3.3MB

Download
memory/3260-147-0x00007FF7FEF80000-0x00007FF7FF2D1000-memory.dmp

Filesize
3.3MB

Download
memory/3260-83-0x00007FF7FEF80000-0x00007FF7FF2D1000-memory.dmp

Filesize
3.3MB

Download
memory/3260-252-0x00007FF7FEF80000-0x00007FF7FF2D1000-memory.dmp

Filesize
3.3MB

Download
memory/3976-265-0x00007FF7143F0000-0x00007FF714741000-memory.dmp

Filesize
3.3MB

Download
memory/3976-132-0x00007FF7143F0000-0x00007FF714741000-memory.dmp

Filesize
3.3MB

Download
memory/3976-156-0x00007FF7143F0000-0x00007FF714741000-memory.dmp

Filesize
3.3MB

Download
memory/4020-100-0x00007FF706250000-0x00007FF7065A1000-memory.dmp

Filesize
3.3MB

Download
memory/4020-224-0x00007FF706250000-0x00007FF7065A1000-memory.dmp

Filesize
3.3MB

Download
memory/4020-32-0x00007FF706250000-0x00007FF7065A1000-memory.dmp

Filesize
3.3MB

Download
memory/4208-101-0x00007FF650540000-0x00007FF650891000-memory.dmp

Filesize
3.3MB

Download
memory/4208-151-0x00007FF650540000-0x00007FF650891000-memory.dmp

Filesize
3.3MB

Download
memory/4208-261-0x00007FF650540000-0x00007FF650891000-memory.dmp

Filesize
3.3MB

Download
memory/4316-263-0x00007FF6EB1E0000-0x00007FF6EB531000-memory.dmp

Filesize
3.3MB

Download
memory/4316-154-0x00007FF6EB1E0000-0x00007FF6EB531000-memory.dmp

Filesize
3.3MB

Download
memory/4316-126-0x00007FF6EB1E0000-0x00007FF6EB531000-memory.dmp

Filesize
3.3MB

Download
memory/4352-25-0x00007FF6AEF10000-0x00007FF6AF261000-memory.dmp

Filesize
3.3MB

Download
memory/4352-225-0x00007FF6AEF10000-0x00007FF6AF261000-memory.dmp

Filesize
3.3MB

Download
memory/4352-92-0x00007FF6AEF10000-0x00007FF6AF261000-memory.dmp

Filesize
3.3MB

Download
memory/4584-253-0x00007FF780260000-0x00007FF7805B1000-memory.dmp

Filesize
3.3MB

Download
memory/4584-94-0x00007FF780260000-0x00007FF7805B1000-memory.dmp

Filesize
3.3MB

Download
memory/4584-148-0x00007FF780260000-0x00007FF7805B1000-memory.dmp

Filesize
3.3MB

Download
memory/4728-239-0x00007FF6002D0000-0x00007FF600621000-memory.dmp

Filesize
3.3MB

Download
memory/4728-67-0x00007FF6002D0000-0x00007FF600621000-memory.dmp

Filesize
3.3MB

Download
memory/4728-142-0x00007FF6002D0000-0x00007FF600621000-memory.dmp

Filesize
3.3MB

Download
memory/5012-249-0x00007FF779B50000-0x00007FF779EA1000-memory.dmp

Filesize
3.3MB

Download
memory/5012-89-0x00007FF779B50000-0x00007FF779EA1000-memory.dmp

Filesize
3.3MB

Download
memory/5088-217-0x00007FF63C490000-0x00007FF63C7E1000-memory.dmp

Filesize
3.3MB

Download
memory/5088-7-0x00007FF63C490000-0x00007FF63C7E1000-memory.dmp

Filesize
3.3MB

Download
memory/5088-88-0x00007FF63C490000-0x00007FF63C7E1000-memory.dmp

Filesize
3.3MB

Download