cobaltstrike | 6dff815adc9ce1e46582cbcdceedbcccaf3c838a4ab19ad6a0e8e220b8f1e22d

Analysis

max time kernel
140s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-11-2024 21:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-11_d398893307b4557dd895e0be662b8f71_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

d398893307b4557dd895e0be662b8f71
SHA1

6a2d2e8c6938e7fc11e4414fcd42c2690cb2f7ad
SHA256

6dff815adc9ce1e46582cbcdceedbcccaf3c838a4ab19ad6a0e8e220b8f1e22d
SHA512

a793428c18a6df511854eeedb23217c2ce2792149c2ba661fd40ec9dd9ff7b6b4ec8944d97d33f555e719cd6eebbaad9cc902237dac8b6f7ab86a5aa68992d65
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l8:RWWBibf56utgpPFotBER/mQ32lUI

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000a000000023bfc-6.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca0-12.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca1-17.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca2-28.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca5-41.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca6-48.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca4-37.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca3-34.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca8-75.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023caa-81.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cac-89.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cab-84.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023c9d-69.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca7-58.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cad-95.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cae-105.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb2-123.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb3-135.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb1-122.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb0-116.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023caf-110.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/3016-54-0x00007FF7E48C0000-0x00007FF7E4C11000-memory.dmp	xmrig
behavioral2/memory/2684-77-0x00007FF758100000-0x00007FF758451000-memory.dmp	xmrig
behavioral2/memory/2852-71-0x00007FF645510000-0x00007FF645861000-memory.dmp	xmrig
behavioral2/memory/4300-63-0x00007FF659FB0000-0x00007FF65A301000-memory.dmp	xmrig
behavioral2/memory/4004-91-0x00007FF655480000-0x00007FF6557D1000-memory.dmp	xmrig
behavioral2/memory/4856-113-0x00007FF68EEF0000-0x00007FF68F241000-memory.dmp	xmrig
behavioral2/memory/1428-133-0x00007FF67D380000-0x00007FF67D6D1000-memory.dmp	xmrig
behavioral2/memory/1620-136-0x00007FF70ABC0000-0x00007FF70AF11000-memory.dmp	xmrig
behavioral2/memory/4824-132-0x00007FF69B580000-0x00007FF69B8D1000-memory.dmp	xmrig
behavioral2/memory/5112-129-0x00007FF7ABD20000-0x00007FF7AC071000-memory.dmp	xmrig
behavioral2/memory/3408-128-0x00007FF7D64D0000-0x00007FF7D6821000-memory.dmp	xmrig
behavioral2/memory/1968-119-0x00007FF7C6910000-0x00007FF7C6C61000-memory.dmp	xmrig
behavioral2/memory/2900-118-0x00007FF6D22D0000-0x00007FF6D2621000-memory.dmp	xmrig
behavioral2/memory/2044-107-0x00007FF7EDE80000-0x00007FF7EE1D1000-memory.dmp	xmrig
behavioral2/memory/1392-137-0x00007FF7DF440000-0x00007FF7DF791000-memory.dmp	xmrig
behavioral2/memory/1828-102-0x00007FF6F36B0000-0x00007FF6F3A01000-memory.dmp	xmrig
behavioral2/memory/3180-99-0x00007FF6C6280000-0x00007FF6C65D1000-memory.dmp	xmrig
behavioral2/memory/3016-139-0x00007FF7E48C0000-0x00007FF7E4C11000-memory.dmp	xmrig
behavioral2/memory/4496-149-0x00007FF70E0A0000-0x00007FF70E3F1000-memory.dmp	xmrig
behavioral2/memory/4864-150-0x00007FF6FBBF0000-0x00007FF6FBF41000-memory.dmp	xmrig
behavioral2/memory/2704-158-0x00007FF6FE7A0000-0x00007FF6FEAF1000-memory.dmp	xmrig
behavioral2/memory/3088-157-0x00007FF79D120000-0x00007FF79D471000-memory.dmp	xmrig
behavioral2/memory/4288-164-0x00007FF661FE0000-0x00007FF662331000-memory.dmp	xmrig
behavioral2/memory/3016-165-0x00007FF7E48C0000-0x00007FF7E4C11000-memory.dmp	xmrig
behavioral2/memory/4300-214-0x00007FF659FB0000-0x00007FF65A301000-memory.dmp	xmrig
behavioral2/memory/2852-221-0x00007FF645510000-0x00007FF645861000-memory.dmp	xmrig
behavioral2/memory/2684-224-0x00007FF758100000-0x00007FF758451000-memory.dmp	xmrig
behavioral2/memory/4004-226-0x00007FF655480000-0x00007FF6557D1000-memory.dmp	xmrig
behavioral2/memory/3180-228-0x00007FF6C6280000-0x00007FF6C65D1000-memory.dmp	xmrig
behavioral2/memory/2044-230-0x00007FF7EDE80000-0x00007FF7EE1D1000-memory.dmp	xmrig
behavioral2/memory/1968-234-0x00007FF7C6910000-0x00007FF7C6C61000-memory.dmp	xmrig
behavioral2/memory/4824-233-0x00007FF69B580000-0x00007FF69B8D1000-memory.dmp	xmrig
behavioral2/memory/1620-242-0x00007FF70ABC0000-0x00007FF70AF11000-memory.dmp	xmrig
behavioral2/memory/1392-244-0x00007FF7DF440000-0x00007FF7DF791000-memory.dmp	xmrig
behavioral2/memory/4864-247-0x00007FF6FBBF0000-0x00007FF6FBF41000-memory.dmp	xmrig
behavioral2/memory/3088-248-0x00007FF79D120000-0x00007FF79D471000-memory.dmp	xmrig
behavioral2/memory/2704-250-0x00007FF6FE7A0000-0x00007FF6FEAF1000-memory.dmp	xmrig
behavioral2/memory/4496-252-0x00007FF70E0A0000-0x00007FF70E3F1000-memory.dmp	xmrig
behavioral2/memory/1828-260-0x00007FF6F36B0000-0x00007FF6F3A01000-memory.dmp	xmrig
behavioral2/memory/4856-262-0x00007FF68EEF0000-0x00007FF68F241000-memory.dmp	xmrig
behavioral2/memory/2900-264-0x00007FF6D22D0000-0x00007FF6D2621000-memory.dmp	xmrig
behavioral2/memory/3408-270-0x00007FF7D64D0000-0x00007FF7D6821000-memory.dmp	xmrig
behavioral2/memory/1428-269-0x00007FF67D380000-0x00007FF67D6D1000-memory.dmp	xmrig
behavioral2/memory/5112-267-0x00007FF7ABD20000-0x00007FF7AC071000-memory.dmp	xmrig
behavioral2/memory/4288-273-0x00007FF661FE0000-0x00007FF662331000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4300	IdmrvkE.exe
2852	jGjtzCt.exe
2684	cPeQjPU.exe
4004	PQGxUVc.exe
3180	WTMLkWF.exe
2044	llBphgt.exe
1968	VoNOayT.exe
4824	yAqqPXe.exe
1620	ooRmErK.exe
1392	KcWUGts.exe
4864	wHCrfhq.exe
3088	tBfAupA.exe
4496	lETtwZa.exe
2704	SDqTREG.exe
1828	ohfPNps.exe
4856	WYABWKz.exe
2900	qyibtbz.exe
3408	FnvEadf.exe
1428	qeuXgJA.exe
5112	eZZTuaE.exe
4288	atpWkuJ.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3016-0-0x00007FF7E48C0000-0x00007FF7E4C11000-memory.dmp	upx
behavioral2/files/0x000a000000023bfc-6.dat	upx
behavioral2/files/0x0007000000023ca0-12.dat	upx
behavioral2/files/0x0007000000023ca1-17.dat	upx
behavioral2/memory/2684-23-0x00007FF758100000-0x00007FF758451000-memory.dmp	upx
behavioral2/files/0x0007000000023ca2-28.dat	upx
behavioral2/files/0x0007000000023ca5-41.dat	upx
behavioral2/memory/1968-42-0x00007FF7C6910000-0x00007FF7C6C61000-memory.dmp	upx
behavioral2/files/0x0007000000023ca6-48.dat	upx
behavioral2/memory/4824-50-0x00007FF69B580000-0x00007FF69B8D1000-memory.dmp	upx
behavioral2/files/0x0007000000023ca4-37.dat	upx
behavioral2/memory/2044-36-0x00007FF7EDE80000-0x00007FF7EE1D1000-memory.dmp	upx
behavioral2/files/0x0007000000023ca3-34.dat	upx
behavioral2/memory/3180-32-0x00007FF6C6280000-0x00007FF6C65D1000-memory.dmp	upx
behavioral2/memory/4004-26-0x00007FF655480000-0x00007FF6557D1000-memory.dmp	upx
behavioral2/memory/2852-14-0x00007FF645510000-0x00007FF645861000-memory.dmp	upx
behavioral2/memory/4300-8-0x00007FF659FB0000-0x00007FF65A301000-memory.dmp	upx
behavioral2/memory/3016-54-0x00007FF7E48C0000-0x00007FF7E4C11000-memory.dmp	upx
behavioral2/memory/1620-61-0x00007FF70ABC0000-0x00007FF70AF11000-memory.dmp	upx
behavioral2/files/0x0007000000023ca8-75.dat	upx
behavioral2/files/0x0007000000023caa-81.dat	upx
behavioral2/files/0x0007000000023cac-89.dat	upx
behavioral2/memory/2704-86-0x00007FF6FE7A0000-0x00007FF6FEAF1000-memory.dmp	upx
behavioral2/files/0x0007000000023cab-84.dat	upx
behavioral2/memory/3088-83-0x00007FF79D120000-0x00007FF79D471000-memory.dmp	upx
behavioral2/memory/4496-79-0x00007FF70E0A0000-0x00007FF70E3F1000-memory.dmp	upx
behavioral2/memory/4864-78-0x00007FF6FBBF0000-0x00007FF6FBF41000-memory.dmp	upx
behavioral2/memory/2684-77-0x00007FF758100000-0x00007FF758451000-memory.dmp	upx
behavioral2/memory/2852-71-0x00007FF645510000-0x00007FF645861000-memory.dmp	upx
behavioral2/memory/1392-70-0x00007FF7DF440000-0x00007FF7DF791000-memory.dmp	upx
behavioral2/files/0x0009000000023c9d-69.dat	upx
behavioral2/memory/4300-63-0x00007FF659FB0000-0x00007FF65A301000-memory.dmp	upx
behavioral2/files/0x0007000000023ca7-58.dat	upx
behavioral2/memory/4004-91-0x00007FF655480000-0x00007FF6557D1000-memory.dmp	upx
behavioral2/files/0x0007000000023cad-95.dat	upx
behavioral2/files/0x0007000000023cae-105.dat	upx
behavioral2/memory/4856-113-0x00007FF68EEF0000-0x00007FF68F241000-memory.dmp	upx
behavioral2/files/0x0007000000023cb2-123.dat	upx
behavioral2/memory/1428-133-0x00007FF67D380000-0x00007FF67D6D1000-memory.dmp	upx
behavioral2/memory/4288-134-0x00007FF661FE0000-0x00007FF662331000-memory.dmp	upx
behavioral2/memory/1620-136-0x00007FF70ABC0000-0x00007FF70AF11000-memory.dmp	upx
behavioral2/files/0x0007000000023cb3-135.dat	upx
behavioral2/memory/4824-132-0x00007FF69B580000-0x00007FF69B8D1000-memory.dmp	upx
behavioral2/memory/5112-129-0x00007FF7ABD20000-0x00007FF7AC071000-memory.dmp	upx
behavioral2/memory/3408-128-0x00007FF7D64D0000-0x00007FF7D6821000-memory.dmp	upx
behavioral2/files/0x0007000000023cb1-122.dat	upx
behavioral2/memory/1968-119-0x00007FF7C6910000-0x00007FF7C6C61000-memory.dmp	upx
behavioral2/memory/2900-118-0x00007FF6D22D0000-0x00007FF6D2621000-memory.dmp	upx
behavioral2/files/0x0007000000023cb0-116.dat	upx
behavioral2/files/0x0007000000023caf-110.dat	upx
behavioral2/memory/2044-107-0x00007FF7EDE80000-0x00007FF7EE1D1000-memory.dmp	upx
behavioral2/memory/1392-137-0x00007FF7DF440000-0x00007FF7DF791000-memory.dmp	upx
behavioral2/memory/1828-102-0x00007FF6F36B0000-0x00007FF6F3A01000-memory.dmp	upx
behavioral2/memory/3180-99-0x00007FF6C6280000-0x00007FF6C65D1000-memory.dmp	upx
behavioral2/memory/3016-139-0x00007FF7E48C0000-0x00007FF7E4C11000-memory.dmp	upx
behavioral2/memory/4496-149-0x00007FF70E0A0000-0x00007FF70E3F1000-memory.dmp	upx
behavioral2/memory/4864-150-0x00007FF6FBBF0000-0x00007FF6FBF41000-memory.dmp	upx
behavioral2/memory/2704-158-0x00007FF6FE7A0000-0x00007FF6FEAF1000-memory.dmp	upx
behavioral2/memory/3088-157-0x00007FF79D120000-0x00007FF79D471000-memory.dmp	upx
behavioral2/memory/4288-164-0x00007FF661FE0000-0x00007FF662331000-memory.dmp	upx
behavioral2/memory/3016-165-0x00007FF7E48C0000-0x00007FF7E4C11000-memory.dmp	upx
behavioral2/memory/4300-214-0x00007FF659FB0000-0x00007FF65A301000-memory.dmp	upx
behavioral2/memory/2852-221-0x00007FF645510000-0x00007FF645861000-memory.dmp	upx
behavioral2/memory/2684-224-0x00007FF758100000-0x00007FF758451000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\IdmrvkE.exe	2024-11-11_d398893307b4557dd895e0be662b8f71_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jGjtzCt.exe	2024-11-11_d398893307b4557dd895e0be662b8f71_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PQGxUVc.exe	2024-11-11_d398893307b4557dd895e0be662b8f71_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\llBphgt.exe	2024-11-11_d398893307b4557dd895e0be662b8f71_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VoNOayT.exe	2024-11-11_d398893307b4557dd895e0be662b8f71_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SDqTREG.exe	2024-11-11_d398893307b4557dd895e0be662b8f71_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eZZTuaE.exe	2024-11-11_d398893307b4557dd895e0be662b8f71_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cPeQjPU.exe	2024-11-11_d398893307b4557dd895e0be662b8f71_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lETtwZa.exe	2024-11-11_d398893307b4557dd895e0be662b8f71_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tBfAupA.exe	2024-11-11_d398893307b4557dd895e0be662b8f71_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ohfPNps.exe	2024-11-11_d398893307b4557dd895e0be662b8f71_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qyibtbz.exe	2024-11-11_d398893307b4557dd895e0be662b8f71_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FnvEadf.exe	2024-11-11_d398893307b4557dd895e0be662b8f71_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\atpWkuJ.exe	2024-11-11_d398893307b4557dd895e0be662b8f71_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yAqqPXe.exe	2024-11-11_d398893307b4557dd895e0be662b8f71_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ooRmErK.exe	2024-11-11_d398893307b4557dd895e0be662b8f71_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WYABWKz.exe	2024-11-11_d398893307b4557dd895e0be662b8f71_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qeuXgJA.exe	2024-11-11_d398893307b4557dd895e0be662b8f71_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WTMLkWF.exe	2024-11-11_d398893307b4557dd895e0be662b8f71_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KcWUGts.exe	2024-11-11_d398893307b4557dd895e0be662b8f71_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wHCrfhq.exe	2024-11-11_d398893307b4557dd895e0be662b8f71_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3016	2024-11-11_d398893307b4557dd895e0be662b8f71_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	3016	2024-11-11_d398893307b4557dd895e0be662b8f71_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 4300	3016	2024-11-11_d398893307b4557dd895e0be662b8f71_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3016 wrote to memory of 4300	3016	2024-11-11_d398893307b4557dd895e0be662b8f71_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3016 wrote to memory of 2852	3016	2024-11-11_d398893307b4557dd895e0be662b8f71_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3016 wrote to memory of 2852	3016	2024-11-11_d398893307b4557dd895e0be662b8f71_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3016 wrote to memory of 2684	3016	2024-11-11_d398893307b4557dd895e0be662b8f71_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3016 wrote to memory of 2684	3016	2024-11-11_d398893307b4557dd895e0be662b8f71_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3016 wrote to memory of 4004	3016	2024-11-11_d398893307b4557dd895e0be662b8f71_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3016 wrote to memory of 4004	3016	2024-11-11_d398893307b4557dd895e0be662b8f71_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3016 wrote to memory of 3180	3016	2024-11-11_d398893307b4557dd895e0be662b8f71_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3016 wrote to memory of 3180	3016	2024-11-11_d398893307b4557dd895e0be662b8f71_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3016 wrote to memory of 2044	3016	2024-11-11_d398893307b4557dd895e0be662b8f71_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3016 wrote to memory of 2044	3016	2024-11-11_d398893307b4557dd895e0be662b8f71_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3016 wrote to memory of 1968	3016	2024-11-11_d398893307b4557dd895e0be662b8f71_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3016 wrote to memory of 1968	3016	2024-11-11_d398893307b4557dd895e0be662b8f71_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3016 wrote to memory of 4824	3016	2024-11-11_d398893307b4557dd895e0be662b8f71_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3016 wrote to memory of 4824	3016	2024-11-11_d398893307b4557dd895e0be662b8f71_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3016 wrote to memory of 1620	3016	2024-11-11_d398893307b4557dd895e0be662b8f71_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3016 wrote to memory of 1620	3016	2024-11-11_d398893307b4557dd895e0be662b8f71_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3016 wrote to memory of 1392	3016	2024-11-11_d398893307b4557dd895e0be662b8f71_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3016 wrote to memory of 1392	3016	2024-11-11_d398893307b4557dd895e0be662b8f71_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3016 wrote to memory of 4496	3016	2024-11-11_d398893307b4557dd895e0be662b8f71_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3016 wrote to memory of 4496	3016	2024-11-11_d398893307b4557dd895e0be662b8f71_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3016 wrote to memory of 4864	3016	2024-11-11_d398893307b4557dd895e0be662b8f71_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3016 wrote to memory of 4864	3016	2024-11-11_d398893307b4557dd895e0be662b8f71_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3016 wrote to memory of 3088	3016	2024-11-11_d398893307b4557dd895e0be662b8f71_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3016 wrote to memory of 3088	3016	2024-11-11_d398893307b4557dd895e0be662b8f71_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3016 wrote to memory of 2704	3016	2024-11-11_d398893307b4557dd895e0be662b8f71_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3016 wrote to memory of 2704	3016	2024-11-11_d398893307b4557dd895e0be662b8f71_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3016 wrote to memory of 1828	3016	2024-11-11_d398893307b4557dd895e0be662b8f71_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3016 wrote to memory of 1828	3016	2024-11-11_d398893307b4557dd895e0be662b8f71_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3016 wrote to memory of 4856	3016	2024-11-11_d398893307b4557dd895e0be662b8f71_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3016 wrote to memory of 4856	3016	2024-11-11_d398893307b4557dd895e0be662b8f71_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3016 wrote to memory of 2900	3016	2024-11-11_d398893307b4557dd895e0be662b8f71_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3016 wrote to memory of 2900	3016	2024-11-11_d398893307b4557dd895e0be662b8f71_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3016 wrote to memory of 3408	3016	2024-11-11_d398893307b4557dd895e0be662b8f71_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3016 wrote to memory of 3408	3016	2024-11-11_d398893307b4557dd895e0be662b8f71_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3016 wrote to memory of 1428	3016	2024-11-11_d398893307b4557dd895e0be662b8f71_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 3016 wrote to memory of 1428	3016	2024-11-11_d398893307b4557dd895e0be662b8f71_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 3016 wrote to memory of 5112	3016	2024-11-11_d398893307b4557dd895e0be662b8f71_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 3016 wrote to memory of 5112	3016	2024-11-11_d398893307b4557dd895e0be662b8f71_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 3016 wrote to memory of 4288	3016	2024-11-11_d398893307b4557dd895e0be662b8f71_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 3016 wrote to memory of 4288	3016	2024-11-11_d398893307b4557dd895e0be662b8f71_cobalt-strike_cobaltstrike_poet-rat.exe	106

C:\Users\Admin\AppData\Local\Temp\2024-11-11_d398893307b4557dd895e0be662b8f71_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-11_d398893307b4557dd895e0be662b8f71_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Windows\System\IdmrvkE.exe
  C:\Windows\System\IdmrvkE.exe
  2⤵
  - Executes dropped EXE
  PID:4300
- C:\Windows\System\jGjtzCt.exe
  C:\Windows\System\jGjtzCt.exe
  2⤵
  - Executes dropped EXE
  PID:2852
- C:\Windows\System\cPeQjPU.exe
  C:\Windows\System\cPeQjPU.exe
  2⤵
  - Executes dropped EXE
  PID:2684
- C:\Windows\System\PQGxUVc.exe
  C:\Windows\System\PQGxUVc.exe
  2⤵
  - Executes dropped EXE
  PID:4004
- C:\Windows\System\WTMLkWF.exe
  C:\Windows\System\WTMLkWF.exe
  2⤵
  - Executes dropped EXE
  PID:3180
- C:\Windows\System\llBphgt.exe
  C:\Windows\System\llBphgt.exe
  2⤵
  - Executes dropped EXE
  PID:2044
- C:\Windows\System\VoNOayT.exe
  C:\Windows\System\VoNOayT.exe
  2⤵
  - Executes dropped EXE
  PID:1968
- C:\Windows\System\yAqqPXe.exe
  C:\Windows\System\yAqqPXe.exe
  2⤵
  - Executes dropped EXE
  PID:4824
- C:\Windows\System\ooRmErK.exe
  C:\Windows\System\ooRmErK.exe
  2⤵
  - Executes dropped EXE
  PID:1620
- C:\Windows\System\KcWUGts.exe
  C:\Windows\System\KcWUGts.exe
  2⤵
  - Executes dropped EXE
  PID:1392
- C:\Windows\System\lETtwZa.exe
  C:\Windows\System\lETtwZa.exe
  2⤵
  - Executes dropped EXE
  PID:4496
- C:\Windows\System\wHCrfhq.exe
  C:\Windows\System\wHCrfhq.exe
  2⤵
  - Executes dropped EXE
  PID:4864
- C:\Windows\System\tBfAupA.exe
  C:\Windows\System\tBfAupA.exe
  2⤵
  - Executes dropped EXE
  PID:3088
- C:\Windows\System\SDqTREG.exe
  C:\Windows\System\SDqTREG.exe
  2⤵
  - Executes dropped EXE
  PID:2704
- C:\Windows\System\ohfPNps.exe
  C:\Windows\System\ohfPNps.exe
  2⤵
  - Executes dropped EXE
  PID:1828
- C:\Windows\System\WYABWKz.exe
  C:\Windows\System\WYABWKz.exe
  2⤵
  - Executes dropped EXE
  PID:4856
- C:\Windows\System\qyibtbz.exe
  C:\Windows\System\qyibtbz.exe
  2⤵
  - Executes dropped EXE
  PID:2900
- C:\Windows\System\FnvEadf.exe
  C:\Windows\System\FnvEadf.exe
  2⤵
  - Executes dropped EXE
  PID:3408
- C:\Windows\System\qeuXgJA.exe
  C:\Windows\System\qeuXgJA.exe
  2⤵
  - Executes dropped EXE
  PID:1428
- C:\Windows\System\eZZTuaE.exe
  C:\Windows\System\eZZTuaE.exe
  2⤵
  - Executes dropped EXE
  PID:5112
- C:\Windows\System\atpWkuJ.exe
  C:\Windows\System\atpWkuJ.exe
  2⤵
  - Executes dropped EXE
  PID:4288

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\FnvEadf.exe

Filesize
5.2MB

MD5
b217567b8f0d9e323908be0b5cca5d74

SHA1
edd7cf57548f6a0cf8afccb1070881845980f033

SHA256
d6895cb85bcabc5739b6a47c305907b8e829bced279712fb4ad247270b91330f

SHA512
5041d4b76af2105b427f5d4a240a3c89566cece03555cc0f8c471bdea57762191bf37646f47b31029b0fceedcbf43a6fc1954ca6b8dec2975dd93b155491648b

Download Submit
C:\Windows\System\IdmrvkE.exe

Filesize
5.2MB

MD5
0bb337b4df2128696e56bfc184a3cd03

SHA1
e273c77eec82f6cb6769c4d6477c20ef09bb3cea

SHA256
c339d85f545737ee57c2419d4567fad8b462fc72408240b17c54bcc79bb6b9fb

SHA512
74525c48c8760258d4673c9a4996f93b116cd49fdc96bb933b4956dc7fed31b19e59f0c6667aa8628a16269d3c95ad9da6d94f6f040b57af32e59a9d22b28403

Download Submit
C:\Windows\System\KcWUGts.exe

Filesize
5.2MB

MD5
aebf3bc9f3976d28a62a41269d8daf31

SHA1
fdb1c5167278ae37a626563949745f604adb3359

SHA256
65a000f931c3afa6bb71f30d00b53208e0522ef845afaa63020cec86bbaf11e4

SHA512
969e58536e151cd275e3901b0e0e6471d24a467ac68daf77a5f7f3ed31be80ef9eb777c57ce955f982d28f047d2b986f314b57f3487835383612d3522c42c0e1

Download Submit
C:\Windows\System\PQGxUVc.exe

Filesize
5.2MB

MD5
1c7e3248d6596dc9212126cc7b230bf8

SHA1
2a85b066525c5d474e6ee18e16a0f2946270b2af

SHA256
5d6d06aa23ec7c19c612872f2ba92e432ac140c28790e9b368b82c2f691182e8

SHA512
119397a273f87b7daaed27a734f094233e11ea81f4488857575cc1956446992abd1ba7d4706cdcf9f808cab00a69f6c4a99c3f14c1695963ba00326c62be416b

Download Submit
C:\Windows\System\SDqTREG.exe

Filesize
5.2MB

MD5
09c1b7a25bea2f17d7a7a534339d4ba9

SHA1
5cb022369bc2981fcb64bdb29fe078ad54b7c9f2

SHA256
bacc3295ed87cda98571cce0697abc705b61b098448f8091dd6a87d603c6c190

SHA512
70edad0509512a2199dc75522e6a12ee04276417e3f9299b1793388a5df2baba846641974f668bb7cb0c4d7f2ff9d70fb906b3162ea6479bc36b31f188ea614e

Download Submit
C:\Windows\System\VoNOayT.exe

Filesize
5.2MB

MD5
9b6ebd5cdd452dfe449d6afcb8b97ee5

SHA1
fce6b271ff61918f052790a3d03ab7d6a00b51d6

SHA256
c630706f0d53d629ed0cc8909e2585ef9daf148de5ddf7a616d9545e14735a18

SHA512
65b6ee752bf2ff7bbdae0082f75f82e3a711742b6f5cdb9fa8384053685de7448681fc87d7bf70a8c1fc67e35dd8bba1a29c29aa2471b4aa8213c911ca6bcb3b

Download Submit
C:\Windows\System\WTMLkWF.exe

Filesize
5.2MB

MD5
73d0650308259d69bd1b57ecabeea5f7

SHA1
5194d35f6eb03e3b1913c6881e4199b80c5c348c

SHA256
113d88101d572e8df3e94b239615c034de73863fd9296554c6fc23c587655518

SHA512
2dc515c883334d6a6a475fb8ebd2b94a8342a38d4746bffc7a4c9e0d0e12be65e4b6fd6e4501e5466ca9412d9c9a55bfb336d8c3285d187697b4f9e099560e0d

Download Submit
C:\Windows\System\WYABWKz.exe

Filesize
5.2MB

MD5
56b159b443f6f9b2fa9374b86d8bfbcd

SHA1
ea023e9019f53fbb2ef7b497cc6e520af9255c86

SHA256
72cdfbe16e3953f37a78f0138f271f524ba1b0ab0bd2b56bb5630461ccce1bcb

SHA512
8ceadddb8eafc34ae740e08eebfbd9a64b4b3f2f4347b09cd3ca78b19271a4ddc273914ba2d224225840f36e3ccc127cd2104b3403c6d573e2508ab44ef0f19c

Download Submit
C:\Windows\System\atpWkuJ.exe

Filesize
5.2MB

MD5
8d454c5b0ff84753eba7f0d52d34294d

SHA1
cda744ddd92ff75b587da5f233ba541707a2d10c

SHA256
2da6fd77ec36d86b8f49283a2985549ed675fd071a5f226270c233a611597711

SHA512
b2b3f8180c424102fd851951e4419d2abd9f486b2cd2d6ce3e64b02667b6f68f10abfd246c765bc28d30732a01ee3843f19c05fcd14030beb4282eef38262134

Download Submit
C:\Windows\System\cPeQjPU.exe

Filesize
5.2MB

MD5
12d9ecb03f4236eea4d36555ca62e73a

SHA1
c753e87630d03eb5a788ce69494410e8077693e7

SHA256
90d30bc00a3580721dac888500b400d086c85ee9c547de845b31f64f465c55d7

SHA512
c1f74bfe71e349a4bba592e827b208f996f0febe42164259a6126dee7ebedc7b2f81d33c2c6197a680855d2e3e90572eddc1363cc3077433fafbd4e682b90c3b

Download Submit
C:\Windows\System\eZZTuaE.exe

Filesize
5.2MB

MD5
93d8b4d357cea195cbd3634a4297e3a9

SHA1
669989cf2ef5b4966b7a6688303b3bafb84bed24

SHA256
d260811da9c973b99b8aa3fe62402a7efc77725f271a69b3875903c7addb89a7

SHA512
0dbf97099b94c83b9ff67f5551b838b5b3175033d22ace65d6246fb10223fe18ad5f305548dfe5861586dd0ddaa52c3bb8661be409f3ff5be2641d903e4e3e8b

Download Submit
C:\Windows\System\jGjtzCt.exe

Filesize
5.2MB

MD5
ac8b85d72e2c6ad5c48db32be622096a

SHA1
4b322eed9af85964842e55af6a0b6a44c28fa3fa

SHA256
94278c5064a41cb76f5e8eb97d6a0571ec41de4b52fcdd1b386daa07eccc0748

SHA512
62b7bca120b1021d20d17c6218d0f8fbd428e23ff8b8b5ff321023cd2b1b733323e294893eecf26a6978ea0c5ce29464f86f4649f204eac2d4ab4f302021b0d1

Download Submit
C:\Windows\System\lETtwZa.exe

Filesize
5.2MB

MD5
cb0abf2dce5da1f1e27d09f32a990ba7

SHA1
e13edd6c9091841c2d35f838720356836380f325

SHA256
0fde85a0710c2706a0def53877afc76d9e0a7f390c657332e3b04aa9d7367d9a

SHA512
dfafc7d91fa78b3d98834f15ea92122a0e5b8b58d7cbf6b837efc9541888ff43c4ec35bf9e621301cc463cb7006f22772ed7968c58b0f9db2966651aedf36eeb

Download Submit
C:\Windows\System\llBphgt.exe

Filesize
5.2MB

MD5
6db74132847244665e243bacffc3674f

SHA1
2fa21adeb858b71c559db7918fa62166e3c0f7eb

SHA256
a32fcdc1d5e2c9b4d975bebc070cb65f88f616ac015225d91c5383f3ef712c4f

SHA512
ec745f7ef1eac55c880fda848fd7c2db14ea02ac1917c007c2bfd92289eb9aec1b98de83be8a67a28fc0ffc0fd51ed21f058d3f4bb170837473e64ad88c215a2

Download Submit
C:\Windows\System\ohfPNps.exe

Filesize
5.2MB

MD5
42d5f63d7371a4c9bb8518ff0cf8972a

SHA1
55c861a80630eb0f1f9401937cb03ece48ad247a

SHA256
6223eb03dbac75f00f79b2ac0629e04d3169b43a475cd4df9c072b6711cb1bf6

SHA512
085b2cbf71189016965dd65e17b2a710516d7a7b458e5ea4260e6d7611d57f9f0afa4fb0c9282fb3a6863656b3797ada7788edce32a52eddb4a1e2075a5bb39b

Download Submit
C:\Windows\System\ooRmErK.exe

Filesize
5.2MB

MD5
346bb706dbb01075344ae6cd015b314c

SHA1
3a03c7f39b9b0a6a2cda543ba0ff693461613e90

SHA256
dee2a658f7f5fe1f07860166d601c5380e975a6978aeccd5935d46fed5cb2e8e

SHA512
030fb5ea7a65dfad67ba705cfcf99995ac3fa6faa58f35dba0df57a0a2a7c1f9e7e7a6b4dbce748f03781ce7d51bd4163b8ba83724a2071d128cb102e7f19591

Download Submit
C:\Windows\System\qeuXgJA.exe

Filesize
5.2MB

MD5
2777e8ad158de7fa982fe516e4be0a75

SHA1
c3c3cdca175f9e9d8f91db71761bd76095eeb82b

SHA256
9ade6befb905cdcc3b702e2c9970a911883b357c9b1dbc35e5f8678a31af6e08

SHA512
8d8269115f6a79c9e017a12394ca153e9ec9e368d990a4bf4996b8a84afd38f994b30f8d5bde6f8e24659bbecfa275f52c5525036e633bacce6aa4abb9b04730

Download Submit
C:\Windows\System\qyibtbz.exe

Filesize
5.2MB

MD5
f6dbc3378f9a024178c2474c0c5f6c9a

SHA1
5f55d425c3ea283b55f44ad0a7b523806dd865dd

SHA256
7aa74de999487ed7497ef8ebf1097148d104eec883e41b522b9facd5916c6676

SHA512
8083858264ee8be27645b3db0244dae16e845f0af6208c4398c75d429408386fd3a345531a3ce6b932886ba87d790b4bd883e7c750d11f35c95c26da35e224b9

Download Submit
C:\Windows\System\tBfAupA.exe

Filesize
5.2MB

MD5
5fe8c3221eab32ae8c78f3c02519e7db

SHA1
03b4372dbee6299d75dda94a4679e99944c099f0

SHA256
4554a339c1fdb4dd0496b621b50ab8ee2fea3f81fa30ce74d5395933f1e1a435

SHA512
490d013cc3d13074066ba61013c4fddc1217e99a81a4943d47935d333089823b39463fb7643f571b0006d3ae489e622c205530dcd2988c48c174242eaf0a8d99

Download Submit
C:\Windows\System\wHCrfhq.exe

Filesize
5.2MB

MD5
d1d641a7a3f0715de5f85105d53127a7

SHA1
0e02a2b9c111fae13e81a1490407a324cb85332c

SHA256
ef10906533a67aea7857b5343d355578d8da03fb85a52fe051689b549908647e

SHA512
c21cb550e3548edd17e6a125224bbd2100fedab3b11f6ced5d30e33469f8749e9e82125cfe8c9073ef0b38c9f3c9eab28d9e0d1bd5f51f9bf9eaa0be2b068210

Download Submit
C:\Windows\System\yAqqPXe.exe

Filesize
5.2MB

MD5
12af47b24b8e49e6c022ecb69a018d70

SHA1
30dbd7387d297eb7e7f3b2f7d0a8fe6817dc0978

SHA256
83226a05185c2b0ce8e6b66ff7f5fa8b2354315747382cae29b02b80aa5c780e

SHA512
8f056489a8f54ddb78ae033c4595947470951bfeb9743e0ded96122f09d356ca720f680d06577875b46767c85ec1fd75079f09be2cdb307a90ac5b0b6a2d177b

Download Submit
memory/1392-137-0x00007FF7DF440000-0x00007FF7DF791000-memory.dmp

Filesize
3.3MB

Download
memory/1392-70-0x00007FF7DF440000-0x00007FF7DF791000-memory.dmp

Filesize
3.3MB

Download
memory/1392-244-0x00007FF7DF440000-0x00007FF7DF791000-memory.dmp

Filesize
3.3MB

Download
memory/1428-133-0x00007FF67D380000-0x00007FF67D6D1000-memory.dmp

Filesize
3.3MB

Download
memory/1428-269-0x00007FF67D380000-0x00007FF67D6D1000-memory.dmp

Filesize
3.3MB

Download
memory/1620-136-0x00007FF70ABC0000-0x00007FF70AF11000-memory.dmp

Filesize
3.3MB

Download
memory/1620-242-0x00007FF70ABC0000-0x00007FF70AF11000-memory.dmp

Filesize
3.3MB

Download
memory/1620-61-0x00007FF70ABC0000-0x00007FF70AF11000-memory.dmp

Filesize
3.3MB

Download
memory/1828-260-0x00007FF6F36B0000-0x00007FF6F3A01000-memory.dmp

Filesize
3.3MB

Download
memory/1828-102-0x00007FF6F36B0000-0x00007FF6F3A01000-memory.dmp

Filesize
3.3MB

Download
memory/1968-42-0x00007FF7C6910000-0x00007FF7C6C61000-memory.dmp

Filesize
3.3MB

Download
memory/1968-234-0x00007FF7C6910000-0x00007FF7C6C61000-memory.dmp

Filesize
3.3MB

Download
memory/1968-119-0x00007FF7C6910000-0x00007FF7C6C61000-memory.dmp

Filesize
3.3MB

Download
memory/2044-230-0x00007FF7EDE80000-0x00007FF7EE1D1000-memory.dmp

Filesize
3.3MB

Download
memory/2044-36-0x00007FF7EDE80000-0x00007FF7EE1D1000-memory.dmp

Filesize
3.3MB

Download
memory/2044-107-0x00007FF7EDE80000-0x00007FF7EE1D1000-memory.dmp

Filesize
3.3MB

Download
memory/2684-23-0x00007FF758100000-0x00007FF758451000-memory.dmp

Filesize
3.3MB

Download
memory/2684-224-0x00007FF758100000-0x00007FF758451000-memory.dmp

Filesize
3.3MB

Download
memory/2684-77-0x00007FF758100000-0x00007FF758451000-memory.dmp

Filesize
3.3MB

Download
memory/2704-158-0x00007FF6FE7A0000-0x00007FF6FEAF1000-memory.dmp

Filesize
3.3MB

Download
memory/2704-250-0x00007FF6FE7A0000-0x00007FF6FEAF1000-memory.dmp

Filesize
3.3MB

Download
memory/2704-86-0x00007FF6FE7A0000-0x00007FF6FEAF1000-memory.dmp

Filesize
3.3MB

Download
memory/2852-14-0x00007FF645510000-0x00007FF645861000-memory.dmp

Filesize
3.3MB

Download
memory/2852-71-0x00007FF645510000-0x00007FF645861000-memory.dmp

Filesize
3.3MB

Download
memory/2852-221-0x00007FF645510000-0x00007FF645861000-memory.dmp

Filesize
3.3MB

Download
memory/2900-118-0x00007FF6D22D0000-0x00007FF6D2621000-memory.dmp

Filesize
3.3MB

Download
memory/2900-264-0x00007FF6D22D0000-0x00007FF6D2621000-memory.dmp

Filesize
3.3MB

Download
memory/3016-0-0x00007FF7E48C0000-0x00007FF7E4C11000-memory.dmp

Filesize
3.3MB

Download
memory/3016-54-0x00007FF7E48C0000-0x00007FF7E4C11000-memory.dmp

Filesize
3.3MB

Download
memory/3016-165-0x00007FF7E48C0000-0x00007FF7E4C11000-memory.dmp

Filesize
3.3MB

Download
memory/3016-1-0x00000264EBA20000-0x00000264EBA30000-memory.dmp

Filesize
64KB

Download
memory/3016-139-0x00007FF7E48C0000-0x00007FF7E4C11000-memory.dmp

Filesize
3.3MB

Download
memory/3088-248-0x00007FF79D120000-0x00007FF79D471000-memory.dmp

Filesize
3.3MB

Download
memory/3088-83-0x00007FF79D120000-0x00007FF79D471000-memory.dmp

Filesize
3.3MB

Download
memory/3088-157-0x00007FF79D120000-0x00007FF79D471000-memory.dmp

Filesize
3.3MB

Download
memory/3180-99-0x00007FF6C6280000-0x00007FF6C65D1000-memory.dmp

Filesize
3.3MB

Download
memory/3180-228-0x00007FF6C6280000-0x00007FF6C65D1000-memory.dmp

Filesize
3.3MB

Download
memory/3180-32-0x00007FF6C6280000-0x00007FF6C65D1000-memory.dmp

Filesize
3.3MB

Download
memory/3408-270-0x00007FF7D64D0000-0x00007FF7D6821000-memory.dmp

Filesize
3.3MB

Download
memory/3408-128-0x00007FF7D64D0000-0x00007FF7D6821000-memory.dmp

Filesize
3.3MB

Download
memory/4004-226-0x00007FF655480000-0x00007FF6557D1000-memory.dmp

Filesize
3.3MB

Download
memory/4004-26-0x00007FF655480000-0x00007FF6557D1000-memory.dmp

Filesize
3.3MB

Download
memory/4004-91-0x00007FF655480000-0x00007FF6557D1000-memory.dmp

Filesize
3.3MB

Download
memory/4288-164-0x00007FF661FE0000-0x00007FF662331000-memory.dmp

Filesize
3.3MB

Download
memory/4288-273-0x00007FF661FE0000-0x00007FF662331000-memory.dmp

Filesize
3.3MB

Download
memory/4288-134-0x00007FF661FE0000-0x00007FF662331000-memory.dmp

Filesize
3.3MB

Download
memory/4300-63-0x00007FF659FB0000-0x00007FF65A301000-memory.dmp

Filesize
3.3MB

Download
memory/4300-214-0x00007FF659FB0000-0x00007FF65A301000-memory.dmp

Filesize
3.3MB

Download
memory/4300-8-0x00007FF659FB0000-0x00007FF65A301000-memory.dmp

Filesize
3.3MB

Download
memory/4496-252-0x00007FF70E0A0000-0x00007FF70E3F1000-memory.dmp

Filesize
3.3MB

Download
memory/4496-79-0x00007FF70E0A0000-0x00007FF70E3F1000-memory.dmp

Filesize
3.3MB

Download
memory/4496-149-0x00007FF70E0A0000-0x00007FF70E3F1000-memory.dmp

Filesize
3.3MB

Download
memory/4824-233-0x00007FF69B580000-0x00007FF69B8D1000-memory.dmp

Filesize
3.3MB

Download
memory/4824-132-0x00007FF69B580000-0x00007FF69B8D1000-memory.dmp

Filesize
3.3MB

Download
memory/4824-50-0x00007FF69B580000-0x00007FF69B8D1000-memory.dmp

Filesize
3.3MB

Download
memory/4856-113-0x00007FF68EEF0000-0x00007FF68F241000-memory.dmp

Filesize
3.3MB

Download
memory/4856-262-0x00007FF68EEF0000-0x00007FF68F241000-memory.dmp

Filesize
3.3MB

Download
memory/4864-247-0x00007FF6FBBF0000-0x00007FF6FBF41000-memory.dmp

Filesize
3.3MB

Download
memory/4864-150-0x00007FF6FBBF0000-0x00007FF6FBF41000-memory.dmp

Filesize
3.3MB

Download
memory/4864-78-0x00007FF6FBBF0000-0x00007FF6FBF41000-memory.dmp

Filesize
3.3MB

Download
memory/5112-129-0x00007FF7ABD20000-0x00007FF7AC071000-memory.dmp

Filesize
3.3MB

Download
memory/5112-267-0x00007FF7ABD20000-0x00007FF7AC071000-memory.dmp

Filesize
3.3MB

Download