cobaltstrike | 5b2ff3d35d1840383524e2cf1ea932e1154dac81d56e948a4df3442c90fc429d

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19/12/2024, 04:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

6b644b34cb4dace4ab654aec2d112036
SHA1

c30895f800c0a211d6a151db64c361022d755da2
SHA256

5b2ff3d35d1840383524e2cf1ea932e1154dac81d56e948a4df3442c90fc429d
SHA512

3a0434db696574299d1746fb02d393ba0aa8f5a03fca6aefa21ed5b962323e142f936852c1f1f48ef36c3d05ba6b89f16ae1efdf5cffce3a2e444b36c5a5bc29
SSDEEP

49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6le:RWWBibd56utgpPFotBER/mQ32lUi

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000c000000023b91-5.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9b-13.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9c-17.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9d-24.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9f-37.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba2-49.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023ba3-56.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023ba4-74.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023bc3-89.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bca-102.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023bc4-112.dat	cobalt_reflective_dll
behavioral2/files/0x000e000000023bc8-115.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023bc2-107.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bbd-104.dat	cobalt_reflective_dll
behavioral2/files/0x000e000000023bb4-99.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023ba5-97.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023bad-98.dat	cobalt_reflective_dll
behavioral2/files/0x000d000000023b93-83.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba1-47.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba0-46.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9e-31.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/2060-120-0x00007FF7873F0000-0x00007FF787741000-memory.dmp	xmrig
behavioral2/memory/4780-126-0x00007FF7DD970000-0x00007FF7DDCC1000-memory.dmp	xmrig
behavioral2/memory/3028-125-0x00007FF7C7020000-0x00007FF7C7371000-memory.dmp	xmrig
behavioral2/memory/1628-124-0x00007FF7ACB40000-0x00007FF7ACE91000-memory.dmp	xmrig
behavioral2/memory/2440-123-0x00007FF65D790000-0x00007FF65DAE1000-memory.dmp	xmrig
behavioral2/memory/2936-122-0x00007FF619FB0000-0x00007FF61A301000-memory.dmp	xmrig
behavioral2/memory/1364-119-0x00007FF7EEBC0000-0x00007FF7EEF11000-memory.dmp	xmrig
behavioral2/memory/3036-118-0x00007FF792EF0000-0x00007FF793241000-memory.dmp	xmrig
behavioral2/memory/2736-114-0x00007FF7ECB10000-0x00007FF7ECE61000-memory.dmp	xmrig
behavioral2/memory/4516-86-0x00007FF7996D0000-0x00007FF799A21000-memory.dmp	xmrig
behavioral2/memory/3640-69-0x00007FF663AE0000-0x00007FF663E31000-memory.dmp	xmrig
behavioral2/memory/3512-22-0x00007FF6669C0000-0x00007FF666D11000-memory.dmp	xmrig
behavioral2/memory/4516-139-0x00007FF7996D0000-0x00007FF799A21000-memory.dmp	xmrig
behavioral2/memory/4080-132-0x00007FF628B00000-0x00007FF628E51000-memory.dmp	xmrig
behavioral2/memory/3892-130-0x00007FF7813D0000-0x00007FF781721000-memory.dmp	xmrig
behavioral2/memory/1228-129-0x00007FF7E8680000-0x00007FF7E89D1000-memory.dmp	xmrig
behavioral2/memory/5092-142-0x00007FF7F7FD0000-0x00007FF7F8321000-memory.dmp	xmrig
behavioral2/memory/1044-141-0x00007FF7D31D0000-0x00007FF7D3521000-memory.dmp	xmrig
behavioral2/memory/1212-136-0x00007FF67DC60000-0x00007FF67DFB1000-memory.dmp	xmrig
behavioral2/memory/3296-135-0x00007FF62B350000-0x00007FF62B6A1000-memory.dmp	xmrig
behavioral2/memory/5116-134-0x00007FF7664B0000-0x00007FF766801000-memory.dmp	xmrig
behavioral2/memory/2428-133-0x00007FF75B490000-0x00007FF75B7E1000-memory.dmp	xmrig
behavioral2/memory/1604-128-0x00007FF677B00000-0x00007FF677E51000-memory.dmp	xmrig
behavioral2/memory/1604-172-0x00007FF677B00000-0x00007FF677E51000-memory.dmp	xmrig
behavioral2/memory/1228-203-0x00007FF7E8680000-0x00007FF7E89D1000-memory.dmp	xmrig
behavioral2/memory/3512-205-0x00007FF6669C0000-0x00007FF666D11000-memory.dmp	xmrig
behavioral2/memory/3892-219-0x00007FF7813D0000-0x00007FF781721000-memory.dmp	xmrig
behavioral2/memory/2428-224-0x00007FF75B490000-0x00007FF75B7E1000-memory.dmp	xmrig
behavioral2/memory/3640-227-0x00007FF663AE0000-0x00007FF663E31000-memory.dmp	xmrig
behavioral2/memory/3296-228-0x00007FF62B350000-0x00007FF62B6A1000-memory.dmp	xmrig
behavioral2/memory/5116-232-0x00007FF7664B0000-0x00007FF766801000-memory.dmp	xmrig
behavioral2/memory/1212-230-0x00007FF67DC60000-0x00007FF67DFB1000-memory.dmp	xmrig
behavioral2/memory/1364-238-0x00007FF7EEBC0000-0x00007FF7EEF11000-memory.dmp	xmrig
behavioral2/memory/2440-255-0x00007FF65D790000-0x00007FF65DAE1000-memory.dmp	xmrig
behavioral2/memory/4780-256-0x00007FF7DD970000-0x00007FF7DDCC1000-memory.dmp	xmrig
behavioral2/memory/4080-253-0x00007FF628B00000-0x00007FF628E51000-memory.dmp	xmrig
behavioral2/memory/2736-249-0x00007FF7ECB10000-0x00007FF7ECE61000-memory.dmp	xmrig
behavioral2/memory/3028-246-0x00007FF7C7020000-0x00007FF7C7371000-memory.dmp	xmrig
behavioral2/memory/1628-244-0x00007FF7ACB40000-0x00007FF7ACE91000-memory.dmp	xmrig
behavioral2/memory/4516-251-0x00007FF7996D0000-0x00007FF799A21000-memory.dmp	xmrig
behavioral2/memory/3036-242-0x00007FF792EF0000-0x00007FF793241000-memory.dmp	xmrig
behavioral2/memory/2060-237-0x00007FF7873F0000-0x00007FF787741000-memory.dmp	xmrig
behavioral2/memory/2936-235-0x00007FF619FB0000-0x00007FF61A301000-memory.dmp	xmrig
behavioral2/memory/5092-240-0x00007FF7F7FD0000-0x00007FF7F8321000-memory.dmp	xmrig
behavioral2/memory/1044-260-0x00007FF7D31D0000-0x00007FF7D3521000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
1228	TtvmODL.exe
3892	rjxFijl.exe
3512	mUBFSmo.exe
2428	SLhflok.exe
4080	AaYFqDK.exe
5116	nWzjEyO.exe
3296	MVfNvbP.exe
1212	eKZjHBV.exe
3640	gsIGVFU.exe
2440	IfrHhFS.exe
4516	UOePENi.exe
1628	AqvLmKS.exe
1044	YsWIKOi.exe
5092	hFJCyoi.exe
2736	qEyiZGj.exe
3028	ShmAaSD.exe
3036	sxJCfQr.exe
1364	oHIPAny.exe
2060	SiNhIlf.exe
4780	qzeKBgq.exe
2936	BCnnzoo.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1604-0-0x00007FF677B00000-0x00007FF677E51000-memory.dmp	upx
behavioral2/files/0x000c000000023b91-5.dat	upx
behavioral2/memory/1228-11-0x00007FF7E8680000-0x00007FF7E89D1000-memory.dmp	upx
behavioral2/files/0x000a000000023b9b-13.dat	upx
behavioral2/files/0x000a000000023b9c-17.dat	upx
behavioral2/files/0x000a000000023b9d-24.dat	upx
behavioral2/files/0x000a000000023b9f-37.dat	upx
behavioral2/files/0x000a000000023ba2-49.dat	upx
behavioral2/files/0x000b000000023ba3-56.dat	upx
behavioral2/files/0x000b000000023ba4-74.dat	upx
behavioral2/files/0x0009000000023bc3-89.dat	upx
behavioral2/files/0x0008000000023bca-102.dat	upx
behavioral2/files/0x0009000000023bc4-112.dat	upx
behavioral2/memory/2060-120-0x00007FF7873F0000-0x00007FF787741000-memory.dmp	upx
behavioral2/memory/4780-126-0x00007FF7DD970000-0x00007FF7DDCC1000-memory.dmp	upx
behavioral2/memory/3028-125-0x00007FF7C7020000-0x00007FF7C7371000-memory.dmp	upx
behavioral2/memory/1628-124-0x00007FF7ACB40000-0x00007FF7ACE91000-memory.dmp	upx
behavioral2/memory/2440-123-0x00007FF65D790000-0x00007FF65DAE1000-memory.dmp	upx
behavioral2/memory/2936-122-0x00007FF619FB0000-0x00007FF61A301000-memory.dmp	upx
behavioral2/memory/1364-119-0x00007FF7EEBC0000-0x00007FF7EEF11000-memory.dmp	upx
behavioral2/memory/3036-118-0x00007FF792EF0000-0x00007FF793241000-memory.dmp	upx
behavioral2/files/0x000e000000023bc8-115.dat	upx
behavioral2/memory/2736-114-0x00007FF7ECB10000-0x00007FF7ECE61000-memory.dmp	upx
behavioral2/files/0x0009000000023bc2-107.dat	upx
behavioral2/files/0x0008000000023bbd-104.dat	upx
behavioral2/memory/5092-103-0x00007FF7F7FD0000-0x00007FF7F8321000-memory.dmp	upx
behavioral2/files/0x000e000000023bb4-99.dat	upx
behavioral2/files/0x000b000000023ba5-97.dat	upx
behavioral2/files/0x000a000000023bad-98.dat	upx
behavioral2/memory/1044-95-0x00007FF7D31D0000-0x00007FF7D3521000-memory.dmp	upx
behavioral2/memory/4516-86-0x00007FF7996D0000-0x00007FF799A21000-memory.dmp	upx
behavioral2/files/0x000d000000023b93-83.dat	upx
behavioral2/memory/3640-69-0x00007FF663AE0000-0x00007FF663E31000-memory.dmp	upx
behavioral2/memory/5116-60-0x00007FF7664B0000-0x00007FF766801000-memory.dmp	upx
behavioral2/files/0x000a000000023ba1-47.dat	upx
behavioral2/files/0x000a000000023ba0-46.dat	upx
behavioral2/memory/1212-44-0x00007FF67DC60000-0x00007FF67DFB1000-memory.dmp	upx
behavioral2/memory/3296-40-0x00007FF62B350000-0x00007FF62B6A1000-memory.dmp	upx
behavioral2/memory/4080-34-0x00007FF628B00000-0x00007FF628E51000-memory.dmp	upx
behavioral2/memory/2428-32-0x00007FF75B490000-0x00007FF75B7E1000-memory.dmp	upx
behavioral2/files/0x000a000000023b9e-31.dat	upx
behavioral2/memory/3512-22-0x00007FF6669C0000-0x00007FF666D11000-memory.dmp	upx
behavioral2/memory/3892-14-0x00007FF7813D0000-0x00007FF781721000-memory.dmp	upx
behavioral2/memory/4516-139-0x00007FF7996D0000-0x00007FF799A21000-memory.dmp	upx
behavioral2/memory/4080-132-0x00007FF628B00000-0x00007FF628E51000-memory.dmp	upx
behavioral2/memory/3892-130-0x00007FF7813D0000-0x00007FF781721000-memory.dmp	upx
behavioral2/memory/1228-129-0x00007FF7E8680000-0x00007FF7E89D1000-memory.dmp	upx
behavioral2/memory/5092-142-0x00007FF7F7FD0000-0x00007FF7F8321000-memory.dmp	upx
behavioral2/memory/1044-141-0x00007FF7D31D0000-0x00007FF7D3521000-memory.dmp	upx
behavioral2/memory/1212-136-0x00007FF67DC60000-0x00007FF67DFB1000-memory.dmp	upx
behavioral2/memory/3296-135-0x00007FF62B350000-0x00007FF62B6A1000-memory.dmp	upx
behavioral2/memory/5116-134-0x00007FF7664B0000-0x00007FF766801000-memory.dmp	upx
behavioral2/memory/2428-133-0x00007FF75B490000-0x00007FF75B7E1000-memory.dmp	upx
behavioral2/memory/1604-128-0x00007FF677B00000-0x00007FF677E51000-memory.dmp	upx
behavioral2/memory/1604-172-0x00007FF677B00000-0x00007FF677E51000-memory.dmp	upx
behavioral2/memory/1228-203-0x00007FF7E8680000-0x00007FF7E89D1000-memory.dmp	upx
behavioral2/memory/3512-205-0x00007FF6669C0000-0x00007FF666D11000-memory.dmp	upx
behavioral2/memory/3892-219-0x00007FF7813D0000-0x00007FF781721000-memory.dmp	upx
behavioral2/memory/2428-224-0x00007FF75B490000-0x00007FF75B7E1000-memory.dmp	upx
behavioral2/memory/3640-227-0x00007FF663AE0000-0x00007FF663E31000-memory.dmp	upx
behavioral2/memory/3296-228-0x00007FF62B350000-0x00007FF62B6A1000-memory.dmp	upx
behavioral2/memory/5116-232-0x00007FF7664B0000-0x00007FF766801000-memory.dmp	upx
behavioral2/memory/1212-230-0x00007FF67DC60000-0x00007FF67DFB1000-memory.dmp	upx
behavioral2/memory/1364-238-0x00007FF7EEBC0000-0x00007FF7EEF11000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\TtvmODL.exe	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MVfNvbP.exe	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hFJCyoi.exe	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qEyiZGj.exe	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oHIPAny.exe	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qzeKBgq.exe	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IfrHhFS.exe	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ShmAaSD.exe	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SiNhIlf.exe	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mUBFSmo.exe	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SLhflok.exe	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nWzjEyO.exe	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eKZjHBV.exe	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gsIGVFU.exe	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UOePENi.exe	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AqvLmKS.exe	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YsWIKOi.exe	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rjxFijl.exe	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AaYFqDK.exe	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sxJCfQr.exe	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BCnnzoo.exe	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1604	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	1604	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1604 wrote to memory of 1228	1604	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 1604 wrote to memory of 1228	1604	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 1604 wrote to memory of 3892	1604	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 1604 wrote to memory of 3892	1604	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 1604 wrote to memory of 3512	1604	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 1604 wrote to memory of 3512	1604	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 1604 wrote to memory of 4080	1604	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 1604 wrote to memory of 4080	1604	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 1604 wrote to memory of 2428	1604	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 1604 wrote to memory of 2428	1604	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 1604 wrote to memory of 5116	1604	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 1604 wrote to memory of 5116	1604	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 1604 wrote to memory of 3296	1604	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 1604 wrote to memory of 3296	1604	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 1604 wrote to memory of 1212	1604	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1604 wrote to memory of 1212	1604	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1604 wrote to memory of 3640	1604	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1604 wrote to memory of 3640	1604	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1604 wrote to memory of 2440	1604	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1604 wrote to memory of 2440	1604	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1604 wrote to memory of 4516	1604	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1604 wrote to memory of 4516	1604	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1604 wrote to memory of 1628	1604	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 1604 wrote to memory of 1628	1604	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 1604 wrote to memory of 1044	1604	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1604 wrote to memory of 1044	1604	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1604 wrote to memory of 5092	1604	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1604 wrote to memory of 5092	1604	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1604 wrote to memory of 2736	1604	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 1604 wrote to memory of 2736	1604	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 1604 wrote to memory of 3028	1604	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1604 wrote to memory of 3028	1604	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1604 wrote to memory of 3036	1604	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1604 wrote to memory of 3036	1604	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1604 wrote to memory of 1364	1604	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1604 wrote to memory of 1364	1604	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1604 wrote to memory of 2060	1604	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1604 wrote to memory of 2060	1604	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1604 wrote to memory of 4780	1604	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1604 wrote to memory of 4780	1604	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1604 wrote to memory of 2936	1604	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 1604 wrote to memory of 2936	1604	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe	103

C:\Users\Admin\AppData\Local\Temp\2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1604
- C:\Windows\System\TtvmODL.exe
  C:\Windows\System\TtvmODL.exe
  2⤵
  - Executes dropped EXE
  PID:1228
- C:\Windows\System\rjxFijl.exe
  C:\Windows\System\rjxFijl.exe
  2⤵
  - Executes dropped EXE
  PID:3892
- C:\Windows\System\mUBFSmo.exe
  C:\Windows\System\mUBFSmo.exe
  2⤵
  - Executes dropped EXE
  PID:3512
- C:\Windows\System\AaYFqDK.exe
  C:\Windows\System\AaYFqDK.exe
  2⤵
  - Executes dropped EXE
  PID:4080
- C:\Windows\System\SLhflok.exe
  C:\Windows\System\SLhflok.exe
  2⤵
  - Executes dropped EXE
  PID:2428
- C:\Windows\System\nWzjEyO.exe
  C:\Windows\System\nWzjEyO.exe
  2⤵
  - Executes dropped EXE
  PID:5116
- C:\Windows\System\MVfNvbP.exe
  C:\Windows\System\MVfNvbP.exe
  2⤵
  - Executes dropped EXE
  PID:3296
- C:\Windows\System\eKZjHBV.exe
  C:\Windows\System\eKZjHBV.exe
  2⤵
  - Executes dropped EXE
  PID:1212
- C:\Windows\System\gsIGVFU.exe
  C:\Windows\System\gsIGVFU.exe
  2⤵
  - Executes dropped EXE
  PID:3640
- C:\Windows\System\IfrHhFS.exe
  C:\Windows\System\IfrHhFS.exe
  2⤵
  - Executes dropped EXE
  PID:2440
- C:\Windows\System\UOePENi.exe
  C:\Windows\System\UOePENi.exe
  2⤵
  - Executes dropped EXE
  PID:4516
- C:\Windows\System\AqvLmKS.exe
  C:\Windows\System\AqvLmKS.exe
  2⤵
  - Executes dropped EXE
  PID:1628
- C:\Windows\System\YsWIKOi.exe
  C:\Windows\System\YsWIKOi.exe
  2⤵
  - Executes dropped EXE
  PID:1044
- C:\Windows\System\hFJCyoi.exe
  C:\Windows\System\hFJCyoi.exe
  2⤵
  - Executes dropped EXE
  PID:5092
- C:\Windows\System\qEyiZGj.exe
  C:\Windows\System\qEyiZGj.exe
  2⤵
  - Executes dropped EXE
  PID:2736
- C:\Windows\System\ShmAaSD.exe
  C:\Windows\System\ShmAaSD.exe
  2⤵
  - Executes dropped EXE
  PID:3028
- C:\Windows\System\sxJCfQr.exe
  C:\Windows\System\sxJCfQr.exe
  2⤵
  - Executes dropped EXE
  PID:3036
- C:\Windows\System\oHIPAny.exe
  C:\Windows\System\oHIPAny.exe
  2⤵
  - Executes dropped EXE
  PID:1364
- C:\Windows\System\SiNhIlf.exe
  C:\Windows\System\SiNhIlf.exe
  2⤵
  - Executes dropped EXE
  PID:2060
- C:\Windows\System\qzeKBgq.exe
  C:\Windows\System\qzeKBgq.exe
  2⤵
  - Executes dropped EXE
  PID:4780
- C:\Windows\System\BCnnzoo.exe
  C:\Windows\System\BCnnzoo.exe
  2⤵
  - Executes dropped EXE
  PID:2936

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AaYFqDK.exe

Filesize
5.2MB

MD5
34ac18319dac02895839b03cc6e9e02b

SHA1
92b11c9b78140862e59ddde52c9c16665461ae63

SHA256
b34ae026c5bdb7ea36edef775fc1e0f7952d01f57990a86ef03c449aa848694f

SHA512
48a5571e5a3b10473e4e03785679436cf8d322c8198d6a7cfb9c179bf7faaeaca776cb74fb65d63e266d5ee9eb9bd661caa735dbb91792aa5d7b6d0a77d1f825

Download Submit
C:\Windows\System\AqvLmKS.exe

Filesize
5.2MB

MD5
8f1e76f2b54fcd7b5692274c41cba4f8

SHA1
099b34117e3040eba25a9f33e89ba360f5b231f0

SHA256
80aa37171e9ffff89dfe65be6d32aad9ea67735e90d38d804aa10813e219feb5

SHA512
78f4af6d4b588b139685e80dd39baa506ab8f6f53030f845d27a9ae5845541bfbf5c3549613d4d77241eac612875608a1b4ca3d0a69a48d4d0d289768e2da18e

Download Submit
C:\Windows\System\BCnnzoo.exe

Filesize
5.2MB

MD5
f2a8f2001bcfb54e149ffc6faae40184

SHA1
38ef679217a7377ece929fca790dd625d4ef1482

SHA256
1cb802887758e75b962db398c73cfc89cf387389d0bb898c639ff53df975ec6b

SHA512
fb1d63d594ad565fdd2344ac76d2381069a32b67a6881d47f4b39d164af029d9b4fe717140aecf305812e83a650de515086eb25a257ce7b21858547b25556b15

Download Submit
C:\Windows\System\IfrHhFS.exe

Filesize
5.2MB

MD5
965035a423b6fba022eaecb5edcd2754

SHA1
5143e26d646eeb4e3a71b1b59bf7bdc8f5cad806

SHA256
449fef97252b81c4fb923d7c670d02a6f11a20ca6e7df0737bde7178c0803e88

SHA512
ce3f1a91e8ac7a6a99ebc297112ddea191313f1cdad07d3a9748950df161cd7e4dd0be5cf02c9ced1d2da5e0c83ef03a2d991836cf41cc2301ce7b85a7415fc5

Download Submit
C:\Windows\System\MVfNvbP.exe

Filesize
5.2MB

MD5
65aa90cc8ca447de96aef7432b8c1946

SHA1
86c3f59ccd8f09b3e8bc26e884fb17c0e007ec81

SHA256
5576f22306e19038266701a5da406b562037ea2155e518b9ea5547a4d87ef8e9

SHA512
00f8ae2f7bb99da80767aea140c79209254aa982ef74b848d4ea4a3b3de579fca0ef27a857b22e0e5c789c48efbea21fa896ac598ca5e97d3f521316c4337227

Download Submit
C:\Windows\System\SLhflok.exe

Filesize
5.2MB

MD5
98f49823e225675bcea4215da1c2a651

SHA1
8100fb92ced1770f83659d887d7533d674dd1824

SHA256
bd8dd3d35ec3846ababc81ec72761e892ae71729c2e875d54f44b03b35ddd9a0

SHA512
c5fdce2ba71402de4d5d8f124653bed51905e8c097b9f1f311f64cc63255edf1e6bcd1c3240892a6059c41e209431de8a05b74eac0406abb2f56e55843877bd9

Download Submit
C:\Windows\System\ShmAaSD.exe

Filesize
5.2MB

MD5
bc072fd2c70ec6e3fd49763ad7d2a796

SHA1
b47d917ebe26f798d670324eb9436800a6c1279c

SHA256
4f305bb99f7190645421c05c541a5f8130e30a6ac4337fb4848094e348dbb6a4

SHA512
5d5f62b16c3c4fd39b0105bfb5eb02544dc609b8d9eb25c35bf46aa21832f07dfd303de3d2544deff75d16ac9b0b55dde7f17302195dcff2e2dd06107bfce18e

Download Submit
C:\Windows\System\SiNhIlf.exe

Filesize
5.2MB

MD5
4d45b60369b2b7f622577ffec93230ac

SHA1
48a967490bc06bbd3bb826762277331fd80c39e0

SHA256
e919c8491de6e1841a8d05ebc4eee341f0a9e93ac681b9245536c2dcd22102b4

SHA512
a1106dcddec1ad56b35f0bbc3fbed352c2178852199da0b924e0519942c30f6d3bd2edaf589b85fbbfc9faa040fe56afd8d8a20ec42c1caa18437749fff608db

Download Submit
C:\Windows\System\TtvmODL.exe

Filesize
5.2MB

MD5
1cf9f5ba07710cd3975d850e66e9bf02

SHA1
77ee69d421b45510a38f724055ac7f79dbdf050d

SHA256
46d2affe6cf047c2a5a39f913fa7ca2d04bd889be5fa840df676db52835530ac

SHA512
b18e4342ce16f28938213c7a2ed327b14cb50f7c93de033ff02195c4b72eb1dfb99debe7070fdc3170364c5339c0b6e2c4f06ab3ade88a15de73155076c65c27

Download Submit
C:\Windows\System\UOePENi.exe

Filesize
5.2MB

MD5
65717bbd28f2c2e3aa31e5b35cf4348f

SHA1
ea87faba514ba66df4a75928fe1f8c514e433cf7

SHA256
bfda004941127a1f7aa394d03e124e89ae250f914b0ce918589b3f5c6905f113

SHA512
1e46aa2244d1b10617323c56e9a55b5999ef5e2524922dea1c5d09fd209b9de06a2805256a4b2fe234fc30bcd9622876f2387836facf7e1318940336e577f3ed

Download Submit
C:\Windows\System\YsWIKOi.exe

Filesize
5.2MB

MD5
8bd742ef78d6910445831723f53c1b8c

SHA1
c862cd8801ca4bbe90b844d3432aa80e1605dc48

SHA256
a5d098b865f1d755f9982686e4c2470535f53f7e85d9ce83ab4eb186257c92c3

SHA512
e589ce7bedc01de588402360aaf8da544907d7d5aebc1f5d6b65cbacaa13788fafe8a71425025602edc9e9d083981fd0df14ea43e914edb5aaead40682f46707

Download Submit
C:\Windows\System\eKZjHBV.exe

Filesize
5.2MB

MD5
c0a8a64fdfd8f493b6516257f949f7a5

SHA1
dec8024737d56f09199792b84d67789f90d21cd4

SHA256
d10522ca86f988fcfab99a58691bc0fdb7fbd482dad2003f9faa5233c1ae665e

SHA512
030425d7d637f70b674783b61410248d11c241a3587f363afd6cea2b793a6fc4cc5b17d7177a9f735bd1011f8c95e907880cfc2b077f6d8f65406fed603083e9

Download Submit
C:\Windows\System\gsIGVFU.exe

Filesize
5.2MB

MD5
57aedb8c3ae5ae1eb7418ab7e3f7c836

SHA1
8035bafa7edf6f294928bb75afbda8a8c97b781a

SHA256
e0dc7aa4209402754d385b4398e97532706a3ac22682722d2d4caa22c59f15be

SHA512
3f96b6b5b69e2a96087a10fe7222e13a01115a1ed946c89f3473b9da0d375408f0ccf38ccd906a4d4e9575278a79984cc2db2f8306ffd2a6cf00a5d4d1590480

Download Submit
C:\Windows\System\hFJCyoi.exe

Filesize
5.2MB

MD5
9c08a305393427d9fffc554ee607302c

SHA1
6d63b1cec629c0e1af6421b4df72ea77e3464b5f

SHA256
2136e30d8f7c12b837620d0cfdb72a6e5e0e1e5422769c04e66d32ec339600e3

SHA512
9afa0f6d67ae68fbe74902daf542f042ee7580acc871f34b2d00077a2fed25bb6197f652b9ed92a9b2d9932e7aecd13bffcc680c3ea5fb3b7b62c9ff6e0d02a7

Download Submit
C:\Windows\System\mUBFSmo.exe

Filesize
5.2MB

MD5
d1108b209ddb2c8aebab09564da9ff52

SHA1
a78b783111049f5eb23456feef28994bcc77d446

SHA256
5c3a65f3434c4e37ba92cbf02308c4cb3ed5b61919ad1c98e87300a9f5955214

SHA512
af12ca5ff94b481a38315877c70ed3b6975e38af178407309a6c2b7547d0618cf8d35756be66db0ec11d87ea88b28da06e8559824bd721735eca2ad6de36bc1a

Download Submit
C:\Windows\System\nWzjEyO.exe

Filesize
5.2MB

MD5
be2bc210846604741562a4d1336fc9ee

SHA1
a35b53519249cab71e39408754b4034891ef1255

SHA256
5eb14c8765c67118bfefb3e51bbbc6e58b3644e52b97ac04b8213a405eacd490

SHA512
381e3633af1853dea8e9c16f7de1f381aef4769139ca8d515bb474c10f4d711c55d8a11a586ab68f8f1e615bdfb42ca50dd3b64201bec8edfaa2bd53c7f941fa

Download Submit
C:\Windows\System\oHIPAny.exe

Filesize
5.2MB

MD5
dc2b8841c4c464bd8fd46bd7f6a849fc

SHA1
2fdb32357f56dd6f46cf9060feb15f3040d15637

SHA256
ebb633619e477596d6116b87a6613e50500bc52ac81cf2992f69b1f997224194

SHA512
3eb618969fe0c54041753179c6c2560bf91162c569e33b5fcaf18c46f794c194d543d74c670079740b2b6c2e3a17503698b022cc85edbfce9d53f5d97603f493

Download Submit
C:\Windows\System\qEyiZGj.exe

Filesize
5.2MB

MD5
2680a28e92f018b2e6f614a74c550daf

SHA1
b5bd6a7e3a87c422ee205f93b762efc3dc70f808

SHA256
319774e540e6ee89837b6aa200e3e1ffe3c7272c6951945f12b949bc5d705df7

SHA512
4bde2b8b349deaf790b5f1cdce36199f7b5f5fe53c05f5931cb7c9d474bbb186bbc2f7f28309c6e410e3ad1c5229f7adf1b901d950986daf0a8c6377b7c61ec6

Download Submit
C:\Windows\System\qzeKBgq.exe

Filesize
5.2MB

MD5
605b2d627be06ccf0d88a9618c9e72d2

SHA1
c35aca31ffabe88d3258147cf69690318d7198f7

SHA256
870ef775162aa2013e13748f7a5055436ddebd9f9d1a5e6da44c73575b2701fb

SHA512
72a9e402a941aed1215b5e7b1b08fe7651589a830339178c25b37183a7ed6116e28dda4b4e41b14e3df40851e4bda9cb3d963e7bf82550d26d24943e2bbe03aa

Download Submit
C:\Windows\System\rjxFijl.exe

Filesize
5.2MB

MD5
a1dd5273fa076e1289982dcc784c26c4

SHA1
4a8e50b416a0a86e05bd882b3c54b98762e1a0ad

SHA256
9459620f47b97f7cbf61bdd896f7ac729992d6e27d4272edf171468a94469e95

SHA512
daf6fa146cdf4f49cfb39ccd763128127522c1133132b081dfda414328dea23cb81d42a86fb90f77fec968aa75cd999b5a1c871f21bb467e81b93bff07c7f7e2

Download Submit
C:\Windows\System\sxJCfQr.exe

Filesize
5.2MB

MD5
89dbe43aad371e4ed5fff3df59a5bbf1

SHA1
dc9fbfd3a1cb6cd93df1d7cda8abd4ea34713af4

SHA256
08f265a4f51f70d2797c604b87b3a8021ba6cbce0d9e74928c097e5f4ee81aa4

SHA512
c105412c967c79821bd79b1dac3a332a4bd622453989bbacc80e0480451024b3eed7dc638a31934fa155016dee0ff2c6586450a142db1b3e53280c178df2da53

Download Submit
memory/1044-95-0x00007FF7D31D0000-0x00007FF7D3521000-memory.dmp

Filesize
3.3MB

Download
memory/1044-141-0x00007FF7D31D0000-0x00007FF7D3521000-memory.dmp

Filesize
3.3MB

Download
memory/1044-260-0x00007FF7D31D0000-0x00007FF7D3521000-memory.dmp

Filesize
3.3MB

Download
memory/1212-230-0x00007FF67DC60000-0x00007FF67DFB1000-memory.dmp

Filesize
3.3MB

Download
memory/1212-136-0x00007FF67DC60000-0x00007FF67DFB1000-memory.dmp

Filesize
3.3MB

Download
memory/1212-44-0x00007FF67DC60000-0x00007FF67DFB1000-memory.dmp

Filesize
3.3MB

Download
memory/1228-129-0x00007FF7E8680000-0x00007FF7E89D1000-memory.dmp

Filesize
3.3MB

Download
memory/1228-203-0x00007FF7E8680000-0x00007FF7E89D1000-memory.dmp

Filesize
3.3MB

Download
memory/1228-11-0x00007FF7E8680000-0x00007FF7E89D1000-memory.dmp

Filesize
3.3MB

Download
memory/1364-119-0x00007FF7EEBC0000-0x00007FF7EEF11000-memory.dmp

Filesize
3.3MB

Download
memory/1364-238-0x00007FF7EEBC0000-0x00007FF7EEF11000-memory.dmp

Filesize
3.3MB

Download
memory/1604-1-0x000001DA90600000-0x000001DA90610000-memory.dmp

Filesize
64KB

Download
memory/1604-172-0x00007FF677B00000-0x00007FF677E51000-memory.dmp

Filesize
3.3MB

Download
memory/1604-128-0x00007FF677B00000-0x00007FF677E51000-memory.dmp

Filesize
3.3MB

Download
memory/1604-0-0x00007FF677B00000-0x00007FF677E51000-memory.dmp

Filesize
3.3MB

Download
memory/1628-244-0x00007FF7ACB40000-0x00007FF7ACE91000-memory.dmp

Filesize
3.3MB

Download
memory/1628-124-0x00007FF7ACB40000-0x00007FF7ACE91000-memory.dmp

Filesize
3.3MB

Download
memory/2060-120-0x00007FF7873F0000-0x00007FF787741000-memory.dmp

Filesize
3.3MB

Download
memory/2060-237-0x00007FF7873F0000-0x00007FF787741000-memory.dmp

Filesize
3.3MB

Download
memory/2428-224-0x00007FF75B490000-0x00007FF75B7E1000-memory.dmp

Filesize
3.3MB

Download
memory/2428-32-0x00007FF75B490000-0x00007FF75B7E1000-memory.dmp

Filesize
3.3MB

Download
memory/2428-133-0x00007FF75B490000-0x00007FF75B7E1000-memory.dmp

Filesize
3.3MB

Download
memory/2440-123-0x00007FF65D790000-0x00007FF65DAE1000-memory.dmp

Filesize
3.3MB

Download
memory/2440-255-0x00007FF65D790000-0x00007FF65DAE1000-memory.dmp

Filesize
3.3MB

Download
memory/2736-249-0x00007FF7ECB10000-0x00007FF7ECE61000-memory.dmp

Filesize
3.3MB

Download
memory/2736-114-0x00007FF7ECB10000-0x00007FF7ECE61000-memory.dmp

Filesize
3.3MB

Download
memory/2936-235-0x00007FF619FB0000-0x00007FF61A301000-memory.dmp

Filesize
3.3MB

Download
memory/2936-122-0x00007FF619FB0000-0x00007FF61A301000-memory.dmp

Filesize
3.3MB

Download
memory/3028-246-0x00007FF7C7020000-0x00007FF7C7371000-memory.dmp

Filesize
3.3MB

Download
memory/3028-125-0x00007FF7C7020000-0x00007FF7C7371000-memory.dmp

Filesize
3.3MB

Download
memory/3036-242-0x00007FF792EF0000-0x00007FF793241000-memory.dmp

Filesize
3.3MB

Download
memory/3036-118-0x00007FF792EF0000-0x00007FF793241000-memory.dmp

Filesize
3.3MB

Download
memory/3296-40-0x00007FF62B350000-0x00007FF62B6A1000-memory.dmp

Filesize
3.3MB

Download
memory/3296-135-0x00007FF62B350000-0x00007FF62B6A1000-memory.dmp

Filesize
3.3MB

Download
memory/3296-228-0x00007FF62B350000-0x00007FF62B6A1000-memory.dmp

Filesize
3.3MB

Download
memory/3512-205-0x00007FF6669C0000-0x00007FF666D11000-memory.dmp

Filesize
3.3MB

Download
memory/3512-22-0x00007FF6669C0000-0x00007FF666D11000-memory.dmp

Filesize
3.3MB

Download
memory/3640-69-0x00007FF663AE0000-0x00007FF663E31000-memory.dmp

Filesize
3.3MB

Download
memory/3640-227-0x00007FF663AE0000-0x00007FF663E31000-memory.dmp

Filesize
3.3MB

Download
memory/3892-14-0x00007FF7813D0000-0x00007FF781721000-memory.dmp

Filesize
3.3MB

Download
memory/3892-219-0x00007FF7813D0000-0x00007FF781721000-memory.dmp

Filesize
3.3MB

Download
memory/3892-130-0x00007FF7813D0000-0x00007FF781721000-memory.dmp

Filesize
3.3MB

Download
memory/4080-34-0x00007FF628B00000-0x00007FF628E51000-memory.dmp

Filesize
3.3MB

Download
memory/4080-253-0x00007FF628B00000-0x00007FF628E51000-memory.dmp

Filesize
3.3MB

Download
memory/4080-132-0x00007FF628B00000-0x00007FF628E51000-memory.dmp

Filesize
3.3MB

Download
memory/4516-86-0x00007FF7996D0000-0x00007FF799A21000-memory.dmp

Filesize
3.3MB

Download
memory/4516-251-0x00007FF7996D0000-0x00007FF799A21000-memory.dmp

Filesize
3.3MB

Download
memory/4516-139-0x00007FF7996D0000-0x00007FF799A21000-memory.dmp

Filesize
3.3MB

Download
memory/4780-256-0x00007FF7DD970000-0x00007FF7DDCC1000-memory.dmp

Filesize
3.3MB

Download
memory/4780-126-0x00007FF7DD970000-0x00007FF7DDCC1000-memory.dmp

Filesize
3.3MB

Download
memory/5092-142-0x00007FF7F7FD0000-0x00007FF7F8321000-memory.dmp

Filesize
3.3MB

Download
memory/5092-103-0x00007FF7F7FD0000-0x00007FF7F8321000-memory.dmp

Filesize
3.3MB

Download
memory/5092-240-0x00007FF7F7FD0000-0x00007FF7F8321000-memory.dmp

Filesize
3.3MB

Download
memory/5116-232-0x00007FF7664B0000-0x00007FF766801000-memory.dmp

Filesize
3.3MB

Download
memory/5116-134-0x00007FF7664B0000-0x00007FF766801000-memory.dmp

Filesize
3.3MB

Download
memory/5116-60-0x00007FF7664B0000-0x00007FF766801000-memory.dmp

Filesize
3.3MB

Download