cobaltstrike | 80a40177f56f98c9afb5c2a5bc0c8211c455be62649065f5c3a12eeee939e72c

Analysis

max time kernel
140s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 02:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-22_3fea0dddf6745de4fd49e91754345bf8_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

3fea0dddf6745de4fd49e91754345bf8
SHA1

574788e037072fb5f36ec0cb632b6c4462ec6c19
SHA256

80a40177f56f98c9afb5c2a5bc0c8211c455be62649065f5c3a12eeee939e72c
SHA512

c5cecdcae033ebca1ae6af0c0e08eb76969d8643ef6e10218ed129499cc5e7a3c10357c1150c34664e2275bf7973d991200bf192ac4460aa0ac32aa8da7d7e38
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6ld:RWWBibf56utgpPFotBER/mQ32lU5

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0008000000023ca1-6.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca5-13.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca6-11.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca7-21.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca8-27.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca9-35.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cad-52.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cab-55.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cac-61.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb0-72.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cae-81.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb1-89.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb2-95.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb4-104.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023ca2-108.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb5-120.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb7-124.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb6-122.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb3-91.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023caf-83.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023caa-50.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 46 IoCs

miner

resource	yara_rule
behavioral2/memory/2216-113-0x00007FF647890000-0x00007FF647BE1000-memory.dmp	xmrig
behavioral2/memory/1936-102-0x00007FF61DAB0000-0x00007FF61DE01000-memory.dmp	xmrig
behavioral2/memory/4276-100-0x00007FF7C8220000-0x00007FF7C8571000-memory.dmp	xmrig
behavioral2/memory/4848-99-0x00007FF672D50000-0x00007FF6730A1000-memory.dmp	xmrig
behavioral2/memory/4776-94-0x00007FF7C4B10000-0x00007FF7C4E61000-memory.dmp	xmrig
behavioral2/memory/3292-87-0x00007FF7AC160000-0x00007FF7AC4B1000-memory.dmp	xmrig
behavioral2/memory/1756-46-0x00007FF6E5540000-0x00007FF6E5891000-memory.dmp	xmrig
behavioral2/memory/3640-128-0x00007FF78A0A0000-0x00007FF78A3F1000-memory.dmp	xmrig
behavioral2/memory/1696-129-0x00007FF7912D0000-0x00007FF791621000-memory.dmp	xmrig
behavioral2/memory/2696-127-0x00007FF68A9C0000-0x00007FF68AD11000-memory.dmp	xmrig
behavioral2/memory/4656-130-0x00007FF6DF720000-0x00007FF6DFA71000-memory.dmp	xmrig
behavioral2/memory/768-131-0x00007FF65B780000-0x00007FF65BAD1000-memory.dmp	xmrig
behavioral2/memory/1216-137-0x00007FF6FC1D0000-0x00007FF6FC521000-memory.dmp	xmrig
behavioral2/memory/3292-144-0x00007FF7AC160000-0x00007FF7AC4B1000-memory.dmp	xmrig
behavioral2/memory/3180-146-0x00007FF779B10000-0x00007FF779E61000-memory.dmp	xmrig
behavioral2/memory/5060-143-0x00007FF7394B0000-0x00007FF739801000-memory.dmp	xmrig
behavioral2/memory/3448-141-0x00007FF6441B0000-0x00007FF644501000-memory.dmp	xmrig
behavioral2/memory/3692-139-0x00007FF768C40000-0x00007FF768F91000-memory.dmp	xmrig
behavioral2/memory/2916-136-0x00007FF651790000-0x00007FF651AE1000-memory.dmp	xmrig
behavioral2/memory/1388-142-0x00007FF73FCB0000-0x00007FF740001000-memory.dmp	xmrig
behavioral2/memory/5064-140-0x00007FF65FD20000-0x00007FF660071000-memory.dmp	xmrig
behavioral2/memory/1936-132-0x00007FF61DAB0000-0x00007FF61DE01000-memory.dmp	xmrig
behavioral2/memory/868-149-0x00007FF6183E0000-0x00007FF618731000-memory.dmp	xmrig
behavioral2/memory/1124-150-0x00007FF688C90000-0x00007FF688FE1000-memory.dmp	xmrig
behavioral2/memory/1936-154-0x00007FF61DAB0000-0x00007FF61DE01000-memory.dmp	xmrig
behavioral2/memory/2216-205-0x00007FF647890000-0x00007FF647BE1000-memory.dmp	xmrig
behavioral2/memory/1696-207-0x00007FF7912D0000-0x00007FF791621000-memory.dmp	xmrig
behavioral2/memory/4656-224-0x00007FF6DF720000-0x00007FF6DFA71000-memory.dmp	xmrig
behavioral2/memory/2916-225-0x00007FF651790000-0x00007FF651AE1000-memory.dmp	xmrig
behavioral2/memory/1216-229-0x00007FF6FC1D0000-0x00007FF6FC521000-memory.dmp	xmrig
behavioral2/memory/1756-228-0x00007FF6E5540000-0x00007FF6E5891000-memory.dmp	xmrig
behavioral2/memory/3692-231-0x00007FF768C40000-0x00007FF768F91000-memory.dmp	xmrig
behavioral2/memory/5064-233-0x00007FF65FD20000-0x00007FF660071000-memory.dmp	xmrig
behavioral2/memory/3448-235-0x00007FF6441B0000-0x00007FF644501000-memory.dmp	xmrig
behavioral2/memory/1388-237-0x00007FF73FCB0000-0x00007FF740001000-memory.dmp	xmrig
behavioral2/memory/5060-239-0x00007FF7394B0000-0x00007FF739801000-memory.dmp	xmrig
behavioral2/memory/3292-241-0x00007FF7AC160000-0x00007FF7AC4B1000-memory.dmp	xmrig
behavioral2/memory/3180-244-0x00007FF779B10000-0x00007FF779E61000-memory.dmp	xmrig
behavioral2/memory/4848-247-0x00007FF672D50000-0x00007FF6730A1000-memory.dmp	xmrig
behavioral2/memory/4276-249-0x00007FF7C8220000-0x00007FF7C8571000-memory.dmp	xmrig
behavioral2/memory/4776-246-0x00007FF7C4B10000-0x00007FF7C4E61000-memory.dmp	xmrig
behavioral2/memory/3640-261-0x00007FF78A0A0000-0x00007FF78A3F1000-memory.dmp	xmrig
behavioral2/memory/768-259-0x00007FF65B780000-0x00007FF65BAD1000-memory.dmp	xmrig
behavioral2/memory/2696-257-0x00007FF68A9C0000-0x00007FF68AD11000-memory.dmp	xmrig
behavioral2/memory/868-255-0x00007FF6183E0000-0x00007FF618731000-memory.dmp	xmrig
behavioral2/memory/1124-254-0x00007FF688C90000-0x00007FF688FE1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2216	ueajFwF.exe
1696	lrefxIs.exe
4656	xzabvJD.exe
2916	LyePBoy.exe
1216	JXaoiQo.exe
1756	OVoPMhn.exe
3692	xNKGbZu.exe
5064	qaDAqdh.exe
3448	ZEZERmO.exe
1388	NNfIGIX.exe
5060	elUOvKp.exe
3292	FBzUolR.exe
4848	GXdintB.exe
3180	GgewAYW.exe
4276	rXaMMUE.exe
4776	rthHAXD.exe
868	CoGgNcJ.exe
1124	nqrkaoU.exe
768	VWUSYbb.exe
2696	rYHHjSR.exe
3640	PMknqPL.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1936-0-0x00007FF61DAB0000-0x00007FF61DE01000-memory.dmp	upx
behavioral2/files/0x0008000000023ca1-6.dat	upx
behavioral2/memory/2216-8-0x00007FF647890000-0x00007FF647BE1000-memory.dmp	upx
behavioral2/memory/1696-12-0x00007FF7912D0000-0x00007FF791621000-memory.dmp	upx
behavioral2/files/0x0007000000023ca5-13.dat	upx
behavioral2/files/0x0007000000023ca6-11.dat	upx
behavioral2/files/0x0007000000023ca7-21.dat	upx
behavioral2/files/0x0007000000023ca8-27.dat	upx
behavioral2/files/0x0007000000023ca9-35.dat	upx
behavioral2/files/0x0007000000023cad-52.dat	upx
behavioral2/memory/3692-53-0x00007FF768C40000-0x00007FF768F91000-memory.dmp	upx
behavioral2/files/0x0007000000023cab-55.dat	upx
behavioral2/files/0x0007000000023cac-61.dat	upx
behavioral2/files/0x0007000000023cb0-72.dat	upx
behavioral2/files/0x0007000000023cae-81.dat	upx
behavioral2/files/0x0007000000023cb1-89.dat	upx
behavioral2/files/0x0007000000023cb2-95.dat	upx
behavioral2/files/0x0007000000023cb4-104.dat	upx
behavioral2/files/0x0008000000023ca2-108.dat	upx
behavioral2/files/0x0007000000023cb5-120.dat	upx
behavioral2/files/0x0007000000023cb7-124.dat	upx
behavioral2/files/0x0007000000023cb6-122.dat	upx
behavioral2/memory/2216-113-0x00007FF647890000-0x00007FF647BE1000-memory.dmp	upx
behavioral2/memory/868-103-0x00007FF6183E0000-0x00007FF618731000-memory.dmp	upx
behavioral2/memory/1936-102-0x00007FF61DAB0000-0x00007FF61DE01000-memory.dmp	upx
behavioral2/memory/4276-100-0x00007FF7C8220000-0x00007FF7C8571000-memory.dmp	upx
behavioral2/memory/4848-99-0x00007FF672D50000-0x00007FF6730A1000-memory.dmp	upx
behavioral2/memory/4776-94-0x00007FF7C4B10000-0x00007FF7C4E61000-memory.dmp	upx
behavioral2/memory/3180-93-0x00007FF779B10000-0x00007FF779E61000-memory.dmp	upx
behavioral2/files/0x0007000000023cb3-91.dat	upx
behavioral2/memory/3292-87-0x00007FF7AC160000-0x00007FF7AC4B1000-memory.dmp	upx
behavioral2/files/0x0007000000023caf-83.dat	upx
behavioral2/memory/5060-77-0x00007FF7394B0000-0x00007FF739801000-memory.dmp	upx
behavioral2/memory/3448-59-0x00007FF6441B0000-0x00007FF644501000-memory.dmp	upx
behavioral2/memory/5064-57-0x00007FF65FD20000-0x00007FF660071000-memory.dmp	upx
behavioral2/memory/1388-54-0x00007FF73FCB0000-0x00007FF740001000-memory.dmp	upx
behavioral2/files/0x0007000000023caa-50.dat	upx
behavioral2/memory/1756-46-0x00007FF6E5540000-0x00007FF6E5891000-memory.dmp	upx
behavioral2/memory/1216-34-0x00007FF6FC1D0000-0x00007FF6FC521000-memory.dmp	upx
behavioral2/memory/2916-31-0x00007FF651790000-0x00007FF651AE1000-memory.dmp	upx
behavioral2/memory/4656-20-0x00007FF6DF720000-0x00007FF6DFA71000-memory.dmp	upx
behavioral2/memory/1124-126-0x00007FF688C90000-0x00007FF688FE1000-memory.dmp	upx
behavioral2/memory/3640-128-0x00007FF78A0A0000-0x00007FF78A3F1000-memory.dmp	upx
behavioral2/memory/1696-129-0x00007FF7912D0000-0x00007FF791621000-memory.dmp	upx
behavioral2/memory/2696-127-0x00007FF68A9C0000-0x00007FF68AD11000-memory.dmp	upx
behavioral2/memory/4656-130-0x00007FF6DF720000-0x00007FF6DFA71000-memory.dmp	upx
behavioral2/memory/768-131-0x00007FF65B780000-0x00007FF65BAD1000-memory.dmp	upx
behavioral2/memory/1216-137-0x00007FF6FC1D0000-0x00007FF6FC521000-memory.dmp	upx
behavioral2/memory/3292-144-0x00007FF7AC160000-0x00007FF7AC4B1000-memory.dmp	upx
behavioral2/memory/3180-146-0x00007FF779B10000-0x00007FF779E61000-memory.dmp	upx
behavioral2/memory/5060-143-0x00007FF7394B0000-0x00007FF739801000-memory.dmp	upx
behavioral2/memory/3448-141-0x00007FF6441B0000-0x00007FF644501000-memory.dmp	upx
behavioral2/memory/3692-139-0x00007FF768C40000-0x00007FF768F91000-memory.dmp	upx
behavioral2/memory/2916-136-0x00007FF651790000-0x00007FF651AE1000-memory.dmp	upx
behavioral2/memory/1388-142-0x00007FF73FCB0000-0x00007FF740001000-memory.dmp	upx
behavioral2/memory/5064-140-0x00007FF65FD20000-0x00007FF660071000-memory.dmp	upx
behavioral2/memory/1936-132-0x00007FF61DAB0000-0x00007FF61DE01000-memory.dmp	upx
behavioral2/memory/868-149-0x00007FF6183E0000-0x00007FF618731000-memory.dmp	upx
behavioral2/memory/1124-150-0x00007FF688C90000-0x00007FF688FE1000-memory.dmp	upx
behavioral2/memory/1936-154-0x00007FF61DAB0000-0x00007FF61DE01000-memory.dmp	upx
behavioral2/memory/2216-205-0x00007FF647890000-0x00007FF647BE1000-memory.dmp	upx
behavioral2/memory/1696-207-0x00007FF7912D0000-0x00007FF791621000-memory.dmp	upx
behavioral2/memory/4656-224-0x00007FF6DF720000-0x00007FF6DFA71000-memory.dmp	upx
behavioral2/memory/2916-225-0x00007FF651790000-0x00007FF651AE1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\elUOvKp.exe	2024-12-22_3fea0dddf6745de4fd49e91754345bf8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rXaMMUE.exe	2024-12-22_3fea0dddf6745de4fd49e91754345bf8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rthHAXD.exe	2024-12-22_3fea0dddf6745de4fd49e91754345bf8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CoGgNcJ.exe	2024-12-22_3fea0dddf6745de4fd49e91754345bf8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xzabvJD.exe	2024-12-22_3fea0dddf6745de4fd49e91754345bf8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FBzUolR.exe	2024-12-22_3fea0dddf6745de4fd49e91754345bf8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VWUSYbb.exe	2024-12-22_3fea0dddf6745de4fd49e91754345bf8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rYHHjSR.exe	2024-12-22_3fea0dddf6745de4fd49e91754345bf8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lrefxIs.exe	2024-12-22_3fea0dddf6745de4fd49e91754345bf8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JXaoiQo.exe	2024-12-22_3fea0dddf6745de4fd49e91754345bf8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NNfIGIX.exe	2024-12-22_3fea0dddf6745de4fd49e91754345bf8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GXdintB.exe	2024-12-22_3fea0dddf6745de4fd49e91754345bf8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GgewAYW.exe	2024-12-22_3fea0dddf6745de4fd49e91754345bf8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LyePBoy.exe	2024-12-22_3fea0dddf6745de4fd49e91754345bf8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OVoPMhn.exe	2024-12-22_3fea0dddf6745de4fd49e91754345bf8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xNKGbZu.exe	2024-12-22_3fea0dddf6745de4fd49e91754345bf8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qaDAqdh.exe	2024-12-22_3fea0dddf6745de4fd49e91754345bf8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZEZERmO.exe	2024-12-22_3fea0dddf6745de4fd49e91754345bf8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nqrkaoU.exe	2024-12-22_3fea0dddf6745de4fd49e91754345bf8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PMknqPL.exe	2024-12-22_3fea0dddf6745de4fd49e91754345bf8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ueajFwF.exe	2024-12-22_3fea0dddf6745de4fd49e91754345bf8_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1936	2024-12-22_3fea0dddf6745de4fd49e91754345bf8_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	1936	2024-12-22_3fea0dddf6745de4fd49e91754345bf8_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1936 wrote to memory of 2216	1936	2024-12-22_3fea0dddf6745de4fd49e91754345bf8_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 1936 wrote to memory of 2216	1936	2024-12-22_3fea0dddf6745de4fd49e91754345bf8_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 1936 wrote to memory of 1696	1936	2024-12-22_3fea0dddf6745de4fd49e91754345bf8_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 1936 wrote to memory of 1696	1936	2024-12-22_3fea0dddf6745de4fd49e91754345bf8_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 1936 wrote to memory of 4656	1936	2024-12-22_3fea0dddf6745de4fd49e91754345bf8_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 1936 wrote to memory of 4656	1936	2024-12-22_3fea0dddf6745de4fd49e91754345bf8_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 1936 wrote to memory of 2916	1936	2024-12-22_3fea0dddf6745de4fd49e91754345bf8_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 1936 wrote to memory of 2916	1936	2024-12-22_3fea0dddf6745de4fd49e91754345bf8_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 1936 wrote to memory of 1216	1936	2024-12-22_3fea0dddf6745de4fd49e91754345bf8_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1936 wrote to memory of 1216	1936	2024-12-22_3fea0dddf6745de4fd49e91754345bf8_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1936 wrote to memory of 1756	1936	2024-12-22_3fea0dddf6745de4fd49e91754345bf8_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1936 wrote to memory of 1756	1936	2024-12-22_3fea0dddf6745de4fd49e91754345bf8_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1936 wrote to memory of 3692	1936	2024-12-22_3fea0dddf6745de4fd49e91754345bf8_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1936 wrote to memory of 3692	1936	2024-12-22_3fea0dddf6745de4fd49e91754345bf8_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1936 wrote to memory of 5064	1936	2024-12-22_3fea0dddf6745de4fd49e91754345bf8_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1936 wrote to memory of 5064	1936	2024-12-22_3fea0dddf6745de4fd49e91754345bf8_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1936 wrote to memory of 3448	1936	2024-12-22_3fea0dddf6745de4fd49e91754345bf8_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 1936 wrote to memory of 3448	1936	2024-12-22_3fea0dddf6745de4fd49e91754345bf8_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 1936 wrote to memory of 1388	1936	2024-12-22_3fea0dddf6745de4fd49e91754345bf8_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1936 wrote to memory of 1388	1936	2024-12-22_3fea0dddf6745de4fd49e91754345bf8_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1936 wrote to memory of 5060	1936	2024-12-22_3fea0dddf6745de4fd49e91754345bf8_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1936 wrote to memory of 5060	1936	2024-12-22_3fea0dddf6745de4fd49e91754345bf8_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1936 wrote to memory of 3292	1936	2024-12-22_3fea0dddf6745de4fd49e91754345bf8_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 1936 wrote to memory of 3292	1936	2024-12-22_3fea0dddf6745de4fd49e91754345bf8_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 1936 wrote to memory of 4848	1936	2024-12-22_3fea0dddf6745de4fd49e91754345bf8_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1936 wrote to memory of 4848	1936	2024-12-22_3fea0dddf6745de4fd49e91754345bf8_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1936 wrote to memory of 3180	1936	2024-12-22_3fea0dddf6745de4fd49e91754345bf8_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1936 wrote to memory of 3180	1936	2024-12-22_3fea0dddf6745de4fd49e91754345bf8_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1936 wrote to memory of 4276	1936	2024-12-22_3fea0dddf6745de4fd49e91754345bf8_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1936 wrote to memory of 4276	1936	2024-12-22_3fea0dddf6745de4fd49e91754345bf8_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1936 wrote to memory of 4776	1936	2024-12-22_3fea0dddf6745de4fd49e91754345bf8_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1936 wrote to memory of 4776	1936	2024-12-22_3fea0dddf6745de4fd49e91754345bf8_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1936 wrote to memory of 868	1936	2024-12-22_3fea0dddf6745de4fd49e91754345bf8_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1936 wrote to memory of 868	1936	2024-12-22_3fea0dddf6745de4fd49e91754345bf8_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1936 wrote to memory of 1124	1936	2024-12-22_3fea0dddf6745de4fd49e91754345bf8_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 1936 wrote to memory of 1124	1936	2024-12-22_3fea0dddf6745de4fd49e91754345bf8_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 1936 wrote to memory of 768	1936	2024-12-22_3fea0dddf6745de4fd49e91754345bf8_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 1936 wrote to memory of 768	1936	2024-12-22_3fea0dddf6745de4fd49e91754345bf8_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 1936 wrote to memory of 2696	1936	2024-12-22_3fea0dddf6745de4fd49e91754345bf8_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 1936 wrote to memory of 2696	1936	2024-12-22_3fea0dddf6745de4fd49e91754345bf8_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 1936 wrote to memory of 3640	1936	2024-12-22_3fea0dddf6745de4fd49e91754345bf8_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 1936 wrote to memory of 3640	1936	2024-12-22_3fea0dddf6745de4fd49e91754345bf8_cobalt-strike_cobaltstrike_poet-rat.exe	106

C:\Users\Admin\AppData\Local\Temp\2024-12-22_3fea0dddf6745de4fd49e91754345bf8_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-22_3fea0dddf6745de4fd49e91754345bf8_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1936
- C:\Windows\System\ueajFwF.exe
  C:\Windows\System\ueajFwF.exe
  2⤵
  - Executes dropped EXE
  PID:2216
- C:\Windows\System\lrefxIs.exe
  C:\Windows\System\lrefxIs.exe
  2⤵
  - Executes dropped EXE
  PID:1696
- C:\Windows\System\xzabvJD.exe
  C:\Windows\System\xzabvJD.exe
  2⤵
  - Executes dropped EXE
  PID:4656
- C:\Windows\System\LyePBoy.exe
  C:\Windows\System\LyePBoy.exe
  2⤵
  - Executes dropped EXE
  PID:2916
- C:\Windows\System\JXaoiQo.exe
  C:\Windows\System\JXaoiQo.exe
  2⤵
  - Executes dropped EXE
  PID:1216
- C:\Windows\System\OVoPMhn.exe
  C:\Windows\System\OVoPMhn.exe
  2⤵
  - Executes dropped EXE
  PID:1756
- C:\Windows\System\xNKGbZu.exe
  C:\Windows\System\xNKGbZu.exe
  2⤵
  - Executes dropped EXE
  PID:3692
- C:\Windows\System\qaDAqdh.exe
  C:\Windows\System\qaDAqdh.exe
  2⤵
  - Executes dropped EXE
  PID:5064
- C:\Windows\System\ZEZERmO.exe
  C:\Windows\System\ZEZERmO.exe
  2⤵
  - Executes dropped EXE
  PID:3448
- C:\Windows\System\NNfIGIX.exe
  C:\Windows\System\NNfIGIX.exe
  2⤵
  - Executes dropped EXE
  PID:1388
- C:\Windows\System\elUOvKp.exe
  C:\Windows\System\elUOvKp.exe
  2⤵
  - Executes dropped EXE
  PID:5060
- C:\Windows\System\FBzUolR.exe
  C:\Windows\System\FBzUolR.exe
  2⤵
  - Executes dropped EXE
  PID:3292
- C:\Windows\System\GXdintB.exe
  C:\Windows\System\GXdintB.exe
  2⤵
  - Executes dropped EXE
  PID:4848
- C:\Windows\System\GgewAYW.exe
  C:\Windows\System\GgewAYW.exe
  2⤵
  - Executes dropped EXE
  PID:3180
- C:\Windows\System\rXaMMUE.exe
  C:\Windows\System\rXaMMUE.exe
  2⤵
  - Executes dropped EXE
  PID:4276
- C:\Windows\System\rthHAXD.exe
  C:\Windows\System\rthHAXD.exe
  2⤵
  - Executes dropped EXE
  PID:4776
- C:\Windows\System\CoGgNcJ.exe
  C:\Windows\System\CoGgNcJ.exe
  2⤵
  - Executes dropped EXE
  PID:868
- C:\Windows\System\nqrkaoU.exe
  C:\Windows\System\nqrkaoU.exe
  2⤵
  - Executes dropped EXE
  PID:1124
- C:\Windows\System\VWUSYbb.exe
  C:\Windows\System\VWUSYbb.exe
  2⤵
  - Executes dropped EXE
  PID:768
- C:\Windows\System\rYHHjSR.exe
  C:\Windows\System\rYHHjSR.exe
  2⤵
  - Executes dropped EXE
  PID:2696
- C:\Windows\System\PMknqPL.exe
  C:\Windows\System\PMknqPL.exe
  2⤵
  - Executes dropped EXE
  PID:3640

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\CoGgNcJ.exe

Filesize
5.2MB

MD5
16ee8510ed2056bfbd53ae92a6c12b14

SHA1
aed1cf5e662da09bfbdf2d0a9d36a69472df7d32

SHA256
eb576d3f687f77b4b4263528ec2cbeb04173d6e4d9a6b91885037e81c3075381

SHA512
e32f88749b4448b625892fc225c0a1e4e36e6152c1a0936f3b260a10617a6ddbf38393c729c850ed3a0f5835f4b327343fd1595a67eef77d66b99b5384f383d8

Download Submit
C:\Windows\System\FBzUolR.exe

Filesize
5.2MB

MD5
45aeca456e3520fd8ef504ba44529918

SHA1
edc45d22cae2e4e10f7a89a6bd3178226e6c78c4

SHA256
db0a2febf6160e328dcfe89605c2336df81064b8737291d15428772979451b59

SHA512
96b160094ca3b171ff17e59eca5e53cd04895fece31745fdbac24fea4dde096caa0f51bfc559c2471405b53ccc33fa8153d45fd776ac08b088ed5609237bec87

Download Submit
C:\Windows\System\GXdintB.exe

Filesize
5.2MB

MD5
10c8428af4f2aa6ae3c9490bd3236f99

SHA1
dc8cc12db5b180f033591b12ab3a5791c8d7c88e

SHA256
ac3782af44da8de854384b87374cde9053cb9258b0590baf340e1024c6e4c2b3

SHA512
ba23489232f97faee5fa9cd334cc13ca5db867308db22636f1004528002bb22d334b12903089825a9491a0b2400c1268e23e9a24bb03ee58528856a7d3c68186

Download Submit
C:\Windows\System\GgewAYW.exe

Filesize
5.2MB

MD5
6ca651647feaf46de5752a1b624deb08

SHA1
eea9f879ddbee03ed72b0491a0ecdf5c0737f6f7

SHA256
89d7f52b0ca9f561be594fca4cf4f9f944ca516c3a3dbf1dc4e6fb63ba93327a

SHA512
0d72f8d68f6f4fcc2fd5f0edbc9e53155f45c57359dd8158dd80f92954f3ddb50f97e503229050effa529ae50bd60360f119dbbe23b2f39bcc5ce3a89978d7f2

Download Submit
C:\Windows\System\JXaoiQo.exe

Filesize
5.2MB

MD5
0fab7a00ccb227238a984440cc6aa195

SHA1
27e5377493b0257981b995f068cb3fecc2a26cf7

SHA256
2d9160bf093af5daaa5b31a40ec3fa7d6f2ac8c53cc35c6759d91a04519a078f

SHA512
3f08300e445f2f2adf87ada42533fac6b904e1572c209dbabf01bb6595c6ab7799126180f84de288bbd20cd746db1f468e4bec8eb2b6ebc39c8f9b78680d1f74

Download Submit
C:\Windows\System\LyePBoy.exe

Filesize
5.2MB

MD5
44f3c3965dbb837431d3f64fccaf4793

SHA1
c8948dedb9ea108b6da83a2268f9967fbf740e16

SHA256
c5250178487f7e615cb6a64133f6f0a5fda875983786a00705a58df55206a5ca

SHA512
bc39634ccef0bf5df3a950989d329d5479bb44d1c35c70ac07f25f493c72ad7492bba8cffaf37901095bca73907ff2c2bc1a58af55aad1a4ef50c6e66662d557

Download Submit
C:\Windows\System\NNfIGIX.exe

Filesize
5.2MB

MD5
d81beee16ebf70128fb9e20aa15aeaf8

SHA1
1d83c9ece9629738b39c36aca5d2568ad56484cb

SHA256
d66c5cdcdccbc1f5389612137547b0c3d36523cdf624e83c7787ad2a130f47b9

SHA512
6b86f12469334ea68874320a5c6227c72e80db3341a744b4b56d5b5c7863d20b3c92546d29a9d41c6999aca0fdbc14b537c3f2e6b7b2d9e805b3c2241cd87b0e

Download Submit
C:\Windows\System\OVoPMhn.exe

Filesize
5.2MB

MD5
cf41047a3dd7bd2232ba0edfa32e1d1a

SHA1
560089a941600554e6d454b259ec20824cf4c428

SHA256
02071f317325611aa7a2ae4c46d3a4d31c983aa514a6fea7b26cd74a184fadd2

SHA512
9cc94e5319a9d9a56de2c43746b5192afe70439df729e94f6a490de758da57b1ba08c52faaefc3847dc56d91762b15774487e806afd0d13692eee96f1e4d4048

Download Submit
C:\Windows\System\PMknqPL.exe

Filesize
5.2MB

MD5
cb07f8c499715c14c7fed22f22bb8e97

SHA1
eb8956c90459de9130486bcd1081799fd7e1b417

SHA256
2584e1478cf7985b82ad42604f42fb7705f40530d8ea62d9e33a4ec7c4a2caa5

SHA512
a2b57920bad0b05638d92ea77b48a0b25065682c49e9478ad5a4f1b99ac5ee510c9b9c3ca6ad733ad168edd53cf040e3544a5cfe0f6c0a11b0a87e473ac8f63f

Download Submit
C:\Windows\System\VWUSYbb.exe

Filesize
5.2MB

MD5
787c1557b4e918c8c75c6407adb6a4ff

SHA1
bce79a428ae45ea6da2f8b6095ed1691b75b5c50

SHA256
4e4b913082447d0b1e963ad24e255051453fda0d8c0115cc0d1f769fa9deb56c

SHA512
9e0724e79d995a77c890b4101c3a365a2385e0541aec7a2560c1052b925f27bdc0f5fa32d4d715830102ede49e6d53036c29519ec7c232f870698ec9adf4b885

Download Submit
C:\Windows\System\ZEZERmO.exe

Filesize
5.2MB

MD5
b2e0d75714ece5fc5d8e6eb062cc431a

SHA1
f88e837223a252cb153c2260c69c77c3f734cce3

SHA256
9ea52d76e0edd2eea18a48f3f60b658ea1f3cd0d59bc6f2734ed6aa32fdcb302

SHA512
4614bc58b5c82026c399e632168d30b48dce5bb36d7f7160d62a043e623737824c7f2abc82aec93d4344cd344ba55ddfe8749ec89d1c571cea5c45a6ebcc02db

Download Submit
C:\Windows\System\elUOvKp.exe

Filesize
5.2MB

MD5
a92db4c79abe9183fce0bc8019eb1457

SHA1
f792c5dfffae30bc65a5f112c0dd66f5c6921d4f

SHA256
84e209957c07de488db0a2451cd36e6cb5abb43579dd3409587f12254d515370

SHA512
283618a8f34581e9d4cbcfbe8f6ccc3c954df1cee9164a591ed48f82420ccfbdb4fbddffe59a159af4ee43a305fe27b88e7f73b039190774a02a2a59b9b19388

Download Submit
C:\Windows\System\lrefxIs.exe

Filesize
5.2MB

MD5
67eaae72a37428c516b0ef2e93f5ab87

SHA1
69d0d3297d9936d24d19e650143ec97e3ce12596

SHA256
2cfb3ae33f180c2413f2e3d4c42792cbbd2bb2d8e87840c82eee644920695211

SHA512
2534c8d44fcc44944a080600840d55f2c90b5771b3efeada20376f9239a01bec77e85d84d8768b588bace6a69c8bd2ea8e83a5c739e1d5e57685691b3ed0d9b8

Download Submit
C:\Windows\System\nqrkaoU.exe

Filesize
5.2MB

MD5
7df44c60326a17b1778f02b773d0e6a4

SHA1
7edd823afc54a8e914862cdd6aec069ccff29d4a

SHA256
f55ee354ecece373129d8c076dfbc9b8da7252f02fafd81c9574df23b971c510

SHA512
d0b1f9c65142f531ae78a015458aad18b0e9192bf1be921404d20925f33235fe4fb9117e393a26db71e179fdd8796f04cf77acc215cd902a15ab28c7d1554b99

Download Submit
C:\Windows\System\qaDAqdh.exe

Filesize
5.2MB

MD5
76be6c347be3eb9ce3324dbdf805a8b6

SHA1
cd95da7980a278bbb6195fa4aaa6661cbc2fab4b

SHA256
4565166206289de1c0ce7a8b9c0ee28aaa96760f02553e5102b699c0f15a4357

SHA512
241ccb74de41ef5d6d687589076015b601f4b00cafb88df69d91441d6793aae3c5b7db824838a9746177bbc1f8580d851317206e3fa879e71976af5bd945386b

Download Submit
C:\Windows\System\rXaMMUE.exe

Filesize
5.2MB

MD5
e756b6a7275af6e71693ba3e57d5e951

SHA1
abfcc1f3938374d9c81e43484f45acec35d3a374

SHA256
73a61150f01c625555abc78da80bc40edf87fe7901c399dee8c9697019d1a169

SHA512
4c2a6f668ca6f16accda25acf5979f05df31c3130e09bc4cfc45fc85990ea3c725b2adc32e70a5da4393bd70497a5828523c4ec184cd623d07ac64700a2b94e9

Download Submit
C:\Windows\System\rYHHjSR.exe

Filesize
5.2MB

MD5
a203fa718b26ccf023ed9bfa10073686

SHA1
59f0c30da24c154122357cbaab771ce9ff7c57e9

SHA256
1ca57f226ae04ba189c80168956b3d16252f5c84265c10d2fadf256536792a61

SHA512
b4e290b01a7a5f36e2680eabf3c26cef21b5e581a27318fbb84fd25ccee2fd073bc586ea1672b0f4abf99b4ef6602f146916b01892e85f5801307c79d0620c34

Download Submit
C:\Windows\System\rthHAXD.exe

Filesize
5.2MB

MD5
368e7a6dc07c9b8696cf24a5ee667b45

SHA1
f41e19b34fe8889d9de93a12960e249365f97200

SHA256
b7e5692ca3cd888c5a5fab563ee13fc1006910ccd3c84ef262a606c39828bbdd

SHA512
f81345ceda7bf58cc8e18a282cc2555127d6009511d769fac18e1ad871202d011df59d51d907bbdef9aad422d52e3c607e0c5daf9893512ef9edbbfe11692008

Download Submit
C:\Windows\System\ueajFwF.exe

Filesize
5.2MB

MD5
f2130626605db5d70e6ffb51e1a54ece

SHA1
f42c6bcc379285aea8321792ef156d30a908c862

SHA256
19528d63beea45bd6cb6ec31dcd774556af4ea2096631d12c1072957a3f26192

SHA512
dc100b1a455be4ad929b45e1362463ba5594b61b6428386faceaa0fb691cdd97cbde3d53a82a33c62231e982a0538c88b5b41c3d433bcbcea63da2e581c698e4

Download Submit
C:\Windows\System\xNKGbZu.exe

Filesize
5.2MB

MD5
6aa73cf530875b544a5df34ac1a21cd2

SHA1
11d7a339e152003cb1f4cf36a76810f38ee56478

SHA256
b8a4e1fd83ee52990333ba94dd9acb811f2bf0e5e230cfb4c61b187e70ea37f9

SHA512
152bd106d36d8433da2112c9c031449f8132b69d4821e3db5ef618ce6323a6bf0a932a30b853e624be9ddb25071c58b105f90c6f63c4d4fd97821202ceae251f

Download Submit
C:\Windows\System\xzabvJD.exe

Filesize
5.2MB

MD5
11350b647a00f37e3af3c6589d1befa1

SHA1
4f2475f15a7fe5aae18d59b0e3f997eb78f0c3fa

SHA256
488d4dee6ee19dd5e892dffa37d6c198634afa8f55a5c6c4a45f5b31696b49e1

SHA512
d4ef70c6027f7a899570758ddb5d95a22eb283d255f3e4a24ce6a3973f7b370c079ecc9012dc817738bfc02421fe3d650a88262001b5d1b9f90a2aa76b32611f

Download Submit
memory/768-259-0x00007FF65B780000-0x00007FF65BAD1000-memory.dmp

Filesize
3.3MB

Download
memory/768-131-0x00007FF65B780000-0x00007FF65BAD1000-memory.dmp

Filesize
3.3MB

Download
memory/868-103-0x00007FF6183E0000-0x00007FF618731000-memory.dmp

Filesize
3.3MB

Download
memory/868-149-0x00007FF6183E0000-0x00007FF618731000-memory.dmp

Filesize
3.3MB

Download
memory/868-255-0x00007FF6183E0000-0x00007FF618731000-memory.dmp

Filesize
3.3MB

Download
memory/1124-254-0x00007FF688C90000-0x00007FF688FE1000-memory.dmp

Filesize
3.3MB

Download
memory/1124-126-0x00007FF688C90000-0x00007FF688FE1000-memory.dmp

Filesize
3.3MB

Download
memory/1124-150-0x00007FF688C90000-0x00007FF688FE1000-memory.dmp

Filesize
3.3MB

Download
memory/1216-137-0x00007FF6FC1D0000-0x00007FF6FC521000-memory.dmp

Filesize
3.3MB

Download
memory/1216-229-0x00007FF6FC1D0000-0x00007FF6FC521000-memory.dmp

Filesize
3.3MB

Download
memory/1216-34-0x00007FF6FC1D0000-0x00007FF6FC521000-memory.dmp

Filesize
3.3MB

Download
memory/1388-142-0x00007FF73FCB0000-0x00007FF740001000-memory.dmp

Filesize
3.3MB

Download
memory/1388-237-0x00007FF73FCB0000-0x00007FF740001000-memory.dmp

Filesize
3.3MB

Download
memory/1388-54-0x00007FF73FCB0000-0x00007FF740001000-memory.dmp

Filesize
3.3MB

Download
memory/1696-207-0x00007FF7912D0000-0x00007FF791621000-memory.dmp

Filesize
3.3MB

Download
memory/1696-129-0x00007FF7912D0000-0x00007FF791621000-memory.dmp

Filesize
3.3MB

Download
memory/1696-12-0x00007FF7912D0000-0x00007FF791621000-memory.dmp

Filesize
3.3MB

Download
memory/1756-228-0x00007FF6E5540000-0x00007FF6E5891000-memory.dmp

Filesize
3.3MB

Download
memory/1756-46-0x00007FF6E5540000-0x00007FF6E5891000-memory.dmp

Filesize
3.3MB

Download
memory/1936-154-0x00007FF61DAB0000-0x00007FF61DE01000-memory.dmp

Filesize
3.3MB

Download
memory/1936-102-0x00007FF61DAB0000-0x00007FF61DE01000-memory.dmp

Filesize
3.3MB

Download
memory/1936-132-0x00007FF61DAB0000-0x00007FF61DE01000-memory.dmp

Filesize
3.3MB

Download
memory/1936-0-0x00007FF61DAB0000-0x00007FF61DE01000-memory.dmp

Filesize
3.3MB

Download
memory/1936-1-0x00000139D1B50000-0x00000139D1B60000-memory.dmp

Filesize
64KB

Download
memory/2216-113-0x00007FF647890000-0x00007FF647BE1000-memory.dmp

Filesize
3.3MB

Download
memory/2216-8-0x00007FF647890000-0x00007FF647BE1000-memory.dmp

Filesize
3.3MB

Download
memory/2216-205-0x00007FF647890000-0x00007FF647BE1000-memory.dmp

Filesize
3.3MB

Download
memory/2696-127-0x00007FF68A9C0000-0x00007FF68AD11000-memory.dmp

Filesize
3.3MB

Download
memory/2696-257-0x00007FF68A9C0000-0x00007FF68AD11000-memory.dmp

Filesize
3.3MB

Download
memory/2916-225-0x00007FF651790000-0x00007FF651AE1000-memory.dmp

Filesize
3.3MB

Download
memory/2916-136-0x00007FF651790000-0x00007FF651AE1000-memory.dmp

Filesize
3.3MB

Download
memory/2916-31-0x00007FF651790000-0x00007FF651AE1000-memory.dmp

Filesize
3.3MB

Download
memory/3180-146-0x00007FF779B10000-0x00007FF779E61000-memory.dmp

Filesize
3.3MB

Download
memory/3180-244-0x00007FF779B10000-0x00007FF779E61000-memory.dmp

Filesize
3.3MB

Download
memory/3180-93-0x00007FF779B10000-0x00007FF779E61000-memory.dmp

Filesize
3.3MB

Download
memory/3292-144-0x00007FF7AC160000-0x00007FF7AC4B1000-memory.dmp

Filesize
3.3MB

Download
memory/3292-241-0x00007FF7AC160000-0x00007FF7AC4B1000-memory.dmp

Filesize
3.3MB

Download
memory/3292-87-0x00007FF7AC160000-0x00007FF7AC4B1000-memory.dmp

Filesize
3.3MB

Download
memory/3448-141-0x00007FF6441B0000-0x00007FF644501000-memory.dmp

Filesize
3.3MB

Download
memory/3448-235-0x00007FF6441B0000-0x00007FF644501000-memory.dmp

Filesize
3.3MB

Download
memory/3448-59-0x00007FF6441B0000-0x00007FF644501000-memory.dmp

Filesize
3.3MB

Download
memory/3640-128-0x00007FF78A0A0000-0x00007FF78A3F1000-memory.dmp

Filesize
3.3MB

Download
memory/3640-261-0x00007FF78A0A0000-0x00007FF78A3F1000-memory.dmp

Filesize
3.3MB

Download
memory/3692-231-0x00007FF768C40000-0x00007FF768F91000-memory.dmp

Filesize
3.3MB

Download
memory/3692-139-0x00007FF768C40000-0x00007FF768F91000-memory.dmp

Filesize
3.3MB

Download
memory/3692-53-0x00007FF768C40000-0x00007FF768F91000-memory.dmp

Filesize
3.3MB

Download
memory/4276-100-0x00007FF7C8220000-0x00007FF7C8571000-memory.dmp

Filesize
3.3MB

Download
memory/4276-249-0x00007FF7C8220000-0x00007FF7C8571000-memory.dmp

Filesize
3.3MB

Download
memory/4656-224-0x00007FF6DF720000-0x00007FF6DFA71000-memory.dmp

Filesize
3.3MB

Download
memory/4656-130-0x00007FF6DF720000-0x00007FF6DFA71000-memory.dmp

Filesize
3.3MB

Download
memory/4656-20-0x00007FF6DF720000-0x00007FF6DFA71000-memory.dmp

Filesize
3.3MB

Download
memory/4776-246-0x00007FF7C4B10000-0x00007FF7C4E61000-memory.dmp

Filesize
3.3MB

Download
memory/4776-94-0x00007FF7C4B10000-0x00007FF7C4E61000-memory.dmp

Filesize
3.3MB

Download
memory/4848-99-0x00007FF672D50000-0x00007FF6730A1000-memory.dmp

Filesize
3.3MB

Download
memory/4848-247-0x00007FF672D50000-0x00007FF6730A1000-memory.dmp

Filesize
3.3MB

Download
memory/5060-143-0x00007FF7394B0000-0x00007FF739801000-memory.dmp

Filesize
3.3MB

Download
memory/5060-239-0x00007FF7394B0000-0x00007FF739801000-memory.dmp

Filesize
3.3MB

Download
memory/5060-77-0x00007FF7394B0000-0x00007FF739801000-memory.dmp

Filesize
3.3MB

Download
memory/5064-233-0x00007FF65FD20000-0x00007FF660071000-memory.dmp

Filesize
3.3MB

Download
memory/5064-140-0x00007FF65FD20000-0x00007FF660071000-memory.dmp

Filesize
3.3MB

Download
memory/5064-57-0x00007FF65FD20000-0x00007FF660071000-memory.dmp

Filesize
3.3MB

Download