cobaltstrike | 53552f32ac05d0d8ba13e6c6d0bfdbbbbeba9ee658bcb6890fd9452f93e3e79f

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-11-2024 21:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-11_bb5c92d86ce7e9689dcf4d615121b041_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

bb5c92d86ce7e9689dcf4d615121b041
SHA1

2524a8f60357e537e4bb0bc3da0b95a1361b11a5
SHA256

53552f32ac05d0d8ba13e6c6d0bfdbbbbeba9ee658bcb6890fd9452f93e3e79f
SHA512

0b5e872fbc97afe5130091574a7904efa5429e37a195a90dccf1c99e5b4b029e547b00be93475d580ba1227075ceb3f0998571d745704a2c07794511c68d8119
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lk:RWWBibf56utgpPFotBER/mQ32lUg

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000c000000023b7d-5.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b83-9.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b87-39.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b88-44.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b89-55.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b86-41.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b85-35.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b84-22.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b82-16.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8a-60.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8b-66.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b7f-72.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8c-78.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8d-82.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8f-100.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8e-106.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b90-113.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b92-124.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b94-129.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b91-122.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b93-121.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/3876-31-0x00007FF77E930000-0x00007FF77EC81000-memory.dmp	xmrig
behavioral2/memory/212-59-0x00007FF62B170000-0x00007FF62B4C1000-memory.dmp	xmrig
behavioral2/memory/1392-61-0x00007FF70D6C0000-0x00007FF70DA11000-memory.dmp	xmrig
behavioral2/memory/1136-104-0x00007FF6EC9C0000-0x00007FF6ECD11000-memory.dmp	xmrig
behavioral2/memory/4548-98-0x00007FF6B3EF0000-0x00007FF6B4241000-memory.dmp	xmrig
behavioral2/memory/116-83-0x00007FF667C80000-0x00007FF667FD1000-memory.dmp	xmrig
behavioral2/memory/1516-71-0x00007FF7CD000000-0x00007FF7CD351000-memory.dmp	xmrig
behavioral2/memory/2680-69-0x00007FF6B3FA0000-0x00007FF6B42F1000-memory.dmp	xmrig
behavioral2/memory/212-132-0x00007FF62B170000-0x00007FF62B4C1000-memory.dmp	xmrig
behavioral2/memory/2400-140-0x00007FF6C0B70000-0x00007FF6C0EC1000-memory.dmp	xmrig
behavioral2/memory/688-143-0x00007FF7B54C0000-0x00007FF7B5811000-memory.dmp	xmrig
behavioral2/memory/2720-145-0x00007FF6DB300000-0x00007FF6DB651000-memory.dmp	xmrig
behavioral2/memory/4636-144-0x00007FF7463B0000-0x00007FF746701000-memory.dmp	xmrig
behavioral2/memory/1924-142-0x00007FF6C3140000-0x00007FF6C3491000-memory.dmp	xmrig
behavioral2/memory/1524-141-0x00007FF657D20000-0x00007FF658071000-memory.dmp	xmrig
behavioral2/memory/2120-146-0x00007FF757D20000-0x00007FF758071000-memory.dmp	xmrig
behavioral2/memory/756-148-0x00007FF677F20000-0x00007FF678271000-memory.dmp	xmrig
behavioral2/memory/2644-154-0x00007FF712BF0000-0x00007FF712F41000-memory.dmp	xmrig
behavioral2/memory/1032-155-0x00007FF67EAF0000-0x00007FF67EE41000-memory.dmp	xmrig
behavioral2/memory/4072-153-0x00007FF6749A0000-0x00007FF674CF1000-memory.dmp	xmrig
behavioral2/memory/5096-152-0x00007FF661100000-0x00007FF661451000-memory.dmp	xmrig
behavioral2/memory/3900-151-0x00007FF7A0B50000-0x00007FF7A0EA1000-memory.dmp	xmrig
behavioral2/memory/4444-150-0x00007FF7BA2A0000-0x00007FF7BA5F1000-memory.dmp	xmrig
behavioral2/memory/212-159-0x00007FF62B170000-0x00007FF62B4C1000-memory.dmp	xmrig
behavioral2/memory/1392-215-0x00007FF70D6C0000-0x00007FF70DA11000-memory.dmp	xmrig
behavioral2/memory/2680-217-0x00007FF6B3FA0000-0x00007FF6B42F1000-memory.dmp	xmrig
behavioral2/memory/3876-219-0x00007FF77E930000-0x00007FF77EC81000-memory.dmp	xmrig
behavioral2/memory/1516-221-0x00007FF7CD000000-0x00007FF7CD351000-memory.dmp	xmrig
behavioral2/memory/116-223-0x00007FF667C80000-0x00007FF667FD1000-memory.dmp	xmrig
behavioral2/memory/4548-225-0x00007FF6B3EF0000-0x00007FF6B4241000-memory.dmp	xmrig
behavioral2/memory/2400-228-0x00007FF6C0B70000-0x00007FF6C0EC1000-memory.dmp	xmrig
behavioral2/memory/1136-229-0x00007FF6EC9C0000-0x00007FF6ECD11000-memory.dmp	xmrig
behavioral2/memory/1524-231-0x00007FF657D20000-0x00007FF658071000-memory.dmp	xmrig
behavioral2/memory/1924-240-0x00007FF6C3140000-0x00007FF6C3491000-memory.dmp	xmrig
behavioral2/memory/2120-242-0x00007FF757D20000-0x00007FF758071000-memory.dmp	xmrig
behavioral2/memory/4444-244-0x00007FF7BA2A0000-0x00007FF7BA5F1000-memory.dmp	xmrig
behavioral2/memory/756-250-0x00007FF677F20000-0x00007FF678271000-memory.dmp	xmrig
behavioral2/memory/3900-252-0x00007FF7A0B50000-0x00007FF7A0EA1000-memory.dmp	xmrig
behavioral2/memory/5096-254-0x00007FF661100000-0x00007FF661451000-memory.dmp	xmrig
behavioral2/memory/1032-256-0x00007FF67EAF0000-0x00007FF67EE41000-memory.dmp	xmrig
behavioral2/memory/4072-259-0x00007FF6749A0000-0x00007FF674CF1000-memory.dmp	xmrig
behavioral2/memory/2644-264-0x00007FF712BF0000-0x00007FF712F41000-memory.dmp	xmrig
behavioral2/memory/688-266-0x00007FF7B54C0000-0x00007FF7B5811000-memory.dmp	xmrig
behavioral2/memory/2720-262-0x00007FF6DB300000-0x00007FF6DB651000-memory.dmp	xmrig
behavioral2/memory/4636-261-0x00007FF7463B0000-0x00007FF746701000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
1392	NJFlJdc.exe
2680	BIGKBfh.exe
1516	tIHhKHR.exe
3876	IBJZzCX.exe
116	ubwxkVG.exe
4548	iRaPthf.exe
1136	ijemIqU.exe
2400	serZTCP.exe
1524	yYqniGd.exe
1924	REUMAJF.exe
2120	ykZHmPs.exe
756	yibeAnS.exe
4444	DdYpLHq.exe
3900	EMbBeSd.exe
5096	VFOsKde.exe
4072	MFAcdoD.exe
2644	ufVyYSn.exe
1032	mWvybWZ.exe
4636	BuVWlzu.exe
2720	DiiUZEz.exe
688	LCNzzkR.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/212-0-0x00007FF62B170000-0x00007FF62B4C1000-memory.dmp	upx
behavioral2/files/0x000c000000023b7d-5.dat	upx
behavioral2/files/0x000a000000023b83-9.dat	upx
behavioral2/memory/1516-20-0x00007FF7CD000000-0x00007FF7CD351000-memory.dmp	upx
behavioral2/files/0x000a000000023b87-39.dat	upx
behavioral2/files/0x000a000000023b88-44.dat	upx
behavioral2/files/0x000a000000023b89-55.dat	upx
behavioral2/memory/1524-54-0x00007FF657D20000-0x00007FF658071000-memory.dmp	upx
behavioral2/memory/2400-50-0x00007FF6C0B70000-0x00007FF6C0EC1000-memory.dmp	upx
behavioral2/memory/1136-45-0x00007FF6EC9C0000-0x00007FF6ECD11000-memory.dmp	upx
behavioral2/files/0x000a000000023b86-41.dat	upx
behavioral2/files/0x000a000000023b85-35.dat	upx
behavioral2/memory/4548-34-0x00007FF6B3EF0000-0x00007FF6B4241000-memory.dmp	upx
behavioral2/memory/116-32-0x00007FF667C80000-0x00007FF667FD1000-memory.dmp	upx
behavioral2/memory/3876-31-0x00007FF77E930000-0x00007FF77EC81000-memory.dmp	upx
behavioral2/files/0x000a000000023b84-22.dat	upx
behavioral2/files/0x000a000000023b82-16.dat	upx
behavioral2/memory/2680-14-0x00007FF6B3FA0000-0x00007FF6B42F1000-memory.dmp	upx
behavioral2/memory/1392-7-0x00007FF70D6C0000-0x00007FF70DA11000-memory.dmp	upx
behavioral2/memory/212-59-0x00007FF62B170000-0x00007FF62B4C1000-memory.dmp	upx
behavioral2/files/0x000a000000023b8a-60.dat	upx
behavioral2/memory/1924-62-0x00007FF6C3140000-0x00007FF6C3491000-memory.dmp	upx
behavioral2/memory/1392-61-0x00007FF70D6C0000-0x00007FF70DA11000-memory.dmp	upx
behavioral2/files/0x000a000000023b8b-66.dat	upx
behavioral2/files/0x000b000000023b7f-72.dat	upx
behavioral2/files/0x000a000000023b8c-78.dat	upx
behavioral2/files/0x000a000000023b8d-82.dat	upx
behavioral2/files/0x000a000000023b8f-100.dat	upx
behavioral2/files/0x000a000000023b8e-106.dat	upx
behavioral2/files/0x000a000000023b90-113.dat	upx
behavioral2/files/0x000a000000023b92-124.dat	upx
behavioral2/files/0x000a000000023b94-129.dat	upx
behavioral2/files/0x000a000000023b91-122.dat	upx
behavioral2/files/0x000a000000023b93-121.dat	upx
behavioral2/memory/4072-118-0x00007FF6749A0000-0x00007FF674CF1000-memory.dmp	upx
behavioral2/memory/2644-110-0x00007FF712BF0000-0x00007FF712F41000-memory.dmp	upx
behavioral2/memory/1136-104-0x00007FF6EC9C0000-0x00007FF6ECD11000-memory.dmp	upx
behavioral2/memory/5096-102-0x00007FF661100000-0x00007FF661451000-memory.dmp	upx
behavioral2/memory/4548-98-0x00007FF6B3EF0000-0x00007FF6B4241000-memory.dmp	upx
behavioral2/memory/3900-94-0x00007FF7A0B50000-0x00007FF7A0EA1000-memory.dmp	upx
behavioral2/memory/4444-84-0x00007FF7BA2A0000-0x00007FF7BA5F1000-memory.dmp	upx
behavioral2/memory/116-83-0x00007FF667C80000-0x00007FF667FD1000-memory.dmp	upx
behavioral2/memory/756-79-0x00007FF677F20000-0x00007FF678271000-memory.dmp	upx
behavioral2/memory/2120-75-0x00007FF757D20000-0x00007FF758071000-memory.dmp	upx
behavioral2/memory/1516-71-0x00007FF7CD000000-0x00007FF7CD351000-memory.dmp	upx
behavioral2/memory/2680-69-0x00007FF6B3FA0000-0x00007FF6B42F1000-memory.dmp	upx
behavioral2/memory/1032-131-0x00007FF67EAF0000-0x00007FF67EE41000-memory.dmp	upx
behavioral2/memory/212-132-0x00007FF62B170000-0x00007FF62B4C1000-memory.dmp	upx
behavioral2/memory/2400-140-0x00007FF6C0B70000-0x00007FF6C0EC1000-memory.dmp	upx
behavioral2/memory/688-143-0x00007FF7B54C0000-0x00007FF7B5811000-memory.dmp	upx
behavioral2/memory/2720-145-0x00007FF6DB300000-0x00007FF6DB651000-memory.dmp	upx
behavioral2/memory/4636-144-0x00007FF7463B0000-0x00007FF746701000-memory.dmp	upx
behavioral2/memory/1924-142-0x00007FF6C3140000-0x00007FF6C3491000-memory.dmp	upx
behavioral2/memory/1524-141-0x00007FF657D20000-0x00007FF658071000-memory.dmp	upx
behavioral2/memory/2120-146-0x00007FF757D20000-0x00007FF758071000-memory.dmp	upx
behavioral2/memory/756-148-0x00007FF677F20000-0x00007FF678271000-memory.dmp	upx
behavioral2/memory/2644-154-0x00007FF712BF0000-0x00007FF712F41000-memory.dmp	upx
behavioral2/memory/1032-155-0x00007FF67EAF0000-0x00007FF67EE41000-memory.dmp	upx
behavioral2/memory/4072-153-0x00007FF6749A0000-0x00007FF674CF1000-memory.dmp	upx
behavioral2/memory/5096-152-0x00007FF661100000-0x00007FF661451000-memory.dmp	upx
behavioral2/memory/3900-151-0x00007FF7A0B50000-0x00007FF7A0EA1000-memory.dmp	upx
behavioral2/memory/4444-150-0x00007FF7BA2A0000-0x00007FF7BA5F1000-memory.dmp	upx
behavioral2/memory/212-159-0x00007FF62B170000-0x00007FF62B4C1000-memory.dmp	upx
behavioral2/memory/1392-215-0x00007FF70D6C0000-0x00007FF70DA11000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\EMbBeSd.exe	2024-11-11_bb5c92d86ce7e9689dcf4d615121b041_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mWvybWZ.exe	2024-11-11_bb5c92d86ce7e9689dcf4d615121b041_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BuVWlzu.exe	2024-11-11_bb5c92d86ce7e9689dcf4d615121b041_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LCNzzkR.exe	2024-11-11_bb5c92d86ce7e9689dcf4d615121b041_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IBJZzCX.exe	2024-11-11_bb5c92d86ce7e9689dcf4d615121b041_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ubwxkVG.exe	2024-11-11_bb5c92d86ce7e9689dcf4d615121b041_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DdYpLHq.exe	2024-11-11_bb5c92d86ce7e9689dcf4d615121b041_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DiiUZEz.exe	2024-11-11_bb5c92d86ce7e9689dcf4d615121b041_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NJFlJdc.exe	2024-11-11_bb5c92d86ce7e9689dcf4d615121b041_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yYqniGd.exe	2024-11-11_bb5c92d86ce7e9689dcf4d615121b041_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yibeAnS.exe	2024-11-11_bb5c92d86ce7e9689dcf4d615121b041_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MFAcdoD.exe	2024-11-11_bb5c92d86ce7e9689dcf4d615121b041_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ykZHmPs.exe	2024-11-11_bb5c92d86ce7e9689dcf4d615121b041_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VFOsKde.exe	2024-11-11_bb5c92d86ce7e9689dcf4d615121b041_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BIGKBfh.exe	2024-11-11_bb5c92d86ce7e9689dcf4d615121b041_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tIHhKHR.exe	2024-11-11_bb5c92d86ce7e9689dcf4d615121b041_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iRaPthf.exe	2024-11-11_bb5c92d86ce7e9689dcf4d615121b041_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ijemIqU.exe	2024-11-11_bb5c92d86ce7e9689dcf4d615121b041_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\serZTCP.exe	2024-11-11_bb5c92d86ce7e9689dcf4d615121b041_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\REUMAJF.exe	2024-11-11_bb5c92d86ce7e9689dcf4d615121b041_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ufVyYSn.exe	2024-11-11_bb5c92d86ce7e9689dcf4d615121b041_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	212	2024-11-11_bb5c92d86ce7e9689dcf4d615121b041_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	212	2024-11-11_bb5c92d86ce7e9689dcf4d615121b041_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 212 wrote to memory of 1392	212	2024-11-11_bb5c92d86ce7e9689dcf4d615121b041_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 212 wrote to memory of 1392	212	2024-11-11_bb5c92d86ce7e9689dcf4d615121b041_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 212 wrote to memory of 2680	212	2024-11-11_bb5c92d86ce7e9689dcf4d615121b041_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 212 wrote to memory of 2680	212	2024-11-11_bb5c92d86ce7e9689dcf4d615121b041_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 212 wrote to memory of 1516	212	2024-11-11_bb5c92d86ce7e9689dcf4d615121b041_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 212 wrote to memory of 1516	212	2024-11-11_bb5c92d86ce7e9689dcf4d615121b041_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 212 wrote to memory of 3876	212	2024-11-11_bb5c92d86ce7e9689dcf4d615121b041_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 212 wrote to memory of 3876	212	2024-11-11_bb5c92d86ce7e9689dcf4d615121b041_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 212 wrote to memory of 116	212	2024-11-11_bb5c92d86ce7e9689dcf4d615121b041_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 212 wrote to memory of 116	212	2024-11-11_bb5c92d86ce7e9689dcf4d615121b041_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 212 wrote to memory of 4548	212	2024-11-11_bb5c92d86ce7e9689dcf4d615121b041_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 212 wrote to memory of 4548	212	2024-11-11_bb5c92d86ce7e9689dcf4d615121b041_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 212 wrote to memory of 1136	212	2024-11-11_bb5c92d86ce7e9689dcf4d615121b041_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 212 wrote to memory of 1136	212	2024-11-11_bb5c92d86ce7e9689dcf4d615121b041_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 212 wrote to memory of 2400	212	2024-11-11_bb5c92d86ce7e9689dcf4d615121b041_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 212 wrote to memory of 2400	212	2024-11-11_bb5c92d86ce7e9689dcf4d615121b041_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 212 wrote to memory of 1524	212	2024-11-11_bb5c92d86ce7e9689dcf4d615121b041_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 212 wrote to memory of 1524	212	2024-11-11_bb5c92d86ce7e9689dcf4d615121b041_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 212 wrote to memory of 1924	212	2024-11-11_bb5c92d86ce7e9689dcf4d615121b041_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 212 wrote to memory of 1924	212	2024-11-11_bb5c92d86ce7e9689dcf4d615121b041_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 212 wrote to memory of 2120	212	2024-11-11_bb5c92d86ce7e9689dcf4d615121b041_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 212 wrote to memory of 2120	212	2024-11-11_bb5c92d86ce7e9689dcf4d615121b041_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 212 wrote to memory of 756	212	2024-11-11_bb5c92d86ce7e9689dcf4d615121b041_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 212 wrote to memory of 756	212	2024-11-11_bb5c92d86ce7e9689dcf4d615121b041_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 212 wrote to memory of 4444	212	2024-11-11_bb5c92d86ce7e9689dcf4d615121b041_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 212 wrote to memory of 4444	212	2024-11-11_bb5c92d86ce7e9689dcf4d615121b041_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 212 wrote to memory of 3900	212	2024-11-11_bb5c92d86ce7e9689dcf4d615121b041_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 212 wrote to memory of 3900	212	2024-11-11_bb5c92d86ce7e9689dcf4d615121b041_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 212 wrote to memory of 5096	212	2024-11-11_bb5c92d86ce7e9689dcf4d615121b041_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 212 wrote to memory of 5096	212	2024-11-11_bb5c92d86ce7e9689dcf4d615121b041_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 212 wrote to memory of 4072	212	2024-11-11_bb5c92d86ce7e9689dcf4d615121b041_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 212 wrote to memory of 4072	212	2024-11-11_bb5c92d86ce7e9689dcf4d615121b041_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 212 wrote to memory of 2644	212	2024-11-11_bb5c92d86ce7e9689dcf4d615121b041_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 212 wrote to memory of 2644	212	2024-11-11_bb5c92d86ce7e9689dcf4d615121b041_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 212 wrote to memory of 1032	212	2024-11-11_bb5c92d86ce7e9689dcf4d615121b041_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 212 wrote to memory of 1032	212	2024-11-11_bb5c92d86ce7e9689dcf4d615121b041_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 212 wrote to memory of 4636	212	2024-11-11_bb5c92d86ce7e9689dcf4d615121b041_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 212 wrote to memory of 4636	212	2024-11-11_bb5c92d86ce7e9689dcf4d615121b041_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 212 wrote to memory of 2720	212	2024-11-11_bb5c92d86ce7e9689dcf4d615121b041_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 212 wrote to memory of 2720	212	2024-11-11_bb5c92d86ce7e9689dcf4d615121b041_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 212 wrote to memory of 688	212	2024-11-11_bb5c92d86ce7e9689dcf4d615121b041_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 212 wrote to memory of 688	212	2024-11-11_bb5c92d86ce7e9689dcf4d615121b041_cobalt-strike_cobaltstrike_poet-rat.exe	105

C:\Users\Admin\AppData\Local\Temp\2024-11-11_bb5c92d86ce7e9689dcf4d615121b041_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-11_bb5c92d86ce7e9689dcf4d615121b041_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:212
- C:\Windows\System\NJFlJdc.exe
  C:\Windows\System\NJFlJdc.exe
  2⤵
  - Executes dropped EXE
  PID:1392
- C:\Windows\System\BIGKBfh.exe
  C:\Windows\System\BIGKBfh.exe
  2⤵
  - Executes dropped EXE
  PID:2680
- C:\Windows\System\tIHhKHR.exe
  C:\Windows\System\tIHhKHR.exe
  2⤵
  - Executes dropped EXE
  PID:1516
- C:\Windows\System\IBJZzCX.exe
  C:\Windows\System\IBJZzCX.exe
  2⤵
  - Executes dropped EXE
  PID:3876
- C:\Windows\System\ubwxkVG.exe
  C:\Windows\System\ubwxkVG.exe
  2⤵
  - Executes dropped EXE
  PID:116
- C:\Windows\System\iRaPthf.exe
  C:\Windows\System\iRaPthf.exe
  2⤵
  - Executes dropped EXE
  PID:4548
- C:\Windows\System\ijemIqU.exe
  C:\Windows\System\ijemIqU.exe
  2⤵
  - Executes dropped EXE
  PID:1136
- C:\Windows\System\serZTCP.exe
  C:\Windows\System\serZTCP.exe
  2⤵
  - Executes dropped EXE
  PID:2400
- C:\Windows\System\yYqniGd.exe
  C:\Windows\System\yYqniGd.exe
  2⤵
  - Executes dropped EXE
  PID:1524
- C:\Windows\System\REUMAJF.exe
  C:\Windows\System\REUMAJF.exe
  2⤵
  - Executes dropped EXE
  PID:1924
- C:\Windows\System\ykZHmPs.exe
  C:\Windows\System\ykZHmPs.exe
  2⤵
  - Executes dropped EXE
  PID:2120
- C:\Windows\System\yibeAnS.exe
  C:\Windows\System\yibeAnS.exe
  2⤵
  - Executes dropped EXE
  PID:756
- C:\Windows\System\DdYpLHq.exe
  C:\Windows\System\DdYpLHq.exe
  2⤵
  - Executes dropped EXE
  PID:4444
- C:\Windows\System\EMbBeSd.exe
  C:\Windows\System\EMbBeSd.exe
  2⤵
  - Executes dropped EXE
  PID:3900
- C:\Windows\System\VFOsKde.exe
  C:\Windows\System\VFOsKde.exe
  2⤵
  - Executes dropped EXE
  PID:5096
- C:\Windows\System\MFAcdoD.exe
  C:\Windows\System\MFAcdoD.exe
  2⤵
  - Executes dropped EXE
  PID:4072
- C:\Windows\System\ufVyYSn.exe
  C:\Windows\System\ufVyYSn.exe
  2⤵
  - Executes dropped EXE
  PID:2644
- C:\Windows\System\mWvybWZ.exe
  C:\Windows\System\mWvybWZ.exe
  2⤵
  - Executes dropped EXE
  PID:1032
- C:\Windows\System\BuVWlzu.exe
  C:\Windows\System\BuVWlzu.exe
  2⤵
  - Executes dropped EXE
  PID:4636
- C:\Windows\System\DiiUZEz.exe
  C:\Windows\System\DiiUZEz.exe
  2⤵
  - Executes dropped EXE
  PID:2720
- C:\Windows\System\LCNzzkR.exe
  C:\Windows\System\LCNzzkR.exe
  2⤵
  - Executes dropped EXE
  PID:688

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BIGKBfh.exe

Filesize
5.2MB

MD5
12d018787b1f25d35b4afe8547fa2725

SHA1
23fcd23de8e5860e7e80c3177603514e580f309c

SHA256
12b5e4a41731eef293e246c7176c269eba55b634b02fa51c6a715639801b55ea

SHA512
cbfc3488a3047917e03007a9c711f5813faf96a86e673210af9d6f181091c990013ccf6c1cf915d04f2f337cd74c5eeb888d21d50fc3e4a374b8493a83edb93f

Download Submit
C:\Windows\System\BuVWlzu.exe

Filesize
5.2MB

MD5
8056c33fa1c16c8ddf3b9728c414d179

SHA1
d28137aaef7eba330c01519789e84fb86b149388

SHA256
dc5b2b82459ce10a030b01d1654fe0383ba2e29dbed08eb50dabef8b22afd6e6

SHA512
1f882de2069c81fc8078235ed1a051bddfcf3ed93a7dbc8d6f3aef4bbdbfb8fe9475ff850e7f491d37c4cebc3d795dc3591c94e74f720aaa58ca181b05d290af

Download Submit
C:\Windows\System\DdYpLHq.exe

Filesize
5.2MB

MD5
65011297ced2ae7bad2cda0e51f587f4

SHA1
5073e8784e898d12b17c1b3c335e9c45b911591e

SHA256
1384dab68f7fb8970226df7425ca31f22584d35bed24563f7450bccbda7bb490

SHA512
00d07b5b61e552895b9c6c9d54902916d01a8a3ca3eb68d7a5988281970b201fe034311feac05d24cb1d52dd37283ac6a8bd3fea28e4bb5e18434b5793f23d56

Download Submit
C:\Windows\System\DiiUZEz.exe

Filesize
5.2MB

MD5
9251bb153ccc45b120b219dd8aac3fb7

SHA1
92ad68a14855bd2bb88104654a219b4a3e81a713

SHA256
700de74bf63e21c34a67947b41acb28426091b512d2097857849753328a5cab7

SHA512
1346bf9da844236ab9e2d5492eb0791756ec70109b6e79c152f33eed768150484f99653527ba6e7ccc8ef67df0387ab2038c3e524fab8abca2616477d55c63bb

Download Submit
C:\Windows\System\EMbBeSd.exe

Filesize
5.2MB

MD5
0c8ae13a052b38b92faada742c70b279

SHA1
5d298f447141cc4fa1220a1eef7e277b9963b6ff

SHA256
d035536741474569d3d1e10f2168d610e21b578e94659ec95702594244ae3123

SHA512
e37b9da446b8b4eb38a97d9071fa3aa2e36ee556bc6ceda6f2d451c6b960484babedb231d1ed06dcbc824cd398bad6aafad8873e1da0efeed91c6d5c65c791cc

Download Submit
C:\Windows\System\IBJZzCX.exe

Filesize
5.2MB

MD5
fe43d3d993d61605dc9e85e9aae00004

SHA1
f53c1576c951a5060b4fa47d4116ea7d1be839e8

SHA256
cfaa91ddf87dd190652a3a92b7514f95e31608effb8b60a32f774991659b5c71

SHA512
e7391c7c2b81ddedec47b3579d2f203013e9e0ffe7fc9c04e351063fd6ad7884501e97923f27d0b56edcc82cda933365dfc572f0e4dc3af67d0a707873786a87

Download Submit
C:\Windows\System\LCNzzkR.exe

Filesize
5.2MB

MD5
a7a349931e9b458b1294c6fa977d2e48

SHA1
e6c848e5ef4db48c6c30b29976385be60ddb4222

SHA256
c1ada696883bfbb8a06f364c215fcf10597025089748c8c9f8cd3d000c8d4b34

SHA512
a30d049dbbd2550ddc45bf3bcc3317e0deab6eb17ccaed75d4d3b81106f76940109199595d04b8e254172096650f32162330c8eecc13fdb1c7bfaf6e348c1303

Download Submit
C:\Windows\System\MFAcdoD.exe

Filesize
5.2MB

MD5
ad1d84ef0ebaa316db1f99c232c102d2

SHA1
0f3188e6395c1fe478236940cb6e9cc537e32e42

SHA256
ca068f5dc609c11ad480c6fe7bcd42f0eb0272c2160871837319b96f63fdaffc

SHA512
d1ce5cc4d1d3e36c3c6a1be75cbe9ca7414e1848955f91dde5bfe34324d70d10bc4d4c0e72fce215b64141d194592d0add61acb06f5a9004f69c983bcf126877

Download Submit
C:\Windows\System\NJFlJdc.exe

Filesize
5.2MB

MD5
df6c0c37ac20d6028dba93c4a69d078f

SHA1
549fae585ce5b7d6df4b591eea25d73e9c32bafd

SHA256
1d7887c8d6fc666a95c87e4fd59c93dbd6f83532e654e7fc029af579a88daf5b

SHA512
67fe608e239618592c7de147db8d812a01ede1ab7ae37cd000104c8336c7c8174a2ba6547bca7b43f145ad258665276f2124fcfdef8e3af302e0fcf9e947c546

Download Submit
C:\Windows\System\REUMAJF.exe

Filesize
5.2MB

MD5
37f04926af1130517adab3d4956bec50

SHA1
b350526a25440a9997e7450f6ad91bf9f7d6d712

SHA256
ea2c9ff2d9d112e6b2e47026eccec40f77b95e9e7c9e1ba892239bb1512ef8f7

SHA512
5809f07b28a84b6fb470193160222d9d67eb3508382f0ec2ea89e36ff0d53771660547f1324b8fcbdad2584cf8ba5d7dd1dea2cfe6d1588925110c8f5da02a64

Download Submit
C:\Windows\System\VFOsKde.exe

Filesize
5.2MB

MD5
e1e13c5f0179e225ef6543e545c8d346

SHA1
6dcfa3fd0582c91ddede1e32932773460d8953d3

SHA256
c6978662f47d2d2aa5b666664202a717343efed011f451fb05a7e44a5521905c

SHA512
842f8d247ab5efecfe65fd4a017e616e38917f0874b235b2913786284b1d3d746afb1021cd5b20cf354dd3f05fd73728b68e503abc847c7fff8c5c288b068a71

Download Submit
C:\Windows\System\iRaPthf.exe

Filesize
5.2MB

MD5
a813e26ee4ac001454a71fbc7e134388

SHA1
6669ac7cd31b2e1aff104536ae8a8189238487da

SHA256
2bb44afb0a69b2978809a55ec16f60e6451ded9e0232ff07121fff3d0d72ff18

SHA512
82c9b4a2bd4649efd3a4b21a97e1202fdd309b2b90e3c44f3a98a2f449f523531471909e7072fd5e783920e692f527c5a4e38b7cd740b597bc172b139c53dc88

Download Submit
C:\Windows\System\ijemIqU.exe

Filesize
5.2MB

MD5
675990978c522ba70d21a42c6ba43eb9

SHA1
871e56219950b2f3fd313a5dae89c0680016c131

SHA256
e465de513cac5bc49a79d0cc5c325718f4362bc2022a8313ac23271b1e25120d

SHA512
4241b7e73c098fe6fe183b72d48244b1961ee848260aef6997311c9b2c44535344edcd1a3db579e740473dc0c337ea6f891e016099bed0315244f9f955c2a57c

Download Submit
C:\Windows\System\mWvybWZ.exe

Filesize
5.2MB

MD5
16db9789b6363c7d4ba7d1efe68923dc

SHA1
21a626507ef0956e9a66620e186fceeae746bb5a

SHA256
427e4ffebedf49d948d322dc3ebb79ac84caa341d08147e1f07165300d2eb04b

SHA512
19eb393cbf73056513e3ed7805465f147c85aabc389742497a02b521e50a87635a0850822f1d2ef3ff592cd8502109753073d9eec1bc75395431f597f4470421

Download Submit
C:\Windows\System\serZTCP.exe

Filesize
5.2MB

MD5
08875c93e65704b0dd87818bd2100966

SHA1
216230981b478260ac7b6598361d5469df831ae2

SHA256
4955df5efed7b079c5132285fc2fa5d60929298635d509887b358be76edcf5d1

SHA512
660ee0c84b5b4309866cab2e12425bea7fe13f446f411c4bee1fe3c74f39b834823d4b24795fde20078741dc8b25642a08d5af9d8fc10b85ce10c93d0644b327

Download Submit
C:\Windows\System\tIHhKHR.exe

Filesize
5.2MB

MD5
e936631b5e2f93a14e966bc687c6c711

SHA1
a0fee087bdf538ee28e768030960f15310c2d2c2

SHA256
e379d18acb50673390847f0ad379f8a4c6b7018064b47247a1e71221cfcde828

SHA512
168e562d4beedafb9fcfa4cd6f21597535452a4277ac5b02698292764159dfcb661768b7b8ce66aa4f875764951bbd744ed6d11490a590e6757dde70abbc3aa8

Download Submit
C:\Windows\System\ubwxkVG.exe

Filesize
5.2MB

MD5
d813f0bba1cc092ed6ff56ab42a149fd

SHA1
b2ca1e5b683cf035fadd0b03b63cd19aeb70b782

SHA256
06a8feb8e7575539dbac7bc03478ff7a8fbe7940dbc86a07c748992dd80abd8f

SHA512
7f91819b8bb8439f6f549e2b729cf47b492ceb32c7fd3838ef2e4207463035935620e535135ec88550ba0797a5e3142a63c4e9e40fa6599c1d2db6b044128f62

Download Submit
C:\Windows\System\ufVyYSn.exe

Filesize
5.2MB

MD5
95235de99577fbe433c0842745060497

SHA1
f7795f42ecbc1579b1ac4bfcfd0b51dd36bad2db

SHA256
cc3a42f42f5bd5064daaac88658547369b3dc8348fe86f05894fac8637c9d651

SHA512
a69fac0c9dc7775428c670550ba686c32a0477df69a23c249458d4597779143c1cdb4f710c14c64e387198ed74b81096ebc07242d30c448965b3713a5d93039c

Download Submit
C:\Windows\System\yYqniGd.exe

Filesize
5.2MB

MD5
ecf53dd78f5b96a306a229665b668af0

SHA1
ffb40ba7790d7dd585c5918681879026239e231d

SHA256
087b8c3fe48bdd3c925a37f145f3b7f73543db3866f1d5a5abe858616afbd9ce

SHA512
28d3c58544a5c50da7f4cce0532d8e314f6fb805be83cc3035f8e1351cb1f24a35aa0d593d6dbe292cd965ebe85946668544e74ea2870142777bb3c2dda0f67d

Download Submit
C:\Windows\System\yibeAnS.exe

Filesize
5.2MB

MD5
798633173a36a4490d7974d144586f0e

SHA1
5f31fe95b459386e9220c96261ff492ec3362de0

SHA256
e02ba5d86f15303463ba67996ce661c70b7e7c5c75ad877ffbd5bffae53bbb15

SHA512
5b3b98c4915376d9f79b44e632886a047ab8b0a4bce9ee90d0c003bf4d36b930b03d33d44532b3b9015d53d2cd2cdb17c1cd924acd31994566b369d8f956997e

Download Submit
C:\Windows\System\ykZHmPs.exe

Filesize
5.2MB

MD5
85175662554babbbe44f9177cbfd473e

SHA1
c0b921bc11190445cf8a58923331f8746c7eaec5

SHA256
f67efa20fd4b05279b1dc73d21f42e0cd4fa5afa1ec942867eac7e28ea449929

SHA512
d63a3441ab8558194b08c110931153ea26ca9d9f858ac95076d7628d6a3a89c8d991d31980af0d05df8b4fd205399ed26192cc16c9a0794acaf6132fdc4d42f6

Download Submit
memory/116-83-0x00007FF667C80000-0x00007FF667FD1000-memory.dmp

Filesize
3.3MB

Download
memory/116-32-0x00007FF667C80000-0x00007FF667FD1000-memory.dmp

Filesize
3.3MB

Download
memory/116-223-0x00007FF667C80000-0x00007FF667FD1000-memory.dmp

Filesize
3.3MB

Download
memory/212-59-0x00007FF62B170000-0x00007FF62B4C1000-memory.dmp

Filesize
3.3MB

Download
memory/212-0-0x00007FF62B170000-0x00007FF62B4C1000-memory.dmp

Filesize
3.3MB

Download
memory/212-132-0x00007FF62B170000-0x00007FF62B4C1000-memory.dmp

Filesize
3.3MB

Download
memory/212-159-0x00007FF62B170000-0x00007FF62B4C1000-memory.dmp

Filesize
3.3MB

Download
memory/212-1-0x000002EF877B0000-0x000002EF877C0000-memory.dmp

Filesize
64KB

Download
memory/688-143-0x00007FF7B54C0000-0x00007FF7B5811000-memory.dmp

Filesize
3.3MB

Download
memory/688-266-0x00007FF7B54C0000-0x00007FF7B5811000-memory.dmp

Filesize
3.3MB

Download
memory/756-79-0x00007FF677F20000-0x00007FF678271000-memory.dmp

Filesize
3.3MB

Download
memory/756-250-0x00007FF677F20000-0x00007FF678271000-memory.dmp

Filesize
3.3MB

Download
memory/756-148-0x00007FF677F20000-0x00007FF678271000-memory.dmp

Filesize
3.3MB

Download
memory/1032-155-0x00007FF67EAF0000-0x00007FF67EE41000-memory.dmp

Filesize
3.3MB

Download
memory/1032-131-0x00007FF67EAF0000-0x00007FF67EE41000-memory.dmp

Filesize
3.3MB

Download
memory/1032-256-0x00007FF67EAF0000-0x00007FF67EE41000-memory.dmp

Filesize
3.3MB

Download
memory/1136-104-0x00007FF6EC9C0000-0x00007FF6ECD11000-memory.dmp

Filesize
3.3MB

Download
memory/1136-229-0x00007FF6EC9C0000-0x00007FF6ECD11000-memory.dmp

Filesize
3.3MB

Download
memory/1136-45-0x00007FF6EC9C0000-0x00007FF6ECD11000-memory.dmp

Filesize
3.3MB

Download
memory/1392-61-0x00007FF70D6C0000-0x00007FF70DA11000-memory.dmp

Filesize
3.3MB

Download
memory/1392-215-0x00007FF70D6C0000-0x00007FF70DA11000-memory.dmp

Filesize
3.3MB

Download
memory/1392-7-0x00007FF70D6C0000-0x00007FF70DA11000-memory.dmp

Filesize
3.3MB

Download
memory/1516-221-0x00007FF7CD000000-0x00007FF7CD351000-memory.dmp

Filesize
3.3MB

Download
memory/1516-71-0x00007FF7CD000000-0x00007FF7CD351000-memory.dmp

Filesize
3.3MB

Download
memory/1516-20-0x00007FF7CD000000-0x00007FF7CD351000-memory.dmp

Filesize
3.3MB

Download
memory/1524-231-0x00007FF657D20000-0x00007FF658071000-memory.dmp

Filesize
3.3MB

Download
memory/1524-54-0x00007FF657D20000-0x00007FF658071000-memory.dmp

Filesize
3.3MB

Download
memory/1524-141-0x00007FF657D20000-0x00007FF658071000-memory.dmp

Filesize
3.3MB

Download
memory/1924-142-0x00007FF6C3140000-0x00007FF6C3491000-memory.dmp

Filesize
3.3MB

Download
memory/1924-62-0x00007FF6C3140000-0x00007FF6C3491000-memory.dmp

Filesize
3.3MB

Download
memory/1924-240-0x00007FF6C3140000-0x00007FF6C3491000-memory.dmp

Filesize
3.3MB

Download
memory/2120-75-0x00007FF757D20000-0x00007FF758071000-memory.dmp

Filesize
3.3MB

Download
memory/2120-146-0x00007FF757D20000-0x00007FF758071000-memory.dmp

Filesize
3.3MB

Download
memory/2120-242-0x00007FF757D20000-0x00007FF758071000-memory.dmp

Filesize
3.3MB

Download
memory/2400-228-0x00007FF6C0B70000-0x00007FF6C0EC1000-memory.dmp

Filesize
3.3MB

Download
memory/2400-140-0x00007FF6C0B70000-0x00007FF6C0EC1000-memory.dmp

Filesize
3.3MB

Download
memory/2400-50-0x00007FF6C0B70000-0x00007FF6C0EC1000-memory.dmp

Filesize
3.3MB

Download
memory/2644-154-0x00007FF712BF0000-0x00007FF712F41000-memory.dmp

Filesize
3.3MB

Download
memory/2644-264-0x00007FF712BF0000-0x00007FF712F41000-memory.dmp

Filesize
3.3MB

Download
memory/2644-110-0x00007FF712BF0000-0x00007FF712F41000-memory.dmp

Filesize
3.3MB

Download
memory/2680-14-0x00007FF6B3FA0000-0x00007FF6B42F1000-memory.dmp

Filesize
3.3MB

Download
memory/2680-69-0x00007FF6B3FA0000-0x00007FF6B42F1000-memory.dmp

Filesize
3.3MB

Download
memory/2680-217-0x00007FF6B3FA0000-0x00007FF6B42F1000-memory.dmp

Filesize
3.3MB

Download
memory/2720-262-0x00007FF6DB300000-0x00007FF6DB651000-memory.dmp

Filesize
3.3MB

Download
memory/2720-145-0x00007FF6DB300000-0x00007FF6DB651000-memory.dmp

Filesize
3.3MB

Download
memory/3876-219-0x00007FF77E930000-0x00007FF77EC81000-memory.dmp

Filesize
3.3MB

Download
memory/3876-31-0x00007FF77E930000-0x00007FF77EC81000-memory.dmp

Filesize
3.3MB

Download
memory/3900-252-0x00007FF7A0B50000-0x00007FF7A0EA1000-memory.dmp

Filesize
3.3MB

Download
memory/3900-94-0x00007FF7A0B50000-0x00007FF7A0EA1000-memory.dmp

Filesize
3.3MB

Download
memory/3900-151-0x00007FF7A0B50000-0x00007FF7A0EA1000-memory.dmp

Filesize
3.3MB

Download
memory/4072-259-0x00007FF6749A0000-0x00007FF674CF1000-memory.dmp

Filesize
3.3MB

Download
memory/4072-118-0x00007FF6749A0000-0x00007FF674CF1000-memory.dmp

Filesize
3.3MB

Download
memory/4072-153-0x00007FF6749A0000-0x00007FF674CF1000-memory.dmp

Filesize
3.3MB

Download
memory/4444-150-0x00007FF7BA2A0000-0x00007FF7BA5F1000-memory.dmp

Filesize
3.3MB

Download
memory/4444-84-0x00007FF7BA2A0000-0x00007FF7BA5F1000-memory.dmp

Filesize
3.3MB

Download
memory/4444-244-0x00007FF7BA2A0000-0x00007FF7BA5F1000-memory.dmp

Filesize
3.3MB

Download
memory/4548-98-0x00007FF6B3EF0000-0x00007FF6B4241000-memory.dmp

Filesize
3.3MB

Download
memory/4548-225-0x00007FF6B3EF0000-0x00007FF6B4241000-memory.dmp

Filesize
3.3MB

Download
memory/4548-34-0x00007FF6B3EF0000-0x00007FF6B4241000-memory.dmp

Filesize
3.3MB

Download
memory/4636-144-0x00007FF7463B0000-0x00007FF746701000-memory.dmp

Filesize
3.3MB

Download
memory/4636-261-0x00007FF7463B0000-0x00007FF746701000-memory.dmp

Filesize
3.3MB

Download
memory/5096-254-0x00007FF661100000-0x00007FF661451000-memory.dmp

Filesize
3.3MB

Download
memory/5096-152-0x00007FF661100000-0x00007FF661451000-memory.dmp

Filesize
3.3MB

Download
memory/5096-102-0x00007FF661100000-0x00007FF661451000-memory.dmp

Filesize
3.3MB

Download