cobaltstrike | 65da0d0091a2110cb5bfcd14bc79f90f276025eb7828abe30165948f1bbffd3c

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-11-2024 21:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-11_cf3430bf55fb33d664d2d8874c970901_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

cf3430bf55fb33d664d2d8874c970901
SHA1

7897dd3b9e47707f2635724f40b57119fd47e3ab
SHA256

65da0d0091a2110cb5bfcd14bc79f90f276025eb7828abe30165948f1bbffd3c
SHA512

c86f2f8bef0ecb90467225e99de0974b0f13f2e50a19616760d7d6139246be5f7a444e77c057e1b83514da80531823b8c1307817c07dd5ca7870793e0f4748f0
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6ls:RWWBibf56utgpPFotBER/mQ32lUA

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000a000000023b9e-9.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9f-18.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba5-50.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba6-52.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba3-44.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba2-37.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba4-45.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba0-26.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba1-33.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9d-19.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b99-7.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba9-76.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023bac-96.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023bae-104.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023bad-112.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b9a-110.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023bab-106.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba8-100.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023baa-98.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba7-83.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023baf-145.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 46 IoCs

miner

resource	yara_rule
behavioral2/memory/964-41-0x00007FF6CC660000-0x00007FF6CC9B1000-memory.dmp	xmrig
behavioral2/memory/4656-118-0x00007FF6E66D0000-0x00007FF6E6A21000-memory.dmp	xmrig
behavioral2/memory/216-120-0x00007FF633DB0000-0x00007FF634101000-memory.dmp	xmrig
behavioral2/memory/1080-119-0x00007FF6C0200000-0x00007FF6C0551000-memory.dmp	xmrig
behavioral2/memory/436-117-0x00007FF704D90000-0x00007FF7050E1000-memory.dmp	xmrig
behavioral2/memory/1028-116-0x00007FF7E3420000-0x00007FF7E3771000-memory.dmp	xmrig
behavioral2/memory/4168-105-0x00007FF641440000-0x00007FF641791000-memory.dmp	xmrig
behavioral2/memory/4964-103-0x00007FF6ABD70000-0x00007FF6AC0C1000-memory.dmp	xmrig
behavioral2/memory/1100-92-0x00007FF61D440000-0x00007FF61D791000-memory.dmp	xmrig
behavioral2/memory/3376-90-0x00007FF782270000-0x00007FF7825C1000-memory.dmp	xmrig
behavioral2/memory/1708-123-0x00007FF79BF20000-0x00007FF79C271000-memory.dmp	xmrig
behavioral2/memory/964-128-0x00007FF6CC660000-0x00007FF6CC9B1000-memory.dmp	xmrig
behavioral2/memory/2756-143-0x00007FF7C6920000-0x00007FF7C6C71000-memory.dmp	xmrig
behavioral2/memory/4796-140-0x00007FF7F6AE0000-0x00007FF7F6E31000-memory.dmp	xmrig
behavioral2/memory/2596-134-0x00007FF74ABA0000-0x00007FF74AEF1000-memory.dmp	xmrig
behavioral2/memory/4900-132-0x00007FF6FE260000-0x00007FF6FE5B1000-memory.dmp	xmrig
behavioral2/memory/2796-130-0x00007FF778420000-0x00007FF778771000-memory.dmp	xmrig
behavioral2/memory/2552-129-0x00007FF6DD030000-0x00007FF6DD381000-memory.dmp	xmrig
behavioral2/memory/840-127-0x00007FF60E9E0000-0x00007FF60ED31000-memory.dmp	xmrig
behavioral2/memory/2736-126-0x00007FF7200F0000-0x00007FF720441000-memory.dmp	xmrig
behavioral2/memory/3288-125-0x00007FF703490000-0x00007FF7037E1000-memory.dmp	xmrig
behavioral2/memory/2856-124-0x00007FF78CD00000-0x00007FF78D051000-memory.dmp	xmrig
behavioral2/memory/1708-149-0x00007FF79BF20000-0x00007FF79C271000-memory.dmp	xmrig
behavioral2/memory/1708-150-0x00007FF79BF20000-0x00007FF79C271000-memory.dmp	xmrig
behavioral2/memory/1580-172-0x00007FF7E8130000-0x00007FF7E8481000-memory.dmp	xmrig
behavioral2/memory/2856-202-0x00007FF78CD00000-0x00007FF78D051000-memory.dmp	xmrig
behavioral2/memory/3288-219-0x00007FF703490000-0x00007FF7037E1000-memory.dmp	xmrig
behavioral2/memory/964-221-0x00007FF6CC660000-0x00007FF6CC9B1000-memory.dmp	xmrig
behavioral2/memory/840-223-0x00007FF60E9E0000-0x00007FF60ED31000-memory.dmp	xmrig
behavioral2/memory/2736-225-0x00007FF7200F0000-0x00007FF720441000-memory.dmp	xmrig
behavioral2/memory/1100-227-0x00007FF61D440000-0x00007FF61D791000-memory.dmp	xmrig
behavioral2/memory/2796-232-0x00007FF778420000-0x00007FF778771000-memory.dmp	xmrig
behavioral2/memory/4900-237-0x00007FF6FE260000-0x00007FF6FE5B1000-memory.dmp	xmrig
behavioral2/memory/4656-240-0x00007FF6E66D0000-0x00007FF6E6A21000-memory.dmp	xmrig
behavioral2/memory/1080-235-0x00007FF6C0200000-0x00007FF6C0551000-memory.dmp	xmrig
behavioral2/memory/3376-233-0x00007FF782270000-0x00007FF7825C1000-memory.dmp	xmrig
behavioral2/memory/2552-229-0x00007FF6DD030000-0x00007FF6DD381000-memory.dmp	xmrig
behavioral2/memory/4168-251-0x00007FF641440000-0x00007FF641791000-memory.dmp	xmrig
behavioral2/memory/436-253-0x00007FF704D90000-0x00007FF7050E1000-memory.dmp	xmrig
behavioral2/memory/1028-254-0x00007FF7E3420000-0x00007FF7E3771000-memory.dmp	xmrig
behavioral2/memory/4964-249-0x00007FF6ABD70000-0x00007FF6AC0C1000-memory.dmp	xmrig
behavioral2/memory/216-246-0x00007FF633DB0000-0x00007FF634101000-memory.dmp	xmrig
behavioral2/memory/4796-244-0x00007FF7F6AE0000-0x00007FF7F6E31000-memory.dmp	xmrig
behavioral2/memory/2596-242-0x00007FF74ABA0000-0x00007FF74AEF1000-memory.dmp	xmrig
behavioral2/memory/2756-256-0x00007FF7C6920000-0x00007FF7C6C71000-memory.dmp	xmrig
behavioral2/memory/1580-260-0x00007FF7E8130000-0x00007FF7E8481000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2856	NoHJLPj.exe
3288	jXecyAK.exe
2736	ZnumsjT.exe
840	ZXNEEpt.exe
964	VENKUNF.exe
2552	lNDvExc.exe
2796	hHBTzAu.exe
3376	RdeIKDI.exe
4900	PziPpcl.exe
1100	DOSAyuO.exe
2596	vMkeUgM.exe
4656	HVZgHVw.exe
4964	fjKkVOH.exe
1080	KgJDqlg.exe
4168	OjIOoLz.exe
216	vjpDNUx.exe
4796	yoZqygf.exe
1028	CLVlDFo.exe
436	gekCvde.exe
2756	xTGBjui.exe
1580	KnbAHFY.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1708-0-0x00007FF79BF20000-0x00007FF79C271000-memory.dmp	upx
behavioral2/memory/2856-6-0x00007FF78CD00000-0x00007FF78D051000-memory.dmp	upx
behavioral2/files/0x000a000000023b9e-9.dat	upx
behavioral2/files/0x000a000000023b9f-18.dat	upx
behavioral2/files/0x000a000000023ba5-50.dat	upx
behavioral2/files/0x000a000000023ba6-52.dat	upx
behavioral2/memory/2796-47-0x00007FF778420000-0x00007FF778771000-memory.dmp	upx
behavioral2/files/0x000a000000023ba3-44.dat	upx
behavioral2/memory/964-41-0x00007FF6CC660000-0x00007FF6CC9B1000-memory.dmp	upx
behavioral2/files/0x000a000000023ba2-37.dat	upx
behavioral2/files/0x000a000000023ba4-45.dat	upx
behavioral2/memory/840-28-0x00007FF60E9E0000-0x00007FF60ED31000-memory.dmp	upx
behavioral2/files/0x000a000000023ba0-26.dat	upx
behavioral2/files/0x000a000000023ba1-33.dat	upx
behavioral2/memory/2736-22-0x00007FF7200F0000-0x00007FF720441000-memory.dmp	upx
behavioral2/files/0x000a000000023b9d-19.dat	upx
behavioral2/memory/3288-15-0x00007FF703490000-0x00007FF7037E1000-memory.dmp	upx
behavioral2/files/0x000b000000023b99-7.dat	upx
behavioral2/files/0x000a000000023ba9-76.dat	upx
behavioral2/files/0x000a000000023bac-96.dat	upx
behavioral2/files/0x000a000000023bae-104.dat	upx
behavioral2/memory/4656-118-0x00007FF6E66D0000-0x00007FF6E6A21000-memory.dmp	upx
behavioral2/memory/2756-121-0x00007FF7C6920000-0x00007FF7C6C71000-memory.dmp	upx
behavioral2/memory/216-120-0x00007FF633DB0000-0x00007FF634101000-memory.dmp	upx
behavioral2/memory/1080-119-0x00007FF6C0200000-0x00007FF6C0551000-memory.dmp	upx
behavioral2/memory/436-117-0x00007FF704D90000-0x00007FF7050E1000-memory.dmp	upx
behavioral2/memory/1028-116-0x00007FF7E3420000-0x00007FF7E3771000-memory.dmp	upx
behavioral2/memory/4796-115-0x00007FF7F6AE0000-0x00007FF7F6E31000-memory.dmp	upx
behavioral2/files/0x000a000000023bad-112.dat	upx
behavioral2/files/0x000b000000023b9a-110.dat	upx
behavioral2/files/0x000a000000023bab-106.dat	upx
behavioral2/memory/4168-105-0x00007FF641440000-0x00007FF641791000-memory.dmp	upx
behavioral2/memory/4964-103-0x00007FF6ABD70000-0x00007FF6AC0C1000-memory.dmp	upx
behavioral2/files/0x000a000000023ba8-100.dat	upx
behavioral2/files/0x000a000000023baa-98.dat	upx
behavioral2/memory/1100-92-0x00007FF61D440000-0x00007FF61D791000-memory.dmp	upx
behavioral2/memory/3376-90-0x00007FF782270000-0x00007FF7825C1000-memory.dmp	upx
behavioral2/files/0x000a000000023ba7-83.dat	upx
behavioral2/memory/2552-71-0x00007FF6DD030000-0x00007FF6DD381000-memory.dmp	upx
behavioral2/memory/2596-58-0x00007FF74ABA0000-0x00007FF74AEF1000-memory.dmp	upx
behavioral2/memory/4900-53-0x00007FF6FE260000-0x00007FF6FE5B1000-memory.dmp	upx
behavioral2/memory/1708-123-0x00007FF79BF20000-0x00007FF79C271000-memory.dmp	upx
behavioral2/memory/964-128-0x00007FF6CC660000-0x00007FF6CC9B1000-memory.dmp	upx
behavioral2/memory/2756-143-0x00007FF7C6920000-0x00007FF7C6C71000-memory.dmp	upx
behavioral2/files/0x000a000000023baf-145.dat	upx
behavioral2/memory/1580-146-0x00007FF7E8130000-0x00007FF7E8481000-memory.dmp	upx
behavioral2/memory/4796-140-0x00007FF7F6AE0000-0x00007FF7F6E31000-memory.dmp	upx
behavioral2/memory/2596-134-0x00007FF74ABA0000-0x00007FF74AEF1000-memory.dmp	upx
behavioral2/memory/4900-132-0x00007FF6FE260000-0x00007FF6FE5B1000-memory.dmp	upx
behavioral2/memory/2796-130-0x00007FF778420000-0x00007FF778771000-memory.dmp	upx
behavioral2/memory/2552-129-0x00007FF6DD030000-0x00007FF6DD381000-memory.dmp	upx
behavioral2/memory/840-127-0x00007FF60E9E0000-0x00007FF60ED31000-memory.dmp	upx
behavioral2/memory/2736-126-0x00007FF7200F0000-0x00007FF720441000-memory.dmp	upx
behavioral2/memory/3288-125-0x00007FF703490000-0x00007FF7037E1000-memory.dmp	upx
behavioral2/memory/2856-124-0x00007FF78CD00000-0x00007FF78D051000-memory.dmp	upx
behavioral2/memory/1708-149-0x00007FF79BF20000-0x00007FF79C271000-memory.dmp	upx
behavioral2/memory/1708-150-0x00007FF79BF20000-0x00007FF79C271000-memory.dmp	upx
behavioral2/memory/1580-172-0x00007FF7E8130000-0x00007FF7E8481000-memory.dmp	upx
behavioral2/memory/2856-202-0x00007FF78CD00000-0x00007FF78D051000-memory.dmp	upx
behavioral2/memory/3288-219-0x00007FF703490000-0x00007FF7037E1000-memory.dmp	upx
behavioral2/memory/964-221-0x00007FF6CC660000-0x00007FF6CC9B1000-memory.dmp	upx
behavioral2/memory/840-223-0x00007FF60E9E0000-0x00007FF60ED31000-memory.dmp	upx
behavioral2/memory/2736-225-0x00007FF7200F0000-0x00007FF720441000-memory.dmp	upx
behavioral2/memory/1100-227-0x00007FF61D440000-0x00007FF61D791000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\CLVlDFo.exe	2024-11-11_cf3430bf55fb33d664d2d8874c970901_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KnbAHFY.exe	2024-11-11_cf3430bf55fb33d664d2d8874c970901_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZXNEEpt.exe	2024-11-11_cf3430bf55fb33d664d2d8874c970901_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HVZgHVw.exe	2024-11-11_cf3430bf55fb33d664d2d8874c970901_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hHBTzAu.exe	2024-11-11_cf3430bf55fb33d664d2d8874c970901_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vMkeUgM.exe	2024-11-11_cf3430bf55fb33d664d2d8874c970901_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OjIOoLz.exe	2024-11-11_cf3430bf55fb33d664d2d8874c970901_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gekCvde.exe	2024-11-11_cf3430bf55fb33d664d2d8874c970901_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jXecyAK.exe	2024-11-11_cf3430bf55fb33d664d2d8874c970901_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VENKUNF.exe	2024-11-11_cf3430bf55fb33d664d2d8874c970901_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fjKkVOH.exe	2024-11-11_cf3430bf55fb33d664d2d8874c970901_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vjpDNUx.exe	2024-11-11_cf3430bf55fb33d664d2d8874c970901_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xTGBjui.exe	2024-11-11_cf3430bf55fb33d664d2d8874c970901_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lNDvExc.exe	2024-11-11_cf3430bf55fb33d664d2d8874c970901_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DOSAyuO.exe	2024-11-11_cf3430bf55fb33d664d2d8874c970901_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RdeIKDI.exe	2024-11-11_cf3430bf55fb33d664d2d8874c970901_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PziPpcl.exe	2024-11-11_cf3430bf55fb33d664d2d8874c970901_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KgJDqlg.exe	2024-11-11_cf3430bf55fb33d664d2d8874c970901_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yoZqygf.exe	2024-11-11_cf3430bf55fb33d664d2d8874c970901_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NoHJLPj.exe	2024-11-11_cf3430bf55fb33d664d2d8874c970901_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZnumsjT.exe	2024-11-11_cf3430bf55fb33d664d2d8874c970901_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1708	2024-11-11_cf3430bf55fb33d664d2d8874c970901_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	1708	2024-11-11_cf3430bf55fb33d664d2d8874c970901_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 2856	1708	2024-11-11_cf3430bf55fb33d664d2d8874c970901_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 1708 wrote to memory of 2856	1708	2024-11-11_cf3430bf55fb33d664d2d8874c970901_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 1708 wrote to memory of 3288	1708	2024-11-11_cf3430bf55fb33d664d2d8874c970901_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 1708 wrote to memory of 3288	1708	2024-11-11_cf3430bf55fb33d664d2d8874c970901_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 1708 wrote to memory of 2736	1708	2024-11-11_cf3430bf55fb33d664d2d8874c970901_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 1708 wrote to memory of 2736	1708	2024-11-11_cf3430bf55fb33d664d2d8874c970901_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 1708 wrote to memory of 840	1708	2024-11-11_cf3430bf55fb33d664d2d8874c970901_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 1708 wrote to memory of 840	1708	2024-11-11_cf3430bf55fb33d664d2d8874c970901_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 1708 wrote to memory of 964	1708	2024-11-11_cf3430bf55fb33d664d2d8874c970901_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1708 wrote to memory of 964	1708	2024-11-11_cf3430bf55fb33d664d2d8874c970901_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1708 wrote to memory of 2552	1708	2024-11-11_cf3430bf55fb33d664d2d8874c970901_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1708 wrote to memory of 2552	1708	2024-11-11_cf3430bf55fb33d664d2d8874c970901_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1708 wrote to memory of 2796	1708	2024-11-11_cf3430bf55fb33d664d2d8874c970901_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1708 wrote to memory of 2796	1708	2024-11-11_cf3430bf55fb33d664d2d8874c970901_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1708 wrote to memory of 3376	1708	2024-11-11_cf3430bf55fb33d664d2d8874c970901_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1708 wrote to memory of 3376	1708	2024-11-11_cf3430bf55fb33d664d2d8874c970901_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1708 wrote to memory of 4900	1708	2024-11-11_cf3430bf55fb33d664d2d8874c970901_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 1708 wrote to memory of 4900	1708	2024-11-11_cf3430bf55fb33d664d2d8874c970901_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 1708 wrote to memory of 1100	1708	2024-11-11_cf3430bf55fb33d664d2d8874c970901_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1708 wrote to memory of 1100	1708	2024-11-11_cf3430bf55fb33d664d2d8874c970901_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1708 wrote to memory of 2596	1708	2024-11-11_cf3430bf55fb33d664d2d8874c970901_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1708 wrote to memory of 2596	1708	2024-11-11_cf3430bf55fb33d664d2d8874c970901_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1708 wrote to memory of 4656	1708	2024-11-11_cf3430bf55fb33d664d2d8874c970901_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 1708 wrote to memory of 4656	1708	2024-11-11_cf3430bf55fb33d664d2d8874c970901_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 1708 wrote to memory of 4964	1708	2024-11-11_cf3430bf55fb33d664d2d8874c970901_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1708 wrote to memory of 4964	1708	2024-11-11_cf3430bf55fb33d664d2d8874c970901_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1708 wrote to memory of 1080	1708	2024-11-11_cf3430bf55fb33d664d2d8874c970901_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1708 wrote to memory of 1080	1708	2024-11-11_cf3430bf55fb33d664d2d8874c970901_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1708 wrote to memory of 4168	1708	2024-11-11_cf3430bf55fb33d664d2d8874c970901_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1708 wrote to memory of 4168	1708	2024-11-11_cf3430bf55fb33d664d2d8874c970901_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1708 wrote to memory of 216	1708	2024-11-11_cf3430bf55fb33d664d2d8874c970901_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1708 wrote to memory of 216	1708	2024-11-11_cf3430bf55fb33d664d2d8874c970901_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1708 wrote to memory of 4796	1708	2024-11-11_cf3430bf55fb33d664d2d8874c970901_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1708 wrote to memory of 4796	1708	2024-11-11_cf3430bf55fb33d664d2d8874c970901_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1708 wrote to memory of 1028	1708	2024-11-11_cf3430bf55fb33d664d2d8874c970901_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 1708 wrote to memory of 1028	1708	2024-11-11_cf3430bf55fb33d664d2d8874c970901_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 1708 wrote to memory of 436	1708	2024-11-11_cf3430bf55fb33d664d2d8874c970901_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 1708 wrote to memory of 436	1708	2024-11-11_cf3430bf55fb33d664d2d8874c970901_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 1708 wrote to memory of 2756	1708	2024-11-11_cf3430bf55fb33d664d2d8874c970901_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 1708 wrote to memory of 2756	1708	2024-11-11_cf3430bf55fb33d664d2d8874c970901_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 1708 wrote to memory of 1580	1708	2024-11-11_cf3430bf55fb33d664d2d8874c970901_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 1708 wrote to memory of 1580	1708	2024-11-11_cf3430bf55fb33d664d2d8874c970901_cobalt-strike_cobaltstrike_poet-rat.exe	107

C:\Users\Admin\AppData\Local\Temp\2024-11-11_cf3430bf55fb33d664d2d8874c970901_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-11_cf3430bf55fb33d664d2d8874c970901_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Windows\System\NoHJLPj.exe
  C:\Windows\System\NoHJLPj.exe
  2⤵
  - Executes dropped EXE
  PID:2856
- C:\Windows\System\jXecyAK.exe
  C:\Windows\System\jXecyAK.exe
  2⤵
  - Executes dropped EXE
  PID:3288
- C:\Windows\System\ZnumsjT.exe
  C:\Windows\System\ZnumsjT.exe
  2⤵
  - Executes dropped EXE
  PID:2736
- C:\Windows\System\ZXNEEpt.exe
  C:\Windows\System\ZXNEEpt.exe
  2⤵
  - Executes dropped EXE
  PID:840
- C:\Windows\System\VENKUNF.exe
  C:\Windows\System\VENKUNF.exe
  2⤵
  - Executes dropped EXE
  PID:964
- C:\Windows\System\lNDvExc.exe
  C:\Windows\System\lNDvExc.exe
  2⤵
  - Executes dropped EXE
  PID:2552
- C:\Windows\System\hHBTzAu.exe
  C:\Windows\System\hHBTzAu.exe
  2⤵
  - Executes dropped EXE
  PID:2796
- C:\Windows\System\RdeIKDI.exe
  C:\Windows\System\RdeIKDI.exe
  2⤵
  - Executes dropped EXE
  PID:3376
- C:\Windows\System\PziPpcl.exe
  C:\Windows\System\PziPpcl.exe
  2⤵
  - Executes dropped EXE
  PID:4900
- C:\Windows\System\DOSAyuO.exe
  C:\Windows\System\DOSAyuO.exe
  2⤵
  - Executes dropped EXE
  PID:1100
- C:\Windows\System\vMkeUgM.exe
  C:\Windows\System\vMkeUgM.exe
  2⤵
  - Executes dropped EXE
  PID:2596
- C:\Windows\System\HVZgHVw.exe
  C:\Windows\System\HVZgHVw.exe
  2⤵
  - Executes dropped EXE
  PID:4656
- C:\Windows\System\fjKkVOH.exe
  C:\Windows\System\fjKkVOH.exe
  2⤵
  - Executes dropped EXE
  PID:4964
- C:\Windows\System\KgJDqlg.exe
  C:\Windows\System\KgJDqlg.exe
  2⤵
  - Executes dropped EXE
  PID:1080
- C:\Windows\System\OjIOoLz.exe
  C:\Windows\System\OjIOoLz.exe
  2⤵
  - Executes dropped EXE
  PID:4168
- C:\Windows\System\vjpDNUx.exe
  C:\Windows\System\vjpDNUx.exe
  2⤵
  - Executes dropped EXE
  PID:216
- C:\Windows\System\yoZqygf.exe
  C:\Windows\System\yoZqygf.exe
  2⤵
  - Executes dropped EXE
  PID:4796
- C:\Windows\System\CLVlDFo.exe
  C:\Windows\System\CLVlDFo.exe
  2⤵
  - Executes dropped EXE
  PID:1028
- C:\Windows\System\gekCvde.exe
  C:\Windows\System\gekCvde.exe
  2⤵
  - Executes dropped EXE
  PID:436
- C:\Windows\System\xTGBjui.exe
  C:\Windows\System\xTGBjui.exe
  2⤵
  - Executes dropped EXE
  PID:2756
- C:\Windows\System\KnbAHFY.exe
  C:\Windows\System\KnbAHFY.exe
  2⤵
  - Executes dropped EXE
  PID:1580

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\CLVlDFo.exe

Filesize
5.2MB

MD5
371f540ac87462eb94f73c982c7f7e1f

SHA1
748b978691625a339517a9abdfe455a084d5a354

SHA256
0e2f7f4975b5f4e9d31f9c6b0d86b402ba213f2de1bae0a32e65f0c28dcee25e

SHA512
f84ab98153050ef9920ff888dc52873fa80c4d9d3075bf9e50c50e15db484987bbd135ac839791ce4748fa284da87cdd2bd7d50ffdaf09be8b10ff61b5e191dc

Download Submit
C:\Windows\System\DOSAyuO.exe

Filesize
5.2MB

MD5
f2b004b9469d2a0ccf0b0e29b29b7ced

SHA1
1869a9c833000c6f659da8eaeecf876018b007b6

SHA256
5530b1b56c281f961a50ca2330b677ac0ac53d01c94759a671e07302ae1793ea

SHA512
4aaff52b8a50f9868281f9f28da4c3d7b400ee04849ce729ad65803f86b23e443c672f36ea8ca35eb774860070cf6a7bf4932368a4f69cbd8d6a5dab6f165544

Download Submit
C:\Windows\System\HVZgHVw.exe

Filesize
5.2MB

MD5
b5a7422d5f3a0f85718158032fe35e5a

SHA1
87b4303b326396650e4e956f2928a03966d5e441

SHA256
eb540e069760eafbe7d09f8dbba9483f5b4d2d4f45deb6019a81af5bca896e95

SHA512
5384e93b1961bf6df6cdc64ce9e9668aba07063e9a1484d2a34f82571ef6d9b1e98aead41e9707336cde77dd80e7f37b3c3f2deeb359c3bc09f7c1fb4a6f8686

Download Submit
C:\Windows\System\KgJDqlg.exe

Filesize
5.2MB

MD5
1060f8780d1a057565aeb2a0c644516b

SHA1
701a19c38564a116beb5cc16542ccdd78b61f3e4

SHA256
110b881d93fe238b3c178b8effdd3fc6e131272bae73ff878840bcced6fca69b

SHA512
c92b6871ed81fa62dd807ffa2e7fdfc4322458e092510aee40f7c5cfd1f4e69054a3d0ceac37e204b2ddf60f0fc0b376eaaf59cd55f813d171edc88669cc6064

Download Submit
C:\Windows\System\KnbAHFY.exe

Filesize
5.2MB

MD5
5bac9230b11e0f7a778670160243d507

SHA1
b9ed2ca28b4d7802befca9cc9415894ff8fde610

SHA256
3c73092174d8b5599f4aa6a6d0d1cc02dddd0610ffb56b3b1eb371f50eb87e50

SHA512
6e2b0ec221c2695468ce3f151a46e544dc39cce7760f115f979314fa70d4acea8451f75f338a08f93d597cd10f495779f553566e86dda7ae686b438161667346

Download Submit
C:\Windows\System\NoHJLPj.exe

Filesize
5.2MB

MD5
116843e72cd6e1e660b6a71b349153bc

SHA1
8ae76beac6b0a0b72236466048b3a60527035090

SHA256
42fa0217a8d89bad26693578756c12b978182d693078d81f47a5f12d7552868f

SHA512
5df55a0d7d68a2b39d491e01c20bd5435784e9cacc1a799971f2fe9ac81ccd5485790b2bcfa9d80c25fcf4b0e094f73870c4628dce4154c933aebba442cce16c

Download Submit
C:\Windows\System\OjIOoLz.exe

Filesize
5.2MB

MD5
25475762ddf3d785e3f167cbc6ab2b6e

SHA1
f7076895b7723da3b4c2b1101aab002e917ebe84

SHA256
4369c411b0e6c4d0f031f6e93498374cba5f487d66c01a7a239452a43b39322c

SHA512
f32abc1301ed4f33347af911fedeecc51d2c6e4128cc873345bb710d4c5abcbb6604a26b366a284848e56b80c12a627c1da5ddbf540baba975bad62dc222d791

Download Submit
C:\Windows\System\PziPpcl.exe

Filesize
5.2MB

MD5
4ebc3b83e2944aaa9c152708841610bd

SHA1
1ada93fb706d0a31560e137b589b71d800621d6b

SHA256
c6a2ce38e2c55407a76cfe6039858771e0299600b424ebb9a67660a613e6331b

SHA512
ac828f629e90308786cba1981db62d31f0b196114ba8550a742c6b0cca8f27551de2fecca8d0654374b5f673fddf7716f30b5ca3dfda47378f80582f9eb8d242

Download Submit
C:\Windows\System\RdeIKDI.exe

Filesize
5.2MB

MD5
e87746520983ace8cacf14acd31a1cd0

SHA1
dd19b64b7d89056e500f25a31bc0ca9094aa05e5

SHA256
8851b4e38b1f13d7d658950b766c71b10e1785b8ad2449e1a1092650da0ddec8

SHA512
1c68e42df0964b3eddd28c65975af4caf8d6173e89539bffe3254085d689ad20dbf28f261a64f4fd6041abd7d71bd1d494249a0995cec7a7bde8c70d2eb9d238

Download Submit
C:\Windows\System\VENKUNF.exe

Filesize
5.2MB

MD5
1c5129673029c6ed856bca495141d40a

SHA1
375b16a525f4a08a01ff3ba62224873eb6657fea

SHA256
0cd599a1d3ca9b4beea26c6a5eaeb39c5989c864f0ed00fe1a89bef0032e4cee

SHA512
f41b29f2d7e0ca98d889849f7ae3280d0ca8beeb981fd2c3eeb7bd8fc484746885d54bb6d4dd088241440a78b902c04edd14c92e57816ebb82839897f1c57ac5

Download Submit
C:\Windows\System\ZXNEEpt.exe

Filesize
5.2MB

MD5
ae5a2cb497a145da5702aae895dfcd9d

SHA1
9fc23bf268ef6f3297c1d4e92aa6993a5393e125

SHA256
00d64402dcc87d8bba57e71aafa0fed7ff25ed0f725729a78f5adc45aee4775b

SHA512
3f9c2f47da91c1a1a4ce16c2559eac37a2c8650a527680540351753c54ba2b42099b2d8161a943a62941b7ef62dce316690f0c73f00573727982e805521b1281

Download Submit
C:\Windows\System\ZnumsjT.exe

Filesize
5.2MB

MD5
03757fd47dd24dd2a6f7016c5908c0f7

SHA1
02bcb16a4d344fd1604b20710e6710f0de9d55ce

SHA256
693e13b5e86c142818456ef6fd410f1a332a54ff2f936f91221461318e7dc718

SHA512
6507246a7b082e54145e0c7abafbc1cb9db83fd07af99a8d9f38b1fa97f6a89309a477023d2344498d6cda78d1f35e1230e9ab03596109abf555022298a7d82e

Download Submit
C:\Windows\System\fjKkVOH.exe

Filesize
5.2MB

MD5
2ebb465987fb1f75027b52a5e9545346

SHA1
13cb3b5f5df80b43b074320844f804dd0ce8e1e0

SHA256
e8897804e5ca8937359d106cc62b8fd79508ff29cacee4386bbc60241de5b2d4

SHA512
423d1fb2856e87c2ee47fed781658611fed40b6928e948103830d323620e9f846374405713b79fe7500186cb344a5dcb6e39fb8d13e2e4771156a0eaad0e76d4

Download Submit
C:\Windows\System\gekCvde.exe

Filesize
5.2MB

MD5
ff99b92e2dc833c7506e0e061fed82de

SHA1
47c4381fee9d65eee09be6dd204859489b4082ed

SHA256
22bd6ba62e5deb40ef25479d2cb2f8add6bfb330a20d6b19564cb516658ac962

SHA512
1740ebd95433c8992399ddfa057404be75190b89e28184d34bfa118c1fe38587f2cfc20fe66455a0e4c4269b4ad67a78b38259628c42549f50f67f4dd44a93d1

Download Submit
C:\Windows\System\hHBTzAu.exe

Filesize
5.2MB

MD5
b59b90464c90238269ca5290453d3ec1

SHA1
1f43922971c0f1b32557202afcbd7e2eebe9672f

SHA256
6b7af3dd11e16946356f34d715c10197356f1620b75f74e7919e9d273ae04049

SHA512
6eae7c88ef08af3aea8ef62883bdf0fa9927c9296bc56088c6ba82025f269c68a7d961f909b14a8e8a143650415606d6d9c297b4b15532cc22eaa0cdc05712be

Download Submit
C:\Windows\System\jXecyAK.exe

Filesize
5.2MB

MD5
c6746c87e473efd201ee0543975a654a

SHA1
7f185a50a2ea82269a4ee772448f29dc35ba3a91

SHA256
54623febf5f1e983b87a5f72f766f744f98bd455eecf459a16048e4a4ff19fa2

SHA512
59943807f1953a46e3f4ed2f4a1b9174fbba6691adedf9960d15f2c42f506d0daf8bafbbb4b4e80aeceeb4bab7f0d8a34f3745b90c9e0d32a555db6e7313053a

Download Submit
C:\Windows\System\lNDvExc.exe

Filesize
5.2MB

MD5
2e76912de1b3136816c23a577d6b4fa9

SHA1
41d2b3fda91982c9e71ab5960d4c1c9c1ec5087f

SHA256
3abbc9e19e75b56e51b9ad95cd2544b90cf990ba6c6a07f0bb36c8ce162ba5b1

SHA512
9b6513de521022d65ea3333f799157e83fe21693282dfe29354c1a18122e413fccac2a7839fa6c26ca16390f1181c2e5f236e03e3e5f2a8dfbfdfd9f3f742c3c

Download Submit
C:\Windows\System\vMkeUgM.exe

Filesize
5.2MB

MD5
0f7a6b69fed6a812e96f75d85a2109ac

SHA1
7051bf9a84780a8e3d8aa379916ffc3f639fd449

SHA256
5cbaf42c5174e7d32aebd7e2884bfd1b9c10969fd979bce6d2082bdb43bdf058

SHA512
af9e8da87c9d13837e0899abf2688cdbc84c181efede8beafd79e44052164b358f4bde8f0e9a34829388ec2a132177c79cc571b97c8f37856b9741c90d5d04d3

Download Submit
C:\Windows\System\vjpDNUx.exe

Filesize
5.2MB

MD5
68b0338d153896eeb25dbaf605a9a881

SHA1
0ebbc89c357b376b457df7766cc571f69f59970f

SHA256
71488283c418ed22231fab6a9f8e622c9812f3b70bb328fa4d2cf53b1f340895

SHA512
967efbe4338c068baf9f1a2fd2044c096e7b06b614f7e423d48828b1f110dad987a934b9ca36860bf97ea25b787b0f1068023932b98dec558d463cebc01c4795

Download Submit
C:\Windows\System\xTGBjui.exe

Filesize
5.2MB

MD5
649a28807d7abeb17bfd1a98472ae6b7

SHA1
8836a944cd639147c8ce863fe95cd3750e79101f

SHA256
3c8a4f16d02fb13bf10f0edc9478509983fb85edbb9cd502663084ad69de2a7b

SHA512
e71512a8a5d1e1259741816fdbf894782b3d8377e70e9d9ca0b5759cbdf4134715d3171b819189fe4e58a42e8589b4307ab7c1814e167be2ce396d3dc16f5396

Download Submit
C:\Windows\System\yoZqygf.exe

Filesize
5.2MB

MD5
d0ecec2f11b9a9e188d980daa37066d3

SHA1
8889a48688d3f7d9ad07d289c81df29c1755a49b

SHA256
91d13a54fdcfd464a93b2502c5a6fbac77f189748d17b31cf020f4bc032d5dd6

SHA512
91843069391a9baa4762b82f9552c2d29465df86b04316ee062b19d026f283e41969946593d8b2b8623f68360027c6125c1a6af6e08491661452f7e0a873518e

Download Submit
memory/216-246-0x00007FF633DB0000-0x00007FF634101000-memory.dmp

Filesize
3.3MB

Download
memory/216-120-0x00007FF633DB0000-0x00007FF634101000-memory.dmp

Filesize
3.3MB

Download
memory/436-117-0x00007FF704D90000-0x00007FF7050E1000-memory.dmp

Filesize
3.3MB

Download
memory/436-253-0x00007FF704D90000-0x00007FF7050E1000-memory.dmp

Filesize
3.3MB

Download
memory/840-28-0x00007FF60E9E0000-0x00007FF60ED31000-memory.dmp

Filesize
3.3MB

Download
memory/840-127-0x00007FF60E9E0000-0x00007FF60ED31000-memory.dmp

Filesize
3.3MB

Download
memory/840-223-0x00007FF60E9E0000-0x00007FF60ED31000-memory.dmp

Filesize
3.3MB

Download
memory/964-41-0x00007FF6CC660000-0x00007FF6CC9B1000-memory.dmp

Filesize
3.3MB

Download
memory/964-128-0x00007FF6CC660000-0x00007FF6CC9B1000-memory.dmp

Filesize
3.3MB

Download
memory/964-221-0x00007FF6CC660000-0x00007FF6CC9B1000-memory.dmp

Filesize
3.3MB

Download
memory/1028-116-0x00007FF7E3420000-0x00007FF7E3771000-memory.dmp

Filesize
3.3MB

Download
memory/1028-254-0x00007FF7E3420000-0x00007FF7E3771000-memory.dmp

Filesize
3.3MB

Download
memory/1080-235-0x00007FF6C0200000-0x00007FF6C0551000-memory.dmp

Filesize
3.3MB

Download
memory/1080-119-0x00007FF6C0200000-0x00007FF6C0551000-memory.dmp

Filesize
3.3MB

Download
memory/1100-92-0x00007FF61D440000-0x00007FF61D791000-memory.dmp

Filesize
3.3MB

Download
memory/1100-227-0x00007FF61D440000-0x00007FF61D791000-memory.dmp

Filesize
3.3MB

Download
memory/1580-172-0x00007FF7E8130000-0x00007FF7E8481000-memory.dmp

Filesize
3.3MB

Download
memory/1580-260-0x00007FF7E8130000-0x00007FF7E8481000-memory.dmp

Filesize
3.3MB

Download
memory/1580-146-0x00007FF7E8130000-0x00007FF7E8481000-memory.dmp

Filesize
3.3MB

Download
memory/1708-0-0x00007FF79BF20000-0x00007FF79C271000-memory.dmp

Filesize
3.3MB

Download
memory/1708-150-0x00007FF79BF20000-0x00007FF79C271000-memory.dmp

Filesize
3.3MB

Download
memory/1708-123-0x00007FF79BF20000-0x00007FF79C271000-memory.dmp

Filesize
3.3MB

Download
memory/1708-149-0x00007FF79BF20000-0x00007FF79C271000-memory.dmp

Filesize
3.3MB

Download
memory/1708-1-0x0000027CC4970000-0x0000027CC4980000-memory.dmp

Filesize
64KB

Download
memory/2552-129-0x00007FF6DD030000-0x00007FF6DD381000-memory.dmp

Filesize
3.3MB

Download
memory/2552-71-0x00007FF6DD030000-0x00007FF6DD381000-memory.dmp

Filesize
3.3MB

Download
memory/2552-229-0x00007FF6DD030000-0x00007FF6DD381000-memory.dmp

Filesize
3.3MB

Download
memory/2596-58-0x00007FF74ABA0000-0x00007FF74AEF1000-memory.dmp

Filesize
3.3MB

Download
memory/2596-242-0x00007FF74ABA0000-0x00007FF74AEF1000-memory.dmp

Filesize
3.3MB

Download
memory/2596-134-0x00007FF74ABA0000-0x00007FF74AEF1000-memory.dmp

Filesize
3.3MB

Download
memory/2736-225-0x00007FF7200F0000-0x00007FF720441000-memory.dmp

Filesize
3.3MB

Download
memory/2736-22-0x00007FF7200F0000-0x00007FF720441000-memory.dmp

Filesize
3.3MB

Download
memory/2736-126-0x00007FF7200F0000-0x00007FF720441000-memory.dmp

Filesize
3.3MB

Download
memory/2756-143-0x00007FF7C6920000-0x00007FF7C6C71000-memory.dmp

Filesize
3.3MB

Download
memory/2756-256-0x00007FF7C6920000-0x00007FF7C6C71000-memory.dmp

Filesize
3.3MB

Download
memory/2756-121-0x00007FF7C6920000-0x00007FF7C6C71000-memory.dmp

Filesize
3.3MB

Download
memory/2796-47-0x00007FF778420000-0x00007FF778771000-memory.dmp

Filesize
3.3MB

Download
memory/2796-130-0x00007FF778420000-0x00007FF778771000-memory.dmp

Filesize
3.3MB

Download
memory/2796-232-0x00007FF778420000-0x00007FF778771000-memory.dmp

Filesize
3.3MB

Download
memory/2856-6-0x00007FF78CD00000-0x00007FF78D051000-memory.dmp

Filesize
3.3MB

Download
memory/2856-202-0x00007FF78CD00000-0x00007FF78D051000-memory.dmp

Filesize
3.3MB

Download
memory/2856-124-0x00007FF78CD00000-0x00007FF78D051000-memory.dmp

Filesize
3.3MB

Download
memory/3288-125-0x00007FF703490000-0x00007FF7037E1000-memory.dmp

Filesize
3.3MB

Download
memory/3288-15-0x00007FF703490000-0x00007FF7037E1000-memory.dmp

Filesize
3.3MB

Download
memory/3288-219-0x00007FF703490000-0x00007FF7037E1000-memory.dmp

Filesize
3.3MB

Download
memory/3376-90-0x00007FF782270000-0x00007FF7825C1000-memory.dmp

Filesize
3.3MB

Download
memory/3376-233-0x00007FF782270000-0x00007FF7825C1000-memory.dmp

Filesize
3.3MB

Download
memory/4168-105-0x00007FF641440000-0x00007FF641791000-memory.dmp

Filesize
3.3MB

Download
memory/4168-251-0x00007FF641440000-0x00007FF641791000-memory.dmp

Filesize
3.3MB

Download
memory/4656-240-0x00007FF6E66D0000-0x00007FF6E6A21000-memory.dmp

Filesize
3.3MB

Download
memory/4656-118-0x00007FF6E66D0000-0x00007FF6E6A21000-memory.dmp

Filesize
3.3MB

Download
memory/4796-140-0x00007FF7F6AE0000-0x00007FF7F6E31000-memory.dmp

Filesize
3.3MB

Download
memory/4796-115-0x00007FF7F6AE0000-0x00007FF7F6E31000-memory.dmp

Filesize
3.3MB

Download
memory/4796-244-0x00007FF7F6AE0000-0x00007FF7F6E31000-memory.dmp

Filesize
3.3MB

Download
memory/4900-237-0x00007FF6FE260000-0x00007FF6FE5B1000-memory.dmp

Filesize
3.3MB

Download
memory/4900-53-0x00007FF6FE260000-0x00007FF6FE5B1000-memory.dmp

Filesize
3.3MB

Download
memory/4900-132-0x00007FF6FE260000-0x00007FF6FE5B1000-memory.dmp

Filesize
3.3MB

Download
memory/4964-249-0x00007FF6ABD70000-0x00007FF6AC0C1000-memory.dmp

Filesize
3.3MB

Download
memory/4964-103-0x00007FF6ABD70000-0x00007FF6AC0C1000-memory.dmp

Filesize
3.3MB

Download