cobaltstrike | 213c149a7ee579171c88e684c093afb738ba44a1dc485ab8efd1322c16745299

Analysis

max time kernel
140s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-11-2024 21:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-11_9be3c6e9880d4d488d47c929699d675a_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

9be3c6e9880d4d488d47c929699d675a
SHA1

0e07a7c7e10956f75475b4de3acb07e6bf34f383
SHA256

213c149a7ee579171c88e684c093afb738ba44a1dc485ab8efd1322c16745299
SHA512

cb039a9128333bc9923f4615d84fbc67bf29c70f03fa73debb22644e1dde7c2fbda66df5bc2dade3c17af51aca87bcefde6d01d499e66e0bd9a25aa5a4e8cd44
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lM:RWWBibf56utgpPFotBER/mQ32lUg

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000c000000023b3e-6.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b8e-9.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b99-10.dat	cobalt_reflective_dll
behavioral2/files/0x0012000000023ba7-26.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b9b-21.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023ba9-35.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023baf-41.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023bb0-51.dat	cobalt_reflective_dll
behavioral2/files/0x000c000000023b8f-56.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bb6-83.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bbb-93.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bec-105.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bf0-129.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bef-125.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bee-115.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bed-113.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023bbd-99.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bba-98.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bbc-97.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bb9-78.dat	cobalt_reflective_dll
behavioral2/files/0x000e000000023bb4-61.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 46 IoCs

miner

resource	yara_rule
behavioral2/memory/4560-70-0x00007FF72FC40000-0x00007FF72FF91000-memory.dmp	xmrig
behavioral2/memory/2080-118-0x00007FF7A4930000-0x00007FF7A4C81000-memory.dmp	xmrig
behavioral2/memory/2468-128-0x00007FF7D3730000-0x00007FF7D3A81000-memory.dmp	xmrig
behavioral2/memory/2024-127-0x00007FF6D6D50000-0x00007FF6D70A1000-memory.dmp	xmrig
behavioral2/memory/112-120-0x00007FF6302E0000-0x00007FF630631000-memory.dmp	xmrig
behavioral2/memory/4584-119-0x00007FF65C870000-0x00007FF65CBC1000-memory.dmp	xmrig
behavioral2/memory/4268-112-0x00007FF731BE0000-0x00007FF731F31000-memory.dmp	xmrig
behavioral2/memory/3324-71-0x00007FF6F81F0000-0x00007FF6F8541000-memory.dmp	xmrig
behavioral2/memory/1496-54-0x00007FF717BF0000-0x00007FF717F41000-memory.dmp	xmrig
behavioral2/memory/4652-50-0x00007FF7DBA10000-0x00007FF7DBD61000-memory.dmp	xmrig
behavioral2/memory/3740-47-0x00007FF711230000-0x00007FF711581000-memory.dmp	xmrig
behavioral2/memory/4884-137-0x00007FF7E8310000-0x00007FF7E8661000-memory.dmp	xmrig
behavioral2/memory/4072-143-0x00007FF68CA90000-0x00007FF68CDE1000-memory.dmp	xmrig
behavioral2/memory/2976-148-0x00007FF781A70000-0x00007FF781DC1000-memory.dmp	xmrig
behavioral2/memory/2872-153-0x00007FF6B6E50000-0x00007FF6B71A1000-memory.dmp	xmrig
behavioral2/memory/2116-149-0x00007FF63B160000-0x00007FF63B4B1000-memory.dmp	xmrig
behavioral2/memory/4612-151-0x00007FF6EBEF0000-0x00007FF6EC241000-memory.dmp	xmrig
behavioral2/memory/3580-147-0x00007FF61D5A0000-0x00007FF61D8F1000-memory.dmp	xmrig
behavioral2/memory/3952-145-0x00007FF607140000-0x00007FF607491000-memory.dmp	xmrig
behavioral2/memory/2260-141-0x00007FF603460000-0x00007FF6037B1000-memory.dmp	xmrig
behavioral2/memory/3740-138-0x00007FF711230000-0x00007FF711581000-memory.dmp	xmrig
behavioral2/memory/2476-136-0x00007FF667900000-0x00007FF667C51000-memory.dmp	xmrig
behavioral2/memory/3576-142-0x00007FF6800F0000-0x00007FF680441000-memory.dmp	xmrig
behavioral2/memory/4560-131-0x00007FF72FC40000-0x00007FF72FF91000-memory.dmp	xmrig
behavioral2/memory/4560-154-0x00007FF72FC40000-0x00007FF72FF91000-memory.dmp	xmrig
behavioral2/memory/4268-206-0x00007FF731BE0000-0x00007FF731F31000-memory.dmp	xmrig
behavioral2/memory/3324-208-0x00007FF6F81F0000-0x00007FF6F8541000-memory.dmp	xmrig
behavioral2/memory/2024-210-0x00007FF6D6D50000-0x00007FF6D70A1000-memory.dmp	xmrig
behavioral2/memory/2476-212-0x00007FF667900000-0x00007FF667C51000-memory.dmp	xmrig
behavioral2/memory/4884-214-0x00007FF7E8310000-0x00007FF7E8661000-memory.dmp	xmrig
behavioral2/memory/4652-229-0x00007FF7DBA10000-0x00007FF7DBD61000-memory.dmp	xmrig
behavioral2/memory/3576-232-0x00007FF6800F0000-0x00007FF680441000-memory.dmp	xmrig
behavioral2/memory/1496-237-0x00007FF717BF0000-0x00007FF717F41000-memory.dmp	xmrig
behavioral2/memory/2260-236-0x00007FF603460000-0x00007FF6037B1000-memory.dmp	xmrig
behavioral2/memory/3740-234-0x00007FF711230000-0x00007FF711581000-memory.dmp	xmrig
behavioral2/memory/2080-239-0x00007FF7A4930000-0x00007FF7A4C81000-memory.dmp	xmrig
behavioral2/memory/4584-247-0x00007FF65C870000-0x00007FF65CBC1000-memory.dmp	xmrig
behavioral2/memory/4072-245-0x00007FF68CA90000-0x00007FF68CDE1000-memory.dmp	xmrig
behavioral2/memory/3580-243-0x00007FF61D5A0000-0x00007FF61D8F1000-memory.dmp	xmrig
behavioral2/memory/2116-256-0x00007FF63B160000-0x00007FF63B4B1000-memory.dmp	xmrig
behavioral2/memory/2976-257-0x00007FF781A70000-0x00007FF781DC1000-memory.dmp	xmrig
behavioral2/memory/2872-259-0x00007FF6B6E50000-0x00007FF6B71A1000-memory.dmp	xmrig
behavioral2/memory/2468-254-0x00007FF7D3730000-0x00007FF7D3A81000-memory.dmp	xmrig
behavioral2/memory/3952-252-0x00007FF607140000-0x00007FF607491000-memory.dmp	xmrig
behavioral2/memory/112-250-0x00007FF6302E0000-0x00007FF630631000-memory.dmp	xmrig
behavioral2/memory/4612-263-0x00007FF6EBEF0000-0x00007FF6EC241000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4268	wdscHZn.exe
3324	hhRwsVB.exe
2024	afEhFOR.exe
2476	wnTHfgS.exe
4884	ubSVcKb.exe
3740	dyxRJCA.exe
4652	xUvWOOa.exe
1496	CEfvEJj.exe
2260	wDSXXmk.exe
3576	MgKvymi.exe
4072	NlANZgF.exe
2080	PlCgLXb.exe
3952	HAAAOwY.exe
4584	MxPksKI.exe
3580	djGsWCA.exe
2976	okSJxIg.exe
112	AIxRNHB.exe
4612	QJtUnjx.exe
2116	NNmfGNk.exe
2468	IVFNxpi.exe
2872	wNxiIXA.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4560-0-0x00007FF72FC40000-0x00007FF72FF91000-memory.dmp	upx
behavioral2/files/0x000c000000023b3e-6.dat	upx
behavioral2/memory/4268-7-0x00007FF731BE0000-0x00007FF731F31000-memory.dmp	upx
behavioral2/files/0x000b000000023b8e-9.dat	upx
behavioral2/files/0x000a000000023b99-10.dat	upx
behavioral2/files/0x0012000000023ba7-26.dat	upx
behavioral2/files/0x000b000000023b9b-21.dat	upx
behavioral2/memory/3324-18-0x00007FF6F81F0000-0x00007FF6F8541000-memory.dmp	upx
behavioral2/files/0x0008000000023ba9-35.dat	upx
behavioral2/files/0x0009000000023baf-41.dat	upx
behavioral2/files/0x0009000000023bb0-51.dat	upx
behavioral2/files/0x000c000000023b8f-56.dat	upx
behavioral2/memory/4560-70-0x00007FF72FC40000-0x00007FF72FF91000-memory.dmp	upx
behavioral2/memory/4072-77-0x00007FF68CA90000-0x00007FF68CDE1000-memory.dmp	upx
behavioral2/files/0x0008000000023bb6-83.dat	upx
behavioral2/files/0x0008000000023bbb-93.dat	upx
behavioral2/files/0x0008000000023bec-105.dat	upx
behavioral2/memory/2080-118-0x00007FF7A4930000-0x00007FF7A4C81000-memory.dmp	upx
behavioral2/memory/2468-128-0x00007FF7D3730000-0x00007FF7D3A81000-memory.dmp	upx
behavioral2/files/0x0008000000023bf0-129.dat	upx
behavioral2/memory/2024-127-0x00007FF6D6D50000-0x00007FF6D70A1000-memory.dmp	upx
behavioral2/files/0x0008000000023bef-125.dat	upx
behavioral2/memory/2872-124-0x00007FF6B6E50000-0x00007FF6B71A1000-memory.dmp	upx
behavioral2/memory/2116-121-0x00007FF63B160000-0x00007FF63B4B1000-memory.dmp	upx
behavioral2/memory/112-120-0x00007FF6302E0000-0x00007FF630631000-memory.dmp	upx
behavioral2/memory/4584-119-0x00007FF65C870000-0x00007FF65CBC1000-memory.dmp	upx
behavioral2/files/0x0008000000023bee-115.dat	upx
behavioral2/files/0x0008000000023bed-113.dat	upx
behavioral2/memory/4268-112-0x00007FF731BE0000-0x00007FF731F31000-memory.dmp	upx
behavioral2/memory/4612-111-0x00007FF6EBEF0000-0x00007FF6EC241000-memory.dmp	upx
behavioral2/memory/2976-104-0x00007FF781A70000-0x00007FF781DC1000-memory.dmp	upx
behavioral2/memory/3580-103-0x00007FF61D5A0000-0x00007FF61D8F1000-memory.dmp	upx
behavioral2/files/0x0009000000023bbd-99.dat	upx
behavioral2/files/0x0008000000023bba-98.dat	upx
behavioral2/files/0x0008000000023bbc-97.dat	upx
behavioral2/memory/3952-87-0x00007FF607140000-0x00007FF607491000-memory.dmp	upx
behavioral2/files/0x0008000000023bb9-78.dat	upx
behavioral2/memory/3324-71-0x00007FF6F81F0000-0x00007FF6F8541000-memory.dmp	upx
behavioral2/files/0x000e000000023bb4-61.dat	upx
behavioral2/memory/3576-60-0x00007FF6800F0000-0x00007FF680441000-memory.dmp	upx
behavioral2/memory/1496-54-0x00007FF717BF0000-0x00007FF717F41000-memory.dmp	upx
behavioral2/memory/2260-53-0x00007FF603460000-0x00007FF6037B1000-memory.dmp	upx
behavioral2/memory/4652-50-0x00007FF7DBA10000-0x00007FF7DBD61000-memory.dmp	upx
behavioral2/memory/3740-47-0x00007FF711230000-0x00007FF711581000-memory.dmp	upx
behavioral2/memory/4884-34-0x00007FF7E8310000-0x00007FF7E8661000-memory.dmp	upx
behavioral2/memory/2476-27-0x00007FF667900000-0x00007FF667C51000-memory.dmp	upx
behavioral2/memory/2024-24-0x00007FF6D6D50000-0x00007FF6D70A1000-memory.dmp	upx
behavioral2/memory/4884-137-0x00007FF7E8310000-0x00007FF7E8661000-memory.dmp	upx
behavioral2/memory/4072-143-0x00007FF68CA90000-0x00007FF68CDE1000-memory.dmp	upx
behavioral2/memory/2976-148-0x00007FF781A70000-0x00007FF781DC1000-memory.dmp	upx
behavioral2/memory/2872-153-0x00007FF6B6E50000-0x00007FF6B71A1000-memory.dmp	upx
behavioral2/memory/2116-149-0x00007FF63B160000-0x00007FF63B4B1000-memory.dmp	upx
behavioral2/memory/4612-151-0x00007FF6EBEF0000-0x00007FF6EC241000-memory.dmp	upx
behavioral2/memory/3580-147-0x00007FF61D5A0000-0x00007FF61D8F1000-memory.dmp	upx
behavioral2/memory/3952-145-0x00007FF607140000-0x00007FF607491000-memory.dmp	upx
behavioral2/memory/2260-141-0x00007FF603460000-0x00007FF6037B1000-memory.dmp	upx
behavioral2/memory/3740-138-0x00007FF711230000-0x00007FF711581000-memory.dmp	upx
behavioral2/memory/2476-136-0x00007FF667900000-0x00007FF667C51000-memory.dmp	upx
behavioral2/memory/3576-142-0x00007FF6800F0000-0x00007FF680441000-memory.dmp	upx
behavioral2/memory/4560-131-0x00007FF72FC40000-0x00007FF72FF91000-memory.dmp	upx
behavioral2/memory/4560-154-0x00007FF72FC40000-0x00007FF72FF91000-memory.dmp	upx
behavioral2/memory/4268-206-0x00007FF731BE0000-0x00007FF731F31000-memory.dmp	upx
behavioral2/memory/3324-208-0x00007FF6F81F0000-0x00007FF6F8541000-memory.dmp	upx
behavioral2/memory/2024-210-0x00007FF6D6D50000-0x00007FF6D70A1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\IVFNxpi.exe	2024-11-11_9be3c6e9880d4d488d47c929699d675a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NlANZgF.exe	2024-11-11_9be3c6e9880d4d488d47c929699d675a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PlCgLXb.exe	2024-11-11_9be3c6e9880d4d488d47c929699d675a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wnTHfgS.exe	2024-11-11_9be3c6e9880d4d488d47c929699d675a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CEfvEJj.exe	2024-11-11_9be3c6e9880d4d488d47c929699d675a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MxPksKI.exe	2024-11-11_9be3c6e9880d4d488d47c929699d675a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hhRwsVB.exe	2024-11-11_9be3c6e9880d4d488d47c929699d675a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\afEhFOR.exe	2024-11-11_9be3c6e9880d4d488d47c929699d675a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NNmfGNk.exe	2024-11-11_9be3c6e9880d4d488d47c929699d675a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AIxRNHB.exe	2024-11-11_9be3c6e9880d4d488d47c929699d675a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wNxiIXA.exe	2024-11-11_9be3c6e9880d4d488d47c929699d675a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ubSVcKb.exe	2024-11-11_9be3c6e9880d4d488d47c929699d675a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dyxRJCA.exe	2024-11-11_9be3c6e9880d4d488d47c929699d675a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wDSXXmk.exe	2024-11-11_9be3c6e9880d4d488d47c929699d675a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MgKvymi.exe	2024-11-11_9be3c6e9880d4d488d47c929699d675a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HAAAOwY.exe	2024-11-11_9be3c6e9880d4d488d47c929699d675a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\djGsWCA.exe	2024-11-11_9be3c6e9880d4d488d47c929699d675a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\okSJxIg.exe	2024-11-11_9be3c6e9880d4d488d47c929699d675a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QJtUnjx.exe	2024-11-11_9be3c6e9880d4d488d47c929699d675a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wdscHZn.exe	2024-11-11_9be3c6e9880d4d488d47c929699d675a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xUvWOOa.exe	2024-11-11_9be3c6e9880d4d488d47c929699d675a_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4560	2024-11-11_9be3c6e9880d4d488d47c929699d675a_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4560	2024-11-11_9be3c6e9880d4d488d47c929699d675a_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4560 wrote to memory of 4268	4560	2024-11-11_9be3c6e9880d4d488d47c929699d675a_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4560 wrote to memory of 4268	4560	2024-11-11_9be3c6e9880d4d488d47c929699d675a_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4560 wrote to memory of 3324	4560	2024-11-11_9be3c6e9880d4d488d47c929699d675a_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4560 wrote to memory of 3324	4560	2024-11-11_9be3c6e9880d4d488d47c929699d675a_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4560 wrote to memory of 2024	4560	2024-11-11_9be3c6e9880d4d488d47c929699d675a_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4560 wrote to memory of 2024	4560	2024-11-11_9be3c6e9880d4d488d47c929699d675a_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4560 wrote to memory of 2476	4560	2024-11-11_9be3c6e9880d4d488d47c929699d675a_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4560 wrote to memory of 2476	4560	2024-11-11_9be3c6e9880d4d488d47c929699d675a_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4560 wrote to memory of 4884	4560	2024-11-11_9be3c6e9880d4d488d47c929699d675a_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4560 wrote to memory of 4884	4560	2024-11-11_9be3c6e9880d4d488d47c929699d675a_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4560 wrote to memory of 3740	4560	2024-11-11_9be3c6e9880d4d488d47c929699d675a_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4560 wrote to memory of 3740	4560	2024-11-11_9be3c6e9880d4d488d47c929699d675a_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4560 wrote to memory of 4652	4560	2024-11-11_9be3c6e9880d4d488d47c929699d675a_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4560 wrote to memory of 4652	4560	2024-11-11_9be3c6e9880d4d488d47c929699d675a_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4560 wrote to memory of 1496	4560	2024-11-11_9be3c6e9880d4d488d47c929699d675a_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4560 wrote to memory of 1496	4560	2024-11-11_9be3c6e9880d4d488d47c929699d675a_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4560 wrote to memory of 2260	4560	2024-11-11_9be3c6e9880d4d488d47c929699d675a_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4560 wrote to memory of 2260	4560	2024-11-11_9be3c6e9880d4d488d47c929699d675a_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4560 wrote to memory of 3576	4560	2024-11-11_9be3c6e9880d4d488d47c929699d675a_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4560 wrote to memory of 3576	4560	2024-11-11_9be3c6e9880d4d488d47c929699d675a_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4560 wrote to memory of 4072	4560	2024-11-11_9be3c6e9880d4d488d47c929699d675a_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4560 wrote to memory of 4072	4560	2024-11-11_9be3c6e9880d4d488d47c929699d675a_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4560 wrote to memory of 2080	4560	2024-11-11_9be3c6e9880d4d488d47c929699d675a_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4560 wrote to memory of 2080	4560	2024-11-11_9be3c6e9880d4d488d47c929699d675a_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4560 wrote to memory of 3952	4560	2024-11-11_9be3c6e9880d4d488d47c929699d675a_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4560 wrote to memory of 3952	4560	2024-11-11_9be3c6e9880d4d488d47c929699d675a_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4560 wrote to memory of 4584	4560	2024-11-11_9be3c6e9880d4d488d47c929699d675a_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4560 wrote to memory of 4584	4560	2024-11-11_9be3c6e9880d4d488d47c929699d675a_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4560 wrote to memory of 3580	4560	2024-11-11_9be3c6e9880d4d488d47c929699d675a_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4560 wrote to memory of 3580	4560	2024-11-11_9be3c6e9880d4d488d47c929699d675a_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4560 wrote to memory of 2976	4560	2024-11-11_9be3c6e9880d4d488d47c929699d675a_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4560 wrote to memory of 2976	4560	2024-11-11_9be3c6e9880d4d488d47c929699d675a_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4560 wrote to memory of 2116	4560	2024-11-11_9be3c6e9880d4d488d47c929699d675a_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4560 wrote to memory of 2116	4560	2024-11-11_9be3c6e9880d4d488d47c929699d675a_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4560 wrote to memory of 112	4560	2024-11-11_9be3c6e9880d4d488d47c929699d675a_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4560 wrote to memory of 112	4560	2024-11-11_9be3c6e9880d4d488d47c929699d675a_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4560 wrote to memory of 4612	4560	2024-11-11_9be3c6e9880d4d488d47c929699d675a_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4560 wrote to memory of 4612	4560	2024-11-11_9be3c6e9880d4d488d47c929699d675a_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4560 wrote to memory of 2468	4560	2024-11-11_9be3c6e9880d4d488d47c929699d675a_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4560 wrote to memory of 2468	4560	2024-11-11_9be3c6e9880d4d488d47c929699d675a_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4560 wrote to memory of 2872	4560	2024-11-11_9be3c6e9880d4d488d47c929699d675a_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4560 wrote to memory of 2872	4560	2024-11-11_9be3c6e9880d4d488d47c929699d675a_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-11-11_9be3c6e9880d4d488d47c929699d675a_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-11_9be3c6e9880d4d488d47c929699d675a_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4560
- C:\Windows\System\wdscHZn.exe
  C:\Windows\System\wdscHZn.exe
  2⤵
  - Executes dropped EXE
  PID:4268
- C:\Windows\System\hhRwsVB.exe
  C:\Windows\System\hhRwsVB.exe
  2⤵
  - Executes dropped EXE
  PID:3324
- C:\Windows\System\afEhFOR.exe
  C:\Windows\System\afEhFOR.exe
  2⤵
  - Executes dropped EXE
  PID:2024
- C:\Windows\System\wnTHfgS.exe
  C:\Windows\System\wnTHfgS.exe
  2⤵
  - Executes dropped EXE
  PID:2476
- C:\Windows\System\ubSVcKb.exe
  C:\Windows\System\ubSVcKb.exe
  2⤵
  - Executes dropped EXE
  PID:4884
- C:\Windows\System\dyxRJCA.exe
  C:\Windows\System\dyxRJCA.exe
  2⤵
  - Executes dropped EXE
  PID:3740
- C:\Windows\System\xUvWOOa.exe
  C:\Windows\System\xUvWOOa.exe
  2⤵
  - Executes dropped EXE
  PID:4652
- C:\Windows\System\CEfvEJj.exe
  C:\Windows\System\CEfvEJj.exe
  2⤵
  - Executes dropped EXE
  PID:1496
- C:\Windows\System\wDSXXmk.exe
  C:\Windows\System\wDSXXmk.exe
  2⤵
  - Executes dropped EXE
  PID:2260
- C:\Windows\System\MgKvymi.exe
  C:\Windows\System\MgKvymi.exe
  2⤵
  - Executes dropped EXE
  PID:3576
- C:\Windows\System\NlANZgF.exe
  C:\Windows\System\NlANZgF.exe
  2⤵
  - Executes dropped EXE
  PID:4072
- C:\Windows\System\PlCgLXb.exe
  C:\Windows\System\PlCgLXb.exe
  2⤵
  - Executes dropped EXE
  PID:2080
- C:\Windows\System\HAAAOwY.exe
  C:\Windows\System\HAAAOwY.exe
  2⤵
  - Executes dropped EXE
  PID:3952
- C:\Windows\System\MxPksKI.exe
  C:\Windows\System\MxPksKI.exe
  2⤵
  - Executes dropped EXE
  PID:4584
- C:\Windows\System\djGsWCA.exe
  C:\Windows\System\djGsWCA.exe
  2⤵
  - Executes dropped EXE
  PID:3580
- C:\Windows\System\okSJxIg.exe
  C:\Windows\System\okSJxIg.exe
  2⤵
  - Executes dropped EXE
  PID:2976
- C:\Windows\System\NNmfGNk.exe
  C:\Windows\System\NNmfGNk.exe
  2⤵
  - Executes dropped EXE
  PID:2116
- C:\Windows\System\AIxRNHB.exe
  C:\Windows\System\AIxRNHB.exe
  2⤵
  - Executes dropped EXE
  PID:112
- C:\Windows\System\QJtUnjx.exe
  C:\Windows\System\QJtUnjx.exe
  2⤵
  - Executes dropped EXE
  PID:4612
- C:\Windows\System\IVFNxpi.exe
  C:\Windows\System\IVFNxpi.exe
  2⤵
  - Executes dropped EXE
  PID:2468
- C:\Windows\System\wNxiIXA.exe
  C:\Windows\System\wNxiIXA.exe
  2⤵
  - Executes dropped EXE
  PID:2872

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AIxRNHB.exe

Filesize
5.2MB

MD5
75d891d0adec6a9181d9b99bd423d121

SHA1
fda7196d66756290381a224de2fe157424907f29

SHA256
383f0113118c9c2d0d3fb5f82cae191ba04a92c7a3df028f78ab3b15a6aee0e9

SHA512
7d65b128bd9b3e7b44e4bb5de86225a7af0fe1e216cf931ff81d7b7c13ed52304e6cdb7ee7630c12785d2924ee6724603834d642b9ac985447a1aa5344825c7a

Download Submit
C:\Windows\System\CEfvEJj.exe

Filesize
5.2MB

MD5
dc2c3f5336d1b1ece8a7ca1196096f42

SHA1
f2f9722ac82abb3930daa75bedfde1ea2104c487

SHA256
39f279b68e02f79cf0e6a2d83004d1cefb577c5b2e3b82cdad565c3035b52090

SHA512
e6cacec6244b9e016de194a1f037ef88990b752dc6cffb60b30bcaca21804d21a17f0b1c014e979db61bf53581cbf701a4926bce609fb92d0d87b4fe67563be4

Download Submit
C:\Windows\System\HAAAOwY.exe

Filesize
5.2MB

MD5
50148498fc314e48aba29da4c412f8fc

SHA1
93b8cc303d0a966d0077c81f826a5adb838351a8

SHA256
f1b4f1e424a467c1e8058eba143487dfcaa4fadf5d4af5200e16e5eff0243069

SHA512
43459931800fd576c46c127eb1efde2e272bac14407dd8692429473cbdb71618bcbb309a0830e2302115a2328b25772d7126493a79299320b76e9ac6ac727681

Download Submit
C:\Windows\System\IVFNxpi.exe

Filesize
5.2MB

MD5
03e22452a59835f1346e15163751d8ce

SHA1
5e726456488a6013d9a40dc709665838b6d71932

SHA256
6ddc6af419b7c9d7c51a247618ead86363c22a6bf460d27354db84d1ebe0afaa

SHA512
1f7124354b1999904a161b3e2b51a6419dfb774ed6c90b7bd1d0832d83dd66951f20f6d5e5314a54ef02db09f10a7eb1fae1168e1ed7d2289459f09102514e26

Download Submit
C:\Windows\System\MgKvymi.exe

Filesize
5.2MB

MD5
524caae4b91503d6bf09bbf3a837450d

SHA1
cc02afa7bd1b0c2957379d898799a89ed44380a0

SHA256
5b7717d22c15ad4436131407c744b8e4879460bbd0f23ec814a91acc8e3aab4b

SHA512
51744b08b855aac1e5a43f47c672ae21ac4e9e3ee1ce884336563843f7e1900f9930ef8127e81ee8005f64e02c16b648693e4f77a069a93f3da9ae07fb92bccc

Download Submit
C:\Windows\System\MxPksKI.exe

Filesize
5.2MB

MD5
0ccee1fb7292829c61e26adf48d3ad2e

SHA1
095d26e077599852a0b0aac7b3bfab69a928a82f

SHA256
4f4d87395f401097395ca0999ae6e175162efc792fbbb29d70248fd1545a3b19

SHA512
139577a98ed27d402b5eef708c06fe75483c4b7cb5caf2b6e9d31d220e80c7c2bdf6405584c768ea2d40bfeabcf658e70136cc4529c3d10f73e6376d727651ed

Download Submit
C:\Windows\System\NNmfGNk.exe

Filesize
5.2MB

MD5
2ef6065583ec4dae32c4472402d5f469

SHA1
60dd7939abd86d94e9dc0971ac6de7fb3fc89d6d

SHA256
dbc9fa742ce201e3494897049e355447235215318e1f836a9e3e5b4b721865db

SHA512
7578ecd075f9e54586785f9f3c2981fd67ae32f4309399573fd760511478138443c89581b46f1254d8e7c037bf77732b1990ed6b2e091557118803d55e7d063b

Download Submit
C:\Windows\System\NlANZgF.exe

Filesize
5.2MB

MD5
b85e4e91bd065d1974bba1d96644783d

SHA1
a1a411452695ab80b0a4253f01dea5d23aff70f8

SHA256
edd72b6c42fda7094060701c7f450690b6b5dbaf0178b259c7431b3773e066e3

SHA512
6c5125665a6a2fff4def75e59075e8a90d9fc8caadf64eee1bd47c2960ec5ec733bb8609f6293c4909594e0aa0252237f1259d01c0d5330e30637130a8c50154

Download Submit
C:\Windows\System\PlCgLXb.exe

Filesize
5.2MB

MD5
1634877322ebf203d0d6e0bc4fd0d786

SHA1
ec76423052c9fc41c731de8059784ca6122bc83b

SHA256
5fbb10c5d838c1f1f65f257c38342646196ce799b0e31bc0ee0868ba875571f9

SHA512
1400f60c05d5a014829420bf3c9525b8a0e63d2fc6f1c80f8328160ddccb3bebce471953a643942538e41ecda603b2287256fdfd5d8e3a42651c2d00a9f20e52

Download Submit
C:\Windows\System\QJtUnjx.exe

Filesize
5.2MB

MD5
b72b2eaf9a18d54370541632e0021f19

SHA1
3c09486facdf307ddafb2841b332ac9f19fd7025

SHA256
9eb3836195e3d6d0f4c601c4f59b561347d911ca9453265f498d937f148cab09

SHA512
eedc24b22b2c9976350d07ebb71ad1665d6a4f51bc84021e47e9ac68d6dac74dbb8b0ba5cd117ea5b791706c1bc2d737a5895a1f124e6c728c3915f228747161

Download Submit
C:\Windows\System\afEhFOR.exe

Filesize
5.2MB

MD5
d62c7de10f5b012d2cd953e8e35298b6

SHA1
410a14bee6389a7f31f660b63c0cb378067bfc78

SHA256
16594dd877e8fd465370c76ab3d8a0a1df5bd41a787f5efcd78899aa1ca7fa8d

SHA512
03cff383b0acc729b86fcd45a4449787541ce0719a0003a3ed5675e87c6745571813cd443b3c5833dc0278bf6a0c60c783e4336fa89a2c36eb19de22129ada62

Download Submit
C:\Windows\System\djGsWCA.exe

Filesize
5.2MB

MD5
bb4e975e76405165c127e5cb0e575317

SHA1
32554b4515ab096149f42463d935e56a551f5533

SHA256
dff02a5e0e4476f2229720788a04f1a064eede952eebcdd1405226bc29f75ac3

SHA512
d65f9616754e36767988e8495ce3103839a211ee482897e653b4c8a9817986d09a96924dc79cfe2b90231cfdcde8c0ae3cf1ed4429c5d4be7ddc917cff75d131

Download Submit
C:\Windows\System\dyxRJCA.exe

Filesize
5.2MB

MD5
8926af614ccf2f1504aaf9c144d8dca4

SHA1
517dbb6787fb2e8fc098cb991cdfef9fe1de5e4d

SHA256
a89b04f092fd49f6057cc1a010b4eb68e6719c7c6fae568f74d66f54a4429466

SHA512
789a7686a0aec1ad8a29f15027957135cb93f8c7aea1f87cc31b9d7c58c728581f6d253c424002df0034232e44dd24832790d1f6f1502f4681bf49c290564b19

Download Submit
C:\Windows\System\hhRwsVB.exe

Filesize
5.2MB

MD5
942b0a627ccd9adf24f9faca694893a6

SHA1
1d44ac65b31163f908454a757c1ac834b66bac1c

SHA256
befc54342449fc713b4912c08021279c7c35f95af8216a4ae67f2fd3d9d17d7f

SHA512
9223503720d9504df62365a6f71999897548020669b01b9c0ea5437a1a021271dcc4b22d3cb234629dd20ebc9a9aff92b1054a7ffea8bf54bd365a91fd301c50

Download Submit
C:\Windows\System\okSJxIg.exe

Filesize
5.2MB

MD5
de9d16265b35dd2632259cec0ee39440

SHA1
8b8b46f1923459668dc4eeaf336c4e397c550545

SHA256
61132183bfe396ae091120171dafb421715aaa7af22feb2744b412e1916c6ad6

SHA512
6a9dd3db03d68057eacf70df7eb5fbcdcd642028555a04c29feaae44dd23321e0c73bf9f8579822c5ddcbbabdc587b477783c55bf013c567f2e2b1564cb6144a

Download Submit
C:\Windows\System\ubSVcKb.exe

Filesize
5.2MB

MD5
363b60704de7312cc2086dda19823e26

SHA1
3580476cabe1136f4624822f47bd3bec006350a2

SHA256
2bf644b292297d566b9645ac38f2eed4d07ab4255762311915913d3cfb7f7fd9

SHA512
e8274ca7f87bd625c5a5af1d78ac2af559d9160186ef109735fcae1234535f333b5680ab500f46da70f627cee9fc5c21fa90721bb7c79c54aadef2be61a4d98a

Download Submit
C:\Windows\System\wDSXXmk.exe

Filesize
5.2MB

MD5
b7566ec1419bf80c0d50874ea53277c0

SHA1
078cd61107d7113fb4a6c5c056a097148840ad33

SHA256
c3ac44ca45b242ef03c8d01916d20f9241b8111d4754aebf4e891b899c5d05b9

SHA512
960a606073ae8ea01473b34abff0ff84ff7ce59122086ff186d55517000cdf12916a4e6cf3d8379ccbb756692ceed4535f6691d07d85430a357c0374c6999b32

Download Submit
C:\Windows\System\wNxiIXA.exe

Filesize
5.2MB

MD5
02fef3ecd346cf6be83f08c857af900e

SHA1
9733b8aedb3dfec4428fd930ff6fa03129b916ab

SHA256
febc69f08f2afbd9275885c56a150807457572f3c1994b68834f11d76319a925

SHA512
1f3bc86039166d45ee69d71be6331c2e98f38dc3160aeaac49f86ab87935d169cf60f8c5e7d671fb491a7a87842f5aea4cef9cb22f9738b426f4f327bcbf846a

Download Submit
C:\Windows\System\wdscHZn.exe

Filesize
5.2MB

MD5
65e3a6b668372d4eb8383969196a3180

SHA1
2b5557e802de6d60c8ed01570aa62eca777674c1

SHA256
04bd0bfb92b5cc5621b09b43986be8c4e47c04d327309ee2b096ce652b644d20

SHA512
6dded429f89f815a46e7d39ed9ff6ad4b436ab0932c6d158630abfe6452dae61d0c2723b33ad382f5c1049db35e04b9be44a4b548e69f6094f9af3bdce5a9db5

Download Submit
C:\Windows\System\wnTHfgS.exe

Filesize
5.2MB

MD5
1e0011d77ce39e12ddfc0571b38a0e9d

SHA1
0834a2b169a796d43424562af58e692799ad51d6

SHA256
04298354b278a9dd57550c56eff99647b9faecd0eff231d1b714030814641143

SHA512
b7e69bff886dc0c65b2d4f95f1ef1fd077c9c8adf937c114b39f58ed8c6ca5ff1ebf682e1b3cab5d8883757cf7e2570edfc173d6582c6978cbcf36068f5e5ee0

Download Submit
C:\Windows\System\xUvWOOa.exe

Filesize
5.2MB

MD5
b66abbb2de5f499d445a899358064f63

SHA1
4c1ecafc2bd3d56e7f928e6c0e0c96724b13d177

SHA256
c142a35d9af0aa68ba0d86cdc6df1b792597930cd2b74c872951f2c563e3ba95

SHA512
758e14156623e4897692b52f3cb1a901dd905ad3ca9d6f5ba08e87114867518ec249b7f168ab4e1b68cf239db6ff911e8103c6683f6648ab136827396eaf8ed4

Download Submit
memory/112-120-0x00007FF6302E0000-0x00007FF630631000-memory.dmp

Filesize
3.3MB

Download
memory/112-250-0x00007FF6302E0000-0x00007FF630631000-memory.dmp

Filesize
3.3MB

Download
memory/1496-54-0x00007FF717BF0000-0x00007FF717F41000-memory.dmp

Filesize
3.3MB

Download
memory/1496-237-0x00007FF717BF0000-0x00007FF717F41000-memory.dmp

Filesize
3.3MB

Download
memory/2024-127-0x00007FF6D6D50000-0x00007FF6D70A1000-memory.dmp

Filesize
3.3MB

Download
memory/2024-210-0x00007FF6D6D50000-0x00007FF6D70A1000-memory.dmp

Filesize
3.3MB

Download
memory/2024-24-0x00007FF6D6D50000-0x00007FF6D70A1000-memory.dmp

Filesize
3.3MB

Download
memory/2080-239-0x00007FF7A4930000-0x00007FF7A4C81000-memory.dmp

Filesize
3.3MB

Download
memory/2080-118-0x00007FF7A4930000-0x00007FF7A4C81000-memory.dmp

Filesize
3.3MB

Download
memory/2116-256-0x00007FF63B160000-0x00007FF63B4B1000-memory.dmp

Filesize
3.3MB

Download
memory/2116-121-0x00007FF63B160000-0x00007FF63B4B1000-memory.dmp

Filesize
3.3MB

Download
memory/2116-149-0x00007FF63B160000-0x00007FF63B4B1000-memory.dmp

Filesize
3.3MB

Download
memory/2260-141-0x00007FF603460000-0x00007FF6037B1000-memory.dmp

Filesize
3.3MB

Download
memory/2260-236-0x00007FF603460000-0x00007FF6037B1000-memory.dmp

Filesize
3.3MB

Download
memory/2260-53-0x00007FF603460000-0x00007FF6037B1000-memory.dmp

Filesize
3.3MB

Download
memory/2468-128-0x00007FF7D3730000-0x00007FF7D3A81000-memory.dmp

Filesize
3.3MB

Download
memory/2468-254-0x00007FF7D3730000-0x00007FF7D3A81000-memory.dmp

Filesize
3.3MB

Download
memory/2476-27-0x00007FF667900000-0x00007FF667C51000-memory.dmp

Filesize
3.3MB

Download
memory/2476-136-0x00007FF667900000-0x00007FF667C51000-memory.dmp

Filesize
3.3MB

Download
memory/2476-212-0x00007FF667900000-0x00007FF667C51000-memory.dmp

Filesize
3.3MB

Download
memory/2872-124-0x00007FF6B6E50000-0x00007FF6B71A1000-memory.dmp

Filesize
3.3MB

Download
memory/2872-259-0x00007FF6B6E50000-0x00007FF6B71A1000-memory.dmp

Filesize
3.3MB

Download
memory/2872-153-0x00007FF6B6E50000-0x00007FF6B71A1000-memory.dmp

Filesize
3.3MB

Download
memory/2976-257-0x00007FF781A70000-0x00007FF781DC1000-memory.dmp

Filesize
3.3MB

Download
memory/2976-104-0x00007FF781A70000-0x00007FF781DC1000-memory.dmp

Filesize
3.3MB

Download
memory/2976-148-0x00007FF781A70000-0x00007FF781DC1000-memory.dmp

Filesize
3.3MB

Download
memory/3324-71-0x00007FF6F81F0000-0x00007FF6F8541000-memory.dmp

Filesize
3.3MB

Download
memory/3324-208-0x00007FF6F81F0000-0x00007FF6F8541000-memory.dmp

Filesize
3.3MB

Download
memory/3324-18-0x00007FF6F81F0000-0x00007FF6F8541000-memory.dmp

Filesize
3.3MB

Download
memory/3576-60-0x00007FF6800F0000-0x00007FF680441000-memory.dmp

Filesize
3.3MB

Download
memory/3576-232-0x00007FF6800F0000-0x00007FF680441000-memory.dmp

Filesize
3.3MB

Download
memory/3576-142-0x00007FF6800F0000-0x00007FF680441000-memory.dmp

Filesize
3.3MB

Download
memory/3580-243-0x00007FF61D5A0000-0x00007FF61D8F1000-memory.dmp

Filesize
3.3MB

Download
memory/3580-147-0x00007FF61D5A0000-0x00007FF61D8F1000-memory.dmp

Filesize
3.3MB

Download
memory/3580-103-0x00007FF61D5A0000-0x00007FF61D8F1000-memory.dmp

Filesize
3.3MB

Download
memory/3740-234-0x00007FF711230000-0x00007FF711581000-memory.dmp

Filesize
3.3MB

Download
memory/3740-138-0x00007FF711230000-0x00007FF711581000-memory.dmp

Filesize
3.3MB

Download
memory/3740-47-0x00007FF711230000-0x00007FF711581000-memory.dmp

Filesize
3.3MB

Download
memory/3952-145-0x00007FF607140000-0x00007FF607491000-memory.dmp

Filesize
3.3MB

Download
memory/3952-87-0x00007FF607140000-0x00007FF607491000-memory.dmp

Filesize
3.3MB

Download
memory/3952-252-0x00007FF607140000-0x00007FF607491000-memory.dmp

Filesize
3.3MB

Download
memory/4072-77-0x00007FF68CA90000-0x00007FF68CDE1000-memory.dmp

Filesize
3.3MB

Download
memory/4072-143-0x00007FF68CA90000-0x00007FF68CDE1000-memory.dmp

Filesize
3.3MB

Download
memory/4072-245-0x00007FF68CA90000-0x00007FF68CDE1000-memory.dmp

Filesize
3.3MB

Download
memory/4268-112-0x00007FF731BE0000-0x00007FF731F31000-memory.dmp

Filesize
3.3MB

Download
memory/4268-7-0x00007FF731BE0000-0x00007FF731F31000-memory.dmp

Filesize
3.3MB

Download
memory/4268-206-0x00007FF731BE0000-0x00007FF731F31000-memory.dmp

Filesize
3.3MB

Download
memory/4560-131-0x00007FF72FC40000-0x00007FF72FF91000-memory.dmp

Filesize
3.3MB

Download
memory/4560-1-0x00000232BC390000-0x00000232BC3A0000-memory.dmp

Filesize
64KB

Download
memory/4560-154-0x00007FF72FC40000-0x00007FF72FF91000-memory.dmp

Filesize
3.3MB

Download
memory/4560-0-0x00007FF72FC40000-0x00007FF72FF91000-memory.dmp

Filesize
3.3MB

Download
memory/4560-70-0x00007FF72FC40000-0x00007FF72FF91000-memory.dmp

Filesize
3.3MB

Download
memory/4584-119-0x00007FF65C870000-0x00007FF65CBC1000-memory.dmp

Filesize
3.3MB

Download
memory/4584-247-0x00007FF65C870000-0x00007FF65CBC1000-memory.dmp

Filesize
3.3MB

Download
memory/4612-111-0x00007FF6EBEF0000-0x00007FF6EC241000-memory.dmp

Filesize
3.3MB

Download
memory/4612-151-0x00007FF6EBEF0000-0x00007FF6EC241000-memory.dmp

Filesize
3.3MB

Download
memory/4612-263-0x00007FF6EBEF0000-0x00007FF6EC241000-memory.dmp

Filesize
3.3MB

Download
memory/4652-50-0x00007FF7DBA10000-0x00007FF7DBD61000-memory.dmp

Filesize
3.3MB

Download
memory/4652-229-0x00007FF7DBA10000-0x00007FF7DBD61000-memory.dmp

Filesize
3.3MB

Download
memory/4884-34-0x00007FF7E8310000-0x00007FF7E8661000-memory.dmp

Filesize
3.3MB

Download
memory/4884-137-0x00007FF7E8310000-0x00007FF7E8661000-memory.dmp

Filesize
3.3MB

Download
memory/4884-214-0x00007FF7E8310000-0x00007FF7E8661000-memory.dmp

Filesize
3.3MB

Download