cobaltstrike | 01764a155109e5e22d1e389edac1b2a4cec1726a90e3991a4b8c6a44353fc340

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15/11/2024, 01:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-15_2f291a8936d0483f047cc05135ae09e9_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

2f291a8936d0483f047cc05135ae09e9
SHA1

66f1ff017db77abc096823aa1164aedfd23ad1e4
SHA256

01764a155109e5e22d1e389edac1b2a4cec1726a90e3991a4b8c6a44353fc340
SHA512

51562e9d85969a77be87450ea117c8b43be4221bf58c142a61eae3bf433cc562d18f3549cf0dd921cd42134e1435aa40b8f1f3e26d32aba09f66e4ff9377610d
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lN:RWWBibf56utgpPFotBER/mQ32lUB

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000b000000023b8a-5.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8e-10.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8f-11.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b8b-25.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b91-28.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b92-33.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b94-44.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b95-56.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b93-49.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b96-64.dat	cobalt_reflective_dll
behavioral2/files/0x0002000000022ef8-70.dat	cobalt_reflective_dll
behavioral2/files/0x000f000000023aab-76.dat	cobalt_reflective_dll
behavioral2/files/0x000d000000023acc-83.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ad1-89.dat	cobalt_reflective_dll
behavioral2/files/0x000e000000023ad0-95.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b99-103.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9a-106.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9b-121.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b98-115.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b97-113.dat	cobalt_reflective_dll
behavioral2/files/0x0002000000022efc-87.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/3184-52-0x00007FF7AF210000-0x00007FF7AF561000-memory.dmp	xmrig
behavioral2/memory/2712-58-0x00007FF6BFD70000-0x00007FF6C00C1000-memory.dmp	xmrig
behavioral2/memory/2772-82-0x00007FF776BA0000-0x00007FF776EF1000-memory.dmp	xmrig
behavioral2/memory/1376-62-0x00007FF702DC0000-0x00007FF703111000-memory.dmp	xmrig
behavioral2/memory/3184-124-0x00007FF7AF210000-0x00007FF7AF561000-memory.dmp	xmrig
behavioral2/memory/3812-131-0x00007FF655DB0000-0x00007FF656101000-memory.dmp	xmrig
behavioral2/memory/2468-135-0x00007FF7DB970000-0x00007FF7DBCC1000-memory.dmp	xmrig
behavioral2/memory/3000-137-0x00007FF6E6CE0000-0x00007FF6E7031000-memory.dmp	xmrig
behavioral2/memory/3600-140-0x00007FF677F50000-0x00007FF6782A1000-memory.dmp	xmrig
behavioral2/memory/4904-141-0x00007FF7D7CB0000-0x00007FF7D8001000-memory.dmp	xmrig
behavioral2/memory/4120-142-0x00007FF619A40000-0x00007FF619D91000-memory.dmp	xmrig
behavioral2/memory/4704-139-0x00007FF6E3BD0000-0x00007FF6E3F21000-memory.dmp	xmrig
behavioral2/memory/4992-138-0x00007FF691B30000-0x00007FF691E81000-memory.dmp	xmrig
behavioral2/memory/5020-136-0x00007FF76BF00000-0x00007FF76C251000-memory.dmp	xmrig
behavioral2/memory/4996-134-0x00007FF798540000-0x00007FF798891000-memory.dmp	xmrig
behavioral2/memory/3784-133-0x00007FF66A020000-0x00007FF66A371000-memory.dmp	xmrig
behavioral2/memory/1988-130-0x00007FF6D2360000-0x00007FF6D26B1000-memory.dmp	xmrig
behavioral2/memory/4772-128-0x00007FF723140000-0x00007FF723491000-memory.dmp	xmrig
behavioral2/memory/3128-132-0x00007FF7B2840000-0x00007FF7B2B91000-memory.dmp	xmrig
behavioral2/memory/1892-129-0x00007FF6609D0000-0x00007FF660D21000-memory.dmp	xmrig
behavioral2/memory/3532-143-0x00007FF6A1410000-0x00007FF6A1761000-memory.dmp	xmrig
behavioral2/memory/2740-144-0x00007FF7B4410000-0x00007FF7B4761000-memory.dmp	xmrig
behavioral2/memory/1604-145-0x00007FF797400000-0x00007FF797751000-memory.dmp	xmrig
behavioral2/memory/3184-154-0x00007FF7AF210000-0x00007FF7AF561000-memory.dmp	xmrig
behavioral2/memory/2712-202-0x00007FF6BFD70000-0x00007FF6C00C1000-memory.dmp	xmrig
behavioral2/memory/1376-204-0x00007FF702DC0000-0x00007FF703111000-memory.dmp	xmrig
behavioral2/memory/2772-209-0x00007FF776BA0000-0x00007FF776EF1000-memory.dmp	xmrig
behavioral2/memory/4772-215-0x00007FF723140000-0x00007FF723491000-memory.dmp	xmrig
behavioral2/memory/1892-217-0x00007FF6609D0000-0x00007FF660D21000-memory.dmp	xmrig
behavioral2/memory/1988-219-0x00007FF6D2360000-0x00007FF6D26B1000-memory.dmp	xmrig
behavioral2/memory/3812-222-0x00007FF655DB0000-0x00007FF656101000-memory.dmp	xmrig
behavioral2/memory/3784-225-0x00007FF66A020000-0x00007FF66A371000-memory.dmp	xmrig
behavioral2/memory/3128-226-0x00007FF7B2840000-0x00007FF7B2B91000-memory.dmp	xmrig
behavioral2/memory/4996-237-0x00007FF798540000-0x00007FF798891000-memory.dmp	xmrig
behavioral2/memory/3532-239-0x00007FF6A1410000-0x00007FF6A1761000-memory.dmp	xmrig
behavioral2/memory/2740-241-0x00007FF7B4410000-0x00007FF7B4761000-memory.dmp	xmrig
behavioral2/memory/4904-243-0x00007FF7D7CB0000-0x00007FF7D8001000-memory.dmp	xmrig
behavioral2/memory/1604-248-0x00007FF797400000-0x00007FF797751000-memory.dmp	xmrig
behavioral2/memory/5020-250-0x00007FF76BF00000-0x00007FF76C251000-memory.dmp	xmrig
behavioral2/memory/4992-255-0x00007FF691B30000-0x00007FF691E81000-memory.dmp	xmrig
behavioral2/memory/3000-259-0x00007FF6E6CE0000-0x00007FF6E7031000-memory.dmp	xmrig
behavioral2/memory/3600-261-0x00007FF677F50000-0x00007FF6782A1000-memory.dmp	xmrig
behavioral2/memory/4704-257-0x00007FF6E3BD0000-0x00007FF6E3F21000-memory.dmp	xmrig
behavioral2/memory/4120-254-0x00007FF619A40000-0x00007FF619D91000-memory.dmp	xmrig
behavioral2/memory/2468-251-0x00007FF7DB970000-0x00007FF7DBCC1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2712	KVMKbMm.exe
1376	HbiPZxE.exe
2772	dNaneIz.exe
4772	HROlPwR.exe
1892	mUBLYzX.exe
1988	AsKOvlE.exe
3812	UFtLZPA.exe
3128	VrWerBd.exe
3784	FbAOERw.exe
4996	PdpdFJO.exe
3532	SftcBTS.exe
2740	SkQMvIh.exe
1604	JsTQeLB.exe
4904	ETzUtBx.exe
2468	vPlGLBk.exe
5020	TAlvBtv.exe
4120	XhVxBoa.exe
3000	MxgvLvR.exe
4992	tGQmgkK.exe
4704	drEqkcY.exe
3600	ryYUNIi.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3184-0-0x00007FF7AF210000-0x00007FF7AF561000-memory.dmp	upx
behavioral2/files/0x000b000000023b8a-5.dat	upx
behavioral2/files/0x000a000000023b8e-10.dat	upx
behavioral2/memory/2712-8-0x00007FF6BFD70000-0x00007FF6C00C1000-memory.dmp	upx
behavioral2/files/0x000a000000023b8f-11.dat	upx
behavioral2/memory/1376-12-0x00007FF702DC0000-0x00007FF703111000-memory.dmp	upx
behavioral2/memory/4772-24-0x00007FF723140000-0x00007FF723491000-memory.dmp	upx
behavioral2/files/0x000b000000023b8b-25.dat	upx
behavioral2/memory/2772-18-0x00007FF776BA0000-0x00007FF776EF1000-memory.dmp	upx
behavioral2/files/0x000a000000023b91-28.dat	upx
behavioral2/memory/1892-30-0x00007FF6609D0000-0x00007FF660D21000-memory.dmp	upx
behavioral2/files/0x000a000000023b92-33.dat	upx
behavioral2/files/0x000a000000023b94-44.dat	upx
behavioral2/memory/3128-51-0x00007FF7B2840000-0x00007FF7B2B91000-memory.dmp	upx
behavioral2/files/0x000a000000023b95-56.dat	upx
behavioral2/memory/3784-53-0x00007FF66A020000-0x00007FF66A371000-memory.dmp	upx
behavioral2/memory/3184-52-0x00007FF7AF210000-0x00007FF7AF561000-memory.dmp	upx
behavioral2/files/0x000a000000023b93-49.dat	upx
behavioral2/memory/3812-43-0x00007FF655DB0000-0x00007FF656101000-memory.dmp	upx
behavioral2/memory/1988-36-0x00007FF6D2360000-0x00007FF6D26B1000-memory.dmp	upx
behavioral2/memory/2712-58-0x00007FF6BFD70000-0x00007FF6C00C1000-memory.dmp	upx
behavioral2/memory/4996-63-0x00007FF798540000-0x00007FF798891000-memory.dmp	upx
behavioral2/files/0x000a000000023b96-64.dat	upx
behavioral2/files/0x0002000000022ef8-70.dat	upx
behavioral2/files/0x000f000000023aab-76.dat	upx
behavioral2/files/0x000d000000023acc-83.dat	upx
behavioral2/files/0x000a000000023ad1-89.dat	upx
behavioral2/files/0x000e000000023ad0-95.dat	upx
behavioral2/files/0x000a000000023b99-103.dat	upx
behavioral2/files/0x000a000000023b9a-106.dat	upx
behavioral2/files/0x000a000000023b9b-121.dat	upx
behavioral2/files/0x000a000000023b98-115.dat	upx
behavioral2/files/0x000a000000023b97-113.dat	upx
behavioral2/memory/2740-90-0x00007FF7B4410000-0x00007FF7B4761000-memory.dmp	upx
behavioral2/files/0x0002000000022efc-87.dat	upx
behavioral2/memory/2772-82-0x00007FF776BA0000-0x00007FF776EF1000-memory.dmp	upx
behavioral2/memory/3532-69-0x00007FF6A1410000-0x00007FF6A1761000-memory.dmp	upx
behavioral2/memory/1376-62-0x00007FF702DC0000-0x00007FF703111000-memory.dmp	upx
behavioral2/memory/1604-123-0x00007FF797400000-0x00007FF797751000-memory.dmp	upx
behavioral2/memory/3184-124-0x00007FF7AF210000-0x00007FF7AF561000-memory.dmp	upx
behavioral2/memory/3812-131-0x00007FF655DB0000-0x00007FF656101000-memory.dmp	upx
behavioral2/memory/2468-135-0x00007FF7DB970000-0x00007FF7DBCC1000-memory.dmp	upx
behavioral2/memory/3000-137-0x00007FF6E6CE0000-0x00007FF6E7031000-memory.dmp	upx
behavioral2/memory/3600-140-0x00007FF677F50000-0x00007FF6782A1000-memory.dmp	upx
behavioral2/memory/4904-141-0x00007FF7D7CB0000-0x00007FF7D8001000-memory.dmp	upx
behavioral2/memory/4120-142-0x00007FF619A40000-0x00007FF619D91000-memory.dmp	upx
behavioral2/memory/4704-139-0x00007FF6E3BD0000-0x00007FF6E3F21000-memory.dmp	upx
behavioral2/memory/4992-138-0x00007FF691B30000-0x00007FF691E81000-memory.dmp	upx
behavioral2/memory/5020-136-0x00007FF76BF00000-0x00007FF76C251000-memory.dmp	upx
behavioral2/memory/4996-134-0x00007FF798540000-0x00007FF798891000-memory.dmp	upx
behavioral2/memory/3784-133-0x00007FF66A020000-0x00007FF66A371000-memory.dmp	upx
behavioral2/memory/1988-130-0x00007FF6D2360000-0x00007FF6D26B1000-memory.dmp	upx
behavioral2/memory/4772-128-0x00007FF723140000-0x00007FF723491000-memory.dmp	upx
behavioral2/memory/3128-132-0x00007FF7B2840000-0x00007FF7B2B91000-memory.dmp	upx
behavioral2/memory/1892-129-0x00007FF6609D0000-0x00007FF660D21000-memory.dmp	upx
behavioral2/memory/3532-143-0x00007FF6A1410000-0x00007FF6A1761000-memory.dmp	upx
behavioral2/memory/2740-144-0x00007FF7B4410000-0x00007FF7B4761000-memory.dmp	upx
behavioral2/memory/1604-145-0x00007FF797400000-0x00007FF797751000-memory.dmp	upx
behavioral2/memory/3184-154-0x00007FF7AF210000-0x00007FF7AF561000-memory.dmp	upx
behavioral2/memory/2712-202-0x00007FF6BFD70000-0x00007FF6C00C1000-memory.dmp	upx
behavioral2/memory/1376-204-0x00007FF702DC0000-0x00007FF703111000-memory.dmp	upx
behavioral2/memory/2772-209-0x00007FF776BA0000-0x00007FF776EF1000-memory.dmp	upx
behavioral2/memory/4772-215-0x00007FF723140000-0x00007FF723491000-memory.dmp	upx
behavioral2/memory/1892-217-0x00007FF6609D0000-0x00007FF660D21000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\tGQmgkK.exe	2024-11-15_2f291a8936d0483f047cc05135ae09e9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HbiPZxE.exe	2024-11-15_2f291a8936d0483f047cc05135ae09e9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HROlPwR.exe	2024-11-15_2f291a8936d0483f047cc05135ae09e9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SkQMvIh.exe	2024-11-15_2f291a8936d0483f047cc05135ae09e9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JsTQeLB.exe	2024-11-15_2f291a8936d0483f047cc05135ae09e9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vPlGLBk.exe	2024-11-15_2f291a8936d0483f047cc05135ae09e9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MxgvLvR.exe	2024-11-15_2f291a8936d0483f047cc05135ae09e9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AsKOvlE.exe	2024-11-15_2f291a8936d0483f047cc05135ae09e9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UFtLZPA.exe	2024-11-15_2f291a8936d0483f047cc05135ae09e9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PdpdFJO.exe	2024-11-15_2f291a8936d0483f047cc05135ae09e9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ETzUtBx.exe	2024-11-15_2f291a8936d0483f047cc05135ae09e9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TAlvBtv.exe	2024-11-15_2f291a8936d0483f047cc05135ae09e9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KVMKbMm.exe	2024-11-15_2f291a8936d0483f047cc05135ae09e9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mUBLYzX.exe	2024-11-15_2f291a8936d0483f047cc05135ae09e9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FbAOERw.exe	2024-11-15_2f291a8936d0483f047cc05135ae09e9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SftcBTS.exe	2024-11-15_2f291a8936d0483f047cc05135ae09e9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XhVxBoa.exe	2024-11-15_2f291a8936d0483f047cc05135ae09e9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\drEqkcY.exe	2024-11-15_2f291a8936d0483f047cc05135ae09e9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dNaneIz.exe	2024-11-15_2f291a8936d0483f047cc05135ae09e9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VrWerBd.exe	2024-11-15_2f291a8936d0483f047cc05135ae09e9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ryYUNIi.exe	2024-11-15_2f291a8936d0483f047cc05135ae09e9_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3184	2024-11-15_2f291a8936d0483f047cc05135ae09e9_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	3184	2024-11-15_2f291a8936d0483f047cc05135ae09e9_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3184 wrote to memory of 2712	3184	2024-11-15_2f291a8936d0483f047cc05135ae09e9_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3184 wrote to memory of 2712	3184	2024-11-15_2f291a8936d0483f047cc05135ae09e9_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3184 wrote to memory of 1376	3184	2024-11-15_2f291a8936d0483f047cc05135ae09e9_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3184 wrote to memory of 1376	3184	2024-11-15_2f291a8936d0483f047cc05135ae09e9_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3184 wrote to memory of 2772	3184	2024-11-15_2f291a8936d0483f047cc05135ae09e9_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3184 wrote to memory of 2772	3184	2024-11-15_2f291a8936d0483f047cc05135ae09e9_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3184 wrote to memory of 4772	3184	2024-11-15_2f291a8936d0483f047cc05135ae09e9_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3184 wrote to memory of 4772	3184	2024-11-15_2f291a8936d0483f047cc05135ae09e9_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3184 wrote to memory of 1892	3184	2024-11-15_2f291a8936d0483f047cc05135ae09e9_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3184 wrote to memory of 1892	3184	2024-11-15_2f291a8936d0483f047cc05135ae09e9_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3184 wrote to memory of 1988	3184	2024-11-15_2f291a8936d0483f047cc05135ae09e9_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3184 wrote to memory of 1988	3184	2024-11-15_2f291a8936d0483f047cc05135ae09e9_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3184 wrote to memory of 3812	3184	2024-11-15_2f291a8936d0483f047cc05135ae09e9_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3184 wrote to memory of 3812	3184	2024-11-15_2f291a8936d0483f047cc05135ae09e9_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3184 wrote to memory of 3128	3184	2024-11-15_2f291a8936d0483f047cc05135ae09e9_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3184 wrote to memory of 3128	3184	2024-11-15_2f291a8936d0483f047cc05135ae09e9_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3184 wrote to memory of 3784	3184	2024-11-15_2f291a8936d0483f047cc05135ae09e9_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3184 wrote to memory of 3784	3184	2024-11-15_2f291a8936d0483f047cc05135ae09e9_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3184 wrote to memory of 4996	3184	2024-11-15_2f291a8936d0483f047cc05135ae09e9_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3184 wrote to memory of 4996	3184	2024-11-15_2f291a8936d0483f047cc05135ae09e9_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3184 wrote to memory of 3532	3184	2024-11-15_2f291a8936d0483f047cc05135ae09e9_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3184 wrote to memory of 3532	3184	2024-11-15_2f291a8936d0483f047cc05135ae09e9_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3184 wrote to memory of 2740	3184	2024-11-15_2f291a8936d0483f047cc05135ae09e9_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3184 wrote to memory of 2740	3184	2024-11-15_2f291a8936d0483f047cc05135ae09e9_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3184 wrote to memory of 1604	3184	2024-11-15_2f291a8936d0483f047cc05135ae09e9_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3184 wrote to memory of 1604	3184	2024-11-15_2f291a8936d0483f047cc05135ae09e9_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3184 wrote to memory of 4904	3184	2024-11-15_2f291a8936d0483f047cc05135ae09e9_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3184 wrote to memory of 4904	3184	2024-11-15_2f291a8936d0483f047cc05135ae09e9_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3184 wrote to memory of 2468	3184	2024-11-15_2f291a8936d0483f047cc05135ae09e9_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3184 wrote to memory of 2468	3184	2024-11-15_2f291a8936d0483f047cc05135ae09e9_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3184 wrote to memory of 5020	3184	2024-11-15_2f291a8936d0483f047cc05135ae09e9_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3184 wrote to memory of 5020	3184	2024-11-15_2f291a8936d0483f047cc05135ae09e9_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3184 wrote to memory of 4120	3184	2024-11-15_2f291a8936d0483f047cc05135ae09e9_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3184 wrote to memory of 4120	3184	2024-11-15_2f291a8936d0483f047cc05135ae09e9_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3184 wrote to memory of 3000	3184	2024-11-15_2f291a8936d0483f047cc05135ae09e9_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 3184 wrote to memory of 3000	3184	2024-11-15_2f291a8936d0483f047cc05135ae09e9_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 3184 wrote to memory of 4992	3184	2024-11-15_2f291a8936d0483f047cc05135ae09e9_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 3184 wrote to memory of 4992	3184	2024-11-15_2f291a8936d0483f047cc05135ae09e9_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 3184 wrote to memory of 4704	3184	2024-11-15_2f291a8936d0483f047cc05135ae09e9_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 3184 wrote to memory of 4704	3184	2024-11-15_2f291a8936d0483f047cc05135ae09e9_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 3184 wrote to memory of 3600	3184	2024-11-15_2f291a8936d0483f047cc05135ae09e9_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 3184 wrote to memory of 3600	3184	2024-11-15_2f291a8936d0483f047cc05135ae09e9_cobalt-strike_cobaltstrike_poet-rat.exe	107

C:\Users\Admin\AppData\Local\Temp\2024-11-15_2f291a8936d0483f047cc05135ae09e9_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-15_2f291a8936d0483f047cc05135ae09e9_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3184
- C:\Windows\System\KVMKbMm.exe
  C:\Windows\System\KVMKbMm.exe
  2⤵
  - Executes dropped EXE
  PID:2712
- C:\Windows\System\HbiPZxE.exe
  C:\Windows\System\HbiPZxE.exe
  2⤵
  - Executes dropped EXE
  PID:1376
- C:\Windows\System\dNaneIz.exe
  C:\Windows\System\dNaneIz.exe
  2⤵
  - Executes dropped EXE
  PID:2772
- C:\Windows\System\HROlPwR.exe
  C:\Windows\System\HROlPwR.exe
  2⤵
  - Executes dropped EXE
  PID:4772
- C:\Windows\System\mUBLYzX.exe
  C:\Windows\System\mUBLYzX.exe
  2⤵
  - Executes dropped EXE
  PID:1892
- C:\Windows\System\AsKOvlE.exe
  C:\Windows\System\AsKOvlE.exe
  2⤵
  - Executes dropped EXE
  PID:1988
- C:\Windows\System\UFtLZPA.exe
  C:\Windows\System\UFtLZPA.exe
  2⤵
  - Executes dropped EXE
  PID:3812
- C:\Windows\System\VrWerBd.exe
  C:\Windows\System\VrWerBd.exe
  2⤵
  - Executes dropped EXE
  PID:3128
- C:\Windows\System\FbAOERw.exe
  C:\Windows\System\FbAOERw.exe
  2⤵
  - Executes dropped EXE
  PID:3784
- C:\Windows\System\PdpdFJO.exe
  C:\Windows\System\PdpdFJO.exe
  2⤵
  - Executes dropped EXE
  PID:4996
- C:\Windows\System\SftcBTS.exe
  C:\Windows\System\SftcBTS.exe
  2⤵
  - Executes dropped EXE
  PID:3532
- C:\Windows\System\SkQMvIh.exe
  C:\Windows\System\SkQMvIh.exe
  2⤵
  - Executes dropped EXE
  PID:2740
- C:\Windows\System\JsTQeLB.exe
  C:\Windows\System\JsTQeLB.exe
  2⤵
  - Executes dropped EXE
  PID:1604
- C:\Windows\System\ETzUtBx.exe
  C:\Windows\System\ETzUtBx.exe
  2⤵
  - Executes dropped EXE
  PID:4904
- C:\Windows\System\vPlGLBk.exe
  C:\Windows\System\vPlGLBk.exe
  2⤵
  - Executes dropped EXE
  PID:2468
- C:\Windows\System\TAlvBtv.exe
  C:\Windows\System\TAlvBtv.exe
  2⤵
  - Executes dropped EXE
  PID:5020
- C:\Windows\System\XhVxBoa.exe
  C:\Windows\System\XhVxBoa.exe
  2⤵
  - Executes dropped EXE
  PID:4120
- C:\Windows\System\MxgvLvR.exe
  C:\Windows\System\MxgvLvR.exe
  2⤵
  - Executes dropped EXE
  PID:3000
- C:\Windows\System\tGQmgkK.exe
  C:\Windows\System\tGQmgkK.exe
  2⤵
  - Executes dropped EXE
  PID:4992
- C:\Windows\System\drEqkcY.exe
  C:\Windows\System\drEqkcY.exe
  2⤵
  - Executes dropped EXE
  PID:4704
- C:\Windows\System\ryYUNIi.exe
  C:\Windows\System\ryYUNIi.exe
  2⤵
  - Executes dropped EXE
  PID:3600

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AsKOvlE.exe

Filesize
5.2MB

MD5
fe57cb740c09deb194b15efeaf97c067

SHA1
214a4921dee5348b3f0c1931d1d3b7fa86652931

SHA256
8331f223ef2dd701e2e96346b8f857bf78b74274424278837853ab5371bf4bab

SHA512
0f87f227a60ad4200442c3b8415dcfc086ddd581a887450fc3ca6689d16a5b98aa8e4adfb06709677c64d6675fcba0080bd5f1e0788a48c260f89d4cb5cd79a7

Download Submit
C:\Windows\System\ETzUtBx.exe

Filesize
5.2MB

MD5
495450071b400019fa602d4eea6338e9

SHA1
eb4402783b5fd2e704bbb7fad6ea437e238a20f9

SHA256
e80d656724848e938ae35d4e73e3f40678b748ffcd56a1f48a0631f944215b35

SHA512
59de952c816c75b599727b2eccd4c67411cf61e08c51725dd637ed9bae946856750f3ed64c456501c10d0c7c31d6b79028f73d84bf9f3a7ee01e52e08dee1fa0

Download Submit
C:\Windows\System\FbAOERw.exe

Filesize
5.2MB

MD5
8601a23ea734baf14142fef5efdb0094

SHA1
340203ce5253a7d7b0032f8b5ab8396e1817ba3c

SHA256
62d84349ee6dbdb74dc0cf493bdb9bc21d45d7775307985dff591a73cce01b89

SHA512
4460f3bdc6404afa5041b34d2d1cbff4b6981d98f088085cd8c33d7266cbadf08dc38ff2d919ff9261a801412172d0e26a6dc3cb1d4d75344ebd7a8fc70b2416

Download Submit
C:\Windows\System\HROlPwR.exe

Filesize
5.2MB

MD5
271c5c239d27ce4bef0a826509bf68f9

SHA1
04e1b64ca19580747066b7c483789544f3fefd98

SHA256
a827a4353ed00d701379aada49077f9be959c4ee17c6ccaee49289ebce13d527

SHA512
c5688237c6fbdc81bbee3f467559ecbc19767cd6d80491071c02a6d88bc96bd092b2ffe1a55074ad4b8b9eb6b89f88239b84385e65e0021b0791e95798997a5b

Download Submit
C:\Windows\System\HbiPZxE.exe

Filesize
5.2MB

MD5
c4439cbedebc7c44112104d691daff77

SHA1
19d3c403e740306b38f839de6903d4333d880e49

SHA256
4a71aea515acc798011d1bea1d30c2d23772b76fda14c689556817cfec59a027

SHA512
8b0012959662f44274c460d190adc5bdf877ee8aeb4c7b19c67a58570b3ca61f56d64a361630202a85227835d5b018550de1eeb4b24e80d26a3aa2c29a70852f

Download Submit
C:\Windows\System\JsTQeLB.exe

Filesize
5.2MB

MD5
336f2508ee37cc3d4e77784ee87ffbc1

SHA1
c384f80ace94433d123835a3536ee5d7478ed0ef

SHA256
126b20d96ee9b3a8f3a0f913ef93aeb0bd524275ddd962476c9ab2b63f0fca05

SHA512
99d10e0515a2b9c7a6672647c86d80868b7560c7e1f40ced891c9c9210a033d1b44432c2f52ebddefb51738e2210f2af9e60d480b3382b6eb7aba7cbfae753da

Download Submit
C:\Windows\System\KVMKbMm.exe

Filesize
5.2MB

MD5
8cc41750878eb5c02d87f143f20ba294

SHA1
3b7b36c3ed385395a80ee15965e57cfcdfc8856c

SHA256
211fa2c9211465d673c48fd2863ff265b0f9beb30824a456d523ba098e763dec

SHA512
29c993c22ff51155e366f6e07bca48c53d7b6f683ee4336079a5ffb4b5494a4d3bc827ce6970bf5b0100396405b472a5c8eeca1e7a0bc56258908c63f9bfe868

Download Submit
C:\Windows\System\MxgvLvR.exe

Filesize
5.2MB

MD5
a44ee2cbc49456dac656d1b21a854f0a

SHA1
adc30dc34b8d2c62e607fc9f937b387d979ec994

SHA256
5352c9ddb3da5a749af17a8295d03ccf097dd8c3b20e4d390f56b36157041f5e

SHA512
095c08b8838f34b3847df35901840cd64c5da0a0fec023bdcaaa03e4e9b25e27f155460b1129bcc703ee389655075c59aaa6dc220ce71269b1e5c96a73478535

Download Submit
C:\Windows\System\PdpdFJO.exe

Filesize
5.2MB

MD5
de632469b4ca438e22ad0bae9e5ce1d6

SHA1
cb672b8be34aecd9a8aa8eea1698f55e720f05c7

SHA256
017e1cadfb0b4aae1e50a26a3461acf69d6a1e73c50da786a82c8c1ddba06495

SHA512
e320a7ee0c59d31fbffcef30e7d027a87d1da3f673af57f0ad6d235f9b6241a6769dd52c0a9e700ed550df654d1b096fd4b2299d77109196a2750c09c7d8c5e5

Download Submit
C:\Windows\System\SftcBTS.exe

Filesize
5.2MB

MD5
37719ac24ea26a780d27b7677f268c34

SHA1
aecf029268d994fd342eb3eb343b65431834bda6

SHA256
830b55e7f8a4c908af2582e4800e3b0dcefa45b7a813cbd7127dc985b107548d

SHA512
cabaa51f460487b2a38d6890aa36d9ed988843d52a5c06d948c86026bb7c270ef709a9907bad2fcf35173fc782536f5441e5e48827918f2de5bc511ed6d29c1a

Download Submit
C:\Windows\System\SkQMvIh.exe

Filesize
5.2MB

MD5
3cc797f5484f163dbad0e98109a36bd2

SHA1
4e76c57d8a070b0d2e9adcf80b639724e07f006b

SHA256
458bb828ef4e7d54f4e4a5aef2648cba6a806de25c27040c2e9eacfcd1a63d40

SHA512
0f28b17142517aa8c9c7be72835d80bbb356e490c227bb296a616b06c1f173057bf6e72642c3bd1893a5f1ed82fbd44c41ba2cd023783c5195a42ccadfaccc00

Download Submit
C:\Windows\System\TAlvBtv.exe

Filesize
5.2MB

MD5
82a487d7c55ca9dce535c702243de847

SHA1
06aa277988f938ebcd1cfa6f1b09db8d6bc271e4

SHA256
6adea0ad9053c1b2fac3d7379f389010c898d7dad52a72f16adcc495c2cb0854

SHA512
d40285e6bc41dd3c08c80ebd893387bd5aedd2868f86422e97937e3552aefd4ae987aef715210349aa8dbd049e8f7669135c7c834f1af499345f30d9a34c8499

Download Submit
C:\Windows\System\UFtLZPA.exe

Filesize
5.2MB

MD5
033543420409aec324ed9fd1dc296559

SHA1
2ee4950b63d97461ce6340d42c3c457cd2579a7c

SHA256
396f2601357acd6b765560102393d2234cc968ab3a44c107ed333f77c872ee8f

SHA512
72f8a1f850d404ab4d76402da0d3061065daba7ee76fb4f419a8f1a580ce74ea424e521ba4b6f902850416f8064c6435c99606dfdc97fb9ba723f47385976fd1

Download Submit
C:\Windows\System\VrWerBd.exe

Filesize
5.2MB

MD5
c22bdbb48cfa73e266a18ef27810899a

SHA1
76809b7dd8d765f50a1ea832ab687b282f2b4cc3

SHA256
bb653bbc281ce6a66dd3fdf0b5f7690fa4d44c76bd16dc6917d7b5bd6154148d

SHA512
9fe714f6d0e9994885c0f36b5e3d8e501659700ac80dfefd758bd0fba920b24dca44dc0a8da21b95a4441d5ca058fc4500872af19811de284d012b4e2126e71d

Download Submit
C:\Windows\System\XhVxBoa.exe

Filesize
5.2MB

MD5
5e38edec1396aad3b7fe5d53534137d6

SHA1
c3c9cf5ffcf3d1972709b52df159508f1134a967

SHA256
5b6282f7d1a21e4299d47b67c8c1b39894e80cd80cfbe452f4024389e1707b52

SHA512
464f1fa2995c410e7a8cd289783f9036a5b94e4bb91b62cc833a92b79391596e55a4dd9cb8cc050297d87f22d0d58541894c56c0d2cc8bd9630504d89fba4beb

Download Submit
C:\Windows\System\dNaneIz.exe

Filesize
5.2MB

MD5
3a9a1c84ddf2b37813a352a2c53a8211

SHA1
6189908b177135483069e4483532655377d0bf66

SHA256
d79882f3048108285c36092f1e4b1697c631e62fe0319fa95656d7e44545859d

SHA512
9c5e0a7646975c1887c4518311df72fe8a5a03365e91f0c1fe5804bdca0680a863dfd7543fbb76228c04ec3284cf9b140db6b9684322df52219a8a30127456ac

Download Submit
C:\Windows\System\drEqkcY.exe

Filesize
5.2MB

MD5
1b0dd9d16dd6557eb35a396287391042

SHA1
a070efb2ba5bb57f26d8e3d79e9f6561d3a4b52f

SHA256
3344bcf9825dfd0613d11e04dd565b717fec4339d172a49ea61633ecacc0e8be

SHA512
a726a05e156ec2bdd94b6493ee54134b14e56cf079b25f81209036d8799aec584975ac08c6f77dcb67cf2049e33beb3d51d38cc5a52f83096497e08cba4360d6

Download Submit
C:\Windows\System\mUBLYzX.exe

Filesize
5.2MB

MD5
064d2e61a500daeedfe84fb65ae613b8

SHA1
db4ee2cd11a13b5a51908c9417a3e2cf58d64528

SHA256
787935ed8fb0d1459c22ad7111842030be6becbba16db373535eae6c817c098d

SHA512
ece4548ac7980a692bcb5a884ad89a4e865dccd6ef312b13efdd4a9645ec3a043a509f8f879e35a9660f4a4e7b29eb3f6042ca802a94fb8d87eddb6d3e6a8afa

Download Submit
C:\Windows\System\ryYUNIi.exe

Filesize
5.2MB

MD5
e2abdedbe83dde0a2cb43462b035f16e

SHA1
8a89a58a36d31d6742254a7b9e12bfc70b22c7e0

SHA256
d842557bdc3606faa3b2390ae028f7683b2d7136612e016b209296c2fc26f0b3

SHA512
6397392dcf6d85b60d8e88b61ca5c0c4c6d63d61ab17a6a5438a9bdf4b0c515c9544783c4325833fa1523081c4c2dfe5c2d2f93b7b2f0713943b96d9689f0477

Download Submit
C:\Windows\System\tGQmgkK.exe

Filesize
5.2MB

MD5
d68494bda0264929fff4e6b6202eae00

SHA1
13ed0b6f902d4e55c4ae6b6ecc7bdbdb258c6da3

SHA256
4728afe03d4ce53a51445529fdba13be503affbb5f4e25a507452c907f8a5f1f

SHA512
72fbff9f4b4817c41717cc2abe573a6e7675df1b776e269fbbb43f11d2760b388694a8f678491a0daad9ba05deb472449b71e03a1e2d9b149b3d4ef5fc1e162a

Download Submit
C:\Windows\System\vPlGLBk.exe

Filesize
5.2MB

MD5
fbb82548c009504464dd7f8aad15b7dd

SHA1
672e7615fe93cdc104d7c65a0dd07627b72c284b

SHA256
3f1fb6c0f9e19801488d8a2d0460f74ba85fdc7bd583746a039a689421dce2a8

SHA512
1f1382f7ea4aa880a402c916416a74b289ca0716a5e1eca542d5dbf58f795688197da7563c186787701ce1bc5d34dd2e48225d6c1110819a4c41f7e076386cba

Download Submit
memory/1376-204-0x00007FF702DC0000-0x00007FF703111000-memory.dmp

Filesize
3.3MB

Download
memory/1376-62-0x00007FF702DC0000-0x00007FF703111000-memory.dmp

Filesize
3.3MB

Download
memory/1376-12-0x00007FF702DC0000-0x00007FF703111000-memory.dmp

Filesize
3.3MB

Download
memory/1604-145-0x00007FF797400000-0x00007FF797751000-memory.dmp

Filesize
3.3MB

Download
memory/1604-123-0x00007FF797400000-0x00007FF797751000-memory.dmp

Filesize
3.3MB

Download
memory/1604-248-0x00007FF797400000-0x00007FF797751000-memory.dmp

Filesize
3.3MB

Download
memory/1892-129-0x00007FF6609D0000-0x00007FF660D21000-memory.dmp

Filesize
3.3MB

Download
memory/1892-217-0x00007FF6609D0000-0x00007FF660D21000-memory.dmp

Filesize
3.3MB

Download
memory/1892-30-0x00007FF6609D0000-0x00007FF660D21000-memory.dmp

Filesize
3.3MB

Download
memory/1988-36-0x00007FF6D2360000-0x00007FF6D26B1000-memory.dmp

Filesize
3.3MB

Download
memory/1988-130-0x00007FF6D2360000-0x00007FF6D26B1000-memory.dmp

Filesize
3.3MB

Download
memory/1988-219-0x00007FF6D2360000-0x00007FF6D26B1000-memory.dmp

Filesize
3.3MB

Download
memory/2468-135-0x00007FF7DB970000-0x00007FF7DBCC1000-memory.dmp

Filesize
3.3MB

Download
memory/2468-251-0x00007FF7DB970000-0x00007FF7DBCC1000-memory.dmp

Filesize
3.3MB

Download
memory/2712-202-0x00007FF6BFD70000-0x00007FF6C00C1000-memory.dmp

Filesize
3.3MB

Download
memory/2712-58-0x00007FF6BFD70000-0x00007FF6C00C1000-memory.dmp

Filesize
3.3MB

Download
memory/2712-8-0x00007FF6BFD70000-0x00007FF6C00C1000-memory.dmp

Filesize
3.3MB

Download
memory/2740-144-0x00007FF7B4410000-0x00007FF7B4761000-memory.dmp

Filesize
3.3MB

Download
memory/2740-241-0x00007FF7B4410000-0x00007FF7B4761000-memory.dmp

Filesize
3.3MB

Download
memory/2740-90-0x00007FF7B4410000-0x00007FF7B4761000-memory.dmp

Filesize
3.3MB

Download
memory/2772-82-0x00007FF776BA0000-0x00007FF776EF1000-memory.dmp

Filesize
3.3MB

Download
memory/2772-209-0x00007FF776BA0000-0x00007FF776EF1000-memory.dmp

Filesize
3.3MB

Download
memory/2772-18-0x00007FF776BA0000-0x00007FF776EF1000-memory.dmp

Filesize
3.3MB

Download
memory/3000-137-0x00007FF6E6CE0000-0x00007FF6E7031000-memory.dmp

Filesize
3.3MB

Download
memory/3000-259-0x00007FF6E6CE0000-0x00007FF6E7031000-memory.dmp

Filesize
3.3MB

Download
memory/3128-51-0x00007FF7B2840000-0x00007FF7B2B91000-memory.dmp

Filesize
3.3MB

Download
memory/3128-226-0x00007FF7B2840000-0x00007FF7B2B91000-memory.dmp

Filesize
3.3MB

Download
memory/3128-132-0x00007FF7B2840000-0x00007FF7B2B91000-memory.dmp

Filesize
3.3MB

Download
memory/3184-1-0x0000014B56C60000-0x0000014B56C70000-memory.dmp

Filesize
64KB

Download
memory/3184-154-0x00007FF7AF210000-0x00007FF7AF561000-memory.dmp

Filesize
3.3MB

Download
memory/3184-52-0x00007FF7AF210000-0x00007FF7AF561000-memory.dmp

Filesize
3.3MB

Download
memory/3184-124-0x00007FF7AF210000-0x00007FF7AF561000-memory.dmp

Filesize
3.3MB

Download
memory/3184-0-0x00007FF7AF210000-0x00007FF7AF561000-memory.dmp

Filesize
3.3MB

Download
memory/3532-239-0x00007FF6A1410000-0x00007FF6A1761000-memory.dmp

Filesize
3.3MB

Download
memory/3532-69-0x00007FF6A1410000-0x00007FF6A1761000-memory.dmp

Filesize
3.3MB

Download
memory/3532-143-0x00007FF6A1410000-0x00007FF6A1761000-memory.dmp

Filesize
3.3MB

Download
memory/3600-261-0x00007FF677F50000-0x00007FF6782A1000-memory.dmp

Filesize
3.3MB

Download
memory/3600-140-0x00007FF677F50000-0x00007FF6782A1000-memory.dmp

Filesize
3.3MB

Download
memory/3784-225-0x00007FF66A020000-0x00007FF66A371000-memory.dmp

Filesize
3.3MB

Download
memory/3784-53-0x00007FF66A020000-0x00007FF66A371000-memory.dmp

Filesize
3.3MB

Download
memory/3784-133-0x00007FF66A020000-0x00007FF66A371000-memory.dmp

Filesize
3.3MB

Download
memory/3812-43-0x00007FF655DB0000-0x00007FF656101000-memory.dmp

Filesize
3.3MB

Download
memory/3812-131-0x00007FF655DB0000-0x00007FF656101000-memory.dmp

Filesize
3.3MB

Download
memory/3812-222-0x00007FF655DB0000-0x00007FF656101000-memory.dmp

Filesize
3.3MB

Download
memory/4120-142-0x00007FF619A40000-0x00007FF619D91000-memory.dmp

Filesize
3.3MB

Download
memory/4120-254-0x00007FF619A40000-0x00007FF619D91000-memory.dmp

Filesize
3.3MB

Download
memory/4704-139-0x00007FF6E3BD0000-0x00007FF6E3F21000-memory.dmp

Filesize
3.3MB

Download
memory/4704-257-0x00007FF6E3BD0000-0x00007FF6E3F21000-memory.dmp

Filesize
3.3MB

Download
memory/4772-24-0x00007FF723140000-0x00007FF723491000-memory.dmp

Filesize
3.3MB

Download
memory/4772-215-0x00007FF723140000-0x00007FF723491000-memory.dmp

Filesize
3.3MB

Download
memory/4772-128-0x00007FF723140000-0x00007FF723491000-memory.dmp

Filesize
3.3MB

Download
memory/4904-141-0x00007FF7D7CB0000-0x00007FF7D8001000-memory.dmp

Filesize
3.3MB

Download
memory/4904-243-0x00007FF7D7CB0000-0x00007FF7D8001000-memory.dmp

Filesize
3.3MB

Download
memory/4992-138-0x00007FF691B30000-0x00007FF691E81000-memory.dmp

Filesize
3.3MB

Download
memory/4992-255-0x00007FF691B30000-0x00007FF691E81000-memory.dmp

Filesize
3.3MB

Download
memory/4996-134-0x00007FF798540000-0x00007FF798891000-memory.dmp

Filesize
3.3MB

Download
memory/4996-237-0x00007FF798540000-0x00007FF798891000-memory.dmp

Filesize
3.3MB

Download
memory/4996-63-0x00007FF798540000-0x00007FF798891000-memory.dmp

Filesize
3.3MB

Download
memory/5020-136-0x00007FF76BF00000-0x00007FF76C251000-memory.dmp

Filesize
3.3MB

Download
memory/5020-250-0x00007FF76BF00000-0x00007FF76C251000-memory.dmp

Filesize
3.3MB

Download