cobaltstrike | 626fc6ffd0789756375b7c924a05b30745a1bedb55fa9974e8be838c0647a81d

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15/11/2024, 02:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-15_43a2c86e693f46dae0cd570ec5c0584d_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

43a2c86e693f46dae0cd570ec5c0584d
SHA1

ff50d4e864646f5d14241b59359f12c75067d5f3
SHA256

626fc6ffd0789756375b7c924a05b30745a1bedb55fa9974e8be838c0647a81d
SHA512

76624c7572838b564852c25d5a3d4ee973fd3d12f144730e45e93cc4b302d6c1881099aeba73555322663188cb770be726d090dfb745f0ceecaf4fab40cdef04
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lX:RWWBibf56utgpPFotBER/mQ32lU7

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000d000000023b6e-4.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7b-8.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7a-10.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7c-23.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7e-29.dat	cobalt_reflective_dll
behavioral2/files/0x000d000000023b6f-34.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7f-41.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b80-47.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b81-53.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b83-61.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b82-64.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b85-76.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b86-81.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b89-95.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8a-103.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8c-112.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8d-115.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8b-109.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b88-93.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b87-86.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b84-71.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/3052-54-0x00007FF7C2E30000-0x00007FF7C3181000-memory.dmp	xmrig
behavioral2/memory/3052-118-0x00007FF7C2E30000-0x00007FF7C3181000-memory.dmp	xmrig
behavioral2/memory/3628-123-0x00007FF759F30000-0x00007FF75A281000-memory.dmp	xmrig
behavioral2/memory/2544-125-0x00007FF742110000-0x00007FF742461000-memory.dmp	xmrig
behavioral2/memory/2920-127-0x00007FF71B100000-0x00007FF71B451000-memory.dmp	xmrig
behavioral2/memory/4152-129-0x00007FF688770000-0x00007FF688AC1000-memory.dmp	xmrig
behavioral2/memory/5012-131-0x00007FF6096F0000-0x00007FF609A41000-memory.dmp	xmrig
behavioral2/memory/1296-132-0x00007FF613820000-0x00007FF613B71000-memory.dmp	xmrig
behavioral2/memory/1880-130-0x00007FF6914E0000-0x00007FF691831000-memory.dmp	xmrig
behavioral2/memory/2320-128-0x00007FF6DE8B0000-0x00007FF6DEC01000-memory.dmp	xmrig
behavioral2/memory/1948-126-0x00007FF68B6F0000-0x00007FF68BA41000-memory.dmp	xmrig
behavioral2/memory/1220-124-0x00007FF744AF0000-0x00007FF744E41000-memory.dmp	xmrig
behavioral2/memory/3468-121-0x00007FF7CFF00000-0x00007FF7D0251000-memory.dmp	xmrig
behavioral2/memory/3668-120-0x00007FF61C110000-0x00007FF61C461000-memory.dmp	xmrig
behavioral2/memory/1608-122-0x00007FF61ABB0000-0x00007FF61AF01000-memory.dmp	xmrig
behavioral2/memory/3180-119-0x00007FF66D720000-0x00007FF66DA71000-memory.dmp	xmrig
behavioral2/memory/1200-133-0x00007FF7C1400000-0x00007FF7C1751000-memory.dmp	xmrig
behavioral2/memory/2468-135-0x00007FF7FB0B0000-0x00007FF7FB401000-memory.dmp	xmrig
behavioral2/memory/4992-143-0x00007FF63A610000-0x00007FF63A961000-memory.dmp	xmrig
behavioral2/memory/2724-144-0x00007FF726490000-0x00007FF7267E1000-memory.dmp	xmrig
behavioral2/memory/4828-141-0x00007FF753120000-0x00007FF753471000-memory.dmp	xmrig
behavioral2/memory/3292-134-0x00007FF7B60F0000-0x00007FF7B6441000-memory.dmp	xmrig
behavioral2/memory/2964-142-0x00007FF7A7930000-0x00007FF7A7C81000-memory.dmp	xmrig
behavioral2/memory/3052-145-0x00007FF7C2E30000-0x00007FF7C3181000-memory.dmp	xmrig
behavioral2/memory/3180-196-0x00007FF66D720000-0x00007FF66DA71000-memory.dmp	xmrig
behavioral2/memory/3668-198-0x00007FF61C110000-0x00007FF61C461000-memory.dmp	xmrig
behavioral2/memory/3468-200-0x00007FF7CFF00000-0x00007FF7D0251000-memory.dmp	xmrig
behavioral2/memory/1608-202-0x00007FF61ABB0000-0x00007FF61AF01000-memory.dmp	xmrig
behavioral2/memory/3628-206-0x00007FF759F30000-0x00007FF75A281000-memory.dmp	xmrig
behavioral2/memory/1220-208-0x00007FF744AF0000-0x00007FF744E41000-memory.dmp	xmrig
behavioral2/memory/2544-221-0x00007FF742110000-0x00007FF742461000-memory.dmp	xmrig
behavioral2/memory/2920-223-0x00007FF71B100000-0x00007FF71B451000-memory.dmp	xmrig
behavioral2/memory/1880-225-0x00007FF6914E0000-0x00007FF691831000-memory.dmp	xmrig
behavioral2/memory/1200-227-0x00007FF7C1400000-0x00007FF7C1751000-memory.dmp	xmrig
behavioral2/memory/2468-231-0x00007FF7FB0B0000-0x00007FF7FB401000-memory.dmp	xmrig
behavioral2/memory/3292-230-0x00007FF7B60F0000-0x00007FF7B6441000-memory.dmp	xmrig
behavioral2/memory/2320-234-0x00007FF6DE8B0000-0x00007FF6DEC01000-memory.dmp	xmrig
behavioral2/memory/1948-235-0x00007FF68B6F0000-0x00007FF68BA41000-memory.dmp	xmrig
behavioral2/memory/4152-237-0x00007FF688770000-0x00007FF688AC1000-memory.dmp	xmrig
behavioral2/memory/1296-244-0x00007FF613820000-0x00007FF613B71000-memory.dmp	xmrig
behavioral2/memory/4992-248-0x00007FF63A610000-0x00007FF63A961000-memory.dmp	xmrig
behavioral2/memory/5012-252-0x00007FF6096F0000-0x00007FF609A41000-memory.dmp	xmrig
behavioral2/memory/4828-250-0x00007FF753120000-0x00007FF753471000-memory.dmp	xmrig
behavioral2/memory/2964-246-0x00007FF7A7930000-0x00007FF7A7C81000-memory.dmp	xmrig
behavioral2/memory/2724-243-0x00007FF726490000-0x00007FF7267E1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
3180	wspRUbV.exe
3668	tUWKQgW.exe
3468	skRZjxt.exe
1608	GopkNnO.exe
3628	CsKauMr.exe
1220	rocuQiz.exe
2544	lzWiOyy.exe
2920	GvanjlN.exe
1880	EGKcjuc.exe
1200	GyUwnyb.exe
3292	ZBtfint.exe
2468	twcSvQc.exe
1948	YiXFdMn.exe
2320	dzSGOjl.exe
4152	llidZAP.exe
5012	cgPrVPa.exe
1296	luLSlxh.exe
4828	CVCJxzZ.exe
2964	aEXXpsq.exe
4992	tvCGruw.exe
2724	BggJeqH.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3052-0-0x00007FF7C2E30000-0x00007FF7C3181000-memory.dmp	upx
behavioral2/files/0x000d000000023b6e-4.dat	upx
behavioral2/files/0x000a000000023b7b-8.dat	upx
behavioral2/files/0x000a000000023b7a-10.dat	upx
behavioral2/memory/3468-18-0x00007FF7CFF00000-0x00007FF7D0251000-memory.dmp	upx
behavioral2/memory/3668-15-0x00007FF61C110000-0x00007FF61C461000-memory.dmp	upx
behavioral2/memory/3180-9-0x00007FF66D720000-0x00007FF66DA71000-memory.dmp	upx
behavioral2/files/0x000a000000023b7c-23.dat	upx
behavioral2/memory/1608-24-0x00007FF61ABB0000-0x00007FF61AF01000-memory.dmp	upx
behavioral2/files/0x000a000000023b7e-29.dat	upx
behavioral2/memory/3628-31-0x00007FF759F30000-0x00007FF75A281000-memory.dmp	upx
behavioral2/files/0x000d000000023b6f-34.dat	upx
behavioral2/memory/1220-37-0x00007FF744AF0000-0x00007FF744E41000-memory.dmp	upx
behavioral2/files/0x000a000000023b7f-41.dat	upx
behavioral2/memory/2544-42-0x00007FF742110000-0x00007FF742461000-memory.dmp	upx
behavioral2/files/0x000a000000023b80-47.dat	upx
behavioral2/files/0x000a000000023b81-53.dat	upx
behavioral2/memory/2920-52-0x00007FF71B100000-0x00007FF71B451000-memory.dmp	upx
behavioral2/memory/3052-54-0x00007FF7C2E30000-0x00007FF7C3181000-memory.dmp	upx
behavioral2/files/0x000a000000023b83-61.dat	upx
behavioral2/files/0x000a000000023b82-64.dat	upx
behavioral2/files/0x000a000000023b85-76.dat	upx
behavioral2/files/0x000a000000023b86-81.dat	upx
behavioral2/files/0x000a000000023b89-95.dat	upx
behavioral2/files/0x000a000000023b8a-103.dat	upx
behavioral2/files/0x000a000000023b8c-112.dat	upx
behavioral2/files/0x000a000000023b8d-115.dat	upx
behavioral2/files/0x000a000000023b8b-109.dat	upx
behavioral2/files/0x000a000000023b88-93.dat	upx
behavioral2/files/0x000a000000023b87-86.dat	upx
behavioral2/files/0x000a000000023b84-71.dat	upx
behavioral2/memory/1880-58-0x00007FF6914E0000-0x00007FF691831000-memory.dmp	upx
behavioral2/memory/3292-117-0x00007FF7B60F0000-0x00007FF7B6441000-memory.dmp	upx
behavioral2/memory/3052-118-0x00007FF7C2E30000-0x00007FF7C3181000-memory.dmp	upx
behavioral2/memory/3628-123-0x00007FF759F30000-0x00007FF75A281000-memory.dmp	upx
behavioral2/memory/2544-125-0x00007FF742110000-0x00007FF742461000-memory.dmp	upx
behavioral2/memory/2920-127-0x00007FF71B100000-0x00007FF71B451000-memory.dmp	upx
behavioral2/memory/4152-129-0x00007FF688770000-0x00007FF688AC1000-memory.dmp	upx
behavioral2/memory/5012-131-0x00007FF6096F0000-0x00007FF609A41000-memory.dmp	upx
behavioral2/memory/1296-132-0x00007FF613820000-0x00007FF613B71000-memory.dmp	upx
behavioral2/memory/1880-130-0x00007FF6914E0000-0x00007FF691831000-memory.dmp	upx
behavioral2/memory/2320-128-0x00007FF6DE8B0000-0x00007FF6DEC01000-memory.dmp	upx
behavioral2/memory/1948-126-0x00007FF68B6F0000-0x00007FF68BA41000-memory.dmp	upx
behavioral2/memory/1220-124-0x00007FF744AF0000-0x00007FF744E41000-memory.dmp	upx
behavioral2/memory/3468-121-0x00007FF7CFF00000-0x00007FF7D0251000-memory.dmp	upx
behavioral2/memory/3668-120-0x00007FF61C110000-0x00007FF61C461000-memory.dmp	upx
behavioral2/memory/1608-122-0x00007FF61ABB0000-0x00007FF61AF01000-memory.dmp	upx
behavioral2/memory/3180-119-0x00007FF66D720000-0x00007FF66DA71000-memory.dmp	upx
behavioral2/memory/1200-133-0x00007FF7C1400000-0x00007FF7C1751000-memory.dmp	upx
behavioral2/memory/2468-135-0x00007FF7FB0B0000-0x00007FF7FB401000-memory.dmp	upx
behavioral2/memory/4992-143-0x00007FF63A610000-0x00007FF63A961000-memory.dmp	upx
behavioral2/memory/2724-144-0x00007FF726490000-0x00007FF7267E1000-memory.dmp	upx
behavioral2/memory/4828-141-0x00007FF753120000-0x00007FF753471000-memory.dmp	upx
behavioral2/memory/3292-134-0x00007FF7B60F0000-0x00007FF7B6441000-memory.dmp	upx
behavioral2/memory/2964-142-0x00007FF7A7930000-0x00007FF7A7C81000-memory.dmp	upx
behavioral2/memory/3052-145-0x00007FF7C2E30000-0x00007FF7C3181000-memory.dmp	upx
behavioral2/memory/3180-196-0x00007FF66D720000-0x00007FF66DA71000-memory.dmp	upx
behavioral2/memory/3668-198-0x00007FF61C110000-0x00007FF61C461000-memory.dmp	upx
behavioral2/memory/3468-200-0x00007FF7CFF00000-0x00007FF7D0251000-memory.dmp	upx
behavioral2/memory/1608-202-0x00007FF61ABB0000-0x00007FF61AF01000-memory.dmp	upx
behavioral2/memory/3628-206-0x00007FF759F30000-0x00007FF75A281000-memory.dmp	upx
behavioral2/memory/1220-208-0x00007FF744AF0000-0x00007FF744E41000-memory.dmp	upx
behavioral2/memory/2544-221-0x00007FF742110000-0x00007FF742461000-memory.dmp	upx
behavioral2/memory/2920-223-0x00007FF71B100000-0x00007FF71B451000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\rocuQiz.exe	2024-11-15_43a2c86e693f46dae0cd570ec5c0584d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\llidZAP.exe	2024-11-15_43a2c86e693f46dae0cd570ec5c0584d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cgPrVPa.exe	2024-11-15_43a2c86e693f46dae0cd570ec5c0584d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\luLSlxh.exe	2024-11-15_43a2c86e693f46dae0cd570ec5c0584d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CVCJxzZ.exe	2024-11-15_43a2c86e693f46dae0cd570ec5c0584d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tvCGruw.exe	2024-11-15_43a2c86e693f46dae0cd570ec5c0584d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BggJeqH.exe	2024-11-15_43a2c86e693f46dae0cd570ec5c0584d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tUWKQgW.exe	2024-11-15_43a2c86e693f46dae0cd570ec5c0584d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\skRZjxt.exe	2024-11-15_43a2c86e693f46dae0cd570ec5c0584d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CsKauMr.exe	2024-11-15_43a2c86e693f46dae0cd570ec5c0584d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GyUwnyb.exe	2024-11-15_43a2c86e693f46dae0cd570ec5c0584d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dzSGOjl.exe	2024-11-15_43a2c86e693f46dae0cd570ec5c0584d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aEXXpsq.exe	2024-11-15_43a2c86e693f46dae0cd570ec5c0584d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wspRUbV.exe	2024-11-15_43a2c86e693f46dae0cd570ec5c0584d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\twcSvQc.exe	2024-11-15_43a2c86e693f46dae0cd570ec5c0584d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZBtfint.exe	2024-11-15_43a2c86e693f46dae0cd570ec5c0584d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lzWiOyy.exe	2024-11-15_43a2c86e693f46dae0cd570ec5c0584d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GvanjlN.exe	2024-11-15_43a2c86e693f46dae0cd570ec5c0584d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EGKcjuc.exe	2024-11-15_43a2c86e693f46dae0cd570ec5c0584d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YiXFdMn.exe	2024-11-15_43a2c86e693f46dae0cd570ec5c0584d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GopkNnO.exe	2024-11-15_43a2c86e693f46dae0cd570ec5c0584d_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3052	2024-11-15_43a2c86e693f46dae0cd570ec5c0584d_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	3052	2024-11-15_43a2c86e693f46dae0cd570ec5c0584d_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3052 wrote to memory of 3180	3052	2024-11-15_43a2c86e693f46dae0cd570ec5c0584d_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3052 wrote to memory of 3180	3052	2024-11-15_43a2c86e693f46dae0cd570ec5c0584d_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3052 wrote to memory of 3668	3052	2024-11-15_43a2c86e693f46dae0cd570ec5c0584d_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3052 wrote to memory of 3668	3052	2024-11-15_43a2c86e693f46dae0cd570ec5c0584d_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3052 wrote to memory of 3468	3052	2024-11-15_43a2c86e693f46dae0cd570ec5c0584d_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3052 wrote to memory of 3468	3052	2024-11-15_43a2c86e693f46dae0cd570ec5c0584d_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3052 wrote to memory of 1608	3052	2024-11-15_43a2c86e693f46dae0cd570ec5c0584d_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3052 wrote to memory of 1608	3052	2024-11-15_43a2c86e693f46dae0cd570ec5c0584d_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3052 wrote to memory of 3628	3052	2024-11-15_43a2c86e693f46dae0cd570ec5c0584d_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3052 wrote to memory of 3628	3052	2024-11-15_43a2c86e693f46dae0cd570ec5c0584d_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3052 wrote to memory of 1220	3052	2024-11-15_43a2c86e693f46dae0cd570ec5c0584d_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3052 wrote to memory of 1220	3052	2024-11-15_43a2c86e693f46dae0cd570ec5c0584d_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3052 wrote to memory of 2544	3052	2024-11-15_43a2c86e693f46dae0cd570ec5c0584d_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3052 wrote to memory of 2544	3052	2024-11-15_43a2c86e693f46dae0cd570ec5c0584d_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3052 wrote to memory of 2920	3052	2024-11-15_43a2c86e693f46dae0cd570ec5c0584d_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3052 wrote to memory of 2920	3052	2024-11-15_43a2c86e693f46dae0cd570ec5c0584d_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3052 wrote to memory of 1880	3052	2024-11-15_43a2c86e693f46dae0cd570ec5c0584d_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3052 wrote to memory of 1880	3052	2024-11-15_43a2c86e693f46dae0cd570ec5c0584d_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3052 wrote to memory of 1200	3052	2024-11-15_43a2c86e693f46dae0cd570ec5c0584d_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3052 wrote to memory of 1200	3052	2024-11-15_43a2c86e693f46dae0cd570ec5c0584d_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3052 wrote to memory of 3292	3052	2024-11-15_43a2c86e693f46dae0cd570ec5c0584d_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3052 wrote to memory of 3292	3052	2024-11-15_43a2c86e693f46dae0cd570ec5c0584d_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3052 wrote to memory of 2468	3052	2024-11-15_43a2c86e693f46dae0cd570ec5c0584d_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3052 wrote to memory of 2468	3052	2024-11-15_43a2c86e693f46dae0cd570ec5c0584d_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3052 wrote to memory of 1948	3052	2024-11-15_43a2c86e693f46dae0cd570ec5c0584d_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3052 wrote to memory of 1948	3052	2024-11-15_43a2c86e693f46dae0cd570ec5c0584d_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3052 wrote to memory of 2320	3052	2024-11-15_43a2c86e693f46dae0cd570ec5c0584d_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3052 wrote to memory of 2320	3052	2024-11-15_43a2c86e693f46dae0cd570ec5c0584d_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3052 wrote to memory of 4152	3052	2024-11-15_43a2c86e693f46dae0cd570ec5c0584d_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3052 wrote to memory of 4152	3052	2024-11-15_43a2c86e693f46dae0cd570ec5c0584d_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3052 wrote to memory of 5012	3052	2024-11-15_43a2c86e693f46dae0cd570ec5c0584d_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3052 wrote to memory of 5012	3052	2024-11-15_43a2c86e693f46dae0cd570ec5c0584d_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3052 wrote to memory of 1296	3052	2024-11-15_43a2c86e693f46dae0cd570ec5c0584d_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 3052 wrote to memory of 1296	3052	2024-11-15_43a2c86e693f46dae0cd570ec5c0584d_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 3052 wrote to memory of 4828	3052	2024-11-15_43a2c86e693f46dae0cd570ec5c0584d_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 3052 wrote to memory of 4828	3052	2024-11-15_43a2c86e693f46dae0cd570ec5c0584d_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 3052 wrote to memory of 2964	3052	2024-11-15_43a2c86e693f46dae0cd570ec5c0584d_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 3052 wrote to memory of 2964	3052	2024-11-15_43a2c86e693f46dae0cd570ec5c0584d_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 3052 wrote to memory of 4992	3052	2024-11-15_43a2c86e693f46dae0cd570ec5c0584d_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 3052 wrote to memory of 4992	3052	2024-11-15_43a2c86e693f46dae0cd570ec5c0584d_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 3052 wrote to memory of 2724	3052	2024-11-15_43a2c86e693f46dae0cd570ec5c0584d_cobalt-strike_cobaltstrike_poet-rat.exe	108
PID 3052 wrote to memory of 2724	3052	2024-11-15_43a2c86e693f46dae0cd570ec5c0584d_cobalt-strike_cobaltstrike_poet-rat.exe	108

C:\Users\Admin\AppData\Local\Temp\2024-11-15_43a2c86e693f46dae0cd570ec5c0584d_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-15_43a2c86e693f46dae0cd570ec5c0584d_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3052
- C:\Windows\System\wspRUbV.exe
  C:\Windows\System\wspRUbV.exe
  2⤵
  - Executes dropped EXE
  PID:3180
- C:\Windows\System\tUWKQgW.exe
  C:\Windows\System\tUWKQgW.exe
  2⤵
  - Executes dropped EXE
  PID:3668
- C:\Windows\System\skRZjxt.exe
  C:\Windows\System\skRZjxt.exe
  2⤵
  - Executes dropped EXE
  PID:3468
- C:\Windows\System\GopkNnO.exe
  C:\Windows\System\GopkNnO.exe
  2⤵
  - Executes dropped EXE
  PID:1608
- C:\Windows\System\CsKauMr.exe
  C:\Windows\System\CsKauMr.exe
  2⤵
  - Executes dropped EXE
  PID:3628
- C:\Windows\System\rocuQiz.exe
  C:\Windows\System\rocuQiz.exe
  2⤵
  - Executes dropped EXE
  PID:1220
- C:\Windows\System\lzWiOyy.exe
  C:\Windows\System\lzWiOyy.exe
  2⤵
  - Executes dropped EXE
  PID:2544
- C:\Windows\System\GvanjlN.exe
  C:\Windows\System\GvanjlN.exe
  2⤵
  - Executes dropped EXE
  PID:2920
- C:\Windows\System\EGKcjuc.exe
  C:\Windows\System\EGKcjuc.exe
  2⤵
  - Executes dropped EXE
  PID:1880
- C:\Windows\System\GyUwnyb.exe
  C:\Windows\System\GyUwnyb.exe
  2⤵
  - Executes dropped EXE
  PID:1200
- C:\Windows\System\ZBtfint.exe
  C:\Windows\System\ZBtfint.exe
  2⤵
  - Executes dropped EXE
  PID:3292
- C:\Windows\System\twcSvQc.exe
  C:\Windows\System\twcSvQc.exe
  2⤵
  - Executes dropped EXE
  PID:2468
- C:\Windows\System\YiXFdMn.exe
  C:\Windows\System\YiXFdMn.exe
  2⤵
  - Executes dropped EXE
  PID:1948
- C:\Windows\System\dzSGOjl.exe
  C:\Windows\System\dzSGOjl.exe
  2⤵
  - Executes dropped EXE
  PID:2320
- C:\Windows\System\llidZAP.exe
  C:\Windows\System\llidZAP.exe
  2⤵
  - Executes dropped EXE
  PID:4152
- C:\Windows\System\cgPrVPa.exe
  C:\Windows\System\cgPrVPa.exe
  2⤵
  - Executes dropped EXE
  PID:5012
- C:\Windows\System\luLSlxh.exe
  C:\Windows\System\luLSlxh.exe
  2⤵
  - Executes dropped EXE
  PID:1296
- C:\Windows\System\CVCJxzZ.exe
  C:\Windows\System\CVCJxzZ.exe
  2⤵
  - Executes dropped EXE
  PID:4828
- C:\Windows\System\aEXXpsq.exe
  C:\Windows\System\aEXXpsq.exe
  2⤵
  - Executes dropped EXE
  PID:2964
- C:\Windows\System\tvCGruw.exe
  C:\Windows\System\tvCGruw.exe
  2⤵
  - Executes dropped EXE
  PID:4992
- C:\Windows\System\BggJeqH.exe
  C:\Windows\System\BggJeqH.exe
  2⤵
  - Executes dropped EXE
  PID:2724

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BggJeqH.exe

Filesize
5.2MB

MD5
91c4be4d40390ea686881419e8c229e3

SHA1
1098fd07049c5ed54875168b2d3ee4c5e51bbfc0

SHA256
79a3eecba1fb1d2d3e89bfa561ff95db68051956171a00ea7d640e361dc416fe

SHA512
0d3c2888afb473abe6bdbeb45c97aa2ce320fa81c6eb3c9158b17b378f1f52da02fbed6035d03c00359f0da1dfd2a6cd22b2a7a79fd8eef2b7c23e2bf916f741

Download Submit
C:\Windows\System\CVCJxzZ.exe

Filesize
5.2MB

MD5
e76ff064a1edfee6b0d9dca01622fcb1

SHA1
267e5d8d2e999ea2261ea71e1001d9542cab35c8

SHA256
dad85d03b67db9895c0b8a8ed01dbe8b7ffaac83888b84f95a517bef048f4884

SHA512
c11fbb17ee983f06dc62ad58944b19a437f3514cf8a4f9629416552552b2c17d45efb1ba641160ddd6a1467b1c765e0c4268fdfd92febacb3cd1b55318169342

Download Submit
C:\Windows\System\CsKauMr.exe

Filesize
5.2MB

MD5
e3878cc8e7a88b7c01647a22bd89c890

SHA1
2d9b774ddfe84ea51963b4ee78377cc391ff4e98

SHA256
e5ba97ca261ee19254915ccea18e89bb49d79bfba368668f25275a742e34d493

SHA512
e549241873cb04f122759a07429c16b65c50a9084157ed0bd25951ddb7be14c2b0597130e17251d12eea1261140f32a76cddbbaa79576a3434291019565e483e

Download Submit
C:\Windows\System\EGKcjuc.exe

Filesize
5.2MB

MD5
2f575e7b24c313766b0b429173162385

SHA1
05230f38c12c27cca3c50ffcb8d5974b2cc1d594

SHA256
b244d6db34280553c50a4e1bc70efe144226c07bbdef1d9fe1339425ba481c46

SHA512
485c02e0942a141c2c9a9d1d81d53a5e96fea52c2bd1afeaf52a2dbe601c949b69a109fa46bd1ab6f58bcf51ac6255f101f4b5ca10328a416ac3e2f4fabc105d

Download Submit
C:\Windows\System\GopkNnO.exe

Filesize
5.2MB

MD5
3b57960dc95ec7288ed66bbb929d7045

SHA1
80b0813822d2ae2ce520acc75d248dbd58a16e51

SHA256
ee8fdddc873061f360be65eedca6c03f1aca4db6a7876592325489bc85dca0ab

SHA512
6a42dbdbe79e5b2345fab2bc43b9c78b2aa18f0914faad2c4be4ecca30cd78796d396c19b7bc72ab98c607ca43a408874a91b42dd542845096ba43207f517523

Download Submit
C:\Windows\System\GvanjlN.exe

Filesize
5.2MB

MD5
7cd91208b52192d5a4073f9f8cc4126f

SHA1
20699ffb110408e6684ae300f6975db4e5d608a0

SHA256
b125c43c505290ca4eaaa24cae9f70081bcf5701789afc7e581fbfa29286edb5

SHA512
e8c4700794368568c0ba6558752e5b59e43d4b91e9ed5635c462b24dba0a9d50b7e93f0db6f07fcedaad90b2abfb3e39426c0657dd41b34a3d8320fb20382e13

Download Submit
C:\Windows\System\GyUwnyb.exe

Filesize
5.2MB

MD5
a7c766482119cbeba82b263bca30dc98

SHA1
39522e1d0e1578c21c48c765f2f57e551d021f31

SHA256
00fafbfb6614fd3e066149e8d1404953a77b6d9de548d7e131875f9e2a8cbac1

SHA512
892a50a53caf96afc4871a787b3b7215f22bc1dd87655f6c8a228788730cb181831cead27373f39969d1d9350b50777546548557ed5dd73a955e2af71125d832

Download Submit
C:\Windows\System\YiXFdMn.exe

Filesize
5.2MB

MD5
28c78a304cf828382d46d7456c91beda

SHA1
11ad7b475c5b913be071130a6daa92bbc9562577

SHA256
420254c9c8a8b08ff9381711fcd074d1beb30461d3ff9fc693f48ddf56740760

SHA512
a206f518543551877d6281cd0ebbebf161b4145e6bc9ccd86fadacf3d76100d63be5443a6c802f5c98f47944743bce94a98b129babecde92657a4ba860bf6730

Download Submit
C:\Windows\System\ZBtfint.exe

Filesize
5.2MB

MD5
fc551621e19f1250792fcfc714216b94

SHA1
4d6e6209abbced02566a702accbc3c2509d11d3b

SHA256
7d446f34ab9bbd40a0b4c1eb5483d6bca718836b5c06f42207da5aa7ff7f5742

SHA512
fa4f75aad55a7ea9835bf112a871d7d13510d329838628899ae526ffcce15d30a756c85a8fdfaca2c40e0374d47ae5e1230005b59bc10f485fba692b9d280d76

Download Submit
C:\Windows\System\aEXXpsq.exe

Filesize
5.2MB

MD5
5c7ec121dfcc0a63df12ee0c9f524e48

SHA1
0d863f87758b8894337d2231dfe3043411d8b359

SHA256
abda7bc6b3b5672bc74893dec76880a2f124d0fa292f35ac860869002ad5a24a

SHA512
4fd74ba17de3e7b48f46ffa163aa4e424dc3ffe9a019a9090cb7aa6cd28d94a71f51045e52e9c9acf69201978f0e318117901a2d6b55a34a19715f7bdd3fdb18

Download Submit
C:\Windows\System\cgPrVPa.exe

Filesize
5.2MB

MD5
501a5f8a5a7cec21cd1ffd969d43d386

SHA1
e549b1d543b6fe1b7d5dc7b8ff0aad82489d61c4

SHA256
8e8ae355e2126705e4cf4f0b0e936679e9c2e3aa713b2e7f25126f22a3608162

SHA512
09a2199327c42bb7f19e5fe509bd777de11f515db2f4d7ca6312d2bcae5084de8ec618b3e504800ce2d12e03c32fd9d72238fd9312d4d354cdcaaa0cbde8f18e

Download Submit
C:\Windows\System\dzSGOjl.exe

Filesize
5.2MB

MD5
b495edc46fe47227f203866e2ab26ebb

SHA1
b39f01427399f2a5892f447feb2b0c3492a1c7d4

SHA256
eec935eca8c281e884bf84f75fec38014de707efb97e7ffd5206eb077c1582d3

SHA512
87892d115dba527e119679494aa089ca1c2b3e39b601a31e74f430be8e8369b2a22f31c035eaa1bf320a96b94ba7ae1254c595d4dc1fdc47ceab9ef97f799b53

Download Submit
C:\Windows\System\llidZAP.exe

Filesize
5.2MB

MD5
484f2297d7dba02776cf3206bf58a495

SHA1
415143eedcf89370d0a0fa6ba2774287d2d957cc

SHA256
d306528b6c423bab7fd9e04972de43e17c8e798c92c13b53fd4486c8fdb5ec1f

SHA512
3c217b864985d454a37c1fbd3a17cb7e855d399126decddc50db4eb2675c1378e6deb60126bdac46f9408f2e8ed1a2f7d61aaec9f097c67ef65b5d00c7d12f9f

Download Submit
C:\Windows\System\luLSlxh.exe

Filesize
5.2MB

MD5
2b8ebaa848e91373d5b5eea3810fda38

SHA1
bb73c92bb03dee034dc3001bb4b8457004763acc

SHA256
82d7a00a3a74d05e077d7a86b80b0aeb9a84bd929ea72492d53b6a371ed98203

SHA512
e83da83b47b3406dec48a81f6f1929263994811d0ca7b3369789ce037569f410443b50ffb8627a9a27b600c93b7ae321cf3e8a4b0f03ffda7734a7b35e723c9c

Download Submit
C:\Windows\System\lzWiOyy.exe

Filesize
5.2MB

MD5
454d27491c005f13de9c4e48cdfcc633

SHA1
f0fe1882aeb51d213f1e0711cc0a6f3e912fe91b

SHA256
03089191bbc07452a499b127e9cf6cbf56488dc797c894fc94c028664c138abe

SHA512
c39d792b6be86ec5e551a91217e2e1e7a3aea8e8dd8ee38b6f3ad3251dea56e8f2f6ab5ad734465b810853f63fd12ad5edab17485c87c87101b88c2f39ce6a4d

Download Submit
C:\Windows\System\rocuQiz.exe

Filesize
5.2MB

MD5
1ebd6f8b5d0c2ba6c22a534f1c8aac89

SHA1
3bd71d6984282ada3ce3358ef3103da6fdf259ab

SHA256
f60301ffce512a1f305431309d007092449c0e26307bc58dcaa324490316b888

SHA512
8350a9709ae2f12fcc001d93ae6ec099924948c53a3f0a1457d60f24f46decda37e57f0af8dc379a3b3ef33abc3957fff88704422bd46023019e79fe16fe0949

Download Submit
C:\Windows\System\skRZjxt.exe

Filesize
5.2MB

MD5
432e323158a3a50c5a8cbb3b0985dfd0

SHA1
90daac81cd8628a4e8027010b9465340b1ec78d7

SHA256
1475a2c8e45ebc81148f2e4338af6b8e2f378b5e4150175f2050ba65cdff866a

SHA512
8ab737a011074087b4f20f4070c45c3e1cfeb9a364ea49b25b1882824a365b75e091bd40767cf4c4e29d90bd098eab6bc7387a3e770dbdb759653fa6f4ffc071

Download Submit
C:\Windows\System\tUWKQgW.exe

Filesize
5.2MB

MD5
9125f48faaec374b8d9109036b6c9f9f

SHA1
eccfe7d33a79d0ae17ece9a644d542cfa7a5c3a0

SHA256
f6ba21ffefb127e9024d895450a8fc42f13c95608811813b037af9bbd301cbff

SHA512
a6de0d733b874afc181a9bdcd3757ade53d9f91ac9e31594d6ce82574250ea9b04b4d27842880f350897a7450a2616381c97f26e198c3d5330f8b22fc65130ee

Download Submit
C:\Windows\System\tvCGruw.exe

Filesize
5.2MB

MD5
a1ed0668a220292f8af3bb4e6c582c0a

SHA1
21a8d4db684b9fa3a1959e442d24f9e6823cfbf5

SHA256
a9e1fd511a4b47bc1790ab36060370e7e8adc9c38d44819d30fd923a2c11a6e3

SHA512
96b513773fbe042a7c638cef42e7cc7390c44f982332a9f4faf7cf7377bced106f0addaf5c72e6bf9f69823961a4496e75dfa79dcf0cda82de19a6067bbee885

Download Submit
C:\Windows\System\twcSvQc.exe

Filesize
5.2MB

MD5
420f58a66f320f9e002e2acdebbefe6a

SHA1
8be9acfdb76668ba93939e090a815dc774dbf7c6

SHA256
30b1c0585b289a591632446402375739d97b84d26edd5ab5d5d23faee403f3c7

SHA512
7197f0010be9455880a139f69a221ca4a67ebefce85724460643d53d8978185cc2d3dd21b1dd30d92eacafb8c4cebbd647d54d2e636c102135cf9fff800e6b56

Download Submit
C:\Windows\System\wspRUbV.exe

Filesize
5.2MB

MD5
8b786903b1e421a6c13ae9e1eda5e88b

SHA1
74776fbee0d179496d78180e8603aaa4afa0d8ee

SHA256
88b11186141d25fc6dee57ccd291d14370e507c36562524cff0776341a9c2d3e

SHA512
413683da43cea4b7a2351e0f53c7d6491a1d9eb4da87206ab4c67970f8fbbaf0b0d5e7fab4dfac20b3ee878ce1f7c481418444d1bb3a635eec25e468d0f336c3

Download Submit
memory/1200-227-0x00007FF7C1400000-0x00007FF7C1751000-memory.dmp

Filesize
3.3MB

Download
memory/1200-133-0x00007FF7C1400000-0x00007FF7C1751000-memory.dmp

Filesize
3.3MB

Download
memory/1220-37-0x00007FF744AF0000-0x00007FF744E41000-memory.dmp

Filesize
3.3MB

Download
memory/1220-124-0x00007FF744AF0000-0x00007FF744E41000-memory.dmp

Filesize
3.3MB

Download
memory/1220-208-0x00007FF744AF0000-0x00007FF744E41000-memory.dmp

Filesize
3.3MB

Download
memory/1296-132-0x00007FF613820000-0x00007FF613B71000-memory.dmp

Filesize
3.3MB

Download
memory/1296-244-0x00007FF613820000-0x00007FF613B71000-memory.dmp

Filesize
3.3MB

Download
memory/1608-24-0x00007FF61ABB0000-0x00007FF61AF01000-memory.dmp

Filesize
3.3MB

Download
memory/1608-122-0x00007FF61ABB0000-0x00007FF61AF01000-memory.dmp

Filesize
3.3MB

Download
memory/1608-202-0x00007FF61ABB0000-0x00007FF61AF01000-memory.dmp

Filesize
3.3MB

Download
memory/1880-225-0x00007FF6914E0000-0x00007FF691831000-memory.dmp

Filesize
3.3MB

Download
memory/1880-58-0x00007FF6914E0000-0x00007FF691831000-memory.dmp

Filesize
3.3MB

Download
memory/1880-130-0x00007FF6914E0000-0x00007FF691831000-memory.dmp

Filesize
3.3MB

Download
memory/1948-126-0x00007FF68B6F0000-0x00007FF68BA41000-memory.dmp

Filesize
3.3MB

Download
memory/1948-235-0x00007FF68B6F0000-0x00007FF68BA41000-memory.dmp

Filesize
3.3MB

Download
memory/2320-234-0x00007FF6DE8B0000-0x00007FF6DEC01000-memory.dmp

Filesize
3.3MB

Download
memory/2320-128-0x00007FF6DE8B0000-0x00007FF6DEC01000-memory.dmp

Filesize
3.3MB

Download
memory/2468-231-0x00007FF7FB0B0000-0x00007FF7FB401000-memory.dmp

Filesize
3.3MB

Download
memory/2468-135-0x00007FF7FB0B0000-0x00007FF7FB401000-memory.dmp

Filesize
3.3MB

Download
memory/2544-125-0x00007FF742110000-0x00007FF742461000-memory.dmp

Filesize
3.3MB

Download
memory/2544-42-0x00007FF742110000-0x00007FF742461000-memory.dmp

Filesize
3.3MB

Download
memory/2544-221-0x00007FF742110000-0x00007FF742461000-memory.dmp

Filesize
3.3MB

Download
memory/2724-243-0x00007FF726490000-0x00007FF7267E1000-memory.dmp

Filesize
3.3MB

Download
memory/2724-144-0x00007FF726490000-0x00007FF7267E1000-memory.dmp

Filesize
3.3MB

Download
memory/2920-127-0x00007FF71B100000-0x00007FF71B451000-memory.dmp

Filesize
3.3MB

Download
memory/2920-223-0x00007FF71B100000-0x00007FF71B451000-memory.dmp

Filesize
3.3MB

Download
memory/2920-52-0x00007FF71B100000-0x00007FF71B451000-memory.dmp

Filesize
3.3MB

Download
memory/2964-246-0x00007FF7A7930000-0x00007FF7A7C81000-memory.dmp

Filesize
3.3MB

Download
memory/2964-142-0x00007FF7A7930000-0x00007FF7A7C81000-memory.dmp

Filesize
3.3MB

Download
memory/3052-118-0x00007FF7C2E30000-0x00007FF7C3181000-memory.dmp

Filesize
3.3MB

Download
memory/3052-1-0x00000286D0720000-0x00000286D0730000-memory.dmp

Filesize
64KB

Download
memory/3052-54-0x00007FF7C2E30000-0x00007FF7C3181000-memory.dmp

Filesize
3.3MB

Download
memory/3052-0-0x00007FF7C2E30000-0x00007FF7C3181000-memory.dmp

Filesize
3.3MB

Download
memory/3052-145-0x00007FF7C2E30000-0x00007FF7C3181000-memory.dmp

Filesize
3.3MB

Download
memory/3180-196-0x00007FF66D720000-0x00007FF66DA71000-memory.dmp

Filesize
3.3MB

Download
memory/3180-9-0x00007FF66D720000-0x00007FF66DA71000-memory.dmp

Filesize
3.3MB

Download
memory/3180-119-0x00007FF66D720000-0x00007FF66DA71000-memory.dmp

Filesize
3.3MB

Download
memory/3292-134-0x00007FF7B60F0000-0x00007FF7B6441000-memory.dmp

Filesize
3.3MB

Download
memory/3292-230-0x00007FF7B60F0000-0x00007FF7B6441000-memory.dmp

Filesize
3.3MB

Download
memory/3292-117-0x00007FF7B60F0000-0x00007FF7B6441000-memory.dmp

Filesize
3.3MB

Download
memory/3468-200-0x00007FF7CFF00000-0x00007FF7D0251000-memory.dmp

Filesize
3.3MB

Download
memory/3468-18-0x00007FF7CFF00000-0x00007FF7D0251000-memory.dmp

Filesize
3.3MB

Download
memory/3468-121-0x00007FF7CFF00000-0x00007FF7D0251000-memory.dmp

Filesize
3.3MB

Download
memory/3628-206-0x00007FF759F30000-0x00007FF75A281000-memory.dmp

Filesize
3.3MB

Download
memory/3628-31-0x00007FF759F30000-0x00007FF75A281000-memory.dmp

Filesize
3.3MB

Download
memory/3628-123-0x00007FF759F30000-0x00007FF75A281000-memory.dmp

Filesize
3.3MB

Download
memory/3668-198-0x00007FF61C110000-0x00007FF61C461000-memory.dmp

Filesize
3.3MB

Download
memory/3668-15-0x00007FF61C110000-0x00007FF61C461000-memory.dmp

Filesize
3.3MB

Download
memory/3668-120-0x00007FF61C110000-0x00007FF61C461000-memory.dmp

Filesize
3.3MB

Download
memory/4152-129-0x00007FF688770000-0x00007FF688AC1000-memory.dmp

Filesize
3.3MB

Download
memory/4152-237-0x00007FF688770000-0x00007FF688AC1000-memory.dmp

Filesize
3.3MB

Download
memory/4828-250-0x00007FF753120000-0x00007FF753471000-memory.dmp

Filesize
3.3MB

Download
memory/4828-141-0x00007FF753120000-0x00007FF753471000-memory.dmp

Filesize
3.3MB

Download
memory/4992-248-0x00007FF63A610000-0x00007FF63A961000-memory.dmp

Filesize
3.3MB

Download
memory/4992-143-0x00007FF63A610000-0x00007FF63A961000-memory.dmp

Filesize
3.3MB

Download
memory/5012-131-0x00007FF6096F0000-0x00007FF609A41000-memory.dmp

Filesize
3.3MB

Download
memory/5012-252-0x00007FF6096F0000-0x00007FF609A41000-memory.dmp

Filesize
3.3MB

Download