cobaltstrike | 7191d0259c0661e8d153087bceb961eb7e6ae992685cc83815fb42e5c4bea1f4

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15/11/2024, 02:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-15_3e3ed853167df8318854dda16fef727a_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

3e3ed853167df8318854dda16fef727a
SHA1

e4c648900245da9a8e64878d2d3ef36e6c235df6
SHA256

7191d0259c0661e8d153087bceb961eb7e6ae992685cc83815fb42e5c4bea1f4
SHA512

398bb9f5b10a98e292f85f1baeaa00424c48629da1d14e0ba4874214967f6b5a44acde3946a32bc5c45337d1395d78e3533fbbf14359b1f15a4928ae9c0fe34d
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lC:RWWBibf56utgpPFotBER/mQ32lUu

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000b000000023b8e-4.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b99-11.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b9b-8.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023ba9-26.dat	cobalt_reflective_dll
behavioral2/files/0x000e000000023bb4-41.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023baf-48.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bb6-55.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023bb0-42.dat	cobalt_reflective_dll
behavioral2/files/0x0012000000023ba7-30.dat	cobalt_reflective_dll
behavioral2/files/0x000c000000023b8f-62.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bba-69.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bbb-80.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023bbd-85.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bf6-135.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bf1-133.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bef-124.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bee-114.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bec-107.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bed-100.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bbc-87.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bb9-70.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/2184-58-0x00007FF7869D0000-0x00007FF786D21000-memory.dmp	xmrig
behavioral2/memory/4192-71-0x00007FF615800000-0x00007FF615B51000-memory.dmp	xmrig
behavioral2/memory/3640-104-0x00007FF6E90D0000-0x00007FF6E9421000-memory.dmp	xmrig
behavioral2/memory/2716-112-0x00007FF61BE10000-0x00007FF61C161000-memory.dmp	xmrig
behavioral2/memory/4124-119-0x00007FF6ACFC0000-0x00007FF6AD311000-memory.dmp	xmrig
behavioral2/memory/4652-127-0x00007FF71C080000-0x00007FF71C3D1000-memory.dmp	xmrig
behavioral2/memory/4868-132-0x00007FF7E65E0000-0x00007FF7E6931000-memory.dmp	xmrig
behavioral2/memory/2012-130-0x00007FF690440000-0x00007FF690791000-memory.dmp	xmrig
behavioral2/memory/2476-111-0x00007FF7FD330000-0x00007FF7FD681000-memory.dmp	xmrig
behavioral2/memory/832-110-0x00007FF64B250000-0x00007FF64B5A1000-memory.dmp	xmrig
behavioral2/memory/2272-105-0x00007FF77C800000-0x00007FF77CB51000-memory.dmp	xmrig
behavioral2/memory/3936-86-0x00007FF6936F0000-0x00007FF693A41000-memory.dmp	xmrig
behavioral2/memory/5080-72-0x00007FF64D970000-0x00007FF64DCC1000-memory.dmp	xmrig
behavioral2/memory/2492-146-0x00007FF7AC430000-0x00007FF7AC781000-memory.dmp	xmrig
behavioral2/memory/4584-148-0x00007FF703710000-0x00007FF703A61000-memory.dmp	xmrig
behavioral2/memory/2400-147-0x00007FF74A0C0000-0x00007FF74A411000-memory.dmp	xmrig
behavioral2/memory/2184-137-0x00007FF7869D0000-0x00007FF786D21000-memory.dmp	xmrig
behavioral2/memory/4904-152-0x00007FF7C2370000-0x00007FF7C26C1000-memory.dmp	xmrig
behavioral2/memory/1644-158-0x00007FF68EDE0000-0x00007FF68F131000-memory.dmp	xmrig
behavioral2/memory/1008-156-0x00007FF768EB0000-0x00007FF769201000-memory.dmp	xmrig
behavioral2/memory/2872-155-0x00007FF7971F0000-0x00007FF797541000-memory.dmp	xmrig
behavioral2/memory/2032-157-0x00007FF65D240000-0x00007FF65D591000-memory.dmp	xmrig
behavioral2/memory/4572-153-0x00007FF742E90000-0x00007FF7431E1000-memory.dmp	xmrig
behavioral2/memory/2184-159-0x00007FF7869D0000-0x00007FF786D21000-memory.dmp	xmrig
behavioral2/memory/4192-215-0x00007FF615800000-0x00007FF615B51000-memory.dmp	xmrig
behavioral2/memory/5080-217-0x00007FF64D970000-0x00007FF64DCC1000-memory.dmp	xmrig
behavioral2/memory/832-219-0x00007FF64B250000-0x00007FF64B5A1000-memory.dmp	xmrig
behavioral2/memory/2476-221-0x00007FF7FD330000-0x00007FF7FD681000-memory.dmp	xmrig
behavioral2/memory/4124-225-0x00007FF6ACFC0000-0x00007FF6AD311000-memory.dmp	xmrig
behavioral2/memory/4652-224-0x00007FF71C080000-0x00007FF71C3D1000-memory.dmp	xmrig
behavioral2/memory/2492-228-0x00007FF7AC430000-0x00007FF7AC781000-memory.dmp	xmrig
behavioral2/memory/4868-231-0x00007FF7E65E0000-0x00007FF7E6931000-memory.dmp	xmrig
behavioral2/memory/2012-230-0x00007FF690440000-0x00007FF690791000-memory.dmp	xmrig
behavioral2/memory/2400-235-0x00007FF74A0C0000-0x00007FF74A411000-memory.dmp	xmrig
behavioral2/memory/4584-246-0x00007FF703710000-0x00007FF703A61000-memory.dmp	xmrig
behavioral2/memory/3936-249-0x00007FF6936F0000-0x00007FF693A41000-memory.dmp	xmrig
behavioral2/memory/4904-250-0x00007FF7C2370000-0x00007FF7C26C1000-memory.dmp	xmrig
behavioral2/memory/2272-257-0x00007FF77C800000-0x00007FF77CB51000-memory.dmp	xmrig
behavioral2/memory/4572-260-0x00007FF742E90000-0x00007FF7431E1000-memory.dmp	xmrig
behavioral2/memory/2716-259-0x00007FF61BE10000-0x00007FF61C161000-memory.dmp	xmrig
behavioral2/memory/3640-255-0x00007FF6E90D0000-0x00007FF6E9421000-memory.dmp	xmrig
behavioral2/memory/2872-253-0x00007FF7971F0000-0x00007FF797541000-memory.dmp	xmrig
behavioral2/memory/1644-263-0x00007FF68EDE0000-0x00007FF68F131000-memory.dmp	xmrig
behavioral2/memory/1008-267-0x00007FF768EB0000-0x00007FF769201000-memory.dmp	xmrig
behavioral2/memory/2032-266-0x00007FF65D240000-0x00007FF65D591000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4192	biIalrA.exe
5080	ZkGguaU.exe
832	TCLHMpa.exe
2476	oXaPPwb.exe
4124	xOkMSGe.exe
2012	tzpUgqk.exe
4652	LfWTWmQ.exe
4868	AUGyfyg.exe
2492	iIVpprS.exe
2400	oAPtTYr.exe
4584	pnPFsgW.exe
3936	QQHvgJZ.exe
3640	DuTGMNX.exe
2272	XakMBlw.exe
4904	tgPDYBv.exe
4572	DQvIpXd.exe
2716	BAIebXo.exe
2872	MMMDNSG.exe
1008	wmreELc.exe
2032	UMfXfzV.exe
1644	xsWcSFC.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2184-0-0x00007FF7869D0000-0x00007FF786D21000-memory.dmp	upx
behavioral2/files/0x000b000000023b8e-4.dat	upx
behavioral2/memory/4192-10-0x00007FF615800000-0x00007FF615B51000-memory.dmp	upx
behavioral2/files/0x000a000000023b99-11.dat	upx
behavioral2/files/0x000b000000023b9b-8.dat	upx
behavioral2/memory/832-20-0x00007FF64B250000-0x00007FF64B5A1000-memory.dmp	upx
behavioral2/files/0x0008000000023ba9-26.dat	upx
behavioral2/memory/4124-35-0x00007FF6ACFC0000-0x00007FF6AD311000-memory.dmp	upx
behavioral2/files/0x000e000000023bb4-41.dat	upx
behavioral2/files/0x0009000000023baf-48.dat	upx
behavioral2/files/0x0008000000023bb6-55.dat	upx
behavioral2/memory/2492-54-0x00007FF7AC430000-0x00007FF7AC781000-memory.dmp	upx
behavioral2/memory/4868-50-0x00007FF7E65E0000-0x00007FF7E6931000-memory.dmp	upx
behavioral2/memory/2012-45-0x00007FF690440000-0x00007FF690791000-memory.dmp	upx
behavioral2/files/0x0009000000023bb0-42.dat	upx
behavioral2/memory/4652-40-0x00007FF71C080000-0x00007FF71C3D1000-memory.dmp	upx
behavioral2/files/0x0012000000023ba7-30.dat	upx
behavioral2/memory/2476-28-0x00007FF7FD330000-0x00007FF7FD681000-memory.dmp	upx
behavioral2/memory/5080-19-0x00007FF64D970000-0x00007FF64DCC1000-memory.dmp	upx
behavioral2/memory/2184-58-0x00007FF7869D0000-0x00007FF786D21000-memory.dmp	upx
behavioral2/files/0x000c000000023b8f-62.dat	upx
behavioral2/files/0x0008000000023bba-69.dat	upx
behavioral2/memory/4192-71-0x00007FF615800000-0x00007FF615B51000-memory.dmp	upx
behavioral2/files/0x0008000000023bbb-80.dat	upx
behavioral2/files/0x0009000000023bbd-85.dat	upx
behavioral2/memory/4904-91-0x00007FF7C2370000-0x00007FF7C26C1000-memory.dmp	upx
behavioral2/memory/3640-104-0x00007FF6E90D0000-0x00007FF6E9421000-memory.dmp	upx
behavioral2/memory/4572-109-0x00007FF742E90000-0x00007FF7431E1000-memory.dmp	upx
behavioral2/memory/2716-112-0x00007FF61BE10000-0x00007FF61C161000-memory.dmp	upx
behavioral2/memory/4124-119-0x00007FF6ACFC0000-0x00007FF6AD311000-memory.dmp	upx
behavioral2/memory/4652-127-0x00007FF71C080000-0x00007FF71C3D1000-memory.dmp	upx
behavioral2/files/0x0008000000023bf6-135.dat	upx
behavioral2/files/0x0008000000023bf1-133.dat	upx
behavioral2/memory/4868-132-0x00007FF7E65E0000-0x00007FF7E6931000-memory.dmp	upx
behavioral2/memory/2012-130-0x00007FF690440000-0x00007FF690791000-memory.dmp	upx
behavioral2/memory/1644-129-0x00007FF68EDE0000-0x00007FF68F131000-memory.dmp	upx
behavioral2/memory/2032-128-0x00007FF65D240000-0x00007FF65D591000-memory.dmp	upx
behavioral2/files/0x0008000000023bef-124.dat	upx
behavioral2/memory/1008-122-0x00007FF768EB0000-0x00007FF769201000-memory.dmp	upx
behavioral2/files/0x0008000000023bee-114.dat	upx
behavioral2/memory/2872-113-0x00007FF7971F0000-0x00007FF797541000-memory.dmp	upx
behavioral2/memory/2476-111-0x00007FF7FD330000-0x00007FF7FD681000-memory.dmp	upx
behavioral2/memory/832-110-0x00007FF64B250000-0x00007FF64B5A1000-memory.dmp	upx
behavioral2/files/0x0008000000023bec-107.dat	upx
behavioral2/memory/2272-105-0x00007FF77C800000-0x00007FF77CB51000-memory.dmp	upx
behavioral2/files/0x0008000000023bed-100.dat	upx
behavioral2/files/0x0008000000023bbc-87.dat	upx
behavioral2/memory/3936-86-0x00007FF6936F0000-0x00007FF693A41000-memory.dmp	upx
behavioral2/memory/4584-83-0x00007FF703710000-0x00007FF703A61000-memory.dmp	upx
behavioral2/memory/5080-72-0x00007FF64D970000-0x00007FF64DCC1000-memory.dmp	upx
behavioral2/files/0x0008000000023bb9-70.dat	upx
behavioral2/memory/2400-61-0x00007FF74A0C0000-0x00007FF74A411000-memory.dmp	upx
behavioral2/memory/2492-146-0x00007FF7AC430000-0x00007FF7AC781000-memory.dmp	upx
behavioral2/memory/4584-148-0x00007FF703710000-0x00007FF703A61000-memory.dmp	upx
behavioral2/memory/2400-147-0x00007FF74A0C0000-0x00007FF74A411000-memory.dmp	upx
behavioral2/memory/2184-137-0x00007FF7869D0000-0x00007FF786D21000-memory.dmp	upx
behavioral2/memory/4904-152-0x00007FF7C2370000-0x00007FF7C26C1000-memory.dmp	upx
behavioral2/memory/1644-158-0x00007FF68EDE0000-0x00007FF68F131000-memory.dmp	upx
behavioral2/memory/1008-156-0x00007FF768EB0000-0x00007FF769201000-memory.dmp	upx
behavioral2/memory/2872-155-0x00007FF7971F0000-0x00007FF797541000-memory.dmp	upx
behavioral2/memory/2032-157-0x00007FF65D240000-0x00007FF65D591000-memory.dmp	upx
behavioral2/memory/4572-153-0x00007FF742E90000-0x00007FF7431E1000-memory.dmp	upx
behavioral2/memory/2184-159-0x00007FF7869D0000-0x00007FF786D21000-memory.dmp	upx
behavioral2/memory/4192-215-0x00007FF615800000-0x00007FF615B51000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\tzpUgqk.exe	2024-11-15_3e3ed853167df8318854dda16fef727a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LfWTWmQ.exe	2024-11-15_3e3ed853167df8318854dda16fef727a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DuTGMNX.exe	2024-11-15_3e3ed853167df8318854dda16fef727a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XakMBlw.exe	2024-11-15_3e3ed853167df8318854dda16fef727a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wmreELc.exe	2024-11-15_3e3ed853167df8318854dda16fef727a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZkGguaU.exe	2024-11-15_3e3ed853167df8318854dda16fef727a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oXaPPwb.exe	2024-11-15_3e3ed853167df8318854dda16fef727a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AUGyfyg.exe	2024-11-15_3e3ed853167df8318854dda16fef727a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QQHvgJZ.exe	2024-11-15_3e3ed853167df8318854dda16fef727a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DQvIpXd.exe	2024-11-15_3e3ed853167df8318854dda16fef727a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\biIalrA.exe	2024-11-15_3e3ed853167df8318854dda16fef727a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TCLHMpa.exe	2024-11-15_3e3ed853167df8318854dda16fef727a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iIVpprS.exe	2024-11-15_3e3ed853167df8318854dda16fef727a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oAPtTYr.exe	2024-11-15_3e3ed853167df8318854dda16fef727a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MMMDNSG.exe	2024-11-15_3e3ed853167df8318854dda16fef727a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xOkMSGe.exe	2024-11-15_3e3ed853167df8318854dda16fef727a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pnPFsgW.exe	2024-11-15_3e3ed853167df8318854dda16fef727a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tgPDYBv.exe	2024-11-15_3e3ed853167df8318854dda16fef727a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BAIebXo.exe	2024-11-15_3e3ed853167df8318854dda16fef727a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UMfXfzV.exe	2024-11-15_3e3ed853167df8318854dda16fef727a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xsWcSFC.exe	2024-11-15_3e3ed853167df8318854dda16fef727a_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2184	2024-11-15_3e3ed853167df8318854dda16fef727a_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2184	2024-11-15_3e3ed853167df8318854dda16fef727a_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 4192	2184	2024-11-15_3e3ed853167df8318854dda16fef727a_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2184 wrote to memory of 4192	2184	2024-11-15_3e3ed853167df8318854dda16fef727a_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2184 wrote to memory of 5080	2184	2024-11-15_3e3ed853167df8318854dda16fef727a_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2184 wrote to memory of 5080	2184	2024-11-15_3e3ed853167df8318854dda16fef727a_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2184 wrote to memory of 832	2184	2024-11-15_3e3ed853167df8318854dda16fef727a_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2184 wrote to memory of 832	2184	2024-11-15_3e3ed853167df8318854dda16fef727a_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2184 wrote to memory of 2476	2184	2024-11-15_3e3ed853167df8318854dda16fef727a_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2184 wrote to memory of 2476	2184	2024-11-15_3e3ed853167df8318854dda16fef727a_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2184 wrote to memory of 4124	2184	2024-11-15_3e3ed853167df8318854dda16fef727a_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2184 wrote to memory of 4124	2184	2024-11-15_3e3ed853167df8318854dda16fef727a_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2184 wrote to memory of 2012	2184	2024-11-15_3e3ed853167df8318854dda16fef727a_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2184 wrote to memory of 2012	2184	2024-11-15_3e3ed853167df8318854dda16fef727a_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2184 wrote to memory of 4652	2184	2024-11-15_3e3ed853167df8318854dda16fef727a_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2184 wrote to memory of 4652	2184	2024-11-15_3e3ed853167df8318854dda16fef727a_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2184 wrote to memory of 4868	2184	2024-11-15_3e3ed853167df8318854dda16fef727a_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2184 wrote to memory of 4868	2184	2024-11-15_3e3ed853167df8318854dda16fef727a_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2184 wrote to memory of 2492	2184	2024-11-15_3e3ed853167df8318854dda16fef727a_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2184 wrote to memory of 2492	2184	2024-11-15_3e3ed853167df8318854dda16fef727a_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2184 wrote to memory of 2400	2184	2024-11-15_3e3ed853167df8318854dda16fef727a_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2184 wrote to memory of 2400	2184	2024-11-15_3e3ed853167df8318854dda16fef727a_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2184 wrote to memory of 4584	2184	2024-11-15_3e3ed853167df8318854dda16fef727a_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2184 wrote to memory of 4584	2184	2024-11-15_3e3ed853167df8318854dda16fef727a_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2184 wrote to memory of 3936	2184	2024-11-15_3e3ed853167df8318854dda16fef727a_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2184 wrote to memory of 3936	2184	2024-11-15_3e3ed853167df8318854dda16fef727a_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2184 wrote to memory of 3640	2184	2024-11-15_3e3ed853167df8318854dda16fef727a_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2184 wrote to memory of 3640	2184	2024-11-15_3e3ed853167df8318854dda16fef727a_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2184 wrote to memory of 2272	2184	2024-11-15_3e3ed853167df8318854dda16fef727a_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2184 wrote to memory of 2272	2184	2024-11-15_3e3ed853167df8318854dda16fef727a_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2184 wrote to memory of 4904	2184	2024-11-15_3e3ed853167df8318854dda16fef727a_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2184 wrote to memory of 4904	2184	2024-11-15_3e3ed853167df8318854dda16fef727a_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2184 wrote to memory of 4572	2184	2024-11-15_3e3ed853167df8318854dda16fef727a_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2184 wrote to memory of 4572	2184	2024-11-15_3e3ed853167df8318854dda16fef727a_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2184 wrote to memory of 2716	2184	2024-11-15_3e3ed853167df8318854dda16fef727a_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2184 wrote to memory of 2716	2184	2024-11-15_3e3ed853167df8318854dda16fef727a_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2184 wrote to memory of 2872	2184	2024-11-15_3e3ed853167df8318854dda16fef727a_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2184 wrote to memory of 2872	2184	2024-11-15_3e3ed853167df8318854dda16fef727a_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2184 wrote to memory of 1008	2184	2024-11-15_3e3ed853167df8318854dda16fef727a_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2184 wrote to memory of 1008	2184	2024-11-15_3e3ed853167df8318854dda16fef727a_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2184 wrote to memory of 2032	2184	2024-11-15_3e3ed853167df8318854dda16fef727a_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2184 wrote to memory of 2032	2184	2024-11-15_3e3ed853167df8318854dda16fef727a_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2184 wrote to memory of 1644	2184	2024-11-15_3e3ed853167df8318854dda16fef727a_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 2184 wrote to memory of 1644	2184	2024-11-15_3e3ed853167df8318854dda16fef727a_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-11-15_3e3ed853167df8318854dda16fef727a_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-15_3e3ed853167df8318854dda16fef727a_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Windows\System\biIalrA.exe
  C:\Windows\System\biIalrA.exe
  2⤵
  - Executes dropped EXE
  PID:4192
- C:\Windows\System\ZkGguaU.exe
  C:\Windows\System\ZkGguaU.exe
  2⤵
  - Executes dropped EXE
  PID:5080
- C:\Windows\System\TCLHMpa.exe
  C:\Windows\System\TCLHMpa.exe
  2⤵
  - Executes dropped EXE
  PID:832
- C:\Windows\System\oXaPPwb.exe
  C:\Windows\System\oXaPPwb.exe
  2⤵
  - Executes dropped EXE
  PID:2476
- C:\Windows\System\xOkMSGe.exe
  C:\Windows\System\xOkMSGe.exe
  2⤵
  - Executes dropped EXE
  PID:4124
- C:\Windows\System\tzpUgqk.exe
  C:\Windows\System\tzpUgqk.exe
  2⤵
  - Executes dropped EXE
  PID:2012
- C:\Windows\System\LfWTWmQ.exe
  C:\Windows\System\LfWTWmQ.exe
  2⤵
  - Executes dropped EXE
  PID:4652
- C:\Windows\System\AUGyfyg.exe
  C:\Windows\System\AUGyfyg.exe
  2⤵
  - Executes dropped EXE
  PID:4868
- C:\Windows\System\iIVpprS.exe
  C:\Windows\System\iIVpprS.exe
  2⤵
  - Executes dropped EXE
  PID:2492
- C:\Windows\System\oAPtTYr.exe
  C:\Windows\System\oAPtTYr.exe
  2⤵
  - Executes dropped EXE
  PID:2400
- C:\Windows\System\pnPFsgW.exe
  C:\Windows\System\pnPFsgW.exe
  2⤵
  - Executes dropped EXE
  PID:4584
- C:\Windows\System\QQHvgJZ.exe
  C:\Windows\System\QQHvgJZ.exe
  2⤵
  - Executes dropped EXE
  PID:3936
- C:\Windows\System\DuTGMNX.exe
  C:\Windows\System\DuTGMNX.exe
  2⤵
  - Executes dropped EXE
  PID:3640
- C:\Windows\System\XakMBlw.exe
  C:\Windows\System\XakMBlw.exe
  2⤵
  - Executes dropped EXE
  PID:2272
- C:\Windows\System\tgPDYBv.exe
  C:\Windows\System\tgPDYBv.exe
  2⤵
  - Executes dropped EXE
  PID:4904
- C:\Windows\System\DQvIpXd.exe
  C:\Windows\System\DQvIpXd.exe
  2⤵
  - Executes dropped EXE
  PID:4572
- C:\Windows\System\BAIebXo.exe
  C:\Windows\System\BAIebXo.exe
  2⤵
  - Executes dropped EXE
  PID:2716
- C:\Windows\System\MMMDNSG.exe
  C:\Windows\System\MMMDNSG.exe
  2⤵
  - Executes dropped EXE
  PID:2872
- C:\Windows\System\wmreELc.exe
  C:\Windows\System\wmreELc.exe
  2⤵
  - Executes dropped EXE
  PID:1008
- C:\Windows\System\UMfXfzV.exe
  C:\Windows\System\UMfXfzV.exe
  2⤵
  - Executes dropped EXE
  PID:2032
- C:\Windows\System\xsWcSFC.exe
  C:\Windows\System\xsWcSFC.exe
  2⤵
  - Executes dropped EXE
  PID:1644

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AUGyfyg.exe

Filesize
5.2MB

MD5
4ba6aca1fcf5e1a69d96378be991c694

SHA1
62848c8a72bc33db54addc8794643785faa79a01

SHA256
48f33211f4fe5268b16dd8094900a53edeec2bf63e65049b3d2d36ac5f9fa966

SHA512
9905f09f6a281dc2292c9483041b8e46803f54455bc6a3e06b3e0fe82b2dcd6569dd7115a62aad78e032947293b282b9148330b58be8aff590edcfe1eabb65d7

Download Submit
C:\Windows\System\BAIebXo.exe

Filesize
5.2MB

MD5
4b4f1b5a67195f930092f954ea33dfaf

SHA1
9aa87256bcc6e9bdd683015dff527eb03d6058b9

SHA256
972dd059ee57cbe6ce80603d4313ca4e8dbe82cfe808471ff3f657b8284902fa

SHA512
1fd6fd52e2d79129e0d12fdae169a72ca9124d62d9814aefc3c908e6bd8f38afaabd0dacfb5c4f01098cd718db769e1277cc32bb65c3ecafd9bb29036cdee21e

Download Submit
C:\Windows\System\DQvIpXd.exe

Filesize
5.2MB

MD5
845083f5ba7070ca348db01b461ee8d2

SHA1
843cb79cc0d147baf967900aff5e000bfa5eae15

SHA256
7832eae7ecdb6ff43c694595ac7acd5eb594972978bf8cf6173dc1507de133a7

SHA512
476b723b7ef26869497da1e96968f1ee2ac866bd575da2f2f941e59de6b75e78c1e6cb12d0c5aa86d625b6e3a12bd87ffc19c15860ead313b94c4ffc9d00fe14

Download Submit
C:\Windows\System\DuTGMNX.exe

Filesize
5.2MB

MD5
9860fda53a3cb3383518ca7ac5e579d0

SHA1
e231e213cc730b558109e5fccb0180610a033265

SHA256
06b40461251123428f906af8162ec61fa0b159deabe4b213e1c3c3bb8e140d89

SHA512
2f695bfe51eb9880e470f9eba11ab94647cebfc1022eb6fdc148c291b3fbb50b282a5d4f8bff9a4912ed90efda36bd507b1b225835acb9370b8137a75be82b31

Download Submit
C:\Windows\System\LfWTWmQ.exe

Filesize
5.2MB

MD5
098f1168236b27c4486a99067f89a8f0

SHA1
ed8e57532215754c3c77990e31c38b6f7fc89080

SHA256
5c598e5c56ab439b10bf1ab5ae3c1e147aee48c9387ccbf7078725ee8b77fde4

SHA512
ef27a37962bc2c480704f0371810585d9e4fe77b26b9895f0fc4cf8756d6fa9a3f9f5f85343fa556faad88a52a712ac9677683850fc0a46f1cba7c48cae956c1

Download Submit
C:\Windows\System\MMMDNSG.exe

Filesize
5.2MB

MD5
cd48a9637065625202349e3e616666a3

SHA1
8d8e08df3c1c4c757c9102ad1be2df0fa13add2f

SHA256
252ca1e2f3ba2078d60267df249a39fa412e4c5ee72bcac4c743daa77df4e9cd

SHA512
2a2eecd53c12b4871db2e61a7aa05196c08d57b1475a2358a2330bb25f070707efa16fc63a5f368a26f06fe2823e4ce95b33137db042ab0ce46d21a7623e77c8

Download Submit
C:\Windows\System\QQHvgJZ.exe

Filesize
5.2MB

MD5
c3771722262feb6dbdd23ba1ad529a14

SHA1
c3c07251155cca769e9c3b3d19ce5c50d1d9957a

SHA256
d97f4177af40aa1f5748d4f8f4078c4df949c4366c7aa9cc5b78eb0c8d3fdc56

SHA512
603bf9407d178235b969da612d0c5257e4f3857483f5734e399544dc72b0771f7f17c0233f65c2282c8fb72a08b79dc745f80f161914d54a56400b927c747314

Download Submit
C:\Windows\System\TCLHMpa.exe

Filesize
5.2MB

MD5
45a65973445c1c9c1b6e91f79a4aa34f

SHA1
c5aaf51ec90602d3dc7b95475b3f9f546e8abebd

SHA256
2a1e6bdda1bf29b4d4177a19f0ff054d22b84acab55f449f0e30b3c03612b154

SHA512
a8c13808a0a2aec00ea8c922115bc341a45b21696e9aaecf24d5b27be4938d78742113a2629b982ce88a0cbe595866dde490e9da490931669ecd5286c2a4db89

Download Submit
C:\Windows\System\UMfXfzV.exe

Filesize
5.2MB

MD5
65c3c74f85426da59674984cf29eb5b8

SHA1
7be930f7500ed1a055ec105d7155d307b3fc47b9

SHA256
b3392632694bf2feb2058cd5e5be7dca8f398106aa82541d7694b92c9e4f72bf

SHA512
d11e93fc7413c3084ffd8c09b84f5dbfa641eb0cb16f70e84aedd6eb8ecb83ba42f7ca346066dc530bcc3b2be88bb784e4eef6be2eb2ef5fa5027d2841c929a5

Download Submit
C:\Windows\System\XakMBlw.exe

Filesize
5.2MB

MD5
89973c31500b89d8efe0c425e4ff50a3

SHA1
4acf83b594dbe4e1f2ac474fef7aa8bfc8bc8709

SHA256
8b97e55448af73ca7e0dde2a3d8b976e65b72244787bcc3e2495280b15a474e2

SHA512
234d1570d19ddfd20f6224468fd87c87f77928ac2df8903af2395cf06d6d4c68d9c211f6422e428a87f9df9f08254f987fe2f3831af546f771e237263b5ac13f

Download Submit
C:\Windows\System\ZkGguaU.exe

Filesize
5.2MB

MD5
7e78f972904300140815d93311ed2046

SHA1
9c35a0be4a0278dcfc8e2d820436649937df82e4

SHA256
e515fcaf4209a9a309459723810289045c71564bb83b0087407bad9022c41636

SHA512
b9b2fe4d16f37ee8470123a0f3cc1fb11846d90c2f4a3fc74765f4a5dabc2d9bf11083f9046dc06fea404a52959dff1fafb44b31543bb10b2a4179284548565b

Download Submit
C:\Windows\System\biIalrA.exe

Filesize
5.2MB

MD5
a766cfd58ae23f1a84c8bb4a5acff319

SHA1
bb536c38350d28fe7ce26c80de529e57c99b8270

SHA256
7c4be6100fd4c54556b4b16aa5d57ba71f4162895f1e2adadc2a7b7bb3038944

SHA512
519708229cffbbfc29a198208da1aca31f02b97517bb780c5305477c86fecbfa460f965e3fa195ca7df2fb925183405cb974e4f15382445263348c66a4b629d6

Download Submit
C:\Windows\System\iIVpprS.exe

Filesize
5.2MB

MD5
8675aa61f59e16dfa96eb750317c6532

SHA1
6aa6dcb5632554a629c58fb542b8303bbd52e040

SHA256
619ac231df8f490b9661a799c736cebff755d0e98d5e43528cd066fe5936fc70

SHA512
3db88a7ba33cd11f3691988357b14a4672e0a8834e422a40d23f22ff16377d91e54e18bbe5c62b2330cd634d8a883a7a52999efe95bdcf53ed096dce77015623

Download Submit
C:\Windows\System\oAPtTYr.exe

Filesize
5.2MB

MD5
6baa076819bedf15c5a6a71fd399b818

SHA1
d4855ee5b96c42a149aade29de6aa7d6221107a9

SHA256
be2deed193f5808c0ff8cb5ec117a3a58335909aedcf5e99ffdc1464f9ec0656

SHA512
20bbfe78621d97cad4b2ab3b77907f5deb360b46e727750658e8af465ab4a4fedde4b3a05214e95e6c3eb78450290c8ee6fbe92759f52ac1408e0162ab40663a

Download Submit
C:\Windows\System\oXaPPwb.exe

Filesize
5.2MB

MD5
f23743a34962d13934b0917bfde65ccb

SHA1
64244961847c44e2f3ebffb5c436592ea5639169

SHA256
a6751299ed7741c8bf7a5f5a530503709611878731fbd9bed803bc50e14fece0

SHA512
b8176b1322428d49a244eff21005cff1c23e930f80ca77ce662a99c67f5c7b108358fd477feaff1d30a56112209092f6ee51aeb068ad55ec44fe39072372073b

Download Submit
C:\Windows\System\pnPFsgW.exe

Filesize
5.2MB

MD5
96f0b40a9493289d1188c64308f40fc1

SHA1
7143fdfd397e02ca8ef97c6d99e6c1e499b10fba

SHA256
61efdbce892c6bdf7d62dc9a053e1eff05809d9bc7efdf76faf9b4196a914e80

SHA512
346e391265ac80834b4cf12e8c4d9fe36a59476f2a0b576120cb085255e7e2cf00bdfcd270a7bac1306622d5e4966a085ec6a2d79dad1089720d01691403f7cb

Download Submit
C:\Windows\System\tgPDYBv.exe

Filesize
5.2MB

MD5
e9ccceae147ac13d13a89ccf42d46c58

SHA1
9e4256eade75e9a0ccb18eb3a937f1cb088f81b5

SHA256
6a67dbcb3d2e3cf591be0efc45c2ada4f478d53be9ef76a5f9a692fd3215c51c

SHA512
e5fe9bbba932734865de13d3ebcb7b006fa80dcf2e025d11497b18781fbca5a0470a71f1a9783bccc232e7510200a90284c853d55eab5f0a8814256c864035c1

Download Submit
C:\Windows\System\tzpUgqk.exe

Filesize
5.2MB

MD5
7d3383163a7fc27cc6fc3db4b6fe5264

SHA1
254638deac5e0fde2e80ed0c97821a9391173fae

SHA256
bc6d8536351df4c03154e1571327615437b03fda679ef2988216b07b8acbe7f9

SHA512
b746040812b96415ed9b2f90a833cff14c0b4ca19405168170138bd06ca598e86c2ac3f9f5a8f91acacfb3a96b6bf6eab803110e559bc4aa021acc535c7f7458

Download Submit
C:\Windows\System\wmreELc.exe

Filesize
5.2MB

MD5
803b25e2d706b73b78dfe514a319c772

SHA1
7825bd2f2869cd6b9dbdf4f57e91071e7968de1c

SHA256
d7aa3d9c848653e7582d465ad3e2764df698cfe71f122c62b2023ba2cf3c4e17

SHA512
50b7602c2a92f5ad7958e28af5865f818978627be29d50b303a9636059ad9a84bbac0965773b9e76667bc5e2a15febba022b2a8e2d939f2d952c3c4b54b8db7b

Download Submit
C:\Windows\System\xOkMSGe.exe

Filesize
5.2MB

MD5
11a5706aecb0a0f3097f4f32c21c65fc

SHA1
db23b98ba0a19e5896ffb8b1c3dcd25d717d06b4

SHA256
86b7a92c019401926a558b845ded04e0d905e634f08e8b7141d4583242bf2bc2

SHA512
6401947718ec3a53e70408b48cfeb6224c3dfabbc2569805aecf3a79163c5a9e5f60586b1bf61e68e130bb3dd8ab79eb0de6647acd1fdbe2eae52b35a1949a0e

Download Submit
C:\Windows\System\xsWcSFC.exe

Filesize
5.2MB

MD5
4c03090d9453ea2c47bcf55fae0eda52

SHA1
f1a62f2947e703a9e5413fe84a5d62cd22a9ee3c

SHA256
0ed2dcc2dd4a3ef3cdccb926c0982f000f2faceaa9cea9af5a8b38e1c5f0fba7

SHA512
031dcb69e50aeeac6c8b77ecb21cd99d7228d4b1788bd1da5e643dc8c19b72d7381f2a98c9d644df51eae6ad8598f5ec6cbd5802a6f16b06e76e72718407286a

Download Submit
memory/832-219-0x00007FF64B250000-0x00007FF64B5A1000-memory.dmp

Filesize
3.3MB

Download
memory/832-20-0x00007FF64B250000-0x00007FF64B5A1000-memory.dmp

Filesize
3.3MB

Download
memory/832-110-0x00007FF64B250000-0x00007FF64B5A1000-memory.dmp

Filesize
3.3MB

Download
memory/1008-122-0x00007FF768EB0000-0x00007FF769201000-memory.dmp

Filesize
3.3MB

Download
memory/1008-267-0x00007FF768EB0000-0x00007FF769201000-memory.dmp

Filesize
3.3MB

Download
memory/1008-156-0x00007FF768EB0000-0x00007FF769201000-memory.dmp

Filesize
3.3MB

Download
memory/1644-129-0x00007FF68EDE0000-0x00007FF68F131000-memory.dmp

Filesize
3.3MB

Download
memory/1644-263-0x00007FF68EDE0000-0x00007FF68F131000-memory.dmp

Filesize
3.3MB

Download
memory/1644-158-0x00007FF68EDE0000-0x00007FF68F131000-memory.dmp

Filesize
3.3MB

Download
memory/2012-130-0x00007FF690440000-0x00007FF690791000-memory.dmp

Filesize
3.3MB

Download
memory/2012-45-0x00007FF690440000-0x00007FF690791000-memory.dmp

Filesize
3.3MB

Download
memory/2012-230-0x00007FF690440000-0x00007FF690791000-memory.dmp

Filesize
3.3MB

Download
memory/2032-157-0x00007FF65D240000-0x00007FF65D591000-memory.dmp

Filesize
3.3MB

Download
memory/2032-266-0x00007FF65D240000-0x00007FF65D591000-memory.dmp

Filesize
3.3MB

Download
memory/2032-128-0x00007FF65D240000-0x00007FF65D591000-memory.dmp

Filesize
3.3MB

Download
memory/2184-159-0x00007FF7869D0000-0x00007FF786D21000-memory.dmp

Filesize
3.3MB

Download
memory/2184-58-0x00007FF7869D0000-0x00007FF786D21000-memory.dmp

Filesize
3.3MB

Download
memory/2184-0-0x00007FF7869D0000-0x00007FF786D21000-memory.dmp

Filesize
3.3MB

Download
memory/2184-137-0x00007FF7869D0000-0x00007FF786D21000-memory.dmp

Filesize
3.3MB

Download
memory/2184-1-0x000002B2F2AB0000-0x000002B2F2AC0000-memory.dmp

Filesize
64KB

Download
memory/2272-257-0x00007FF77C800000-0x00007FF77CB51000-memory.dmp

Filesize
3.3MB

Download
memory/2272-105-0x00007FF77C800000-0x00007FF77CB51000-memory.dmp

Filesize
3.3MB

Download
memory/2400-61-0x00007FF74A0C0000-0x00007FF74A411000-memory.dmp

Filesize
3.3MB

Download
memory/2400-235-0x00007FF74A0C0000-0x00007FF74A411000-memory.dmp

Filesize
3.3MB

Download
memory/2400-147-0x00007FF74A0C0000-0x00007FF74A411000-memory.dmp

Filesize
3.3MB

Download
memory/2476-111-0x00007FF7FD330000-0x00007FF7FD681000-memory.dmp

Filesize
3.3MB

Download
memory/2476-28-0x00007FF7FD330000-0x00007FF7FD681000-memory.dmp

Filesize
3.3MB

Download
memory/2476-221-0x00007FF7FD330000-0x00007FF7FD681000-memory.dmp

Filesize
3.3MB

Download
memory/2492-54-0x00007FF7AC430000-0x00007FF7AC781000-memory.dmp

Filesize
3.3MB

Download
memory/2492-228-0x00007FF7AC430000-0x00007FF7AC781000-memory.dmp

Filesize
3.3MB

Download
memory/2492-146-0x00007FF7AC430000-0x00007FF7AC781000-memory.dmp

Filesize
3.3MB

Download
memory/2716-112-0x00007FF61BE10000-0x00007FF61C161000-memory.dmp

Filesize
3.3MB

Download
memory/2716-259-0x00007FF61BE10000-0x00007FF61C161000-memory.dmp

Filesize
3.3MB

Download
memory/2872-253-0x00007FF7971F0000-0x00007FF797541000-memory.dmp

Filesize
3.3MB

Download
memory/2872-155-0x00007FF7971F0000-0x00007FF797541000-memory.dmp

Filesize
3.3MB

Download
memory/2872-113-0x00007FF7971F0000-0x00007FF797541000-memory.dmp

Filesize
3.3MB

Download
memory/3640-255-0x00007FF6E90D0000-0x00007FF6E9421000-memory.dmp

Filesize
3.3MB

Download
memory/3640-104-0x00007FF6E90D0000-0x00007FF6E9421000-memory.dmp

Filesize
3.3MB

Download
memory/3936-86-0x00007FF6936F0000-0x00007FF693A41000-memory.dmp

Filesize
3.3MB

Download
memory/3936-249-0x00007FF6936F0000-0x00007FF693A41000-memory.dmp

Filesize
3.3MB

Download
memory/4124-35-0x00007FF6ACFC0000-0x00007FF6AD311000-memory.dmp

Filesize
3.3MB

Download
memory/4124-119-0x00007FF6ACFC0000-0x00007FF6AD311000-memory.dmp

Filesize
3.3MB

Download
memory/4124-225-0x00007FF6ACFC0000-0x00007FF6AD311000-memory.dmp

Filesize
3.3MB

Download
memory/4192-10-0x00007FF615800000-0x00007FF615B51000-memory.dmp

Filesize
3.3MB

Download
memory/4192-71-0x00007FF615800000-0x00007FF615B51000-memory.dmp

Filesize
3.3MB

Download
memory/4192-215-0x00007FF615800000-0x00007FF615B51000-memory.dmp

Filesize
3.3MB

Download
memory/4572-109-0x00007FF742E90000-0x00007FF7431E1000-memory.dmp

Filesize
3.3MB

Download
memory/4572-153-0x00007FF742E90000-0x00007FF7431E1000-memory.dmp

Filesize
3.3MB

Download
memory/4572-260-0x00007FF742E90000-0x00007FF7431E1000-memory.dmp

Filesize
3.3MB

Download
memory/4584-246-0x00007FF703710000-0x00007FF703A61000-memory.dmp

Filesize
3.3MB

Download
memory/4584-148-0x00007FF703710000-0x00007FF703A61000-memory.dmp

Filesize
3.3MB

Download
memory/4584-83-0x00007FF703710000-0x00007FF703A61000-memory.dmp

Filesize
3.3MB

Download
memory/4652-224-0x00007FF71C080000-0x00007FF71C3D1000-memory.dmp

Filesize
3.3MB

Download
memory/4652-40-0x00007FF71C080000-0x00007FF71C3D1000-memory.dmp

Filesize
3.3MB

Download
memory/4652-127-0x00007FF71C080000-0x00007FF71C3D1000-memory.dmp

Filesize
3.3MB

Download
memory/4868-50-0x00007FF7E65E0000-0x00007FF7E6931000-memory.dmp

Filesize
3.3MB

Download
memory/4868-231-0x00007FF7E65E0000-0x00007FF7E6931000-memory.dmp

Filesize
3.3MB

Download
memory/4868-132-0x00007FF7E65E0000-0x00007FF7E6931000-memory.dmp

Filesize
3.3MB

Download
memory/4904-91-0x00007FF7C2370000-0x00007FF7C26C1000-memory.dmp

Filesize
3.3MB

Download
memory/4904-152-0x00007FF7C2370000-0x00007FF7C26C1000-memory.dmp

Filesize
3.3MB

Download
memory/4904-250-0x00007FF7C2370000-0x00007FF7C26C1000-memory.dmp

Filesize
3.3MB

Download
memory/5080-217-0x00007FF64D970000-0x00007FF64DCC1000-memory.dmp

Filesize
3.3MB

Download
memory/5080-72-0x00007FF64D970000-0x00007FF64DCC1000-memory.dmp

Filesize
3.3MB

Download
memory/5080-19-0x00007FF64D970000-0x00007FF64DCC1000-memory.dmp

Filesize
3.3MB

Download