cobaltstrike | c622388c10a4836d4094605d16d7bff2f7a9217e7bb2c84c03ccde55c24a796c

Analysis

max time kernel
140s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17/11/2024, 10:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-17_89da154e88cbcf7ed2e639fc59535648_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

89da154e88cbcf7ed2e639fc59535648
SHA1

e41f5fadc9687dc88510a04e7f6c3748911cfbb6
SHA256

c622388c10a4836d4094605d16d7bff2f7a9217e7bb2c84c03ccde55c24a796c
SHA512

4ac4430f64a23646d1609b83830a05e778d705e7715b432daa261b02691c0acec2bf1f8d272175603a828b56408baf6334859d672d171d4ae142b37dc0310bb1
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l0:RWWBibf56utgpPFotBER/mQ32lUA

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0009000000023cac-5.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb7-10.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb6-11.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb8-27.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb9-34.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cba-47.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbd-54.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbf-74.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc0-76.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbe-71.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbc-59.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbb-51.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023cb0-24.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc1-97.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc4-111.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc9-131.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc8-133.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc2-128.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc7-126.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc6-124.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc5-122.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 46 IoCs

miner

resource	yara_rule
behavioral2/memory/2016-58-0x00007FF6DE770000-0x00007FF6DEAC1000-memory.dmp	xmrig
behavioral2/memory/4576-78-0x00007FF647EE0000-0x00007FF648231000-memory.dmp	xmrig
behavioral2/memory/3592-77-0x00007FF6BB1E0000-0x00007FF6BB531000-memory.dmp	xmrig
behavioral2/memory/332-66-0x00007FF69DC30000-0x00007FF69DF81000-memory.dmp	xmrig
behavioral2/memory/4504-81-0x00007FF7EA020000-0x00007FF7EA371000-memory.dmp	xmrig
behavioral2/memory/3356-94-0x00007FF69FCC0000-0x00007FF6A0011000-memory.dmp	xmrig
behavioral2/memory/3660-134-0x00007FF6FC6E0000-0x00007FF6FCA31000-memory.dmp	xmrig
behavioral2/memory/664-136-0x00007FF72A3F0000-0x00007FF72A741000-memory.dmp	xmrig
behavioral2/memory/5084-132-0x00007FF721D70000-0x00007FF7220C1000-memory.dmp	xmrig
behavioral2/memory/3596-107-0x00007FF7AA870000-0x00007FF7AABC1000-memory.dmp	xmrig
behavioral2/memory/1340-106-0x00007FF6BBC60000-0x00007FF6BBFB1000-memory.dmp	xmrig
behavioral2/memory/3724-89-0x00007FF634D60000-0x00007FF6350B1000-memory.dmp	xmrig
behavioral2/memory/1472-88-0x00007FF739A30000-0x00007FF739D81000-memory.dmp	xmrig
behavioral2/memory/1096-87-0x00007FF623130000-0x00007FF623481000-memory.dmp	xmrig
behavioral2/memory/3620-85-0x00007FF769440000-0x00007FF769791000-memory.dmp	xmrig
behavioral2/memory/5032-84-0x00007FF68E810000-0x00007FF68EB61000-memory.dmp	xmrig
behavioral2/memory/3264-82-0x00007FF7D6DC0000-0x00007FF7D7111000-memory.dmp	xmrig
behavioral2/memory/4504-142-0x00007FF7EA020000-0x00007FF7EA371000-memory.dmp	xmrig
behavioral2/memory/3396-158-0x00007FF787180000-0x00007FF7874D1000-memory.dmp	xmrig
behavioral2/memory/2900-163-0x00007FF67D230000-0x00007FF67D581000-memory.dmp	xmrig
behavioral2/memory/4504-164-0x00007FF7EA020000-0x00007FF7EA371000-memory.dmp	xmrig
behavioral2/memory/2216-162-0x00007FF73B0E0000-0x00007FF73B431000-memory.dmp	xmrig
behavioral2/memory/1720-159-0x00007FF7C5BC0000-0x00007FF7C5F11000-memory.dmp	xmrig
behavioral2/memory/5004-156-0x00007FF7EE5B0000-0x00007FF7EE901000-memory.dmp	xmrig
behavioral2/memory/4504-165-0x00007FF7EA020000-0x00007FF7EA371000-memory.dmp	xmrig
behavioral2/memory/3264-195-0x00007FF7D6DC0000-0x00007FF7D7111000-memory.dmp	xmrig
behavioral2/memory/5032-197-0x00007FF68E810000-0x00007FF68EB61000-memory.dmp	xmrig
behavioral2/memory/3620-199-0x00007FF769440000-0x00007FF769791000-memory.dmp	xmrig
behavioral2/memory/1096-209-0x00007FF623130000-0x00007FF623481000-memory.dmp	xmrig
behavioral2/memory/3592-217-0x00007FF6BB1E0000-0x00007FF6BB531000-memory.dmp	xmrig
behavioral2/memory/2016-216-0x00007FF6DE770000-0x00007FF6DEAC1000-memory.dmp	xmrig
behavioral2/memory/1472-213-0x00007FF739A30000-0x00007FF739D81000-memory.dmp	xmrig
behavioral2/memory/3724-212-0x00007FF634D60000-0x00007FF6350B1000-memory.dmp	xmrig
behavioral2/memory/3596-225-0x00007FF7AA870000-0x00007FF7AABC1000-memory.dmp	xmrig
behavioral2/memory/4576-227-0x00007FF647EE0000-0x00007FF648231000-memory.dmp	xmrig
behavioral2/memory/332-224-0x00007FF69DC30000-0x00007FF69DF81000-memory.dmp	xmrig
behavioral2/memory/3356-221-0x00007FF69FCC0000-0x00007FF6A0011000-memory.dmp	xmrig
behavioral2/memory/1340-220-0x00007FF6BBC60000-0x00007FF6BBFB1000-memory.dmp	xmrig
behavioral2/memory/3396-245-0x00007FF787180000-0x00007FF7874D1000-memory.dmp	xmrig
behavioral2/memory/5004-247-0x00007FF7EE5B0000-0x00007FF7EE901000-memory.dmp	xmrig
behavioral2/memory/5084-249-0x00007FF721D70000-0x00007FF7220C1000-memory.dmp	xmrig
behavioral2/memory/664-253-0x00007FF72A3F0000-0x00007FF72A741000-memory.dmp	xmrig
behavioral2/memory/3660-252-0x00007FF6FC6E0000-0x00007FF6FCA31000-memory.dmp	xmrig
behavioral2/memory/1720-256-0x00007FF7C5BC0000-0x00007FF7C5F11000-memory.dmp	xmrig
behavioral2/memory/2900-258-0x00007FF67D230000-0x00007FF67D581000-memory.dmp	xmrig
behavioral2/memory/2216-260-0x00007FF73B0E0000-0x00007FF73B431000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
3264	bmLLuxa.exe
5032	sccWkar.exe
3620	ZvmpiEq.exe
1096	pHNgleU.exe
1472	RhYpdaY.exe
3724	ndCJDAG.exe
3592	fZsqwSv.exe
2016	SoBYzIG.exe
332	EPAhRGr.exe
4576	bfwGoGu.exe
3356	SDbPNSn.exe
1340	yMkTiJT.exe
3596	utZCJJd.exe
5004	RfnsqQw.exe
664	SSEvzGI.exe
3396	UvXrRPN.exe
1720	tlyIXmB.exe
5084	duDEvQS.exe
3660	WzbSVIp.exe
2216	FTgeKbV.exe
2900	AcUxFZU.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4504-0-0x00007FF7EA020000-0x00007FF7EA371000-memory.dmp	upx
behavioral2/memory/3264-6-0x00007FF7D6DC0000-0x00007FF7D7111000-memory.dmp	upx
behavioral2/files/0x0009000000023cac-5.dat	upx
behavioral2/files/0x0007000000023cb7-10.dat	upx
behavioral2/files/0x0007000000023cb6-11.dat	upx
behavioral2/memory/5032-12-0x00007FF68E810000-0x00007FF68EB61000-memory.dmp	upx
behavioral2/files/0x0007000000023cb8-27.dat	upx
behavioral2/files/0x0007000000023cb9-34.dat	upx
behavioral2/files/0x0007000000023cba-47.dat	upx
behavioral2/files/0x0007000000023cbd-54.dat	upx
behavioral2/memory/2016-58-0x00007FF6DE770000-0x00007FF6DEAC1000-memory.dmp	upx
behavioral2/files/0x0007000000023cbf-74.dat	upx
behavioral2/memory/3596-79-0x00007FF7AA870000-0x00007FF7AABC1000-memory.dmp	upx
behavioral2/memory/4576-78-0x00007FF647EE0000-0x00007FF648231000-memory.dmp	upx
behavioral2/memory/3592-77-0x00007FF6BB1E0000-0x00007FF6BB531000-memory.dmp	upx
behavioral2/files/0x0007000000023cc0-76.dat	upx
behavioral2/memory/1340-73-0x00007FF6BBC60000-0x00007FF6BBFB1000-memory.dmp	upx
behavioral2/files/0x0007000000023cbe-71.dat	upx
behavioral2/memory/3356-70-0x00007FF69FCC0000-0x00007FF6A0011000-memory.dmp	upx
behavioral2/memory/332-66-0x00007FF69DC30000-0x00007FF69DF81000-memory.dmp	upx
behavioral2/files/0x0007000000023cbc-59.dat	upx
behavioral2/memory/3724-53-0x00007FF634D60000-0x00007FF6350B1000-memory.dmp	upx
behavioral2/files/0x0007000000023cbb-51.dat	upx
behavioral2/memory/1472-29-0x00007FF739A30000-0x00007FF739D81000-memory.dmp	upx
behavioral2/files/0x0009000000023cb0-24.dat	upx
behavioral2/memory/1096-23-0x00007FF623130000-0x00007FF623481000-memory.dmp	upx
behavioral2/memory/3620-18-0x00007FF769440000-0x00007FF769791000-memory.dmp	upx
behavioral2/memory/4504-81-0x00007FF7EA020000-0x00007FF7EA371000-memory.dmp	upx
behavioral2/memory/3356-94-0x00007FF69FCC0000-0x00007FF6A0011000-memory.dmp	upx
behavioral2/files/0x0007000000023cc1-97.dat	upx
behavioral2/files/0x0007000000023cc4-111.dat	upx
behavioral2/memory/3396-120-0x00007FF787180000-0x00007FF7874D1000-memory.dmp	upx
behavioral2/files/0x0007000000023cc9-131.dat	upx
behavioral2/memory/3660-134-0x00007FF6FC6E0000-0x00007FF6FCA31000-memory.dmp	upx
behavioral2/memory/664-136-0x00007FF72A3F0000-0x00007FF72A741000-memory.dmp	upx
behavioral2/memory/2900-138-0x00007FF67D230000-0x00007FF67D581000-memory.dmp	upx
behavioral2/memory/2216-137-0x00007FF73B0E0000-0x00007FF73B431000-memory.dmp	upx
behavioral2/files/0x0007000000023cc8-133.dat	upx
behavioral2/memory/5084-132-0x00007FF721D70000-0x00007FF7220C1000-memory.dmp	upx
behavioral2/memory/1720-129-0x00007FF7C5BC0000-0x00007FF7C5F11000-memory.dmp	upx
behavioral2/files/0x0007000000023cc2-128.dat	upx
behavioral2/files/0x0007000000023cc7-126.dat	upx
behavioral2/files/0x0007000000023cc6-124.dat	upx
behavioral2/files/0x0007000000023cc5-122.dat	upx
behavioral2/memory/5004-115-0x00007FF7EE5B0000-0x00007FF7EE901000-memory.dmp	upx
behavioral2/memory/3596-107-0x00007FF7AA870000-0x00007FF7AABC1000-memory.dmp	upx
behavioral2/memory/1340-106-0x00007FF6BBC60000-0x00007FF6BBFB1000-memory.dmp	upx
behavioral2/memory/3724-89-0x00007FF634D60000-0x00007FF6350B1000-memory.dmp	upx
behavioral2/memory/1472-88-0x00007FF739A30000-0x00007FF739D81000-memory.dmp	upx
behavioral2/memory/1096-87-0x00007FF623130000-0x00007FF623481000-memory.dmp	upx
behavioral2/memory/3620-85-0x00007FF769440000-0x00007FF769791000-memory.dmp	upx
behavioral2/memory/5032-84-0x00007FF68E810000-0x00007FF68EB61000-memory.dmp	upx
behavioral2/memory/3264-82-0x00007FF7D6DC0000-0x00007FF7D7111000-memory.dmp	upx
behavioral2/memory/4504-142-0x00007FF7EA020000-0x00007FF7EA371000-memory.dmp	upx
behavioral2/memory/3396-158-0x00007FF787180000-0x00007FF7874D1000-memory.dmp	upx
behavioral2/memory/2900-163-0x00007FF67D230000-0x00007FF67D581000-memory.dmp	upx
behavioral2/memory/4504-164-0x00007FF7EA020000-0x00007FF7EA371000-memory.dmp	upx
behavioral2/memory/2216-162-0x00007FF73B0E0000-0x00007FF73B431000-memory.dmp	upx
behavioral2/memory/1720-159-0x00007FF7C5BC0000-0x00007FF7C5F11000-memory.dmp	upx
behavioral2/memory/5004-156-0x00007FF7EE5B0000-0x00007FF7EE901000-memory.dmp	upx
behavioral2/memory/4504-165-0x00007FF7EA020000-0x00007FF7EA371000-memory.dmp	upx
behavioral2/memory/3264-195-0x00007FF7D6DC0000-0x00007FF7D7111000-memory.dmp	upx
behavioral2/memory/5032-197-0x00007FF68E810000-0x00007FF68EB61000-memory.dmp	upx
behavioral2/memory/3620-199-0x00007FF769440000-0x00007FF769791000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\bmLLuxa.exe	2024-11-17_89da154e88cbcf7ed2e639fc59535648_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RfnsqQw.exe	2024-11-17_89da154e88cbcf7ed2e639fc59535648_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tlyIXmB.exe	2024-11-17_89da154e88cbcf7ed2e639fc59535648_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WzbSVIp.exe	2024-11-17_89da154e88cbcf7ed2e639fc59535648_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sccWkar.exe	2024-11-17_89da154e88cbcf7ed2e639fc59535648_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EPAhRGr.exe	2024-11-17_89da154e88cbcf7ed2e639fc59535648_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\utZCJJd.exe	2024-11-17_89da154e88cbcf7ed2e639fc59535648_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FTgeKbV.exe	2024-11-17_89da154e88cbcf7ed2e639fc59535648_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AcUxFZU.exe	2024-11-17_89da154e88cbcf7ed2e639fc59535648_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pHNgleU.exe	2024-11-17_89da154e88cbcf7ed2e639fc59535648_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ndCJDAG.exe	2024-11-17_89da154e88cbcf7ed2e639fc59535648_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bfwGoGu.exe	2024-11-17_89da154e88cbcf7ed2e639fc59535648_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SDbPNSn.exe	2024-11-17_89da154e88cbcf7ed2e639fc59535648_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SSEvzGI.exe	2024-11-17_89da154e88cbcf7ed2e639fc59535648_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\duDEvQS.exe	2024-11-17_89da154e88cbcf7ed2e639fc59535648_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZvmpiEq.exe	2024-11-17_89da154e88cbcf7ed2e639fc59535648_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RhYpdaY.exe	2024-11-17_89da154e88cbcf7ed2e639fc59535648_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fZsqwSv.exe	2024-11-17_89da154e88cbcf7ed2e639fc59535648_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SoBYzIG.exe	2024-11-17_89da154e88cbcf7ed2e639fc59535648_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yMkTiJT.exe	2024-11-17_89da154e88cbcf7ed2e639fc59535648_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UvXrRPN.exe	2024-11-17_89da154e88cbcf7ed2e639fc59535648_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4504	2024-11-17_89da154e88cbcf7ed2e639fc59535648_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4504	2024-11-17_89da154e88cbcf7ed2e639fc59535648_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4504 wrote to memory of 3264	4504	2024-11-17_89da154e88cbcf7ed2e639fc59535648_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4504 wrote to memory of 3264	4504	2024-11-17_89da154e88cbcf7ed2e639fc59535648_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4504 wrote to memory of 5032	4504	2024-11-17_89da154e88cbcf7ed2e639fc59535648_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4504 wrote to memory of 5032	4504	2024-11-17_89da154e88cbcf7ed2e639fc59535648_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4504 wrote to memory of 3620	4504	2024-11-17_89da154e88cbcf7ed2e639fc59535648_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4504 wrote to memory of 3620	4504	2024-11-17_89da154e88cbcf7ed2e639fc59535648_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4504 wrote to memory of 1096	4504	2024-11-17_89da154e88cbcf7ed2e639fc59535648_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4504 wrote to memory of 1096	4504	2024-11-17_89da154e88cbcf7ed2e639fc59535648_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4504 wrote to memory of 1472	4504	2024-11-17_89da154e88cbcf7ed2e639fc59535648_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4504 wrote to memory of 1472	4504	2024-11-17_89da154e88cbcf7ed2e639fc59535648_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4504 wrote to memory of 3724	4504	2024-11-17_89da154e88cbcf7ed2e639fc59535648_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4504 wrote to memory of 3724	4504	2024-11-17_89da154e88cbcf7ed2e639fc59535648_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4504 wrote to memory of 3592	4504	2024-11-17_89da154e88cbcf7ed2e639fc59535648_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4504 wrote to memory of 3592	4504	2024-11-17_89da154e88cbcf7ed2e639fc59535648_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4504 wrote to memory of 2016	4504	2024-11-17_89da154e88cbcf7ed2e639fc59535648_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4504 wrote to memory of 2016	4504	2024-11-17_89da154e88cbcf7ed2e639fc59535648_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4504 wrote to memory of 332	4504	2024-11-17_89da154e88cbcf7ed2e639fc59535648_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4504 wrote to memory of 332	4504	2024-11-17_89da154e88cbcf7ed2e639fc59535648_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4504 wrote to memory of 4576	4504	2024-11-17_89da154e88cbcf7ed2e639fc59535648_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4504 wrote to memory of 4576	4504	2024-11-17_89da154e88cbcf7ed2e639fc59535648_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4504 wrote to memory of 3356	4504	2024-11-17_89da154e88cbcf7ed2e639fc59535648_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4504 wrote to memory of 3356	4504	2024-11-17_89da154e88cbcf7ed2e639fc59535648_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4504 wrote to memory of 1340	4504	2024-11-17_89da154e88cbcf7ed2e639fc59535648_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4504 wrote to memory of 1340	4504	2024-11-17_89da154e88cbcf7ed2e639fc59535648_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4504 wrote to memory of 3596	4504	2024-11-17_89da154e88cbcf7ed2e639fc59535648_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4504 wrote to memory of 3596	4504	2024-11-17_89da154e88cbcf7ed2e639fc59535648_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4504 wrote to memory of 5004	4504	2024-11-17_89da154e88cbcf7ed2e639fc59535648_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4504 wrote to memory of 5004	4504	2024-11-17_89da154e88cbcf7ed2e639fc59535648_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4504 wrote to memory of 664	4504	2024-11-17_89da154e88cbcf7ed2e639fc59535648_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4504 wrote to memory of 664	4504	2024-11-17_89da154e88cbcf7ed2e639fc59535648_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4504 wrote to memory of 3396	4504	2024-11-17_89da154e88cbcf7ed2e639fc59535648_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4504 wrote to memory of 3396	4504	2024-11-17_89da154e88cbcf7ed2e639fc59535648_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4504 wrote to memory of 1720	4504	2024-11-17_89da154e88cbcf7ed2e639fc59535648_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4504 wrote to memory of 1720	4504	2024-11-17_89da154e88cbcf7ed2e639fc59535648_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4504 wrote to memory of 5084	4504	2024-11-17_89da154e88cbcf7ed2e639fc59535648_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4504 wrote to memory of 5084	4504	2024-11-17_89da154e88cbcf7ed2e639fc59535648_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4504 wrote to memory of 3660	4504	2024-11-17_89da154e88cbcf7ed2e639fc59535648_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4504 wrote to memory of 3660	4504	2024-11-17_89da154e88cbcf7ed2e639fc59535648_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4504 wrote to memory of 2216	4504	2024-11-17_89da154e88cbcf7ed2e639fc59535648_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 4504 wrote to memory of 2216	4504	2024-11-17_89da154e88cbcf7ed2e639fc59535648_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 4504 wrote to memory of 2900	4504	2024-11-17_89da154e88cbcf7ed2e639fc59535648_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 4504 wrote to memory of 2900	4504	2024-11-17_89da154e88cbcf7ed2e639fc59535648_cobalt-strike_cobaltstrike_poet-rat.exe	106

C:\Users\Admin\AppData\Local\Temp\2024-11-17_89da154e88cbcf7ed2e639fc59535648_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-17_89da154e88cbcf7ed2e639fc59535648_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4504
- C:\Windows\System\bmLLuxa.exe
  C:\Windows\System\bmLLuxa.exe
  2⤵
  - Executes dropped EXE
  PID:3264
- C:\Windows\System\sccWkar.exe
  C:\Windows\System\sccWkar.exe
  2⤵
  - Executes dropped EXE
  PID:5032
- C:\Windows\System\ZvmpiEq.exe
  C:\Windows\System\ZvmpiEq.exe
  2⤵
  - Executes dropped EXE
  PID:3620
- C:\Windows\System\pHNgleU.exe
  C:\Windows\System\pHNgleU.exe
  2⤵
  - Executes dropped EXE
  PID:1096
- C:\Windows\System\RhYpdaY.exe
  C:\Windows\System\RhYpdaY.exe
  2⤵
  - Executes dropped EXE
  PID:1472
- C:\Windows\System\ndCJDAG.exe
  C:\Windows\System\ndCJDAG.exe
  2⤵
  - Executes dropped EXE
  PID:3724
- C:\Windows\System\fZsqwSv.exe
  C:\Windows\System\fZsqwSv.exe
  2⤵
  - Executes dropped EXE
  PID:3592
- C:\Windows\System\SoBYzIG.exe
  C:\Windows\System\SoBYzIG.exe
  2⤵
  - Executes dropped EXE
  PID:2016
- C:\Windows\System\EPAhRGr.exe
  C:\Windows\System\EPAhRGr.exe
  2⤵
  - Executes dropped EXE
  PID:332
- C:\Windows\System\bfwGoGu.exe
  C:\Windows\System\bfwGoGu.exe
  2⤵
  - Executes dropped EXE
  PID:4576
- C:\Windows\System\SDbPNSn.exe
  C:\Windows\System\SDbPNSn.exe
  2⤵
  - Executes dropped EXE
  PID:3356
- C:\Windows\System\yMkTiJT.exe
  C:\Windows\System\yMkTiJT.exe
  2⤵
  - Executes dropped EXE
  PID:1340
- C:\Windows\System\utZCJJd.exe
  C:\Windows\System\utZCJJd.exe
  2⤵
  - Executes dropped EXE
  PID:3596
- C:\Windows\System\RfnsqQw.exe
  C:\Windows\System\RfnsqQw.exe
  2⤵
  - Executes dropped EXE
  PID:5004
- C:\Windows\System\SSEvzGI.exe
  C:\Windows\System\SSEvzGI.exe
  2⤵
  - Executes dropped EXE
  PID:664
- C:\Windows\System\UvXrRPN.exe
  C:\Windows\System\UvXrRPN.exe
  2⤵
  - Executes dropped EXE
  PID:3396
- C:\Windows\System\tlyIXmB.exe
  C:\Windows\System\tlyIXmB.exe
  2⤵
  - Executes dropped EXE
  PID:1720
- C:\Windows\System\duDEvQS.exe
  C:\Windows\System\duDEvQS.exe
  2⤵
  - Executes dropped EXE
  PID:5084
- C:\Windows\System\WzbSVIp.exe
  C:\Windows\System\WzbSVIp.exe
  2⤵
  - Executes dropped EXE
  PID:3660
- C:\Windows\System\FTgeKbV.exe
  C:\Windows\System\FTgeKbV.exe
  2⤵
  - Executes dropped EXE
  PID:2216
- C:\Windows\System\AcUxFZU.exe
  C:\Windows\System\AcUxFZU.exe
  2⤵
  - Executes dropped EXE
  PID:2900

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AcUxFZU.exe

Filesize
5.2MB

MD5
2e3191b4bb382f8cdd48844658ee0d9f

SHA1
ebe0a296f3fa028642e48aa0aaabe37d8dcdb083

SHA256
f5d21ce4b430e3898581a84fb9414dd4a668eb05285096f57aeebd4b7a594668

SHA512
1ec75eb118be034120b5b51b237499aa3c9bff8534512176be4c5c4b7939e1016fa4cace9eb6ac19e3ecff5f5d5a075a9e11f15489f58c0730d33aaa6d88e39a

Download Submit
C:\Windows\System\EPAhRGr.exe

Filesize
5.2MB

MD5
be61220e0b03e856fa7681671b82ab4e

SHA1
507960001223fdcaf6ddfcb88dc5de4da3e6a300

SHA256
d4d3b871f3278c8348b38d731c1f90cb85c167d3eb5d1639145db92213edc547

SHA512
74d01a1d2a5610da211c3a7e87b0e0484d8bc977b524eb5813a7daf1b12f5fc93822acf545d618675849c20e6f7c3fb62d40ceff45d27e432b6575ab3bc0369a

Download Submit
C:\Windows\System\FTgeKbV.exe

Filesize
5.2MB

MD5
71e55382763f11fd77571353e9eb4949

SHA1
1d83ca535e8e4ac7a66696e52753b5052cfb0548

SHA256
d8826de432e4b38ab8580101238c55512723f4227a5b01a977f80699d0a66d39

SHA512
cb0724dc8b552f97ab42d8747ab972c96d8c68196388ec288c777088b53de535f7743f7ccae8fdc4273cb1f2c43a0d33ea67960b459b94e4da88c2541829f344

Download Submit
C:\Windows\System\RfnsqQw.exe

Filesize
5.2MB

MD5
b1778b73a3e989ac2bd9c1cbf20197e6

SHA1
a3fde50413530decc11f0e717740f9fd7f4d3dca

SHA256
0fc57e42c980fbc027419e2dc5f69e65dd6d9a59375601b530efe3cce311aa68

SHA512
8ca8b22a42704ed555bd6bbd2a7c5c7f7c8c6db656e33d34b3c3b91747dd58858c5edef5cb2894afa92279320f018e6801c15d484be649860e5053b02c432a8a

Download Submit
C:\Windows\System\RhYpdaY.exe

Filesize
5.2MB

MD5
e2404f34c2a3d3baaa0da4425ef5d327

SHA1
0e000f3314917155a0c3c1160fa5773b75a7b4d5

SHA256
feced02547f029b30f8e386bc25303f40c0449ecfab34999ae61a4821cb8900d

SHA512
2a897f0ed58b19e3d389eeddc00461c0cb1a8f0685853d70ff8347816436ca91ded69c1054bb80dd5c3f4c4cfd43d70b8a4f9f209ff1606f3902d311c944825c

Download Submit
C:\Windows\System\SDbPNSn.exe

Filesize
5.2MB

MD5
c6be9cbece53fe9f4d50cb7da4d32989

SHA1
524814f204026a9db132f6fc928a282248ee9c94

SHA256
e2d2f2a2669c68224ff7c8ca96900797f33c528875372bf72d9d9d49e49a03f7

SHA512
0bc9f9707e40835bf771a975eff02ad4d059d071640df1b44330e35c221f3b2fe1db62c375bebb5146f09d8c60ed030afb4321136a6c168825a16fc394925ceb

Download Submit
C:\Windows\System\SSEvzGI.exe

Filesize
5.2MB

MD5
69984c3477e16d291b3de95111520fbd

SHA1
f351bd005fb360b0c94c6590a12d8e1176b72f23

SHA256
986726d148a6ea6ddffafa836310cbbe8cbced930eb359fc1084fbffcc505410

SHA512
84c217aa96123368cf1cfab3436101f6b518d6356711509301a271488a757cd45f71d3bc89611875b0f928a20f784e6b375437453e6fab659d78043bb71286ba

Download Submit
C:\Windows\System\SoBYzIG.exe

Filesize
5.2MB

MD5
c7d1e86ab19d4a072c8f2adef4b805e9

SHA1
02e46fb1a2d4aab08367b4014874ff632e1c53b2

SHA256
e6501b3f534ec418d1bead17784452b09385771e0c47d67e0a4353148676139d

SHA512
bf47529103924b8ab3e2e0c4298ffcfd063493f692654de039a74fbfacbeb139d88112602c9624e16c3e559eebcce4fde7ce4812d5f8e6d05d8d1d880aa85a6b

Download Submit
C:\Windows\System\UvXrRPN.exe

Filesize
5.2MB

MD5
63c648bbb21144f4d80dd8dce70f18ce

SHA1
0f04b867368d329790667d1670e2407bce529323

SHA256
fadcc6af286f6601f47698a06f963778289e70a816d4fd653660b205141cb242

SHA512
bcbec59d4633158e87ee50f0ff627af4c257e8dd1438346d15080d6cdf99b3b7efa785594bd6e81d0a5cbc32b5854c7ebf9715f02ecb00aa2989fe4afbd1610e

Download Submit
C:\Windows\System\WzbSVIp.exe

Filesize
5.2MB

MD5
4580677ba1426fd46b852a3ae8974aa1

SHA1
0aa5fec7a87b7bbbf6853cac34dcf02e2e305b18

SHA256
113fac18e6a40837faf5af37e5e756fe62ed6daf8df493b0f7b2f3fb6110bf2e

SHA512
686e2f2ad4d9c667579a1bef7a4f507c7565157e9139e60ccd59c1653c3fe94f67232ec690edbe06f01d8fe3f17894531b510f5d59f6f85f2287f07d7c76d9e4

Download Submit
C:\Windows\System\ZvmpiEq.exe

Filesize
5.2MB

MD5
cf73315fb2bf72f812b9f6b03de609a3

SHA1
fd70d6955c98f1f5f49fb419c2ea648b3f5633ab

SHA256
c322997a80ae7c49fd5248ce4b13f8d9bd8b8ba2b3612ccd5adaa5ca4de4935d

SHA512
b8e328bc5a4ec213a75e34e6d98e2b7f7ed91e4f416ea17b2de3d1a2eeec8c3ffb13dc466610c3db3d4e9722f51bf2cd0b9325999546d68ad3a5e5e4166aa70d

Download Submit
C:\Windows\System\bfwGoGu.exe

Filesize
5.2MB

MD5
6ef89d25cf8c0e00c2305bdde09c2cc6

SHA1
265664c5189e01577c84a2385e55eaf4316d372d

SHA256
214fd897f2c61d04ae8eec23df9f38d547e4e76501b6ae4a09cc3baca3763134

SHA512
2d9fc0c00443a493df4bdc92c314108815bfe8e8f8f4d091a1f5465328923e7c7f9d1b18bb161aad98eb7bbb1325e79a6385a78f15532f302c591c8374258bb7

Download Submit
C:\Windows\System\bmLLuxa.exe

Filesize
5.2MB

MD5
9b02f070eda9a20cfdf4db9845fe5dd8

SHA1
1504b588defc800c64f96e298ae6bba25ffd2db2

SHA256
4e6da27602ca3e67b564e53e089932872d9261013076ba1f796d4cc4ec003705

SHA512
bd47b4c3d9e9bd41273d466c54db551b774a578e2d7b3bf901ec712ee3aec1686994f5ea48e333b870f607d2c9a16b369fe6ee6629311d922afa1b396ca0bf87

Download Submit
C:\Windows\System\duDEvQS.exe

Filesize
5.2MB

MD5
3346f01bf584d99b9bdc826f27260d2e

SHA1
fb0f5c4f9d5340cae102df3b56ff773cf49aafd8

SHA256
7306804c9d146cbf458961a5ce30a8181445dc26f6d752a1cbf8b00f05a33627

SHA512
53b16d3a10762a555fe70d1796089cdbb1c8b6c53d2272ba12646092da1dc819a9c9a3bbcfc9a1c56d7a10ba2509e708010a80f6442239123fb763e15c913704

Download Submit
C:\Windows\System\fZsqwSv.exe

Filesize
5.2MB

MD5
e00542a25f831c4c938e2a66c52c74ff

SHA1
3c095c23842af45ff47e680994fadcd824f83a3e

SHA256
c0773630fab3764f050f9790012c36c4e7a084e8c14c3844125c1bbfa39c19d3

SHA512
483e3eec004bcb240d5a6ba2a3e5a35d025bc158d4ca9f0244acd5e5a4f21f5ae0836268e6ed9c1391d7a04dc362f001eb22d9a8d40aae875942094ee468a5fa

Download Submit
C:\Windows\System\ndCJDAG.exe

Filesize
5.2MB

MD5
2811da2ebfd88b3e378886ff06d7c8ac

SHA1
2fe3f7db5adf3fdea40c6756228666763adb95ea

SHA256
8dbdcda0f7959f619230964f0b8ad7a0a9a7e2a77fc5015c5333ad67f4663235

SHA512
7cd51ce8b5903d995f8c01333fe11d3a51e4d679ee9904041e4fb2adbadd5eebf3b7234b67441727d6583f9e0a4b82ee8d06d73c6696301a9d07f26ef3f8db00

Download Submit
C:\Windows\System\pHNgleU.exe

Filesize
5.2MB

MD5
acade01a45ee8447177e410728567c26

SHA1
46a3a27c50f2a56cc5504773835edcc0c771d4c2

SHA256
daddd329746db5d36ba6d496d6602e912792a57af6db8addbc0bf337edfb3fee

SHA512
93a6e58533478128e58aea4c5a2b7ce0fd5750dc677fa6e5f2b04f2477905efc205831cce0eff6f4221ddc2d313d2129e2ac407ade98b34ca234adfa5bf199f1

Download Submit
C:\Windows\System\sccWkar.exe

Filesize
5.2MB

MD5
28b2ee5f2a51193ba8401d4e5c6add13

SHA1
6d0587f6fd8ca46cac16127bede3ee313231df66

SHA256
a285c76b9dc58e697768bd5092b883100d7ad1214bd557b153976c66c02762e1

SHA512
d60dbce78167d1827d14ede493276cfa3b8868dc58a170b8db5ed55a870ed8a9b88aa57aeb3f040139daa9cded4dd2b47bc8b60fa3eaedbaf99d872d5a6d7dcb

Download Submit
C:\Windows\System\tlyIXmB.exe

Filesize
5.2MB

MD5
ae9e7cfdccade305a52dffa25b70ce6f

SHA1
d6d8d958fac4a389bad5fc7666e47a30b3c636e1

SHA256
fd9058d0527062f8e1e7e63fc1970eaa11a31ddb732a66351dfd17b223a83f11

SHA512
e7a7e2644da451076590be3ed267843fbb7f3a266750e30668350ad54c3ec833a62bc92ddf8d35fda13a800ed890018d7151d8fa3e28a3f92332254ad1d5480e

Download Submit
C:\Windows\System\utZCJJd.exe

Filesize
5.2MB

MD5
a4cf2c6cc954d3146ad04d7bc27db341

SHA1
49e1fac784860b21f0797c654e46eb5ed17a6448

SHA256
ebbe8e2571a624e7f9aac692bb074fd71a168aeddef1ed3693c9a7e6c5aa0e78

SHA512
97d8ba4698d43dbd9cf6b5a1969cd64d8304dcd3cd36afe8181342d5e14ecca0a489530e5aa99a8fc0f344cf12212f3389b22b43943bbbad65c332f11fa6179e

Download Submit
C:\Windows\System\yMkTiJT.exe

Filesize
5.2MB

MD5
b73c266a76c5a8553cbb4fcd3a0e0e5c

SHA1
b4bc85402cfccea698edf6e00273a1516f238dee

SHA256
85270c72e1a7dfb7cab0d12a3fab3b95f408734e3471976e726262bfb6e30e2d

SHA512
eb93ba99c759a0ea6e7ef674cd15a041622c853fee67fdc23f0b231b145fb88229ebf39446dda212a83eed4d0c5bbef254818af685e3104cf22de127fcd4d2f7

Download Submit
memory/332-66-0x00007FF69DC30000-0x00007FF69DF81000-memory.dmp

Filesize
3.3MB

Download
memory/332-224-0x00007FF69DC30000-0x00007FF69DF81000-memory.dmp

Filesize
3.3MB

Download
memory/664-136-0x00007FF72A3F0000-0x00007FF72A741000-memory.dmp

Filesize
3.3MB

Download
memory/664-253-0x00007FF72A3F0000-0x00007FF72A741000-memory.dmp

Filesize
3.3MB

Download
memory/1096-23-0x00007FF623130000-0x00007FF623481000-memory.dmp

Filesize
3.3MB

Download
memory/1096-87-0x00007FF623130000-0x00007FF623481000-memory.dmp

Filesize
3.3MB

Download
memory/1096-209-0x00007FF623130000-0x00007FF623481000-memory.dmp

Filesize
3.3MB

Download
memory/1340-73-0x00007FF6BBC60000-0x00007FF6BBFB1000-memory.dmp

Filesize
3.3MB

Download
memory/1340-106-0x00007FF6BBC60000-0x00007FF6BBFB1000-memory.dmp

Filesize
3.3MB

Download
memory/1340-220-0x00007FF6BBC60000-0x00007FF6BBFB1000-memory.dmp

Filesize
3.3MB

Download
memory/1472-29-0x00007FF739A30000-0x00007FF739D81000-memory.dmp

Filesize
3.3MB

Download
memory/1472-88-0x00007FF739A30000-0x00007FF739D81000-memory.dmp

Filesize
3.3MB

Download
memory/1472-213-0x00007FF739A30000-0x00007FF739D81000-memory.dmp

Filesize
3.3MB

Download
memory/1720-129-0x00007FF7C5BC0000-0x00007FF7C5F11000-memory.dmp

Filesize
3.3MB

Download
memory/1720-159-0x00007FF7C5BC0000-0x00007FF7C5F11000-memory.dmp

Filesize
3.3MB

Download
memory/1720-256-0x00007FF7C5BC0000-0x00007FF7C5F11000-memory.dmp

Filesize
3.3MB

Download
memory/2016-58-0x00007FF6DE770000-0x00007FF6DEAC1000-memory.dmp

Filesize
3.3MB

Download
memory/2016-216-0x00007FF6DE770000-0x00007FF6DEAC1000-memory.dmp

Filesize
3.3MB

Download
memory/2216-137-0x00007FF73B0E0000-0x00007FF73B431000-memory.dmp

Filesize
3.3MB

Download
memory/2216-260-0x00007FF73B0E0000-0x00007FF73B431000-memory.dmp

Filesize
3.3MB

Download
memory/2216-162-0x00007FF73B0E0000-0x00007FF73B431000-memory.dmp

Filesize
3.3MB

Download
memory/2900-138-0x00007FF67D230000-0x00007FF67D581000-memory.dmp

Filesize
3.3MB

Download
memory/2900-258-0x00007FF67D230000-0x00007FF67D581000-memory.dmp

Filesize
3.3MB

Download
memory/2900-163-0x00007FF67D230000-0x00007FF67D581000-memory.dmp

Filesize
3.3MB

Download
memory/3264-6-0x00007FF7D6DC0000-0x00007FF7D7111000-memory.dmp

Filesize
3.3MB

Download
memory/3264-195-0x00007FF7D6DC0000-0x00007FF7D7111000-memory.dmp

Filesize
3.3MB

Download
memory/3264-82-0x00007FF7D6DC0000-0x00007FF7D7111000-memory.dmp

Filesize
3.3MB

Download
memory/3356-70-0x00007FF69FCC0000-0x00007FF6A0011000-memory.dmp

Filesize
3.3MB

Download
memory/3356-94-0x00007FF69FCC0000-0x00007FF6A0011000-memory.dmp

Filesize
3.3MB

Download
memory/3356-221-0x00007FF69FCC0000-0x00007FF6A0011000-memory.dmp

Filesize
3.3MB

Download
memory/3396-120-0x00007FF787180000-0x00007FF7874D1000-memory.dmp

Filesize
3.3MB

Download
memory/3396-245-0x00007FF787180000-0x00007FF7874D1000-memory.dmp

Filesize
3.3MB

Download
memory/3396-158-0x00007FF787180000-0x00007FF7874D1000-memory.dmp

Filesize
3.3MB

Download
memory/3592-77-0x00007FF6BB1E0000-0x00007FF6BB531000-memory.dmp

Filesize
3.3MB

Download
memory/3592-217-0x00007FF6BB1E0000-0x00007FF6BB531000-memory.dmp

Filesize
3.3MB

Download
memory/3596-79-0x00007FF7AA870000-0x00007FF7AABC1000-memory.dmp

Filesize
3.3MB

Download
memory/3596-107-0x00007FF7AA870000-0x00007FF7AABC1000-memory.dmp

Filesize
3.3MB

Download
memory/3596-225-0x00007FF7AA870000-0x00007FF7AABC1000-memory.dmp

Filesize
3.3MB

Download
memory/3620-199-0x00007FF769440000-0x00007FF769791000-memory.dmp

Filesize
3.3MB

Download
memory/3620-85-0x00007FF769440000-0x00007FF769791000-memory.dmp

Filesize
3.3MB

Download
memory/3620-18-0x00007FF769440000-0x00007FF769791000-memory.dmp

Filesize
3.3MB

Download
memory/3660-252-0x00007FF6FC6E0000-0x00007FF6FCA31000-memory.dmp

Filesize
3.3MB

Download
memory/3660-134-0x00007FF6FC6E0000-0x00007FF6FCA31000-memory.dmp

Filesize
3.3MB

Download
memory/3724-212-0x00007FF634D60000-0x00007FF6350B1000-memory.dmp

Filesize
3.3MB

Download
memory/3724-53-0x00007FF634D60000-0x00007FF6350B1000-memory.dmp

Filesize
3.3MB

Download
memory/3724-89-0x00007FF634D60000-0x00007FF6350B1000-memory.dmp

Filesize
3.3MB

Download
memory/4504-164-0x00007FF7EA020000-0x00007FF7EA371000-memory.dmp

Filesize
3.3MB

Download
memory/4504-1-0x0000014699870000-0x0000014699880000-memory.dmp

Filesize
64KB

Download
memory/4504-165-0x00007FF7EA020000-0x00007FF7EA371000-memory.dmp

Filesize
3.3MB

Download
memory/4504-0-0x00007FF7EA020000-0x00007FF7EA371000-memory.dmp

Filesize
3.3MB

Download
memory/4504-142-0x00007FF7EA020000-0x00007FF7EA371000-memory.dmp

Filesize
3.3MB

Download
memory/4504-81-0x00007FF7EA020000-0x00007FF7EA371000-memory.dmp

Filesize
3.3MB

Download
memory/4576-78-0x00007FF647EE0000-0x00007FF648231000-memory.dmp

Filesize
3.3MB

Download
memory/4576-227-0x00007FF647EE0000-0x00007FF648231000-memory.dmp

Filesize
3.3MB

Download
memory/5004-156-0x00007FF7EE5B0000-0x00007FF7EE901000-memory.dmp

Filesize
3.3MB

Download
memory/5004-247-0x00007FF7EE5B0000-0x00007FF7EE901000-memory.dmp

Filesize
3.3MB

Download
memory/5004-115-0x00007FF7EE5B0000-0x00007FF7EE901000-memory.dmp

Filesize
3.3MB

Download
memory/5032-84-0x00007FF68E810000-0x00007FF68EB61000-memory.dmp

Filesize
3.3MB

Download
memory/5032-12-0x00007FF68E810000-0x00007FF68EB61000-memory.dmp

Filesize
3.3MB

Download
memory/5032-197-0x00007FF68E810000-0x00007FF68EB61000-memory.dmp

Filesize
3.3MB

Download
memory/5084-249-0x00007FF721D70000-0x00007FF7220C1000-memory.dmp

Filesize
3.3MB

Download
memory/5084-132-0x00007FF721D70000-0x00007FF7220C1000-memory.dmp

Filesize
3.3MB

Download