cobaltstrike | ca32e834c6a719da8248e3df8e118c02e592c7ce7b0cbf7e758ab6eb384db953

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-11-2024 10:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-17_a85e71a04519498a8dacb40825d29b20_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

a85e71a04519498a8dacb40825d29b20
SHA1

36779c5a3c9a3edc3216dd3cd88b30f02e816ba6
SHA256

ca32e834c6a719da8248e3df8e118c02e592c7ce7b0cbf7e758ab6eb384db953
SHA512

976926cce083cece58498bc6b3cecad338b5f17bd9d559838b316d512cb0d1328e2a7fe69218439eb6313f0d88216eca9613bbd43071b816ce9128cfb50cebfe
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lY:RWWBibf56utgpPFotBER/mQ32lUU

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000c000000023b31-5.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b91-19.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b90-21.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b92-32.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b95-47.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b97-54.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b96-58.dat	cobalt_reflective_dll
behavioral2/files/0x000c000000023b8d-72.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b99-87.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9c-93.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9b-91.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9a-89.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba9-113.dat	cobalt_reflective_dll
behavioral2/files/0x000e000000023bb0-117.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023ba1-108.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023ba0-103.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9d-98.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b98-84.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b94-44.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b93-36.dat	cobalt_reflective_dll
behavioral2/files/0x000c000000023b8c-14.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/2992-74-0x00007FF7D7780000-0x00007FF7D7AD1000-memory.dmp	xmrig
behavioral2/memory/408-43-0x00007FF7D4670000-0x00007FF7D49C1000-memory.dmp	xmrig
behavioral2/memory/3036-34-0x00007FF674F50000-0x00007FF6752A1000-memory.dmp	xmrig
behavioral2/memory/1324-119-0x00007FF7563F0000-0x00007FF756741000-memory.dmp	xmrig
behavioral2/memory/964-123-0x00007FF6BBF20000-0x00007FF6BC271000-memory.dmp	xmrig
behavioral2/memory/3256-131-0x00007FF66B510000-0x00007FF66B861000-memory.dmp	xmrig
behavioral2/memory/2564-139-0x00007FF7B61E0000-0x00007FF7B6531000-memory.dmp	xmrig
behavioral2/memory/3548-140-0x00007FF74C0D0000-0x00007FF74C421000-memory.dmp	xmrig
behavioral2/memory/3152-138-0x00007FF6D59C0000-0x00007FF6D5D11000-memory.dmp	xmrig
behavioral2/memory/2188-137-0x00007FF71B670000-0x00007FF71B9C1000-memory.dmp	xmrig
behavioral2/memory/4912-136-0x00007FF615960000-0x00007FF615CB1000-memory.dmp	xmrig
behavioral2/memory/3176-135-0x00007FF719160000-0x00007FF7194B1000-memory.dmp	xmrig
behavioral2/memory/3528-134-0x00007FF6CEB00000-0x00007FF6CEE51000-memory.dmp	xmrig
behavioral2/memory/4568-133-0x00007FF743260000-0x00007FF7435B1000-memory.dmp	xmrig
behavioral2/memory/4032-132-0x00007FF69BBD0000-0x00007FF69BF21000-memory.dmp	xmrig
behavioral2/memory/4720-130-0x00007FF74B8E0000-0x00007FF74BC31000-memory.dmp	xmrig
behavioral2/memory/1488-127-0x00007FF6DEA40000-0x00007FF6DED91000-memory.dmp	xmrig
behavioral2/memory/1908-126-0x00007FF6C4340000-0x00007FF6C4691000-memory.dmp	xmrig
behavioral2/memory/5104-125-0x00007FF6B5C40000-0x00007FF6B5F91000-memory.dmp	xmrig
behavioral2/memory/4712-121-0x00007FF6CCF50000-0x00007FF6CD2A1000-memory.dmp	xmrig
behavioral2/memory/1844-120-0x00007FF7584F0000-0x00007FF758841000-memory.dmp	xmrig
behavioral2/memory/3696-128-0x00007FF7E30F0000-0x00007FF7E3441000-memory.dmp	xmrig
behavioral2/memory/1324-141-0x00007FF7563F0000-0x00007FF756741000-memory.dmp	xmrig
behavioral2/memory/1324-142-0x00007FF7563F0000-0x00007FF756741000-memory.dmp	xmrig
behavioral2/memory/1844-194-0x00007FF7584F0000-0x00007FF758841000-memory.dmp	xmrig
behavioral2/memory/3036-197-0x00007FF674F50000-0x00007FF6752A1000-memory.dmp	xmrig
behavioral2/memory/4712-198-0x00007FF6CCF50000-0x00007FF6CD2A1000-memory.dmp	xmrig
behavioral2/memory/964-209-0x00007FF6BBF20000-0x00007FF6BC271000-memory.dmp	xmrig
behavioral2/memory/408-211-0x00007FF7D4670000-0x00007FF7D49C1000-memory.dmp	xmrig
behavioral2/memory/3696-219-0x00007FF7E30F0000-0x00007FF7E3441000-memory.dmp	xmrig
behavioral2/memory/2992-221-0x00007FF7D7780000-0x00007FF7D7AD1000-memory.dmp	xmrig
behavioral2/memory/5104-215-0x00007FF6B5C40000-0x00007FF6B5F91000-memory.dmp	xmrig
behavioral2/memory/1908-214-0x00007FF6C4340000-0x00007FF6C4691000-memory.dmp	xmrig
behavioral2/memory/1488-217-0x00007FF6DEA40000-0x00007FF6DED91000-memory.dmp	xmrig
behavioral2/memory/3528-234-0x00007FF6CEB00000-0x00007FF6CEE51000-memory.dmp	xmrig
behavioral2/memory/3256-239-0x00007FF66B510000-0x00007FF66B861000-memory.dmp	xmrig
behavioral2/memory/4032-238-0x00007FF69BBD0000-0x00007FF69BF21000-memory.dmp	xmrig
behavioral2/memory/3176-236-0x00007FF719160000-0x00007FF7194B1000-memory.dmp	xmrig
behavioral2/memory/4720-231-0x00007FF74B8E0000-0x00007FF74BC31000-memory.dmp	xmrig
behavioral2/memory/4568-230-0x00007FF743260000-0x00007FF7435B1000-memory.dmp	xmrig
behavioral2/memory/2188-248-0x00007FF71B670000-0x00007FF71B9C1000-memory.dmp	xmrig
behavioral2/memory/4912-249-0x00007FF615960000-0x00007FF615CB1000-memory.dmp	xmrig
behavioral2/memory/2564-244-0x00007FF7B61E0000-0x00007FF7B6531000-memory.dmp	xmrig
behavioral2/memory/3548-242-0x00007FF74C0D0000-0x00007FF74C421000-memory.dmp	xmrig
behavioral2/memory/3152-246-0x00007FF6D59C0000-0x00007FF6D5D11000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
1844	CIoNGiY.exe
4712	tmgIKrX.exe
3036	RNuRfpP.exe
964	QgseYZn.exe
408	DVkupni.exe
5104	xBqKXGu.exe
1908	hPuagBn.exe
1488	KerNyPe.exe
3696	Wigyetp.exe
2992	QnjiSok.exe
4720	voZWeGA.exe
3256	TkwPIgv.exe
4032	UyRYOTZ.exe
4568	cWhnOQW.exe
3528	JkmQqZp.exe
3176	DFUibSP.exe
4912	KhMOhCE.exe
2188	VwuJvuE.exe
3152	ehzkmTl.exe
2564	IXLVPPH.exe
3548	cEmYggH.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1324-0-0x00007FF7563F0000-0x00007FF756741000-memory.dmp	upx
behavioral2/files/0x000c000000023b31-5.dat	upx
behavioral2/files/0x000a000000023b91-19.dat	upx
behavioral2/files/0x000a000000023b90-21.dat	upx
behavioral2/files/0x000a000000023b92-32.dat	upx
behavioral2/memory/5104-38-0x00007FF6B5C40000-0x00007FF6B5F91000-memory.dmp	upx
behavioral2/files/0x000a000000023b95-47.dat	upx
behavioral2/files/0x000a000000023b97-54.dat	upx
behavioral2/files/0x000a000000023b96-58.dat	upx
behavioral2/memory/4720-68-0x00007FF74B8E0000-0x00007FF74BC31000-memory.dmp	upx
behavioral2/files/0x000c000000023b8d-72.dat	upx
behavioral2/memory/2992-74-0x00007FF7D7780000-0x00007FF7D7AD1000-memory.dmp	upx
behavioral2/files/0x000a000000023b99-87.dat	upx
behavioral2/files/0x000a000000023b9c-93.dat	upx
behavioral2/files/0x000a000000023b9b-91.dat	upx
behavioral2/files/0x000a000000023b9a-89.dat	upx
behavioral2/files/0x000a000000023ba9-113.dat	upx
behavioral2/files/0x000e000000023bb0-117.dat	upx
behavioral2/files/0x000b000000023ba1-108.dat	upx
behavioral2/files/0x000b000000023ba0-103.dat	upx
behavioral2/files/0x000a000000023b9d-98.dat	upx
behavioral2/files/0x000a000000023b98-84.dat	upx
behavioral2/memory/3256-79-0x00007FF66B510000-0x00007FF66B861000-memory.dmp	upx
behavioral2/memory/3696-57-0x00007FF7E30F0000-0x00007FF7E3441000-memory.dmp	upx
behavioral2/memory/1488-52-0x00007FF6DEA40000-0x00007FF6DED91000-memory.dmp	upx
behavioral2/memory/1908-48-0x00007FF6C4340000-0x00007FF6C4691000-memory.dmp	upx
behavioral2/files/0x000a000000023b94-44.dat	upx
behavioral2/memory/408-43-0x00007FF7D4670000-0x00007FF7D49C1000-memory.dmp	upx
behavioral2/files/0x000a000000023b93-36.dat	upx
behavioral2/memory/3036-34-0x00007FF674F50000-0x00007FF6752A1000-memory.dmp	upx
behavioral2/memory/964-20-0x00007FF6BBF20000-0x00007FF6BC271000-memory.dmp	upx
behavioral2/memory/4712-17-0x00007FF6CCF50000-0x00007FF6CD2A1000-memory.dmp	upx
behavioral2/files/0x000c000000023b8c-14.dat	upx
behavioral2/memory/1844-7-0x00007FF7584F0000-0x00007FF758841000-memory.dmp	upx
behavioral2/memory/1324-119-0x00007FF7563F0000-0x00007FF756741000-memory.dmp	upx
behavioral2/memory/964-123-0x00007FF6BBF20000-0x00007FF6BC271000-memory.dmp	upx
behavioral2/memory/3256-131-0x00007FF66B510000-0x00007FF66B861000-memory.dmp	upx
behavioral2/memory/2564-139-0x00007FF7B61E0000-0x00007FF7B6531000-memory.dmp	upx
behavioral2/memory/3548-140-0x00007FF74C0D0000-0x00007FF74C421000-memory.dmp	upx
behavioral2/memory/3152-138-0x00007FF6D59C0000-0x00007FF6D5D11000-memory.dmp	upx
behavioral2/memory/2188-137-0x00007FF71B670000-0x00007FF71B9C1000-memory.dmp	upx
behavioral2/memory/4912-136-0x00007FF615960000-0x00007FF615CB1000-memory.dmp	upx
behavioral2/memory/3176-135-0x00007FF719160000-0x00007FF7194B1000-memory.dmp	upx
behavioral2/memory/3528-134-0x00007FF6CEB00000-0x00007FF6CEE51000-memory.dmp	upx
behavioral2/memory/4568-133-0x00007FF743260000-0x00007FF7435B1000-memory.dmp	upx
behavioral2/memory/4032-132-0x00007FF69BBD0000-0x00007FF69BF21000-memory.dmp	upx
behavioral2/memory/4720-130-0x00007FF74B8E0000-0x00007FF74BC31000-memory.dmp	upx
behavioral2/memory/1488-127-0x00007FF6DEA40000-0x00007FF6DED91000-memory.dmp	upx
behavioral2/memory/1908-126-0x00007FF6C4340000-0x00007FF6C4691000-memory.dmp	upx
behavioral2/memory/5104-125-0x00007FF6B5C40000-0x00007FF6B5F91000-memory.dmp	upx
behavioral2/memory/4712-121-0x00007FF6CCF50000-0x00007FF6CD2A1000-memory.dmp	upx
behavioral2/memory/1844-120-0x00007FF7584F0000-0x00007FF758841000-memory.dmp	upx
behavioral2/memory/3696-128-0x00007FF7E30F0000-0x00007FF7E3441000-memory.dmp	upx
behavioral2/memory/1324-141-0x00007FF7563F0000-0x00007FF756741000-memory.dmp	upx
behavioral2/memory/1324-142-0x00007FF7563F0000-0x00007FF756741000-memory.dmp	upx
behavioral2/memory/1844-194-0x00007FF7584F0000-0x00007FF758841000-memory.dmp	upx
behavioral2/memory/3036-197-0x00007FF674F50000-0x00007FF6752A1000-memory.dmp	upx
behavioral2/memory/4712-198-0x00007FF6CCF50000-0x00007FF6CD2A1000-memory.dmp	upx
behavioral2/memory/964-209-0x00007FF6BBF20000-0x00007FF6BC271000-memory.dmp	upx
behavioral2/memory/408-211-0x00007FF7D4670000-0x00007FF7D49C1000-memory.dmp	upx
behavioral2/memory/3696-219-0x00007FF7E30F0000-0x00007FF7E3441000-memory.dmp	upx
behavioral2/memory/2992-221-0x00007FF7D7780000-0x00007FF7D7AD1000-memory.dmp	upx
behavioral2/memory/5104-215-0x00007FF6B5C40000-0x00007FF6B5F91000-memory.dmp	upx
behavioral2/memory/1908-214-0x00007FF6C4340000-0x00007FF6C4691000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\JkmQqZp.exe	2024-11-17_a85e71a04519498a8dacb40825d29b20_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KhMOhCE.exe	2024-11-17_a85e71a04519498a8dacb40825d29b20_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IXLVPPH.exe	2024-11-17_a85e71a04519498a8dacb40825d29b20_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QgseYZn.exe	2024-11-17_a85e71a04519498a8dacb40825d29b20_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hPuagBn.exe	2024-11-17_a85e71a04519498a8dacb40825d29b20_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DVkupni.exe	2024-11-17_a85e71a04519498a8dacb40825d29b20_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\voZWeGA.exe	2024-11-17_a85e71a04519498a8dacb40825d29b20_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UyRYOTZ.exe	2024-11-17_a85e71a04519498a8dacb40825d29b20_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cWhnOQW.exe	2024-11-17_a85e71a04519498a8dacb40825d29b20_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CIoNGiY.exe	2024-11-17_a85e71a04519498a8dacb40825d29b20_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tmgIKrX.exe	2024-11-17_a85e71a04519498a8dacb40825d29b20_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KerNyPe.exe	2024-11-17_a85e71a04519498a8dacb40825d29b20_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\Wigyetp.exe	2024-11-17_a85e71a04519498a8dacb40825d29b20_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TkwPIgv.exe	2024-11-17_a85e71a04519498a8dacb40825d29b20_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cEmYggH.exe	2024-11-17_a85e71a04519498a8dacb40825d29b20_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RNuRfpP.exe	2024-11-17_a85e71a04519498a8dacb40825d29b20_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xBqKXGu.exe	2024-11-17_a85e71a04519498a8dacb40825d29b20_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VwuJvuE.exe	2024-11-17_a85e71a04519498a8dacb40825d29b20_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ehzkmTl.exe	2024-11-17_a85e71a04519498a8dacb40825d29b20_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QnjiSok.exe	2024-11-17_a85e71a04519498a8dacb40825d29b20_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DFUibSP.exe	2024-11-17_a85e71a04519498a8dacb40825d29b20_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1324	2024-11-17_a85e71a04519498a8dacb40825d29b20_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	1324	2024-11-17_a85e71a04519498a8dacb40825d29b20_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1324 wrote to memory of 1844	1324	2024-11-17_a85e71a04519498a8dacb40825d29b20_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 1324 wrote to memory of 1844	1324	2024-11-17_a85e71a04519498a8dacb40825d29b20_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 1324 wrote to memory of 4712	1324	2024-11-17_a85e71a04519498a8dacb40825d29b20_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 1324 wrote to memory of 4712	1324	2024-11-17_a85e71a04519498a8dacb40825d29b20_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 1324 wrote to memory of 3036	1324	2024-11-17_a85e71a04519498a8dacb40825d29b20_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 1324 wrote to memory of 3036	1324	2024-11-17_a85e71a04519498a8dacb40825d29b20_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 1324 wrote to memory of 964	1324	2024-11-17_a85e71a04519498a8dacb40825d29b20_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 1324 wrote to memory of 964	1324	2024-11-17_a85e71a04519498a8dacb40825d29b20_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 1324 wrote to memory of 408	1324	2024-11-17_a85e71a04519498a8dacb40825d29b20_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 1324 wrote to memory of 408	1324	2024-11-17_a85e71a04519498a8dacb40825d29b20_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 1324 wrote to memory of 5104	1324	2024-11-17_a85e71a04519498a8dacb40825d29b20_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 1324 wrote to memory of 5104	1324	2024-11-17_a85e71a04519498a8dacb40825d29b20_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 1324 wrote to memory of 1908	1324	2024-11-17_a85e71a04519498a8dacb40825d29b20_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1324 wrote to memory of 1908	1324	2024-11-17_a85e71a04519498a8dacb40825d29b20_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1324 wrote to memory of 1488	1324	2024-11-17_a85e71a04519498a8dacb40825d29b20_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1324 wrote to memory of 1488	1324	2024-11-17_a85e71a04519498a8dacb40825d29b20_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1324 wrote to memory of 3696	1324	2024-11-17_a85e71a04519498a8dacb40825d29b20_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1324 wrote to memory of 3696	1324	2024-11-17_a85e71a04519498a8dacb40825d29b20_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1324 wrote to memory of 2992	1324	2024-11-17_a85e71a04519498a8dacb40825d29b20_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1324 wrote to memory of 2992	1324	2024-11-17_a85e71a04519498a8dacb40825d29b20_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1324 wrote to memory of 4720	1324	2024-11-17_a85e71a04519498a8dacb40825d29b20_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 1324 wrote to memory of 4720	1324	2024-11-17_a85e71a04519498a8dacb40825d29b20_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 1324 wrote to memory of 3256	1324	2024-11-17_a85e71a04519498a8dacb40825d29b20_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1324 wrote to memory of 3256	1324	2024-11-17_a85e71a04519498a8dacb40825d29b20_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1324 wrote to memory of 4032	1324	2024-11-17_a85e71a04519498a8dacb40825d29b20_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1324 wrote to memory of 4032	1324	2024-11-17_a85e71a04519498a8dacb40825d29b20_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1324 wrote to memory of 4568	1324	2024-11-17_a85e71a04519498a8dacb40825d29b20_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 1324 wrote to memory of 4568	1324	2024-11-17_a85e71a04519498a8dacb40825d29b20_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 1324 wrote to memory of 3528	1324	2024-11-17_a85e71a04519498a8dacb40825d29b20_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1324 wrote to memory of 3528	1324	2024-11-17_a85e71a04519498a8dacb40825d29b20_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1324 wrote to memory of 3176	1324	2024-11-17_a85e71a04519498a8dacb40825d29b20_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1324 wrote to memory of 3176	1324	2024-11-17_a85e71a04519498a8dacb40825d29b20_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1324 wrote to memory of 4912	1324	2024-11-17_a85e71a04519498a8dacb40825d29b20_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1324 wrote to memory of 4912	1324	2024-11-17_a85e71a04519498a8dacb40825d29b20_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1324 wrote to memory of 2188	1324	2024-11-17_a85e71a04519498a8dacb40825d29b20_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1324 wrote to memory of 2188	1324	2024-11-17_a85e71a04519498a8dacb40825d29b20_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1324 wrote to memory of 3152	1324	2024-11-17_a85e71a04519498a8dacb40825d29b20_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1324 wrote to memory of 3152	1324	2024-11-17_a85e71a04519498a8dacb40825d29b20_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1324 wrote to memory of 2564	1324	2024-11-17_a85e71a04519498a8dacb40825d29b20_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 1324 wrote to memory of 2564	1324	2024-11-17_a85e71a04519498a8dacb40825d29b20_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 1324 wrote to memory of 3548	1324	2024-11-17_a85e71a04519498a8dacb40825d29b20_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 1324 wrote to memory of 3548	1324	2024-11-17_a85e71a04519498a8dacb40825d29b20_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-11-17_a85e71a04519498a8dacb40825d29b20_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-17_a85e71a04519498a8dacb40825d29b20_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1324
- C:\Windows\System\CIoNGiY.exe
  C:\Windows\System\CIoNGiY.exe
  2⤵
  - Executes dropped EXE
  PID:1844
- C:\Windows\System\tmgIKrX.exe
  C:\Windows\System\tmgIKrX.exe
  2⤵
  - Executes dropped EXE
  PID:4712
- C:\Windows\System\RNuRfpP.exe
  C:\Windows\System\RNuRfpP.exe
  2⤵
  - Executes dropped EXE
  PID:3036
- C:\Windows\System\QgseYZn.exe
  C:\Windows\System\QgseYZn.exe
  2⤵
  - Executes dropped EXE
  PID:964
- C:\Windows\System\DVkupni.exe
  C:\Windows\System\DVkupni.exe
  2⤵
  - Executes dropped EXE
  PID:408
- C:\Windows\System\xBqKXGu.exe
  C:\Windows\System\xBqKXGu.exe
  2⤵
  - Executes dropped EXE
  PID:5104
- C:\Windows\System\hPuagBn.exe
  C:\Windows\System\hPuagBn.exe
  2⤵
  - Executes dropped EXE
  PID:1908
- C:\Windows\System\KerNyPe.exe
  C:\Windows\System\KerNyPe.exe
  2⤵
  - Executes dropped EXE
  PID:1488
- C:\Windows\System\Wigyetp.exe
  C:\Windows\System\Wigyetp.exe
  2⤵
  - Executes dropped EXE
  PID:3696
- C:\Windows\System\QnjiSok.exe
  C:\Windows\System\QnjiSok.exe
  2⤵
  - Executes dropped EXE
  PID:2992
- C:\Windows\System\voZWeGA.exe
  C:\Windows\System\voZWeGA.exe
  2⤵
  - Executes dropped EXE
  PID:4720
- C:\Windows\System\TkwPIgv.exe
  C:\Windows\System\TkwPIgv.exe
  2⤵
  - Executes dropped EXE
  PID:3256
- C:\Windows\System\UyRYOTZ.exe
  C:\Windows\System\UyRYOTZ.exe
  2⤵
  - Executes dropped EXE
  PID:4032
- C:\Windows\System\cWhnOQW.exe
  C:\Windows\System\cWhnOQW.exe
  2⤵
  - Executes dropped EXE
  PID:4568
- C:\Windows\System\JkmQqZp.exe
  C:\Windows\System\JkmQqZp.exe
  2⤵
  - Executes dropped EXE
  PID:3528
- C:\Windows\System\DFUibSP.exe
  C:\Windows\System\DFUibSP.exe
  2⤵
  - Executes dropped EXE
  PID:3176
- C:\Windows\System\KhMOhCE.exe
  C:\Windows\System\KhMOhCE.exe
  2⤵
  - Executes dropped EXE
  PID:4912
- C:\Windows\System\VwuJvuE.exe
  C:\Windows\System\VwuJvuE.exe
  2⤵
  - Executes dropped EXE
  PID:2188
- C:\Windows\System\ehzkmTl.exe
  C:\Windows\System\ehzkmTl.exe
  2⤵
  - Executes dropped EXE
  PID:3152
- C:\Windows\System\IXLVPPH.exe
  C:\Windows\System\IXLVPPH.exe
  2⤵
  - Executes dropped EXE
  PID:2564
- C:\Windows\System\cEmYggH.exe
  C:\Windows\System\cEmYggH.exe
  2⤵
  - Executes dropped EXE
  PID:3548

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\CIoNGiY.exe

Filesize
5.2MB

MD5
601721ac78de6384330783cd57d63980

SHA1
2b11e2429e18506939fa0d48715f9ce15fefd5b9

SHA256
1459f6a5f64aa050f0429fe892afcf9e9264143ff331d36a7745c3cd649281af

SHA512
1c93b3c426f6b4db8e85dda101055486b31c7b4217090dcd6d9dd2a8ab5fed49d50e237efad3e63f117ce6d8d41af1eb24b550117958f0083e1705416119192a

Download Submit
C:\Windows\System\DFUibSP.exe

Filesize
5.2MB

MD5
382848c57adfec2aa4a5ac7f351f8880

SHA1
6be5487a6124dc1eb3ad707c9badc0f8c8154a19

SHA256
b04a7fd7eb24dc2dd043e909ad484d8253a0b8f5a4e5e21175d66c70e66ae2dd

SHA512
9287323604346d20b97f4d0fd5f53f9ccb0518aa6faa356bba4f24268b1dea1893233b138293e3ee137143b3656e9dcb55b51fdbb9733de538cf23e0db656722

Download Submit
C:\Windows\System\DVkupni.exe

Filesize
5.2MB

MD5
fb09f8070bbf6d47f0d8f0ac4e332a2f

SHA1
c0a6f54527d6a3959bc4e16bcdf63329784dc936

SHA256
abd019be32012508472d25a24e7dc5baf4947b3cf9fd22768d2ff822e900aecc

SHA512
41a1e4f7daaa2b35c2cc376a0a6cd03165e415a8b95192e1a2798a201023261d0b4d1ba3de6c17ff3df7556e3a1ba9e989d22fc144c629ce2fac52402a878849

Download Submit
C:\Windows\System\IXLVPPH.exe

Filesize
5.2MB

MD5
e42e00b01ec7d9bcc754949881f60f4e

SHA1
e4edb2b21e796b536801543f88ab060d6afcd88c

SHA256
1f0c5834f9e7f685dc2ece026313f04f46c9384e7e12a0e164183da0388a4121

SHA512
77ebad15cfabdec76d70b1597cdbc467ecc0d6f687a50afde9137a4b866a5f5c3017b17781c5caa8839a43f4366ff3c6a869ac8e80e5e6eff9c5b0e36e84273a

Download Submit
C:\Windows\System\JkmQqZp.exe

Filesize
5.2MB

MD5
c1b3263dffd71602081bb40779526de5

SHA1
9f4cb0ea35078089ede6e7433b696e45bad46e8d

SHA256
3df9f751dcacfedab7ad697c5d1aa71892dd1d23fe457ee35e16a6debcc3517e

SHA512
e4f458cbc7e511f624e3d6553b33e09f2df83fd5ca24f464342c9290ce0e10a8bd99d10d5d202b50bfc01b0f50174641c5c4cf43366b55fc7c61110e964c7b8d

Download Submit
C:\Windows\System\KerNyPe.exe

Filesize
5.2MB

MD5
d5b1008259015edb024cd7711b97c702

SHA1
a93b6b3a87ecfff411ed45335475a4558f533f1e

SHA256
b604d5bfadeb3ebdcf1cb239e5e7be02e885fa8b038f0fd57fe09dd19c9b5d08

SHA512
81d8d998c985c8c18a751b237088835204ffc83b365fbbfda366d8a371905749871c657f2530076e8b778e2d0542f85bc2687395285c9d52ba7390a05342126d

Download Submit
C:\Windows\System\KhMOhCE.exe

Filesize
5.2MB

MD5
8cb3de88a76c0aa2e7eafc2b774709fc

SHA1
2e5edbb45c9d936891d37cb98f756a01d621af25

SHA256
f851d468b0f71f085b08f2df8ecb553f026cba498ddbeef2a86ac11c35782201

SHA512
f10771500e05cfe98c4491a243fd4f111a2142acb92c39e349e7896c460f1f2c11035425c1499fd35042bb6e5cb9a529d0b1db4f4333fcf3dc67a0dc28ca4aa6

Download Submit
C:\Windows\System\QgseYZn.exe

Filesize
5.2MB

MD5
0e6ff456efb0b8c09b650186170addbc

SHA1
6cc075386dd60c276419f1a43b475507b9af8dfe

SHA256
39d28cf81e08f70f5891c908e8bf24b5a098d95ddce5f114af03d66b3df678a8

SHA512
3427c8baf56e72ad223ac986bf983ac855c3e4205b8726e1cdb2c9b43dd2aeaa2fb782fff3cebf63105b68814df0ebc67e3035d319bd1600354d6ad84c2d86c6

Download Submit
C:\Windows\System\QnjiSok.exe

Filesize
5.2MB

MD5
50c4aff1d313123b3b17e72899e420c4

SHA1
4dea3a7fc00c2f6ffd4e06cda544686cd012a815

SHA256
a58167a345045ff0a370080f9fd2bbb54eb6458bc8d52e2d78631c5e99b390c0

SHA512
1b6286c4623ba235fbd92f3cb19e3bfba1a49af5e27ac66c8dc81f0d074e5506d0d518ddf468109b4e8345e16ddca0d70c510e13fe8ce77e0716b73e8fd3d0b2

Download Submit
C:\Windows\System\RNuRfpP.exe

Filesize
5.2MB

MD5
b895947027a42577f35fccb522de402a

SHA1
c91d7be93a469af0a61050970a746ba8333d9b50

SHA256
8b75daff4df54326e80d1a821990047fd557e076372153cc56e7236591230f33

SHA512
da0f23fca5307a6345ba33286d386087d961df3adcb3d8141c3817d2ef4e13250e92cff6363f5dd12553f635d8635e22e79be4dfdf8507c8d167b22db2894572

Download Submit
C:\Windows\System\TkwPIgv.exe

Filesize
5.2MB

MD5
7b72fdc9d198d792b9bd28666798c23c

SHA1
1a438731304486686f717587ea9e593307532fdf

SHA256
9e3a454daef7a920b143238726c7275d35bdab5616fe61a48ee1cfb48a6f4bb1

SHA512
7e6af0b1f3a058dfca5867f6dfa4bfed0248ed05049b0bf0552fa4333bb254c62f0711149c2d35dc9c3aef94c3cc368fd550e9d32aaa9ebed152598d50a6a0ef

Download Submit
C:\Windows\System\UyRYOTZ.exe

Filesize
5.2MB

MD5
93cd2f952500a379b6d44692a26d525e

SHA1
64b9c3a165135700b1c85bf9ddfedbd6dac50518

SHA256
0f727636d81a47feaa08c5fc627be78a06875f7238fabeca1a5eb3f8ac229517

SHA512
73601f94ae7652bf188d5606cc446236aeb515fa210877ee824566394a94af09d6cad442ad0a6f5997d1a9429cab7d64d69e51d8b45861d44b8c08fdc5b27412

Download Submit
C:\Windows\System\VwuJvuE.exe

Filesize
5.2MB

MD5
5b144c7f655ce7d316dccad255ec308f

SHA1
94a21e2099b7c222b3e03cc7754b2ef6c6000eef

SHA256
b900319cb21ca57922c857b452a74bd61c2735fb29a0c94fb63a2cb853ed027e

SHA512
070e06b00b10aaf888b311071e2d51e45c217c1ebbf36e5fb10fb4ff760802edc54c0818ab84634c9c839734c9f8d26d40da4d4c7f21d435b20041284581da84

Download Submit
C:\Windows\System\Wigyetp.exe

Filesize
5.2MB

MD5
4dc381133e195e3d0caf6bfbdbf08f73

SHA1
d4ff37fb15587a3b96630ced083d8ede7c0f90b2

SHA256
b94744ad0bee50a9e6b07e90721af38257f504650e52ee56167285ad512967f8

SHA512
cd4b678330401489f5461df1660300860472c3c634b9800f43b87f6d1d74b9b5d66838e84c3bc273e0d2c38563551e0ea31597c2939502ff43c9592df352aff8

Download Submit
C:\Windows\System\cEmYggH.exe

Filesize
5.2MB

MD5
6563f53a888b56c39cc56b282e7b7c95

SHA1
9607b98e1fb7dab0b872133679d74d267a91c5c7

SHA256
f739e8b5c8b218ad6b96194d1014a1bd8c06158523d833d0ee0dfd4bca94e252

SHA512
6de9d7c04c9cf7b04428fe8db0c72a3d0f9e999e5593008f5359d077885ac8c33cf9d6345152da572e518a97dead51dbb7974861c02d7f65b5801c514d1a80c2

Download Submit
C:\Windows\System\cWhnOQW.exe

Filesize
5.2MB

MD5
cf22f8b74964267f1139d92be3647d04

SHA1
f3f29e9451a81030df04ca2c5ed978b549aeea8e

SHA256
9a79ad7551018b84784d7e70dfcefb48034446883c2518e8b7007137f2382886

SHA512
567a5e90d09a9bbde4bbc6118c889e3842fa8e4ee5690ee1bc845d7c887cf8f14d91dd8f5dd7bddbc9c68447b82284e000c8f4392aebff8259a3800519826cf3

Download Submit
C:\Windows\System\ehzkmTl.exe

Filesize
5.2MB

MD5
2f3de512943c93f8b906701bdc6f7e06

SHA1
2751cc9a8a0bbfecd2ba67df2422625b9b00bab5

SHA256
360c806a82ec26eb966d23d7cd0e86380580c4199d9f6386bc9508146d978149

SHA512
15cf3c7041dd345885ff2682527d7b9f6c37f20e674d46ccf0c265a82c861f1ab584e3c0471a8f2097c64461da6eff70c67646a2d4e2f53894ef84119693fc89

Download Submit
C:\Windows\System\hPuagBn.exe

Filesize
5.2MB

MD5
84526b80fe82e635ccb9dc00807adcc6

SHA1
1ba47ea6877628bb73462524fae14ed7c17c9019

SHA256
a65585d173e7a5921e49019df3ce04d2f14e229e9248cafe073ef88c0c7a781c

SHA512
3496b4169d08e680cdcd8323f28bb1beeee5daf213e7132b0c131f2b0f315a8a5fe8938a1321ef8b16726b17e79e65f6b82331c7ab3626845e10e495bba2ff5c

Download Submit
C:\Windows\System\tmgIKrX.exe

Filesize
5.2MB

MD5
98b21e312c87127453f5181e1c356d43

SHA1
93ec08daf2cef513ab79ea7704544b4e47deeff9

SHA256
040eec8001eb5eade0dd0624bfcfe10c70a2fde227c8690b8284425827986837

SHA512
2fcb16b3c31f6ffc45d850c9221355518887fe2d1a8f3bfae84e7d3da53a606aaf855b100de8d85481ce08cc7370f466be214251dae1d6b6956abdfd7a245c8e

Download Submit
C:\Windows\System\voZWeGA.exe

Filesize
5.2MB

MD5
aa2b4d82a495ffe448b34360b80acafe

SHA1
75bfc79b802b27d793d63f07b56e7497f541fcb6

SHA256
e248b13e1f7cbcd69afc1390ac6419d56a57cce8a0de94a1cdc20b1eafcee48f

SHA512
a1add9dbe2f55327addf7a2e647abc78e8a9d9085019aa520afe98a2d248064b5dfe096c5cfc21d55a66f64fd600241ed07c0342ac41b2c942da46c67e9dc133

Download Submit
C:\Windows\System\xBqKXGu.exe

Filesize
5.2MB

MD5
c5d14dd626335f4b99d6a54a846711f5

SHA1
d27866af82647bb8b812c595474593f1674efdf7

SHA256
44be1ba65534f26307f68a026cb0374b3034b1250f5d0c1b2b0d96980b126911

SHA512
37e2cdf49c662679dfc2f894d4b9c218015b415f1d2ee1e7139fed837db5c5bf7ea879deb20c7c2899ae834e758a958bc592f70112ffb78a3a372faf9f199e67

Download Submit
memory/408-43-0x00007FF7D4670000-0x00007FF7D49C1000-memory.dmp

Filesize
3.3MB

Download
memory/408-211-0x00007FF7D4670000-0x00007FF7D49C1000-memory.dmp

Filesize
3.3MB

Download
memory/964-209-0x00007FF6BBF20000-0x00007FF6BC271000-memory.dmp

Filesize
3.3MB

Download
memory/964-20-0x00007FF6BBF20000-0x00007FF6BC271000-memory.dmp

Filesize
3.3MB

Download
memory/964-123-0x00007FF6BBF20000-0x00007FF6BC271000-memory.dmp

Filesize
3.3MB

Download
memory/1324-119-0x00007FF7563F0000-0x00007FF756741000-memory.dmp

Filesize
3.3MB

Download
memory/1324-141-0x00007FF7563F0000-0x00007FF756741000-memory.dmp

Filesize
3.3MB

Download
memory/1324-1-0x0000029A392F0000-0x0000029A39300000-memory.dmp

Filesize
64KB

Download
memory/1324-142-0x00007FF7563F0000-0x00007FF756741000-memory.dmp

Filesize
3.3MB

Download
memory/1324-0-0x00007FF7563F0000-0x00007FF756741000-memory.dmp

Filesize
3.3MB

Download
memory/1488-52-0x00007FF6DEA40000-0x00007FF6DED91000-memory.dmp

Filesize
3.3MB

Download
memory/1488-217-0x00007FF6DEA40000-0x00007FF6DED91000-memory.dmp

Filesize
3.3MB

Download
memory/1488-127-0x00007FF6DEA40000-0x00007FF6DED91000-memory.dmp

Filesize
3.3MB

Download
memory/1844-7-0x00007FF7584F0000-0x00007FF758841000-memory.dmp

Filesize
3.3MB

Download
memory/1844-194-0x00007FF7584F0000-0x00007FF758841000-memory.dmp

Filesize
3.3MB

Download
memory/1844-120-0x00007FF7584F0000-0x00007FF758841000-memory.dmp

Filesize
3.3MB

Download
memory/1908-214-0x00007FF6C4340000-0x00007FF6C4691000-memory.dmp

Filesize
3.3MB

Download
memory/1908-48-0x00007FF6C4340000-0x00007FF6C4691000-memory.dmp

Filesize
3.3MB

Download
memory/1908-126-0x00007FF6C4340000-0x00007FF6C4691000-memory.dmp

Filesize
3.3MB

Download
memory/2188-248-0x00007FF71B670000-0x00007FF71B9C1000-memory.dmp

Filesize
3.3MB

Download
memory/2188-137-0x00007FF71B670000-0x00007FF71B9C1000-memory.dmp

Filesize
3.3MB

Download
memory/2564-139-0x00007FF7B61E0000-0x00007FF7B6531000-memory.dmp

Filesize
3.3MB

Download
memory/2564-244-0x00007FF7B61E0000-0x00007FF7B6531000-memory.dmp

Filesize
3.3MB

Download
memory/2992-74-0x00007FF7D7780000-0x00007FF7D7AD1000-memory.dmp

Filesize
3.3MB

Download
memory/2992-221-0x00007FF7D7780000-0x00007FF7D7AD1000-memory.dmp

Filesize
3.3MB

Download
memory/3036-197-0x00007FF674F50000-0x00007FF6752A1000-memory.dmp

Filesize
3.3MB

Download
memory/3036-34-0x00007FF674F50000-0x00007FF6752A1000-memory.dmp

Filesize
3.3MB

Download
memory/3152-246-0x00007FF6D59C0000-0x00007FF6D5D11000-memory.dmp

Filesize
3.3MB

Download
memory/3152-138-0x00007FF6D59C0000-0x00007FF6D5D11000-memory.dmp

Filesize
3.3MB

Download
memory/3176-236-0x00007FF719160000-0x00007FF7194B1000-memory.dmp

Filesize
3.3MB

Download
memory/3176-135-0x00007FF719160000-0x00007FF7194B1000-memory.dmp

Filesize
3.3MB

Download
memory/3256-131-0x00007FF66B510000-0x00007FF66B861000-memory.dmp

Filesize
3.3MB

Download
memory/3256-239-0x00007FF66B510000-0x00007FF66B861000-memory.dmp

Filesize
3.3MB

Download
memory/3256-79-0x00007FF66B510000-0x00007FF66B861000-memory.dmp

Filesize
3.3MB

Download
memory/3528-134-0x00007FF6CEB00000-0x00007FF6CEE51000-memory.dmp

Filesize
3.3MB

Download
memory/3528-234-0x00007FF6CEB00000-0x00007FF6CEE51000-memory.dmp

Filesize
3.3MB

Download
memory/3548-242-0x00007FF74C0D0000-0x00007FF74C421000-memory.dmp

Filesize
3.3MB

Download
memory/3548-140-0x00007FF74C0D0000-0x00007FF74C421000-memory.dmp

Filesize
3.3MB

Download
memory/3696-219-0x00007FF7E30F0000-0x00007FF7E3441000-memory.dmp

Filesize
3.3MB

Download
memory/3696-57-0x00007FF7E30F0000-0x00007FF7E3441000-memory.dmp

Filesize
3.3MB

Download
memory/3696-128-0x00007FF7E30F0000-0x00007FF7E3441000-memory.dmp

Filesize
3.3MB

Download
memory/4032-238-0x00007FF69BBD0000-0x00007FF69BF21000-memory.dmp

Filesize
3.3MB

Download
memory/4032-132-0x00007FF69BBD0000-0x00007FF69BF21000-memory.dmp

Filesize
3.3MB

Download
memory/4568-230-0x00007FF743260000-0x00007FF7435B1000-memory.dmp

Filesize
3.3MB

Download
memory/4568-133-0x00007FF743260000-0x00007FF7435B1000-memory.dmp

Filesize
3.3MB

Download
memory/4712-198-0x00007FF6CCF50000-0x00007FF6CD2A1000-memory.dmp

Filesize
3.3MB

Download
memory/4712-121-0x00007FF6CCF50000-0x00007FF6CD2A1000-memory.dmp

Filesize
3.3MB

Download
memory/4712-17-0x00007FF6CCF50000-0x00007FF6CD2A1000-memory.dmp

Filesize
3.3MB

Download
memory/4720-68-0x00007FF74B8E0000-0x00007FF74BC31000-memory.dmp

Filesize
3.3MB

Download
memory/4720-231-0x00007FF74B8E0000-0x00007FF74BC31000-memory.dmp

Filesize
3.3MB

Download
memory/4720-130-0x00007FF74B8E0000-0x00007FF74BC31000-memory.dmp

Filesize
3.3MB

Download
memory/4912-249-0x00007FF615960000-0x00007FF615CB1000-memory.dmp

Filesize
3.3MB

Download
memory/4912-136-0x00007FF615960000-0x00007FF615CB1000-memory.dmp

Filesize
3.3MB

Download
memory/5104-125-0x00007FF6B5C40000-0x00007FF6B5F91000-memory.dmp

Filesize
3.3MB

Download
memory/5104-215-0x00007FF6B5C40000-0x00007FF6B5F91000-memory.dmp

Filesize
3.3MB

Download
memory/5104-38-0x00007FF6B5C40000-0x00007FF6B5F91000-memory.dmp

Filesize
3.3MB

Download