cobaltstrike | 163d86cde6f535b0ad31ec9184ec2281ba12d4783dd0b375f46d6e18b634f889

Analysis

max time kernel
140s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-11-2024 10:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-17_b543f236a6c63b1cfbcbd3726e5e974c_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

b543f236a6c63b1cfbcbd3726e5e974c
SHA1

7c5b11d7a34279f27fcd93341be6f5144c0d08d4
SHA256

163d86cde6f535b0ad31ec9184ec2281ba12d4783dd0b375f46d6e18b634f889
SHA512

8e5d3f23b7971e43173bdeb0a2af03051bb477345946c33099a0768829598b3e1e0078aa0e6cabe9294aa30b9d989f43319a5ddd257db5df8e0c5a9a7fcb15f5
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6le:RWWBibf56utgpPFotBER/mQ32lU6

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0008000000023c84-4.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c88-10.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c89-15.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c8a-23.dat	cobalt_reflective_dll
behavioral2/files/0x0002000000022efc-27.dat	cobalt_reflective_dll
behavioral2/files/0x000e000000023b50-38.dat	cobalt_reflective_dll
behavioral2/files/0x000d000000023b57-37.dat	cobalt_reflective_dll
behavioral2/files/0x0010000000023b59-44.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c85-53.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c8c-69.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c8d-74.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c90-81.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c93-97.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c94-113.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c95-121.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c96-124.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c91-109.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c92-105.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c8f-99.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c8e-84.dat	cobalt_reflective_dll
behavioral2/files/0x000d000000023b5a-59.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/4356-57-0x00007FF65DC60000-0x00007FF65DFB1000-memory.dmp	xmrig
behavioral2/memory/4248-83-0x00007FF6AA520000-0x00007FF6AA871000-memory.dmp	xmrig
behavioral2/memory/4864-127-0x00007FF6394A0000-0x00007FF6397F1000-memory.dmp	xmrig
behavioral2/memory/5000-130-0x00007FF71FBA0000-0x00007FF71FEF1000-memory.dmp	xmrig
behavioral2/memory/3684-129-0x00007FF627CA0000-0x00007FF627FF1000-memory.dmp	xmrig
behavioral2/memory/4408-128-0x00007FF7E1C50000-0x00007FF7E1FA1000-memory.dmp	xmrig
behavioral2/memory/5036-126-0x00007FF686310000-0x00007FF686661000-memory.dmp	xmrig
behavioral2/memory/1736-123-0x00007FF6B59F0000-0x00007FF6B5D41000-memory.dmp	xmrig
behavioral2/memory/2792-120-0x00007FF729400000-0x00007FF729751000-memory.dmp	xmrig
behavioral2/memory/3044-119-0x00007FF604D30000-0x00007FF605081000-memory.dmp	xmrig
behavioral2/memory/4356-131-0x00007FF65DC60000-0x00007FF65DFB1000-memory.dmp	xmrig
behavioral2/memory/3144-146-0x00007FF6F26A0000-0x00007FF6F29F1000-memory.dmp	xmrig
behavioral2/memory/2848-144-0x00007FF763A20000-0x00007FF763D71000-memory.dmp	xmrig
behavioral2/memory/508-148-0x00007FF6591A0000-0x00007FF6594F1000-memory.dmp	xmrig
behavioral2/memory/4628-141-0x00007FF7FA2B0000-0x00007FF7FA601000-memory.dmp	xmrig
behavioral2/memory/4572-140-0x00007FF70CB20000-0x00007FF70CE71000-memory.dmp	xmrig
behavioral2/memory/4120-139-0x00007FF64D880000-0x00007FF64DBD1000-memory.dmp	xmrig
behavioral2/memory/2960-137-0x00007FF7141B0000-0x00007FF714501000-memory.dmp	xmrig
behavioral2/memory/4536-135-0x00007FF627A30000-0x00007FF627D81000-memory.dmp	xmrig
behavioral2/memory/4124-138-0x00007FF7AFCF0000-0x00007FF7B0041000-memory.dmp	xmrig
behavioral2/memory/3300-136-0x00007FF600540000-0x00007FF600891000-memory.dmp	xmrig
behavioral2/memory/3596-134-0x00007FF631E30000-0x00007FF632181000-memory.dmp	xmrig
behavioral2/memory/2964-149-0x00007FF6D4BC0000-0x00007FF6D4F11000-memory.dmp	xmrig
behavioral2/memory/4356-153-0x00007FF65DC60000-0x00007FF65DFB1000-memory.dmp	xmrig
behavioral2/memory/3044-203-0x00007FF604D30000-0x00007FF605081000-memory.dmp	xmrig
behavioral2/memory/5000-205-0x00007FF71FBA0000-0x00007FF71FEF1000-memory.dmp	xmrig
behavioral2/memory/3596-207-0x00007FF631E30000-0x00007FF632181000-memory.dmp	xmrig
behavioral2/memory/4536-212-0x00007FF627A30000-0x00007FF627D81000-memory.dmp	xmrig
behavioral2/memory/3300-214-0x00007FF600540000-0x00007FF600891000-memory.dmp	xmrig
behavioral2/memory/4124-226-0x00007FF7AFCF0000-0x00007FF7B0041000-memory.dmp	xmrig
behavioral2/memory/2960-228-0x00007FF7141B0000-0x00007FF714501000-memory.dmp	xmrig
behavioral2/memory/4120-233-0x00007FF64D880000-0x00007FF64DBD1000-memory.dmp	xmrig
behavioral2/memory/4628-232-0x00007FF7FA2B0000-0x00007FF7FA601000-memory.dmp	xmrig
behavioral2/memory/4572-234-0x00007FF70CB20000-0x00007FF70CE71000-memory.dmp	xmrig
behavioral2/memory/2848-236-0x00007FF763A20000-0x00007FF763D71000-memory.dmp	xmrig
behavioral2/memory/2792-240-0x00007FF729400000-0x00007FF729751000-memory.dmp	xmrig
behavioral2/memory/4248-238-0x00007FF6AA520000-0x00007FF6AA871000-memory.dmp	xmrig
behavioral2/memory/1736-249-0x00007FF6B59F0000-0x00007FF6B5D41000-memory.dmp	xmrig
behavioral2/memory/4408-258-0x00007FF7E1C50000-0x00007FF7E1FA1000-memory.dmp	xmrig
behavioral2/memory/508-257-0x00007FF6591A0000-0x00007FF6594F1000-memory.dmp	xmrig
behavioral2/memory/5036-255-0x00007FF686310000-0x00007FF686661000-memory.dmp	xmrig
behavioral2/memory/4864-252-0x00007FF6394A0000-0x00007FF6397F1000-memory.dmp	xmrig
behavioral2/memory/2964-251-0x00007FF6D4BC0000-0x00007FF6D4F11000-memory.dmp	xmrig
behavioral2/memory/3144-246-0x00007FF6F26A0000-0x00007FF6F29F1000-memory.dmp	xmrig
behavioral2/memory/3684-260-0x00007FF627CA0000-0x00007FF627FF1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
3044	whecQYh.exe
5000	IjubgoV.exe
3596	xCmTEgm.exe
4536	LxxBEEx.exe
3300	zAKhpFG.exe
4124	uQiJeMc.exe
2960	DoXRonN.exe
4120	VVNAZBp.exe
4572	jEJyyMs.exe
4628	YSdjASL.exe
2792	jROtQME.exe
4248	dsQMQAE.exe
2848	YJtdFJC.exe
1736	EDWZVbu.exe
3144	YpurRjR.exe
5036	uwJyUiK.exe
508	aGNaZNC.exe
2964	lQWYTAn.exe
4864	EBIlOvA.exe
4408	FGuYCbB.exe
3684	qapBbBU.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4356-0-0x00007FF65DC60000-0x00007FF65DFB1000-memory.dmp	upx
behavioral2/files/0x0008000000023c84-4.dat	upx
behavioral2/files/0x0007000000023c88-10.dat	upx
behavioral2/files/0x0007000000023c89-15.dat	upx
behavioral2/memory/3596-16-0x00007FF631E30000-0x00007FF632181000-memory.dmp	upx
behavioral2/memory/5000-14-0x00007FF71FBA0000-0x00007FF71FEF1000-memory.dmp	upx
behavioral2/memory/3044-6-0x00007FF604D30000-0x00007FF605081000-memory.dmp	upx
behavioral2/files/0x0007000000023c8a-23.dat	upx
behavioral2/files/0x0002000000022efc-27.dat	upx
behavioral2/memory/4536-24-0x00007FF627A30000-0x00007FF627D81000-memory.dmp	upx
behavioral2/memory/3300-30-0x00007FF600540000-0x00007FF600891000-memory.dmp	upx
behavioral2/files/0x000e000000023b50-38.dat	upx
behavioral2/files/0x000d000000023b57-37.dat	upx
behavioral2/memory/4124-39-0x00007FF7AFCF0000-0x00007FF7B0041000-memory.dmp	upx
behavioral2/memory/2960-40-0x00007FF7141B0000-0x00007FF714501000-memory.dmp	upx
behavioral2/files/0x0010000000023b59-44.dat	upx
behavioral2/files/0x0008000000023c85-53.dat	upx
behavioral2/memory/4356-57-0x00007FF65DC60000-0x00007FF65DFB1000-memory.dmp	upx
behavioral2/files/0x0007000000023c8c-69.dat	upx
behavioral2/files/0x0007000000023c8d-74.dat	upx
behavioral2/files/0x0007000000023c90-81.dat	upx
behavioral2/memory/4248-83-0x00007FF6AA520000-0x00007FF6AA871000-memory.dmp	upx
behavioral2/files/0x0007000000023c93-97.dat	upx
behavioral2/memory/2964-108-0x00007FF6D4BC0000-0x00007FF6D4F11000-memory.dmp	upx
behavioral2/files/0x0007000000023c94-113.dat	upx
behavioral2/files/0x0007000000023c95-121.dat	upx
behavioral2/memory/4864-127-0x00007FF6394A0000-0x00007FF6397F1000-memory.dmp	upx
behavioral2/memory/5000-130-0x00007FF71FBA0000-0x00007FF71FEF1000-memory.dmp	upx
behavioral2/memory/3684-129-0x00007FF627CA0000-0x00007FF627FF1000-memory.dmp	upx
behavioral2/memory/4408-128-0x00007FF7E1C50000-0x00007FF7E1FA1000-memory.dmp	upx
behavioral2/memory/5036-126-0x00007FF686310000-0x00007FF686661000-memory.dmp	upx
behavioral2/files/0x0007000000023c96-124.dat	upx
behavioral2/memory/1736-123-0x00007FF6B59F0000-0x00007FF6B5D41000-memory.dmp	upx
behavioral2/memory/2792-120-0x00007FF729400000-0x00007FF729751000-memory.dmp	upx
behavioral2/memory/3044-119-0x00007FF604D30000-0x00007FF605081000-memory.dmp	upx
behavioral2/files/0x0007000000023c91-109.dat	upx
behavioral2/files/0x0007000000023c92-105.dat	upx
behavioral2/memory/508-102-0x00007FF6591A0000-0x00007FF6594F1000-memory.dmp	upx
behavioral2/files/0x0007000000023c8f-99.dat	upx
behavioral2/memory/3144-98-0x00007FF6F26A0000-0x00007FF6F29F1000-memory.dmp	upx
behavioral2/memory/2848-91-0x00007FF763A20000-0x00007FF763D71000-memory.dmp	upx
behavioral2/memory/4572-79-0x00007FF70CB20000-0x00007FF70CE71000-memory.dmp	upx
behavioral2/files/0x0007000000023c8e-84.dat	upx
behavioral2/files/0x000d000000023b5a-59.dat	upx
behavioral2/memory/4628-54-0x00007FF7FA2B0000-0x00007FF7FA601000-memory.dmp	upx
behavioral2/memory/4120-50-0x00007FF64D880000-0x00007FF64DBD1000-memory.dmp	upx
behavioral2/memory/4356-131-0x00007FF65DC60000-0x00007FF65DFB1000-memory.dmp	upx
behavioral2/memory/3144-146-0x00007FF6F26A0000-0x00007FF6F29F1000-memory.dmp	upx
behavioral2/memory/2848-144-0x00007FF763A20000-0x00007FF763D71000-memory.dmp	upx
behavioral2/memory/508-148-0x00007FF6591A0000-0x00007FF6594F1000-memory.dmp	upx
behavioral2/memory/4628-141-0x00007FF7FA2B0000-0x00007FF7FA601000-memory.dmp	upx
behavioral2/memory/4572-140-0x00007FF70CB20000-0x00007FF70CE71000-memory.dmp	upx
behavioral2/memory/4120-139-0x00007FF64D880000-0x00007FF64DBD1000-memory.dmp	upx
behavioral2/memory/2960-137-0x00007FF7141B0000-0x00007FF714501000-memory.dmp	upx
behavioral2/memory/4536-135-0x00007FF627A30000-0x00007FF627D81000-memory.dmp	upx
behavioral2/memory/4124-138-0x00007FF7AFCF0000-0x00007FF7B0041000-memory.dmp	upx
behavioral2/memory/3300-136-0x00007FF600540000-0x00007FF600891000-memory.dmp	upx
behavioral2/memory/3596-134-0x00007FF631E30000-0x00007FF632181000-memory.dmp	upx
behavioral2/memory/2964-149-0x00007FF6D4BC0000-0x00007FF6D4F11000-memory.dmp	upx
behavioral2/memory/4356-153-0x00007FF65DC60000-0x00007FF65DFB1000-memory.dmp	upx
behavioral2/memory/3044-203-0x00007FF604D30000-0x00007FF605081000-memory.dmp	upx
behavioral2/memory/5000-205-0x00007FF71FBA0000-0x00007FF71FEF1000-memory.dmp	upx
behavioral2/memory/3596-207-0x00007FF631E30000-0x00007FF632181000-memory.dmp	upx
behavioral2/memory/4536-212-0x00007FF627A30000-0x00007FF627D81000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\IjubgoV.exe	2024-11-17_b543f236a6c63b1cfbcbd3726e5e974c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VVNAZBp.exe	2024-11-17_b543f236a6c63b1cfbcbd3726e5e974c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aGNaZNC.exe	2024-11-17_b543f236a6c63b1cfbcbd3726e5e974c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\whecQYh.exe	2024-11-17_b543f236a6c63b1cfbcbd3726e5e974c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uQiJeMc.exe	2024-11-17_b543f236a6c63b1cfbcbd3726e5e974c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jEJyyMs.exe	2024-11-17_b543f236a6c63b1cfbcbd3726e5e974c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YSdjASL.exe	2024-11-17_b543f236a6c63b1cfbcbd3726e5e974c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YJtdFJC.exe	2024-11-17_b543f236a6c63b1cfbcbd3726e5e974c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YpurRjR.exe	2024-11-17_b543f236a6c63b1cfbcbd3726e5e974c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xCmTEgm.exe	2024-11-17_b543f236a6c63b1cfbcbd3726e5e974c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LxxBEEx.exe	2024-11-17_b543f236a6c63b1cfbcbd3726e5e974c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DoXRonN.exe	2024-11-17_b543f236a6c63b1cfbcbd3726e5e974c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jROtQME.exe	2024-11-17_b543f236a6c63b1cfbcbd3726e5e974c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uwJyUiK.exe	2024-11-17_b543f236a6c63b1cfbcbd3726e5e974c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EBIlOvA.exe	2024-11-17_b543f236a6c63b1cfbcbd3726e5e974c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zAKhpFG.exe	2024-11-17_b543f236a6c63b1cfbcbd3726e5e974c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dsQMQAE.exe	2024-11-17_b543f236a6c63b1cfbcbd3726e5e974c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EDWZVbu.exe	2024-11-17_b543f236a6c63b1cfbcbd3726e5e974c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lQWYTAn.exe	2024-11-17_b543f236a6c63b1cfbcbd3726e5e974c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FGuYCbB.exe	2024-11-17_b543f236a6c63b1cfbcbd3726e5e974c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qapBbBU.exe	2024-11-17_b543f236a6c63b1cfbcbd3726e5e974c_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4356	2024-11-17_b543f236a6c63b1cfbcbd3726e5e974c_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4356	2024-11-17_b543f236a6c63b1cfbcbd3726e5e974c_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4356 wrote to memory of 3044	4356	2024-11-17_b543f236a6c63b1cfbcbd3726e5e974c_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4356 wrote to memory of 3044	4356	2024-11-17_b543f236a6c63b1cfbcbd3726e5e974c_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4356 wrote to memory of 5000	4356	2024-11-17_b543f236a6c63b1cfbcbd3726e5e974c_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4356 wrote to memory of 5000	4356	2024-11-17_b543f236a6c63b1cfbcbd3726e5e974c_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4356 wrote to memory of 3596	4356	2024-11-17_b543f236a6c63b1cfbcbd3726e5e974c_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4356 wrote to memory of 3596	4356	2024-11-17_b543f236a6c63b1cfbcbd3726e5e974c_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4356 wrote to memory of 4536	4356	2024-11-17_b543f236a6c63b1cfbcbd3726e5e974c_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4356 wrote to memory of 4536	4356	2024-11-17_b543f236a6c63b1cfbcbd3726e5e974c_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4356 wrote to memory of 3300	4356	2024-11-17_b543f236a6c63b1cfbcbd3726e5e974c_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4356 wrote to memory of 3300	4356	2024-11-17_b543f236a6c63b1cfbcbd3726e5e974c_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4356 wrote to memory of 2960	4356	2024-11-17_b543f236a6c63b1cfbcbd3726e5e974c_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4356 wrote to memory of 2960	4356	2024-11-17_b543f236a6c63b1cfbcbd3726e5e974c_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4356 wrote to memory of 4124	4356	2024-11-17_b543f236a6c63b1cfbcbd3726e5e974c_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4356 wrote to memory of 4124	4356	2024-11-17_b543f236a6c63b1cfbcbd3726e5e974c_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4356 wrote to memory of 4120	4356	2024-11-17_b543f236a6c63b1cfbcbd3726e5e974c_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4356 wrote to memory of 4120	4356	2024-11-17_b543f236a6c63b1cfbcbd3726e5e974c_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4356 wrote to memory of 4572	4356	2024-11-17_b543f236a6c63b1cfbcbd3726e5e974c_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4356 wrote to memory of 4572	4356	2024-11-17_b543f236a6c63b1cfbcbd3726e5e974c_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4356 wrote to memory of 4628	4356	2024-11-17_b543f236a6c63b1cfbcbd3726e5e974c_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4356 wrote to memory of 4628	4356	2024-11-17_b543f236a6c63b1cfbcbd3726e5e974c_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4356 wrote to memory of 2792	4356	2024-11-17_b543f236a6c63b1cfbcbd3726e5e974c_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4356 wrote to memory of 2792	4356	2024-11-17_b543f236a6c63b1cfbcbd3726e5e974c_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4356 wrote to memory of 4248	4356	2024-11-17_b543f236a6c63b1cfbcbd3726e5e974c_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4356 wrote to memory of 4248	4356	2024-11-17_b543f236a6c63b1cfbcbd3726e5e974c_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4356 wrote to memory of 2848	4356	2024-11-17_b543f236a6c63b1cfbcbd3726e5e974c_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4356 wrote to memory of 2848	4356	2024-11-17_b543f236a6c63b1cfbcbd3726e5e974c_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4356 wrote to memory of 1736	4356	2024-11-17_b543f236a6c63b1cfbcbd3726e5e974c_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4356 wrote to memory of 1736	4356	2024-11-17_b543f236a6c63b1cfbcbd3726e5e974c_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4356 wrote to memory of 3144	4356	2024-11-17_b543f236a6c63b1cfbcbd3726e5e974c_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4356 wrote to memory of 3144	4356	2024-11-17_b543f236a6c63b1cfbcbd3726e5e974c_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4356 wrote to memory of 5036	4356	2024-11-17_b543f236a6c63b1cfbcbd3726e5e974c_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4356 wrote to memory of 5036	4356	2024-11-17_b543f236a6c63b1cfbcbd3726e5e974c_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4356 wrote to memory of 508	4356	2024-11-17_b543f236a6c63b1cfbcbd3726e5e974c_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4356 wrote to memory of 508	4356	2024-11-17_b543f236a6c63b1cfbcbd3726e5e974c_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4356 wrote to memory of 2964	4356	2024-11-17_b543f236a6c63b1cfbcbd3726e5e974c_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4356 wrote to memory of 2964	4356	2024-11-17_b543f236a6c63b1cfbcbd3726e5e974c_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4356 wrote to memory of 4864	4356	2024-11-17_b543f236a6c63b1cfbcbd3726e5e974c_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 4356 wrote to memory of 4864	4356	2024-11-17_b543f236a6c63b1cfbcbd3726e5e974c_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 4356 wrote to memory of 4408	4356	2024-11-17_b543f236a6c63b1cfbcbd3726e5e974c_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 4356 wrote to memory of 4408	4356	2024-11-17_b543f236a6c63b1cfbcbd3726e5e974c_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 4356 wrote to memory of 3684	4356	2024-11-17_b543f236a6c63b1cfbcbd3726e5e974c_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 4356 wrote to memory of 3684	4356	2024-11-17_b543f236a6c63b1cfbcbd3726e5e974c_cobalt-strike_cobaltstrike_poet-rat.exe	107

C:\Users\Admin\AppData\Local\Temp\2024-11-17_b543f236a6c63b1cfbcbd3726e5e974c_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-17_b543f236a6c63b1cfbcbd3726e5e974c_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4356
- C:\Windows\System\whecQYh.exe
  C:\Windows\System\whecQYh.exe
  2⤵
  - Executes dropped EXE
  PID:3044
- C:\Windows\System\IjubgoV.exe
  C:\Windows\System\IjubgoV.exe
  2⤵
  - Executes dropped EXE
  PID:5000
- C:\Windows\System\xCmTEgm.exe
  C:\Windows\System\xCmTEgm.exe
  2⤵
  - Executes dropped EXE
  PID:3596
- C:\Windows\System\LxxBEEx.exe
  C:\Windows\System\LxxBEEx.exe
  2⤵
  - Executes dropped EXE
  PID:4536
- C:\Windows\System\zAKhpFG.exe
  C:\Windows\System\zAKhpFG.exe
  2⤵
  - Executes dropped EXE
  PID:3300
- C:\Windows\System\DoXRonN.exe
  C:\Windows\System\DoXRonN.exe
  2⤵
  - Executes dropped EXE
  PID:2960
- C:\Windows\System\uQiJeMc.exe
  C:\Windows\System\uQiJeMc.exe
  2⤵
  - Executes dropped EXE
  PID:4124
- C:\Windows\System\VVNAZBp.exe
  C:\Windows\System\VVNAZBp.exe
  2⤵
  - Executes dropped EXE
  PID:4120
- C:\Windows\System\jEJyyMs.exe
  C:\Windows\System\jEJyyMs.exe
  2⤵
  - Executes dropped EXE
  PID:4572
- C:\Windows\System\YSdjASL.exe
  C:\Windows\System\YSdjASL.exe
  2⤵
  - Executes dropped EXE
  PID:4628
- C:\Windows\System\jROtQME.exe
  C:\Windows\System\jROtQME.exe
  2⤵
  - Executes dropped EXE
  PID:2792
- C:\Windows\System\dsQMQAE.exe
  C:\Windows\System\dsQMQAE.exe
  2⤵
  - Executes dropped EXE
  PID:4248
- C:\Windows\System\YJtdFJC.exe
  C:\Windows\System\YJtdFJC.exe
  2⤵
  - Executes dropped EXE
  PID:2848
- C:\Windows\System\EDWZVbu.exe
  C:\Windows\System\EDWZVbu.exe
  2⤵
  - Executes dropped EXE
  PID:1736
- C:\Windows\System\YpurRjR.exe
  C:\Windows\System\YpurRjR.exe
  2⤵
  - Executes dropped EXE
  PID:3144
- C:\Windows\System\uwJyUiK.exe
  C:\Windows\System\uwJyUiK.exe
  2⤵
  - Executes dropped EXE
  PID:5036
- C:\Windows\System\aGNaZNC.exe
  C:\Windows\System\aGNaZNC.exe
  2⤵
  - Executes dropped EXE
  PID:508
- C:\Windows\System\lQWYTAn.exe
  C:\Windows\System\lQWYTAn.exe
  2⤵
  - Executes dropped EXE
  PID:2964
- C:\Windows\System\EBIlOvA.exe
  C:\Windows\System\EBIlOvA.exe
  2⤵
  - Executes dropped EXE
  PID:4864
- C:\Windows\System\FGuYCbB.exe
  C:\Windows\System\FGuYCbB.exe
  2⤵
  - Executes dropped EXE
  PID:4408
- C:\Windows\System\qapBbBU.exe
  C:\Windows\System\qapBbBU.exe
  2⤵
  - Executes dropped EXE
  PID:3684

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\DoXRonN.exe

Filesize
5.2MB

MD5
b2189ea0d33bde7852c2ae97ad56148a

SHA1
7798c5ffef3cc900dfe631ddbb55733ab42a413f

SHA256
10439334c1ab1089946495577ea7dec84d766c951ce1e1e1558e7952fdd055ca

SHA512
47bda2dcfcf2ff476414b18e5ddd72c3da40807335d160a510634211a6da95829f24da4618e445d2a7f12baedbdaad47647348fc5de2a78465d0e988902d5209

Download Submit
C:\Windows\System\EBIlOvA.exe

Filesize
5.2MB

MD5
34ae94a5cae270ab76fcc1585de43219

SHA1
65e6ad0de603030baf8d45ffb9057dd7e35c4b97

SHA256
a87ee08fd3dbe343865a995171f67ae35e0b3d48119e53c67447cb370a110322

SHA512
0afdd12d95d47d4d5c15c100db7fb7207e58cb99f03aaa47ff3b1722bc59e1a5d7ac40858248daed5a18777d897a9e09ea820bba3a2910578335e668a158272b

Download Submit
C:\Windows\System\EDWZVbu.exe

Filesize
5.2MB

MD5
65c65f8522e622e538e7006de39167be

SHA1
19bef5fba3575387b52c29def2a72e01a8b17701

SHA256
8a0da67b31e13597aee2601d33d32f4713a4973ae2620fae7ee85b39adf3402c

SHA512
a38bedd41fd45f39c886ccf5e79d2aec1783270256fbc93337d833690afdaf09514f1dc5b85c5830ed02470b6c241aac31709da1b06f0675f425d9d599e70b58

Download Submit
C:\Windows\System\FGuYCbB.exe

Filesize
5.2MB

MD5
6bfa96883f92f62b661d6a67fd5faa52

SHA1
89fadac815c8135a5579da5fff41b9b879d3db94

SHA256
44ab968d00ce0b2d3e1aae7ac2de597490a3161b0e5856adf7c562bec6a780e5

SHA512
3fba7743c31cc9a95e8c8372406bd0d607c9fce81c84aed9701b0ece3939139b024245fc296a153a714d0f7b4df4fae776973a690207d3094dc091ebf6e56770

Download Submit
C:\Windows\System\IjubgoV.exe

Filesize
5.2MB

MD5
3d4f326767fb2ce5a56ec77590018d32

SHA1
1b91cacd8998da26c18adcd711cd0e4b88cfddee

SHA256
250a6e30cfd4df776cd3138b3953936844a4951f736e4011fe0ff499c72e2afc

SHA512
8d5e97eacf4fdbffd4e28f042e2be1d24843c4ffca544fffd717b66d18cdad563d40a045c789b6862fe6aad6bee4c678f340f44320f1f2e1006660c3946a895c

Download Submit
C:\Windows\System\LxxBEEx.exe

Filesize
5.2MB

MD5
5a4d129263151dc1393a944fba11cffc

SHA1
6971b6ed67a6b92f50784e0ec50c6c96255e2f64

SHA256
250868b1d90602abb58f95510fb5c8d9f7733ee26bd21cbfeb705082991443ba

SHA512
177dbb0988b2c841fd22c7bed3f7a7ea250992f7de8953213727d93de95031188ab1daf3b741d86369f4a4a3e2544607d85f8e8906a8a5fd636c68cbdf6816ab

Download Submit
C:\Windows\System\VVNAZBp.exe

Filesize
5.2MB

MD5
201c774a7e652f29734e9839dbcda629

SHA1
d0841fc6b11f88c7e471baea1868bb7045d962c6

SHA256
b785bea49f9b0353bcafb3e3d6c63c49bf8178bdb323a5f733835969c72d7136

SHA512
770264d3cb3099ab0cf9c40a8eb0b5cbdc7c8ba87dde7225a029ff7fc596bb11d2e0a4d4f00fc9c5dbf9c4bb2846a27fffe4cfa50b136b7431c5cc7cfd90ff88

Download Submit
C:\Windows\System\YJtdFJC.exe

Filesize
5.2MB

MD5
81e53310496dd7e1e6ddeafd7ffb7fcf

SHA1
0e490e9ca059a8967e49b1c532c00f5b7a68e7fb

SHA256
27d9649a3945f6e6abb13c987f302f35f9af7806518cb1d8733fa961062c6e02

SHA512
92765de05e125a75982ccde61a50d48ef445edd6638c821c0dd85f56e10da08a2bc944c4f57f9fc04b671b7716edcc241933db7500d53ab5b176fa9f8a893f31

Download Submit
C:\Windows\System\YSdjASL.exe

Filesize
5.2MB

MD5
6f2ab13c68443bd1f21534746c655d5a

SHA1
feaed33306bb682383c4e58d57d40274a4b1cf8d

SHA256
4d18aac2bc912708a65a8646d2a203ef211d39613d66ec01bb56024374222a31

SHA512
2af5d47b81aaba0161449463bd608467261b3161e8ca44d8028b8c121f20f3bdf3feab1ad92e7e74aedfe740622804a094f35ab5d978deca566419702da71cd3

Download Submit
C:\Windows\System\YpurRjR.exe

Filesize
5.2MB

MD5
8aa25e871ef09e0fdd802a0b45af2328

SHA1
c6520c6e54f032e25b9c319161b24985dd231d42

SHA256
274d52ec25f45ab88824dbbe69b850c1d229d52660bba3c0ee7666348f66a017

SHA512
2d69065a6f98deaa90d02f95a4ec3dbfd1c541b585efc9ab12058b29dfc1fccc25f1e8db8fe851e7f63ca5547c95e4af4511653e3ba9f48e3f9b811c7dab2408

Download Submit
C:\Windows\System\aGNaZNC.exe

Filesize
5.2MB

MD5
481e406e98fac32df68bdec7200edf21

SHA1
33e762ad723c906c8120ece23ad5410a5369714d

SHA256
555539ed340de644425a3bbd98a405dd32a9e1ac259e00846d8c4ebefdf7ff3f

SHA512
1dc0b51bbbef99141f47cb7eb18c2d0500cf3009bfe2cf41f6716dd75167fe32708adccca7173661e25ad0927dd00b8b3e88a08a18e8fa2abbc1184395c2190c

Download Submit
C:\Windows\System\dsQMQAE.exe

Filesize
5.2MB

MD5
87141bffb11298e16f045b90a3c4b871

SHA1
d62e3cc3bf103d9375df02be9f2d06643103ffd8

SHA256
02bf81cc9802bd27ab6ac7e3f1c119cba0ca251aced911ee24810d31577f62f1

SHA512
adcc7554859cdf570302c541da0b9fdb6887c04f38fde3fd300d4271330a6eb4d1e1e0c62c774608ed54afd1c6c73a17fe74f43ef52c2093b049b33ed6a6a16b

Download Submit
C:\Windows\System\jEJyyMs.exe

Filesize
5.2MB

MD5
8c939f142929a3806a5239166baf970e

SHA1
41d0b02270a376ee01eb76f2568552a9e901ed66

SHA256
8a1204816bd22f35ade384d25fb6a5e1d98bb58aceb0438fc9d3dd187e8b7832

SHA512
a1a43edf32e1550914f54d977756c79952a5f989fff9871ba6dda9d77c27fe6bd219136406eee817d00f1390cfb1522ed8b5b44b2a4efd6d1ff1362204cbe29a

Download Submit
C:\Windows\System\jROtQME.exe

Filesize
5.2MB

MD5
cbb57e06024a51c02fcee1e9e9d66b95

SHA1
99849a079f2bec73d26a42d56d7c826c36c52dbf

SHA256
8ffd74559e4b0f8c50df8a56c24a0f23eb913b04a2935d0bda7c1e7975db81d8

SHA512
a8e2de129a23a44b0699c0fa6ed7edf6d71e68add54e01cfd015105d23349fc6de17f812c18a2be57f72e23a1db9b34221ca291219181842f110004e0bad9c75

Download Submit
C:\Windows\System\lQWYTAn.exe

Filesize
5.2MB

MD5
9e10a74f50b304cf316c249e1034e2b2

SHA1
9df0df8a37381b62a10de5e073d46b6e0309ddf9

SHA256
f9321d3e907fe90e78339d9630a044ed332b8d6c1fc5d10898642172438706b4

SHA512
41a8f842d0844ead080db55ac5df61e34521f7cd1697e94b643433bdcceea22845b747a75fff70ccf892887b7eb9ae148bf5cb5f30f2c5d2d4c708cbdf039131

Download Submit
C:\Windows\System\qapBbBU.exe

Filesize
5.2MB

MD5
975f5efad9cf16bcd8fb2b940a08a954

SHA1
6258188a9c7161dfb582975e633617161f01b581

SHA256
d26a39cd1c94c8425a5d3c0ecdc6ee7864f79aa5b2ab71b9a66a722a182d42f9

SHA512
dead6f98518df73896bbece373f3ee88413d1dac0601544294e0ae84b5fafde049a5a42321ac52577b3f17767c20ca066729030ff1e7057c59a4c12f9df5d3ed

Download Submit
C:\Windows\System\uQiJeMc.exe

Filesize
5.2MB

MD5
30d997de6d27cfe69ff6cc1f0d8d3db6

SHA1
14e652721a4af9bd845cc4ebb81be5783878e8d9

SHA256
16019b1f04072dd5dd953a4a6ce64f5e92e7f71ec2b3e8e3086860724062ec48

SHA512
bb2f79b194000412ed5db55555eebaf8841b93ee3fa8edf799e2eee7e0c1bcdf82d2e132d1f643a16b9695fd105b7126f648e9b17131abdb8283ba79cb715e06

Download Submit
C:\Windows\System\uwJyUiK.exe

Filesize
5.2MB

MD5
367300a7a5481d2376f39f6df536c9dd

SHA1
22815c51e6eaf0bf52a6d044a25e2ed8a74e32a7

SHA256
b22068da2ea1351f89cab4d93d2f91332bf94408cfe874e3b29ddbb80d1ce51a

SHA512
193f10f45016bf02c75368f2e673377162d867fd5c4e4cc6501b4e98f588583098dbdd69483caff6e2dc368db940f95139e77fd1349746659bd70e5a93c6f564

Download Submit
C:\Windows\System\whecQYh.exe

Filesize
5.2MB

MD5
27d1437ef227705b1330099073bc9864

SHA1
122ba2ea271c5adc54714a024f7bb21975f8d684

SHA256
73ddebd97f8ee37c261682d030c7885ae23ee10b5aa6b7e53850ca0bde323428

SHA512
f1b41f0fe4b36e0729b6dd6d26010e62f13e28cbadddbb23f4f885fe34ec30b5729576297b948efb4d467c9a93c8e271d6993e141fc8ff9f94bee6f233059aa6

Download Submit
C:\Windows\System\xCmTEgm.exe

Filesize
5.2MB

MD5
e69b4b51b9667b030bde3be4cd887e7f

SHA1
f537b79f84262f1805e64aae070d2f7ce3668428

SHA256
f5caa178af43ad59a9a7d8dea1ecb75b91b0f9b34e64841023f0dd9066375400

SHA512
64050fa139e92a19b8984ca4f26a803bba9d2950e5b621ad7259850b2072fbf6ed909ce2fe4092ff5a277a83dfd7cba319a497be1c5427a5035081fbf1dfc747

Download Submit
C:\Windows\System\zAKhpFG.exe

Filesize
5.2MB

MD5
7c618cfe29fece7cc20f5dcb218cd3d3

SHA1
21d199c373e1b5bebbe02dc3832d07da83d56ff4

SHA256
481d572e1b131f981a020e7f140d9f5cb785d21396246e74ea12048c6dfff017

SHA512
12bc944e48751de3964bfb34a042c53ab82db2727b40ed26f938e2b9757e24a3558cbf66a7ca8ae7f7576e9a71f67903245e37e624f8e553d63b3e64d1599267

Download Submit
memory/508-102-0x00007FF6591A0000-0x00007FF6594F1000-memory.dmp

Filesize
3.3MB

Download
memory/508-148-0x00007FF6591A0000-0x00007FF6594F1000-memory.dmp

Filesize
3.3MB

Download
memory/508-257-0x00007FF6591A0000-0x00007FF6594F1000-memory.dmp

Filesize
3.3MB

Download
memory/1736-249-0x00007FF6B59F0000-0x00007FF6B5D41000-memory.dmp

Filesize
3.3MB

Download
memory/1736-123-0x00007FF6B59F0000-0x00007FF6B5D41000-memory.dmp

Filesize
3.3MB

Download
memory/2792-240-0x00007FF729400000-0x00007FF729751000-memory.dmp

Filesize
3.3MB

Download
memory/2792-120-0x00007FF729400000-0x00007FF729751000-memory.dmp

Filesize
3.3MB

Download
memory/2848-91-0x00007FF763A20000-0x00007FF763D71000-memory.dmp

Filesize
3.3MB

Download
memory/2848-236-0x00007FF763A20000-0x00007FF763D71000-memory.dmp

Filesize
3.3MB

Download
memory/2848-144-0x00007FF763A20000-0x00007FF763D71000-memory.dmp

Filesize
3.3MB

Download
memory/2960-137-0x00007FF7141B0000-0x00007FF714501000-memory.dmp

Filesize
3.3MB

Download
memory/2960-228-0x00007FF7141B0000-0x00007FF714501000-memory.dmp

Filesize
3.3MB

Download
memory/2960-40-0x00007FF7141B0000-0x00007FF714501000-memory.dmp

Filesize
3.3MB

Download
memory/2964-251-0x00007FF6D4BC0000-0x00007FF6D4F11000-memory.dmp

Filesize
3.3MB

Download
memory/2964-108-0x00007FF6D4BC0000-0x00007FF6D4F11000-memory.dmp

Filesize
3.3MB

Download
memory/2964-149-0x00007FF6D4BC0000-0x00007FF6D4F11000-memory.dmp

Filesize
3.3MB

Download
memory/3044-119-0x00007FF604D30000-0x00007FF605081000-memory.dmp

Filesize
3.3MB

Download
memory/3044-203-0x00007FF604D30000-0x00007FF605081000-memory.dmp

Filesize
3.3MB

Download
memory/3044-6-0x00007FF604D30000-0x00007FF605081000-memory.dmp

Filesize
3.3MB

Download
memory/3144-146-0x00007FF6F26A0000-0x00007FF6F29F1000-memory.dmp

Filesize
3.3MB

Download
memory/3144-246-0x00007FF6F26A0000-0x00007FF6F29F1000-memory.dmp

Filesize
3.3MB

Download
memory/3144-98-0x00007FF6F26A0000-0x00007FF6F29F1000-memory.dmp

Filesize
3.3MB

Download
memory/3300-214-0x00007FF600540000-0x00007FF600891000-memory.dmp

Filesize
3.3MB

Download
memory/3300-30-0x00007FF600540000-0x00007FF600891000-memory.dmp

Filesize
3.3MB

Download
memory/3300-136-0x00007FF600540000-0x00007FF600891000-memory.dmp

Filesize
3.3MB

Download
memory/3596-207-0x00007FF631E30000-0x00007FF632181000-memory.dmp

Filesize
3.3MB

Download
memory/3596-134-0x00007FF631E30000-0x00007FF632181000-memory.dmp

Filesize
3.3MB

Download
memory/3596-16-0x00007FF631E30000-0x00007FF632181000-memory.dmp

Filesize
3.3MB

Download
memory/3684-260-0x00007FF627CA0000-0x00007FF627FF1000-memory.dmp

Filesize
3.3MB

Download
memory/3684-129-0x00007FF627CA0000-0x00007FF627FF1000-memory.dmp

Filesize
3.3MB

Download
memory/4120-50-0x00007FF64D880000-0x00007FF64DBD1000-memory.dmp

Filesize
3.3MB

Download
memory/4120-233-0x00007FF64D880000-0x00007FF64DBD1000-memory.dmp

Filesize
3.3MB

Download
memory/4120-139-0x00007FF64D880000-0x00007FF64DBD1000-memory.dmp

Filesize
3.3MB

Download
memory/4124-138-0x00007FF7AFCF0000-0x00007FF7B0041000-memory.dmp

Filesize
3.3MB

Download
memory/4124-226-0x00007FF7AFCF0000-0x00007FF7B0041000-memory.dmp

Filesize
3.3MB

Download
memory/4124-39-0x00007FF7AFCF0000-0x00007FF7B0041000-memory.dmp

Filesize
3.3MB

Download
memory/4248-238-0x00007FF6AA520000-0x00007FF6AA871000-memory.dmp

Filesize
3.3MB

Download
memory/4248-83-0x00007FF6AA520000-0x00007FF6AA871000-memory.dmp

Filesize
3.3MB

Download
memory/4356-1-0x0000026CDE570000-0x0000026CDE580000-memory.dmp

Filesize
64KB

Download
memory/4356-0-0x00007FF65DC60000-0x00007FF65DFB1000-memory.dmp

Filesize
3.3MB

Download
memory/4356-131-0x00007FF65DC60000-0x00007FF65DFB1000-memory.dmp

Filesize
3.3MB

Download
memory/4356-57-0x00007FF65DC60000-0x00007FF65DFB1000-memory.dmp

Filesize
3.3MB

Download
memory/4356-153-0x00007FF65DC60000-0x00007FF65DFB1000-memory.dmp

Filesize
3.3MB

Download
memory/4408-128-0x00007FF7E1C50000-0x00007FF7E1FA1000-memory.dmp

Filesize
3.3MB

Download
memory/4408-258-0x00007FF7E1C50000-0x00007FF7E1FA1000-memory.dmp

Filesize
3.3MB

Download
memory/4536-135-0x00007FF627A30000-0x00007FF627D81000-memory.dmp

Filesize
3.3MB

Download
memory/4536-24-0x00007FF627A30000-0x00007FF627D81000-memory.dmp

Filesize
3.3MB

Download
memory/4536-212-0x00007FF627A30000-0x00007FF627D81000-memory.dmp

Filesize
3.3MB

Download
memory/4572-234-0x00007FF70CB20000-0x00007FF70CE71000-memory.dmp

Filesize
3.3MB

Download
memory/4572-79-0x00007FF70CB20000-0x00007FF70CE71000-memory.dmp

Filesize
3.3MB

Download
memory/4572-140-0x00007FF70CB20000-0x00007FF70CE71000-memory.dmp

Filesize
3.3MB

Download
memory/4628-232-0x00007FF7FA2B0000-0x00007FF7FA601000-memory.dmp

Filesize
3.3MB

Download
memory/4628-54-0x00007FF7FA2B0000-0x00007FF7FA601000-memory.dmp

Filesize
3.3MB

Download
memory/4628-141-0x00007FF7FA2B0000-0x00007FF7FA601000-memory.dmp

Filesize
3.3MB

Download
memory/4864-127-0x00007FF6394A0000-0x00007FF6397F1000-memory.dmp

Filesize
3.3MB

Download
memory/4864-252-0x00007FF6394A0000-0x00007FF6397F1000-memory.dmp

Filesize
3.3MB

Download
memory/5000-205-0x00007FF71FBA0000-0x00007FF71FEF1000-memory.dmp

Filesize
3.3MB

Download
memory/5000-14-0x00007FF71FBA0000-0x00007FF71FEF1000-memory.dmp

Filesize
3.3MB

Download
memory/5000-130-0x00007FF71FBA0000-0x00007FF71FEF1000-memory.dmp

Filesize
3.3MB

Download
memory/5036-255-0x00007FF686310000-0x00007FF686661000-memory.dmp

Filesize
3.3MB

Download
memory/5036-126-0x00007FF686310000-0x00007FF686661000-memory.dmp

Filesize
3.3MB

Download