cobaltstrike | ca5b36b7420bae5c00ea096b75ba2ace97d81c7f02bdc67b4bfd4e95bbf5261b

Analysis

max time kernel
141s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-11-2024 10:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-17_da8f1fe5784c21bf1cd69e3a862bc190_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

da8f1fe5784c21bf1cd69e3a862bc190
SHA1

4578a4b71a0806b9f0dd3dba755f384479697da0
SHA256

ca5b36b7420bae5c00ea096b75ba2ace97d81c7f02bdc67b4bfd4e95bbf5261b
SHA512

48280ffd8b92ff9202b041d8f1cb4bb7c06bb69855b80cc1cccf40acf539e722d9a5255cc94cf9de5fd1c3fd774ce9476b11b59e3eb7a6ac0ebab2fdbc01254e
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l/:RWWBibf56utgpPFotBER/mQ32lUr

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0008000000023ca3-5.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca8-9.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca7-11.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca9-26.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cac-40.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cae-53.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023caf-59.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb0-64.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb1-69.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb4-83.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb6-97.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb7-103.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb9-109.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb8-107.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb5-92.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb3-82.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb2-77.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cad-50.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023ca4-46.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cab-36.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023caa-32.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/2624-112-0x00007FF663C50000-0x00007FF663FA1000-memory.dmp	xmrig
behavioral2/memory/2096-113-0x00007FF7252D0000-0x00007FF725621000-memory.dmp	xmrig
behavioral2/memory/3484-115-0x00007FF7A43B0000-0x00007FF7A4701000-memory.dmp	xmrig
behavioral2/memory/3164-116-0x00007FF7E52C0000-0x00007FF7E5611000-memory.dmp	xmrig
behavioral2/memory/4216-125-0x00007FF712470000-0x00007FF7127C1000-memory.dmp	xmrig
behavioral2/memory/5084-121-0x00007FF615600000-0x00007FF615951000-memory.dmp	xmrig
behavioral2/memory/4928-119-0x00007FF73D150000-0x00007FF73D4A1000-memory.dmp	xmrig
behavioral2/memory/1272-118-0x00007FF646880000-0x00007FF646BD1000-memory.dmp	xmrig
behavioral2/memory/2956-128-0x00007FF7C00B0000-0x00007FF7C0401000-memory.dmp	xmrig
behavioral2/memory/4900-129-0x00007FF6FDA10000-0x00007FF6FDD61000-memory.dmp	xmrig
behavioral2/memory/560-133-0x00007FF701B20000-0x00007FF701E71000-memory.dmp	xmrig
behavioral2/memory/1848-132-0x00007FF60E670000-0x00007FF60E9C1000-memory.dmp	xmrig
behavioral2/memory/4008-131-0x00007FF7E8560000-0x00007FF7E88B1000-memory.dmp	xmrig
behavioral2/memory/3240-130-0x00007FF6735C0000-0x00007FF673911000-memory.dmp	xmrig
behavioral2/memory/1436-127-0x00007FF65D0F0000-0x00007FF65D441000-memory.dmp	xmrig
behavioral2/memory/3596-126-0x00007FF70F990000-0x00007FF70FCE1000-memory.dmp	xmrig
behavioral2/memory/3852-124-0x00007FF7AD6C0000-0x00007FF7ADA11000-memory.dmp	xmrig
behavioral2/memory/3708-123-0x00007FF7C4530000-0x00007FF7C4881000-memory.dmp	xmrig
behavioral2/memory/2652-122-0x00007FF62D390000-0x00007FF62D6E1000-memory.dmp	xmrig
behavioral2/memory/3276-120-0x00007FF6E5580000-0x00007FF6E58D1000-memory.dmp	xmrig
behavioral2/memory/824-117-0x00007FF73E1C0000-0x00007FF73E511000-memory.dmp	xmrig
behavioral2/memory/3452-114-0x00007FF781E00000-0x00007FF782151000-memory.dmp	xmrig
behavioral2/memory/2624-134-0x00007FF663C50000-0x00007FF663FA1000-memory.dmp	xmrig
behavioral2/memory/2624-156-0x00007FF663C50000-0x00007FF663FA1000-memory.dmp	xmrig
behavioral2/memory/2096-187-0x00007FF7252D0000-0x00007FF725621000-memory.dmp	xmrig
behavioral2/memory/3452-189-0x00007FF781E00000-0x00007FF782151000-memory.dmp	xmrig
behavioral2/memory/3484-191-0x00007FF7A43B0000-0x00007FF7A4701000-memory.dmp	xmrig
behavioral2/memory/3164-193-0x00007FF7E52C0000-0x00007FF7E5611000-memory.dmp	xmrig
behavioral2/memory/824-205-0x00007FF73E1C0000-0x00007FF73E511000-memory.dmp	xmrig
behavioral2/memory/4928-209-0x00007FF73D150000-0x00007FF73D4A1000-memory.dmp	xmrig
behavioral2/memory/1272-207-0x00007FF646880000-0x00007FF646BD1000-memory.dmp	xmrig
behavioral2/memory/4216-219-0x00007FF712470000-0x00007FF7127C1000-memory.dmp	xmrig
behavioral2/memory/3276-216-0x00007FF6E5580000-0x00007FF6E58D1000-memory.dmp	xmrig
behavioral2/memory/3708-221-0x00007FF7C4530000-0x00007FF7C4881000-memory.dmp	xmrig
behavioral2/memory/3596-223-0x00007FF70F990000-0x00007FF70FCE1000-memory.dmp	xmrig
behavioral2/memory/1436-230-0x00007FF65D0F0000-0x00007FF65D441000-memory.dmp	xmrig
behavioral2/memory/2956-232-0x00007FF7C00B0000-0x00007FF7C0401000-memory.dmp	xmrig
behavioral2/memory/3852-218-0x00007FF7AD6C0000-0x00007FF7ADA11000-memory.dmp	xmrig
behavioral2/memory/5084-214-0x00007FF615600000-0x00007FF615951000-memory.dmp	xmrig
behavioral2/memory/2652-212-0x00007FF62D390000-0x00007FF62D6E1000-memory.dmp	xmrig
behavioral2/memory/3240-240-0x00007FF6735C0000-0x00007FF673911000-memory.dmp	xmrig
behavioral2/memory/560-239-0x00007FF701B20000-0x00007FF701E71000-memory.dmp	xmrig
behavioral2/memory/4900-242-0x00007FF6FDA10000-0x00007FF6FDD61000-memory.dmp	xmrig
behavioral2/memory/1848-237-0x00007FF60E670000-0x00007FF60E9C1000-memory.dmp	xmrig
behavioral2/memory/4008-235-0x00007FF7E8560000-0x00007FF7E88B1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2096	PVrOXPs.exe
3452	xleiYqI.exe
3484	QEBqVOm.exe
3164	xSMHITL.exe
824	rTgeGuc.exe
1272	JHltuBo.exe
4928	UQyojGq.exe
3276	GOXotoV.exe
5084	nizqKyF.exe
2652	NIjEJqE.exe
3708	lUIhTfA.exe
3852	TPeOEfX.exe
4216	WkXOIxB.exe
3596	jclIHvv.exe
1436	pPPUZFh.exe
2956	eqHhEcE.exe
4900	dAEHyOZ.exe
3240	ZWnMEQz.exe
4008	KnOHbcu.exe
1848	COOJCit.exe
560	UPfFKkm.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2624-0-0x00007FF663C50000-0x00007FF663FA1000-memory.dmp	upx
behavioral2/files/0x0008000000023ca3-5.dat	upx
behavioral2/files/0x0007000000023ca8-9.dat	upx
behavioral2/files/0x0007000000023ca7-11.dat	upx
behavioral2/memory/3164-24-0x00007FF7E52C0000-0x00007FF7E5611000-memory.dmp	upx
behavioral2/files/0x0007000000023ca9-26.dat	upx
behavioral2/files/0x0007000000023cac-40.dat	upx
behavioral2/files/0x0007000000023cae-53.dat	upx
behavioral2/files/0x0007000000023caf-59.dat	upx
behavioral2/files/0x0007000000023cb0-64.dat	upx
behavioral2/files/0x0007000000023cb1-69.dat	upx
behavioral2/files/0x0007000000023cb4-83.dat	upx
behavioral2/files/0x0007000000023cb6-97.dat	upx
behavioral2/files/0x0007000000023cb7-103.dat	upx
behavioral2/files/0x0007000000023cb9-109.dat	upx
behavioral2/files/0x0007000000023cb8-107.dat	upx
behavioral2/files/0x0007000000023cb5-92.dat	upx
behavioral2/files/0x0007000000023cb3-82.dat	upx
behavioral2/files/0x0007000000023cb2-77.dat	upx
behavioral2/files/0x0007000000023cad-50.dat	upx
behavioral2/files/0x0008000000023ca4-46.dat	upx
behavioral2/files/0x0007000000023cab-36.dat	upx
behavioral2/files/0x0007000000023caa-32.dat	upx
behavioral2/memory/3484-17-0x00007FF7A43B0000-0x00007FF7A4701000-memory.dmp	upx
behavioral2/memory/3452-13-0x00007FF781E00000-0x00007FF782151000-memory.dmp	upx
behavioral2/memory/2096-6-0x00007FF7252D0000-0x00007FF725621000-memory.dmp	upx
behavioral2/memory/824-111-0x00007FF73E1C0000-0x00007FF73E511000-memory.dmp	upx
behavioral2/memory/2624-112-0x00007FF663C50000-0x00007FF663FA1000-memory.dmp	upx
behavioral2/memory/2096-113-0x00007FF7252D0000-0x00007FF725621000-memory.dmp	upx
behavioral2/memory/3484-115-0x00007FF7A43B0000-0x00007FF7A4701000-memory.dmp	upx
behavioral2/memory/3164-116-0x00007FF7E52C0000-0x00007FF7E5611000-memory.dmp	upx
behavioral2/memory/4216-125-0x00007FF712470000-0x00007FF7127C1000-memory.dmp	upx
behavioral2/memory/5084-121-0x00007FF615600000-0x00007FF615951000-memory.dmp	upx
behavioral2/memory/4928-119-0x00007FF73D150000-0x00007FF73D4A1000-memory.dmp	upx
behavioral2/memory/1272-118-0x00007FF646880000-0x00007FF646BD1000-memory.dmp	upx
behavioral2/memory/2956-128-0x00007FF7C00B0000-0x00007FF7C0401000-memory.dmp	upx
behavioral2/memory/4900-129-0x00007FF6FDA10000-0x00007FF6FDD61000-memory.dmp	upx
behavioral2/memory/560-133-0x00007FF701B20000-0x00007FF701E71000-memory.dmp	upx
behavioral2/memory/1848-132-0x00007FF60E670000-0x00007FF60E9C1000-memory.dmp	upx
behavioral2/memory/4008-131-0x00007FF7E8560000-0x00007FF7E88B1000-memory.dmp	upx
behavioral2/memory/3240-130-0x00007FF6735C0000-0x00007FF673911000-memory.dmp	upx
behavioral2/memory/1436-127-0x00007FF65D0F0000-0x00007FF65D441000-memory.dmp	upx
behavioral2/memory/3596-126-0x00007FF70F990000-0x00007FF70FCE1000-memory.dmp	upx
behavioral2/memory/3852-124-0x00007FF7AD6C0000-0x00007FF7ADA11000-memory.dmp	upx
behavioral2/memory/3708-123-0x00007FF7C4530000-0x00007FF7C4881000-memory.dmp	upx
behavioral2/memory/2652-122-0x00007FF62D390000-0x00007FF62D6E1000-memory.dmp	upx
behavioral2/memory/3276-120-0x00007FF6E5580000-0x00007FF6E58D1000-memory.dmp	upx
behavioral2/memory/824-117-0x00007FF73E1C0000-0x00007FF73E511000-memory.dmp	upx
behavioral2/memory/3452-114-0x00007FF781E00000-0x00007FF782151000-memory.dmp	upx
behavioral2/memory/2624-134-0x00007FF663C50000-0x00007FF663FA1000-memory.dmp	upx
behavioral2/memory/2624-156-0x00007FF663C50000-0x00007FF663FA1000-memory.dmp	upx
behavioral2/memory/2096-187-0x00007FF7252D0000-0x00007FF725621000-memory.dmp	upx
behavioral2/memory/3452-189-0x00007FF781E00000-0x00007FF782151000-memory.dmp	upx
behavioral2/memory/3484-191-0x00007FF7A43B0000-0x00007FF7A4701000-memory.dmp	upx
behavioral2/memory/3164-193-0x00007FF7E52C0000-0x00007FF7E5611000-memory.dmp	upx
behavioral2/memory/824-205-0x00007FF73E1C0000-0x00007FF73E511000-memory.dmp	upx
behavioral2/memory/4928-209-0x00007FF73D150000-0x00007FF73D4A1000-memory.dmp	upx
behavioral2/memory/1272-207-0x00007FF646880000-0x00007FF646BD1000-memory.dmp	upx
behavioral2/memory/4216-219-0x00007FF712470000-0x00007FF7127C1000-memory.dmp	upx
behavioral2/memory/3276-216-0x00007FF6E5580000-0x00007FF6E58D1000-memory.dmp	upx
behavioral2/memory/3708-221-0x00007FF7C4530000-0x00007FF7C4881000-memory.dmp	upx
behavioral2/memory/3596-223-0x00007FF70F990000-0x00007FF70FCE1000-memory.dmp	upx
behavioral2/memory/1436-230-0x00007FF65D0F0000-0x00007FF65D441000-memory.dmp	upx
behavioral2/memory/2956-232-0x00007FF7C00B0000-0x00007FF7C0401000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\xSMHITL.exe	2024-11-17_da8f1fe5784c21bf1cd69e3a862bc190_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JHltuBo.exe	2024-11-17_da8f1fe5784c21bf1cd69e3a862bc190_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UQyojGq.exe	2024-11-17_da8f1fe5784c21bf1cd69e3a862bc190_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GOXotoV.exe	2024-11-17_da8f1fe5784c21bf1cd69e3a862bc190_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NIjEJqE.exe	2024-11-17_da8f1fe5784c21bf1cd69e3a862bc190_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TPeOEfX.exe	2024-11-17_da8f1fe5784c21bf1cd69e3a862bc190_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PVrOXPs.exe	2024-11-17_da8f1fe5784c21bf1cd69e3a862bc190_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QEBqVOm.exe	2024-11-17_da8f1fe5784c21bf1cd69e3a862bc190_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dAEHyOZ.exe	2024-11-17_da8f1fe5784c21bf1cd69e3a862bc190_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UPfFKkm.exe	2024-11-17_da8f1fe5784c21bf1cd69e3a862bc190_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jclIHvv.exe	2024-11-17_da8f1fe5784c21bf1cd69e3a862bc190_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZWnMEQz.exe	2024-11-17_da8f1fe5784c21bf1cd69e3a862bc190_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\COOJCit.exe	2024-11-17_da8f1fe5784c21bf1cd69e3a862bc190_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xleiYqI.exe	2024-11-17_da8f1fe5784c21bf1cd69e3a862bc190_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nizqKyF.exe	2024-11-17_da8f1fe5784c21bf1cd69e3a862bc190_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pPPUZFh.exe	2024-11-17_da8f1fe5784c21bf1cd69e3a862bc190_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KnOHbcu.exe	2024-11-17_da8f1fe5784c21bf1cd69e3a862bc190_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lUIhTfA.exe	2024-11-17_da8f1fe5784c21bf1cd69e3a862bc190_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WkXOIxB.exe	2024-11-17_da8f1fe5784c21bf1cd69e3a862bc190_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rTgeGuc.exe	2024-11-17_da8f1fe5784c21bf1cd69e3a862bc190_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eqHhEcE.exe	2024-11-17_da8f1fe5784c21bf1cd69e3a862bc190_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2624	2024-11-17_da8f1fe5784c21bf1cd69e3a862bc190_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2624	2024-11-17_da8f1fe5784c21bf1cd69e3a862bc190_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2624 wrote to memory of 2096	2624	2024-11-17_da8f1fe5784c21bf1cd69e3a862bc190_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2624 wrote to memory of 2096	2624	2024-11-17_da8f1fe5784c21bf1cd69e3a862bc190_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2624 wrote to memory of 3452	2624	2024-11-17_da8f1fe5784c21bf1cd69e3a862bc190_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2624 wrote to memory of 3452	2624	2024-11-17_da8f1fe5784c21bf1cd69e3a862bc190_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2624 wrote to memory of 3484	2624	2024-11-17_da8f1fe5784c21bf1cd69e3a862bc190_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2624 wrote to memory of 3484	2624	2024-11-17_da8f1fe5784c21bf1cd69e3a862bc190_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2624 wrote to memory of 3164	2624	2024-11-17_da8f1fe5784c21bf1cd69e3a862bc190_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2624 wrote to memory of 3164	2624	2024-11-17_da8f1fe5784c21bf1cd69e3a862bc190_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2624 wrote to memory of 824	2624	2024-11-17_da8f1fe5784c21bf1cd69e3a862bc190_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2624 wrote to memory of 824	2624	2024-11-17_da8f1fe5784c21bf1cd69e3a862bc190_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2624 wrote to memory of 1272	2624	2024-11-17_da8f1fe5784c21bf1cd69e3a862bc190_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2624 wrote to memory of 1272	2624	2024-11-17_da8f1fe5784c21bf1cd69e3a862bc190_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2624 wrote to memory of 4928	2624	2024-11-17_da8f1fe5784c21bf1cd69e3a862bc190_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2624 wrote to memory of 4928	2624	2024-11-17_da8f1fe5784c21bf1cd69e3a862bc190_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2624 wrote to memory of 3276	2624	2024-11-17_da8f1fe5784c21bf1cd69e3a862bc190_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2624 wrote to memory of 3276	2624	2024-11-17_da8f1fe5784c21bf1cd69e3a862bc190_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2624 wrote to memory of 5084	2624	2024-11-17_da8f1fe5784c21bf1cd69e3a862bc190_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2624 wrote to memory of 5084	2624	2024-11-17_da8f1fe5784c21bf1cd69e3a862bc190_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2624 wrote to memory of 2652	2624	2024-11-17_da8f1fe5784c21bf1cd69e3a862bc190_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2624 wrote to memory of 2652	2624	2024-11-17_da8f1fe5784c21bf1cd69e3a862bc190_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2624 wrote to memory of 3708	2624	2024-11-17_da8f1fe5784c21bf1cd69e3a862bc190_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2624 wrote to memory of 3708	2624	2024-11-17_da8f1fe5784c21bf1cd69e3a862bc190_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2624 wrote to memory of 3852	2624	2024-11-17_da8f1fe5784c21bf1cd69e3a862bc190_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2624 wrote to memory of 3852	2624	2024-11-17_da8f1fe5784c21bf1cd69e3a862bc190_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2624 wrote to memory of 4216	2624	2024-11-17_da8f1fe5784c21bf1cd69e3a862bc190_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2624 wrote to memory of 4216	2624	2024-11-17_da8f1fe5784c21bf1cd69e3a862bc190_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2624 wrote to memory of 3596	2624	2024-11-17_da8f1fe5784c21bf1cd69e3a862bc190_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2624 wrote to memory of 3596	2624	2024-11-17_da8f1fe5784c21bf1cd69e3a862bc190_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2624 wrote to memory of 1436	2624	2024-11-17_da8f1fe5784c21bf1cd69e3a862bc190_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2624 wrote to memory of 1436	2624	2024-11-17_da8f1fe5784c21bf1cd69e3a862bc190_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2624 wrote to memory of 2956	2624	2024-11-17_da8f1fe5784c21bf1cd69e3a862bc190_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2624 wrote to memory of 2956	2624	2024-11-17_da8f1fe5784c21bf1cd69e3a862bc190_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2624 wrote to memory of 4900	2624	2024-11-17_da8f1fe5784c21bf1cd69e3a862bc190_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2624 wrote to memory of 4900	2624	2024-11-17_da8f1fe5784c21bf1cd69e3a862bc190_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2624 wrote to memory of 3240	2624	2024-11-17_da8f1fe5784c21bf1cd69e3a862bc190_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2624 wrote to memory of 3240	2624	2024-11-17_da8f1fe5784c21bf1cd69e3a862bc190_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2624 wrote to memory of 4008	2624	2024-11-17_da8f1fe5784c21bf1cd69e3a862bc190_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2624 wrote to memory of 4008	2624	2024-11-17_da8f1fe5784c21bf1cd69e3a862bc190_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2624 wrote to memory of 1848	2624	2024-11-17_da8f1fe5784c21bf1cd69e3a862bc190_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2624 wrote to memory of 1848	2624	2024-11-17_da8f1fe5784c21bf1cd69e3a862bc190_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2624 wrote to memory of 560	2624	2024-11-17_da8f1fe5784c21bf1cd69e3a862bc190_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 2624 wrote to memory of 560	2624	2024-11-17_da8f1fe5784c21bf1cd69e3a862bc190_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-11-17_da8f1fe5784c21bf1cd69e3a862bc190_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-17_da8f1fe5784c21bf1cd69e3a862bc190_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2624
- C:\Windows\System\PVrOXPs.exe
  C:\Windows\System\PVrOXPs.exe
  2⤵
  - Executes dropped EXE
  PID:2096
- C:\Windows\System\xleiYqI.exe
  C:\Windows\System\xleiYqI.exe
  2⤵
  - Executes dropped EXE
  PID:3452
- C:\Windows\System\QEBqVOm.exe
  C:\Windows\System\QEBqVOm.exe
  2⤵
  - Executes dropped EXE
  PID:3484
- C:\Windows\System\xSMHITL.exe
  C:\Windows\System\xSMHITL.exe
  2⤵
  - Executes dropped EXE
  PID:3164
- C:\Windows\System\rTgeGuc.exe
  C:\Windows\System\rTgeGuc.exe
  2⤵
  - Executes dropped EXE
  PID:824
- C:\Windows\System\JHltuBo.exe
  C:\Windows\System\JHltuBo.exe
  2⤵
  - Executes dropped EXE
  PID:1272
- C:\Windows\System\UQyojGq.exe
  C:\Windows\System\UQyojGq.exe
  2⤵
  - Executes dropped EXE
  PID:4928
- C:\Windows\System\GOXotoV.exe
  C:\Windows\System\GOXotoV.exe
  2⤵
  - Executes dropped EXE
  PID:3276
- C:\Windows\System\nizqKyF.exe
  C:\Windows\System\nizqKyF.exe
  2⤵
  - Executes dropped EXE
  PID:5084
- C:\Windows\System\NIjEJqE.exe
  C:\Windows\System\NIjEJqE.exe
  2⤵
  - Executes dropped EXE
  PID:2652
- C:\Windows\System\lUIhTfA.exe
  C:\Windows\System\lUIhTfA.exe
  2⤵
  - Executes dropped EXE
  PID:3708
- C:\Windows\System\TPeOEfX.exe
  C:\Windows\System\TPeOEfX.exe
  2⤵
  - Executes dropped EXE
  PID:3852
- C:\Windows\System\WkXOIxB.exe
  C:\Windows\System\WkXOIxB.exe
  2⤵
  - Executes dropped EXE
  PID:4216
- C:\Windows\System\jclIHvv.exe
  C:\Windows\System\jclIHvv.exe
  2⤵
  - Executes dropped EXE
  PID:3596
- C:\Windows\System\pPPUZFh.exe
  C:\Windows\System\pPPUZFh.exe
  2⤵
  - Executes dropped EXE
  PID:1436
- C:\Windows\System\eqHhEcE.exe
  C:\Windows\System\eqHhEcE.exe
  2⤵
  - Executes dropped EXE
  PID:2956
- C:\Windows\System\dAEHyOZ.exe
  C:\Windows\System\dAEHyOZ.exe
  2⤵
  - Executes dropped EXE
  PID:4900
- C:\Windows\System\ZWnMEQz.exe
  C:\Windows\System\ZWnMEQz.exe
  2⤵
  - Executes dropped EXE
  PID:3240
- C:\Windows\System\KnOHbcu.exe
  C:\Windows\System\KnOHbcu.exe
  2⤵
  - Executes dropped EXE
  PID:4008
- C:\Windows\System\COOJCit.exe
  C:\Windows\System\COOJCit.exe
  2⤵
  - Executes dropped EXE
  PID:1848
- C:\Windows\System\UPfFKkm.exe
  C:\Windows\System\UPfFKkm.exe
  2⤵
  - Executes dropped EXE
  PID:560

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\COOJCit.exe

Filesize
5.2MB

MD5
94a9c931a3773fbeb567facc645bbe4c

SHA1
9756ab9a076a5fa3bfde44be73530a68e4e51d5f

SHA256
e2041caa15d49c1dce32aa90c6ce26f1c013a4e6550d76b0f228dd04f84ba3b7

SHA512
335524d49986055fefb6130af46ce2030c5dccfe36ed3298112bcac2137d1d5394a64997d840f929bdd951d074c1105388fb01ad98d6151595be666d6905c843

Download Submit
C:\Windows\System\GOXotoV.exe

Filesize
5.2MB

MD5
89f58716efd56bfc5c956e48e9058db6

SHA1
d71c4c4bf15be93062d597f28b6333d78f1f0b3d

SHA256
17f7e3a1b3c9bf217518c9553f51199e5cee7525d02b114b4b4099da074187c9

SHA512
2e039c332be1a60e771bf0e721cdda796286601f0b33229cf7117d802483df36206483eaa83eb8d470fb0df433b4b7ee05bacea22628b637f5b0bffcaa8f6798

Download Submit
C:\Windows\System\JHltuBo.exe

Filesize
5.2MB

MD5
a9d0735f3768f18989c9ba41de1d60d2

SHA1
44473c9f6642ce2bd845806103b1cd0040b838e4

SHA256
49402ab5bc21b00eee3261b1948446d81b810fc73a65ce7f91a0b5b88d29c13a

SHA512
a42dfca1b527c99702f1273c9d70275a77f34640a35ca65f742c19641eda0a4eb0bb2f2c31f3c3d2058923189b0788f534ba0a2a4d1872d8281f11ede008f95f

Download Submit
C:\Windows\System\KnOHbcu.exe

Filesize
5.2MB

MD5
7f90bea89cc2423188d79cf1c506b1b7

SHA1
d8a81dc25a18192946215344961d46f75494a4e5

SHA256
2bb6537df7a28c4f1a8d2dbefb5fe5c7b2051dbc930c90932316e3fc8b869c0a

SHA512
ae9f9c539543a6497c6b4a1664980882747e5b548c760314e882dd85dfd49767157fb768164aae4b133f4212c7b6cac78bcaba8e4c71a4a1099104daa3d90b4c

Download Submit
C:\Windows\System\NIjEJqE.exe

Filesize
5.2MB

MD5
26716094bec9e9048b6f53b1c242b2f0

SHA1
111c4cfbc0bfe2d41c69bab76b86de0b1734281b

SHA256
766ed84bf3e851237a245b9281bc5102761ec6d89a62e94fe76ec04113348db9

SHA512
b1cd780729d01a28e6991268513b85539f4054fc76b9fa842629e30049e689c569cc3157a952193e4c6fa51638b002773b15639a03aa4da328c007d0e3750b48

Download Submit
C:\Windows\System\PVrOXPs.exe

Filesize
5.2MB

MD5
b187cc5d08fb8807c9e58054d23eb194

SHA1
d91ae096bfadf4bd8037a145610023c5873ecb3d

SHA256
8aef6f1c82f1fa50f2c317ec50e5bc63b128c274904649d17950c052cff8d898

SHA512
8535f9180aa17c81d10f67c888d656c8ab9320dda539ed88903e3ae64f8f97f43c2e1adb1fc837963a412b9f4949b887bd6791a5b31bb3738a0860aabb82f3f2

Download Submit
C:\Windows\System\QEBqVOm.exe

Filesize
5.2MB

MD5
66ef21c52fc9e4b0a3cc431ad0fdf879

SHA1
746c555a82257364e201a364e44e2fb1bfda7dd1

SHA256
aeb7803817d07eafe6b5f22aa75f7bfcc1e062eb6b4b2623be641df8e0e6848e

SHA512
abf7a85ca9aedf7f5ea41488e06cf7200331d0fea6513de5bb8d8ff884e413f8eb56398244329590506e4226e0a2b3fe6f3cd557ee3ff20283aa2b4b0e45e6e0

Download Submit
C:\Windows\System\TPeOEfX.exe

Filesize
5.2MB

MD5
efabdb73f9f8e2578280f5b02467e57e

SHA1
efd386316083c488eabc0ed273857f0d2032c419

SHA256
0fd58b4b5343c400ab766f64e4266bff8405c13fd300b12d42406312ed7a8b55

SHA512
3bfd5505fddacc97a09b4cd1bf0121c4c877bae620350a92906e09d6aee75f47621eea99e68d06472d75e54e05203a33ac783f8a880a812c7f9f3f0e08033df4

Download Submit
C:\Windows\System\UPfFKkm.exe

Filesize
5.2MB

MD5
d4d734adea249f33411ac1ff20863b11

SHA1
0c3ad2a243a0e00cd054480d65db6861c7b64304

SHA256
65dcc9945e17ed88de9b47f15a4f8ae183805a919c349ce1253cafa66b2b904f

SHA512
1e6d840aa27508b52c92d8a2c02017d0a5ca0a80abdee1a4a17920f1580e17cd74bc2999e047d68aa678e1ae20c573ce3884d7381748a61bde5f2aa993213dca

Download Submit
C:\Windows\System\UQyojGq.exe

Filesize
5.2MB

MD5
6179bf34f5f3419e6fdf1c6e5cd141b7

SHA1
55a6bd8da23b99d5ec1ee5a3a4f2a667680f0cf1

SHA256
9c1ac2f13c796406574652c52147283b75815645589f658e1e0c684db08e3db8

SHA512
23de57625182b645f337622eb99e0bf8ec4b325ec8d73109a80240e016b402dbd0264b2aab690e0c37985a62305ebbe0f789b753b5b67ce4e90a0e9c85355a8c

Download Submit
C:\Windows\System\WkXOIxB.exe

Filesize
5.2MB

MD5
13f8ab1a98dfdde55151c8a38aa9212e

SHA1
75c8b3959393b9f2e18a242ac20b69abdcdebcb2

SHA256
9fa22416a44c3d69daadb4b58f80c05c5a11324898b99be5fced28c5dca0aab8

SHA512
6d568abfc37e4b943b87360efd89cbd3079a5a0c0c0e897ed118a1ec32c002f0638edac751fb7c2af3fa2959437221bd2dcd568d1ee558380524a9ad7febb854

Download Submit
C:\Windows\System\ZWnMEQz.exe

Filesize
5.2MB

MD5
15afa06ff150fb062b81886daa77e84c

SHA1
180cd79a8fa7ee731a42b81dadfad2cd270c82f1

SHA256
4cd49dfa656ba965288f674adf4f3c20587e95a8c92b5aa70340ea9eaa533e95

SHA512
df5fc0d4734fe0d7ea854be7c75c86283d240d69b77030567d469234fd7e3f1bc99735c4e0b38f12cc0b30ff934704b5cd6b4924da08e61f5599ceb79318d87d

Download Submit
C:\Windows\System\dAEHyOZ.exe

Filesize
5.2MB

MD5
b8559d9f0f46c9d6e81e6dc705bf76d0

SHA1
70a2d1ff8786f910379e2940091e2055c58f2890

SHA256
875167a087a09578138e04785d317d9843e17c2dec4bc7aa0d272f09b388c13c

SHA512
f22ea05e2aa6249cd7aadc172a2884d5af2a06876c955fa9c7a4a34a9cea4b39a1a33d8f30be84220af031fa8b66c33ee940455ab8bab3d244a2f3483978e0f0

Download Submit
C:\Windows\System\eqHhEcE.exe

Filesize
5.2MB

MD5
a818c937042feaa4886eab4dbaf1527b

SHA1
39039eef8805c07c5780642e60cce52b0573b88e

SHA256
f0c0f95b9b5396180242ecdec1ebbe6a518830ab700ca7224347bc48f0c25ff0

SHA512
36efc20b701589a7c99bdfac20c6a2f4a061bec96df80e0c56d358593206bf3d1135f1934a6881259ddea5757536c8cae72ff4bdf133496a429f41edf595a938

Download Submit
C:\Windows\System\jclIHvv.exe

Filesize
5.2MB

MD5
d66b814ad210a2803fb5f9747e8aec7f

SHA1
5ec399120cd2eb4087991e63eafda82f3c0d2ef8

SHA256
f39982491e7f1b2cd2179755568b05f526c717f43dcbaa5a43d62d4f6fa0ba90

SHA512
57fe695d3043284f204b9d22b1601b2202f3c3bd4a6f5d7bce4d73c30090c110e052c3985536439255f98eefa937b9055981df3fbb0260697d00c76b8f5d2f67

Download Submit
C:\Windows\System\lUIhTfA.exe

Filesize
5.2MB

MD5
8c92967f8bef2c3b5ac580edf73ca82a

SHA1
046304e97f9a17c9c58aac42635f9d88f9ea8685

SHA256
1dc6f6dbeabc7c9818e9afbd6b0d1d6cbb34acd27eac277c41ff81f298b3133a

SHA512
c34c9ac14a0e5f7408ae41e3c13899f0fd44e8541eb63e92e94e1cf4bf2101c6aa89796d30bbfbdf29750bec2201c0aac0359db787e1b838391475b7728d183a

Download Submit
C:\Windows\System\nizqKyF.exe

Filesize
5.2MB

MD5
456d431a6f79957668e38de0a399492d

SHA1
07ba3320572fa0e52077e7712b55bb82e9edeebb

SHA256
6142926cc7250bda9c5d3a666e63ebb669137009dc06b79303b7e901bd10dce5

SHA512
788f8d681fda4e03b62edb28981d8df74d7f64e56ffebb07649d5aa2ddc5f0c25e879e05c65e5478f1a73a6ff7f1b2af1a7ee50be291cc623add9733308a8ab1

Download Submit
C:\Windows\System\pPPUZFh.exe

Filesize
5.2MB

MD5
00eb6e43d52f43410d188b74d7c0d59d

SHA1
aa65ecc5faaf3a436e7f76bb70726a3f16e21905

SHA256
3260a827ecf400c4e68075e40a05fe46d170fb09d83ddc4111c4ee891342961e

SHA512
807d36cac43a941cd574dc6c02f60ef8d8c63b1547df78dd0fcd89c385ccede73ef4ba78bb960d64abb56fa7f5b207cfd5d4a9db645c00d057f3618c4bc2c3cc

Download Submit
C:\Windows\System\rTgeGuc.exe

Filesize
5.2MB

MD5
f5dc140a16254e13bcd0e696f0463f4f

SHA1
f4f1e7c5e8ab61ed433624bcf505dee2e67e81d5

SHA256
cf91a426d071c299f7c0c69a6de9d5ff5e310a7c48aeeae2377ca2a26fd45ff2

SHA512
9a52783a32eab69a94455e44cce23f938565176c8b667b19c43caf66c0d938e6f0f471c48d41c278c494eb8c7eba7877e72f8714ffb19b9040e1957b79d87943

Download Submit
C:\Windows\System\xSMHITL.exe

Filesize
5.2MB

MD5
62cdad959e84c8c32460a3218b839a50

SHA1
5f57a98501291bf8688cf4c3f2a352286d39a05f

SHA256
b2ef44be30918d68cd48a710321495dfe204807faf87821a1ee5105c9c1d13b7

SHA512
7b75de13adb5c3ff32c422b9536037ec1d2015102c5e1803529d08bb5c7f13b556a8ad0a8210348522706701793c83cfbe87eacfc541d7e6a5828a6a1aef59b9

Download Submit
C:\Windows\System\xleiYqI.exe

Filesize
5.2MB

MD5
2783029cbb58426cbf00e5182bc0035b

SHA1
f9cfc3248b02f5fdb2c0a85441dbc87586e593cf

SHA256
703fe6125969fabf13278de1b8fd0a28b0ee9da7afd82aa2940d85e1482ab71a

SHA512
bf777976d4266ead00911072656dc3bd745b10714bda99a9f290740195c1e71ab13d42763e17cab369ee0baf623d744f7e55b7003b383548bdbd3ee88dec70e3

Download Submit
memory/560-133-0x00007FF701B20000-0x00007FF701E71000-memory.dmp

Filesize
3.3MB

Download
memory/560-239-0x00007FF701B20000-0x00007FF701E71000-memory.dmp

Filesize
3.3MB

Download
memory/824-111-0x00007FF73E1C0000-0x00007FF73E511000-memory.dmp

Filesize
3.3MB

Download
memory/824-117-0x00007FF73E1C0000-0x00007FF73E511000-memory.dmp

Filesize
3.3MB

Download
memory/824-205-0x00007FF73E1C0000-0x00007FF73E511000-memory.dmp

Filesize
3.3MB

Download
memory/1272-118-0x00007FF646880000-0x00007FF646BD1000-memory.dmp

Filesize
3.3MB

Download
memory/1272-207-0x00007FF646880000-0x00007FF646BD1000-memory.dmp

Filesize
3.3MB

Download
memory/1436-127-0x00007FF65D0F0000-0x00007FF65D441000-memory.dmp

Filesize
3.3MB

Download
memory/1436-230-0x00007FF65D0F0000-0x00007FF65D441000-memory.dmp

Filesize
3.3MB

Download
memory/1848-237-0x00007FF60E670000-0x00007FF60E9C1000-memory.dmp

Filesize
3.3MB

Download
memory/1848-132-0x00007FF60E670000-0x00007FF60E9C1000-memory.dmp

Filesize
3.3MB

Download
memory/2096-187-0x00007FF7252D0000-0x00007FF725621000-memory.dmp

Filesize
3.3MB

Download
memory/2096-6-0x00007FF7252D0000-0x00007FF725621000-memory.dmp

Filesize
3.3MB

Download
memory/2096-113-0x00007FF7252D0000-0x00007FF725621000-memory.dmp

Filesize
3.3MB

Download
memory/2624-156-0x00007FF663C50000-0x00007FF663FA1000-memory.dmp

Filesize
3.3MB

Download
memory/2624-1-0x00000226B4B40000-0x00000226B4B50000-memory.dmp

Filesize
64KB

Download
memory/2624-0-0x00007FF663C50000-0x00007FF663FA1000-memory.dmp

Filesize
3.3MB

Download
memory/2624-134-0x00007FF663C50000-0x00007FF663FA1000-memory.dmp

Filesize
3.3MB

Download
memory/2624-112-0x00007FF663C50000-0x00007FF663FA1000-memory.dmp

Filesize
3.3MB

Download
memory/2652-212-0x00007FF62D390000-0x00007FF62D6E1000-memory.dmp

Filesize
3.3MB

Download
memory/2652-122-0x00007FF62D390000-0x00007FF62D6E1000-memory.dmp

Filesize
3.3MB

Download
memory/2956-128-0x00007FF7C00B0000-0x00007FF7C0401000-memory.dmp

Filesize
3.3MB

Download
memory/2956-232-0x00007FF7C00B0000-0x00007FF7C0401000-memory.dmp

Filesize
3.3MB

Download
memory/3164-24-0x00007FF7E52C0000-0x00007FF7E5611000-memory.dmp

Filesize
3.3MB

Download
memory/3164-116-0x00007FF7E52C0000-0x00007FF7E5611000-memory.dmp

Filesize
3.3MB

Download
memory/3164-193-0x00007FF7E52C0000-0x00007FF7E5611000-memory.dmp

Filesize
3.3MB

Download
memory/3240-240-0x00007FF6735C0000-0x00007FF673911000-memory.dmp

Filesize
3.3MB

Download
memory/3240-130-0x00007FF6735C0000-0x00007FF673911000-memory.dmp

Filesize
3.3MB

Download
memory/3276-120-0x00007FF6E5580000-0x00007FF6E58D1000-memory.dmp

Filesize
3.3MB

Download
memory/3276-216-0x00007FF6E5580000-0x00007FF6E58D1000-memory.dmp

Filesize
3.3MB

Download
memory/3452-114-0x00007FF781E00000-0x00007FF782151000-memory.dmp

Filesize
3.3MB

Download
memory/3452-189-0x00007FF781E00000-0x00007FF782151000-memory.dmp

Filesize
3.3MB

Download
memory/3452-13-0x00007FF781E00000-0x00007FF782151000-memory.dmp

Filesize
3.3MB

Download
memory/3484-17-0x00007FF7A43B0000-0x00007FF7A4701000-memory.dmp

Filesize
3.3MB

Download
memory/3484-191-0x00007FF7A43B0000-0x00007FF7A4701000-memory.dmp

Filesize
3.3MB

Download
memory/3484-115-0x00007FF7A43B0000-0x00007FF7A4701000-memory.dmp

Filesize
3.3MB

Download
memory/3596-126-0x00007FF70F990000-0x00007FF70FCE1000-memory.dmp

Filesize
3.3MB

Download
memory/3596-223-0x00007FF70F990000-0x00007FF70FCE1000-memory.dmp

Filesize
3.3MB

Download
memory/3708-221-0x00007FF7C4530000-0x00007FF7C4881000-memory.dmp

Filesize
3.3MB

Download
memory/3708-123-0x00007FF7C4530000-0x00007FF7C4881000-memory.dmp

Filesize
3.3MB

Download
memory/3852-218-0x00007FF7AD6C0000-0x00007FF7ADA11000-memory.dmp

Filesize
3.3MB

Download
memory/3852-124-0x00007FF7AD6C0000-0x00007FF7ADA11000-memory.dmp

Filesize
3.3MB

Download
memory/4008-131-0x00007FF7E8560000-0x00007FF7E88B1000-memory.dmp

Filesize
3.3MB

Download
memory/4008-235-0x00007FF7E8560000-0x00007FF7E88B1000-memory.dmp

Filesize
3.3MB

Download
memory/4216-125-0x00007FF712470000-0x00007FF7127C1000-memory.dmp

Filesize
3.3MB

Download
memory/4216-219-0x00007FF712470000-0x00007FF7127C1000-memory.dmp

Filesize
3.3MB

Download
memory/4900-129-0x00007FF6FDA10000-0x00007FF6FDD61000-memory.dmp

Filesize
3.3MB

Download
memory/4900-242-0x00007FF6FDA10000-0x00007FF6FDD61000-memory.dmp

Filesize
3.3MB

Download
memory/4928-209-0x00007FF73D150000-0x00007FF73D4A1000-memory.dmp

Filesize
3.3MB

Download
memory/4928-119-0x00007FF73D150000-0x00007FF73D4A1000-memory.dmp

Filesize
3.3MB

Download
memory/5084-214-0x00007FF615600000-0x00007FF615951000-memory.dmp

Filesize
3.3MB

Download
memory/5084-121-0x00007FF615600000-0x00007FF615951000-memory.dmp

Filesize
3.3MB

Download