cobaltstrike | 79a4805597e0e66559bbe66a762ec33164455c23796a16dbd1ac0724710c1158

Analysis

max time kernel
150s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18/11/2024, 02:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-18_5fd2801560427896fa023e85b33000b5_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

5fd2801560427896fa023e85b33000b5
SHA1

13c098a61c854981c9819d4d64b613e6b10fccad
SHA256

79a4805597e0e66559bbe66a762ec33164455c23796a16dbd1ac0724710c1158
SHA512

240e025a5be27fada221a9f75a72e1aa981eb46c90cf8e8ad938bde95f6513cec64b9a163c1dedcbf6f461a70505d61f6a93b0c271b66ef4586ef75a636fdeb8
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lJ:RWWBibf56utgpPFotBER/mQ32lU1

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000b000000023bbc-5.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bcc-7.dat	cobalt_reflective_dll
behavioral2/files/0x000e000000023bc3-15.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023bd1-22.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023bd3-31.dat	cobalt_reflective_dll
behavioral2/files/0x000e000000023bd7-41.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bd9-46.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023bd2-35.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bdc-52.dat	cobalt_reflective_dll
behavioral2/files/0x0002000000022af2-60.dat	cobalt_reflective_dll
behavioral2/files/0x000c000000023bb3-84.dat	cobalt_reflective_dll
behavioral2/files/0x0011000000023b29-88.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bdd-91.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bdf-117.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c10-124.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c0f-122.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c0e-120.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bde-113.dat	cobalt_reflective_dll
behavioral2/files/0x000e000000023b28-86.dat	cobalt_reflective_dll
behavioral2/files/0x000d000000023b27-81.dat	cobalt_reflective_dll
behavioral2/files/0x000e000000023b24-71.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/2056-23-0x00007FF63CB20000-0x00007FF63CE71000-memory.dmp	xmrig
behavioral2/memory/4748-55-0x00007FF62CEF0000-0x00007FF62D241000-memory.dmp	xmrig
behavioral2/memory/2744-62-0x00007FF6751C0000-0x00007FF675511000-memory.dmp	xmrig
behavioral2/memory/432-70-0x00007FF640E70000-0x00007FF6411C1000-memory.dmp	xmrig
behavioral2/memory/4472-69-0x00007FF686970000-0x00007FF686CC1000-memory.dmp	xmrig
behavioral2/memory/968-108-0x00007FF6EF520000-0x00007FF6EF871000-memory.dmp	xmrig
behavioral2/memory/4896-129-0x00007FF772A90000-0x00007FF772DE1000-memory.dmp	xmrig
behavioral2/memory/4804-131-0x00007FF6A4290000-0x00007FF6A45E1000-memory.dmp	xmrig
behavioral2/memory/2460-130-0x00007FF734F50000-0x00007FF7352A1000-memory.dmp	xmrig
behavioral2/memory/1144-128-0x00007FF6ABF70000-0x00007FF6AC2C1000-memory.dmp	xmrig
behavioral2/memory/1592-125-0x00007FF78C570000-0x00007FF78C8C1000-memory.dmp	xmrig
behavioral2/memory/4756-119-0x00007FF603B10000-0x00007FF603E61000-memory.dmp	xmrig
behavioral2/memory/3604-101-0x00007FF75B9A0000-0x00007FF75BCF1000-memory.dmp	xmrig
behavioral2/memory/1580-139-0x00007FF764060000-0x00007FF7643B1000-memory.dmp	xmrig
behavioral2/memory/1348-140-0x00007FF603E70000-0x00007FF6041C1000-memory.dmp	xmrig
behavioral2/memory/2276-142-0x00007FF7FEFE0000-0x00007FF7FF331000-memory.dmp	xmrig
behavioral2/memory/4748-132-0x00007FF62CEF0000-0x00007FF62D241000-memory.dmp	xmrig
behavioral2/memory/2272-141-0x00007FF6C2F60000-0x00007FF6C32B1000-memory.dmp	xmrig
behavioral2/memory/1408-144-0x00007FF6F28C0000-0x00007FF6F2C11000-memory.dmp	xmrig
behavioral2/memory/1648-147-0x00007FF613C60000-0x00007FF613FB1000-memory.dmp	xmrig
behavioral2/memory/1584-149-0x00007FF62EC80000-0x00007FF62EFD1000-memory.dmp	xmrig
behavioral2/memory/2256-154-0x00007FF654C20000-0x00007FF654F71000-memory.dmp	xmrig
behavioral2/memory/4816-148-0x00007FF7FBA10000-0x00007FF7FBD61000-memory.dmp	xmrig
behavioral2/memory/4748-155-0x00007FF62CEF0000-0x00007FF62D241000-memory.dmp	xmrig
behavioral2/memory/2744-209-0x00007FF6751C0000-0x00007FF675511000-memory.dmp	xmrig
behavioral2/memory/4472-211-0x00007FF686970000-0x00007FF686CC1000-memory.dmp	xmrig
behavioral2/memory/2056-213-0x00007FF63CB20000-0x00007FF63CE71000-memory.dmp	xmrig
behavioral2/memory/1144-217-0x00007FF6ABF70000-0x00007FF6AC2C1000-memory.dmp	xmrig
behavioral2/memory/2460-216-0x00007FF734F50000-0x00007FF7352A1000-memory.dmp	xmrig
behavioral2/memory/1348-220-0x00007FF603E70000-0x00007FF6041C1000-memory.dmp	xmrig
behavioral2/memory/1580-221-0x00007FF764060000-0x00007FF7643B1000-memory.dmp	xmrig
behavioral2/memory/2272-223-0x00007FF6C2F60000-0x00007FF6C32B1000-memory.dmp	xmrig
behavioral2/memory/2276-233-0x00007FF7FEFE0000-0x00007FF7FF331000-memory.dmp	xmrig
behavioral2/memory/432-235-0x00007FF640E70000-0x00007FF6411C1000-memory.dmp	xmrig
behavioral2/memory/1408-237-0x00007FF6F28C0000-0x00007FF6F2C11000-memory.dmp	xmrig
behavioral2/memory/3604-239-0x00007FF75B9A0000-0x00007FF75BCF1000-memory.dmp	xmrig
behavioral2/memory/968-248-0x00007FF6EF520000-0x00007FF6EF871000-memory.dmp	xmrig
behavioral2/memory/1648-243-0x00007FF613C60000-0x00007FF613FB1000-memory.dmp	xmrig
behavioral2/memory/1584-250-0x00007FF62EC80000-0x00007FF62EFD1000-memory.dmp	xmrig
behavioral2/memory/4756-254-0x00007FF603B10000-0x00007FF603E61000-memory.dmp	xmrig
behavioral2/memory/4896-253-0x00007FF772A90000-0x00007FF772DE1000-memory.dmp	xmrig
behavioral2/memory/4804-256-0x00007FF6A4290000-0x00007FF6A45E1000-memory.dmp	xmrig
behavioral2/memory/1592-258-0x00007FF78C570000-0x00007FF78C8C1000-memory.dmp	xmrig
behavioral2/memory/4816-261-0x00007FF7FBA10000-0x00007FF7FBD61000-memory.dmp	xmrig
behavioral2/memory/2256-265-0x00007FF654C20000-0x00007FF654F71000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2744	nnCHcnh.exe
4472	HeUiyXC.exe
2056	QTqlMEJ.exe
1144	oLJOaJQ.exe
2460	BBvAxzu.exe
1580	xvfUXgp.exe
1348	oQsJApf.exe
2272	bVlZuSn.exe
2276	ousxZbH.exe
432	gDoaxNA.exe
1408	kZZMqTi.exe
3604	yBRRCcO.exe
968	zJPnjhS.exe
1648	gCoQprK.exe
4816	ZGmyCGt.exe
1584	CuPFgOw.exe
4756	EOtHhRV.exe
4896	oCkGVew.exe
4804	tzePRzN.exe
1592	DFgFSbQ.exe
2256	MJIWgtK.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4748-0-0x00007FF62CEF0000-0x00007FF62D241000-memory.dmp	upx
behavioral2/files/0x000b000000023bbc-5.dat	upx
behavioral2/files/0x0008000000023bcc-7.dat	upx
behavioral2/files/0x000e000000023bc3-15.dat	upx
behavioral2/files/0x0009000000023bd1-22.dat	upx
behavioral2/files/0x0009000000023bd3-31.dat	upx
behavioral2/memory/2460-33-0x00007FF734F50000-0x00007FF7352A1000-memory.dmp	upx
behavioral2/memory/1580-39-0x00007FF764060000-0x00007FF7643B1000-memory.dmp	upx
behavioral2/files/0x000e000000023bd7-41.dat	upx
behavioral2/files/0x0008000000023bd9-46.dat	upx
behavioral2/memory/2272-47-0x00007FF6C2F60000-0x00007FF6C32B1000-memory.dmp	upx
behavioral2/memory/1348-40-0x00007FF603E70000-0x00007FF6041C1000-memory.dmp	upx
behavioral2/files/0x0009000000023bd2-35.dat	upx
behavioral2/memory/1144-24-0x00007FF6ABF70000-0x00007FF6AC2C1000-memory.dmp	upx
behavioral2/memory/2056-23-0x00007FF63CB20000-0x00007FF63CE71000-memory.dmp	upx
behavioral2/memory/4472-20-0x00007FF686970000-0x00007FF686CC1000-memory.dmp	upx
behavioral2/memory/2744-8-0x00007FF6751C0000-0x00007FF675511000-memory.dmp	upx
behavioral2/files/0x0008000000023bdc-52.dat	upx
behavioral2/memory/4748-55-0x00007FF62CEF0000-0x00007FF62D241000-memory.dmp	upx
behavioral2/memory/2744-62-0x00007FF6751C0000-0x00007FF675511000-memory.dmp	upx
behavioral2/files/0x0002000000022af2-60.dat	upx
behavioral2/memory/2276-59-0x00007FF7FEFE0000-0x00007FF7FF331000-memory.dmp	upx
behavioral2/memory/432-70-0x00007FF640E70000-0x00007FF6411C1000-memory.dmp	upx
behavioral2/memory/4472-69-0x00007FF686970000-0x00007FF686CC1000-memory.dmp	upx
behavioral2/files/0x000c000000023bb3-84.dat	upx
behavioral2/files/0x0011000000023b29-88.dat	upx
behavioral2/files/0x0008000000023bdd-91.dat	upx
behavioral2/memory/968-108-0x00007FF6EF520000-0x00007FF6EF871000-memory.dmp	upx
behavioral2/files/0x0008000000023bdf-117.dat	upx
behavioral2/files/0x0008000000023c10-124.dat	upx
behavioral2/memory/4896-129-0x00007FF772A90000-0x00007FF772DE1000-memory.dmp	upx
behavioral2/memory/4804-131-0x00007FF6A4290000-0x00007FF6A45E1000-memory.dmp	upx
behavioral2/memory/2460-130-0x00007FF734F50000-0x00007FF7352A1000-memory.dmp	upx
behavioral2/memory/1144-128-0x00007FF6ABF70000-0x00007FF6AC2C1000-memory.dmp	upx
behavioral2/memory/2256-127-0x00007FF654C20000-0x00007FF654F71000-memory.dmp	upx
behavioral2/memory/1592-125-0x00007FF78C570000-0x00007FF78C8C1000-memory.dmp	upx
behavioral2/files/0x0008000000023c0f-122.dat	upx
behavioral2/files/0x0008000000023c0e-120.dat	upx
behavioral2/memory/4756-119-0x00007FF603B10000-0x00007FF603E61000-memory.dmp	upx
behavioral2/memory/4816-116-0x00007FF7FBA10000-0x00007FF7FBD61000-memory.dmp	upx
behavioral2/files/0x0008000000023bde-113.dat	upx
behavioral2/memory/3604-101-0x00007FF75B9A0000-0x00007FF75BCF1000-memory.dmp	upx
behavioral2/memory/1584-98-0x00007FF62EC80000-0x00007FF62EFD1000-memory.dmp	upx
behavioral2/memory/1648-94-0x00007FF613C60000-0x00007FF613FB1000-memory.dmp	upx
behavioral2/files/0x000e000000023b28-86.dat	upx
behavioral2/files/0x000d000000023b27-81.dat	upx
behavioral2/memory/1408-72-0x00007FF6F28C0000-0x00007FF6F2C11000-memory.dmp	upx
behavioral2/files/0x000e000000023b24-71.dat	upx
behavioral2/memory/1580-139-0x00007FF764060000-0x00007FF7643B1000-memory.dmp	upx
behavioral2/memory/1348-140-0x00007FF603E70000-0x00007FF6041C1000-memory.dmp	upx
behavioral2/memory/2276-142-0x00007FF7FEFE0000-0x00007FF7FF331000-memory.dmp	upx
behavioral2/memory/4748-132-0x00007FF62CEF0000-0x00007FF62D241000-memory.dmp	upx
behavioral2/memory/2272-141-0x00007FF6C2F60000-0x00007FF6C32B1000-memory.dmp	upx
behavioral2/memory/1408-144-0x00007FF6F28C0000-0x00007FF6F2C11000-memory.dmp	upx
behavioral2/memory/1648-147-0x00007FF613C60000-0x00007FF613FB1000-memory.dmp	upx
behavioral2/memory/1584-149-0x00007FF62EC80000-0x00007FF62EFD1000-memory.dmp	upx
behavioral2/memory/2256-154-0x00007FF654C20000-0x00007FF654F71000-memory.dmp	upx
behavioral2/memory/4816-148-0x00007FF7FBA10000-0x00007FF7FBD61000-memory.dmp	upx
behavioral2/memory/4748-155-0x00007FF62CEF0000-0x00007FF62D241000-memory.dmp	upx
behavioral2/memory/2744-209-0x00007FF6751C0000-0x00007FF675511000-memory.dmp	upx
behavioral2/memory/4472-211-0x00007FF686970000-0x00007FF686CC1000-memory.dmp	upx
behavioral2/memory/2056-213-0x00007FF63CB20000-0x00007FF63CE71000-memory.dmp	upx
behavioral2/memory/1144-217-0x00007FF6ABF70000-0x00007FF6AC2C1000-memory.dmp	upx
behavioral2/memory/2460-216-0x00007FF734F50000-0x00007FF7352A1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\yBRRCcO.exe	2024-11-18_5fd2801560427896fa023e85b33000b5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zJPnjhS.exe	2024-11-18_5fd2801560427896fa023e85b33000b5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CuPFgOw.exe	2024-11-18_5fd2801560427896fa023e85b33000b5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MJIWgtK.exe	2024-11-18_5fd2801560427896fa023e85b33000b5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oLJOaJQ.exe	2024-11-18_5fd2801560427896fa023e85b33000b5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BBvAxzu.exe	2024-11-18_5fd2801560427896fa023e85b33000b5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bVlZuSn.exe	2024-11-18_5fd2801560427896fa023e85b33000b5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ousxZbH.exe	2024-11-18_5fd2801560427896fa023e85b33000b5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kZZMqTi.exe	2024-11-18_5fd2801560427896fa023e85b33000b5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nnCHcnh.exe	2024-11-18_5fd2801560427896fa023e85b33000b5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QTqlMEJ.exe	2024-11-18_5fd2801560427896fa023e85b33000b5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZGmyCGt.exe	2024-11-18_5fd2801560427896fa023e85b33000b5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EOtHhRV.exe	2024-11-18_5fd2801560427896fa023e85b33000b5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HeUiyXC.exe	2024-11-18_5fd2801560427896fa023e85b33000b5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gCoQprK.exe	2024-11-18_5fd2801560427896fa023e85b33000b5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gDoaxNA.exe	2024-11-18_5fd2801560427896fa023e85b33000b5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oCkGVew.exe	2024-11-18_5fd2801560427896fa023e85b33000b5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tzePRzN.exe	2024-11-18_5fd2801560427896fa023e85b33000b5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DFgFSbQ.exe	2024-11-18_5fd2801560427896fa023e85b33000b5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xvfUXgp.exe	2024-11-18_5fd2801560427896fa023e85b33000b5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oQsJApf.exe	2024-11-18_5fd2801560427896fa023e85b33000b5_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4748	2024-11-18_5fd2801560427896fa023e85b33000b5_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4748	2024-11-18_5fd2801560427896fa023e85b33000b5_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4748 wrote to memory of 2744	4748	2024-11-18_5fd2801560427896fa023e85b33000b5_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4748 wrote to memory of 2744	4748	2024-11-18_5fd2801560427896fa023e85b33000b5_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4748 wrote to memory of 4472	4748	2024-11-18_5fd2801560427896fa023e85b33000b5_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4748 wrote to memory of 4472	4748	2024-11-18_5fd2801560427896fa023e85b33000b5_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4748 wrote to memory of 2056	4748	2024-11-18_5fd2801560427896fa023e85b33000b5_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4748 wrote to memory of 2056	4748	2024-11-18_5fd2801560427896fa023e85b33000b5_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4748 wrote to memory of 1144	4748	2024-11-18_5fd2801560427896fa023e85b33000b5_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4748 wrote to memory of 1144	4748	2024-11-18_5fd2801560427896fa023e85b33000b5_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4748 wrote to memory of 2460	4748	2024-11-18_5fd2801560427896fa023e85b33000b5_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4748 wrote to memory of 2460	4748	2024-11-18_5fd2801560427896fa023e85b33000b5_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4748 wrote to memory of 1580	4748	2024-11-18_5fd2801560427896fa023e85b33000b5_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4748 wrote to memory of 1580	4748	2024-11-18_5fd2801560427896fa023e85b33000b5_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4748 wrote to memory of 1348	4748	2024-11-18_5fd2801560427896fa023e85b33000b5_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4748 wrote to memory of 1348	4748	2024-11-18_5fd2801560427896fa023e85b33000b5_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4748 wrote to memory of 2272	4748	2024-11-18_5fd2801560427896fa023e85b33000b5_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4748 wrote to memory of 2272	4748	2024-11-18_5fd2801560427896fa023e85b33000b5_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4748 wrote to memory of 2276	4748	2024-11-18_5fd2801560427896fa023e85b33000b5_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4748 wrote to memory of 2276	4748	2024-11-18_5fd2801560427896fa023e85b33000b5_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4748 wrote to memory of 432	4748	2024-11-18_5fd2801560427896fa023e85b33000b5_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4748 wrote to memory of 432	4748	2024-11-18_5fd2801560427896fa023e85b33000b5_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4748 wrote to memory of 1408	4748	2024-11-18_5fd2801560427896fa023e85b33000b5_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4748 wrote to memory of 1408	4748	2024-11-18_5fd2801560427896fa023e85b33000b5_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4748 wrote to memory of 3604	4748	2024-11-18_5fd2801560427896fa023e85b33000b5_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4748 wrote to memory of 3604	4748	2024-11-18_5fd2801560427896fa023e85b33000b5_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4748 wrote to memory of 968	4748	2024-11-18_5fd2801560427896fa023e85b33000b5_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4748 wrote to memory of 968	4748	2024-11-18_5fd2801560427896fa023e85b33000b5_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4748 wrote to memory of 1648	4748	2024-11-18_5fd2801560427896fa023e85b33000b5_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4748 wrote to memory of 1648	4748	2024-11-18_5fd2801560427896fa023e85b33000b5_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4748 wrote to memory of 4816	4748	2024-11-18_5fd2801560427896fa023e85b33000b5_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4748 wrote to memory of 4816	4748	2024-11-18_5fd2801560427896fa023e85b33000b5_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4748 wrote to memory of 1584	4748	2024-11-18_5fd2801560427896fa023e85b33000b5_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4748 wrote to memory of 1584	4748	2024-11-18_5fd2801560427896fa023e85b33000b5_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4748 wrote to memory of 4756	4748	2024-11-18_5fd2801560427896fa023e85b33000b5_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4748 wrote to memory of 4756	4748	2024-11-18_5fd2801560427896fa023e85b33000b5_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4748 wrote to memory of 4896	4748	2024-11-18_5fd2801560427896fa023e85b33000b5_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4748 wrote to memory of 4896	4748	2024-11-18_5fd2801560427896fa023e85b33000b5_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4748 wrote to memory of 4804	4748	2024-11-18_5fd2801560427896fa023e85b33000b5_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 4748 wrote to memory of 4804	4748	2024-11-18_5fd2801560427896fa023e85b33000b5_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 4748 wrote to memory of 1592	4748	2024-11-18_5fd2801560427896fa023e85b33000b5_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 4748 wrote to memory of 1592	4748	2024-11-18_5fd2801560427896fa023e85b33000b5_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 4748 wrote to memory of 2256	4748	2024-11-18_5fd2801560427896fa023e85b33000b5_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 4748 wrote to memory of 2256	4748	2024-11-18_5fd2801560427896fa023e85b33000b5_cobalt-strike_cobaltstrike_poet-rat.exe	107

C:\Users\Admin\AppData\Local\Temp\2024-11-18_5fd2801560427896fa023e85b33000b5_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-18_5fd2801560427896fa023e85b33000b5_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4748
- C:\Windows\System\nnCHcnh.exe
  C:\Windows\System\nnCHcnh.exe
  2⤵
  - Executes dropped EXE
  PID:2744
- C:\Windows\System\HeUiyXC.exe
  C:\Windows\System\HeUiyXC.exe
  2⤵
  - Executes dropped EXE
  PID:4472
- C:\Windows\System\QTqlMEJ.exe
  C:\Windows\System\QTqlMEJ.exe
  2⤵
  - Executes dropped EXE
  PID:2056
- C:\Windows\System\oLJOaJQ.exe
  C:\Windows\System\oLJOaJQ.exe
  2⤵
  - Executes dropped EXE
  PID:1144
- C:\Windows\System\BBvAxzu.exe
  C:\Windows\System\BBvAxzu.exe
  2⤵
  - Executes dropped EXE
  PID:2460
- C:\Windows\System\xvfUXgp.exe
  C:\Windows\System\xvfUXgp.exe
  2⤵
  - Executes dropped EXE
  PID:1580
- C:\Windows\System\oQsJApf.exe
  C:\Windows\System\oQsJApf.exe
  2⤵
  - Executes dropped EXE
  PID:1348
- C:\Windows\System\bVlZuSn.exe
  C:\Windows\System\bVlZuSn.exe
  2⤵
  - Executes dropped EXE
  PID:2272
- C:\Windows\System\ousxZbH.exe
  C:\Windows\System\ousxZbH.exe
  2⤵
  - Executes dropped EXE
  PID:2276
- C:\Windows\System\gDoaxNA.exe
  C:\Windows\System\gDoaxNA.exe
  2⤵
  - Executes dropped EXE
  PID:432
- C:\Windows\System\kZZMqTi.exe
  C:\Windows\System\kZZMqTi.exe
  2⤵
  - Executes dropped EXE
  PID:1408
- C:\Windows\System\yBRRCcO.exe
  C:\Windows\System\yBRRCcO.exe
  2⤵
  - Executes dropped EXE
  PID:3604
- C:\Windows\System\zJPnjhS.exe
  C:\Windows\System\zJPnjhS.exe
  2⤵
  - Executes dropped EXE
  PID:968
- C:\Windows\System\gCoQprK.exe
  C:\Windows\System\gCoQprK.exe
  2⤵
  - Executes dropped EXE
  PID:1648
- C:\Windows\System\ZGmyCGt.exe
  C:\Windows\System\ZGmyCGt.exe
  2⤵
  - Executes dropped EXE
  PID:4816
- C:\Windows\System\CuPFgOw.exe
  C:\Windows\System\CuPFgOw.exe
  2⤵
  - Executes dropped EXE
  PID:1584
- C:\Windows\System\EOtHhRV.exe
  C:\Windows\System\EOtHhRV.exe
  2⤵
  - Executes dropped EXE
  PID:4756
- C:\Windows\System\oCkGVew.exe
  C:\Windows\System\oCkGVew.exe
  2⤵
  - Executes dropped EXE
  PID:4896
- C:\Windows\System\tzePRzN.exe
  C:\Windows\System\tzePRzN.exe
  2⤵
  - Executes dropped EXE
  PID:4804
- C:\Windows\System\DFgFSbQ.exe
  C:\Windows\System\DFgFSbQ.exe
  2⤵
  - Executes dropped EXE
  PID:1592
- C:\Windows\System\MJIWgtK.exe
  C:\Windows\System\MJIWgtK.exe
  2⤵
  - Executes dropped EXE
  PID:2256

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BBvAxzu.exe

Filesize
5.2MB

MD5
391b3a5740b571e99235cb2617d7e20a

SHA1
b8bd9ce54d15acdfd917a1d06d780264bd415028

SHA256
59cbeb304679221f7e0cce82c58fbe086958865939da5c05495515938dcfa571

SHA512
a03002adb96759af7578d01d3d5e9eaa24abe12d6582a1d7556e45a958942faa878661dad03f459d6ecad1dbaf4cae3e62e0f7dd0ab953a1af7a0c3fbe5554b9

Download Submit
C:\Windows\System\CuPFgOw.exe

Filesize
5.2MB

MD5
8b49a10ce489a7c38657434c827a2a1e

SHA1
f7823f925c870739915822955b16c8005893f82e

SHA256
dc5fbd85f86b56c7b331d62362f485c015bf6ff15c79dbf052a85fa11148367a

SHA512
2275c63d213fcd1d6408a7e7f943b14fe51f43a3100c4cbd9d930a71d610b588cd36f65adfaee7651f41756f631058b6230b95f095d6b4b9aad9ed8d04c490e6

Download Submit
C:\Windows\System\DFgFSbQ.exe

Filesize
5.2MB

MD5
b00ad1cde2fdf70d3308d8f6e9b331c4

SHA1
f01994fb6bdf144f70b1eaff26dc1b9d0b2252fa

SHA256
37b45e104e98e0cc6c60951a703ee44595b5813c601232f39961bb10c58748c9

SHA512
ae08d89fa8282010e6ec2cfb8c541c5e075e61987f8468aed4b54915313b6838489a01dc4d95b73fb405b8e4e3130c0c95d3aae406a61b45822a8fa6cadea722

Download Submit
C:\Windows\System\EOtHhRV.exe

Filesize
5.2MB

MD5
89f01011496f5c745b2861165ba8c086

SHA1
5eb1aa292cb85a1162e0573c069471d2d2ad2a28

SHA256
10d8e232223648f47945f611bfabceed7c416df32c71e0a906d20bbf9668715d

SHA512
8ae4a3807aefd6ae8c13c8f3610a7080f0b366ba243b87b966ebb49cb288ddfe2d7f7bd606bba934dfdd943f5e30f36d3134543c6f0bc01836a6debbd6410993

Download Submit
C:\Windows\System\HeUiyXC.exe

Filesize
5.2MB

MD5
dc6719b9c70df06e975231e249f8f928

SHA1
99bf3e623f681c9046db0dd9022fdab1c3c87dbf

SHA256
f3283183fe02d00c272bc27d7b4fa64f182ed844fe0f100a72e34a589c3553b1

SHA512
9ded14f608125a8432906793a8186433acff5b5466645d962cf527df8d707aced679f4671d8e22ae13b43c2fac5b1ae7ccaf785312f66767737adc766213b815

Download Submit
C:\Windows\System\MJIWgtK.exe

Filesize
5.2MB

MD5
ce5b79eb700f00b89a16db7750cf778c

SHA1
7bbe7f12a37a5754c44a3bc261c9044b67d16b6a

SHA256
bc823755768d9dcdb3b9e2613666a42593d1488ec24dbd05f0d1ec9de6192ad5

SHA512
021f753efd832497ebf25eb7d42f55b1b60c45a674338976d468c365271a4117adc479d21df509e4e9f6ad6d14609fd20f29dcc1bbc22fdd4738ce91fb4c3121

Download Submit
C:\Windows\System\QTqlMEJ.exe

Filesize
5.2MB

MD5
a5a54fde9d8c85c776edc8446d768407

SHA1
d5cf5c0e7bac1336aef8226fbaf6ebc3df20040f

SHA256
ce04370b05b0b718242851fb2efd5141c544cf63606b3dc328e5022845a28714

SHA512
c349fcc9fd723193a3504e93a7faeae9c24d08fe1881d4135103a980f1cc4d80a4b3473856da8addb295152385a5db63c3bff16770270ba8c1ac5eda21002028

Download Submit
C:\Windows\System\ZGmyCGt.exe

Filesize
5.2MB

MD5
c880a34bfd75e7f6c25b040f5ab4f0e8

SHA1
438bdf73c0649b1db966ce830b8840cbaddb2b9d

SHA256
369cc0ff51a0b44217371cc3bbdb682137e5b91729bc74223530610af51d3a1e

SHA512
13e170e250d628a44122700f621a44670bc1676eaffe379e14b65796d3653e668b261c0c99e9f9019ab96b04fa773e876a58e1cec077f1b832758507ae9afbdb

Download Submit
C:\Windows\System\bVlZuSn.exe

Filesize
5.2MB

MD5
798cc0632951214b5b29dc54071918ac

SHA1
e66892ec276652081120649db465c003f927e134

SHA256
a2f9703f6e1b3a655ae967098f2587632d35f8d14fbba0c1f35c763cfdbb0d85

SHA512
013112574dd9cd737d41db40aa835004686bcd5c3b1e7e77b33ccb0aa9aab1dae4d62956824567c29dc81f623f5aac7cfc05600a00ba0e5985aca94322acf09e

Download Submit
C:\Windows\System\gCoQprK.exe

Filesize
5.2MB

MD5
a864ecefee7c0fbf2a6543410b94f1e1

SHA1
28f03307b8343bf3e8337556923324be0f124bd1

SHA256
3adad8b90bae84d7267a1fe2fa473e95bfaad25fe63b2a54645adafa1b396efc

SHA512
c7ec4a17eaad6cbe0fa6888c21ee2c4cf33afb07adbc2284c3fd9c76e92ee05e52990c62b53269f9ff4eb0ff9320090eeb9d0656a1dcf0ece1aef8375698c80e

Download Submit
C:\Windows\System\gDoaxNA.exe

Filesize
5.2MB

MD5
7c1cddc49bab3f45d3f21c3fe917f3cf

SHA1
72e1ba75e7a82a57502594d5b00cbf645506a644

SHA256
909f07b6e2b706be7b7232206c170a0d682fa387a3339f958a9501c9ad894ada

SHA512
ac160f6ba47b80a9655abd2473336179537b44d496e0d71dc54951a738af3f5f23774f29a45015e185ee9f7b4e28b41c31579574eae831c8f6ca1d444769b593

Download Submit
C:\Windows\System\kZZMqTi.exe

Filesize
5.2MB

MD5
b572d0a7500225cba9c897b161ceec45

SHA1
f7f12988f9700cbec51bfe19a8bef787290be8bd

SHA256
3223a0a4f9a7ded4a7423361964e3858c21a1d1e9b63f51c60ba50c85c175958

SHA512
8f07b22df44984731135d26e1971a8199daa82144c36d8a3673563af2c9a5471ff22fef80456f495fca49035e78a726ab9724e0ba07a3911b07dbdb0b59513db

Download Submit
C:\Windows\System\nnCHcnh.exe

Filesize
5.2MB

MD5
75bba0472ac4e24e9362230424aa1586

SHA1
823796bc5dd3f39a63922502b4a75b10492864f4

SHA256
b4423d8e3069d7afa9d53eea9bab585b58910437cdd7a2ffa7f78c1ac9299e9e

SHA512
3794479094cce14d7be48e8492a50b0305b5463130963f1dd42ec2b29512cc3f59e8da8759df0a175ede24b3f8085c45b7e924fe105abbed7df2530afd71bc3e

Download Submit
C:\Windows\System\oCkGVew.exe

Filesize
5.2MB

MD5
e335609cebe7a364f595e53568f1e527

SHA1
809ecc9761905892af9800e5e75a5f90c6d2e098

SHA256
1a3e2aa8f91b6fe41b27d868dd12ce60ec54b95eb529f7178733c9a79430126f

SHA512
572903f821d58f80e0ac563c2c7a5aa70755dd85bebe61a61bbe2edd885f64c5a1203113ad120960f693aa8b4bea336aeea2ce7153b10f9c844b147cdc965c21

Download Submit
C:\Windows\System\oLJOaJQ.exe

Filesize
5.2MB

MD5
bc6cd25c08550056b41fa39991b29ced

SHA1
e91a74c73764a337228c49107d7d21f155887c7e

SHA256
85492b195750eba2cb5ffba82f81bf4b0e35283776d46c9b18bf056d46f01876

SHA512
f74a956e972c2e188dd7c87eb1d46d1dcad581ebc195366bc2f3e101b0b292e7ad4f661015fae017ed2d16fa667d41f4958de9fa00ba1de6f6ea161d6dfc4000

Download Submit
C:\Windows\System\oQsJApf.exe

Filesize
5.2MB

MD5
01104ace52fbd3877db7b98f0b4a7295

SHA1
cf4ad0e3ab7aa7eb701516e625a68256c3f8aab9

SHA256
971ac1c2500913e1ff4e167f76c148d4ffe5bf68dc1c7d06260a70d080cddf1d

SHA512
30f8ea58f2e0ddb4b1478ac134e18df5df77b4b23a062e867708cf94fd37bcfecc1c55aafdbf53597ce0be026a8e80c1625012fb0e726e4fe29f4a78d0ce7646

Download Submit
C:\Windows\System\ousxZbH.exe

Filesize
5.2MB

MD5
f44f2027c723019841fae14baba41616

SHA1
ec1532d30109e9f6cc31e5b91bec317c16b08938

SHA256
dd115cb3379a0410e69e9e0146aae75edd92363e70e64352fbb933c08fbc82ee

SHA512
1d4352fc03233328a2992a74fd870c4623f6d0a8db2b6b9ce7d1482b1129c817e87e2bacda0769073f38a2bfc6498170a58c58cfc669264730990fd8467bb502

Download Submit
C:\Windows\System\tzePRzN.exe

Filesize
5.2MB

MD5
64d07c73566747083aa7c780b8abbe90

SHA1
600c1aba9981a5f5c84968980acd9a9ce0d0e3d5

SHA256
c009d9345a19e4495cbddbd0ec9a64f2a9c594eeedae97b20b3eee7c213e9b44

SHA512
afe647ea3a04ccff52c6ed931b446aa576e7e16fb705a241f693dcf092897363ed32510f2629bc52c42475c19f16cfcb8444a03ef3a049fc66b790974dac7b0b

Download Submit
C:\Windows\System\xvfUXgp.exe

Filesize
5.2MB

MD5
bc26845dbd27d9059ab11c0679dc0b43

SHA1
fccb702b99a68e863d4fb2c3e83f9b874da7db8a

SHA256
32831731d65e6b28235e9484328defd5c5fa637ce2f2a5ce122277fdeaee6575

SHA512
5f00e93b75fd91138996b3360e1db3f682d7a0536ad102d37ef18a93d409ca79bcd6d9832066d88a5ef24e02f69187f38ebe30104d50ce90f8cec409a1b68201

Download Submit
C:\Windows\System\yBRRCcO.exe

Filesize
5.2MB

MD5
987b63d226fbf38e5c02287227317ba8

SHA1
546a65e152a543a6939f6b305ce041c9b695a66c

SHA256
6e5ee8059af138a74df81f77ec524733358bc97b12789294a98ec14dcabc6193

SHA512
9d2521991f2442ed904275750c6d45eef400d14fd9633e3c1cca5e3c80b1c3567d8a206a4ada4b78c3ad6135338a7d0345f3ab70fb9f05a853895014eb2c1bea

Download Submit
C:\Windows\System\zJPnjhS.exe

Filesize
5.2MB

MD5
13ab9f6f5ea0906ffe05871f3a73bf16

SHA1
50ba1366b1359c1d8730f5589684ea5a4eac1a50

SHA256
e2631f85c38ba81fb9b8c239cb670ea5623cd083328b4edc3c72576db68841d1

SHA512
2d69680ed1ff76aca470fe4adc4f656321431985530766c1fb5bbd0f28f97f7616cf3ad7dad7fc82118c1499820b17e143a4790c545982a94cd9a584d4e38e50

Download Submit
memory/432-70-0x00007FF640E70000-0x00007FF6411C1000-memory.dmp

Filesize
3.3MB

Download
memory/432-235-0x00007FF640E70000-0x00007FF6411C1000-memory.dmp

Filesize
3.3MB

Download
memory/968-248-0x00007FF6EF520000-0x00007FF6EF871000-memory.dmp

Filesize
3.3MB

Download
memory/968-108-0x00007FF6EF520000-0x00007FF6EF871000-memory.dmp

Filesize
3.3MB

Download
memory/1144-128-0x00007FF6ABF70000-0x00007FF6AC2C1000-memory.dmp

Filesize
3.3MB

Download
memory/1144-24-0x00007FF6ABF70000-0x00007FF6AC2C1000-memory.dmp

Filesize
3.3MB

Download
memory/1144-217-0x00007FF6ABF70000-0x00007FF6AC2C1000-memory.dmp

Filesize
3.3MB

Download
memory/1348-140-0x00007FF603E70000-0x00007FF6041C1000-memory.dmp

Filesize
3.3MB

Download
memory/1348-40-0x00007FF603E70000-0x00007FF6041C1000-memory.dmp

Filesize
3.3MB

Download
memory/1348-220-0x00007FF603E70000-0x00007FF6041C1000-memory.dmp

Filesize
3.3MB

Download
memory/1408-144-0x00007FF6F28C0000-0x00007FF6F2C11000-memory.dmp

Filesize
3.3MB

Download
memory/1408-72-0x00007FF6F28C0000-0x00007FF6F2C11000-memory.dmp

Filesize
3.3MB

Download
memory/1408-237-0x00007FF6F28C0000-0x00007FF6F2C11000-memory.dmp

Filesize
3.3MB

Download
memory/1580-139-0x00007FF764060000-0x00007FF7643B1000-memory.dmp

Filesize
3.3MB

Download
memory/1580-39-0x00007FF764060000-0x00007FF7643B1000-memory.dmp

Filesize
3.3MB

Download
memory/1580-221-0x00007FF764060000-0x00007FF7643B1000-memory.dmp

Filesize
3.3MB

Download
memory/1584-149-0x00007FF62EC80000-0x00007FF62EFD1000-memory.dmp

Filesize
3.3MB

Download
memory/1584-250-0x00007FF62EC80000-0x00007FF62EFD1000-memory.dmp

Filesize
3.3MB

Download
memory/1584-98-0x00007FF62EC80000-0x00007FF62EFD1000-memory.dmp

Filesize
3.3MB

Download
memory/1592-125-0x00007FF78C570000-0x00007FF78C8C1000-memory.dmp

Filesize
3.3MB

Download
memory/1592-258-0x00007FF78C570000-0x00007FF78C8C1000-memory.dmp

Filesize
3.3MB

Download
memory/1648-243-0x00007FF613C60000-0x00007FF613FB1000-memory.dmp

Filesize
3.3MB

Download
memory/1648-147-0x00007FF613C60000-0x00007FF613FB1000-memory.dmp

Filesize
3.3MB

Download
memory/1648-94-0x00007FF613C60000-0x00007FF613FB1000-memory.dmp

Filesize
3.3MB

Download
memory/2056-23-0x00007FF63CB20000-0x00007FF63CE71000-memory.dmp

Filesize
3.3MB

Download
memory/2056-213-0x00007FF63CB20000-0x00007FF63CE71000-memory.dmp

Filesize
3.3MB

Download
memory/2256-127-0x00007FF654C20000-0x00007FF654F71000-memory.dmp

Filesize
3.3MB

Download
memory/2256-265-0x00007FF654C20000-0x00007FF654F71000-memory.dmp

Filesize
3.3MB

Download
memory/2256-154-0x00007FF654C20000-0x00007FF654F71000-memory.dmp

Filesize
3.3MB

Download
memory/2272-141-0x00007FF6C2F60000-0x00007FF6C32B1000-memory.dmp

Filesize
3.3MB

Download
memory/2272-47-0x00007FF6C2F60000-0x00007FF6C32B1000-memory.dmp

Filesize
3.3MB

Download
memory/2272-223-0x00007FF6C2F60000-0x00007FF6C32B1000-memory.dmp

Filesize
3.3MB

Download
memory/2276-59-0x00007FF7FEFE0000-0x00007FF7FF331000-memory.dmp

Filesize
3.3MB

Download
memory/2276-233-0x00007FF7FEFE0000-0x00007FF7FF331000-memory.dmp

Filesize
3.3MB

Download
memory/2276-142-0x00007FF7FEFE0000-0x00007FF7FF331000-memory.dmp

Filesize
3.3MB

Download
memory/2460-216-0x00007FF734F50000-0x00007FF7352A1000-memory.dmp

Filesize
3.3MB

Download
memory/2460-33-0x00007FF734F50000-0x00007FF7352A1000-memory.dmp

Filesize
3.3MB

Download
memory/2460-130-0x00007FF734F50000-0x00007FF7352A1000-memory.dmp

Filesize
3.3MB

Download
memory/2744-62-0x00007FF6751C0000-0x00007FF675511000-memory.dmp

Filesize
3.3MB

Download
memory/2744-8-0x00007FF6751C0000-0x00007FF675511000-memory.dmp

Filesize
3.3MB

Download
memory/2744-209-0x00007FF6751C0000-0x00007FF675511000-memory.dmp

Filesize
3.3MB

Download
memory/3604-101-0x00007FF75B9A0000-0x00007FF75BCF1000-memory.dmp

Filesize
3.3MB

Download
memory/3604-239-0x00007FF75B9A0000-0x00007FF75BCF1000-memory.dmp

Filesize
3.3MB

Download
memory/4472-211-0x00007FF686970000-0x00007FF686CC1000-memory.dmp

Filesize
3.3MB

Download
memory/4472-20-0x00007FF686970000-0x00007FF686CC1000-memory.dmp

Filesize
3.3MB

Download
memory/4472-69-0x00007FF686970000-0x00007FF686CC1000-memory.dmp

Filesize
3.3MB

Download
memory/4748-55-0x00007FF62CEF0000-0x00007FF62D241000-memory.dmp

Filesize
3.3MB

Download
memory/4748-155-0x00007FF62CEF0000-0x00007FF62D241000-memory.dmp

Filesize
3.3MB

Download
memory/4748-1-0x000001F312880000-0x000001F312890000-memory.dmp

Filesize
64KB

Download
memory/4748-132-0x00007FF62CEF0000-0x00007FF62D241000-memory.dmp

Filesize
3.3MB

Download
memory/4748-0-0x00007FF62CEF0000-0x00007FF62D241000-memory.dmp

Filesize
3.3MB

Download
memory/4756-119-0x00007FF603B10000-0x00007FF603E61000-memory.dmp

Filesize
3.3MB

Download
memory/4756-254-0x00007FF603B10000-0x00007FF603E61000-memory.dmp

Filesize
3.3MB

Download
memory/4804-256-0x00007FF6A4290000-0x00007FF6A45E1000-memory.dmp

Filesize
3.3MB

Download
memory/4804-131-0x00007FF6A4290000-0x00007FF6A45E1000-memory.dmp

Filesize
3.3MB

Download
memory/4816-116-0x00007FF7FBA10000-0x00007FF7FBD61000-memory.dmp

Filesize
3.3MB

Download
memory/4816-261-0x00007FF7FBA10000-0x00007FF7FBD61000-memory.dmp

Filesize
3.3MB

Download
memory/4816-148-0x00007FF7FBA10000-0x00007FF7FBD61000-memory.dmp

Filesize
3.3MB

Download
memory/4896-129-0x00007FF772A90000-0x00007FF772DE1000-memory.dmp

Filesize
3.3MB

Download
memory/4896-253-0x00007FF772A90000-0x00007FF772DE1000-memory.dmp

Filesize
3.3MB

Download