cobaltstrike | e1676f64843d656f0bbbefd3caa1968b781b6f96c81559ab8c6691d288b47e2a

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18/11/2024, 02:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-18_6162fe22410b388d4480995fb1899bc9_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

6162fe22410b388d4480995fb1899bc9
SHA1

a98651592d4a549b2d2ee859e4f641f5f8d1076f
SHA256

e1676f64843d656f0bbbefd3caa1968b781b6f96c81559ab8c6691d288b47e2a
SHA512

6def7146ab9dadb093d76eb217433a33c77e4f9c31d51298659b1da6f891fe05b51797cd50fbbd81148410b7487d9a3aa76d26c8c04d05801e182caaf47c83b4
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l9:RWWBibf56utgpPFotBER/mQ32lUp

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0009000000023c9d-4.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca2-11.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca5-26.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca4-28.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca6-33.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023c9e-49.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023caa-60.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca9-75.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cab-86.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cad-93.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb1-99.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb2-108.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb4-127.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb3-123.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cae-112.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb0-104.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023caf-98.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cac-71.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca8-55.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca7-47.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca3-21.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 46 IoCs

miner

resource	yara_rule
behavioral2/memory/2864-83-0x00007FF75C9A0000-0x00007FF75CCF1000-memory.dmp	xmrig
behavioral2/memory/1440-118-0x00007FF621820000-0x00007FF621B71000-memory.dmp	xmrig
behavioral2/memory/5004-126-0x00007FF6A4E20000-0x00007FF6A5171000-memory.dmp	xmrig
behavioral2/memory/1924-131-0x00007FF711F20000-0x00007FF712271000-memory.dmp	xmrig
behavioral2/memory/3056-130-0x00007FF7B35B0000-0x00007FF7B3901000-memory.dmp	xmrig
behavioral2/memory/3512-129-0x00007FF676230000-0x00007FF676581000-memory.dmp	xmrig
behavioral2/memory/5080-125-0x00007FF707760000-0x00007FF707AB1000-memory.dmp	xmrig
behavioral2/memory/892-122-0x00007FF75DCE0000-0x00007FF75E031000-memory.dmp	xmrig
behavioral2/memory/4308-117-0x00007FF7E2610000-0x00007FF7E2961000-memory.dmp	xmrig
behavioral2/memory/3460-103-0x00007FF7794E0000-0x00007FF779831000-memory.dmp	xmrig
behavioral2/memory/1680-102-0x00007FF7FDBF0000-0x00007FF7FDF41000-memory.dmp	xmrig
behavioral2/memory/3700-97-0x00007FF778440000-0x00007FF778791000-memory.dmp	xmrig
behavioral2/memory/2128-90-0x00007FF60DA30000-0x00007FF60DD81000-memory.dmp	xmrig
behavioral2/memory/2088-81-0x00007FF6616A0000-0x00007FF6619F1000-memory.dmp	xmrig
behavioral2/memory/2380-64-0x00007FF6F64A0000-0x00007FF6F67F1000-memory.dmp	xmrig
behavioral2/memory/2864-132-0x00007FF75C9A0000-0x00007FF75CCF1000-memory.dmp	xmrig
behavioral2/memory/1488-139-0x00007FF7E8070000-0x00007FF7E83C1000-memory.dmp	xmrig
behavioral2/memory/1896-140-0x00007FF7641B0000-0x00007FF764501000-memory.dmp	xmrig
behavioral2/memory/2172-138-0x00007FF611820000-0x00007FF611B71000-memory.dmp	xmrig
behavioral2/memory/1736-147-0x00007FF795FB0000-0x00007FF796301000-memory.dmp	xmrig
behavioral2/memory/2088-145-0x00007FF6616A0000-0x00007FF6619F1000-memory.dmp	xmrig
behavioral2/memory/112-137-0x00007FF60E850000-0x00007FF60EBA1000-memory.dmp	xmrig
behavioral2/memory/3296-143-0x00007FF723D60000-0x00007FF7240B1000-memory.dmp	xmrig
behavioral2/memory/3132-136-0x00007FF624270000-0x00007FF6245C1000-memory.dmp	xmrig
behavioral2/memory/2864-154-0x00007FF75C9A0000-0x00007FF75CCF1000-memory.dmp	xmrig
behavioral2/memory/3460-207-0x00007FF7794E0000-0x00007FF779831000-memory.dmp	xmrig
behavioral2/memory/1440-209-0x00007FF621820000-0x00007FF621B71000-memory.dmp	xmrig
behavioral2/memory/3056-211-0x00007FF7B35B0000-0x00007FF7B3901000-memory.dmp	xmrig
behavioral2/memory/3132-213-0x00007FF624270000-0x00007FF6245C1000-memory.dmp	xmrig
behavioral2/memory/2172-226-0x00007FF611820000-0x00007FF611B71000-memory.dmp	xmrig
behavioral2/memory/112-228-0x00007FF60E850000-0x00007FF60EBA1000-memory.dmp	xmrig
behavioral2/memory/1488-232-0x00007FF7E8070000-0x00007FF7E83C1000-memory.dmp	xmrig
behavioral2/memory/2380-231-0x00007FF6F64A0000-0x00007FF6F67F1000-memory.dmp	xmrig
behavioral2/memory/1896-235-0x00007FF7641B0000-0x00007FF764501000-memory.dmp	xmrig
behavioral2/memory/2088-238-0x00007FF6616A0000-0x00007FF6619F1000-memory.dmp	xmrig
behavioral2/memory/2128-237-0x00007FF60DA30000-0x00007FF60DD81000-memory.dmp	xmrig
behavioral2/memory/3296-245-0x00007FF723D60000-0x00007FF7240B1000-memory.dmp	xmrig
behavioral2/memory/1680-244-0x00007FF7FDBF0000-0x00007FF7FDF41000-memory.dmp	xmrig
behavioral2/memory/4308-249-0x00007FF7E2610000-0x00007FF7E2961000-memory.dmp	xmrig
behavioral2/memory/5080-251-0x00007FF707760000-0x00007FF707AB1000-memory.dmp	xmrig
behavioral2/memory/892-253-0x00007FF75DCE0000-0x00007FF75E031000-memory.dmp	xmrig
behavioral2/memory/1736-255-0x00007FF795FB0000-0x00007FF796301000-memory.dmp	xmrig
behavioral2/memory/3700-248-0x00007FF778440000-0x00007FF778791000-memory.dmp	xmrig
behavioral2/memory/3512-257-0x00007FF676230000-0x00007FF676581000-memory.dmp	xmrig
behavioral2/memory/1924-259-0x00007FF711F20000-0x00007FF712271000-memory.dmp	xmrig
behavioral2/memory/5004-261-0x00007FF6A4E20000-0x00007FF6A5171000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
3460	iTVmPDV.exe
1440	BzyNLGC.exe
3056	WrWiDkt.exe
3132	hEEqDVU.exe
112	qkiDqFs.exe
2172	ocIrQUe.exe
1488	jxbneOA.exe
1896	fyjtDNd.exe
2380	CPqvgzW.exe
2128	ModtUXt.exe
3296	uLDqwNs.exe
3700	gjsVqfo.exe
2088	vAyhbjK.exe
1680	xoQPuPR.exe
4308	XhgqBGj.exe
892	teIXTRd.exe
1736	QVKpGoo.exe
5080	TkmJruX.exe
5004	lwWocze.exe
3512	PBBzXSj.exe
1924	gsABJPv.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2864-0-0x00007FF75C9A0000-0x00007FF75CCF1000-memory.dmp	upx
behavioral2/files/0x0009000000023c9d-4.dat	upx
behavioral2/files/0x0007000000023ca2-11.dat	upx
behavioral2/memory/1440-17-0x00007FF621820000-0x00007FF621B71000-memory.dmp	upx
behavioral2/memory/3132-25-0x00007FF624270000-0x00007FF6245C1000-memory.dmp	upx
behavioral2/files/0x0007000000023ca5-26.dat	upx
behavioral2/files/0x0007000000023ca4-28.dat	upx
behavioral2/files/0x0007000000023ca6-33.dat	upx
behavioral2/memory/1488-45-0x00007FF7E8070000-0x00007FF7E83C1000-memory.dmp	upx
behavioral2/files/0x0009000000023c9e-49.dat	upx
behavioral2/files/0x0007000000023caa-60.dat	upx
behavioral2/files/0x0007000000023ca9-75.dat	upx
behavioral2/memory/2864-83-0x00007FF75C9A0000-0x00007FF75CCF1000-memory.dmp	upx
behavioral2/files/0x0007000000023cab-86.dat	upx
behavioral2/files/0x0007000000023cad-93.dat	upx
behavioral2/files/0x0007000000023cb1-99.dat	upx
behavioral2/files/0x0007000000023cb2-108.dat	upx
behavioral2/memory/1440-118-0x00007FF621820000-0x00007FF621B71000-memory.dmp	upx
behavioral2/memory/5004-126-0x00007FF6A4E20000-0x00007FF6A5171000-memory.dmp	upx
behavioral2/memory/1924-131-0x00007FF711F20000-0x00007FF712271000-memory.dmp	upx
behavioral2/memory/3056-130-0x00007FF7B35B0000-0x00007FF7B3901000-memory.dmp	upx
behavioral2/memory/3512-129-0x00007FF676230000-0x00007FF676581000-memory.dmp	upx
behavioral2/files/0x0007000000023cb4-127.dat	upx
behavioral2/memory/5080-125-0x00007FF707760000-0x00007FF707AB1000-memory.dmp	upx
behavioral2/files/0x0007000000023cb3-123.dat	upx
behavioral2/memory/892-122-0x00007FF75DCE0000-0x00007FF75E031000-memory.dmp	upx
behavioral2/memory/4308-117-0x00007FF7E2610000-0x00007FF7E2961000-memory.dmp	upx
behavioral2/files/0x0007000000023cae-112.dat	upx
behavioral2/memory/1736-111-0x00007FF795FB0000-0x00007FF796301000-memory.dmp	upx
behavioral2/files/0x0007000000023cb0-104.dat	upx
behavioral2/memory/3460-103-0x00007FF7794E0000-0x00007FF779831000-memory.dmp	upx
behavioral2/memory/1680-102-0x00007FF7FDBF0000-0x00007FF7FDF41000-memory.dmp	upx
behavioral2/files/0x0007000000023caf-98.dat	upx
behavioral2/memory/3700-97-0x00007FF778440000-0x00007FF778791000-memory.dmp	upx
behavioral2/memory/2128-90-0x00007FF60DA30000-0x00007FF60DD81000-memory.dmp	upx
behavioral2/memory/2088-81-0x00007FF6616A0000-0x00007FF6619F1000-memory.dmp	upx
behavioral2/files/0x0007000000023cac-71.dat	upx
behavioral2/memory/3296-70-0x00007FF723D60000-0x00007FF7240B1000-memory.dmp	upx
behavioral2/memory/2380-64-0x00007FF6F64A0000-0x00007FF6F67F1000-memory.dmp	upx
behavioral2/memory/1896-56-0x00007FF7641B0000-0x00007FF764501000-memory.dmp	upx
behavioral2/files/0x0007000000023ca8-55.dat	upx
behavioral2/files/0x0007000000023ca7-47.dat	upx
behavioral2/memory/2172-37-0x00007FF611820000-0x00007FF611B71000-memory.dmp	upx
behavioral2/memory/112-30-0x00007FF60E850000-0x00007FF60EBA1000-memory.dmp	upx
behavioral2/memory/3056-23-0x00007FF7B35B0000-0x00007FF7B3901000-memory.dmp	upx
behavioral2/files/0x0007000000023ca3-21.dat	upx
behavioral2/memory/3460-9-0x00007FF7794E0000-0x00007FF779831000-memory.dmp	upx
behavioral2/memory/2864-132-0x00007FF75C9A0000-0x00007FF75CCF1000-memory.dmp	upx
behavioral2/memory/1488-139-0x00007FF7E8070000-0x00007FF7E83C1000-memory.dmp	upx
behavioral2/memory/1896-140-0x00007FF7641B0000-0x00007FF764501000-memory.dmp	upx
behavioral2/memory/2172-138-0x00007FF611820000-0x00007FF611B71000-memory.dmp	upx
behavioral2/memory/1736-147-0x00007FF795FB0000-0x00007FF796301000-memory.dmp	upx
behavioral2/memory/2088-145-0x00007FF6616A0000-0x00007FF6619F1000-memory.dmp	upx
behavioral2/memory/112-137-0x00007FF60E850000-0x00007FF60EBA1000-memory.dmp	upx
behavioral2/memory/3296-143-0x00007FF723D60000-0x00007FF7240B1000-memory.dmp	upx
behavioral2/memory/3132-136-0x00007FF624270000-0x00007FF6245C1000-memory.dmp	upx
behavioral2/memory/2864-154-0x00007FF75C9A0000-0x00007FF75CCF1000-memory.dmp	upx
behavioral2/memory/3460-207-0x00007FF7794E0000-0x00007FF779831000-memory.dmp	upx
behavioral2/memory/1440-209-0x00007FF621820000-0x00007FF621B71000-memory.dmp	upx
behavioral2/memory/3056-211-0x00007FF7B35B0000-0x00007FF7B3901000-memory.dmp	upx
behavioral2/memory/3132-213-0x00007FF624270000-0x00007FF6245C1000-memory.dmp	upx
behavioral2/memory/2172-226-0x00007FF611820000-0x00007FF611B71000-memory.dmp	upx
behavioral2/memory/112-228-0x00007FF60E850000-0x00007FF60EBA1000-memory.dmp	upx
behavioral2/memory/1488-232-0x00007FF7E8070000-0x00007FF7E83C1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\fyjtDNd.exe	2024-11-18_6162fe22410b388d4480995fb1899bc9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ModtUXt.exe	2024-11-18_6162fe22410b388d4480995fb1899bc9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uLDqwNs.exe	2024-11-18_6162fe22410b388d4480995fb1899bc9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lwWocze.exe	2024-11-18_6162fe22410b388d4480995fb1899bc9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PBBzXSj.exe	2024-11-18_6162fe22410b388d4480995fb1899bc9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iTVmPDV.exe	2024-11-18_6162fe22410b388d4480995fb1899bc9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gjsVqfo.exe	2024-11-18_6162fe22410b388d4480995fb1899bc9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vAyhbjK.exe	2024-11-18_6162fe22410b388d4480995fb1899bc9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xoQPuPR.exe	2024-11-18_6162fe22410b388d4480995fb1899bc9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XhgqBGj.exe	2024-11-18_6162fe22410b388d4480995fb1899bc9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\teIXTRd.exe	2024-11-18_6162fe22410b388d4480995fb1899bc9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TkmJruX.exe	2024-11-18_6162fe22410b388d4480995fb1899bc9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ocIrQUe.exe	2024-11-18_6162fe22410b388d4480995fb1899bc9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qkiDqFs.exe	2024-11-18_6162fe22410b388d4480995fb1899bc9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CPqvgzW.exe	2024-11-18_6162fe22410b388d4480995fb1899bc9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QVKpGoo.exe	2024-11-18_6162fe22410b388d4480995fb1899bc9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BzyNLGC.exe	2024-11-18_6162fe22410b388d4480995fb1899bc9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hEEqDVU.exe	2024-11-18_6162fe22410b388d4480995fb1899bc9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jxbneOA.exe	2024-11-18_6162fe22410b388d4480995fb1899bc9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gsABJPv.exe	2024-11-18_6162fe22410b388d4480995fb1899bc9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WrWiDkt.exe	2024-11-18_6162fe22410b388d4480995fb1899bc9_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2864	2024-11-18_6162fe22410b388d4480995fb1899bc9_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2864	2024-11-18_6162fe22410b388d4480995fb1899bc9_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2864 wrote to memory of 3460	2864	2024-11-18_6162fe22410b388d4480995fb1899bc9_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2864 wrote to memory of 3460	2864	2024-11-18_6162fe22410b388d4480995fb1899bc9_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2864 wrote to memory of 1440	2864	2024-11-18_6162fe22410b388d4480995fb1899bc9_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2864 wrote to memory of 1440	2864	2024-11-18_6162fe22410b388d4480995fb1899bc9_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2864 wrote to memory of 3056	2864	2024-11-18_6162fe22410b388d4480995fb1899bc9_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2864 wrote to memory of 3056	2864	2024-11-18_6162fe22410b388d4480995fb1899bc9_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2864 wrote to memory of 3132	2864	2024-11-18_6162fe22410b388d4480995fb1899bc9_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2864 wrote to memory of 3132	2864	2024-11-18_6162fe22410b388d4480995fb1899bc9_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2864 wrote to memory of 112	2864	2024-11-18_6162fe22410b388d4480995fb1899bc9_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2864 wrote to memory of 112	2864	2024-11-18_6162fe22410b388d4480995fb1899bc9_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2864 wrote to memory of 2172	2864	2024-11-18_6162fe22410b388d4480995fb1899bc9_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2864 wrote to memory of 2172	2864	2024-11-18_6162fe22410b388d4480995fb1899bc9_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2864 wrote to memory of 1488	2864	2024-11-18_6162fe22410b388d4480995fb1899bc9_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2864 wrote to memory of 1488	2864	2024-11-18_6162fe22410b388d4480995fb1899bc9_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2864 wrote to memory of 1896	2864	2024-11-18_6162fe22410b388d4480995fb1899bc9_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2864 wrote to memory of 1896	2864	2024-11-18_6162fe22410b388d4480995fb1899bc9_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2864 wrote to memory of 2380	2864	2024-11-18_6162fe22410b388d4480995fb1899bc9_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2864 wrote to memory of 2380	2864	2024-11-18_6162fe22410b388d4480995fb1899bc9_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2864 wrote to memory of 2128	2864	2024-11-18_6162fe22410b388d4480995fb1899bc9_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2864 wrote to memory of 2128	2864	2024-11-18_6162fe22410b388d4480995fb1899bc9_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2864 wrote to memory of 3296	2864	2024-11-18_6162fe22410b388d4480995fb1899bc9_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2864 wrote to memory of 3296	2864	2024-11-18_6162fe22410b388d4480995fb1899bc9_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2864 wrote to memory of 3700	2864	2024-11-18_6162fe22410b388d4480995fb1899bc9_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2864 wrote to memory of 3700	2864	2024-11-18_6162fe22410b388d4480995fb1899bc9_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2864 wrote to memory of 2088	2864	2024-11-18_6162fe22410b388d4480995fb1899bc9_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2864 wrote to memory of 2088	2864	2024-11-18_6162fe22410b388d4480995fb1899bc9_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2864 wrote to memory of 1680	2864	2024-11-18_6162fe22410b388d4480995fb1899bc9_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2864 wrote to memory of 1680	2864	2024-11-18_6162fe22410b388d4480995fb1899bc9_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2864 wrote to memory of 1736	2864	2024-11-18_6162fe22410b388d4480995fb1899bc9_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2864 wrote to memory of 1736	2864	2024-11-18_6162fe22410b388d4480995fb1899bc9_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2864 wrote to memory of 4308	2864	2024-11-18_6162fe22410b388d4480995fb1899bc9_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2864 wrote to memory of 4308	2864	2024-11-18_6162fe22410b388d4480995fb1899bc9_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2864 wrote to memory of 892	2864	2024-11-18_6162fe22410b388d4480995fb1899bc9_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2864 wrote to memory of 892	2864	2024-11-18_6162fe22410b388d4480995fb1899bc9_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2864 wrote to memory of 5080	2864	2024-11-18_6162fe22410b388d4480995fb1899bc9_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2864 wrote to memory of 5080	2864	2024-11-18_6162fe22410b388d4480995fb1899bc9_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2864 wrote to memory of 5004	2864	2024-11-18_6162fe22410b388d4480995fb1899bc9_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2864 wrote to memory of 5004	2864	2024-11-18_6162fe22410b388d4480995fb1899bc9_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2864 wrote to memory of 3512	2864	2024-11-18_6162fe22410b388d4480995fb1899bc9_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2864 wrote to memory of 3512	2864	2024-11-18_6162fe22410b388d4480995fb1899bc9_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2864 wrote to memory of 1924	2864	2024-11-18_6162fe22410b388d4480995fb1899bc9_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 2864 wrote to memory of 1924	2864	2024-11-18_6162fe22410b388d4480995fb1899bc9_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-11-18_6162fe22410b388d4480995fb1899bc9_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-18_6162fe22410b388d4480995fb1899bc9_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2864
- C:\Windows\System\iTVmPDV.exe
  C:\Windows\System\iTVmPDV.exe
  2⤵
  - Executes dropped EXE
  PID:3460
- C:\Windows\System\BzyNLGC.exe
  C:\Windows\System\BzyNLGC.exe
  2⤵
  - Executes dropped EXE
  PID:1440
- C:\Windows\System\WrWiDkt.exe
  C:\Windows\System\WrWiDkt.exe
  2⤵
  - Executes dropped EXE
  PID:3056
- C:\Windows\System\hEEqDVU.exe
  C:\Windows\System\hEEqDVU.exe
  2⤵
  - Executes dropped EXE
  PID:3132
- C:\Windows\System\qkiDqFs.exe
  C:\Windows\System\qkiDqFs.exe
  2⤵
  - Executes dropped EXE
  PID:112
- C:\Windows\System\ocIrQUe.exe
  C:\Windows\System\ocIrQUe.exe
  2⤵
  - Executes dropped EXE
  PID:2172
- C:\Windows\System\jxbneOA.exe
  C:\Windows\System\jxbneOA.exe
  2⤵
  - Executes dropped EXE
  PID:1488
- C:\Windows\System\fyjtDNd.exe
  C:\Windows\System\fyjtDNd.exe
  2⤵
  - Executes dropped EXE
  PID:1896
- C:\Windows\System\CPqvgzW.exe
  C:\Windows\System\CPqvgzW.exe
  2⤵
  - Executes dropped EXE
  PID:2380
- C:\Windows\System\ModtUXt.exe
  C:\Windows\System\ModtUXt.exe
  2⤵
  - Executes dropped EXE
  PID:2128
- C:\Windows\System\uLDqwNs.exe
  C:\Windows\System\uLDqwNs.exe
  2⤵
  - Executes dropped EXE
  PID:3296
- C:\Windows\System\gjsVqfo.exe
  C:\Windows\System\gjsVqfo.exe
  2⤵
  - Executes dropped EXE
  PID:3700
- C:\Windows\System\vAyhbjK.exe
  C:\Windows\System\vAyhbjK.exe
  2⤵
  - Executes dropped EXE
  PID:2088
- C:\Windows\System\xoQPuPR.exe
  C:\Windows\System\xoQPuPR.exe
  2⤵
  - Executes dropped EXE
  PID:1680
- C:\Windows\System\QVKpGoo.exe
  C:\Windows\System\QVKpGoo.exe
  2⤵
  - Executes dropped EXE
  PID:1736
- C:\Windows\System\XhgqBGj.exe
  C:\Windows\System\XhgqBGj.exe
  2⤵
  - Executes dropped EXE
  PID:4308
- C:\Windows\System\teIXTRd.exe
  C:\Windows\System\teIXTRd.exe
  2⤵
  - Executes dropped EXE
  PID:892
- C:\Windows\System\TkmJruX.exe
  C:\Windows\System\TkmJruX.exe
  2⤵
  - Executes dropped EXE
  PID:5080
- C:\Windows\System\lwWocze.exe
  C:\Windows\System\lwWocze.exe
  2⤵
  - Executes dropped EXE
  PID:5004
- C:\Windows\System\PBBzXSj.exe
  C:\Windows\System\PBBzXSj.exe
  2⤵
  - Executes dropped EXE
  PID:3512
- C:\Windows\System\gsABJPv.exe
  C:\Windows\System\gsABJPv.exe
  2⤵
  - Executes dropped EXE
  PID:1924

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BzyNLGC.exe

Filesize
5.2MB

MD5
b2757ce450861a2ea226ea3e297afe22

SHA1
cc8e8e7a9cf52500ef033e60a6dc43f7839c88a1

SHA256
6b123ebf706e28ba6a6de603fa2408d7fb2a0de9bf68d2514f38b30b721725d1

SHA512
6eb5f0ddaaef646ea249ae03a92edc64c049707b38f876062f7b0eb01ef0434e841f909a434fbcfc6c63c8a3496ba17e93dd0829df19d4e099c2d738844c9391

Download Submit
C:\Windows\System\CPqvgzW.exe

Filesize
5.2MB

MD5
03e95e3b6f9a69a0bacb6adc4a3c5329

SHA1
1394b69f66e3e3ae8e1e51b2cfa9c8632db713fa

SHA256
b10060dd63fb4548421a941f7c7957babfc31b8852d83b4324046a740c6386e8

SHA512
532b90e7a757ca22e6a21c34a5c1328d56cd7676213faa19b6358af39fee3f75d41f6d8a7d8b313a9b2b31106283c47a041ba7f9b15ada120dcb5db4ea34fc0b

Download Submit
C:\Windows\System\ModtUXt.exe

Filesize
5.2MB

MD5
c1c011331eb42da50f60dfe1b6241a96

SHA1
fd4005482cfb03b815aee33e0549cadc80989039

SHA256
1048151813d02375e1d7d6b631823bd0df80a5bc545cc45dedd862b57666a653

SHA512
a93334a0902fba4c519935316b1479e11691f49bd4693cecaaecb2bef562dbc8c1f903740b2e79d5298453521d171099cf170b3008cd6fbd976b8bff6dd1b342

Download Submit
C:\Windows\System\PBBzXSj.exe

Filesize
5.2MB

MD5
be93e714d7b76cf3b008374435444284

SHA1
9b4286ec61ed92a5159e1cb361ec208caa19e1ec

SHA256
1c05ea302034be8f8f9fa8b38cdfd01a954ee7fbb479c4318bbee49ee2b59546

SHA512
c8f3c9ff620cb31b924f17edff8bc71967b89938d538f994d1c7cbfd1a534403c0d59516072195660fb443eff70eec4d5bca34e0d2bcb8f7c237db415176aa26

Download Submit
C:\Windows\System\QVKpGoo.exe

Filesize
5.2MB

MD5
e75da8604d4f6a2b3dddcc1bafa3bca5

SHA1
099afc4f804bd3a243345b6c384cdb2fa97c75f5

SHA256
b16ff6e4c6c4c5db0729ed66bbea9850ffd7bb344b3bdceca66c836aa56d511e

SHA512
944c3ded9b0cb7479ec3a0fde1aa81a6f41a9a1ac4b3071bd10e0fc83fcdf35e4786b7866efde841ae73d49d57620a31e830715852139a0827fb2348944dde07

Download Submit
C:\Windows\System\TkmJruX.exe

Filesize
5.2MB

MD5
6c24c73af3664bb0469d7e88d4f344a7

SHA1
23e4d1d033584af24f0e9071dc5a9391fba89ee6

SHA256
a08c6f2312e9518c62c50334fcefa50d7eab1bba379f1026a0a0d6ca9097a871

SHA512
e1d1f2d6d340c103c1090bff00998f2eb40a00c0d40d9059df8a51cb3f6cd6735394ed296a07d0f1c1a4f5527155fce50cc03cb0af06925eabe002455058ea8f

Download Submit
C:\Windows\System\WrWiDkt.exe

Filesize
5.2MB

MD5
85fccfb0854ac427814703eacd000b5a

SHA1
fa21302b9ca592b054a6c3333db3cb424b76405f

SHA256
411494586d884bd485dd14f6064185b8302b6953764fee72b9609ca22568bc2e

SHA512
5380009a1d63ee7d1516fe1a43b32919d20e63ac29703d12c4a7baf498eddd5aeabfbb9d27589d599ae14902a9ab8c065e76ebe4f6e5cc11d93af2d6c373741c

Download Submit
C:\Windows\System\XhgqBGj.exe

Filesize
5.2MB

MD5
544840fbbe016837a23118a4e8b59f82

SHA1
c22ab7baf53e3a895946f02be8c55a4c8d4a1a43

SHA256
63895cc840fb9e76cc1e9fc75174af29e9102d539d130f22f96c2fcd9f5bdb57

SHA512
1ba12d1ac64fb6e469ab092573d915dd3ee434742dd66348626bf6cb9d59a4ec38e67b6dcf237569614067a49c9416170e6937af50563e3d8106d2a4a4ed8882

Download Submit
C:\Windows\System\fyjtDNd.exe

Filesize
5.2MB

MD5
97f5bfee3081c9cdda0da0b2828e4aa2

SHA1
0ee592d3da4ae847f8a3c0e6ba1c3413ec58d64b

SHA256
23c9c3aa352c4295fa2da6f291051b18c3f7bc69d537b5038de45e6c4ba5dac2

SHA512
92dd01b9ffbabdc06257edb0708c8ddf461444f2f6bdb3e908b049729c7c1dfa1f406ad34d2971307b7a339feb9cbff83dd8d97a9cb3f686bb69dfb2ac6be060

Download Submit
C:\Windows\System\gjsVqfo.exe

Filesize
5.2MB

MD5
553e9e41d69a55469b0b4fc3b8e27719

SHA1
14b87746c90a25ef3dc05252ef160bac84390da6

SHA256
ed902752c64ea1d94c3284971ced911948dbc19f428ef2cc42154244ef5d80b7

SHA512
a5c6d117f80305f93db4b7294942d4ae8a2f6dec15219cb2edf68bfba003a29f95418ed71a8626cd5ede56860ed5365a3d9ce82930162e5cf271b39eee06b758

Download Submit
C:\Windows\System\gsABJPv.exe

Filesize
5.2MB

MD5
f7a08c47aa28e5b6f76d13dfd6fd64f8

SHA1
fb61c4ad03fdf067d78fb6b6f5dbce2e569d2d96

SHA256
7b4313438206dd9b1bb6805296368d0e3e9b9a25cc4df9ec8bb11cf6aa7331cb

SHA512
830bbdfb0104f57af69092dc1af0f7387fe5912cf42b55ceaf3b06d67bc5926b762256c7e040e61537bb9be37bb3e1332d810838cfebc58cc99c2a6f7d0ecae5

Download Submit
C:\Windows\System\hEEqDVU.exe

Filesize
5.2MB

MD5
e74a4754aa085cbf4bfeb19f3bba56ed

SHA1
bbb881d10e4134835f84bb647b4936951827e822

SHA256
d198c941a685a7486529a7eaea97e722f682a0596fd2f8b3962239f4a4da6dae

SHA512
2887f1945617343736c3d2d2894637bc0875eb607283311c07cb3b1ca3ada1e24788e8384da1211bf609ddbb68bf496e8f39ec5fabf902a6c8197adda920c79c

Download Submit
C:\Windows\System\iTVmPDV.exe

Filesize
5.2MB

MD5
045a80dac0c0c12317d1d8e7d5dc4132

SHA1
62aaefb40a89dbee235ec6f25c7c9e4cccbe0381

SHA256
42f8308cc3bd3d8552907192393f859089c99f80022c35ab0926f2a3e6fc81f4

SHA512
8d82eb916b4f84105c235b2b877232ee374745167c567a7410c1079be838f7fa2f7827b9285ee0363b90d69cd45974c2fc1031e6dfc027129dd9cd78d8592995

Download Submit
C:\Windows\System\jxbneOA.exe

Filesize
5.2MB

MD5
b41ffc7d4b0da60a902577b13d85fa1f

SHA1
f4f6b535273da2108f88cca049a59c7cadf73e98

SHA256
0317f2b9c4b6d01f0549225f698a22bc19b827dbed0086fd309b151116f9056b

SHA512
db1ada253bec36e28e3057cb8dd24f6d5266430b1fde126bc502061ac192bf86f8063ecc70062d9e25d7210ed286deeb03dc6caa81578064bf51bfcc2cabdc97

Download Submit
C:\Windows\System\lwWocze.exe

Filesize
5.2MB

MD5
69433ad2f795d42ace4c01b730e967e3

SHA1
3b17b592c8a088685f0742eeae48a5e5015d90e0

SHA256
15ce938a6b6c495735571a2487485ba00545fcc31671f3a38271206a70b9b04b

SHA512
b9cc2a49a4e52744a02bc31ec4af10d951ddc35caa852afe11360d495061e5b1d831d5ec65f01e509fc41f355d9c98e02bb44e5bffb76e61433438f3f1aed0a5

Download Submit
C:\Windows\System\ocIrQUe.exe

Filesize
5.2MB

MD5
22f613bd7a43cd5ac761d60d0635f85c

SHA1
14201830049e4238840c3a7503a3eaa0c8c6ac9b

SHA256
9e0c03892fff90c019637755af106aeaa6bc0400f3a2825c782a7d20b4e3fdf5

SHA512
d2e2c61d61372eab5484c35964e78ca26f8dc4fc45a2b3921f44290ab0ab706a703641089e9ac5410c0a5d30ae698e1843fa55a40fc765a1942d5575c592f8cf

Download Submit
C:\Windows\System\qkiDqFs.exe

Filesize
5.2MB

MD5
600c1176a3822d4d90fe1fc346869ee4

SHA1
95af60055e2a3bbc84be2220b7fd5ecfc213fc1b

SHA256
65824ffb3f44cb116c28802b7f5cc71de91205d510c78b149ed857bbcfb42abc

SHA512
81352eebf14ebe5af09f4986d88d89844c85682f9e00d96764c7db76a6bc442f0c8e832af6da5511e36ebbcee98009547e9355e2e9640b9b7ab59abda9921b56

Download Submit
C:\Windows\System\teIXTRd.exe

Filesize
5.2MB

MD5
20f18a83db0ef8cec619cc34a1fd48b0

SHA1
cb3fa1b2a7888d500a9b1d31686e1b3213527819

SHA256
6ae374da002c2d159297aa7beb6b3227c8ccbbffd1cdc12f7db14919aa767a72

SHA512
45f219cb4e2041368196ecfad4d1e2cb4b3e34068cf03e85ce75ec08860f41fd420ebcb80a30368f14209d0bbf2454cad670a92e2b958279518c85cfe5a209f8

Download Submit
C:\Windows\System\uLDqwNs.exe

Filesize
5.2MB

MD5
f726c3841da38b3ae29aa2f4f5d0acdd

SHA1
0512d6f9a39ab98f2f4ddc1f8e4508f01c7a09e5

SHA256
30ac65b9be176224ca5742864397ad29a895f3aae1891a89c36b73b5bc40339f

SHA512
9088a33689cb6b37ad7ee38adc7b2f1b2f6a829e3ba8a693fd8250567be7165f8485b402c541677e93069373fd56822ccadd270ca7f94f31556844cab5a841cd

Download Submit
C:\Windows\System\vAyhbjK.exe

Filesize
5.2MB

MD5
fe3bb833e67edd18c6b6a3b04ca7add5

SHA1
3fa4d0c88ddb0d25d87145a30ea89df994833c2d

SHA256
d4785820923fd3f482295730247cd055574ee03c93d7c43dd2b50a0367217c28

SHA512
b190dc0e7509782af130a199b8e276c387834cbfa31b8289ebd6809411e659fe22652d9777b95833728da073ecd8a8b06dbdc780966e271fd85e9cf9cd210416

Download Submit
C:\Windows\System\xoQPuPR.exe

Filesize
5.2MB

MD5
a337e794a1a81003ddbf3730bd340c96

SHA1
177e1532f3da8dfe3da0a15fde18f17f8d0dbd75

SHA256
6c6d6fd57fce436f21dbc62f01c73a35af8cae431663dcae7d6d1f887d3c90e3

SHA512
41fc3d77b71130a0e489bd499db5d22fd2a26c477d98ea9d1529ccac568d41dce65d4b01050e43c05a18a90813b09121a37bac22de154dbc77cec3dd02bad9ca

Download Submit
memory/112-228-0x00007FF60E850000-0x00007FF60EBA1000-memory.dmp

Filesize
3.3MB

Download
memory/112-30-0x00007FF60E850000-0x00007FF60EBA1000-memory.dmp

Filesize
3.3MB

Download
memory/112-137-0x00007FF60E850000-0x00007FF60EBA1000-memory.dmp

Filesize
3.3MB

Download
memory/892-122-0x00007FF75DCE0000-0x00007FF75E031000-memory.dmp

Filesize
3.3MB

Download
memory/892-253-0x00007FF75DCE0000-0x00007FF75E031000-memory.dmp

Filesize
3.3MB

Download
memory/1440-17-0x00007FF621820000-0x00007FF621B71000-memory.dmp

Filesize
3.3MB

Download
memory/1440-118-0x00007FF621820000-0x00007FF621B71000-memory.dmp

Filesize
3.3MB

Download
memory/1440-209-0x00007FF621820000-0x00007FF621B71000-memory.dmp

Filesize
3.3MB

Download
memory/1488-45-0x00007FF7E8070000-0x00007FF7E83C1000-memory.dmp

Filesize
3.3MB

Download
memory/1488-139-0x00007FF7E8070000-0x00007FF7E83C1000-memory.dmp

Filesize
3.3MB

Download
memory/1488-232-0x00007FF7E8070000-0x00007FF7E83C1000-memory.dmp

Filesize
3.3MB

Download
memory/1680-102-0x00007FF7FDBF0000-0x00007FF7FDF41000-memory.dmp

Filesize
3.3MB

Download
memory/1680-244-0x00007FF7FDBF0000-0x00007FF7FDF41000-memory.dmp

Filesize
3.3MB

Download
memory/1736-111-0x00007FF795FB0000-0x00007FF796301000-memory.dmp

Filesize
3.3MB

Download
memory/1736-147-0x00007FF795FB0000-0x00007FF796301000-memory.dmp

Filesize
3.3MB

Download
memory/1736-255-0x00007FF795FB0000-0x00007FF796301000-memory.dmp

Filesize
3.3MB

Download
memory/1896-235-0x00007FF7641B0000-0x00007FF764501000-memory.dmp

Filesize
3.3MB

Download
memory/1896-140-0x00007FF7641B0000-0x00007FF764501000-memory.dmp

Filesize
3.3MB

Download
memory/1896-56-0x00007FF7641B0000-0x00007FF764501000-memory.dmp

Filesize
3.3MB

Download
memory/1924-131-0x00007FF711F20000-0x00007FF712271000-memory.dmp

Filesize
3.3MB

Download
memory/1924-259-0x00007FF711F20000-0x00007FF712271000-memory.dmp

Filesize
3.3MB

Download
memory/2088-145-0x00007FF6616A0000-0x00007FF6619F1000-memory.dmp

Filesize
3.3MB

Download
memory/2088-238-0x00007FF6616A0000-0x00007FF6619F1000-memory.dmp

Filesize
3.3MB

Download
memory/2088-81-0x00007FF6616A0000-0x00007FF6619F1000-memory.dmp

Filesize
3.3MB

Download
memory/2128-237-0x00007FF60DA30000-0x00007FF60DD81000-memory.dmp

Filesize
3.3MB

Download
memory/2128-90-0x00007FF60DA30000-0x00007FF60DD81000-memory.dmp

Filesize
3.3MB

Download
memory/2172-37-0x00007FF611820000-0x00007FF611B71000-memory.dmp

Filesize
3.3MB

Download
memory/2172-138-0x00007FF611820000-0x00007FF611B71000-memory.dmp

Filesize
3.3MB

Download
memory/2172-226-0x00007FF611820000-0x00007FF611B71000-memory.dmp

Filesize
3.3MB

Download
memory/2380-64-0x00007FF6F64A0000-0x00007FF6F67F1000-memory.dmp

Filesize
3.3MB

Download
memory/2380-231-0x00007FF6F64A0000-0x00007FF6F67F1000-memory.dmp

Filesize
3.3MB

Download
memory/2864-154-0x00007FF75C9A0000-0x00007FF75CCF1000-memory.dmp

Filesize
3.3MB

Download
memory/2864-0-0x00007FF75C9A0000-0x00007FF75CCF1000-memory.dmp

Filesize
3.3MB

Download
memory/2864-1-0x0000019AB7AE0000-0x0000019AB7AF0000-memory.dmp

Filesize
64KB

Download
memory/2864-83-0x00007FF75C9A0000-0x00007FF75CCF1000-memory.dmp

Filesize
3.3MB

Download
memory/2864-132-0x00007FF75C9A0000-0x00007FF75CCF1000-memory.dmp

Filesize
3.3MB

Download
memory/3056-211-0x00007FF7B35B0000-0x00007FF7B3901000-memory.dmp

Filesize
3.3MB

Download
memory/3056-130-0x00007FF7B35B0000-0x00007FF7B3901000-memory.dmp

Filesize
3.3MB

Download
memory/3056-23-0x00007FF7B35B0000-0x00007FF7B3901000-memory.dmp

Filesize
3.3MB

Download
memory/3132-25-0x00007FF624270000-0x00007FF6245C1000-memory.dmp

Filesize
3.3MB

Download
memory/3132-213-0x00007FF624270000-0x00007FF6245C1000-memory.dmp

Filesize
3.3MB

Download
memory/3132-136-0x00007FF624270000-0x00007FF6245C1000-memory.dmp

Filesize
3.3MB

Download
memory/3296-70-0x00007FF723D60000-0x00007FF7240B1000-memory.dmp

Filesize
3.3MB

Download
memory/3296-245-0x00007FF723D60000-0x00007FF7240B1000-memory.dmp

Filesize
3.3MB

Download
memory/3296-143-0x00007FF723D60000-0x00007FF7240B1000-memory.dmp

Filesize
3.3MB

Download
memory/3460-207-0x00007FF7794E0000-0x00007FF779831000-memory.dmp

Filesize
3.3MB

Download
memory/3460-103-0x00007FF7794E0000-0x00007FF779831000-memory.dmp

Filesize
3.3MB

Download
memory/3460-9-0x00007FF7794E0000-0x00007FF779831000-memory.dmp

Filesize
3.3MB

Download
memory/3512-129-0x00007FF676230000-0x00007FF676581000-memory.dmp

Filesize
3.3MB

Download
memory/3512-257-0x00007FF676230000-0x00007FF676581000-memory.dmp

Filesize
3.3MB

Download
memory/3700-97-0x00007FF778440000-0x00007FF778791000-memory.dmp

Filesize
3.3MB

Download
memory/3700-248-0x00007FF778440000-0x00007FF778791000-memory.dmp

Filesize
3.3MB

Download
memory/4308-117-0x00007FF7E2610000-0x00007FF7E2961000-memory.dmp

Filesize
3.3MB

Download
memory/4308-249-0x00007FF7E2610000-0x00007FF7E2961000-memory.dmp

Filesize
3.3MB

Download
memory/5004-126-0x00007FF6A4E20000-0x00007FF6A5171000-memory.dmp

Filesize
3.3MB

Download
memory/5004-261-0x00007FF6A4E20000-0x00007FF6A5171000-memory.dmp

Filesize
3.3MB

Download
memory/5080-125-0x00007FF707760000-0x00007FF707AB1000-memory.dmp

Filesize
3.3MB

Download
memory/5080-251-0x00007FF707760000-0x00007FF707AB1000-memory.dmp

Filesize
3.3MB

Download