cobaltstrike | 0692623eb0720d597542c87722f0827c726e6591982966b68c3a2a5af2572287

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-11-2024 02:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-18_cc38ebbee6682e5b777dd158fee2a025_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

cc38ebbee6682e5b777dd158fee2a025
SHA1

db587a74ddee1a5cdd529981b9204f52fdaff6db
SHA256

0692623eb0720d597542c87722f0827c726e6591982966b68c3a2a5af2572287
SHA512

9573211670c962bc84cee5c8ad4307b41ab297472006ebbfb14d074273e209946780c952e9f82d1b125d361dcc6b838c24349e684701c0d315c31c172908c83a
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lJ:RWWBibf56utgpPFotBER/mQ32lUN

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000c000000023bae-5.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca8-10.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca7-11.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca9-23.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023caa-26.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cab-35.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cad-45.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cae-50.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023ca4-60.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb0-65.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb3-79.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb6-95.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb7-100.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb9-109.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb8-107.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb5-91.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb4-85.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb2-75.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb1-70.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023caf-55.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cac-40.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 46 IoCs

miner

resource	yara_rule
behavioral2/memory/860-13-0x00007FF635380000-0x00007FF6356D1000-memory.dmp	xmrig
behavioral2/memory/3772-111-0x00007FF7FBD50000-0x00007FF7FC0A1000-memory.dmp	xmrig
behavioral2/memory/860-113-0x00007FF635380000-0x00007FF6356D1000-memory.dmp	xmrig
behavioral2/memory/552-116-0x00007FF64E120000-0x00007FF64E471000-memory.dmp	xmrig
behavioral2/memory/3164-120-0x00007FF710CB0000-0x00007FF711001000-memory.dmp	xmrig
behavioral2/memory/4696-115-0x00007FF7458F0000-0x00007FF745C41000-memory.dmp	xmrig
behavioral2/memory/4988-119-0x00007FF6D7D40000-0x00007FF6D8091000-memory.dmp	xmrig
behavioral2/memory/4292-122-0x00007FF76B830000-0x00007FF76BB81000-memory.dmp	xmrig
behavioral2/memory/2152-121-0x00007FF71CEB0000-0x00007FF71D201000-memory.dmp	xmrig
behavioral2/memory/2952-118-0x00007FF7670B0000-0x00007FF767401000-memory.dmp	xmrig
behavioral2/memory/3556-114-0x00007FF6DD720000-0x00007FF6DDA71000-memory.dmp	xmrig
behavioral2/memory/4144-112-0x00007FF64D690000-0x00007FF64D9E1000-memory.dmp	xmrig
behavioral2/memory/4520-123-0x00007FF766080000-0x00007FF7663D1000-memory.dmp	xmrig
behavioral2/memory/1496-128-0x00007FF6601C0000-0x00007FF660511000-memory.dmp	xmrig
behavioral2/memory/4284-133-0x00007FF6BA270000-0x00007FF6BA5C1000-memory.dmp	xmrig
behavioral2/memory/4552-132-0x00007FF62F770000-0x00007FF62FAC1000-memory.dmp	xmrig
behavioral2/memory/2692-131-0x00007FF69AA30000-0x00007FF69AD81000-memory.dmp	xmrig
behavioral2/memory/4568-129-0x00007FF6D5D90000-0x00007FF6D60E1000-memory.dmp	xmrig
behavioral2/memory/1640-127-0x00007FF644270000-0x00007FF6445C1000-memory.dmp	xmrig
behavioral2/memory/3276-126-0x00007FF6E4AC0000-0x00007FF6E4E11000-memory.dmp	xmrig
behavioral2/memory/2424-124-0x00007FF6AD7E0000-0x00007FF6ADB31000-memory.dmp	xmrig
behavioral2/memory/3616-130-0x00007FF62E7D0000-0x00007FF62EB21000-memory.dmp	xmrig
behavioral2/memory/2060-125-0x00007FF7D2E10000-0x00007FF7D3161000-memory.dmp	xmrig
behavioral2/memory/4144-134-0x00007FF64D690000-0x00007FF64D9E1000-memory.dmp	xmrig
behavioral2/memory/4144-156-0x00007FF64D690000-0x00007FF64D9E1000-memory.dmp	xmrig
behavioral2/memory/860-185-0x00007FF635380000-0x00007FF6356D1000-memory.dmp	xmrig
behavioral2/memory/3556-187-0x00007FF6DD720000-0x00007FF6DDA71000-memory.dmp	xmrig
behavioral2/memory/4696-197-0x00007FF7458F0000-0x00007FF745C41000-memory.dmp	xmrig
behavioral2/memory/3772-201-0x00007FF7FBD50000-0x00007FF7FC0A1000-memory.dmp	xmrig
behavioral2/memory/552-200-0x00007FF64E120000-0x00007FF64E471000-memory.dmp	xmrig
behavioral2/memory/2952-203-0x00007FF7670B0000-0x00007FF767401000-memory.dmp	xmrig
behavioral2/memory/3164-206-0x00007FF710CB0000-0x00007FF711001000-memory.dmp	xmrig
behavioral2/memory/4988-207-0x00007FF6D7D40000-0x00007FF6D8091000-memory.dmp	xmrig
behavioral2/memory/2152-209-0x00007FF71CEB0000-0x00007FF71D201000-memory.dmp	xmrig
behavioral2/memory/4520-221-0x00007FF766080000-0x00007FF7663D1000-memory.dmp	xmrig
behavioral2/memory/2424-224-0x00007FF6AD7E0000-0x00007FF6ADB31000-memory.dmp	xmrig
behavioral2/memory/3276-228-0x00007FF6E4AC0000-0x00007FF6E4E11000-memory.dmp	xmrig
behavioral2/memory/2060-226-0x00007FF7D2E10000-0x00007FF7D3161000-memory.dmp	xmrig
behavioral2/memory/4292-222-0x00007FF76B830000-0x00007FF76BB81000-memory.dmp	xmrig
behavioral2/memory/4568-237-0x00007FF6D5D90000-0x00007FF6D60E1000-memory.dmp	xmrig
behavioral2/memory/1496-236-0x00007FF6601C0000-0x00007FF660511000-memory.dmp	xmrig
behavioral2/memory/1640-242-0x00007FF644270000-0x00007FF6445C1000-memory.dmp	xmrig
behavioral2/memory/4552-240-0x00007FF62F770000-0x00007FF62FAC1000-memory.dmp	xmrig
behavioral2/memory/4284-238-0x00007FF6BA270000-0x00007FF6BA5C1000-memory.dmp	xmrig
behavioral2/memory/3616-233-0x00007FF62E7D0000-0x00007FF62EB21000-memory.dmp	xmrig
behavioral2/memory/2692-232-0x00007FF69AA30000-0x00007FF69AD81000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
860	zesTbBQ.exe
3556	EgMtRlD.exe
4696	VzMoyxn.exe
552	KwyoUWv.exe
3772	QNdAaIW.exe
2952	nrOeLQH.exe
4988	TkpsPzU.exe
3164	uYqGQGu.exe
2152	VCyvygP.exe
4292	velqVeZ.exe
4520	TmnzrNA.exe
2424	XLHVmdQ.exe
2060	LjIIiBk.exe
3276	wXKiAqw.exe
1640	JVMLXwf.exe
1496	eZDrJSI.exe
4568	fFvaMlX.exe
3616	dnTcakK.exe
2692	BRNVllL.exe
4552	MzCnJOk.exe
4284	DTebQqL.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4144-0-0x00007FF64D690000-0x00007FF64D9E1000-memory.dmp	upx
behavioral2/files/0x000c000000023bae-5.dat	upx
behavioral2/files/0x0007000000023ca8-10.dat	upx
behavioral2/files/0x0007000000023ca7-11.dat	upx
behavioral2/files/0x0007000000023ca9-23.dat	upx
behavioral2/files/0x0007000000023caa-26.dat	upx
behavioral2/files/0x0007000000023cab-35.dat	upx
behavioral2/files/0x0007000000023cad-45.dat	upx
behavioral2/files/0x0007000000023cae-50.dat	upx
behavioral2/files/0x0008000000023ca4-60.dat	upx
behavioral2/files/0x0007000000023cb0-65.dat	upx
behavioral2/files/0x0007000000023cb3-79.dat	upx
behavioral2/files/0x0007000000023cb6-95.dat	upx
behavioral2/files/0x0007000000023cb7-100.dat	upx
behavioral2/files/0x0007000000023cb9-109.dat	upx
behavioral2/files/0x0007000000023cb8-107.dat	upx
behavioral2/files/0x0007000000023cb5-91.dat	upx
behavioral2/files/0x0007000000023cb4-85.dat	upx
behavioral2/files/0x0007000000023cb2-75.dat	upx
behavioral2/files/0x0007000000023cb1-70.dat	upx
behavioral2/files/0x0007000000023caf-55.dat	upx
behavioral2/files/0x0007000000023cac-40.dat	upx
behavioral2/memory/552-27-0x00007FF64E120000-0x00007FF64E471000-memory.dmp	upx
behavioral2/memory/4696-22-0x00007FF7458F0000-0x00007FF745C41000-memory.dmp	upx
behavioral2/memory/3556-17-0x00007FF6DD720000-0x00007FF6DDA71000-memory.dmp	upx
behavioral2/memory/860-13-0x00007FF635380000-0x00007FF6356D1000-memory.dmp	upx
behavioral2/memory/3772-111-0x00007FF7FBD50000-0x00007FF7FC0A1000-memory.dmp	upx
behavioral2/memory/860-113-0x00007FF635380000-0x00007FF6356D1000-memory.dmp	upx
behavioral2/memory/552-116-0x00007FF64E120000-0x00007FF64E471000-memory.dmp	upx
behavioral2/memory/3164-120-0x00007FF710CB0000-0x00007FF711001000-memory.dmp	upx
behavioral2/memory/4696-115-0x00007FF7458F0000-0x00007FF745C41000-memory.dmp	upx
behavioral2/memory/4988-119-0x00007FF6D7D40000-0x00007FF6D8091000-memory.dmp	upx
behavioral2/memory/4292-122-0x00007FF76B830000-0x00007FF76BB81000-memory.dmp	upx
behavioral2/memory/2152-121-0x00007FF71CEB0000-0x00007FF71D201000-memory.dmp	upx
behavioral2/memory/2952-118-0x00007FF7670B0000-0x00007FF767401000-memory.dmp	upx
behavioral2/memory/3556-114-0x00007FF6DD720000-0x00007FF6DDA71000-memory.dmp	upx
behavioral2/memory/4144-112-0x00007FF64D690000-0x00007FF64D9E1000-memory.dmp	upx
behavioral2/memory/4520-123-0x00007FF766080000-0x00007FF7663D1000-memory.dmp	upx
behavioral2/memory/1496-128-0x00007FF6601C0000-0x00007FF660511000-memory.dmp	upx
behavioral2/memory/4284-133-0x00007FF6BA270000-0x00007FF6BA5C1000-memory.dmp	upx
behavioral2/memory/4552-132-0x00007FF62F770000-0x00007FF62FAC1000-memory.dmp	upx
behavioral2/memory/2692-131-0x00007FF69AA30000-0x00007FF69AD81000-memory.dmp	upx
behavioral2/memory/4568-129-0x00007FF6D5D90000-0x00007FF6D60E1000-memory.dmp	upx
behavioral2/memory/1640-127-0x00007FF644270000-0x00007FF6445C1000-memory.dmp	upx
behavioral2/memory/3276-126-0x00007FF6E4AC0000-0x00007FF6E4E11000-memory.dmp	upx
behavioral2/memory/2424-124-0x00007FF6AD7E0000-0x00007FF6ADB31000-memory.dmp	upx
behavioral2/memory/3616-130-0x00007FF62E7D0000-0x00007FF62EB21000-memory.dmp	upx
behavioral2/memory/2060-125-0x00007FF7D2E10000-0x00007FF7D3161000-memory.dmp	upx
behavioral2/memory/4144-134-0x00007FF64D690000-0x00007FF64D9E1000-memory.dmp	upx
behavioral2/memory/4144-156-0x00007FF64D690000-0x00007FF64D9E1000-memory.dmp	upx
behavioral2/memory/860-185-0x00007FF635380000-0x00007FF6356D1000-memory.dmp	upx
behavioral2/memory/3556-187-0x00007FF6DD720000-0x00007FF6DDA71000-memory.dmp	upx
behavioral2/memory/4696-197-0x00007FF7458F0000-0x00007FF745C41000-memory.dmp	upx
behavioral2/memory/3772-201-0x00007FF7FBD50000-0x00007FF7FC0A1000-memory.dmp	upx
behavioral2/memory/552-200-0x00007FF64E120000-0x00007FF64E471000-memory.dmp	upx
behavioral2/memory/2952-203-0x00007FF7670B0000-0x00007FF767401000-memory.dmp	upx
behavioral2/memory/3164-206-0x00007FF710CB0000-0x00007FF711001000-memory.dmp	upx
behavioral2/memory/4988-207-0x00007FF6D7D40000-0x00007FF6D8091000-memory.dmp	upx
behavioral2/memory/2152-209-0x00007FF71CEB0000-0x00007FF71D201000-memory.dmp	upx
behavioral2/memory/4520-221-0x00007FF766080000-0x00007FF7663D1000-memory.dmp	upx
behavioral2/memory/2424-224-0x00007FF6AD7E0000-0x00007FF6ADB31000-memory.dmp	upx
behavioral2/memory/3276-228-0x00007FF6E4AC0000-0x00007FF6E4E11000-memory.dmp	upx
behavioral2/memory/2060-226-0x00007FF7D2E10000-0x00007FF7D3161000-memory.dmp	upx
behavioral2/memory/4292-222-0x00007FF76B830000-0x00007FF76BB81000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\nrOeLQH.exe	2024-11-18_cc38ebbee6682e5b777dd158fee2a025_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zesTbBQ.exe	2024-11-18_cc38ebbee6682e5b777dd158fee2a025_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QNdAaIW.exe	2024-11-18_cc38ebbee6682e5b777dd158fee2a025_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dnTcakK.exe	2024-11-18_cc38ebbee6682e5b777dd158fee2a025_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BRNVllL.exe	2024-11-18_cc38ebbee6682e5b777dd158fee2a025_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MzCnJOk.exe	2024-11-18_cc38ebbee6682e5b777dd158fee2a025_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DTebQqL.exe	2024-11-18_cc38ebbee6682e5b777dd158fee2a025_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EgMtRlD.exe	2024-11-18_cc38ebbee6682e5b777dd158fee2a025_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KwyoUWv.exe	2024-11-18_cc38ebbee6682e5b777dd158fee2a025_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VCyvygP.exe	2024-11-18_cc38ebbee6682e5b777dd158fee2a025_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XLHVmdQ.exe	2024-11-18_cc38ebbee6682e5b777dd158fee2a025_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LjIIiBk.exe	2024-11-18_cc38ebbee6682e5b777dd158fee2a025_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wXKiAqw.exe	2024-11-18_cc38ebbee6682e5b777dd158fee2a025_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JVMLXwf.exe	2024-11-18_cc38ebbee6682e5b777dd158fee2a025_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fFvaMlX.exe	2024-11-18_cc38ebbee6682e5b777dd158fee2a025_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VzMoyxn.exe	2024-11-18_cc38ebbee6682e5b777dd158fee2a025_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TkpsPzU.exe	2024-11-18_cc38ebbee6682e5b777dd158fee2a025_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TmnzrNA.exe	2024-11-18_cc38ebbee6682e5b777dd158fee2a025_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eZDrJSI.exe	2024-11-18_cc38ebbee6682e5b777dd158fee2a025_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uYqGQGu.exe	2024-11-18_cc38ebbee6682e5b777dd158fee2a025_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\velqVeZ.exe	2024-11-18_cc38ebbee6682e5b777dd158fee2a025_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4144	2024-11-18_cc38ebbee6682e5b777dd158fee2a025_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4144	2024-11-18_cc38ebbee6682e5b777dd158fee2a025_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4144 wrote to memory of 860	4144	2024-11-18_cc38ebbee6682e5b777dd158fee2a025_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4144 wrote to memory of 860	4144	2024-11-18_cc38ebbee6682e5b777dd158fee2a025_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4144 wrote to memory of 3556	4144	2024-11-18_cc38ebbee6682e5b777dd158fee2a025_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4144 wrote to memory of 3556	4144	2024-11-18_cc38ebbee6682e5b777dd158fee2a025_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4144 wrote to memory of 4696	4144	2024-11-18_cc38ebbee6682e5b777dd158fee2a025_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4144 wrote to memory of 4696	4144	2024-11-18_cc38ebbee6682e5b777dd158fee2a025_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4144 wrote to memory of 552	4144	2024-11-18_cc38ebbee6682e5b777dd158fee2a025_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4144 wrote to memory of 552	4144	2024-11-18_cc38ebbee6682e5b777dd158fee2a025_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4144 wrote to memory of 3772	4144	2024-11-18_cc38ebbee6682e5b777dd158fee2a025_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4144 wrote to memory of 3772	4144	2024-11-18_cc38ebbee6682e5b777dd158fee2a025_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4144 wrote to memory of 2952	4144	2024-11-18_cc38ebbee6682e5b777dd158fee2a025_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4144 wrote to memory of 2952	4144	2024-11-18_cc38ebbee6682e5b777dd158fee2a025_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4144 wrote to memory of 4988	4144	2024-11-18_cc38ebbee6682e5b777dd158fee2a025_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4144 wrote to memory of 4988	4144	2024-11-18_cc38ebbee6682e5b777dd158fee2a025_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4144 wrote to memory of 3164	4144	2024-11-18_cc38ebbee6682e5b777dd158fee2a025_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4144 wrote to memory of 3164	4144	2024-11-18_cc38ebbee6682e5b777dd158fee2a025_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4144 wrote to memory of 2152	4144	2024-11-18_cc38ebbee6682e5b777dd158fee2a025_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4144 wrote to memory of 2152	4144	2024-11-18_cc38ebbee6682e5b777dd158fee2a025_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4144 wrote to memory of 4292	4144	2024-11-18_cc38ebbee6682e5b777dd158fee2a025_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4144 wrote to memory of 4292	4144	2024-11-18_cc38ebbee6682e5b777dd158fee2a025_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4144 wrote to memory of 4520	4144	2024-11-18_cc38ebbee6682e5b777dd158fee2a025_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4144 wrote to memory of 4520	4144	2024-11-18_cc38ebbee6682e5b777dd158fee2a025_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4144 wrote to memory of 2424	4144	2024-11-18_cc38ebbee6682e5b777dd158fee2a025_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4144 wrote to memory of 2424	4144	2024-11-18_cc38ebbee6682e5b777dd158fee2a025_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4144 wrote to memory of 2060	4144	2024-11-18_cc38ebbee6682e5b777dd158fee2a025_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4144 wrote to memory of 2060	4144	2024-11-18_cc38ebbee6682e5b777dd158fee2a025_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4144 wrote to memory of 3276	4144	2024-11-18_cc38ebbee6682e5b777dd158fee2a025_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4144 wrote to memory of 3276	4144	2024-11-18_cc38ebbee6682e5b777dd158fee2a025_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4144 wrote to memory of 1640	4144	2024-11-18_cc38ebbee6682e5b777dd158fee2a025_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4144 wrote to memory of 1640	4144	2024-11-18_cc38ebbee6682e5b777dd158fee2a025_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4144 wrote to memory of 1496	4144	2024-11-18_cc38ebbee6682e5b777dd158fee2a025_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4144 wrote to memory of 1496	4144	2024-11-18_cc38ebbee6682e5b777dd158fee2a025_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4144 wrote to memory of 4568	4144	2024-11-18_cc38ebbee6682e5b777dd158fee2a025_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4144 wrote to memory of 4568	4144	2024-11-18_cc38ebbee6682e5b777dd158fee2a025_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4144 wrote to memory of 3616	4144	2024-11-18_cc38ebbee6682e5b777dd158fee2a025_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4144 wrote to memory of 3616	4144	2024-11-18_cc38ebbee6682e5b777dd158fee2a025_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4144 wrote to memory of 2692	4144	2024-11-18_cc38ebbee6682e5b777dd158fee2a025_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4144 wrote to memory of 2692	4144	2024-11-18_cc38ebbee6682e5b777dd158fee2a025_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4144 wrote to memory of 4552	4144	2024-11-18_cc38ebbee6682e5b777dd158fee2a025_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4144 wrote to memory of 4552	4144	2024-11-18_cc38ebbee6682e5b777dd158fee2a025_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4144 wrote to memory of 4284	4144	2024-11-18_cc38ebbee6682e5b777dd158fee2a025_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4144 wrote to memory of 4284	4144	2024-11-18_cc38ebbee6682e5b777dd158fee2a025_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-11-18_cc38ebbee6682e5b777dd158fee2a025_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-18_cc38ebbee6682e5b777dd158fee2a025_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4144
- C:\Windows\System\zesTbBQ.exe
  C:\Windows\System\zesTbBQ.exe
  2⤵
  - Executes dropped EXE
  PID:860
- C:\Windows\System\EgMtRlD.exe
  C:\Windows\System\EgMtRlD.exe
  2⤵
  - Executes dropped EXE
  PID:3556
- C:\Windows\System\VzMoyxn.exe
  C:\Windows\System\VzMoyxn.exe
  2⤵
  - Executes dropped EXE
  PID:4696
- C:\Windows\System\KwyoUWv.exe
  C:\Windows\System\KwyoUWv.exe
  2⤵
  - Executes dropped EXE
  PID:552
- C:\Windows\System\QNdAaIW.exe
  C:\Windows\System\QNdAaIW.exe
  2⤵
  - Executes dropped EXE
  PID:3772
- C:\Windows\System\nrOeLQH.exe
  C:\Windows\System\nrOeLQH.exe
  2⤵
  - Executes dropped EXE
  PID:2952
- C:\Windows\System\TkpsPzU.exe
  C:\Windows\System\TkpsPzU.exe
  2⤵
  - Executes dropped EXE
  PID:4988
- C:\Windows\System\uYqGQGu.exe
  C:\Windows\System\uYqGQGu.exe
  2⤵
  - Executes dropped EXE
  PID:3164
- C:\Windows\System\VCyvygP.exe
  C:\Windows\System\VCyvygP.exe
  2⤵
  - Executes dropped EXE
  PID:2152
- C:\Windows\System\velqVeZ.exe
  C:\Windows\System\velqVeZ.exe
  2⤵
  - Executes dropped EXE
  PID:4292
- C:\Windows\System\TmnzrNA.exe
  C:\Windows\System\TmnzrNA.exe
  2⤵
  - Executes dropped EXE
  PID:4520
- C:\Windows\System\XLHVmdQ.exe
  C:\Windows\System\XLHVmdQ.exe
  2⤵
  - Executes dropped EXE
  PID:2424
- C:\Windows\System\LjIIiBk.exe
  C:\Windows\System\LjIIiBk.exe
  2⤵
  - Executes dropped EXE
  PID:2060
- C:\Windows\System\wXKiAqw.exe
  C:\Windows\System\wXKiAqw.exe
  2⤵
  - Executes dropped EXE
  PID:3276
- C:\Windows\System\JVMLXwf.exe
  C:\Windows\System\JVMLXwf.exe
  2⤵
  - Executes dropped EXE
  PID:1640
- C:\Windows\System\eZDrJSI.exe
  C:\Windows\System\eZDrJSI.exe
  2⤵
  - Executes dropped EXE
  PID:1496
- C:\Windows\System\fFvaMlX.exe
  C:\Windows\System\fFvaMlX.exe
  2⤵
  - Executes dropped EXE
  PID:4568
- C:\Windows\System\dnTcakK.exe
  C:\Windows\System\dnTcakK.exe
  2⤵
  - Executes dropped EXE
  PID:3616
- C:\Windows\System\BRNVllL.exe
  C:\Windows\System\BRNVllL.exe
  2⤵
  - Executes dropped EXE
  PID:2692
- C:\Windows\System\MzCnJOk.exe
  C:\Windows\System\MzCnJOk.exe
  2⤵
  - Executes dropped EXE
  PID:4552
- C:\Windows\System\DTebQqL.exe
  C:\Windows\System\DTebQqL.exe
  2⤵
  - Executes dropped EXE
  PID:4284

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BRNVllL.exe

Filesize
5.2MB

MD5
9d200453c089b04a9fdf47d65c423322

SHA1
f52155c6bc43048871260948acd3671f228d36ed

SHA256
02aac8fc0d6e69ef729b549cc19289089ea781be3dd15e580c437e76189aec8c

SHA512
15ae937e119596a24e85dac9b542c260d04fbca8e7c57463d3e131d7fd413b6c71f35b63e0e538859ed40cc364ccee3ad1f13e48462404da93b381adc75275c5

Download Submit
C:\Windows\System\DTebQqL.exe

Filesize
5.2MB

MD5
305d373154feaa0fb85ef94acd3a3139

SHA1
36d339161cdf9ff76b0e228dcc7635360680e561

SHA256
bc137a80b75b6d2836c5d759d2cadf9c7cb391a21163a07a34356fca7e3816ab

SHA512
ba8cb087946b4ed975208a2ae7970d9e1c51392b22ff1a21a9b9a73bcc6a1af7ef5f5141f5aed64b4d4f84b740ad054d9837029c39f01528978defc057f61a1d

Download Submit
C:\Windows\System\EgMtRlD.exe

Filesize
5.2MB

MD5
76fe91c71fbbcfe65b102aacebe81e2a

SHA1
60bffd1a1d38dac50e1aa35f0d8e6b9951deb699

SHA256
53a6530f0648291843aa85f4a0262cab2c4db90970c13da0073def96a5cd87b8

SHA512
663e255515e022157ba2f6acebf6405be88d8db0c1873e1fc9b570fecdedab480202dd0d517fe4bc571d2d38d17043c8d29f64f2cb347f663652d97fd4cbd08a

Download Submit
C:\Windows\System\JVMLXwf.exe

Filesize
5.2MB

MD5
59faf94c3cf7ff044d5b17c542fdf32b

SHA1
c3d49b8821c88c254b90a269779e13aae3a4ade6

SHA256
650ceb50ad4ee1a85111e219b6d5c1d682200671fa583da572def021801f0aa8

SHA512
2e040c6875335fd4191d6bf54383c58ef04541e5a563b1b5f2b359fbfde0bf9c133db593d2eebb5e2bc3d98c0fd7726b0a2a0936a85ccdec157d8b2936a016fa

Download Submit
C:\Windows\System\KwyoUWv.exe

Filesize
5.2MB

MD5
b50743fd53e19df109cee13605f87702

SHA1
b519b2fe727a05ef739910958b6a5fff1c4ba4ae

SHA256
cce9c59d7c27f9b55b5cc497560552a7ac8f10551386eff6c1e0e09465da3eb3

SHA512
4cf31f8e24a0082c63e1abf7383e383862f381565143f19bcd50e5817b84ac36d367ab1b0a00fae07e7b1849080f8da15a30fd50b034ac678d1e21e7197fa034

Download Submit
C:\Windows\System\LjIIiBk.exe

Filesize
5.2MB

MD5
f1f9d0745aa5b70c651a138f30749c68

SHA1
073f6f60ff8b6d9560d7993ecf3fc3a502013e4c

SHA256
92e90ba8e8ea07073879b7c739f16b05e61d586885a8406c70a02a36c07acb9e

SHA512
3059dbc92ed27dd1fc36b37e9977327b113632440cf5d4da0df41fb98ec7f2757c865390171ca56b366db13d51b9af8f5733f49be784f0071d469ea3535662c8

Download Submit
C:\Windows\System\MzCnJOk.exe

Filesize
5.2MB

MD5
4b1aa12d8d84cb53ed23231a0d3d35ee

SHA1
bd49530d062eb35486e95f1df19cc8fd821f2fe1

SHA256
430323c8ded0a9716fbc744257b0fd203eb3d84bc04660b5a10ec76322f9b1aa

SHA512
7deb6763c0bff7d51f5ea53ad728e1f7b4d67964b9bf7610cda071c261c6b911150a2638f572266050f1b9313e875aaebbeb5ce8610ae4e5d18344856b0307d8

Download Submit
C:\Windows\System\QNdAaIW.exe

Filesize
5.2MB

MD5
52c55a64e8da20b66bac423fcf67de9b

SHA1
b1e31bb38394206a5f9e138f8a48bf1a018dffd3

SHA256
4141cb61e0ee58fd097af3c3220f1108e5497b19ae34891904da6999844aea51

SHA512
e7b50199da50820515b85cb41ec0bca072f7355e50e0ecc835f110395f92f06783fa92ccffd39cc9ab47a0ef37dd4f7def41c55323fe705243610be72d3aed28

Download Submit
C:\Windows\System\TkpsPzU.exe

Filesize
5.2MB

MD5
f246a173a35e3a526b42421de1a532a2

SHA1
c50c58428cdc1d8990db03f345d80ae1ba74ebf4

SHA256
086aeee71d0462e5012fe1e08ea63033643d1e310b2d8dfdb2f69174637bf858

SHA512
a0cf6973fec512c4d849643b78366e720360c8fdbea76bf74cc9d99ab988d1bde05f4548162ec02d2a4eae31363613b41d18dc69d40447fa35ac939368c8cacd

Download Submit
C:\Windows\System\TmnzrNA.exe

Filesize
5.2MB

MD5
917bcc5a14f081e97322216f74d9bc1a

SHA1
2e7091037814bec64f60658f68a45f4ba5c9f55a

SHA256
cade9126b9f9ddb0235709217e3277df9f33c492e9bf0738174426577d376410

SHA512
c88301a173d258cd452bac3e36db28ca15bb7092ad6553c2a737c7c97242db2a25bda984c9941d6753ce1bd3dd03bdd8ee08abce15328f542dbe74a45695ed81

Download Submit
C:\Windows\System\VCyvygP.exe

Filesize
5.2MB

MD5
3790adbb620f177e4dafbafdcc7ed107

SHA1
4ac6144b1f1f7ebfa2f89877853d57be172a58c0

SHA256
56cc28ef2ee71dbc24e78bb068bba4c0ffcf3834555cff18289c7733c0ac0f66

SHA512
a7f0cfc3d58c8729c5a94d3ad301640eff506a27ee334c00661cef3d6b0f15e0f8812b70f8ba7dc40b7396d558c981b0f99c1738b5547a3c971df62113bd77a6

Download Submit
C:\Windows\System\VzMoyxn.exe

Filesize
5.2MB

MD5
31285dc5802b9cba949a0f7a5c85a405

SHA1
5d58b86945d079c29303e6e8b6bd9c16ca772857

SHA256
62e86e241e0b69e6b524fab8bdc893719ea5efcfb15400d3c9e514fda2a573db

SHA512
2282707db7a78222824b214fc7b2d6f229f4cb1b31a180e1037160b7b18c4ad434b29fa69b9547ba3260564f1ccbb39a534b274205c9ccc17ff98bae3fb32c05

Download Submit
C:\Windows\System\XLHVmdQ.exe

Filesize
5.2MB

MD5
fd1a54b2ebfe8b6cb63e1e985376764b

SHA1
9b2eaa269662bc4e389c6ba00b250a18620df199

SHA256
b53f7804cbd1feabb5eaf5804d3b2b781271ca696da6d19c3d96314ba2ad071a

SHA512
413bb3a1a0609eb88368752574f4400ef90c374296e0f32b56334b514b2015ab99fea5a6cfaf554b8b9db6c566c1ed1103f122774c7494ea207a6dd2b34e73e7

Download Submit
C:\Windows\System\dnTcakK.exe

Filesize
5.2MB

MD5
9a187a7b68a7a64f430b170e9a8cc89f

SHA1
3ecc9d5045bfcc11923e8600747dc2db83da9823

SHA256
98b263648b87e2280f2ec13ad55efbecc33217913119b1248ee37e79435c0d58

SHA512
ce6389009ba444497d78c27c3aa3b46b6e90c45a9054fbdcdc5c1a6a0cac3528e954837d4cc725de5bb21cf93e09dcbae644701bb0007215655a209cf493535f

Download Submit
C:\Windows\System\eZDrJSI.exe

Filesize
5.2MB

MD5
85753e403b5971b673eddb968ede6150

SHA1
014ca034d52e827c818042240d72b1625ead72f3

SHA256
db54c481d0671f88f1e86579c0eee1d6ec18c00968811613a92363b119b7b5a5

SHA512
51ec06e1408ab95c6984775dabea9b4781a363ad92b394c63153598674180fa3140e826dcffa0041e6eacf70e3caf89d463e768e4825b919534ef63a9c5a07fb

Download Submit
C:\Windows\System\fFvaMlX.exe

Filesize
5.2MB

MD5
d192e541146943a75bcb4418cfd284da

SHA1
1a4a65a52bc7318406975c7b578c6a1044ad29e4

SHA256
3ab5cc1a111a0fde96c2f96ab084937e2c35174e21bb442482c8a47b05ac3148

SHA512
a2a1832159a4ccda0b82df588f1dcee35a9fc72539674dbae120e48e4c5d06c421cee8de33cad01547e60dbd090c6bb6077a3d4a48db87a97ee04fab21937669

Download Submit
C:\Windows\System\nrOeLQH.exe

Filesize
5.2MB

MD5
5406a8cae912a841438f1e9d033b0220

SHA1
43b1e49e751c793ae8a217f62033c34883ba7d78

SHA256
e408f326c9b885b49592322292689f9043eea64c45591df47cefc8d5bd0f2bed

SHA512
5621f265d1d449d50b8f043e80ef67a057866fbacf061f6a4e881c992e03d1346bb90b34f794f9346d89cff567d1526e41aead44e13f58271c8e32c6acbce937

Download Submit
C:\Windows\System\uYqGQGu.exe

Filesize
5.2MB

MD5
e8919670522029d70604e29370f2de06

SHA1
9665ca892a3a200d46c003a49e02a47d5d6daa22

SHA256
c910a3e9294457c4bb10ad36c0b1227a3527dfb7b90e69567f0da122161a1f76

SHA512
891824654b61d258b275c1e0977f129ead6ff33550797fc22c99ed99c65bf0e0cac311495aa7ee563bd6fce18a593e3222322872393c29fbf07ddf0bb61a567c

Download Submit
C:\Windows\System\velqVeZ.exe

Filesize
5.2MB

MD5
15d9baac6dd3a265c34837c283746516

SHA1
b3ad539c28942d77bc29f1b6cb233d307db7bd9b

SHA256
c8d68bf1b6e4eb44b53eb7652795f19d04a44cafd859442c036d139074064707

SHA512
814777985aba4eb7d5fd6fc7052840e06d7f75c5a1f8ac69b9e6d8df81de8ce8bcc7c147b4d3df359a44a6b0545452944c335403a29ccc6061f3cd46964cde9a

Download Submit
C:\Windows\System\wXKiAqw.exe

Filesize
5.2MB

MD5
9cfa601a1a459313ad1b8d8c65c2218b

SHA1
a7781ac91ae7dcaf3b815507a36884ba94027ac1

SHA256
55372a8bd774009dd383bc790cf0b9b3d8d8313ef3976abb9a975eb3cc1caace

SHA512
43c2f3d6b504f52bab42a99bb119f9c5e88627f55d67c5c670fd8906062fd67679997e2f8fdf44a198a64adcd86dfa8e78367f517fcc5113a54f55359156a182

Download Submit
C:\Windows\System\zesTbBQ.exe

Filesize
5.2MB

MD5
163fea4125ba6b6a3e77e9f742b1d1ae

SHA1
c08e859f481149e3679a9a22f8b4f33ddcc97893

SHA256
37db4134c91daddfa99df8cf25f218587c5120f53b1a56fcef8f9fcb16d55d90

SHA512
03116fcc9c84c20badf868588d6f1ace63c5edfa999f586a25a56302cc6364fff4d3b549752b13a085384982cbf7cd19595182d7daa57fe7a1644c8f85b0e47f

Download Submit
memory/552-116-0x00007FF64E120000-0x00007FF64E471000-memory.dmp

Filesize
3.3MB

Download
memory/552-200-0x00007FF64E120000-0x00007FF64E471000-memory.dmp

Filesize
3.3MB

Download
memory/552-27-0x00007FF64E120000-0x00007FF64E471000-memory.dmp

Filesize
3.3MB

Download
memory/860-185-0x00007FF635380000-0x00007FF6356D1000-memory.dmp

Filesize
3.3MB

Download
memory/860-13-0x00007FF635380000-0x00007FF6356D1000-memory.dmp

Filesize
3.3MB

Download
memory/860-113-0x00007FF635380000-0x00007FF6356D1000-memory.dmp

Filesize
3.3MB

Download
memory/1496-236-0x00007FF6601C0000-0x00007FF660511000-memory.dmp

Filesize
3.3MB

Download
memory/1496-128-0x00007FF6601C0000-0x00007FF660511000-memory.dmp

Filesize
3.3MB

Download
memory/1640-127-0x00007FF644270000-0x00007FF6445C1000-memory.dmp

Filesize
3.3MB

Download
memory/1640-242-0x00007FF644270000-0x00007FF6445C1000-memory.dmp

Filesize
3.3MB

Download
memory/2060-226-0x00007FF7D2E10000-0x00007FF7D3161000-memory.dmp

Filesize
3.3MB

Download
memory/2060-125-0x00007FF7D2E10000-0x00007FF7D3161000-memory.dmp

Filesize
3.3MB

Download
memory/2152-209-0x00007FF71CEB0000-0x00007FF71D201000-memory.dmp

Filesize
3.3MB

Download
memory/2152-121-0x00007FF71CEB0000-0x00007FF71D201000-memory.dmp

Filesize
3.3MB

Download
memory/2424-224-0x00007FF6AD7E0000-0x00007FF6ADB31000-memory.dmp

Filesize
3.3MB

Download
memory/2424-124-0x00007FF6AD7E0000-0x00007FF6ADB31000-memory.dmp

Filesize
3.3MB

Download
memory/2692-232-0x00007FF69AA30000-0x00007FF69AD81000-memory.dmp

Filesize
3.3MB

Download
memory/2692-131-0x00007FF69AA30000-0x00007FF69AD81000-memory.dmp

Filesize
3.3MB

Download
memory/2952-203-0x00007FF7670B0000-0x00007FF767401000-memory.dmp

Filesize
3.3MB

Download
memory/2952-118-0x00007FF7670B0000-0x00007FF767401000-memory.dmp

Filesize
3.3MB

Download
memory/3164-206-0x00007FF710CB0000-0x00007FF711001000-memory.dmp

Filesize
3.3MB

Download
memory/3164-120-0x00007FF710CB0000-0x00007FF711001000-memory.dmp

Filesize
3.3MB

Download
memory/3276-228-0x00007FF6E4AC0000-0x00007FF6E4E11000-memory.dmp

Filesize
3.3MB

Download
memory/3276-126-0x00007FF6E4AC0000-0x00007FF6E4E11000-memory.dmp

Filesize
3.3MB

Download
memory/3556-114-0x00007FF6DD720000-0x00007FF6DDA71000-memory.dmp

Filesize
3.3MB

Download
memory/3556-187-0x00007FF6DD720000-0x00007FF6DDA71000-memory.dmp

Filesize
3.3MB

Download
memory/3556-17-0x00007FF6DD720000-0x00007FF6DDA71000-memory.dmp

Filesize
3.3MB

Download
memory/3616-130-0x00007FF62E7D0000-0x00007FF62EB21000-memory.dmp

Filesize
3.3MB

Download
memory/3616-233-0x00007FF62E7D0000-0x00007FF62EB21000-memory.dmp

Filesize
3.3MB

Download
memory/3772-111-0x00007FF7FBD50000-0x00007FF7FC0A1000-memory.dmp

Filesize
3.3MB

Download
memory/3772-201-0x00007FF7FBD50000-0x00007FF7FC0A1000-memory.dmp

Filesize
3.3MB

Download
memory/4144-134-0x00007FF64D690000-0x00007FF64D9E1000-memory.dmp

Filesize
3.3MB

Download
memory/4144-156-0x00007FF64D690000-0x00007FF64D9E1000-memory.dmp

Filesize
3.3MB

Download
memory/4144-112-0x00007FF64D690000-0x00007FF64D9E1000-memory.dmp

Filesize
3.3MB

Download
memory/4144-0-0x00007FF64D690000-0x00007FF64D9E1000-memory.dmp

Filesize
3.3MB

Download
memory/4144-1-0x0000014856450000-0x0000014856460000-memory.dmp

Filesize
64KB

Download
memory/4284-133-0x00007FF6BA270000-0x00007FF6BA5C1000-memory.dmp

Filesize
3.3MB

Download
memory/4284-238-0x00007FF6BA270000-0x00007FF6BA5C1000-memory.dmp

Filesize
3.3MB

Download
memory/4292-222-0x00007FF76B830000-0x00007FF76BB81000-memory.dmp

Filesize
3.3MB

Download
memory/4292-122-0x00007FF76B830000-0x00007FF76BB81000-memory.dmp

Filesize
3.3MB

Download
memory/4520-221-0x00007FF766080000-0x00007FF7663D1000-memory.dmp

Filesize
3.3MB

Download
memory/4520-123-0x00007FF766080000-0x00007FF7663D1000-memory.dmp

Filesize
3.3MB

Download
memory/4552-240-0x00007FF62F770000-0x00007FF62FAC1000-memory.dmp

Filesize
3.3MB

Download
memory/4552-132-0x00007FF62F770000-0x00007FF62FAC1000-memory.dmp

Filesize
3.3MB

Download
memory/4568-129-0x00007FF6D5D90000-0x00007FF6D60E1000-memory.dmp

Filesize
3.3MB

Download
memory/4568-237-0x00007FF6D5D90000-0x00007FF6D60E1000-memory.dmp

Filesize
3.3MB

Download
memory/4696-115-0x00007FF7458F0000-0x00007FF745C41000-memory.dmp

Filesize
3.3MB

Download
memory/4696-22-0x00007FF7458F0000-0x00007FF745C41000-memory.dmp

Filesize
3.3MB

Download
memory/4696-197-0x00007FF7458F0000-0x00007FF745C41000-memory.dmp

Filesize
3.3MB

Download
memory/4988-119-0x00007FF6D7D40000-0x00007FF6D8091000-memory.dmp

Filesize
3.3MB

Download
memory/4988-207-0x00007FF6D7D40000-0x00007FF6D8091000-memory.dmp

Filesize
3.3MB

Download