cobaltstrike | 4fbdd2106b6317636925bdec856b34fd9b6b458b9618b1b6ec04081a67c81e7f

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-11-2024 14:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-20_8160a41b45de5d5d2466d68bdf8fb840_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

8160a41b45de5d5d2466d68bdf8fb840
SHA1

f8836e64c2ded0f767a69124a571fdf3714a41c7
SHA256

4fbdd2106b6317636925bdec856b34fd9b6b458b9618b1b6ec04081a67c81e7f
SHA512

a442574f89c595fe7cd03e751a4bd76d35f833d8ed9cb916fad3532610997db6d0fd791b9c0c8f8e2d0d31555ff22132508afe2307d5932a999772518a53c8a9
SSDEEP

49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lD:RWWBibd56utgpPFotBER/mQ32lUf

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0007000000023ca3-8.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023c09-5.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca2-9.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca4-19.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca7-33.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca8-43.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c9f-77.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023caf-91.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cae-89.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cad-82.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cac-80.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cab-76.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023caa-71.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca9-64.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca6-52.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca5-42.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb0-115.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb3-128.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb2-135.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb1-132.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb4-129.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 46 IoCs

miner

resource	yara_rule
behavioral2/memory/1456-86-0x00007FF707B80000-0x00007FF707ED1000-memory.dmp	xmrig
behavioral2/memory/3892-93-0x00007FF717610000-0x00007FF717961000-memory.dmp	xmrig
behavioral2/memory/4772-98-0x00007FF73A5E0000-0x00007FF73A931000-memory.dmp	xmrig
behavioral2/memory/3640-97-0x00007FF61A340000-0x00007FF61A691000-memory.dmp	xmrig
behavioral2/memory/4836-96-0x00007FF780940000-0x00007FF780C91000-memory.dmp	xmrig
behavioral2/memory/3996-95-0x00007FF7F55A0000-0x00007FF7F58F1000-memory.dmp	xmrig
behavioral2/memory/2988-94-0x00007FF765440000-0x00007FF765791000-memory.dmp	xmrig
behavioral2/memory/4512-85-0x00007FF66DA40000-0x00007FF66DD91000-memory.dmp	xmrig
behavioral2/memory/2728-99-0x00007FF605190000-0x00007FF6054E1000-memory.dmp	xmrig
behavioral2/memory/2020-110-0x00007FF62CF90000-0x00007FF62D2E1000-memory.dmp	xmrig
behavioral2/memory/3988-143-0x00007FF623FE0000-0x00007FF624331000-memory.dmp	xmrig
behavioral2/memory/740-141-0x00007FF747130000-0x00007FF747481000-memory.dmp	xmrig
behavioral2/memory/1256-113-0x00007FF6E56C0000-0x00007FF6E5A11000-memory.dmp	xmrig
behavioral2/memory/1140-112-0x00007FF69A760000-0x00007FF69AAB1000-memory.dmp	xmrig
behavioral2/memory/4196-108-0x00007FF689310000-0x00007FF689661000-memory.dmp	xmrig
behavioral2/memory/3032-101-0x00007FF701A40000-0x00007FF701D91000-memory.dmp	xmrig
behavioral2/memory/4556-100-0x00007FF6D5950000-0x00007FF6D5CA1000-memory.dmp	xmrig
behavioral2/memory/3992-104-0x00007FF602120000-0x00007FF602471000-memory.dmp	xmrig
behavioral2/memory/4764-103-0x00007FF6C8B80000-0x00007FF6C8ED1000-memory.dmp	xmrig
behavioral2/memory/2728-145-0x00007FF605190000-0x00007FF6054E1000-memory.dmp	xmrig
behavioral2/memory/2272-162-0x00007FF7A7560000-0x00007FF7A78B1000-memory.dmp	xmrig
behavioral2/memory/2728-163-0x00007FF605190000-0x00007FF6054E1000-memory.dmp	xmrig
behavioral2/memory/4280-165-0x00007FF7926A0000-0x00007FF7929F1000-memory.dmp	xmrig
behavioral2/memory/1724-167-0x00007FF641BD0000-0x00007FF641F21000-memory.dmp	xmrig
behavioral2/memory/2728-168-0x00007FF605190000-0x00007FF6054E1000-memory.dmp	xmrig
behavioral2/memory/4556-210-0x00007FF6D5950000-0x00007FF6D5CA1000-memory.dmp	xmrig
behavioral2/memory/3032-211-0x00007FF701A40000-0x00007FF701D91000-memory.dmp	xmrig
behavioral2/memory/3992-215-0x00007FF602120000-0x00007FF602471000-memory.dmp	xmrig
behavioral2/memory/4764-214-0x00007FF6C8B80000-0x00007FF6C8ED1000-memory.dmp	xmrig
behavioral2/memory/2020-222-0x00007FF62CF90000-0x00007FF62D2E1000-memory.dmp	xmrig
behavioral2/memory/1140-220-0x00007FF69A760000-0x00007FF69AAB1000-memory.dmp	xmrig
behavioral2/memory/3996-233-0x00007FF7F55A0000-0x00007FF7F58F1000-memory.dmp	xmrig
behavioral2/memory/4772-239-0x00007FF73A5E0000-0x00007FF73A931000-memory.dmp	xmrig
behavioral2/memory/3640-237-0x00007FF61A340000-0x00007FF61A691000-memory.dmp	xmrig
behavioral2/memory/4836-235-0x00007FF780940000-0x00007FF780C91000-memory.dmp	xmrig
behavioral2/memory/1456-230-0x00007FF707B80000-0x00007FF707ED1000-memory.dmp	xmrig
behavioral2/memory/4512-228-0x00007FF66DA40000-0x00007FF66DD91000-memory.dmp	xmrig
behavioral2/memory/4196-226-0x00007FF689310000-0x00007FF689661000-memory.dmp	xmrig
behavioral2/memory/3892-224-0x00007FF717610000-0x00007FF717961000-memory.dmp	xmrig
behavioral2/memory/2988-218-0x00007FF765440000-0x00007FF765791000-memory.dmp	xmrig
behavioral2/memory/1256-232-0x00007FF6E56C0000-0x00007FF6E5A11000-memory.dmp	xmrig
behavioral2/memory/2272-252-0x00007FF7A7560000-0x00007FF7A78B1000-memory.dmp	xmrig
behavioral2/memory/3988-254-0x00007FF623FE0000-0x00007FF624331000-memory.dmp	xmrig
behavioral2/memory/4280-257-0x00007FF7926A0000-0x00007FF7929F1000-memory.dmp	xmrig
behavioral2/memory/740-256-0x00007FF747130000-0x00007FF747481000-memory.dmp	xmrig
behavioral2/memory/1724-259-0x00007FF641BD0000-0x00007FF641F21000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4556	GvCvYeQ.exe
3032	TmvOEBK.exe
4764	AzExexm.exe
3992	lSdCeHq.exe
4512	qlkJAzJ.exe
1456	NVTVFvY.exe
4196	IvLLwvs.exe
3892	qxjyLio.exe
2020	GKmVnpW.exe
2988	sqiXKrd.exe
1140	DPqopNG.exe
1256	bJzbRVI.exe
3996	QCrTaNJ.exe
4772	lqKDnAZ.exe
4836	qMgCTfw.exe
3640	VRMsnGf.exe
2272	ediPaBw.exe
3988	DrydhXy.exe
4280	zpmxHYA.exe
740	GlqtmcW.exe
1724	neewrVC.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2728-0-0x00007FF605190000-0x00007FF6054E1000-memory.dmp	upx
behavioral2/files/0x0007000000023ca3-8.dat	upx
behavioral2/memory/4556-6-0x00007FF6D5950000-0x00007FF6D5CA1000-memory.dmp	upx
behavioral2/files/0x000a000000023c09-5.dat	upx
behavioral2/files/0x0007000000023ca2-9.dat	upx
behavioral2/memory/3032-13-0x00007FF701A40000-0x00007FF701D91000-memory.dmp	upx
behavioral2/files/0x0007000000023ca4-19.dat	upx
behavioral2/files/0x0007000000023ca7-33.dat	upx
behavioral2/files/0x0007000000023ca8-43.dat	upx
behavioral2/files/0x0008000000023c9f-77.dat	upx
behavioral2/memory/1456-86-0x00007FF707B80000-0x00007FF707ED1000-memory.dmp	upx
behavioral2/memory/3892-93-0x00007FF717610000-0x00007FF717961000-memory.dmp	upx
behavioral2/memory/4772-98-0x00007FF73A5E0000-0x00007FF73A931000-memory.dmp	upx
behavioral2/memory/3640-97-0x00007FF61A340000-0x00007FF61A691000-memory.dmp	upx
behavioral2/memory/4836-96-0x00007FF780940000-0x00007FF780C91000-memory.dmp	upx
behavioral2/memory/3996-95-0x00007FF7F55A0000-0x00007FF7F58F1000-memory.dmp	upx
behavioral2/memory/2988-94-0x00007FF765440000-0x00007FF765791000-memory.dmp	upx
behavioral2/files/0x0007000000023caf-91.dat	upx
behavioral2/files/0x0007000000023cae-89.dat	upx
behavioral2/memory/4512-85-0x00007FF66DA40000-0x00007FF66DD91000-memory.dmp	upx
behavioral2/files/0x0007000000023cad-82.dat	upx
behavioral2/files/0x0007000000023cac-80.dat	upx
behavioral2/files/0x0007000000023cab-76.dat	upx
behavioral2/memory/1256-75-0x00007FF6E56C0000-0x00007FF6E5A11000-memory.dmp	upx
behavioral2/files/0x0007000000023caa-71.dat	upx
behavioral2/files/0x0007000000023ca9-64.dat	upx
behavioral2/memory/1140-61-0x00007FF69A760000-0x00007FF69AAB1000-memory.dmp	upx
behavioral2/files/0x0007000000023ca6-52.dat	upx
behavioral2/memory/2020-50-0x00007FF62CF90000-0x00007FF62D2E1000-memory.dmp	upx
behavioral2/memory/4196-49-0x00007FF689310000-0x00007FF689661000-memory.dmp	upx
behavioral2/files/0x0007000000023ca5-42.dat	upx
behavioral2/memory/3992-36-0x00007FF602120000-0x00007FF602471000-memory.dmp	upx
behavioral2/memory/4764-27-0x00007FF6C8B80000-0x00007FF6C8ED1000-memory.dmp	upx
behavioral2/memory/2728-99-0x00007FF605190000-0x00007FF6054E1000-memory.dmp	upx
behavioral2/memory/2020-110-0x00007FF62CF90000-0x00007FF62D2E1000-memory.dmp	upx
behavioral2/files/0x0007000000023cb0-115.dat	upx
behavioral2/files/0x0007000000023cb3-128.dat	upx
behavioral2/memory/4280-140-0x00007FF7926A0000-0x00007FF7929F1000-memory.dmp	upx
behavioral2/memory/1724-142-0x00007FF641BD0000-0x00007FF641F21000-memory.dmp	upx
behavioral2/memory/3988-143-0x00007FF623FE0000-0x00007FF624331000-memory.dmp	upx
behavioral2/memory/740-141-0x00007FF747130000-0x00007FF747481000-memory.dmp	upx
behavioral2/files/0x0007000000023cb2-135.dat	upx
behavioral2/memory/2272-133-0x00007FF7A7560000-0x00007FF7A78B1000-memory.dmp	upx
behavioral2/files/0x0007000000023cb1-132.dat	upx
behavioral2/files/0x0007000000023cb4-129.dat	upx
behavioral2/memory/1256-113-0x00007FF6E56C0000-0x00007FF6E5A11000-memory.dmp	upx
behavioral2/memory/1140-112-0x00007FF69A760000-0x00007FF69AAB1000-memory.dmp	upx
behavioral2/memory/4196-108-0x00007FF689310000-0x00007FF689661000-memory.dmp	upx
behavioral2/memory/3032-101-0x00007FF701A40000-0x00007FF701D91000-memory.dmp	upx
behavioral2/memory/4556-100-0x00007FF6D5950000-0x00007FF6D5CA1000-memory.dmp	upx
behavioral2/memory/3992-104-0x00007FF602120000-0x00007FF602471000-memory.dmp	upx
behavioral2/memory/4764-103-0x00007FF6C8B80000-0x00007FF6C8ED1000-memory.dmp	upx
behavioral2/memory/2728-145-0x00007FF605190000-0x00007FF6054E1000-memory.dmp	upx
behavioral2/memory/2272-162-0x00007FF7A7560000-0x00007FF7A78B1000-memory.dmp	upx
behavioral2/memory/2728-163-0x00007FF605190000-0x00007FF6054E1000-memory.dmp	upx
behavioral2/memory/4280-165-0x00007FF7926A0000-0x00007FF7929F1000-memory.dmp	upx
behavioral2/memory/1724-167-0x00007FF641BD0000-0x00007FF641F21000-memory.dmp	upx
behavioral2/memory/2728-168-0x00007FF605190000-0x00007FF6054E1000-memory.dmp	upx
behavioral2/memory/4556-210-0x00007FF6D5950000-0x00007FF6D5CA1000-memory.dmp	upx
behavioral2/memory/3032-211-0x00007FF701A40000-0x00007FF701D91000-memory.dmp	upx
behavioral2/memory/3992-215-0x00007FF602120000-0x00007FF602471000-memory.dmp	upx
behavioral2/memory/4764-214-0x00007FF6C8B80000-0x00007FF6C8ED1000-memory.dmp	upx
behavioral2/memory/2020-222-0x00007FF62CF90000-0x00007FF62D2E1000-memory.dmp	upx
behavioral2/memory/1140-220-0x00007FF69A760000-0x00007FF69AAB1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\TmvOEBK.exe	2024-11-20_8160a41b45de5d5d2466d68bdf8fb840_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qxjyLio.exe	2024-11-20_8160a41b45de5d5d2466d68bdf8fb840_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bJzbRVI.exe	2024-11-20_8160a41b45de5d5d2466d68bdf8fb840_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GvCvYeQ.exe	2024-11-20_8160a41b45de5d5d2466d68bdf8fb840_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lSdCeHq.exe	2024-11-20_8160a41b45de5d5d2466d68bdf8fb840_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lqKDnAZ.exe	2024-11-20_8160a41b45de5d5d2466d68bdf8fb840_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\neewrVC.exe	2024-11-20_8160a41b45de5d5d2466d68bdf8fb840_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GKmVnpW.exe	2024-11-20_8160a41b45de5d5d2466d68bdf8fb840_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DPqopNG.exe	2024-11-20_8160a41b45de5d5d2466d68bdf8fb840_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DrydhXy.exe	2024-11-20_8160a41b45de5d5d2466d68bdf8fb840_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zpmxHYA.exe	2024-11-20_8160a41b45de5d5d2466d68bdf8fb840_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GlqtmcW.exe	2024-11-20_8160a41b45de5d5d2466d68bdf8fb840_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VRMsnGf.exe	2024-11-20_8160a41b45de5d5d2466d68bdf8fb840_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AzExexm.exe	2024-11-20_8160a41b45de5d5d2466d68bdf8fb840_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qlkJAzJ.exe	2024-11-20_8160a41b45de5d5d2466d68bdf8fb840_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NVTVFvY.exe	2024-11-20_8160a41b45de5d5d2466d68bdf8fb840_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IvLLwvs.exe	2024-11-20_8160a41b45de5d5d2466d68bdf8fb840_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sqiXKrd.exe	2024-11-20_8160a41b45de5d5d2466d68bdf8fb840_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QCrTaNJ.exe	2024-11-20_8160a41b45de5d5d2466d68bdf8fb840_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qMgCTfw.exe	2024-11-20_8160a41b45de5d5d2466d68bdf8fb840_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ediPaBw.exe	2024-11-20_8160a41b45de5d5d2466d68bdf8fb840_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2728	2024-11-20_8160a41b45de5d5d2466d68bdf8fb840_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2728	2024-11-20_8160a41b45de5d5d2466d68bdf8fb840_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2728 wrote to memory of 4556	2728	2024-11-20_8160a41b45de5d5d2466d68bdf8fb840_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2728 wrote to memory of 4556	2728	2024-11-20_8160a41b45de5d5d2466d68bdf8fb840_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2728 wrote to memory of 3032	2728	2024-11-20_8160a41b45de5d5d2466d68bdf8fb840_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2728 wrote to memory of 3032	2728	2024-11-20_8160a41b45de5d5d2466d68bdf8fb840_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2728 wrote to memory of 4764	2728	2024-11-20_8160a41b45de5d5d2466d68bdf8fb840_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2728 wrote to memory of 4764	2728	2024-11-20_8160a41b45de5d5d2466d68bdf8fb840_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2728 wrote to memory of 3992	2728	2024-11-20_8160a41b45de5d5d2466d68bdf8fb840_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2728 wrote to memory of 3992	2728	2024-11-20_8160a41b45de5d5d2466d68bdf8fb840_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2728 wrote to memory of 4512	2728	2024-11-20_8160a41b45de5d5d2466d68bdf8fb840_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2728 wrote to memory of 4512	2728	2024-11-20_8160a41b45de5d5d2466d68bdf8fb840_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2728 wrote to memory of 1456	2728	2024-11-20_8160a41b45de5d5d2466d68bdf8fb840_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2728 wrote to memory of 1456	2728	2024-11-20_8160a41b45de5d5d2466d68bdf8fb840_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2728 wrote to memory of 4196	2728	2024-11-20_8160a41b45de5d5d2466d68bdf8fb840_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2728 wrote to memory of 4196	2728	2024-11-20_8160a41b45de5d5d2466d68bdf8fb840_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2728 wrote to memory of 3892	2728	2024-11-20_8160a41b45de5d5d2466d68bdf8fb840_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2728 wrote to memory of 3892	2728	2024-11-20_8160a41b45de5d5d2466d68bdf8fb840_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2728 wrote to memory of 2020	2728	2024-11-20_8160a41b45de5d5d2466d68bdf8fb840_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2728 wrote to memory of 2020	2728	2024-11-20_8160a41b45de5d5d2466d68bdf8fb840_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2728 wrote to memory of 2988	2728	2024-11-20_8160a41b45de5d5d2466d68bdf8fb840_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2728 wrote to memory of 2988	2728	2024-11-20_8160a41b45de5d5d2466d68bdf8fb840_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2728 wrote to memory of 1140	2728	2024-11-20_8160a41b45de5d5d2466d68bdf8fb840_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2728 wrote to memory of 1140	2728	2024-11-20_8160a41b45de5d5d2466d68bdf8fb840_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2728 wrote to memory of 1256	2728	2024-11-20_8160a41b45de5d5d2466d68bdf8fb840_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2728 wrote to memory of 1256	2728	2024-11-20_8160a41b45de5d5d2466d68bdf8fb840_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2728 wrote to memory of 3996	2728	2024-11-20_8160a41b45de5d5d2466d68bdf8fb840_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2728 wrote to memory of 3996	2728	2024-11-20_8160a41b45de5d5d2466d68bdf8fb840_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2728 wrote to memory of 4772	2728	2024-11-20_8160a41b45de5d5d2466d68bdf8fb840_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2728 wrote to memory of 4772	2728	2024-11-20_8160a41b45de5d5d2466d68bdf8fb840_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2728 wrote to memory of 4836	2728	2024-11-20_8160a41b45de5d5d2466d68bdf8fb840_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2728 wrote to memory of 4836	2728	2024-11-20_8160a41b45de5d5d2466d68bdf8fb840_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2728 wrote to memory of 3640	2728	2024-11-20_8160a41b45de5d5d2466d68bdf8fb840_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2728 wrote to memory of 3640	2728	2024-11-20_8160a41b45de5d5d2466d68bdf8fb840_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2728 wrote to memory of 2272	2728	2024-11-20_8160a41b45de5d5d2466d68bdf8fb840_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2728 wrote to memory of 2272	2728	2024-11-20_8160a41b45de5d5d2466d68bdf8fb840_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2728 wrote to memory of 3988	2728	2024-11-20_8160a41b45de5d5d2466d68bdf8fb840_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2728 wrote to memory of 3988	2728	2024-11-20_8160a41b45de5d5d2466d68bdf8fb840_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2728 wrote to memory of 4280	2728	2024-11-20_8160a41b45de5d5d2466d68bdf8fb840_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2728 wrote to memory of 4280	2728	2024-11-20_8160a41b45de5d5d2466d68bdf8fb840_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2728 wrote to memory of 740	2728	2024-11-20_8160a41b45de5d5d2466d68bdf8fb840_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2728 wrote to memory of 740	2728	2024-11-20_8160a41b45de5d5d2466d68bdf8fb840_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2728 wrote to memory of 1724	2728	2024-11-20_8160a41b45de5d5d2466d68bdf8fb840_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 2728 wrote to memory of 1724	2728	2024-11-20_8160a41b45de5d5d2466d68bdf8fb840_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-11-20_8160a41b45de5d5d2466d68bdf8fb840_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-20_8160a41b45de5d5d2466d68bdf8fb840_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2728
- C:\Windows\System\GvCvYeQ.exe
  C:\Windows\System\GvCvYeQ.exe
  2⤵
  - Executes dropped EXE
  PID:4556
- C:\Windows\System\TmvOEBK.exe
  C:\Windows\System\TmvOEBK.exe
  2⤵
  - Executes dropped EXE
  PID:3032
- C:\Windows\System\AzExexm.exe
  C:\Windows\System\AzExexm.exe
  2⤵
  - Executes dropped EXE
  PID:4764
- C:\Windows\System\lSdCeHq.exe
  C:\Windows\System\lSdCeHq.exe
  2⤵
  - Executes dropped EXE
  PID:3992
- C:\Windows\System\qlkJAzJ.exe
  C:\Windows\System\qlkJAzJ.exe
  2⤵
  - Executes dropped EXE
  PID:4512
- C:\Windows\System\NVTVFvY.exe
  C:\Windows\System\NVTVFvY.exe
  2⤵
  - Executes dropped EXE
  PID:1456
- C:\Windows\System\IvLLwvs.exe
  C:\Windows\System\IvLLwvs.exe
  2⤵
  - Executes dropped EXE
  PID:4196
- C:\Windows\System\qxjyLio.exe
  C:\Windows\System\qxjyLio.exe
  2⤵
  - Executes dropped EXE
  PID:3892
- C:\Windows\System\GKmVnpW.exe
  C:\Windows\System\GKmVnpW.exe
  2⤵
  - Executes dropped EXE
  PID:2020
- C:\Windows\System\sqiXKrd.exe
  C:\Windows\System\sqiXKrd.exe
  2⤵
  - Executes dropped EXE
  PID:2988
- C:\Windows\System\DPqopNG.exe
  C:\Windows\System\DPqopNG.exe
  2⤵
  - Executes dropped EXE
  PID:1140
- C:\Windows\System\bJzbRVI.exe
  C:\Windows\System\bJzbRVI.exe
  2⤵
  - Executes dropped EXE
  PID:1256
- C:\Windows\System\QCrTaNJ.exe
  C:\Windows\System\QCrTaNJ.exe
  2⤵
  - Executes dropped EXE
  PID:3996
- C:\Windows\System\lqKDnAZ.exe
  C:\Windows\System\lqKDnAZ.exe
  2⤵
  - Executes dropped EXE
  PID:4772
- C:\Windows\System\qMgCTfw.exe
  C:\Windows\System\qMgCTfw.exe
  2⤵
  - Executes dropped EXE
  PID:4836
- C:\Windows\System\VRMsnGf.exe
  C:\Windows\System\VRMsnGf.exe
  2⤵
  - Executes dropped EXE
  PID:3640
- C:\Windows\System\ediPaBw.exe
  C:\Windows\System\ediPaBw.exe
  2⤵
  - Executes dropped EXE
  PID:2272
- C:\Windows\System\DrydhXy.exe
  C:\Windows\System\DrydhXy.exe
  2⤵
  - Executes dropped EXE
  PID:3988
- C:\Windows\System\zpmxHYA.exe
  C:\Windows\System\zpmxHYA.exe
  2⤵
  - Executes dropped EXE
  PID:4280
- C:\Windows\System\GlqtmcW.exe
  C:\Windows\System\GlqtmcW.exe
  2⤵
  - Executes dropped EXE
  PID:740
- C:\Windows\System\neewrVC.exe
  C:\Windows\System\neewrVC.exe
  2⤵
  - Executes dropped EXE
  PID:1724

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AzExexm.exe

Filesize
5.2MB

MD5
fa571f2c40830cbb03ee729309cd7c62

SHA1
ec367fd01b6ba5fd88c4c170ca2a668999a4ee9b

SHA256
3511f0db18b8780719029a77a40ff9331e13cf8eebbbf070fe0cee23afefd154

SHA512
2b811af438d9bb16e314ddfa24cdb7176c05cc3dadf6350eef023f330b7a414acd1ee2cb86d20eff82694e949eb1f7e80dad6818c81bd96deec209b49c69d1e2

Download Submit
C:\Windows\System\DPqopNG.exe

Filesize
5.2MB

MD5
0eb70b14f8f3c808474c1733a07c63bf

SHA1
55f6b14026e28b62c001bab1c017e71d8f0195cf

SHA256
ed64ffe65a9ebd010b6b02d2e36f43223e605aaa9f57fbaf0c7434b03c9c6dd9

SHA512
f317b5c9f1604635eada194360cbc4edfed0029e8131f43970f2fcc4ee6051ca2f0738eb46118d1d61c4e6ed4c9f6e7677910cba4f331092f0296a323c45db9f

Download Submit
C:\Windows\System\DrydhXy.exe

Filesize
5.2MB

MD5
7f2ed624550506e536d1683c97150588

SHA1
4d8d6ca3cbc1984d2920e5bcf68e384f5eaada7b

SHA256
5eff8f2fda6b51c63366c36440fba1c498894f102623172dbbe42ecf9f8e6cfa

SHA512
f89b7eca98facd42a92aade2b2bc2638b8593f7f92c9732fcaab2328358029306d3b49b2bddf8a9bb8dba59b374d95918385ebfe5e5c01ddf896c73a4a831a56

Download Submit
C:\Windows\System\GKmVnpW.exe

Filesize
5.2MB

MD5
e945a15b07b31e897b714fb7a2fa1069

SHA1
48c29a4933e3de55bcd8c6500bd2a5cc23c9e2a9

SHA256
87b549e986b845bec2849721957c9ddba40eead5168ae623dc77ec9615490b1a

SHA512
c5d9a1f72bd869072b1ca3ab59b877dcb9ddf53f207564169de1a2be2cbfebf397e21bc41dfd9d10d1cd45cd17c76c8b228c20562519008f8c0164d29f4aa407

Download Submit
C:\Windows\System\GlqtmcW.exe

Filesize
5.2MB

MD5
615d03fea9dcfd2e93b894fe701132b7

SHA1
49c82d62593d103a84e36aa07715aed353b16c24

SHA256
5ba05ee60fab52a831b7bba54a7cacf11a71babf454b4b156b7fddeb3b60bb51

SHA512
fc3afbbbd863eb4edf8c00e867d37d29f99a7f8e615b3ff97c4b365c9e10d516ab6ddd4afc97c5d7ec170fd1b55e8f041e7bbaed6f02c0dac0a9d964b084c9dc

Download Submit
C:\Windows\System\GvCvYeQ.exe

Filesize
5.2MB

MD5
f39d12a2adf05008823b0ed8d362f2d4

SHA1
5f1d14a834f94f816c6784be054b0dec843fec1d

SHA256
c6104d1b2af69cf5c5b01a722184c4087bfd0f802e7cf163131bd3275adfb2b7

SHA512
c51ac62587347a26c89bc6c527ddb9f2653faf156bb13aca5ed3d5caebdb00c87821b0cef95273278083c75347ac1a5ce08a1055fe1d365f940bc1b033c71955

Download Submit
C:\Windows\System\IvLLwvs.exe

Filesize
5.2MB

MD5
41f579bde3a3b74d2b79c542ac186004

SHA1
6ae6280c4acbe5bd093d0e1d11ef8869ff11b3c6

SHA256
1066e3c75406c1c157347878765471404e3d3c56d76b3bc1a0acb1b279c354e5

SHA512
f264ddba46e109ffc570101a22c53d30c75665a068dc2f52ee56bbea148641e29549ce2946b827f4417be3402ab6400a63c5d1d757f249bbbc20e5a284cd3328

Download Submit
C:\Windows\System\NVTVFvY.exe

Filesize
5.2MB

MD5
47a71b73a37c0231e8c9b6d8611dbc69

SHA1
055fa23c8f1bc547eb1e9bcc6672cb08eb7e6231

SHA256
90bdd42f6d03bcc4675d0c273865f116bb1b674c47085053104a1fbfd742f2a3

SHA512
3a7c47e846bdbab9198ce7bac021ebdfcf4d4719644341416bcece617d049b7625bacc06e9c3071fd0fd73d2814d382205ac097a2c026c99b79989e86e11b731

Download Submit
C:\Windows\System\QCrTaNJ.exe

Filesize
5.2MB

MD5
28d483b36bcabe59e8457871b401aa06

SHA1
0e955d236edfc210374f425ebe33cc87c48a3d00

SHA256
634a16aeeb8792c4360a19a3b384b5f09d969b3e7c07a8a40ecfba0e315f82c1

SHA512
bf5b0e5f4b18625c22b20672296b977caf24c07f8a7180118e1abe9b4b411e3cdcce74eae707e9203aec2355000f9dfdf679e2f41449d54c86b9eacc73ef9c69

Download Submit
C:\Windows\System\TmvOEBK.exe

Filesize
5.2MB

MD5
6a6adf85e6577c3699840296ac7dff4e

SHA1
ac9811cc92c740d7b28ed10df20e63cea8b10271

SHA256
318e41182f3d675ed5c8cac4d0fd3a6f552fc0872f48f39abb1b12d20bbc1e88

SHA512
94a875501056a68d989c1c1ec1e57bae1d0a4452166b23abb049a46a3abf3b162975082cff73c421fde0b3351ec487da5610f3811dee8006b1226fc46eee5dc1

Download Submit
C:\Windows\System\VRMsnGf.exe

Filesize
5.2MB

MD5
057085455df31cf2cd736876555f7c69

SHA1
759fccdf40e5f5b222b9e5c57d5ef80eed43371c

SHA256
4ee0eb649c7bd48d18fbdf54791621fdd27984d02f745fa79c3b142964dfc5f8

SHA512
9184fc26b0009fdfae2cdfa799fca379d9bfdd44c753c4f4ef203a099b8f151f157544dca5d36759459b8254d9e0175ed7e8b3338e41a71b8b8c5b391837eec1

Download Submit
C:\Windows\System\bJzbRVI.exe

Filesize
5.2MB

MD5
4688153ef8e8d3eabcd0eed1d7ab8a83

SHA1
88e9f01ee0833cc8a945b3e4ef2ffa577b18ceea

SHA256
95eb966ecccb4aab24c329829bd57e8c9600812685279b63ad8bd266c12f8db6

SHA512
9573a6ab327ad87cda5398ea16b1180dfd47722e605c0123b633384dbd80d525d039a5887db82cc50fdcb8ccc574598c2f873016ace86bad3107f86e2f30df53

Download Submit
C:\Windows\System\ediPaBw.exe

Filesize
5.2MB

MD5
ee9c1a5ebb344805512489c92073e7b5

SHA1
1a9deadb78662abb07371dd5710e3f5be8bf593c

SHA256
6d028ca4caeb474290bf66d276d64bdedae0f0d842cf075196e0316984a33415

SHA512
7f8d44955939a36b2bfaa3c60d58ef45ce11348dc0ec6f3d269b0654b2f289f714ac048c0341052721931e0ae1113a889ea10b911fbd8b9474a073378b9cca8c

Download Submit
C:\Windows\System\lSdCeHq.exe

Filesize
5.2MB

MD5
54b6a5991289dcc6c5db2745bc5e814a

SHA1
4589ab2c25771ec46ce3a163d524b1c5aeddc8a3

SHA256
116fe99439bb27d80d4b6c1f530ecb94fcf2010e38b3f1ef2d195e06041d28ca

SHA512
e6c83740936a3af480419f0ff3fd40ec3fcbf250539237a8002acf1098b45cb586958eb355969b59302a159d943919707164354eb92c14bb5e4fc629fa556947

Download Submit
C:\Windows\System\lqKDnAZ.exe

Filesize
5.2MB

MD5
f7d230224fd29d67eac00c17474ff12e

SHA1
a2a23b4e6ca892422031a82d143b7f9aef92e630

SHA256
c130db9a95b6cad2fd46f0bcdc0d0f1fc7b9bbb489001271df58be3eaf2cd3db

SHA512
2a2168ea7e958de26260129f4ae828eef72c56cba4c099dcfa01a6b86be071a091248977113b65eecd5db469f0e3f062f98eeca10cf0ab2e25929c6b4d140b9d

Download Submit
C:\Windows\System\neewrVC.exe

Filesize
5.2MB

MD5
21b1c0597ed78a054e96cd5dea7c842f

SHA1
aec5578875e8e7c836f7d1969513133005097b95

SHA256
34b62d210a8658847112b9523efef492cc42ce16cce9d3a62429f45914a087fe

SHA512
afe189fd71936bbce36b57c54c52f5b3df0d11fa61111fb0b76fd46ae19e3e4a4df44ca9b27d6a56618a340814e3dfefa46f47fa99bc763c0c7e73ecb986d790

Download Submit
C:\Windows\System\qMgCTfw.exe

Filesize
5.2MB

MD5
c3cf249d7b4a3497813da9bfca51c881

SHA1
3be4b10cfab0e1777e61feca4f5953ae1b1e9feb

SHA256
8f97b669228f7536586bb50d05bd574db64de8c84578c3c28d098c40dd0f5248

SHA512
ab4c4373e24a14a0cf326ee79508ff9ba58e7b73a162a8b30d852207fb6ed6f8bc41410d995eb52d39482cc21eff6b35fafd42d874f261888a1cb138bece96ed

Download Submit
C:\Windows\System\qlkJAzJ.exe

Filesize
5.2MB

MD5
7061f63ceb2062c4fc6b9942f0bde6ed

SHA1
930ae63435c0bd8b3161cada5f4bdd36297717d2

SHA256
47c36b421e147d5388fedaf8778176426c8a5fda41d7dbd3a7d30a12dd52b0ff

SHA512
41a5cddb07484d5537d701fa0dbbaaadc2e00cc3fbfe836ca39d7f457a5511d9940ab6dac278c8c6e7222a88b17cf24de1fd87702f79762e3ef641a2e504be91

Download Submit
C:\Windows\System\qxjyLio.exe

Filesize
5.2MB

MD5
435a523fcd78f14de3d25eba9965485f

SHA1
00ee6478bafc34bb11bd6f5ea1682f664ebd24f7

SHA256
af70bc8a77d82cfa77d8640efddc29dbf22b13e6f6e08690d1ce501311d05e37

SHA512
a7fc4effd315db9bedb4569e92520c804732feead1ebf0bcc89b22effe1c1816d007445d4df5a9b200a0bf5b24e2d52d1f685ab4c637e83794c9bf23530ac05f

Download Submit
C:\Windows\System\sqiXKrd.exe

Filesize
5.2MB

MD5
ffb242bf2fd4b28e7a3fe8350fb80295

SHA1
7e272164320258a13494b516ff30bfd5d65fea97

SHA256
2153a4e1ce1b2cafeb74223de2cca330fb5f8ae8efeccfaa4fc931bb510b0f17

SHA512
1553bcc3998613f1eaf5fae310b5691c8a56e9565b2054b3703cecb0be142cdbd45b9d3d448038b14973c263d832605735272588e0fc46f0ace235812c9654c6

Download Submit
C:\Windows\System\zpmxHYA.exe

Filesize
5.2MB

MD5
32262c3496355823e3895df0261a7f2c

SHA1
3da6d0103a29eaefbb8fdeaed4423cf6bba10c9c

SHA256
2ed504b71b43a62407f2b457db465f5cbdcdcad496fbf82ca8641ef9eebfcb1c

SHA512
8d89dba21687c15b89f59264f8c64bf44a2f176c1005d271fb49a84e7174797a113a30d2b72b619ff13b1deecdc2ab72eb27dff8845b048b6d472ddcaf7f939e

Download Submit
memory/740-141-0x00007FF747130000-0x00007FF747481000-memory.dmp

Filesize
3.3MB

Download
memory/740-256-0x00007FF747130000-0x00007FF747481000-memory.dmp

Filesize
3.3MB

Download
memory/1140-61-0x00007FF69A760000-0x00007FF69AAB1000-memory.dmp

Filesize
3.3MB

Download
memory/1140-112-0x00007FF69A760000-0x00007FF69AAB1000-memory.dmp

Filesize
3.3MB

Download
memory/1140-220-0x00007FF69A760000-0x00007FF69AAB1000-memory.dmp

Filesize
3.3MB

Download
memory/1256-75-0x00007FF6E56C0000-0x00007FF6E5A11000-memory.dmp

Filesize
3.3MB

Download
memory/1256-113-0x00007FF6E56C0000-0x00007FF6E5A11000-memory.dmp

Filesize
3.3MB

Download
memory/1256-232-0x00007FF6E56C0000-0x00007FF6E5A11000-memory.dmp

Filesize
3.3MB

Download
memory/1456-230-0x00007FF707B80000-0x00007FF707ED1000-memory.dmp

Filesize
3.3MB

Download
memory/1456-86-0x00007FF707B80000-0x00007FF707ED1000-memory.dmp

Filesize
3.3MB

Download
memory/1724-142-0x00007FF641BD0000-0x00007FF641F21000-memory.dmp

Filesize
3.3MB

Download
memory/1724-259-0x00007FF641BD0000-0x00007FF641F21000-memory.dmp

Filesize
3.3MB

Download
memory/1724-167-0x00007FF641BD0000-0x00007FF641F21000-memory.dmp

Filesize
3.3MB

Download
memory/2020-110-0x00007FF62CF90000-0x00007FF62D2E1000-memory.dmp

Filesize
3.3MB

Download
memory/2020-50-0x00007FF62CF90000-0x00007FF62D2E1000-memory.dmp

Filesize
3.3MB

Download
memory/2020-222-0x00007FF62CF90000-0x00007FF62D2E1000-memory.dmp

Filesize
3.3MB

Download
memory/2272-133-0x00007FF7A7560000-0x00007FF7A78B1000-memory.dmp

Filesize
3.3MB

Download
memory/2272-162-0x00007FF7A7560000-0x00007FF7A78B1000-memory.dmp

Filesize
3.3MB

Download
memory/2272-252-0x00007FF7A7560000-0x00007FF7A78B1000-memory.dmp

Filesize
3.3MB

Download
memory/2728-1-0x0000020B1E610000-0x0000020B1E620000-memory.dmp

Filesize
64KB

Download
memory/2728-145-0x00007FF605190000-0x00007FF6054E1000-memory.dmp

Filesize
3.3MB

Download
memory/2728-168-0x00007FF605190000-0x00007FF6054E1000-memory.dmp

Filesize
3.3MB

Download
memory/2728-0-0x00007FF605190000-0x00007FF6054E1000-memory.dmp

Filesize
3.3MB

Download
memory/2728-163-0x00007FF605190000-0x00007FF6054E1000-memory.dmp

Filesize
3.3MB

Download
memory/2728-99-0x00007FF605190000-0x00007FF6054E1000-memory.dmp

Filesize
3.3MB

Download
memory/2988-94-0x00007FF765440000-0x00007FF765791000-memory.dmp

Filesize
3.3MB

Download
memory/2988-218-0x00007FF765440000-0x00007FF765791000-memory.dmp

Filesize
3.3MB

Download
memory/3032-101-0x00007FF701A40000-0x00007FF701D91000-memory.dmp

Filesize
3.3MB

Download
memory/3032-211-0x00007FF701A40000-0x00007FF701D91000-memory.dmp

Filesize
3.3MB

Download
memory/3032-13-0x00007FF701A40000-0x00007FF701D91000-memory.dmp

Filesize
3.3MB

Download
memory/3640-237-0x00007FF61A340000-0x00007FF61A691000-memory.dmp

Filesize
3.3MB

Download
memory/3640-97-0x00007FF61A340000-0x00007FF61A691000-memory.dmp

Filesize
3.3MB

Download
memory/3892-224-0x00007FF717610000-0x00007FF717961000-memory.dmp

Filesize
3.3MB

Download
memory/3892-93-0x00007FF717610000-0x00007FF717961000-memory.dmp

Filesize
3.3MB

Download
memory/3988-254-0x00007FF623FE0000-0x00007FF624331000-memory.dmp

Filesize
3.3MB

Download
memory/3988-143-0x00007FF623FE0000-0x00007FF624331000-memory.dmp

Filesize
3.3MB

Download
memory/3992-36-0x00007FF602120000-0x00007FF602471000-memory.dmp

Filesize
3.3MB

Download
memory/3992-104-0x00007FF602120000-0x00007FF602471000-memory.dmp

Filesize
3.3MB

Download
memory/3992-215-0x00007FF602120000-0x00007FF602471000-memory.dmp

Filesize
3.3MB

Download
memory/3996-233-0x00007FF7F55A0000-0x00007FF7F58F1000-memory.dmp

Filesize
3.3MB

Download
memory/3996-95-0x00007FF7F55A0000-0x00007FF7F58F1000-memory.dmp

Filesize
3.3MB

Download
memory/4196-226-0x00007FF689310000-0x00007FF689661000-memory.dmp

Filesize
3.3MB

Download
memory/4196-108-0x00007FF689310000-0x00007FF689661000-memory.dmp

Filesize
3.3MB

Download
memory/4196-49-0x00007FF689310000-0x00007FF689661000-memory.dmp

Filesize
3.3MB

Download
memory/4280-165-0x00007FF7926A0000-0x00007FF7929F1000-memory.dmp

Filesize
3.3MB

Download
memory/4280-140-0x00007FF7926A0000-0x00007FF7929F1000-memory.dmp

Filesize
3.3MB

Download
memory/4280-257-0x00007FF7926A0000-0x00007FF7929F1000-memory.dmp

Filesize
3.3MB

Download
memory/4512-228-0x00007FF66DA40000-0x00007FF66DD91000-memory.dmp

Filesize
3.3MB

Download
memory/4512-85-0x00007FF66DA40000-0x00007FF66DD91000-memory.dmp

Filesize
3.3MB

Download
memory/4556-100-0x00007FF6D5950000-0x00007FF6D5CA1000-memory.dmp

Filesize
3.3MB

Download
memory/4556-6-0x00007FF6D5950000-0x00007FF6D5CA1000-memory.dmp

Filesize
3.3MB

Download
memory/4556-210-0x00007FF6D5950000-0x00007FF6D5CA1000-memory.dmp

Filesize
3.3MB

Download
memory/4764-103-0x00007FF6C8B80000-0x00007FF6C8ED1000-memory.dmp

Filesize
3.3MB

Download
memory/4764-214-0x00007FF6C8B80000-0x00007FF6C8ED1000-memory.dmp

Filesize
3.3MB

Download
memory/4764-27-0x00007FF6C8B80000-0x00007FF6C8ED1000-memory.dmp

Filesize
3.3MB

Download
memory/4772-239-0x00007FF73A5E0000-0x00007FF73A931000-memory.dmp

Filesize
3.3MB

Download
memory/4772-98-0x00007FF73A5E0000-0x00007FF73A931000-memory.dmp

Filesize
3.3MB

Download
memory/4836-96-0x00007FF780940000-0x00007FF780C91000-memory.dmp

Filesize
3.3MB

Download
memory/4836-235-0x00007FF780940000-0x00007FF780C91000-memory.dmp

Filesize
3.3MB

Download