cobaltstrike | e0b7a6688ecc7c4316968f2e4c710a7860225733e5b6f63e7d551893c44c324d

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20/11/2024, 14:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-20_5a43481bf402bd0ad63c6c46b4b5aec3_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

5a43481bf402bd0ad63c6c46b4b5aec3
SHA1

7e1bc60dbfb36352349b2a60caae05fc22e5479f
SHA256

e0b7a6688ecc7c4316968f2e4c710a7860225733e5b6f63e7d551893c44c324d
SHA512

ef2b5b243011fb984dba102170294ed024249bf122261324861a3158cd173208f8e63185e2989a2cf0abe5a878ef96fba5a2a09b5ee9b697a8f585597a862375
SSDEEP

49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lp:RWWBibd56utgpPFotBER/mQ32lUd

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000c000000023b1f-4.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b74-19.dat	cobalt_reflective_dll
behavioral2/files/0x0031000000023b76-25.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b78-40.dat	cobalt_reflective_dll
behavioral2/files/0x0031000000023b77-37.dat	cobalt_reflective_dll
behavioral2/files/0x0031000000023b75-27.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b73-15.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b79-47.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7a-51.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7b-56.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7c-64.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7d-68.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7f-84.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b82-97.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b85-122.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b86-120.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b84-113.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b83-111.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b81-105.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b80-96.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7e-81.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/4352-108-0x00007FF783FB0000-0x00007FF784301000-memory.dmp	xmrig
behavioral2/memory/3204-116-0x00007FF7528B0000-0x00007FF752C01000-memory.dmp	xmrig
behavioral2/memory/3880-115-0x00007FF7748E0000-0x00007FF774C31000-memory.dmp	xmrig
behavioral2/memory/2316-75-0x00007FF776A10000-0x00007FF776D61000-memory.dmp	xmrig
behavioral2/memory/4260-66-0x00007FF6FDB80000-0x00007FF6FDED1000-memory.dmp	xmrig
behavioral2/memory/3532-65-0x00007FF7A5DE0000-0x00007FF7A6131000-memory.dmp	xmrig
behavioral2/memory/1640-124-0x00007FF7993A0000-0x00007FF7996F1000-memory.dmp	xmrig
behavioral2/memory/3532-125-0x00007FF7A5DE0000-0x00007FF7A6131000-memory.dmp	xmrig
behavioral2/memory/3268-130-0x00007FF768C10000-0x00007FF768F61000-memory.dmp	xmrig
behavioral2/memory/2028-131-0x00007FF7CA700000-0x00007FF7CAA51000-memory.dmp	xmrig
behavioral2/memory/1240-133-0x00007FF656FA0000-0x00007FF6572F1000-memory.dmp	xmrig
behavioral2/memory/5032-134-0x00007FF795F80000-0x00007FF7962D1000-memory.dmp	xmrig
behavioral2/memory/4752-136-0x00007FF6F19F0000-0x00007FF6F1D41000-memory.dmp	xmrig
behavioral2/memory/4320-138-0x00007FF67FAF0000-0x00007FF67FE41000-memory.dmp	xmrig
behavioral2/memory/2296-139-0x00007FF6AFAD0000-0x00007FF6AFE21000-memory.dmp	xmrig
behavioral2/memory/2288-140-0x00007FF72BDC0000-0x00007FF72C111000-memory.dmp	xmrig
behavioral2/memory/2776-137-0x00007FF734DC0000-0x00007FF735111000-memory.dmp	xmrig
behavioral2/memory/3860-135-0x00007FF767E40000-0x00007FF768191000-memory.dmp	xmrig
behavioral2/memory/400-132-0x00007FF655C30000-0x00007FF655F81000-memory.dmp	xmrig
behavioral2/memory/4024-128-0x00007FF6F45F0000-0x00007FF6F4941000-memory.dmp	xmrig
behavioral2/memory/3484-143-0x00007FF77BD60000-0x00007FF77C0B1000-memory.dmp	xmrig
behavioral2/memory/2688-146-0x00007FF623810000-0x00007FF623B61000-memory.dmp	xmrig
behavioral2/memory/5024-141-0x00007FF6C63C0000-0x00007FF6C6711000-memory.dmp	xmrig
behavioral2/memory/3532-154-0x00007FF7A5DE0000-0x00007FF7A6131000-memory.dmp	xmrig
behavioral2/memory/2316-201-0x00007FF776A10000-0x00007FF776D61000-memory.dmp	xmrig
behavioral2/memory/3880-210-0x00007FF7748E0000-0x00007FF774C31000-memory.dmp	xmrig
behavioral2/memory/4024-213-0x00007FF6F45F0000-0x00007FF6F4941000-memory.dmp	xmrig
behavioral2/memory/3204-214-0x00007FF7528B0000-0x00007FF752C01000-memory.dmp	xmrig
behavioral2/memory/3268-217-0x00007FF768C10000-0x00007FF768F61000-memory.dmp	xmrig
behavioral2/memory/2028-218-0x00007FF7CA700000-0x00007FF7CAA51000-memory.dmp	xmrig
behavioral2/memory/400-220-0x00007FF655C30000-0x00007FF655F81000-memory.dmp	xmrig
behavioral2/memory/1240-225-0x00007FF656FA0000-0x00007FF6572F1000-memory.dmp	xmrig
behavioral2/memory/4260-238-0x00007FF6FDB80000-0x00007FF6FDED1000-memory.dmp	xmrig
behavioral2/memory/5024-239-0x00007FF6C63C0000-0x00007FF6C6711000-memory.dmp	xmrig
behavioral2/memory/3484-241-0x00007FF77BD60000-0x00007FF77C0B1000-memory.dmp	xmrig
behavioral2/memory/2688-244-0x00007FF623810000-0x00007FF623B61000-memory.dmp	xmrig
behavioral2/memory/1640-245-0x00007FF7993A0000-0x00007FF7996F1000-memory.dmp	xmrig
behavioral2/memory/4352-247-0x00007FF783FB0000-0x00007FF784301000-memory.dmp	xmrig
behavioral2/memory/5032-252-0x00007FF795F80000-0x00007FF7962D1000-memory.dmp	xmrig
behavioral2/memory/2296-253-0x00007FF6AFAD0000-0x00007FF6AFE21000-memory.dmp	xmrig
behavioral2/memory/4752-257-0x00007FF6F19F0000-0x00007FF6F1D41000-memory.dmp	xmrig
behavioral2/memory/2776-256-0x00007FF734DC0000-0x00007FF735111000-memory.dmp	xmrig
behavioral2/memory/3860-250-0x00007FF767E40000-0x00007FF768191000-memory.dmp	xmrig
behavioral2/memory/2288-261-0x00007FF72BDC0000-0x00007FF72C111000-memory.dmp	xmrig
behavioral2/memory/4320-260-0x00007FF67FAF0000-0x00007FF67FE41000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2316	PODlmPF.exe
3880	cJYUTYh.exe
4024	GeAWILp.exe
3204	dmxnqdj.exe
3268	UuummxS.exe
2028	reicKkb.exe
400	YAeSIbV.exe
1240	CzHeLAp.exe
5024	dihPNtW.exe
4260	gxcEuoG.exe
3484	LGndeOK.exe
4352	HSRrezH.exe
1640	KIOqQcQ.exe
2688	xQiKcAH.exe
5032	eTdYkrn.exe
2296	VNXCczI.exe
3860	iOTSLSl.exe
4752	ZIQIlob.exe
2776	GTUbVIG.exe
2288	PjYatTT.exe
4320	orqJPGU.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3532-0-0x00007FF7A5DE0000-0x00007FF7A6131000-memory.dmp	upx
behavioral2/files/0x000c000000023b1f-4.dat	upx
behavioral2/memory/2316-7-0x00007FF776A10000-0x00007FF776D61000-memory.dmp	upx
behavioral2/files/0x000a000000023b74-19.dat	upx
behavioral2/files/0x0031000000023b76-25.dat	upx
behavioral2/memory/4024-24-0x00007FF6F45F0000-0x00007FF6F4941000-memory.dmp	upx
behavioral2/memory/3204-30-0x00007FF7528B0000-0x00007FF752C01000-memory.dmp	upx
behavioral2/files/0x000a000000023b78-40.dat	upx
behavioral2/memory/400-42-0x00007FF655C30000-0x00007FF655F81000-memory.dmp	upx
behavioral2/files/0x0031000000023b77-37.dat	upx
behavioral2/memory/2028-36-0x00007FF7CA700000-0x00007FF7CAA51000-memory.dmp	upx
behavioral2/memory/3268-35-0x00007FF768C10000-0x00007FF768F61000-memory.dmp	upx
behavioral2/files/0x0031000000023b75-27.dat	upx
behavioral2/files/0x000a000000023b73-15.dat	upx
behavioral2/memory/3880-14-0x00007FF7748E0000-0x00007FF774C31000-memory.dmp	upx
behavioral2/files/0x000a000000023b79-47.dat	upx
behavioral2/files/0x000a000000023b7a-51.dat	upx
behavioral2/files/0x000a000000023b7b-56.dat	upx
behavioral2/files/0x000a000000023b7c-64.dat	upx
behavioral2/files/0x000a000000023b7d-68.dat	upx
behavioral2/files/0x000a000000023b7f-84.dat	upx
behavioral2/memory/2688-89-0x00007FF623810000-0x00007FF623B61000-memory.dmp	upx
behavioral2/files/0x000a000000023b82-97.dat	upx
behavioral2/memory/4352-108-0x00007FF783FB0000-0x00007FF784301000-memory.dmp	upx
behavioral2/memory/3204-116-0x00007FF7528B0000-0x00007FF752C01000-memory.dmp	upx
behavioral2/files/0x000a000000023b85-122.dat	upx
behavioral2/files/0x000a000000023b86-120.dat	upx
behavioral2/memory/3880-115-0x00007FF7748E0000-0x00007FF774C31000-memory.dmp	upx
behavioral2/files/0x000a000000023b84-113.dat	upx
behavioral2/files/0x000a000000023b83-111.dat	upx
behavioral2/files/0x000a000000023b81-105.dat	upx
behavioral2/files/0x000a000000023b80-96.dat	upx
behavioral2/files/0x000a000000023b7e-81.dat	upx
behavioral2/memory/2316-75-0x00007FF776A10000-0x00007FF776D61000-memory.dmp	upx
behavioral2/memory/3484-70-0x00007FF77BD60000-0x00007FF77C0B1000-memory.dmp	upx
behavioral2/memory/4260-66-0x00007FF6FDB80000-0x00007FF6FDED1000-memory.dmp	upx
behavioral2/memory/3532-65-0x00007FF7A5DE0000-0x00007FF7A6131000-memory.dmp	upx
behavioral2/memory/5024-59-0x00007FF6C63C0000-0x00007FF6C6711000-memory.dmp	upx
behavioral2/memory/1240-52-0x00007FF656FA0000-0x00007FF6572F1000-memory.dmp	upx
behavioral2/memory/1640-124-0x00007FF7993A0000-0x00007FF7996F1000-memory.dmp	upx
behavioral2/memory/3532-125-0x00007FF7A5DE0000-0x00007FF7A6131000-memory.dmp	upx
behavioral2/memory/3268-130-0x00007FF768C10000-0x00007FF768F61000-memory.dmp	upx
behavioral2/memory/2028-131-0x00007FF7CA700000-0x00007FF7CAA51000-memory.dmp	upx
behavioral2/memory/1240-133-0x00007FF656FA0000-0x00007FF6572F1000-memory.dmp	upx
behavioral2/memory/5032-134-0x00007FF795F80000-0x00007FF7962D1000-memory.dmp	upx
behavioral2/memory/4752-136-0x00007FF6F19F0000-0x00007FF6F1D41000-memory.dmp	upx
behavioral2/memory/4320-138-0x00007FF67FAF0000-0x00007FF67FE41000-memory.dmp	upx
behavioral2/memory/2296-139-0x00007FF6AFAD0000-0x00007FF6AFE21000-memory.dmp	upx
behavioral2/memory/2288-140-0x00007FF72BDC0000-0x00007FF72C111000-memory.dmp	upx
behavioral2/memory/2776-137-0x00007FF734DC0000-0x00007FF735111000-memory.dmp	upx
behavioral2/memory/3860-135-0x00007FF767E40000-0x00007FF768191000-memory.dmp	upx
behavioral2/memory/400-132-0x00007FF655C30000-0x00007FF655F81000-memory.dmp	upx
behavioral2/memory/4024-128-0x00007FF6F45F0000-0x00007FF6F4941000-memory.dmp	upx
behavioral2/memory/3484-143-0x00007FF77BD60000-0x00007FF77C0B1000-memory.dmp	upx
behavioral2/memory/2688-146-0x00007FF623810000-0x00007FF623B61000-memory.dmp	upx
behavioral2/memory/5024-141-0x00007FF6C63C0000-0x00007FF6C6711000-memory.dmp	upx
behavioral2/memory/3532-154-0x00007FF7A5DE0000-0x00007FF7A6131000-memory.dmp	upx
behavioral2/memory/2316-201-0x00007FF776A10000-0x00007FF776D61000-memory.dmp	upx
behavioral2/memory/3880-210-0x00007FF7748E0000-0x00007FF774C31000-memory.dmp	upx
behavioral2/memory/4024-213-0x00007FF6F45F0000-0x00007FF6F4941000-memory.dmp	upx
behavioral2/memory/3204-214-0x00007FF7528B0000-0x00007FF752C01000-memory.dmp	upx
behavioral2/memory/3268-217-0x00007FF768C10000-0x00007FF768F61000-memory.dmp	upx
behavioral2/memory/2028-218-0x00007FF7CA700000-0x00007FF7CAA51000-memory.dmp	upx
behavioral2/memory/400-220-0x00007FF655C30000-0x00007FF655F81000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\LGndeOK.exe	2024-11-20_5a43481bf402bd0ad63c6c46b4b5aec3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HSRrezH.exe	2024-11-20_5a43481bf402bd0ad63c6c46b4b5aec3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VNXCczI.exe	2024-11-20_5a43481bf402bd0ad63c6c46b4b5aec3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eTdYkrn.exe	2024-11-20_5a43481bf402bd0ad63c6c46b4b5aec3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GeAWILp.exe	2024-11-20_5a43481bf402bd0ad63c6c46b4b5aec3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dihPNtW.exe	2024-11-20_5a43481bf402bd0ad63c6c46b4b5aec3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KIOqQcQ.exe	2024-11-20_5a43481bf402bd0ad63c6c46b4b5aec3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GTUbVIG.exe	2024-11-20_5a43481bf402bd0ad63c6c46b4b5aec3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\orqJPGU.exe	2024-11-20_5a43481bf402bd0ad63c6c46b4b5aec3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cJYUTYh.exe	2024-11-20_5a43481bf402bd0ad63c6c46b4b5aec3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dmxnqdj.exe	2024-11-20_5a43481bf402bd0ad63c6c46b4b5aec3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\reicKkb.exe	2024-11-20_5a43481bf402bd0ad63c6c46b4b5aec3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CzHeLAp.exe	2024-11-20_5a43481bf402bd0ad63c6c46b4b5aec3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xQiKcAH.exe	2024-11-20_5a43481bf402bd0ad63c6c46b4b5aec3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iOTSLSl.exe	2024-11-20_5a43481bf402bd0ad63c6c46b4b5aec3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZIQIlob.exe	2024-11-20_5a43481bf402bd0ad63c6c46b4b5aec3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PODlmPF.exe	2024-11-20_5a43481bf402bd0ad63c6c46b4b5aec3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UuummxS.exe	2024-11-20_5a43481bf402bd0ad63c6c46b4b5aec3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YAeSIbV.exe	2024-11-20_5a43481bf402bd0ad63c6c46b4b5aec3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gxcEuoG.exe	2024-11-20_5a43481bf402bd0ad63c6c46b4b5aec3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PjYatTT.exe	2024-11-20_5a43481bf402bd0ad63c6c46b4b5aec3_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3532	2024-11-20_5a43481bf402bd0ad63c6c46b4b5aec3_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	3532	2024-11-20_5a43481bf402bd0ad63c6c46b4b5aec3_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3532 wrote to memory of 2316	3532	2024-11-20_5a43481bf402bd0ad63c6c46b4b5aec3_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3532 wrote to memory of 2316	3532	2024-11-20_5a43481bf402bd0ad63c6c46b4b5aec3_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3532 wrote to memory of 3880	3532	2024-11-20_5a43481bf402bd0ad63c6c46b4b5aec3_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3532 wrote to memory of 3880	3532	2024-11-20_5a43481bf402bd0ad63c6c46b4b5aec3_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3532 wrote to memory of 4024	3532	2024-11-20_5a43481bf402bd0ad63c6c46b4b5aec3_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3532 wrote to memory of 4024	3532	2024-11-20_5a43481bf402bd0ad63c6c46b4b5aec3_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3532 wrote to memory of 3204	3532	2024-11-20_5a43481bf402bd0ad63c6c46b4b5aec3_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3532 wrote to memory of 3204	3532	2024-11-20_5a43481bf402bd0ad63c6c46b4b5aec3_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3532 wrote to memory of 3268	3532	2024-11-20_5a43481bf402bd0ad63c6c46b4b5aec3_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3532 wrote to memory of 3268	3532	2024-11-20_5a43481bf402bd0ad63c6c46b4b5aec3_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3532 wrote to memory of 2028	3532	2024-11-20_5a43481bf402bd0ad63c6c46b4b5aec3_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3532 wrote to memory of 2028	3532	2024-11-20_5a43481bf402bd0ad63c6c46b4b5aec3_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3532 wrote to memory of 400	3532	2024-11-20_5a43481bf402bd0ad63c6c46b4b5aec3_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3532 wrote to memory of 400	3532	2024-11-20_5a43481bf402bd0ad63c6c46b4b5aec3_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3532 wrote to memory of 1240	3532	2024-11-20_5a43481bf402bd0ad63c6c46b4b5aec3_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3532 wrote to memory of 1240	3532	2024-11-20_5a43481bf402bd0ad63c6c46b4b5aec3_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3532 wrote to memory of 5024	3532	2024-11-20_5a43481bf402bd0ad63c6c46b4b5aec3_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3532 wrote to memory of 5024	3532	2024-11-20_5a43481bf402bd0ad63c6c46b4b5aec3_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3532 wrote to memory of 4260	3532	2024-11-20_5a43481bf402bd0ad63c6c46b4b5aec3_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3532 wrote to memory of 4260	3532	2024-11-20_5a43481bf402bd0ad63c6c46b4b5aec3_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3532 wrote to memory of 3484	3532	2024-11-20_5a43481bf402bd0ad63c6c46b4b5aec3_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3532 wrote to memory of 3484	3532	2024-11-20_5a43481bf402bd0ad63c6c46b4b5aec3_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3532 wrote to memory of 4352	3532	2024-11-20_5a43481bf402bd0ad63c6c46b4b5aec3_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3532 wrote to memory of 4352	3532	2024-11-20_5a43481bf402bd0ad63c6c46b4b5aec3_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3532 wrote to memory of 1640	3532	2024-11-20_5a43481bf402bd0ad63c6c46b4b5aec3_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3532 wrote to memory of 1640	3532	2024-11-20_5a43481bf402bd0ad63c6c46b4b5aec3_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3532 wrote to memory of 2688	3532	2024-11-20_5a43481bf402bd0ad63c6c46b4b5aec3_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3532 wrote to memory of 2688	3532	2024-11-20_5a43481bf402bd0ad63c6c46b4b5aec3_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3532 wrote to memory of 2296	3532	2024-11-20_5a43481bf402bd0ad63c6c46b4b5aec3_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3532 wrote to memory of 2296	3532	2024-11-20_5a43481bf402bd0ad63c6c46b4b5aec3_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3532 wrote to memory of 5032	3532	2024-11-20_5a43481bf402bd0ad63c6c46b4b5aec3_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3532 wrote to memory of 5032	3532	2024-11-20_5a43481bf402bd0ad63c6c46b4b5aec3_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3532 wrote to memory of 3860	3532	2024-11-20_5a43481bf402bd0ad63c6c46b4b5aec3_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3532 wrote to memory of 3860	3532	2024-11-20_5a43481bf402bd0ad63c6c46b4b5aec3_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3532 wrote to memory of 4752	3532	2024-11-20_5a43481bf402bd0ad63c6c46b4b5aec3_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3532 wrote to memory of 4752	3532	2024-11-20_5a43481bf402bd0ad63c6c46b4b5aec3_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3532 wrote to memory of 2776	3532	2024-11-20_5a43481bf402bd0ad63c6c46b4b5aec3_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3532 wrote to memory of 2776	3532	2024-11-20_5a43481bf402bd0ad63c6c46b4b5aec3_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3532 wrote to memory of 4320	3532	2024-11-20_5a43481bf402bd0ad63c6c46b4b5aec3_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3532 wrote to memory of 4320	3532	2024-11-20_5a43481bf402bd0ad63c6c46b4b5aec3_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3532 wrote to memory of 2288	3532	2024-11-20_5a43481bf402bd0ad63c6c46b4b5aec3_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 3532 wrote to memory of 2288	3532	2024-11-20_5a43481bf402bd0ad63c6c46b4b5aec3_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-11-20_5a43481bf402bd0ad63c6c46b4b5aec3_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-20_5a43481bf402bd0ad63c6c46b4b5aec3_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3532
- C:\Windows\System\PODlmPF.exe
  C:\Windows\System\PODlmPF.exe
  2⤵
  - Executes dropped EXE
  PID:2316
- C:\Windows\System\cJYUTYh.exe
  C:\Windows\System\cJYUTYh.exe
  2⤵
  - Executes dropped EXE
  PID:3880
- C:\Windows\System\GeAWILp.exe
  C:\Windows\System\GeAWILp.exe
  2⤵
  - Executes dropped EXE
  PID:4024
- C:\Windows\System\dmxnqdj.exe
  C:\Windows\System\dmxnqdj.exe
  2⤵
  - Executes dropped EXE
  PID:3204
- C:\Windows\System\UuummxS.exe
  C:\Windows\System\UuummxS.exe
  2⤵
  - Executes dropped EXE
  PID:3268
- C:\Windows\System\reicKkb.exe
  C:\Windows\System\reicKkb.exe
  2⤵
  - Executes dropped EXE
  PID:2028
- C:\Windows\System\YAeSIbV.exe
  C:\Windows\System\YAeSIbV.exe
  2⤵
  - Executes dropped EXE
  PID:400
- C:\Windows\System\CzHeLAp.exe
  C:\Windows\System\CzHeLAp.exe
  2⤵
  - Executes dropped EXE
  PID:1240
- C:\Windows\System\dihPNtW.exe
  C:\Windows\System\dihPNtW.exe
  2⤵
  - Executes dropped EXE
  PID:5024
- C:\Windows\System\gxcEuoG.exe
  C:\Windows\System\gxcEuoG.exe
  2⤵
  - Executes dropped EXE
  PID:4260
- C:\Windows\System\LGndeOK.exe
  C:\Windows\System\LGndeOK.exe
  2⤵
  - Executes dropped EXE
  PID:3484
- C:\Windows\System\HSRrezH.exe
  C:\Windows\System\HSRrezH.exe
  2⤵
  - Executes dropped EXE
  PID:4352
- C:\Windows\System\KIOqQcQ.exe
  C:\Windows\System\KIOqQcQ.exe
  2⤵
  - Executes dropped EXE
  PID:1640
- C:\Windows\System\xQiKcAH.exe
  C:\Windows\System\xQiKcAH.exe
  2⤵
  - Executes dropped EXE
  PID:2688
- C:\Windows\System\VNXCczI.exe
  C:\Windows\System\VNXCczI.exe
  2⤵
  - Executes dropped EXE
  PID:2296
- C:\Windows\System\eTdYkrn.exe
  C:\Windows\System\eTdYkrn.exe
  2⤵
  - Executes dropped EXE
  PID:5032
- C:\Windows\System\iOTSLSl.exe
  C:\Windows\System\iOTSLSl.exe
  2⤵
  - Executes dropped EXE
  PID:3860
- C:\Windows\System\ZIQIlob.exe
  C:\Windows\System\ZIQIlob.exe
  2⤵
  - Executes dropped EXE
  PID:4752
- C:\Windows\System\GTUbVIG.exe
  C:\Windows\System\GTUbVIG.exe
  2⤵
  - Executes dropped EXE
  PID:2776
- C:\Windows\System\orqJPGU.exe
  C:\Windows\System\orqJPGU.exe
  2⤵
  - Executes dropped EXE
  PID:4320
- C:\Windows\System\PjYatTT.exe
  C:\Windows\System\PjYatTT.exe
  2⤵
  - Executes dropped EXE
  PID:2288

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\CzHeLAp.exe

Filesize
5.2MB

MD5
df3e879810b53f22460db92f656db02a

SHA1
bf02856f838b53e586ac32b8f660e7dca2c94aa0

SHA256
113ccf931f640597c510ce48075a7eab5baeff16394e590c50fecbdaf39e34da

SHA512
0a8f674a4b42285edcf41960aba5fbcaeaf557f6b317d70e520032c2db4bfacf5b4465ed880a613a0b07c14a444a6769709c720775515afdaed082a240bf1d19

Download Submit
C:\Windows\System\GTUbVIG.exe

Filesize
5.2MB

MD5
aee4e41224cecc6c7630360bc2111133

SHA1
ecf66724eef3ec363e8655bda128ce70b9c7e323

SHA256
f71c222e66cdb1690107b2ce9b2c2ecbe54c8b3f3d8a650bde77d3bf1def4060

SHA512
c2afde7ca5fe3c953f8724ce4fe85a93c1201584429ff7b8c4b3668e154ca317687ec3dec101417db8a7c9f84747368cde1cfaf7e4812f78ed8c0f71facb4962

Download Submit
C:\Windows\System\GeAWILp.exe

Filesize
5.2MB

MD5
1a4654f8fb06bc1ee5caf036eb5bbba5

SHA1
81618b82e717f8ff85d7fa454409be96a217a561

SHA256
45a0cd8b296e7175e78c60480a64e1b78aee585de38e807ff403f5737822507b

SHA512
1f31bea455fb42fb7df3a249c6b302572658d2e615a220ed7c0f7f51606985894c7d2ae72984eeeeb3845ec01a7dda9d6b6208d4e19110cdd8c06be182bed4f1

Download Submit
C:\Windows\System\HSRrezH.exe

Filesize
5.2MB

MD5
0cc40b0b2e3794f36fbfb47d28016dbc

SHA1
fb4f766b0dc6b779aa6abee4d2c13e4d0b8286ae

SHA256
8fd3a49645ef0edc765944149eac1d8d747719f36a4d7da8062e571cfc3c8005

SHA512
040151fe2a720d3c94defec2c5af8e0690593c658af0c7d719a8c63ba7bff2b2f67bb13d4f6d207d88157a0fd8bfb06327ed93d258073a81af23d770153b8fbf

Download Submit
C:\Windows\System\KIOqQcQ.exe

Filesize
5.2MB

MD5
7a4601d8223c3a58e74e10f7e51ff277

SHA1
0d2a52f71121bdb552b118a5625f466fa3231922

SHA256
50f620b213d882258a134a1e28041ac29790dbbe6aa66a79f5a8668d59b526e1

SHA512
821e4f4bd63e4151b88bc60d86b4e192993e0b334fbc31b004aae0e44d37205cea711fd97a8e577ceddbb5d33e537520c22c8479ce2775f157cc8c500c5b956e

Download Submit
C:\Windows\System\LGndeOK.exe

Filesize
5.2MB

MD5
a5f86ff951e680bf3a210b73354caee9

SHA1
ede7b95e534cd78bfb2134aacb32b80df8d0218e

SHA256
894a42e1f4cdca17eb5470a3857372e9b6d01747641433118398ec234edd3290

SHA512
dd2022e736ed5b7a0f21d8916d5ff7adcda97c9270c18be3b56be27b60e4781adde177f80f43b2c3c109700b9e23a8bce687671cfbeff4871546b19b5c4592d6

Download Submit
C:\Windows\System\PODlmPF.exe

Filesize
5.2MB

MD5
2dc3510e8550e45ae001eaf596cf45a3

SHA1
92099cdf3eab73db999341200ecf6c75c9247bbc

SHA256
43692c84da6a86db507997f87c37875570e7d58ec92dd86c751de53058e77420

SHA512
361e25e6cce6eb2507718b0cd87d51f84b385275a34dafcb2419fb6d63661b24873f5eac6ce932e5620e6118758d050ba683a9897f9d9e23a51d0bd29af34b8e

Download Submit
C:\Windows\System\PjYatTT.exe

Filesize
5.2MB

MD5
143d93a9c11dc58ae2a3ea2e91775240

SHA1
27f4e861cb50a8a75f11f8588fa4fcba678da8e9

SHA256
7bcc3f1e51c7bff667f880a149e10630238c1226e72b8c6e87af9cd6613d18ba

SHA512
648c2cc7adb70fef1f70d29a16423cfdeae4b42355741e8a9b4330680505d85060aa9b6cda954034241338f56505329e611344820527643b6f27da4258eedf4b

Download Submit
C:\Windows\System\UuummxS.exe

Filesize
5.2MB

MD5
a26118af75fa302637b56ed36b14e864

SHA1
5ac2b88c40d83ae499aa69443f6e2666adc2609d

SHA256
21564346492f41f38ad1267598a239704804368567880837bfd35f5b887b9766

SHA512
5fb631433479585577fc026f425d0adcb0dbb4612401445d02fc79593ccda39a375090f3e8bf2c18d1c6286f272de1a122a7a248613e0a99a64bf1d04dfe3239

Download Submit
C:\Windows\System\VNXCczI.exe

Filesize
5.2MB

MD5
f064f22bd3badf5d02b19572b017efbe

SHA1
13bdb82ac78c37b43cab2cdc3450363031c548a0

SHA256
bcc401fbc64d85d6591ea621c0670b9ea58e3b4364e0524cfe7ff79512901738

SHA512
fbbae5eded4c8ddf12a402c94657dab11ff56682ad3e7a7f029274fdac196de17bdb9f1d39eed7aa217c0a5ffdf730e544ed25cfdc4a7155cf01e7d1cda412cd

Download Submit
C:\Windows\System\YAeSIbV.exe

Filesize
5.2MB

MD5
478f0454d7f3b1d8ccf07d30680bc0f9

SHA1
d7826f1b8b9d8f0d762b590ef03a6f7d26fbe26b

SHA256
b86e4b8c5084b48e6ab18c01c503216d31480ce886f7253efd92c0ad4cc3364c

SHA512
91d800f0614c8b28e936f631e5270fe80976a96e467ba3ee0bf21c00d3011f2d1ad82e72f0faa898e06dd09a3cdb4a854bc072064f37dfeaf40bf801992c31d9

Download Submit
C:\Windows\System\ZIQIlob.exe

Filesize
5.2MB

MD5
7a14db906d64a70d542499be68da203a

SHA1
e1697071f3dfbc35e8edd1b6ab6f45f204425c64

SHA256
743edfb88f64cdeedd5c678cd7025dae1adde6413c28d3cbf0f8858a0e4f703a

SHA512
9a5485992051938620b3b90e32414d84abb6e0636673f8c0d94c312aab001fe45205408c22ee443e87a28a193da3a04bc5d4792074f6f37b55536285faf59260

Download Submit
C:\Windows\System\cJYUTYh.exe

Filesize
5.2MB

MD5
f6a253aaacff0b5f69a5622623f8ab7c

SHA1
1f01b934f618ff0433a143e98ce8abd55af8d6b7

SHA256
462e87961ce5316b86036fb4a98a01281268773deb757c860915963e976c7f68

SHA512
f53fba827b3b1ce87f3cb35e4490004a2070ef0e6d061d018e4107915374d4d0ea1ac7895ed1f7227d29bd304b0ca6cae923c883fda91c46873fb9c9e3dad310

Download Submit
C:\Windows\System\dihPNtW.exe

Filesize
5.2MB

MD5
8bda854a794ee0209574589b8859f923

SHA1
f0a1f8557a912a6714fa024e298c6f9ecfd02770

SHA256
6e0c33ef6a319f8bdc754d7d8b2599b14ae12e7a65ecfc9f2c8128e7d8883024

SHA512
81149e5c5642a8739e4d0628ae8e392faecf4593e0e53f8929783a20a2754bd27bd03b45807a1ed7182a18d8e811a22693faab1c550e813a06ea9410d73551ac

Download Submit
C:\Windows\System\dmxnqdj.exe

Filesize
5.2MB

MD5
0ce99f188f95f71caf17d27e718bf361

SHA1
e21973d1c7659ba0691cad596924f69ac2bc032e

SHA256
f74d49f63fa40c821f8ae0d51530407f4267af10d73075e841f162516a2fa0e6

SHA512
909bdc44cabb00fcc8c30ee13785e12df17259c8feb5288c7d5e137eac9b0be1aff8c6bf9c8ece254a26a13a168dc1167646747ce59fba8b6886fcb85e10b1c3

Download Submit
C:\Windows\System\eTdYkrn.exe

Filesize
5.2MB

MD5
90bb96870d71a80c4038c5b5146e038c

SHA1
384c27bd979832b7d29a051174c8f8ed1e2af735

SHA256
f5eed5abdd466a78879a9edea4a6dd7dac9d5ed69b6622dc43bceff542e844f3

SHA512
e4eff02bd686b1cc48b0769aed42db75f803f11da0b3070a272ecd093cfecd2d269ac95834b58772cb5bb17c6257dc0ebe3688945f7eee5677a52e7bc7f6c628

Download Submit
C:\Windows\System\gxcEuoG.exe

Filesize
5.2MB

MD5
dcc17956eb2a6a1111e8b644a485e65a

SHA1
0f22190afe797b99c9975dfac7b6700935fae646

SHA256
9b602930dccbb457217945f66dd66576e89ca3bb97dda804f3f04d329abaa914

SHA512
4a889e99ed4472c19af6364176f1f25330ca7d6408d3e50266360534b9f6f82ef99d0b5008a0e1c34cc15ab5fbc9b38c2d35dd1ede8ce128b8b19e9abb88d6f9

Download Submit
C:\Windows\System\iOTSLSl.exe

Filesize
5.2MB

MD5
2dd96137bac725d259dbe7b117dabe47

SHA1
2f08955101d4fad3ec784b93b870b07a586bf380

SHA256
a5cb1f0995658187f80548bc22330cc7c17b5f28e94c1605a008ff994f94d819

SHA512
3f0d6552172194e611b9f1b40df9adc338797cf3c9343d2b027e22c6e9d0881d345c259e1a92acb29c85c9d873e5776657976a426b85272f80fe660116c0afde

Download Submit
C:\Windows\System\orqJPGU.exe

Filesize
5.2MB

MD5
e2d2ba89fc1ca7bcff1a75b5529861bb

SHA1
c7626d11409b4044d34dfea188251a3ad964ad8a

SHA256
186b5cf6bc9c2ee091504acfb1bf6210cc077f086cf8885116b3307c2b04f553

SHA512
0afb4b825ee96a687c47c2b41a2a29e69867b0c2bddd0b7e8b467b7096af3ada435d8b8b2c6b1be262304198e2c848e3cadb8e34b10527bb11aecc5665659920

Download Submit
C:\Windows\System\reicKkb.exe

Filesize
5.2MB

MD5
216a99b68fc801d54b14721940e6967b

SHA1
84a3f1b4a585767f19d03a57e32c61188cc0e8c9

SHA256
a615cef7580dbd42844914d305a9a6a4798c01f39cb92db052ab1fc564fe75bf

SHA512
ea730c8670889923556eac5613c55842420ec05ee2058e55c8bb43847fa631a8f341a72f8bbab213ee9d1ddb647a925e0752500d220e61286680a86027ad71b0

Download Submit
C:\Windows\System\xQiKcAH.exe

Filesize
5.2MB

MD5
54332de0656f5347150e7ae63190f213

SHA1
895b0b5b4cdfbb35f7711b3b7892209881e7e0f5

SHA256
36da9cd2e200f921941bc4548e7423464bcb96331cb12623072823c69de6e600

SHA512
2e89e1102aa8c5c1167846e92a00bcb5023252e223dc2a22f30e0566b8f5f939126608cad64d7dae74de19f81e60b69b72d9285febf706e2a11e6063f17d5204

Download Submit
memory/400-42-0x00007FF655C30000-0x00007FF655F81000-memory.dmp

Filesize
3.3MB

Download
memory/400-132-0x00007FF655C30000-0x00007FF655F81000-memory.dmp

Filesize
3.3MB

Download
memory/400-220-0x00007FF655C30000-0x00007FF655F81000-memory.dmp

Filesize
3.3MB

Download
memory/1240-133-0x00007FF656FA0000-0x00007FF6572F1000-memory.dmp

Filesize
3.3MB

Download
memory/1240-52-0x00007FF656FA0000-0x00007FF6572F1000-memory.dmp

Filesize
3.3MB

Download
memory/1240-225-0x00007FF656FA0000-0x00007FF6572F1000-memory.dmp

Filesize
3.3MB

Download
memory/1640-124-0x00007FF7993A0000-0x00007FF7996F1000-memory.dmp

Filesize
3.3MB

Download
memory/1640-245-0x00007FF7993A0000-0x00007FF7996F1000-memory.dmp

Filesize
3.3MB

Download
memory/2028-131-0x00007FF7CA700000-0x00007FF7CAA51000-memory.dmp

Filesize
3.3MB

Download
memory/2028-218-0x00007FF7CA700000-0x00007FF7CAA51000-memory.dmp

Filesize
3.3MB

Download
memory/2028-36-0x00007FF7CA700000-0x00007FF7CAA51000-memory.dmp

Filesize
3.3MB

Download
memory/2288-140-0x00007FF72BDC0000-0x00007FF72C111000-memory.dmp

Filesize
3.3MB

Download
memory/2288-261-0x00007FF72BDC0000-0x00007FF72C111000-memory.dmp

Filesize
3.3MB

Download
memory/2296-139-0x00007FF6AFAD0000-0x00007FF6AFE21000-memory.dmp

Filesize
3.3MB

Download
memory/2296-253-0x00007FF6AFAD0000-0x00007FF6AFE21000-memory.dmp

Filesize
3.3MB

Download
memory/2316-75-0x00007FF776A10000-0x00007FF776D61000-memory.dmp

Filesize
3.3MB

Download
memory/2316-7-0x00007FF776A10000-0x00007FF776D61000-memory.dmp

Filesize
3.3MB

Download
memory/2316-201-0x00007FF776A10000-0x00007FF776D61000-memory.dmp

Filesize
3.3MB

Download
memory/2688-146-0x00007FF623810000-0x00007FF623B61000-memory.dmp

Filesize
3.3MB

Download
memory/2688-244-0x00007FF623810000-0x00007FF623B61000-memory.dmp

Filesize
3.3MB

Download
memory/2688-89-0x00007FF623810000-0x00007FF623B61000-memory.dmp

Filesize
3.3MB

Download
memory/2776-137-0x00007FF734DC0000-0x00007FF735111000-memory.dmp

Filesize
3.3MB

Download
memory/2776-256-0x00007FF734DC0000-0x00007FF735111000-memory.dmp

Filesize
3.3MB

Download
memory/3204-116-0x00007FF7528B0000-0x00007FF752C01000-memory.dmp

Filesize
3.3MB

Download
memory/3204-30-0x00007FF7528B0000-0x00007FF752C01000-memory.dmp

Filesize
3.3MB

Download
memory/3204-214-0x00007FF7528B0000-0x00007FF752C01000-memory.dmp

Filesize
3.3MB

Download
memory/3268-217-0x00007FF768C10000-0x00007FF768F61000-memory.dmp

Filesize
3.3MB

Download
memory/3268-130-0x00007FF768C10000-0x00007FF768F61000-memory.dmp

Filesize
3.3MB

Download
memory/3268-35-0x00007FF768C10000-0x00007FF768F61000-memory.dmp

Filesize
3.3MB

Download
memory/3484-143-0x00007FF77BD60000-0x00007FF77C0B1000-memory.dmp

Filesize
3.3MB

Download
memory/3484-241-0x00007FF77BD60000-0x00007FF77C0B1000-memory.dmp

Filesize
3.3MB

Download
memory/3484-70-0x00007FF77BD60000-0x00007FF77C0B1000-memory.dmp

Filesize
3.3MB

Download
memory/3532-65-0x00007FF7A5DE0000-0x00007FF7A6131000-memory.dmp

Filesize
3.3MB

Download
memory/3532-1-0x00000251CEC10000-0x00000251CEC20000-memory.dmp

Filesize
64KB

Download
memory/3532-154-0x00007FF7A5DE0000-0x00007FF7A6131000-memory.dmp

Filesize
3.3MB

Download
memory/3532-125-0x00007FF7A5DE0000-0x00007FF7A6131000-memory.dmp

Filesize
3.3MB

Download
memory/3532-0-0x00007FF7A5DE0000-0x00007FF7A6131000-memory.dmp

Filesize
3.3MB

Download
memory/3860-135-0x00007FF767E40000-0x00007FF768191000-memory.dmp

Filesize
3.3MB

Download
memory/3860-250-0x00007FF767E40000-0x00007FF768191000-memory.dmp

Filesize
3.3MB

Download
memory/3880-210-0x00007FF7748E0000-0x00007FF774C31000-memory.dmp

Filesize
3.3MB

Download
memory/3880-14-0x00007FF7748E0000-0x00007FF774C31000-memory.dmp

Filesize
3.3MB

Download
memory/3880-115-0x00007FF7748E0000-0x00007FF774C31000-memory.dmp

Filesize
3.3MB

Download
memory/4024-128-0x00007FF6F45F0000-0x00007FF6F4941000-memory.dmp

Filesize
3.3MB

Download
memory/4024-213-0x00007FF6F45F0000-0x00007FF6F4941000-memory.dmp

Filesize
3.3MB

Download
memory/4024-24-0x00007FF6F45F0000-0x00007FF6F4941000-memory.dmp

Filesize
3.3MB

Download
memory/4260-238-0x00007FF6FDB80000-0x00007FF6FDED1000-memory.dmp

Filesize
3.3MB

Download
memory/4260-66-0x00007FF6FDB80000-0x00007FF6FDED1000-memory.dmp

Filesize
3.3MB

Download
memory/4320-138-0x00007FF67FAF0000-0x00007FF67FE41000-memory.dmp

Filesize
3.3MB

Download
memory/4320-260-0x00007FF67FAF0000-0x00007FF67FE41000-memory.dmp

Filesize
3.3MB

Download
memory/4352-108-0x00007FF783FB0000-0x00007FF784301000-memory.dmp

Filesize
3.3MB

Download
memory/4352-247-0x00007FF783FB0000-0x00007FF784301000-memory.dmp

Filesize
3.3MB

Download
memory/4752-257-0x00007FF6F19F0000-0x00007FF6F1D41000-memory.dmp

Filesize
3.3MB

Download
memory/4752-136-0x00007FF6F19F0000-0x00007FF6F1D41000-memory.dmp

Filesize
3.3MB

Download
memory/5024-239-0x00007FF6C63C0000-0x00007FF6C6711000-memory.dmp

Filesize
3.3MB

Download
memory/5024-59-0x00007FF6C63C0000-0x00007FF6C6711000-memory.dmp

Filesize
3.3MB

Download
memory/5024-141-0x00007FF6C63C0000-0x00007FF6C6711000-memory.dmp

Filesize
3.3MB

Download
memory/5032-252-0x00007FF795F80000-0x00007FF7962D1000-memory.dmp

Filesize
3.3MB

Download
memory/5032-134-0x00007FF795F80000-0x00007FF7962D1000-memory.dmp

Filesize
3.3MB

Download