cobaltstrike | 3df27a54485f674a21e40067dea0e9f3813fb2dcde94e8d4c4c7481c601d37cb

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2024 12:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-23_3054f3ae6a8df22d4b14bb93cd900504_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

3054f3ae6a8df22d4b14bb93cd900504
SHA1

f2d8b4c27de9715b481557c9986130e02a50c6cc
SHA256

3df27a54485f674a21e40067dea0e9f3813fb2dcde94e8d4c4c7481c601d37cb
SHA512

8e0fdeb4238578764b6e059439252729bfb6e43a4cf304c54d56332716dcfec76ecfd2721f890242cc0fa64a530403536361f7f5d1eccc0bfd702b234336e1cc
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lZ:RWWBibf56utgpPFotBER/mQ32lUV

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000b000000023b81-4.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b83-11.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b82-12.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b84-24.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b86-31.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b87-37.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b88-44.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b89-50.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8a-64.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8b-76.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8e-93.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8f-97.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8d-92.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8c-80.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b7f-79.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b85-35.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b90-108.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b94-125.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b95-132.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b93-133.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b92-122.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 47 IoCs

miner

resource	yara_rule
behavioral2/memory/3988-46-0x00007FF754CD0000-0x00007FF755021000-memory.dmp	xmrig
behavioral2/memory/3092-86-0x00007FF7FB780000-0x00007FF7FBAD1000-memory.dmp	xmrig
behavioral2/memory/3160-102-0x00007FF7019A0000-0x00007FF701CF1000-memory.dmp	xmrig
behavioral2/memory/4704-101-0x00007FF734160000-0x00007FF7344B1000-memory.dmp	xmrig
behavioral2/memory/1884-91-0x00007FF7AF0D0000-0x00007FF7AF421000-memory.dmp	xmrig
behavioral2/memory/1396-88-0x00007FF7D9070000-0x00007FF7D93C1000-memory.dmp	xmrig
behavioral2/memory/1952-74-0x00007FF75F2F0000-0x00007FF75F641000-memory.dmp	xmrig
behavioral2/memory/3744-62-0x00007FF639040000-0x00007FF639391000-memory.dmp	xmrig
behavioral2/memory/3988-111-0x00007FF754CD0000-0x00007FF755021000-memory.dmp	xmrig
behavioral2/memory/3168-131-0x00007FF68A4D0000-0x00007FF68A821000-memory.dmp	xmrig
behavioral2/memory/2528-129-0x00007FF749570000-0x00007FF7498C1000-memory.dmp	xmrig
behavioral2/memory/924-127-0x00007FF79D0C0000-0x00007FF79D411000-memory.dmp	xmrig
behavioral2/memory/2144-139-0x00007FF787DF0000-0x00007FF788141000-memory.dmp	xmrig
behavioral2/memory/4572-138-0x00007FF670540000-0x00007FF670891000-memory.dmp	xmrig
behavioral2/memory/1128-136-0x00007FF78E2F0000-0x00007FF78E641000-memory.dmp	xmrig
behavioral2/memory/4564-114-0x00007FF620DC0000-0x00007FF621111000-memory.dmp	xmrig
behavioral2/memory/4484-140-0x00007FF6370F0000-0x00007FF637441000-memory.dmp	xmrig
behavioral2/memory/732-141-0x00007FF7EDC70000-0x00007FF7EDFC1000-memory.dmp	xmrig
behavioral2/memory/3912-142-0x00007FF617BE0000-0x00007FF617F31000-memory.dmp	xmrig
behavioral2/memory/448-143-0x00007FF73AA70000-0x00007FF73ADC1000-memory.dmp	xmrig
behavioral2/memory/3744-144-0x00007FF639040000-0x00007FF639391000-memory.dmp	xmrig
behavioral2/memory/2388-148-0x00007FF738EB0000-0x00007FF739201000-memory.dmp	xmrig
behavioral2/memory/2280-160-0x00007FF763F70000-0x00007FF7642C1000-memory.dmp	xmrig
behavioral2/memory/4464-164-0x00007FF6204F0000-0x00007FF620841000-memory.dmp	xmrig
behavioral2/memory/3168-165-0x00007FF68A4D0000-0x00007FF68A821000-memory.dmp	xmrig
behavioral2/memory/3744-170-0x00007FF639040000-0x00007FF639391000-memory.dmp	xmrig
behavioral2/memory/1952-221-0x00007FF75F2F0000-0x00007FF75F641000-memory.dmp	xmrig
behavioral2/memory/3092-223-0x00007FF7FB780000-0x00007FF7FBAD1000-memory.dmp	xmrig
behavioral2/memory/1396-225-0x00007FF7D9070000-0x00007FF7D93C1000-memory.dmp	xmrig
behavioral2/memory/1884-239-0x00007FF7AF0D0000-0x00007FF7AF421000-memory.dmp	xmrig
behavioral2/memory/3160-241-0x00007FF7019A0000-0x00007FF701CF1000-memory.dmp	xmrig
behavioral2/memory/3988-243-0x00007FF754CD0000-0x00007FF755021000-memory.dmp	xmrig
behavioral2/memory/4704-245-0x00007FF734160000-0x00007FF7344B1000-memory.dmp	xmrig
behavioral2/memory/4564-247-0x00007FF620DC0000-0x00007FF621111000-memory.dmp	xmrig
behavioral2/memory/924-249-0x00007FF79D0C0000-0x00007FF79D411000-memory.dmp	xmrig
behavioral2/memory/1128-251-0x00007FF78E2F0000-0x00007FF78E641000-memory.dmp	xmrig
behavioral2/memory/2144-253-0x00007FF787DF0000-0x00007FF788141000-memory.dmp	xmrig
behavioral2/memory/732-255-0x00007FF7EDC70000-0x00007FF7EDFC1000-memory.dmp	xmrig
behavioral2/memory/4484-257-0x00007FF6370F0000-0x00007FF637441000-memory.dmp	xmrig
behavioral2/memory/3912-259-0x00007FF617BE0000-0x00007FF617F31000-memory.dmp	xmrig
behavioral2/memory/448-261-0x00007FF73AA70000-0x00007FF73ADC1000-memory.dmp	xmrig
behavioral2/memory/2388-263-0x00007FF738EB0000-0x00007FF739201000-memory.dmp	xmrig
behavioral2/memory/2280-269-0x00007FF763F70000-0x00007FF7642C1000-memory.dmp	xmrig
behavioral2/memory/2528-271-0x00007FF749570000-0x00007FF7498C1000-memory.dmp	xmrig
behavioral2/memory/3168-273-0x00007FF68A4D0000-0x00007FF68A821000-memory.dmp	xmrig
behavioral2/memory/4572-275-0x00007FF670540000-0x00007FF670891000-memory.dmp	xmrig
behavioral2/memory/4464-277-0x00007FF6204F0000-0x00007FF620841000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
1952	fSGunfB.exe
3092	iUwRiUB.exe
1396	NGvZCvi.exe
1884	ZuqwoPw.exe
4704	TmgIuZX.exe
3160	wqrDkAS.exe
3988	tSGViSL.exe
4564	ZWEWILA.exe
924	pBNhuGS.exe
1128	dHfrfAy.exe
2144	nkDJBfd.exe
732	uMxWAVQ.exe
4484	jMhfxyD.exe
3912	jRMuWPY.exe
448	XzBiNZF.exe
2388	GPcHBMc.exe
2280	HLSmgoB.exe
2528	BXBgRzU.exe
4464	WpULPUU.exe
3168	gihsQhN.exe
4572	ipOLGul.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3744-0-0x00007FF639040000-0x00007FF639391000-memory.dmp	upx
behavioral2/files/0x000b000000023b81-4.dat	upx
behavioral2/memory/1952-8-0x00007FF75F2F0000-0x00007FF75F641000-memory.dmp	upx
behavioral2/files/0x000a000000023b83-11.dat	upx
behavioral2/files/0x000a000000023b82-12.dat	upx
behavioral2/memory/3092-14-0x00007FF7FB780000-0x00007FF7FBAD1000-memory.dmp	upx
behavioral2/memory/1396-20-0x00007FF7D9070000-0x00007FF7D93C1000-memory.dmp	upx
behavioral2/files/0x000a000000023b84-24.dat	upx
behavioral2/memory/1884-25-0x00007FF7AF0D0000-0x00007FF7AF421000-memory.dmp	upx
behavioral2/files/0x000a000000023b86-31.dat	upx
behavioral2/files/0x000a000000023b87-37.dat	upx
behavioral2/files/0x000a000000023b88-44.dat	upx
behavioral2/files/0x000a000000023b89-50.dat	upx
behavioral2/memory/3988-46-0x00007FF754CD0000-0x00007FF755021000-memory.dmp	upx
behavioral2/memory/924-59-0x00007FF79D0C0000-0x00007FF79D411000-memory.dmp	upx
behavioral2/files/0x000a000000023b8a-64.dat	upx
behavioral2/files/0x000a000000023b8b-76.dat	upx
behavioral2/memory/732-78-0x00007FF7EDC70000-0x00007FF7EDFC1000-memory.dmp	upx
behavioral2/memory/3092-86-0x00007FF7FB780000-0x00007FF7FBAD1000-memory.dmp	upx
behavioral2/files/0x000a000000023b8e-93.dat	upx
behavioral2/files/0x000a000000023b8f-97.dat	upx
behavioral2/memory/2388-103-0x00007FF738EB0000-0x00007FF739201000-memory.dmp	upx
behavioral2/memory/3160-102-0x00007FF7019A0000-0x00007FF701CF1000-memory.dmp	upx
behavioral2/memory/4704-101-0x00007FF734160000-0x00007FF7344B1000-memory.dmp	upx
behavioral2/memory/448-96-0x00007FF73AA70000-0x00007FF73ADC1000-memory.dmp	upx
behavioral2/files/0x000a000000023b8d-92.dat	upx
behavioral2/memory/1884-91-0x00007FF7AF0D0000-0x00007FF7AF421000-memory.dmp	upx
behavioral2/memory/1396-88-0x00007FF7D9070000-0x00007FF7D93C1000-memory.dmp	upx
behavioral2/memory/3912-87-0x00007FF617BE0000-0x00007FF617F31000-memory.dmp	upx
behavioral2/files/0x000a000000023b8c-80.dat	upx
behavioral2/files/0x000b000000023b7f-79.dat	upx
behavioral2/memory/4484-75-0x00007FF6370F0000-0x00007FF637441000-memory.dmp	upx
behavioral2/memory/1952-74-0x00007FF75F2F0000-0x00007FF75F641000-memory.dmp	upx
behavioral2/memory/2144-73-0x00007FF787DF0000-0x00007FF788141000-memory.dmp	upx
behavioral2/memory/1128-68-0x00007FF78E2F0000-0x00007FF78E641000-memory.dmp	upx
behavioral2/memory/3744-62-0x00007FF639040000-0x00007FF639391000-memory.dmp	upx
behavioral2/memory/4564-51-0x00007FF620DC0000-0x00007FF621111000-memory.dmp	upx
behavioral2/memory/3160-42-0x00007FF7019A0000-0x00007FF701CF1000-memory.dmp	upx
behavioral2/memory/4704-36-0x00007FF734160000-0x00007FF7344B1000-memory.dmp	upx
behavioral2/files/0x000a000000023b85-35.dat	upx
behavioral2/files/0x000a000000023b90-108.dat	upx
behavioral2/memory/3988-111-0x00007FF754CD0000-0x00007FF755021000-memory.dmp	upx
behavioral2/files/0x000a000000023b94-125.dat	upx
behavioral2/memory/3168-131-0x00007FF68A4D0000-0x00007FF68A821000-memory.dmp	upx
behavioral2/memory/2528-129-0x00007FF749570000-0x00007FF7498C1000-memory.dmp	upx
behavioral2/memory/924-127-0x00007FF79D0C0000-0x00007FF79D411000-memory.dmp	upx
behavioral2/memory/4464-123-0x00007FF6204F0000-0x00007FF620841000-memory.dmp	upx
behavioral2/files/0x000a000000023b95-132.dat	upx
behavioral2/memory/2144-139-0x00007FF787DF0000-0x00007FF788141000-memory.dmp	upx
behavioral2/memory/4572-138-0x00007FF670540000-0x00007FF670891000-memory.dmp	upx
behavioral2/memory/1128-136-0x00007FF78E2F0000-0x00007FF78E641000-memory.dmp	upx
behavioral2/files/0x000a000000023b93-133.dat	upx
behavioral2/files/0x000a000000023b92-122.dat	upx
behavioral2/memory/2280-121-0x00007FF763F70000-0x00007FF7642C1000-memory.dmp	upx
behavioral2/memory/4564-114-0x00007FF620DC0000-0x00007FF621111000-memory.dmp	upx
behavioral2/memory/4484-140-0x00007FF6370F0000-0x00007FF637441000-memory.dmp	upx
behavioral2/memory/732-141-0x00007FF7EDC70000-0x00007FF7EDFC1000-memory.dmp	upx
behavioral2/memory/3912-142-0x00007FF617BE0000-0x00007FF617F31000-memory.dmp	upx
behavioral2/memory/448-143-0x00007FF73AA70000-0x00007FF73ADC1000-memory.dmp	upx
behavioral2/memory/3744-144-0x00007FF639040000-0x00007FF639391000-memory.dmp	upx
behavioral2/memory/2388-148-0x00007FF738EB0000-0x00007FF739201000-memory.dmp	upx
behavioral2/memory/2280-160-0x00007FF763F70000-0x00007FF7642C1000-memory.dmp	upx
behavioral2/memory/4464-164-0x00007FF6204F0000-0x00007FF620841000-memory.dmp	upx
behavioral2/memory/3168-165-0x00007FF68A4D0000-0x00007FF68A821000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\TmgIuZX.exe	2024-11-23_3054f3ae6a8df22d4b14bb93cd900504_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jRMuWPY.exe	2024-11-23_3054f3ae6a8df22d4b14bb93cd900504_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XzBiNZF.exe	2024-11-23_3054f3ae6a8df22d4b14bb93cd900504_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GPcHBMc.exe	2024-11-23_3054f3ae6a8df22d4b14bb93cd900504_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ipOLGul.exe	2024-11-23_3054f3ae6a8df22d4b14bb93cd900504_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fSGunfB.exe	2024-11-23_3054f3ae6a8df22d4b14bb93cd900504_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NGvZCvi.exe	2024-11-23_3054f3ae6a8df22d4b14bb93cd900504_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tSGViSL.exe	2024-11-23_3054f3ae6a8df22d4b14bb93cd900504_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HLSmgoB.exe	2024-11-23_3054f3ae6a8df22d4b14bb93cd900504_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WpULPUU.exe	2024-11-23_3054f3ae6a8df22d4b14bb93cd900504_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jMhfxyD.exe	2024-11-23_3054f3ae6a8df22d4b14bb93cd900504_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gihsQhN.exe	2024-11-23_3054f3ae6a8df22d4b14bb93cd900504_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZuqwoPw.exe	2024-11-23_3054f3ae6a8df22d4b14bb93cd900504_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wqrDkAS.exe	2024-11-23_3054f3ae6a8df22d4b14bb93cd900504_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZWEWILA.exe	2024-11-23_3054f3ae6a8df22d4b14bb93cd900504_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pBNhuGS.exe	2024-11-23_3054f3ae6a8df22d4b14bb93cd900504_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nkDJBfd.exe	2024-11-23_3054f3ae6a8df22d4b14bb93cd900504_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iUwRiUB.exe	2024-11-23_3054f3ae6a8df22d4b14bb93cd900504_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dHfrfAy.exe	2024-11-23_3054f3ae6a8df22d4b14bb93cd900504_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uMxWAVQ.exe	2024-11-23_3054f3ae6a8df22d4b14bb93cd900504_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BXBgRzU.exe	2024-11-23_3054f3ae6a8df22d4b14bb93cd900504_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3744	2024-11-23_3054f3ae6a8df22d4b14bb93cd900504_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	3744	2024-11-23_3054f3ae6a8df22d4b14bb93cd900504_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3744 wrote to memory of 1952	3744	2024-11-23_3054f3ae6a8df22d4b14bb93cd900504_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 3744 wrote to memory of 1952	3744	2024-11-23_3054f3ae6a8df22d4b14bb93cd900504_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 3744 wrote to memory of 3092	3744	2024-11-23_3054f3ae6a8df22d4b14bb93cd900504_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3744 wrote to memory of 3092	3744	2024-11-23_3054f3ae6a8df22d4b14bb93cd900504_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3744 wrote to memory of 1396	3744	2024-11-23_3054f3ae6a8df22d4b14bb93cd900504_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3744 wrote to memory of 1396	3744	2024-11-23_3054f3ae6a8df22d4b14bb93cd900504_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3744 wrote to memory of 1884	3744	2024-11-23_3054f3ae6a8df22d4b14bb93cd900504_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3744 wrote to memory of 1884	3744	2024-11-23_3054f3ae6a8df22d4b14bb93cd900504_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3744 wrote to memory of 4704	3744	2024-11-23_3054f3ae6a8df22d4b14bb93cd900504_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3744 wrote to memory of 4704	3744	2024-11-23_3054f3ae6a8df22d4b14bb93cd900504_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3744 wrote to memory of 3160	3744	2024-11-23_3054f3ae6a8df22d4b14bb93cd900504_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3744 wrote to memory of 3160	3744	2024-11-23_3054f3ae6a8df22d4b14bb93cd900504_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3744 wrote to memory of 3988	3744	2024-11-23_3054f3ae6a8df22d4b14bb93cd900504_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3744 wrote to memory of 3988	3744	2024-11-23_3054f3ae6a8df22d4b14bb93cd900504_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3744 wrote to memory of 4564	3744	2024-11-23_3054f3ae6a8df22d4b14bb93cd900504_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3744 wrote to memory of 4564	3744	2024-11-23_3054f3ae6a8df22d4b14bb93cd900504_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3744 wrote to memory of 924	3744	2024-11-23_3054f3ae6a8df22d4b14bb93cd900504_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3744 wrote to memory of 924	3744	2024-11-23_3054f3ae6a8df22d4b14bb93cd900504_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3744 wrote to memory of 1128	3744	2024-11-23_3054f3ae6a8df22d4b14bb93cd900504_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3744 wrote to memory of 1128	3744	2024-11-23_3054f3ae6a8df22d4b14bb93cd900504_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3744 wrote to memory of 2144	3744	2024-11-23_3054f3ae6a8df22d4b14bb93cd900504_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3744 wrote to memory of 2144	3744	2024-11-23_3054f3ae6a8df22d4b14bb93cd900504_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3744 wrote to memory of 732	3744	2024-11-23_3054f3ae6a8df22d4b14bb93cd900504_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3744 wrote to memory of 732	3744	2024-11-23_3054f3ae6a8df22d4b14bb93cd900504_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3744 wrote to memory of 4484	3744	2024-11-23_3054f3ae6a8df22d4b14bb93cd900504_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3744 wrote to memory of 4484	3744	2024-11-23_3054f3ae6a8df22d4b14bb93cd900504_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3744 wrote to memory of 3912	3744	2024-11-23_3054f3ae6a8df22d4b14bb93cd900504_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3744 wrote to memory of 3912	3744	2024-11-23_3054f3ae6a8df22d4b14bb93cd900504_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3744 wrote to memory of 448	3744	2024-11-23_3054f3ae6a8df22d4b14bb93cd900504_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3744 wrote to memory of 448	3744	2024-11-23_3054f3ae6a8df22d4b14bb93cd900504_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3744 wrote to memory of 2388	3744	2024-11-23_3054f3ae6a8df22d4b14bb93cd900504_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3744 wrote to memory of 2388	3744	2024-11-23_3054f3ae6a8df22d4b14bb93cd900504_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3744 wrote to memory of 2280	3744	2024-11-23_3054f3ae6a8df22d4b14bb93cd900504_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3744 wrote to memory of 2280	3744	2024-11-23_3054f3ae6a8df22d4b14bb93cd900504_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3744 wrote to memory of 2528	3744	2024-11-23_3054f3ae6a8df22d4b14bb93cd900504_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3744 wrote to memory of 2528	3744	2024-11-23_3054f3ae6a8df22d4b14bb93cd900504_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3744 wrote to memory of 4464	3744	2024-11-23_3054f3ae6a8df22d4b14bb93cd900504_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3744 wrote to memory of 4464	3744	2024-11-23_3054f3ae6a8df22d4b14bb93cd900504_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3744 wrote to memory of 3168	3744	2024-11-23_3054f3ae6a8df22d4b14bb93cd900504_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3744 wrote to memory of 3168	3744	2024-11-23_3054f3ae6a8df22d4b14bb93cd900504_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3744 wrote to memory of 4572	3744	2024-11-23_3054f3ae6a8df22d4b14bb93cd900504_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3744 wrote to memory of 4572	3744	2024-11-23_3054f3ae6a8df22d4b14bb93cd900504_cobalt-strike_cobaltstrike_poet-rat.exe	103

C:\Users\Admin\AppData\Local\Temp\2024-11-23_3054f3ae6a8df22d4b14bb93cd900504_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-23_3054f3ae6a8df22d4b14bb93cd900504_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3744
- C:\Windows\System\fSGunfB.exe
  C:\Windows\System\fSGunfB.exe
  2⤵
  - Executes dropped EXE
  PID:1952
- C:\Windows\System\iUwRiUB.exe
  C:\Windows\System\iUwRiUB.exe
  2⤵
  - Executes dropped EXE
  PID:3092
- C:\Windows\System\NGvZCvi.exe
  C:\Windows\System\NGvZCvi.exe
  2⤵
  - Executes dropped EXE
  PID:1396
- C:\Windows\System\ZuqwoPw.exe
  C:\Windows\System\ZuqwoPw.exe
  2⤵
  - Executes dropped EXE
  PID:1884
- C:\Windows\System\TmgIuZX.exe
  C:\Windows\System\TmgIuZX.exe
  2⤵
  - Executes dropped EXE
  PID:4704
- C:\Windows\System\wqrDkAS.exe
  C:\Windows\System\wqrDkAS.exe
  2⤵
  - Executes dropped EXE
  PID:3160
- C:\Windows\System\tSGViSL.exe
  C:\Windows\System\tSGViSL.exe
  2⤵
  - Executes dropped EXE
  PID:3988
- C:\Windows\System\ZWEWILA.exe
  C:\Windows\System\ZWEWILA.exe
  2⤵
  - Executes dropped EXE
  PID:4564
- C:\Windows\System\pBNhuGS.exe
  C:\Windows\System\pBNhuGS.exe
  2⤵
  - Executes dropped EXE
  PID:924
- C:\Windows\System\dHfrfAy.exe
  C:\Windows\System\dHfrfAy.exe
  2⤵
  - Executes dropped EXE
  PID:1128
- C:\Windows\System\nkDJBfd.exe
  C:\Windows\System\nkDJBfd.exe
  2⤵
  - Executes dropped EXE
  PID:2144
- C:\Windows\System\uMxWAVQ.exe
  C:\Windows\System\uMxWAVQ.exe
  2⤵
  - Executes dropped EXE
  PID:732
- C:\Windows\System\jMhfxyD.exe
  C:\Windows\System\jMhfxyD.exe
  2⤵
  - Executes dropped EXE
  PID:4484
- C:\Windows\System\jRMuWPY.exe
  C:\Windows\System\jRMuWPY.exe
  2⤵
  - Executes dropped EXE
  PID:3912
- C:\Windows\System\XzBiNZF.exe
  C:\Windows\System\XzBiNZF.exe
  2⤵
  - Executes dropped EXE
  PID:448
- C:\Windows\System\GPcHBMc.exe
  C:\Windows\System\GPcHBMc.exe
  2⤵
  - Executes dropped EXE
  PID:2388
- C:\Windows\System\HLSmgoB.exe
  C:\Windows\System\HLSmgoB.exe
  2⤵
  - Executes dropped EXE
  PID:2280
- C:\Windows\System\BXBgRzU.exe
  C:\Windows\System\BXBgRzU.exe
  2⤵
  - Executes dropped EXE
  PID:2528
- C:\Windows\System\WpULPUU.exe
  C:\Windows\System\WpULPUU.exe
  2⤵
  - Executes dropped EXE
  PID:4464
- C:\Windows\System\gihsQhN.exe
  C:\Windows\System\gihsQhN.exe
  2⤵
  - Executes dropped EXE
  PID:3168
- C:\Windows\System\ipOLGul.exe
  C:\Windows\System\ipOLGul.exe
  2⤵
  - Executes dropped EXE
  PID:4572

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BXBgRzU.exe

Filesize
5.2MB

MD5
765fe62ab491e943ab6910d210cff1b2

SHA1
f494351959d7e6836a103fbbfb86b9fe93ce133d

SHA256
334c9225a4af0de37d9d968debbe3d5d2219b52c6c066c386eade38b6ffa35f1

SHA512
c9a069e62b6ba8239e1d0970086dcec1d2af79a6b9befa2d777805189b079f8c6fa67cccb3478789d0b4065d0f23f8e03a14df00809914b292cade5a35ad74ac

Download Submit
C:\Windows\System\GPcHBMc.exe

Filesize
5.2MB

MD5
a6534d9dea520cd187e01cf6d0e78c6d

SHA1
dc659282a30402c1e24586a31b5a0c9da06f0957

SHA256
442128bfa105c3f402ea40dc0da672df7046b0a6aa6b861b8db016ef39e703b9

SHA512
2076e5013ef787ef8628d016c3a964ca53ad8533784e5c81071affa55c20edd2d71d6034efd055a332afd418021e5347e2c8d195e81b6f97c19b47b1778e1296

Download Submit
C:\Windows\System\HLSmgoB.exe

Filesize
5.2MB

MD5
c3745382f07afe500b72df2f15f04ae9

SHA1
7207001f2e1fa9299c149745532e965cae5e8134

SHA256
8c052924b7b55541e1281d4c33ff749729f6dff4b5daa28b80a2f10a071cc7b5

SHA512
0f71d583434ca000f61cdaf1abbc5aa638768182710f59cde70d2df813ead29ebe127690e2a64f1f587dc12092e241f61dac9bdbd71557801d6a5f4b185231c1

Download Submit
C:\Windows\System\NGvZCvi.exe

Filesize
5.2MB

MD5
3f6f6652cb6c348b21d446ce149838b6

SHA1
1b54dc244a1f581f5e4a7df0daba4166c2c5d6c8

SHA256
598e2d5554d0ada5093b3d8374f5444dcc6e1d7ed3cfa439a3b56cde9c58a99a

SHA512
458c54e388306c55b9c7db987616a99f5575ba5f8877917805fb273ac1b4ce8b1f80b1089d342f41c52e13902a1c34cbdf112cb20e24ddd160e6ec35f2f0fd8a

Download Submit
C:\Windows\System\TmgIuZX.exe

Filesize
5.2MB

MD5
b3c33dc049888a17e20ebe0d2c03b5d6

SHA1
6da3d44289d3882318f1a823e8182b46295ab3da

SHA256
c916b5ca4aab46d21b6288ad04cfa278b2d95b1f247e088289a65f0ea02d4e57

SHA512
b671d74962ec23f33971fbcadbf18adae47be2d53ab8629a72519ca4e7f48588e579134564ef5e40ba9c0633a83434176592f1bbec914832961d65a9c2ad18c1

Download Submit
C:\Windows\System\WpULPUU.exe

Filesize
5.2MB

MD5
5be90b52a65587a9fbc9afdded4fb3ee

SHA1
fcaacd96c6af2474b995546c64e1e77b60ff7905

SHA256
469dc454a8758a031fb262bd6bd4775c79b345433e4cca4a3675931455c027eb

SHA512
d72cab62982fcdb6976c719d1fca25950e8ff5c764808b3a5c79e8982458189744e9bb24fe39ef58f6beb2ec96883eccd2689bca3dd71ecc3afd0f34f594baaa

Download Submit
C:\Windows\System\XzBiNZF.exe

Filesize
5.2MB

MD5
f239e728886c393716f76924670b4c82

SHA1
a477f776076641d1da16ce8547b205ba444eed45

SHA256
5b72c919466fe366fdf38456c94ea051fae5e7f1c8b6d7bd4dfa8f8fb08185a5

SHA512
e242916cf343db4ee67004bc9f9164de6bbe3e0922d564d94b345237590821692b0065dce33f00b51f1db22d6fa5ba014973f9c8c8e3596e333ffa85acc5a66b

Download Submit
C:\Windows\System\ZWEWILA.exe

Filesize
5.2MB

MD5
a2b90dedaa3c521d61f8b2905b83440d

SHA1
8d7c5ffdfa681995988905b59e9b5ad53d344aa7

SHA256
a7a3cf6ce112532e18004cdb4fbaad50b206bacfcdecfd85d094719b91832145

SHA512
6f1e1a732b8825fe13b7dd9ca3f917e85b448acf8be8c1be9f1b3aa73109fc3b614bf4d42643c054cf1c7de3010051808c2f2ccbb378bbe65b5b68ff4cfe15b9

Download Submit
C:\Windows\System\ZuqwoPw.exe

Filesize
5.2MB

MD5
24dfa13e07b8268f9fd47bc9c215996e

SHA1
3d18b57daefbd4c65466684729d1c155fcbffd69

SHA256
84d02aebfd14736e09e8e8874b9a94e59297ef25ad5a0beae263859bfc03dbab

SHA512
d8ee1e14e507969a8cadb1f2dabc7c79bd4386fe66b9ec48bce3128cf668b8891467c9e9c7800684ff6e5d1b1fb250317bfa89cbc660fa297f2b8948a85863de

Download Submit
C:\Windows\System\dHfrfAy.exe

Filesize
5.2MB

MD5
86f53711ee30ea3292e8e373f1b777a2

SHA1
31757f0f8b2cbe593af8c658c01c9d8aea7e771a

SHA256
59ef1e9c5ae3638625d8d5df7373252a74f02d29db4c9862629c4a2337a63f87

SHA512
49c5f5f4581805bcdb29944387c10ac7abf352409cf42b1cd6e90a83300b24bf3f0e0c9d133817377c2be30791c44715d71b64ce965adbeaeac9232dd8170d29

Download Submit
C:\Windows\System\fSGunfB.exe

Filesize
5.2MB

MD5
c50ac2570ded836126a5d60389c4e025

SHA1
6146e9964e8ef7a2a5d3a69be1bda1335244c18c

SHA256
c85a020ff751c9679cddb8a7e0c2e223423318b9c5e0346ce09757be2a1ca855

SHA512
ceed3a682c2898dcef81d9708ddabebf38d51a309eea7557097dd92b5f35f89aae1beee5cd941aa5a8748eb86523497e44ce9e5a3e3e0f38536db112cf8f7441

Download Submit
C:\Windows\System\gihsQhN.exe

Filesize
5.2MB

MD5
8eaa8e7c42beba73d1974c931b6d6dcf

SHA1
61ce19043d3dbbdb4b9a3cb3585d46c2e68dd3e9

SHA256
fba59e2a150049a16061f7aa9e7698b56eaf21e3bea982b3c9d1e159b3b65c77

SHA512
1ff161cc8c5e2a58b2f2c7ce008223113b8f616ea81d0404c2a8b30d83f6041e09a15ec288c34890f69392dae7cad63e464d26e45e8ac31784a3c7dc741c3de7

Download Submit
C:\Windows\System\iUwRiUB.exe

Filesize
5.2MB

MD5
92c47a667de29d13e8a78f7f3aea101a

SHA1
36dffb43ae009e5bd1f0471369dd0106090c89a5

SHA256
ee908553d26319ad346010cbf18b028deef2f0b13921133b1f3ee38ecdc491c2

SHA512
91348c9506ec185d2af423fed5431e34514a68727dc0ed76058d767aa8b49d756858de1c0d03c2f45ff0b4491a63d8266731c73f17730571cba780b855d308f0

Download Submit
C:\Windows\System\ipOLGul.exe

Filesize
5.2MB

MD5
f6ecf6e29ff01a920c2ee82f180f29f1

SHA1
7c4fead769a6200e3c82b2b9d6be3a987a733ae9

SHA256
a05a3c857766acf03829769f125c102c831d3f9a622cc442d0f093d94f38ea4f

SHA512
b117fbbcbda374a8886f4a376502c96a43f54ce0a244cbc8ac13aff20f6d7826f2d1681976904649acc5a46a9215e47c4573425f6614354d9adfc8432e321208

Download Submit
C:\Windows\System\jMhfxyD.exe

Filesize
5.2MB

MD5
b2be5b82aad75e6b452847d66b5c97dc

SHA1
fda23ea606e2e115cc0d7b076d7f401a83cc9d42

SHA256
94a4314fbbb07626d9ae476cff554c7f4f52c03f17ab0cff506aac2668bb7131

SHA512
9e4fd29371da6f9d6381818c2c0c82a8be0d95d34a487064c33298829cd188c44505f3b730a9802e81b0bb7899bfe3a7bacc681198d44c0385e691c69c3ed5c6

Download Submit
C:\Windows\System\jRMuWPY.exe

Filesize
5.2MB

MD5
bd8aa07b3b1ca03f68a40cd392699699

SHA1
7bc009e105915fa6866f8c12be1ef17831d70361

SHA256
f8572c462c2b6644c812b469666ff0f26477c6ed4570092a29fc947971e97c0d

SHA512
59a5eca12a2910b83ccae800894eed2622bfe48bb8b417dff4cdb851f497d93922375eac430646a726c088f479397eea82d52977276670d150c56c408a7efa58

Download Submit
C:\Windows\System\nkDJBfd.exe

Filesize
5.2MB

MD5
159b7229727938f74caf9d692e7c2f09

SHA1
9d7c67ddbe712a1395272d4c5e74b117d5d35150

SHA256
0bf695c572c2098200bac6557632925dff65e301db05f5a49b6288187041cf18

SHA512
e91eef215f37d6d7ca609a9151e201290eea2f1654c1e544a9c764d02ae9787c61d9bd3333b395e2590e2a37ce962a1a8eb61f54ce712b380533edf01382d4f1

Download Submit
C:\Windows\System\pBNhuGS.exe

Filesize
5.2MB

MD5
7dc27fb3e2915bb395c402e26f2e42a2

SHA1
2f1a21062521050a9f4641c0101dfcf9540d173a

SHA256
4fc62f743478b930b513135390e4a0b3edfc788925de63ecbc2931cec81775fe

SHA512
7dc4ffbe5a5a27050eecdf2f9c85b2857c48a6bff3d22946202248dfcfda89334e94ca03a77cf083a5d5675b1ae90d737e218699b61cc51ff311e644ce8156a4

Download Submit
C:\Windows\System\tSGViSL.exe

Filesize
5.2MB

MD5
9b0b9e09fa02cf2fe9a1c414e953927e

SHA1
3ed901c9f8ec0c81a23eb6adce3a8e5631e1adbc

SHA256
9632a8ff7a949cede49eacb9bffa92ff6d9a999b8071ec6921ee6e1cda0af5d5

SHA512
435e83dd7d4e07ff51db2870896a4aa15e3a9cdb05408479c6d7d6b35c69b53eada16d7285789460cad468335263f27d4e9353105f8659d90b013021a3024cd3

Download Submit
C:\Windows\System\uMxWAVQ.exe

Filesize
5.2MB

MD5
62a483fa686334db49322a25b1e23a86

SHA1
205938549f8a2b3417e5956e917ff12e0851d598

SHA256
e3451223ad85c3b0b6d436f1c2113103ce00e791594d23f3096adc1848eab861

SHA512
626901a0b8fa05b57dedd42ec2a2ec22b94f74c39373982ed0cc4cbec206056d2ea9df1297cc2ba6619d8f1326dd8e4dfd16a3a11fc2e4759f7e5112a21e1fcb

Download Submit
C:\Windows\System\wqrDkAS.exe

Filesize
5.2MB

MD5
812f3637185de0955a2735454902c22d

SHA1
22b90ed64224a9c00f3f2b724856d3ed31f776bb

SHA256
27a34894442d38e8e438206edd5d07064704a140f27bb9e2897dd384b683bacd

SHA512
831a71f3d4757ea8be77a52af13892084b3d1356eb28c4443a7e54c81c12b0c168c9f4f6f1b5a14f886225489012f8d9eb5539c7cdc00742ba48fa1a58c8351f

Download Submit
memory/448-96-0x00007FF73AA70000-0x00007FF73ADC1000-memory.dmp

Filesize
3.3MB

Download
memory/448-261-0x00007FF73AA70000-0x00007FF73ADC1000-memory.dmp

Filesize
3.3MB

Download
memory/448-143-0x00007FF73AA70000-0x00007FF73ADC1000-memory.dmp

Filesize
3.3MB

Download
memory/732-255-0x00007FF7EDC70000-0x00007FF7EDFC1000-memory.dmp

Filesize
3.3MB

Download
memory/732-78-0x00007FF7EDC70000-0x00007FF7EDFC1000-memory.dmp

Filesize
3.3MB

Download
memory/732-141-0x00007FF7EDC70000-0x00007FF7EDFC1000-memory.dmp

Filesize
3.3MB

Download
memory/924-249-0x00007FF79D0C0000-0x00007FF79D411000-memory.dmp

Filesize
3.3MB

Download
memory/924-127-0x00007FF79D0C0000-0x00007FF79D411000-memory.dmp

Filesize
3.3MB

Download
memory/924-59-0x00007FF79D0C0000-0x00007FF79D411000-memory.dmp

Filesize
3.3MB

Download
memory/1128-68-0x00007FF78E2F0000-0x00007FF78E641000-memory.dmp

Filesize
3.3MB

Download
memory/1128-136-0x00007FF78E2F0000-0x00007FF78E641000-memory.dmp

Filesize
3.3MB

Download
memory/1128-251-0x00007FF78E2F0000-0x00007FF78E641000-memory.dmp

Filesize
3.3MB

Download
memory/1396-20-0x00007FF7D9070000-0x00007FF7D93C1000-memory.dmp

Filesize
3.3MB

Download
memory/1396-225-0x00007FF7D9070000-0x00007FF7D93C1000-memory.dmp

Filesize
3.3MB

Download
memory/1396-88-0x00007FF7D9070000-0x00007FF7D93C1000-memory.dmp

Filesize
3.3MB

Download
memory/1884-25-0x00007FF7AF0D0000-0x00007FF7AF421000-memory.dmp

Filesize
3.3MB

Download
memory/1884-239-0x00007FF7AF0D0000-0x00007FF7AF421000-memory.dmp

Filesize
3.3MB

Download
memory/1884-91-0x00007FF7AF0D0000-0x00007FF7AF421000-memory.dmp

Filesize
3.3MB

Download
memory/1952-74-0x00007FF75F2F0000-0x00007FF75F641000-memory.dmp

Filesize
3.3MB

Download
memory/1952-8-0x00007FF75F2F0000-0x00007FF75F641000-memory.dmp

Filesize
3.3MB

Download
memory/1952-221-0x00007FF75F2F0000-0x00007FF75F641000-memory.dmp

Filesize
3.3MB

Download
memory/2144-139-0x00007FF787DF0000-0x00007FF788141000-memory.dmp

Filesize
3.3MB

Download
memory/2144-73-0x00007FF787DF0000-0x00007FF788141000-memory.dmp

Filesize
3.3MB

Download
memory/2144-253-0x00007FF787DF0000-0x00007FF788141000-memory.dmp

Filesize
3.3MB

Download
memory/2280-121-0x00007FF763F70000-0x00007FF7642C1000-memory.dmp

Filesize
3.3MB

Download
memory/2280-160-0x00007FF763F70000-0x00007FF7642C1000-memory.dmp

Filesize
3.3MB

Download
memory/2280-269-0x00007FF763F70000-0x00007FF7642C1000-memory.dmp

Filesize
3.3MB

Download
memory/2388-103-0x00007FF738EB0000-0x00007FF739201000-memory.dmp

Filesize
3.3MB

Download
memory/2388-263-0x00007FF738EB0000-0x00007FF739201000-memory.dmp

Filesize
3.3MB

Download
memory/2388-148-0x00007FF738EB0000-0x00007FF739201000-memory.dmp

Filesize
3.3MB

Download
memory/2528-129-0x00007FF749570000-0x00007FF7498C1000-memory.dmp

Filesize
3.3MB

Download
memory/2528-271-0x00007FF749570000-0x00007FF7498C1000-memory.dmp

Filesize
3.3MB

Download
memory/3092-14-0x00007FF7FB780000-0x00007FF7FBAD1000-memory.dmp

Filesize
3.3MB

Download
memory/3092-86-0x00007FF7FB780000-0x00007FF7FBAD1000-memory.dmp

Filesize
3.3MB

Download
memory/3092-223-0x00007FF7FB780000-0x00007FF7FBAD1000-memory.dmp

Filesize
3.3MB

Download
memory/3160-42-0x00007FF7019A0000-0x00007FF701CF1000-memory.dmp

Filesize
3.3MB

Download
memory/3160-102-0x00007FF7019A0000-0x00007FF701CF1000-memory.dmp

Filesize
3.3MB

Download
memory/3160-241-0x00007FF7019A0000-0x00007FF701CF1000-memory.dmp

Filesize
3.3MB

Download
memory/3168-273-0x00007FF68A4D0000-0x00007FF68A821000-memory.dmp

Filesize
3.3MB

Download
memory/3168-131-0x00007FF68A4D0000-0x00007FF68A821000-memory.dmp

Filesize
3.3MB

Download
memory/3168-165-0x00007FF68A4D0000-0x00007FF68A821000-memory.dmp

Filesize
3.3MB

Download
memory/3744-144-0x00007FF639040000-0x00007FF639391000-memory.dmp

Filesize
3.3MB

Download
memory/3744-0-0x00007FF639040000-0x00007FF639391000-memory.dmp

Filesize
3.3MB

Download
memory/3744-1-0x0000026A3B0F0000-0x0000026A3B100000-memory.dmp

Filesize
64KB

Download
memory/3744-62-0x00007FF639040000-0x00007FF639391000-memory.dmp

Filesize
3.3MB

Download
memory/3744-170-0x00007FF639040000-0x00007FF639391000-memory.dmp

Filesize
3.3MB

Download
memory/3912-259-0x00007FF617BE0000-0x00007FF617F31000-memory.dmp

Filesize
3.3MB

Download
memory/3912-87-0x00007FF617BE0000-0x00007FF617F31000-memory.dmp

Filesize
3.3MB

Download
memory/3912-142-0x00007FF617BE0000-0x00007FF617F31000-memory.dmp

Filesize
3.3MB

Download
memory/3988-46-0x00007FF754CD0000-0x00007FF755021000-memory.dmp

Filesize
3.3MB

Download
memory/3988-111-0x00007FF754CD0000-0x00007FF755021000-memory.dmp

Filesize
3.3MB

Download
memory/3988-243-0x00007FF754CD0000-0x00007FF755021000-memory.dmp

Filesize
3.3MB

Download
memory/4464-164-0x00007FF6204F0000-0x00007FF620841000-memory.dmp

Filesize
3.3MB

Download
memory/4464-123-0x00007FF6204F0000-0x00007FF620841000-memory.dmp

Filesize
3.3MB

Download
memory/4464-277-0x00007FF6204F0000-0x00007FF620841000-memory.dmp

Filesize
3.3MB

Download
memory/4484-140-0x00007FF6370F0000-0x00007FF637441000-memory.dmp

Filesize
3.3MB

Download
memory/4484-257-0x00007FF6370F0000-0x00007FF637441000-memory.dmp

Filesize
3.3MB

Download
memory/4484-75-0x00007FF6370F0000-0x00007FF637441000-memory.dmp

Filesize
3.3MB

Download
memory/4564-247-0x00007FF620DC0000-0x00007FF621111000-memory.dmp

Filesize
3.3MB

Download
memory/4564-51-0x00007FF620DC0000-0x00007FF621111000-memory.dmp

Filesize
3.3MB

Download
memory/4564-114-0x00007FF620DC0000-0x00007FF621111000-memory.dmp

Filesize
3.3MB

Download
memory/4572-138-0x00007FF670540000-0x00007FF670891000-memory.dmp

Filesize
3.3MB

Download
memory/4572-275-0x00007FF670540000-0x00007FF670891000-memory.dmp

Filesize
3.3MB

Download
memory/4704-245-0x00007FF734160000-0x00007FF7344B1000-memory.dmp

Filesize
3.3MB

Download
memory/4704-101-0x00007FF734160000-0x00007FF7344B1000-memory.dmp

Filesize
3.3MB

Download
memory/4704-36-0x00007FF734160000-0x00007FF7344B1000-memory.dmp

Filesize
3.3MB

Download