cobaltstrike | 85591d0f8567eadafdf51cb881ef28b93a06265f89573555a5c9843a713b4f9c

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2024 13:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

e727c9b5becd56c434ce1d7d4247f8d4
SHA1

0a5e86323da25deb53d0227bb296aedf81be0884
SHA256

85591d0f8567eadafdf51cb881ef28b93a06265f89573555a5c9843a713b4f9c
SHA512

f42ed876d2b8c6d4af72e68667d29adc9d23a30647e8819e7dfc2aa128bcbd77e0f75d9db3ea572e5cab7cd6d1c83f15e5ab8d087f06c8b5f76b5b5dc2834091
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lT:RWWBibf56utgpPFotBER/mQ32lU/

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000b000000023b88-4.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8d-9.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8e-23.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b90-30.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b92-39.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b93-62.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b97-67.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b95-69.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b99-91.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b89-89.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b98-85.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b96-66.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b94-64.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b91-38.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8f-36.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8c-18.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9a-100.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9c-111.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9d-123.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9b-119.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9e-128.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/1104-83-0x00007FF71E4F0000-0x00007FF71E841000-memory.dmp	xmrig
behavioral2/memory/3896-88-0x00007FF63CC90000-0x00007FF63CFE1000-memory.dmp	xmrig
behavioral2/memory/2620-93-0x00007FF650460000-0x00007FF6507B1000-memory.dmp	xmrig
behavioral2/memory/4516-97-0x00007FF6B41B0000-0x00007FF6B4501000-memory.dmp	xmrig
behavioral2/memory/2736-96-0x00007FF615480000-0x00007FF6157D1000-memory.dmp	xmrig
behavioral2/memory/4392-95-0x00007FF778D50000-0x00007FF7790A1000-memory.dmp	xmrig
behavioral2/memory/3548-94-0x00007FF6EE530000-0x00007FF6EE881000-memory.dmp	xmrig
behavioral2/memory/3712-87-0x00007FF668D20000-0x00007FF669071000-memory.dmp	xmrig
behavioral2/memory/228-84-0x00007FF772F30000-0x00007FF773281000-memory.dmp	xmrig
behavioral2/memory/4100-127-0x00007FF6E2560000-0x00007FF6E28B1000-memory.dmp	xmrig
behavioral2/memory/4596-122-0x00007FF601160000-0x00007FF6014B1000-memory.dmp	xmrig
behavioral2/memory/2932-121-0x00007FF642780000-0x00007FF642AD1000-memory.dmp	xmrig
behavioral2/memory/2656-102-0x00007FF7FD0C0000-0x00007FF7FD411000-memory.dmp	xmrig
behavioral2/memory/208-107-0x00007FF71DF50000-0x00007FF71E2A1000-memory.dmp	xmrig
behavioral2/memory/3840-132-0x00007FF73D8D0000-0x00007FF73DC21000-memory.dmp	xmrig
behavioral2/memory/372-131-0x00007FF663010000-0x00007FF663361000-memory.dmp	xmrig
behavioral2/memory/3240-126-0x00007FF6A0120000-0x00007FF6A0471000-memory.dmp	xmrig
behavioral2/memory/4284-134-0x00007FF635650000-0x00007FF6359A1000-memory.dmp	xmrig
behavioral2/memory/2444-133-0x00007FF7DC750000-0x00007FF7DCAA1000-memory.dmp	xmrig
behavioral2/memory/324-136-0x00007FF7A3850000-0x00007FF7A3BA1000-memory.dmp	xmrig
behavioral2/memory/1080-145-0x00007FF7E18D0000-0x00007FF7E1C21000-memory.dmp	xmrig
behavioral2/memory/2656-146-0x00007FF7FD0C0000-0x00007FF7FD411000-memory.dmp	xmrig
behavioral2/memory/5096-159-0x00007FF6E4410000-0x00007FF6E4761000-memory.dmp	xmrig
behavioral2/memory/2656-168-0x00007FF7FD0C0000-0x00007FF7FD411000-memory.dmp	xmrig
behavioral2/memory/4596-208-0x00007FF601160000-0x00007FF6014B1000-memory.dmp	xmrig
behavioral2/memory/372-210-0x00007FF663010000-0x00007FF663361000-memory.dmp	xmrig
behavioral2/memory/3240-212-0x00007FF6A0120000-0x00007FF6A0471000-memory.dmp	xmrig
behavioral2/memory/3840-214-0x00007FF73D8D0000-0x00007FF73DC21000-memory.dmp	xmrig
behavioral2/memory/2444-216-0x00007FF7DC750000-0x00007FF7DCAA1000-memory.dmp	xmrig
behavioral2/memory/1104-219-0x00007FF71E4F0000-0x00007FF71E841000-memory.dmp	xmrig
behavioral2/memory/4284-225-0x00007FF635650000-0x00007FF6359A1000-memory.dmp	xmrig
behavioral2/memory/324-227-0x00007FF7A3850000-0x00007FF7A3BA1000-memory.dmp	xmrig
behavioral2/memory/228-229-0x00007FF772F30000-0x00007FF773281000-memory.dmp	xmrig
behavioral2/memory/2736-233-0x00007FF615480000-0x00007FF6157D1000-memory.dmp	xmrig
behavioral2/memory/3712-235-0x00007FF668D20000-0x00007FF669071000-memory.dmp	xmrig
behavioral2/memory/3896-231-0x00007FF63CC90000-0x00007FF63CFE1000-memory.dmp	xmrig
behavioral2/memory/4392-238-0x00007FF778D50000-0x00007FF7790A1000-memory.dmp	xmrig
behavioral2/memory/2620-241-0x00007FF650460000-0x00007FF6507B1000-memory.dmp	xmrig
behavioral2/memory/3548-239-0x00007FF6EE530000-0x00007FF6EE881000-memory.dmp	xmrig
behavioral2/memory/4516-243-0x00007FF6B41B0000-0x00007FF6B4501000-memory.dmp	xmrig
behavioral2/memory/208-251-0x00007FF71DF50000-0x00007FF71E2A1000-memory.dmp	xmrig
behavioral2/memory/2932-253-0x00007FF642780000-0x00007FF642AD1000-memory.dmp	xmrig
behavioral2/memory/1080-255-0x00007FF7E18D0000-0x00007FF7E1C21000-memory.dmp	xmrig
behavioral2/memory/4100-257-0x00007FF6E2560000-0x00007FF6E28B1000-memory.dmp	xmrig
behavioral2/memory/5096-259-0x00007FF6E4410000-0x00007FF6E4761000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4596	YOHSvol.exe
3240	bNTUnvR.exe
372	gstqHdt.exe
3840	eHtnVSC.exe
2444	qUgnHFP.exe
4284	IRzhcyH.exe
1104	QEUDAKN.exe
324	dSkMhOS.exe
228	RQBcZsd.exe
2736	BOszIsF.exe
3712	lOabNkh.exe
3896	clNwlgD.exe
4516	RnZjPdu.exe
2620	mqtlhkw.exe
3548	WJWSooI.exe
4392	YryFXUo.exe
208	CienTUY.exe
1080	reQvRVk.exe
2932	zdCAQrD.exe
4100	CuIDshM.exe
5096	IdxyEkZ.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2656-0-0x00007FF7FD0C0000-0x00007FF7FD411000-memory.dmp	upx
behavioral2/files/0x000b000000023b88-4.dat	upx
behavioral2/files/0x000a000000023b8d-9.dat	upx
behavioral2/memory/3240-15-0x00007FF6A0120000-0x00007FF6A0471000-memory.dmp	upx
behavioral2/files/0x000a000000023b8e-23.dat	upx
behavioral2/files/0x000a000000023b90-30.dat	upx
behavioral2/files/0x000a000000023b92-39.dat	upx
behavioral2/files/0x000a000000023b93-62.dat	upx
behavioral2/files/0x000a000000023b97-67.dat	upx
behavioral2/files/0x000a000000023b95-69.dat	upx
behavioral2/memory/1104-83-0x00007FF71E4F0000-0x00007FF71E841000-memory.dmp	upx
behavioral2/memory/3896-88-0x00007FF63CC90000-0x00007FF63CFE1000-memory.dmp	upx
behavioral2/memory/2620-93-0x00007FF650460000-0x00007FF6507B1000-memory.dmp	upx
behavioral2/memory/4516-97-0x00007FF6B41B0000-0x00007FF6B4501000-memory.dmp	upx
behavioral2/memory/2736-96-0x00007FF615480000-0x00007FF6157D1000-memory.dmp	upx
behavioral2/memory/4392-95-0x00007FF778D50000-0x00007FF7790A1000-memory.dmp	upx
behavioral2/memory/3548-94-0x00007FF6EE530000-0x00007FF6EE881000-memory.dmp	upx
behavioral2/files/0x000a000000023b99-91.dat	upx
behavioral2/files/0x000b000000023b89-89.dat	upx
behavioral2/memory/3712-87-0x00007FF668D20000-0x00007FF669071000-memory.dmp	upx
behavioral2/files/0x000a000000023b98-85.dat	upx
behavioral2/memory/228-84-0x00007FF772F30000-0x00007FF773281000-memory.dmp	upx
behavioral2/files/0x000a000000023b96-66.dat	upx
behavioral2/files/0x000a000000023b94-64.dat	upx
behavioral2/memory/4284-59-0x00007FF635650000-0x00007FF6359A1000-memory.dmp	upx
behavioral2/memory/324-48-0x00007FF7A3850000-0x00007FF7A3BA1000-memory.dmp	upx
behavioral2/memory/2444-41-0x00007FF7DC750000-0x00007FF7DCAA1000-memory.dmp	upx
behavioral2/files/0x000a000000023b91-38.dat	upx
behavioral2/memory/3840-34-0x00007FF73D8D0000-0x00007FF73DC21000-memory.dmp	upx
behavioral2/files/0x000a000000023b8f-36.dat	upx
behavioral2/memory/372-21-0x00007FF663010000-0x00007FF663361000-memory.dmp	upx
behavioral2/files/0x000a000000023b8c-18.dat	upx
behavioral2/memory/4596-11-0x00007FF601160000-0x00007FF6014B1000-memory.dmp	upx
behavioral2/files/0x000a000000023b9a-100.dat	upx
behavioral2/files/0x000a000000023b9c-111.dat	upx
behavioral2/files/0x000a000000023b9d-123.dat	upx
behavioral2/memory/4100-127-0x00007FF6E2560000-0x00007FF6E28B1000-memory.dmp	upx
behavioral2/memory/4596-122-0x00007FF601160000-0x00007FF6014B1000-memory.dmp	upx
behavioral2/memory/2932-121-0x00007FF642780000-0x00007FF642AD1000-memory.dmp	upx
behavioral2/files/0x000a000000023b9b-119.dat	upx
behavioral2/memory/1080-116-0x00007FF7E18D0000-0x00007FF7E1C21000-memory.dmp	upx
behavioral2/memory/2656-102-0x00007FF7FD0C0000-0x00007FF7FD411000-memory.dmp	upx
behavioral2/memory/208-107-0x00007FF71DF50000-0x00007FF71E2A1000-memory.dmp	upx
behavioral2/memory/3840-132-0x00007FF73D8D0000-0x00007FF73DC21000-memory.dmp	upx
behavioral2/memory/372-131-0x00007FF663010000-0x00007FF663361000-memory.dmp	upx
behavioral2/memory/5096-130-0x00007FF6E4410000-0x00007FF6E4761000-memory.dmp	upx
behavioral2/files/0x000a000000023b9e-128.dat	upx
behavioral2/memory/3240-126-0x00007FF6A0120000-0x00007FF6A0471000-memory.dmp	upx
behavioral2/memory/4284-134-0x00007FF635650000-0x00007FF6359A1000-memory.dmp	upx
behavioral2/memory/2444-133-0x00007FF7DC750000-0x00007FF7DCAA1000-memory.dmp	upx
behavioral2/memory/324-136-0x00007FF7A3850000-0x00007FF7A3BA1000-memory.dmp	upx
behavioral2/memory/1080-145-0x00007FF7E18D0000-0x00007FF7E1C21000-memory.dmp	upx
behavioral2/memory/2656-146-0x00007FF7FD0C0000-0x00007FF7FD411000-memory.dmp	upx
behavioral2/memory/5096-159-0x00007FF6E4410000-0x00007FF6E4761000-memory.dmp	upx
behavioral2/memory/2656-168-0x00007FF7FD0C0000-0x00007FF7FD411000-memory.dmp	upx
behavioral2/memory/4596-208-0x00007FF601160000-0x00007FF6014B1000-memory.dmp	upx
behavioral2/memory/372-210-0x00007FF663010000-0x00007FF663361000-memory.dmp	upx
behavioral2/memory/3240-212-0x00007FF6A0120000-0x00007FF6A0471000-memory.dmp	upx
behavioral2/memory/3840-214-0x00007FF73D8D0000-0x00007FF73DC21000-memory.dmp	upx
behavioral2/memory/2444-216-0x00007FF7DC750000-0x00007FF7DCAA1000-memory.dmp	upx
behavioral2/memory/1104-219-0x00007FF71E4F0000-0x00007FF71E841000-memory.dmp	upx
behavioral2/memory/4284-225-0x00007FF635650000-0x00007FF6359A1000-memory.dmp	upx
behavioral2/memory/324-227-0x00007FF7A3850000-0x00007FF7A3BA1000-memory.dmp	upx
behavioral2/memory/228-229-0x00007FF772F30000-0x00007FF773281000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\zdCAQrD.exe	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CuIDshM.exe	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bNTUnvR.exe	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qUgnHFP.exe	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IRzhcyH.exe	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YryFXUo.exe	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\reQvRVk.exe	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WJWSooI.exe	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IdxyEkZ.exe	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eHtnVSC.exe	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QEUDAKN.exe	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BOszIsF.exe	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lOabNkh.exe	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\clNwlgD.exe	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YOHSvol.exe	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gstqHdt.exe	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RQBcZsd.exe	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RnZjPdu.exe	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dSkMhOS.exe	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mqtlhkw.exe	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CienTUY.exe	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2656	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2656	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2656 wrote to memory of 4596	2656	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2656 wrote to memory of 4596	2656	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2656 wrote to memory of 3240	2656	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2656 wrote to memory of 3240	2656	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2656 wrote to memory of 372	2656	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2656 wrote to memory of 372	2656	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2656 wrote to memory of 3840	2656	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2656 wrote to memory of 3840	2656	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2656 wrote to memory of 2444	2656	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2656 wrote to memory of 2444	2656	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2656 wrote to memory of 4284	2656	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2656 wrote to memory of 4284	2656	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2656 wrote to memory of 1104	2656	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2656 wrote to memory of 1104	2656	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2656 wrote to memory of 324	2656	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2656 wrote to memory of 324	2656	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2656 wrote to memory of 228	2656	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2656 wrote to memory of 228	2656	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2656 wrote to memory of 2736	2656	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2656 wrote to memory of 2736	2656	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2656 wrote to memory of 3712	2656	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2656 wrote to memory of 3712	2656	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2656 wrote to memory of 3896	2656	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2656 wrote to memory of 3896	2656	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2656 wrote to memory of 4516	2656	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2656 wrote to memory of 4516	2656	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2656 wrote to memory of 2620	2656	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2656 wrote to memory of 2620	2656	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2656 wrote to memory of 3548	2656	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2656 wrote to memory of 3548	2656	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2656 wrote to memory of 4392	2656	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2656 wrote to memory of 4392	2656	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2656 wrote to memory of 208	2656	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2656 wrote to memory of 208	2656	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2656 wrote to memory of 1080	2656	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2656 wrote to memory of 1080	2656	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2656 wrote to memory of 2932	2656	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2656 wrote to memory of 2932	2656	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2656 wrote to memory of 4100	2656	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2656 wrote to memory of 4100	2656	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2656 wrote to memory of 5096	2656	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 2656 wrote to memory of 5096	2656	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2656
- C:\Windows\System\YOHSvol.exe
  C:\Windows\System\YOHSvol.exe
  2⤵
  - Executes dropped EXE
  PID:4596
- C:\Windows\System\bNTUnvR.exe
  C:\Windows\System\bNTUnvR.exe
  2⤵
  - Executes dropped EXE
  PID:3240
- C:\Windows\System\gstqHdt.exe
  C:\Windows\System\gstqHdt.exe
  2⤵
  - Executes dropped EXE
  PID:372
- C:\Windows\System\eHtnVSC.exe
  C:\Windows\System\eHtnVSC.exe
  2⤵
  - Executes dropped EXE
  PID:3840
- C:\Windows\System\qUgnHFP.exe
  C:\Windows\System\qUgnHFP.exe
  2⤵
  - Executes dropped EXE
  PID:2444
- C:\Windows\System\IRzhcyH.exe
  C:\Windows\System\IRzhcyH.exe
  2⤵
  - Executes dropped EXE
  PID:4284
- C:\Windows\System\QEUDAKN.exe
  C:\Windows\System\QEUDAKN.exe
  2⤵
  - Executes dropped EXE
  PID:1104
- C:\Windows\System\dSkMhOS.exe
  C:\Windows\System\dSkMhOS.exe
  2⤵
  - Executes dropped EXE
  PID:324
- C:\Windows\System\RQBcZsd.exe
  C:\Windows\System\RQBcZsd.exe
  2⤵
  - Executes dropped EXE
  PID:228
- C:\Windows\System\BOszIsF.exe
  C:\Windows\System\BOszIsF.exe
  2⤵
  - Executes dropped EXE
  PID:2736
- C:\Windows\System\lOabNkh.exe
  C:\Windows\System\lOabNkh.exe
  2⤵
  - Executes dropped EXE
  PID:3712
- C:\Windows\System\clNwlgD.exe
  C:\Windows\System\clNwlgD.exe
  2⤵
  - Executes dropped EXE
  PID:3896
- C:\Windows\System\RnZjPdu.exe
  C:\Windows\System\RnZjPdu.exe
  2⤵
  - Executes dropped EXE
  PID:4516
- C:\Windows\System\mqtlhkw.exe
  C:\Windows\System\mqtlhkw.exe
  2⤵
  - Executes dropped EXE
  PID:2620
- C:\Windows\System\WJWSooI.exe
  C:\Windows\System\WJWSooI.exe
  2⤵
  - Executes dropped EXE
  PID:3548
- C:\Windows\System\YryFXUo.exe
  C:\Windows\System\YryFXUo.exe
  2⤵
  - Executes dropped EXE
  PID:4392
- C:\Windows\System\CienTUY.exe
  C:\Windows\System\CienTUY.exe
  2⤵
  - Executes dropped EXE
  PID:208
- C:\Windows\System\reQvRVk.exe
  C:\Windows\System\reQvRVk.exe
  2⤵
  - Executes dropped EXE
  PID:1080
- C:\Windows\System\zdCAQrD.exe
  C:\Windows\System\zdCAQrD.exe
  2⤵
  - Executes dropped EXE
  PID:2932
- C:\Windows\System\CuIDshM.exe
  C:\Windows\System\CuIDshM.exe
  2⤵
  - Executes dropped EXE
  PID:4100
- C:\Windows\System\IdxyEkZ.exe
  C:\Windows\System\IdxyEkZ.exe
  2⤵
  - Executes dropped EXE
  PID:5096

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BOszIsF.exe

Filesize
5.2MB

MD5
552f74d2f6daa9b113ba17c9d283d838

SHA1
a25dc7da4d1025a76c7f671b0fab887fe4d3dfba

SHA256
c94239ae672994248e6c3092c97976b1e0ce89956bf9c033dfc5041a502849cb

SHA512
7a1fc205719473a5d49db24d1c98d57b2dc2e539ffdf35d2491e22764d01d1b372c697f59b3bc791bc29bb0edee3489bd73e767db844c2d6991b13508a2ebfa1

Download Submit
C:\Windows\System\CienTUY.exe

Filesize
5.2MB

MD5
d06a7f5cd8edc2679e2d80bc203963ef

SHA1
ebc799c8e8bce87bcf31d92d3d0d0c77f69a3ae9

SHA256
c0b22ec85d002011da947c652a31de10dd9619cc30a267217cc86b640fee8a31

SHA512
0386819993b8aea606cb1018ed9db7ec615d287773428d50523418309fb47bb48cbddcbc74748809af5213a16e5963e8827d4f3562de2f28be9629309bf8b2aa

Download Submit
C:\Windows\System\CuIDshM.exe

Filesize
5.2MB

MD5
40e6663be87f89fc219234624946ed2b

SHA1
e5e36b4557df5c06f397131514b6cedd79b29367

SHA256
95a4f6a5c697bba0b107bd95e76df837c205db49e4a0a501e90f41bd1bdffe73

SHA512
e6f11a0a90c5d63ed8bdc26cfc0f87af48244c1a2f456d57ad03c60dc05f30540b8b6f7a254e61876c502f50806a8eb09e2f822ef60feabeaf1a1ced86ceaa0b

Download Submit
C:\Windows\System\IRzhcyH.exe

Filesize
5.2MB

MD5
f984f561a718b7df711c766d39fbc73d

SHA1
b05907442871a6522fd7e6166ee2fe4b1aa391be

SHA256
2d7854f02d657c5d5f17b66de6b66b363fc0aa3053ed3d8b40253fe7690804fd

SHA512
213bc07d6cc9ff306a207992fd504c599a4a3b8d76958847607b112aadfd44aed1c1bf429f0801083717641020e1c784e4d91e5606391cce794266a2081050a4

Download Submit
C:\Windows\System\IdxyEkZ.exe

Filesize
5.2MB

MD5
3aa8bda37d59dc83224c21ba00cfbb68

SHA1
77d3462cd4a49c59fbca8cf4d908a0f5348d493a

SHA256
46a0750508859519562e70ca81a1ec96e098d9d74c106414ed6953aeafea8e0a

SHA512
052f550d7c9c4488d783ee657c2a36fc6302a43827119ac6a2ec547ecf4a6016fc38ac707c2fd767053d0b07c60fcaa28d5e0378376e11c104799618f062ff07

Download Submit
C:\Windows\System\QEUDAKN.exe

Filesize
5.2MB

MD5
e86962dbf0c3876bdfd4990802d7cd7b

SHA1
71c8d6ebf08c1d2afe6ad6e423b7da68792cb10c

SHA256
f665ea4cfecd0fc5e96881ae7b8eb55ab3e253dc16eeaf5d1fa0b59cb310338a

SHA512
d84e339e48d3019ed913125fe06132afcd4a37b73440ba0a39c2fa019d8bf9b33e9dc2c4b1910a2b32b9ee97da2712678f46042018b317d2241b14012e73e587

Download Submit
C:\Windows\System\RQBcZsd.exe

Filesize
5.2MB

MD5
841292b616dd40d484fc40d584f9c558

SHA1
bc6fbbb5f7c6d2a882551fb90f359f1c06a64dc5

SHA256
6c9ebd9b03ba0d643bba2b8c1762c149d8e4b4db50847944e933d377af35c454

SHA512
d43c232ffbf5b1da3f43129b4e66c6ffc9d8d1db6b7da4fcaa43303c909e289f087fced1fd5b4510032211bad2f89db4863706b505b36651b9592beaee46bab1

Download Submit
C:\Windows\System\RnZjPdu.exe

Filesize
5.2MB

MD5
9fc827eede731093efdd4d06a3827668

SHA1
da0329af5284e9fe02bff20a1f76591ff1cc1c5d

SHA256
e720bf0754e06004ae7f48763b6e9ecbcb6e604b6d2510f04c023bcb83cdfe64

SHA512
20bb476b005fcd3c97ea49a8f09e0bdec15b8d15d0a90aba7d329ea4e767fbbaa35ad1e5eaad1b1659490bcd02cd50af11010f1d972eb59b1256b841c27304cd

Download Submit
C:\Windows\System\WJWSooI.exe

Filesize
5.2MB

MD5
ca1ef2df3f728033b3e67a0e21cad305

SHA1
9da5f08652b8dfe224382afbb83a0608cfe6c90b

SHA256
38533341be14167306d67812cd2c3aae80c3a7007063e598e81cdbb378eb439d

SHA512
9b9d837eea6118c3d89d80a4f7068f22fe8766ba5ef8ea525ff8d73716719e53080c1e89faf30e37b90e56cd518304200ff425b6c2026b8f197ce23e6e49ef2e

Download Submit
C:\Windows\System\YOHSvol.exe

Filesize
5.2MB

MD5
e50960197eac044da9a7af7054021199

SHA1
3296578a3fab7529f035e8cac5762f4b74de044a

SHA256
98141431a7ee1e288dbfb2193cccd6e58a3a623d74de991576d55edc0190daa8

SHA512
5614fd1e32709cbc0a03987b19c5521a95b3d0e17544528c12bdb810f592c3675a210264150cdb748402b785f66a0a0fec44f059f7a37036da0c0296e2e105f3

Download Submit
C:\Windows\System\YryFXUo.exe

Filesize
5.2MB

MD5
02ad4a36ea220691b754295b0217cdc4

SHA1
de606356b2daba4078ba63033136eb72214f9b1b

SHA256
3d4292847f69d0855428184b8d0614e2dc1c21d1422efaba454d33494b17a012

SHA512
e1cee51012038360b1a113916ee1a76ae803df5b47bc80da6695e4f198c934e26bc83b1899a85310a106cb2072214cff4ad7847626a101e6ed917aad4d022930

Download Submit
C:\Windows\System\bNTUnvR.exe

Filesize
5.2MB

MD5
d1bd080c1ff54cded8b189e270cabf21

SHA1
60fd84ad7eb0d9b4dd2ed9b7433be0076a3b9395

SHA256
2060a2e5867ff06e935770e4871ba7a8d9d43f019b6b17a29c7923e7845109a3

SHA512
01421f0be26422ac07e3d6a97094b496f3132b3aff9204d6a1f4fa0e28844e827f3cbf5ebe6944e9288c2ce9f151f04fb7f3c71057ba75e3660ab5df386fef2a

Download Submit
C:\Windows\System\clNwlgD.exe

Filesize
5.2MB

MD5
cc35fd0765e1af9223076c62ed786398

SHA1
bdae741d27a1658b86706f179490cc74da1b0cc8

SHA256
bfa1c8a7a88a453382022fd605bc839069ba5f8fd9f02a93527d55854a42392d

SHA512
408e911482c1343189f77f4b721240561b73dfa96911cf480b5b70932e483280b748ccbdc14a2ea9dbdc980fb3ce889493a635c6d5178176b4682dbb50d0d9a1

Download Submit
C:\Windows\System\dSkMhOS.exe

Filesize
5.2MB

MD5
89c279ad63627c9b762f71ed8f5bb147

SHA1
f141ed94a4c802a4c6daad41c6606886fbdeabb2

SHA256
09fc8d39791192ee8c8decacbdac64313875a52f732d569ca5a68406dd8d074c

SHA512
774ec1f70e85e5471d0e49655e28fc1ef2d76efe58b858a39e3bd4d04e53241ae1c8608df81017b5250bb78a0b56980b77684cf840e6d0bb426549bce6f73f25

Download Submit
C:\Windows\System\eHtnVSC.exe

Filesize
5.2MB

MD5
0ec6f659a383b208b877b153378dd3be

SHA1
38969be46aa93b5fd9724ca3d4d824226524a193

SHA256
fda8d000371aeb9a695bf44177950b8154416262f58f42bcbc0bd95b3232e4ba

SHA512
a38abe2edd45d4c787927faf7a2fde8371b8015a55e5b1e64c624d9e3fbe34bd239963ab7c0e5598754d8ff261fb508908473a2750d4d21f916f770ec9618f86

Download Submit
C:\Windows\System\gstqHdt.exe

Filesize
5.2MB

MD5
16bf5d5a79b0a60f4119fcdb578c9772

SHA1
8b9c7511b93da22a8fab8d9be0f269e9920e6f79

SHA256
cca6778c1c49e6939cc6aa423dd4ea0487d7fb4b0315b09e857c128b11d09c13

SHA512
400d929fac1140edfcf077f9476060b5bf37bcb7518918d5abc55f73b5af1e5720f55ce7b1fea2b8fbfe653dbe382b0214b41f9c0e8e30a85831aedd34ab772c

Download Submit
C:\Windows\System\lOabNkh.exe

Filesize
5.2MB

MD5
4461f1331069bd1a9d5b08d342969e47

SHA1
1ea11f5a724415f25e593e560b05665897239bc2

SHA256
2efa8690748f385014d1d9cd2a56e5755b3b68262529fa224fd4d71df1d9f6b7

SHA512
4c0281b665495e8c343abf9cd7da1a9997838dadca9b18f1ea53190c41615dbd57edfd14335ced3db135e549d1df056bd79d407f439e29768a971f64320a6d41

Download Submit
C:\Windows\System\mqtlhkw.exe

Filesize
5.2MB

MD5
c802987ad8baef20fd9403be6666e613

SHA1
fb591f9cd5b61d63552f7c5a8ae187368d311fd6

SHA256
c76a3e5e38bb55c8b0a1893c6897eb064da7fb8a298ba73f30eebd5d665c1cf1

SHA512
22a0455ce9c1248b14f933a9c3561a6cbd2c39c07f8dda21d3a69a669cd3a48029ea7328b45272999a3f7239a456c4505b16b610e9899064c7b194e911933302

Download Submit
C:\Windows\System\qUgnHFP.exe

Filesize
5.2MB

MD5
662c4c74ff00caeb02a2084968091c49

SHA1
73f603bdc418b45214c14864ac48bbfa4d523f12

SHA256
9a6cadceb01ef0960da09af6a92738e7f39f2c65d01f4608da76923221dbadc6

SHA512
d59304c3a750a2056d0d336e1105f0ab1b1d103a64169b6393e51bbb30b29eecf2dfc988712dd950a81646cef9173f28dbbae7c37ec18d872702842c8927dc1a

Download Submit
C:\Windows\System\reQvRVk.exe

Filesize
5.2MB

MD5
c9d744dc8342453c9961140af121980c

SHA1
2c37aecd89882633034398d0d9e419a2be2b9ef2

SHA256
91fdbda5af1df981563c50c51d0337ffb0acbae5432b0daf364c495c3a99da0c

SHA512
fec3a3ea981fc2a6def5a3f157660e8a5b7274a6dc7681db2896224898ffcc88cfff4a520b0acd520d50a00ab4c25970a3492647d595b1d34ea419600709631b

Download Submit
C:\Windows\System\zdCAQrD.exe

Filesize
5.2MB

MD5
ea1c097f5eb44c0016d61277724085e4

SHA1
d501e7a7da98bfcd7ee9d1ae86ca4f0dc41a118a

SHA256
e9ccbd3c4d72e5e2cbfa3b2753123d5ee4b920c14b9adec07a7a5101b711940c

SHA512
9d8998163a4d92cd834e6cd95927ffb9bc298a5969eb4d6d985e2498d5f2aaf433da00c5cf76f2977b72a03efa0627ee0a830c58d11a922626ba47a9b0470e17

Download Submit
memory/208-251-0x00007FF71DF50000-0x00007FF71E2A1000-memory.dmp

Filesize
3.3MB

Download
memory/208-107-0x00007FF71DF50000-0x00007FF71E2A1000-memory.dmp

Filesize
3.3MB

Download
memory/228-84-0x00007FF772F30000-0x00007FF773281000-memory.dmp

Filesize
3.3MB

Download
memory/228-229-0x00007FF772F30000-0x00007FF773281000-memory.dmp

Filesize
3.3MB

Download
memory/324-136-0x00007FF7A3850000-0x00007FF7A3BA1000-memory.dmp

Filesize
3.3MB

Download
memory/324-227-0x00007FF7A3850000-0x00007FF7A3BA1000-memory.dmp

Filesize
3.3MB

Download
memory/324-48-0x00007FF7A3850000-0x00007FF7A3BA1000-memory.dmp

Filesize
3.3MB

Download
memory/372-21-0x00007FF663010000-0x00007FF663361000-memory.dmp

Filesize
3.3MB

Download
memory/372-131-0x00007FF663010000-0x00007FF663361000-memory.dmp

Filesize
3.3MB

Download
memory/372-210-0x00007FF663010000-0x00007FF663361000-memory.dmp

Filesize
3.3MB

Download
memory/1080-145-0x00007FF7E18D0000-0x00007FF7E1C21000-memory.dmp

Filesize
3.3MB

Download
memory/1080-116-0x00007FF7E18D0000-0x00007FF7E1C21000-memory.dmp

Filesize
3.3MB

Download
memory/1080-255-0x00007FF7E18D0000-0x00007FF7E1C21000-memory.dmp

Filesize
3.3MB

Download
memory/1104-219-0x00007FF71E4F0000-0x00007FF71E841000-memory.dmp

Filesize
3.3MB

Download
memory/1104-83-0x00007FF71E4F0000-0x00007FF71E841000-memory.dmp

Filesize
3.3MB

Download
memory/2444-216-0x00007FF7DC750000-0x00007FF7DCAA1000-memory.dmp

Filesize
3.3MB

Download
memory/2444-133-0x00007FF7DC750000-0x00007FF7DCAA1000-memory.dmp

Filesize
3.3MB

Download
memory/2444-41-0x00007FF7DC750000-0x00007FF7DCAA1000-memory.dmp

Filesize
3.3MB

Download
memory/2620-93-0x00007FF650460000-0x00007FF6507B1000-memory.dmp

Filesize
3.3MB

Download
memory/2620-241-0x00007FF650460000-0x00007FF6507B1000-memory.dmp

Filesize
3.3MB

Download
memory/2656-102-0x00007FF7FD0C0000-0x00007FF7FD411000-memory.dmp

Filesize
3.3MB

Download
memory/2656-0-0x00007FF7FD0C0000-0x00007FF7FD411000-memory.dmp

Filesize
3.3MB

Download
memory/2656-168-0x00007FF7FD0C0000-0x00007FF7FD411000-memory.dmp

Filesize
3.3MB

Download
memory/2656-146-0x00007FF7FD0C0000-0x00007FF7FD411000-memory.dmp

Filesize
3.3MB

Download
memory/2656-1-0x000001FDCE090000-0x000001FDCE0A0000-memory.dmp

Filesize
64KB

Download
memory/2736-96-0x00007FF615480000-0x00007FF6157D1000-memory.dmp

Filesize
3.3MB

Download
memory/2736-233-0x00007FF615480000-0x00007FF6157D1000-memory.dmp

Filesize
3.3MB

Download
memory/2932-121-0x00007FF642780000-0x00007FF642AD1000-memory.dmp

Filesize
3.3MB

Download
memory/2932-253-0x00007FF642780000-0x00007FF642AD1000-memory.dmp

Filesize
3.3MB

Download
memory/3240-212-0x00007FF6A0120000-0x00007FF6A0471000-memory.dmp

Filesize
3.3MB

Download
memory/3240-126-0x00007FF6A0120000-0x00007FF6A0471000-memory.dmp

Filesize
3.3MB

Download
memory/3240-15-0x00007FF6A0120000-0x00007FF6A0471000-memory.dmp

Filesize
3.3MB

Download
memory/3548-239-0x00007FF6EE530000-0x00007FF6EE881000-memory.dmp

Filesize
3.3MB

Download
memory/3548-94-0x00007FF6EE530000-0x00007FF6EE881000-memory.dmp

Filesize
3.3MB

Download
memory/3712-235-0x00007FF668D20000-0x00007FF669071000-memory.dmp

Filesize
3.3MB

Download
memory/3712-87-0x00007FF668D20000-0x00007FF669071000-memory.dmp

Filesize
3.3MB

Download
memory/3840-214-0x00007FF73D8D0000-0x00007FF73DC21000-memory.dmp

Filesize
3.3MB

Download
memory/3840-34-0x00007FF73D8D0000-0x00007FF73DC21000-memory.dmp

Filesize
3.3MB

Download
memory/3840-132-0x00007FF73D8D0000-0x00007FF73DC21000-memory.dmp

Filesize
3.3MB

Download
memory/3896-231-0x00007FF63CC90000-0x00007FF63CFE1000-memory.dmp

Filesize
3.3MB

Download
memory/3896-88-0x00007FF63CC90000-0x00007FF63CFE1000-memory.dmp

Filesize
3.3MB

Download
memory/4100-127-0x00007FF6E2560000-0x00007FF6E28B1000-memory.dmp

Filesize
3.3MB

Download
memory/4100-257-0x00007FF6E2560000-0x00007FF6E28B1000-memory.dmp

Filesize
3.3MB

Download
memory/4284-134-0x00007FF635650000-0x00007FF6359A1000-memory.dmp

Filesize
3.3MB

Download
memory/4284-225-0x00007FF635650000-0x00007FF6359A1000-memory.dmp

Filesize
3.3MB

Download
memory/4284-59-0x00007FF635650000-0x00007FF6359A1000-memory.dmp

Filesize
3.3MB

Download
memory/4392-95-0x00007FF778D50000-0x00007FF7790A1000-memory.dmp

Filesize
3.3MB

Download
memory/4392-238-0x00007FF778D50000-0x00007FF7790A1000-memory.dmp

Filesize
3.3MB

Download
memory/4516-243-0x00007FF6B41B0000-0x00007FF6B4501000-memory.dmp

Filesize
3.3MB

Download
memory/4516-97-0x00007FF6B41B0000-0x00007FF6B4501000-memory.dmp

Filesize
3.3MB

Download
memory/4596-11-0x00007FF601160000-0x00007FF6014B1000-memory.dmp

Filesize
3.3MB

Download
memory/4596-122-0x00007FF601160000-0x00007FF6014B1000-memory.dmp

Filesize
3.3MB

Download
memory/4596-208-0x00007FF601160000-0x00007FF6014B1000-memory.dmp

Filesize
3.3MB

Download
memory/5096-159-0x00007FF6E4410000-0x00007FF6E4761000-memory.dmp

Filesize
3.3MB

Download
memory/5096-130-0x00007FF6E4410000-0x00007FF6E4761000-memory.dmp

Filesize
3.3MB

Download
memory/5096-259-0x00007FF6E4410000-0x00007FF6E4761000-memory.dmp

Filesize
3.3MB

Download