cobaltstrike | 50d8caf4913b2bae990f4c22523f585704b8112a8ba312fa55b2e4a4d43003a1

Analysis

max time kernel
148s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25/11/2024, 10:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-25_01d67b8fc67892470bb0a2fd602310cc_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

01d67b8fc67892470bb0a2fd602310cc
SHA1

e0dcfaf5effbad19944442483f5f2dc7e8dad369
SHA256

50d8caf4913b2bae990f4c22523f585704b8112a8ba312fa55b2e4a4d43003a1
SHA512

a94c6f3a989e51ee66b2a09550e1f2b5685f4ab882d2f1ac1af18938c699a439e53f513a38287542758b9bf361be5dd8f4b123321ecf3d4e65d16f867082d1f8
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lD:RWWBibf56utgpPFotBER/mQ32lU/

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000a000000023bf9-4.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc4-10.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023cc1-11.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc5-23.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc6-34.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc8-50.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cca-52.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc9-48.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ccb-62.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ccc-69.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cce-79.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cd0-96.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cd2-108.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cd5-125.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cd6-137.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cd4-130.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cd3-122.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cd1-106.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ccf-94.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ccd-80.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc7-37.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 46 IoCs

miner

resource	yara_rule
behavioral2/memory/4840-53-0x00007FF6E5390000-0x00007FF6E56E1000-memory.dmp	xmrig
behavioral2/memory/4820-87-0x00007FF727F00000-0x00007FF728251000-memory.dmp	xmrig
behavioral2/memory/4188-101-0x00007FF609BA0000-0x00007FF609EF1000-memory.dmp	xmrig
behavioral2/memory/1216-129-0x00007FF6087B0000-0x00007FF608B01000-memory.dmp	xmrig
behavioral2/memory/1644-128-0x00007FF6E7090000-0x00007FF6E73E1000-memory.dmp	xmrig
behavioral2/memory/2804-124-0x00007FF70D250000-0x00007FF70D5A1000-memory.dmp	xmrig
behavioral2/memory/808-111-0x00007FF658870000-0x00007FF658BC1000-memory.dmp	xmrig
behavioral2/memory/2924-104-0x00007FF6C7A90000-0x00007FF6C7DE1000-memory.dmp	xmrig
behavioral2/memory/1824-88-0x00007FF693460000-0x00007FF6937B1000-memory.dmp	xmrig
behavioral2/memory/3040-75-0x00007FF75A180000-0x00007FF75A4D1000-memory.dmp	xmrig
behavioral2/memory/4196-67-0x00007FF73F260000-0x00007FF73F5B1000-memory.dmp	xmrig
behavioral2/memory/4992-64-0x00007FF74BD20000-0x00007FF74C071000-memory.dmp	xmrig
behavioral2/memory/4820-26-0x00007FF727F00000-0x00007FF728251000-memory.dmp	xmrig
behavioral2/memory/5056-153-0x00007FF622C70000-0x00007FF622FC1000-memory.dmp	xmrig
behavioral2/memory/3868-156-0x00007FF695F70000-0x00007FF6962C1000-memory.dmp	xmrig
behavioral2/memory/2432-155-0x00007FF73DF40000-0x00007FF73E291000-memory.dmp	xmrig
behavioral2/memory/216-154-0x00007FF699F90000-0x00007FF69A2E1000-memory.dmp	xmrig
behavioral2/memory/1760-152-0x00007FF777780000-0x00007FF777AD1000-memory.dmp	xmrig
behavioral2/memory/4840-140-0x00007FF6E5390000-0x00007FF6E56E1000-memory.dmp	xmrig
behavioral2/memory/4548-161-0x00007FF774490000-0x00007FF7747E1000-memory.dmp	xmrig
behavioral2/memory/3996-160-0x00007FF6690A0000-0x00007FF6693F1000-memory.dmp	xmrig
behavioral2/memory/4956-159-0x00007FF774C00000-0x00007FF774F51000-memory.dmp	xmrig
behavioral2/memory/3112-158-0x00007FF796010000-0x00007FF796361000-memory.dmp	xmrig
behavioral2/memory/1464-157-0x00007FF785160000-0x00007FF7854B1000-memory.dmp	xmrig
behavioral2/memory/4840-162-0x00007FF6E5390000-0x00007FF6E56E1000-memory.dmp	xmrig
behavioral2/memory/4992-210-0x00007FF74BD20000-0x00007FF74C071000-memory.dmp	xmrig
behavioral2/memory/4196-214-0x00007FF73F260000-0x00007FF73F5B1000-memory.dmp	xmrig
behavioral2/memory/3040-216-0x00007FF75A180000-0x00007FF75A4D1000-memory.dmp	xmrig
behavioral2/memory/4820-225-0x00007FF727F00000-0x00007FF728251000-memory.dmp	xmrig
behavioral2/memory/1824-227-0x00007FF693460000-0x00007FF6937B1000-memory.dmp	xmrig
behavioral2/memory/4188-229-0x00007FF609BA0000-0x00007FF609EF1000-memory.dmp	xmrig
behavioral2/memory/808-231-0x00007FF658870000-0x00007FF658BC1000-memory.dmp	xmrig
behavioral2/memory/2804-233-0x00007FF70D250000-0x00007FF70D5A1000-memory.dmp	xmrig
behavioral2/memory/2924-235-0x00007FF6C7A90000-0x00007FF6C7DE1000-memory.dmp	xmrig
behavioral2/memory/1216-248-0x00007FF6087B0000-0x00007FF608B01000-memory.dmp	xmrig
behavioral2/memory/1644-249-0x00007FF6E7090000-0x00007FF6E73E1000-memory.dmp	xmrig
behavioral2/memory/1760-251-0x00007FF777780000-0x00007FF777AD1000-memory.dmp	xmrig
behavioral2/memory/2432-255-0x00007FF73DF40000-0x00007FF73E291000-memory.dmp	xmrig
behavioral2/memory/216-254-0x00007FF699F90000-0x00007FF69A2E1000-memory.dmp	xmrig
behavioral2/memory/3868-259-0x00007FF695F70000-0x00007FF6962C1000-memory.dmp	xmrig
behavioral2/memory/1464-257-0x00007FF785160000-0x00007FF7854B1000-memory.dmp	xmrig
behavioral2/memory/3112-261-0x00007FF796010000-0x00007FF796361000-memory.dmp	xmrig
behavioral2/memory/4548-263-0x00007FF774490000-0x00007FF7747E1000-memory.dmp	xmrig
behavioral2/memory/3996-265-0x00007FF6690A0000-0x00007FF6693F1000-memory.dmp	xmrig
behavioral2/memory/4956-267-0x00007FF774C00000-0x00007FF774F51000-memory.dmp	xmrig
behavioral2/memory/5056-271-0x00007FF622C70000-0x00007FF622FC1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4992	gLTLOJx.exe
4196	QeIcwQy.exe
3040	mPeZgiD.exe
4820	XbIyQct.exe
1824	ColwVix.exe
4188	jEyhlrZ.exe
2924	QTHVsOR.exe
808	cohlijq.exe
2804	WPCAfwC.exe
1644	vXwDZhj.exe
1216	CtHRuoj.exe
1760	Enmxzfa.exe
5056	ustVjDA.exe
216	StSssTa.exe
2432	qDYZbwn.exe
3868	dZVOwaN.exe
1464	zRPxxbA.exe
3112	WuSOXOY.exe
4956	dRyHGTj.exe
3996	qaitxcv.exe
4548	kIRrXiN.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4840-0-0x00007FF6E5390000-0x00007FF6E56E1000-memory.dmp	upx
behavioral2/files/0x000a000000023bf9-4.dat	upx
behavioral2/memory/4992-7-0x00007FF74BD20000-0x00007FF74C071000-memory.dmp	upx
behavioral2/files/0x0007000000023cc4-10.dat	upx
behavioral2/files/0x0008000000023cc1-11.dat	upx
behavioral2/memory/4196-14-0x00007FF73F260000-0x00007FF73F5B1000-memory.dmp	upx
behavioral2/memory/3040-20-0x00007FF75A180000-0x00007FF75A4D1000-memory.dmp	upx
behavioral2/files/0x0007000000023cc5-23.dat	upx
behavioral2/files/0x0007000000023cc6-34.dat	upx
behavioral2/memory/4188-40-0x00007FF609BA0000-0x00007FF609EF1000-memory.dmp	upx
behavioral2/files/0x0007000000023cc8-50.dat	upx
behavioral2/memory/808-49-0x00007FF658870000-0x00007FF658BC1000-memory.dmp	upx
behavioral2/memory/4840-53-0x00007FF6E5390000-0x00007FF6E56E1000-memory.dmp	upx
behavioral2/memory/2804-54-0x00007FF70D250000-0x00007FF70D5A1000-memory.dmp	upx
behavioral2/files/0x0007000000023cca-52.dat	upx
behavioral2/files/0x0007000000023cc9-48.dat	upx
behavioral2/memory/2924-44-0x00007FF6C7A90000-0x00007FF6C7DE1000-memory.dmp	upx
behavioral2/files/0x0007000000023ccb-62.dat	upx
behavioral2/memory/1644-65-0x00007FF6E7090000-0x00007FF6E73E1000-memory.dmp	upx
behavioral2/files/0x0007000000023ccc-69.dat	upx
behavioral2/files/0x0007000000023cce-79.dat	upx
behavioral2/memory/5056-82-0x00007FF622C70000-0x00007FF622FC1000-memory.dmp	upx
behavioral2/memory/4820-87-0x00007FF727F00000-0x00007FF728251000-memory.dmp	upx
behavioral2/memory/216-89-0x00007FF699F90000-0x00007FF69A2E1000-memory.dmp	upx
behavioral2/files/0x0007000000023cd0-96.dat	upx
behavioral2/memory/4188-101-0x00007FF609BA0000-0x00007FF609EF1000-memory.dmp	upx
behavioral2/files/0x0007000000023cd2-108.dat	upx
behavioral2/files/0x0007000000023cd5-125.dat	upx
behavioral2/memory/3996-133-0x00007FF6690A0000-0x00007FF6693F1000-memory.dmp	upx
behavioral2/files/0x0007000000023cd6-137.dat	upx
behavioral2/memory/4548-134-0x00007FF774490000-0x00007FF7747E1000-memory.dmp	upx
behavioral2/files/0x0007000000023cd4-130.dat	upx
behavioral2/memory/1216-129-0x00007FF6087B0000-0x00007FF608B01000-memory.dmp	upx
behavioral2/memory/1644-128-0x00007FF6E7090000-0x00007FF6E73E1000-memory.dmp	upx
behavioral2/memory/4956-127-0x00007FF774C00000-0x00007FF774F51000-memory.dmp	upx
behavioral2/memory/2804-124-0x00007FF70D250000-0x00007FF70D5A1000-memory.dmp	upx
behavioral2/files/0x0007000000023cd3-122.dat	upx
behavioral2/memory/3112-118-0x00007FF796010000-0x00007FF796361000-memory.dmp	upx
behavioral2/memory/1464-112-0x00007FF785160000-0x00007FF7854B1000-memory.dmp	upx
behavioral2/memory/808-111-0x00007FF658870000-0x00007FF658BC1000-memory.dmp	upx
behavioral2/files/0x0007000000023cd1-106.dat	upx
behavioral2/memory/3868-105-0x00007FF695F70000-0x00007FF6962C1000-memory.dmp	upx
behavioral2/memory/2924-104-0x00007FF6C7A90000-0x00007FF6C7DE1000-memory.dmp	upx
behavioral2/files/0x0007000000023ccf-94.dat	upx
behavioral2/memory/2432-93-0x00007FF73DF40000-0x00007FF73E291000-memory.dmp	upx
behavioral2/memory/1824-88-0x00007FF693460000-0x00007FF6937B1000-memory.dmp	upx
behavioral2/files/0x0007000000023ccd-80.dat	upx
behavioral2/memory/1760-78-0x00007FF777780000-0x00007FF777AD1000-memory.dmp	upx
behavioral2/memory/3040-75-0x00007FF75A180000-0x00007FF75A4D1000-memory.dmp	upx
behavioral2/memory/4196-67-0x00007FF73F260000-0x00007FF73F5B1000-memory.dmp	upx
behavioral2/memory/1216-66-0x00007FF6087B0000-0x00007FF608B01000-memory.dmp	upx
behavioral2/memory/4992-64-0x00007FF74BD20000-0x00007FF74C071000-memory.dmp	upx
behavioral2/files/0x0007000000023cc7-37.dat	upx
behavioral2/memory/1824-33-0x00007FF693460000-0x00007FF6937B1000-memory.dmp	upx
behavioral2/memory/4820-26-0x00007FF727F00000-0x00007FF728251000-memory.dmp	upx
behavioral2/memory/5056-153-0x00007FF622C70000-0x00007FF622FC1000-memory.dmp	upx
behavioral2/memory/3868-156-0x00007FF695F70000-0x00007FF6962C1000-memory.dmp	upx
behavioral2/memory/2432-155-0x00007FF73DF40000-0x00007FF73E291000-memory.dmp	upx
behavioral2/memory/216-154-0x00007FF699F90000-0x00007FF69A2E1000-memory.dmp	upx
behavioral2/memory/1760-152-0x00007FF777780000-0x00007FF777AD1000-memory.dmp	upx
behavioral2/memory/4840-140-0x00007FF6E5390000-0x00007FF6E56E1000-memory.dmp	upx
behavioral2/memory/4548-161-0x00007FF774490000-0x00007FF7747E1000-memory.dmp	upx
behavioral2/memory/3996-160-0x00007FF6690A0000-0x00007FF6693F1000-memory.dmp	upx
behavioral2/memory/4956-159-0x00007FF774C00000-0x00007FF774F51000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\qDYZbwn.exe	2024-11-25_01d67b8fc67892470bb0a2fd602310cc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dZVOwaN.exe	2024-11-25_01d67b8fc67892470bb0a2fd602310cc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qaitxcv.exe	2024-11-25_01d67b8fc67892470bb0a2fd602310cc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ColwVix.exe	2024-11-25_01d67b8fc67892470bb0a2fd602310cc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QTHVsOR.exe	2024-11-25_01d67b8fc67892470bb0a2fd602310cc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vXwDZhj.exe	2024-11-25_01d67b8fc67892470bb0a2fd602310cc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ustVjDA.exe	2024-11-25_01d67b8fc67892470bb0a2fd602310cc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\StSssTa.exe	2024-11-25_01d67b8fc67892470bb0a2fd602310cc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kIRrXiN.exe	2024-11-25_01d67b8fc67892470bb0a2fd602310cc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dRyHGTj.exe	2024-11-25_01d67b8fc67892470bb0a2fd602310cc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gLTLOJx.exe	2024-11-25_01d67b8fc67892470bb0a2fd602310cc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QeIcwQy.exe	2024-11-25_01d67b8fc67892470bb0a2fd602310cc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mPeZgiD.exe	2024-11-25_01d67b8fc67892470bb0a2fd602310cc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CtHRuoj.exe	2024-11-25_01d67b8fc67892470bb0a2fd602310cc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zRPxxbA.exe	2024-11-25_01d67b8fc67892470bb0a2fd602310cc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XbIyQct.exe	2024-11-25_01d67b8fc67892470bb0a2fd602310cc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cohlijq.exe	2024-11-25_01d67b8fc67892470bb0a2fd602310cc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WPCAfwC.exe	2024-11-25_01d67b8fc67892470bb0a2fd602310cc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WuSOXOY.exe	2024-11-25_01d67b8fc67892470bb0a2fd602310cc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jEyhlrZ.exe	2024-11-25_01d67b8fc67892470bb0a2fd602310cc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\Enmxzfa.exe	2024-11-25_01d67b8fc67892470bb0a2fd602310cc_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4840	2024-11-25_01d67b8fc67892470bb0a2fd602310cc_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4840	2024-11-25_01d67b8fc67892470bb0a2fd602310cc_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4840 wrote to memory of 4992	4840	2024-11-25_01d67b8fc67892470bb0a2fd602310cc_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4840 wrote to memory of 4992	4840	2024-11-25_01d67b8fc67892470bb0a2fd602310cc_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4840 wrote to memory of 4196	4840	2024-11-25_01d67b8fc67892470bb0a2fd602310cc_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4840 wrote to memory of 4196	4840	2024-11-25_01d67b8fc67892470bb0a2fd602310cc_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4840 wrote to memory of 3040	4840	2024-11-25_01d67b8fc67892470bb0a2fd602310cc_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4840 wrote to memory of 3040	4840	2024-11-25_01d67b8fc67892470bb0a2fd602310cc_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4840 wrote to memory of 4820	4840	2024-11-25_01d67b8fc67892470bb0a2fd602310cc_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4840 wrote to memory of 4820	4840	2024-11-25_01d67b8fc67892470bb0a2fd602310cc_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4840 wrote to memory of 1824	4840	2024-11-25_01d67b8fc67892470bb0a2fd602310cc_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4840 wrote to memory of 1824	4840	2024-11-25_01d67b8fc67892470bb0a2fd602310cc_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4840 wrote to memory of 4188	4840	2024-11-25_01d67b8fc67892470bb0a2fd602310cc_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4840 wrote to memory of 4188	4840	2024-11-25_01d67b8fc67892470bb0a2fd602310cc_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4840 wrote to memory of 808	4840	2024-11-25_01d67b8fc67892470bb0a2fd602310cc_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4840 wrote to memory of 808	4840	2024-11-25_01d67b8fc67892470bb0a2fd602310cc_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4840 wrote to memory of 2924	4840	2024-11-25_01d67b8fc67892470bb0a2fd602310cc_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4840 wrote to memory of 2924	4840	2024-11-25_01d67b8fc67892470bb0a2fd602310cc_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4840 wrote to memory of 2804	4840	2024-11-25_01d67b8fc67892470bb0a2fd602310cc_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4840 wrote to memory of 2804	4840	2024-11-25_01d67b8fc67892470bb0a2fd602310cc_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4840 wrote to memory of 1644	4840	2024-11-25_01d67b8fc67892470bb0a2fd602310cc_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4840 wrote to memory of 1644	4840	2024-11-25_01d67b8fc67892470bb0a2fd602310cc_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4840 wrote to memory of 1216	4840	2024-11-25_01d67b8fc67892470bb0a2fd602310cc_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4840 wrote to memory of 1216	4840	2024-11-25_01d67b8fc67892470bb0a2fd602310cc_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4840 wrote to memory of 1760	4840	2024-11-25_01d67b8fc67892470bb0a2fd602310cc_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4840 wrote to memory of 1760	4840	2024-11-25_01d67b8fc67892470bb0a2fd602310cc_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4840 wrote to memory of 5056	4840	2024-11-25_01d67b8fc67892470bb0a2fd602310cc_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4840 wrote to memory of 5056	4840	2024-11-25_01d67b8fc67892470bb0a2fd602310cc_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4840 wrote to memory of 216	4840	2024-11-25_01d67b8fc67892470bb0a2fd602310cc_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4840 wrote to memory of 216	4840	2024-11-25_01d67b8fc67892470bb0a2fd602310cc_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4840 wrote to memory of 2432	4840	2024-11-25_01d67b8fc67892470bb0a2fd602310cc_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4840 wrote to memory of 2432	4840	2024-11-25_01d67b8fc67892470bb0a2fd602310cc_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4840 wrote to memory of 3868	4840	2024-11-25_01d67b8fc67892470bb0a2fd602310cc_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4840 wrote to memory of 3868	4840	2024-11-25_01d67b8fc67892470bb0a2fd602310cc_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4840 wrote to memory of 1464	4840	2024-11-25_01d67b8fc67892470bb0a2fd602310cc_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4840 wrote to memory of 1464	4840	2024-11-25_01d67b8fc67892470bb0a2fd602310cc_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4840 wrote to memory of 3112	4840	2024-11-25_01d67b8fc67892470bb0a2fd602310cc_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4840 wrote to memory of 3112	4840	2024-11-25_01d67b8fc67892470bb0a2fd602310cc_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4840 wrote to memory of 4956	4840	2024-11-25_01d67b8fc67892470bb0a2fd602310cc_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4840 wrote to memory of 4956	4840	2024-11-25_01d67b8fc67892470bb0a2fd602310cc_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4840 wrote to memory of 3996	4840	2024-11-25_01d67b8fc67892470bb0a2fd602310cc_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4840 wrote to memory of 3996	4840	2024-11-25_01d67b8fc67892470bb0a2fd602310cc_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4840 wrote to memory of 4548	4840	2024-11-25_01d67b8fc67892470bb0a2fd602310cc_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4840 wrote to memory of 4548	4840	2024-11-25_01d67b8fc67892470bb0a2fd602310cc_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-11-25_01d67b8fc67892470bb0a2fd602310cc_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-25_01d67b8fc67892470bb0a2fd602310cc_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4840
- C:\Windows\System\gLTLOJx.exe
  C:\Windows\System\gLTLOJx.exe
  2⤵
  - Executes dropped EXE
  PID:4992
- C:\Windows\System\QeIcwQy.exe
  C:\Windows\System\QeIcwQy.exe
  2⤵
  - Executes dropped EXE
  PID:4196
- C:\Windows\System\mPeZgiD.exe
  C:\Windows\System\mPeZgiD.exe
  2⤵
  - Executes dropped EXE
  PID:3040
- C:\Windows\System\XbIyQct.exe
  C:\Windows\System\XbIyQct.exe
  2⤵
  - Executes dropped EXE
  PID:4820
- C:\Windows\System\ColwVix.exe
  C:\Windows\System\ColwVix.exe
  2⤵
  - Executes dropped EXE
  PID:1824
- C:\Windows\System\jEyhlrZ.exe
  C:\Windows\System\jEyhlrZ.exe
  2⤵
  - Executes dropped EXE
  PID:4188
- C:\Windows\System\cohlijq.exe
  C:\Windows\System\cohlijq.exe
  2⤵
  - Executes dropped EXE
  PID:808
- C:\Windows\System\QTHVsOR.exe
  C:\Windows\System\QTHVsOR.exe
  2⤵
  - Executes dropped EXE
  PID:2924
- C:\Windows\System\WPCAfwC.exe
  C:\Windows\System\WPCAfwC.exe
  2⤵
  - Executes dropped EXE
  PID:2804
- C:\Windows\System\vXwDZhj.exe
  C:\Windows\System\vXwDZhj.exe
  2⤵
  - Executes dropped EXE
  PID:1644
- C:\Windows\System\CtHRuoj.exe
  C:\Windows\System\CtHRuoj.exe
  2⤵
  - Executes dropped EXE
  PID:1216
- C:\Windows\System\Enmxzfa.exe
  C:\Windows\System\Enmxzfa.exe
  2⤵
  - Executes dropped EXE
  PID:1760
- C:\Windows\System\ustVjDA.exe
  C:\Windows\System\ustVjDA.exe
  2⤵
  - Executes dropped EXE
  PID:5056
- C:\Windows\System\StSssTa.exe
  C:\Windows\System\StSssTa.exe
  2⤵
  - Executes dropped EXE
  PID:216
- C:\Windows\System\qDYZbwn.exe
  C:\Windows\System\qDYZbwn.exe
  2⤵
  - Executes dropped EXE
  PID:2432
- C:\Windows\System\dZVOwaN.exe
  C:\Windows\System\dZVOwaN.exe
  2⤵
  - Executes dropped EXE
  PID:3868
- C:\Windows\System\zRPxxbA.exe
  C:\Windows\System\zRPxxbA.exe
  2⤵
  - Executes dropped EXE
  PID:1464
- C:\Windows\System\WuSOXOY.exe
  C:\Windows\System\WuSOXOY.exe
  2⤵
  - Executes dropped EXE
  PID:3112
- C:\Windows\System\dRyHGTj.exe
  C:\Windows\System\dRyHGTj.exe
  2⤵
  - Executes dropped EXE
  PID:4956
- C:\Windows\System\qaitxcv.exe
  C:\Windows\System\qaitxcv.exe
  2⤵
  - Executes dropped EXE
  PID:3996
- C:\Windows\System\kIRrXiN.exe
  C:\Windows\System\kIRrXiN.exe
  2⤵
  - Executes dropped EXE
  PID:4548

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\ColwVix.exe

Filesize
5.2MB

MD5
9e1d426aa9cd748cde21e961b3922048

SHA1
a1be33dfc1db8f280f8861febfa8ca4d044a0782

SHA256
e9eb84e76d90034d8412c476887ce89ba9af6b09fe74e5e08e7cd8b2b7cf17c1

SHA512
d33281366d0bc574a7d63ed6a2c3958be47f55320ac92c5bc2bfba3e42b291cbd1357c87798f9dfb1ab44fde70f3fbcc21023c1b48b205ca4f4b129c9a9bf267

Download Submit
C:\Windows\System\CtHRuoj.exe

Filesize
5.2MB

MD5
44cf98e88ac40521df0711069a74097e

SHA1
9afe3c6f4c7a21c0c3996aa4b49dd9fa95257dc0

SHA256
ec9f90783235e00e68aaa2bc238fec59d8d2ae44e33f2dfc37c19acb1bf78536

SHA512
ff72ba907ed3fe5c04fd6daf893050a3dba45c233ec96b3a4bdef48f353db66f3c2c5c5d21f366fb45c29bedfc69b53b9fe5eefe0de3cd6cc40ebcb9536a2a78

Download Submit
C:\Windows\System\Enmxzfa.exe

Filesize
5.2MB

MD5
e5b2dd7751589f4cd78b5d14a66b7207

SHA1
8f7aa1cce7a7280211f82a5ce87b67dafa6cf63c

SHA256
d3136237932aca173ae30cfef601d3d9babbdd5a30e0170f3fce035a527e4a58

SHA512
f75741e88562cf58c5b88a0f37318328c73ae04e91c3f10adcfaf50c0f5b951658d3936000915adf91b3f329248dd28cf6364f23edfe0a48837a19b82410dd9d

Download Submit
C:\Windows\System\QTHVsOR.exe

Filesize
5.2MB

MD5
964f736eb5ea610f658d7a0e02e0d628

SHA1
06a6f9c3c3e7afa75e942c0f768b84d506e6fe30

SHA256
9dc69c42c82490d7dcdba418bf3afd46bb6088a9c9ef5dde5af1fae7a621bc92

SHA512
c5a658ba50f7f9244f800a9a0735fc1b2dc29f3284381fb15724c8f3b288a2042962b22db06192c946c72d6d35d686d08e74a753a13864c6f17b9de4cbd51e5f

Download Submit
C:\Windows\System\QeIcwQy.exe

Filesize
5.2MB

MD5
9404b9c67ff7142145e525885c82e2c3

SHA1
d196728dac2b06a30d336b32e35feca25aed703a

SHA256
cb7fe75fb7d39ec84abe5e126e2516ddd753d124d6f3791973101cbe5084b27d

SHA512
1a0a966446856fc51efbe10ea6ca66897d2bbe9af176bede84ba43790a6b3ace5a9adc4748013fcd99b50929deae7595e9729759ad1c501fde18dc2a4b664323

Download Submit
C:\Windows\System\StSssTa.exe

Filesize
5.2MB

MD5
ad85a70200eb2c61f19e462c6f7c0ba1

SHA1
41ea9c26411e1050bda04025e36a82eca161c350

SHA256
4f72d2940dbb16a6f414188fdb083c1ef31e5d5e1aba7f19721442c4dcbf5352

SHA512
83ea157ccb8b20e65b5a1bcabc724e2b5908806baf549af9d79ec9d2821de62802b5294bef1f9de2fc83e982b4aee550916489e1339d477a3f38d9cecc3e67ee

Download Submit
C:\Windows\System\WPCAfwC.exe

Filesize
5.2MB

MD5
4d733b4e666e9634533f4cf885218f16

SHA1
9e305e5a64415a3c165bcbc9207900304d706222

SHA256
1f2432e13eae595b4e4a3a4164910c04c471c662529b804cbf3e04a758d57f47

SHA512
130448e08ce28b1a9cd03e38e8ea90806a6cc4a29a671909b2e0de37a084d0f0c896661cbaa744d19667f9610d15a9c7da4add2c50ee60f9bc68c87b0521ec91

Download Submit
C:\Windows\System\WuSOXOY.exe

Filesize
5.2MB

MD5
a2ad40ed4cdb0b967f323e2d19d2738a

SHA1
0a7e18cb3dc5b02caf2a894e69d97d3bf33d2fc2

SHA256
7bd829c5ec55a5a013a5c7b8d1276e11b0a2b58e3671b3dc41da8f546b8fcec7

SHA512
292628eb7543258db76b601fa60d69873ee8923ae5b9d6b5574734f0ce0227efc119dff222fbc32b637193610088f645b2d75de00485653c1f8a286824161d75

Download Submit
C:\Windows\System\XbIyQct.exe

Filesize
5.2MB

MD5
1978ee1f97054d8acb4c9d90518cffa7

SHA1
89547e7b2d2c7c5ec72c273f4264be5ac2368432

SHA256
297f79a72f3328533f082a49acc75501993918aab0b20cea2bb6736ab0e9f941

SHA512
dd69821f07ff8bbdf5d57c4ff59f1fd92ad6c2f4d2d4753960e4a403dc53eceb11cc54206a6130f5fb80eb6066cf132270ac76942a3fa095a1fa51036d804c1e

Download Submit
C:\Windows\System\cohlijq.exe

Filesize
5.2MB

MD5
4ae8b4cab9989f96fbc9d71b64e23300

SHA1
0c823a152e678a057207d203d513e0c59cc1bab8

SHA256
1a3aaed4eda166e311d59f77a3c57206fb513260a0a59372439e2ab04eee42ad

SHA512
d6fd6e8186c6a077aeac45013161398bb60f025bc5d30a322f21b793a74e8983b7a684ea67d11411a394bfd1f785e7f9180a51147f4a4f31fb8034840a508886

Download Submit
C:\Windows\System\dRyHGTj.exe

Filesize
5.2MB

MD5
46b7f1755c872ee5996de66121af9953

SHA1
1173b4205df2cdaeb95d786947cc4d3f31236487

SHA256
9a18273f134dc2361c1689cc4675fd218961a8b44af80a5ddf5242db7f1b1f6c

SHA512
714c41c94ef7b2b2a834401fb4e261bc2d4f4735e27c7d505b10d94da13c47170e1401dd4e29f7ef1b1a3ae07a5ed09e87ba6209a4e8ba01c0928222007f7709

Download Submit
C:\Windows\System\dZVOwaN.exe

Filesize
5.2MB

MD5
3f32b8925627293104d6f010c5c2060e

SHA1
bdd5d4ba425314519cd40fc55072de66f5a63cea

SHA256
ebafc963025bf60b2e3309adc783c6fddb7dc4ad7a8d630d85ddb95b92dd6819

SHA512
9cbe26c871175e0d223456cc7cc83facb04ece9d0fa1b67bd0bc9dfb258f654aafb78f1e24d1ac23cbf2de02da8974c6d40b39167113871a29314ac9ead510cf

Download Submit
C:\Windows\System\gLTLOJx.exe

Filesize
5.2MB

MD5
f5061d49219193993245879dcdbd1d49

SHA1
d2158bfec5ccf674ceb9e20518249a189dbbf844

SHA256
6220ada958ed138c251ad36c2f40a25d66901e3b652671603c76dea89d83809b

SHA512
67c1962d39e0b6bafbc39f9cb9ced3485ca76e48608a949347ff3c18fee39d64a17cd3b30d1a129087ac8a1b5255298bd599a2b6a43031314542c7c9b3c7958a

Download Submit
C:\Windows\System\jEyhlrZ.exe

Filesize
5.2MB

MD5
28f38b68d2c046e869de88107ccec6fc

SHA1
26c143f483e1fe80bd98f42c5f50fdc715d97a8e

SHA256
2dc931866ab105c8a51b7b29f73b0319488bb6076c53a6b8584dc0bacefc832c

SHA512
9de80270f73400803bc988a8fd56e10261a6c5eb90dd2690053bbbbfdc0299ce234ed2454fcae9b953043f7931c52e73459e80f5177ad02b25385ea6d7677364

Download Submit
C:\Windows\System\kIRrXiN.exe

Filesize
5.2MB

MD5
3995ea8908e04a32dac4838f1d9c3345

SHA1
cb5170f13f6416074d6eaabe3255659a2c42af0e

SHA256
9732a629f7715dd3fe7d6bbc169d184de98d4f60f7582a8ab2a4d9757cc41072

SHA512
30acf49ecc842c5ee153b8dd7b1b267e8c08bbabb7d16349b63b449158daba3e156fb987aa9431a301673a9bac5c49aad6657e3da1174b2de80898b7f3973507

Download Submit
C:\Windows\System\mPeZgiD.exe

Filesize
5.2MB

MD5
34cc43b115594b9c44ca8b1fe8bb079e

SHA1
7a9b295687e76447e7c05c911630ad50016d569a

SHA256
c55fd5690bf81c6e3228a98c366f927b3019aa704ac77fae00b4a7009d2bb3fc

SHA512
3921278a7b3fa8e039b5f01742ce756a60daa11144cc5b5a3d3a6d8387b8e859f001f99b87b5c8042869e6bf18e9c4450b9c9035401fbb376104a540452ac3ee

Download Submit
C:\Windows\System\qDYZbwn.exe

Filesize
5.2MB

MD5
9485cc351a09391ea4b7bd5385253986

SHA1
8831fb9a45d00474e9dae21f998fcf9b78dc6f59

SHA256
76a25396b1ea2fadc84ff08be50b5437f7acc5ff599c2e7aa78b69ec8c5c69fd

SHA512
bf05e47a949ed98944ac47ee5ba6d47800b6501dbf527060b676f38add234a6c8813f2778c603e119cffec683fb40ee1e5a262777453f6bd6c467010450fc469

Download Submit
C:\Windows\System\qaitxcv.exe

Filesize
5.2MB

MD5
571b7e50eff342e65ba4aa1b098aa2fe

SHA1
c6bf5a6d28a9536626f8fe70bf5607531aa26972

SHA256
b1e6a25feeb56fabd025cb9d0787dff87c5ca012584f43e510ca65b11d1ad3a6

SHA512
ab0e3964d1f3f37f7c2da1f20728b22c24bad27f71b7d727cd591ae84a80491b99d0b2eeae2fab7cb44c9e7cb3147eb40e5f7bdbb5dca6577f1a4f20b43f5c7f

Download Submit
C:\Windows\System\ustVjDA.exe

Filesize
5.2MB

MD5
4bf09ca2170f3ebd9352913546ba0dc1

SHA1
3935ddd709be0b04671f69f1a9cd4eecc7caa5d8

SHA256
a88e8a560c9d4417597c9f41f5b9446bb66e18936ec4f1f0105926a47e295838

SHA512
1d37fdad9e37fe64a63b82ab6eda817d394e0aea0f9bffc8ad56d82d06dd69fb8912736a1c17848b9197cb922f9e21975f482b666e8600952c9707ce495dee88

Download Submit
C:\Windows\System\vXwDZhj.exe

Filesize
5.2MB

MD5
a61611c50949fe735e721e5a6d940282

SHA1
d845c8277c5c4fc71f1f165427aa1562e34d7d35

SHA256
1402fd464094c79654089d8e78bc68af3b818bbfde0706cbd18d3191b9170fb5

SHA512
fa1db1fc7b57c12a530a37597b5a60702cac5b1ec6b0c912359bb4f2b0e59df99cf7f37196a47d94507727e10c9b2e5232961fca6a73df2d1d5a87d868137c91

Download Submit
C:\Windows\System\zRPxxbA.exe

Filesize
5.2MB

MD5
a855a6d5d2e32ec9ae4fef09fe9cd948

SHA1
31a6898126ef5964e4f8f8bd7587dc35100215ef

SHA256
579820fd249140989168cf34a06dc6f79e644bb7af940fe92944e4e4a47db1a1

SHA512
2a458b5a2d62009045ce7aa582091ccf4aa4a982a22acd945b27729773f47cfb3f65b59719e1d0e56468613865c7ddc278b74ea63e4268b96ee11d46a9077eb3

Download Submit
memory/216-89-0x00007FF699F90000-0x00007FF69A2E1000-memory.dmp

Filesize
3.3MB

Download
memory/216-154-0x00007FF699F90000-0x00007FF69A2E1000-memory.dmp

Filesize
3.3MB

Download
memory/216-254-0x00007FF699F90000-0x00007FF69A2E1000-memory.dmp

Filesize
3.3MB

Download
memory/808-111-0x00007FF658870000-0x00007FF658BC1000-memory.dmp

Filesize
3.3MB

Download
memory/808-49-0x00007FF658870000-0x00007FF658BC1000-memory.dmp

Filesize
3.3MB

Download
memory/808-231-0x00007FF658870000-0x00007FF658BC1000-memory.dmp

Filesize
3.3MB

Download
memory/1216-248-0x00007FF6087B0000-0x00007FF608B01000-memory.dmp

Filesize
3.3MB

Download
memory/1216-129-0x00007FF6087B0000-0x00007FF608B01000-memory.dmp

Filesize
3.3MB

Download
memory/1216-66-0x00007FF6087B0000-0x00007FF608B01000-memory.dmp

Filesize
3.3MB

Download
memory/1464-157-0x00007FF785160000-0x00007FF7854B1000-memory.dmp

Filesize
3.3MB

Download
memory/1464-112-0x00007FF785160000-0x00007FF7854B1000-memory.dmp

Filesize
3.3MB

Download
memory/1464-257-0x00007FF785160000-0x00007FF7854B1000-memory.dmp

Filesize
3.3MB

Download
memory/1644-65-0x00007FF6E7090000-0x00007FF6E73E1000-memory.dmp

Filesize
3.3MB

Download
memory/1644-128-0x00007FF6E7090000-0x00007FF6E73E1000-memory.dmp

Filesize
3.3MB

Download
memory/1644-249-0x00007FF6E7090000-0x00007FF6E73E1000-memory.dmp

Filesize
3.3MB

Download
memory/1760-78-0x00007FF777780000-0x00007FF777AD1000-memory.dmp

Filesize
3.3MB

Download
memory/1760-251-0x00007FF777780000-0x00007FF777AD1000-memory.dmp

Filesize
3.3MB

Download
memory/1760-152-0x00007FF777780000-0x00007FF777AD1000-memory.dmp

Filesize
3.3MB

Download
memory/1824-227-0x00007FF693460000-0x00007FF6937B1000-memory.dmp

Filesize
3.3MB

Download
memory/1824-33-0x00007FF693460000-0x00007FF6937B1000-memory.dmp

Filesize
3.3MB

Download
memory/1824-88-0x00007FF693460000-0x00007FF6937B1000-memory.dmp

Filesize
3.3MB

Download
memory/2432-255-0x00007FF73DF40000-0x00007FF73E291000-memory.dmp

Filesize
3.3MB

Download
memory/2432-93-0x00007FF73DF40000-0x00007FF73E291000-memory.dmp

Filesize
3.3MB

Download
memory/2432-155-0x00007FF73DF40000-0x00007FF73E291000-memory.dmp

Filesize
3.3MB

Download
memory/2804-124-0x00007FF70D250000-0x00007FF70D5A1000-memory.dmp

Filesize
3.3MB

Download
memory/2804-54-0x00007FF70D250000-0x00007FF70D5A1000-memory.dmp

Filesize
3.3MB

Download
memory/2804-233-0x00007FF70D250000-0x00007FF70D5A1000-memory.dmp

Filesize
3.3MB

Download
memory/2924-104-0x00007FF6C7A90000-0x00007FF6C7DE1000-memory.dmp

Filesize
3.3MB

Download
memory/2924-44-0x00007FF6C7A90000-0x00007FF6C7DE1000-memory.dmp

Filesize
3.3MB

Download
memory/2924-235-0x00007FF6C7A90000-0x00007FF6C7DE1000-memory.dmp

Filesize
3.3MB

Download
memory/3040-75-0x00007FF75A180000-0x00007FF75A4D1000-memory.dmp

Filesize
3.3MB

Download
memory/3040-20-0x00007FF75A180000-0x00007FF75A4D1000-memory.dmp

Filesize
3.3MB

Download
memory/3040-216-0x00007FF75A180000-0x00007FF75A4D1000-memory.dmp

Filesize
3.3MB

Download
memory/3112-158-0x00007FF796010000-0x00007FF796361000-memory.dmp

Filesize
3.3MB

Download
memory/3112-261-0x00007FF796010000-0x00007FF796361000-memory.dmp

Filesize
3.3MB

Download
memory/3112-118-0x00007FF796010000-0x00007FF796361000-memory.dmp

Filesize
3.3MB

Download
memory/3868-156-0x00007FF695F70000-0x00007FF6962C1000-memory.dmp

Filesize
3.3MB

Download
memory/3868-259-0x00007FF695F70000-0x00007FF6962C1000-memory.dmp

Filesize
3.3MB

Download
memory/3868-105-0x00007FF695F70000-0x00007FF6962C1000-memory.dmp

Filesize
3.3MB

Download
memory/3996-160-0x00007FF6690A0000-0x00007FF6693F1000-memory.dmp

Filesize
3.3MB

Download
memory/3996-265-0x00007FF6690A0000-0x00007FF6693F1000-memory.dmp

Filesize
3.3MB

Download
memory/3996-133-0x00007FF6690A0000-0x00007FF6693F1000-memory.dmp

Filesize
3.3MB

Download
memory/4188-40-0x00007FF609BA0000-0x00007FF609EF1000-memory.dmp

Filesize
3.3MB

Download
memory/4188-101-0x00007FF609BA0000-0x00007FF609EF1000-memory.dmp

Filesize
3.3MB

Download
memory/4188-229-0x00007FF609BA0000-0x00007FF609EF1000-memory.dmp

Filesize
3.3MB

Download
memory/4196-67-0x00007FF73F260000-0x00007FF73F5B1000-memory.dmp

Filesize
3.3MB

Download
memory/4196-14-0x00007FF73F260000-0x00007FF73F5B1000-memory.dmp

Filesize
3.3MB

Download
memory/4196-214-0x00007FF73F260000-0x00007FF73F5B1000-memory.dmp

Filesize
3.3MB

Download
memory/4548-134-0x00007FF774490000-0x00007FF7747E1000-memory.dmp

Filesize
3.3MB

Download
memory/4548-263-0x00007FF774490000-0x00007FF7747E1000-memory.dmp

Filesize
3.3MB

Download
memory/4548-161-0x00007FF774490000-0x00007FF7747E1000-memory.dmp

Filesize
3.3MB

Download
memory/4820-87-0x00007FF727F00000-0x00007FF728251000-memory.dmp

Filesize
3.3MB

Download
memory/4820-26-0x00007FF727F00000-0x00007FF728251000-memory.dmp

Filesize
3.3MB

Download
memory/4820-225-0x00007FF727F00000-0x00007FF728251000-memory.dmp

Filesize
3.3MB

Download
memory/4840-1-0x000001B82BAA0000-0x000001B82BAB0000-memory.dmp

Filesize
64KB

Download
memory/4840-140-0x00007FF6E5390000-0x00007FF6E56E1000-memory.dmp

Filesize
3.3MB

Download
memory/4840-53-0x00007FF6E5390000-0x00007FF6E56E1000-memory.dmp

Filesize
3.3MB

Download
memory/4840-0-0x00007FF6E5390000-0x00007FF6E56E1000-memory.dmp

Filesize
3.3MB

Download
memory/4840-162-0x00007FF6E5390000-0x00007FF6E56E1000-memory.dmp

Filesize
3.3MB

Download
memory/4956-127-0x00007FF774C00000-0x00007FF774F51000-memory.dmp

Filesize
3.3MB

Download
memory/4956-159-0x00007FF774C00000-0x00007FF774F51000-memory.dmp

Filesize
3.3MB

Download
memory/4956-267-0x00007FF774C00000-0x00007FF774F51000-memory.dmp

Filesize
3.3MB

Download
memory/4992-7-0x00007FF74BD20000-0x00007FF74C071000-memory.dmp

Filesize
3.3MB

Download
memory/4992-64-0x00007FF74BD20000-0x00007FF74C071000-memory.dmp

Filesize
3.3MB

Download
memory/4992-210-0x00007FF74BD20000-0x00007FF74C071000-memory.dmp

Filesize
3.3MB

Download
memory/5056-153-0x00007FF622C70000-0x00007FF622FC1000-memory.dmp

Filesize
3.3MB

Download
memory/5056-82-0x00007FF622C70000-0x00007FF622FC1000-memory.dmp

Filesize
3.3MB

Download
memory/5056-271-0x00007FF622C70000-0x00007FF622FC1000-memory.dmp

Filesize
3.3MB

Download