cobaltstrike | 58c6a80cec0ec5d19dc3e168803dfb14c620faae018a5f183f5f3bc1222fba62

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27/11/2024, 05:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-27_c7aa3bc583b413aacef9dfaddb577895_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

c7aa3bc583b413aacef9dfaddb577895
SHA1

850958564cbd06bdbda2a3fb0e9e9583fd828268
SHA256

58c6a80cec0ec5d19dc3e168803dfb14c620faae018a5f183f5f3bc1222fba62
SHA512

ff0b0df34da90b160378d5b0850c6b75ad04a8fb7382c93d50cc9fc9264f8ea710bf87235b15f66799979e53027c87358be1160782c816a42685e4891d45af94
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lI:RWWBibf56utgpPFotBER/mQ32lU0

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000c000000023b36-4.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b97-10.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b96-11.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b99-26.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9a-32.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b98-30.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9b-41.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9c-47.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9d-54.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9e-56.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9f-70.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba1-88.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba3-97.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba2-95.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba0-79.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba5-108.dat	cobalt_reflective_dll
behavioral2/files/0x0031000000023ba4-109.dat	cobalt_reflective_dll
behavioral2/files/0x0058000000023ba6-115.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba7-121.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba8-126.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba9-129.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 46 IoCs

miner

resource	yara_rule
behavioral2/memory/1872-50-0x00007FF63C860000-0x00007FF63CBB1000-memory.dmp	xmrig
behavioral2/memory/3108-59-0x00007FF6E26D0000-0x00007FF6E2A21000-memory.dmp	xmrig
behavioral2/memory/2352-68-0x00007FF6C8BA0000-0x00007FF6C8EF1000-memory.dmp	xmrig
behavioral2/memory/1976-77-0x00007FF7118A0000-0x00007FF711BF1000-memory.dmp	xmrig
behavioral2/memory/3496-93-0x00007FF771470000-0x00007FF7717C1000-memory.dmp	xmrig
behavioral2/memory/4216-90-0x00007FF72AD80000-0x00007FF72B0D1000-memory.dmp	xmrig
behavioral2/memory/3376-83-0x00007FF7CE170000-0x00007FF7CE4C1000-memory.dmp	xmrig
behavioral2/memory/628-73-0x00007FF624050000-0x00007FF6243A1000-memory.dmp	xmrig
behavioral2/memory/2536-69-0x00007FF723670000-0x00007FF7239C1000-memory.dmp	xmrig
behavioral2/memory/5064-134-0x00007FF73C0E0000-0x00007FF73C431000-memory.dmp	xmrig
behavioral2/memory/220-135-0x00007FF7B8970000-0x00007FF7B8CC1000-memory.dmp	xmrig
behavioral2/memory/4508-138-0x00007FF7A1660000-0x00007FF7A19B1000-memory.dmp	xmrig
behavioral2/memory/2432-139-0x00007FF620EA0000-0x00007FF6211F1000-memory.dmp	xmrig
behavioral2/memory/3228-140-0x00007FF6BCC80000-0x00007FF6BCFD1000-memory.dmp	xmrig
behavioral2/memory/3848-141-0x00007FF70B410000-0x00007FF70B761000-memory.dmp	xmrig
behavioral2/memory/4548-136-0x00007FF7619A0000-0x00007FF761CF1000-memory.dmp	xmrig
behavioral2/memory/2156-133-0x00007FF653AA0000-0x00007FF653DF1000-memory.dmp	xmrig
behavioral2/memory/3220-144-0x00007FF7A71F0000-0x00007FF7A7541000-memory.dmp	xmrig
behavioral2/memory/2184-147-0x00007FF640090000-0x00007FF6403E1000-memory.dmp	xmrig
behavioral2/memory/2436-150-0x00007FF603BD0000-0x00007FF603F21000-memory.dmp	xmrig
behavioral2/memory/4804-149-0x00007FF6B47C0000-0x00007FF6B4B11000-memory.dmp	xmrig
behavioral2/memory/2368-148-0x00007FF7660C0000-0x00007FF766411000-memory.dmp	xmrig
behavioral2/memory/3108-152-0x00007FF6E26D0000-0x00007FF6E2A21000-memory.dmp	xmrig
behavioral2/memory/3848-164-0x00007FF70B410000-0x00007FF70B761000-memory.dmp	xmrig
behavioral2/memory/3108-174-0x00007FF6E26D0000-0x00007FF6E2A21000-memory.dmp	xmrig
behavioral2/memory/2536-205-0x00007FF723670000-0x00007FF7239C1000-memory.dmp	xmrig
behavioral2/memory/1976-207-0x00007FF7118A0000-0x00007FF711BF1000-memory.dmp	xmrig
behavioral2/memory/3376-209-0x00007FF7CE170000-0x00007FF7CE4C1000-memory.dmp	xmrig
behavioral2/memory/4216-211-0x00007FF72AD80000-0x00007FF72B0D1000-memory.dmp	xmrig
behavioral2/memory/5064-213-0x00007FF73C0E0000-0x00007FF73C431000-memory.dmp	xmrig
behavioral2/memory/3496-215-0x00007FF771470000-0x00007FF7717C1000-memory.dmp	xmrig
behavioral2/memory/2156-229-0x00007FF653AA0000-0x00007FF653DF1000-memory.dmp	xmrig
behavioral2/memory/1872-228-0x00007FF63C860000-0x00007FF63CBB1000-memory.dmp	xmrig
behavioral2/memory/628-239-0x00007FF624050000-0x00007FF6243A1000-memory.dmp	xmrig
behavioral2/memory/3220-237-0x00007FF7A71F0000-0x00007FF7A7541000-memory.dmp	xmrig
behavioral2/memory/2352-236-0x00007FF6C8BA0000-0x00007FF6C8EF1000-memory.dmp	xmrig
behavioral2/memory/2184-241-0x00007FF640090000-0x00007FF6403E1000-memory.dmp	xmrig
behavioral2/memory/2368-243-0x00007FF7660C0000-0x00007FF766411000-memory.dmp	xmrig
behavioral2/memory/4804-247-0x00007FF6B47C0000-0x00007FF6B4B11000-memory.dmp	xmrig
behavioral2/memory/2436-246-0x00007FF603BD0000-0x00007FF603F21000-memory.dmp	xmrig
behavioral2/memory/4548-255-0x00007FF7619A0000-0x00007FF761CF1000-memory.dmp	xmrig
behavioral2/memory/220-257-0x00007FF7B8970000-0x00007FF7B8CC1000-memory.dmp	xmrig
behavioral2/memory/4508-260-0x00007FF7A1660000-0x00007FF7A19B1000-memory.dmp	xmrig
behavioral2/memory/2432-261-0x00007FF620EA0000-0x00007FF6211F1000-memory.dmp	xmrig
behavioral2/memory/3228-263-0x00007FF6BCC80000-0x00007FF6BCFD1000-memory.dmp	xmrig
behavioral2/memory/3848-265-0x00007FF70B410000-0x00007FF70B761000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2536	PVtRHpr.exe
1976	SXHQZgG.exe
3376	FkMKOsr.exe
4216	okfcqDd.exe
3496	eabuBSl.exe
5064	YcDRQMF.exe
2156	pEQVaZZ.exe
1872	UuZLxQo.exe
3220	ayvGbja.exe
2352	MUETlin.exe
628	eilFWfL.exe
2184	VnpNrWq.exe
2368	GpdHvVL.exe
4804	OWsRUhx.exe
2436	UnQAPFR.exe
220	cACuVUk.exe
4548	OGtRHoy.exe
4508	ArsonuR.exe
2432	NELUyyO.exe
3228	jFPPXPO.exe
3848	gjkXnzB.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3108-0-0x00007FF6E26D0000-0x00007FF6E2A21000-memory.dmp	upx
behavioral2/files/0x000c000000023b36-4.dat	upx
behavioral2/memory/2536-8-0x00007FF723670000-0x00007FF7239C1000-memory.dmp	upx
behavioral2/files/0x000a000000023b97-10.dat	upx
behavioral2/files/0x000a000000023b96-11.dat	upx
behavioral2/memory/3376-18-0x00007FF7CE170000-0x00007FF7CE4C1000-memory.dmp	upx
behavioral2/files/0x000a000000023b99-26.dat	upx
behavioral2/files/0x000a000000023b9a-32.dat	upx
behavioral2/memory/3496-33-0x00007FF771470000-0x00007FF7717C1000-memory.dmp	upx
behavioral2/memory/5064-34-0x00007FF73C0E0000-0x00007FF73C431000-memory.dmp	upx
behavioral2/files/0x000a000000023b98-30.dat	upx
behavioral2/memory/4216-28-0x00007FF72AD80000-0x00007FF72B0D1000-memory.dmp	upx
behavioral2/memory/1976-12-0x00007FF7118A0000-0x00007FF711BF1000-memory.dmp	upx
behavioral2/files/0x000a000000023b9b-41.dat	upx
behavioral2/memory/2156-42-0x00007FF653AA0000-0x00007FF653DF1000-memory.dmp	upx
behavioral2/files/0x000a000000023b9c-47.dat	upx
behavioral2/memory/1872-50-0x00007FF63C860000-0x00007FF63CBB1000-memory.dmp	upx
behavioral2/files/0x000a000000023b9d-54.dat	upx
behavioral2/files/0x000a000000023b9e-56.dat	upx
behavioral2/memory/3108-59-0x00007FF6E26D0000-0x00007FF6E2A21000-memory.dmp	upx
behavioral2/memory/2352-68-0x00007FF6C8BA0000-0x00007FF6C8EF1000-memory.dmp	upx
behavioral2/files/0x000a000000023b9f-70.dat	upx
behavioral2/memory/1976-77-0x00007FF7118A0000-0x00007FF711BF1000-memory.dmp	upx
behavioral2/memory/2368-78-0x00007FF7660C0000-0x00007FF766411000-memory.dmp	upx
behavioral2/memory/2184-80-0x00007FF640090000-0x00007FF6403E1000-memory.dmp	upx
behavioral2/files/0x000a000000023ba1-88.dat	upx
behavioral2/memory/3496-93-0x00007FF771470000-0x00007FF7717C1000-memory.dmp	upx
behavioral2/files/0x000a000000023ba3-97.dat	upx
behavioral2/files/0x000a000000023ba2-95.dat	upx
behavioral2/memory/2436-94-0x00007FF603BD0000-0x00007FF603F21000-memory.dmp	upx
behavioral2/memory/4804-91-0x00007FF6B47C0000-0x00007FF6B4B11000-memory.dmp	upx
behavioral2/memory/4216-90-0x00007FF72AD80000-0x00007FF72B0D1000-memory.dmp	upx
behavioral2/memory/3376-83-0x00007FF7CE170000-0x00007FF7CE4C1000-memory.dmp	upx
behavioral2/files/0x000a000000023ba0-79.dat	upx
behavioral2/memory/628-73-0x00007FF624050000-0x00007FF6243A1000-memory.dmp	upx
behavioral2/memory/2536-69-0x00007FF723670000-0x00007FF7239C1000-memory.dmp	upx
behavioral2/memory/3220-64-0x00007FF7A71F0000-0x00007FF7A7541000-memory.dmp	upx
behavioral2/files/0x000a000000023ba5-108.dat	upx
behavioral2/files/0x0031000000023ba4-109.dat	upx
behavioral2/files/0x0058000000023ba6-115.dat	upx
behavioral2/files/0x000a000000023ba7-121.dat	upx
behavioral2/files/0x000a000000023ba8-126.dat	upx
behavioral2/files/0x000a000000023ba9-129.dat	upx
behavioral2/memory/5064-134-0x00007FF73C0E0000-0x00007FF73C431000-memory.dmp	upx
behavioral2/memory/220-135-0x00007FF7B8970000-0x00007FF7B8CC1000-memory.dmp	upx
behavioral2/memory/4508-138-0x00007FF7A1660000-0x00007FF7A19B1000-memory.dmp	upx
behavioral2/memory/2432-139-0x00007FF620EA0000-0x00007FF6211F1000-memory.dmp	upx
behavioral2/memory/3228-140-0x00007FF6BCC80000-0x00007FF6BCFD1000-memory.dmp	upx
behavioral2/memory/3848-141-0x00007FF70B410000-0x00007FF70B761000-memory.dmp	upx
behavioral2/memory/4548-136-0x00007FF7619A0000-0x00007FF761CF1000-memory.dmp	upx
behavioral2/memory/2156-133-0x00007FF653AA0000-0x00007FF653DF1000-memory.dmp	upx
behavioral2/memory/3220-144-0x00007FF7A71F0000-0x00007FF7A7541000-memory.dmp	upx
behavioral2/memory/2184-147-0x00007FF640090000-0x00007FF6403E1000-memory.dmp	upx
behavioral2/memory/2436-150-0x00007FF603BD0000-0x00007FF603F21000-memory.dmp	upx
behavioral2/memory/4804-149-0x00007FF6B47C0000-0x00007FF6B4B11000-memory.dmp	upx
behavioral2/memory/2368-148-0x00007FF7660C0000-0x00007FF766411000-memory.dmp	upx
behavioral2/memory/3108-152-0x00007FF6E26D0000-0x00007FF6E2A21000-memory.dmp	upx
behavioral2/memory/3848-164-0x00007FF70B410000-0x00007FF70B761000-memory.dmp	upx
behavioral2/memory/3108-174-0x00007FF6E26D0000-0x00007FF6E2A21000-memory.dmp	upx
behavioral2/memory/2536-205-0x00007FF723670000-0x00007FF7239C1000-memory.dmp	upx
behavioral2/memory/1976-207-0x00007FF7118A0000-0x00007FF711BF1000-memory.dmp	upx
behavioral2/memory/3376-209-0x00007FF7CE170000-0x00007FF7CE4C1000-memory.dmp	upx
behavioral2/memory/4216-211-0x00007FF72AD80000-0x00007FF72B0D1000-memory.dmp	upx
behavioral2/memory/5064-213-0x00007FF73C0E0000-0x00007FF73C431000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\cACuVUk.exe	2024-11-27_c7aa3bc583b413aacef9dfaddb577895_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NELUyyO.exe	2024-11-27_c7aa3bc583b413aacef9dfaddb577895_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\okfcqDd.exe	2024-11-27_c7aa3bc583b413aacef9dfaddb577895_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UuZLxQo.exe	2024-11-27_c7aa3bc583b413aacef9dfaddb577895_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eilFWfL.exe	2024-11-27_c7aa3bc583b413aacef9dfaddb577895_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pEQVaZZ.exe	2024-11-27_c7aa3bc583b413aacef9dfaddb577895_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VnpNrWq.exe	2024-11-27_c7aa3bc583b413aacef9dfaddb577895_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GpdHvVL.exe	2024-11-27_c7aa3bc583b413aacef9dfaddb577895_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jFPPXPO.exe	2024-11-27_c7aa3bc583b413aacef9dfaddb577895_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PVtRHpr.exe	2024-11-27_c7aa3bc583b413aacef9dfaddb577895_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SXHQZgG.exe	2024-11-27_c7aa3bc583b413aacef9dfaddb577895_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eabuBSl.exe	2024-11-27_c7aa3bc583b413aacef9dfaddb577895_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OGtRHoy.exe	2024-11-27_c7aa3bc583b413aacef9dfaddb577895_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ArsonuR.exe	2024-11-27_c7aa3bc583b413aacef9dfaddb577895_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gjkXnzB.exe	2024-11-27_c7aa3bc583b413aacef9dfaddb577895_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FkMKOsr.exe	2024-11-27_c7aa3bc583b413aacef9dfaddb577895_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ayvGbja.exe	2024-11-27_c7aa3bc583b413aacef9dfaddb577895_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OWsRUhx.exe	2024-11-27_c7aa3bc583b413aacef9dfaddb577895_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YcDRQMF.exe	2024-11-27_c7aa3bc583b413aacef9dfaddb577895_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MUETlin.exe	2024-11-27_c7aa3bc583b413aacef9dfaddb577895_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UnQAPFR.exe	2024-11-27_c7aa3bc583b413aacef9dfaddb577895_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3108	2024-11-27_c7aa3bc583b413aacef9dfaddb577895_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	3108	2024-11-27_c7aa3bc583b413aacef9dfaddb577895_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3108 wrote to memory of 2536	3108	2024-11-27_c7aa3bc583b413aacef9dfaddb577895_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3108 wrote to memory of 2536	3108	2024-11-27_c7aa3bc583b413aacef9dfaddb577895_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3108 wrote to memory of 1976	3108	2024-11-27_c7aa3bc583b413aacef9dfaddb577895_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3108 wrote to memory of 1976	3108	2024-11-27_c7aa3bc583b413aacef9dfaddb577895_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3108 wrote to memory of 3376	3108	2024-11-27_c7aa3bc583b413aacef9dfaddb577895_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3108 wrote to memory of 3376	3108	2024-11-27_c7aa3bc583b413aacef9dfaddb577895_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3108 wrote to memory of 4216	3108	2024-11-27_c7aa3bc583b413aacef9dfaddb577895_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3108 wrote to memory of 4216	3108	2024-11-27_c7aa3bc583b413aacef9dfaddb577895_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3108 wrote to memory of 3496	3108	2024-11-27_c7aa3bc583b413aacef9dfaddb577895_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3108 wrote to memory of 3496	3108	2024-11-27_c7aa3bc583b413aacef9dfaddb577895_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3108 wrote to memory of 5064	3108	2024-11-27_c7aa3bc583b413aacef9dfaddb577895_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3108 wrote to memory of 5064	3108	2024-11-27_c7aa3bc583b413aacef9dfaddb577895_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3108 wrote to memory of 2156	3108	2024-11-27_c7aa3bc583b413aacef9dfaddb577895_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3108 wrote to memory of 2156	3108	2024-11-27_c7aa3bc583b413aacef9dfaddb577895_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3108 wrote to memory of 1872	3108	2024-11-27_c7aa3bc583b413aacef9dfaddb577895_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3108 wrote to memory of 1872	3108	2024-11-27_c7aa3bc583b413aacef9dfaddb577895_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3108 wrote to memory of 3220	3108	2024-11-27_c7aa3bc583b413aacef9dfaddb577895_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3108 wrote to memory of 3220	3108	2024-11-27_c7aa3bc583b413aacef9dfaddb577895_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3108 wrote to memory of 2352	3108	2024-11-27_c7aa3bc583b413aacef9dfaddb577895_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3108 wrote to memory of 2352	3108	2024-11-27_c7aa3bc583b413aacef9dfaddb577895_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3108 wrote to memory of 628	3108	2024-11-27_c7aa3bc583b413aacef9dfaddb577895_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3108 wrote to memory of 628	3108	2024-11-27_c7aa3bc583b413aacef9dfaddb577895_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3108 wrote to memory of 2184	3108	2024-11-27_c7aa3bc583b413aacef9dfaddb577895_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3108 wrote to memory of 2184	3108	2024-11-27_c7aa3bc583b413aacef9dfaddb577895_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3108 wrote to memory of 2368	3108	2024-11-27_c7aa3bc583b413aacef9dfaddb577895_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3108 wrote to memory of 2368	3108	2024-11-27_c7aa3bc583b413aacef9dfaddb577895_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3108 wrote to memory of 4804	3108	2024-11-27_c7aa3bc583b413aacef9dfaddb577895_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3108 wrote to memory of 4804	3108	2024-11-27_c7aa3bc583b413aacef9dfaddb577895_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3108 wrote to memory of 2436	3108	2024-11-27_c7aa3bc583b413aacef9dfaddb577895_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3108 wrote to memory of 2436	3108	2024-11-27_c7aa3bc583b413aacef9dfaddb577895_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3108 wrote to memory of 220	3108	2024-11-27_c7aa3bc583b413aacef9dfaddb577895_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3108 wrote to memory of 220	3108	2024-11-27_c7aa3bc583b413aacef9dfaddb577895_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3108 wrote to memory of 4548	3108	2024-11-27_c7aa3bc583b413aacef9dfaddb577895_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3108 wrote to memory of 4548	3108	2024-11-27_c7aa3bc583b413aacef9dfaddb577895_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3108 wrote to memory of 4508	3108	2024-11-27_c7aa3bc583b413aacef9dfaddb577895_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3108 wrote to memory of 4508	3108	2024-11-27_c7aa3bc583b413aacef9dfaddb577895_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3108 wrote to memory of 2432	3108	2024-11-27_c7aa3bc583b413aacef9dfaddb577895_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 3108 wrote to memory of 2432	3108	2024-11-27_c7aa3bc583b413aacef9dfaddb577895_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 3108 wrote to memory of 3228	3108	2024-11-27_c7aa3bc583b413aacef9dfaddb577895_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 3108 wrote to memory of 3228	3108	2024-11-27_c7aa3bc583b413aacef9dfaddb577895_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 3108 wrote to memory of 3848	3108	2024-11-27_c7aa3bc583b413aacef9dfaddb577895_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 3108 wrote to memory of 3848	3108	2024-11-27_c7aa3bc583b413aacef9dfaddb577895_cobalt-strike_cobaltstrike_poet-rat.exe	107

C:\Users\Admin\AppData\Local\Temp\2024-11-27_c7aa3bc583b413aacef9dfaddb577895_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-27_c7aa3bc583b413aacef9dfaddb577895_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3108
- C:\Windows\System\PVtRHpr.exe
  C:\Windows\System\PVtRHpr.exe
  2⤵
  - Executes dropped EXE
  PID:2536
- C:\Windows\System\SXHQZgG.exe
  C:\Windows\System\SXHQZgG.exe
  2⤵
  - Executes dropped EXE
  PID:1976
- C:\Windows\System\FkMKOsr.exe
  C:\Windows\System\FkMKOsr.exe
  2⤵
  - Executes dropped EXE
  PID:3376
- C:\Windows\System\okfcqDd.exe
  C:\Windows\System\okfcqDd.exe
  2⤵
  - Executes dropped EXE
  PID:4216
- C:\Windows\System\eabuBSl.exe
  C:\Windows\System\eabuBSl.exe
  2⤵
  - Executes dropped EXE
  PID:3496
- C:\Windows\System\YcDRQMF.exe
  C:\Windows\System\YcDRQMF.exe
  2⤵
  - Executes dropped EXE
  PID:5064
- C:\Windows\System\pEQVaZZ.exe
  C:\Windows\System\pEQVaZZ.exe
  2⤵
  - Executes dropped EXE
  PID:2156
- C:\Windows\System\UuZLxQo.exe
  C:\Windows\System\UuZLxQo.exe
  2⤵
  - Executes dropped EXE
  PID:1872
- C:\Windows\System\ayvGbja.exe
  C:\Windows\System\ayvGbja.exe
  2⤵
  - Executes dropped EXE
  PID:3220
- C:\Windows\System\MUETlin.exe
  C:\Windows\System\MUETlin.exe
  2⤵
  - Executes dropped EXE
  PID:2352
- C:\Windows\System\eilFWfL.exe
  C:\Windows\System\eilFWfL.exe
  2⤵
  - Executes dropped EXE
  PID:628
- C:\Windows\System\VnpNrWq.exe
  C:\Windows\System\VnpNrWq.exe
  2⤵
  - Executes dropped EXE
  PID:2184
- C:\Windows\System\GpdHvVL.exe
  C:\Windows\System\GpdHvVL.exe
  2⤵
  - Executes dropped EXE
  PID:2368
- C:\Windows\System\OWsRUhx.exe
  C:\Windows\System\OWsRUhx.exe
  2⤵
  - Executes dropped EXE
  PID:4804
- C:\Windows\System\UnQAPFR.exe
  C:\Windows\System\UnQAPFR.exe
  2⤵
  - Executes dropped EXE
  PID:2436
- C:\Windows\System\cACuVUk.exe
  C:\Windows\System\cACuVUk.exe
  2⤵
  - Executes dropped EXE
  PID:220
- C:\Windows\System\OGtRHoy.exe
  C:\Windows\System\OGtRHoy.exe
  2⤵
  - Executes dropped EXE
  PID:4548
- C:\Windows\System\ArsonuR.exe
  C:\Windows\System\ArsonuR.exe
  2⤵
  - Executes dropped EXE
  PID:4508
- C:\Windows\System\NELUyyO.exe
  C:\Windows\System\NELUyyO.exe
  2⤵
  - Executes dropped EXE
  PID:2432
- C:\Windows\System\jFPPXPO.exe
  C:\Windows\System\jFPPXPO.exe
  2⤵
  - Executes dropped EXE
  PID:3228
- C:\Windows\System\gjkXnzB.exe
  C:\Windows\System\gjkXnzB.exe
  2⤵
  - Executes dropped EXE
  PID:3848

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\ArsonuR.exe

Filesize
5.2MB

MD5
715a4d15e2ece05862b501e1ba067584

SHA1
6a995129ef5d1c25539cea1b5e83368f953691c5

SHA256
1239da0bfb3bce6918de046b8331dbee264e7909de8d68d0dea570c398d2ccd2

SHA512
d3594190e97ec4268dae87ef793f8d9418579d2bfeadd2ec7e0a83bc16b66fed7565e4028fa00ad8f7b3c1bfe795d7e2b9fb8ac659098221aaf8a171b9765824

Download Submit
C:\Windows\System\FkMKOsr.exe

Filesize
5.2MB

MD5
a6ee8ab27301345884cb6fc6fe234266

SHA1
7bda4c29bc0e6d873e244f19ecccf47206677e9b

SHA256
8bc1cc60533868b602b54cc74bb232000277294763fdf0b6a7665ecdb3f2fe3b

SHA512
5a4a8123394a79b0aeba58f34ebdd895ef363cac96eab591e34a2209f851f5a79535a963fd091ade5237f9da8d6b791ffaffaf4fded2525deb813da4c280b373

Download Submit
C:\Windows\System\GpdHvVL.exe

Filesize
5.2MB

MD5
2cced7d42dee5b9831c5d5c9aa5a0865

SHA1
8c1c4d55275c7fe2b9adb42eb40072b0a904df93

SHA256
d218ea52d317c76fdcf4d59c653eac1a77b498c6877fda8f8d1377e2c18f725a

SHA512
bef954ccbc85f9ab2f4c63ac56547732b01b1eb05635ee8f5c532754b6c47c34675a16f8fe78a8056b6c6a6f34b3b2e754db78aa3a2fc93d17e1020628ce0e0f

Download Submit
C:\Windows\System\MUETlin.exe

Filesize
5.2MB

MD5
f4e62a18f8bf6b9851476b852a833713

SHA1
06fd620889294de2fe0e88023eed6bd035e55902

SHA256
3fba28618164be5d8818157c62f0d6eab9e5e77a911c78b352b297e2c7a1b6ae

SHA512
4312445c7f3d357a4e108f02ce864c4890bd60b40330e0307a93949c80c894fe493c060be9b50aad5fcea845161c5d7716940f999e448d296d8a2d10a07359c3

Download Submit
C:\Windows\System\NELUyyO.exe

Filesize
5.2MB

MD5
eaaaa6f3c70ad18f2e2a407085739318

SHA1
b2c4d177bf38ed3e9ed98db75b06a0cfcecebf6a

SHA256
f095e57097d25bb45989b91e87fc800268c059991607fb7ed2378dd23bc79229

SHA512
d9a1f254ad7f4e3a266f258d8d0a1d426ee5488a8760e913fe662f7708f31d2b450f5dc9674e4f3e1b226766f751d7bfedbd5cabad001fbcfb1a079464410e69

Download Submit
C:\Windows\System\OGtRHoy.exe

Filesize
5.2MB

MD5
ad33da85c4d7d4810b314982396efd6b

SHA1
ce4e4fd29c1fd6d739300ee49375223d1712459e

SHA256
65a5ce0ff9339f291b590e518fbf9c56888a5dcfb68d2329323728b426381707

SHA512
447536f28cc6521a8e80f726fd641e504e3f58902e7bc3463a77caf05879d3ceda38cb5b0ed73fad4a8e4ff6954f4c0c9b2b60a0f099ad89f9da24c883f13839

Download Submit
C:\Windows\System\OWsRUhx.exe

Filesize
5.2MB

MD5
d887dc479fb7dabfe823b3c91a22b773

SHA1
603145c4376f1a20ab9392c6c38d8e0ffc33af2b

SHA256
0477822e3e1fa708b316a5e80b12e225b9027a0df640559b195728b519ddbe61

SHA512
d2b9b0337454165250bb9ba32574975c3e5e6754e0523ea2a7adec985d7864981864a3d38f686d650fa9eded65fc87310d63f5815779b5457c64256a14e1ab4b

Download Submit
C:\Windows\System\PVtRHpr.exe

Filesize
5.2MB

MD5
c907affed8ca98bbf8164e266283340a

SHA1
5048a62f1deb6acd73e75fd8a035a60dc6f7a252

SHA256
642365947873cd7d74238dff8ebb74196669a3b9987369e665711d4ccf901e5f

SHA512
e41b7b0383d0a0171fb79454ecf9a46904d76d70f696dc78258e5eac1f3e762f0aed9ffcc5243f513c1810bb101371f5bd8dd741fdbd9ccb127ac5bc1407d45a

Download Submit
C:\Windows\System\SXHQZgG.exe

Filesize
5.2MB

MD5
e0869b11df66ea426b3331f17c81f244

SHA1
9bd8ad166ee08befb2e96e6178bc557f9c512a16

SHA256
dc7e4aa79abfc525511a9d5d41707d73ce8a97136e49183f17232df40b5a41a8

SHA512
b98dc29c5bab049f0364d45cfb282388f69b68ad035c5b5b2287e97873d09c09144647a1db36263b92dc19c45cd0e4f046d9b7f46cc5044906ec878a36d7bba8

Download Submit
C:\Windows\System\UnQAPFR.exe

Filesize
5.2MB

MD5
0ebd5957d9d29461fdaf2f78793648b8

SHA1
3b13f4587ec216bb67b8c0b568c6d1d33e74e178

SHA256
305b66afdcf96e220dd2094d4c164e6e1ed56f53801c7e17027307fe56df7528

SHA512
f7384b440f5dbce6c20b1bddd6155af3e251ac408b13be40e09db27cfe5f585eeea2b05482824f355c2b764e618abbd2b2aaf44d6470502cd2b740c062227082

Download Submit
C:\Windows\System\UuZLxQo.exe

Filesize
5.2MB

MD5
180a54a6f3c36f0d2dcc6db3465da7b6

SHA1
a099b7e92bf66c2e63cf3a447281acee04e7d4aa

SHA256
35608b8ca871387f3764fce8ef806fda194d9bd0c7bfe71e75b37310f85234e3

SHA512
243430684b8f6706a77323271f906147b29dc5a34390b53f5b7a3401e7e72d07e808fcfb1f3146fc9fea0e6c1d7bc0d2c941b591fc7fef0875dffdf315245f41

Download Submit
C:\Windows\System\VnpNrWq.exe

Filesize
5.2MB

MD5
64c798d5979dd0b4bc75385d4831350c

SHA1
386f4293f2dbf3b01c6fb704778516e1f13fe1f1

SHA256
a16321963b92b7bc09edbc05a5c148c6e1fd8eaed6cd677b77d8278aa0a8a9f1

SHA512
0323e57f662b337ea7fa96b87c5d8274572e21a993fb53602b725e63b103f3a7681e8147e85e51983f877b8d05aa5ca5c77920d48468d825005a0011e5cec72a

Download Submit
C:\Windows\System\YcDRQMF.exe

Filesize
5.2MB

MD5
5750eb225457311cd4706255b018f589

SHA1
1a8c1b413b714e1563df02a40a6b521dfc912135

SHA256
8c285a05465430a35ac6899dca4dec77a1d17d3f0a48004ad13f2842fb1c4ad2

SHA512
111afb9392c8737d52649a5485c769666e43419089165f6406fb87833265d08468c3831749e3b14cfcce841c9d5d34affe208c5699dae23621b1ca9ed2eda92e

Download Submit
C:\Windows\System\ayvGbja.exe

Filesize
5.2MB

MD5
bcbbcf034612fed9080de003f388606e

SHA1
8240be1348c1bf839f6394caedb3a2c4febaed0d

SHA256
e11e761eecd42829e1e3955e8777f6bdd89025f14d10f4f8829bc925103df731

SHA512
378f7739122c4253d7c86aff5a9ac8c9511b204f94de30a01f8ee81bc5644910ca83ff730a43e38594971af23f97d16ee9d8c9a1b7ad274187de17645eaccad7

Download Submit
C:\Windows\System\cACuVUk.exe

Filesize
5.2MB

MD5
844949989984fd1ac6395ea49087b3f4

SHA1
deb052d2c8b3b542394ef8d4f54c16f0b0fe5e63

SHA256
9ac7ba2fcdb34fe1ea9b965084df65e6945903b9d1a0d24022e3a834f4ea9dd9

SHA512
2ce2c77a95b7b7f0a48fd6992e28eea067864c8852f1a161c5b55f6fd619851fe34679ee887f791bb06040de8a98dcd18b10a411207e7e2d3e7b2d6cbaa8b662

Download Submit
C:\Windows\System\eabuBSl.exe

Filesize
5.2MB

MD5
2808f22ddefe6c1026bcf3a5f4de9a1e

SHA1
276b2db0c5c1c58036e73cd72594b277cc5b817e

SHA256
1afaace3f6a047a0bb7f4497a30bd748102b4213e098ac5de2558c9b21b1cf2f

SHA512
9496ee4d7ee854842207670c950b80799afde4c9f07916b4cd7706ff5a15b404e86df318ca69b5b8e5870dc203abfa09c8452799cb830ba4e1048a3b9462a467

Download Submit
C:\Windows\System\eilFWfL.exe

Filesize
5.2MB

MD5
129a117be22e2b77fb6cbf95e50144fb

SHA1
8456caee445cff029625e6a4154e4816a9946101

SHA256
e41c7357bb6dfd6f243df035e1d3f3ae67daf7efdcfc5b86f18dd141d8d5d0b6

SHA512
0d0560813a8023b3236d7ebc26ce5e48f988d16366547e3262e352d4c33b051854abb59db3dbf700a53e17e8fdf7190b85fa5a923da9e7df35cd314ac654fc79

Download Submit
C:\Windows\System\gjkXnzB.exe

Filesize
5.2MB

MD5
c809a7f69969ad2b4d8bb61c3f0fe613

SHA1
35f3e8c80cd410ce48aeea62796e29ae6b47cfe1

SHA256
e1ab53480ab82556b05355532f02d880a17fb6f9f785cabd790947184ff652f7

SHA512
d8ce2403805fa502232f4d61908232336ba497625c03f01c037eba80d1eef3e453837cd92a50713006bbde7bb75804b7cbac19f470a01e6369cf211af9dce745

Download Submit
C:\Windows\System\jFPPXPO.exe

Filesize
5.2MB

MD5
4be429a1566d3415d87e19972bba14f8

SHA1
9ee0a852eda4bbb425be0c56df0bd73d14e9031e

SHA256
e4815df7b26fbd4144046830d7c12f89a06b326950cf9e682e90a8d206a23862

SHA512
4ab8ce8e8688b5b03cba483caaefa7895df0006c2833e5f576a3278e09c6c05f98d1bf8444920285d49d5c6d0d1939f039dade0ccd90edca642701719f03794e

Download Submit
C:\Windows\System\okfcqDd.exe

Filesize
5.2MB

MD5
3c7759ec6d0b35cfefb9c4d2fc9e94eb

SHA1
1087c2472c5355045e544f9bb2204251e38472db

SHA256
0a5eece9a0e9dda7b8a18f9bc103444f0cf602cfd3a22d413aa83f2eea371e1e

SHA512
275d504b14dd3727817553efaa41c4fd5c5cc754d2738d833a1d1da9570d9b14d4b84aea1fb3555b2902b0ee3f28105797d7d405de08af4a90c63f2f41e0c287

Download Submit
C:\Windows\System\pEQVaZZ.exe

Filesize
5.2MB

MD5
44e1034beea658700ea629cf0713312f

SHA1
21da48d4cf77577627dc39c18aa712eae4c89962

SHA256
bb148cbc777e8b174f80a19faac7baed2c30034c7fd47b70af0841f8c900cb58

SHA512
46b586aadb6ebf9bcae0591f175ad1d134010d33dc077c01ddc1b61afb014d98dfcaf179f311e4e8b90c64a1b24474227758dd7dc951f1d9ef2cc35d11ee7b2b

Download Submit
memory/220-135-0x00007FF7B8970000-0x00007FF7B8CC1000-memory.dmp

Filesize
3.3MB

Download
memory/220-257-0x00007FF7B8970000-0x00007FF7B8CC1000-memory.dmp

Filesize
3.3MB

Download
memory/628-73-0x00007FF624050000-0x00007FF6243A1000-memory.dmp

Filesize
3.3MB

Download
memory/628-239-0x00007FF624050000-0x00007FF6243A1000-memory.dmp

Filesize
3.3MB

Download
memory/1872-228-0x00007FF63C860000-0x00007FF63CBB1000-memory.dmp

Filesize
3.3MB

Download
memory/1872-50-0x00007FF63C860000-0x00007FF63CBB1000-memory.dmp

Filesize
3.3MB

Download
memory/1976-207-0x00007FF7118A0000-0x00007FF711BF1000-memory.dmp

Filesize
3.3MB

Download
memory/1976-12-0x00007FF7118A0000-0x00007FF711BF1000-memory.dmp

Filesize
3.3MB

Download
memory/1976-77-0x00007FF7118A0000-0x00007FF711BF1000-memory.dmp

Filesize
3.3MB

Download
memory/2156-229-0x00007FF653AA0000-0x00007FF653DF1000-memory.dmp

Filesize
3.3MB

Download
memory/2156-42-0x00007FF653AA0000-0x00007FF653DF1000-memory.dmp

Filesize
3.3MB

Download
memory/2156-133-0x00007FF653AA0000-0x00007FF653DF1000-memory.dmp

Filesize
3.3MB

Download
memory/2184-147-0x00007FF640090000-0x00007FF6403E1000-memory.dmp

Filesize
3.3MB

Download
memory/2184-241-0x00007FF640090000-0x00007FF6403E1000-memory.dmp

Filesize
3.3MB

Download
memory/2184-80-0x00007FF640090000-0x00007FF6403E1000-memory.dmp

Filesize
3.3MB

Download
memory/2352-68-0x00007FF6C8BA0000-0x00007FF6C8EF1000-memory.dmp

Filesize
3.3MB

Download
memory/2352-236-0x00007FF6C8BA0000-0x00007FF6C8EF1000-memory.dmp

Filesize
3.3MB

Download
memory/2368-243-0x00007FF7660C0000-0x00007FF766411000-memory.dmp

Filesize
3.3MB

Download
memory/2368-78-0x00007FF7660C0000-0x00007FF766411000-memory.dmp

Filesize
3.3MB

Download
memory/2368-148-0x00007FF7660C0000-0x00007FF766411000-memory.dmp

Filesize
3.3MB

Download
memory/2432-261-0x00007FF620EA0000-0x00007FF6211F1000-memory.dmp

Filesize
3.3MB

Download
memory/2432-139-0x00007FF620EA0000-0x00007FF6211F1000-memory.dmp

Filesize
3.3MB

Download
memory/2436-150-0x00007FF603BD0000-0x00007FF603F21000-memory.dmp

Filesize
3.3MB

Download
memory/2436-246-0x00007FF603BD0000-0x00007FF603F21000-memory.dmp

Filesize
3.3MB

Download
memory/2436-94-0x00007FF603BD0000-0x00007FF603F21000-memory.dmp

Filesize
3.3MB

Download
memory/2536-69-0x00007FF723670000-0x00007FF7239C1000-memory.dmp

Filesize
3.3MB

Download
memory/2536-8-0x00007FF723670000-0x00007FF7239C1000-memory.dmp

Filesize
3.3MB

Download
memory/2536-205-0x00007FF723670000-0x00007FF7239C1000-memory.dmp

Filesize
3.3MB

Download
memory/3108-174-0x00007FF6E26D0000-0x00007FF6E2A21000-memory.dmp

Filesize
3.3MB

Download
memory/3108-0-0x00007FF6E26D0000-0x00007FF6E2A21000-memory.dmp

Filesize
3.3MB

Download
memory/3108-59-0x00007FF6E26D0000-0x00007FF6E2A21000-memory.dmp

Filesize
3.3MB

Download
memory/3108-152-0x00007FF6E26D0000-0x00007FF6E2A21000-memory.dmp

Filesize
3.3MB

Download
memory/3108-1-0x0000022AC4CE0000-0x0000022AC4CF0000-memory.dmp

Filesize
64KB

Download
memory/3220-144-0x00007FF7A71F0000-0x00007FF7A7541000-memory.dmp

Filesize
3.3MB

Download
memory/3220-64-0x00007FF7A71F0000-0x00007FF7A7541000-memory.dmp

Filesize
3.3MB

Download
memory/3220-237-0x00007FF7A71F0000-0x00007FF7A7541000-memory.dmp

Filesize
3.3MB

Download
memory/3228-263-0x00007FF6BCC80000-0x00007FF6BCFD1000-memory.dmp

Filesize
3.3MB

Download
memory/3228-140-0x00007FF6BCC80000-0x00007FF6BCFD1000-memory.dmp

Filesize
3.3MB

Download
memory/3376-209-0x00007FF7CE170000-0x00007FF7CE4C1000-memory.dmp

Filesize
3.3MB

Download
memory/3376-83-0x00007FF7CE170000-0x00007FF7CE4C1000-memory.dmp

Filesize
3.3MB

Download
memory/3376-18-0x00007FF7CE170000-0x00007FF7CE4C1000-memory.dmp

Filesize
3.3MB

Download
memory/3496-93-0x00007FF771470000-0x00007FF7717C1000-memory.dmp

Filesize
3.3MB

Download
memory/3496-215-0x00007FF771470000-0x00007FF7717C1000-memory.dmp

Filesize
3.3MB

Download
memory/3496-33-0x00007FF771470000-0x00007FF7717C1000-memory.dmp

Filesize
3.3MB

Download
memory/3848-265-0x00007FF70B410000-0x00007FF70B761000-memory.dmp

Filesize
3.3MB

Download
memory/3848-141-0x00007FF70B410000-0x00007FF70B761000-memory.dmp

Filesize
3.3MB

Download
memory/3848-164-0x00007FF70B410000-0x00007FF70B761000-memory.dmp

Filesize
3.3MB

Download
memory/4216-90-0x00007FF72AD80000-0x00007FF72B0D1000-memory.dmp

Filesize
3.3MB

Download
memory/4216-28-0x00007FF72AD80000-0x00007FF72B0D1000-memory.dmp

Filesize
3.3MB

Download
memory/4216-211-0x00007FF72AD80000-0x00007FF72B0D1000-memory.dmp

Filesize
3.3MB

Download
memory/4508-138-0x00007FF7A1660000-0x00007FF7A19B1000-memory.dmp

Filesize
3.3MB

Download
memory/4508-260-0x00007FF7A1660000-0x00007FF7A19B1000-memory.dmp

Filesize
3.3MB

Download
memory/4548-136-0x00007FF7619A0000-0x00007FF761CF1000-memory.dmp

Filesize
3.3MB

Download
memory/4548-255-0x00007FF7619A0000-0x00007FF761CF1000-memory.dmp

Filesize
3.3MB

Download
memory/4804-247-0x00007FF6B47C0000-0x00007FF6B4B11000-memory.dmp

Filesize
3.3MB

Download
memory/4804-91-0x00007FF6B47C0000-0x00007FF6B4B11000-memory.dmp

Filesize
3.3MB

Download
memory/4804-149-0x00007FF6B47C0000-0x00007FF6B4B11000-memory.dmp

Filesize
3.3MB

Download
memory/5064-134-0x00007FF73C0E0000-0x00007FF73C431000-memory.dmp

Filesize
3.3MB

Download
memory/5064-34-0x00007FF73C0E0000-0x00007FF73C431000-memory.dmp

Filesize
3.3MB

Download
memory/5064-213-0x00007FF73C0E0000-0x00007FF73C431000-memory.dmp

Filesize
3.3MB

Download