cobaltstrike | 3af20af6b5aeca5f6458725934eced4bc92c875295ac4b71cd95f7b722365d4d

Analysis

max time kernel
148s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27/11/2024, 05:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-27_d31fb6c2cf82b4e857decd78bcef96d2_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

d31fb6c2cf82b4e857decd78bcef96d2
SHA1

184c68738f7fad8f8525ca08754d481ca506178d
SHA256

3af20af6b5aeca5f6458725934eced4bc92c875295ac4b71cd95f7b722365d4d
SHA512

e00b9ff7a147a30c775c3b941724a8cb11c04f8b457a696599dbf9c000324418137a45ae2207cc0337ce353c14a96845ed016cbf68f5d3d42fd685e0521285e5
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lf:RWWBibf56utgpPFotBER/mQ32lUz

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0008000000023c90-7.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c96-27.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c98-29.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9a-55.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9d-60.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9c-71.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9e-66.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9b-57.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c91-97.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca1-95.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca4-106.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca5-118.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca7-123.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca6-120.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca2-113.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca0-84.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9f-83.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c99-49.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c97-38.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c95-24.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c94-19.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 47 IoCs

miner

resource	yara_rule
behavioral2/memory/1388-74-0x00007FF670EE0000-0x00007FF671231000-memory.dmp	xmrig
behavioral2/memory/4272-58-0x00007FF74A690000-0x00007FF74A9E1000-memory.dmp	xmrig
behavioral2/memory/5060-92-0x00007FF623C60000-0x00007FF623FB1000-memory.dmp	xmrig
behavioral2/memory/4744-127-0x00007FF637F90000-0x00007FF6382E1000-memory.dmp	xmrig
behavioral2/memory/4228-126-0x00007FF6804A0000-0x00007FF6807F1000-memory.dmp	xmrig
behavioral2/memory/2364-122-0x00007FF760030000-0x00007FF760381000-memory.dmp	xmrig
behavioral2/memory/1512-42-0x00007FF6AA2F0000-0x00007FF6AA641000-memory.dmp	xmrig
behavioral2/memory/4396-131-0x00007FF652430000-0x00007FF652781000-memory.dmp	xmrig
behavioral2/memory/4544-133-0x00007FF6B9050000-0x00007FF6B93A1000-memory.dmp	xmrig
behavioral2/memory/3180-132-0x00007FF7AFCE0000-0x00007FF7B0031000-memory.dmp	xmrig
behavioral2/memory/648-135-0x00007FF6A2500000-0x00007FF6A2851000-memory.dmp	xmrig
behavioral2/memory/3868-136-0x00007FF6FFFA0000-0x00007FF7002F1000-memory.dmp	xmrig
behavioral2/memory/1512-134-0x00007FF6AA2F0000-0x00007FF6AA641000-memory.dmp	xmrig
behavioral2/memory/2364-137-0x00007FF760030000-0x00007FF760381000-memory.dmp	xmrig
behavioral2/memory/2916-143-0x00007FF6B76B0000-0x00007FF6B7A01000-memory.dmp	xmrig
behavioral2/memory/1388-153-0x00007FF670EE0000-0x00007FF671231000-memory.dmp	xmrig
behavioral2/memory/1776-154-0x00007FF731D00000-0x00007FF732051000-memory.dmp	xmrig
behavioral2/memory/5040-155-0x00007FF699D50000-0x00007FF69A0A1000-memory.dmp	xmrig
behavioral2/memory/756-151-0x00007FF6EE850000-0x00007FF6EEBA1000-memory.dmp	xmrig
behavioral2/memory/324-157-0x00007FF74E010000-0x00007FF74E361000-memory.dmp	xmrig
behavioral2/memory/316-161-0x00007FF6496B0000-0x00007FF649A01000-memory.dmp	xmrig
behavioral2/memory/4628-159-0x00007FF7AFCB0000-0x00007FF7B0001000-memory.dmp	xmrig
behavioral2/memory/764-158-0x00007FF7EF5D0000-0x00007FF7EF921000-memory.dmp	xmrig
behavioral2/memory/2556-156-0x00007FF70CEF0000-0x00007FF70D241000-memory.dmp	xmrig
behavioral2/memory/1864-160-0x00007FF649520000-0x00007FF649871000-memory.dmp	xmrig
behavioral2/memory/2364-162-0x00007FF760030000-0x00007FF760381000-memory.dmp	xmrig
behavioral2/memory/4228-220-0x00007FF6804A0000-0x00007FF6807F1000-memory.dmp	xmrig
behavioral2/memory/4744-222-0x00007FF637F90000-0x00007FF6382E1000-memory.dmp	xmrig
behavioral2/memory/4396-224-0x00007FF652430000-0x00007FF652781000-memory.dmp	xmrig
behavioral2/memory/3180-228-0x00007FF7AFCE0000-0x00007FF7B0031000-memory.dmp	xmrig
behavioral2/memory/4272-226-0x00007FF74A690000-0x00007FF74A9E1000-memory.dmp	xmrig
behavioral2/memory/1512-230-0x00007FF6AA2F0000-0x00007FF6AA641000-memory.dmp	xmrig
behavioral2/memory/4544-232-0x00007FF6B9050000-0x00007FF6B93A1000-memory.dmp	xmrig
behavioral2/memory/3868-239-0x00007FF6FFFA0000-0x00007FF7002F1000-memory.dmp	xmrig
behavioral2/memory/648-241-0x00007FF6A2500000-0x00007FF6A2851000-memory.dmp	xmrig
behavioral2/memory/1388-243-0x00007FF670EE0000-0x00007FF671231000-memory.dmp	xmrig
behavioral2/memory/1776-245-0x00007FF731D00000-0x00007FF732051000-memory.dmp	xmrig
behavioral2/memory/2916-247-0x00007FF6B76B0000-0x00007FF6B7A01000-memory.dmp	xmrig
behavioral2/memory/5060-251-0x00007FF623C60000-0x00007FF623FB1000-memory.dmp	xmrig
behavioral2/memory/756-249-0x00007FF6EE850000-0x00007FF6EEBA1000-memory.dmp	xmrig
behavioral2/memory/2556-255-0x00007FF70CEF0000-0x00007FF70D241000-memory.dmp	xmrig
behavioral2/memory/5040-253-0x00007FF699D50000-0x00007FF69A0A1000-memory.dmp	xmrig
behavioral2/memory/324-261-0x00007FF74E010000-0x00007FF74E361000-memory.dmp	xmrig
behavioral2/memory/764-263-0x00007FF7EF5D0000-0x00007FF7EF921000-memory.dmp	xmrig
behavioral2/memory/1864-265-0x00007FF649520000-0x00007FF649871000-memory.dmp	xmrig
behavioral2/memory/4628-267-0x00007FF7AFCB0000-0x00007FF7B0001000-memory.dmp	xmrig
behavioral2/memory/316-269-0x00007FF6496B0000-0x00007FF649A01000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4228	TaNjuln.exe
4744	hhhsiYn.exe
4396	liUfrbO.exe
3180	OOajgtx.exe
1512	ltyiHre.exe
4272	nNYQlLS.exe
4544	NVzbDkk.exe
3868	mwfnWtO.exe
648	upHyOBS.exe
1388	gUShUhR.exe
1776	MIgJcOl.exe
2916	xeSyyvm.exe
756	UicRlTG.exe
5060	ycbZBxn.exe
5040	osEXCxB.exe
2556	VboygTJ.exe
324	VouFIyd.exe
764	wqJEzSf.exe
4628	EQaskrl.exe
1864	XdhbSBj.exe
316	yRtnxAn.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2364-0-0x00007FF760030000-0x00007FF760381000-memory.dmp	upx
behavioral2/files/0x0008000000023c90-7.dat	upx
behavioral2/files/0x0007000000023c96-27.dat	upx
behavioral2/files/0x0007000000023c98-29.dat	upx
behavioral2/files/0x0007000000023c9a-55.dat	upx
behavioral2/files/0x0007000000023c9d-60.dat	upx
behavioral2/files/0x0007000000023c9c-71.dat	upx
behavioral2/memory/1388-74-0x00007FF670EE0000-0x00007FF671231000-memory.dmp	upx
behavioral2/memory/1776-75-0x00007FF731D00000-0x00007FF732051000-memory.dmp	upx
behavioral2/memory/2916-72-0x00007FF6B76B0000-0x00007FF6B7A01000-memory.dmp	upx
behavioral2/memory/3868-67-0x00007FF6FFFA0000-0x00007FF7002F1000-memory.dmp	upx
behavioral2/files/0x0007000000023c9e-66.dat	upx
behavioral2/memory/4272-58-0x00007FF74A690000-0x00007FF74A9E1000-memory.dmp	upx
behavioral2/files/0x0007000000023c9b-57.dat	upx
behavioral2/memory/756-89-0x00007FF6EE850000-0x00007FF6EEBA1000-memory.dmp	upx
behavioral2/memory/5060-92-0x00007FF623C60000-0x00007FF623FB1000-memory.dmp	upx
behavioral2/memory/2556-93-0x00007FF70CEF0000-0x00007FF70D241000-memory.dmp	upx
behavioral2/files/0x0008000000023c91-97.dat	upx
behavioral2/files/0x0007000000023ca1-95.dat	upx
behavioral2/memory/5040-94-0x00007FF699D50000-0x00007FF69A0A1000-memory.dmp	upx
behavioral2/files/0x0007000000023ca4-106.dat	upx
behavioral2/memory/764-112-0x00007FF7EF5D0000-0x00007FF7EF921000-memory.dmp	upx
behavioral2/files/0x0007000000023ca5-118.dat	upx
behavioral2/files/0x0007000000023ca7-123.dat	upx
behavioral2/memory/4744-127-0x00007FF637F90000-0x00007FF6382E1000-memory.dmp	upx
behavioral2/memory/316-128-0x00007FF6496B0000-0x00007FF649A01000-memory.dmp	upx
behavioral2/memory/4228-126-0x00007FF6804A0000-0x00007FF6807F1000-memory.dmp	upx
behavioral2/memory/4628-125-0x00007FF7AFCB0000-0x00007FF7B0001000-memory.dmp	upx
behavioral2/memory/2364-122-0x00007FF760030000-0x00007FF760381000-memory.dmp	upx
behavioral2/files/0x0007000000023ca6-120.dat	upx
behavioral2/memory/1864-117-0x00007FF649520000-0x00007FF649871000-memory.dmp	upx
behavioral2/files/0x0007000000023ca2-113.dat	upx
behavioral2/memory/324-111-0x00007FF74E010000-0x00007FF74E361000-memory.dmp	upx
behavioral2/files/0x0007000000023ca0-84.dat	upx
behavioral2/files/0x0007000000023c9f-83.dat	upx
behavioral2/files/0x0007000000023c99-49.dat	upx
behavioral2/memory/648-48-0x00007FF6A2500000-0x00007FF6A2851000-memory.dmp	upx
behavioral2/memory/4544-47-0x00007FF6B9050000-0x00007FF6B93A1000-memory.dmp	upx
behavioral2/memory/1512-42-0x00007FF6AA2F0000-0x00007FF6AA641000-memory.dmp	upx
behavioral2/files/0x0007000000023c97-38.dat	upx
behavioral2/memory/3180-31-0x00007FF7AFCE0000-0x00007FF7B0031000-memory.dmp	upx
behavioral2/files/0x0007000000023c95-24.dat	upx
behavioral2/memory/4396-22-0x00007FF652430000-0x00007FF652781000-memory.dmp	upx
behavioral2/files/0x0007000000023c94-19.dat	upx
behavioral2/memory/4744-17-0x00007FF637F90000-0x00007FF6382E1000-memory.dmp	upx
behavioral2/memory/4228-6-0x00007FF6804A0000-0x00007FF6807F1000-memory.dmp	upx
behavioral2/memory/4396-131-0x00007FF652430000-0x00007FF652781000-memory.dmp	upx
behavioral2/memory/4544-133-0x00007FF6B9050000-0x00007FF6B93A1000-memory.dmp	upx
behavioral2/memory/3180-132-0x00007FF7AFCE0000-0x00007FF7B0031000-memory.dmp	upx
behavioral2/memory/648-135-0x00007FF6A2500000-0x00007FF6A2851000-memory.dmp	upx
behavioral2/memory/3868-136-0x00007FF6FFFA0000-0x00007FF7002F1000-memory.dmp	upx
behavioral2/memory/1512-134-0x00007FF6AA2F0000-0x00007FF6AA641000-memory.dmp	upx
behavioral2/memory/2364-137-0x00007FF760030000-0x00007FF760381000-memory.dmp	upx
behavioral2/memory/2916-143-0x00007FF6B76B0000-0x00007FF6B7A01000-memory.dmp	upx
behavioral2/memory/1388-153-0x00007FF670EE0000-0x00007FF671231000-memory.dmp	upx
behavioral2/memory/1776-154-0x00007FF731D00000-0x00007FF732051000-memory.dmp	upx
behavioral2/memory/5040-155-0x00007FF699D50000-0x00007FF69A0A1000-memory.dmp	upx
behavioral2/memory/756-151-0x00007FF6EE850000-0x00007FF6EEBA1000-memory.dmp	upx
behavioral2/memory/324-157-0x00007FF74E010000-0x00007FF74E361000-memory.dmp	upx
behavioral2/memory/316-161-0x00007FF6496B0000-0x00007FF649A01000-memory.dmp	upx
behavioral2/memory/4628-159-0x00007FF7AFCB0000-0x00007FF7B0001000-memory.dmp	upx
behavioral2/memory/764-158-0x00007FF7EF5D0000-0x00007FF7EF921000-memory.dmp	upx
behavioral2/memory/2556-156-0x00007FF70CEF0000-0x00007FF70D241000-memory.dmp	upx
behavioral2/memory/1864-160-0x00007FF649520000-0x00007FF649871000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\TaNjuln.exe	2024-11-27_d31fb6c2cf82b4e857decd78bcef96d2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MIgJcOl.exe	2024-11-27_d31fb6c2cf82b4e857decd78bcef96d2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XdhbSBj.exe	2024-11-27_d31fb6c2cf82b4e857decd78bcef96d2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VouFIyd.exe	2024-11-27_d31fb6c2cf82b4e857decd78bcef96d2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\liUfrbO.exe	2024-11-27_d31fb6c2cf82b4e857decd78bcef96d2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nNYQlLS.exe	2024-11-27_d31fb6c2cf82b4e857decd78bcef96d2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gUShUhR.exe	2024-11-27_d31fb6c2cf82b4e857decd78bcef96d2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ycbZBxn.exe	2024-11-27_d31fb6c2cf82b4e857decd78bcef96d2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ltyiHre.exe	2024-11-27_d31fb6c2cf82b4e857decd78bcef96d2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UicRlTG.exe	2024-11-27_d31fb6c2cf82b4e857decd78bcef96d2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wqJEzSf.exe	2024-11-27_d31fb6c2cf82b4e857decd78bcef96d2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EQaskrl.exe	2024-11-27_d31fb6c2cf82b4e857decd78bcef96d2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\upHyOBS.exe	2024-11-27_d31fb6c2cf82b4e857decd78bcef96d2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xeSyyvm.exe	2024-11-27_d31fb6c2cf82b4e857decd78bcef96d2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\osEXCxB.exe	2024-11-27_d31fb6c2cf82b4e857decd78bcef96d2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VboygTJ.exe	2024-11-27_d31fb6c2cf82b4e857decd78bcef96d2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hhhsiYn.exe	2024-11-27_d31fb6c2cf82b4e857decd78bcef96d2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OOajgtx.exe	2024-11-27_d31fb6c2cf82b4e857decd78bcef96d2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NVzbDkk.exe	2024-11-27_d31fb6c2cf82b4e857decd78bcef96d2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mwfnWtO.exe	2024-11-27_d31fb6c2cf82b4e857decd78bcef96d2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yRtnxAn.exe	2024-11-27_d31fb6c2cf82b4e857decd78bcef96d2_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2364	2024-11-27_d31fb6c2cf82b4e857decd78bcef96d2_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2364	2024-11-27_d31fb6c2cf82b4e857decd78bcef96d2_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 4228	2364	2024-11-27_d31fb6c2cf82b4e857decd78bcef96d2_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 2364 wrote to memory of 4228	2364	2024-11-27_d31fb6c2cf82b4e857decd78bcef96d2_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 2364 wrote to memory of 4744	2364	2024-11-27_d31fb6c2cf82b4e857decd78bcef96d2_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2364 wrote to memory of 4744	2364	2024-11-27_d31fb6c2cf82b4e857decd78bcef96d2_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2364 wrote to memory of 4396	2364	2024-11-27_d31fb6c2cf82b4e857decd78bcef96d2_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2364 wrote to memory of 4396	2364	2024-11-27_d31fb6c2cf82b4e857decd78bcef96d2_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2364 wrote to memory of 1512	2364	2024-11-27_d31fb6c2cf82b4e857decd78bcef96d2_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2364 wrote to memory of 1512	2364	2024-11-27_d31fb6c2cf82b4e857decd78bcef96d2_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2364 wrote to memory of 3180	2364	2024-11-27_d31fb6c2cf82b4e857decd78bcef96d2_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2364 wrote to memory of 3180	2364	2024-11-27_d31fb6c2cf82b4e857decd78bcef96d2_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2364 wrote to memory of 4272	2364	2024-11-27_d31fb6c2cf82b4e857decd78bcef96d2_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2364 wrote to memory of 4272	2364	2024-11-27_d31fb6c2cf82b4e857decd78bcef96d2_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2364 wrote to memory of 4544	2364	2024-11-27_d31fb6c2cf82b4e857decd78bcef96d2_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2364 wrote to memory of 4544	2364	2024-11-27_d31fb6c2cf82b4e857decd78bcef96d2_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2364 wrote to memory of 3868	2364	2024-11-27_d31fb6c2cf82b4e857decd78bcef96d2_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2364 wrote to memory of 3868	2364	2024-11-27_d31fb6c2cf82b4e857decd78bcef96d2_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2364 wrote to memory of 648	2364	2024-11-27_d31fb6c2cf82b4e857decd78bcef96d2_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2364 wrote to memory of 648	2364	2024-11-27_d31fb6c2cf82b4e857decd78bcef96d2_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2364 wrote to memory of 1388	2364	2024-11-27_d31fb6c2cf82b4e857decd78bcef96d2_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2364 wrote to memory of 1388	2364	2024-11-27_d31fb6c2cf82b4e857decd78bcef96d2_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2364 wrote to memory of 1776	2364	2024-11-27_d31fb6c2cf82b4e857decd78bcef96d2_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2364 wrote to memory of 1776	2364	2024-11-27_d31fb6c2cf82b4e857decd78bcef96d2_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2364 wrote to memory of 2916	2364	2024-11-27_d31fb6c2cf82b4e857decd78bcef96d2_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2364 wrote to memory of 2916	2364	2024-11-27_d31fb6c2cf82b4e857decd78bcef96d2_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2364 wrote to memory of 756	2364	2024-11-27_d31fb6c2cf82b4e857decd78bcef96d2_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2364 wrote to memory of 756	2364	2024-11-27_d31fb6c2cf82b4e857decd78bcef96d2_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2364 wrote to memory of 5060	2364	2024-11-27_d31fb6c2cf82b4e857decd78bcef96d2_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2364 wrote to memory of 5060	2364	2024-11-27_d31fb6c2cf82b4e857decd78bcef96d2_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2364 wrote to memory of 5040	2364	2024-11-27_d31fb6c2cf82b4e857decd78bcef96d2_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2364 wrote to memory of 5040	2364	2024-11-27_d31fb6c2cf82b4e857decd78bcef96d2_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2364 wrote to memory of 2556	2364	2024-11-27_d31fb6c2cf82b4e857decd78bcef96d2_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2364 wrote to memory of 2556	2364	2024-11-27_d31fb6c2cf82b4e857decd78bcef96d2_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2364 wrote to memory of 324	2364	2024-11-27_d31fb6c2cf82b4e857decd78bcef96d2_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2364 wrote to memory of 324	2364	2024-11-27_d31fb6c2cf82b4e857decd78bcef96d2_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2364 wrote to memory of 764	2364	2024-11-27_d31fb6c2cf82b4e857decd78bcef96d2_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2364 wrote to memory of 764	2364	2024-11-27_d31fb6c2cf82b4e857decd78bcef96d2_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2364 wrote to memory of 4628	2364	2024-11-27_d31fb6c2cf82b4e857decd78bcef96d2_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2364 wrote to memory of 4628	2364	2024-11-27_d31fb6c2cf82b4e857decd78bcef96d2_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2364 wrote to memory of 1864	2364	2024-11-27_d31fb6c2cf82b4e857decd78bcef96d2_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2364 wrote to memory of 1864	2364	2024-11-27_d31fb6c2cf82b4e857decd78bcef96d2_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2364 wrote to memory of 316	2364	2024-11-27_d31fb6c2cf82b4e857decd78bcef96d2_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2364 wrote to memory of 316	2364	2024-11-27_d31fb6c2cf82b4e857decd78bcef96d2_cobalt-strike_cobaltstrike_poet-rat.exe	103

C:\Users\Admin\AppData\Local\Temp\2024-11-27_d31fb6c2cf82b4e857decd78bcef96d2_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-27_d31fb6c2cf82b4e857decd78bcef96d2_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Windows\System\TaNjuln.exe
  C:\Windows\System\TaNjuln.exe
  2⤵
  - Executes dropped EXE
  PID:4228
- C:\Windows\System\hhhsiYn.exe
  C:\Windows\System\hhhsiYn.exe
  2⤵
  - Executes dropped EXE
  PID:4744
- C:\Windows\System\liUfrbO.exe
  C:\Windows\System\liUfrbO.exe
  2⤵
  - Executes dropped EXE
  PID:4396
- C:\Windows\System\ltyiHre.exe
  C:\Windows\System\ltyiHre.exe
  2⤵
  - Executes dropped EXE
  PID:1512
- C:\Windows\System\OOajgtx.exe
  C:\Windows\System\OOajgtx.exe
  2⤵
  - Executes dropped EXE
  PID:3180
- C:\Windows\System\nNYQlLS.exe
  C:\Windows\System\nNYQlLS.exe
  2⤵
  - Executes dropped EXE
  PID:4272
- C:\Windows\System\NVzbDkk.exe
  C:\Windows\System\NVzbDkk.exe
  2⤵
  - Executes dropped EXE
  PID:4544
- C:\Windows\System\mwfnWtO.exe
  C:\Windows\System\mwfnWtO.exe
  2⤵
  - Executes dropped EXE
  PID:3868
- C:\Windows\System\upHyOBS.exe
  C:\Windows\System\upHyOBS.exe
  2⤵
  - Executes dropped EXE
  PID:648
- C:\Windows\System\gUShUhR.exe
  C:\Windows\System\gUShUhR.exe
  2⤵
  - Executes dropped EXE
  PID:1388
- C:\Windows\System\MIgJcOl.exe
  C:\Windows\System\MIgJcOl.exe
  2⤵
  - Executes dropped EXE
  PID:1776
- C:\Windows\System\xeSyyvm.exe
  C:\Windows\System\xeSyyvm.exe
  2⤵
  - Executes dropped EXE
  PID:2916
- C:\Windows\System\UicRlTG.exe
  C:\Windows\System\UicRlTG.exe
  2⤵
  - Executes dropped EXE
  PID:756
- C:\Windows\System\ycbZBxn.exe
  C:\Windows\System\ycbZBxn.exe
  2⤵
  - Executes dropped EXE
  PID:5060
- C:\Windows\System\osEXCxB.exe
  C:\Windows\System\osEXCxB.exe
  2⤵
  - Executes dropped EXE
  PID:5040
- C:\Windows\System\VboygTJ.exe
  C:\Windows\System\VboygTJ.exe
  2⤵
  - Executes dropped EXE
  PID:2556
- C:\Windows\System\VouFIyd.exe
  C:\Windows\System\VouFIyd.exe
  2⤵
  - Executes dropped EXE
  PID:324
- C:\Windows\System\wqJEzSf.exe
  C:\Windows\System\wqJEzSf.exe
  2⤵
  - Executes dropped EXE
  PID:764
- C:\Windows\System\EQaskrl.exe
  C:\Windows\System\EQaskrl.exe
  2⤵
  - Executes dropped EXE
  PID:4628
- C:\Windows\System\XdhbSBj.exe
  C:\Windows\System\XdhbSBj.exe
  2⤵
  - Executes dropped EXE
  PID:1864
- C:\Windows\System\yRtnxAn.exe
  C:\Windows\System\yRtnxAn.exe
  2⤵
  - Executes dropped EXE
  PID:316

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\EQaskrl.exe

Filesize
5.2MB

MD5
5c3cfb7515d5d1ce46f6a400d7181f7f

SHA1
bc8bf039b60f686ecd986da9532dde53a8e0234e

SHA256
3185fbafbc6d271f866fde83f637a1e35e5f14c2eba36f6b35db519f5ac30c45

SHA512
84ae70e103f48a022da80409486e55163f030682619b74df2b2cae8a46ff3d177231917e83d0e4626e5ad862f08a98624af49bbc2b54bf5050c046d4c4263b42

Download Submit
C:\Windows\System\MIgJcOl.exe

Filesize
5.2MB

MD5
da990872ff0b6889d46260d8a3372035

SHA1
14a858121ffb6ef1af38906d2f5f4a53c30c5f9c

SHA256
7f26632b15408a540ef04788d7a2768463cc2b6784651d35fb9bcbc51de14990

SHA512
ccbc333aae049a2c7c17c2e2f06ed89b91d65233ddca675fa4f453618a4044bc0b22e592b8f45ded864ac648894bf06adae13ae4a534df16995d0c63c5e74b6c

Download Submit
C:\Windows\System\NVzbDkk.exe

Filesize
5.2MB

MD5
91aa3f2c42d1a58c873c2908908aec4a

SHA1
8b7ca63baccab4722b2364020f9b6edc55d8e000

SHA256
53706ec6564b6b30687693bb5c9a33f426d78baff72a606965010bdc9d863005

SHA512
bb9e29a389244c797fc556b8549728fd5670d9e2f288419721a3820ba85131c164499b82b634256d38458e7aee91c5b4656cebdf783c1049aec5cabac9ec2202

Download Submit
C:\Windows\System\OOajgtx.exe

Filesize
5.2MB

MD5
9f738b39b048d237a20584245ac56ca3

SHA1
cb3016bf5a1f321aa77f72a8d7b896071dcd1551

SHA256
6d03d9fe37f9df9f4d9948f899e9c852e6628b3afa0dd12e645802853d0ca5ea

SHA512
0264fe5d51acb36b992ed4ae75184497577946e4ce40f5824dbb5328e7c518857d8d1c001e0c1eff92f03ae6c901c678503ab060207bae7b8636bd72fec1db66

Download Submit
C:\Windows\System\TaNjuln.exe

Filesize
5.2MB

MD5
c1d3a8c38b0ae51c1f8e58af49f7dca1

SHA1
4ac0bb9db281387e6fa2ebcf3ff674a699cbf1ec

SHA256
de97737613062a3835e614621eab166e571e3f8cf2e6dd0e1d559be3cb9785dd

SHA512
0c47aed4b64282d41cf27c69388b41798166e2295294cde038da808ac1431ae9476692e0b6d093162a9aa23c5a1c57381d46932094677028592330d4f109c36c

Download Submit
C:\Windows\System\UicRlTG.exe

Filesize
5.2MB

MD5
9c8f4e4844c8a2d8096f27ed6abe6c51

SHA1
8b3350005b837a228753e6874a9ae47aa3c7c986

SHA256
4377bd627aa4994075855c3428b38364178541d78df1172651eddda0eb0ebd86

SHA512
73d277131ac4abd9dfd58b41345d1c8ed53814b41496a553cbaf325763fc75cd3ee0536dc46c99e10f126081f93787f893d2c87ebb5abc2cb33a8d5f2aeb64cd

Download Submit
C:\Windows\System\VboygTJ.exe

Filesize
5.2MB

MD5
dc40b36e00b9ce58ed1b210dd75cc78b

SHA1
2ecee91201cbdc438933a2c9209cee7ebd4b1175

SHA256
52cb36de537f712ec3f33422476a1466b2c11526a05c02a125db06993205b919

SHA512
cdadd1330970e51e5c70ce9744c7fc48105c7f2c4eb8217c1ba67d3d6c80ecf6998527c4fbbf70c73291a87e0d29e9ac2f9046a686604a0615caf61e303a1aec

Download Submit
C:\Windows\System\VouFIyd.exe

Filesize
5.2MB

MD5
a9c46edc2f9718b718626641b89fadb7

SHA1
ff971eb33ae6cf2f98be25f791810e14da855464

SHA256
1a83bc5005e74f76719531f0dd3d56a95c3f7898b6b05c7acc2c0d708c99d058

SHA512
32f65b6663b75140703e842dd13d6c79c28ddaeaf09daa4c524646b525adb2e78677e9abea07178602220d1ef985ee79f838a5ba8b3ca01183934e5a21a2e4c4

Download Submit
C:\Windows\System\XdhbSBj.exe

Filesize
5.2MB

MD5
e39505efcb343644ff76ce9e5e424733

SHA1
2e599d3d6893a65a431b23713336f08446045b14

SHA256
4f547353b166c2308876b97de42ab354acd9f8f581ecd73f5cd31164a8f5013c

SHA512
3336994838bbc8d562729289df6c240e3fe04fe6123d37bbcb6f9f6ebf82ec0c0af23cb759faf95f4b1dfff221481871ae9bb080b0df9ae56773055f0e9c79d4

Download Submit
C:\Windows\System\gUShUhR.exe

Filesize
5.2MB

MD5
fd126aea574ab7a2f2a615ace940cfe0

SHA1
992cc67e143cff103208a0f85658b233c237ab2f

SHA256
08abf408af1711423fe6938dabc1355a6856b889d47b9fa0f0d9f7aa761825f4

SHA512
1b19c45bf6ca630ccf77d5d2e0dba0d17a9dc1846fbdc0ce513050ab3c828639553f6e3ec132140cf7f643ea0a178010b570cf06fbfe3b05e32936407ac33875

Download Submit
C:\Windows\System\hhhsiYn.exe

Filesize
5.2MB

MD5
aeedf3fba457d369c0455301c64857d9

SHA1
a58aa1cb7db5370a28b51cff85c9e5d1b0ab186a

SHA256
1c12c2d9a2f083ffaad11bc98dba4d978d887c193618e29ba001623f3b006703

SHA512
eb2932c87eb41c167baca3e50ace1955b082339972c514cfdc98f87fee82438466138cdc31201287d4c3ec45248b523bb1d5007ee578af96f27439c493a19696

Download Submit
C:\Windows\System\liUfrbO.exe

Filesize
5.2MB

MD5
ebbb6dcb4539d6b5f0ba1a504251a5e0

SHA1
8ed515fa2813f8a1534a6cf0b5a95c4401a020e9

SHA256
10a14a2abfe2ef5b0e640659e23c69156647c2beba4f9ad4b9c20903a26fccf2

SHA512
8bb46c89c220b17019899f32d0ceb47b22f2067726f305d92dd6ddf9b8bd207b207f53e7a8ca02f4585bd0ac56315e7fe95b024d5361c47c73bda9bfa037b611

Download Submit
C:\Windows\System\ltyiHre.exe

Filesize
5.2MB

MD5
b34a37f17e9b359b636363f3d68c3b77

SHA1
d08214a084d2f9f70869a434355680baf45e898f

SHA256
38202191bfee76a0fd0c7bf4483e08854ae922ebd656bcd1c5aab9b41fa1cfd3

SHA512
6a39d98070e26b64bee5c3c93f4cec74af7bb2c4fb11a9ed77d7830b5ce26aec4d6341b220d8ca8a5136f6a89028ccc7eafa3683e04ce66cefe84e48c2318887

Download Submit
C:\Windows\System\mwfnWtO.exe

Filesize
5.2MB

MD5
aa358783353d5719775c603e8db59508

SHA1
ec8292b3e471afe151278c32c2f787e0edb77b0f

SHA256
c2508c4e5f476496b788ddbda2fb26899bfd453d4bb85038e3e9cad65860ceeb

SHA512
00183e8d912ad3a112c08e7b58c3f2e5a6ba55715af3a17768b247c4ac0d1ed0e3e058d55f1d1372dd2f880d781e30e3513d4de22da66a6d755407fe9c54bbba

Download Submit
C:\Windows\System\nNYQlLS.exe

Filesize
5.2MB

MD5
8009b7e29d03c0e679699d78e5bf2518

SHA1
5eaf26a85ee206cc773de336ab7a1fe1d246baaa

SHA256
c4a2203996f5a7c7c222a793eccefdc95bedfdbe426ce7c54a3849b1894a8fdf

SHA512
db1d12b10974596971c977fee6a3a23f1410379b0ee6bf1e26d66b65fbcfdd6b2c33c121e184a901a32642d202ba83a36572fb7db99814599f7ea05507cd43bf

Download Submit
C:\Windows\System\osEXCxB.exe

Filesize
5.2MB

MD5
b212dd58f1a50c9886ea35319f54409d

SHA1
3789ca30ae883670b463769618ceab4a2a84b67a

SHA256
a5245089910adcfe292f8471be02a366bb40535c1ec1f59ec2a5c232e3d6a758

SHA512
5a3bf6fc552091cd4c0121defa206fa9160e037a9fe77d41cd703e29ec72b70803a9ea7eb6a777c6835242a79c9397b9d2ada098e397f6635c015deeffc9597c

Download Submit
C:\Windows\System\upHyOBS.exe

Filesize
5.2MB

MD5
b427154c9b8979c4a183512e6c9604c1

SHA1
70ac288c2d0ff76b6971dca3054a7fe2e8e91a78

SHA256
174c63480c9a57f8c8d08eebbcfaf51ea29e9a647a484e883e1ea021376b9570

SHA512
8b632c388723e1a72f4252251663ce37785d3f93ba6731c63e9c30be8c7eac4a147a6b8f9ed17fcd0dca792bb3ef5e7f90fbdd14342a68a1276482c7fcab1b97

Download Submit
C:\Windows\System\wqJEzSf.exe

Filesize
5.2MB

MD5
4e17a06f043c8576be9b0d47b2b0dd32

SHA1
cbb792a510865f19da288b070cec882fb08023d8

SHA256
857b0577ca843d205420a400a6973b7f0487048cf4e4bef0e949c415758286dc

SHA512
8fc5e3accf268a26d8fa157542e8c43a0bf55bddcdedc1031126b123aaa61e77823b2b928cacbe135189f4df52fa754b42c81922cf8eecede413bf1c973539ac

Download Submit
C:\Windows\System\xeSyyvm.exe

Filesize
5.2MB

MD5
672a91677a6ee2a91e91292685311913

SHA1
a5da9533d9cfef0d4153e092326ecab9d18674c4

SHA256
f9e94b10662654583d14c676a62fd319a8505d47262b2f405d9f280d395dd5aa

SHA512
1f1dcadbc2bafb155ee0ddb5cb0217578450663b74bc641fb7243eba1e50fa23e3b965b1de361ba8441bb1e23bb93b90eb1ed4e8abe7186e419cd169330c543d

Download Submit
C:\Windows\System\yRtnxAn.exe

Filesize
5.2MB

MD5
21c1fbaa3d3bc71da3765e44ac65699f

SHA1
381a78f4c31509cf9b3f65b65713f9d5a116972a

SHA256
988d103779d10e5ea9f7194270e25db5924450b178c19394161be657c583764f

SHA512
d98ef1d861c2145b2d908243d26adeabc7e871e6f033182296edb080f4717381407b4dadfafc427c0c4b7a989cfa9974d1966ec1b0744ca3ca28c88e05cb029a

Download Submit
C:\Windows\System\ycbZBxn.exe

Filesize
5.2MB

MD5
76e764ed05828f5a0baa1f334e3b94f7

SHA1
87a18f18747200063767d5b654a54cfdabf76fd0

SHA256
79c9bf023f0e519382f1ad98a38ecb5cea80db70585e4cb65b3dcf3edbd00425

SHA512
8ded0eed444b0f0c0ef3908669b8d9c9ab79c6963969db7d4a023bc94438ac1d6320d1724766da6790c625159d79968455d073258b8a774ce3727350817f95ac

Download Submit
memory/316-161-0x00007FF6496B0000-0x00007FF649A01000-memory.dmp

Filesize
3.3MB

Download
memory/316-128-0x00007FF6496B0000-0x00007FF649A01000-memory.dmp

Filesize
3.3MB

Download
memory/316-269-0x00007FF6496B0000-0x00007FF649A01000-memory.dmp

Filesize
3.3MB

Download
memory/324-111-0x00007FF74E010000-0x00007FF74E361000-memory.dmp

Filesize
3.3MB

Download
memory/324-261-0x00007FF74E010000-0x00007FF74E361000-memory.dmp

Filesize
3.3MB

Download
memory/324-157-0x00007FF74E010000-0x00007FF74E361000-memory.dmp

Filesize
3.3MB

Download
memory/648-135-0x00007FF6A2500000-0x00007FF6A2851000-memory.dmp

Filesize
3.3MB

Download
memory/648-48-0x00007FF6A2500000-0x00007FF6A2851000-memory.dmp

Filesize
3.3MB

Download
memory/648-241-0x00007FF6A2500000-0x00007FF6A2851000-memory.dmp

Filesize
3.3MB

Download
memory/756-249-0x00007FF6EE850000-0x00007FF6EEBA1000-memory.dmp

Filesize
3.3MB

Download
memory/756-151-0x00007FF6EE850000-0x00007FF6EEBA1000-memory.dmp

Filesize
3.3MB

Download
memory/756-89-0x00007FF6EE850000-0x00007FF6EEBA1000-memory.dmp

Filesize
3.3MB

Download
memory/764-263-0x00007FF7EF5D0000-0x00007FF7EF921000-memory.dmp

Filesize
3.3MB

Download
memory/764-158-0x00007FF7EF5D0000-0x00007FF7EF921000-memory.dmp

Filesize
3.3MB

Download
memory/764-112-0x00007FF7EF5D0000-0x00007FF7EF921000-memory.dmp

Filesize
3.3MB

Download
memory/1388-243-0x00007FF670EE0000-0x00007FF671231000-memory.dmp

Filesize
3.3MB

Download
memory/1388-153-0x00007FF670EE0000-0x00007FF671231000-memory.dmp

Filesize
3.3MB

Download
memory/1388-74-0x00007FF670EE0000-0x00007FF671231000-memory.dmp

Filesize
3.3MB

Download
memory/1512-42-0x00007FF6AA2F0000-0x00007FF6AA641000-memory.dmp

Filesize
3.3MB

Download
memory/1512-230-0x00007FF6AA2F0000-0x00007FF6AA641000-memory.dmp

Filesize
3.3MB

Download
memory/1512-134-0x00007FF6AA2F0000-0x00007FF6AA641000-memory.dmp

Filesize
3.3MB

Download
memory/1776-245-0x00007FF731D00000-0x00007FF732051000-memory.dmp

Filesize
3.3MB

Download
memory/1776-154-0x00007FF731D00000-0x00007FF732051000-memory.dmp

Filesize
3.3MB

Download
memory/1776-75-0x00007FF731D00000-0x00007FF732051000-memory.dmp

Filesize
3.3MB

Download
memory/1864-160-0x00007FF649520000-0x00007FF649871000-memory.dmp

Filesize
3.3MB

Download
memory/1864-265-0x00007FF649520000-0x00007FF649871000-memory.dmp

Filesize
3.3MB

Download
memory/1864-117-0x00007FF649520000-0x00007FF649871000-memory.dmp

Filesize
3.3MB

Download
memory/2364-0-0x00007FF760030000-0x00007FF760381000-memory.dmp

Filesize
3.3MB

Download
memory/2364-122-0x00007FF760030000-0x00007FF760381000-memory.dmp

Filesize
3.3MB

Download
memory/2364-1-0x000001DA44350000-0x000001DA44360000-memory.dmp

Filesize
64KB

Download
memory/2364-137-0x00007FF760030000-0x00007FF760381000-memory.dmp

Filesize
3.3MB

Download
memory/2364-162-0x00007FF760030000-0x00007FF760381000-memory.dmp

Filesize
3.3MB

Download
memory/2556-93-0x00007FF70CEF0000-0x00007FF70D241000-memory.dmp

Filesize
3.3MB

Download
memory/2556-255-0x00007FF70CEF0000-0x00007FF70D241000-memory.dmp

Filesize
3.3MB

Download
memory/2556-156-0x00007FF70CEF0000-0x00007FF70D241000-memory.dmp

Filesize
3.3MB

Download
memory/2916-247-0x00007FF6B76B0000-0x00007FF6B7A01000-memory.dmp

Filesize
3.3MB

Download
memory/2916-143-0x00007FF6B76B0000-0x00007FF6B7A01000-memory.dmp

Filesize
3.3MB

Download
memory/2916-72-0x00007FF6B76B0000-0x00007FF6B7A01000-memory.dmp

Filesize
3.3MB

Download
memory/3180-228-0x00007FF7AFCE0000-0x00007FF7B0031000-memory.dmp

Filesize
3.3MB

Download
memory/3180-132-0x00007FF7AFCE0000-0x00007FF7B0031000-memory.dmp

Filesize
3.3MB

Download
memory/3180-31-0x00007FF7AFCE0000-0x00007FF7B0031000-memory.dmp

Filesize
3.3MB

Download
memory/3868-136-0x00007FF6FFFA0000-0x00007FF7002F1000-memory.dmp

Filesize
3.3MB

Download
memory/3868-67-0x00007FF6FFFA0000-0x00007FF7002F1000-memory.dmp

Filesize
3.3MB

Download
memory/3868-239-0x00007FF6FFFA0000-0x00007FF7002F1000-memory.dmp

Filesize
3.3MB

Download
memory/4228-220-0x00007FF6804A0000-0x00007FF6807F1000-memory.dmp

Filesize
3.3MB

Download
memory/4228-6-0x00007FF6804A0000-0x00007FF6807F1000-memory.dmp

Filesize
3.3MB

Download
memory/4228-126-0x00007FF6804A0000-0x00007FF6807F1000-memory.dmp

Filesize
3.3MB

Download
memory/4272-58-0x00007FF74A690000-0x00007FF74A9E1000-memory.dmp

Filesize
3.3MB

Download
memory/4272-226-0x00007FF74A690000-0x00007FF74A9E1000-memory.dmp

Filesize
3.3MB

Download
memory/4396-224-0x00007FF652430000-0x00007FF652781000-memory.dmp

Filesize
3.3MB

Download
memory/4396-131-0x00007FF652430000-0x00007FF652781000-memory.dmp

Filesize
3.3MB

Download
memory/4396-22-0x00007FF652430000-0x00007FF652781000-memory.dmp

Filesize
3.3MB

Download
memory/4544-47-0x00007FF6B9050000-0x00007FF6B93A1000-memory.dmp

Filesize
3.3MB

Download
memory/4544-232-0x00007FF6B9050000-0x00007FF6B93A1000-memory.dmp

Filesize
3.3MB

Download
memory/4544-133-0x00007FF6B9050000-0x00007FF6B93A1000-memory.dmp

Filesize
3.3MB

Download
memory/4628-159-0x00007FF7AFCB0000-0x00007FF7B0001000-memory.dmp

Filesize
3.3MB

Download
memory/4628-267-0x00007FF7AFCB0000-0x00007FF7B0001000-memory.dmp

Filesize
3.3MB

Download
memory/4628-125-0x00007FF7AFCB0000-0x00007FF7B0001000-memory.dmp

Filesize
3.3MB

Download
memory/4744-127-0x00007FF637F90000-0x00007FF6382E1000-memory.dmp

Filesize
3.3MB

Download
memory/4744-222-0x00007FF637F90000-0x00007FF6382E1000-memory.dmp

Filesize
3.3MB

Download
memory/4744-17-0x00007FF637F90000-0x00007FF6382E1000-memory.dmp

Filesize
3.3MB

Download
memory/5040-253-0x00007FF699D50000-0x00007FF69A0A1000-memory.dmp

Filesize
3.3MB

Download
memory/5040-155-0x00007FF699D50000-0x00007FF69A0A1000-memory.dmp

Filesize
3.3MB

Download
memory/5040-94-0x00007FF699D50000-0x00007FF69A0A1000-memory.dmp

Filesize
3.3MB

Download
memory/5060-251-0x00007FF623C60000-0x00007FF623FB1000-memory.dmp

Filesize
3.3MB

Download
memory/5060-92-0x00007FF623C60000-0x00007FF623FB1000-memory.dmp

Filesize
3.3MB

Download