cobaltstrike | 60b57b4b161faa5bdde560756c8855a6a1bcae122fd1859131b9c93acce8c7f1

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-11-2024 21:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

64bd96235d45e802567ae4a24a0641ee
SHA1

720781fe0b4581cc94f4059430edb2df4741276f
SHA256

60b57b4b161faa5bdde560756c8855a6a1bcae122fd1859131b9c93acce8c7f1
SHA512

184a6bf927ad1bd097bd84ef5998bf5af9d5ca3635d5aa3b0a758a2fe3ca34d9145798cad336210044bb729016fd502b60d640fce53d22a17ead8ffe829b6229
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lc:RWWBibf56utgpPFotBER/mQ32lU4

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0009000000023c86-4.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c93-10.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c8a-11.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c95-27.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c98-47.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c99-50.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9b-63.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9c-73.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9a-62.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023c87-54.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c97-40.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c96-35.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9d-80.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9e-86.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca0-100.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca1-107.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca4-127.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca3-130.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca2-119.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9f-105.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca5-150.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 44 IoCs

miner

resource	yara_rule
behavioral2/memory/2832-69-0x00007FF7D73D0000-0x00007FF7D7721000-memory.dmp	xmrig
behavioral2/memory/2020-75-0x00007FF6F7A10000-0x00007FF6F7D61000-memory.dmp	xmrig
behavioral2/memory/2228-88-0x00007FF79BE80000-0x00007FF79C1D1000-memory.dmp	xmrig
behavioral2/memory/1360-109-0x00007FF69E670000-0x00007FF69E9C1000-memory.dmp	xmrig
behavioral2/memory/4416-124-0x00007FF639C50000-0x00007FF639FA1000-memory.dmp	xmrig
behavioral2/memory/1264-128-0x00007FF65FBC0000-0x00007FF65FF11000-memory.dmp	xmrig
behavioral2/memory/3224-108-0x00007FF71BC10000-0x00007FF71BF61000-memory.dmp	xmrig
behavioral2/memory/4100-101-0x00007FF6D1EB0000-0x00007FF6D2201000-memory.dmp	xmrig
behavioral2/memory/1460-96-0x00007FF6E7560000-0x00007FF6E78B1000-memory.dmp	xmrig
behavioral2/memory/3376-95-0x00007FF65D6F0000-0x00007FF65DA41000-memory.dmp	xmrig
behavioral2/memory/2980-87-0x00007FF64B6B0000-0x00007FF64BA01000-memory.dmp	xmrig
behavioral2/memory/972-85-0x00007FF7AE970000-0x00007FF7AECC1000-memory.dmp	xmrig
behavioral2/memory/4800-82-0x00007FF63DC10000-0x00007FF63DF61000-memory.dmp	xmrig
behavioral2/memory/3832-149-0x00007FF791620000-0x00007FF791971000-memory.dmp	xmrig
behavioral2/memory/1076-154-0x00007FF738870000-0x00007FF738BC1000-memory.dmp	xmrig
behavioral2/memory/2704-155-0x00007FF7710D0000-0x00007FF771421000-memory.dmp	xmrig
behavioral2/memory/4888-161-0x00007FF6AFC40000-0x00007FF6AFF91000-memory.dmp	xmrig
behavioral2/memory/1588-164-0x00007FF7CD5E0000-0x00007FF7CD931000-memory.dmp	xmrig
behavioral2/memory/1528-163-0x00007FF7B0050000-0x00007FF7B03A1000-memory.dmp	xmrig
behavioral2/memory/8-162-0x00007FF74F970000-0x00007FF74FCC1000-memory.dmp	xmrig
behavioral2/memory/4076-160-0x00007FF696300000-0x00007FF696651000-memory.dmp	xmrig
behavioral2/memory/2832-165-0x00007FF7D73D0000-0x00007FF7D7721000-memory.dmp	xmrig
behavioral2/memory/748-178-0x00007FF693130000-0x00007FF693481000-memory.dmp	xmrig
behavioral2/memory/2020-216-0x00007FF6F7A10000-0x00007FF6F7D61000-memory.dmp	xmrig
behavioral2/memory/4800-218-0x00007FF63DC10000-0x00007FF63DF61000-memory.dmp	xmrig
behavioral2/memory/2980-220-0x00007FF64B6B0000-0x00007FF64BA01000-memory.dmp	xmrig
behavioral2/memory/3376-229-0x00007FF65D6F0000-0x00007FF65DA41000-memory.dmp	xmrig
behavioral2/memory/2228-231-0x00007FF79BE80000-0x00007FF79C1D1000-memory.dmp	xmrig
behavioral2/memory/1460-233-0x00007FF6E7560000-0x00007FF6E78B1000-memory.dmp	xmrig
behavioral2/memory/4100-235-0x00007FF6D1EB0000-0x00007FF6D2201000-memory.dmp	xmrig
behavioral2/memory/1360-238-0x00007FF69E670000-0x00007FF69E9C1000-memory.dmp	xmrig
behavioral2/memory/3224-239-0x00007FF71BC10000-0x00007FF71BF61000-memory.dmp	xmrig
behavioral2/memory/4416-241-0x00007FF639C50000-0x00007FF639FA1000-memory.dmp	xmrig
behavioral2/memory/1264-245-0x00007FF65FBC0000-0x00007FF65FF11000-memory.dmp	xmrig
behavioral2/memory/3832-244-0x00007FF791620000-0x00007FF791971000-memory.dmp	xmrig
behavioral2/memory/972-252-0x00007FF7AE970000-0x00007FF7AECC1000-memory.dmp	xmrig
behavioral2/memory/1076-257-0x00007FF738870000-0x00007FF738BC1000-memory.dmp	xmrig
behavioral2/memory/2704-260-0x00007FF7710D0000-0x00007FF771421000-memory.dmp	xmrig
behavioral2/memory/1588-263-0x00007FF7CD5E0000-0x00007FF7CD931000-memory.dmp	xmrig
behavioral2/memory/4076-264-0x00007FF696300000-0x00007FF696651000-memory.dmp	xmrig
behavioral2/memory/4888-266-0x00007FF6AFC40000-0x00007FF6AFF91000-memory.dmp	xmrig
behavioral2/memory/8-268-0x00007FF74F970000-0x00007FF74FCC1000-memory.dmp	xmrig
behavioral2/memory/1528-270-0x00007FF7B0050000-0x00007FF7B03A1000-memory.dmp	xmrig
behavioral2/memory/748-274-0x00007FF693130000-0x00007FF693481000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2020	fcIMIeB.exe
4800	UVYYroX.exe
2980	TGEIuET.exe
3376	tdFCUtr.exe
2228	czydCIO.exe
1460	wNougXm.exe
4100	zTgIxGi.exe
3224	LKUIqMt.exe
1360	MJWzsUt.exe
4416	vYDdMAx.exe
1264	WegCgNk.exe
3832	VfOikmc.exe
972	tLCHybD.exe
1076	GlKdcTP.exe
2704	TepGzLu.exe
1588	xqAukTI.exe
4076	tcWPnVR.exe
4888	UNcReCZ.exe
8	WOHDXHz.exe
1528	CCfcPOr.exe
748	RwMmEzt.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2832-0-0x00007FF7D73D0000-0x00007FF7D7721000-memory.dmp	upx
behavioral2/files/0x0009000000023c86-4.dat	upx
behavioral2/files/0x0007000000023c93-10.dat	upx
behavioral2/files/0x0008000000023c8a-11.dat	upx
behavioral2/memory/4800-14-0x00007FF63DC10000-0x00007FF63DF61000-memory.dmp	upx
behavioral2/memory/2020-8-0x00007FF6F7A10000-0x00007FF6F7D61000-memory.dmp	upx
behavioral2/files/0x0007000000023c95-27.dat	upx
behavioral2/files/0x0007000000023c98-47.dat	upx
behavioral2/files/0x0007000000023c99-50.dat	upx
behavioral2/files/0x0007000000023c9b-63.dat	upx
behavioral2/memory/1264-65-0x00007FF65FBC0000-0x00007FF65FF11000-memory.dmp	upx
behavioral2/files/0x0007000000023c9c-73.dat	upx
behavioral2/memory/3832-70-0x00007FF791620000-0x00007FF791971000-memory.dmp	upx
behavioral2/memory/2832-69-0x00007FF7D73D0000-0x00007FF7D7721000-memory.dmp	upx
behavioral2/files/0x0007000000023c9a-62.dat	upx
behavioral2/memory/4416-60-0x00007FF639C50000-0x00007FF639FA1000-memory.dmp	upx
behavioral2/files/0x0009000000023c87-54.dat	upx
behavioral2/memory/1360-52-0x00007FF69E670000-0x00007FF69E9C1000-memory.dmp	upx
behavioral2/memory/3224-51-0x00007FF71BC10000-0x00007FF71BF61000-memory.dmp	upx
behavioral2/memory/4100-44-0x00007FF6D1EB0000-0x00007FF6D2201000-memory.dmp	upx
behavioral2/files/0x0007000000023c97-40.dat	upx
behavioral2/memory/1460-38-0x00007FF6E7560000-0x00007FF6E78B1000-memory.dmp	upx
behavioral2/memory/2228-32-0x00007FF79BE80000-0x00007FF79C1D1000-memory.dmp	upx
behavioral2/files/0x0007000000023c96-35.dat	upx
behavioral2/memory/3376-30-0x00007FF65D6F0000-0x00007FF65DA41000-memory.dmp	upx
behavioral2/memory/2980-18-0x00007FF64B6B0000-0x00007FF64BA01000-memory.dmp	upx
behavioral2/memory/2020-75-0x00007FF6F7A10000-0x00007FF6F7D61000-memory.dmp	upx
behavioral2/files/0x0007000000023c9d-80.dat	upx
behavioral2/files/0x0007000000023c9e-86.dat	upx
behavioral2/memory/2228-88-0x00007FF79BE80000-0x00007FF79C1D1000-memory.dmp	upx
behavioral2/memory/1076-94-0x00007FF738870000-0x00007FF738BC1000-memory.dmp	upx
behavioral2/files/0x0007000000023ca0-100.dat	upx
behavioral2/memory/1588-102-0x00007FF7CD5E0000-0x00007FF7CD931000-memory.dmp	upx
behavioral2/files/0x0007000000023ca1-107.dat	upx
behavioral2/memory/1360-109-0x00007FF69E670000-0x00007FF69E9C1000-memory.dmp	upx
behavioral2/memory/4416-124-0x00007FF639C50000-0x00007FF639FA1000-memory.dmp	upx
behavioral2/files/0x0007000000023ca4-127.dat	upx
behavioral2/files/0x0007000000023ca3-130.dat	upx
behavioral2/memory/1528-129-0x00007FF7B0050000-0x00007FF7B03A1000-memory.dmp	upx
behavioral2/memory/1264-128-0x00007FF65FBC0000-0x00007FF65FF11000-memory.dmp	upx
behavioral2/memory/8-126-0x00007FF74F970000-0x00007FF74FCC1000-memory.dmp	upx
behavioral2/files/0x0007000000023ca2-119.dat	upx
behavioral2/memory/4888-118-0x00007FF6AFC40000-0x00007FF6AFF91000-memory.dmp	upx
behavioral2/memory/4076-112-0x00007FF696300000-0x00007FF696651000-memory.dmp	upx
behavioral2/memory/3224-108-0x00007FF71BC10000-0x00007FF71BF61000-memory.dmp	upx
behavioral2/files/0x0007000000023c9f-105.dat	upx
behavioral2/memory/4100-101-0x00007FF6D1EB0000-0x00007FF6D2201000-memory.dmp	upx
behavioral2/memory/2704-97-0x00007FF7710D0000-0x00007FF771421000-memory.dmp	upx
behavioral2/memory/1460-96-0x00007FF6E7560000-0x00007FF6E78B1000-memory.dmp	upx
behavioral2/memory/3376-95-0x00007FF65D6F0000-0x00007FF65DA41000-memory.dmp	upx
behavioral2/memory/2980-87-0x00007FF64B6B0000-0x00007FF64BA01000-memory.dmp	upx
behavioral2/memory/972-85-0x00007FF7AE970000-0x00007FF7AECC1000-memory.dmp	upx
behavioral2/memory/4800-82-0x00007FF63DC10000-0x00007FF63DF61000-memory.dmp	upx
behavioral2/memory/3832-149-0x00007FF791620000-0x00007FF791971000-memory.dmp	upx
behavioral2/files/0x0007000000023ca5-150.dat	upx
behavioral2/memory/748-151-0x00007FF693130000-0x00007FF693481000-memory.dmp	upx
behavioral2/memory/1076-154-0x00007FF738870000-0x00007FF738BC1000-memory.dmp	upx
behavioral2/memory/2704-155-0x00007FF7710D0000-0x00007FF771421000-memory.dmp	upx
behavioral2/memory/4888-161-0x00007FF6AFC40000-0x00007FF6AFF91000-memory.dmp	upx
behavioral2/memory/1588-164-0x00007FF7CD5E0000-0x00007FF7CD931000-memory.dmp	upx
behavioral2/memory/1528-163-0x00007FF7B0050000-0x00007FF7B03A1000-memory.dmp	upx
behavioral2/memory/8-162-0x00007FF74F970000-0x00007FF74FCC1000-memory.dmp	upx
behavioral2/memory/4076-160-0x00007FF696300000-0x00007FF696651000-memory.dmp	upx
behavioral2/memory/2832-165-0x00007FF7D73D0000-0x00007FF7D7721000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\xqAukTI.exe	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UNcReCZ.exe	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MJWzsUt.exe	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GlKdcTP.exe	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TepGzLu.exe	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zTgIxGi.exe	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VfOikmc.exe	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tLCHybD.exe	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tcWPnVR.exe	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CCfcPOr.exe	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fcIMIeB.exe	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TGEIuET.exe	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\czydCIO.exe	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wNougXm.exe	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RwMmEzt.exe	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vYDdMAx.exe	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WegCgNk.exe	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WOHDXHz.exe	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UVYYroX.exe	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tdFCUtr.exe	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LKUIqMt.exe	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2832	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2832	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2832 wrote to memory of 2020	2832	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2832 wrote to memory of 2020	2832	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2832 wrote to memory of 4800	2832	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2832 wrote to memory of 4800	2832	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2832 wrote to memory of 2980	2832	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2832 wrote to memory of 2980	2832	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2832 wrote to memory of 3376	2832	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2832 wrote to memory of 3376	2832	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2832 wrote to memory of 2228	2832	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2832 wrote to memory of 2228	2832	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2832 wrote to memory of 1460	2832	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2832 wrote to memory of 1460	2832	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2832 wrote to memory of 4100	2832	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2832 wrote to memory of 4100	2832	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2832 wrote to memory of 3224	2832	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2832 wrote to memory of 3224	2832	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2832 wrote to memory of 1360	2832	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2832 wrote to memory of 1360	2832	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2832 wrote to memory of 4416	2832	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2832 wrote to memory of 4416	2832	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2832 wrote to memory of 1264	2832	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2832 wrote to memory of 1264	2832	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2832 wrote to memory of 3832	2832	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2832 wrote to memory of 3832	2832	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2832 wrote to memory of 972	2832	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2832 wrote to memory of 972	2832	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2832 wrote to memory of 1076	2832	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2832 wrote to memory of 1076	2832	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2832 wrote to memory of 2704	2832	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2832 wrote to memory of 2704	2832	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2832 wrote to memory of 1588	2832	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2832 wrote to memory of 1588	2832	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2832 wrote to memory of 4076	2832	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2832 wrote to memory of 4076	2832	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2832 wrote to memory of 4888	2832	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2832 wrote to memory of 4888	2832	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2832 wrote to memory of 8	2832	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 2832 wrote to memory of 8	2832	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 2832 wrote to memory of 1528	2832	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 2832 wrote to memory of 1528	2832	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 2832 wrote to memory of 748	2832	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe	109
PID 2832 wrote to memory of 748	2832	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe	109

C:\Users\Admin\AppData\Local\Temp\2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2832
- C:\Windows\System\fcIMIeB.exe
  C:\Windows\System\fcIMIeB.exe
  2⤵
  - Executes dropped EXE
  PID:2020
- C:\Windows\System\UVYYroX.exe
  C:\Windows\System\UVYYroX.exe
  2⤵
  - Executes dropped EXE
  PID:4800
- C:\Windows\System\TGEIuET.exe
  C:\Windows\System\TGEIuET.exe
  2⤵
  - Executes dropped EXE
  PID:2980
- C:\Windows\System\tdFCUtr.exe
  C:\Windows\System\tdFCUtr.exe
  2⤵
  - Executes dropped EXE
  PID:3376
- C:\Windows\System\czydCIO.exe
  C:\Windows\System\czydCIO.exe
  2⤵
  - Executes dropped EXE
  PID:2228
- C:\Windows\System\wNougXm.exe
  C:\Windows\System\wNougXm.exe
  2⤵
  - Executes dropped EXE
  PID:1460
- C:\Windows\System\zTgIxGi.exe
  C:\Windows\System\zTgIxGi.exe
  2⤵
  - Executes dropped EXE
  PID:4100
- C:\Windows\System\LKUIqMt.exe
  C:\Windows\System\LKUIqMt.exe
  2⤵
  - Executes dropped EXE
  PID:3224
- C:\Windows\System\MJWzsUt.exe
  C:\Windows\System\MJWzsUt.exe
  2⤵
  - Executes dropped EXE
  PID:1360
- C:\Windows\System\vYDdMAx.exe
  C:\Windows\System\vYDdMAx.exe
  2⤵
  - Executes dropped EXE
  PID:4416
- C:\Windows\System\WegCgNk.exe
  C:\Windows\System\WegCgNk.exe
  2⤵
  - Executes dropped EXE
  PID:1264
- C:\Windows\System\VfOikmc.exe
  C:\Windows\System\VfOikmc.exe
  2⤵
  - Executes dropped EXE
  PID:3832
- C:\Windows\System\tLCHybD.exe
  C:\Windows\System\tLCHybD.exe
  2⤵
  - Executes dropped EXE
  PID:972
- C:\Windows\System\GlKdcTP.exe
  C:\Windows\System\GlKdcTP.exe
  2⤵
  - Executes dropped EXE
  PID:1076
- C:\Windows\System\TepGzLu.exe
  C:\Windows\System\TepGzLu.exe
  2⤵
  - Executes dropped EXE
  PID:2704
- C:\Windows\System\xqAukTI.exe
  C:\Windows\System\xqAukTI.exe
  2⤵
  - Executes dropped EXE
  PID:1588
- C:\Windows\System\tcWPnVR.exe
  C:\Windows\System\tcWPnVR.exe
  2⤵
  - Executes dropped EXE
  PID:4076
- C:\Windows\System\UNcReCZ.exe
  C:\Windows\System\UNcReCZ.exe
  2⤵
  - Executes dropped EXE
  PID:4888
- C:\Windows\System\WOHDXHz.exe
  C:\Windows\System\WOHDXHz.exe
  2⤵
  - Executes dropped EXE
  PID:8
- C:\Windows\System\CCfcPOr.exe
  C:\Windows\System\CCfcPOr.exe
  2⤵
  - Executes dropped EXE
  PID:1528
- C:\Windows\System\RwMmEzt.exe
  C:\Windows\System\RwMmEzt.exe
  2⤵
  - Executes dropped EXE
  PID:748

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\CCfcPOr.exe

Filesize
5.2MB

MD5
2cacda4277554402cb36f0065fe05b9d

SHA1
ce115b01e7315ea3330f99cf8f3d81bae34a8153

SHA256
4c15dd4020ae4824b4fa9fa337ca0c7c9b7433422833e7dcc4f3aef808cac8fc

SHA512
314ef61c8690464a8f9253fb7d30f0ef6ff5501aceeeb04d0d1fc5abce8ca47acedf588df183fe67d4b583fda1a059c1ded350069e929edc85470bc99f1f7ad1

Download Submit
C:\Windows\System\GlKdcTP.exe

Filesize
5.2MB

MD5
58cf8e13004d5d08956cf3b39f745282

SHA1
b2349382314a1b4c8dc39a44a74e3f6c89c34997

SHA256
07757f7b63bd3a56379c48fe07e61b2b6efaa5c42c49febe1c64f7d4374d5dc7

SHA512
30b247a1bf2dccfff0c33b20a05acc2225aa96a1f750b7feaab1f02bd2ff68d0b975fe2e46cc97ca223945169aae20418d30914daf7d53092838b434d1e39218

Download Submit
C:\Windows\System\LKUIqMt.exe

Filesize
5.2MB

MD5
c1efdfe7bb301d27120b6b8e39a333e4

SHA1
df436f3b1d245f232ca1a223940a91e3bae29bb3

SHA256
1860fdef8d4f7d5f1471636f4e3762c5c2d3d96c8e292f0995132a1758cbc9f6

SHA512
c48e3ee18fc840e7987a0519fb2b8857d39dcaab8b23a705633a33fd70ac8715c2a687695d0ee6d99e1564d80761ebc731dfe029e8483a36b955bef19d8db18b

Download Submit
C:\Windows\System\MJWzsUt.exe

Filesize
5.2MB

MD5
15f35cfbe288e541909aed84e1947ee3

SHA1
88b0a1841c53559a12e13d8892787ac9f80f5c03

SHA256
3bff5df3216b04227edf9d783f2acdf9c7a79948fd062a0d5a22696c527dfdb4

SHA512
4ab237463ad111d9e6e238ffae7837a7fccdd0118af7bbcd25ecad3fc2fd077ab03ca2fdc41801abdfcb26844d8dc1f35e4600224ddd97caf66d5b465d16f84e

Download Submit
C:\Windows\System\RwMmEzt.exe

Filesize
5.2MB

MD5
b5c06f9fedd4faa2d7679bc306d408e7

SHA1
3a4d4a5d031875bae64ca6cc92a325adf27afaaf

SHA256
ddfe58827f629a3e2db85f2ce7d30a90f9155fb9a8ca264a14da294ae8d7634b

SHA512
48ae5a50c92d55eda895a5d0180ad304b8d70634dc34542d0e168a2e91c2ce348cf5443259bda9ff71d9b73f76845223f05d309e18db37d9af1e898bac2a76fa

Download Submit
C:\Windows\System\TGEIuET.exe

Filesize
5.2MB

MD5
0bf2f58f05cbb40d343301168ff72c7a

SHA1
785e8e9b0e5434d2fabaf6908d588b993ac0bb78

SHA256
84edae6cff2ee62d9eb38b2968e3f5066dca42503be464b4386f1d0e199407fa

SHA512
6f0f0de08f2f60689763a1902cbd24325c5942dce48304dccf17fd0221dd5a8eea5bd04ed2d656e049cec94140e7675105f4bdd4d35e8b92aa87e5b477d4f090

Download Submit
C:\Windows\System\TepGzLu.exe

Filesize
5.2MB

MD5
ce9b5e3babd3cecc10e29258f8bae590

SHA1
97f26472abb2256fab7463cf93c4f7bbc59c606f

SHA256
98161d5b26638f4b908ebb6085089516f5619c452144bef639d4d3c53fd82aae

SHA512
dcef8a9a6a6bb90f0337f63e3a9ef75370ebe8b42c05ae7702d0fbb9094bea327758ad34a48383f061bbe317e745da87e5112ec2a21c6f35ae6de1b96e4c0bfa

Download Submit
C:\Windows\System\UNcReCZ.exe

Filesize
5.2MB

MD5
6c187bf8f6299f843b836b3584968369

SHA1
8b679228a7e21e27963125498cd533ddf7985b38

SHA256
4d595fa3c851bab802b6f70b705def1a6d2a5a3146c1cd2c378204025912454a

SHA512
4d536f3a5cefac5a07beb1ae8f80df36a9d85665ccd8112c98d2870b8947323ab7058744c46e08ae33086da23297ad8b926f76b292208c30c955ca89b52dcd59

Download Submit
C:\Windows\System\UVYYroX.exe

Filesize
5.2MB

MD5
d1cb011ff123ac7b254049f2f3390e72

SHA1
c93e38d799b53d8baedc91f8d509f0dc30c95caa

SHA256
c74122a09db7d5300e99e94668e8d5cdf6cf6c60de7a47d028179ddc06115daf

SHA512
e1c0f9119ec5e4075d7105ddd3ef67d594abf8e8c92d4c73779aa1a0b2bdfc5f01417f721ab1e3ed75cd6554c3100335f43eb42c6eb2dfe836b406526e7b39c4

Download Submit
C:\Windows\System\VfOikmc.exe

Filesize
5.2MB

MD5
f499a5e918433c22a1415ca11ac45b9c

SHA1
d8287f07006c7906156580c82402e20e828f0359

SHA256
24dab97c40d696a20d57b3aa79fd38bdb3efe3311076faed0fca32984b2eb8de

SHA512
22aa625ce8f9d5e5f6117062b71ef00ac40b1876e0279a44d176f88fa30213fc2d3e0ad567c4f474677dcf9ae4dfd4cddc1b4a6683b2bfdb7a1a12aa09415dea

Download Submit
C:\Windows\System\WOHDXHz.exe

Filesize
5.2MB

MD5
ef6028693e3ca842f71fd5da5f855f1a

SHA1
c9a4e60c91313986c3fcb6c2fbfccc2e1613601b

SHA256
78f84928706c3131ac96541a8188af16a5d29acc7f83841a13f2fbdc5ca3c743

SHA512
324c40454c50c4b8a12a2e29330193dda63e0d486cfd46dc97113e1bc12c953f118614268df69b31e697fe6c4b9ac35c7b22d33d16efdbf5a83ce4ede0ce07c7

Download Submit
C:\Windows\System\WegCgNk.exe

Filesize
5.2MB

MD5
ee61fdd4f1b605c2ece9bd0c005846c3

SHA1
7bb3d9acec172ca395fa4dbb737e9405b806db0b

SHA256
4f3b4d18f6d41cfb409a500efe080239f6c5d0c5279198280963686cbe4ba8f6

SHA512
908b8c4ae75328a55ff66e2e093f362dc7edfd6ddca023693e98c10066e0b8be1160540ebd97adebf819b7c8f57ab7556a9b9fd17f3259685344022914511580

Download Submit
C:\Windows\System\czydCIO.exe

Filesize
5.2MB

MD5
376baa017470c1c44293542a8c3bcaad

SHA1
69ed83bf4d247cd1b682e182400ca5036ca1e514

SHA256
3c1123e31ab98c97b18655a2edacb64062793174c4877331842338f6b73e8f3f

SHA512
f78b9a6ff222383cd9d73bc283797723501315f853596ba3ac9efd53926548119e9ff92befb23d2402901fba30d58563360e32bed6fee8c51437f6aa78a73aaf

Download Submit
C:\Windows\System\fcIMIeB.exe

Filesize
5.2MB

MD5
af85df1abee5fb5494cd07ba8ac8cdf7

SHA1
4f058ea6f54a5009a00c0a1a13fffd34504e72ae

SHA256
283a32f9e5bcad6a8ca2b425eeede0b9f7b88b8231583aa65920358771eb73bf

SHA512
b166ce26610eabe1423993dffa7d8d72c6d4dc3630343acb2fadb5dce5acce14812aa3ff9df2812f99cbf68ebb16296edda0751187e6fb0e8c41819d13af4331

Download Submit
C:\Windows\System\tLCHybD.exe

Filesize
5.2MB

MD5
c5c27748ef98bc4861b30cbeb60e00d4

SHA1
8281000b653f7c29a8e0ffb795d6e8f23158e4dd

SHA256
21f7c63cb9c62bfa3719edb296c5f3e144d7071a246566458c490ea8c878e094

SHA512
1ed180305a4487c4d6185942be7e3f9d643752a7ef732b7ea1dc78dae299ff5483bf0b4118b75265135b38c49cbdf00a0d43f158fe67127f04047654128a11a6

Download Submit
C:\Windows\System\tcWPnVR.exe

Filesize
5.2MB

MD5
7bcfddd58d3b1da409b6ea8d9ab07e13

SHA1
eed9171d2e8673a0c6436091bd42bb9fe17bd7d2

SHA256
a150b7967629bf6d75352f26ed0a70d7fb008c48b6443e8aaa426623533c754a

SHA512
b88ebeefe2483cacbf474d89dadf22a15c660a7be83935b7855d4ef8049f853984445f45176982a497c2b613785e66b72984b3680da92df47a75ac563c08a45d

Download Submit
C:\Windows\System\tdFCUtr.exe

Filesize
5.2MB

MD5
1fbc4582a39601fff36e50920306cfb8

SHA1
f6dcd6b1f22686ae4fc1cdaefffff27904919c05

SHA256
e664d947c65aa700acd10b97e30ee47f0348f2908e36067989c8753ec3a8ad81

SHA512
c3f6667b119706f72e69f40d4744712691749635a9c81c34b661006b7c448c9bc2fd66ed79aa98517bdae1a98de51211ddcfa4c6ce1decbe919cc1d758d64919

Download Submit
C:\Windows\System\vYDdMAx.exe

Filesize
5.2MB

MD5
f323b8880651778bb095a67b40c37686

SHA1
d5cc2a2d0eb01a647b6f3aea7b6d69735d8f3188

SHA256
f00e70e0d40df44bc9358e2fbdd9964c8409c7f92ee4325ca3e19cd3c1bd176c

SHA512
c6a3398e3001e486284c62876a354f93c471381efd1b76c1bf4c60efcf5bb74839b81ae0f56112680c1b43cc1d4bb59d2259188bfcc0ee0aabfda31d9250e507

Download Submit
C:\Windows\System\wNougXm.exe

Filesize
5.2MB

MD5
2fbaedebfd01653867365824609e0f3c

SHA1
679e7579c22cda260d66ea08d641893d0aa8839d

SHA256
9092691250becf4ea985aedf31e70f5cd222a2007cfd2e949c5a42f3d0ed34bb

SHA512
2dc1c7fb653044b9f7b0fd486a7ce990546d39e4f59e242d56ac0acda006c0186bf43c8c1a12b81e178091f3f7f7264431accdd32d2e19efb2fca704f8658b53

Download Submit
C:\Windows\System\xqAukTI.exe

Filesize
5.2MB

MD5
cdfe90e03032df7d42f40c99d2863f7e

SHA1
5f0e4e6d68c11fe5c23532cbd06ad0f71c44be01

SHA256
d293d5bdb8903dee29f5341ddc2b39c05edd4b1d7ad5c238aa8dfc0113c49e34

SHA512
b741ea583161b60f94211460b58b6c72288ee3ced2aa70b85a8b647605594658fc9241058cb85a4086da9b229c0772eb3e6db59cd691a73bb8d067dd9178d30b

Download Submit
C:\Windows\System\zTgIxGi.exe

Filesize
5.2MB

MD5
5bab9e7762e3278f7c82b74f19b740b7

SHA1
59f4be245350db7b9813429fc6fd27f0e674c811

SHA256
322b4e569d2b206d8fcf1b6c15348681d26e6391e7384c7c138c4a89a27ecc73

SHA512
a4c0834eab5edf23bff427ddb270b535e967da9bbb35c87aa4244edd21d3678fb918b4de9890d718649e5c0ae312d04b7faeb4502423005d5c12cfecf3ca0724

Download Submit
memory/8-162-0x00007FF74F970000-0x00007FF74FCC1000-memory.dmp

Filesize
3.3MB

Download
memory/8-268-0x00007FF74F970000-0x00007FF74FCC1000-memory.dmp

Filesize
3.3MB

Download
memory/8-126-0x00007FF74F970000-0x00007FF74FCC1000-memory.dmp

Filesize
3.3MB

Download
memory/748-178-0x00007FF693130000-0x00007FF693481000-memory.dmp

Filesize
3.3MB

Download
memory/748-274-0x00007FF693130000-0x00007FF693481000-memory.dmp

Filesize
3.3MB

Download
memory/748-151-0x00007FF693130000-0x00007FF693481000-memory.dmp

Filesize
3.3MB

Download
memory/972-85-0x00007FF7AE970000-0x00007FF7AECC1000-memory.dmp

Filesize
3.3MB

Download
memory/972-252-0x00007FF7AE970000-0x00007FF7AECC1000-memory.dmp

Filesize
3.3MB

Download
memory/1076-94-0x00007FF738870000-0x00007FF738BC1000-memory.dmp

Filesize
3.3MB

Download
memory/1076-257-0x00007FF738870000-0x00007FF738BC1000-memory.dmp

Filesize
3.3MB

Download
memory/1076-154-0x00007FF738870000-0x00007FF738BC1000-memory.dmp

Filesize
3.3MB

Download
memory/1264-65-0x00007FF65FBC0000-0x00007FF65FF11000-memory.dmp

Filesize
3.3MB

Download
memory/1264-245-0x00007FF65FBC0000-0x00007FF65FF11000-memory.dmp

Filesize
3.3MB

Download
memory/1264-128-0x00007FF65FBC0000-0x00007FF65FF11000-memory.dmp

Filesize
3.3MB

Download
memory/1360-238-0x00007FF69E670000-0x00007FF69E9C1000-memory.dmp

Filesize
3.3MB

Download
memory/1360-109-0x00007FF69E670000-0x00007FF69E9C1000-memory.dmp

Filesize
3.3MB

Download
memory/1360-52-0x00007FF69E670000-0x00007FF69E9C1000-memory.dmp

Filesize
3.3MB

Download
memory/1460-38-0x00007FF6E7560000-0x00007FF6E78B1000-memory.dmp

Filesize
3.3MB

Download
memory/1460-233-0x00007FF6E7560000-0x00007FF6E78B1000-memory.dmp

Filesize
3.3MB

Download
memory/1460-96-0x00007FF6E7560000-0x00007FF6E78B1000-memory.dmp

Filesize
3.3MB

Download
memory/1528-163-0x00007FF7B0050000-0x00007FF7B03A1000-memory.dmp

Filesize
3.3MB

Download
memory/1528-270-0x00007FF7B0050000-0x00007FF7B03A1000-memory.dmp

Filesize
3.3MB

Download
memory/1528-129-0x00007FF7B0050000-0x00007FF7B03A1000-memory.dmp

Filesize
3.3MB

Download
memory/1588-102-0x00007FF7CD5E0000-0x00007FF7CD931000-memory.dmp

Filesize
3.3MB

Download
memory/1588-263-0x00007FF7CD5E0000-0x00007FF7CD931000-memory.dmp

Filesize
3.3MB

Download
memory/1588-164-0x00007FF7CD5E0000-0x00007FF7CD931000-memory.dmp

Filesize
3.3MB

Download
memory/2020-8-0x00007FF6F7A10000-0x00007FF6F7D61000-memory.dmp

Filesize
3.3MB

Download
memory/2020-75-0x00007FF6F7A10000-0x00007FF6F7D61000-memory.dmp

Filesize
3.3MB

Download
memory/2020-216-0x00007FF6F7A10000-0x00007FF6F7D61000-memory.dmp

Filesize
3.3MB

Download
memory/2228-88-0x00007FF79BE80000-0x00007FF79C1D1000-memory.dmp

Filesize
3.3MB

Download
memory/2228-231-0x00007FF79BE80000-0x00007FF79C1D1000-memory.dmp

Filesize
3.3MB

Download
memory/2228-32-0x00007FF79BE80000-0x00007FF79C1D1000-memory.dmp

Filesize
3.3MB

Download
memory/2704-260-0x00007FF7710D0000-0x00007FF771421000-memory.dmp

Filesize
3.3MB

Download
memory/2704-97-0x00007FF7710D0000-0x00007FF771421000-memory.dmp

Filesize
3.3MB

Download
memory/2704-155-0x00007FF7710D0000-0x00007FF771421000-memory.dmp

Filesize
3.3MB

Download
memory/2832-1-0x0000024C7BC20000-0x0000024C7BC30000-memory.dmp

Filesize
64KB

Download
memory/2832-0-0x00007FF7D73D0000-0x00007FF7D7721000-memory.dmp

Filesize
3.3MB

Download
memory/2832-69-0x00007FF7D73D0000-0x00007FF7D7721000-memory.dmp

Filesize
3.3MB

Download
memory/2832-165-0x00007FF7D73D0000-0x00007FF7D7721000-memory.dmp

Filesize
3.3MB

Download
memory/2980-18-0x00007FF64B6B0000-0x00007FF64BA01000-memory.dmp

Filesize
3.3MB

Download
memory/2980-220-0x00007FF64B6B0000-0x00007FF64BA01000-memory.dmp

Filesize
3.3MB

Download
memory/2980-87-0x00007FF64B6B0000-0x00007FF64BA01000-memory.dmp

Filesize
3.3MB

Download
memory/3224-239-0x00007FF71BC10000-0x00007FF71BF61000-memory.dmp

Filesize
3.3MB

Download
memory/3224-51-0x00007FF71BC10000-0x00007FF71BF61000-memory.dmp

Filesize
3.3MB

Download
memory/3224-108-0x00007FF71BC10000-0x00007FF71BF61000-memory.dmp

Filesize
3.3MB

Download
memory/3376-95-0x00007FF65D6F0000-0x00007FF65DA41000-memory.dmp

Filesize
3.3MB

Download
memory/3376-229-0x00007FF65D6F0000-0x00007FF65DA41000-memory.dmp

Filesize
3.3MB

Download
memory/3376-30-0x00007FF65D6F0000-0x00007FF65DA41000-memory.dmp

Filesize
3.3MB

Download
memory/3832-244-0x00007FF791620000-0x00007FF791971000-memory.dmp

Filesize
3.3MB

Download
memory/3832-149-0x00007FF791620000-0x00007FF791971000-memory.dmp

Filesize
3.3MB

Download
memory/3832-70-0x00007FF791620000-0x00007FF791971000-memory.dmp

Filesize
3.3MB

Download
memory/4076-160-0x00007FF696300000-0x00007FF696651000-memory.dmp

Filesize
3.3MB

Download
memory/4076-112-0x00007FF696300000-0x00007FF696651000-memory.dmp

Filesize
3.3MB

Download
memory/4076-264-0x00007FF696300000-0x00007FF696651000-memory.dmp

Filesize
3.3MB

Download
memory/4100-235-0x00007FF6D1EB0000-0x00007FF6D2201000-memory.dmp

Filesize
3.3MB

Download
memory/4100-44-0x00007FF6D1EB0000-0x00007FF6D2201000-memory.dmp

Filesize
3.3MB

Download
memory/4100-101-0x00007FF6D1EB0000-0x00007FF6D2201000-memory.dmp

Filesize
3.3MB

Download
memory/4416-241-0x00007FF639C50000-0x00007FF639FA1000-memory.dmp

Filesize
3.3MB

Download
memory/4416-60-0x00007FF639C50000-0x00007FF639FA1000-memory.dmp

Filesize
3.3MB

Download
memory/4416-124-0x00007FF639C50000-0x00007FF639FA1000-memory.dmp

Filesize
3.3MB

Download
memory/4800-218-0x00007FF63DC10000-0x00007FF63DF61000-memory.dmp

Filesize
3.3MB

Download
memory/4800-82-0x00007FF63DC10000-0x00007FF63DF61000-memory.dmp

Filesize
3.3MB

Download
memory/4800-14-0x00007FF63DC10000-0x00007FF63DF61000-memory.dmp

Filesize
3.3MB

Download
memory/4888-266-0x00007FF6AFC40000-0x00007FF6AFF91000-memory.dmp

Filesize
3.3MB

Download
memory/4888-118-0x00007FF6AFC40000-0x00007FF6AFF91000-memory.dmp

Filesize
3.3MB

Download
memory/4888-161-0x00007FF6AFC40000-0x00007FF6AFF91000-memory.dmp

Filesize
3.3MB

Download