cobaltstrike | 6b50805582da8255bf717a4b80f8925ae632376ea9d407cc072d3c2309e8daf7

Analysis

max time kernel
144s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-12-2024 11:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-12_4e31a219500575b3eb13cd199f5bd857_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

4e31a219500575b3eb13cd199f5bd857
SHA1

45c578aaeb4ffeef21bc01228676ea32c08bec6c
SHA256

6b50805582da8255bf717a4b80f8925ae632376ea9d407cc072d3c2309e8daf7
SHA512

4d172f0e2b1a42aa8bf5e9a5b80381f5cd435b52e8950cb0724127569162960bbe30562f85ffdbeed6323d7b207b27cc658df5fe7f2c421027d8ee5427f793fb
SSDEEP

49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lZ:RWWBibd56utgpPFotBER/mQ32lU1

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000c000000023b96-5.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c83-11.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c87-10.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c88-23.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c89-29.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c8a-35.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c8d-46.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c8f-60.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c90-67.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c91-73.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c8e-56.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c8b-44.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c92-83.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c93-88.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c94-96.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c95-106.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c96-109.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c97-115.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c98-126.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c99-136.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9b-141.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 46 IoCs

miner

resource	yara_rule
behavioral2/memory/3504-52-0x00007FF7F36C0000-0x00007FF7F3A11000-memory.dmp	xmrig
behavioral2/memory/904-61-0x00007FF6600B0000-0x00007FF660401000-memory.dmp	xmrig
behavioral2/memory/1052-74-0x00007FF614450000-0x00007FF6147A1000-memory.dmp	xmrig
behavioral2/memory/3400-68-0x00007FF6F6300000-0x00007FF6F6651000-memory.dmp	xmrig
behavioral2/memory/4664-79-0x00007FF6DA210000-0x00007FF6DA561000-memory.dmp	xmrig
behavioral2/memory/2808-84-0x00007FF625DA0000-0x00007FF6260F1000-memory.dmp	xmrig
behavioral2/memory/4460-91-0x00007FF666120000-0x00007FF666471000-memory.dmp	xmrig
behavioral2/memory/1376-103-0x00007FF608840000-0x00007FF608B91000-memory.dmp	xmrig
behavioral2/memory/2716-104-0x00007FF670940000-0x00007FF670C91000-memory.dmp	xmrig
behavioral2/memory/2584-86-0x00007FF7DDB00000-0x00007FF7DDE51000-memory.dmp	xmrig
behavioral2/memory/1508-113-0x00007FF7DA7F0000-0x00007FF7DAB41000-memory.dmp	xmrig
behavioral2/memory/1164-122-0x00007FF68A2C0000-0x00007FF68A611000-memory.dmp	xmrig
behavioral2/memory/4256-127-0x00007FF7178C0000-0x00007FF717C11000-memory.dmp	xmrig
behavioral2/memory/1108-125-0x00007FF71E560000-0x00007FF71E8B1000-memory.dmp	xmrig
behavioral2/memory/4804-133-0x00007FF655600000-0x00007FF655951000-memory.dmp	xmrig
behavioral2/memory/100-137-0x00007FF658E40000-0x00007FF659191000-memory.dmp	xmrig
behavioral2/memory/372-149-0x00007FF6B2F90000-0x00007FF6B32E1000-memory.dmp	xmrig
behavioral2/memory/1588-155-0x00007FF77F940000-0x00007FF77FC91000-memory.dmp	xmrig
behavioral2/memory/532-156-0x00007FF629370000-0x00007FF6296C1000-memory.dmp	xmrig
behavioral2/memory/1508-157-0x00007FF7DA7F0000-0x00007FF7DAB41000-memory.dmp	xmrig
behavioral2/memory/1608-163-0x00007FF65F7D0000-0x00007FF65FB21000-memory.dmp	xmrig
behavioral2/memory/3504-164-0x00007FF7F36C0000-0x00007FF7F3A11000-memory.dmp	xmrig
behavioral2/memory/2820-171-0x00007FF7DDB40000-0x00007FF7DDE91000-memory.dmp	xmrig
behavioral2/memory/856-174-0x00007FF79EB10000-0x00007FF79EE61000-memory.dmp	xmrig
behavioral2/memory/3504-188-0x00007FF7F36C0000-0x00007FF7F3A11000-memory.dmp	xmrig
behavioral2/memory/904-218-0x00007FF6600B0000-0x00007FF660401000-memory.dmp	xmrig
behavioral2/memory/3400-220-0x00007FF6F6300000-0x00007FF6F6651000-memory.dmp	xmrig
behavioral2/memory/1052-224-0x00007FF614450000-0x00007FF6147A1000-memory.dmp	xmrig
behavioral2/memory/4664-229-0x00007FF6DA210000-0x00007FF6DA561000-memory.dmp	xmrig
behavioral2/memory/2808-231-0x00007FF625DA0000-0x00007FF6260F1000-memory.dmp	xmrig
behavioral2/memory/4460-233-0x00007FF666120000-0x00007FF666471000-memory.dmp	xmrig
behavioral2/memory/1376-238-0x00007FF608840000-0x00007FF608B91000-memory.dmp	xmrig
behavioral2/memory/2716-242-0x00007FF670940000-0x00007FF670C91000-memory.dmp	xmrig
behavioral2/memory/1164-244-0x00007FF68A2C0000-0x00007FF68A611000-memory.dmp	xmrig
behavioral2/memory/4256-246-0x00007FF7178C0000-0x00007FF717C11000-memory.dmp	xmrig
behavioral2/memory/4804-248-0x00007FF655600000-0x00007FF655951000-memory.dmp	xmrig
behavioral2/memory/100-250-0x00007FF658E40000-0x00007FF659191000-memory.dmp	xmrig
behavioral2/memory/2584-257-0x00007FF7DDB00000-0x00007FF7DDE51000-memory.dmp	xmrig
behavioral2/memory/372-259-0x00007FF6B2F90000-0x00007FF6B32E1000-memory.dmp	xmrig
behavioral2/memory/1588-261-0x00007FF77F940000-0x00007FF77FC91000-memory.dmp	xmrig
behavioral2/memory/532-263-0x00007FF629370000-0x00007FF6296C1000-memory.dmp	xmrig
behavioral2/memory/1508-265-0x00007FF7DA7F0000-0x00007FF7DAB41000-memory.dmp	xmrig
behavioral2/memory/1108-271-0x00007FF71E560000-0x00007FF71E8B1000-memory.dmp	xmrig
behavioral2/memory/1608-273-0x00007FF65F7D0000-0x00007FF65FB21000-memory.dmp	xmrig
behavioral2/memory/2820-276-0x00007FF7DDB40000-0x00007FF7DDE91000-memory.dmp	xmrig
behavioral2/memory/856-278-0x00007FF79EB10000-0x00007FF79EE61000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
904	MXXUjXY.exe
3400	lJagHkG.exe
1052	zMAfpBR.exe
4664	qdBFJYq.exe
2808	TrKPYbd.exe
4460	kiBktKe.exe
1376	NRydHxm.exe
2716	GcHbLix.exe
1164	EcFqhhE.exe
4256	xRApmAj.exe
4804	xnNJyFf.exe
100	aMdaFgl.exe
2584	LvlhcEd.exe
372	UiSSAFi.exe
1588	yXvbFCm.exe
532	UGXErbB.exe
1508	lACflPZ.exe
1108	ilrrKdu.exe
1608	ImyHWWR.exe
2820	fojVByd.exe
856	wpwPiDa.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3504-0-0x00007FF7F36C0000-0x00007FF7F3A11000-memory.dmp	upx
behavioral2/files/0x000c000000023b96-5.dat	upx
behavioral2/memory/904-8-0x00007FF6600B0000-0x00007FF660401000-memory.dmp	upx
behavioral2/files/0x0008000000023c83-11.dat	upx
behavioral2/memory/3400-12-0x00007FF6F6300000-0x00007FF6F6651000-memory.dmp	upx
behavioral2/files/0x0007000000023c87-10.dat	upx
behavioral2/memory/1052-18-0x00007FF614450000-0x00007FF6147A1000-memory.dmp	upx
behavioral2/files/0x0007000000023c88-23.dat	upx
behavioral2/memory/4664-24-0x00007FF6DA210000-0x00007FF6DA561000-memory.dmp	upx
behavioral2/memory/2808-30-0x00007FF625DA0000-0x00007FF6260F1000-memory.dmp	upx
behavioral2/files/0x0007000000023c89-29.dat	upx
behavioral2/files/0x0007000000023c8a-35.dat	upx
behavioral2/memory/4460-36-0x00007FF666120000-0x00007FF666471000-memory.dmp	upx
behavioral2/memory/1376-43-0x00007FF608840000-0x00007FF608B91000-memory.dmp	upx
behavioral2/files/0x0007000000023c8d-46.dat	upx
behavioral2/memory/3504-52-0x00007FF7F36C0000-0x00007FF7F3A11000-memory.dmp	upx
behavioral2/memory/1164-59-0x00007FF68A2C0000-0x00007FF68A611000-memory.dmp	upx
behavioral2/files/0x0007000000023c8f-60.dat	upx
behavioral2/memory/904-61-0x00007FF6600B0000-0x00007FF660401000-memory.dmp	upx
behavioral2/memory/4256-62-0x00007FF7178C0000-0x00007FF717C11000-memory.dmp	upx
behavioral2/files/0x0007000000023c90-67.dat	upx
behavioral2/files/0x0007000000023c91-73.dat	upx
behavioral2/memory/100-75-0x00007FF658E40000-0x00007FF659191000-memory.dmp	upx
behavioral2/memory/1052-74-0x00007FF614450000-0x00007FF6147A1000-memory.dmp	upx
behavioral2/memory/4804-72-0x00007FF655600000-0x00007FF655951000-memory.dmp	upx
behavioral2/memory/3400-68-0x00007FF6F6300000-0x00007FF6F6651000-memory.dmp	upx
behavioral2/files/0x0007000000023c8e-56.dat	upx
behavioral2/memory/2716-51-0x00007FF670940000-0x00007FF670C91000-memory.dmp	upx
behavioral2/files/0x0007000000023c8b-44.dat	upx
behavioral2/memory/4664-79-0x00007FF6DA210000-0x00007FF6DA561000-memory.dmp	upx
behavioral2/memory/2808-84-0x00007FF625DA0000-0x00007FF6260F1000-memory.dmp	upx
behavioral2/files/0x0007000000023c92-83.dat	upx
behavioral2/files/0x0007000000023c93-88.dat	upx
behavioral2/memory/4460-91-0x00007FF666120000-0x00007FF666471000-memory.dmp	upx
behavioral2/files/0x0007000000023c94-96.dat	upx
behavioral2/memory/1588-98-0x00007FF77F940000-0x00007FF77FC91000-memory.dmp	upx
behavioral2/memory/1376-103-0x00007FF608840000-0x00007FF608B91000-memory.dmp	upx
behavioral2/memory/532-105-0x00007FF629370000-0x00007FF6296C1000-memory.dmp	upx
behavioral2/files/0x0007000000023c95-106.dat	upx
behavioral2/memory/2716-104-0x00007FF670940000-0x00007FF670C91000-memory.dmp	upx
behavioral2/memory/372-93-0x00007FF6B2F90000-0x00007FF6B32E1000-memory.dmp	upx
behavioral2/memory/2584-86-0x00007FF7DDB00000-0x00007FF7DDE51000-memory.dmp	upx
behavioral2/files/0x0007000000023c96-109.dat	upx
behavioral2/memory/1508-113-0x00007FF7DA7F0000-0x00007FF7DAB41000-memory.dmp	upx
behavioral2/memory/1164-122-0x00007FF68A2C0000-0x00007FF68A611000-memory.dmp	upx
behavioral2/files/0x0007000000023c97-115.dat	upx
behavioral2/files/0x0007000000023c98-126.dat	upx
behavioral2/memory/4256-127-0x00007FF7178C0000-0x00007FF717C11000-memory.dmp	upx
behavioral2/memory/1608-128-0x00007FF65F7D0000-0x00007FF65FB21000-memory.dmp	upx
behavioral2/memory/1108-125-0x00007FF71E560000-0x00007FF71E8B1000-memory.dmp	upx
behavioral2/memory/4804-133-0x00007FF655600000-0x00007FF655951000-memory.dmp	upx
behavioral2/files/0x0007000000023c99-136.dat	upx
behavioral2/memory/2820-139-0x00007FF7DDB40000-0x00007FF7DDE91000-memory.dmp	upx
behavioral2/files/0x0007000000023c9b-141.dat	upx
behavioral2/memory/856-143-0x00007FF79EB10000-0x00007FF79EE61000-memory.dmp	upx
behavioral2/memory/100-137-0x00007FF658E40000-0x00007FF659191000-memory.dmp	upx
behavioral2/memory/372-149-0x00007FF6B2F90000-0x00007FF6B32E1000-memory.dmp	upx
behavioral2/memory/1588-155-0x00007FF77F940000-0x00007FF77FC91000-memory.dmp	upx
behavioral2/memory/532-156-0x00007FF629370000-0x00007FF6296C1000-memory.dmp	upx
behavioral2/memory/1508-157-0x00007FF7DA7F0000-0x00007FF7DAB41000-memory.dmp	upx
behavioral2/memory/1608-163-0x00007FF65F7D0000-0x00007FF65FB21000-memory.dmp	upx
behavioral2/memory/3504-164-0x00007FF7F36C0000-0x00007FF7F3A11000-memory.dmp	upx
behavioral2/memory/2820-171-0x00007FF7DDB40000-0x00007FF7DDE91000-memory.dmp	upx
behavioral2/memory/856-174-0x00007FF79EB10000-0x00007FF79EE61000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\TrKPYbd.exe	2024-12-12_4e31a219500575b3eb13cd199f5bd857_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NRydHxm.exe	2024-12-12_4e31a219500575b3eb13cd199f5bd857_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xRApmAj.exe	2024-12-12_4e31a219500575b3eb13cd199f5bd857_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xnNJyFf.exe	2024-12-12_4e31a219500575b3eb13cd199f5bd857_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aMdaFgl.exe	2024-12-12_4e31a219500575b3eb13cd199f5bd857_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ilrrKdu.exe	2024-12-12_4e31a219500575b3eb13cd199f5bd857_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lJagHkG.exe	2024-12-12_4e31a219500575b3eb13cd199f5bd857_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kiBktKe.exe	2024-12-12_4e31a219500575b3eb13cd199f5bd857_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UiSSAFi.exe	2024-12-12_4e31a219500575b3eb13cd199f5bd857_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lACflPZ.exe	2024-12-12_4e31a219500575b3eb13cd199f5bd857_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qdBFJYq.exe	2024-12-12_4e31a219500575b3eb13cd199f5bd857_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GcHbLix.exe	2024-12-12_4e31a219500575b3eb13cd199f5bd857_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ImyHWWR.exe	2024-12-12_4e31a219500575b3eb13cd199f5bd857_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wpwPiDa.exe	2024-12-12_4e31a219500575b3eb13cd199f5bd857_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MXXUjXY.exe	2024-12-12_4e31a219500575b3eb13cd199f5bd857_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zMAfpBR.exe	2024-12-12_4e31a219500575b3eb13cd199f5bd857_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EcFqhhE.exe	2024-12-12_4e31a219500575b3eb13cd199f5bd857_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LvlhcEd.exe	2024-12-12_4e31a219500575b3eb13cd199f5bd857_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yXvbFCm.exe	2024-12-12_4e31a219500575b3eb13cd199f5bd857_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UGXErbB.exe	2024-12-12_4e31a219500575b3eb13cd199f5bd857_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fojVByd.exe	2024-12-12_4e31a219500575b3eb13cd199f5bd857_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3504	2024-12-12_4e31a219500575b3eb13cd199f5bd857_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	3504	2024-12-12_4e31a219500575b3eb13cd199f5bd857_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3504 wrote to memory of 904	3504	2024-12-12_4e31a219500575b3eb13cd199f5bd857_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 3504 wrote to memory of 904	3504	2024-12-12_4e31a219500575b3eb13cd199f5bd857_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 3504 wrote to memory of 3400	3504	2024-12-12_4e31a219500575b3eb13cd199f5bd857_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3504 wrote to memory of 3400	3504	2024-12-12_4e31a219500575b3eb13cd199f5bd857_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3504 wrote to memory of 1052	3504	2024-12-12_4e31a219500575b3eb13cd199f5bd857_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3504 wrote to memory of 1052	3504	2024-12-12_4e31a219500575b3eb13cd199f5bd857_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3504 wrote to memory of 4664	3504	2024-12-12_4e31a219500575b3eb13cd199f5bd857_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3504 wrote to memory of 4664	3504	2024-12-12_4e31a219500575b3eb13cd199f5bd857_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3504 wrote to memory of 2808	3504	2024-12-12_4e31a219500575b3eb13cd199f5bd857_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3504 wrote to memory of 2808	3504	2024-12-12_4e31a219500575b3eb13cd199f5bd857_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3504 wrote to memory of 4460	3504	2024-12-12_4e31a219500575b3eb13cd199f5bd857_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3504 wrote to memory of 4460	3504	2024-12-12_4e31a219500575b3eb13cd199f5bd857_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3504 wrote to memory of 1376	3504	2024-12-12_4e31a219500575b3eb13cd199f5bd857_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3504 wrote to memory of 1376	3504	2024-12-12_4e31a219500575b3eb13cd199f5bd857_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3504 wrote to memory of 2716	3504	2024-12-12_4e31a219500575b3eb13cd199f5bd857_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3504 wrote to memory of 2716	3504	2024-12-12_4e31a219500575b3eb13cd199f5bd857_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3504 wrote to memory of 1164	3504	2024-12-12_4e31a219500575b3eb13cd199f5bd857_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3504 wrote to memory of 1164	3504	2024-12-12_4e31a219500575b3eb13cd199f5bd857_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3504 wrote to memory of 4256	3504	2024-12-12_4e31a219500575b3eb13cd199f5bd857_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3504 wrote to memory of 4256	3504	2024-12-12_4e31a219500575b3eb13cd199f5bd857_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3504 wrote to memory of 4804	3504	2024-12-12_4e31a219500575b3eb13cd199f5bd857_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3504 wrote to memory of 4804	3504	2024-12-12_4e31a219500575b3eb13cd199f5bd857_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3504 wrote to memory of 100	3504	2024-12-12_4e31a219500575b3eb13cd199f5bd857_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3504 wrote to memory of 100	3504	2024-12-12_4e31a219500575b3eb13cd199f5bd857_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3504 wrote to memory of 2584	3504	2024-12-12_4e31a219500575b3eb13cd199f5bd857_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3504 wrote to memory of 2584	3504	2024-12-12_4e31a219500575b3eb13cd199f5bd857_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3504 wrote to memory of 372	3504	2024-12-12_4e31a219500575b3eb13cd199f5bd857_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3504 wrote to memory of 372	3504	2024-12-12_4e31a219500575b3eb13cd199f5bd857_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3504 wrote to memory of 1588	3504	2024-12-12_4e31a219500575b3eb13cd199f5bd857_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3504 wrote to memory of 1588	3504	2024-12-12_4e31a219500575b3eb13cd199f5bd857_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3504 wrote to memory of 532	3504	2024-12-12_4e31a219500575b3eb13cd199f5bd857_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3504 wrote to memory of 532	3504	2024-12-12_4e31a219500575b3eb13cd199f5bd857_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3504 wrote to memory of 1508	3504	2024-12-12_4e31a219500575b3eb13cd199f5bd857_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3504 wrote to memory of 1508	3504	2024-12-12_4e31a219500575b3eb13cd199f5bd857_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3504 wrote to memory of 1108	3504	2024-12-12_4e31a219500575b3eb13cd199f5bd857_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3504 wrote to memory of 1108	3504	2024-12-12_4e31a219500575b3eb13cd199f5bd857_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3504 wrote to memory of 1608	3504	2024-12-12_4e31a219500575b3eb13cd199f5bd857_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3504 wrote to memory of 1608	3504	2024-12-12_4e31a219500575b3eb13cd199f5bd857_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3504 wrote to memory of 2820	3504	2024-12-12_4e31a219500575b3eb13cd199f5bd857_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3504 wrote to memory of 2820	3504	2024-12-12_4e31a219500575b3eb13cd199f5bd857_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3504 wrote to memory of 856	3504	2024-12-12_4e31a219500575b3eb13cd199f5bd857_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3504 wrote to memory of 856	3504	2024-12-12_4e31a219500575b3eb13cd199f5bd857_cobalt-strike_cobaltstrike_poet-rat.exe	103

C:\Users\Admin\AppData\Local\Temp\2024-12-12_4e31a219500575b3eb13cd199f5bd857_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-12_4e31a219500575b3eb13cd199f5bd857_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3504
- C:\Windows\System\MXXUjXY.exe
  C:\Windows\System\MXXUjXY.exe
  2⤵
  - Executes dropped EXE
  PID:904
- C:\Windows\System\lJagHkG.exe
  C:\Windows\System\lJagHkG.exe
  2⤵
  - Executes dropped EXE
  PID:3400
- C:\Windows\System\zMAfpBR.exe
  C:\Windows\System\zMAfpBR.exe
  2⤵
  - Executes dropped EXE
  PID:1052
- C:\Windows\System\qdBFJYq.exe
  C:\Windows\System\qdBFJYq.exe
  2⤵
  - Executes dropped EXE
  PID:4664
- C:\Windows\System\TrKPYbd.exe
  C:\Windows\System\TrKPYbd.exe
  2⤵
  - Executes dropped EXE
  PID:2808
- C:\Windows\System\kiBktKe.exe
  C:\Windows\System\kiBktKe.exe
  2⤵
  - Executes dropped EXE
  PID:4460
- C:\Windows\System\NRydHxm.exe
  C:\Windows\System\NRydHxm.exe
  2⤵
  - Executes dropped EXE
  PID:1376
- C:\Windows\System\GcHbLix.exe
  C:\Windows\System\GcHbLix.exe
  2⤵
  - Executes dropped EXE
  PID:2716
- C:\Windows\System\EcFqhhE.exe
  C:\Windows\System\EcFqhhE.exe
  2⤵
  - Executes dropped EXE
  PID:1164
- C:\Windows\System\xRApmAj.exe
  C:\Windows\System\xRApmAj.exe
  2⤵
  - Executes dropped EXE
  PID:4256
- C:\Windows\System\xnNJyFf.exe
  C:\Windows\System\xnNJyFf.exe
  2⤵
  - Executes dropped EXE
  PID:4804
- C:\Windows\System\aMdaFgl.exe
  C:\Windows\System\aMdaFgl.exe
  2⤵
  - Executes dropped EXE
  PID:100
- C:\Windows\System\LvlhcEd.exe
  C:\Windows\System\LvlhcEd.exe
  2⤵
  - Executes dropped EXE
  PID:2584
- C:\Windows\System\UiSSAFi.exe
  C:\Windows\System\UiSSAFi.exe
  2⤵
  - Executes dropped EXE
  PID:372
- C:\Windows\System\yXvbFCm.exe
  C:\Windows\System\yXvbFCm.exe
  2⤵
  - Executes dropped EXE
  PID:1588
- C:\Windows\System\UGXErbB.exe
  C:\Windows\System\UGXErbB.exe
  2⤵
  - Executes dropped EXE
  PID:532
- C:\Windows\System\lACflPZ.exe
  C:\Windows\System\lACflPZ.exe
  2⤵
  - Executes dropped EXE
  PID:1508
- C:\Windows\System\ilrrKdu.exe
  C:\Windows\System\ilrrKdu.exe
  2⤵
  - Executes dropped EXE
  PID:1108
- C:\Windows\System\ImyHWWR.exe
  C:\Windows\System\ImyHWWR.exe
  2⤵
  - Executes dropped EXE
  PID:1608
- C:\Windows\System\fojVByd.exe
  C:\Windows\System\fojVByd.exe
  2⤵
  - Executes dropped EXE
  PID:2820
- C:\Windows\System\wpwPiDa.exe
  C:\Windows\System\wpwPiDa.exe
  2⤵
  - Executes dropped EXE
  PID:856

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\EcFqhhE.exe

Filesize
5.2MB

MD5
10ab61d179a84e295e8a9169665e51e4

SHA1
3ea65e7fd8ab1a01c9fb85905b3445b63f085e93

SHA256
abfea6b08d89c56f8c9fde75ef8cfaf982bdfc808db3b843ef4525ca4de02e31

SHA512
855ff92b35b0648664264ac108ed0da7b6092cda2e46868041063d54f616c4a23282b186d6b031fa49a3222dd95445fcf210d20e1db2405ba4e86bae4ea25552

Download Submit
C:\Windows\System\GcHbLix.exe

Filesize
5.2MB

MD5
b10249bbc0f99c4a0b398bf5bd69501b

SHA1
6000af92aec30c25cc7c21053f690fa8db850835

SHA256
14854f47e1ca78dbba6435644085f60ae87cadcd916142774a2384761c308feb

SHA512
f0428b1f91fd8ac5cb32bb1f398afd4bba8a53ed8d8c5a15712e9f6abdd9ab80908850325935502bc0fb4439ccc25056e659ee991ba885e018672bbe9ac06340

Download Submit
C:\Windows\System\ImyHWWR.exe

Filesize
5.2MB

MD5
28273bca6f16f1cb4601d66049ab19b2

SHA1
ea7ddb52d36d07f9433d0efd49658bd3d19f2488

SHA256
f3d7cc41d3b1df73dd05e0a3b21da66128e83fb17921e3c23f017c598559bb0e

SHA512
8230d975225a531e2e83b9f78cb7f914c4081d7dacf7f4c8bab17f2014458daa9adc3efb91b86af5a37897dfe635c1728a4ca48337277a4b12a9c1a77c43c340

Download Submit
C:\Windows\System\LvlhcEd.exe

Filesize
5.2MB

MD5
4d48be03aadaaeb0f9486fe81cc8c706

SHA1
7f16d3020bdd86c20e54d90a3155db64d3d7c690

SHA256
e77602925b612f0302989212ce7f6d54de1a3a084b111868570907cf0412c6ef

SHA512
85682ac50571d1db7ed9974772c83952121e083db51377c0b36a32474e40af30430b2b5cf302a90b4b3f59f95ff438b4227cda789654bb1a385641402e4e50f3

Download Submit
C:\Windows\System\MXXUjXY.exe

Filesize
5.2MB

MD5
086a8b69b697ef7960d15e3eb74e4868

SHA1
d5efcd2b0422065754419a70bbab4de0c1765a13

SHA256
2c90dfa6b19a7f8563cf93a796bcda492f83bda4281b1d618cb15b91100eeaeb

SHA512
0ef7347cfde3266fc26f5a0ce8341131bbf4079443589edf142e6aeeb20c65399db33dad0cbf802e48048ceef1cbe4f71ca4ebc76beb3632eb2e1f7229f8d369

Download Submit
C:\Windows\System\NRydHxm.exe

Filesize
5.2MB

MD5
b23981535d98e7f1bfdfd2e432dcdfbd

SHA1
47c8085534b14e0929ee5b5e700de6356ddb5719

SHA256
963f8191e1b8f70f7c512c267432db2c81496d0335d03788e29775268952e5a7

SHA512
52c05bb32f0a7e66045c443ecfbce4648a93a3da5d6b336cc490164f6d4937032e78baa4574e0b2efaa6faf2f3c81a1e79d878e487c8795e71b114ecf99e6761

Download Submit
C:\Windows\System\TrKPYbd.exe

Filesize
5.2MB

MD5
fd1edbfe4c7abe08db3ea754a4e7faaa

SHA1
dff8cee23a6743e908482fe1e2a94635b190ec4d

SHA256
d53233c3d81ce42e1f57349e9bbdcacb8ad6552729f2753402f33933262115c1

SHA512
c8748301a1b17348e973f626574a2f0e00ad6fc44b5b53cd405a49a07661d9e24f6ebaaf41b6dd31f482d6b2239d4573fee5f205998fd4a45103d0eb5ae7f147

Download Submit
C:\Windows\System\UGXErbB.exe

Filesize
5.2MB

MD5
a1023ec438edac0286d22a141bf132d0

SHA1
bea570ec09fcce9d176ff5dd539a67005887c2b2

SHA256
cc59a5c4b53cc7e135944cd4a201804149a9853f60324eedc5873041150ac705

SHA512
3a96df587f05eed9eb7ae67fab6bb9a556d3c906089a66349e72b80912794065e9e7ceef3dc5438952618bd2b44b2d8dd7bedca624b432b67d2798f5a3225641

Download Submit
C:\Windows\System\UiSSAFi.exe

Filesize
5.2MB

MD5
a00d0552c58cbfa84cb062fe3f2d8ede

SHA1
daed121f45bc06f75fc6bad5d3d2f1119d3b95d4

SHA256
9c5df1260ad8ba7dbb75fbec6bc2d2e4e82732cf0fb36d9ce0935075ebd7f85a

SHA512
44f70327adcf625eb5f7cbb840e5a03394acae52bf0c7138fb42f0f852e8a049a9bb4abcb5abba84918c6c13de561c6005746cef1c0ebd38f124cebcab2a2cf6

Download Submit
C:\Windows\System\aMdaFgl.exe

Filesize
5.2MB

MD5
9de75a223992a19acbf14646d1922ded

SHA1
7c837ec536e8f9afd7d113a9e5239f56c877415a

SHA256
d2af12e0c5fbdf54c797f160d02a5a95efe78a3df1bf41c79de9f00ee6514240

SHA512
a4d3681d3ad239129c6b0409c3a726e782cccaa2ded421083d35aee87b7cf9fbdd5bc08f04bfbb9b5a76adb3008111d75284dab54aed88429c5e6670008c34b3

Download Submit
C:\Windows\System\fojVByd.exe

Filesize
5.2MB

MD5
8b206e913f626a51b770f8d530eed2f0

SHA1
28dda9aa6a4873f385445fc476249092443b862f

SHA256
6cffabfed83c3e66404d6b1c0d9954c824b0fe0f0fb5634c038d08fc8daeb543

SHA512
1b1ab9358bb0b7243a97dd291ae9fb2d933ba466ab07c6c41d7078bbfa0d1c6b4dc82cebebf12a098fabc6f9f5f1e20b72e148c5e6dd5d929e115886e2e92ea1

Download Submit
C:\Windows\System\ilrrKdu.exe

Filesize
5.2MB

MD5
2321f6fb9409f505156a359040361914

SHA1
b84ef5bd07c09e9ab8de75aa0cff9c05bf69ffc9

SHA256
ce518f37c705374b6427ef0bc7e1b430c02066f152c391d6d36bfb9dad25aa1c

SHA512
bf25831a0ff6644e248b817db07c9ac08e6e95f111f663d3d7f0a11384c6169dee324f3d223a34cf20281e4888b4b69de695b0141fdfd597f6a65df039cea07b

Download Submit
C:\Windows\System\kiBktKe.exe

Filesize
5.2MB

MD5
dc0acdc1544482b8865e55b5f213c088

SHA1
74e07019cf34814fe7d60acee24c4ce362b8b66e

SHA256
27ff4d0b95ed57084f94b8c36147593511ed1d79c98e9501ff7cc4e17111e193

SHA512
dfabc38448376587cebe04639519f196104ca313541697d8b3dc6c3afb09480f44127ae096d003f33e59924bb540da9adc961946bae312bde18fdc8494c4207a

Download Submit
C:\Windows\System\lACflPZ.exe

Filesize
5.2MB

MD5
0965d314ad95a8e8465d56c4238c360e

SHA1
d5a7d1682506d6242b2207cd17a184a5d58bbf55

SHA256
2d0e4613b1bab2a4c196b603ab9ee3de53267648dcbc6d40ff6f2aac59e3b273

SHA512
64c6ce41846e51430ff35095e37ed970a91f230f3b0380cbf257da6514c5e295c25fb703e61b29a2e2da48d31405d9d9fa9235a2b63815e4b01a97520754df4a

Download Submit
C:\Windows\System\lJagHkG.exe

Filesize
5.2MB

MD5
f9f7364a040a858cff09d3867a589d48

SHA1
4dd691b39dbd97ce7c953b9338c27745ff9759de

SHA256
b8fcdaf189334bbe93dc4e9bf4cea5f1312ac5de136cd763b61c537d9cc20657

SHA512
eb850f6715e5ad82605b3e3e1e3039b9ccf85c3d648908d85b71731e214407bc895232177bde630397d3d7fb6bda80fad6c4fb32674c2c24ee816ce96dd5fd03

Download Submit
C:\Windows\System\qdBFJYq.exe

Filesize
5.2MB

MD5
e676c70039c1dd9f2f1bb78eb70c17b5

SHA1
04788167b3718f69df4af5b1a1569503b3c31ad1

SHA256
f92b9e4fbff1b6d3d584b1a757e98d71b1befebcd421d1adab7f37cd23fe34df

SHA512
8ddef816bd9d705c1f55f49e372b44136df3f5cb24b4ed7a0af30a19db453c150b70708fc8bc8e42cc447404953e3bdaa5a1f1569b152f66509081c57dfeefed

Download Submit
C:\Windows\System\wpwPiDa.exe

Filesize
5.2MB

MD5
52b44056bff8b523ed87f70d2d18e65a

SHA1
f56862828a325ab94e98bebf55f19754a7e73fbb

SHA256
0f1be77e7c4580e0fd36f9ef5c9804e6efad3f5e47d87703758a5f9f6255cb03

SHA512
b29c44d3f1cbf8f383da6ea67573c497a2f8c2de87e43d2b66ccf4e4f66868b0553a8f893b2dfdcab0335b85b7dfa7c4ca50259c534d65c52568f5e1a87df978

Download Submit
C:\Windows\System\xRApmAj.exe

Filesize
5.2MB

MD5
509d6da175db4cf73a0e0a94838aa666

SHA1
41c613551a280533628ebfdebb71b5dd24534499

SHA256
f2ed1967a19103d3b8e78310d04e083a78952cbc7fdb876df543f88b35788833

SHA512
1f02f6216037a872885407655560c71f9216f7c602de73895c5e1e50c5b00953e0957a5cfcd4fd0a79dfe7fba03361be09766f091dbe0c4088ae55e22906fdb0

Download Submit
C:\Windows\System\xnNJyFf.exe

Filesize
5.2MB

MD5
26d36a8095a96bd83a5e1ba327d8e531

SHA1
8eaf56ad05f8c5ddbda57b22ddbf657df2c91bb3

SHA256
7027eacdb2667e1c94c338d78ff022bed4480c1510184cd0ecdf9631dad0a9cb

SHA512
6b1bcfa48b59c1db59536e2b0632099b26609be64f2a6332706a92934ff6d14f622eefa443104f6b31c91f0beddf795c1afa6181420c92e5a0a0a6a0e34daa3f

Download Submit
C:\Windows\System\yXvbFCm.exe

Filesize
5.2MB

MD5
c68926fae85990af030761478b3136ce

SHA1
b9a565fb26bbebbe26c326dd5f1e54f22aafd5a9

SHA256
db6c185795c301eee4ff9ba49b7c4122f9314330cbbbfb478fce66756fb060c9

SHA512
2bb4421ace9e4341a6ddcc3e2fe76a4e2ca04c6e34c0db5194a377c159bda714f9438ecca6a9e72223fae1de40a5eb8593dd9d57f5631c138493e2b46acedc3a

Download Submit
C:\Windows\System\zMAfpBR.exe

Filesize
5.2MB

MD5
2096236226122a638d2e1d61b3317843

SHA1
67c34b9f1a345ec392e832fde6eb0119dd9394d8

SHA256
0f7d2a5d093fb3702457522d90a13468da9241b617b22aae548412251baa45e3

SHA512
c655385d6bc3f1128591915e616ed2f511b66625d7351c4a3951837563521bb8ce70cc263d79a13ce9e1275d5d8f5111961de55d9d7b707cd6c70d286ce99bcd

Download Submit
memory/100-137-0x00007FF658E40000-0x00007FF659191000-memory.dmp

Filesize
3.3MB

Download
memory/100-250-0x00007FF658E40000-0x00007FF659191000-memory.dmp

Filesize
3.3MB

Download
memory/100-75-0x00007FF658E40000-0x00007FF659191000-memory.dmp

Filesize
3.3MB

Download
memory/372-93-0x00007FF6B2F90000-0x00007FF6B32E1000-memory.dmp

Filesize
3.3MB

Download
memory/372-149-0x00007FF6B2F90000-0x00007FF6B32E1000-memory.dmp

Filesize
3.3MB

Download
memory/372-259-0x00007FF6B2F90000-0x00007FF6B32E1000-memory.dmp

Filesize
3.3MB

Download
memory/532-263-0x00007FF629370000-0x00007FF6296C1000-memory.dmp

Filesize
3.3MB

Download
memory/532-156-0x00007FF629370000-0x00007FF6296C1000-memory.dmp

Filesize
3.3MB

Download
memory/532-105-0x00007FF629370000-0x00007FF6296C1000-memory.dmp

Filesize
3.3MB

Download
memory/856-174-0x00007FF79EB10000-0x00007FF79EE61000-memory.dmp

Filesize
3.3MB

Download
memory/856-143-0x00007FF79EB10000-0x00007FF79EE61000-memory.dmp

Filesize
3.3MB

Download
memory/856-278-0x00007FF79EB10000-0x00007FF79EE61000-memory.dmp

Filesize
3.3MB

Download
memory/904-8-0x00007FF6600B0000-0x00007FF660401000-memory.dmp

Filesize
3.3MB

Download
memory/904-61-0x00007FF6600B0000-0x00007FF660401000-memory.dmp

Filesize
3.3MB

Download
memory/904-218-0x00007FF6600B0000-0x00007FF660401000-memory.dmp

Filesize
3.3MB

Download
memory/1052-74-0x00007FF614450000-0x00007FF6147A1000-memory.dmp

Filesize
3.3MB

Download
memory/1052-224-0x00007FF614450000-0x00007FF6147A1000-memory.dmp

Filesize
3.3MB

Download
memory/1052-18-0x00007FF614450000-0x00007FF6147A1000-memory.dmp

Filesize
3.3MB

Download
memory/1108-271-0x00007FF71E560000-0x00007FF71E8B1000-memory.dmp

Filesize
3.3MB

Download
memory/1108-125-0x00007FF71E560000-0x00007FF71E8B1000-memory.dmp

Filesize
3.3MB

Download
memory/1164-244-0x00007FF68A2C0000-0x00007FF68A611000-memory.dmp

Filesize
3.3MB

Download
memory/1164-122-0x00007FF68A2C0000-0x00007FF68A611000-memory.dmp

Filesize
3.3MB

Download
memory/1164-59-0x00007FF68A2C0000-0x00007FF68A611000-memory.dmp

Filesize
3.3MB

Download
memory/1376-103-0x00007FF608840000-0x00007FF608B91000-memory.dmp

Filesize
3.3MB

Download
memory/1376-238-0x00007FF608840000-0x00007FF608B91000-memory.dmp

Filesize
3.3MB

Download
memory/1376-43-0x00007FF608840000-0x00007FF608B91000-memory.dmp

Filesize
3.3MB

Download
memory/1508-113-0x00007FF7DA7F0000-0x00007FF7DAB41000-memory.dmp

Filesize
3.3MB

Download
memory/1508-265-0x00007FF7DA7F0000-0x00007FF7DAB41000-memory.dmp

Filesize
3.3MB

Download
memory/1508-157-0x00007FF7DA7F0000-0x00007FF7DAB41000-memory.dmp

Filesize
3.3MB

Download
memory/1588-155-0x00007FF77F940000-0x00007FF77FC91000-memory.dmp

Filesize
3.3MB

Download
memory/1588-98-0x00007FF77F940000-0x00007FF77FC91000-memory.dmp

Filesize
3.3MB

Download
memory/1588-261-0x00007FF77F940000-0x00007FF77FC91000-memory.dmp

Filesize
3.3MB

Download
memory/1608-163-0x00007FF65F7D0000-0x00007FF65FB21000-memory.dmp

Filesize
3.3MB

Download
memory/1608-128-0x00007FF65F7D0000-0x00007FF65FB21000-memory.dmp

Filesize
3.3MB

Download
memory/1608-273-0x00007FF65F7D0000-0x00007FF65FB21000-memory.dmp

Filesize
3.3MB

Download
memory/2584-257-0x00007FF7DDB00000-0x00007FF7DDE51000-memory.dmp

Filesize
3.3MB

Download
memory/2584-86-0x00007FF7DDB00000-0x00007FF7DDE51000-memory.dmp

Filesize
3.3MB

Download
memory/2716-104-0x00007FF670940000-0x00007FF670C91000-memory.dmp

Filesize
3.3MB

Download
memory/2716-242-0x00007FF670940000-0x00007FF670C91000-memory.dmp

Filesize
3.3MB

Download
memory/2716-51-0x00007FF670940000-0x00007FF670C91000-memory.dmp

Filesize
3.3MB

Download
memory/2808-30-0x00007FF625DA0000-0x00007FF6260F1000-memory.dmp

Filesize
3.3MB

Download
memory/2808-84-0x00007FF625DA0000-0x00007FF6260F1000-memory.dmp

Filesize
3.3MB

Download
memory/2808-231-0x00007FF625DA0000-0x00007FF6260F1000-memory.dmp

Filesize
3.3MB

Download
memory/2820-139-0x00007FF7DDB40000-0x00007FF7DDE91000-memory.dmp

Filesize
3.3MB

Download
memory/2820-171-0x00007FF7DDB40000-0x00007FF7DDE91000-memory.dmp

Filesize
3.3MB

Download
memory/2820-276-0x00007FF7DDB40000-0x00007FF7DDE91000-memory.dmp

Filesize
3.3MB

Download
memory/3400-220-0x00007FF6F6300000-0x00007FF6F6651000-memory.dmp

Filesize
3.3MB

Download
memory/3400-68-0x00007FF6F6300000-0x00007FF6F6651000-memory.dmp

Filesize
3.3MB

Download
memory/3400-12-0x00007FF6F6300000-0x00007FF6F6651000-memory.dmp

Filesize
3.3MB

Download
memory/3504-52-0x00007FF7F36C0000-0x00007FF7F3A11000-memory.dmp

Filesize
3.3MB

Download
memory/3504-188-0x00007FF7F36C0000-0x00007FF7F3A11000-memory.dmp

Filesize
3.3MB

Download
memory/3504-164-0x00007FF7F36C0000-0x00007FF7F3A11000-memory.dmp

Filesize
3.3MB

Download
memory/3504-0-0x00007FF7F36C0000-0x00007FF7F3A11000-memory.dmp

Filesize
3.3MB

Download
memory/3504-1-0x000001DBF4EB0000-0x000001DBF4EC0000-memory.dmp

Filesize
64KB

Download
memory/4256-127-0x00007FF7178C0000-0x00007FF717C11000-memory.dmp

Filesize
3.3MB

Download
memory/4256-62-0x00007FF7178C0000-0x00007FF717C11000-memory.dmp

Filesize
3.3MB

Download
memory/4256-246-0x00007FF7178C0000-0x00007FF717C11000-memory.dmp

Filesize
3.3MB

Download
memory/4460-91-0x00007FF666120000-0x00007FF666471000-memory.dmp

Filesize
3.3MB

Download
memory/4460-36-0x00007FF666120000-0x00007FF666471000-memory.dmp

Filesize
3.3MB

Download
memory/4460-233-0x00007FF666120000-0x00007FF666471000-memory.dmp

Filesize
3.3MB

Download
memory/4664-79-0x00007FF6DA210000-0x00007FF6DA561000-memory.dmp

Filesize
3.3MB

Download
memory/4664-229-0x00007FF6DA210000-0x00007FF6DA561000-memory.dmp

Filesize
3.3MB

Download
memory/4664-24-0x00007FF6DA210000-0x00007FF6DA561000-memory.dmp

Filesize
3.3MB

Download
memory/4804-72-0x00007FF655600000-0x00007FF655951000-memory.dmp

Filesize
3.3MB

Download
memory/4804-248-0x00007FF655600000-0x00007FF655951000-memory.dmp

Filesize
3.3MB

Download
memory/4804-133-0x00007FF655600000-0x00007FF655951000-memory.dmp

Filesize
3.3MB

Download