cobaltstrike | 9bce67a462c971df9893bfaf767a9b3d2ac57c20c2dc03816f7438bc1795e3ff

Analysis

max time kernel
144s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-12-2024 12:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-17_24462c5ad530fcb2014dbc3209bc96ce_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

24462c5ad530fcb2014dbc3209bc96ce
SHA1

3401fc9919beb9cb20eb65b437fbc68616576de2
SHA256

9bce67a462c971df9893bfaf767a9b3d2ac57c20c2dc03816f7438bc1795e3ff
SHA512

851b918589f33ca3dccf26107e50e3b0d242eb081a289e32364c176304d9aa8dbf071500379c2fff4028f0f99d4287c90a160b5013e342ac8568f2c6470b4409
SSDEEP

49152:ROdWCCi7/raN56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lm:RWWBib+56utgpPFotBER/mQ32lUi

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000e000000023b6a-3.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b6f-9.dat	cobalt_reflective_dll
behavioral2/files/0x0031000000023b70-23.dat	cobalt_reflective_dll
behavioral2/files/0x0031000000023b72-33.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b74-41.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b75-52.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b78-69.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7a-83.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b79-91.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7f-111.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7e-119.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b80-121.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7d-113.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7c-108.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7b-106.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b6b-95.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b77-67.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b76-62.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b73-43.dat	cobalt_reflective_dll
behavioral2/files/0x0031000000023b71-27.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b6e-13.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 46 IoCs

miner

resource	yara_rule
behavioral2/memory/3292-58-0x00007FF6616F0000-0x00007FF661A41000-memory.dmp	xmrig
behavioral2/memory/1224-61-0x00007FF616770000-0x00007FF616AC1000-memory.dmp	xmrig
behavioral2/memory/1076-98-0x00007FF789630000-0x00007FF789981000-memory.dmp	xmrig
behavioral2/memory/1624-74-0x00007FF6E9140000-0x00007FF6E9491000-memory.dmp	xmrig
behavioral2/memory/1904-71-0x00007FF78CCD0000-0x00007FF78D021000-memory.dmp	xmrig
behavioral2/memory/1072-70-0x00007FF70B4E0000-0x00007FF70B831000-memory.dmp	xmrig
behavioral2/memory/4324-65-0x00007FF750140000-0x00007FF750491000-memory.dmp	xmrig
behavioral2/memory/2232-50-0x00007FF793110000-0x00007FF793461000-memory.dmp	xmrig
behavioral2/memory/3540-42-0x00007FF6E2F80000-0x00007FF6E32D1000-memory.dmp	xmrig
behavioral2/memory/2416-37-0x00007FF670D00000-0x00007FF671051000-memory.dmp	xmrig
behavioral2/memory/2412-124-0x00007FF768870000-0x00007FF768BC1000-memory.dmp	xmrig
behavioral2/memory/4492-125-0x00007FF7871D0000-0x00007FF787521000-memory.dmp	xmrig
behavioral2/memory/3052-126-0x00007FF788D00000-0x00007FF789051000-memory.dmp	xmrig
behavioral2/memory/3292-132-0x00007FF6616F0000-0x00007FF661A41000-memory.dmp	xmrig
behavioral2/memory/560-134-0x00007FF7FC620000-0x00007FF7FC971000-memory.dmp	xmrig
behavioral2/memory/228-144-0x00007FF608CE0000-0x00007FF609031000-memory.dmp	xmrig
behavioral2/memory/4424-143-0x00007FF648630000-0x00007FF648981000-memory.dmp	xmrig
behavioral2/memory/4416-145-0x00007FF788780000-0x00007FF788AD1000-memory.dmp	xmrig
behavioral2/memory/1188-142-0x00007FF72BFB0000-0x00007FF72C301000-memory.dmp	xmrig
behavioral2/memory/1792-141-0x00007FF719210000-0x00007FF719561000-memory.dmp	xmrig
behavioral2/memory/1648-139-0x00007FF7E6F10000-0x00007FF7E7261000-memory.dmp	xmrig
behavioral2/memory/1220-137-0x00007FF7E47C0000-0x00007FF7E4B11000-memory.dmp	xmrig
behavioral2/memory/2952-140-0x00007FF71E5E0000-0x00007FF71E931000-memory.dmp	xmrig
behavioral2/memory/2412-146-0x00007FF768870000-0x00007FF768BC1000-memory.dmp	xmrig
behavioral2/memory/2412-147-0x00007FF768870000-0x00007FF768BC1000-memory.dmp	xmrig
behavioral2/memory/4492-205-0x00007FF7871D0000-0x00007FF787521000-memory.dmp	xmrig
behavioral2/memory/3052-207-0x00007FF788D00000-0x00007FF789051000-memory.dmp	xmrig
behavioral2/memory/2416-209-0x00007FF670D00000-0x00007FF671051000-memory.dmp	xmrig
behavioral2/memory/3540-212-0x00007FF6E2F80000-0x00007FF6E32D1000-memory.dmp	xmrig
behavioral2/memory/1224-213-0x00007FF616770000-0x00007FF616AC1000-memory.dmp	xmrig
behavioral2/memory/2232-215-0x00007FF793110000-0x00007FF793461000-memory.dmp	xmrig
behavioral2/memory/4324-219-0x00007FF750140000-0x00007FF750491000-memory.dmp	xmrig
behavioral2/memory/3292-218-0x00007FF6616F0000-0x00007FF661A41000-memory.dmp	xmrig
behavioral2/memory/1072-221-0x00007FF70B4E0000-0x00007FF70B831000-memory.dmp	xmrig
behavioral2/memory/560-234-0x00007FF7FC620000-0x00007FF7FC971000-memory.dmp	xmrig
behavioral2/memory/1624-236-0x00007FF6E9140000-0x00007FF6E9491000-memory.dmp	xmrig
behavioral2/memory/1904-233-0x00007FF78CCD0000-0x00007FF78D021000-memory.dmp	xmrig
behavioral2/memory/1220-239-0x00007FF7E47C0000-0x00007FF7E4B11000-memory.dmp	xmrig
behavioral2/memory/1076-242-0x00007FF789630000-0x00007FF789981000-memory.dmp	xmrig
behavioral2/memory/1648-241-0x00007FF7E6F10000-0x00007FF7E7261000-memory.dmp	xmrig
behavioral2/memory/228-249-0x00007FF608CE0000-0x00007FF609031000-memory.dmp	xmrig
behavioral2/memory/2952-253-0x00007FF71E5E0000-0x00007FF71E931000-memory.dmp	xmrig
behavioral2/memory/1188-254-0x00007FF72BFB0000-0x00007FF72C301000-memory.dmp	xmrig
behavioral2/memory/1792-251-0x00007FF719210000-0x00007FF719561000-memory.dmp	xmrig
behavioral2/memory/4416-245-0x00007FF788780000-0x00007FF788AD1000-memory.dmp	xmrig
behavioral2/memory/4424-247-0x00007FF648630000-0x00007FF648981000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4492	zKiAQDf.exe
3052	DKuhKnM.exe
2416	uRQHejU.exe
1224	FxflCZr.exe
3540	YWWZMaC.exe
2232	xhIUgDW.exe
4324	tpjEOLk.exe
3292	NwubEZy.exe
1072	dNUJMTf.exe
560	ardWxon.exe
1904	PIVynIb.exe
1624	iglIbkQ.exe
1220	WYQJVQO.exe
1076	yXuHUZD.exe
1648	foCoAXx.exe
2952	fxzWOio.exe
1792	MmwIdxO.exe
1188	jRkrzbQ.exe
4424	ObaYQmB.exe
228	vsPJSnI.exe
4416	ePrmoGb.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2412-0-0x00007FF768870000-0x00007FF768BC1000-memory.dmp	upx
behavioral2/files/0x000e000000023b6a-3.dat	upx
behavioral2/memory/4492-7-0x00007FF7871D0000-0x00007FF787521000-memory.dmp	upx
behavioral2/files/0x000a000000023b6f-9.dat	upx
behavioral2/memory/3052-19-0x00007FF788D00000-0x00007FF789051000-memory.dmp	upx
behavioral2/files/0x0031000000023b70-23.dat	upx
behavioral2/files/0x0031000000023b72-33.dat	upx
behavioral2/files/0x000a000000023b74-41.dat	upx
behavioral2/files/0x000a000000023b75-52.dat	upx
behavioral2/memory/3292-58-0x00007FF6616F0000-0x00007FF661A41000-memory.dmp	upx
behavioral2/memory/1224-61-0x00007FF616770000-0x00007FF616AC1000-memory.dmp	upx
behavioral2/files/0x000a000000023b78-69.dat	upx
behavioral2/files/0x000a000000023b7a-83.dat	upx
behavioral2/files/0x000a000000023b79-91.dat	upx
behavioral2/memory/1076-98-0x00007FF789630000-0x00007FF789981000-memory.dmp	upx
behavioral2/files/0x000a000000023b7f-111.dat	upx
behavioral2/files/0x000a000000023b7e-119.dat	upx
behavioral2/files/0x000a000000023b80-121.dat	upx
behavioral2/files/0x000a000000023b7d-113.dat	upx
behavioral2/files/0x000a000000023b7c-108.dat	upx
behavioral2/files/0x000a000000023b7b-106.dat	upx
behavioral2/memory/1792-101-0x00007FF719210000-0x00007FF719561000-memory.dmp	upx
behavioral2/files/0x000b000000023b6b-95.dat	upx
behavioral2/memory/1648-87-0x00007FF7E6F10000-0x00007FF7E7261000-memory.dmp	upx
behavioral2/memory/1220-81-0x00007FF7E47C0000-0x00007FF7E4B11000-memory.dmp	upx
behavioral2/memory/1624-74-0x00007FF6E9140000-0x00007FF6E9491000-memory.dmp	upx
behavioral2/memory/1904-71-0x00007FF78CCD0000-0x00007FF78D021000-memory.dmp	upx
behavioral2/memory/1072-70-0x00007FF70B4E0000-0x00007FF70B831000-memory.dmp	upx
behavioral2/files/0x000a000000023b77-67.dat	upx
behavioral2/memory/4324-65-0x00007FF750140000-0x00007FF750491000-memory.dmp	upx
behavioral2/memory/560-60-0x00007FF7FC620000-0x00007FF7FC971000-memory.dmp	upx
behavioral2/files/0x000a000000023b76-62.dat	upx
behavioral2/memory/2232-50-0x00007FF793110000-0x00007FF793461000-memory.dmp	upx
behavioral2/files/0x000a000000023b73-43.dat	upx
behavioral2/memory/3540-42-0x00007FF6E2F80000-0x00007FF6E32D1000-memory.dmp	upx
behavioral2/memory/2416-37-0x00007FF670D00000-0x00007FF671051000-memory.dmp	upx
behavioral2/files/0x0031000000023b71-27.dat	upx
behavioral2/files/0x000a000000023b6e-13.dat	upx
behavioral2/memory/2952-123-0x00007FF71E5E0000-0x00007FF71E931000-memory.dmp	upx
behavioral2/memory/2412-124-0x00007FF768870000-0x00007FF768BC1000-memory.dmp	upx
behavioral2/memory/4492-125-0x00007FF7871D0000-0x00007FF787521000-memory.dmp	upx
behavioral2/memory/3052-126-0x00007FF788D00000-0x00007FF789051000-memory.dmp	upx
behavioral2/memory/3292-132-0x00007FF6616F0000-0x00007FF661A41000-memory.dmp	upx
behavioral2/memory/560-134-0x00007FF7FC620000-0x00007FF7FC971000-memory.dmp	upx
behavioral2/memory/228-144-0x00007FF608CE0000-0x00007FF609031000-memory.dmp	upx
behavioral2/memory/4424-143-0x00007FF648630000-0x00007FF648981000-memory.dmp	upx
behavioral2/memory/4416-145-0x00007FF788780000-0x00007FF788AD1000-memory.dmp	upx
behavioral2/memory/1188-142-0x00007FF72BFB0000-0x00007FF72C301000-memory.dmp	upx
behavioral2/memory/1792-141-0x00007FF719210000-0x00007FF719561000-memory.dmp	upx
behavioral2/memory/1648-139-0x00007FF7E6F10000-0x00007FF7E7261000-memory.dmp	upx
behavioral2/memory/1220-137-0x00007FF7E47C0000-0x00007FF7E4B11000-memory.dmp	upx
behavioral2/memory/2952-140-0x00007FF71E5E0000-0x00007FF71E931000-memory.dmp	upx
behavioral2/memory/2412-146-0x00007FF768870000-0x00007FF768BC1000-memory.dmp	upx
behavioral2/memory/2412-147-0x00007FF768870000-0x00007FF768BC1000-memory.dmp	upx
behavioral2/memory/4492-205-0x00007FF7871D0000-0x00007FF787521000-memory.dmp	upx
behavioral2/memory/3052-207-0x00007FF788D00000-0x00007FF789051000-memory.dmp	upx
behavioral2/memory/2416-209-0x00007FF670D00000-0x00007FF671051000-memory.dmp	upx
behavioral2/memory/3540-212-0x00007FF6E2F80000-0x00007FF6E32D1000-memory.dmp	upx
behavioral2/memory/1224-213-0x00007FF616770000-0x00007FF616AC1000-memory.dmp	upx
behavioral2/memory/2232-215-0x00007FF793110000-0x00007FF793461000-memory.dmp	upx
behavioral2/memory/4324-219-0x00007FF750140000-0x00007FF750491000-memory.dmp	upx
behavioral2/memory/3292-218-0x00007FF6616F0000-0x00007FF661A41000-memory.dmp	upx
behavioral2/memory/1072-221-0x00007FF70B4E0000-0x00007FF70B831000-memory.dmp	upx
behavioral2/memory/560-234-0x00007FF7FC620000-0x00007FF7FC971000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\iglIbkQ.exe	2024-12-17_24462c5ad530fcb2014dbc3209bc96ce_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fxzWOio.exe	2024-12-17_24462c5ad530fcb2014dbc3209bc96ce_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MmwIdxO.exe	2024-12-17_24462c5ad530fcb2014dbc3209bc96ce_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ObaYQmB.exe	2024-12-17_24462c5ad530fcb2014dbc3209bc96ce_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ePrmoGb.exe	2024-12-17_24462c5ad530fcb2014dbc3209bc96ce_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NwubEZy.exe	2024-12-17_24462c5ad530fcb2014dbc3209bc96ce_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PIVynIb.exe	2024-12-17_24462c5ad530fcb2014dbc3209bc96ce_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yXuHUZD.exe	2024-12-17_24462c5ad530fcb2014dbc3209bc96ce_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jRkrzbQ.exe	2024-12-17_24462c5ad530fcb2014dbc3209bc96ce_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vsPJSnI.exe	2024-12-17_24462c5ad530fcb2014dbc3209bc96ce_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zKiAQDf.exe	2024-12-17_24462c5ad530fcb2014dbc3209bc96ce_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uRQHejU.exe	2024-12-17_24462c5ad530fcb2014dbc3209bc96ce_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FxflCZr.exe	2024-12-17_24462c5ad530fcb2014dbc3209bc96ce_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xhIUgDW.exe	2024-12-17_24462c5ad530fcb2014dbc3209bc96ce_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tpjEOLk.exe	2024-12-17_24462c5ad530fcb2014dbc3209bc96ce_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\foCoAXx.exe	2024-12-17_24462c5ad530fcb2014dbc3209bc96ce_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DKuhKnM.exe	2024-12-17_24462c5ad530fcb2014dbc3209bc96ce_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dNUJMTf.exe	2024-12-17_24462c5ad530fcb2014dbc3209bc96ce_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ardWxon.exe	2024-12-17_24462c5ad530fcb2014dbc3209bc96ce_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WYQJVQO.exe	2024-12-17_24462c5ad530fcb2014dbc3209bc96ce_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YWWZMaC.exe	2024-12-17_24462c5ad530fcb2014dbc3209bc96ce_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2412	2024-12-17_24462c5ad530fcb2014dbc3209bc96ce_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2412	2024-12-17_24462c5ad530fcb2014dbc3209bc96ce_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2412 wrote to memory of 4492	2412	2024-12-17_24462c5ad530fcb2014dbc3209bc96ce_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 2412 wrote to memory of 4492	2412	2024-12-17_24462c5ad530fcb2014dbc3209bc96ce_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 2412 wrote to memory of 3052	2412	2024-12-17_24462c5ad530fcb2014dbc3209bc96ce_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2412 wrote to memory of 3052	2412	2024-12-17_24462c5ad530fcb2014dbc3209bc96ce_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2412 wrote to memory of 2416	2412	2024-12-17_24462c5ad530fcb2014dbc3209bc96ce_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2412 wrote to memory of 2416	2412	2024-12-17_24462c5ad530fcb2014dbc3209bc96ce_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2412 wrote to memory of 1224	2412	2024-12-17_24462c5ad530fcb2014dbc3209bc96ce_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2412 wrote to memory of 1224	2412	2024-12-17_24462c5ad530fcb2014dbc3209bc96ce_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2412 wrote to memory of 3540	2412	2024-12-17_24462c5ad530fcb2014dbc3209bc96ce_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2412 wrote to memory of 3540	2412	2024-12-17_24462c5ad530fcb2014dbc3209bc96ce_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2412 wrote to memory of 2232	2412	2024-12-17_24462c5ad530fcb2014dbc3209bc96ce_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2412 wrote to memory of 2232	2412	2024-12-17_24462c5ad530fcb2014dbc3209bc96ce_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2412 wrote to memory of 4324	2412	2024-12-17_24462c5ad530fcb2014dbc3209bc96ce_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2412 wrote to memory of 4324	2412	2024-12-17_24462c5ad530fcb2014dbc3209bc96ce_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2412 wrote to memory of 3292	2412	2024-12-17_24462c5ad530fcb2014dbc3209bc96ce_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2412 wrote to memory of 3292	2412	2024-12-17_24462c5ad530fcb2014dbc3209bc96ce_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2412 wrote to memory of 1072	2412	2024-12-17_24462c5ad530fcb2014dbc3209bc96ce_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2412 wrote to memory of 1072	2412	2024-12-17_24462c5ad530fcb2014dbc3209bc96ce_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2412 wrote to memory of 560	2412	2024-12-17_24462c5ad530fcb2014dbc3209bc96ce_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2412 wrote to memory of 560	2412	2024-12-17_24462c5ad530fcb2014dbc3209bc96ce_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2412 wrote to memory of 1904	2412	2024-12-17_24462c5ad530fcb2014dbc3209bc96ce_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2412 wrote to memory of 1904	2412	2024-12-17_24462c5ad530fcb2014dbc3209bc96ce_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2412 wrote to memory of 1624	2412	2024-12-17_24462c5ad530fcb2014dbc3209bc96ce_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2412 wrote to memory of 1624	2412	2024-12-17_24462c5ad530fcb2014dbc3209bc96ce_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2412 wrote to memory of 1220	2412	2024-12-17_24462c5ad530fcb2014dbc3209bc96ce_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2412 wrote to memory of 1220	2412	2024-12-17_24462c5ad530fcb2014dbc3209bc96ce_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2412 wrote to memory of 1076	2412	2024-12-17_24462c5ad530fcb2014dbc3209bc96ce_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2412 wrote to memory of 1076	2412	2024-12-17_24462c5ad530fcb2014dbc3209bc96ce_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2412 wrote to memory of 1648	2412	2024-12-17_24462c5ad530fcb2014dbc3209bc96ce_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2412 wrote to memory of 1648	2412	2024-12-17_24462c5ad530fcb2014dbc3209bc96ce_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2412 wrote to memory of 2952	2412	2024-12-17_24462c5ad530fcb2014dbc3209bc96ce_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2412 wrote to memory of 2952	2412	2024-12-17_24462c5ad530fcb2014dbc3209bc96ce_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2412 wrote to memory of 1792	2412	2024-12-17_24462c5ad530fcb2014dbc3209bc96ce_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2412 wrote to memory of 1792	2412	2024-12-17_24462c5ad530fcb2014dbc3209bc96ce_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2412 wrote to memory of 1188	2412	2024-12-17_24462c5ad530fcb2014dbc3209bc96ce_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2412 wrote to memory of 1188	2412	2024-12-17_24462c5ad530fcb2014dbc3209bc96ce_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2412 wrote to memory of 4424	2412	2024-12-17_24462c5ad530fcb2014dbc3209bc96ce_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2412 wrote to memory of 4424	2412	2024-12-17_24462c5ad530fcb2014dbc3209bc96ce_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2412 wrote to memory of 228	2412	2024-12-17_24462c5ad530fcb2014dbc3209bc96ce_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2412 wrote to memory of 228	2412	2024-12-17_24462c5ad530fcb2014dbc3209bc96ce_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2412 wrote to memory of 4416	2412	2024-12-17_24462c5ad530fcb2014dbc3209bc96ce_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2412 wrote to memory of 4416	2412	2024-12-17_24462c5ad530fcb2014dbc3209bc96ce_cobalt-strike_cobaltstrike_poet-rat.exe	103

C:\Users\Admin\AppData\Local\Temp\2024-12-17_24462c5ad530fcb2014dbc3209bc96ce_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-17_24462c5ad530fcb2014dbc3209bc96ce_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2412
- C:\Windows\System\zKiAQDf.exe
  C:\Windows\System\zKiAQDf.exe
  2⤵
  - Executes dropped EXE
  PID:4492
- C:\Windows\System\DKuhKnM.exe
  C:\Windows\System\DKuhKnM.exe
  2⤵
  - Executes dropped EXE
  PID:3052
- C:\Windows\System\uRQHejU.exe
  C:\Windows\System\uRQHejU.exe
  2⤵
  - Executes dropped EXE
  PID:2416
- C:\Windows\System\FxflCZr.exe
  C:\Windows\System\FxflCZr.exe
  2⤵
  - Executes dropped EXE
  PID:1224
- C:\Windows\System\YWWZMaC.exe
  C:\Windows\System\YWWZMaC.exe
  2⤵
  - Executes dropped EXE
  PID:3540
- C:\Windows\System\xhIUgDW.exe
  C:\Windows\System\xhIUgDW.exe
  2⤵
  - Executes dropped EXE
  PID:2232
- C:\Windows\System\tpjEOLk.exe
  C:\Windows\System\tpjEOLk.exe
  2⤵
  - Executes dropped EXE
  PID:4324
- C:\Windows\System\NwubEZy.exe
  C:\Windows\System\NwubEZy.exe
  2⤵
  - Executes dropped EXE
  PID:3292
- C:\Windows\System\dNUJMTf.exe
  C:\Windows\System\dNUJMTf.exe
  2⤵
  - Executes dropped EXE
  PID:1072
- C:\Windows\System\ardWxon.exe
  C:\Windows\System\ardWxon.exe
  2⤵
  - Executes dropped EXE
  PID:560
- C:\Windows\System\PIVynIb.exe
  C:\Windows\System\PIVynIb.exe
  2⤵
  - Executes dropped EXE
  PID:1904
- C:\Windows\System\iglIbkQ.exe
  C:\Windows\System\iglIbkQ.exe
  2⤵
  - Executes dropped EXE
  PID:1624
- C:\Windows\System\WYQJVQO.exe
  C:\Windows\System\WYQJVQO.exe
  2⤵
  - Executes dropped EXE
  PID:1220
- C:\Windows\System\yXuHUZD.exe
  C:\Windows\System\yXuHUZD.exe
  2⤵
  - Executes dropped EXE
  PID:1076
- C:\Windows\System\foCoAXx.exe
  C:\Windows\System\foCoAXx.exe
  2⤵
  - Executes dropped EXE
  PID:1648
- C:\Windows\System\fxzWOio.exe
  C:\Windows\System\fxzWOio.exe
  2⤵
  - Executes dropped EXE
  PID:2952
- C:\Windows\System\MmwIdxO.exe
  C:\Windows\System\MmwIdxO.exe
  2⤵
  - Executes dropped EXE
  PID:1792
- C:\Windows\System\jRkrzbQ.exe
  C:\Windows\System\jRkrzbQ.exe
  2⤵
  - Executes dropped EXE
  PID:1188
- C:\Windows\System\ObaYQmB.exe
  C:\Windows\System\ObaYQmB.exe
  2⤵
  - Executes dropped EXE
  PID:4424
- C:\Windows\System\vsPJSnI.exe
  C:\Windows\System\vsPJSnI.exe
  2⤵
  - Executes dropped EXE
  PID:228
- C:\Windows\System\ePrmoGb.exe
  C:\Windows\System\ePrmoGb.exe
  2⤵
  - Executes dropped EXE
  PID:4416

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\DKuhKnM.exe

Filesize
5.2MB

MD5
3a20893349eacd026a42f73967ca036e

SHA1
957aeeb8cbb0299e70e99c6d68a214390541317b

SHA256
2e03f356014abbddadf8efcc8a6c99ce2ae4f71ba8a9fb4cc89ce1a3d60c1cfa

SHA512
d48766032069fe926b35975788e6b8336474571320a020d80f14602397554fad011b6adef770605697c5d729c7d40129a54ec112cc87c4794e05fbcd985cc7c8

Download Submit
C:\Windows\System\FxflCZr.exe

Filesize
5.2MB

MD5
11ad3301fdc65c4a8d6fb5ab037d3126

SHA1
e1e2d948cf84e0a0e5d9e0b965ad82567bfef14b

SHA256
68d0bc299f73ef507ae2c85f0fd39fd7ae2db936ee729720e76d10294ddfa414

SHA512
f6337cb59b53692bb5206aab9eef04af98f9ce4e2f3b3eff20462876c153456702860bffbc5b0501e9b83dc2aa97ca763918f4d26a74753c4affcc53fa0190ac

Download Submit
C:\Windows\System\MmwIdxO.exe

Filesize
5.2MB

MD5
e5872e65b2bc8b0ef3dea42daf5e65c6

SHA1
342ebea3d3fd66384417669b1955eae20611cd4a

SHA256
a5889868154157f89106c58ae3ba848eaca87e8ccea7933defb49ead35a85fd0

SHA512
22e6d224b79546f6711757b1e63fc96ecc7fca6e51faabb5e805dfd78e30e96d2214712d731e67da04533a7e50cb9d29e1f253718d9a50ce81c23711a5fa9224

Download Submit
C:\Windows\System\NwubEZy.exe

Filesize
5.2MB

MD5
67df4e772ba3bac59a1852aeecace8c8

SHA1
3d60a09eac286051b5c90f99d1c1e39ac38b8ec3

SHA256
8c8be080a405f686a86ae2637f0eb697515ea01d685c059926dce1a95239dd69

SHA512
8ce0b21be54aa0c8fb75a5a3ce747a8155b0fd6ce9cc99abe3504774430395d12fc51ab1d386ca4b91a9ce41c299e48b1252d451521d143b5d9ef5c4b7084365

Download Submit
C:\Windows\System\ObaYQmB.exe

Filesize
5.2MB

MD5
7a21e66360af75d80611a76c9f46c086

SHA1
719f151e7bacd24d002f05d4e22ef5f8f173ff02

SHA256
e6926a6023b0f03fb07c7a89c4aa1ec7df02bc55bf5ab049a1fe14e1c925e13d

SHA512
26cdfaf7bda881f843ff17d7d7b20fadcabf17a91f566b830b92156016f0551d9a5036bdd9bd2768f0f9346c93c885e830f313ffa19f3a1097d5fb0cdbdc112e

Download Submit
C:\Windows\System\PIVynIb.exe

Filesize
5.2MB

MD5
d6784c8f59f00c3afa2d2bb5b0266a5c

SHA1
27a92a6bb03849f6ba67c6017999bf9e33388385

SHA256
b5386de73efaeff20ac713dfed548d109b0c2593423bb936644892c22f6a1c74

SHA512
aa4a8591442788b1d1ce8b8b53369b14c367432d5d8fc4802ba6d78ad6b13cac4da450a39d5eac9b48fe9b9f0cff8e42f7d8f46f6395dbceb52706b1ad1f44c0

Download Submit
C:\Windows\System\WYQJVQO.exe

Filesize
5.2MB

MD5
a93c389d1b2eac89d2ddff44e0aa4ac5

SHA1
0083dde10dd56f2fa28bea1a2213a6b226a7030e

SHA256
f328b9f7d5f2835422ba0a53f339184088fb9339c2143fa91bd2eb372595921c

SHA512
224dafd89ed14dccaaa69e8f71902fe1620fbdb13dfdd36bce2d9c62090ea01527f140a7c23296f186d5397469628e06d709f3d6334b26662877826b36af2964

Download Submit
C:\Windows\System\YWWZMaC.exe

Filesize
5.2MB

MD5
34675fda0d267a67bf131af1795ada64

SHA1
3e3d576697032c5b0dad5427d656b3c4882c59e8

SHA256
c9220e5ff469f0313ab912e876b7454ff70ff4213e81df6dba67d41c3874006b

SHA512
53019bbc99eb170423f4c63796f90f1606697b5228aa8f26fab808f85365fbfdf495b18f56b4aa113d6b36094501f561e021913fb66490ce7040e7499fdac3bb

Download Submit
C:\Windows\System\ardWxon.exe

Filesize
5.2MB

MD5
9484cb3fefba73d28e27692722a27481

SHA1
494d41ae03446e786b96a910750c86d48c6f83df

SHA256
073842e6ccf8b210faa34176de74e8a44e69395a94d2c71d6c59c61a6336059a

SHA512
3d9c815776eabfd7a8c73b1c96a6e13d62f3a18fbe5c4de7609054b924da03c15801e8c30944b0a41228e5216af2b5a1184c9c98d74bedc7b49763c7cbb13033

Download Submit
C:\Windows\System\dNUJMTf.exe

Filesize
5.2MB

MD5
24124c2f8a948d02a77ae98419f69d0c

SHA1
b6e102554b2b0e315617a5ffab9f106bead33c8b

SHA256
1c5223330908c59dba2300629572f93c71cc91c44e192b6d493437489df3fec4

SHA512
86258858abfb38e08b0e5b16d275a72eba848a4a29f7367964143a7928615196d5a7b93ca719b16a25c80977102496d05ab6ee11e58d4f3df4d5cf2da0c56c64

Download Submit
C:\Windows\System\ePrmoGb.exe

Filesize
5.2MB

MD5
d6e802937a5dfd828c778d1ebe688356

SHA1
faff42742c3f0c04912e1d1c441fb607d9ca0953

SHA256
49c7029417051bea480d184085495cf7b9fd708ea6b473be3a9cbcbf87404f7c

SHA512
710437dc5315a758dea0b17114f5e9535aa2cb17e53ae5fc4f86bd2b2448f398193efa0910f33d337b3b58ddb5962a4647a77964da44f06b007ad24ce643b423

Download Submit
C:\Windows\System\foCoAXx.exe

Filesize
5.2MB

MD5
2f3b6e28c980a9949c2a43d3aa328b82

SHA1
52eb9f3d6d572d1c072d044610e5e55f9dc8e264

SHA256
52aecb00f525fe6b7370cce03057d221ae37e3617f8ddacf357ebb5458a4e088

SHA512
7e8c03933e55e46f43f2d51b306ab4be44f6fb6c76f96849138b0e0aacdc4d2eb8786ef7fa42e98bf962bd066c822fe3058b3e286cc1e77d6dd177e487187fee

Download Submit
C:\Windows\System\fxzWOio.exe

Filesize
5.2MB

MD5
9943a78db4ac3eef6b6dca0512ec79bc

SHA1
3eb3e5130645f693a209dd9f52525fa14972d755

SHA256
54f9ec799ebf29a6efd8710758839390e0807ccefe649b8c6f94cc97f30f6a95

SHA512
d7431d43d40ecf8e711347f88f3f157c6b7a94bf0396cf7dc2206df233e3ef5497067758eb4c1c237272d583a0a721404fa185a3b97410097f324caa8042a275

Download Submit
C:\Windows\System\iglIbkQ.exe

Filesize
5.2MB

MD5
85ffd688c0df4ffd64b87cf22d549ec8

SHA1
373f7b781c05c1472a6be934c8aa62cdb23084be

SHA256
941620143fb8b078a242b48660d8e913b7ebf425f997fec56bee504eebdc52f0

SHA512
950ea6de7ba8788961387cf514ae37cf30d4c302927a84bf14ff6922700436dc58da0ffdcae98b80f6fb68d57c9c3966ab74f42be35b036ee8b877121c5f578c

Download Submit
C:\Windows\System\jRkrzbQ.exe

Filesize
5.2MB

MD5
68bb0127e8310b246e2c7c5f1e35a5a0

SHA1
677515cbefa5e298d2219b9295af2cdc5fa66370

SHA256
aaf26577109d5a60a7799ceaeb955c53e5e388bce344ef170ed077781229f8d2

SHA512
1dbaf8fc371976911cb2ab536be18fb6527116da316251202f1a72b62d5165c2d40ffd6d9f45579d2a4dd4c0b456e937fa8170f298c81709448e7bf4eef54f71

Download Submit
C:\Windows\System\tpjEOLk.exe

Filesize
5.2MB

MD5
4f2d50f83cd3fb235f69a9d7c401848e

SHA1
09a1950b2c5b661e6decade9fa440744d42e5a2f

SHA256
c03695cce4439fcd0b9a0190f84d1a87fb909b8cf2bc0d8b88aff55019e36a7d

SHA512
ed0cd3182ef36a3d020e3b1fa7f9a9233770db3d253cfea8dad0c64be58c9f79adb5599dd7088411822d046c81786068c62ed49a36be5453aef57a849edc926c

Download Submit
C:\Windows\System\uRQHejU.exe

Filesize
5.2MB

MD5
a15a794cf5a0c8ca9c66d169e57d8980

SHA1
3d8b9188829fb630f353d4c747ac1e051138a813

SHA256
694721071165447b73a4aba7696c96974e215cdc16cd1998bf2d3fb04cff50ac

SHA512
f99ec46887603dd1a1192933bc4fd401763c321ae91d836219c96b19a290bf0634e7c4c38b0cc5fcaac94f60490e9d07a4be2dbaff29762c230abb8fa4aceb7a

Download Submit
C:\Windows\System\vsPJSnI.exe

Filesize
5.2MB

MD5
b254f0e97b6515c6f579074ad4655d29

SHA1
487d3b3715ae2ae2df5f83c2d2d2dec1398c354d

SHA256
ed16630c9f121189dfb7c7370a7351d085f24eb7fd7ed3711ec8c993f442ff11

SHA512
39f1ae4dde4172ae3a1c32e35453625b2818eff9269e3b2c52afcc83389196afb7944e9194cc5fbea5b7e4c7489684662963fdca196ddea8061703da21b08128

Download Submit
C:\Windows\System\xhIUgDW.exe

Filesize
5.2MB

MD5
9c8f9911a705f4b901feb4927ddfc0d1

SHA1
2ac8915ededb96bd8966d65bfa4b230807f653c8

SHA256
e6e8b701ec7711541e006b62cce40562197eeae1629b902271febca4fca084ac

SHA512
34d0a9eb628bb2155c44b0d92d857867764426b35315b34d74bf5bee466989dcdc16ab9497c2bc7b5eabfd6c2e41a5f99a39e9b4c81c5074474cd88d08f2df7f

Download Submit
C:\Windows\System\yXuHUZD.exe

Filesize
5.2MB

MD5
3a6bddabd60612ff375d6e2f4a489ba5

SHA1
4b58b37bd4de33912163d3686b89fb94d0d909b0

SHA256
1a635d11570f9372320dab514d96037e5d837039c1fea2b19d39fda1624bcbe5

SHA512
c3618e142c1a90e56279d78f078ecf0a37608ae90b57baa98c5cb6e827f2e68102fa7b91581931c500db241a79d7ba53ac146fca88c7c5d38e43da643793ddd1

Download Submit
C:\Windows\System\zKiAQDf.exe

Filesize
5.2MB

MD5
3c7f973d19a55554a476073e900a65b3

SHA1
4588a0b114f0cfff6ad2f3215d4e9d9132ca1196

SHA256
35d7770b6abb623366231805470cb9f97fe7c19c555e60ab010dee6a9447bdc5

SHA512
a8dc2769334920636863366a9bf916b2e643cae815acec09e817e5f30061137100f176580c58c5827adf75711cdcb698cb8f076408435cefc062385739aa803d

Download Submit
memory/228-249-0x00007FF608CE0000-0x00007FF609031000-memory.dmp

Filesize
3.3MB

Download
memory/228-144-0x00007FF608CE0000-0x00007FF609031000-memory.dmp

Filesize
3.3MB

Download
memory/560-60-0x00007FF7FC620000-0x00007FF7FC971000-memory.dmp

Filesize
3.3MB

Download
memory/560-234-0x00007FF7FC620000-0x00007FF7FC971000-memory.dmp

Filesize
3.3MB

Download
memory/560-134-0x00007FF7FC620000-0x00007FF7FC971000-memory.dmp

Filesize
3.3MB

Download
memory/1072-221-0x00007FF70B4E0000-0x00007FF70B831000-memory.dmp

Filesize
3.3MB

Download
memory/1072-70-0x00007FF70B4E0000-0x00007FF70B831000-memory.dmp

Filesize
3.3MB

Download
memory/1076-98-0x00007FF789630000-0x00007FF789981000-memory.dmp

Filesize
3.3MB

Download
memory/1076-242-0x00007FF789630000-0x00007FF789981000-memory.dmp

Filesize
3.3MB

Download
memory/1188-254-0x00007FF72BFB0000-0x00007FF72C301000-memory.dmp

Filesize
3.3MB

Download
memory/1188-142-0x00007FF72BFB0000-0x00007FF72C301000-memory.dmp

Filesize
3.3MB

Download
memory/1220-137-0x00007FF7E47C0000-0x00007FF7E4B11000-memory.dmp

Filesize
3.3MB

Download
memory/1220-81-0x00007FF7E47C0000-0x00007FF7E4B11000-memory.dmp

Filesize
3.3MB

Download
memory/1220-239-0x00007FF7E47C0000-0x00007FF7E4B11000-memory.dmp

Filesize
3.3MB

Download
memory/1224-61-0x00007FF616770000-0x00007FF616AC1000-memory.dmp

Filesize
3.3MB

Download
memory/1224-213-0x00007FF616770000-0x00007FF616AC1000-memory.dmp

Filesize
3.3MB

Download
memory/1624-236-0x00007FF6E9140000-0x00007FF6E9491000-memory.dmp

Filesize
3.3MB

Download
memory/1624-74-0x00007FF6E9140000-0x00007FF6E9491000-memory.dmp

Filesize
3.3MB

Download
memory/1648-241-0x00007FF7E6F10000-0x00007FF7E7261000-memory.dmp

Filesize
3.3MB

Download
memory/1648-87-0x00007FF7E6F10000-0x00007FF7E7261000-memory.dmp

Filesize
3.3MB

Download
memory/1648-139-0x00007FF7E6F10000-0x00007FF7E7261000-memory.dmp

Filesize
3.3MB

Download
memory/1792-101-0x00007FF719210000-0x00007FF719561000-memory.dmp

Filesize
3.3MB

Download
memory/1792-251-0x00007FF719210000-0x00007FF719561000-memory.dmp

Filesize
3.3MB

Download
memory/1792-141-0x00007FF719210000-0x00007FF719561000-memory.dmp

Filesize
3.3MB

Download
memory/1904-233-0x00007FF78CCD0000-0x00007FF78D021000-memory.dmp

Filesize
3.3MB

Download
memory/1904-71-0x00007FF78CCD0000-0x00007FF78D021000-memory.dmp

Filesize
3.3MB

Download
memory/2232-215-0x00007FF793110000-0x00007FF793461000-memory.dmp

Filesize
3.3MB

Download
memory/2232-50-0x00007FF793110000-0x00007FF793461000-memory.dmp

Filesize
3.3MB

Download
memory/2412-1-0x000001F428090000-0x000001F4280A0000-memory.dmp

Filesize
64KB

Download
memory/2412-124-0x00007FF768870000-0x00007FF768BC1000-memory.dmp

Filesize
3.3MB

Download
memory/2412-146-0x00007FF768870000-0x00007FF768BC1000-memory.dmp

Filesize
3.3MB

Download
memory/2412-147-0x00007FF768870000-0x00007FF768BC1000-memory.dmp

Filesize
3.3MB

Download
memory/2412-0-0x00007FF768870000-0x00007FF768BC1000-memory.dmp

Filesize
3.3MB

Download
memory/2416-209-0x00007FF670D00000-0x00007FF671051000-memory.dmp

Filesize
3.3MB

Download
memory/2416-37-0x00007FF670D00000-0x00007FF671051000-memory.dmp

Filesize
3.3MB

Download
memory/2952-140-0x00007FF71E5E0000-0x00007FF71E931000-memory.dmp

Filesize
3.3MB

Download
memory/2952-253-0x00007FF71E5E0000-0x00007FF71E931000-memory.dmp

Filesize
3.3MB

Download
memory/2952-123-0x00007FF71E5E0000-0x00007FF71E931000-memory.dmp

Filesize
3.3MB

Download
memory/3052-207-0x00007FF788D00000-0x00007FF789051000-memory.dmp

Filesize
3.3MB

Download
memory/3052-126-0x00007FF788D00000-0x00007FF789051000-memory.dmp

Filesize
3.3MB

Download
memory/3052-19-0x00007FF788D00000-0x00007FF789051000-memory.dmp

Filesize
3.3MB

Download
memory/3292-218-0x00007FF6616F0000-0x00007FF661A41000-memory.dmp

Filesize
3.3MB

Download
memory/3292-132-0x00007FF6616F0000-0x00007FF661A41000-memory.dmp

Filesize
3.3MB

Download
memory/3292-58-0x00007FF6616F0000-0x00007FF661A41000-memory.dmp

Filesize
3.3MB

Download
memory/3540-212-0x00007FF6E2F80000-0x00007FF6E32D1000-memory.dmp

Filesize
3.3MB

Download
memory/3540-42-0x00007FF6E2F80000-0x00007FF6E32D1000-memory.dmp

Filesize
3.3MB

Download
memory/4324-65-0x00007FF750140000-0x00007FF750491000-memory.dmp

Filesize
3.3MB

Download
memory/4324-219-0x00007FF750140000-0x00007FF750491000-memory.dmp

Filesize
3.3MB

Download
memory/4416-145-0x00007FF788780000-0x00007FF788AD1000-memory.dmp

Filesize
3.3MB

Download
memory/4416-245-0x00007FF788780000-0x00007FF788AD1000-memory.dmp

Filesize
3.3MB

Download
memory/4424-143-0x00007FF648630000-0x00007FF648981000-memory.dmp

Filesize
3.3MB

Download
memory/4424-247-0x00007FF648630000-0x00007FF648981000-memory.dmp

Filesize
3.3MB

Download
memory/4492-7-0x00007FF7871D0000-0x00007FF787521000-memory.dmp

Filesize
3.3MB

Download
memory/4492-125-0x00007FF7871D0000-0x00007FF787521000-memory.dmp

Filesize
3.3MB

Download
memory/4492-205-0x00007FF7871D0000-0x00007FF787521000-memory.dmp

Filesize
3.3MB

Download