cobaltstrike | 4d482d59019c45e6926b2a6579e729a3f8f5703a6b4d93a5ecdbbb57b2095668

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-12-2024 03:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-19_11820b811474f18165eaffc602eb5dfa_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

11820b811474f18165eaffc602eb5dfa
SHA1

49b0999957265d592677ccce4ec83a70e0b86960
SHA256

4d482d59019c45e6926b2a6579e729a3f8f5703a6b4d93a5ecdbbb57b2095668
SHA512

77c2f1bd084d2b7b918cc493114663e59c49249480ae04b2885f5a6d36668646724bed89353508bd28ec70b1585d288be73faa98b8576844075c1307e22ccc09
SSDEEP

49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lp:RWWBibd56utgpPFotBER/mQ32lUt

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0009000000023ca0-5.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb3-9.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb2-10.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb4-31.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbb-72.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc1-90.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbf-93.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc2-111.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc3-116.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023ca1-114.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc0-99.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbe-81.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbd-76.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cba-70.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbc-61.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb8-60.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb9-66.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb7-56.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb6-42.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb5-33.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc4-145.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/2060-49-0x00007FF623F20000-0x00007FF624271000-memory.dmp	xmrig
behavioral2/memory/3276-118-0x00007FF71B330000-0x00007FF71B681000-memory.dmp	xmrig
behavioral2/memory/2188-121-0x00007FF7BCDC0000-0x00007FF7BD111000-memory.dmp	xmrig
behavioral2/memory/2072-120-0x00007FF77E4D0000-0x00007FF77E821000-memory.dmp	xmrig
behavioral2/memory/4184-119-0x00007FF6F97D0000-0x00007FF6F9B21000-memory.dmp	xmrig
behavioral2/memory/3056-113-0x00007FF7261A0000-0x00007FF7264F1000-memory.dmp	xmrig
behavioral2/memory/1824-110-0x00007FF6E86D0000-0x00007FF6E8A21000-memory.dmp	xmrig
behavioral2/memory/3792-109-0x00007FF6AAD00000-0x00007FF6AB051000-memory.dmp	xmrig
behavioral2/memory/3336-104-0x00007FF7EA830000-0x00007FF7EAB81000-memory.dmp	xmrig
behavioral2/memory/3980-91-0x00007FF779970000-0x00007FF779CC1000-memory.dmp	xmrig
behavioral2/memory/2756-50-0x00007FF693620000-0x00007FF693971000-memory.dmp	xmrig
behavioral2/memory/4200-124-0x00007FF722050000-0x00007FF7223A1000-memory.dmp	xmrig
behavioral2/memory/468-125-0x00007FF657580000-0x00007FF6578D1000-memory.dmp	xmrig
behavioral2/memory/2980-139-0x00007FF647B80000-0x00007FF647ED1000-memory.dmp	xmrig
behavioral2/memory/2484-132-0x00007FF6B49C0000-0x00007FF6B4D11000-memory.dmp	xmrig
behavioral2/memory/2820-127-0x00007FF6D4F10000-0x00007FF6D5261000-memory.dmp	xmrig
behavioral2/memory/4948-140-0x00007FF7A5490000-0x00007FF7A57E1000-memory.dmp	xmrig
behavioral2/memory/4688-136-0x00007FF786560000-0x00007FF7868B1000-memory.dmp	xmrig
behavioral2/memory/2464-131-0x00007FF669E30000-0x00007FF66A181000-memory.dmp	xmrig
behavioral2/memory/2172-126-0x00007FF720E70000-0x00007FF7211C1000-memory.dmp	xmrig
behavioral2/memory/4028-123-0x00007FF766810000-0x00007FF766B61000-memory.dmp	xmrig
behavioral2/memory/4028-149-0x00007FF766810000-0x00007FF766B61000-memory.dmp	xmrig
behavioral2/memory/4028-150-0x00007FF766810000-0x00007FF766B61000-memory.dmp	xmrig
behavioral2/memory/5084-172-0x00007FF6023F0000-0x00007FF602741000-memory.dmp	xmrig
behavioral2/memory/4200-207-0x00007FF722050000-0x00007FF7223A1000-memory.dmp	xmrig
behavioral2/memory/468-209-0x00007FF657580000-0x00007FF6578D1000-memory.dmp	xmrig
behavioral2/memory/2172-211-0x00007FF720E70000-0x00007FF7211C1000-memory.dmp	xmrig
behavioral2/memory/2820-213-0x00007FF6D4F10000-0x00007FF6D5261000-memory.dmp	xmrig
behavioral2/memory/2060-215-0x00007FF623F20000-0x00007FF624271000-memory.dmp	xmrig
behavioral2/memory/2756-227-0x00007FF693620000-0x00007FF693971000-memory.dmp	xmrig
behavioral2/memory/3056-232-0x00007FF7261A0000-0x00007FF7264F1000-memory.dmp	xmrig
behavioral2/memory/2464-233-0x00007FF669E30000-0x00007FF66A181000-memory.dmp	xmrig
behavioral2/memory/3792-237-0x00007FF6AAD00000-0x00007FF6AB051000-memory.dmp	xmrig
behavioral2/memory/1824-239-0x00007FF6E86D0000-0x00007FF6E8A21000-memory.dmp	xmrig
behavioral2/memory/2484-236-0x00007FF6B49C0000-0x00007FF6B4D11000-memory.dmp	xmrig
behavioral2/memory/3336-229-0x00007FF7EA830000-0x00007FF7EAB81000-memory.dmp	xmrig
behavioral2/memory/2980-253-0x00007FF647B80000-0x00007FF647ED1000-memory.dmp	xmrig
behavioral2/memory/4948-252-0x00007FF7A5490000-0x00007FF7A57E1000-memory.dmp	xmrig
behavioral2/memory/4184-255-0x00007FF6F97D0000-0x00007FF6F9B21000-memory.dmp	xmrig
behavioral2/memory/2072-250-0x00007FF77E4D0000-0x00007FF77E821000-memory.dmp	xmrig
behavioral2/memory/2188-248-0x00007FF7BCDC0000-0x00007FF7BD111000-memory.dmp	xmrig
behavioral2/memory/3980-246-0x00007FF779970000-0x00007FF779CC1000-memory.dmp	xmrig
behavioral2/memory/4688-244-0x00007FF786560000-0x00007FF7868B1000-memory.dmp	xmrig
behavioral2/memory/3276-242-0x00007FF71B330000-0x00007FF71B681000-memory.dmp	xmrig
behavioral2/memory/5084-260-0x00007FF6023F0000-0x00007FF602741000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4200	xkyAVHx.exe
468	cmxwOxl.exe
2172	UsYRehv.exe
2820	NMvfqql.exe
2060	argPgiY.exe
2756	lfFqdqI.exe
3336	CbNWwOp.exe
2464	fcBpkqg.exe
2484	JGLqLDX.exe
3792	fetxoMT.exe
1824	KlikPzz.exe
3056	jkPuKst.exe
4688	VHKxNdG.exe
3980	yhExpRA.exe
3276	KjTGwOW.exe
2980	pyVcDJk.exe
4948	YMeSFzi.exe
2072	OWSZrIS.exe
2188	iTANTRL.exe
4184	peiXmli.exe
5084	jxHiPog.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4028-0-0x00007FF766810000-0x00007FF766B61000-memory.dmp	upx
behavioral2/files/0x0009000000023ca0-5.dat	upx
behavioral2/files/0x0007000000023cb3-9.dat	upx
behavioral2/files/0x0007000000023cb2-10.dat	upx
behavioral2/memory/4200-11-0x00007FF722050000-0x00007FF7223A1000-memory.dmp	upx
behavioral2/memory/2172-22-0x00007FF720E70000-0x00007FF7211C1000-memory.dmp	upx
behavioral2/files/0x0007000000023cb4-31.dat	upx
behavioral2/memory/2060-49-0x00007FF623F20000-0x00007FF624271000-memory.dmp	upx
behavioral2/files/0x0007000000023cbb-72.dat	upx
behavioral2/files/0x0007000000023cc1-90.dat	upx
behavioral2/files/0x0007000000023cbf-93.dat	upx
behavioral2/files/0x0007000000023cc2-111.dat	upx
behavioral2/memory/3276-118-0x00007FF71B330000-0x00007FF71B681000-memory.dmp	upx
behavioral2/memory/2188-121-0x00007FF7BCDC0000-0x00007FF7BD111000-memory.dmp	upx
behavioral2/memory/2072-120-0x00007FF77E4D0000-0x00007FF77E821000-memory.dmp	upx
behavioral2/memory/4184-119-0x00007FF6F97D0000-0x00007FF6F9B21000-memory.dmp	upx
behavioral2/files/0x0007000000023cc3-116.dat	upx
behavioral2/files/0x0009000000023ca1-114.dat	upx
behavioral2/memory/3056-113-0x00007FF7261A0000-0x00007FF7264F1000-memory.dmp	upx
behavioral2/memory/1824-110-0x00007FF6E86D0000-0x00007FF6E8A21000-memory.dmp	upx
behavioral2/memory/3792-109-0x00007FF6AAD00000-0x00007FF6AB051000-memory.dmp	upx
behavioral2/memory/3336-104-0x00007FF7EA830000-0x00007FF7EAB81000-memory.dmp	upx
behavioral2/files/0x0007000000023cc0-99.dat	upx
behavioral2/memory/4948-97-0x00007FF7A5490000-0x00007FF7A57E1000-memory.dmp	upx
behavioral2/memory/2980-92-0x00007FF647B80000-0x00007FF647ED1000-memory.dmp	upx
behavioral2/memory/3980-91-0x00007FF779970000-0x00007FF779CC1000-memory.dmp	upx
behavioral2/memory/4688-85-0x00007FF786560000-0x00007FF7868B1000-memory.dmp	upx
behavioral2/files/0x0007000000023cbe-81.dat	upx
behavioral2/memory/2484-78-0x00007FF6B49C0000-0x00007FF6B4D11000-memory.dmp	upx
behavioral2/files/0x0007000000023cbd-76.dat	upx
behavioral2/files/0x0007000000023cba-70.dat	upx
behavioral2/files/0x0007000000023cbc-61.dat	upx
behavioral2/files/0x0007000000023cb8-60.dat	upx
behavioral2/memory/2464-58-0x00007FF669E30000-0x00007FF66A181000-memory.dmp	upx
behavioral2/files/0x0007000000023cb9-66.dat	upx
behavioral2/memory/2756-50-0x00007FF693620000-0x00007FF693971000-memory.dmp	upx
behavioral2/files/0x0007000000023cb7-56.dat	upx
behavioral2/files/0x0007000000023cb6-42.dat	upx
behavioral2/memory/2820-38-0x00007FF6D4F10000-0x00007FF6D5261000-memory.dmp	upx
behavioral2/files/0x0007000000023cb5-33.dat	upx
behavioral2/memory/468-21-0x00007FF657580000-0x00007FF6578D1000-memory.dmp	upx
behavioral2/memory/4200-124-0x00007FF722050000-0x00007FF7223A1000-memory.dmp	upx
behavioral2/memory/468-125-0x00007FF657580000-0x00007FF6578D1000-memory.dmp	upx
behavioral2/memory/2980-139-0x00007FF647B80000-0x00007FF647ED1000-memory.dmp	upx
behavioral2/files/0x0007000000023cc4-145.dat	upx
behavioral2/memory/2484-132-0x00007FF6B49C0000-0x00007FF6B4D11000-memory.dmp	upx
behavioral2/memory/2820-127-0x00007FF6D4F10000-0x00007FF6D5261000-memory.dmp	upx
behavioral2/memory/4948-140-0x00007FF7A5490000-0x00007FF7A57E1000-memory.dmp	upx
behavioral2/memory/4688-136-0x00007FF786560000-0x00007FF7868B1000-memory.dmp	upx
behavioral2/memory/2464-131-0x00007FF669E30000-0x00007FF66A181000-memory.dmp	upx
behavioral2/memory/2172-126-0x00007FF720E70000-0x00007FF7211C1000-memory.dmp	upx
behavioral2/memory/4028-123-0x00007FF766810000-0x00007FF766B61000-memory.dmp	upx
behavioral2/memory/5084-148-0x00007FF6023F0000-0x00007FF602741000-memory.dmp	upx
behavioral2/memory/4028-149-0x00007FF766810000-0x00007FF766B61000-memory.dmp	upx
behavioral2/memory/4028-150-0x00007FF766810000-0x00007FF766B61000-memory.dmp	upx
behavioral2/memory/5084-172-0x00007FF6023F0000-0x00007FF602741000-memory.dmp	upx
behavioral2/memory/4200-207-0x00007FF722050000-0x00007FF7223A1000-memory.dmp	upx
behavioral2/memory/468-209-0x00007FF657580000-0x00007FF6578D1000-memory.dmp	upx
behavioral2/memory/2172-211-0x00007FF720E70000-0x00007FF7211C1000-memory.dmp	upx
behavioral2/memory/2820-213-0x00007FF6D4F10000-0x00007FF6D5261000-memory.dmp	upx
behavioral2/memory/2060-215-0x00007FF623F20000-0x00007FF624271000-memory.dmp	upx
behavioral2/memory/2756-227-0x00007FF693620000-0x00007FF693971000-memory.dmp	upx
behavioral2/memory/3056-232-0x00007FF7261A0000-0x00007FF7264F1000-memory.dmp	upx
behavioral2/memory/2464-233-0x00007FF669E30000-0x00007FF66A181000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\cmxwOxl.exe	2024-12-19_11820b811474f18165eaffc602eb5dfa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fetxoMT.exe	2024-12-19_11820b811474f18165eaffc602eb5dfa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OWSZrIS.exe	2024-12-19_11820b811474f18165eaffc602eb5dfa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\peiXmli.exe	2024-12-19_11820b811474f18165eaffc602eb5dfa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NMvfqql.exe	2024-12-19_11820b811474f18165eaffc602eb5dfa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CbNWwOp.exe	2024-12-19_11820b811474f18165eaffc602eb5dfa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KjTGwOW.exe	2024-12-19_11820b811474f18165eaffc602eb5dfa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YMeSFzi.exe	2024-12-19_11820b811474f18165eaffc602eb5dfa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iTANTRL.exe	2024-12-19_11820b811474f18165eaffc602eb5dfa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\argPgiY.exe	2024-12-19_11820b811474f18165eaffc602eb5dfa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lfFqdqI.exe	2024-12-19_11820b811474f18165eaffc602eb5dfa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fcBpkqg.exe	2024-12-19_11820b811474f18165eaffc602eb5dfa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VHKxNdG.exe	2024-12-19_11820b811474f18165eaffc602eb5dfa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jxHiPog.exe	2024-12-19_11820b811474f18165eaffc602eb5dfa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yhExpRA.exe	2024-12-19_11820b811474f18165eaffc602eb5dfa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pyVcDJk.exe	2024-12-19_11820b811474f18165eaffc602eb5dfa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xkyAVHx.exe	2024-12-19_11820b811474f18165eaffc602eb5dfa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UsYRehv.exe	2024-12-19_11820b811474f18165eaffc602eb5dfa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JGLqLDX.exe	2024-12-19_11820b811474f18165eaffc602eb5dfa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KlikPzz.exe	2024-12-19_11820b811474f18165eaffc602eb5dfa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jkPuKst.exe	2024-12-19_11820b811474f18165eaffc602eb5dfa_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4028	2024-12-19_11820b811474f18165eaffc602eb5dfa_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4028	2024-12-19_11820b811474f18165eaffc602eb5dfa_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4028 wrote to memory of 4200	4028	2024-12-19_11820b811474f18165eaffc602eb5dfa_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4028 wrote to memory of 4200	4028	2024-12-19_11820b811474f18165eaffc602eb5dfa_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4028 wrote to memory of 468	4028	2024-12-19_11820b811474f18165eaffc602eb5dfa_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4028 wrote to memory of 468	4028	2024-12-19_11820b811474f18165eaffc602eb5dfa_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4028 wrote to memory of 2172	4028	2024-12-19_11820b811474f18165eaffc602eb5dfa_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4028 wrote to memory of 2172	4028	2024-12-19_11820b811474f18165eaffc602eb5dfa_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4028 wrote to memory of 2820	4028	2024-12-19_11820b811474f18165eaffc602eb5dfa_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4028 wrote to memory of 2820	4028	2024-12-19_11820b811474f18165eaffc602eb5dfa_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4028 wrote to memory of 2060	4028	2024-12-19_11820b811474f18165eaffc602eb5dfa_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4028 wrote to memory of 2060	4028	2024-12-19_11820b811474f18165eaffc602eb5dfa_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4028 wrote to memory of 2756	4028	2024-12-19_11820b811474f18165eaffc602eb5dfa_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4028 wrote to memory of 2756	4028	2024-12-19_11820b811474f18165eaffc602eb5dfa_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4028 wrote to memory of 3336	4028	2024-12-19_11820b811474f18165eaffc602eb5dfa_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4028 wrote to memory of 3336	4028	2024-12-19_11820b811474f18165eaffc602eb5dfa_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4028 wrote to memory of 2464	4028	2024-12-19_11820b811474f18165eaffc602eb5dfa_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4028 wrote to memory of 2464	4028	2024-12-19_11820b811474f18165eaffc602eb5dfa_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4028 wrote to memory of 2484	4028	2024-12-19_11820b811474f18165eaffc602eb5dfa_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4028 wrote to memory of 2484	4028	2024-12-19_11820b811474f18165eaffc602eb5dfa_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4028 wrote to memory of 3792	4028	2024-12-19_11820b811474f18165eaffc602eb5dfa_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4028 wrote to memory of 3792	4028	2024-12-19_11820b811474f18165eaffc602eb5dfa_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4028 wrote to memory of 1824	4028	2024-12-19_11820b811474f18165eaffc602eb5dfa_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4028 wrote to memory of 1824	4028	2024-12-19_11820b811474f18165eaffc602eb5dfa_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4028 wrote to memory of 3056	4028	2024-12-19_11820b811474f18165eaffc602eb5dfa_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4028 wrote to memory of 3056	4028	2024-12-19_11820b811474f18165eaffc602eb5dfa_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4028 wrote to memory of 4688	4028	2024-12-19_11820b811474f18165eaffc602eb5dfa_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4028 wrote to memory of 4688	4028	2024-12-19_11820b811474f18165eaffc602eb5dfa_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4028 wrote to memory of 3980	4028	2024-12-19_11820b811474f18165eaffc602eb5dfa_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4028 wrote to memory of 3980	4028	2024-12-19_11820b811474f18165eaffc602eb5dfa_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4028 wrote to memory of 3276	4028	2024-12-19_11820b811474f18165eaffc602eb5dfa_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4028 wrote to memory of 3276	4028	2024-12-19_11820b811474f18165eaffc602eb5dfa_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4028 wrote to memory of 2980	4028	2024-12-19_11820b811474f18165eaffc602eb5dfa_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4028 wrote to memory of 2980	4028	2024-12-19_11820b811474f18165eaffc602eb5dfa_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4028 wrote to memory of 4948	4028	2024-12-19_11820b811474f18165eaffc602eb5dfa_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4028 wrote to memory of 4948	4028	2024-12-19_11820b811474f18165eaffc602eb5dfa_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4028 wrote to memory of 2072	4028	2024-12-19_11820b811474f18165eaffc602eb5dfa_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4028 wrote to memory of 2072	4028	2024-12-19_11820b811474f18165eaffc602eb5dfa_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4028 wrote to memory of 2188	4028	2024-12-19_11820b811474f18165eaffc602eb5dfa_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4028 wrote to memory of 2188	4028	2024-12-19_11820b811474f18165eaffc602eb5dfa_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4028 wrote to memory of 4184	4028	2024-12-19_11820b811474f18165eaffc602eb5dfa_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4028 wrote to memory of 4184	4028	2024-12-19_11820b811474f18165eaffc602eb5dfa_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4028 wrote to memory of 5084	4028	2024-12-19_11820b811474f18165eaffc602eb5dfa_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4028 wrote to memory of 5084	4028	2024-12-19_11820b811474f18165eaffc602eb5dfa_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-12-19_11820b811474f18165eaffc602eb5dfa_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-19_11820b811474f18165eaffc602eb5dfa_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4028
- C:\Windows\System\xkyAVHx.exe
  C:\Windows\System\xkyAVHx.exe
  2⤵
  - Executes dropped EXE
  PID:4200
- C:\Windows\System\cmxwOxl.exe
  C:\Windows\System\cmxwOxl.exe
  2⤵
  - Executes dropped EXE
  PID:468
- C:\Windows\System\UsYRehv.exe
  C:\Windows\System\UsYRehv.exe
  2⤵
  - Executes dropped EXE
  PID:2172
- C:\Windows\System\NMvfqql.exe
  C:\Windows\System\NMvfqql.exe
  2⤵
  - Executes dropped EXE
  PID:2820
- C:\Windows\System\argPgiY.exe
  C:\Windows\System\argPgiY.exe
  2⤵
  - Executes dropped EXE
  PID:2060
- C:\Windows\System\lfFqdqI.exe
  C:\Windows\System\lfFqdqI.exe
  2⤵
  - Executes dropped EXE
  PID:2756
- C:\Windows\System\CbNWwOp.exe
  C:\Windows\System\CbNWwOp.exe
  2⤵
  - Executes dropped EXE
  PID:3336
- C:\Windows\System\fcBpkqg.exe
  C:\Windows\System\fcBpkqg.exe
  2⤵
  - Executes dropped EXE
  PID:2464
- C:\Windows\System\JGLqLDX.exe
  C:\Windows\System\JGLqLDX.exe
  2⤵
  - Executes dropped EXE
  PID:2484
- C:\Windows\System\fetxoMT.exe
  C:\Windows\System\fetxoMT.exe
  2⤵
  - Executes dropped EXE
  PID:3792
- C:\Windows\System\KlikPzz.exe
  C:\Windows\System\KlikPzz.exe
  2⤵
  - Executes dropped EXE
  PID:1824
- C:\Windows\System\jkPuKst.exe
  C:\Windows\System\jkPuKst.exe
  2⤵
  - Executes dropped EXE
  PID:3056
- C:\Windows\System\VHKxNdG.exe
  C:\Windows\System\VHKxNdG.exe
  2⤵
  - Executes dropped EXE
  PID:4688
- C:\Windows\System\yhExpRA.exe
  C:\Windows\System\yhExpRA.exe
  2⤵
  - Executes dropped EXE
  PID:3980
- C:\Windows\System\KjTGwOW.exe
  C:\Windows\System\KjTGwOW.exe
  2⤵
  - Executes dropped EXE
  PID:3276
- C:\Windows\System\pyVcDJk.exe
  C:\Windows\System\pyVcDJk.exe
  2⤵
  - Executes dropped EXE
  PID:2980
- C:\Windows\System\YMeSFzi.exe
  C:\Windows\System\YMeSFzi.exe
  2⤵
  - Executes dropped EXE
  PID:4948
- C:\Windows\System\OWSZrIS.exe
  C:\Windows\System\OWSZrIS.exe
  2⤵
  - Executes dropped EXE
  PID:2072
- C:\Windows\System\iTANTRL.exe
  C:\Windows\System\iTANTRL.exe
  2⤵
  - Executes dropped EXE
  PID:2188
- C:\Windows\System\peiXmli.exe
  C:\Windows\System\peiXmli.exe
  2⤵
  - Executes dropped EXE
  PID:4184
- C:\Windows\System\jxHiPog.exe
  C:\Windows\System\jxHiPog.exe
  2⤵
  - Executes dropped EXE
  PID:5084

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\CbNWwOp.exe

Filesize
5.2MB

MD5
2199067acec7f86ac9d59383b453300e

SHA1
0a1a983ec3274b640a1ae4a5ec378d65b7f0ecda

SHA256
98191297cf6e9ee1df151ff15f188ff9f3413d8b6e0590809317dc5f84ad90a4

SHA512
ab8c8ecd265be0fe3118b04bb698b95a32edc5a724dbe9d14166398fce2863491c0abfa91e1c1ed762d244591491ea8b15295b11ba5d91e1e415c9404a6cfdde

Download Submit
C:\Windows\System\JGLqLDX.exe

Filesize
5.2MB

MD5
86557ade16196258bb43ffe3beb3b4eb

SHA1
b854cc5c51aea73018b934ea35d2912f024f20f5

SHA256
765ac8f2ac17f5b275e090a1adcd3ac5c2bd4483a9766a0e89f4aced78f143a3

SHA512
4c0428530ec0b0c8311a524b708df6e348a3f924fe6ed02ce2355b5ed3ef4aba11a7820c32bff9f18eb5868146ed5392d5bf16f65c3eb499309060a717afd4c4

Download Submit
C:\Windows\System\KjTGwOW.exe

Filesize
5.2MB

MD5
114b1ea3f2e299e61e78e47a5c8e54e2

SHA1
9a512620eb6d974ab846728dc029330d75292b72

SHA256
37559c2cd44d47523fe507c2a00e0ecaabec49d9b218ea33e24229669249ce62

SHA512
da9c0d12b7ebf57157b897d9ddda8788f19204e42a5bc85334064362bd22f4755e28c375dd7e28f2d90c958d18053afd046a16ec91bda7c46f000e39e3f75546

Download Submit
C:\Windows\System\KlikPzz.exe

Filesize
5.2MB

MD5
3af629e34f39c4477cde3b12c7b147e4

SHA1
a7fc86d80525c81d7e1d1911a7c0523c6b706008

SHA256
10881bb04ad1d94bd2404a021e12b01432c3a3f253c054daee9e328fead08d3c

SHA512
47c46f3bebcc413b0fba06a5dcf8152de171943896320cedfba4da9ca3e3718b6aff33b2a6ae187dd35eea621a8b54aa94f373c9f77424ba2097be52da9b6acc

Download Submit
C:\Windows\System\NMvfqql.exe

Filesize
5.2MB

MD5
3b3911f9a7a4b861d3dfdd6c3134b350

SHA1
28220543670e17e6c6608016c19340a4b58eb20f

SHA256
5ddc6051cdea4b42b58f6b0be51162a2b5632964a120a21f790eeff47820d307

SHA512
d75741571263f96217210f57a7bf2c3365a32a7bb555cf90468ec276d3ec76fe945d18e7dfcb543fa28444d7a99f04f76938475a447bc32c9b2a115242fac0bd

Download Submit
C:\Windows\System\OWSZrIS.exe

Filesize
5.2MB

MD5
00e885d6b85c58e2fd763878cc3c14a1

SHA1
78241c76544b75ec11ba3bc41cd61c0e3cc161b4

SHA256
541e5e562abf127f922877376be641b78822164a5dbd244acc0d388e71781d52

SHA512
779b142e8fb57d921915c73a4539245c2d18121b46f6bba6e2074071b0c56ed736d87c66b0222f7bbe4bd5d439b9f18974bb1da106e20e7a6f0ea66e45c5d10b

Download Submit
C:\Windows\System\UsYRehv.exe

Filesize
5.2MB

MD5
dd6f1de0d5698509ccf8a7b64307d8f1

SHA1
a12afd9b98a203181d54833fbaddcc192194ec62

SHA256
81d919f9e76368ea1b590e66dcca219f92128871f72601c9e65ef241af230cab

SHA512
d0298fbed386d97e575d203b86ac81b4e24b8d3bb475aa838151329949fc97f5d7aab49eae6f4bd19bdb2654d9a29e4616bdc6bf7d20963884a2d374796f6d03

Download Submit
C:\Windows\System\VHKxNdG.exe

Filesize
5.2MB

MD5
22d4ec61145588bb6d1f2f2c130b9e10

SHA1
8f781f128729723da85f6f416041f47bb9df5673

SHA256
1f045d3c37764f231e869274dcdad9e3cb3028a48b97861f467b9662df6a8745

SHA512
bb843e46051776127a8fe64f9a6924b1bd894f66274d6b8f243ddccd491c9ee84b790b66e8b2fc0a8ad16e91618a9e7459c7b5c1eb9c07070f726c73d44e4577

Download Submit
C:\Windows\System\YMeSFzi.exe

Filesize
5.2MB

MD5
d88def822cd29c839a5cf694d1c06b5c

SHA1
9f2f8f1f2a5b9556862c2718722a89a55c455f1a

SHA256
9998bdee8935b5e465941a51c78617a20652ee5cf54f0a784f4641eb19727ba2

SHA512
a2bdf9d5c30676409077257f6b3951323f7712fda3dd71f0fcd4d0d4bdbd52144e61634feb39954b893852ed71775c3296581836fd80bc5d7ce68d53f7293fe9

Download Submit
C:\Windows\System\argPgiY.exe

Filesize
5.2MB

MD5
6bf05e6b63d3797f919e4e1460b057a0

SHA1
abc55bfbdce51318b04c28a07b801d0dc4f03ddd

SHA256
96a2c3e6ca88d02dc5db2baba60a092b9275c0d8b0d6a762a3dd2dc81caa1423

SHA512
19c9dc784edb8042d48aed1057f003e52a6ec775037cc3a5497ecd01406f542be0abd8b8b2ab730dbd5c90613632e2994da4558f05daca61b4ef5ca216c1761b

Download Submit
C:\Windows\System\cmxwOxl.exe

Filesize
5.2MB

MD5
f034deb3635818a6cd8f2d2f2c186442

SHA1
436b108142e39ab97527696d27f36bc8c61f31ab

SHA256
1bef15f4dd70eb449b694074c9df2d7014c6e1bba7eed73aac7ea85c87a31b6a

SHA512
79edbca4631ca5a6ee449cf9def50baf86f8be1029c4619f1785cd1cb4f946a6c224dc0c1cdce775e23458ac9f0d9d76b94dfb28be143d98604e6329ae564d06

Download Submit
C:\Windows\System\fcBpkqg.exe

Filesize
5.2MB

MD5
c3ff699e1fe15822d745eca44b1f130e

SHA1
5417bf5b4a9ce3073e619837b71d666b3573d1d2

SHA256
8f1251428eb0155a187f282b563a8a37f89ebdb6b17f268098f5587e48e71e62

SHA512
5c9976c4b2cfc00312295999c6081041996aea778ef85a73ed893e015eec457453344d61e21c4fce5721ce26de9b8dada72d174b2dcb0c9fe63c943b2f422591

Download Submit
C:\Windows\System\fetxoMT.exe

Filesize
5.2MB

MD5
a4a451508e01ff52becbf4fd4fa7c62a

SHA1
8f712dc1b416718404165f98f3c5c586f104b4f6

SHA256
20615307838c5fa612c9f6f6615c74c44d143192d089874faac89c71d8c369a8

SHA512
44f76355fb960ba34ed6645364ca854be40c737b4eaa0c5a1f8973da1a56c71975faad9ecf8fad0477873e27436dd491d0210a67ec4c6dd797f394f11f7e82ae

Download Submit
C:\Windows\System\iTANTRL.exe

Filesize
5.2MB

MD5
c403061688bbd9ec22f46d971ed33973

SHA1
a45d8b4a7d432782ef30ed4df87731c828057391

SHA256
7752eb3830e261d59c271e7cd6305ad9df0be5986bd3f876940abe7b99c1104c

SHA512
23d3b8e34365ff1bc12e618a253f71d08bb828c8a069d4e0e9dd29931155fce8ae1d5a627fa56a5711bb0463c7382dd922a76e45406e4211d630318323aaa10a

Download Submit
C:\Windows\System\jkPuKst.exe

Filesize
5.2MB

MD5
c9769bb450b4d19d4810a3f314fd6e99

SHA1
4a5a7638ab15c58d8a523bc277efa38a72d0452a

SHA256
cdf69af4bd7d622bc90c47043b457db6e0adb95dcd67d45fbfc00c39a67fddf7

SHA512
182b00f30e697c00e47160c3063f4f2b5590c7d673cd4a3d04857500e250ac74b192fe8563963c197e90f5bf0632cccbf900efa73787682f6a23e1a17a7857bb

Download Submit
C:\Windows\System\jxHiPog.exe

Filesize
5.2MB

MD5
79a751359e632434382ce7eea5b1f02d

SHA1
6ef92fb0e590e259cf6dfebe8299dd26b1e7347d

SHA256
46286f54360afa61d767e611193788f10acd8b9c7962a87a295ebdc9d5fbf85a

SHA512
3618b59efd765762853c107e310f39ed5989c8d64b865b55596baa01bc2bff4d767afb7f2efa4b87532ed86824d7a1876859dcdcf21c8614ea14f5dd4732ec52

Download Submit
C:\Windows\System\lfFqdqI.exe

Filesize
5.2MB

MD5
9994bb974158c7763f6d7431670e874f

SHA1
970915e51d8045dd2f4bc6dac58684288022d223

SHA256
2ef6f6f2dff4bdc0940079efb8e23c5a5944b9c1687696056138cc25e61ef037

SHA512
76eb1a4322ff3f44f61c407dabccb3e595b472045465873a211272c3e916be4f92c30b51087eb770f2da52758be11aa9f30739034eee2b87bbc093f7d13a6e1d

Download Submit
C:\Windows\System\peiXmli.exe

Filesize
5.2MB

MD5
ec05a853ec0db3def2d2563dd8d63204

SHA1
b98e3b3762cc62648bace64e5e01964c30c52780

SHA256
205948e3cbdb285a084fd4e4ca9cf10bf5ddf925cb3c3ffdc9f27c6bc27ed982

SHA512
f89cd867000af9d665db8f29624d409555f1f9b8dab097f7da5edbf70d54dcdf99df58f0594113a66dfb3de40d7a422d746141f91aff1299e8400b842daa4703

Download Submit
C:\Windows\System\pyVcDJk.exe

Filesize
5.2MB

MD5
760faa9b0fb943ba595fc175f17b417c

SHA1
6769387483ec4feab3aa170f46c2e9714a7887df

SHA256
21162fa2530e6d215162546defbe07293a1a2694d4137faaaf8d20b9b486a71f

SHA512
f6a413ceef1699e5ccbcc4f229145eb14fa1572ecc7d030d1b78e881bbc0326377e9689b3374e3bfbeff10d003c9d43b744885403eacc17deb90a3ec9d88e8b5

Download Submit
C:\Windows\System\xkyAVHx.exe

Filesize
5.2MB

MD5
e374cfbd2ca57151abda8f25baff1f91

SHA1
e13157a5aee1efa3d9ad9ed617833d9beaa951a7

SHA256
fcbc3e7995ebe7147ac7d013ab85ab1ab3231f6d3db346d178760b19e1acf56e

SHA512
30c36c391930b18d97046e72d2c8f9195187c8b2bb922b2ef72adb11793d3a19c1a088936f2449bc7685439dc7fadcce7fe680d8729bab4203709473c7cc9296

Download Submit
C:\Windows\System\yhExpRA.exe

Filesize
5.2MB

MD5
542d1a68161a5773a38073d285939f97

SHA1
c259624a5863c8c7342577c19a8fd4aba12ae101

SHA256
9a632623ab79c20d95dbf367ac0d1535cb15b1081e161c4dfb6a46265dc7e585

SHA512
d6ba54fe2e18b1d088d03af40f3d5c0e0467454797c360070ca329119c11b41500927f8c14c6f8017f4757f25a3b66c5ce7ac29a802b1b8a318cbd475c9d6d3f

Download Submit
memory/468-21-0x00007FF657580000-0x00007FF6578D1000-memory.dmp

Filesize
3.3MB

Download
memory/468-125-0x00007FF657580000-0x00007FF6578D1000-memory.dmp

Filesize
3.3MB

Download
memory/468-209-0x00007FF657580000-0x00007FF6578D1000-memory.dmp

Filesize
3.3MB

Download
memory/1824-110-0x00007FF6E86D0000-0x00007FF6E8A21000-memory.dmp

Filesize
3.3MB

Download
memory/1824-239-0x00007FF6E86D0000-0x00007FF6E8A21000-memory.dmp

Filesize
3.3MB

Download
memory/2060-215-0x00007FF623F20000-0x00007FF624271000-memory.dmp

Filesize
3.3MB

Download
memory/2060-49-0x00007FF623F20000-0x00007FF624271000-memory.dmp

Filesize
3.3MB

Download
memory/2072-120-0x00007FF77E4D0000-0x00007FF77E821000-memory.dmp

Filesize
3.3MB

Download
memory/2072-250-0x00007FF77E4D0000-0x00007FF77E821000-memory.dmp

Filesize
3.3MB

Download
memory/2172-211-0x00007FF720E70000-0x00007FF7211C1000-memory.dmp

Filesize
3.3MB

Download
memory/2172-126-0x00007FF720E70000-0x00007FF7211C1000-memory.dmp

Filesize
3.3MB

Download
memory/2172-22-0x00007FF720E70000-0x00007FF7211C1000-memory.dmp

Filesize
3.3MB

Download
memory/2188-248-0x00007FF7BCDC0000-0x00007FF7BD111000-memory.dmp

Filesize
3.3MB

Download
memory/2188-121-0x00007FF7BCDC0000-0x00007FF7BD111000-memory.dmp

Filesize
3.3MB

Download
memory/2464-131-0x00007FF669E30000-0x00007FF66A181000-memory.dmp

Filesize
3.3MB

Download
memory/2464-233-0x00007FF669E30000-0x00007FF66A181000-memory.dmp

Filesize
3.3MB

Download
memory/2464-58-0x00007FF669E30000-0x00007FF66A181000-memory.dmp

Filesize
3.3MB

Download
memory/2484-132-0x00007FF6B49C0000-0x00007FF6B4D11000-memory.dmp

Filesize
3.3MB

Download
memory/2484-78-0x00007FF6B49C0000-0x00007FF6B4D11000-memory.dmp

Filesize
3.3MB

Download
memory/2484-236-0x00007FF6B49C0000-0x00007FF6B4D11000-memory.dmp

Filesize
3.3MB

Download
memory/2756-50-0x00007FF693620000-0x00007FF693971000-memory.dmp

Filesize
3.3MB

Download
memory/2756-227-0x00007FF693620000-0x00007FF693971000-memory.dmp

Filesize
3.3MB

Download
memory/2820-38-0x00007FF6D4F10000-0x00007FF6D5261000-memory.dmp

Filesize
3.3MB

Download
memory/2820-213-0x00007FF6D4F10000-0x00007FF6D5261000-memory.dmp

Filesize
3.3MB

Download
memory/2820-127-0x00007FF6D4F10000-0x00007FF6D5261000-memory.dmp

Filesize
3.3MB

Download
memory/2980-139-0x00007FF647B80000-0x00007FF647ED1000-memory.dmp

Filesize
3.3MB

Download
memory/2980-253-0x00007FF647B80000-0x00007FF647ED1000-memory.dmp

Filesize
3.3MB

Download
memory/2980-92-0x00007FF647B80000-0x00007FF647ED1000-memory.dmp

Filesize
3.3MB

Download
memory/3056-113-0x00007FF7261A0000-0x00007FF7264F1000-memory.dmp

Filesize
3.3MB

Download
memory/3056-232-0x00007FF7261A0000-0x00007FF7264F1000-memory.dmp

Filesize
3.3MB

Download
memory/3276-242-0x00007FF71B330000-0x00007FF71B681000-memory.dmp

Filesize
3.3MB

Download
memory/3276-118-0x00007FF71B330000-0x00007FF71B681000-memory.dmp

Filesize
3.3MB

Download
memory/3336-229-0x00007FF7EA830000-0x00007FF7EAB81000-memory.dmp

Filesize
3.3MB

Download
memory/3336-104-0x00007FF7EA830000-0x00007FF7EAB81000-memory.dmp

Filesize
3.3MB

Download
memory/3792-109-0x00007FF6AAD00000-0x00007FF6AB051000-memory.dmp

Filesize
3.3MB

Download
memory/3792-237-0x00007FF6AAD00000-0x00007FF6AB051000-memory.dmp

Filesize
3.3MB

Download
memory/3980-246-0x00007FF779970000-0x00007FF779CC1000-memory.dmp

Filesize
3.3MB

Download
memory/3980-91-0x00007FF779970000-0x00007FF779CC1000-memory.dmp

Filesize
3.3MB

Download
memory/4028-149-0x00007FF766810000-0x00007FF766B61000-memory.dmp

Filesize
3.3MB

Download
memory/4028-1-0x000001F117CE0000-0x000001F117CF0000-memory.dmp

Filesize
64KB

Download
memory/4028-150-0x00007FF766810000-0x00007FF766B61000-memory.dmp

Filesize
3.3MB

Download
memory/4028-123-0x00007FF766810000-0x00007FF766B61000-memory.dmp

Filesize
3.3MB

Download
memory/4028-0-0x00007FF766810000-0x00007FF766B61000-memory.dmp

Filesize
3.3MB

Download
memory/4184-119-0x00007FF6F97D0000-0x00007FF6F9B21000-memory.dmp

Filesize
3.3MB

Download
memory/4184-255-0x00007FF6F97D0000-0x00007FF6F9B21000-memory.dmp

Filesize
3.3MB

Download
memory/4200-207-0x00007FF722050000-0x00007FF7223A1000-memory.dmp

Filesize
3.3MB

Download
memory/4200-11-0x00007FF722050000-0x00007FF7223A1000-memory.dmp

Filesize
3.3MB

Download
memory/4200-124-0x00007FF722050000-0x00007FF7223A1000-memory.dmp

Filesize
3.3MB

Download
memory/4688-85-0x00007FF786560000-0x00007FF7868B1000-memory.dmp

Filesize
3.3MB

Download
memory/4688-244-0x00007FF786560000-0x00007FF7868B1000-memory.dmp

Filesize
3.3MB

Download
memory/4688-136-0x00007FF786560000-0x00007FF7868B1000-memory.dmp

Filesize
3.3MB

Download
memory/4948-97-0x00007FF7A5490000-0x00007FF7A57E1000-memory.dmp

Filesize
3.3MB

Download
memory/4948-252-0x00007FF7A5490000-0x00007FF7A57E1000-memory.dmp

Filesize
3.3MB

Download
memory/4948-140-0x00007FF7A5490000-0x00007FF7A57E1000-memory.dmp

Filesize
3.3MB

Download
memory/5084-172-0x00007FF6023F0000-0x00007FF602741000-memory.dmp

Filesize
3.3MB

Download
memory/5084-148-0x00007FF6023F0000-0x00007FF602741000-memory.dmp

Filesize
3.3MB

Download
memory/5084-260-0x00007FF6023F0000-0x00007FF602741000-memory.dmp

Filesize
3.3MB

Download