cobaltstrike | 08b1559f4c4337885ee8a1547aeb313137a721fd9f27cb1a5e31cead3728e3a1

Analysis

max time kernel
145s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-12-2024 04:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-19_d6b6b2a7f86d0672fae650dbf4589082_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

d6b6b2a7f86d0672fae650dbf4589082
SHA1

f1f3d52548b22736a36fafe50d49a40905390153
SHA256

08b1559f4c4337885ee8a1547aeb313137a721fd9f27cb1a5e31cead3728e3a1
SHA512

1b3b29d96ec3c9ad34cda8f15d25e3a97ac19fe190c28f5b0a45c616ba6a43b24cfd71569b7c9f2d825ce799aed3e2a391d98e166617140ee1bcdfd0839ac937
SSDEEP

49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6ln:RWWBibd56utgpPFotBER/mQ32lU7

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000c000000023bbe-5.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9e-11.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9f-10.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c9b-22.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca0-30.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca1-34.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca2-42.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca4-46.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca6-59.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca5-63.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca7-69.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca8-74.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023caa-84.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cab-88.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cad-98.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cae-103.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023caf-109.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb0-114.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb1-118.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cac-94.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca9-79.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/3620-48-0x00007FF7A5030000-0x00007FF7A5381000-memory.dmp	xmrig
behavioral2/memory/1532-60-0x00007FF606810000-0x00007FF606B61000-memory.dmp	xmrig
behavioral2/memory/4912-55-0x00007FF7D0CF0000-0x00007FF7D1041000-memory.dmp	xmrig
behavioral2/memory/3620-121-0x00007FF7A5030000-0x00007FF7A5381000-memory.dmp	xmrig
behavioral2/memory/4816-129-0x00007FF6C6310000-0x00007FF6C6661000-memory.dmp	xmrig
behavioral2/memory/2124-128-0x00007FF7FB780000-0x00007FF7FBAD1000-memory.dmp	xmrig
behavioral2/memory/4008-130-0x00007FF6CC210000-0x00007FF6CC561000-memory.dmp	xmrig
behavioral2/memory/3684-131-0x00007FF739260000-0x00007FF7395B1000-memory.dmp	xmrig
behavioral2/memory/3624-127-0x00007FF6C6CC0000-0x00007FF6C7011000-memory.dmp	xmrig
behavioral2/memory/1196-126-0x00007FF6B8D90000-0x00007FF6B90E1000-memory.dmp	xmrig
behavioral2/memory/4868-125-0x00007FF721900000-0x00007FF721C51000-memory.dmp	xmrig
behavioral2/memory/608-124-0x00007FF770810000-0x00007FF770B61000-memory.dmp	xmrig
behavioral2/memory/4104-132-0x00007FF6894E0000-0x00007FF689831000-memory.dmp	xmrig
behavioral2/memory/1052-133-0x00007FF6B1BB0000-0x00007FF6B1F01000-memory.dmp	xmrig
behavioral2/memory/4872-135-0x00007FF6BB0E0000-0x00007FF6BB431000-memory.dmp	xmrig
behavioral2/memory/1280-134-0x00007FF60A680000-0x00007FF60A9D1000-memory.dmp	xmrig
behavioral2/memory/3988-137-0x00007FF6818D0000-0x00007FF681C21000-memory.dmp	xmrig
behavioral2/memory/2428-138-0x00007FF7B8EC0000-0x00007FF7B9211000-memory.dmp	xmrig
behavioral2/memory/8-136-0x00007FF614080000-0x00007FF6143D1000-memory.dmp	xmrig
behavioral2/memory/2168-139-0x00007FF77E430000-0x00007FF77E781000-memory.dmp	xmrig
behavioral2/memory/4680-142-0x00007FF76CF10000-0x00007FF76D261000-memory.dmp	xmrig
behavioral2/memory/2424-140-0x00007FF660C00000-0x00007FF660F51000-memory.dmp	xmrig
behavioral2/memory/3468-141-0x00007FF6EC030000-0x00007FF6EC381000-memory.dmp	xmrig
behavioral2/memory/3620-153-0x00007FF7A5030000-0x00007FF7A5381000-memory.dmp	xmrig
behavioral2/memory/4912-201-0x00007FF7D0CF0000-0x00007FF7D1041000-memory.dmp	xmrig
behavioral2/memory/1532-204-0x00007FF606810000-0x00007FF606B61000-memory.dmp	xmrig
behavioral2/memory/608-207-0x00007FF770810000-0x00007FF770B61000-memory.dmp	xmrig
behavioral2/memory/1196-211-0x00007FF6B8D90000-0x00007FF6B90E1000-memory.dmp	xmrig
behavioral2/memory/1052-213-0x00007FF6B1BB0000-0x00007FF6B1F01000-memory.dmp	xmrig
behavioral2/memory/1280-220-0x00007FF60A680000-0x00007FF60A9D1000-memory.dmp	xmrig
behavioral2/memory/3988-222-0x00007FF6818D0000-0x00007FF681C21000-memory.dmp	xmrig
behavioral2/memory/2428-224-0x00007FF7B8EC0000-0x00007FF7B9211000-memory.dmp	xmrig
behavioral2/memory/2424-226-0x00007FF660C00000-0x00007FF660F51000-memory.dmp	xmrig
behavioral2/memory/3468-228-0x00007FF6EC030000-0x00007FF6EC381000-memory.dmp	xmrig
behavioral2/memory/4680-240-0x00007FF76CF10000-0x00007FF76D261000-memory.dmp	xmrig
behavioral2/memory/3624-243-0x00007FF6C6CC0000-0x00007FF6C7011000-memory.dmp	xmrig
behavioral2/memory/2168-246-0x00007FF77E430000-0x00007FF77E781000-memory.dmp	xmrig
behavioral2/memory/4868-245-0x00007FF721900000-0x00007FF721C51000-memory.dmp	xmrig
behavioral2/memory/8-248-0x00007FF614080000-0x00007FF6143D1000-memory.dmp	xmrig
behavioral2/memory/2124-260-0x00007FF7FB780000-0x00007FF7FBAD1000-memory.dmp	xmrig
behavioral2/memory/4816-259-0x00007FF6C6310000-0x00007FF6C6661000-memory.dmp	xmrig
behavioral2/memory/4008-256-0x00007FF6CC210000-0x00007FF6CC561000-memory.dmp	xmrig
behavioral2/memory/3684-255-0x00007FF739260000-0x00007FF7395B1000-memory.dmp	xmrig
behavioral2/memory/4104-253-0x00007FF6894E0000-0x00007FF689831000-memory.dmp	xmrig
behavioral2/memory/4872-251-0x00007FF6BB0E0000-0x00007FF6BB431000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4912	DlJiMWa.exe
1532	wPrhPqa.exe
608	qqagSqL.exe
1196	VNnLZjn.exe
1052	aELDhqh.exe
1280	vfNcuID.exe
3988	dCRPPas.exe
2428	ZCeNQpN.exe
2424	lFENnLf.exe
3468	uWuvAXq.exe
4680	jfDdPdx.exe
2168	Vkdcxpb.exe
4868	mUVlrop.exe
3624	shSJdXz.exe
2124	MoNAlnQ.exe
4816	YaSDOCT.exe
4008	SaElHXV.exe
3684	uIEbwAU.exe
4104	rOyfDaC.exe
4872	oTaOIFB.exe
8	bvZvhUI.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3620-0-0x00007FF7A5030000-0x00007FF7A5381000-memory.dmp	upx
behavioral2/files/0x000c000000023bbe-5.dat	upx
behavioral2/memory/4912-7-0x00007FF7D0CF0000-0x00007FF7D1041000-memory.dmp	upx
behavioral2/files/0x0007000000023c9e-11.dat	upx
behavioral2/files/0x0007000000023c9f-10.dat	upx
behavioral2/memory/1532-14-0x00007FF606810000-0x00007FF606B61000-memory.dmp	upx
behavioral2/memory/608-19-0x00007FF770810000-0x00007FF770B61000-memory.dmp	upx
behavioral2/files/0x0008000000023c9b-22.dat	upx
behavioral2/memory/1196-26-0x00007FF6B8D90000-0x00007FF6B90E1000-memory.dmp	upx
behavioral2/files/0x0007000000023ca0-30.dat	upx
behavioral2/memory/1052-32-0x00007FF6B1BB0000-0x00007FF6B1F01000-memory.dmp	upx
behavioral2/files/0x0007000000023ca1-34.dat	upx
behavioral2/memory/1280-37-0x00007FF60A680000-0x00007FF60A9D1000-memory.dmp	upx
behavioral2/files/0x0007000000023ca2-42.dat	upx
behavioral2/memory/3988-45-0x00007FF6818D0000-0x00007FF681C21000-memory.dmp	upx
behavioral2/files/0x0007000000023ca4-46.dat	upx
behavioral2/memory/2428-49-0x00007FF7B8EC0000-0x00007FF7B9211000-memory.dmp	upx
behavioral2/memory/3620-48-0x00007FF7A5030000-0x00007FF7A5381000-memory.dmp	upx
behavioral2/memory/2424-56-0x00007FF660C00000-0x00007FF660F51000-memory.dmp	upx
behavioral2/files/0x0007000000023ca6-59.dat	upx
behavioral2/files/0x0007000000023ca5-63.dat	upx
behavioral2/files/0x0007000000023ca7-69.dat	upx
behavioral2/files/0x0007000000023ca8-74.dat	upx
behavioral2/files/0x0007000000023caa-84.dat	upx
behavioral2/files/0x0007000000023cab-88.dat	upx
behavioral2/files/0x0007000000023cad-98.dat	upx
behavioral2/files/0x0007000000023cae-103.dat	upx
behavioral2/files/0x0007000000023caf-109.dat	upx
behavioral2/files/0x0007000000023cb0-114.dat	upx
behavioral2/files/0x0007000000023cb1-118.dat	upx
behavioral2/files/0x0007000000023cac-94.dat	upx
behavioral2/files/0x0007000000023ca9-79.dat	upx
behavioral2/memory/3468-61-0x00007FF6EC030000-0x00007FF6EC381000-memory.dmp	upx
behavioral2/memory/1532-60-0x00007FF606810000-0x00007FF606B61000-memory.dmp	upx
behavioral2/memory/4912-55-0x00007FF7D0CF0000-0x00007FF7D1041000-memory.dmp	upx
behavioral2/memory/4680-120-0x00007FF76CF10000-0x00007FF76D261000-memory.dmp	upx
behavioral2/memory/3620-121-0x00007FF7A5030000-0x00007FF7A5381000-memory.dmp	upx
behavioral2/memory/4816-129-0x00007FF6C6310000-0x00007FF6C6661000-memory.dmp	upx
behavioral2/memory/2124-128-0x00007FF7FB780000-0x00007FF7FBAD1000-memory.dmp	upx
behavioral2/memory/4008-130-0x00007FF6CC210000-0x00007FF6CC561000-memory.dmp	upx
behavioral2/memory/3684-131-0x00007FF739260000-0x00007FF7395B1000-memory.dmp	upx
behavioral2/memory/3624-127-0x00007FF6C6CC0000-0x00007FF6C7011000-memory.dmp	upx
behavioral2/memory/1196-126-0x00007FF6B8D90000-0x00007FF6B90E1000-memory.dmp	upx
behavioral2/memory/4868-125-0x00007FF721900000-0x00007FF721C51000-memory.dmp	upx
behavioral2/memory/608-124-0x00007FF770810000-0x00007FF770B61000-memory.dmp	upx
behavioral2/memory/4104-132-0x00007FF6894E0000-0x00007FF689831000-memory.dmp	upx
behavioral2/memory/1052-133-0x00007FF6B1BB0000-0x00007FF6B1F01000-memory.dmp	upx
behavioral2/memory/4872-135-0x00007FF6BB0E0000-0x00007FF6BB431000-memory.dmp	upx
behavioral2/memory/1280-134-0x00007FF60A680000-0x00007FF60A9D1000-memory.dmp	upx
behavioral2/memory/3988-137-0x00007FF6818D0000-0x00007FF681C21000-memory.dmp	upx
behavioral2/memory/2428-138-0x00007FF7B8EC0000-0x00007FF7B9211000-memory.dmp	upx
behavioral2/memory/8-136-0x00007FF614080000-0x00007FF6143D1000-memory.dmp	upx
behavioral2/memory/2168-139-0x00007FF77E430000-0x00007FF77E781000-memory.dmp	upx
behavioral2/memory/4680-142-0x00007FF76CF10000-0x00007FF76D261000-memory.dmp	upx
behavioral2/memory/2424-140-0x00007FF660C00000-0x00007FF660F51000-memory.dmp	upx
behavioral2/memory/3468-141-0x00007FF6EC030000-0x00007FF6EC381000-memory.dmp	upx
behavioral2/memory/3620-153-0x00007FF7A5030000-0x00007FF7A5381000-memory.dmp	upx
behavioral2/memory/4912-201-0x00007FF7D0CF0000-0x00007FF7D1041000-memory.dmp	upx
behavioral2/memory/1532-204-0x00007FF606810000-0x00007FF606B61000-memory.dmp	upx
behavioral2/memory/608-207-0x00007FF770810000-0x00007FF770B61000-memory.dmp	upx
behavioral2/memory/1196-211-0x00007FF6B8D90000-0x00007FF6B90E1000-memory.dmp	upx
behavioral2/memory/1052-213-0x00007FF6B1BB0000-0x00007FF6B1F01000-memory.dmp	upx
behavioral2/memory/1280-220-0x00007FF60A680000-0x00007FF60A9D1000-memory.dmp	upx
behavioral2/memory/3988-222-0x00007FF6818D0000-0x00007FF681C21000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\uWuvAXq.exe	2024-12-19_d6b6b2a7f86d0672fae650dbf4589082_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jfDdPdx.exe	2024-12-19_d6b6b2a7f86d0672fae650dbf4589082_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\shSJdXz.exe	2024-12-19_d6b6b2a7f86d0672fae650dbf4589082_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MoNAlnQ.exe	2024-12-19_d6b6b2a7f86d0672fae650dbf4589082_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SaElHXV.exe	2024-12-19_d6b6b2a7f86d0672fae650dbf4589082_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rOyfDaC.exe	2024-12-19_d6b6b2a7f86d0672fae650dbf4589082_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oTaOIFB.exe	2024-12-19_d6b6b2a7f86d0672fae650dbf4589082_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZCeNQpN.exe	2024-12-19_d6b6b2a7f86d0672fae650dbf4589082_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dCRPPas.exe	2024-12-19_d6b6b2a7f86d0672fae650dbf4589082_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mUVlrop.exe	2024-12-19_d6b6b2a7f86d0672fae650dbf4589082_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aELDhqh.exe	2024-12-19_d6b6b2a7f86d0672fae650dbf4589082_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qqagSqL.exe	2024-12-19_d6b6b2a7f86d0672fae650dbf4589082_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VNnLZjn.exe	2024-12-19_d6b6b2a7f86d0672fae650dbf4589082_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lFENnLf.exe	2024-12-19_d6b6b2a7f86d0672fae650dbf4589082_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\Vkdcxpb.exe	2024-12-19_d6b6b2a7f86d0672fae650dbf4589082_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uIEbwAU.exe	2024-12-19_d6b6b2a7f86d0672fae650dbf4589082_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bvZvhUI.exe	2024-12-19_d6b6b2a7f86d0672fae650dbf4589082_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DlJiMWa.exe	2024-12-19_d6b6b2a7f86d0672fae650dbf4589082_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vfNcuID.exe	2024-12-19_d6b6b2a7f86d0672fae650dbf4589082_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YaSDOCT.exe	2024-12-19_d6b6b2a7f86d0672fae650dbf4589082_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wPrhPqa.exe	2024-12-19_d6b6b2a7f86d0672fae650dbf4589082_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3620	2024-12-19_d6b6b2a7f86d0672fae650dbf4589082_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	3620	2024-12-19_d6b6b2a7f86d0672fae650dbf4589082_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3620 wrote to memory of 4912	3620	2024-12-19_d6b6b2a7f86d0672fae650dbf4589082_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3620 wrote to memory of 4912	3620	2024-12-19_d6b6b2a7f86d0672fae650dbf4589082_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3620 wrote to memory of 1532	3620	2024-12-19_d6b6b2a7f86d0672fae650dbf4589082_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3620 wrote to memory of 1532	3620	2024-12-19_d6b6b2a7f86d0672fae650dbf4589082_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3620 wrote to memory of 608	3620	2024-12-19_d6b6b2a7f86d0672fae650dbf4589082_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3620 wrote to memory of 608	3620	2024-12-19_d6b6b2a7f86d0672fae650dbf4589082_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3620 wrote to memory of 1196	3620	2024-12-19_d6b6b2a7f86d0672fae650dbf4589082_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3620 wrote to memory of 1196	3620	2024-12-19_d6b6b2a7f86d0672fae650dbf4589082_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3620 wrote to memory of 1052	3620	2024-12-19_d6b6b2a7f86d0672fae650dbf4589082_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3620 wrote to memory of 1052	3620	2024-12-19_d6b6b2a7f86d0672fae650dbf4589082_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3620 wrote to memory of 1280	3620	2024-12-19_d6b6b2a7f86d0672fae650dbf4589082_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3620 wrote to memory of 1280	3620	2024-12-19_d6b6b2a7f86d0672fae650dbf4589082_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3620 wrote to memory of 3988	3620	2024-12-19_d6b6b2a7f86d0672fae650dbf4589082_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3620 wrote to memory of 3988	3620	2024-12-19_d6b6b2a7f86d0672fae650dbf4589082_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3620 wrote to memory of 2428	3620	2024-12-19_d6b6b2a7f86d0672fae650dbf4589082_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3620 wrote to memory of 2428	3620	2024-12-19_d6b6b2a7f86d0672fae650dbf4589082_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3620 wrote to memory of 2424	3620	2024-12-19_d6b6b2a7f86d0672fae650dbf4589082_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3620 wrote to memory of 2424	3620	2024-12-19_d6b6b2a7f86d0672fae650dbf4589082_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3620 wrote to memory of 3468	3620	2024-12-19_d6b6b2a7f86d0672fae650dbf4589082_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3620 wrote to memory of 3468	3620	2024-12-19_d6b6b2a7f86d0672fae650dbf4589082_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3620 wrote to memory of 4680	3620	2024-12-19_d6b6b2a7f86d0672fae650dbf4589082_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3620 wrote to memory of 4680	3620	2024-12-19_d6b6b2a7f86d0672fae650dbf4589082_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3620 wrote to memory of 2168	3620	2024-12-19_d6b6b2a7f86d0672fae650dbf4589082_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3620 wrote to memory of 2168	3620	2024-12-19_d6b6b2a7f86d0672fae650dbf4589082_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3620 wrote to memory of 4868	3620	2024-12-19_d6b6b2a7f86d0672fae650dbf4589082_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3620 wrote to memory of 4868	3620	2024-12-19_d6b6b2a7f86d0672fae650dbf4589082_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3620 wrote to memory of 3624	3620	2024-12-19_d6b6b2a7f86d0672fae650dbf4589082_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3620 wrote to memory of 3624	3620	2024-12-19_d6b6b2a7f86d0672fae650dbf4589082_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3620 wrote to memory of 2124	3620	2024-12-19_d6b6b2a7f86d0672fae650dbf4589082_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3620 wrote to memory of 2124	3620	2024-12-19_d6b6b2a7f86d0672fae650dbf4589082_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3620 wrote to memory of 4816	3620	2024-12-19_d6b6b2a7f86d0672fae650dbf4589082_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3620 wrote to memory of 4816	3620	2024-12-19_d6b6b2a7f86d0672fae650dbf4589082_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3620 wrote to memory of 4008	3620	2024-12-19_d6b6b2a7f86d0672fae650dbf4589082_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3620 wrote to memory of 4008	3620	2024-12-19_d6b6b2a7f86d0672fae650dbf4589082_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3620 wrote to memory of 3684	3620	2024-12-19_d6b6b2a7f86d0672fae650dbf4589082_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3620 wrote to memory of 3684	3620	2024-12-19_d6b6b2a7f86d0672fae650dbf4589082_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3620 wrote to memory of 4104	3620	2024-12-19_d6b6b2a7f86d0672fae650dbf4589082_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3620 wrote to memory of 4104	3620	2024-12-19_d6b6b2a7f86d0672fae650dbf4589082_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3620 wrote to memory of 4872	3620	2024-12-19_d6b6b2a7f86d0672fae650dbf4589082_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3620 wrote to memory of 4872	3620	2024-12-19_d6b6b2a7f86d0672fae650dbf4589082_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3620 wrote to memory of 8	3620	2024-12-19_d6b6b2a7f86d0672fae650dbf4589082_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 3620 wrote to memory of 8	3620	2024-12-19_d6b6b2a7f86d0672fae650dbf4589082_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-12-19_d6b6b2a7f86d0672fae650dbf4589082_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-19_d6b6b2a7f86d0672fae650dbf4589082_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3620
- C:\Windows\System\DlJiMWa.exe
  C:\Windows\System\DlJiMWa.exe
  2⤵
  - Executes dropped EXE
  PID:4912
- C:\Windows\System\wPrhPqa.exe
  C:\Windows\System\wPrhPqa.exe
  2⤵
  - Executes dropped EXE
  PID:1532
- C:\Windows\System\qqagSqL.exe
  C:\Windows\System\qqagSqL.exe
  2⤵
  - Executes dropped EXE
  PID:608
- C:\Windows\System\VNnLZjn.exe
  C:\Windows\System\VNnLZjn.exe
  2⤵
  - Executes dropped EXE
  PID:1196
- C:\Windows\System\aELDhqh.exe
  C:\Windows\System\aELDhqh.exe
  2⤵
  - Executes dropped EXE
  PID:1052
- C:\Windows\System\vfNcuID.exe
  C:\Windows\System\vfNcuID.exe
  2⤵
  - Executes dropped EXE
  PID:1280
- C:\Windows\System\dCRPPas.exe
  C:\Windows\System\dCRPPas.exe
  2⤵
  - Executes dropped EXE
  PID:3988
- C:\Windows\System\ZCeNQpN.exe
  C:\Windows\System\ZCeNQpN.exe
  2⤵
  - Executes dropped EXE
  PID:2428
- C:\Windows\System\lFENnLf.exe
  C:\Windows\System\lFENnLf.exe
  2⤵
  - Executes dropped EXE
  PID:2424
- C:\Windows\System\uWuvAXq.exe
  C:\Windows\System\uWuvAXq.exe
  2⤵
  - Executes dropped EXE
  PID:3468
- C:\Windows\System\jfDdPdx.exe
  C:\Windows\System\jfDdPdx.exe
  2⤵
  - Executes dropped EXE
  PID:4680
- C:\Windows\System\Vkdcxpb.exe
  C:\Windows\System\Vkdcxpb.exe
  2⤵
  - Executes dropped EXE
  PID:2168
- C:\Windows\System\mUVlrop.exe
  C:\Windows\System\mUVlrop.exe
  2⤵
  - Executes dropped EXE
  PID:4868
- C:\Windows\System\shSJdXz.exe
  C:\Windows\System\shSJdXz.exe
  2⤵
  - Executes dropped EXE
  PID:3624
- C:\Windows\System\MoNAlnQ.exe
  C:\Windows\System\MoNAlnQ.exe
  2⤵
  - Executes dropped EXE
  PID:2124
- C:\Windows\System\YaSDOCT.exe
  C:\Windows\System\YaSDOCT.exe
  2⤵
  - Executes dropped EXE
  PID:4816
- C:\Windows\System\SaElHXV.exe
  C:\Windows\System\SaElHXV.exe
  2⤵
  - Executes dropped EXE
  PID:4008
- C:\Windows\System\uIEbwAU.exe
  C:\Windows\System\uIEbwAU.exe
  2⤵
  - Executes dropped EXE
  PID:3684
- C:\Windows\System\rOyfDaC.exe
  C:\Windows\System\rOyfDaC.exe
  2⤵
  - Executes dropped EXE
  PID:4104
- C:\Windows\System\oTaOIFB.exe
  C:\Windows\System\oTaOIFB.exe
  2⤵
  - Executes dropped EXE
  PID:4872
- C:\Windows\System\bvZvhUI.exe
  C:\Windows\System\bvZvhUI.exe
  2⤵
  - Executes dropped EXE
  PID:8

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\DlJiMWa.exe

Filesize
5.2MB

MD5
8067c034fbf171075664aeb8f1d25176

SHA1
dde2e705e82b9917707a4f710e224ca2d37df094

SHA256
184ec5a66521a38e18c09485c1fdf6d52d0e8467f09beaf25041eaf28cb8b43b

SHA512
26eb28a20c7d11ae26bff8d56af245e8e62a16339c9df43aeb823e16969e8c7dfd828b34d35234245a760fdefde8efee122e4ce5085fcac4e168c5968e0cb3a3

Download Submit
C:\Windows\System\MoNAlnQ.exe

Filesize
5.2MB

MD5
51d8a1c3b9384110ddb8921bcc34216f

SHA1
1488de242e1382104891d28543e508a7c80d3161

SHA256
80f10d72bbaa36354210dbb594ec3709d4d98a0eaf6551205d05f518544a95c6

SHA512
274699f750e420b49dd952527ddfd9b02c1da826dfd8272ee564d529a0f0cabc2c9047618b7d4e2f27d78c58fe393b7fd862c6f7f5bf4c22b8fcd0ef2afb36d5

Download Submit
C:\Windows\System\SaElHXV.exe

Filesize
5.2MB

MD5
b8ae1df5d6ad8880fc3dc73c6150385f

SHA1
7d8378437de074ad7d452e14ad95b505f514f442

SHA256
6bed4d3a1959677f4d8469979d776d0b88a5192730f816d36f4f02cfd1e44a4e

SHA512
e200ba31681182ae67da5c800ebf5baa636a7fef7b3af026de354eeebbc4a3b8d5a37f304a07da34bec8845200c259ca9d827ffc02e8d8929961240c07beae09

Download Submit
C:\Windows\System\VNnLZjn.exe

Filesize
5.2MB

MD5
6533668c3530d60b33d65d4a2f63fe07

SHA1
f64ce6f31bddda4fbbcfaa516261b0df44f92f5b

SHA256
75938978b5c6f299900149215b7b9368e4aa45430f1fef0157141e6bdddf8f43

SHA512
b916961293af1bcaebd080caa972b4e269a243db2e028e5911c82bf4883fbd37be6d5b680f4d2ce212d23ef2db4b82f9e643cb49afc95c9b321d832c63750a5b

Download Submit
C:\Windows\System\Vkdcxpb.exe

Filesize
5.2MB

MD5
67a29e8c305ab0478d283f6a29feb8ea

SHA1
888f9c97e113d80d48f1ac9443e7537edc667370

SHA256
e9ef1ea79e4965de91be17e93ac1c0008c74b255bf2176e183f8329084a0ebcf

SHA512
20e308b4d70f63b41e20819444789ec8a2de759c8812158eadc12820f56bd26ccf85d86df0a9c83a5eef9587cd914c631f84779a204302dfc051f29cd3c56745

Download Submit
C:\Windows\System\YaSDOCT.exe

Filesize
5.2MB

MD5
1bacfe3b55555189e598edd7b62c5de7

SHA1
ddf272c9cd10a3fc7ba05577bdfe83ff5a10d270

SHA256
4c1cd824753a438589e1b6fba9af11a4fb2f0d7bde9a48e797f7d2b9346aaba4

SHA512
f7af4a2addc92814f7a02808723c689a320e421506a6c53d883e8176b73af2ec4f6f92478a794deaaf5f193168f3c6acf2a240e7d356e6af8fce22729129088a

Download Submit
C:\Windows\System\ZCeNQpN.exe

Filesize
5.2MB

MD5
694f335752f8a60f161448457a975dfe

SHA1
6ba213f9f34cbd601544f3d27963f96c2fe9176c

SHA256
bc3cbd8205d4b8b4918748c96898dd597de9697bbcf6667fb770c8e0aea1dd38

SHA512
56ffe2aa11d6f575452a9a98711aa231810bd77c842a094c3e4cbcd4df9812b75c133e223ca410c8a2e2c56f306a9bc2d6ab3486cab527b2c1ac91e612151702

Download Submit
C:\Windows\System\aELDhqh.exe

Filesize
5.2MB

MD5
4bcc7f1ddae92c8101a236f12b4ca8a5

SHA1
bfe6e03ac4c2cb898b3c769e231dc7a57f37d747

SHA256
ef0254b902fbf86e7fdc4dca74132f7c266a61cc24ca3c98938dc87bc0ae9064

SHA512
f351919218edf68d798d2281d135ffe1c7a65ca5451d30ebeee4a2bdc357364397f69732f6e8a4b31276c1d005adab810dc4cfd3b5f570cc1816ad319d7d5942

Download Submit
C:\Windows\System\bvZvhUI.exe

Filesize
5.2MB

MD5
f4173a2f52f9951ef9da1c97ff5328ff

SHA1
ea2c1d61f634e494da06f54990a71b7eee1c4b71

SHA256
3918ef4aee5e675f307f50d254c3e0482a52347311af2b63ee7b9a0d88cb8a2e

SHA512
609e0816900d7457699c8980ce13b44a48911836b28b323e0b14e2ae0d16913dc6a6815e73db26a4c07c6004435d5441f45594c8172bb016bb1457c802a82147

Download Submit
C:\Windows\System\dCRPPas.exe

Filesize
5.2MB

MD5
86e33ee61cae8f62a645cccf30c6db07

SHA1
be53043a86e8107fab383d3b37ff0ca24e3a6070

SHA256
3405c2da551395f4771dbd921909b6f96538db498ab90028ebfa2374cfc69226

SHA512
6c3456a17bba888cd09414cb917f5d159e8e157af6ab26fe089df69d29e54af859bf7135e4f4ac9c19a8fe81681781ac27d3c2e80b5ef22cfcd3fdf30a25427d

Download Submit
C:\Windows\System\jfDdPdx.exe

Filesize
5.2MB

MD5
33dd46c092b4602296444cc7bd298699

SHA1
23d6339fae9e76615d9b41c328f88b565434efdd

SHA256
15e62a06d970816e5e0aa09dfe79b3d097a6aa4ab8dbedea2233e5eaf0d4a445

SHA512
ccdf2f63c8926d73d38196c3fb646b6cee2ab25aecd3f39a117e0e020b3b179074f6ce0e6774156b5fe7d6cd9f52b8177d04873a93044a247ca4ca5e8cd3a8e4

Download Submit
C:\Windows\System\lFENnLf.exe

Filesize
5.2MB

MD5
7a3556c1a1107f94c67122821bd0b4e3

SHA1
3cd737c365442b924c99284dd96f69f5551f1c77

SHA256
e344a097b7b135f4332031a43d59ad5f473ba57e248a05bc6f58aef392577fa2

SHA512
d69111dfaf5c293284686a429d72b70830cdd0b5124874cf19a7a1d9479a6bf74a3d5ffd09daf73fe792b0ddce0166172134de931f01f368710367f0960767fc

Download Submit
C:\Windows\System\mUVlrop.exe

Filesize
5.2MB

MD5
8cde4211141b6940425b6fc13fbab18c

SHA1
f66570702487d44dfd7e463953bd8b300ac449c7

SHA256
66f34b98806ea44e0239a5bd548eef3bcf97214e4d7e1133d0cb083a672340d8

SHA512
32ce84c688cf533d0832fbef56768414e73858ff157adfb5061cff74e850abf12a7e0f285b51f2c9c5882da58818ba5baaf1db3dfe3ad6a31134af5759ca3310

Download Submit
C:\Windows\System\oTaOIFB.exe

Filesize
5.2MB

MD5
b45cd21c1fc031b84a65bb693a9bcdeb

SHA1
512c7414af562e68790900f0889d2d7579895afa

SHA256
933f6696941630b590db3579b5d3380be8380cfbfb8aaaad82668db77c5f4297

SHA512
00799f97e45589712ad937d0e3eb4cee96a7e8f7569b1e2b4a8276a0efcfac7cfa5a6ec42d2675c35e75e19aeadd1448449d260572a86c5c5221357a26eb9407

Download Submit
C:\Windows\System\qqagSqL.exe

Filesize
5.2MB

MD5
9ba8df909900c7f75d8495922183c512

SHA1
00f6e20f51035c446b43b73cbe58d072f5cdc5b7

SHA256
3a3e0cecc49e6832becf45b5496c89d1c6f54e793b6f04e9bfcd3e1fd0da22c5

SHA512
d47e5ed5509d945de31985f3bf81cbabf8f4cac9d21db77f70ee93a788e2ece4bb3a5d9fa96835da65ffd5f22a78df729fc54afff21d9d92a9b7c6b575b09c8d

Download Submit
C:\Windows\System\rOyfDaC.exe

Filesize
5.2MB

MD5
a115c32b9e6e6e94e363f61082be7101

SHA1
ad91e60d820ccbbf9001eee4a8d78385f7143de2

SHA256
bef7f5fbe817183f4ddbe7bcd93653f071ebe1ad54e3d75af4fad82e94b72fbd

SHA512
762bdc5ec7395b12972a30428a61b5c27e6a78a0ef065db908e8764375f4f315d62fe8a0f01e90a286dce6250e278d3678c0f2f5781e71c2850ef69bf44b35de

Download Submit
C:\Windows\System\shSJdXz.exe

Filesize
5.2MB

MD5
6ead04dfcfbc5fa1cb7e31d6e25199c5

SHA1
5300a8b5c3dfb975751706e6a23a0090d9ec8408

SHA256
0bf232a249fc231697eae8ffa56ebb6aeae180081a46d7721003d0bc2aefcd35

SHA512
e9d11f97d1cc691374bcf0e8d2ea19406f965b274dc4e7f2396d1fd4056b64e9bbcdb308381e30e8b26dd5a4bcf9485639f007a51779d3c0ccf61b7e40619118

Download Submit
C:\Windows\System\uIEbwAU.exe

Filesize
5.2MB

MD5
3cf822f252b0ea5c933e165b39bd9e40

SHA1
290f40922d2a26c81cccf0adb9690debd07eb7b6

SHA256
cc0570751446cf6423cd2ac91a05a072e7dd047355dece44dc004ed7fc7a57bd

SHA512
cfb57c09bb0a3c53cb0efe42e101aa53d24090694b3a5536ad12840b4591aaa7d19d9163795c155dc0969f8fa3d81077a7c29ae7c2de2f7e6dfac98ee4390aa8

Download Submit
C:\Windows\System\uWuvAXq.exe

Filesize
5.2MB

MD5
810e3749903db361daee174278dab605

SHA1
2f7b35111ff1a933ec72f08efd4ca5733ec29d3f

SHA256
c07582e3570b415d3cb6d05ea7ea54ae8a36b75ac04495d52d3024b84ada3a22

SHA512
81216caea9aff2f6b530f6762da9c7c7d6ffa235c496a7502673fd613f67b2a973601de0c1bb0f437708f800edad28e85b4adf81c8c7dce9bd3fcdc2751cd6c1

Download Submit
C:\Windows\System\vfNcuID.exe

Filesize
5.2MB

MD5
a2f0cfcb0b044bd4cacf09e682134d8c

SHA1
3a8040063e509dbd60bc650f91310de5ce92ac46

SHA256
de3139942d1754c811b7c8742da6ec4f06dc0b1e520ecdcf8edd9126ccd7139f

SHA512
98a978f6fd5b4c8de629c10a1c8063baf2aaed266705b8a5889478639776fe8559f1f4f3173f6d83e4b038257895f879258edaec5bf34368943be500232ac593

Download Submit
C:\Windows\System\wPrhPqa.exe

Filesize
5.2MB

MD5
d0a1fb67221f7d73fdf9a3403a12c9b5

SHA1
0273d3b9a48eeed8b84e2feef6641adabebbc8ef

SHA256
ce81cf964bd18277e45506af729805d8a6cfea882113815612622f2457ebb9a1

SHA512
341aa9a7c43623d6c7dd3c46e9bc98de752936203f6ed97a59629aaaf7eaced8fb03a2eba615477b01d5676f7e1c88b412b5ce951776b8a43e1d4e5a698a9525

Download Submit
memory/8-248-0x00007FF614080000-0x00007FF6143D1000-memory.dmp

Filesize
3.3MB

Download
memory/8-136-0x00007FF614080000-0x00007FF6143D1000-memory.dmp

Filesize
3.3MB

Download
memory/608-207-0x00007FF770810000-0x00007FF770B61000-memory.dmp

Filesize
3.3MB

Download
memory/608-19-0x00007FF770810000-0x00007FF770B61000-memory.dmp

Filesize
3.3MB

Download
memory/608-124-0x00007FF770810000-0x00007FF770B61000-memory.dmp

Filesize
3.3MB

Download
memory/1052-32-0x00007FF6B1BB0000-0x00007FF6B1F01000-memory.dmp

Filesize
3.3MB

Download
memory/1052-213-0x00007FF6B1BB0000-0x00007FF6B1F01000-memory.dmp

Filesize
3.3MB

Download
memory/1052-133-0x00007FF6B1BB0000-0x00007FF6B1F01000-memory.dmp

Filesize
3.3MB

Download
memory/1196-126-0x00007FF6B8D90000-0x00007FF6B90E1000-memory.dmp

Filesize
3.3MB

Download
memory/1196-26-0x00007FF6B8D90000-0x00007FF6B90E1000-memory.dmp

Filesize
3.3MB

Download
memory/1196-211-0x00007FF6B8D90000-0x00007FF6B90E1000-memory.dmp

Filesize
3.3MB

Download
memory/1280-134-0x00007FF60A680000-0x00007FF60A9D1000-memory.dmp

Filesize
3.3MB

Download
memory/1280-37-0x00007FF60A680000-0x00007FF60A9D1000-memory.dmp

Filesize
3.3MB

Download
memory/1280-220-0x00007FF60A680000-0x00007FF60A9D1000-memory.dmp

Filesize
3.3MB

Download
memory/1532-14-0x00007FF606810000-0x00007FF606B61000-memory.dmp

Filesize
3.3MB

Download
memory/1532-204-0x00007FF606810000-0x00007FF606B61000-memory.dmp

Filesize
3.3MB

Download
memory/1532-60-0x00007FF606810000-0x00007FF606B61000-memory.dmp

Filesize
3.3MB

Download
memory/2124-128-0x00007FF7FB780000-0x00007FF7FBAD1000-memory.dmp

Filesize
3.3MB

Download
memory/2124-260-0x00007FF7FB780000-0x00007FF7FBAD1000-memory.dmp

Filesize
3.3MB

Download
memory/2168-246-0x00007FF77E430000-0x00007FF77E781000-memory.dmp

Filesize
3.3MB

Download
memory/2168-139-0x00007FF77E430000-0x00007FF77E781000-memory.dmp

Filesize
3.3MB

Download
memory/2424-56-0x00007FF660C00000-0x00007FF660F51000-memory.dmp

Filesize
3.3MB

Download
memory/2424-226-0x00007FF660C00000-0x00007FF660F51000-memory.dmp

Filesize
3.3MB

Download
memory/2424-140-0x00007FF660C00000-0x00007FF660F51000-memory.dmp

Filesize
3.3MB

Download
memory/2428-224-0x00007FF7B8EC0000-0x00007FF7B9211000-memory.dmp

Filesize
3.3MB

Download
memory/2428-138-0x00007FF7B8EC0000-0x00007FF7B9211000-memory.dmp

Filesize
3.3MB

Download
memory/2428-49-0x00007FF7B8EC0000-0x00007FF7B9211000-memory.dmp

Filesize
3.3MB

Download
memory/3468-61-0x00007FF6EC030000-0x00007FF6EC381000-memory.dmp

Filesize
3.3MB

Download
memory/3468-141-0x00007FF6EC030000-0x00007FF6EC381000-memory.dmp

Filesize
3.3MB

Download
memory/3468-228-0x00007FF6EC030000-0x00007FF6EC381000-memory.dmp

Filesize
3.3MB

Download
memory/3620-121-0x00007FF7A5030000-0x00007FF7A5381000-memory.dmp

Filesize
3.3MB

Download
memory/3620-1-0x000001C9C65B0000-0x000001C9C65C0000-memory.dmp

Filesize
64KB

Download
memory/3620-48-0x00007FF7A5030000-0x00007FF7A5381000-memory.dmp

Filesize
3.3MB

Download
memory/3620-153-0x00007FF7A5030000-0x00007FF7A5381000-memory.dmp

Filesize
3.3MB

Download
memory/3620-0-0x00007FF7A5030000-0x00007FF7A5381000-memory.dmp

Filesize
3.3MB

Download
memory/3624-243-0x00007FF6C6CC0000-0x00007FF6C7011000-memory.dmp

Filesize
3.3MB

Download
memory/3624-127-0x00007FF6C6CC0000-0x00007FF6C7011000-memory.dmp

Filesize
3.3MB

Download
memory/3684-131-0x00007FF739260000-0x00007FF7395B1000-memory.dmp

Filesize
3.3MB

Download
memory/3684-255-0x00007FF739260000-0x00007FF7395B1000-memory.dmp

Filesize
3.3MB

Download
memory/3988-45-0x00007FF6818D0000-0x00007FF681C21000-memory.dmp

Filesize
3.3MB

Download
memory/3988-222-0x00007FF6818D0000-0x00007FF681C21000-memory.dmp

Filesize
3.3MB

Download
memory/3988-137-0x00007FF6818D0000-0x00007FF681C21000-memory.dmp

Filesize
3.3MB

Download
memory/4008-256-0x00007FF6CC210000-0x00007FF6CC561000-memory.dmp

Filesize
3.3MB

Download
memory/4008-130-0x00007FF6CC210000-0x00007FF6CC561000-memory.dmp

Filesize
3.3MB

Download
memory/4104-132-0x00007FF6894E0000-0x00007FF689831000-memory.dmp

Filesize
3.3MB

Download
memory/4104-253-0x00007FF6894E0000-0x00007FF689831000-memory.dmp

Filesize
3.3MB

Download
memory/4680-120-0x00007FF76CF10000-0x00007FF76D261000-memory.dmp

Filesize
3.3MB

Download
memory/4680-240-0x00007FF76CF10000-0x00007FF76D261000-memory.dmp

Filesize
3.3MB

Download
memory/4680-142-0x00007FF76CF10000-0x00007FF76D261000-memory.dmp

Filesize
3.3MB

Download
memory/4816-259-0x00007FF6C6310000-0x00007FF6C6661000-memory.dmp

Filesize
3.3MB

Download
memory/4816-129-0x00007FF6C6310000-0x00007FF6C6661000-memory.dmp

Filesize
3.3MB

Download
memory/4868-125-0x00007FF721900000-0x00007FF721C51000-memory.dmp

Filesize
3.3MB

Download
memory/4868-245-0x00007FF721900000-0x00007FF721C51000-memory.dmp

Filesize
3.3MB

Download
memory/4872-135-0x00007FF6BB0E0000-0x00007FF6BB431000-memory.dmp

Filesize
3.3MB

Download
memory/4872-251-0x00007FF6BB0E0000-0x00007FF6BB431000-memory.dmp

Filesize
3.3MB

Download
memory/4912-55-0x00007FF7D0CF0000-0x00007FF7D1041000-memory.dmp

Filesize
3.3MB

Download
memory/4912-7-0x00007FF7D0CF0000-0x00007FF7D1041000-memory.dmp

Filesize
3.3MB

Download
memory/4912-201-0x00007FF7D0CF0000-0x00007FF7D1041000-memory.dmp

Filesize
3.3MB

Download