cobaltstrike | 9cb82f9e4b66bb0d2b6366ff484781b6a0c4fc31f0a6059172d36c98c558b2b5

Analysis

max time kernel
140s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 02:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-22_6a8338a74de8bdf1a6359a19d0255423_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

6a8338a74de8bdf1a6359a19d0255423
SHA1

7123bece008f50e5628716fb50caac822e8ad924
SHA256

9cb82f9e4b66bb0d2b6366ff484781b6a0c4fc31f0a6059172d36c98c558b2b5
SHA512

51dedfacc4dd83369006168888dbd5565eadc69f46bb6d0fabcf6f11241b23180273b5ea2d50762d8917d17b58b57387cd6cea722aab4d17edcdd02468d223bb
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lt:RWWBibf56utgpPFotBER/mQ32lUR

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000a000000023c07-4.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023caa-11.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cae-20.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb0-26.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb1-40.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb2-48.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb5-69.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb9-89.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbb-102.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbd-117.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbf-123.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbe-121.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbc-115.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cba-100.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023cab-91.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb6-84.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb7-76.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb8-67.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb4-64.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb3-54.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023caf-34.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 44 IoCs

miner

resource	yara_rule
behavioral2/memory/4600-125-0x00007FF72C270000-0x00007FF72C5C1000-memory.dmp	xmrig
behavioral2/memory/4840-127-0x00007FF6A16F0000-0x00007FF6A1A41000-memory.dmp	xmrig
behavioral2/memory/4248-126-0x00007FF764AD0000-0x00007FF764E21000-memory.dmp	xmrig
behavioral2/memory/4016-120-0x00007FF7660C0000-0x00007FF766411000-memory.dmp	xmrig
behavioral2/memory/4408-119-0x00007FF6A89E0000-0x00007FF6A8D31000-memory.dmp	xmrig
behavioral2/memory/4896-112-0x00007FF651D50000-0x00007FF6520A1000-memory.dmp	xmrig
behavioral2/memory/384-98-0x00007FF650B80000-0x00007FF650ED1000-memory.dmp	xmrig
behavioral2/memory/4576-96-0x00007FF6DA980000-0x00007FF6DACD1000-memory.dmp	xmrig
behavioral2/memory/3488-88-0x00007FF615BE0000-0x00007FF615F31000-memory.dmp	xmrig
behavioral2/memory/3784-87-0x00007FF73EEB0000-0x00007FF73F201000-memory.dmp	xmrig
behavioral2/memory/1580-83-0x00007FF6180C0000-0x00007FF618411000-memory.dmp	xmrig
behavioral2/memory/2012-60-0x00007FF7BD330000-0x00007FF7BD681000-memory.dmp	xmrig
behavioral2/memory/1268-36-0x00007FF7FB8E0000-0x00007FF7FBC31000-memory.dmp	xmrig
behavioral2/memory/1440-131-0x00007FF693F10000-0x00007FF694261000-memory.dmp	xmrig
behavioral2/memory/1696-132-0x00007FF6B0FE0000-0x00007FF6B1331000-memory.dmp	xmrig
behavioral2/memory/2648-135-0x00007FF711420000-0x00007FF711771000-memory.dmp	xmrig
behavioral2/memory/4888-146-0x00007FF63C200000-0x00007FF63C551000-memory.dmp	xmrig
behavioral2/memory/756-140-0x00007FF6AC090000-0x00007FF6AC3E1000-memory.dmp	xmrig
behavioral2/memory/4884-134-0x00007FF66F7A0000-0x00007FF66FAF1000-memory.dmp	xmrig
behavioral2/memory/1356-130-0x00007FF6A0C70000-0x00007FF6A0FC1000-memory.dmp	xmrig
behavioral2/memory/468-129-0x00007FF72B1C0000-0x00007FF72B511000-memory.dmp	xmrig
behavioral2/memory/2480-128-0x00007FF755180000-0x00007FF7554D1000-memory.dmp	xmrig
behavioral2/memory/2480-150-0x00007FF755180000-0x00007FF7554D1000-memory.dmp	xmrig
behavioral2/memory/468-199-0x00007FF72B1C0000-0x00007FF72B511000-memory.dmp	xmrig
behavioral2/memory/1356-216-0x00007FF6A0C70000-0x00007FF6A0FC1000-memory.dmp	xmrig
behavioral2/memory/1440-218-0x00007FF693F10000-0x00007FF694261000-memory.dmp	xmrig
behavioral2/memory/1268-220-0x00007FF7FB8E0000-0x00007FF7FBC31000-memory.dmp	xmrig
behavioral2/memory/1696-222-0x00007FF6B0FE0000-0x00007FF6B1331000-memory.dmp	xmrig
behavioral2/memory/2012-228-0x00007FF7BD330000-0x00007FF7BD681000-memory.dmp	xmrig
behavioral2/memory/2648-226-0x00007FF711420000-0x00007FF711771000-memory.dmp	xmrig
behavioral2/memory/4884-225-0x00007FF66F7A0000-0x00007FF66FAF1000-memory.dmp	xmrig
behavioral2/memory/1580-230-0x00007FF6180C0000-0x00007FF618411000-memory.dmp	xmrig
behavioral2/memory/4576-235-0x00007FF6DA980000-0x00007FF6DACD1000-memory.dmp	xmrig
behavioral2/memory/3488-238-0x00007FF615BE0000-0x00007FF615F31000-memory.dmp	xmrig
behavioral2/memory/3784-237-0x00007FF73EEB0000-0x00007FF73F201000-memory.dmp	xmrig
behavioral2/memory/756-233-0x00007FF6AC090000-0x00007FF6AC3E1000-memory.dmp	xmrig
behavioral2/memory/4840-251-0x00007FF6A16F0000-0x00007FF6A1A41000-memory.dmp	xmrig
behavioral2/memory/384-257-0x00007FF650B80000-0x00007FF650ED1000-memory.dmp	xmrig
behavioral2/memory/4016-255-0x00007FF7660C0000-0x00007FF766411000-memory.dmp	xmrig
behavioral2/memory/4896-254-0x00007FF651D50000-0x00007FF6520A1000-memory.dmp	xmrig
behavioral2/memory/4248-250-0x00007FF764AD0000-0x00007FF764E21000-memory.dmp	xmrig
behavioral2/memory/4408-247-0x00007FF6A89E0000-0x00007FF6A8D31000-memory.dmp	xmrig
behavioral2/memory/4888-245-0x00007FF63C200000-0x00007FF63C551000-memory.dmp	xmrig
behavioral2/memory/4600-244-0x00007FF72C270000-0x00007FF72C5C1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
468	uwQIwyS.exe
1356	PKgEiZj.exe
1440	uOUlFWd.exe
1696	HQdcYGf.exe
1268	AiLkyLt.exe
2648	KUTCfNp.exe
4884	NDnEPeT.exe
2012	cqBCGlP.exe
1580	qkIVKIq.exe
3784	jBKyjRn.exe
3488	wNkbfZZ.exe
756	KOtkmvK.exe
4576	LPUpeUQ.exe
4896	HFfwLwU.exe
384	wpGWIlU.exe
4408	ZsmbQOn.exe
4016	ENnIhHG.exe
4888	aCFPrEW.exe
4600	ieuQTGr.exe
4840	szejfCl.exe
4248	mVlcOSw.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2480-0-0x00007FF755180000-0x00007FF7554D1000-memory.dmp	upx
behavioral2/files/0x000a000000023c07-4.dat	upx
behavioral2/files/0x0008000000023caa-11.dat	upx
behavioral2/memory/468-12-0x00007FF72B1C0000-0x00007FF72B511000-memory.dmp	upx
behavioral2/files/0x0007000000023cae-20.dat	upx
behavioral2/files/0x0007000000023cb0-26.dat	upx
behavioral2/files/0x0007000000023cb1-40.dat	upx
behavioral2/files/0x0007000000023cb2-48.dat	upx
behavioral2/files/0x0007000000023cb5-69.dat	upx
behavioral2/files/0x0007000000023cb9-89.dat	upx
behavioral2/files/0x0007000000023cbb-102.dat	upx
behavioral2/memory/4888-108-0x00007FF63C200000-0x00007FF63C551000-memory.dmp	upx
behavioral2/files/0x0007000000023cbd-117.dat	upx
behavioral2/memory/4600-125-0x00007FF72C270000-0x00007FF72C5C1000-memory.dmp	upx
behavioral2/memory/4840-127-0x00007FF6A16F0000-0x00007FF6A1A41000-memory.dmp	upx
behavioral2/memory/4248-126-0x00007FF764AD0000-0x00007FF764E21000-memory.dmp	upx
behavioral2/files/0x0007000000023cbf-123.dat	upx
behavioral2/files/0x0007000000023cbe-121.dat	upx
behavioral2/memory/4016-120-0x00007FF7660C0000-0x00007FF766411000-memory.dmp	upx
behavioral2/memory/4408-119-0x00007FF6A89E0000-0x00007FF6A8D31000-memory.dmp	upx
behavioral2/files/0x0007000000023cbc-115.dat	upx
behavioral2/memory/4896-112-0x00007FF651D50000-0x00007FF6520A1000-memory.dmp	upx
behavioral2/files/0x0007000000023cba-100.dat	upx
behavioral2/memory/384-98-0x00007FF650B80000-0x00007FF650ED1000-memory.dmp	upx
behavioral2/memory/4576-96-0x00007FF6DA980000-0x00007FF6DACD1000-memory.dmp	upx
behavioral2/files/0x0008000000023cab-91.dat	upx
behavioral2/memory/3488-88-0x00007FF615BE0000-0x00007FF615F31000-memory.dmp	upx
behavioral2/memory/3784-87-0x00007FF73EEB0000-0x00007FF73F201000-memory.dmp	upx
behavioral2/files/0x0007000000023cb6-84.dat	upx
behavioral2/memory/1580-83-0x00007FF6180C0000-0x00007FF618411000-memory.dmp	upx
behavioral2/files/0x0007000000023cb7-76.dat	upx
behavioral2/memory/756-68-0x00007FF6AC090000-0x00007FF6AC3E1000-memory.dmp	upx
behavioral2/files/0x0007000000023cb8-67.dat	upx
behavioral2/files/0x0007000000023cb4-64.dat	upx
behavioral2/memory/2012-60-0x00007FF7BD330000-0x00007FF7BD681000-memory.dmp	upx
behavioral2/memory/4884-58-0x00007FF66F7A0000-0x00007FF66FAF1000-memory.dmp	upx
behavioral2/files/0x0007000000023cb3-54.dat	upx
behavioral2/memory/2648-43-0x00007FF711420000-0x00007FF711771000-memory.dmp	upx
behavioral2/memory/1268-36-0x00007FF7FB8E0000-0x00007FF7FBC31000-memory.dmp	upx
behavioral2/files/0x0007000000023caf-34.dat	upx
behavioral2/memory/1696-27-0x00007FF6B0FE0000-0x00007FF6B1331000-memory.dmp	upx
behavioral2/memory/1440-25-0x00007FF693F10000-0x00007FF694261000-memory.dmp	upx
behavioral2/memory/1356-19-0x00007FF6A0C70000-0x00007FF6A0FC1000-memory.dmp	upx
behavioral2/memory/1440-131-0x00007FF693F10000-0x00007FF694261000-memory.dmp	upx
behavioral2/memory/1696-132-0x00007FF6B0FE0000-0x00007FF6B1331000-memory.dmp	upx
behavioral2/memory/2648-135-0x00007FF711420000-0x00007FF711771000-memory.dmp	upx
behavioral2/memory/4888-146-0x00007FF63C200000-0x00007FF63C551000-memory.dmp	upx
behavioral2/memory/756-140-0x00007FF6AC090000-0x00007FF6AC3E1000-memory.dmp	upx
behavioral2/memory/4884-134-0x00007FF66F7A0000-0x00007FF66FAF1000-memory.dmp	upx
behavioral2/memory/1356-130-0x00007FF6A0C70000-0x00007FF6A0FC1000-memory.dmp	upx
behavioral2/memory/468-129-0x00007FF72B1C0000-0x00007FF72B511000-memory.dmp	upx
behavioral2/memory/2480-128-0x00007FF755180000-0x00007FF7554D1000-memory.dmp	upx
behavioral2/memory/2480-150-0x00007FF755180000-0x00007FF7554D1000-memory.dmp	upx
behavioral2/memory/468-199-0x00007FF72B1C0000-0x00007FF72B511000-memory.dmp	upx
behavioral2/memory/1356-216-0x00007FF6A0C70000-0x00007FF6A0FC1000-memory.dmp	upx
behavioral2/memory/1440-218-0x00007FF693F10000-0x00007FF694261000-memory.dmp	upx
behavioral2/memory/1268-220-0x00007FF7FB8E0000-0x00007FF7FBC31000-memory.dmp	upx
behavioral2/memory/1696-222-0x00007FF6B0FE0000-0x00007FF6B1331000-memory.dmp	upx
behavioral2/memory/2012-228-0x00007FF7BD330000-0x00007FF7BD681000-memory.dmp	upx
behavioral2/memory/2648-226-0x00007FF711420000-0x00007FF711771000-memory.dmp	upx
behavioral2/memory/4884-225-0x00007FF66F7A0000-0x00007FF66FAF1000-memory.dmp	upx
behavioral2/memory/1580-230-0x00007FF6180C0000-0x00007FF618411000-memory.dmp	upx
behavioral2/memory/4576-235-0x00007FF6DA980000-0x00007FF6DACD1000-memory.dmp	upx
behavioral2/memory/3488-238-0x00007FF615BE0000-0x00007FF615F31000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\uOUlFWd.exe	2024-12-22_6a8338a74de8bdf1a6359a19d0255423_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HQdcYGf.exe	2024-12-22_6a8338a74de8bdf1a6359a19d0255423_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wNkbfZZ.exe	2024-12-22_6a8338a74de8bdf1a6359a19d0255423_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZsmbQOn.exe	2024-12-22_6a8338a74de8bdf1a6359a19d0255423_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uwQIwyS.exe	2024-12-22_6a8338a74de8bdf1a6359a19d0255423_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PKgEiZj.exe	2024-12-22_6a8338a74de8bdf1a6359a19d0255423_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AiLkyLt.exe	2024-12-22_6a8338a74de8bdf1a6359a19d0255423_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NDnEPeT.exe	2024-12-22_6a8338a74de8bdf1a6359a19d0255423_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cqBCGlP.exe	2024-12-22_6a8338a74de8bdf1a6359a19d0255423_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jBKyjRn.exe	2024-12-22_6a8338a74de8bdf1a6359a19d0255423_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KOtkmvK.exe	2024-12-22_6a8338a74de8bdf1a6359a19d0255423_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ENnIhHG.exe	2024-12-22_6a8338a74de8bdf1a6359a19d0255423_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mVlcOSw.exe	2024-12-22_6a8338a74de8bdf1a6359a19d0255423_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KUTCfNp.exe	2024-12-22_6a8338a74de8bdf1a6359a19d0255423_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HFfwLwU.exe	2024-12-22_6a8338a74de8bdf1a6359a19d0255423_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qkIVKIq.exe	2024-12-22_6a8338a74de8bdf1a6359a19d0255423_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LPUpeUQ.exe	2024-12-22_6a8338a74de8bdf1a6359a19d0255423_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wpGWIlU.exe	2024-12-22_6a8338a74de8bdf1a6359a19d0255423_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aCFPrEW.exe	2024-12-22_6a8338a74de8bdf1a6359a19d0255423_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ieuQTGr.exe	2024-12-22_6a8338a74de8bdf1a6359a19d0255423_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\szejfCl.exe	2024-12-22_6a8338a74de8bdf1a6359a19d0255423_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2480	2024-12-22_6a8338a74de8bdf1a6359a19d0255423_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2480	2024-12-22_6a8338a74de8bdf1a6359a19d0255423_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2480 wrote to memory of 468	2480	2024-12-22_6a8338a74de8bdf1a6359a19d0255423_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2480 wrote to memory of 468	2480	2024-12-22_6a8338a74de8bdf1a6359a19d0255423_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2480 wrote to memory of 1356	2480	2024-12-22_6a8338a74de8bdf1a6359a19d0255423_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2480 wrote to memory of 1356	2480	2024-12-22_6a8338a74de8bdf1a6359a19d0255423_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2480 wrote to memory of 1440	2480	2024-12-22_6a8338a74de8bdf1a6359a19d0255423_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2480 wrote to memory of 1440	2480	2024-12-22_6a8338a74de8bdf1a6359a19d0255423_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2480 wrote to memory of 1696	2480	2024-12-22_6a8338a74de8bdf1a6359a19d0255423_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2480 wrote to memory of 1696	2480	2024-12-22_6a8338a74de8bdf1a6359a19d0255423_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2480 wrote to memory of 1268	2480	2024-12-22_6a8338a74de8bdf1a6359a19d0255423_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2480 wrote to memory of 1268	2480	2024-12-22_6a8338a74de8bdf1a6359a19d0255423_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2480 wrote to memory of 4884	2480	2024-12-22_6a8338a74de8bdf1a6359a19d0255423_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2480 wrote to memory of 4884	2480	2024-12-22_6a8338a74de8bdf1a6359a19d0255423_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2480 wrote to memory of 2648	2480	2024-12-22_6a8338a74de8bdf1a6359a19d0255423_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2480 wrote to memory of 2648	2480	2024-12-22_6a8338a74de8bdf1a6359a19d0255423_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2480 wrote to memory of 2012	2480	2024-12-22_6a8338a74de8bdf1a6359a19d0255423_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2480 wrote to memory of 2012	2480	2024-12-22_6a8338a74de8bdf1a6359a19d0255423_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2480 wrote to memory of 1580	2480	2024-12-22_6a8338a74de8bdf1a6359a19d0255423_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2480 wrote to memory of 1580	2480	2024-12-22_6a8338a74de8bdf1a6359a19d0255423_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2480 wrote to memory of 3784	2480	2024-12-22_6a8338a74de8bdf1a6359a19d0255423_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2480 wrote to memory of 3784	2480	2024-12-22_6a8338a74de8bdf1a6359a19d0255423_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2480 wrote to memory of 3488	2480	2024-12-22_6a8338a74de8bdf1a6359a19d0255423_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2480 wrote to memory of 3488	2480	2024-12-22_6a8338a74de8bdf1a6359a19d0255423_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2480 wrote to memory of 756	2480	2024-12-22_6a8338a74de8bdf1a6359a19d0255423_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2480 wrote to memory of 756	2480	2024-12-22_6a8338a74de8bdf1a6359a19d0255423_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2480 wrote to memory of 4576	2480	2024-12-22_6a8338a74de8bdf1a6359a19d0255423_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2480 wrote to memory of 4576	2480	2024-12-22_6a8338a74de8bdf1a6359a19d0255423_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2480 wrote to memory of 4896	2480	2024-12-22_6a8338a74de8bdf1a6359a19d0255423_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2480 wrote to memory of 4896	2480	2024-12-22_6a8338a74de8bdf1a6359a19d0255423_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2480 wrote to memory of 384	2480	2024-12-22_6a8338a74de8bdf1a6359a19d0255423_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2480 wrote to memory of 384	2480	2024-12-22_6a8338a74de8bdf1a6359a19d0255423_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2480 wrote to memory of 4408	2480	2024-12-22_6a8338a74de8bdf1a6359a19d0255423_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2480 wrote to memory of 4408	2480	2024-12-22_6a8338a74de8bdf1a6359a19d0255423_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2480 wrote to memory of 4016	2480	2024-12-22_6a8338a74de8bdf1a6359a19d0255423_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2480 wrote to memory of 4016	2480	2024-12-22_6a8338a74de8bdf1a6359a19d0255423_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2480 wrote to memory of 4888	2480	2024-12-22_6a8338a74de8bdf1a6359a19d0255423_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2480 wrote to memory of 4888	2480	2024-12-22_6a8338a74de8bdf1a6359a19d0255423_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2480 wrote to memory of 4600	2480	2024-12-22_6a8338a74de8bdf1a6359a19d0255423_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2480 wrote to memory of 4600	2480	2024-12-22_6a8338a74de8bdf1a6359a19d0255423_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2480 wrote to memory of 4840	2480	2024-12-22_6a8338a74de8bdf1a6359a19d0255423_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2480 wrote to memory of 4840	2480	2024-12-22_6a8338a74de8bdf1a6359a19d0255423_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2480 wrote to memory of 4248	2480	2024-12-22_6a8338a74de8bdf1a6359a19d0255423_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 2480 wrote to memory of 4248	2480	2024-12-22_6a8338a74de8bdf1a6359a19d0255423_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-12-22_6a8338a74de8bdf1a6359a19d0255423_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-22_6a8338a74de8bdf1a6359a19d0255423_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2480
- C:\Windows\System\uwQIwyS.exe
  C:\Windows\System\uwQIwyS.exe
  2⤵
  - Executes dropped EXE
  PID:468
- C:\Windows\System\PKgEiZj.exe
  C:\Windows\System\PKgEiZj.exe
  2⤵
  - Executes dropped EXE
  PID:1356
- C:\Windows\System\uOUlFWd.exe
  C:\Windows\System\uOUlFWd.exe
  2⤵
  - Executes dropped EXE
  PID:1440
- C:\Windows\System\HQdcYGf.exe
  C:\Windows\System\HQdcYGf.exe
  2⤵
  - Executes dropped EXE
  PID:1696
- C:\Windows\System\AiLkyLt.exe
  C:\Windows\System\AiLkyLt.exe
  2⤵
  - Executes dropped EXE
  PID:1268
- C:\Windows\System\NDnEPeT.exe
  C:\Windows\System\NDnEPeT.exe
  2⤵
  - Executes dropped EXE
  PID:4884
- C:\Windows\System\KUTCfNp.exe
  C:\Windows\System\KUTCfNp.exe
  2⤵
  - Executes dropped EXE
  PID:2648
- C:\Windows\System\cqBCGlP.exe
  C:\Windows\System\cqBCGlP.exe
  2⤵
  - Executes dropped EXE
  PID:2012
- C:\Windows\System\qkIVKIq.exe
  C:\Windows\System\qkIVKIq.exe
  2⤵
  - Executes dropped EXE
  PID:1580
- C:\Windows\System\jBKyjRn.exe
  C:\Windows\System\jBKyjRn.exe
  2⤵
  - Executes dropped EXE
  PID:3784
- C:\Windows\System\wNkbfZZ.exe
  C:\Windows\System\wNkbfZZ.exe
  2⤵
  - Executes dropped EXE
  PID:3488
- C:\Windows\System\KOtkmvK.exe
  C:\Windows\System\KOtkmvK.exe
  2⤵
  - Executes dropped EXE
  PID:756
- C:\Windows\System\LPUpeUQ.exe
  C:\Windows\System\LPUpeUQ.exe
  2⤵
  - Executes dropped EXE
  PID:4576
- C:\Windows\System\HFfwLwU.exe
  C:\Windows\System\HFfwLwU.exe
  2⤵
  - Executes dropped EXE
  PID:4896
- C:\Windows\System\wpGWIlU.exe
  C:\Windows\System\wpGWIlU.exe
  2⤵
  - Executes dropped EXE
  PID:384
- C:\Windows\System\ZsmbQOn.exe
  C:\Windows\System\ZsmbQOn.exe
  2⤵
  - Executes dropped EXE
  PID:4408
- C:\Windows\System\ENnIhHG.exe
  C:\Windows\System\ENnIhHG.exe
  2⤵
  - Executes dropped EXE
  PID:4016
- C:\Windows\System\aCFPrEW.exe
  C:\Windows\System\aCFPrEW.exe
  2⤵
  - Executes dropped EXE
  PID:4888
- C:\Windows\System\ieuQTGr.exe
  C:\Windows\System\ieuQTGr.exe
  2⤵
  - Executes dropped EXE
  PID:4600
- C:\Windows\System\szejfCl.exe
  C:\Windows\System\szejfCl.exe
  2⤵
  - Executes dropped EXE
  PID:4840
- C:\Windows\System\mVlcOSw.exe
  C:\Windows\System\mVlcOSw.exe
  2⤵
  - Executes dropped EXE
  PID:4248

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AiLkyLt.exe

Filesize
5.2MB

MD5
bd46a77c70b9110ff44c496bad07ee9c

SHA1
b2224f04a9c8199f8d4f22cede5f90a8b0ea05f3

SHA256
42e717ca0da8064533aaaca239889fe86cd107c7ad6d09f5f60b59c27783168d

SHA512
0e06e8795660814528d8f7b87f74fa2a936b0dd7d9f59ab70cb0adf8caac3ac895d48b7dfd4389b2acf499de39573963699f1aee6448382e36ad790d7a692ae7

Download Submit
C:\Windows\System\ENnIhHG.exe

Filesize
5.2MB

MD5
21de69c2d48245066ef42ea2af2acb28

SHA1
f024e9dad9987887f52be23fe23778d84f72a4c1

SHA256
a4c5a0d247682c4421847922224e33ab45c833d443d015f43818848a7329f51d

SHA512
05369c5751dab45899fc7d7b088d932d816c699040c5891ac25e91017078b2f77e5e9246a132e3bbc7526f5ea16754d87453bbaf6a7d818536ddb50a8aa21b9a

Download Submit
C:\Windows\System\HFfwLwU.exe

Filesize
5.2MB

MD5
8cf1c7d99b552c7cadedbf2c6464cfde

SHA1
d8242f95d5a8210b6dbc0d267fb6cbb6ef5582c0

SHA256
fc2616899b673e64a26530226463837f2c4046acb8640c49c9c7c09ca3bbcfaa

SHA512
d942f5a6009c14a64c689f38e79a1c8f76fa042ce3cbda8b389141c6678cbadb05b4ced11558f3bad741219c3b81260c87e32cba221b691efe7e3d36a17ed90d

Download Submit
C:\Windows\System\HQdcYGf.exe

Filesize
5.2MB

MD5
cf9041250089f0db6fbc39751b02cb07

SHA1
79da02141520b2334863790472b5760b1b1343c9

SHA256
6879eee5c04fbaf213d8dc4dfda69d414f9851c9654e1f08d5a41322a7c57673

SHA512
9dca5d0f4795548f157e29ee7357922d76ceede00df969bb8cd01ff23d9d4dccadb965e97e0d7a10dc57b683e7f198180d2b2c845a2b481f0961b11eaa3187d2

Download Submit
C:\Windows\System\KOtkmvK.exe

Filesize
5.2MB

MD5
c3b2829019033e64a704c1e2fd9d056b

SHA1
3bd7fdca345c62823663e2f3d5b93d75dc2fb7ee

SHA256
90d079971546c6e71a4d7bdde0f5176ca3b786dc839b5f726c039fbfc07f6227

SHA512
4986185f7af9cfe20096ce6e4905f984e3ff652239873aeebcea06b5d324d02d1e1e57d8fbcfcc2a5dee41f4034bd47be425d062a53701b8a159090950535fe0

Download Submit
C:\Windows\System\KUTCfNp.exe

Filesize
5.2MB

MD5
92ea3b1a319acfdbbf94321bd6255436

SHA1
af203abc867e9c2cae24421b7aaf9383e6b494e1

SHA256
73f3696a790f70102ebd16df070aaf6676f741437220aab654243ec4fcfbc2e0

SHA512
69f7a3a1a238320a8d2e1e9955722064bd8a2a02236a1a2819291f3a1f231af6c498b73a2a66dc244b5b6e31d7d3e573fbc56a4ea318910f9a96e286cf953c4c

Download Submit
C:\Windows\System\LPUpeUQ.exe

Filesize
5.2MB

MD5
86c029f46c05d30230303e0e2c6bbcc1

SHA1
94cdee29e982788b9a14126364f856d0d74360f1

SHA256
2b6649039fa9f0e8b51e373eb50af38f2dd6440116d4b7149ca5c9a422f77067

SHA512
bf6aed73b1a9fecb4bad150e361e8ce1b29003e38ff67787f90f11c108de0cd5990f994bb9f3b6a494ab94ccb8a8ab50106e8f9bd75943c7ae8d4ba90e3a7d4c

Download Submit
C:\Windows\System\NDnEPeT.exe

Filesize
5.2MB

MD5
579bdee8bc60b7a012cbd1a30103f5cc

SHA1
5ba18205ac54a66d1b598c6a03ee83c1ea908ab7

SHA256
7eb247914326114a58189584ee791db1253851d8a67675885878f1aeda93e9d1

SHA512
ac1b92b0cf428ded3bbb98849edb8ed6304ebcc806c18c19809d461f4e4190af2ff31b7ed2e7c71cd539aa203810b7213b995539c26591e1667b29b12722c2d8

Download Submit
C:\Windows\System\PKgEiZj.exe

Filesize
5.2MB

MD5
484e33f676cc0baefc31bdc0b523284a

SHA1
f4fb6b1c2331da54c301e64d1da1e52df775f77c

SHA256
e684f26b05ee4311387e32bd21ae6dcd46117b2be8c2e6c261afb954ad48d914

SHA512
c4b8ed1761892ffdc4cebc871280889eb14a76b8d9dbdcdf245b6de24eb7faaa95570b5627675be16a11f2c0178b40226cf2d3921b8f4fca711ec732ad4acc7e

Download Submit
C:\Windows\System\ZsmbQOn.exe

Filesize
5.2MB

MD5
3716c2eef54dde712107a4ad5e048324

SHA1
badea2bb5b4b143c183ba272225126362255036b

SHA256
3e4e583fa151051328696e70fce973eb0e9c638f15a2f2351a3ec9a39865a046

SHA512
b60b99c392ea5b32971b41f76a9c5882282699818f4477a585dbf75028781d65e70906d5e9e7877a840c89338cbd721c0184c171f3dfcf877120786eaac0bf7b

Download Submit
C:\Windows\System\aCFPrEW.exe

Filesize
5.2MB

MD5
3466a85db5ba070be83af43610a6e436

SHA1
d6137c1e31e20218af926bd56658f72da3d6f370

SHA256
1849583fce4664796c06a091abf8f4e8f8ce3aa5d40df4aef8b6d13995ac867d

SHA512
a049ce32f96e51ace921a57eeb8d148e68b5407d783ab5d4224c1fab2a078abfddcc19ece59df0f58dd895ec80573194888c5050c443c21159fa3880bb8adc7a

Download Submit
C:\Windows\System\cqBCGlP.exe

Filesize
5.2MB

MD5
137851f4d262b6028d6ad6a94b2ea18d

SHA1
fd68c48656037b9179802c8e01fe53cabe99de68

SHA256
308cf856675abd082e987ecdea53dc61ccc3974a00ab3b5a4bab45a55068fac4

SHA512
c5abf3c486bdf6e4d68e10dd4da99dab58a93401b1ad2d26bf02a96ee40fd2b6caeee4b62fe6d30baa8efc77f5113bb0cd1e887c42be85af07a3a6ab2dbfe5de

Download Submit
C:\Windows\System\ieuQTGr.exe

Filesize
5.2MB

MD5
b547eb015fff6e0c4f3fdf883a53595a

SHA1
def6dbdb9976cd8ddbdaa40fb4004b874121696b

SHA256
836cdbe05256680b017e85c3102958d7d98b3355ceeb17e655093be620117e75

SHA512
0d2a95bcb3444e514e79081bf9fe996537eeb86b26b32f5c503fded444d67908d68f9ccd07566afd8be6e504880565f4f7f188382541c5025712e0dbdfde2e54

Download Submit
C:\Windows\System\jBKyjRn.exe

Filesize
5.2MB

MD5
0b1c1926df539df42c32296e9c5bcb50

SHA1
0d57b5f38005d2bd6cd32cac49c09bb93e556089

SHA256
4ec2eff7bdd357010b42ad4a01207a2de023ad9f9f402f30b513513d20ee401c

SHA512
795497d9209fb7a413b35d4840b3f91965c4519c17104b9856b71332cb16cdca2c06662adef14ee1957fce575f9f4e979b911b0649a7efdb3233ea37e065b301

Download Submit
C:\Windows\System\mVlcOSw.exe

Filesize
5.2MB

MD5
c64db773c04e3b2dd144b37b323c4bff

SHA1
b3e702f3b960eecbc498e995a0462bf2d5f810c2

SHA256
b8b2572eff79d2d4732381e9f31e19ef2fc7a025531c48f74440bce66dcf29a5

SHA512
8357ea0d56a912541e813b3406a62562d437aba5a977e04c1bf0c99abb0478e73b3102b9fb6007e4b580773e8e77af1e082a9bfcf513ff44a569c0e12bec1e24

Download Submit
C:\Windows\System\qkIVKIq.exe

Filesize
5.2MB

MD5
08b2695cce9dd6bb4c7b4671d4218997

SHA1
0f463286140ee643aa99daaddc9fbc5f47547842

SHA256
0aacab3cabaea0b3b02b1aa9084ddefed080d9dcf65500a25f6e4f2f57033886

SHA512
c0cbe1af86799beabd7c67fbd2040cf07728e5acefaf3a747b284cb320b04c0654c17ce866851939d3b038ba9f6b52902c32a798e4ab55b0b820fa542f13d63b

Download Submit
C:\Windows\System\szejfCl.exe

Filesize
5.2MB

MD5
c51cd0c17d8734a273dfab6ce57a0b38

SHA1
cc81714f30be1d27d6a6a8dc59bec74b34753584

SHA256
9256d90abedec2777772de9ab352db957e3c6dacb35c2f8e388c1ec95815df70

SHA512
f300b44be7e7c1bcb6dd432145be291246308a5a0ef9450d97cfd800be14ce23f116f56b648da440093b420c1493bd4b21117768b9d9bd1650b84a970c0a620a

Download Submit
C:\Windows\System\uOUlFWd.exe

Filesize
5.2MB

MD5
ed3090beb320cd5dd25cb02667c27459

SHA1
053b04ab5f323f3637bdef73c7dfb7ed65ba1763

SHA256
d6542dd04eb635eaae2a2820eb940d2746c1fa968d828d3e570a715922bb3920

SHA512
fe7ba9f1ae89231bde5bd2505d9db6310f5eaf52fce7f2cdab758ebab0cbb177f18ebee6161046b4efc19e554cd66b405dac09c4d35cab7193b8f492f6dc6443

Download Submit
C:\Windows\System\uwQIwyS.exe

Filesize
5.2MB

MD5
0fffc55e4b3a1a432578c98537d6de7d

SHA1
3d4be425c5d3612afe965e3ca9355f6a87a66834

SHA256
944ae4bf1896cbcab030320cfab3901c611ab5e939dbb6782b56f8284fc277c1

SHA512
891124ddfab0403f5f5415be1274c47c54198c5cafa9a953bffd0848149d221a8ea048fd5115b7bfbec1073ffdf2613a3b9d27560b08587bfacd943905961bdb

Download Submit
C:\Windows\System\wNkbfZZ.exe

Filesize
5.2MB

MD5
1588e358573b4f030c65783ff8367441

SHA1
ddfaf304f3523260f2acc0c4a7dd1184121cf05e

SHA256
0dad7b5ec1c1265038730561bc9e47258c3831e0f769e8213e09d5d542b6fb6e

SHA512
ced60c6e9df430febce29a378fc30070456e08ebfcfb659923baa11a967d53fd81814fc069891518ee2885f8c907b16de0e1b5ad024bf42d364bffb17d9b99b8

Download Submit
C:\Windows\System\wpGWIlU.exe

Filesize
5.2MB

MD5
9c35da0ab444b8fe94373dcd7defa0f1

SHA1
399d025616116b29872bd106890232ddcfe14532

SHA256
b71771863d47fd59c58e6698e476a77cbc04225c4ff160a662779c97049b170b

SHA512
9afffba1bcf26511bd3469fd5e03b274ca2dfa06c0e30e42f37c864214da278cbccb467fc467494708afa2330c9da327f60d69c4f87885dc266a4a181b5fea4f

Download Submit
memory/384-257-0x00007FF650B80000-0x00007FF650ED1000-memory.dmp

Filesize
3.3MB

Download
memory/384-98-0x00007FF650B80000-0x00007FF650ED1000-memory.dmp

Filesize
3.3MB

Download
memory/468-129-0x00007FF72B1C0000-0x00007FF72B511000-memory.dmp

Filesize
3.3MB

Download
memory/468-12-0x00007FF72B1C0000-0x00007FF72B511000-memory.dmp

Filesize
3.3MB

Download
memory/468-199-0x00007FF72B1C0000-0x00007FF72B511000-memory.dmp

Filesize
3.3MB

Download
memory/756-140-0x00007FF6AC090000-0x00007FF6AC3E1000-memory.dmp

Filesize
3.3MB

Download
memory/756-233-0x00007FF6AC090000-0x00007FF6AC3E1000-memory.dmp

Filesize
3.3MB

Download
memory/756-68-0x00007FF6AC090000-0x00007FF6AC3E1000-memory.dmp

Filesize
3.3MB

Download
memory/1268-36-0x00007FF7FB8E0000-0x00007FF7FBC31000-memory.dmp

Filesize
3.3MB

Download
memory/1268-220-0x00007FF7FB8E0000-0x00007FF7FBC31000-memory.dmp

Filesize
3.3MB

Download
memory/1356-216-0x00007FF6A0C70000-0x00007FF6A0FC1000-memory.dmp

Filesize
3.3MB

Download
memory/1356-130-0x00007FF6A0C70000-0x00007FF6A0FC1000-memory.dmp

Filesize
3.3MB

Download
memory/1356-19-0x00007FF6A0C70000-0x00007FF6A0FC1000-memory.dmp

Filesize
3.3MB

Download
memory/1440-25-0x00007FF693F10000-0x00007FF694261000-memory.dmp

Filesize
3.3MB

Download
memory/1440-218-0x00007FF693F10000-0x00007FF694261000-memory.dmp

Filesize
3.3MB

Download
memory/1440-131-0x00007FF693F10000-0x00007FF694261000-memory.dmp

Filesize
3.3MB

Download
memory/1580-230-0x00007FF6180C0000-0x00007FF618411000-memory.dmp

Filesize
3.3MB

Download
memory/1580-83-0x00007FF6180C0000-0x00007FF618411000-memory.dmp

Filesize
3.3MB

Download
memory/1696-222-0x00007FF6B0FE0000-0x00007FF6B1331000-memory.dmp

Filesize
3.3MB

Download
memory/1696-132-0x00007FF6B0FE0000-0x00007FF6B1331000-memory.dmp

Filesize
3.3MB

Download
memory/1696-27-0x00007FF6B0FE0000-0x00007FF6B1331000-memory.dmp

Filesize
3.3MB

Download
memory/2012-60-0x00007FF7BD330000-0x00007FF7BD681000-memory.dmp

Filesize
3.3MB

Download
memory/2012-228-0x00007FF7BD330000-0x00007FF7BD681000-memory.dmp

Filesize
3.3MB

Download
memory/2480-150-0x00007FF755180000-0x00007FF7554D1000-memory.dmp

Filesize
3.3MB

Download
memory/2480-1-0x00000218C5C00000-0x00000218C5C10000-memory.dmp

Filesize
64KB

Download
memory/2480-0-0x00007FF755180000-0x00007FF7554D1000-memory.dmp

Filesize
3.3MB

Download
memory/2480-128-0x00007FF755180000-0x00007FF7554D1000-memory.dmp

Filesize
3.3MB

Download
memory/2648-43-0x00007FF711420000-0x00007FF711771000-memory.dmp

Filesize
3.3MB

Download
memory/2648-135-0x00007FF711420000-0x00007FF711771000-memory.dmp

Filesize
3.3MB

Download
memory/2648-226-0x00007FF711420000-0x00007FF711771000-memory.dmp

Filesize
3.3MB

Download
memory/3488-238-0x00007FF615BE0000-0x00007FF615F31000-memory.dmp

Filesize
3.3MB

Download
memory/3488-88-0x00007FF615BE0000-0x00007FF615F31000-memory.dmp

Filesize
3.3MB

Download
memory/3784-237-0x00007FF73EEB0000-0x00007FF73F201000-memory.dmp

Filesize
3.3MB

Download
memory/3784-87-0x00007FF73EEB0000-0x00007FF73F201000-memory.dmp

Filesize
3.3MB

Download
memory/4016-255-0x00007FF7660C0000-0x00007FF766411000-memory.dmp

Filesize
3.3MB

Download
memory/4016-120-0x00007FF7660C0000-0x00007FF766411000-memory.dmp

Filesize
3.3MB

Download
memory/4248-250-0x00007FF764AD0000-0x00007FF764E21000-memory.dmp

Filesize
3.3MB

Download
memory/4248-126-0x00007FF764AD0000-0x00007FF764E21000-memory.dmp

Filesize
3.3MB

Download
memory/4408-119-0x00007FF6A89E0000-0x00007FF6A8D31000-memory.dmp

Filesize
3.3MB

Download
memory/4408-247-0x00007FF6A89E0000-0x00007FF6A8D31000-memory.dmp

Filesize
3.3MB

Download
memory/4576-235-0x00007FF6DA980000-0x00007FF6DACD1000-memory.dmp

Filesize
3.3MB

Download
memory/4576-96-0x00007FF6DA980000-0x00007FF6DACD1000-memory.dmp

Filesize
3.3MB

Download
memory/4600-125-0x00007FF72C270000-0x00007FF72C5C1000-memory.dmp

Filesize
3.3MB

Download
memory/4600-244-0x00007FF72C270000-0x00007FF72C5C1000-memory.dmp

Filesize
3.3MB

Download
memory/4840-251-0x00007FF6A16F0000-0x00007FF6A1A41000-memory.dmp

Filesize
3.3MB

Download
memory/4840-127-0x00007FF6A16F0000-0x00007FF6A1A41000-memory.dmp

Filesize
3.3MB

Download
memory/4884-134-0x00007FF66F7A0000-0x00007FF66FAF1000-memory.dmp

Filesize
3.3MB

Download
memory/4884-225-0x00007FF66F7A0000-0x00007FF66FAF1000-memory.dmp

Filesize
3.3MB

Download
memory/4884-58-0x00007FF66F7A0000-0x00007FF66FAF1000-memory.dmp

Filesize
3.3MB

Download
memory/4888-146-0x00007FF63C200000-0x00007FF63C551000-memory.dmp

Filesize
3.3MB

Download
memory/4888-245-0x00007FF63C200000-0x00007FF63C551000-memory.dmp

Filesize
3.3MB

Download
memory/4888-108-0x00007FF63C200000-0x00007FF63C551000-memory.dmp

Filesize
3.3MB

Download
memory/4896-254-0x00007FF651D50000-0x00007FF6520A1000-memory.dmp

Filesize
3.3MB

Download
memory/4896-112-0x00007FF651D50000-0x00007FF6520A1000-memory.dmp

Filesize
3.3MB

Download