cobaltstrike | 28e326c14bb04323f229b845acfe225be043a8ab535b5469afdfb3c65e1eac54

Analysis

max time kernel
142s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 02:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

2bcd0bb42dda88160e4dcfe1f1550a01
SHA1

6ecbf2711a10a801779cab160730c8f34eed796a
SHA256

28e326c14bb04323f229b845acfe225be043a8ab535b5469afdfb3c65e1eac54
SHA512

d89c0ff2591f1ac7b9f91cc187d09ed09beb4c9d614dea794083a281e9638189a138fff2cd8fb63736c4bf266fe5e42368b6c4b72760b0e0bf1c3e5bfc24e281
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l0:RWWBibf56utgpPFotBER/mQ32lUo

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000a000000023b9c-22.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9e-31.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba1-47.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9d-45.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba0-41.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9f-33.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9b-37.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9a-17.dat	cobalt_reflective_dll
behavioral2/files/0x000c000000023b38-7.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba2-69.dat	cobalt_reflective_dll
behavioral2/files/0x0058000000023ba6-77.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba9-92.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba7-98.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b97-106.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023bac-121.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023bab-124.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023baa-108.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba8-102.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba5-88.dat	cobalt_reflective_dll
behavioral2/files/0x0031000000023ba4-80.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba3-74.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/3600-26-0x00007FF6652D0000-0x00007FF665621000-memory.dmp	xmrig
behavioral2/memory/1880-114-0x00007FF6E58C0000-0x00007FF6E5C11000-memory.dmp	xmrig
behavioral2/memory/4952-116-0x00007FF670120000-0x00007FF670471000-memory.dmp	xmrig
behavioral2/memory/880-115-0x00007FF6E4BB0000-0x00007FF6E4F01000-memory.dmp	xmrig
behavioral2/memory/3112-111-0x00007FF62AB10000-0x00007FF62AE61000-memory.dmp	xmrig
behavioral2/memory/4092-107-0x00007FF7DC8D0000-0x00007FF7DCC21000-memory.dmp	xmrig
behavioral2/memory/2788-101-0x00007FF7AC380000-0x00007FF7AC6D1000-memory.dmp	xmrig
behavioral2/memory/3296-94-0x00007FF7847B0000-0x00007FF784B01000-memory.dmp	xmrig
behavioral2/memory/1628-93-0x00007FF6DA050000-0x00007FF6DA3A1000-memory.dmp	xmrig
behavioral2/memory/5084-85-0x00007FF7D4E00000-0x00007FF7D5151000-memory.dmp	xmrig
behavioral2/memory/3428-73-0x00007FF69FAF0000-0x00007FF69FE41000-memory.dmp	xmrig
behavioral2/memory/3308-131-0x00007FF66E290000-0x00007FF66E5E1000-memory.dmp	xmrig
behavioral2/memory/3600-132-0x00007FF6652D0000-0x00007FF665621000-memory.dmp	xmrig
behavioral2/memory/3424-140-0x00007FF7124D0000-0x00007FF712821000-memory.dmp	xmrig
behavioral2/memory/2212-135-0x00007FF722A80000-0x00007FF722DD1000-memory.dmp	xmrig
behavioral2/memory/2932-134-0x00007FF71C650000-0x00007FF71C9A1000-memory.dmp	xmrig
behavioral2/memory/4936-130-0x00007FF6E0E50000-0x00007FF6E11A1000-memory.dmp	xmrig
behavioral2/memory/1344-129-0x00007FF63ECB0000-0x00007FF63F001000-memory.dmp	xmrig
behavioral2/memory/2492-138-0x00007FF770F40000-0x00007FF771291000-memory.dmp	xmrig
behavioral2/memory/224-128-0x00007FF715250000-0x00007FF7155A1000-memory.dmp	xmrig
behavioral2/memory/4604-133-0x00007FF734AD0000-0x00007FF734E21000-memory.dmp	xmrig
behavioral2/memory/2500-149-0x00007FF603530000-0x00007FF603881000-memory.dmp	xmrig
behavioral2/memory/2060-148-0x00007FF667100000-0x00007FF667451000-memory.dmp	xmrig
behavioral2/memory/224-150-0x00007FF715250000-0x00007FF7155A1000-memory.dmp	xmrig
behavioral2/memory/1344-208-0x00007FF63ECB0000-0x00007FF63F001000-memory.dmp	xmrig
behavioral2/memory/3600-210-0x00007FF6652D0000-0x00007FF665621000-memory.dmp	xmrig
behavioral2/memory/4936-212-0x00007FF6E0E50000-0x00007FF6E11A1000-memory.dmp	xmrig
behavioral2/memory/3308-214-0x00007FF66E290000-0x00007FF66E5E1000-memory.dmp	xmrig
behavioral2/memory/2932-216-0x00007FF71C650000-0x00007FF71C9A1000-memory.dmp	xmrig
behavioral2/memory/4604-218-0x00007FF734AD0000-0x00007FF734E21000-memory.dmp	xmrig
behavioral2/memory/2212-229-0x00007FF722A80000-0x00007FF722DD1000-memory.dmp	xmrig
behavioral2/memory/3428-227-0x00007FF69FAF0000-0x00007FF69FE41000-memory.dmp	xmrig
behavioral2/memory/5084-234-0x00007FF7D4E00000-0x00007FF7D5151000-memory.dmp	xmrig
behavioral2/memory/1628-235-0x00007FF6DA050000-0x00007FF6DA3A1000-memory.dmp	xmrig
behavioral2/memory/3296-237-0x00007FF7847B0000-0x00007FF784B01000-memory.dmp	xmrig
behavioral2/memory/3424-239-0x00007FF7124D0000-0x00007FF712821000-memory.dmp	xmrig
behavioral2/memory/2492-233-0x00007FF770F40000-0x00007FF771291000-memory.dmp	xmrig
behavioral2/memory/3112-244-0x00007FF62AB10000-0x00007FF62AE61000-memory.dmp	xmrig
behavioral2/memory/1880-249-0x00007FF6E58C0000-0x00007FF6E5C11000-memory.dmp	xmrig
behavioral2/memory/4092-248-0x00007FF7DC8D0000-0x00007FF7DCC21000-memory.dmp	xmrig
behavioral2/memory/880-246-0x00007FF6E4BB0000-0x00007FF6E4F01000-memory.dmp	xmrig
behavioral2/memory/2788-242-0x00007FF7AC380000-0x00007FF7AC6D1000-memory.dmp	xmrig
behavioral2/memory/4952-257-0x00007FF670120000-0x00007FF670471000-memory.dmp	xmrig
behavioral2/memory/2060-255-0x00007FF667100000-0x00007FF667451000-memory.dmp	xmrig
behavioral2/memory/2500-254-0x00007FF603530000-0x00007FF603881000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
1344	VzfrZAk.exe
4936	jjQLjAI.exe
3308	KdYXdiM.exe
3600	PGgZVFe.exe
4604	GNqIwak.exe
2932	MplYZGj.exe
2212	FPyiHDR.exe
3428	WSKnNYk.exe
5084	ZjDgFgE.exe
2492	eMbaMrS.exe
1628	tYOVxVT.exe
3424	pIesTmC.exe
3296	eAxWmvB.exe
3112	rZxTvIS.exe
2788	mccdlNa.exe
1880	uGxtJYH.exe
4092	QkgRWmX.exe
880	ctQRPaY.exe
4952	vyARXMt.exe
2060	rssXGNS.exe
2500	ZtswfxC.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/224-0-0x00007FF715250000-0x00007FF7155A1000-memory.dmp	upx
behavioral2/memory/1344-6-0x00007FF63ECB0000-0x00007FF63F001000-memory.dmp	upx
behavioral2/files/0x000a000000023b9c-22.dat	upx
behavioral2/files/0x000a000000023b9e-31.dat	upx
behavioral2/files/0x000a000000023ba1-47.dat	upx
behavioral2/files/0x000a000000023b9d-45.dat	upx
behavioral2/memory/2932-42-0x00007FF71C650000-0x00007FF71C9A1000-memory.dmp	upx
behavioral2/files/0x000a000000023ba0-41.dat	upx
behavioral2/memory/4604-35-0x00007FF734AD0000-0x00007FF734E21000-memory.dmp	upx
behavioral2/files/0x000a000000023b9f-33.dat	upx
behavioral2/files/0x000a000000023b9b-37.dat	upx
behavioral2/memory/3308-27-0x00007FF66E290000-0x00007FF66E5E1000-memory.dmp	upx
behavioral2/memory/3600-26-0x00007FF6652D0000-0x00007FF665621000-memory.dmp	upx
behavioral2/memory/4936-20-0x00007FF6E0E50000-0x00007FF6E11A1000-memory.dmp	upx
behavioral2/files/0x000a000000023b9a-17.dat	upx
behavioral2/files/0x000c000000023b38-7.dat	upx
behavioral2/files/0x000a000000023ba2-69.dat	upx
behavioral2/files/0x0058000000023ba6-77.dat	upx
behavioral2/files/0x000a000000023ba9-92.dat	upx
behavioral2/files/0x000a000000023ba7-98.dat	upx
behavioral2/files/0x000b000000023b97-106.dat	upx
behavioral2/memory/1880-114-0x00007FF6E58C0000-0x00007FF6E5C11000-memory.dmp	upx
behavioral2/memory/4952-116-0x00007FF670120000-0x00007FF670471000-memory.dmp	upx
behavioral2/files/0x000a000000023bac-121.dat	upx
behavioral2/files/0x000a000000023bab-124.dat	upx
behavioral2/memory/2500-123-0x00007FF603530000-0x00007FF603881000-memory.dmp	upx
behavioral2/memory/2060-122-0x00007FF667100000-0x00007FF667451000-memory.dmp	upx
behavioral2/memory/880-115-0x00007FF6E4BB0000-0x00007FF6E4F01000-memory.dmp	upx
behavioral2/memory/3112-111-0x00007FF62AB10000-0x00007FF62AE61000-memory.dmp	upx
behavioral2/files/0x000a000000023baa-108.dat	upx
behavioral2/memory/4092-107-0x00007FF7DC8D0000-0x00007FF7DCC21000-memory.dmp	upx
behavioral2/files/0x000a000000023ba8-102.dat	upx
behavioral2/memory/2788-101-0x00007FF7AC380000-0x00007FF7AC6D1000-memory.dmp	upx
behavioral2/memory/3296-94-0x00007FF7847B0000-0x00007FF784B01000-memory.dmp	upx
behavioral2/memory/1628-93-0x00007FF6DA050000-0x00007FF6DA3A1000-memory.dmp	upx
behavioral2/files/0x000a000000023ba5-88.dat	upx
behavioral2/memory/5084-85-0x00007FF7D4E00000-0x00007FF7D5151000-memory.dmp	upx
behavioral2/files/0x0031000000023ba4-80.dat	upx
behavioral2/memory/3428-73-0x00007FF69FAF0000-0x00007FF69FE41000-memory.dmp	upx
behavioral2/files/0x000a000000023ba3-74.dat	upx
behavioral2/memory/3424-65-0x00007FF7124D0000-0x00007FF712821000-memory.dmp	upx
behavioral2/memory/2492-56-0x00007FF770F40000-0x00007FF771291000-memory.dmp	upx
behavioral2/memory/2212-54-0x00007FF722A80000-0x00007FF722DD1000-memory.dmp	upx
behavioral2/memory/3308-131-0x00007FF66E290000-0x00007FF66E5E1000-memory.dmp	upx
behavioral2/memory/3600-132-0x00007FF6652D0000-0x00007FF665621000-memory.dmp	upx
behavioral2/memory/3424-140-0x00007FF7124D0000-0x00007FF712821000-memory.dmp	upx
behavioral2/memory/2212-135-0x00007FF722A80000-0x00007FF722DD1000-memory.dmp	upx
behavioral2/memory/2932-134-0x00007FF71C650000-0x00007FF71C9A1000-memory.dmp	upx
behavioral2/memory/4936-130-0x00007FF6E0E50000-0x00007FF6E11A1000-memory.dmp	upx
behavioral2/memory/1344-129-0x00007FF63ECB0000-0x00007FF63F001000-memory.dmp	upx
behavioral2/memory/2492-138-0x00007FF770F40000-0x00007FF771291000-memory.dmp	upx
behavioral2/memory/224-128-0x00007FF715250000-0x00007FF7155A1000-memory.dmp	upx
behavioral2/memory/4604-133-0x00007FF734AD0000-0x00007FF734E21000-memory.dmp	upx
behavioral2/memory/2500-149-0x00007FF603530000-0x00007FF603881000-memory.dmp	upx
behavioral2/memory/2060-148-0x00007FF667100000-0x00007FF667451000-memory.dmp	upx
behavioral2/memory/224-150-0x00007FF715250000-0x00007FF7155A1000-memory.dmp	upx
behavioral2/memory/1344-208-0x00007FF63ECB0000-0x00007FF63F001000-memory.dmp	upx
behavioral2/memory/3600-210-0x00007FF6652D0000-0x00007FF665621000-memory.dmp	upx
behavioral2/memory/4936-212-0x00007FF6E0E50000-0x00007FF6E11A1000-memory.dmp	upx
behavioral2/memory/3308-214-0x00007FF66E290000-0x00007FF66E5E1000-memory.dmp	upx
behavioral2/memory/2932-216-0x00007FF71C650000-0x00007FF71C9A1000-memory.dmp	upx
behavioral2/memory/4604-218-0x00007FF734AD0000-0x00007FF734E21000-memory.dmp	upx
behavioral2/memory/2212-229-0x00007FF722A80000-0x00007FF722DD1000-memory.dmp	upx
behavioral2/memory/3428-227-0x00007FF69FAF0000-0x00007FF69FE41000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\VzfrZAk.exe	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jjQLjAI.exe	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GNqIwak.exe	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WSKnNYk.exe	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KdYXdiM.exe	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eMbaMrS.exe	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eAxWmvB.exe	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rZxTvIS.exe	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mccdlNa.exe	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rssXGNS.exe	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZtswfxC.exe	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MplYZGj.exe	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FPyiHDR.exe	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZjDgFgE.exe	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tYOVxVT.exe	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QkgRWmX.exe	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ctQRPaY.exe	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PGgZVFe.exe	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pIesTmC.exe	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uGxtJYH.exe	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vyARXMt.exe	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	224	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	224	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 224 wrote to memory of 1344	224	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 224 wrote to memory of 1344	224	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 224 wrote to memory of 4936	224	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 224 wrote to memory of 4936	224	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 224 wrote to memory of 3308	224	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 224 wrote to memory of 3308	224	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 224 wrote to memory of 3600	224	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 224 wrote to memory of 3600	224	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 224 wrote to memory of 4604	224	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 224 wrote to memory of 4604	224	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 224 wrote to memory of 2932	224	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 224 wrote to memory of 2932	224	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 224 wrote to memory of 2212	224	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 224 wrote to memory of 2212	224	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 224 wrote to memory of 3428	224	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 224 wrote to memory of 3428	224	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 224 wrote to memory of 5084	224	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 224 wrote to memory of 5084	224	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 224 wrote to memory of 2492	224	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 224 wrote to memory of 2492	224	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 224 wrote to memory of 1628	224	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 224 wrote to memory of 1628	224	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 224 wrote to memory of 3424	224	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 224 wrote to memory of 3424	224	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 224 wrote to memory of 3296	224	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 224 wrote to memory of 3296	224	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 224 wrote to memory of 3112	224	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 224 wrote to memory of 3112	224	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 224 wrote to memory of 2788	224	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 224 wrote to memory of 2788	224	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 224 wrote to memory of 1880	224	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 224 wrote to memory of 1880	224	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 224 wrote to memory of 4092	224	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 224 wrote to memory of 4092	224	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 224 wrote to memory of 880	224	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 224 wrote to memory of 880	224	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 224 wrote to memory of 4952	224	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 224 wrote to memory of 4952	224	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 224 wrote to memory of 2060	224	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 224 wrote to memory of 2060	224	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 224 wrote to memory of 2500	224	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 224 wrote to memory of 2500	224	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:224
- C:\Windows\System\VzfrZAk.exe
  C:\Windows\System\VzfrZAk.exe
  2⤵
  - Executes dropped EXE
  PID:1344
- C:\Windows\System\jjQLjAI.exe
  C:\Windows\System\jjQLjAI.exe
  2⤵
  - Executes dropped EXE
  PID:4936
- C:\Windows\System\KdYXdiM.exe
  C:\Windows\System\KdYXdiM.exe
  2⤵
  - Executes dropped EXE
  PID:3308
- C:\Windows\System\PGgZVFe.exe
  C:\Windows\System\PGgZVFe.exe
  2⤵
  - Executes dropped EXE
  PID:3600
- C:\Windows\System\GNqIwak.exe
  C:\Windows\System\GNqIwak.exe
  2⤵
  - Executes dropped EXE
  PID:4604
- C:\Windows\System\MplYZGj.exe
  C:\Windows\System\MplYZGj.exe
  2⤵
  - Executes dropped EXE
  PID:2932
- C:\Windows\System\FPyiHDR.exe
  C:\Windows\System\FPyiHDR.exe
  2⤵
  - Executes dropped EXE
  PID:2212
- C:\Windows\System\WSKnNYk.exe
  C:\Windows\System\WSKnNYk.exe
  2⤵
  - Executes dropped EXE
  PID:3428
- C:\Windows\System\ZjDgFgE.exe
  C:\Windows\System\ZjDgFgE.exe
  2⤵
  - Executes dropped EXE
  PID:5084
- C:\Windows\System\eMbaMrS.exe
  C:\Windows\System\eMbaMrS.exe
  2⤵
  - Executes dropped EXE
  PID:2492
- C:\Windows\System\tYOVxVT.exe
  C:\Windows\System\tYOVxVT.exe
  2⤵
  - Executes dropped EXE
  PID:1628
- C:\Windows\System\pIesTmC.exe
  C:\Windows\System\pIesTmC.exe
  2⤵
  - Executes dropped EXE
  PID:3424
- C:\Windows\System\eAxWmvB.exe
  C:\Windows\System\eAxWmvB.exe
  2⤵
  - Executes dropped EXE
  PID:3296
- C:\Windows\System\rZxTvIS.exe
  C:\Windows\System\rZxTvIS.exe
  2⤵
  - Executes dropped EXE
  PID:3112
- C:\Windows\System\mccdlNa.exe
  C:\Windows\System\mccdlNa.exe
  2⤵
  - Executes dropped EXE
  PID:2788
- C:\Windows\System\uGxtJYH.exe
  C:\Windows\System\uGxtJYH.exe
  2⤵
  - Executes dropped EXE
  PID:1880
- C:\Windows\System\QkgRWmX.exe
  C:\Windows\System\QkgRWmX.exe
  2⤵
  - Executes dropped EXE
  PID:4092
- C:\Windows\System\ctQRPaY.exe
  C:\Windows\System\ctQRPaY.exe
  2⤵
  - Executes dropped EXE
  PID:880
- C:\Windows\System\vyARXMt.exe
  C:\Windows\System\vyARXMt.exe
  2⤵
  - Executes dropped EXE
  PID:4952
- C:\Windows\System\rssXGNS.exe
  C:\Windows\System\rssXGNS.exe
  2⤵
  - Executes dropped EXE
  PID:2060
- C:\Windows\System\ZtswfxC.exe
  C:\Windows\System\ZtswfxC.exe
  2⤵
  - Executes dropped EXE
  PID:2500

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\FPyiHDR.exe

Filesize
5.2MB

MD5
f644139c86063937a57a7cada0f85621

SHA1
0f9d1f63d1126d88163ec1c88d93e8aab1ba2916

SHA256
3d57240096b7e0c3f180309db365b2f3a9ae829cf674e33055c2941020dfb680

SHA512
370762367106b18ec51033cccfc76184eb59a35ca81ebd7ffb2045c2a8e3450f90a287ebfc6a581432c5756560100dc8d48a9f3476a99833c2c790c59f6ded1d

Download Submit
C:\Windows\System\GNqIwak.exe

Filesize
5.2MB

MD5
88b7d23617e4890247d2395bd0c13af1

SHA1
8bd5f4729ebc4762b7e292fcb45ad0918eff52c7

SHA256
437c328de24a74253cea7207fb1055dd5157f09e09c7d9b859d79d8c4bd6fbc7

SHA512
5e4a5746f06981ab9002474d530227100532e222d23a8eda390863650cc1c27e10e8c75d0587386fc81380814768059060c550b1455630d909f322680386ef10

Download Submit
C:\Windows\System\KdYXdiM.exe

Filesize
5.2MB

MD5
351625a603dcb56bcaf2996da0191d93

SHA1
ff3239d5a7f3f426e53404b31d604b1e3e14f2ad

SHA256
6c1de40e3a1295da9cb8d5899fa6b7a48a53cd55de6d0266dcd28cc04ea6b680

SHA512
0449204232aeaeb8e494dc9463e24ac56fa66bf5bd4aeff8f5a4fb67af160d2941e7340cc5dd63eba21c5ac6095242d6db39ae9e1f53c7163444b67625a2bf77

Download Submit
C:\Windows\System\MplYZGj.exe

Filesize
5.2MB

MD5
d96256e535f16c9c2cf0fc8809897da0

SHA1
4d7dcfd86fb71ddda1992a734394acbb8151cdca

SHA256
8416e5f1c5f0a8fe40f0a1c2357fcd418f5a6cc2f1f116f26f89a266016d3173

SHA512
7c9ee77cf72606efd39f5701c3b33938cd63ff13a1aad9d476d070d863961d40eaa14e0b034e77ddf684e84c25f01637893afe3c2fb038e64b6522bebe2c028e

Download Submit
C:\Windows\System\PGgZVFe.exe

Filesize
5.2MB

MD5
95f2bd16c412bb9d0d5f03cb4f4d008b

SHA1
f49db7e314bcf3f0fdbca6a13bc234a047379811

SHA256
99aa7ec6f9a69199f902f798383385a62d6d6d4e369a4ee14934549988fbccef

SHA512
4a269197cbf9a6b09f6d59b58feb40faebacfd786815c318d63026790efe4d289a6da0f3fb77e8a89378c0ade754e6e4d4a3bd8598455ce5e800d26700f0cdb8

Download Submit
C:\Windows\System\QkgRWmX.exe

Filesize
5.2MB

MD5
20e5ebc8411585fb98230dd1a498847a

SHA1
e91d8eded359ec79a5c1b94a43de09cb4b999a9c

SHA256
f7c73b2025ca81cdbbf7dbdc7994d2f59f3f453b8e1535c6f306aad4d2cfe70c

SHA512
59d905a181715fa78a90680158af71def1676f3a63887a2d1deb8a9e2e3d85ae27d39aa31620b9336119bc13d51c1116ef72a034ea1c642a4f1b283d16dee57e

Download Submit
C:\Windows\System\VzfrZAk.exe

Filesize
5.2MB

MD5
3a0b058948aa3ee5c4cd0b20f1113ba7

SHA1
b0ea296f1a07b4a2ea0d708a98920b7ee93bb1a8

SHA256
e15a472d2a79fc61e1275f590732cfe532c3f4a5a25830872a276b29a9ee0451

SHA512
d25d6e5fed97238a7cff5c304dcb15eaaa4d94ff096f48aa1a4800b0b76a16c0ef75806f411e7091815223b9216c516e37cc0e08377628908dc427a0afffe167

Download Submit
C:\Windows\System\WSKnNYk.exe

Filesize
5.2MB

MD5
ced2a6b819502067fe1d2b9dba4e5dd2

SHA1
e472ad305b98e0aaa46fc25e3afd171544117cdb

SHA256
20e4bbb727df2116c2d089c6de1d751db2e75dbe6f15e6a4de1de84cfefed6d9

SHA512
5574a53b1089195de16bb1d27a840b9b817a5a48d55908c87bed323cf72006d06bc9bd686d2ae3281c10ee3554e926e32cb8f016092ae8357203dac4c776af4c

Download Submit
C:\Windows\System\ZjDgFgE.exe

Filesize
5.2MB

MD5
bad374201f71fe655d377cd159a490b8

SHA1
f0022bdacaaf9bf9f5e54e6abcaab9b3bce186e0

SHA256
93b0e37c8fb765ef021c346754d7095ca021815c46f2c5669b6d3c91a18f9609

SHA512
85384978c56bfdda2c047edd96688131fee2f56b2fed0440cd678e927d651f45c31cdade97d7a3cf8fdb8b17cb04c61a643644a85d9373592e5c688e427d01af

Download Submit
C:\Windows\System\ZtswfxC.exe

Filesize
5.2MB

MD5
11cf46c17e75460b5a82bebc7168e184

SHA1
9bebab059f3efdab92a2e8a6f3644884b7c9bc42

SHA256
c9be2ba76543218ac32543ae5293314128256a765dafb6a560f33c330f6f2a03

SHA512
d502cfaa4fe99e56e9b2eaacb33fe678d9381ecfb9b92b46955fca1ea09da7077bbe53c06b1eee575f0b9ea1643fbc5527eb5b80b0d16ca9d89be3a61f904249

Download Submit
C:\Windows\System\ctQRPaY.exe

Filesize
5.2MB

MD5
1d81d15cef7982dd492022fca5996815

SHA1
66c248db212a504b741b07734801d96e7dee47bf

SHA256
e9cecdabc76c44e0fe14076db07ecfe94596651348adc54a3b4fc3c0e827cd97

SHA512
d18faebb05b211d5dd09226bb08d2e953d44ba429672bb6a0f53d831d0ea8ef1ddf221a6b148ec6f7a26f09376b56ca13c013af14d4581292aea9d12bab3af41

Download Submit
C:\Windows\System\eAxWmvB.exe

Filesize
5.2MB

MD5
8e549c88240167ee9d9506121f5f1181

SHA1
adaeca7c121cc0782145f57b24ef0d199638c869

SHA256
75a113dc1ec8beaa8dd854720e42bea6375c16787753a18df00ec3f58623c0f5

SHA512
c5c12bbfd256c5cb7f3450386942dfb66966882459994f16409b4325a99cae87751d08fdf4761722ae5e63f7bc3e86ca8e85ff0fc387424e5657aedad65692c6

Download Submit
C:\Windows\System\eMbaMrS.exe

Filesize
5.2MB

MD5
49a94e7382fce61f3f7599141a4fcbb9

SHA1
4abcc852983ffa54efc55e5326cf49984005a6e5

SHA256
0814ef781ed263fc04bdc52a766b3118340a5fddb068a3e0a98177d083ef1a92

SHA512
1c5eaaa5c5e66165dedb0583f87ae5b9675d7ade95fcff15a8c8681fea0a409f300d98bc5be5671b07c2f133212238f4db98386bb905eb607478bfbef18e4688

Download Submit
C:\Windows\System\jjQLjAI.exe

Filesize
5.2MB

MD5
8ef27f38350ae41870f1a4b265bfd791

SHA1
77dfbb011465c9f762dcb2ec5bed4e5845e476fd

SHA256
962785a796235f14bb44dae4d3ec5f5fd613f90dfc221a8792f5ada9acc080f5

SHA512
cb9a95472333c2c976db1afe75306ac698bc6dacd5b9103dcd237c977ebab491c526d74310a2930b1428f1b4f56c8722cd0b238767b50c033863b8e9a1554f3f

Download Submit
C:\Windows\System\mccdlNa.exe

Filesize
5.2MB

MD5
c9520775b0d561c09b46286fb62ce006

SHA1
5c320f34654eee15acfc2b5c453f98927260cc1f

SHA256
4a0c325216dddd4bcb429d4d7eeafe9a71d857997594aa7d955531a9e3307322

SHA512
bba81135b7c82ee5b7db46bbac378a33a6005237f0d5ce32ab80cb3af06f3d4adc80cce0bc3330a7b7eb2f18fa3db5b51fe244ff615ca0185e555b3873c38a67

Download Submit
C:\Windows\System\pIesTmC.exe

Filesize
5.2MB

MD5
f8e1e0058b23f379ca2b2bae0f5fded6

SHA1
8082977e4c76ffaa392c576e75a86551e75b6914

SHA256
2d3113f74fafb20f19396ac4647651694e54d90bf54f90d4c4d26f1b1dd95d46

SHA512
cdee8ce2e6f497367bea3517ec0b5e3e929e393cc7f0b254c47d9ac1c33486a984974a02136412d11a9c16f986c9e5c15094998838b6d26654c52ab63a723951

Download Submit
C:\Windows\System\rZxTvIS.exe

Filesize
5.2MB

MD5
1df0121affda9050745313c752861404

SHA1
aae60b63d2cfff42eb41f847a818c836f98b635d

SHA256
be97e13f7715eb78ed35c6d600b32d93715bab40bfde1f164cd4354bbcfaa29b

SHA512
2283e127f1892eff12ad88505b5278f8cd5371ed90cb38b26e2546502efbb5fcbfe8a4cb15c6801bbc939675aee35eb13ffc3e0ec53756456b897b97eb2cc100

Download Submit
C:\Windows\System\rssXGNS.exe

Filesize
5.2MB

MD5
30c63afc1ac09ae65c04a928eaee9ad4

SHA1
312a70dd094f2f8253c695d4f4ca0f9202b6363e

SHA256
86462b404fdacf4d4055a432903974beddc256ba7f377f927614e8031b028f6e

SHA512
147c2a47a476a4e24db664df28303041ae9eb1a650b212bd3cbb591ad62606cab99e059f28779dfca8220ca3c1cc07913aed78dddba61fb8ed58403a65b67cbb

Download Submit
C:\Windows\System\tYOVxVT.exe

Filesize
5.2MB

MD5
24ba49f13ec242efcd2bfbead70a1717

SHA1
8f1492e7a40b784433fce2fb74b5f741190057c8

SHA256
284f556cb1714e6997766ead026f4e9f95ee31c0e1dfa718d087a908dd5e45b7

SHA512
9247cf1bf96ce8922c4c62cd7117dd7f5d8bcb4bc0da3ad6154d2e74e2de5ebefaafa5325e10f23fd8563ff9d55a92080ea4344524af69b54e685d5a74c7c7d9

Download Submit
C:\Windows\System\uGxtJYH.exe

Filesize
5.2MB

MD5
74233a3961535b90da4e1d230bc966cd

SHA1
d6353fe3bd0938aa2bf7443d5d9f80a927810138

SHA256
8ef160a2f8fbef25ac7e2ddb7ead75ac12d567c56ea1cda767e8147d832ffd4b

SHA512
650e7404cd032c14b2095f01df4106a88a88b9c29b31232f67c7fcb68aaf3ecf1357bfc0e882806758de9b6cd787987785afe0e7d11b4de0813f50064b8d81ae

Download Submit
C:\Windows\System\vyARXMt.exe

Filesize
5.2MB

MD5
98f0ca11aba4ff7801b0de929bba27d5

SHA1
1d31eed251d41166969997bc44d0c470dddf5bfa

SHA256
8e602b0db02644fa50578099c36789fcee6b3ea5047900a595ad1fbe44571f05

SHA512
1199089cbbd5293191db659a2f25ffa2e69e02a0a13169e8d2481877b5c387a6f91a6de8bf133ceff2ef056a5bc017d6092ac6c2d6eb4872db903ee5b3b4ee95

Download Submit
memory/224-128-0x00007FF715250000-0x00007FF7155A1000-memory.dmp

Filesize
3.3MB

Download
memory/224-150-0x00007FF715250000-0x00007FF7155A1000-memory.dmp

Filesize
3.3MB

Download
memory/224-0-0x00007FF715250000-0x00007FF7155A1000-memory.dmp

Filesize
3.3MB

Download
memory/224-1-0x000002C75A640000-0x000002C75A650000-memory.dmp

Filesize
64KB

Download
memory/880-115-0x00007FF6E4BB0000-0x00007FF6E4F01000-memory.dmp

Filesize
3.3MB

Download
memory/880-246-0x00007FF6E4BB0000-0x00007FF6E4F01000-memory.dmp

Filesize
3.3MB

Download
memory/1344-208-0x00007FF63ECB0000-0x00007FF63F001000-memory.dmp

Filesize
3.3MB

Download
memory/1344-129-0x00007FF63ECB0000-0x00007FF63F001000-memory.dmp

Filesize
3.3MB

Download
memory/1344-6-0x00007FF63ECB0000-0x00007FF63F001000-memory.dmp

Filesize
3.3MB

Download
memory/1628-93-0x00007FF6DA050000-0x00007FF6DA3A1000-memory.dmp

Filesize
3.3MB

Download
memory/1628-235-0x00007FF6DA050000-0x00007FF6DA3A1000-memory.dmp

Filesize
3.3MB

Download
memory/1880-249-0x00007FF6E58C0000-0x00007FF6E5C11000-memory.dmp

Filesize
3.3MB

Download
memory/1880-114-0x00007FF6E58C0000-0x00007FF6E5C11000-memory.dmp

Filesize
3.3MB

Download
memory/2060-255-0x00007FF667100000-0x00007FF667451000-memory.dmp

Filesize
3.3MB

Download
memory/2060-122-0x00007FF667100000-0x00007FF667451000-memory.dmp

Filesize
3.3MB

Download
memory/2060-148-0x00007FF667100000-0x00007FF667451000-memory.dmp

Filesize
3.3MB

Download
memory/2212-54-0x00007FF722A80000-0x00007FF722DD1000-memory.dmp

Filesize
3.3MB

Download
memory/2212-135-0x00007FF722A80000-0x00007FF722DD1000-memory.dmp

Filesize
3.3MB

Download
memory/2212-229-0x00007FF722A80000-0x00007FF722DD1000-memory.dmp

Filesize
3.3MB

Download
memory/2492-138-0x00007FF770F40000-0x00007FF771291000-memory.dmp

Filesize
3.3MB

Download
memory/2492-233-0x00007FF770F40000-0x00007FF771291000-memory.dmp

Filesize
3.3MB

Download
memory/2492-56-0x00007FF770F40000-0x00007FF771291000-memory.dmp

Filesize
3.3MB

Download
memory/2500-254-0x00007FF603530000-0x00007FF603881000-memory.dmp

Filesize
3.3MB

Download
memory/2500-123-0x00007FF603530000-0x00007FF603881000-memory.dmp

Filesize
3.3MB

Download
memory/2500-149-0x00007FF603530000-0x00007FF603881000-memory.dmp

Filesize
3.3MB

Download
memory/2788-101-0x00007FF7AC380000-0x00007FF7AC6D1000-memory.dmp

Filesize
3.3MB

Download
memory/2788-242-0x00007FF7AC380000-0x00007FF7AC6D1000-memory.dmp

Filesize
3.3MB

Download
memory/2932-216-0x00007FF71C650000-0x00007FF71C9A1000-memory.dmp

Filesize
3.3MB

Download
memory/2932-134-0x00007FF71C650000-0x00007FF71C9A1000-memory.dmp

Filesize
3.3MB

Download
memory/2932-42-0x00007FF71C650000-0x00007FF71C9A1000-memory.dmp

Filesize
3.3MB

Download
memory/3112-244-0x00007FF62AB10000-0x00007FF62AE61000-memory.dmp

Filesize
3.3MB

Download
memory/3112-111-0x00007FF62AB10000-0x00007FF62AE61000-memory.dmp

Filesize
3.3MB

Download
memory/3296-94-0x00007FF7847B0000-0x00007FF784B01000-memory.dmp

Filesize
3.3MB

Download
memory/3296-237-0x00007FF7847B0000-0x00007FF784B01000-memory.dmp

Filesize
3.3MB

Download
memory/3308-131-0x00007FF66E290000-0x00007FF66E5E1000-memory.dmp

Filesize
3.3MB

Download
memory/3308-27-0x00007FF66E290000-0x00007FF66E5E1000-memory.dmp

Filesize
3.3MB

Download
memory/3308-214-0x00007FF66E290000-0x00007FF66E5E1000-memory.dmp

Filesize
3.3MB

Download
memory/3424-239-0x00007FF7124D0000-0x00007FF712821000-memory.dmp

Filesize
3.3MB

Download
memory/3424-140-0x00007FF7124D0000-0x00007FF712821000-memory.dmp

Filesize
3.3MB

Download
memory/3424-65-0x00007FF7124D0000-0x00007FF712821000-memory.dmp

Filesize
3.3MB

Download
memory/3428-73-0x00007FF69FAF0000-0x00007FF69FE41000-memory.dmp

Filesize
3.3MB

Download
memory/3428-227-0x00007FF69FAF0000-0x00007FF69FE41000-memory.dmp

Filesize
3.3MB

Download
memory/3600-132-0x00007FF6652D0000-0x00007FF665621000-memory.dmp

Filesize
3.3MB

Download
memory/3600-26-0x00007FF6652D0000-0x00007FF665621000-memory.dmp

Filesize
3.3MB

Download
memory/3600-210-0x00007FF6652D0000-0x00007FF665621000-memory.dmp

Filesize
3.3MB

Download
memory/4092-107-0x00007FF7DC8D0000-0x00007FF7DCC21000-memory.dmp

Filesize
3.3MB

Download
memory/4092-248-0x00007FF7DC8D0000-0x00007FF7DCC21000-memory.dmp

Filesize
3.3MB

Download
memory/4604-35-0x00007FF734AD0000-0x00007FF734E21000-memory.dmp

Filesize
3.3MB

Download
memory/4604-133-0x00007FF734AD0000-0x00007FF734E21000-memory.dmp

Filesize
3.3MB

Download
memory/4604-218-0x00007FF734AD0000-0x00007FF734E21000-memory.dmp

Filesize
3.3MB

Download
memory/4936-212-0x00007FF6E0E50000-0x00007FF6E11A1000-memory.dmp

Filesize
3.3MB

Download
memory/4936-130-0x00007FF6E0E50000-0x00007FF6E11A1000-memory.dmp

Filesize
3.3MB

Download
memory/4936-20-0x00007FF6E0E50000-0x00007FF6E11A1000-memory.dmp

Filesize
3.3MB

Download
memory/4952-257-0x00007FF670120000-0x00007FF670471000-memory.dmp

Filesize
3.3MB

Download
memory/4952-116-0x00007FF670120000-0x00007FF670471000-memory.dmp

Filesize
3.3MB

Download
memory/5084-85-0x00007FF7D4E00000-0x00007FF7D5151000-memory.dmp

Filesize
3.3MB

Download
memory/5084-234-0x00007FF7D4E00000-0x00007FF7D5151000-memory.dmp

Filesize
3.3MB

Download