cobaltstrike | 329964ebbad4fa67dffd984484804f480db4077f7d172135c6e3c7abf97adc32

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 05:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-22_2ec77e0531e07061162193fa5066da06_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

2ec77e0531e07061162193fa5066da06
SHA1

ce3b708a5b4603cb1117ad6510cd54f0b2878eb2
SHA256

329964ebbad4fa67dffd984484804f480db4077f7d172135c6e3c7abf97adc32
SHA512

558683dd7db3424735222fe301575b4e26bb58441df7804d81a9c5bc6c6d6154716b27af3cd28e8c2d57fa1b2f886eb99ce9fabc2b9c4d303088b426f51706b8
SSDEEP

49152:ROdWCCi7/raN56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lP:RWWBib+56utgpPFotBER/mQ32lUz

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000b000000023b6f-5.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b73-15.dat	cobalt_reflective_dll
behavioral2/files/0x0031000000023b76-34.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b79-40.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b78-45.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7b-54.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7c-59.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7e-76.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b80-86.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b81-111.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b85-123.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b84-118.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b83-116.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b82-114.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b70-109.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7f-94.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7d-83.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7a-61.dat	cobalt_reflective_dll
behavioral2/files/0x0031000000023b77-50.dat	cobalt_reflective_dll
behavioral2/files/0x0031000000023b75-37.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b74-23.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/2128-108-0x00007FF74F520000-0x00007FF74F871000-memory.dmp	xmrig
behavioral2/memory/4336-104-0x00007FF654530000-0x00007FF654881000-memory.dmp	xmrig
behavioral2/memory/3640-60-0x00007FF7BF6A0000-0x00007FF7BF9F1000-memory.dmp	xmrig
behavioral2/memory/2740-125-0x00007FF7B8D20000-0x00007FF7B9071000-memory.dmp	xmrig
behavioral2/memory/4460-137-0x00007FF70AB40000-0x00007FF70AE91000-memory.dmp	xmrig
behavioral2/memory/3168-134-0x00007FF654140000-0x00007FF654491000-memory.dmp	xmrig
behavioral2/memory/2188-136-0x00007FF607840000-0x00007FF607B91000-memory.dmp	xmrig
behavioral2/memory/2152-138-0x00007FF7015F0000-0x00007FF701941000-memory.dmp	xmrig
behavioral2/memory/3508-144-0x00007FF692360000-0x00007FF6926B1000-memory.dmp	xmrig
behavioral2/memory/648-145-0x00007FF7B3310000-0x00007FF7B3661000-memory.dmp	xmrig
behavioral2/memory/2380-142-0x00007FF66CA40000-0x00007FF66CD91000-memory.dmp	xmrig
behavioral2/memory/2460-135-0x00007FF686300000-0x00007FF686651000-memory.dmp	xmrig
behavioral2/memory/5052-133-0x00007FF77B870000-0x00007FF77BBC1000-memory.dmp	xmrig
behavioral2/memory/1424-131-0x00007FF6C1AA0000-0x00007FF6C1DF1000-memory.dmp	xmrig
behavioral2/memory/3472-129-0x00007FF6E8DD0000-0x00007FF6E9121000-memory.dmp	xmrig
behavioral2/memory/1388-141-0x00007FF760F20000-0x00007FF761271000-memory.dmp	xmrig
behavioral2/memory/324-139-0x00007FF701150000-0x00007FF7014A1000-memory.dmp	xmrig
behavioral2/memory/4776-130-0x00007FF7A7CD0000-0x00007FF7A8021000-memory.dmp	xmrig
behavioral2/memory/3592-128-0x00007FF72CE40000-0x00007FF72D191000-memory.dmp	xmrig
behavioral2/memory/4712-127-0x00007FF6E8590000-0x00007FF6E88E1000-memory.dmp	xmrig
behavioral2/memory/2380-126-0x00007FF66CA40000-0x00007FF66CD91000-memory.dmp	xmrig
behavioral2/memory/2296-146-0x00007FF70A260000-0x00007FF70A5B1000-memory.dmp	xmrig
behavioral2/memory/5104-148-0x00007FF6DCAA0000-0x00007FF6DCDF1000-memory.dmp	xmrig
behavioral2/memory/2380-151-0x00007FF66CA40000-0x00007FF66CD91000-memory.dmp	xmrig
behavioral2/memory/4712-203-0x00007FF6E8590000-0x00007FF6E88E1000-memory.dmp	xmrig
behavioral2/memory/3592-205-0x00007FF72CE40000-0x00007FF72D191000-memory.dmp	xmrig
behavioral2/memory/3472-220-0x00007FF6E8DD0000-0x00007FF6E9121000-memory.dmp	xmrig
behavioral2/memory/1424-222-0x00007FF6C1AA0000-0x00007FF6C1DF1000-memory.dmp	xmrig
behavioral2/memory/5052-225-0x00007FF77B870000-0x00007FF77BBC1000-memory.dmp	xmrig
behavioral2/memory/4776-226-0x00007FF7A7CD0000-0x00007FF7A8021000-memory.dmp	xmrig
behavioral2/memory/3640-228-0x00007FF7BF6A0000-0x00007FF7BF9F1000-memory.dmp	xmrig
behavioral2/memory/3168-230-0x00007FF654140000-0x00007FF654491000-memory.dmp	xmrig
behavioral2/memory/2460-233-0x00007FF686300000-0x00007FF686651000-memory.dmp	xmrig
behavioral2/memory/2188-236-0x00007FF607840000-0x00007FF607B91000-memory.dmp	xmrig
behavioral2/memory/4460-235-0x00007FF70AB40000-0x00007FF70AE91000-memory.dmp	xmrig
behavioral2/memory/324-242-0x00007FF701150000-0x00007FF7014A1000-memory.dmp	xmrig
behavioral2/memory/2128-244-0x00007FF74F520000-0x00007FF74F871000-memory.dmp	xmrig
behavioral2/memory/2152-246-0x00007FF7015F0000-0x00007FF701941000-memory.dmp	xmrig
behavioral2/memory/4336-241-0x00007FF654530000-0x00007FF654881000-memory.dmp	xmrig
behavioral2/memory/2740-249-0x00007FF7B8D20000-0x00007FF7B9071000-memory.dmp	xmrig
behavioral2/memory/3508-255-0x00007FF692360000-0x00007FF6926B1000-memory.dmp	xmrig
behavioral2/memory/648-258-0x00007FF7B3310000-0x00007FF7B3661000-memory.dmp	xmrig
behavioral2/memory/2296-253-0x00007FF70A260000-0x00007FF70A5B1000-memory.dmp	xmrig
behavioral2/memory/5104-250-0x00007FF6DCAA0000-0x00007FF6DCDF1000-memory.dmp	xmrig
behavioral2/memory/1388-256-0x00007FF760F20000-0x00007FF761271000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4712	VhpoyJL.exe
3592	ArPRJyR.exe
3472	XESzhSn.exe
4776	VEFLqYj.exe
1424	TQvikmv.exe
3640	OOOYAUE.exe
5052	KvrNKoK.exe
3168	ojxwzsZ.exe
2460	qEZiQLL.exe
2188	gTGJBqm.exe
4460	BeFoOEo.exe
2152	mfXeJUM.exe
324	bpEgpTM.exe
4336	kxwZRUE.exe
1388	FedDcAc.exe
2128	hrzMxRX.exe
2296	xHHhTIR.exe
3508	dbTXhSV.exe
5104	HUcGoSM.exe
2740	MnjfRwe.exe
648	eBYMxnZ.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2380-0-0x00007FF66CA40000-0x00007FF66CD91000-memory.dmp	upx
behavioral2/files/0x000b000000023b6f-5.dat	upx
behavioral2/memory/4712-8-0x00007FF6E8590000-0x00007FF6E88E1000-memory.dmp	upx
behavioral2/files/0x000a000000023b73-15.dat	upx
behavioral2/memory/3472-24-0x00007FF6E8DD0000-0x00007FF6E9121000-memory.dmp	upx
behavioral2/files/0x0031000000023b76-34.dat	upx
behavioral2/files/0x000a000000023b79-40.dat	upx
behavioral2/files/0x000a000000023b78-45.dat	upx
behavioral2/files/0x000a000000023b7b-54.dat	upx
behavioral2/files/0x000a000000023b7c-59.dat	upx
behavioral2/memory/2460-63-0x00007FF686300000-0x00007FF686651000-memory.dmp	upx
behavioral2/memory/4460-70-0x00007FF70AB40000-0x00007FF70AE91000-memory.dmp	upx
behavioral2/files/0x000a000000023b7e-76.dat	upx
behavioral2/memory/2152-82-0x00007FF7015F0000-0x00007FF701941000-memory.dmp	upx
behavioral2/files/0x000a000000023b80-86.dat	upx
behavioral2/memory/1388-103-0x00007FF760F20000-0x00007FF761271000-memory.dmp	upx
behavioral2/files/0x000a000000023b81-111.dat	upx
behavioral2/memory/5104-120-0x00007FF6DCAA0000-0x00007FF6DCDF1000-memory.dmp	upx
behavioral2/files/0x000a000000023b85-123.dat	upx
behavioral2/files/0x000a000000023b84-118.dat	upx
behavioral2/files/0x000a000000023b83-116.dat	upx
behavioral2/files/0x000a000000023b82-114.dat	upx
behavioral2/memory/2296-113-0x00007FF70A260000-0x00007FF70A5B1000-memory.dmp	upx
behavioral2/files/0x000b000000023b70-109.dat	upx
behavioral2/memory/2128-108-0x00007FF74F520000-0x00007FF74F871000-memory.dmp	upx
behavioral2/memory/4336-104-0x00007FF654530000-0x00007FF654881000-memory.dmp	upx
behavioral2/files/0x000a000000023b7f-94.dat	upx
behavioral2/memory/324-89-0x00007FF701150000-0x00007FF7014A1000-memory.dmp	upx
behavioral2/files/0x000a000000023b7d-83.dat	upx
behavioral2/files/0x000a000000023b7a-61.dat	upx
behavioral2/memory/3640-60-0x00007FF7BF6A0000-0x00007FF7BF9F1000-memory.dmp	upx
behavioral2/memory/2188-58-0x00007FF607840000-0x00007FF607B91000-memory.dmp	upx
behavioral2/files/0x0031000000023b77-50.dat	upx
behavioral2/memory/3168-48-0x00007FF654140000-0x00007FF654491000-memory.dmp	upx
behavioral2/memory/5052-44-0x00007FF77B870000-0x00007FF77BBC1000-memory.dmp	upx
behavioral2/memory/1424-41-0x00007FF6C1AA0000-0x00007FF6C1DF1000-memory.dmp	upx
behavioral2/files/0x0031000000023b75-37.dat	upx
behavioral2/memory/4776-29-0x00007FF7A7CD0000-0x00007FF7A8021000-memory.dmp	upx
behavioral2/files/0x000a000000023b74-23.dat	upx
behavioral2/memory/3592-19-0x00007FF72CE40000-0x00007FF72D191000-memory.dmp	upx
behavioral2/memory/2740-125-0x00007FF7B8D20000-0x00007FF7B9071000-memory.dmp	upx
behavioral2/memory/4460-137-0x00007FF70AB40000-0x00007FF70AE91000-memory.dmp	upx
behavioral2/memory/3168-134-0x00007FF654140000-0x00007FF654491000-memory.dmp	upx
behavioral2/memory/2188-136-0x00007FF607840000-0x00007FF607B91000-memory.dmp	upx
behavioral2/memory/2152-138-0x00007FF7015F0000-0x00007FF701941000-memory.dmp	upx
behavioral2/memory/3508-144-0x00007FF692360000-0x00007FF6926B1000-memory.dmp	upx
behavioral2/memory/648-145-0x00007FF7B3310000-0x00007FF7B3661000-memory.dmp	upx
behavioral2/memory/2380-142-0x00007FF66CA40000-0x00007FF66CD91000-memory.dmp	upx
behavioral2/memory/2460-135-0x00007FF686300000-0x00007FF686651000-memory.dmp	upx
behavioral2/memory/5052-133-0x00007FF77B870000-0x00007FF77BBC1000-memory.dmp	upx
behavioral2/memory/1424-131-0x00007FF6C1AA0000-0x00007FF6C1DF1000-memory.dmp	upx
behavioral2/memory/3472-129-0x00007FF6E8DD0000-0x00007FF6E9121000-memory.dmp	upx
behavioral2/memory/1388-141-0x00007FF760F20000-0x00007FF761271000-memory.dmp	upx
behavioral2/memory/324-139-0x00007FF701150000-0x00007FF7014A1000-memory.dmp	upx
behavioral2/memory/4776-130-0x00007FF7A7CD0000-0x00007FF7A8021000-memory.dmp	upx
behavioral2/memory/3592-128-0x00007FF72CE40000-0x00007FF72D191000-memory.dmp	upx
behavioral2/memory/4712-127-0x00007FF6E8590000-0x00007FF6E88E1000-memory.dmp	upx
behavioral2/memory/2380-126-0x00007FF66CA40000-0x00007FF66CD91000-memory.dmp	upx
behavioral2/memory/2296-146-0x00007FF70A260000-0x00007FF70A5B1000-memory.dmp	upx
behavioral2/memory/5104-148-0x00007FF6DCAA0000-0x00007FF6DCDF1000-memory.dmp	upx
behavioral2/memory/2380-151-0x00007FF66CA40000-0x00007FF66CD91000-memory.dmp	upx
behavioral2/memory/4712-203-0x00007FF6E8590000-0x00007FF6E88E1000-memory.dmp	upx
behavioral2/memory/3592-205-0x00007FF72CE40000-0x00007FF72D191000-memory.dmp	upx
behavioral2/memory/3472-220-0x00007FF6E8DD0000-0x00007FF6E9121000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\VEFLqYj.exe	2024-12-22_2ec77e0531e07061162193fa5066da06_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gTGJBqm.exe	2024-12-22_2ec77e0531e07061162193fa5066da06_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dbTXhSV.exe	2024-12-22_2ec77e0531e07061162193fa5066da06_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VhpoyJL.exe	2024-12-22_2ec77e0531e07061162193fa5066da06_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XESzhSn.exe	2024-12-22_2ec77e0531e07061162193fa5066da06_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FedDcAc.exe	2024-12-22_2ec77e0531e07061162193fa5066da06_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hrzMxRX.exe	2024-12-22_2ec77e0531e07061162193fa5066da06_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eBYMxnZ.exe	2024-12-22_2ec77e0531e07061162193fa5066da06_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TQvikmv.exe	2024-12-22_2ec77e0531e07061162193fa5066da06_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kxwZRUE.exe	2024-12-22_2ec77e0531e07061162193fa5066da06_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ojxwzsZ.exe	2024-12-22_2ec77e0531e07061162193fa5066da06_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qEZiQLL.exe	2024-12-22_2ec77e0531e07061162193fa5066da06_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BeFoOEo.exe	2024-12-22_2ec77e0531e07061162193fa5066da06_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mfXeJUM.exe	2024-12-22_2ec77e0531e07061162193fa5066da06_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bpEgpTM.exe	2024-12-22_2ec77e0531e07061162193fa5066da06_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HUcGoSM.exe	2024-12-22_2ec77e0531e07061162193fa5066da06_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ArPRJyR.exe	2024-12-22_2ec77e0531e07061162193fa5066da06_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KvrNKoK.exe	2024-12-22_2ec77e0531e07061162193fa5066da06_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MnjfRwe.exe	2024-12-22_2ec77e0531e07061162193fa5066da06_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OOOYAUE.exe	2024-12-22_2ec77e0531e07061162193fa5066da06_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xHHhTIR.exe	2024-12-22_2ec77e0531e07061162193fa5066da06_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2380	2024-12-22_2ec77e0531e07061162193fa5066da06_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2380	2024-12-22_2ec77e0531e07061162193fa5066da06_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 4712	2380	2024-12-22_2ec77e0531e07061162193fa5066da06_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2380 wrote to memory of 4712	2380	2024-12-22_2ec77e0531e07061162193fa5066da06_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2380 wrote to memory of 3592	2380	2024-12-22_2ec77e0531e07061162193fa5066da06_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2380 wrote to memory of 3592	2380	2024-12-22_2ec77e0531e07061162193fa5066da06_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2380 wrote to memory of 3472	2380	2024-12-22_2ec77e0531e07061162193fa5066da06_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2380 wrote to memory of 3472	2380	2024-12-22_2ec77e0531e07061162193fa5066da06_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2380 wrote to memory of 4776	2380	2024-12-22_2ec77e0531e07061162193fa5066da06_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2380 wrote to memory of 4776	2380	2024-12-22_2ec77e0531e07061162193fa5066da06_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2380 wrote to memory of 1424	2380	2024-12-22_2ec77e0531e07061162193fa5066da06_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2380 wrote to memory of 1424	2380	2024-12-22_2ec77e0531e07061162193fa5066da06_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2380 wrote to memory of 3640	2380	2024-12-22_2ec77e0531e07061162193fa5066da06_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2380 wrote to memory of 3640	2380	2024-12-22_2ec77e0531e07061162193fa5066da06_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2380 wrote to memory of 5052	2380	2024-12-22_2ec77e0531e07061162193fa5066da06_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2380 wrote to memory of 5052	2380	2024-12-22_2ec77e0531e07061162193fa5066da06_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2380 wrote to memory of 3168	2380	2024-12-22_2ec77e0531e07061162193fa5066da06_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2380 wrote to memory of 3168	2380	2024-12-22_2ec77e0531e07061162193fa5066da06_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2380 wrote to memory of 2460	2380	2024-12-22_2ec77e0531e07061162193fa5066da06_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2380 wrote to memory of 2460	2380	2024-12-22_2ec77e0531e07061162193fa5066da06_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2380 wrote to memory of 2188	2380	2024-12-22_2ec77e0531e07061162193fa5066da06_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2380 wrote to memory of 2188	2380	2024-12-22_2ec77e0531e07061162193fa5066da06_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2380 wrote to memory of 4460	2380	2024-12-22_2ec77e0531e07061162193fa5066da06_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2380 wrote to memory of 4460	2380	2024-12-22_2ec77e0531e07061162193fa5066da06_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2380 wrote to memory of 2152	2380	2024-12-22_2ec77e0531e07061162193fa5066da06_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2380 wrote to memory of 2152	2380	2024-12-22_2ec77e0531e07061162193fa5066da06_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2380 wrote to memory of 324	2380	2024-12-22_2ec77e0531e07061162193fa5066da06_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2380 wrote to memory of 324	2380	2024-12-22_2ec77e0531e07061162193fa5066da06_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2380 wrote to memory of 4336	2380	2024-12-22_2ec77e0531e07061162193fa5066da06_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2380 wrote to memory of 4336	2380	2024-12-22_2ec77e0531e07061162193fa5066da06_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2380 wrote to memory of 1388	2380	2024-12-22_2ec77e0531e07061162193fa5066da06_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2380 wrote to memory of 1388	2380	2024-12-22_2ec77e0531e07061162193fa5066da06_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2380 wrote to memory of 2128	2380	2024-12-22_2ec77e0531e07061162193fa5066da06_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2380 wrote to memory of 2128	2380	2024-12-22_2ec77e0531e07061162193fa5066da06_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2380 wrote to memory of 2296	2380	2024-12-22_2ec77e0531e07061162193fa5066da06_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2380 wrote to memory of 2296	2380	2024-12-22_2ec77e0531e07061162193fa5066da06_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2380 wrote to memory of 3508	2380	2024-12-22_2ec77e0531e07061162193fa5066da06_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2380 wrote to memory of 3508	2380	2024-12-22_2ec77e0531e07061162193fa5066da06_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2380 wrote to memory of 5104	2380	2024-12-22_2ec77e0531e07061162193fa5066da06_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2380 wrote to memory of 5104	2380	2024-12-22_2ec77e0531e07061162193fa5066da06_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2380 wrote to memory of 2740	2380	2024-12-22_2ec77e0531e07061162193fa5066da06_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2380 wrote to memory of 2740	2380	2024-12-22_2ec77e0531e07061162193fa5066da06_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2380 wrote to memory of 648	2380	2024-12-22_2ec77e0531e07061162193fa5066da06_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 2380 wrote to memory of 648	2380	2024-12-22_2ec77e0531e07061162193fa5066da06_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-12-22_2ec77e0531e07061162193fa5066da06_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-22_2ec77e0531e07061162193fa5066da06_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Windows\System\VhpoyJL.exe
  C:\Windows\System\VhpoyJL.exe
  2⤵
  - Executes dropped EXE
  PID:4712
- C:\Windows\System\ArPRJyR.exe
  C:\Windows\System\ArPRJyR.exe
  2⤵
  - Executes dropped EXE
  PID:3592
- C:\Windows\System\XESzhSn.exe
  C:\Windows\System\XESzhSn.exe
  2⤵
  - Executes dropped EXE
  PID:3472
- C:\Windows\System\VEFLqYj.exe
  C:\Windows\System\VEFLqYj.exe
  2⤵
  - Executes dropped EXE
  PID:4776
- C:\Windows\System\TQvikmv.exe
  C:\Windows\System\TQvikmv.exe
  2⤵
  - Executes dropped EXE
  PID:1424
- C:\Windows\System\OOOYAUE.exe
  C:\Windows\System\OOOYAUE.exe
  2⤵
  - Executes dropped EXE
  PID:3640
- C:\Windows\System\KvrNKoK.exe
  C:\Windows\System\KvrNKoK.exe
  2⤵
  - Executes dropped EXE
  PID:5052
- C:\Windows\System\ojxwzsZ.exe
  C:\Windows\System\ojxwzsZ.exe
  2⤵
  - Executes dropped EXE
  PID:3168
- C:\Windows\System\qEZiQLL.exe
  C:\Windows\System\qEZiQLL.exe
  2⤵
  - Executes dropped EXE
  PID:2460
- C:\Windows\System\gTGJBqm.exe
  C:\Windows\System\gTGJBqm.exe
  2⤵
  - Executes dropped EXE
  PID:2188
- C:\Windows\System\BeFoOEo.exe
  C:\Windows\System\BeFoOEo.exe
  2⤵
  - Executes dropped EXE
  PID:4460
- C:\Windows\System\mfXeJUM.exe
  C:\Windows\System\mfXeJUM.exe
  2⤵
  - Executes dropped EXE
  PID:2152
- C:\Windows\System\bpEgpTM.exe
  C:\Windows\System\bpEgpTM.exe
  2⤵
  - Executes dropped EXE
  PID:324
- C:\Windows\System\kxwZRUE.exe
  C:\Windows\System\kxwZRUE.exe
  2⤵
  - Executes dropped EXE
  PID:4336
- C:\Windows\System\FedDcAc.exe
  C:\Windows\System\FedDcAc.exe
  2⤵
  - Executes dropped EXE
  PID:1388
- C:\Windows\System\hrzMxRX.exe
  C:\Windows\System\hrzMxRX.exe
  2⤵
  - Executes dropped EXE
  PID:2128
- C:\Windows\System\xHHhTIR.exe
  C:\Windows\System\xHHhTIR.exe
  2⤵
  - Executes dropped EXE
  PID:2296
- C:\Windows\System\dbTXhSV.exe
  C:\Windows\System\dbTXhSV.exe
  2⤵
  - Executes dropped EXE
  PID:3508
- C:\Windows\System\HUcGoSM.exe
  C:\Windows\System\HUcGoSM.exe
  2⤵
  - Executes dropped EXE
  PID:5104
- C:\Windows\System\MnjfRwe.exe
  C:\Windows\System\MnjfRwe.exe
  2⤵
  - Executes dropped EXE
  PID:2740
- C:\Windows\System\eBYMxnZ.exe
  C:\Windows\System\eBYMxnZ.exe
  2⤵
  - Executes dropped EXE
  PID:648

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\ArPRJyR.exe

Filesize
5.2MB

MD5
e7763ff9c1b90f96058a7f22cb1dc3ac

SHA1
3ef6bc10400c840658c697290e810b3858480130

SHA256
cc9a800ee14ab505347bec9ef4f3e613642928e1415976cd8f2787c1d3d3ca06

SHA512
e8d69d67e75e0ee4762a8730b606081644167d701e285096808b88b2585de434e32643e14ce41b5ac8dc299190febe5d3c6e97e1859d39f125bed83894ae65de

Download Submit
C:\Windows\System\BeFoOEo.exe

Filesize
5.2MB

MD5
266fd34d35e4054820e1a5d4b0aeba92

SHA1
707f266586e623d7a98ae6a8930a754c947b4f14

SHA256
adef490f2ec9e516eb4f6bcd92d3cc3b81b5b5e40e514fad4e5c6d55de9e78fa

SHA512
150f263cb6d28782013c9b7ae98ea6874fb3b440e0d763582eab4225b2f7d1766690ee7fac093ffb593fa3259811a4d5d869084066f0223f4c05d7bd46582250

Download Submit
C:\Windows\System\FedDcAc.exe

Filesize
5.2MB

MD5
f469bbaa1e04ee47ea7878623e3d4bc9

SHA1
a67cdbfa8bc00f6ece579450947bcc60adac2998

SHA256
0fd62526e6d5f04062a4a6003d52c512b3ca1e40616cc502d7265da96158e904

SHA512
7ef407e1fa6274ff716a7b9b5d93aa47cedb1e4ff7e17dcbdf073f4a959c11cdfbcdd47d08a6ee5b71b327d591924758502475cc53ac5e1e1f12eeb9564fe461

Download Submit
C:\Windows\System\HUcGoSM.exe

Filesize
5.2MB

MD5
926c0dc3cdc6b1f29c00927c15f360ca

SHA1
aaa85a5c0312bf368a978107b5c906ea05def9dd

SHA256
ba49bf5169e957729cf9d92488480f83f89e4020451d1f376362ec5c4848be2e

SHA512
b3d7cd09aeb58fee0cebb0189d4ea1c5c5454bff7072e4545542d530d1e763852c9662509332528f9b87704939fc8acb2aaf8fda58f6f87044dfdb855a2cc61f

Download Submit
C:\Windows\System\KvrNKoK.exe

Filesize
5.2MB

MD5
aff49a42865079f3efbb07a1b490ce8f

SHA1
68d859fdf5435638376c460125645915bf58e90e

SHA256
60dbf5fa18e36d760ccd43f0b3497be76fbada66f36e3f4663c75631d7185c8f

SHA512
e2263ffda7e16b735144840f985b8562d8f758719bb1ddb6ca0afe930d86960ffb96535da26e9dc8a3d07e3acd39d327ce72b1d0067479ed78f959d3163ef229

Download Submit
C:\Windows\System\MnjfRwe.exe

Filesize
5.2MB

MD5
9711e648afac34713be5696c4a222a07

SHA1
706857a59fc87e6987f8596da5951229decd780d

SHA256
2ba7defbcbfd6941bb378bdab095218364a3487720afde88cb3f323dfc558fe6

SHA512
6db200db54a833e2d23f005df0862e269368b3ff12bdece7446e57e6e2d76c97331864410d36777f1de1428e3526d7039cb9935dadcbf4b77cac47329cc8da73

Download Submit
C:\Windows\System\OOOYAUE.exe

Filesize
5.2MB

MD5
8dc5acf815073a115055923288142407

SHA1
10a638833d067637753f789593c7caede3ca4d7a

SHA256
5e0e551c61baaaef3b585785fc0e53366baed96ed798468af5580a9c0e45cf48

SHA512
a04f15b5a194106777c764180a0a1cbcfff44d5858cd20ea8b6f837d297778cd514047d2a2ab4ebbb0cff23b6c4b7bf36a895c4d9258956a7511855b787eae13

Download Submit
C:\Windows\System\TQvikmv.exe

Filesize
5.2MB

MD5
c9034b67f90e20d250b918c9c3ce259b

SHA1
9c6798f625dcacdc9cc7bd1f19628976335032e5

SHA256
633c21a6959fd97b9da9fe1a569c34bb85df42bcc07cc924d8be525366434c44

SHA512
3a3d1eaa3a1dbd158a6cb3daffbb3f36b84419748e13df46479b8642de5838e91cdee3800d9f920a083b2445a45b9cc4b67a7b61152dbd69a603798996512bb7

Download Submit
C:\Windows\System\VEFLqYj.exe

Filesize
5.2MB

MD5
6b9fd30e1bf9c8bd87074d0bbdb72fb0

SHA1
f08f111bdc07130cba091b23b40a937d2eb3c376

SHA256
2a233402c55649e6bc0e7ac04ee1884d8935c4b9bd50e752068f67d0185f38a3

SHA512
8639b60c33fe6fb5c2a2ddfe225e67bac281f0072d82e9d4c43ee864a5b33705ff8470c505829ea718a1e0704f6999b5824f96b4d857859728e507f82e34ad91

Download Submit
C:\Windows\System\VhpoyJL.exe

Filesize
5.2MB

MD5
19ffcacca1b3267a2981d3277d9d2d68

SHA1
a3171866fac40c22f3a497ac30352929da5aa3f0

SHA256
3a1964459f029f2a8ab7187409c8c67a3d806d803fe326f8531e405dd5f7cc36

SHA512
2163c9bf97889aa54bada5b20134d2dda3313359384e15f97c29888a1b97c1b872f56f96b6bf6db6131455c9cae7fea512deacc92b1830f5b2335b9652d5b520

Download Submit
C:\Windows\System\XESzhSn.exe

Filesize
5.2MB

MD5
9e2496416be38c9b67a6013723cafddf

SHA1
11f5fefa7813d4a6a74dcc5eade36a930d866404

SHA256
971337080bd3caaf0f716a0587dd1ee2095a461a61a32e503d8a3fb94a6b6034

SHA512
7d1a4c33b989681bd0e64f892cb40b0c219f307ad110fe1eb5c8ebc2c2a5b96a7df8589a5d0886951a01d59b0b8fb000766f4d80cb740d30a0c8195144a98e75

Download Submit
C:\Windows\System\bpEgpTM.exe

Filesize
5.2MB

MD5
9a540066193bb7191b136917d4abfc91

SHA1
925b1a5a586f17380da310af10084ae7fc9b96df

SHA256
1fec4aa52fdfc11d4086e7570390dbda53976305fb048ab0f02572fc53bc48d3

SHA512
13761f4e251ad84d64d5d15c2cff880a431c328b767e6f3d6aa036282c5617cd71a8f8e66a9b7f8f652d7643957fde984824c98b3b164fcf84f5540c746132fa

Download Submit
C:\Windows\System\dbTXhSV.exe

Filesize
5.2MB

MD5
434a7ebf28acb6158cdeee53b53359bf

SHA1
f1d01a87841052e1c25c50cb907ae7d96d19966c

SHA256
0f89cfea389682fd378c1b2847fe257742628d99fdf8bfbae5f52892b83f1a37

SHA512
a60dbf6702c95c13c0082796adb0f4f965adb43e36fe4051cd19cc76c7182ce05fdaf9f36dae36b7b74ae0ac917762287cfe922becb0a764dc9115028d13be85

Download Submit
C:\Windows\System\eBYMxnZ.exe

Filesize
5.2MB

MD5
3d9f72eaa4aabbd9dd5e90703c01a72d

SHA1
987163dbb569efac84cd2c0c98d93c70693cbc7b

SHA256
baf8f80559e0c90417394ebf313020147b73f8942fbd98d833e8be443fd8e700

SHA512
8be5c84c8942479b4120ff9ffbce693f97d0223d51644cb91439f439aa099943dc34aa3f9f63192095dfeba6fa66aaa512504416c03468447576928341e95052

Download Submit
C:\Windows\System\gTGJBqm.exe

Filesize
5.2MB

MD5
417f1d373c5c63f634aa95dacf67c973

SHA1
9d2ac548a3c5d4ce06f4e91b64d8eef03260fe04

SHA256
6ab2c89e8b2285e1c7d5bdf253b7598c5c0912ad50b04869aecf93ec70c23717

SHA512
dea9f2359180833f94b6d3b6371e8055aea17d214c1445a91731e24106efcba25c0fc75c2893156f09ebe52954d5a78b03d5100a8935010d013503086a92f1e2

Download Submit
C:\Windows\System\hrzMxRX.exe

Filesize
5.2MB

MD5
ba5bc9009251bfc5cad369cf229ede37

SHA1
f1614cc9a6e590961e2573f62620023f85d6ce46

SHA256
351440a9eea281f52cf2fd29dfff40ec1808ebbb6ed58b5c9397f32415e8d5f4

SHA512
f4ddcc627edd20c1ecf0da9c8be3c822837d4aa277671b20c5183ab9b4c34f76a7559c27294673df60c3ef2d9e0be25b6439d975826df0cc5a0dd3f00c3989ca

Download Submit
C:\Windows\System\kxwZRUE.exe

Filesize
5.2MB

MD5
ef4abeaec7517a327ca20d2733b01893

SHA1
6585ac9132aa9dd043787fdfb39f948b300e0a14

SHA256
6af8bb609517c4817ec680d50e3289d010f6e4984f97a533fcb6535cec413a5a

SHA512
3a01216f8bf5c50a941330468aa65d36352adc3455139a5bf815e75e4b578f908c22886bcfb273a5d5d6a3bf63029b0cc837dc9eaba69bcb26031bc42f15dc42

Download Submit
C:\Windows\System\mfXeJUM.exe

Filesize
5.2MB

MD5
d95037b2927a06f46d195186dbe24ca4

SHA1
6da518ffbf233afa731fafba776135796a03b9e8

SHA256
d122b0562709822d137ed972b236be816cf4b107ea98c8a2e8714d84eb94465c

SHA512
b90db719c4bb2feffcbed70cc689a87400e3d98b9530307862385340de22eef3e6efaea89e951dcc8ee9ebf778e5e9ae7eb94cccd6f56901fb5df2b1e231865a

Download Submit
C:\Windows\System\ojxwzsZ.exe

Filesize
5.2MB

MD5
9a278bd47f4618ac1c83fd32857ff03b

SHA1
80c2938a13142cdd129fa762d03de4d8d5eb3d87

SHA256
be55788bca51f4f312ef63d6020edc7f4f9a7e5308c83647ec700b8df5f120e9

SHA512
2e2454ae1bea04d8c282e01fc135c352f244b22ecd68fd7571d0edd8e72a5008b681918563dccb11ce71eb7e91c5fa20f83ca66abf7cc1222325937f9a079b23

Download Submit
C:\Windows\System\qEZiQLL.exe

Filesize
5.2MB

MD5
f647b2ffa2b4aa4efa00955d915f59f2

SHA1
abd4f89cd7a33f4fa267b58470acb1870d9e6fee

SHA256
0bac3aabbadee096ced38cbfc70fdf75ffa6e5fac7cd205cf02feedc3130a7f5

SHA512
8a8f966ab7c903024db529ff5b712294b412e31bbfc2fc41d02fea7657ae7da2640c931d46e41af23a1c1572d58e1ea535dc8e5d6f69f4d61cfd6d02b3703847

Download Submit
C:\Windows\System\xHHhTIR.exe

Filesize
5.2MB

MD5
a1519920dd8dfda028d3a7c2307705f1

SHA1
93fd05081ea761887979ac3588f9a3bdba7d4434

SHA256
bd98480a7b3faeca3949a9f2130c45652953e9c5aabf00268e830cc6a3a02047

SHA512
be7cb7334aa202c56c9dd02b807ac09dabca1215dea82d5689a01c2c98c110cedf1f07329fd771adef3b8432e726561647d87999f5fb154826332d8880ceb884

Download Submit
memory/324-242-0x00007FF701150000-0x00007FF7014A1000-memory.dmp

Filesize
3.3MB

Download
memory/324-139-0x00007FF701150000-0x00007FF7014A1000-memory.dmp

Filesize
3.3MB

Download
memory/324-89-0x00007FF701150000-0x00007FF7014A1000-memory.dmp

Filesize
3.3MB

Download
memory/648-145-0x00007FF7B3310000-0x00007FF7B3661000-memory.dmp

Filesize
3.3MB

Download
memory/648-258-0x00007FF7B3310000-0x00007FF7B3661000-memory.dmp

Filesize
3.3MB

Download
memory/1388-256-0x00007FF760F20000-0x00007FF761271000-memory.dmp

Filesize
3.3MB

Download
memory/1388-141-0x00007FF760F20000-0x00007FF761271000-memory.dmp

Filesize
3.3MB

Download
memory/1388-103-0x00007FF760F20000-0x00007FF761271000-memory.dmp

Filesize
3.3MB

Download
memory/1424-222-0x00007FF6C1AA0000-0x00007FF6C1DF1000-memory.dmp

Filesize
3.3MB

Download
memory/1424-131-0x00007FF6C1AA0000-0x00007FF6C1DF1000-memory.dmp

Filesize
3.3MB

Download
memory/1424-41-0x00007FF6C1AA0000-0x00007FF6C1DF1000-memory.dmp

Filesize
3.3MB

Download
memory/2128-108-0x00007FF74F520000-0x00007FF74F871000-memory.dmp

Filesize
3.3MB

Download
memory/2128-244-0x00007FF74F520000-0x00007FF74F871000-memory.dmp

Filesize
3.3MB

Download
memory/2152-246-0x00007FF7015F0000-0x00007FF701941000-memory.dmp

Filesize
3.3MB

Download
memory/2152-82-0x00007FF7015F0000-0x00007FF701941000-memory.dmp

Filesize
3.3MB

Download
memory/2152-138-0x00007FF7015F0000-0x00007FF701941000-memory.dmp

Filesize
3.3MB

Download
memory/2188-58-0x00007FF607840000-0x00007FF607B91000-memory.dmp

Filesize
3.3MB

Download
memory/2188-236-0x00007FF607840000-0x00007FF607B91000-memory.dmp

Filesize
3.3MB

Download
memory/2188-136-0x00007FF607840000-0x00007FF607B91000-memory.dmp

Filesize
3.3MB

Download
memory/2296-146-0x00007FF70A260000-0x00007FF70A5B1000-memory.dmp

Filesize
3.3MB

Download
memory/2296-253-0x00007FF70A260000-0x00007FF70A5B1000-memory.dmp

Filesize
3.3MB

Download
memory/2296-113-0x00007FF70A260000-0x00007FF70A5B1000-memory.dmp

Filesize
3.3MB

Download
memory/2380-151-0x00007FF66CA40000-0x00007FF66CD91000-memory.dmp

Filesize
3.3MB

Download
memory/2380-0-0x00007FF66CA40000-0x00007FF66CD91000-memory.dmp

Filesize
3.3MB

Download
memory/2380-142-0x00007FF66CA40000-0x00007FF66CD91000-memory.dmp

Filesize
3.3MB

Download
memory/2380-1-0x0000016F5D350000-0x0000016F5D360000-memory.dmp

Filesize
64KB

Download
memory/2380-126-0x00007FF66CA40000-0x00007FF66CD91000-memory.dmp

Filesize
3.3MB

Download
memory/2460-233-0x00007FF686300000-0x00007FF686651000-memory.dmp

Filesize
3.3MB

Download
memory/2460-135-0x00007FF686300000-0x00007FF686651000-memory.dmp

Filesize
3.3MB

Download
memory/2460-63-0x00007FF686300000-0x00007FF686651000-memory.dmp

Filesize
3.3MB

Download
memory/2740-249-0x00007FF7B8D20000-0x00007FF7B9071000-memory.dmp

Filesize
3.3MB

Download
memory/2740-125-0x00007FF7B8D20000-0x00007FF7B9071000-memory.dmp

Filesize
3.3MB

Download
memory/3168-134-0x00007FF654140000-0x00007FF654491000-memory.dmp

Filesize
3.3MB

Download
memory/3168-230-0x00007FF654140000-0x00007FF654491000-memory.dmp

Filesize
3.3MB

Download
memory/3168-48-0x00007FF654140000-0x00007FF654491000-memory.dmp

Filesize
3.3MB

Download
memory/3472-24-0x00007FF6E8DD0000-0x00007FF6E9121000-memory.dmp

Filesize
3.3MB

Download
memory/3472-129-0x00007FF6E8DD0000-0x00007FF6E9121000-memory.dmp

Filesize
3.3MB

Download
memory/3472-220-0x00007FF6E8DD0000-0x00007FF6E9121000-memory.dmp

Filesize
3.3MB

Download
memory/3508-144-0x00007FF692360000-0x00007FF6926B1000-memory.dmp

Filesize
3.3MB

Download
memory/3508-255-0x00007FF692360000-0x00007FF6926B1000-memory.dmp

Filesize
3.3MB

Download
memory/3592-128-0x00007FF72CE40000-0x00007FF72D191000-memory.dmp

Filesize
3.3MB

Download
memory/3592-19-0x00007FF72CE40000-0x00007FF72D191000-memory.dmp

Filesize
3.3MB

Download
memory/3592-205-0x00007FF72CE40000-0x00007FF72D191000-memory.dmp

Filesize
3.3MB

Download
memory/3640-228-0x00007FF7BF6A0000-0x00007FF7BF9F1000-memory.dmp

Filesize
3.3MB

Download
memory/3640-60-0x00007FF7BF6A0000-0x00007FF7BF9F1000-memory.dmp

Filesize
3.3MB

Download
memory/4336-104-0x00007FF654530000-0x00007FF654881000-memory.dmp

Filesize
3.3MB

Download
memory/4336-241-0x00007FF654530000-0x00007FF654881000-memory.dmp

Filesize
3.3MB

Download
memory/4460-235-0x00007FF70AB40000-0x00007FF70AE91000-memory.dmp

Filesize
3.3MB

Download
memory/4460-70-0x00007FF70AB40000-0x00007FF70AE91000-memory.dmp

Filesize
3.3MB

Download
memory/4460-137-0x00007FF70AB40000-0x00007FF70AE91000-memory.dmp

Filesize
3.3MB

Download
memory/4712-203-0x00007FF6E8590000-0x00007FF6E88E1000-memory.dmp

Filesize
3.3MB

Download
memory/4712-127-0x00007FF6E8590000-0x00007FF6E88E1000-memory.dmp

Filesize
3.3MB

Download
memory/4712-8-0x00007FF6E8590000-0x00007FF6E88E1000-memory.dmp

Filesize
3.3MB

Download
memory/4776-226-0x00007FF7A7CD0000-0x00007FF7A8021000-memory.dmp

Filesize
3.3MB

Download
memory/4776-130-0x00007FF7A7CD0000-0x00007FF7A8021000-memory.dmp

Filesize
3.3MB

Download
memory/4776-29-0x00007FF7A7CD0000-0x00007FF7A8021000-memory.dmp

Filesize
3.3MB

Download
memory/5052-225-0x00007FF77B870000-0x00007FF77BBC1000-memory.dmp

Filesize
3.3MB

Download
memory/5052-44-0x00007FF77B870000-0x00007FF77BBC1000-memory.dmp

Filesize
3.3MB

Download
memory/5052-133-0x00007FF77B870000-0x00007FF77BBC1000-memory.dmp

Filesize
3.3MB

Download
memory/5104-120-0x00007FF6DCAA0000-0x00007FF6DCDF1000-memory.dmp

Filesize
3.3MB

Download
memory/5104-148-0x00007FF6DCAA0000-0x00007FF6DCDF1000-memory.dmp

Filesize
3.3MB

Download
memory/5104-250-0x00007FF6DCAA0000-0x00007FF6DCDF1000-memory.dmp

Filesize
3.3MB

Download