cobaltstrike | 13384ae5493fd2f68aaa3bea80b2721d4053c7799aafa32b01d3c426c579685a

Analysis

max time kernel
143s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 05:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-22_58bbde8035131adb1200dff743889aae_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

58bbde8035131adb1200dff743889aae
SHA1

6419a6e7e9894275bd3c844dfd6d109785a1f58e
SHA256

13384ae5493fd2f68aaa3bea80b2721d4053c7799aafa32b01d3c426c579685a
SHA512

86969d55f5ebc5bb3e0eb441cdf38440f8e36ba317e311cd76f39eb5f6a91d5f1e71280b9ae36cfb320287c6a9484e441e2e7bacbb5174ef5f2a4136ad8e3694
SSDEEP

49152:ROdWCCi7/raN56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lr:RWWBib+56utgpPFotBER/mQ32lU3

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000b000000023baa-4.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023bae-11.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023baf-16.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023bb0-23.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023bab-28.dat	cobalt_reflective_dll
behavioral2/files/0x000e000000023bbf-34.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bc8-40.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023bcd-47.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023bcf-65.dat	cobalt_reflective_dll
behavioral2/files/0x000e000000023bd3-77.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bd9-82.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bd8-87.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bdb-111.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c0b-116.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c0a-109.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bda-99.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bd5-74.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023bce-59.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c0c-128.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c0d-132.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c0e-140.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 44 IoCs

miner

resource	yara_rule
behavioral2/memory/4892-86-0x00007FF620380000-0x00007FF6206D1000-memory.dmp	xmrig
behavioral2/memory/972-114-0x00007FF7E1370000-0x00007FF7E16C1000-memory.dmp	xmrig
behavioral2/memory/3764-97-0x00007FF71C6C0000-0x00007FF71CA11000-memory.dmp	xmrig
behavioral2/memory/1068-94-0x00007FF7353B0000-0x00007FF735701000-memory.dmp	xmrig
behavioral2/memory/4708-83-0x00007FF60D300000-0x00007FF60D651000-memory.dmp	xmrig
behavioral2/memory/1844-79-0x00007FF7A4AF0000-0x00007FF7A4E41000-memory.dmp	xmrig
behavioral2/memory/2428-73-0x00007FF7A8380000-0x00007FF7A86D1000-memory.dmp	xmrig
behavioral2/memory/4880-71-0x00007FF7603D0000-0x00007FF760721000-memory.dmp	xmrig
behavioral2/memory/1924-63-0x00007FF66D590000-0x00007FF66D8E1000-memory.dmp	xmrig
behavioral2/memory/3936-62-0x00007FF6885C0000-0x00007FF688911000-memory.dmp	xmrig
behavioral2/memory/760-136-0x00007FF760170000-0x00007FF7604C1000-memory.dmp	xmrig
behavioral2/memory/1356-145-0x00007FF772BF0000-0x00007FF772F41000-memory.dmp	xmrig
behavioral2/memory/4640-144-0x00007FF600ED0000-0x00007FF601221000-memory.dmp	xmrig
behavioral2/memory/2496-143-0x00007FF789710000-0x00007FF789A61000-memory.dmp	xmrig
behavioral2/memory/3008-142-0x00007FF744360000-0x00007FF7446B1000-memory.dmp	xmrig
behavioral2/memory/3980-138-0x00007FF63ADD0000-0x00007FF63B121000-memory.dmp	xmrig
behavioral2/memory/832-153-0x00007FF7856C0000-0x00007FF785A11000-memory.dmp	xmrig
behavioral2/memory/3820-154-0x00007FF6D2F70000-0x00007FF6D32C1000-memory.dmp	xmrig
behavioral2/memory/4968-156-0x00007FF72ACB0000-0x00007FF72B001000-memory.dmp	xmrig
behavioral2/memory/2100-155-0x00007FF7D3540000-0x00007FF7D3891000-memory.dmp	xmrig
behavioral2/memory/3604-152-0x00007FF6CD6B0000-0x00007FF6CDA01000-memory.dmp	xmrig
behavioral2/memory/1748-158-0x00007FF7626F0000-0x00007FF762A41000-memory.dmp	xmrig
behavioral2/memory/3936-159-0x00007FF6885C0000-0x00007FF688911000-memory.dmp	xmrig
behavioral2/memory/2428-209-0x00007FF7A8380000-0x00007FF7A86D1000-memory.dmp	xmrig
behavioral2/memory/4708-211-0x00007FF60D300000-0x00007FF60D651000-memory.dmp	xmrig
behavioral2/memory/4892-213-0x00007FF620380000-0x00007FF6206D1000-memory.dmp	xmrig
behavioral2/memory/1068-218-0x00007FF7353B0000-0x00007FF735701000-memory.dmp	xmrig
behavioral2/memory/3764-220-0x00007FF71C6C0000-0x00007FF71CA11000-memory.dmp	xmrig
behavioral2/memory/972-222-0x00007FF7E1370000-0x00007FF7E16C1000-memory.dmp	xmrig
behavioral2/memory/760-233-0x00007FF760170000-0x00007FF7604C1000-memory.dmp	xmrig
behavioral2/memory/2496-235-0x00007FF789710000-0x00007FF789A61000-memory.dmp	xmrig
behavioral2/memory/1924-237-0x00007FF66D590000-0x00007FF66D8E1000-memory.dmp	xmrig
behavioral2/memory/4880-239-0x00007FF7603D0000-0x00007FF760721000-memory.dmp	xmrig
behavioral2/memory/4640-242-0x00007FF600ED0000-0x00007FF601221000-memory.dmp	xmrig
behavioral2/memory/1844-243-0x00007FF7A4AF0000-0x00007FF7A4E41000-memory.dmp	xmrig
behavioral2/memory/3604-251-0x00007FF6CD6B0000-0x00007FF6CDA01000-memory.dmp	xmrig
behavioral2/memory/1748-252-0x00007FF7626F0000-0x00007FF762A41000-memory.dmp	xmrig
behavioral2/memory/832-254-0x00007FF7856C0000-0x00007FF785A11000-memory.dmp	xmrig
behavioral2/memory/3820-256-0x00007FF6D2F70000-0x00007FF6D32C1000-memory.dmp	xmrig
behavioral2/memory/2100-258-0x00007FF7D3540000-0x00007FF7D3891000-memory.dmp	xmrig
behavioral2/memory/4968-260-0x00007FF72ACB0000-0x00007FF72B001000-memory.dmp	xmrig
behavioral2/memory/3980-265-0x00007FF63ADD0000-0x00007FF63B121000-memory.dmp	xmrig
behavioral2/memory/3008-267-0x00007FF744360000-0x00007FF7446B1000-memory.dmp	xmrig
behavioral2/memory/1356-269-0x00007FF772BF0000-0x00007FF772F41000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2428	vusenFn.exe
4708	NtEDrEM.exe
4892	AxFANqZ.exe
1068	kjVuKEd.exe
3764	VQBnEBa.exe
972	FKrqEEt.exe
760	xkOeOow.exe
2496	DpEEwcu.exe
1924	AtiEzqE.exe
4880	LiIqblP.exe
4640	zjSdQRT.exe
1844	upWNFGG.exe
1748	PcDSJTD.exe
3604	zNEQgBW.exe
832	fXjaXaV.exe
2100	KOhdXHh.exe
3820	QmdXSfL.exe
4968	MmoJxXs.exe
3980	waWOiqw.exe
3008	tqEggVo.exe
1356	jQZcTTE.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3936-0-0x00007FF6885C0000-0x00007FF688911000-memory.dmp	upx
behavioral2/files/0x000b000000023baa-4.dat	upx
behavioral2/memory/2428-8-0x00007FF7A8380000-0x00007FF7A86D1000-memory.dmp	upx
behavioral2/files/0x000b000000023bae-11.dat	upx
behavioral2/files/0x000b000000023baf-16.dat	upx
behavioral2/memory/4892-18-0x00007FF620380000-0x00007FF6206D1000-memory.dmp	upx
behavioral2/memory/4708-13-0x00007FF60D300000-0x00007FF60D651000-memory.dmp	upx
behavioral2/files/0x000b000000023bb0-23.dat	upx
behavioral2/files/0x000b000000023bab-28.dat	upx
behavioral2/memory/3764-30-0x00007FF71C6C0000-0x00007FF71CA11000-memory.dmp	upx
behavioral2/files/0x000e000000023bbf-34.dat	upx
behavioral2/memory/972-36-0x00007FF7E1370000-0x00007FF7E16C1000-memory.dmp	upx
behavioral2/memory/1068-24-0x00007FF7353B0000-0x00007FF735701000-memory.dmp	upx
behavioral2/files/0x0008000000023bc8-40.dat	upx
behavioral2/memory/760-44-0x00007FF760170000-0x00007FF7604C1000-memory.dmp	upx
behavioral2/files/0x0009000000023bcd-47.dat	upx
behavioral2/memory/2496-48-0x00007FF789710000-0x00007FF789A61000-memory.dmp	upx
behavioral2/files/0x0009000000023bcf-65.dat	upx
behavioral2/memory/4640-69-0x00007FF600ED0000-0x00007FF601221000-memory.dmp	upx
behavioral2/files/0x000e000000023bd3-77.dat	upx
behavioral2/files/0x0008000000023bd9-82.dat	upx
behavioral2/files/0x0008000000023bd8-87.dat	upx
behavioral2/memory/4892-86-0x00007FF620380000-0x00007FF6206D1000-memory.dmp	upx
behavioral2/memory/2100-105-0x00007FF7D3540000-0x00007FF7D3891000-memory.dmp	upx
behavioral2/files/0x0008000000023bdb-111.dat	upx
behavioral2/files/0x0008000000023c0b-116.dat	upx
behavioral2/memory/4968-115-0x00007FF72ACB0000-0x00007FF72B001000-memory.dmp	upx
behavioral2/memory/972-114-0x00007FF7E1370000-0x00007FF7E16C1000-memory.dmp	upx
behavioral2/files/0x0008000000023c0a-109.dat	upx
behavioral2/memory/3820-108-0x00007FF6D2F70000-0x00007FF6D32C1000-memory.dmp	upx
behavioral2/files/0x0008000000023bda-99.dat	upx
behavioral2/memory/832-98-0x00007FF7856C0000-0x00007FF785A11000-memory.dmp	upx
behavioral2/memory/3764-97-0x00007FF71C6C0000-0x00007FF71CA11000-memory.dmp	upx
behavioral2/memory/1068-94-0x00007FF7353B0000-0x00007FF735701000-memory.dmp	upx
behavioral2/memory/3604-85-0x00007FF6CD6B0000-0x00007FF6CDA01000-memory.dmp	upx
behavioral2/memory/1748-84-0x00007FF7626F0000-0x00007FF762A41000-memory.dmp	upx
behavioral2/memory/4708-83-0x00007FF60D300000-0x00007FF60D651000-memory.dmp	upx
behavioral2/memory/1844-79-0x00007FF7A4AF0000-0x00007FF7A4E41000-memory.dmp	upx
behavioral2/files/0x0008000000023bd5-74.dat	upx
behavioral2/memory/2428-73-0x00007FF7A8380000-0x00007FF7A86D1000-memory.dmp	upx
behavioral2/memory/4880-71-0x00007FF7603D0000-0x00007FF760721000-memory.dmp	upx
behavioral2/memory/1924-63-0x00007FF66D590000-0x00007FF66D8E1000-memory.dmp	upx
behavioral2/memory/3936-62-0x00007FF6885C0000-0x00007FF688911000-memory.dmp	upx
behavioral2/files/0x0009000000023bce-59.dat	upx
behavioral2/files/0x0008000000023c0c-128.dat	upx
behavioral2/files/0x0008000000023c0d-132.dat	upx
behavioral2/memory/760-136-0x00007FF760170000-0x00007FF7604C1000-memory.dmp	upx
behavioral2/files/0x0008000000023c0e-140.dat	upx
behavioral2/memory/1356-145-0x00007FF772BF0000-0x00007FF772F41000-memory.dmp	upx
behavioral2/memory/4640-144-0x00007FF600ED0000-0x00007FF601221000-memory.dmp	upx
behavioral2/memory/2496-143-0x00007FF789710000-0x00007FF789A61000-memory.dmp	upx
behavioral2/memory/3008-142-0x00007FF744360000-0x00007FF7446B1000-memory.dmp	upx
behavioral2/memory/3980-138-0x00007FF63ADD0000-0x00007FF63B121000-memory.dmp	upx
behavioral2/memory/832-153-0x00007FF7856C0000-0x00007FF785A11000-memory.dmp	upx
behavioral2/memory/3820-154-0x00007FF6D2F70000-0x00007FF6D32C1000-memory.dmp	upx
behavioral2/memory/4968-156-0x00007FF72ACB0000-0x00007FF72B001000-memory.dmp	upx
behavioral2/memory/2100-155-0x00007FF7D3540000-0x00007FF7D3891000-memory.dmp	upx
behavioral2/memory/3604-152-0x00007FF6CD6B0000-0x00007FF6CDA01000-memory.dmp	upx
behavioral2/memory/1748-158-0x00007FF7626F0000-0x00007FF762A41000-memory.dmp	upx
behavioral2/memory/3936-159-0x00007FF6885C0000-0x00007FF688911000-memory.dmp	upx
behavioral2/memory/2428-209-0x00007FF7A8380000-0x00007FF7A86D1000-memory.dmp	upx
behavioral2/memory/4708-211-0x00007FF60D300000-0x00007FF60D651000-memory.dmp	upx
behavioral2/memory/4892-213-0x00007FF620380000-0x00007FF6206D1000-memory.dmp	upx
behavioral2/memory/1068-218-0x00007FF7353B0000-0x00007FF735701000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\upWNFGG.exe	2024-12-22_58bbde8035131adb1200dff743889aae_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fXjaXaV.exe	2024-12-22_58bbde8035131adb1200dff743889aae_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\waWOiqw.exe	2024-12-22_58bbde8035131adb1200dff743889aae_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jQZcTTE.exe	2024-12-22_58bbde8035131adb1200dff743889aae_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NtEDrEM.exe	2024-12-22_58bbde8035131adb1200dff743889aae_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AtiEzqE.exe	2024-12-22_58bbde8035131adb1200dff743889aae_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LiIqblP.exe	2024-12-22_58bbde8035131adb1200dff743889aae_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PcDSJTD.exe	2024-12-22_58bbde8035131adb1200dff743889aae_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zNEQgBW.exe	2024-12-22_58bbde8035131adb1200dff743889aae_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kjVuKEd.exe	2024-12-22_58bbde8035131adb1200dff743889aae_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VQBnEBa.exe	2024-12-22_58bbde8035131adb1200dff743889aae_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DpEEwcu.exe	2024-12-22_58bbde8035131adb1200dff743889aae_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MmoJxXs.exe	2024-12-22_58bbde8035131adb1200dff743889aae_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tqEggVo.exe	2024-12-22_58bbde8035131adb1200dff743889aae_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FKrqEEt.exe	2024-12-22_58bbde8035131adb1200dff743889aae_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zjSdQRT.exe	2024-12-22_58bbde8035131adb1200dff743889aae_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QmdXSfL.exe	2024-12-22_58bbde8035131adb1200dff743889aae_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KOhdXHh.exe	2024-12-22_58bbde8035131adb1200dff743889aae_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vusenFn.exe	2024-12-22_58bbde8035131adb1200dff743889aae_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AxFANqZ.exe	2024-12-22_58bbde8035131adb1200dff743889aae_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xkOeOow.exe	2024-12-22_58bbde8035131adb1200dff743889aae_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3936	2024-12-22_58bbde8035131adb1200dff743889aae_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	3936	2024-12-22_58bbde8035131adb1200dff743889aae_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3936 wrote to memory of 2428	3936	2024-12-22_58bbde8035131adb1200dff743889aae_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3936 wrote to memory of 2428	3936	2024-12-22_58bbde8035131adb1200dff743889aae_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3936 wrote to memory of 4708	3936	2024-12-22_58bbde8035131adb1200dff743889aae_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3936 wrote to memory of 4708	3936	2024-12-22_58bbde8035131adb1200dff743889aae_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3936 wrote to memory of 4892	3936	2024-12-22_58bbde8035131adb1200dff743889aae_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3936 wrote to memory of 4892	3936	2024-12-22_58bbde8035131adb1200dff743889aae_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3936 wrote to memory of 1068	3936	2024-12-22_58bbde8035131adb1200dff743889aae_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3936 wrote to memory of 1068	3936	2024-12-22_58bbde8035131adb1200dff743889aae_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3936 wrote to memory of 3764	3936	2024-12-22_58bbde8035131adb1200dff743889aae_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3936 wrote to memory of 3764	3936	2024-12-22_58bbde8035131adb1200dff743889aae_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3936 wrote to memory of 972	3936	2024-12-22_58bbde8035131adb1200dff743889aae_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3936 wrote to memory of 972	3936	2024-12-22_58bbde8035131adb1200dff743889aae_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3936 wrote to memory of 760	3936	2024-12-22_58bbde8035131adb1200dff743889aae_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3936 wrote to memory of 760	3936	2024-12-22_58bbde8035131adb1200dff743889aae_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3936 wrote to memory of 2496	3936	2024-12-22_58bbde8035131adb1200dff743889aae_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3936 wrote to memory of 2496	3936	2024-12-22_58bbde8035131adb1200dff743889aae_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3936 wrote to memory of 1924	3936	2024-12-22_58bbde8035131adb1200dff743889aae_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3936 wrote to memory of 1924	3936	2024-12-22_58bbde8035131adb1200dff743889aae_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3936 wrote to memory of 4880	3936	2024-12-22_58bbde8035131adb1200dff743889aae_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3936 wrote to memory of 4880	3936	2024-12-22_58bbde8035131adb1200dff743889aae_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3936 wrote to memory of 4640	3936	2024-12-22_58bbde8035131adb1200dff743889aae_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3936 wrote to memory of 4640	3936	2024-12-22_58bbde8035131adb1200dff743889aae_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3936 wrote to memory of 1844	3936	2024-12-22_58bbde8035131adb1200dff743889aae_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3936 wrote to memory of 1844	3936	2024-12-22_58bbde8035131adb1200dff743889aae_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3936 wrote to memory of 1748	3936	2024-12-22_58bbde8035131adb1200dff743889aae_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3936 wrote to memory of 1748	3936	2024-12-22_58bbde8035131adb1200dff743889aae_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3936 wrote to memory of 3604	3936	2024-12-22_58bbde8035131adb1200dff743889aae_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3936 wrote to memory of 3604	3936	2024-12-22_58bbde8035131adb1200dff743889aae_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3936 wrote to memory of 832	3936	2024-12-22_58bbde8035131adb1200dff743889aae_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3936 wrote to memory of 832	3936	2024-12-22_58bbde8035131adb1200dff743889aae_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3936 wrote to memory of 3820	3936	2024-12-22_58bbde8035131adb1200dff743889aae_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3936 wrote to memory of 3820	3936	2024-12-22_58bbde8035131adb1200dff743889aae_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3936 wrote to memory of 2100	3936	2024-12-22_58bbde8035131adb1200dff743889aae_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3936 wrote to memory of 2100	3936	2024-12-22_58bbde8035131adb1200dff743889aae_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3936 wrote to memory of 4968	3936	2024-12-22_58bbde8035131adb1200dff743889aae_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3936 wrote to memory of 4968	3936	2024-12-22_58bbde8035131adb1200dff743889aae_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3936 wrote to memory of 3980	3936	2024-12-22_58bbde8035131adb1200dff743889aae_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3936 wrote to memory of 3980	3936	2024-12-22_58bbde8035131adb1200dff743889aae_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3936 wrote to memory of 3008	3936	2024-12-22_58bbde8035131adb1200dff743889aae_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3936 wrote to memory of 3008	3936	2024-12-22_58bbde8035131adb1200dff743889aae_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3936 wrote to memory of 1356	3936	2024-12-22_58bbde8035131adb1200dff743889aae_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 3936 wrote to memory of 1356	3936	2024-12-22_58bbde8035131adb1200dff743889aae_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-12-22_58bbde8035131adb1200dff743889aae_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-22_58bbde8035131adb1200dff743889aae_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3936
- C:\Windows\System\vusenFn.exe
  C:\Windows\System\vusenFn.exe
  2⤵
  - Executes dropped EXE
  PID:2428
- C:\Windows\System\NtEDrEM.exe
  C:\Windows\System\NtEDrEM.exe
  2⤵
  - Executes dropped EXE
  PID:4708
- C:\Windows\System\AxFANqZ.exe
  C:\Windows\System\AxFANqZ.exe
  2⤵
  - Executes dropped EXE
  PID:4892
- C:\Windows\System\kjVuKEd.exe
  C:\Windows\System\kjVuKEd.exe
  2⤵
  - Executes dropped EXE
  PID:1068
- C:\Windows\System\VQBnEBa.exe
  C:\Windows\System\VQBnEBa.exe
  2⤵
  - Executes dropped EXE
  PID:3764
- C:\Windows\System\FKrqEEt.exe
  C:\Windows\System\FKrqEEt.exe
  2⤵
  - Executes dropped EXE
  PID:972
- C:\Windows\System\xkOeOow.exe
  C:\Windows\System\xkOeOow.exe
  2⤵
  - Executes dropped EXE
  PID:760
- C:\Windows\System\DpEEwcu.exe
  C:\Windows\System\DpEEwcu.exe
  2⤵
  - Executes dropped EXE
  PID:2496
- C:\Windows\System\AtiEzqE.exe
  C:\Windows\System\AtiEzqE.exe
  2⤵
  - Executes dropped EXE
  PID:1924
- C:\Windows\System\LiIqblP.exe
  C:\Windows\System\LiIqblP.exe
  2⤵
  - Executes dropped EXE
  PID:4880
- C:\Windows\System\zjSdQRT.exe
  C:\Windows\System\zjSdQRT.exe
  2⤵
  - Executes dropped EXE
  PID:4640
- C:\Windows\System\upWNFGG.exe
  C:\Windows\System\upWNFGG.exe
  2⤵
  - Executes dropped EXE
  PID:1844
- C:\Windows\System\PcDSJTD.exe
  C:\Windows\System\PcDSJTD.exe
  2⤵
  - Executes dropped EXE
  PID:1748
- C:\Windows\System\zNEQgBW.exe
  C:\Windows\System\zNEQgBW.exe
  2⤵
  - Executes dropped EXE
  PID:3604
- C:\Windows\System\fXjaXaV.exe
  C:\Windows\System\fXjaXaV.exe
  2⤵
  - Executes dropped EXE
  PID:832
- C:\Windows\System\QmdXSfL.exe
  C:\Windows\System\QmdXSfL.exe
  2⤵
  - Executes dropped EXE
  PID:3820
- C:\Windows\System\KOhdXHh.exe
  C:\Windows\System\KOhdXHh.exe
  2⤵
  - Executes dropped EXE
  PID:2100
- C:\Windows\System\MmoJxXs.exe
  C:\Windows\System\MmoJxXs.exe
  2⤵
  - Executes dropped EXE
  PID:4968
- C:\Windows\System\waWOiqw.exe
  C:\Windows\System\waWOiqw.exe
  2⤵
  - Executes dropped EXE
  PID:3980
- C:\Windows\System\tqEggVo.exe
  C:\Windows\System\tqEggVo.exe
  2⤵
  - Executes dropped EXE
  PID:3008
- C:\Windows\System\jQZcTTE.exe
  C:\Windows\System\jQZcTTE.exe
  2⤵
  - Executes dropped EXE
  PID:1356

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AtiEzqE.exe

Filesize
5.2MB

MD5
b7076f54ea4d08847b0306c84e0b11dc

SHA1
f91bfda53111ac2ebdecafb0c8e4cd3933102306

SHA256
540159ac2dce2ff30538e31ef0ba5fe7618b67f60442529da680e88118b40135

SHA512
b1dd5f27f7c6ba721008519c67f5bd45eaf958473cdc7024e928e9ba4f4bf63a6cfabba63ee2f982c0605576b162835d8242c6950f4a07f6fb0d9c1beb791a5a

Download Submit
C:\Windows\System\AxFANqZ.exe

Filesize
5.2MB

MD5
0eac667770ac1dfeb6fd7cf5cb838dc1

SHA1
441ec47446499089124044cbf3a73950a47a4145

SHA256
2f2c81915b6e47587731fd389177209064c6539502bb179ac239c9e1d508c247

SHA512
a59eb443246f0171ee48d9b96dae3bd996369166ea2a0663f85ddd0b19c9350858673ffafc3d1ef587165ad0dcc698e5af38b13b80a9af25a630c2ae7d36aabf

Download Submit
C:\Windows\System\DpEEwcu.exe

Filesize
5.2MB

MD5
37180ff0a87ff09fb3ed19517089788d

SHA1
682c58290c07bbaed7cd66b881a81e87fdd5cbe0

SHA256
f83821b0c53a957be454ff433d4eaaeaa13737d7f00f3725ee546280a97a84b7

SHA512
3b53cbe16e627eddc945fb82cd609f7f0f06d99cd478612a894e8f7cee54c89aeb11c6598dbd7e5a78dfc402af9b5383c3663b6f35b725a9791e9d4c5a31bc68

Download Submit
C:\Windows\System\FKrqEEt.exe

Filesize
5.2MB

MD5
7ec57ec3ef747d51dd05e68efe84f826

SHA1
20969cacec6974deade64d4f5d47c21386238ee3

SHA256
53d17b5d6e432d5f3d2279f05cac37d8598f56a84c7d21f383258eb5d9268c99

SHA512
504487a4c5e372b2dddc1aa01dbda3558c6483eec7308ebaa9e2f94ab9cb6a44ab6a2b80e0ce78763f5ea59b38ebb0dcf3a590c8a1a158af6190396e2b6f3f3a

Download Submit
C:\Windows\System\KOhdXHh.exe

Filesize
5.2MB

MD5
75537ab6f80b09b6fd8d507e09e0517f

SHA1
28f1cf7b80e93dc8f3649f14bb655c7d14a7bea2

SHA256
80f4cff33ba2e18ba99baecfc2ca816ebde7d982f236f8cd1f3640811c58d229

SHA512
411413c32be69e723f962411220f1a7c80ca5c0ba11904a3f8db055ed30989b9dde6f44301a3c8fe6700e57efb10417b8a403ca0ef92af82850b805375f7a649

Download Submit
C:\Windows\System\LiIqblP.exe

Filesize
5.2MB

MD5
966114d2f41b5f9c2cc05f8067e8a2aa

SHA1
50180443e7ec86a94bf44b3797fb380dd5c45068

SHA256
dca52f11f36c9ab1e071f7ce5d195647e33d5077d2d03896c7ffe9c4356c5e06

SHA512
cbb970f5b83df8c4aff66d49dc396ef6da7cd9cc6e30e4003188dd649b6f5ad0d94228f278ef9cc13a88bb61f7fe9ab435b4f50578941b9a4f7856a1f64f8080

Download Submit
C:\Windows\System\MmoJxXs.exe

Filesize
5.2MB

MD5
03faf96c2a057c396c55fb0b01c53e1f

SHA1
91d601bc671acbac9ee74abadb801f703740b489

SHA256
a373732d5227a69fe1f91d065f1e0be2f1fa266a7480e9ff96fc2ea8acbdcbfb

SHA512
d605a64e8c5fb93598e1c0adcc0bfddc515206303871dc6ea71732a066fc92e68eb39d214f3d086010e965803ace09b516f622b7fafa64e0471d5830a778cd0d

Download Submit
C:\Windows\System\NtEDrEM.exe

Filesize
5.2MB

MD5
9b475b2dea4ee592c030680e0e9f82da

SHA1
3425acf04610dc3b5457f11abbc6c69ff74ece44

SHA256
00df65f216a03d881bbb00faabcce169954f0c4c88f7839c990aaed29d7e7070

SHA512
394b7da363a76ca861891b5057a68ab1b3558c27aed9e7e6344d42b6a3fba359f411a6c579e2a4ba5b204a0d8defc84ce8cdab1f0583401342dab18935c6c4bd

Download Submit
C:\Windows\System\PcDSJTD.exe

Filesize
5.2MB

MD5
d510d0ddf91fdf18d520a2bd89fa4fd0

SHA1
bad6250f069f0a10ea6ec50859058705ccfa1d5d

SHA256
0daf30c14d7a39a69dbe46bd737f1561725c5e30dabf2b832b47de7431de2228

SHA512
2bf2ea012caa8c10a753c2ccc1be430775bac736db1b520ba3ae064e769b694ad842b1d52ca7450d78ac93d5d7da3715af431900fc254c284aebd2447dd0f60a

Download Submit
C:\Windows\System\QmdXSfL.exe

Filesize
5.2MB

MD5
5370b816af020d6998f746c4696f0dcc

SHA1
7d2e7fada85547725b5ece585f6cdaf49e4428f4

SHA256
7bd8cb7e276b31ba6b5f3f259c1c81a7c102b957aa9264cc112e67c1854f0b38

SHA512
17f9526387cd4290985c83e67ade9f29d22a74b394e764afb3922247635010fc14d6b58c8ce273ff09ce3dd36b207366425f314baa3a4dc6f0ed380216419da9

Download Submit
C:\Windows\System\VQBnEBa.exe

Filesize
5.2MB

MD5
b2cf97131d7591e930cf5d38187f447b

SHA1
75efb5331d6a106c3c2761e2586dcfdc9b3820a7

SHA256
c555ec54f8dc076c5ea93e547178b182858536a85e9551f7454219d704d495a2

SHA512
894caf9c43f8066277e99db3ef85641fe62f80a6159d3dd8e2263fdd2f3776afda9fa4403926f125f7220c19768dae9de6d1e3298f3d09afbf8fca0cce64123c

Download Submit
C:\Windows\System\fXjaXaV.exe

Filesize
5.2MB

MD5
454b64c99bf66b6e0a3d23d3b19d86d1

SHA1
9efa7d97ffb11e89997569f958f9d89080e9927b

SHA256
e90bcd79cfedb702aa07e52bccaa2d88b893bbd18ddfc7880dddd5047bb8bfef

SHA512
ffadd7c968ce7916ef1d6264c930216af12f439429c3795eb7e32391d5e71c12520414d54879317a4707ff60ab337214bfea4a6494b3012659df9921f2098145

Download Submit
C:\Windows\System\jQZcTTE.exe

Filesize
5.2MB

MD5
223c134c1220c7eb6f1cbdb4f9c189c3

SHA1
780f16ccfd57a0e5903d40544709786b4609c9ff

SHA256
38b95335eeea266eccd9dd0a931a8fc3552218fcca4eb7af77ff0de8c7fb0e1f

SHA512
89a1fc302444db95052bb3d3cd5e7922aecc6dcee7c9bc6682301cb865ad8348d761eee8aa91021b4c8c6957d8c6898bba678614a33a4fc70dcde445180110a0

Download Submit
C:\Windows\System\kjVuKEd.exe

Filesize
5.2MB

MD5
0a5757e58252472354dc6530de9733ba

SHA1
10b22a248cffdd7dbbcf12cdefc9fe08125887de

SHA256
e0119db538316c08fe4b3b85df15d65c0f6abbf3443ab3ff15020dc14b4736d3

SHA512
aabb9583d7ffa41f6cc8971a01a889c6f2878e7888825004dab4d5ccaa739617992067c10e3db2e427f450f5f3cd6522443045f159d15a4fabcd89a8a59910a0

Download Submit
C:\Windows\System\tqEggVo.exe

Filesize
5.2MB

MD5
6135bfec77a2e70b6d5bb2bd0aa304de

SHA1
4c463d3f8a122f9fd71a07a03324e4f714921fed

SHA256
799a3d00cd6715f45614f207a414e5f7ead3217c19511e54cfb00a41340759e3

SHA512
dea4236cf74c8afc40f098f8dd5dd07258410b8da446b5bbbe73289bcc112361746563bda5dbba4f72697187ddf18cb49f7a1fa63ccbe53d98f8fc21f11d7221

Download Submit
C:\Windows\System\upWNFGG.exe

Filesize
5.2MB

MD5
e2dcd82bbfdeb1064cd3c0d5155cbc6b

SHA1
fa22121ee9b327da06c05c79bc1cf833cdc5ce42

SHA256
466905be13b02c440858b86bb438243b678c687abd87888d26b742483a65995f

SHA512
338f68ee2a436d0a37fb3fbac7446ad9748e2b5aad760b1ebb4cdf05ae52bf834f84f72a1b8270bf6724e9a44851e6b99cb2cc2a07379f0a20fed87d862c1855

Download Submit
C:\Windows\System\vusenFn.exe

Filesize
5.2MB

MD5
06dd4281e0b2ab3686de7f7c894fdcc4

SHA1
e9048fc44de832c7b2cffae3af450f248f56e8e5

SHA256
c979db8ce2bc8c36aeee9f84eecbd0eccadc7cb8937320d6f7460e8ad2083a7e

SHA512
c85969af8d4ebfda05ec722127d7363154320788df79fd1609c443a1b3792f52a883aeda3a2ee8f6460c0365d8e993a0dab4d9ec51b64237a035c03cdceb63f3

Download Submit
C:\Windows\System\waWOiqw.exe

Filesize
5.2MB

MD5
80f89f2e9902f450b4a8b62643cf77bc

SHA1
6bacc869b9b9d48dbdbacdf3bfca5409c4f9de52

SHA256
a17ff3273d97e21b4acfe531e8c59cbd7d65062a79729fc960abe3332b44d67d

SHA512
614e43c68b9158d9364e5834044940939640e7c6e51230f986e4c4ecaf9c54ec3a2d4a4460945b010880b916d1453c614a698af519717dea5610d648f659ac3b

Download Submit
C:\Windows\System\xkOeOow.exe

Filesize
5.2MB

MD5
152ab02108fc64aedd6df25e348b2f5d

SHA1
820326f578954a96154341fc196f6f81de7c99dd

SHA256
e95654baa709a88a69702ac697fed92d9f7a9797ddce06757db2b778cef7f35d

SHA512
05a8aa56e30749a043ab140e0dc1f6c4ba970c2167a750af03961e5d726f488c37f4905cdb5741a90ce93b396459ce15046d510f9a370734d48168cd07d0b5db

Download Submit
C:\Windows\System\zNEQgBW.exe

Filesize
5.2MB

MD5
1757380c2bf80b44a7c586eaae135c64

SHA1
79d79696142bab1ceff5cd174b80491f3ea05b99

SHA256
874520d71fe35da39c912638445306895ddd72423c564a8529716f556955b1f6

SHA512
5d763895b50b55afba979542e1acb02a59f58646d3d305dcbc61f9d95bc903d11ecb50b4dd5719ebe07baa8bcbb2220a0cfc8bfffbac1d44e0fb22f9385ddf39

Download Submit
C:\Windows\System\zjSdQRT.exe

Filesize
5.2MB

MD5
3f6e7aa77ad90e7548e60f74c357654d

SHA1
a6984fc17f42262a986903fb368fd716d73de624

SHA256
9df8619217b2090f7871e64d15bfca4424ecdcecf9fead5a6beab5da965f7bf9

SHA512
40ed5ed3e5e9c1d0b94302efe327a08620bf7a5b9403cc03cc05197619b8e7625252736ee6ceecb78174db7c1a56b2abe1f07a9e5c365936975d4de0a8c63c67

Download Submit
memory/760-233-0x00007FF760170000-0x00007FF7604C1000-memory.dmp

Filesize
3.3MB

Download
memory/760-44-0x00007FF760170000-0x00007FF7604C1000-memory.dmp

Filesize
3.3MB

Download
memory/760-136-0x00007FF760170000-0x00007FF7604C1000-memory.dmp

Filesize
3.3MB

Download
memory/832-254-0x00007FF7856C0000-0x00007FF785A11000-memory.dmp

Filesize
3.3MB

Download
memory/832-153-0x00007FF7856C0000-0x00007FF785A11000-memory.dmp

Filesize
3.3MB

Download
memory/832-98-0x00007FF7856C0000-0x00007FF785A11000-memory.dmp

Filesize
3.3MB

Download
memory/972-222-0x00007FF7E1370000-0x00007FF7E16C1000-memory.dmp

Filesize
3.3MB

Download
memory/972-114-0x00007FF7E1370000-0x00007FF7E16C1000-memory.dmp

Filesize
3.3MB

Download
memory/972-36-0x00007FF7E1370000-0x00007FF7E16C1000-memory.dmp

Filesize
3.3MB

Download
memory/1068-218-0x00007FF7353B0000-0x00007FF735701000-memory.dmp

Filesize
3.3MB

Download
memory/1068-94-0x00007FF7353B0000-0x00007FF735701000-memory.dmp

Filesize
3.3MB

Download
memory/1068-24-0x00007FF7353B0000-0x00007FF735701000-memory.dmp

Filesize
3.3MB

Download
memory/1356-145-0x00007FF772BF0000-0x00007FF772F41000-memory.dmp

Filesize
3.3MB

Download
memory/1356-269-0x00007FF772BF0000-0x00007FF772F41000-memory.dmp

Filesize
3.3MB

Download
memory/1748-84-0x00007FF7626F0000-0x00007FF762A41000-memory.dmp

Filesize
3.3MB

Download
memory/1748-158-0x00007FF7626F0000-0x00007FF762A41000-memory.dmp

Filesize
3.3MB

Download
memory/1748-252-0x00007FF7626F0000-0x00007FF762A41000-memory.dmp

Filesize
3.3MB

Download
memory/1844-79-0x00007FF7A4AF0000-0x00007FF7A4E41000-memory.dmp

Filesize
3.3MB

Download
memory/1844-243-0x00007FF7A4AF0000-0x00007FF7A4E41000-memory.dmp

Filesize
3.3MB

Download
memory/1924-237-0x00007FF66D590000-0x00007FF66D8E1000-memory.dmp

Filesize
3.3MB

Download
memory/1924-63-0x00007FF66D590000-0x00007FF66D8E1000-memory.dmp

Filesize
3.3MB

Download
memory/2100-155-0x00007FF7D3540000-0x00007FF7D3891000-memory.dmp

Filesize
3.3MB

Download
memory/2100-105-0x00007FF7D3540000-0x00007FF7D3891000-memory.dmp

Filesize
3.3MB

Download
memory/2100-258-0x00007FF7D3540000-0x00007FF7D3891000-memory.dmp

Filesize
3.3MB

Download
memory/2428-73-0x00007FF7A8380000-0x00007FF7A86D1000-memory.dmp

Filesize
3.3MB

Download
memory/2428-8-0x00007FF7A8380000-0x00007FF7A86D1000-memory.dmp

Filesize
3.3MB

Download
memory/2428-209-0x00007FF7A8380000-0x00007FF7A86D1000-memory.dmp

Filesize
3.3MB

Download
memory/2496-143-0x00007FF789710000-0x00007FF789A61000-memory.dmp

Filesize
3.3MB

Download
memory/2496-235-0x00007FF789710000-0x00007FF789A61000-memory.dmp

Filesize
3.3MB

Download
memory/2496-48-0x00007FF789710000-0x00007FF789A61000-memory.dmp

Filesize
3.3MB

Download
memory/3008-142-0x00007FF744360000-0x00007FF7446B1000-memory.dmp

Filesize
3.3MB

Download
memory/3008-267-0x00007FF744360000-0x00007FF7446B1000-memory.dmp

Filesize
3.3MB

Download
memory/3604-251-0x00007FF6CD6B0000-0x00007FF6CDA01000-memory.dmp

Filesize
3.3MB

Download
memory/3604-85-0x00007FF6CD6B0000-0x00007FF6CDA01000-memory.dmp

Filesize
3.3MB

Download
memory/3604-152-0x00007FF6CD6B0000-0x00007FF6CDA01000-memory.dmp

Filesize
3.3MB

Download
memory/3764-30-0x00007FF71C6C0000-0x00007FF71CA11000-memory.dmp

Filesize
3.3MB

Download
memory/3764-220-0x00007FF71C6C0000-0x00007FF71CA11000-memory.dmp

Filesize
3.3MB

Download
memory/3764-97-0x00007FF71C6C0000-0x00007FF71CA11000-memory.dmp

Filesize
3.3MB

Download
memory/3820-154-0x00007FF6D2F70000-0x00007FF6D32C1000-memory.dmp

Filesize
3.3MB

Download
memory/3820-108-0x00007FF6D2F70000-0x00007FF6D32C1000-memory.dmp

Filesize
3.3MB

Download
memory/3820-256-0x00007FF6D2F70000-0x00007FF6D32C1000-memory.dmp

Filesize
3.3MB

Download
memory/3936-62-0x00007FF6885C0000-0x00007FF688911000-memory.dmp

Filesize
3.3MB

Download
memory/3936-159-0x00007FF6885C0000-0x00007FF688911000-memory.dmp

Filesize
3.3MB

Download
memory/3936-1-0x000001B2AB680000-0x000001B2AB690000-memory.dmp

Filesize
64KB

Download
memory/3936-0-0x00007FF6885C0000-0x00007FF688911000-memory.dmp

Filesize
3.3MB

Download
memory/3980-265-0x00007FF63ADD0000-0x00007FF63B121000-memory.dmp

Filesize
3.3MB

Download
memory/3980-138-0x00007FF63ADD0000-0x00007FF63B121000-memory.dmp

Filesize
3.3MB

Download
memory/4640-144-0x00007FF600ED0000-0x00007FF601221000-memory.dmp

Filesize
3.3MB

Download
memory/4640-69-0x00007FF600ED0000-0x00007FF601221000-memory.dmp

Filesize
3.3MB

Download
memory/4640-242-0x00007FF600ED0000-0x00007FF601221000-memory.dmp

Filesize
3.3MB

Download
memory/4708-83-0x00007FF60D300000-0x00007FF60D651000-memory.dmp

Filesize
3.3MB

Download
memory/4708-13-0x00007FF60D300000-0x00007FF60D651000-memory.dmp

Filesize
3.3MB

Download
memory/4708-211-0x00007FF60D300000-0x00007FF60D651000-memory.dmp

Filesize
3.3MB

Download
memory/4880-239-0x00007FF7603D0000-0x00007FF760721000-memory.dmp

Filesize
3.3MB

Download
memory/4880-71-0x00007FF7603D0000-0x00007FF760721000-memory.dmp

Filesize
3.3MB

Download
memory/4892-18-0x00007FF620380000-0x00007FF6206D1000-memory.dmp

Filesize
3.3MB

Download
memory/4892-86-0x00007FF620380000-0x00007FF6206D1000-memory.dmp

Filesize
3.3MB

Download
memory/4892-213-0x00007FF620380000-0x00007FF6206D1000-memory.dmp

Filesize
3.3MB

Download
memory/4968-260-0x00007FF72ACB0000-0x00007FF72B001000-memory.dmp

Filesize
3.3MB

Download
memory/4968-156-0x00007FF72ACB0000-0x00007FF72B001000-memory.dmp

Filesize
3.3MB

Download
memory/4968-115-0x00007FF72ACB0000-0x00007FF72B001000-memory.dmp

Filesize
3.3MB

Download