cobaltstrike | 72ddfe11e4ece70e5c253f8371f6eb6940c4257f712989b58de8a18dfd8427f0

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 17:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-22_75fa5a01bf418131b9556863a4a2b76b_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

75fa5a01bf418131b9556863a4a2b76b
SHA1

154ee21fa870cfed33d5e7476a43d574198ec209
SHA256

72ddfe11e4ece70e5c253f8371f6eb6940c4257f712989b58de8a18dfd8427f0
SHA512

fc5dead7b214913912d57a196e9d7ea74c27be0ccc5d4b9cee3a5e03b5f6e66171388aee419f41d88f4bc67b7f7d85d2986810c2c1641951027af2dc7a6be743
SSDEEP

49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lF:RWWBibd56utgpPFotBER/mQ32lU5

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000c000000023af7-5.dat	cobalt_reflective_dll
behavioral2/files/0x0031000000023b5b-10.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b5a-11.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b57-25.dat	cobalt_reflective_dll
behavioral2/files/0x0031000000023b5d-28.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b5e-34.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b5f-41.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b60-49.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b61-55.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b63-65.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b65-75.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b67-81.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b66-77.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b64-69.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b62-59.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b68-95.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b69-101.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b6b-113.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b6a-116.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b6c-125.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b6d-129.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/2800-88-0x00007FF7F5210000-0x00007FF7F5561000-memory.dmp	xmrig
behavioral2/memory/1084-92-0x00007FF7D8350000-0x00007FF7D86A1000-memory.dmp	xmrig
behavioral2/memory/2292-91-0x00007FF76F7B0000-0x00007FF76FB01000-memory.dmp	xmrig
behavioral2/memory/5012-90-0x00007FF696010000-0x00007FF696361000-memory.dmp	xmrig
behavioral2/memory/3356-89-0x00007FF74CD90000-0x00007FF74D0E1000-memory.dmp	xmrig
behavioral2/memory/968-87-0x00007FF61C280000-0x00007FF61C5D1000-memory.dmp	xmrig
behavioral2/memory/4180-86-0x00007FF6C5D30000-0x00007FF6C6081000-memory.dmp	xmrig
behavioral2/memory/4748-83-0x00007FF62CC40000-0x00007FF62CF91000-memory.dmp	xmrig
behavioral2/memory/2248-82-0x00007FF61DA20000-0x00007FF61DD71000-memory.dmp	xmrig
behavioral2/memory/3680-104-0x00007FF63A9A0000-0x00007FF63ACF1000-memory.dmp	xmrig
behavioral2/memory/2284-109-0x00007FF707BD0000-0x00007FF707F21000-memory.dmp	xmrig
behavioral2/memory/1020-114-0x00007FF6938C0000-0x00007FF693C11000-memory.dmp	xmrig
behavioral2/memory/2288-133-0x00007FF7E3370000-0x00007FF7E36C1000-memory.dmp	xmrig
behavioral2/memory/2648-135-0x00007FF7289E0000-0x00007FF728D31000-memory.dmp	xmrig
behavioral2/memory/1908-137-0x00007FF710730000-0x00007FF710A81000-memory.dmp	xmrig
behavioral2/memory/3460-136-0x00007FF747620000-0x00007FF747971000-memory.dmp	xmrig
behavioral2/memory/4844-134-0x00007FF743550000-0x00007FF7438A1000-memory.dmp	xmrig
behavioral2/memory/2248-140-0x00007FF61DA20000-0x00007FF61DD71000-memory.dmp	xmrig
behavioral2/memory/3240-148-0x00007FF6C7230000-0x00007FF6C7581000-memory.dmp	xmrig
behavioral2/memory/1828-138-0x00007FF616150000-0x00007FF6164A1000-memory.dmp	xmrig
behavioral2/memory/996-149-0x00007FF7FB6C0000-0x00007FF7FBA11000-memory.dmp	xmrig
behavioral2/memory/4780-150-0x00007FF7EDA00000-0x00007FF7EDD51000-memory.dmp	xmrig
behavioral2/memory/764-151-0x00007FF643DD0000-0x00007FF644121000-memory.dmp	xmrig
behavioral2/memory/3680-152-0x00007FF63A9A0000-0x00007FF63ACF1000-memory.dmp	xmrig
behavioral2/memory/2284-200-0x00007FF707BD0000-0x00007FF707F21000-memory.dmp	xmrig
behavioral2/memory/1020-202-0x00007FF6938C0000-0x00007FF693C11000-memory.dmp	xmrig
behavioral2/memory/4844-214-0x00007FF743550000-0x00007FF7438A1000-memory.dmp	xmrig
behavioral2/memory/2288-216-0x00007FF7E3370000-0x00007FF7E36C1000-memory.dmp	xmrig
behavioral2/memory/1908-218-0x00007FF710730000-0x00007FF710A81000-memory.dmp	xmrig
behavioral2/memory/1828-220-0x00007FF616150000-0x00007FF6164A1000-memory.dmp	xmrig
behavioral2/memory/4748-229-0x00007FF62CC40000-0x00007FF62CF91000-memory.dmp	xmrig
behavioral2/memory/1084-230-0x00007FF7D8350000-0x00007FF7D86A1000-memory.dmp	xmrig
behavioral2/memory/2248-234-0x00007FF61DA20000-0x00007FF61DD71000-memory.dmp	xmrig
behavioral2/memory/968-238-0x00007FF61C280000-0x00007FF61C5D1000-memory.dmp	xmrig
behavioral2/memory/4180-236-0x00007FF6C5D30000-0x00007FF6C6081000-memory.dmp	xmrig
behavioral2/memory/2292-232-0x00007FF76F7B0000-0x00007FF76FB01000-memory.dmp	xmrig
behavioral2/memory/2800-242-0x00007FF7F5210000-0x00007FF7F5561000-memory.dmp	xmrig
behavioral2/memory/5012-241-0x00007FF696010000-0x00007FF696361000-memory.dmp	xmrig
behavioral2/memory/3356-244-0x00007FF74CD90000-0x00007FF74D0E1000-memory.dmp	xmrig
behavioral2/memory/3240-247-0x00007FF6C7230000-0x00007FF6C7581000-memory.dmp	xmrig
behavioral2/memory/996-251-0x00007FF7FB6C0000-0x00007FF7FBA11000-memory.dmp	xmrig
behavioral2/memory/764-254-0x00007FF643DD0000-0x00007FF644121000-memory.dmp	xmrig
behavioral2/memory/4780-255-0x00007FF7EDA00000-0x00007FF7EDD51000-memory.dmp	xmrig
behavioral2/memory/3460-262-0x00007FF747620000-0x00007FF747971000-memory.dmp	xmrig
behavioral2/memory/2648-261-0x00007FF7289E0000-0x00007FF728D31000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2284	rBEXkqF.exe
1020	IAqWBci.exe
4844	aMBBBXA.exe
2288	AtNusoR.exe
1908	fOFBGBD.exe
1828	WCaGjIl.exe
2292	xpMUCBg.exe
2248	YFYJWzg.exe
1084	ZkXeJZJ.exe
4748	zInNoBH.exe
4180	NxJidTE.exe
968	obhRwEG.exe
2800	xwZCdnv.exe
3356	hJBlXMh.exe
5012	GaBVnIt.exe
3240	IWvPFBO.exe
996	tVNWscU.exe
4780	PbDUEjS.exe
764	zkWyHMq.exe
2648	hiUJYBI.exe
3460	miOorhP.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3680-0-0x00007FF63A9A0000-0x00007FF63ACF1000-memory.dmp	upx
behavioral2/files/0x000c000000023af7-5.dat	upx
behavioral2/memory/2284-7-0x00007FF707BD0000-0x00007FF707F21000-memory.dmp	upx
behavioral2/files/0x0031000000023b5b-10.dat	upx
behavioral2/files/0x000a000000023b5a-11.dat	upx
behavioral2/memory/1020-14-0x00007FF6938C0000-0x00007FF693C11000-memory.dmp	upx
behavioral2/memory/4844-18-0x00007FF743550000-0x00007FF7438A1000-memory.dmp	upx
behavioral2/files/0x000b000000023b57-25.dat	upx
behavioral2/memory/2288-24-0x00007FF7E3370000-0x00007FF7E36C1000-memory.dmp	upx
behavioral2/files/0x0031000000023b5d-28.dat	upx
behavioral2/files/0x000a000000023b5e-34.dat	upx
behavioral2/files/0x000a000000023b5f-41.dat	upx
behavioral2/files/0x000a000000023b60-49.dat	upx
behavioral2/files/0x000a000000023b61-55.dat	upx
behavioral2/files/0x000a000000023b63-65.dat	upx
behavioral2/files/0x000a000000023b65-75.dat	upx
behavioral2/files/0x000a000000023b67-81.dat	upx
behavioral2/files/0x000a000000023b66-77.dat	upx
behavioral2/memory/2800-88-0x00007FF7F5210000-0x00007FF7F5561000-memory.dmp	upx
behavioral2/memory/1084-92-0x00007FF7D8350000-0x00007FF7D86A1000-memory.dmp	upx
behavioral2/memory/2292-91-0x00007FF76F7B0000-0x00007FF76FB01000-memory.dmp	upx
behavioral2/memory/5012-90-0x00007FF696010000-0x00007FF696361000-memory.dmp	upx
behavioral2/memory/3356-89-0x00007FF74CD90000-0x00007FF74D0E1000-memory.dmp	upx
behavioral2/memory/968-87-0x00007FF61C280000-0x00007FF61C5D1000-memory.dmp	upx
behavioral2/memory/4180-86-0x00007FF6C5D30000-0x00007FF6C6081000-memory.dmp	upx
behavioral2/memory/4748-83-0x00007FF62CC40000-0x00007FF62CF91000-memory.dmp	upx
behavioral2/memory/2248-82-0x00007FF61DA20000-0x00007FF61DD71000-memory.dmp	upx
behavioral2/files/0x000a000000023b64-69.dat	upx
behavioral2/files/0x000a000000023b62-59.dat	upx
behavioral2/memory/1828-39-0x00007FF616150000-0x00007FF6164A1000-memory.dmp	upx
behavioral2/memory/1908-30-0x00007FF710730000-0x00007FF710A81000-memory.dmp	upx
behavioral2/files/0x000a000000023b68-95.dat	upx
behavioral2/memory/3240-96-0x00007FF6C7230000-0x00007FF6C7581000-memory.dmp	upx
behavioral2/files/0x000a000000023b69-101.dat	upx
behavioral2/memory/3680-104-0x00007FF63A9A0000-0x00007FF63ACF1000-memory.dmp	upx
behavioral2/memory/2284-109-0x00007FF707BD0000-0x00007FF707F21000-memory.dmp	upx
behavioral2/files/0x000a000000023b6b-113.dat	upx
behavioral2/memory/1020-114-0x00007FF6938C0000-0x00007FF693C11000-memory.dmp	upx
behavioral2/files/0x000a000000023b6a-116.dat	upx
behavioral2/memory/764-115-0x00007FF643DD0000-0x00007FF644121000-memory.dmp	upx
behavioral2/memory/4780-111-0x00007FF7EDA00000-0x00007FF7EDD51000-memory.dmp	upx
behavioral2/memory/996-105-0x00007FF7FB6C0000-0x00007FF7FBA11000-memory.dmp	upx
behavioral2/files/0x000a000000023b6c-125.dat	upx
behavioral2/files/0x000a000000023b6d-129.dat	upx
behavioral2/memory/2288-133-0x00007FF7E3370000-0x00007FF7E36C1000-memory.dmp	upx
behavioral2/memory/2648-135-0x00007FF7289E0000-0x00007FF728D31000-memory.dmp	upx
behavioral2/memory/1908-137-0x00007FF710730000-0x00007FF710A81000-memory.dmp	upx
behavioral2/memory/3460-136-0x00007FF747620000-0x00007FF747971000-memory.dmp	upx
behavioral2/memory/4844-134-0x00007FF743550000-0x00007FF7438A1000-memory.dmp	upx
behavioral2/memory/2248-140-0x00007FF61DA20000-0x00007FF61DD71000-memory.dmp	upx
behavioral2/memory/3240-148-0x00007FF6C7230000-0x00007FF6C7581000-memory.dmp	upx
behavioral2/memory/1828-138-0x00007FF616150000-0x00007FF6164A1000-memory.dmp	upx
behavioral2/memory/996-149-0x00007FF7FB6C0000-0x00007FF7FBA11000-memory.dmp	upx
behavioral2/memory/4780-150-0x00007FF7EDA00000-0x00007FF7EDD51000-memory.dmp	upx
behavioral2/memory/764-151-0x00007FF643DD0000-0x00007FF644121000-memory.dmp	upx
behavioral2/memory/3680-152-0x00007FF63A9A0000-0x00007FF63ACF1000-memory.dmp	upx
behavioral2/memory/2284-200-0x00007FF707BD0000-0x00007FF707F21000-memory.dmp	upx
behavioral2/memory/1020-202-0x00007FF6938C0000-0x00007FF693C11000-memory.dmp	upx
behavioral2/memory/4844-214-0x00007FF743550000-0x00007FF7438A1000-memory.dmp	upx
behavioral2/memory/2288-216-0x00007FF7E3370000-0x00007FF7E36C1000-memory.dmp	upx
behavioral2/memory/1908-218-0x00007FF710730000-0x00007FF710A81000-memory.dmp	upx
behavioral2/memory/1828-220-0x00007FF616150000-0x00007FF6164A1000-memory.dmp	upx
behavioral2/memory/4748-229-0x00007FF62CC40000-0x00007FF62CF91000-memory.dmp	upx
behavioral2/memory/1084-230-0x00007FF7D8350000-0x00007FF7D86A1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\AtNusoR.exe	2024-12-22_75fa5a01bf418131b9556863a4a2b76b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zInNoBH.exe	2024-12-22_75fa5a01bf418131b9556863a4a2b76b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NxJidTE.exe	2024-12-22_75fa5a01bf418131b9556863a4a2b76b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GaBVnIt.exe	2024-12-22_75fa5a01bf418131b9556863a4a2b76b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rBEXkqF.exe	2024-12-22_75fa5a01bf418131b9556863a4a2b76b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZkXeJZJ.exe	2024-12-22_75fa5a01bf418131b9556863a4a2b76b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\obhRwEG.exe	2024-12-22_75fa5a01bf418131b9556863a4a2b76b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IWvPFBO.exe	2024-12-22_75fa5a01bf418131b9556863a4a2b76b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tVNWscU.exe	2024-12-22_75fa5a01bf418131b9556863a4a2b76b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PbDUEjS.exe	2024-12-22_75fa5a01bf418131b9556863a4a2b76b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xpMUCBg.exe	2024-12-22_75fa5a01bf418131b9556863a4a2b76b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fOFBGBD.exe	2024-12-22_75fa5a01bf418131b9556863a4a2b76b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YFYJWzg.exe	2024-12-22_75fa5a01bf418131b9556863a4a2b76b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\miOorhP.exe	2024-12-22_75fa5a01bf418131b9556863a4a2b76b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IAqWBci.exe	2024-12-22_75fa5a01bf418131b9556863a4a2b76b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WCaGjIl.exe	2024-12-22_75fa5a01bf418131b9556863a4a2b76b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xwZCdnv.exe	2024-12-22_75fa5a01bf418131b9556863a4a2b76b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hJBlXMh.exe	2024-12-22_75fa5a01bf418131b9556863a4a2b76b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zkWyHMq.exe	2024-12-22_75fa5a01bf418131b9556863a4a2b76b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hiUJYBI.exe	2024-12-22_75fa5a01bf418131b9556863a4a2b76b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aMBBBXA.exe	2024-12-22_75fa5a01bf418131b9556863a4a2b76b_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3680	2024-12-22_75fa5a01bf418131b9556863a4a2b76b_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	3680	2024-12-22_75fa5a01bf418131b9556863a4a2b76b_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3680 wrote to memory of 2284	3680	2024-12-22_75fa5a01bf418131b9556863a4a2b76b_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3680 wrote to memory of 2284	3680	2024-12-22_75fa5a01bf418131b9556863a4a2b76b_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3680 wrote to memory of 1020	3680	2024-12-22_75fa5a01bf418131b9556863a4a2b76b_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3680 wrote to memory of 1020	3680	2024-12-22_75fa5a01bf418131b9556863a4a2b76b_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3680 wrote to memory of 4844	3680	2024-12-22_75fa5a01bf418131b9556863a4a2b76b_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3680 wrote to memory of 4844	3680	2024-12-22_75fa5a01bf418131b9556863a4a2b76b_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3680 wrote to memory of 2288	3680	2024-12-22_75fa5a01bf418131b9556863a4a2b76b_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3680 wrote to memory of 2288	3680	2024-12-22_75fa5a01bf418131b9556863a4a2b76b_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3680 wrote to memory of 1908	3680	2024-12-22_75fa5a01bf418131b9556863a4a2b76b_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3680 wrote to memory of 1908	3680	2024-12-22_75fa5a01bf418131b9556863a4a2b76b_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3680 wrote to memory of 1828	3680	2024-12-22_75fa5a01bf418131b9556863a4a2b76b_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3680 wrote to memory of 1828	3680	2024-12-22_75fa5a01bf418131b9556863a4a2b76b_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3680 wrote to memory of 2292	3680	2024-12-22_75fa5a01bf418131b9556863a4a2b76b_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3680 wrote to memory of 2292	3680	2024-12-22_75fa5a01bf418131b9556863a4a2b76b_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3680 wrote to memory of 2248	3680	2024-12-22_75fa5a01bf418131b9556863a4a2b76b_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3680 wrote to memory of 2248	3680	2024-12-22_75fa5a01bf418131b9556863a4a2b76b_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3680 wrote to memory of 1084	3680	2024-12-22_75fa5a01bf418131b9556863a4a2b76b_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3680 wrote to memory of 1084	3680	2024-12-22_75fa5a01bf418131b9556863a4a2b76b_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3680 wrote to memory of 4748	3680	2024-12-22_75fa5a01bf418131b9556863a4a2b76b_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3680 wrote to memory of 4748	3680	2024-12-22_75fa5a01bf418131b9556863a4a2b76b_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3680 wrote to memory of 4180	3680	2024-12-22_75fa5a01bf418131b9556863a4a2b76b_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3680 wrote to memory of 4180	3680	2024-12-22_75fa5a01bf418131b9556863a4a2b76b_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3680 wrote to memory of 968	3680	2024-12-22_75fa5a01bf418131b9556863a4a2b76b_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3680 wrote to memory of 968	3680	2024-12-22_75fa5a01bf418131b9556863a4a2b76b_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3680 wrote to memory of 2800	3680	2024-12-22_75fa5a01bf418131b9556863a4a2b76b_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3680 wrote to memory of 2800	3680	2024-12-22_75fa5a01bf418131b9556863a4a2b76b_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3680 wrote to memory of 3356	3680	2024-12-22_75fa5a01bf418131b9556863a4a2b76b_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3680 wrote to memory of 3356	3680	2024-12-22_75fa5a01bf418131b9556863a4a2b76b_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3680 wrote to memory of 5012	3680	2024-12-22_75fa5a01bf418131b9556863a4a2b76b_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3680 wrote to memory of 5012	3680	2024-12-22_75fa5a01bf418131b9556863a4a2b76b_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3680 wrote to memory of 3240	3680	2024-12-22_75fa5a01bf418131b9556863a4a2b76b_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3680 wrote to memory of 3240	3680	2024-12-22_75fa5a01bf418131b9556863a4a2b76b_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3680 wrote to memory of 996	3680	2024-12-22_75fa5a01bf418131b9556863a4a2b76b_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3680 wrote to memory of 996	3680	2024-12-22_75fa5a01bf418131b9556863a4a2b76b_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3680 wrote to memory of 4780	3680	2024-12-22_75fa5a01bf418131b9556863a4a2b76b_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3680 wrote to memory of 4780	3680	2024-12-22_75fa5a01bf418131b9556863a4a2b76b_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3680 wrote to memory of 764	3680	2024-12-22_75fa5a01bf418131b9556863a4a2b76b_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3680 wrote to memory of 764	3680	2024-12-22_75fa5a01bf418131b9556863a4a2b76b_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3680 wrote to memory of 2648	3680	2024-12-22_75fa5a01bf418131b9556863a4a2b76b_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3680 wrote to memory of 2648	3680	2024-12-22_75fa5a01bf418131b9556863a4a2b76b_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3680 wrote to memory of 3460	3680	2024-12-22_75fa5a01bf418131b9556863a4a2b76b_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 3680 wrote to memory of 3460	3680	2024-12-22_75fa5a01bf418131b9556863a4a2b76b_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-12-22_75fa5a01bf418131b9556863a4a2b76b_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-22_75fa5a01bf418131b9556863a4a2b76b_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3680
- C:\Windows\System\rBEXkqF.exe
  C:\Windows\System\rBEXkqF.exe
  2⤵
  - Executes dropped EXE
  PID:2284
- C:\Windows\System\IAqWBci.exe
  C:\Windows\System\IAqWBci.exe
  2⤵
  - Executes dropped EXE
  PID:1020
- C:\Windows\System\aMBBBXA.exe
  C:\Windows\System\aMBBBXA.exe
  2⤵
  - Executes dropped EXE
  PID:4844
- C:\Windows\System\AtNusoR.exe
  C:\Windows\System\AtNusoR.exe
  2⤵
  - Executes dropped EXE
  PID:2288
- C:\Windows\System\fOFBGBD.exe
  C:\Windows\System\fOFBGBD.exe
  2⤵
  - Executes dropped EXE
  PID:1908
- C:\Windows\System\WCaGjIl.exe
  C:\Windows\System\WCaGjIl.exe
  2⤵
  - Executes dropped EXE
  PID:1828
- C:\Windows\System\xpMUCBg.exe
  C:\Windows\System\xpMUCBg.exe
  2⤵
  - Executes dropped EXE
  PID:2292
- C:\Windows\System\YFYJWzg.exe
  C:\Windows\System\YFYJWzg.exe
  2⤵
  - Executes dropped EXE
  PID:2248
- C:\Windows\System\ZkXeJZJ.exe
  C:\Windows\System\ZkXeJZJ.exe
  2⤵
  - Executes dropped EXE
  PID:1084
- C:\Windows\System\zInNoBH.exe
  C:\Windows\System\zInNoBH.exe
  2⤵
  - Executes dropped EXE
  PID:4748
- C:\Windows\System\NxJidTE.exe
  C:\Windows\System\NxJidTE.exe
  2⤵
  - Executes dropped EXE
  PID:4180
- C:\Windows\System\obhRwEG.exe
  C:\Windows\System\obhRwEG.exe
  2⤵
  - Executes dropped EXE
  PID:968
- C:\Windows\System\xwZCdnv.exe
  C:\Windows\System\xwZCdnv.exe
  2⤵
  - Executes dropped EXE
  PID:2800
- C:\Windows\System\hJBlXMh.exe
  C:\Windows\System\hJBlXMh.exe
  2⤵
  - Executes dropped EXE
  PID:3356
- C:\Windows\System\GaBVnIt.exe
  C:\Windows\System\GaBVnIt.exe
  2⤵
  - Executes dropped EXE
  PID:5012
- C:\Windows\System\IWvPFBO.exe
  C:\Windows\System\IWvPFBO.exe
  2⤵
  - Executes dropped EXE
  PID:3240
- C:\Windows\System\tVNWscU.exe
  C:\Windows\System\tVNWscU.exe
  2⤵
  - Executes dropped EXE
  PID:996
- C:\Windows\System\PbDUEjS.exe
  C:\Windows\System\PbDUEjS.exe
  2⤵
  - Executes dropped EXE
  PID:4780
- C:\Windows\System\zkWyHMq.exe
  C:\Windows\System\zkWyHMq.exe
  2⤵
  - Executes dropped EXE
  PID:764
- C:\Windows\System\hiUJYBI.exe
  C:\Windows\System\hiUJYBI.exe
  2⤵
  - Executes dropped EXE
  PID:2648
- C:\Windows\System\miOorhP.exe
  C:\Windows\System\miOorhP.exe
  2⤵
  - Executes dropped EXE
  PID:3460

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AtNusoR.exe

Filesize
5.2MB

MD5
34cd3a09063ba7861a65a610f7b2485d

SHA1
53feef4854741069e986b56cd2aaebd502e6ad89

SHA256
9fd9b6348eed90a0a985c7e7448c2f5cc7bcf06a3371a5ea9a8982ecbc258d52

SHA512
ee972901a1bed553bfb46db1e8169e58786563ec10884414ff44ec4a6f6138ea38a96384d30e780e141a9a876530f92c7b1e649d64a97aa3f441d53a89c8ee43

Download Submit
C:\Windows\System\GaBVnIt.exe

Filesize
5.2MB

MD5
d7f824edfaa1ec86119361e768aa9915

SHA1
3e2c6ac940a8fb1214802ac68da989ceedc271c1

SHA256
d4f66135f15a57c1820a91d32d70d0cb53663e01843b4a689c101b12be6c3fad

SHA512
531d73bfa6bc8367744a72e636ad7561d8bdc495d484dc9223ea6a18f5b4764ae66e5f9591a78ad9c174320a4527572fa12c6c505a3a2f02d4cf751a7021a474

Download Submit
C:\Windows\System\IAqWBci.exe

Filesize
5.2MB

MD5
45b02da309400717dd67fb4d02af6fc7

SHA1
b97d95208b5bf2f43f1a6c1f53e4bd3c0e5d2eb0

SHA256
9e40548d31cba2ec1bfee28002003146255d1b9e1791ad9bb6af4b86283d5f8d

SHA512
a29c5ec30eeafb55223385cbe2643df104b8b7b69c5596fdd9769c3dd69a227c8fb4dcfaeaa1f20f6acb213d03c16edce84ce6cb420ce18be24b584a46a6dec8

Download Submit
C:\Windows\System\IWvPFBO.exe

Filesize
5.2MB

MD5
844fd09a9ecddd7f037b1dc107464539

SHA1
6851c28069c75b716feb630fda02204d33707b1c

SHA256
d5a7155489c58d1eed6b264f6cb76ef45f727d240f236852af0543470c50c560

SHA512
f2a628edf8a10a5ff08cd3e4eee50eac08ff995a0b08d373511e1aed1adfbf357b7979ec0df6456b76c888af9d21edf66e19201757d28b0328f53c7e20ff7bea

Download Submit
C:\Windows\System\NxJidTE.exe

Filesize
5.2MB

MD5
25f3c9d7cbe2d470d67fe8e9d7385bef

SHA1
393ed2b8e81ec6bbbf7f80d6871e0e7e8d5c9db0

SHA256
c4590e7056bf4a6cc5fabcd1226aef5df1ede9a7dcd6c6e970438a9db51313b8

SHA512
8e9bfeda7d5b37f8f54bf7612e8b78b3fb97a5c130fe4147d06413abb34a354641e7b473ecd5de0dd378294eb8b77c2fd4fef523de27beea1907b90a6391bd50

Download Submit
C:\Windows\System\PbDUEjS.exe

Filesize
5.2MB

MD5
17b7b287fd075432795af1be0e96065b

SHA1
adbdc486021e44596286435d0a661a8c702fe1c2

SHA256
dbbb48e6e9fe21d5f43a959bea036dd2509babea5fd285af7c11147d42627872

SHA512
10dd9c8651ab91f361a9aff236cc9c27e7345676d251dc2a2180f049ef016f4b07554a29e36986ccae3e56d00505936f3c6399d16223594895aa9690d1fa7055

Download Submit
C:\Windows\System\WCaGjIl.exe

Filesize
5.2MB

MD5
427dd6f1df76114ec71b3463c4596e99

SHA1
3ed5288c5e7d185d1edaeba04e44c582f3fab772

SHA256
bd17f98d818929e0f49476da836f88ba4c549fa533fcfb915f401f50f67bccbf

SHA512
812debc45eaf870fe926834d8ff0635b6bd61a10feaa540646e6d7e6df6be350de514bd177ad31c54432ff9d57ec308287c74dc0b9208470c63a2d8de9a2a747

Download Submit
C:\Windows\System\YFYJWzg.exe

Filesize
5.2MB

MD5
868deaecfc44c37e3851ba7baeddfd16

SHA1
9e3cae7d79cf8d0bd8e07be70396ba9f001e5a85

SHA256
aff1f5a51207f525b64db404bf275ade18bf3e1d43ba76b40f6a564089df226f

SHA512
2788c244c88005e8ffd1e31ab8f8931ffec3f71590ed323db258cdbb5356d354fd10f3b6d7d72992f332cc348b7882d2c9bbf47872b2223b24f206b48f6c97f5

Download Submit
C:\Windows\System\ZkXeJZJ.exe

Filesize
5.2MB

MD5
e7bb35c1995ceca8356b8a6c2ee1a91f

SHA1
bf269196a250b85ba99625eefe79274e1d3def05

SHA256
0f1f0d1075d8c713a84ce383c05c9a1df4e7b56cb6a8efc0d7d872da8a2af99d

SHA512
c5fb064cbd523521de6baed7eeae633877a105d6e22e786226d747a59e6921dcfcda711bb95e021c486c1fd9f99fa9946ebcc5e267f3c5e9eeb167ee22db49b7

Download Submit
C:\Windows\System\aMBBBXA.exe

Filesize
5.2MB

MD5
f51fd8edd81613feab99bc2a7d10f3eb

SHA1
cab9d25e244b0c9b4453f6283d76db99af89cf35

SHA256
d80fdac565a63d6e2ce998a3381bfbce57afbc5dca57f7e678ec7ba6021ac333

SHA512
ddba8f6cd5fe1fd9948f5266bbf917d4ea4cb21cd8f0f51196a140ef8830afeb10a08d44066405a000321def8c0485f1dc30b8211d87908a7db9a672a1bfdb60

Download Submit
C:\Windows\System\fOFBGBD.exe

Filesize
5.2MB

MD5
ef14b3546c6ee2040852145f3ec2d15d

SHA1
8e0be14307be7f4eb480a8e5ad18d760781d409e

SHA256
9a75319acabdb634c459d845137e0adbdc1d8f410f2349652202ed70709ae6c8

SHA512
fe022982038f81fafc043e14286a7ab39de74533dd12aba3b0b1562c070e3c380bf70363e11e784983a8931e92351f1c9e769646667266d3ccb2bfb153ce684c

Download Submit
C:\Windows\System\hJBlXMh.exe

Filesize
5.2MB

MD5
39a8a1c59bdf709ac19e33ad60564c8b

SHA1
448618ccd3496f5fb5edff34ad14fc420ee066d9

SHA256
fb2ab9ec341c83d5d5211641d2fbcd6be7f7ada3136eb57bc4e018464d819f9e

SHA512
799f23fb32ce8f7d1ded60608b7e6c145bd746e3205df8b3cc278b686a21b90163a3e6f1e89f1fd3bb1d5582f73f7474bb2676c687727738b2d7f496172b1d83

Download Submit
C:\Windows\System\hiUJYBI.exe

Filesize
5.2MB

MD5
508d5131d785c047ae69a2977acde51e

SHA1
799ef88b49d99decc51005921cff55df2ebe0acb

SHA256
8b15c9bc603cafec337c3de9f486f823e223d1c5feb010bc8a82c948a49e5746

SHA512
fab35e4025eb174f949462c65b95d80472ef0e9bb2d1d13ce83e55ba4f16b05546f5ccca19dada5efa0894b4f89caa8ae741a70f4161ce17ca65e49fc2e10a25

Download Submit
C:\Windows\System\miOorhP.exe

Filesize
5.2MB

MD5
fea1ddb72647bc1b7b7e987faf139ffd

SHA1
4c7aaed751201f50eafdcf91316d746a6dc72ec1

SHA256
87d381b87dac1dd98dc1eeb4f1478fa90bf91e2bcd78fea7c6b941dfe6ee80a8

SHA512
d193e288e25376994171ee4f9b903911d6bc2941f26a21ffcd600611b505d77f83289cbafe0a9044a48864455d93d5b9ecd0f72d1eeb970b26bda92b1926f5f4

Download Submit
C:\Windows\System\obhRwEG.exe

Filesize
5.2MB

MD5
f00da7a33806603dc37d1432c9b3ce24

SHA1
d10c53daf87666fe499e84cadb78842320d85a1f

SHA256
63b5696c8a8bfd95bd5aea656ffc62910ae15ec44343580c50eae6287b4216ff

SHA512
cedd17448eb902bc477adbb74c3f9c56bb676543ab909487d5af37073101dd99f102a50ef9c183325d7bd568f5469c39dc83c0cbe7d777e8646109c4706ff26d

Download Submit
C:\Windows\System\rBEXkqF.exe

Filesize
5.2MB

MD5
dd31ce7646608d36ee38cf7b2b2fd6b9

SHA1
ac3a3871ef424f67ba90bcc86a9b2ec9ce4b4a5a

SHA256
351d070691e0f49030cf229889d8b668e5d28ba5c9e28701fe9b701e5101cf76

SHA512
0f677b94dde29d5146333031be55c622caeb1ae43bbf610b0e00d91ee6110e5a17880ebdfd2c0356a703ee7021bdb6f67bb1edb2a083c234ba3b71adc2f416c5

Download Submit
C:\Windows\System\tVNWscU.exe

Filesize
5.2MB

MD5
0ea2791d3a77aea84bc682b6d6c441ff

SHA1
a42495fe706bf0aba213b34a5551172fc9d16422

SHA256
f31acff3a76ebf57495c5b17a2da12735f155741b67ac3d91d019a3d7b9adc7b

SHA512
bf0dda9b1c14208929fc2ecbd02e9602a12660c3c9550ff505ff7cc4b3c5f96e13166785bd86d55c93e3b9e76f5e99b877f5427bba690ac53578fb5261a80db8

Download Submit
C:\Windows\System\xpMUCBg.exe

Filesize
5.2MB

MD5
a26978421851b78f793f8dad8c412dab

SHA1
8da62be6c9b96393dc45a6213686a469e115a044

SHA256
588c1b119b5d0085cde9aa3217b06e9add8a6678d310feddc7f7d5d125a81022

SHA512
ab0ff7e2caa25469ef2ecf7ba488f66ff9479ddf2c90e6b9ee62f7247109b6ed33097cb700f51beb0c8e38247fe36ef3a4c9d961a7cb69ff300094244133fd46

Download Submit
C:\Windows\System\xwZCdnv.exe

Filesize
5.2MB

MD5
b17cb62a386c703ff8b02f35d6d3a3fa

SHA1
be68bc34a167127afef338a9f06724d6b966ab83

SHA256
d7b86d2599fe34d4044eb5c1d0964fd4a89abd33b0e16f5a5574148dca6859d9

SHA512
3cf850f9b514f65fa1ac174f6d43a19fbac631373b8761f8c1f749cf68fab10d7c43e59891d48ac977ab220092d96be1bcb91f7944e2941b46b47108b4aaff1a

Download Submit
C:\Windows\System\zInNoBH.exe

Filesize
5.2MB

MD5
cfeb77e7727d70bc185801e15b1cef2b

SHA1
5beb232ef6cdae31418c80d7ff48ef6a695de751

SHA256
4b881bb94de6aac70d34e150af3f8b34f85ebb00548a8dbe427167523f1f5ad3

SHA512
d4c9b6d76faf9c01b22b85e134ffc1359c3479789cfb99457d590994072b042298b3d4313b2b4c44e01f12a4943a4155c1ef67c8f8145ee3c7884a8e9c884649

Download Submit
C:\Windows\System\zkWyHMq.exe

Filesize
5.2MB

MD5
9dcc0e49cfcbbd105c3e300eec408904

SHA1
2b62931d61535b355097ba520278c9e82a699ddc

SHA256
2a756b2747729833ad586cd2802da4e971acc16655b05c0e62b8b4b163385a77

SHA512
79aaaaafe49970550f087778f6a66703000cc8b9e0a022f2b937c24573eb6470efac21805c75ca345cb34ec5c65b44d48ded7865e1e84c67ba67efd5b303bbaf

Download Submit
memory/764-115-0x00007FF643DD0000-0x00007FF644121000-memory.dmp

Filesize
3.3MB

Download
memory/764-254-0x00007FF643DD0000-0x00007FF644121000-memory.dmp

Filesize
3.3MB

Download
memory/764-151-0x00007FF643DD0000-0x00007FF644121000-memory.dmp

Filesize
3.3MB

Download
memory/968-238-0x00007FF61C280000-0x00007FF61C5D1000-memory.dmp

Filesize
3.3MB

Download
memory/968-87-0x00007FF61C280000-0x00007FF61C5D1000-memory.dmp

Filesize
3.3MB

Download
memory/996-251-0x00007FF7FB6C0000-0x00007FF7FBA11000-memory.dmp

Filesize
3.3MB

Download
memory/996-105-0x00007FF7FB6C0000-0x00007FF7FBA11000-memory.dmp

Filesize
3.3MB

Download
memory/996-149-0x00007FF7FB6C0000-0x00007FF7FBA11000-memory.dmp

Filesize
3.3MB

Download
memory/1020-14-0x00007FF6938C0000-0x00007FF693C11000-memory.dmp

Filesize
3.3MB

Download
memory/1020-114-0x00007FF6938C0000-0x00007FF693C11000-memory.dmp

Filesize
3.3MB

Download
memory/1020-202-0x00007FF6938C0000-0x00007FF693C11000-memory.dmp

Filesize
3.3MB

Download
memory/1084-92-0x00007FF7D8350000-0x00007FF7D86A1000-memory.dmp

Filesize
3.3MB

Download
memory/1084-230-0x00007FF7D8350000-0x00007FF7D86A1000-memory.dmp

Filesize
3.3MB

Download
memory/1828-39-0x00007FF616150000-0x00007FF6164A1000-memory.dmp

Filesize
3.3MB

Download
memory/1828-138-0x00007FF616150000-0x00007FF6164A1000-memory.dmp

Filesize
3.3MB

Download
memory/1828-220-0x00007FF616150000-0x00007FF6164A1000-memory.dmp

Filesize
3.3MB

Download
memory/1908-218-0x00007FF710730000-0x00007FF710A81000-memory.dmp

Filesize
3.3MB

Download
memory/1908-137-0x00007FF710730000-0x00007FF710A81000-memory.dmp

Filesize
3.3MB

Download
memory/1908-30-0x00007FF710730000-0x00007FF710A81000-memory.dmp

Filesize
3.3MB

Download
memory/2248-234-0x00007FF61DA20000-0x00007FF61DD71000-memory.dmp

Filesize
3.3MB

Download
memory/2248-82-0x00007FF61DA20000-0x00007FF61DD71000-memory.dmp

Filesize
3.3MB

Download
memory/2248-140-0x00007FF61DA20000-0x00007FF61DD71000-memory.dmp

Filesize
3.3MB

Download
memory/2284-109-0x00007FF707BD0000-0x00007FF707F21000-memory.dmp

Filesize
3.3MB

Download
memory/2284-200-0x00007FF707BD0000-0x00007FF707F21000-memory.dmp

Filesize
3.3MB

Download
memory/2284-7-0x00007FF707BD0000-0x00007FF707F21000-memory.dmp

Filesize
3.3MB

Download
memory/2288-133-0x00007FF7E3370000-0x00007FF7E36C1000-memory.dmp

Filesize
3.3MB

Download
memory/2288-216-0x00007FF7E3370000-0x00007FF7E36C1000-memory.dmp

Filesize
3.3MB

Download
memory/2288-24-0x00007FF7E3370000-0x00007FF7E36C1000-memory.dmp

Filesize
3.3MB

Download
memory/2292-91-0x00007FF76F7B0000-0x00007FF76FB01000-memory.dmp

Filesize
3.3MB

Download
memory/2292-232-0x00007FF76F7B0000-0x00007FF76FB01000-memory.dmp

Filesize
3.3MB

Download
memory/2648-261-0x00007FF7289E0000-0x00007FF728D31000-memory.dmp

Filesize
3.3MB

Download
memory/2648-135-0x00007FF7289E0000-0x00007FF728D31000-memory.dmp

Filesize
3.3MB

Download
memory/2800-88-0x00007FF7F5210000-0x00007FF7F5561000-memory.dmp

Filesize
3.3MB

Download
memory/2800-242-0x00007FF7F5210000-0x00007FF7F5561000-memory.dmp

Filesize
3.3MB

Download
memory/3240-96-0x00007FF6C7230000-0x00007FF6C7581000-memory.dmp

Filesize
3.3MB

Download
memory/3240-247-0x00007FF6C7230000-0x00007FF6C7581000-memory.dmp

Filesize
3.3MB

Download
memory/3240-148-0x00007FF6C7230000-0x00007FF6C7581000-memory.dmp

Filesize
3.3MB

Download
memory/3356-89-0x00007FF74CD90000-0x00007FF74D0E1000-memory.dmp

Filesize
3.3MB

Download
memory/3356-244-0x00007FF74CD90000-0x00007FF74D0E1000-memory.dmp

Filesize
3.3MB

Download
memory/3460-262-0x00007FF747620000-0x00007FF747971000-memory.dmp

Filesize
3.3MB

Download
memory/3460-136-0x00007FF747620000-0x00007FF747971000-memory.dmp

Filesize
3.3MB

Download
memory/3680-104-0x00007FF63A9A0000-0x00007FF63ACF1000-memory.dmp

Filesize
3.3MB

Download
memory/3680-1-0x0000028A0F540000-0x0000028A0F550000-memory.dmp

Filesize
64KB

Download
memory/3680-0-0x00007FF63A9A0000-0x00007FF63ACF1000-memory.dmp

Filesize
3.3MB

Download
memory/3680-152-0x00007FF63A9A0000-0x00007FF63ACF1000-memory.dmp

Filesize
3.3MB

Download
memory/4180-236-0x00007FF6C5D30000-0x00007FF6C6081000-memory.dmp

Filesize
3.3MB

Download
memory/4180-86-0x00007FF6C5D30000-0x00007FF6C6081000-memory.dmp

Filesize
3.3MB

Download
memory/4748-83-0x00007FF62CC40000-0x00007FF62CF91000-memory.dmp

Filesize
3.3MB

Download
memory/4748-229-0x00007FF62CC40000-0x00007FF62CF91000-memory.dmp

Filesize
3.3MB

Download
memory/4780-150-0x00007FF7EDA00000-0x00007FF7EDD51000-memory.dmp

Filesize
3.3MB

Download
memory/4780-111-0x00007FF7EDA00000-0x00007FF7EDD51000-memory.dmp

Filesize
3.3MB

Download
memory/4780-255-0x00007FF7EDA00000-0x00007FF7EDD51000-memory.dmp

Filesize
3.3MB

Download
memory/4844-134-0x00007FF743550000-0x00007FF7438A1000-memory.dmp

Filesize
3.3MB

Download
memory/4844-18-0x00007FF743550000-0x00007FF7438A1000-memory.dmp

Filesize
3.3MB

Download
memory/4844-214-0x00007FF743550000-0x00007FF7438A1000-memory.dmp

Filesize
3.3MB

Download
memory/5012-241-0x00007FF696010000-0x00007FF696361000-memory.dmp

Filesize
3.3MB

Download
memory/5012-90-0x00007FF696010000-0x00007FF696361000-memory.dmp

Filesize
3.3MB

Download