cobaltstrike | 3cdc4209c119e04757a42ec9061fe6f327ec2e8bb862586881b6b57ef1c50e77

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 17:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-22_a29f5616d19cfff89ab11ee7fcff2610_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

a29f5616d19cfff89ab11ee7fcff2610
SHA1

8ce1455208b20acca03f03ef12f1d4152a60e594
SHA256

3cdc4209c119e04757a42ec9061fe6f327ec2e8bb862586881b6b57ef1c50e77
SHA512

cadf729555de1ed93d048c9d593824deb0f08406b539fc7648767c75e6899e2af69dd1ba7254e7f07afbe8df2f7074b81f689fd8962dca7a7bf39f3c34695441
SSDEEP

49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lW:RWWBibd56utgpPFotBER/mQ32lU6

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000c000000023b0b-4.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b5f-11.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b60-15.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b61-23.dat	cobalt_reflective_dll
behavioral2/files/0x0032000000023b5c-35.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b62-30.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b63-40.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b65-52.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b66-51.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b67-61.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b68-68.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b6a-80.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b69-82.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b6b-87.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b6c-93.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b6d-102.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b6f-112.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b70-121.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b71-131.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b6e-119.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b72-145.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/3368-59-0x00007FF7F5AE0000-0x00007FF7F5E31000-memory.dmp	xmrig
behavioral2/memory/4424-53-0x00007FF60B670000-0x00007FF60B9C1000-memory.dmp	xmrig
behavioral2/memory/3776-62-0x00007FF6E1FA0000-0x00007FF6E22F1000-memory.dmp	xmrig
behavioral2/memory/2488-69-0x00007FF6D82C0000-0x00007FF6D8611000-memory.dmp	xmrig
behavioral2/memory/1892-96-0x00007FF756150000-0x00007FF7564A1000-memory.dmp	xmrig
behavioral2/memory/2076-89-0x00007FF7DE510000-0x00007FF7DE861000-memory.dmp	xmrig
behavioral2/memory/1468-75-0x00007FF780B80000-0x00007FF780ED1000-memory.dmp	xmrig
behavioral2/memory/2316-113-0x00007FF7BFE10000-0x00007FF7C0161000-memory.dmp	xmrig
behavioral2/memory/4688-123-0x00007FF7B32D0000-0x00007FF7B3621000-memory.dmp	xmrig
behavioral2/memory/4796-117-0x00007FF63D390000-0x00007FF63D6E1000-memory.dmp	xmrig
behavioral2/memory/1440-104-0x00007FF7D9B10000-0x00007FF7D9E61000-memory.dmp	xmrig
behavioral2/memory/3616-143-0x00007FF630730000-0x00007FF630A81000-memory.dmp	xmrig
behavioral2/memory/1552-141-0x00007FF6EC3C0000-0x00007FF6EC711000-memory.dmp	xmrig
behavioral2/memory/380-147-0x00007FF7DDDD0000-0x00007FF7DE121000-memory.dmp	xmrig
behavioral2/memory/4180-153-0x00007FF61F620000-0x00007FF61F971000-memory.dmp	xmrig
behavioral2/memory/3428-154-0x00007FF770170000-0x00007FF7704C1000-memory.dmp	xmrig
behavioral2/memory/1984-155-0x00007FF791DF0000-0x00007FF792141000-memory.dmp	xmrig
behavioral2/memory/924-157-0x00007FF652EB0000-0x00007FF653201000-memory.dmp	xmrig
behavioral2/memory/4784-156-0x00007FF7BB6C0000-0x00007FF7BBA11000-memory.dmp	xmrig
behavioral2/memory/1956-164-0x00007FF6B3C90000-0x00007FF6B3FE1000-memory.dmp	xmrig
behavioral2/memory/4424-165-0x00007FF60B670000-0x00007FF60B9C1000-memory.dmp	xmrig
behavioral2/memory/2236-173-0x00007FF607620000-0x00007FF607971000-memory.dmp	xmrig
behavioral2/memory/3916-172-0x00007FF796DB0000-0x00007FF797101000-memory.dmp	xmrig
behavioral2/memory/4424-188-0x00007FF60B670000-0x00007FF60B9C1000-memory.dmp	xmrig
behavioral2/memory/3368-221-0x00007FF7F5AE0000-0x00007FF7F5E31000-memory.dmp	xmrig
behavioral2/memory/3776-223-0x00007FF6E1FA0000-0x00007FF6E22F1000-memory.dmp	xmrig
behavioral2/memory/2488-226-0x00007FF6D82C0000-0x00007FF6D8611000-memory.dmp	xmrig
behavioral2/memory/1468-228-0x00007FF780B80000-0x00007FF780ED1000-memory.dmp	xmrig
behavioral2/memory/2076-232-0x00007FF7DE510000-0x00007FF7DE861000-memory.dmp	xmrig
behavioral2/memory/1892-234-0x00007FF756150000-0x00007FF7564A1000-memory.dmp	xmrig
behavioral2/memory/1440-239-0x00007FF7D9B10000-0x00007FF7D9E61000-memory.dmp	xmrig
behavioral2/memory/2316-241-0x00007FF7BFE10000-0x00007FF7C0161000-memory.dmp	xmrig
behavioral2/memory/4796-246-0x00007FF63D390000-0x00007FF63D6E1000-memory.dmp	xmrig
behavioral2/memory/4688-248-0x00007FF7B32D0000-0x00007FF7B3621000-memory.dmp	xmrig
behavioral2/memory/1552-255-0x00007FF6EC3C0000-0x00007FF6EC711000-memory.dmp	xmrig
behavioral2/memory/380-257-0x00007FF7DDDD0000-0x00007FF7DE121000-memory.dmp	xmrig
behavioral2/memory/3616-261-0x00007FF630730000-0x00007FF630A81000-memory.dmp	xmrig
behavioral2/memory/4180-260-0x00007FF61F620000-0x00007FF61F971000-memory.dmp	xmrig
behavioral2/memory/3428-263-0x00007FF770170000-0x00007FF7704C1000-memory.dmp	xmrig
behavioral2/memory/1984-269-0x00007FF791DF0000-0x00007FF792141000-memory.dmp	xmrig
behavioral2/memory/4784-271-0x00007FF7BB6C0000-0x00007FF7BBA11000-memory.dmp	xmrig
behavioral2/memory/2236-274-0x00007FF607620000-0x00007FF607971000-memory.dmp	xmrig
behavioral2/memory/1956-277-0x00007FF6B3C90000-0x00007FF6B3FE1000-memory.dmp	xmrig
behavioral2/memory/924-276-0x00007FF652EB0000-0x00007FF653201000-memory.dmp	xmrig
behavioral2/memory/3916-279-0x00007FF796DB0000-0x00007FF797101000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
3368	sxsTIBi.exe
3776	UeWspjM.exe
2488	gbjtKwP.exe
1468	YrIWnIh.exe
2076	AEidrgk.exe
1892	CAIKWfF.exe
1440	mtWxRZn.exe
2316	jqfZCJF.exe
4796	rCcMvHc.exe
4688	JZhCkia.exe
1552	gjJVfZl.exe
3616	NofRtNJ.exe
380	QZaenHi.exe
4180	cjWCqsT.exe
3428	bGCGCPh.exe
1984	VxMLJIA.exe
4784	mMnUEoe.exe
924	leMLfVa.exe
1956	opUtIWd.exe
2236	hheZHEI.exe
3916	GgYzhDm.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4424-0-0x00007FF60B670000-0x00007FF60B9C1000-memory.dmp	upx
behavioral2/files/0x000c000000023b0b-4.dat	upx
behavioral2/memory/3368-7-0x00007FF7F5AE0000-0x00007FF7F5E31000-memory.dmp	upx
behavioral2/files/0x000a000000023b5f-11.dat	upx
behavioral2/memory/3776-12-0x00007FF6E1FA0000-0x00007FF6E22F1000-memory.dmp	upx
behavioral2/files/0x000a000000023b60-15.dat	upx
behavioral2/files/0x000a000000023b61-23.dat	upx
behavioral2/memory/1468-24-0x00007FF780B80000-0x00007FF780ED1000-memory.dmp	upx
behavioral2/memory/2488-18-0x00007FF6D82C0000-0x00007FF6D8611000-memory.dmp	upx
behavioral2/files/0x0032000000023b5c-35.dat	upx
behavioral2/memory/2076-32-0x00007FF7DE510000-0x00007FF7DE861000-memory.dmp	upx
behavioral2/memory/1892-36-0x00007FF756150000-0x00007FF7564A1000-memory.dmp	upx
behavioral2/files/0x000a000000023b62-30.dat	upx
behavioral2/files/0x000a000000023b63-40.dat	upx
behavioral2/files/0x000a000000023b65-52.dat	upx
behavioral2/files/0x000a000000023b66-51.dat	upx
behavioral2/memory/4796-55-0x00007FF63D390000-0x00007FF63D6E1000-memory.dmp	upx
behavioral2/memory/3368-59-0x00007FF7F5AE0000-0x00007FF7F5E31000-memory.dmp	upx
behavioral2/files/0x000a000000023b67-61.dat	upx
behavioral2/memory/4688-60-0x00007FF7B32D0000-0x00007FF7B3621000-memory.dmp	upx
behavioral2/memory/4424-53-0x00007FF60B670000-0x00007FF60B9C1000-memory.dmp	upx
behavioral2/memory/2316-50-0x00007FF7BFE10000-0x00007FF7C0161000-memory.dmp	upx
behavioral2/memory/1440-43-0x00007FF7D9B10000-0x00007FF7D9E61000-memory.dmp	upx
behavioral2/memory/3776-62-0x00007FF6E1FA0000-0x00007FF6E22F1000-memory.dmp	upx
behavioral2/files/0x000a000000023b68-68.dat	upx
behavioral2/memory/2488-69-0x00007FF6D82C0000-0x00007FF6D8611000-memory.dmp	upx
behavioral2/memory/1552-70-0x00007FF6EC3C0000-0x00007FF6EC711000-memory.dmp	upx
behavioral2/files/0x000a000000023b6a-80.dat	upx
behavioral2/memory/3616-77-0x00007FF630730000-0x00007FF630A81000-memory.dmp	upx
behavioral2/files/0x000a000000023b69-82.dat	upx
behavioral2/files/0x000a000000023b6b-87.dat	upx
behavioral2/files/0x000a000000023b6c-93.dat	upx
behavioral2/memory/3428-97-0x00007FF770170000-0x00007FF7704C1000-memory.dmp	upx
behavioral2/memory/1892-96-0x00007FF756150000-0x00007FF7564A1000-memory.dmp	upx
behavioral2/memory/4180-92-0x00007FF61F620000-0x00007FF61F971000-memory.dmp	upx
behavioral2/memory/2076-89-0x00007FF7DE510000-0x00007FF7DE861000-memory.dmp	upx
behavioral2/memory/380-81-0x00007FF7DDDD0000-0x00007FF7DE121000-memory.dmp	upx
behavioral2/memory/1468-75-0x00007FF780B80000-0x00007FF780ED1000-memory.dmp	upx
behavioral2/files/0x000a000000023b6d-102.dat	upx
behavioral2/memory/2316-113-0x00007FF7BFE10000-0x00007FF7C0161000-memory.dmp	upx
behavioral2/memory/4784-114-0x00007FF7BB6C0000-0x00007FF7BBA11000-memory.dmp	upx
behavioral2/files/0x000a000000023b6f-112.dat	upx
behavioral2/files/0x000a000000023b70-121.dat	upx
behavioral2/memory/4688-123-0x00007FF7B32D0000-0x00007FF7B3621000-memory.dmp	upx
behavioral2/files/0x000a000000023b71-131.dat	upx
behavioral2/memory/2236-132-0x00007FF607620000-0x00007FF607971000-memory.dmp	upx
behavioral2/memory/1956-126-0x00007FF6B3C90000-0x00007FF6B3FE1000-memory.dmp	upx
behavioral2/files/0x000a000000023b6e-119.dat	upx
behavioral2/memory/4796-117-0x00007FF63D390000-0x00007FF63D6E1000-memory.dmp	upx
behavioral2/memory/924-115-0x00007FF652EB0000-0x00007FF653201000-memory.dmp	upx
behavioral2/memory/1984-106-0x00007FF791DF0000-0x00007FF792141000-memory.dmp	upx
behavioral2/memory/1440-104-0x00007FF7D9B10000-0x00007FF7D9E61000-memory.dmp	upx
behavioral2/memory/3616-143-0x00007FF630730000-0x00007FF630A81000-memory.dmp	upx
behavioral2/files/0x000a000000023b72-145.dat	upx
behavioral2/memory/3916-144-0x00007FF796DB0000-0x00007FF797101000-memory.dmp	upx
behavioral2/memory/1552-141-0x00007FF6EC3C0000-0x00007FF6EC711000-memory.dmp	upx
behavioral2/memory/380-147-0x00007FF7DDDD0000-0x00007FF7DE121000-memory.dmp	upx
behavioral2/memory/4180-153-0x00007FF61F620000-0x00007FF61F971000-memory.dmp	upx
behavioral2/memory/3428-154-0x00007FF770170000-0x00007FF7704C1000-memory.dmp	upx
behavioral2/memory/1984-155-0x00007FF791DF0000-0x00007FF792141000-memory.dmp	upx
behavioral2/memory/924-157-0x00007FF652EB0000-0x00007FF653201000-memory.dmp	upx
behavioral2/memory/4784-156-0x00007FF7BB6C0000-0x00007FF7BBA11000-memory.dmp	upx
behavioral2/memory/1956-164-0x00007FF6B3C90000-0x00007FF6B3FE1000-memory.dmp	upx
behavioral2/memory/4424-165-0x00007FF60B670000-0x00007FF60B9C1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\mtWxRZn.exe	2024-12-22_a29f5616d19cfff89ab11ee7fcff2610_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JZhCkia.exe	2024-12-22_a29f5616d19cfff89ab11ee7fcff2610_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NofRtNJ.exe	2024-12-22_a29f5616d19cfff89ab11ee7fcff2610_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VxMLJIA.exe	2024-12-22_a29f5616d19cfff89ab11ee7fcff2610_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mMnUEoe.exe	2024-12-22_a29f5616d19cfff89ab11ee7fcff2610_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\leMLfVa.exe	2024-12-22_a29f5616d19cfff89ab11ee7fcff2610_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cjWCqsT.exe	2024-12-22_a29f5616d19cfff89ab11ee7fcff2610_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hheZHEI.exe	2024-12-22_a29f5616d19cfff89ab11ee7fcff2610_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QZaenHi.exe	2024-12-22_a29f5616d19cfff89ab11ee7fcff2610_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bGCGCPh.exe	2024-12-22_a29f5616d19cfff89ab11ee7fcff2610_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sxsTIBi.exe	2024-12-22_a29f5616d19cfff89ab11ee7fcff2610_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UeWspjM.exe	2024-12-22_a29f5616d19cfff89ab11ee7fcff2610_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gbjtKwP.exe	2024-12-22_a29f5616d19cfff89ab11ee7fcff2610_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AEidrgk.exe	2024-12-22_a29f5616d19cfff89ab11ee7fcff2610_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jqfZCJF.exe	2024-12-22_a29f5616d19cfff89ab11ee7fcff2610_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gjJVfZl.exe	2024-12-22_a29f5616d19cfff89ab11ee7fcff2610_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\opUtIWd.exe	2024-12-22_a29f5616d19cfff89ab11ee7fcff2610_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GgYzhDm.exe	2024-12-22_a29f5616d19cfff89ab11ee7fcff2610_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YrIWnIh.exe	2024-12-22_a29f5616d19cfff89ab11ee7fcff2610_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CAIKWfF.exe	2024-12-22_a29f5616d19cfff89ab11ee7fcff2610_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rCcMvHc.exe	2024-12-22_a29f5616d19cfff89ab11ee7fcff2610_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4424	2024-12-22_a29f5616d19cfff89ab11ee7fcff2610_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4424	2024-12-22_a29f5616d19cfff89ab11ee7fcff2610_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4424 wrote to memory of 3368	4424	2024-12-22_a29f5616d19cfff89ab11ee7fcff2610_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4424 wrote to memory of 3368	4424	2024-12-22_a29f5616d19cfff89ab11ee7fcff2610_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4424 wrote to memory of 3776	4424	2024-12-22_a29f5616d19cfff89ab11ee7fcff2610_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4424 wrote to memory of 3776	4424	2024-12-22_a29f5616d19cfff89ab11ee7fcff2610_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4424 wrote to memory of 2488	4424	2024-12-22_a29f5616d19cfff89ab11ee7fcff2610_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4424 wrote to memory of 2488	4424	2024-12-22_a29f5616d19cfff89ab11ee7fcff2610_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4424 wrote to memory of 1468	4424	2024-12-22_a29f5616d19cfff89ab11ee7fcff2610_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4424 wrote to memory of 1468	4424	2024-12-22_a29f5616d19cfff89ab11ee7fcff2610_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4424 wrote to memory of 2076	4424	2024-12-22_a29f5616d19cfff89ab11ee7fcff2610_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4424 wrote to memory of 2076	4424	2024-12-22_a29f5616d19cfff89ab11ee7fcff2610_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4424 wrote to memory of 1892	4424	2024-12-22_a29f5616d19cfff89ab11ee7fcff2610_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4424 wrote to memory of 1892	4424	2024-12-22_a29f5616d19cfff89ab11ee7fcff2610_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4424 wrote to memory of 1440	4424	2024-12-22_a29f5616d19cfff89ab11ee7fcff2610_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4424 wrote to memory of 1440	4424	2024-12-22_a29f5616d19cfff89ab11ee7fcff2610_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4424 wrote to memory of 2316	4424	2024-12-22_a29f5616d19cfff89ab11ee7fcff2610_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4424 wrote to memory of 2316	4424	2024-12-22_a29f5616d19cfff89ab11ee7fcff2610_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4424 wrote to memory of 4796	4424	2024-12-22_a29f5616d19cfff89ab11ee7fcff2610_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4424 wrote to memory of 4796	4424	2024-12-22_a29f5616d19cfff89ab11ee7fcff2610_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4424 wrote to memory of 4688	4424	2024-12-22_a29f5616d19cfff89ab11ee7fcff2610_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4424 wrote to memory of 4688	4424	2024-12-22_a29f5616d19cfff89ab11ee7fcff2610_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4424 wrote to memory of 1552	4424	2024-12-22_a29f5616d19cfff89ab11ee7fcff2610_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4424 wrote to memory of 1552	4424	2024-12-22_a29f5616d19cfff89ab11ee7fcff2610_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4424 wrote to memory of 3616	4424	2024-12-22_a29f5616d19cfff89ab11ee7fcff2610_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4424 wrote to memory of 3616	4424	2024-12-22_a29f5616d19cfff89ab11ee7fcff2610_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4424 wrote to memory of 380	4424	2024-12-22_a29f5616d19cfff89ab11ee7fcff2610_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4424 wrote to memory of 380	4424	2024-12-22_a29f5616d19cfff89ab11ee7fcff2610_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4424 wrote to memory of 4180	4424	2024-12-22_a29f5616d19cfff89ab11ee7fcff2610_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4424 wrote to memory of 4180	4424	2024-12-22_a29f5616d19cfff89ab11ee7fcff2610_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4424 wrote to memory of 3428	4424	2024-12-22_a29f5616d19cfff89ab11ee7fcff2610_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4424 wrote to memory of 3428	4424	2024-12-22_a29f5616d19cfff89ab11ee7fcff2610_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4424 wrote to memory of 1984	4424	2024-12-22_a29f5616d19cfff89ab11ee7fcff2610_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4424 wrote to memory of 1984	4424	2024-12-22_a29f5616d19cfff89ab11ee7fcff2610_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4424 wrote to memory of 4784	4424	2024-12-22_a29f5616d19cfff89ab11ee7fcff2610_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4424 wrote to memory of 4784	4424	2024-12-22_a29f5616d19cfff89ab11ee7fcff2610_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4424 wrote to memory of 924	4424	2024-12-22_a29f5616d19cfff89ab11ee7fcff2610_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4424 wrote to memory of 924	4424	2024-12-22_a29f5616d19cfff89ab11ee7fcff2610_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4424 wrote to memory of 1956	4424	2024-12-22_a29f5616d19cfff89ab11ee7fcff2610_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4424 wrote to memory of 1956	4424	2024-12-22_a29f5616d19cfff89ab11ee7fcff2610_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4424 wrote to memory of 2236	4424	2024-12-22_a29f5616d19cfff89ab11ee7fcff2610_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4424 wrote to memory of 2236	4424	2024-12-22_a29f5616d19cfff89ab11ee7fcff2610_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4424 wrote to memory of 3916	4424	2024-12-22_a29f5616d19cfff89ab11ee7fcff2610_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4424 wrote to memory of 3916	4424	2024-12-22_a29f5616d19cfff89ab11ee7fcff2610_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-12-22_a29f5616d19cfff89ab11ee7fcff2610_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-22_a29f5616d19cfff89ab11ee7fcff2610_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4424
- C:\Windows\System\sxsTIBi.exe
  C:\Windows\System\sxsTIBi.exe
  2⤵
  - Executes dropped EXE
  PID:3368
- C:\Windows\System\UeWspjM.exe
  C:\Windows\System\UeWspjM.exe
  2⤵
  - Executes dropped EXE
  PID:3776
- C:\Windows\System\gbjtKwP.exe
  C:\Windows\System\gbjtKwP.exe
  2⤵
  - Executes dropped EXE
  PID:2488
- C:\Windows\System\YrIWnIh.exe
  C:\Windows\System\YrIWnIh.exe
  2⤵
  - Executes dropped EXE
  PID:1468
- C:\Windows\System\AEidrgk.exe
  C:\Windows\System\AEidrgk.exe
  2⤵
  - Executes dropped EXE
  PID:2076
- C:\Windows\System\CAIKWfF.exe
  C:\Windows\System\CAIKWfF.exe
  2⤵
  - Executes dropped EXE
  PID:1892
- C:\Windows\System\mtWxRZn.exe
  C:\Windows\System\mtWxRZn.exe
  2⤵
  - Executes dropped EXE
  PID:1440
- C:\Windows\System\jqfZCJF.exe
  C:\Windows\System\jqfZCJF.exe
  2⤵
  - Executes dropped EXE
  PID:2316
- C:\Windows\System\rCcMvHc.exe
  C:\Windows\System\rCcMvHc.exe
  2⤵
  - Executes dropped EXE
  PID:4796
- C:\Windows\System\JZhCkia.exe
  C:\Windows\System\JZhCkia.exe
  2⤵
  - Executes dropped EXE
  PID:4688
- C:\Windows\System\gjJVfZl.exe
  C:\Windows\System\gjJVfZl.exe
  2⤵
  - Executes dropped EXE
  PID:1552
- C:\Windows\System\NofRtNJ.exe
  C:\Windows\System\NofRtNJ.exe
  2⤵
  - Executes dropped EXE
  PID:3616
- C:\Windows\System\QZaenHi.exe
  C:\Windows\System\QZaenHi.exe
  2⤵
  - Executes dropped EXE
  PID:380
- C:\Windows\System\cjWCqsT.exe
  C:\Windows\System\cjWCqsT.exe
  2⤵
  - Executes dropped EXE
  PID:4180
- C:\Windows\System\bGCGCPh.exe
  C:\Windows\System\bGCGCPh.exe
  2⤵
  - Executes dropped EXE
  PID:3428
- C:\Windows\System\VxMLJIA.exe
  C:\Windows\System\VxMLJIA.exe
  2⤵
  - Executes dropped EXE
  PID:1984
- C:\Windows\System\mMnUEoe.exe
  C:\Windows\System\mMnUEoe.exe
  2⤵
  - Executes dropped EXE
  PID:4784
- C:\Windows\System\leMLfVa.exe
  C:\Windows\System\leMLfVa.exe
  2⤵
  - Executes dropped EXE
  PID:924
- C:\Windows\System\opUtIWd.exe
  C:\Windows\System\opUtIWd.exe
  2⤵
  - Executes dropped EXE
  PID:1956
- C:\Windows\System\hheZHEI.exe
  C:\Windows\System\hheZHEI.exe
  2⤵
  - Executes dropped EXE
  PID:2236
- C:\Windows\System\GgYzhDm.exe
  C:\Windows\System\GgYzhDm.exe
  2⤵
  - Executes dropped EXE
  PID:3916

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AEidrgk.exe

Filesize
5.2MB

MD5
a489bf61c2568616e80d069701a9abf1

SHA1
bd7df1b7a3be3baca3aa703f2a59009b438a5069

SHA256
e9271735bb01e270e1cad8bc36b50159d08dda3e4bb1631282c1d30914610687

SHA512
050a7cba1a8e58ac97bcba016796e1e28c1cddd9cea2c4a4ef11757dddafa790a329ed9d4fcaef8f5549ffc82e263cc860799c4f2d3c52efaf0db72d7c691d4b

Download Submit
C:\Windows\System\CAIKWfF.exe

Filesize
5.2MB

MD5
22461c84e028b696f193273da84600b6

SHA1
3dc026aa1cba74f137387d3e76790a34743786b8

SHA256
9ae1020bc61a81b92b99122b4c8e4c4752bc59ad9fec146ba4ee9f804a608304

SHA512
cf032a13feb7af38ad1af385722532836517f35458b629b119c54d86a98e054ee7fbb083317d45921b48212443d38a643f65d29d1c376b22b9271c6b1d21b5b8

Download Submit
C:\Windows\System\GgYzhDm.exe

Filesize
5.2MB

MD5
eb72d26944c9a7a16e3a3209c3eb1a55

SHA1
d15b1eb2d68bd37c5fb43148542a7518eb9bc3cf

SHA256
d44621c753d98dfc13196e6d140842d22221a86b83eddc207f2245d267458096

SHA512
0e614c80031a16509c7d3695016a2f8ffd826ece90a44ee84e334367be6ee4579a7310378d6ba730fa04317c932a5a142040d6659dc9455d12f99fcbed9274ab

Download Submit
C:\Windows\System\JZhCkia.exe

Filesize
5.2MB

MD5
08271653308de641298ea1146ae68285

SHA1
80918a11139e9bd724c1c2489dab0c94115d6531

SHA256
37cdbe99568115a7cae64458df79772f4bfe0efaf8fd6c601de954f0b010ef26

SHA512
8f668b8f960a457c846cfac2ac943913d0e51e74f4fc7ce8c244177857c47bcf98b4e3f93ae14c97f545224f9253e75315c8444a17639e253d797f0d9c585745

Download Submit
C:\Windows\System\NofRtNJ.exe

Filesize
5.2MB

MD5
b4393f9dc19266fd16190fe19e3fd70c

SHA1
2bb7eba13511c274803e53643bf1155b4e777bc7

SHA256
1bdc27b963fcec037b99065f62eb210d7b2d9364dad3401f55d12dbca8b4032b

SHA512
a48985b1331b76977e9f7374af5e37789e93654e53e2c9e2b02e77960fee7eaf7ee1728572b83923c0c1b8140987d4f942ef98208f44ea5cdbc770e729de3bc5

Download Submit
C:\Windows\System\QZaenHi.exe

Filesize
5.2MB

MD5
83555e2f5a27eb408667fea35b4fec31

SHA1
ae9dbb3ae212631016904479a35ef0fbe677998f

SHA256
f16fe22643e1d3fde169f50ce0277a5d1cf879a0fc738db9f9b84a9ebc465340

SHA512
244679d3f0380cbe7769e677ef41eba15156ec45c4fa04ab2c0e2b2dc556095393e170d371c554453545f74cb92fa48427fd00adc74fd7d83d66c54b46b7e705

Download Submit
C:\Windows\System\UeWspjM.exe

Filesize
5.2MB

MD5
58825e77c924f23e722da34e7d7ff8b1

SHA1
4adc82573854d9ff9463ad3d23b2b9e1d13cb5c3

SHA256
648919e387f33b5af02513dc08c55dcf6537f4c84e2143b3c442fd766800ba40

SHA512
eb66c7848110ea87e4e513152e3a34d535f191662fe299aff0e74333c0ea5d49318e73b7bf77882ffae5cf655a7c1588f4ac75c3fcefbfd7901e2622d1cc1a9e

Download Submit
C:\Windows\System\VxMLJIA.exe

Filesize
5.2MB

MD5
4ed9204e4721abda54da5b8c3dae69d3

SHA1
2068effd6ccf6f1465442a4ff0e44de9a5109a3a

SHA256
45fdd1b68829be605df1caf5c623c8af92e05bf5241a2b937fa0ea74fe1e2f1a

SHA512
fe6f3a4abd79ce8ab342faa0b01dba031ef3e1e1809698545d26573caf168f05bf17d60f1f900714f19cc1498aeede95386cad202fa805a020223145926800a1

Download Submit
C:\Windows\System\YrIWnIh.exe

Filesize
5.2MB

MD5
f108594ed99ed427e6a97d9c4ad26a5b

SHA1
5df7e97b66637e77f71b113f5d1cc8e8a4e593e1

SHA256
bc83f64275d052ca51f9513486c616cdaad9aa1f42cbe8206638106e55ebb686

SHA512
88ea6ee5ff1545120b7e0adfca6b0be7c0b9dffab6fccda24bbecca6ac7d6572a032a1b5f6d6672e87727650dfba8e21f09a034e64d4cf6adda573b3f7082ece

Download Submit
C:\Windows\System\bGCGCPh.exe

Filesize
5.2MB

MD5
718bab84a68ac24e5bf0fc6219a10fd3

SHA1
62e72c4cf3af6d45ae32d12d228cb63ac090ed12

SHA256
8bc56dcf7b9dd6de95deeec6c55f3a86262519485fe26ba08fcbc2ec7fa60690

SHA512
cb0ff6dc382df25e2e258531f00bdcdfff958fe0d9c33851c5d514b457f2528fdc3bd51ea4052a47883c27cadf9d930aff54d0e44eb1353786ae2b32e66a01a3

Download Submit
C:\Windows\System\cjWCqsT.exe

Filesize
5.2MB

MD5
cb086696993a587237849afb910cdeb9

SHA1
ff8b800d1ce878d5ca4c00d935fd6569732090ac

SHA256
b81a45837a1be48cc7813ddfc873bbfcc6ee56e5e20827a391e1c5c91388fe5a

SHA512
d7a6c1e9dc68bdde6ae10eed422bb016dd0f1fe7a25b31ff56731ac524db12b41068d5d6a4fdb83b4a24e392417ce8fafbe213d28b0a5fddc03ce3db058e3fe9

Download Submit
C:\Windows\System\gbjtKwP.exe

Filesize
5.2MB

MD5
949002ec75d7196bcb74c1f4d729f4fc

SHA1
c23c5793ce60189ff9436e46e5949db376e2ff2e

SHA256
9c017a983b9d19871c9b837b4807e04cbaca95ac18c24ef4ca1425b8cfc88409

SHA512
b67ca8da4c4465b085a661def587978b9983455617edc5537562cd4d923bdf29269d4f771a65fd92390895303d5270313a59b6f24b975bc97977a91ccc38b466

Download Submit
C:\Windows\System\gjJVfZl.exe

Filesize
5.2MB

MD5
69e11ccbcb071799b32d0acd81f04e22

SHA1
bc236a7fc5761a099187df7f86d29e7b92514495

SHA256
5d1432611e58aa429487e2414974f4c8365d3a262d1de3b9716c9beed892da00

SHA512
c1b9b8fa04a2af65a5ffd967552680a541ddbdcfe7c4b6249694d49bfbcdabb98de17f4d93e868c44e9bc6ac6809594f7ca5a893cd3a2747d57c03df84a743bb

Download Submit
C:\Windows\System\hheZHEI.exe

Filesize
5.2MB

MD5
f0f5777b2336af172643d3413250b7c3

SHA1
777839b725ccfff5567fe10b00460e883b3f6f2f

SHA256
8436f0f11e10219878d67b56cdedb677680c07bab255d1a588ca7678f8e6e13b

SHA512
d8bb1c8f54257255798ac43bc2bc3439836048377b38951e8980823f52f346b0a8fc86290bfb016ead617a9ff20d00bdfca8ef78752a74b9ede0a94e6f4f9459

Download Submit
C:\Windows\System\jqfZCJF.exe

Filesize
5.2MB

MD5
ad808c5a7b802c59c66aff71a9584d28

SHA1
5c7f2568bf329a175842ba04b8b74751f5e16d84

SHA256
de6b3e3a2472ce372d6411d5e16be243399d6dccdec94b0fd4d0ab8c661e4c35

SHA512
54a37dad435f88b7187fbed6c6dfcecc2294d20eb29e651dea240c6c26542696cdc46ff2ecc2701175b88d1532f4ab8b355df7bc3f98b03c9fd68c89e0d31f67

Download Submit
C:\Windows\System\leMLfVa.exe

Filesize
5.2MB

MD5
912849d3203690a546e33de9bc4c8fde

SHA1
3d1d3ecfc0d1663aeff9bb4555b290e68a816241

SHA256
ccf85c34e3e9b40fd0be95d970466ba8fc39ed1a16b86d57ecf4e2fbd84b6a5b

SHA512
4e730de219a759fc077eceda1dc9e4732e0009bf28f5eafa9bbf61aacab4f902f34e5f7360e3a24a3b2bb33fa8164430e51c3c450fec5a715ed00448bf6bd289

Download Submit
C:\Windows\System\mMnUEoe.exe

Filesize
5.2MB

MD5
67a4c2ff07f21a2e7bdc016ae5dc4623

SHA1
30f75d7efbb1de117244ca29c1c1e9663c479551

SHA256
3aaa426081d7f98eaeea26ef42d4a2b937368eb8d63871c331bb96ff59c82a86

SHA512
8f6544f2c81b3624a85e8b6d26ab87cd7a2d2ad197c8d884b10c39474f712f95f89c64e45b963c4b4c5fde580f4ad13b7237c8f1c1df45891e39177c31ec97cc

Download Submit
C:\Windows\System\mtWxRZn.exe

Filesize
5.2MB

MD5
a70fef3f40a7e0f0a58361249b3aa7ac

SHA1
3f84afc695e8f8055a98fea70548956330966890

SHA256
fa9240bffd8106bd17010cc9c9e41fa8f028ecb0014649cc1f346a3d9f1aa8ef

SHA512
dee9c80871363aa11c57426a48d3f652b9e1563e4a8e9bfd2b40e58b5523d83e93174ab9ba10d36a098bb939d7bcfc29cc6170f9afe169944733d2f4a593cf7b

Download Submit
C:\Windows\System\opUtIWd.exe

Filesize
5.2MB

MD5
d416230c8cc82073597fa98a49d75afe

SHA1
0dc7626f6ea1bf00483f8a6baadffff0b291658e

SHA256
5242054e61a3fd0c641fd92d0053af341a7ec80848daf802fad154b544aef103

SHA512
e5c5e17eabb4f9c1c53efc3aeda413249e71b969ca519365aba8ce70b7c9111fe0c8a631952599cab260543475542e0772b23f39ad40c5d4c95efb6bdef53035

Download Submit
C:\Windows\System\rCcMvHc.exe

Filesize
5.2MB

MD5
a14d8cd0ed28de9023300b03f6ef1967

SHA1
a225ab8246a2da48750efc309ec12693d78a5376

SHA256
402490fea6f61bc46837679564ed61e165c1ce815dfc3100b80b74e4b4d0f3ac

SHA512
5e42bc29c512c4e2536a5e17232611b1db25523b45e9f1db54355c6de6c6d0dc70625c66728ce07647ddf95ae72197a9c7559760f9ac43d61021851427ba610f

Download Submit
C:\Windows\System\sxsTIBi.exe

Filesize
5.2MB

MD5
076aa178bd83750a331ae2023d3e1060

SHA1
7c435d7fe9f400c53a25fd8e9249dd46dc3ba9f7

SHA256
fc798777293c400dd6d918ac88ccd813358ae98b70132a80c07a6e339466cae5

SHA512
9a60a252e906b92c6c83bd75135110dc0f626876dcd2acce8b29c2f5664ef326109ec1833387d9f893650daff1b72d3ba8802e9fbcce2963c3ce0ebcf8cf3fa2

Download Submit
memory/380-257-0x00007FF7DDDD0000-0x00007FF7DE121000-memory.dmp

Filesize
3.3MB

Download
memory/380-81-0x00007FF7DDDD0000-0x00007FF7DE121000-memory.dmp

Filesize
3.3MB

Download
memory/380-147-0x00007FF7DDDD0000-0x00007FF7DE121000-memory.dmp

Filesize
3.3MB

Download
memory/924-115-0x00007FF652EB0000-0x00007FF653201000-memory.dmp

Filesize
3.3MB

Download
memory/924-157-0x00007FF652EB0000-0x00007FF653201000-memory.dmp

Filesize
3.3MB

Download
memory/924-276-0x00007FF652EB0000-0x00007FF653201000-memory.dmp

Filesize
3.3MB

Download
memory/1440-239-0x00007FF7D9B10000-0x00007FF7D9E61000-memory.dmp

Filesize
3.3MB

Download
memory/1440-43-0x00007FF7D9B10000-0x00007FF7D9E61000-memory.dmp

Filesize
3.3MB

Download
memory/1440-104-0x00007FF7D9B10000-0x00007FF7D9E61000-memory.dmp

Filesize
3.3MB

Download
memory/1468-228-0x00007FF780B80000-0x00007FF780ED1000-memory.dmp

Filesize
3.3MB

Download
memory/1468-75-0x00007FF780B80000-0x00007FF780ED1000-memory.dmp

Filesize
3.3MB

Download
memory/1468-24-0x00007FF780B80000-0x00007FF780ED1000-memory.dmp

Filesize
3.3MB

Download
memory/1552-255-0x00007FF6EC3C0000-0x00007FF6EC711000-memory.dmp

Filesize
3.3MB

Download
memory/1552-70-0x00007FF6EC3C0000-0x00007FF6EC711000-memory.dmp

Filesize
3.3MB

Download
memory/1552-141-0x00007FF6EC3C0000-0x00007FF6EC711000-memory.dmp

Filesize
3.3MB

Download
memory/1892-36-0x00007FF756150000-0x00007FF7564A1000-memory.dmp

Filesize
3.3MB

Download
memory/1892-96-0x00007FF756150000-0x00007FF7564A1000-memory.dmp

Filesize
3.3MB

Download
memory/1892-234-0x00007FF756150000-0x00007FF7564A1000-memory.dmp

Filesize
3.3MB

Download
memory/1956-164-0x00007FF6B3C90000-0x00007FF6B3FE1000-memory.dmp

Filesize
3.3MB

Download
memory/1956-126-0x00007FF6B3C90000-0x00007FF6B3FE1000-memory.dmp

Filesize
3.3MB

Download
memory/1956-277-0x00007FF6B3C90000-0x00007FF6B3FE1000-memory.dmp

Filesize
3.3MB

Download
memory/1984-155-0x00007FF791DF0000-0x00007FF792141000-memory.dmp

Filesize
3.3MB

Download
memory/1984-106-0x00007FF791DF0000-0x00007FF792141000-memory.dmp

Filesize
3.3MB

Download
memory/1984-269-0x00007FF791DF0000-0x00007FF792141000-memory.dmp

Filesize
3.3MB

Download
memory/2076-89-0x00007FF7DE510000-0x00007FF7DE861000-memory.dmp

Filesize
3.3MB

Download
memory/2076-232-0x00007FF7DE510000-0x00007FF7DE861000-memory.dmp

Filesize
3.3MB

Download
memory/2076-32-0x00007FF7DE510000-0x00007FF7DE861000-memory.dmp

Filesize
3.3MB

Download
memory/2236-173-0x00007FF607620000-0x00007FF607971000-memory.dmp

Filesize
3.3MB

Download
memory/2236-132-0x00007FF607620000-0x00007FF607971000-memory.dmp

Filesize
3.3MB

Download
memory/2236-274-0x00007FF607620000-0x00007FF607971000-memory.dmp

Filesize
3.3MB

Download
memory/2316-50-0x00007FF7BFE10000-0x00007FF7C0161000-memory.dmp

Filesize
3.3MB

Download
memory/2316-241-0x00007FF7BFE10000-0x00007FF7C0161000-memory.dmp

Filesize
3.3MB

Download
memory/2316-113-0x00007FF7BFE10000-0x00007FF7C0161000-memory.dmp

Filesize
3.3MB

Download
memory/2488-69-0x00007FF6D82C0000-0x00007FF6D8611000-memory.dmp

Filesize
3.3MB

Download
memory/2488-18-0x00007FF6D82C0000-0x00007FF6D8611000-memory.dmp

Filesize
3.3MB

Download
memory/2488-226-0x00007FF6D82C0000-0x00007FF6D8611000-memory.dmp

Filesize
3.3MB

Download
memory/3368-7-0x00007FF7F5AE0000-0x00007FF7F5E31000-memory.dmp

Filesize
3.3MB

Download
memory/3368-59-0x00007FF7F5AE0000-0x00007FF7F5E31000-memory.dmp

Filesize
3.3MB

Download
memory/3368-221-0x00007FF7F5AE0000-0x00007FF7F5E31000-memory.dmp

Filesize
3.3MB

Download
memory/3428-97-0x00007FF770170000-0x00007FF7704C1000-memory.dmp

Filesize
3.3MB

Download
memory/3428-263-0x00007FF770170000-0x00007FF7704C1000-memory.dmp

Filesize
3.3MB

Download
memory/3428-154-0x00007FF770170000-0x00007FF7704C1000-memory.dmp

Filesize
3.3MB

Download
memory/3616-143-0x00007FF630730000-0x00007FF630A81000-memory.dmp

Filesize
3.3MB

Download
memory/3616-77-0x00007FF630730000-0x00007FF630A81000-memory.dmp

Filesize
3.3MB

Download
memory/3616-261-0x00007FF630730000-0x00007FF630A81000-memory.dmp

Filesize
3.3MB

Download
memory/3776-12-0x00007FF6E1FA0000-0x00007FF6E22F1000-memory.dmp

Filesize
3.3MB

Download
memory/3776-223-0x00007FF6E1FA0000-0x00007FF6E22F1000-memory.dmp

Filesize
3.3MB

Download
memory/3776-62-0x00007FF6E1FA0000-0x00007FF6E22F1000-memory.dmp

Filesize
3.3MB

Download
memory/3916-144-0x00007FF796DB0000-0x00007FF797101000-memory.dmp

Filesize
3.3MB

Download
memory/3916-279-0x00007FF796DB0000-0x00007FF797101000-memory.dmp

Filesize
3.3MB

Download
memory/3916-172-0x00007FF796DB0000-0x00007FF797101000-memory.dmp

Filesize
3.3MB

Download
memory/4180-260-0x00007FF61F620000-0x00007FF61F971000-memory.dmp

Filesize
3.3MB

Download
memory/4180-153-0x00007FF61F620000-0x00007FF61F971000-memory.dmp

Filesize
3.3MB

Download
memory/4180-92-0x00007FF61F620000-0x00007FF61F971000-memory.dmp

Filesize
3.3MB

Download
memory/4424-165-0x00007FF60B670000-0x00007FF60B9C1000-memory.dmp

Filesize
3.3MB

Download
memory/4424-1-0x0000023DD6EF0000-0x0000023DD6F00000-memory.dmp

Filesize
64KB

Download
memory/4424-53-0x00007FF60B670000-0x00007FF60B9C1000-memory.dmp

Filesize
3.3MB

Download
memory/4424-0-0x00007FF60B670000-0x00007FF60B9C1000-memory.dmp

Filesize
3.3MB

Download
memory/4424-188-0x00007FF60B670000-0x00007FF60B9C1000-memory.dmp

Filesize
3.3MB

Download
memory/4688-248-0x00007FF7B32D0000-0x00007FF7B3621000-memory.dmp

Filesize
3.3MB

Download
memory/4688-123-0x00007FF7B32D0000-0x00007FF7B3621000-memory.dmp

Filesize
3.3MB

Download
memory/4688-60-0x00007FF7B32D0000-0x00007FF7B3621000-memory.dmp

Filesize
3.3MB

Download
memory/4784-156-0x00007FF7BB6C0000-0x00007FF7BBA11000-memory.dmp

Filesize
3.3MB

Download
memory/4784-271-0x00007FF7BB6C0000-0x00007FF7BBA11000-memory.dmp

Filesize
3.3MB

Download
memory/4784-114-0x00007FF7BB6C0000-0x00007FF7BBA11000-memory.dmp

Filesize
3.3MB

Download
memory/4796-117-0x00007FF63D390000-0x00007FF63D6E1000-memory.dmp

Filesize
3.3MB

Download
memory/4796-55-0x00007FF63D390000-0x00007FF63D6E1000-memory.dmp

Filesize
3.3MB

Download
memory/4796-246-0x00007FF63D390000-0x00007FF63D6E1000-memory.dmp

Filesize
3.3MB

Download