cobaltstrike | 3fb6bf20eb86ac0bc46d97506a27f27a6d4e2517a1175e8b4105911570f756a4

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2024, 19:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-25_b4dbcae732186d329770833a3c0d7b4c_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

b4dbcae732186d329770833a3c0d7b4c
SHA1

88c90b06c81b4d8e8847b12b45021f4da09f4afe
SHA256

3fb6bf20eb86ac0bc46d97506a27f27a6d4e2517a1175e8b4105911570f756a4
SHA512

d877a02f978b4bd139e3a586096ca1e6a336b467006a9f40b8c4b46b97c3c79cd38d43e32ff2faa1887182c0e71878ef9efd7ddb71655bab53fa6ef925ad5d0a
SSDEEP

49152:ROdWCCi7/raN56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lh:RWWBib+56utgpPFotBER/mQ32lUt

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000c000000023b2b-4.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b80-9.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7f-12.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b81-23.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b83-37.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b84-43.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b82-29.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b85-48.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b86-53.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b7c-57.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b87-74.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b89-80.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b88-84.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8b-93.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8c-104.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8d-107.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8a-87.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8e-115.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b90-121.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b91-128.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b92-134.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/980-35-0x00007FF7EB1F0000-0x00007FF7EB541000-memory.dmp	xmrig
behavioral2/memory/1668-88-0x00007FF69AEC0000-0x00007FF69B211000-memory.dmp	xmrig
behavioral2/memory/440-101-0x00007FF6CDCC0000-0x00007FF6CE011000-memory.dmp	xmrig
behavioral2/memory/1752-92-0x00007FF7EE060000-0x00007FF7EE3B1000-memory.dmp	xmrig
behavioral2/memory/1780-91-0x00007FF76DF00000-0x00007FF76E251000-memory.dmp	xmrig
behavioral2/memory/1940-77-0x00007FF7E1C90000-0x00007FF7E1FE1000-memory.dmp	xmrig
behavioral2/memory/4580-69-0x00007FF780530000-0x00007FF780881000-memory.dmp	xmrig
behavioral2/memory/3344-58-0x00007FF6F3940000-0x00007FF6F3C91000-memory.dmp	xmrig
behavioral2/memory/2188-111-0x00007FF76EC10000-0x00007FF76EF61000-memory.dmp	xmrig
behavioral2/memory/4296-132-0x00007FF749E30000-0x00007FF74A181000-memory.dmp	xmrig
behavioral2/memory/2316-130-0x00007FF60F100000-0x00007FF60F451000-memory.dmp	xmrig
behavioral2/memory/1020-124-0x00007FF706080000-0x00007FF7063D1000-memory.dmp	xmrig
behavioral2/memory/3568-118-0x00007FF677130000-0x00007FF677481000-memory.dmp	xmrig
behavioral2/memory/2008-116-0x00007FF7176F0000-0x00007FF717A41000-memory.dmp	xmrig
behavioral2/memory/4348-138-0x00007FF797520000-0x00007FF797871000-memory.dmp	xmrig
behavioral2/memory/4676-139-0x00007FF626180000-0x00007FF6264D1000-memory.dmp	xmrig
behavioral2/memory/3064-137-0x00007FF7973E0000-0x00007FF797731000-memory.dmp	xmrig
behavioral2/memory/4352-136-0x00007FF759700000-0x00007FF759A51000-memory.dmp	xmrig
behavioral2/memory/1476-140-0x00007FF65EBC0000-0x00007FF65EF11000-memory.dmp	xmrig
behavioral2/memory/4048-141-0x00007FF691D10000-0x00007FF692061000-memory.dmp	xmrig
behavioral2/memory/3344-142-0x00007FF6F3940000-0x00007FF6F3C91000-memory.dmp	xmrig
behavioral2/memory/4520-148-0x00007FF7E8300000-0x00007FF7E8651000-memory.dmp	xmrig
behavioral2/memory/4276-158-0x00007FF7E8700000-0x00007FF7E8A51000-memory.dmp	xmrig
behavioral2/memory/3344-166-0x00007FF6F3940000-0x00007FF6F3C91000-memory.dmp	xmrig
behavioral2/memory/4580-220-0x00007FF780530000-0x00007FF780881000-memory.dmp	xmrig
behavioral2/memory/1940-222-0x00007FF7E1C90000-0x00007FF7E1FE1000-memory.dmp	xmrig
behavioral2/memory/1668-224-0x00007FF69AEC0000-0x00007FF69B211000-memory.dmp	xmrig
behavioral2/memory/1780-226-0x00007FF76DF00000-0x00007FF76E251000-memory.dmp	xmrig
behavioral2/memory/980-228-0x00007FF7EB1F0000-0x00007FF7EB541000-memory.dmp	xmrig
behavioral2/memory/440-230-0x00007FF6CDCC0000-0x00007FF6CE011000-memory.dmp	xmrig
behavioral2/memory/2188-232-0x00007FF76EC10000-0x00007FF76EF61000-memory.dmp	xmrig
behavioral2/memory/2008-243-0x00007FF7176F0000-0x00007FF717A41000-memory.dmp	xmrig
behavioral2/memory/1020-245-0x00007FF706080000-0x00007FF7063D1000-memory.dmp	xmrig
behavioral2/memory/4296-247-0x00007FF749E30000-0x00007FF74A181000-memory.dmp	xmrig
behavioral2/memory/3064-249-0x00007FF7973E0000-0x00007FF797731000-memory.dmp	xmrig
behavioral2/memory/1476-253-0x00007FF65EBC0000-0x00007FF65EF11000-memory.dmp	xmrig
behavioral2/memory/1752-255-0x00007FF7EE060000-0x00007FF7EE3B1000-memory.dmp	xmrig
behavioral2/memory/4348-252-0x00007FF797520000-0x00007FF797871000-memory.dmp	xmrig
behavioral2/memory/4048-257-0x00007FF691D10000-0x00007FF692061000-memory.dmp	xmrig
behavioral2/memory/4276-259-0x00007FF7E8700000-0x00007FF7E8A51000-memory.dmp	xmrig
behavioral2/memory/4520-261-0x00007FF7E8300000-0x00007FF7E8651000-memory.dmp	xmrig
behavioral2/memory/3568-267-0x00007FF677130000-0x00007FF677481000-memory.dmp	xmrig
behavioral2/memory/2316-269-0x00007FF60F100000-0x00007FF60F451000-memory.dmp	xmrig
behavioral2/memory/4352-271-0x00007FF759700000-0x00007FF759A51000-memory.dmp	xmrig
behavioral2/memory/4676-273-0x00007FF626180000-0x00007FF6264D1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4580	WFbQjmd.exe
1940	kJtgXJH.exe
1668	eUzNPBj.exe
1780	MHUFBRR.exe
980	YjBOjhZ.exe
440	qQwCqXb.exe
2188	titENQt.exe
2008	ThRRims.exe
1020	NNjbjcK.exe
4296	KjqVqTe.exe
3064	pkbthSN.exe
1476	vGqEhwb.exe
4348	atQaPvi.exe
1752	BpINmpP.exe
4048	oZmkbDD.exe
4520	mqVziXl.exe
4276	uOLpRAV.exe
3568	tHCxvSf.exe
2316	FOevpyH.exe
4352	DZCFcOm.exe
4676	LzSNLHV.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3344-0-0x00007FF6F3940000-0x00007FF6F3C91000-memory.dmp	upx
behavioral2/files/0x000c000000023b2b-4.dat	upx
behavioral2/memory/4580-7-0x00007FF780530000-0x00007FF780881000-memory.dmp	upx
behavioral2/files/0x000a000000023b80-9.dat	upx
behavioral2/files/0x000a000000023b7f-12.dat	upx
behavioral2/memory/1940-13-0x00007FF7E1C90000-0x00007FF7E1FE1000-memory.dmp	upx
behavioral2/memory/1668-17-0x00007FF69AEC0000-0x00007FF69B211000-memory.dmp	upx
behavioral2/files/0x000a000000023b81-23.dat	upx
behavioral2/memory/1780-31-0x00007FF76DF00000-0x00007FF76E251000-memory.dmp	upx
behavioral2/memory/980-35-0x00007FF7EB1F0000-0x00007FF7EB541000-memory.dmp	upx
behavioral2/files/0x000a000000023b83-37.dat	upx
behavioral2/memory/440-40-0x00007FF6CDCC0000-0x00007FF6CE011000-memory.dmp	upx
behavioral2/files/0x000a000000023b84-43.dat	upx
behavioral2/memory/2188-42-0x00007FF76EC10000-0x00007FF76EF61000-memory.dmp	upx
behavioral2/files/0x000a000000023b82-29.dat	upx
behavioral2/files/0x000a000000023b85-48.dat	upx
behavioral2/files/0x000a000000023b86-53.dat	upx
behavioral2/memory/2008-49-0x00007FF7176F0000-0x00007FF717A41000-memory.dmp	upx
behavioral2/files/0x000b000000023b7c-57.dat	upx
behavioral2/files/0x000a000000023b87-74.dat	upx
behavioral2/files/0x000a000000023b89-80.dat	upx
behavioral2/files/0x000a000000023b88-84.dat	upx
behavioral2/memory/1668-88-0x00007FF69AEC0000-0x00007FF69B211000-memory.dmp	upx
behavioral2/files/0x000a000000023b8b-93.dat	upx
behavioral2/memory/440-101-0x00007FF6CDCC0000-0x00007FF6CE011000-memory.dmp	upx
behavioral2/files/0x000a000000023b8c-104.dat	upx
behavioral2/files/0x000a000000023b8d-107.dat	upx
behavioral2/memory/4276-106-0x00007FF7E8700000-0x00007FF7E8A51000-memory.dmp	upx
behavioral2/memory/4520-102-0x00007FF7E8300000-0x00007FF7E8651000-memory.dmp	upx
behavioral2/memory/4048-95-0x00007FF691D10000-0x00007FF692061000-memory.dmp	upx
behavioral2/memory/1752-92-0x00007FF7EE060000-0x00007FF7EE3B1000-memory.dmp	upx
behavioral2/memory/1780-91-0x00007FF76DF00000-0x00007FF76E251000-memory.dmp	upx
behavioral2/files/0x000a000000023b8a-87.dat	upx
behavioral2/memory/4348-82-0x00007FF797520000-0x00007FF797871000-memory.dmp	upx
behavioral2/memory/1476-78-0x00007FF65EBC0000-0x00007FF65EF11000-memory.dmp	upx
behavioral2/memory/1940-77-0x00007FF7E1C90000-0x00007FF7E1FE1000-memory.dmp	upx
behavioral2/memory/3064-70-0x00007FF7973E0000-0x00007FF797731000-memory.dmp	upx
behavioral2/memory/4580-69-0x00007FF780530000-0x00007FF780881000-memory.dmp	upx
behavioral2/memory/4296-59-0x00007FF749E30000-0x00007FF74A181000-memory.dmp	upx
behavioral2/memory/3344-58-0x00007FF6F3940000-0x00007FF6F3C91000-memory.dmp	upx
behavioral2/memory/1020-54-0x00007FF706080000-0x00007FF7063D1000-memory.dmp	upx
behavioral2/memory/2188-111-0x00007FF76EC10000-0x00007FF76EF61000-memory.dmp	upx
behavioral2/files/0x000a000000023b8e-115.dat	upx
behavioral2/files/0x000a000000023b90-121.dat	upx
behavioral2/files/0x000a000000023b91-128.dat	upx
behavioral2/files/0x000b000000023b92-134.dat	upx
behavioral2/memory/4296-132-0x00007FF749E30000-0x00007FF74A181000-memory.dmp	upx
behavioral2/memory/2316-130-0x00007FF60F100000-0x00007FF60F451000-memory.dmp	upx
behavioral2/memory/1020-124-0x00007FF706080000-0x00007FF7063D1000-memory.dmp	upx
behavioral2/memory/3568-118-0x00007FF677130000-0x00007FF677481000-memory.dmp	upx
behavioral2/memory/2008-116-0x00007FF7176F0000-0x00007FF717A41000-memory.dmp	upx
behavioral2/memory/4348-138-0x00007FF797520000-0x00007FF797871000-memory.dmp	upx
behavioral2/memory/4676-139-0x00007FF626180000-0x00007FF6264D1000-memory.dmp	upx
behavioral2/memory/3064-137-0x00007FF7973E0000-0x00007FF797731000-memory.dmp	upx
behavioral2/memory/4352-136-0x00007FF759700000-0x00007FF759A51000-memory.dmp	upx
behavioral2/memory/1476-140-0x00007FF65EBC0000-0x00007FF65EF11000-memory.dmp	upx
behavioral2/memory/4048-141-0x00007FF691D10000-0x00007FF692061000-memory.dmp	upx
behavioral2/memory/3344-142-0x00007FF6F3940000-0x00007FF6F3C91000-memory.dmp	upx
behavioral2/memory/4520-148-0x00007FF7E8300000-0x00007FF7E8651000-memory.dmp	upx
behavioral2/memory/4276-158-0x00007FF7E8700000-0x00007FF7E8A51000-memory.dmp	upx
behavioral2/memory/3344-166-0x00007FF6F3940000-0x00007FF6F3C91000-memory.dmp	upx
behavioral2/memory/4580-220-0x00007FF780530000-0x00007FF780881000-memory.dmp	upx
behavioral2/memory/1940-222-0x00007FF7E1C90000-0x00007FF7E1FE1000-memory.dmp	upx
behavioral2/memory/1668-224-0x00007FF69AEC0000-0x00007FF69B211000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\WFbQjmd.exe	2024-12-25_b4dbcae732186d329770833a3c0d7b4c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pkbthSN.exe	2024-12-25_b4dbcae732186d329770833a3c0d7b4c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\atQaPvi.exe	2024-12-25_b4dbcae732186d329770833a3c0d7b4c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uOLpRAV.exe	2024-12-25_b4dbcae732186d329770833a3c0d7b4c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tHCxvSf.exe	2024-12-25_b4dbcae732186d329770833a3c0d7b4c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MHUFBRR.exe	2024-12-25_b4dbcae732186d329770833a3c0d7b4c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qQwCqXb.exe	2024-12-25_b4dbcae732186d329770833a3c0d7b4c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oZmkbDD.exe	2024-12-25_b4dbcae732186d329770833a3c0d7b4c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mqVziXl.exe	2024-12-25_b4dbcae732186d329770833a3c0d7b4c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LzSNLHV.exe	2024-12-25_b4dbcae732186d329770833a3c0d7b4c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kJtgXJH.exe	2024-12-25_b4dbcae732186d329770833a3c0d7b4c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ThRRims.exe	2024-12-25_b4dbcae732186d329770833a3c0d7b4c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KjqVqTe.exe	2024-12-25_b4dbcae732186d329770833a3c0d7b4c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BpINmpP.exe	2024-12-25_b4dbcae732186d329770833a3c0d7b4c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FOevpyH.exe	2024-12-25_b4dbcae732186d329770833a3c0d7b4c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eUzNPBj.exe	2024-12-25_b4dbcae732186d329770833a3c0d7b4c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YjBOjhZ.exe	2024-12-25_b4dbcae732186d329770833a3c0d7b4c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\titENQt.exe	2024-12-25_b4dbcae732186d329770833a3c0d7b4c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NNjbjcK.exe	2024-12-25_b4dbcae732186d329770833a3c0d7b4c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vGqEhwb.exe	2024-12-25_b4dbcae732186d329770833a3c0d7b4c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DZCFcOm.exe	2024-12-25_b4dbcae732186d329770833a3c0d7b4c_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3344	2024-12-25_b4dbcae732186d329770833a3c0d7b4c_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	3344	2024-12-25_b4dbcae732186d329770833a3c0d7b4c_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3344 wrote to memory of 4580	3344	2024-12-25_b4dbcae732186d329770833a3c0d7b4c_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3344 wrote to memory of 4580	3344	2024-12-25_b4dbcae732186d329770833a3c0d7b4c_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3344 wrote to memory of 1940	3344	2024-12-25_b4dbcae732186d329770833a3c0d7b4c_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3344 wrote to memory of 1940	3344	2024-12-25_b4dbcae732186d329770833a3c0d7b4c_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3344 wrote to memory of 1668	3344	2024-12-25_b4dbcae732186d329770833a3c0d7b4c_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3344 wrote to memory of 1668	3344	2024-12-25_b4dbcae732186d329770833a3c0d7b4c_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3344 wrote to memory of 1780	3344	2024-12-25_b4dbcae732186d329770833a3c0d7b4c_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3344 wrote to memory of 1780	3344	2024-12-25_b4dbcae732186d329770833a3c0d7b4c_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3344 wrote to memory of 980	3344	2024-12-25_b4dbcae732186d329770833a3c0d7b4c_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3344 wrote to memory of 980	3344	2024-12-25_b4dbcae732186d329770833a3c0d7b4c_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3344 wrote to memory of 440	3344	2024-12-25_b4dbcae732186d329770833a3c0d7b4c_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3344 wrote to memory of 440	3344	2024-12-25_b4dbcae732186d329770833a3c0d7b4c_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3344 wrote to memory of 2188	3344	2024-12-25_b4dbcae732186d329770833a3c0d7b4c_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3344 wrote to memory of 2188	3344	2024-12-25_b4dbcae732186d329770833a3c0d7b4c_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3344 wrote to memory of 2008	3344	2024-12-25_b4dbcae732186d329770833a3c0d7b4c_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3344 wrote to memory of 2008	3344	2024-12-25_b4dbcae732186d329770833a3c0d7b4c_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3344 wrote to memory of 1020	3344	2024-12-25_b4dbcae732186d329770833a3c0d7b4c_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3344 wrote to memory of 1020	3344	2024-12-25_b4dbcae732186d329770833a3c0d7b4c_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3344 wrote to memory of 4296	3344	2024-12-25_b4dbcae732186d329770833a3c0d7b4c_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3344 wrote to memory of 4296	3344	2024-12-25_b4dbcae732186d329770833a3c0d7b4c_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3344 wrote to memory of 3064	3344	2024-12-25_b4dbcae732186d329770833a3c0d7b4c_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3344 wrote to memory of 3064	3344	2024-12-25_b4dbcae732186d329770833a3c0d7b4c_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3344 wrote to memory of 1476	3344	2024-12-25_b4dbcae732186d329770833a3c0d7b4c_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3344 wrote to memory of 1476	3344	2024-12-25_b4dbcae732186d329770833a3c0d7b4c_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3344 wrote to memory of 4348	3344	2024-12-25_b4dbcae732186d329770833a3c0d7b4c_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3344 wrote to memory of 4348	3344	2024-12-25_b4dbcae732186d329770833a3c0d7b4c_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3344 wrote to memory of 1752	3344	2024-12-25_b4dbcae732186d329770833a3c0d7b4c_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3344 wrote to memory of 1752	3344	2024-12-25_b4dbcae732186d329770833a3c0d7b4c_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3344 wrote to memory of 4048	3344	2024-12-25_b4dbcae732186d329770833a3c0d7b4c_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3344 wrote to memory of 4048	3344	2024-12-25_b4dbcae732186d329770833a3c0d7b4c_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3344 wrote to memory of 4520	3344	2024-12-25_b4dbcae732186d329770833a3c0d7b4c_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3344 wrote to memory of 4520	3344	2024-12-25_b4dbcae732186d329770833a3c0d7b4c_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3344 wrote to memory of 4276	3344	2024-12-25_b4dbcae732186d329770833a3c0d7b4c_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3344 wrote to memory of 4276	3344	2024-12-25_b4dbcae732186d329770833a3c0d7b4c_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3344 wrote to memory of 3568	3344	2024-12-25_b4dbcae732186d329770833a3c0d7b4c_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3344 wrote to memory of 3568	3344	2024-12-25_b4dbcae732186d329770833a3c0d7b4c_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3344 wrote to memory of 2316	3344	2024-12-25_b4dbcae732186d329770833a3c0d7b4c_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3344 wrote to memory of 2316	3344	2024-12-25_b4dbcae732186d329770833a3c0d7b4c_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3344 wrote to memory of 4352	3344	2024-12-25_b4dbcae732186d329770833a3c0d7b4c_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3344 wrote to memory of 4352	3344	2024-12-25_b4dbcae732186d329770833a3c0d7b4c_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3344 wrote to memory of 4676	3344	2024-12-25_b4dbcae732186d329770833a3c0d7b4c_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 3344 wrote to memory of 4676	3344	2024-12-25_b4dbcae732186d329770833a3c0d7b4c_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-12-25_b4dbcae732186d329770833a3c0d7b4c_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-25_b4dbcae732186d329770833a3c0d7b4c_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3344
- C:\Windows\System\WFbQjmd.exe
  C:\Windows\System\WFbQjmd.exe
  2⤵
  - Executes dropped EXE
  PID:4580
- C:\Windows\System\kJtgXJH.exe
  C:\Windows\System\kJtgXJH.exe
  2⤵
  - Executes dropped EXE
  PID:1940
- C:\Windows\System\eUzNPBj.exe
  C:\Windows\System\eUzNPBj.exe
  2⤵
  - Executes dropped EXE
  PID:1668
- C:\Windows\System\MHUFBRR.exe
  C:\Windows\System\MHUFBRR.exe
  2⤵
  - Executes dropped EXE
  PID:1780
- C:\Windows\System\YjBOjhZ.exe
  C:\Windows\System\YjBOjhZ.exe
  2⤵
  - Executes dropped EXE
  PID:980
- C:\Windows\System\qQwCqXb.exe
  C:\Windows\System\qQwCqXb.exe
  2⤵
  - Executes dropped EXE
  PID:440
- C:\Windows\System\titENQt.exe
  C:\Windows\System\titENQt.exe
  2⤵
  - Executes dropped EXE
  PID:2188
- C:\Windows\System\ThRRims.exe
  C:\Windows\System\ThRRims.exe
  2⤵
  - Executes dropped EXE
  PID:2008
- C:\Windows\System\NNjbjcK.exe
  C:\Windows\System\NNjbjcK.exe
  2⤵
  - Executes dropped EXE
  PID:1020
- C:\Windows\System\KjqVqTe.exe
  C:\Windows\System\KjqVqTe.exe
  2⤵
  - Executes dropped EXE
  PID:4296
- C:\Windows\System\pkbthSN.exe
  C:\Windows\System\pkbthSN.exe
  2⤵
  - Executes dropped EXE
  PID:3064
- C:\Windows\System\vGqEhwb.exe
  C:\Windows\System\vGqEhwb.exe
  2⤵
  - Executes dropped EXE
  PID:1476
- C:\Windows\System\atQaPvi.exe
  C:\Windows\System\atQaPvi.exe
  2⤵
  - Executes dropped EXE
  PID:4348
- C:\Windows\System\BpINmpP.exe
  C:\Windows\System\BpINmpP.exe
  2⤵
  - Executes dropped EXE
  PID:1752
- C:\Windows\System\oZmkbDD.exe
  C:\Windows\System\oZmkbDD.exe
  2⤵
  - Executes dropped EXE
  PID:4048
- C:\Windows\System\mqVziXl.exe
  C:\Windows\System\mqVziXl.exe
  2⤵
  - Executes dropped EXE
  PID:4520
- C:\Windows\System\uOLpRAV.exe
  C:\Windows\System\uOLpRAV.exe
  2⤵
  - Executes dropped EXE
  PID:4276
- C:\Windows\System\tHCxvSf.exe
  C:\Windows\System\tHCxvSf.exe
  2⤵
  - Executes dropped EXE
  PID:3568
- C:\Windows\System\FOevpyH.exe
  C:\Windows\System\FOevpyH.exe
  2⤵
  - Executes dropped EXE
  PID:2316
- C:\Windows\System\DZCFcOm.exe
  C:\Windows\System\DZCFcOm.exe
  2⤵
  - Executes dropped EXE
  PID:4352
- C:\Windows\System\LzSNLHV.exe
  C:\Windows\System\LzSNLHV.exe
  2⤵
  - Executes dropped EXE
  PID:4676

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BpINmpP.exe

Filesize
5.2MB

MD5
dcd483a7f1743b564423ad9476877e01

SHA1
f07f4585b743df3d6ef49141c9284540f9efcb90

SHA256
f55fb1b59395b0d80278b86145f201275696a5c67b71181e56db6540fca0d63e

SHA512
8783be83296783aa8281edc65201f00be46332f9bc0190a15b062e299093089944f51147a65cf5638e80570e43eb2e3e89411145fbe0e027359a182e27efae14

Download Submit
C:\Windows\System\DZCFcOm.exe

Filesize
5.2MB

MD5
31044f81702244a13f0fbe9154d55d63

SHA1
3302574a2b3f05d5e5fb645a3f09c5235f043a3a

SHA256
02edddaef873bc130a1b4b84de209a6af9b362bacc72052325e0b8a55bc27995

SHA512
45e785710baca0749b0327b4845671acd18971080a3667c0310ad30de6385027a52eb064b8e02df211f590cdeb6c440285657d5c7c7010cbbda2a6c226019b14

Download Submit
C:\Windows\System\FOevpyH.exe

Filesize
5.2MB

MD5
8bdf34ae2465d1a4eb106d145f20a6a2

SHA1
f3276e12c9d845241d1a281eade9479dd29c22a4

SHA256
5cdc66b87fbad58e12cb717f5f2c7e236b6dbad6953fd6b1df5a9e85ffaaff59

SHA512
1b1f8d49903d5ebf2039cf66d2b0c602894db7abc31290c208a186e68065fefed2d13995431c17df48dce0b4bfe121e69a437c5abb9d573c17ce2ea8110a38e2

Download Submit
C:\Windows\System\KjqVqTe.exe

Filesize
5.2MB

MD5
b874d4fd9ea360b8d726d67967af4a61

SHA1
9461b2fbd28c8eed30737a38a6af88ef6b6db11e

SHA256
17df12cd22ddf4db96b3f78f9784f4aa2a7108eb6b3881b4f1a74467d0ecee0c

SHA512
6cdb84504c96f32a06a781acc0f2699d98cc64575641738d99c2e1150b5eee5ee1828e69573428254151a6a23d6c9fb084d2f86a5e410b3903509c1fb3b68d93

Download Submit
C:\Windows\System\LzSNLHV.exe

Filesize
5.2MB

MD5
21c91e2c58b3c1c00dd98e6e6cfac07c

SHA1
1ff5a5e7e2cdb3827bc78d893f5653904cb34406

SHA256
316886cc26c66c1fa6047f56e316bd63563b98b2e4bdf2fdfc70a8c5a9cd1ede

SHA512
4cb1d9610e669c8da5cb25095061c6d90e9637c685a92288f842a63f89734bc695de23c982c0422b830c523edd7c31a281162656d4e9a912328d179eed283dc0

Download Submit
C:\Windows\System\MHUFBRR.exe

Filesize
5.2MB

MD5
4d74cdec7936c8ed6bd7db487a5388a9

SHA1
8fde2144358eb43b7371388967b8be4e4907fa62

SHA256
8a8569c54d32f7770f4a2d58724783ae94501bca2850638ce4fd309ac08e0e59

SHA512
bfc83801e8a7ea95a03d30f9bfb73caa620c62e828d8f44de93ec37c0a243f15d7f0f4b219d417455a3e571a33f0e5954c803dfbe6119fe2d76f16a4d5871853

Download Submit
C:\Windows\System\NNjbjcK.exe

Filesize
5.2MB

MD5
5fb730ba96f05d30b2f32d4caf0d9716

SHA1
3bb21ccaeb5c2d5c26cf8d3d523e2210bdcb1d9c

SHA256
cfc3086bfcbdf78f8b19509ea912fcc1a088cb952a57a5e024da8a8e13602e72

SHA512
76bc71e43cad9837d12b2a823c75b14ffcbe7b91746b55706e07bcafc3d35c70fc5410241afa16e48c69115311d017940a819db9ef5a426b67344fb7fc769679

Download Submit
C:\Windows\System\ThRRims.exe

Filesize
5.2MB

MD5
0bce6827ccf9767404a64e660b10acfc

SHA1
6ba71eba5601acd8000eb3f4857635642c5c5dca

SHA256
a97653924734d211173421b0f15c069e78552acd44fb9d67daf3d8bfb1d6dd28

SHA512
12292c169a456728e77b833215eb6e7143f5506529cbf0d585d318011b595b3cdfbca2ed21aadc75abda8f85c5debb2237b75f174fea2223665a55325cf9159b

Download Submit
C:\Windows\System\WFbQjmd.exe

Filesize
5.2MB

MD5
e4f643ae5a90e877fa7a7d0ca3d45eb9

SHA1
1644897d7361d08b0ddd137ea9db4ff2c1cf77e3

SHA256
114bc63139b68fd3da1969c7bff4e9f3fae9f3ec4852a922ef2184194a481a77

SHA512
69a6e00c97fa45e7cd0e94acfe6b65e783a84fcfe815b0404550e45d4975278c73a66feb40ccfa96eb677ffae10b181149950b0fde81a737a09edc5ae6e17889

Download Submit
C:\Windows\System\YjBOjhZ.exe

Filesize
5.2MB

MD5
25f90c6a0ddf1f0a8b8cab3c1a900041

SHA1
4858c80a272d129bd97f6c8157def693aa22acf9

SHA256
d683ac08e0d51c47c6a5612e9a7eca7ed0090cf8d7d4cd0d6458e7696fca09fe

SHA512
cbc3188d89c378048857c1123c828f5079b63fa454d73f2fa2448b76bc982be44246b4eda5ff4c6c15530aa6b5029283cec3696979de049d53665b5ff5943f49

Download Submit
C:\Windows\System\atQaPvi.exe

Filesize
5.2MB

MD5
e901339f5ec7ebefe467fd48901d2ba6

SHA1
73b9f444484dfa6227e4943d3d61dd92690415b9

SHA256
8c283797d0ad72cef75494bbbf132e801ad965e06325b3b00f0a31543071c5e9

SHA512
7231b65c8aeeb054cdf32b6250fdaa5a9455810807b13ff4e108a60fe87748378dd4050fba48891a19b7f147e0be852012e9d7cbc5ae18fbe77f1585af2f5ef7

Download Submit
C:\Windows\System\eUzNPBj.exe

Filesize
5.2MB

MD5
f443275124dc8966fb9fe9d4811d3083

SHA1
b512df0d57bf6f515cd26dbfc37b7e9315c7b88c

SHA256
6dfbf063d7d7289d7d121b5fc577f0f0d85a03621d94158ac1ca83b2730644c7

SHA512
aed9f6054bc3d09551c0d808b7f70f769ca55a4ecd70272e50d6e9255968a2cfeea2b9bfa881edb0cbbd5a0f107065df0d8fbfef8803f3130cacb91ac6d88190

Download Submit
C:\Windows\System\kJtgXJH.exe

Filesize
5.2MB

MD5
8039eb5bdeb9f53cea144ab918176eda

SHA1
c8761d7bb616a207b92fda1b18e820d137102bfd

SHA256
067ec447b266dff0716ee4369a28f841caad3bc650da17efbf179f71146acc3a

SHA512
612d3cc02bf459cacd2a818e7cd79c31af2887be1f988441d72ec31b014d543bca05d2c058285aeffc54bf4e51cf9f994aa678ce3f6d175543d09fb53c71fc61

Download Submit
C:\Windows\System\mqVziXl.exe

Filesize
5.2MB

MD5
97d6f5766f18c461703a19bb3dfb45a1

SHA1
b00ae00f18f8efae41a9d166cc6a303f62e39185

SHA256
870d60da95fa13da8063a29d86c3acd2aca43d5d7441f6d315ef325f34d6bded

SHA512
c43a285cf154cb173b3f8b2b62fe347f08e604e08689c751a25d1cd720ae6a8438c5ba6aa7d864c6e7844c4a7cf22c206561afb2f00e22bc18e8220a4ce109b7

Download Submit
C:\Windows\System\oZmkbDD.exe

Filesize
5.2MB

MD5
01f51feb8833bfe9abe2dcc61d7e8ab3

SHA1
57e5a5d64eca2272c8b27476028c3be720cff1a7

SHA256
661032778a6796ad391d0dc2c1d519d936d1b9f9c185995f8a5bcbf3b7b4b4ee

SHA512
1fc7850ed3160cf335eacb35d629494569ff97b1e0682e700fa5ecfac83321913cb290ddfd1fe5c1cfa5ff32506be119882028288e835c4a772ad25357553df0

Download Submit
C:\Windows\System\pkbthSN.exe

Filesize
5.2MB

MD5
e0f6db492ee2e3e423bb1c30926069a4

SHA1
dd2d4082f8272ed39b43e03da980431d41104a3e

SHA256
7d5c40f2343e437e9744f60018d1aeec562f5adfb59a0cf786973ce8d77974c1

SHA512
4898071ec943422e31b06405d8b49f84376b90d5be1586ffe7ebf7c12c51d7001412d24dba5ab46bb8ce4f57be9c3e2207da341a88256ddecae8dfb1b6c731d7

Download Submit
C:\Windows\System\qQwCqXb.exe

Filesize
5.2MB

MD5
1fd3fe6fca16f5e619c63178315b66cb

SHA1
bde594cb1dad2156f48098252e0d1dc9d2607357

SHA256
dab61c297c6e75854b55a7f6a823be5312b36920bb32c93cbd246d4830e63af4

SHA512
d1221332417b5f83e663f6cf67371436f6601423e7d843ee17904ee072f893bc935415aa7c69272801cf71cb4a15a44a4f1de2081ebd33c90c1bb67d7920cc00

Download Submit
C:\Windows\System\tHCxvSf.exe

Filesize
5.2MB

MD5
511931be637aadb2f8e4e9225382648c

SHA1
d9990f0cf734b6c2faff06cbe9d8b1dddc801832

SHA256
257338e7a6e2c2da2fee9d6616b592b6aac8222c0c7dc4e347a5dbb4c1a2890d

SHA512
fd9f927a0f07978edf1fddceabf513cc8c1ac15ad3409c53129035b83c2fc3e0e49ccd6204aeb5dbf65842f47f6f744070cf0945c1e1b217621921a749824fda

Download Submit
C:\Windows\System\titENQt.exe

Filesize
5.2MB

MD5
dbaf8b38085040c118f3b57678b32468

SHA1
9adc95f7398c2e2b4586668fbb3d25a43043bffd

SHA256
78fc5400907fd03eaf7b2b93f605e139fda63ff9203377de94d1099995b279f5

SHA512
fb3fd671729d38c7d66b503c24bbeb907fa96caa6d1320be4a99cd43ee7add07eaad8944afdbf20de4ebb9829015e7ba9abd5b580f8bfc7ac9b9db85352833c2

Download Submit
C:\Windows\System\uOLpRAV.exe

Filesize
5.2MB

MD5
c9755395ef2d49540745a5cb8718e5fb

SHA1
1b537c83ffde9a8898350823a15a09a55a34ff3d

SHA256
57f04084d480f3435535ebb7b05cf7392d04182d5907f600117e64a944f17927

SHA512
be72412305d977bf94f66e9033f378064917d7725f50e049a73f451d45f4337d107effe05269116b9060e55fb055cc516e5e79aa3785ec4d37862d4bd3ee4d8e

Download Submit
C:\Windows\System\vGqEhwb.exe

Filesize
5.2MB

MD5
0e2261393bd6a4883cd902bff8bcc381

SHA1
1a9e34e08f0c9329364451daccc37f0224757fa5

SHA256
bf34c09999cb246e3cff7fcce5acd0b184a75c35616f113468c25da291def864

SHA512
fb37d9b9bc36c7c22a3ae81fccb910cb6459e0d143ec2b40306a3b0c699f8fa62c9af3100ac45c4e98d3eee2ad4abfd0b07c34b0428f92a8a42d7f2aa20e2ef5

Download Submit
memory/440-40-0x00007FF6CDCC0000-0x00007FF6CE011000-memory.dmp

Filesize
3.3MB

Download
memory/440-101-0x00007FF6CDCC0000-0x00007FF6CE011000-memory.dmp

Filesize
3.3MB

Download
memory/440-230-0x00007FF6CDCC0000-0x00007FF6CE011000-memory.dmp

Filesize
3.3MB

Download
memory/980-228-0x00007FF7EB1F0000-0x00007FF7EB541000-memory.dmp

Filesize
3.3MB

Download
memory/980-35-0x00007FF7EB1F0000-0x00007FF7EB541000-memory.dmp

Filesize
3.3MB

Download
memory/1020-245-0x00007FF706080000-0x00007FF7063D1000-memory.dmp

Filesize
3.3MB

Download
memory/1020-124-0x00007FF706080000-0x00007FF7063D1000-memory.dmp

Filesize
3.3MB

Download
memory/1020-54-0x00007FF706080000-0x00007FF7063D1000-memory.dmp

Filesize
3.3MB

Download
memory/1476-253-0x00007FF65EBC0000-0x00007FF65EF11000-memory.dmp

Filesize
3.3MB

Download
memory/1476-140-0x00007FF65EBC0000-0x00007FF65EF11000-memory.dmp

Filesize
3.3MB

Download
memory/1476-78-0x00007FF65EBC0000-0x00007FF65EF11000-memory.dmp

Filesize
3.3MB

Download
memory/1668-224-0x00007FF69AEC0000-0x00007FF69B211000-memory.dmp

Filesize
3.3MB

Download
memory/1668-88-0x00007FF69AEC0000-0x00007FF69B211000-memory.dmp

Filesize
3.3MB

Download
memory/1668-17-0x00007FF69AEC0000-0x00007FF69B211000-memory.dmp

Filesize
3.3MB

Download
memory/1752-92-0x00007FF7EE060000-0x00007FF7EE3B1000-memory.dmp

Filesize
3.3MB

Download
memory/1752-255-0x00007FF7EE060000-0x00007FF7EE3B1000-memory.dmp

Filesize
3.3MB

Download
memory/1780-226-0x00007FF76DF00000-0x00007FF76E251000-memory.dmp

Filesize
3.3MB

Download
memory/1780-31-0x00007FF76DF00000-0x00007FF76E251000-memory.dmp

Filesize
3.3MB

Download
memory/1780-91-0x00007FF76DF00000-0x00007FF76E251000-memory.dmp

Filesize
3.3MB

Download
memory/1940-13-0x00007FF7E1C90000-0x00007FF7E1FE1000-memory.dmp

Filesize
3.3MB

Download
memory/1940-77-0x00007FF7E1C90000-0x00007FF7E1FE1000-memory.dmp

Filesize
3.3MB

Download
memory/1940-222-0x00007FF7E1C90000-0x00007FF7E1FE1000-memory.dmp

Filesize
3.3MB

Download
memory/2008-243-0x00007FF7176F0000-0x00007FF717A41000-memory.dmp

Filesize
3.3MB

Download
memory/2008-49-0x00007FF7176F0000-0x00007FF717A41000-memory.dmp

Filesize
3.3MB

Download
memory/2008-116-0x00007FF7176F0000-0x00007FF717A41000-memory.dmp

Filesize
3.3MB

Download
memory/2188-232-0x00007FF76EC10000-0x00007FF76EF61000-memory.dmp

Filesize
3.3MB

Download
memory/2188-111-0x00007FF76EC10000-0x00007FF76EF61000-memory.dmp

Filesize
3.3MB

Download
memory/2188-42-0x00007FF76EC10000-0x00007FF76EF61000-memory.dmp

Filesize
3.3MB

Download
memory/2316-269-0x00007FF60F100000-0x00007FF60F451000-memory.dmp

Filesize
3.3MB

Download
memory/2316-130-0x00007FF60F100000-0x00007FF60F451000-memory.dmp

Filesize
3.3MB

Download
memory/3064-70-0x00007FF7973E0000-0x00007FF797731000-memory.dmp

Filesize
3.3MB

Download
memory/3064-249-0x00007FF7973E0000-0x00007FF797731000-memory.dmp

Filesize
3.3MB

Download
memory/3064-137-0x00007FF7973E0000-0x00007FF797731000-memory.dmp

Filesize
3.3MB

Download
memory/3344-58-0x00007FF6F3940000-0x00007FF6F3C91000-memory.dmp

Filesize
3.3MB

Download
memory/3344-166-0x00007FF6F3940000-0x00007FF6F3C91000-memory.dmp

Filesize
3.3MB

Download
memory/3344-1-0x000001E4F6BC0000-0x000001E4F6BD0000-memory.dmp

Filesize
64KB

Download
memory/3344-0-0x00007FF6F3940000-0x00007FF6F3C91000-memory.dmp

Filesize
3.3MB

Download
memory/3344-142-0x00007FF6F3940000-0x00007FF6F3C91000-memory.dmp

Filesize
3.3MB

Download
memory/3568-267-0x00007FF677130000-0x00007FF677481000-memory.dmp

Filesize
3.3MB

Download
memory/3568-118-0x00007FF677130000-0x00007FF677481000-memory.dmp

Filesize
3.3MB

Download
memory/4048-95-0x00007FF691D10000-0x00007FF692061000-memory.dmp

Filesize
3.3MB

Download
memory/4048-257-0x00007FF691D10000-0x00007FF692061000-memory.dmp

Filesize
3.3MB

Download
memory/4048-141-0x00007FF691D10000-0x00007FF692061000-memory.dmp

Filesize
3.3MB

Download
memory/4276-158-0x00007FF7E8700000-0x00007FF7E8A51000-memory.dmp

Filesize
3.3MB

Download
memory/4276-259-0x00007FF7E8700000-0x00007FF7E8A51000-memory.dmp

Filesize
3.3MB

Download
memory/4276-106-0x00007FF7E8700000-0x00007FF7E8A51000-memory.dmp

Filesize
3.3MB

Download
memory/4296-132-0x00007FF749E30000-0x00007FF74A181000-memory.dmp

Filesize
3.3MB

Download
memory/4296-59-0x00007FF749E30000-0x00007FF74A181000-memory.dmp

Filesize
3.3MB

Download
memory/4296-247-0x00007FF749E30000-0x00007FF74A181000-memory.dmp

Filesize
3.3MB

Download
memory/4348-82-0x00007FF797520000-0x00007FF797871000-memory.dmp

Filesize
3.3MB

Download
memory/4348-252-0x00007FF797520000-0x00007FF797871000-memory.dmp

Filesize
3.3MB

Download
memory/4348-138-0x00007FF797520000-0x00007FF797871000-memory.dmp

Filesize
3.3MB

Download
memory/4352-136-0x00007FF759700000-0x00007FF759A51000-memory.dmp

Filesize
3.3MB

Download
memory/4352-271-0x00007FF759700000-0x00007FF759A51000-memory.dmp

Filesize
3.3MB

Download
memory/4520-102-0x00007FF7E8300000-0x00007FF7E8651000-memory.dmp

Filesize
3.3MB

Download
memory/4520-261-0x00007FF7E8300000-0x00007FF7E8651000-memory.dmp

Filesize
3.3MB

Download
memory/4520-148-0x00007FF7E8300000-0x00007FF7E8651000-memory.dmp

Filesize
3.3MB

Download
memory/4580-69-0x00007FF780530000-0x00007FF780881000-memory.dmp

Filesize
3.3MB

Download
memory/4580-7-0x00007FF780530000-0x00007FF780881000-memory.dmp

Filesize
3.3MB

Download
memory/4580-220-0x00007FF780530000-0x00007FF780881000-memory.dmp

Filesize
3.3MB

Download
memory/4676-139-0x00007FF626180000-0x00007FF6264D1000-memory.dmp

Filesize
3.3MB

Download
memory/4676-273-0x00007FF626180000-0x00007FF6264D1000-memory.dmp

Filesize
3.3MB

Download