cobaltstrike | 5cff8b8f68b2e64bbdb396668d32229629b9b690cef166d6acca6ac0c1bc0705

Analysis

max time kernel
140s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27-12-2024 03:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-27_20de294bc562ce9b884ed98bd9172835_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

20de294bc562ce9b884ed98bd9172835
SHA1

780775b89ab987a5ecc297e4322acf1487d1052f
SHA256

5cff8b8f68b2e64bbdb396668d32229629b9b690cef166d6acca6ac0c1bc0705
SHA512

b52bfc43cd45d5f3d92a0883019278c7d81edcb94da1a702cbb3732ff5325f14a82864ea6de62e82f5e3f5b64f1f91f9e5cd9b90194bff84ea3ab99814dd5679
SSDEEP

49152:ROdWCCi7/raA56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lL:RWWBibj56utgpPFotBER/mQ32lUH

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000b000000023b6d-4.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b71-10.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b72-9.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b73-20.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b74-28.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b75-36.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b6e-41.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b77-47.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b79-58.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7b-76.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7d-86.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7e-95.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7c-82.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7a-69.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b78-60.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b80-109.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b81-114.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b82-122.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b83-127.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7f-104.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b84-135.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 46 IoCs

miner

resource	yara_rule
behavioral2/memory/1892-65-0x00007FF7DFE00000-0x00007FF7E0151000-memory.dmp	xmrig
behavioral2/memory/4396-66-0x00007FF7C0DE0000-0x00007FF7C1131000-memory.dmp	xmrig
behavioral2/memory/1492-72-0x00007FF6344C0000-0x00007FF634811000-memory.dmp	xmrig
behavioral2/memory/4360-73-0x00007FF659D20000-0x00007FF65A071000-memory.dmp	xmrig
behavioral2/memory/1788-93-0x00007FF660990000-0x00007FF660CE1000-memory.dmp	xmrig
behavioral2/memory/2924-87-0x00007FF6F2A60000-0x00007FF6F2DB1000-memory.dmp	xmrig
behavioral2/memory/1224-64-0x00007FF6A7BC0000-0x00007FF6A7F11000-memory.dmp	xmrig
behavioral2/memory/4168-40-0x00007FF7B1EF0000-0x00007FF7B2241000-memory.dmp	xmrig
behavioral2/memory/3568-97-0x00007FF61E4C0000-0x00007FF61E811000-memory.dmp	xmrig
behavioral2/memory/1768-128-0x00007FF788000000-0x00007FF788351000-memory.dmp	xmrig
behavioral2/memory/1704-124-0x00007FF692FA0000-0x00007FF6932F1000-memory.dmp	xmrig
behavioral2/memory/400-115-0x00007FF630A30000-0x00007FF630D81000-memory.dmp	xmrig
behavioral2/memory/1624-111-0x00007FF7FDDC0000-0x00007FF7FE111000-memory.dmp	xmrig
behavioral2/memory/2468-102-0x00007FF7D9E60000-0x00007FF7DA1B1000-memory.dmp	xmrig
behavioral2/memory/3500-138-0x00007FF6FDFE0000-0x00007FF6FE331000-memory.dmp	xmrig
behavioral2/memory/4028-136-0x00007FF7962D0000-0x00007FF796621000-memory.dmp	xmrig
behavioral2/memory/3600-133-0x00007FF6D6090000-0x00007FF6D63E1000-memory.dmp	xmrig
behavioral2/memory/3388-139-0x00007FF7E5C00000-0x00007FF7E5F51000-memory.dmp	xmrig
behavioral2/memory/2420-140-0x00007FF6A4E50000-0x00007FF6A51A1000-memory.dmp	xmrig
behavioral2/memory/1812-148-0x00007FF6BAF00000-0x00007FF6BB251000-memory.dmp	xmrig
behavioral2/memory/4396-141-0x00007FF7C0DE0000-0x00007FF7C1131000-memory.dmp	xmrig
behavioral2/memory/5104-158-0x00007FF6D6350000-0x00007FF6D66A1000-memory.dmp	xmrig
behavioral2/memory/4656-159-0x00007FF781520000-0x00007FF781871000-memory.dmp	xmrig
behavioral2/memory/3500-165-0x00007FF6FDFE0000-0x00007FF6FE331000-memory.dmp	xmrig
behavioral2/memory/4396-166-0x00007FF7C0DE0000-0x00007FF7C1131000-memory.dmp	xmrig
behavioral2/memory/1492-222-0x00007FF6344C0000-0x00007FF634811000-memory.dmp	xmrig
behavioral2/memory/4360-224-0x00007FF659D20000-0x00007FF65A071000-memory.dmp	xmrig
behavioral2/memory/2924-226-0x00007FF6F2A60000-0x00007FF6F2DB1000-memory.dmp	xmrig
behavioral2/memory/1788-228-0x00007FF660990000-0x00007FF660CE1000-memory.dmp	xmrig
behavioral2/memory/3568-230-0x00007FF61E4C0000-0x00007FF61E811000-memory.dmp	xmrig
behavioral2/memory/4168-232-0x00007FF7B1EF0000-0x00007FF7B2241000-memory.dmp	xmrig
behavioral2/memory/2468-234-0x00007FF7D9E60000-0x00007FF7DA1B1000-memory.dmp	xmrig
behavioral2/memory/400-241-0x00007FF630A30000-0x00007FF630D81000-memory.dmp	xmrig
behavioral2/memory/1224-243-0x00007FF6A7BC0000-0x00007FF6A7F11000-memory.dmp	xmrig
behavioral2/memory/1892-245-0x00007FF7DFE00000-0x00007FF7E0151000-memory.dmp	xmrig
behavioral2/memory/1768-247-0x00007FF788000000-0x00007FF788351000-memory.dmp	xmrig
behavioral2/memory/3600-249-0x00007FF6D6090000-0x00007FF6D63E1000-memory.dmp	xmrig
behavioral2/memory/4028-251-0x00007FF7962D0000-0x00007FF796621000-memory.dmp	xmrig
behavioral2/memory/3388-253-0x00007FF7E5C00000-0x00007FF7E5F51000-memory.dmp	xmrig
behavioral2/memory/2420-255-0x00007FF6A4E50000-0x00007FF6A51A1000-memory.dmp	xmrig
behavioral2/memory/1812-260-0x00007FF6BAF00000-0x00007FF6BB251000-memory.dmp	xmrig
behavioral2/memory/1624-262-0x00007FF7FDDC0000-0x00007FF7FE111000-memory.dmp	xmrig
behavioral2/memory/5104-267-0x00007FF6D6350000-0x00007FF6D66A1000-memory.dmp	xmrig
behavioral2/memory/1704-269-0x00007FF692FA0000-0x00007FF6932F1000-memory.dmp	xmrig
behavioral2/memory/4656-271-0x00007FF781520000-0x00007FF781871000-memory.dmp	xmrig
behavioral2/memory/3500-273-0x00007FF6FDFE0000-0x00007FF6FE331000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
1492	jxTewaU.exe
4360	TpNzOIo.exe
2924	YtjNJbV.exe
1788	NhNSaUJ.exe
3568	RoFlXhm.exe
4168	xHbxQWy.exe
2468	yurPgGh.exe
400	IdLuCOt.exe
1224	DKRXIks.exe
1892	rSCxxZK.exe
1768	diZiWMp.exe
3600	PeTySRF.exe
4028	NSkgfwP.exe
3388	URwPTDP.exe
2420	vtxAaqA.exe
1812	tTypHut.exe
1624	kHsMFVv.exe
5104	MyMinrY.exe
1704	KnEjmLS.exe
4656	ODWyvTr.exe
3500	EJifzea.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4396-0-0x00007FF7C0DE0000-0x00007FF7C1131000-memory.dmp	upx
behavioral2/files/0x000b000000023b6d-4.dat	upx
behavioral2/memory/1492-6-0x00007FF6344C0000-0x00007FF634811000-memory.dmp	upx
behavioral2/files/0x000a000000023b71-10.dat	upx
behavioral2/files/0x000a000000023b72-9.dat	upx
behavioral2/files/0x000a000000023b73-20.dat	upx
behavioral2/memory/1788-25-0x00007FF660990000-0x00007FF660CE1000-memory.dmp	upx
behavioral2/memory/2924-16-0x00007FF6F2A60000-0x00007FF6F2DB1000-memory.dmp	upx
behavioral2/memory/4360-15-0x00007FF659D20000-0x00007FF65A071000-memory.dmp	upx
behavioral2/files/0x000a000000023b74-28.dat	upx
behavioral2/memory/3568-30-0x00007FF61E4C0000-0x00007FF61E811000-memory.dmp	upx
behavioral2/files/0x000a000000023b75-36.dat	upx
behavioral2/files/0x000b000000023b6e-41.dat	upx
behavioral2/files/0x000a000000023b77-47.dat	upx
behavioral2/files/0x000a000000023b79-58.dat	upx
behavioral2/memory/1892-65-0x00007FF7DFE00000-0x00007FF7E0151000-memory.dmp	upx
behavioral2/memory/4396-66-0x00007FF7C0DE0000-0x00007FF7C1131000-memory.dmp	upx
behavioral2/memory/1492-72-0x00007FF6344C0000-0x00007FF634811000-memory.dmp	upx
behavioral2/memory/4360-73-0x00007FF659D20000-0x00007FF65A071000-memory.dmp	upx
behavioral2/files/0x000a000000023b7b-76.dat	upx
behavioral2/files/0x000a000000023b7d-86.dat	upx
behavioral2/memory/3388-88-0x00007FF7E5C00000-0x00007FF7E5F51000-memory.dmp	upx
behavioral2/memory/2420-94-0x00007FF6A4E50000-0x00007FF6A51A1000-memory.dmp	upx
behavioral2/files/0x000a000000023b7e-95.dat	upx
behavioral2/memory/1788-93-0x00007FF660990000-0x00007FF660CE1000-memory.dmp	upx
behavioral2/memory/2924-87-0x00007FF6F2A60000-0x00007FF6F2DB1000-memory.dmp	upx
behavioral2/files/0x000a000000023b7c-82.dat	upx
behavioral2/memory/4028-81-0x00007FF7962D0000-0x00007FF796621000-memory.dmp	upx
behavioral2/memory/3600-74-0x00007FF6D6090000-0x00007FF6D63E1000-memory.dmp	upx
behavioral2/files/0x000a000000023b7a-69.dat	upx
behavioral2/memory/1768-68-0x00007FF788000000-0x00007FF788351000-memory.dmp	upx
behavioral2/memory/1224-64-0x00007FF6A7BC0000-0x00007FF6A7F11000-memory.dmp	upx
behavioral2/files/0x000a000000023b78-60.dat	upx
behavioral2/memory/400-51-0x00007FF630A30000-0x00007FF630D81000-memory.dmp	upx
behavioral2/memory/2468-48-0x00007FF7D9E60000-0x00007FF7DA1B1000-memory.dmp	upx
behavioral2/memory/4168-40-0x00007FF7B1EF0000-0x00007FF7B2241000-memory.dmp	upx
behavioral2/memory/3568-97-0x00007FF61E4C0000-0x00007FF61E811000-memory.dmp	upx
behavioral2/files/0x000a000000023b80-109.dat	upx
behavioral2/files/0x000a000000023b81-114.dat	upx
behavioral2/files/0x000a000000023b82-122.dat	upx
behavioral2/files/0x000a000000023b83-127.dat	upx
behavioral2/memory/1768-128-0x00007FF788000000-0x00007FF788351000-memory.dmp	upx
behavioral2/memory/4656-129-0x00007FF781520000-0x00007FF781871000-memory.dmp	upx
behavioral2/memory/1704-124-0x00007FF692FA0000-0x00007FF6932F1000-memory.dmp	upx
behavioral2/memory/5104-116-0x00007FF6D6350000-0x00007FF6D66A1000-memory.dmp	upx
behavioral2/memory/400-115-0x00007FF630A30000-0x00007FF630D81000-memory.dmp	upx
behavioral2/memory/1624-111-0x00007FF7FDDC0000-0x00007FF7FE111000-memory.dmp	upx
behavioral2/files/0x000a000000023b7f-104.dat	upx
behavioral2/memory/1812-103-0x00007FF6BAF00000-0x00007FF6BB251000-memory.dmp	upx
behavioral2/memory/2468-102-0x00007FF7D9E60000-0x00007FF7DA1B1000-memory.dmp	upx
behavioral2/memory/3500-138-0x00007FF6FDFE0000-0x00007FF6FE331000-memory.dmp	upx
behavioral2/memory/4028-136-0x00007FF7962D0000-0x00007FF796621000-memory.dmp	upx
behavioral2/files/0x000a000000023b84-135.dat	upx
behavioral2/memory/3600-133-0x00007FF6D6090000-0x00007FF6D63E1000-memory.dmp	upx
behavioral2/memory/3388-139-0x00007FF7E5C00000-0x00007FF7E5F51000-memory.dmp	upx
behavioral2/memory/2420-140-0x00007FF6A4E50000-0x00007FF6A51A1000-memory.dmp	upx
behavioral2/memory/1812-148-0x00007FF6BAF00000-0x00007FF6BB251000-memory.dmp	upx
behavioral2/memory/4396-141-0x00007FF7C0DE0000-0x00007FF7C1131000-memory.dmp	upx
behavioral2/memory/5104-158-0x00007FF6D6350000-0x00007FF6D66A1000-memory.dmp	upx
behavioral2/memory/4656-159-0x00007FF781520000-0x00007FF781871000-memory.dmp	upx
behavioral2/memory/3500-165-0x00007FF6FDFE0000-0x00007FF6FE331000-memory.dmp	upx
behavioral2/memory/4396-166-0x00007FF7C0DE0000-0x00007FF7C1131000-memory.dmp	upx
behavioral2/memory/1492-222-0x00007FF6344C0000-0x00007FF634811000-memory.dmp	upx
behavioral2/memory/4360-224-0x00007FF659D20000-0x00007FF65A071000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\PeTySRF.exe	2024-12-27_20de294bc562ce9b884ed98bd9172835_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KnEjmLS.exe	2024-12-27_20de294bc562ce9b884ed98bd9172835_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ODWyvTr.exe	2024-12-27_20de294bc562ce9b884ed98bd9172835_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EJifzea.exe	2024-12-27_20de294bc562ce9b884ed98bd9172835_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TpNzOIo.exe	2024-12-27_20de294bc562ce9b884ed98bd9172835_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YtjNJbV.exe	2024-12-27_20de294bc562ce9b884ed98bd9172835_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IdLuCOt.exe	2024-12-27_20de294bc562ce9b884ed98bd9172835_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rSCxxZK.exe	2024-12-27_20de294bc562ce9b884ed98bd9172835_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\diZiWMp.exe	2024-12-27_20de294bc562ce9b884ed98bd9172835_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NSkgfwP.exe	2024-12-27_20de294bc562ce9b884ed98bd9172835_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tTypHut.exe	2024-12-27_20de294bc562ce9b884ed98bd9172835_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kHsMFVv.exe	2024-12-27_20de294bc562ce9b884ed98bd9172835_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DKRXIks.exe	2024-12-27_20de294bc562ce9b884ed98bd9172835_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\URwPTDP.exe	2024-12-27_20de294bc562ce9b884ed98bd9172835_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MyMinrY.exe	2024-12-27_20de294bc562ce9b884ed98bd9172835_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jxTewaU.exe	2024-12-27_20de294bc562ce9b884ed98bd9172835_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NhNSaUJ.exe	2024-12-27_20de294bc562ce9b884ed98bd9172835_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xHbxQWy.exe	2024-12-27_20de294bc562ce9b884ed98bd9172835_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yurPgGh.exe	2024-12-27_20de294bc562ce9b884ed98bd9172835_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RoFlXhm.exe	2024-12-27_20de294bc562ce9b884ed98bd9172835_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vtxAaqA.exe	2024-12-27_20de294bc562ce9b884ed98bd9172835_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4396	2024-12-27_20de294bc562ce9b884ed98bd9172835_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4396	2024-12-27_20de294bc562ce9b884ed98bd9172835_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4396 wrote to memory of 1492	4396	2024-12-27_20de294bc562ce9b884ed98bd9172835_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4396 wrote to memory of 1492	4396	2024-12-27_20de294bc562ce9b884ed98bd9172835_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4396 wrote to memory of 4360	4396	2024-12-27_20de294bc562ce9b884ed98bd9172835_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4396 wrote to memory of 4360	4396	2024-12-27_20de294bc562ce9b884ed98bd9172835_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4396 wrote to memory of 2924	4396	2024-12-27_20de294bc562ce9b884ed98bd9172835_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4396 wrote to memory of 2924	4396	2024-12-27_20de294bc562ce9b884ed98bd9172835_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4396 wrote to memory of 1788	4396	2024-12-27_20de294bc562ce9b884ed98bd9172835_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4396 wrote to memory of 1788	4396	2024-12-27_20de294bc562ce9b884ed98bd9172835_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4396 wrote to memory of 3568	4396	2024-12-27_20de294bc562ce9b884ed98bd9172835_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4396 wrote to memory of 3568	4396	2024-12-27_20de294bc562ce9b884ed98bd9172835_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4396 wrote to memory of 4168	4396	2024-12-27_20de294bc562ce9b884ed98bd9172835_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4396 wrote to memory of 4168	4396	2024-12-27_20de294bc562ce9b884ed98bd9172835_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4396 wrote to memory of 2468	4396	2024-12-27_20de294bc562ce9b884ed98bd9172835_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4396 wrote to memory of 2468	4396	2024-12-27_20de294bc562ce9b884ed98bd9172835_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4396 wrote to memory of 400	4396	2024-12-27_20de294bc562ce9b884ed98bd9172835_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4396 wrote to memory of 400	4396	2024-12-27_20de294bc562ce9b884ed98bd9172835_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4396 wrote to memory of 1224	4396	2024-12-27_20de294bc562ce9b884ed98bd9172835_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4396 wrote to memory of 1224	4396	2024-12-27_20de294bc562ce9b884ed98bd9172835_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4396 wrote to memory of 1892	4396	2024-12-27_20de294bc562ce9b884ed98bd9172835_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4396 wrote to memory of 1892	4396	2024-12-27_20de294bc562ce9b884ed98bd9172835_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4396 wrote to memory of 1768	4396	2024-12-27_20de294bc562ce9b884ed98bd9172835_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4396 wrote to memory of 1768	4396	2024-12-27_20de294bc562ce9b884ed98bd9172835_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4396 wrote to memory of 3600	4396	2024-12-27_20de294bc562ce9b884ed98bd9172835_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4396 wrote to memory of 3600	4396	2024-12-27_20de294bc562ce9b884ed98bd9172835_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4396 wrote to memory of 4028	4396	2024-12-27_20de294bc562ce9b884ed98bd9172835_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4396 wrote to memory of 4028	4396	2024-12-27_20de294bc562ce9b884ed98bd9172835_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4396 wrote to memory of 3388	4396	2024-12-27_20de294bc562ce9b884ed98bd9172835_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4396 wrote to memory of 3388	4396	2024-12-27_20de294bc562ce9b884ed98bd9172835_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4396 wrote to memory of 2420	4396	2024-12-27_20de294bc562ce9b884ed98bd9172835_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4396 wrote to memory of 2420	4396	2024-12-27_20de294bc562ce9b884ed98bd9172835_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4396 wrote to memory of 1812	4396	2024-12-27_20de294bc562ce9b884ed98bd9172835_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4396 wrote to memory of 1812	4396	2024-12-27_20de294bc562ce9b884ed98bd9172835_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4396 wrote to memory of 1624	4396	2024-12-27_20de294bc562ce9b884ed98bd9172835_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4396 wrote to memory of 1624	4396	2024-12-27_20de294bc562ce9b884ed98bd9172835_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4396 wrote to memory of 5104	4396	2024-12-27_20de294bc562ce9b884ed98bd9172835_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4396 wrote to memory of 5104	4396	2024-12-27_20de294bc562ce9b884ed98bd9172835_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4396 wrote to memory of 1704	4396	2024-12-27_20de294bc562ce9b884ed98bd9172835_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4396 wrote to memory of 1704	4396	2024-12-27_20de294bc562ce9b884ed98bd9172835_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4396 wrote to memory of 4656	4396	2024-12-27_20de294bc562ce9b884ed98bd9172835_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4396 wrote to memory of 4656	4396	2024-12-27_20de294bc562ce9b884ed98bd9172835_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4396 wrote to memory of 3500	4396	2024-12-27_20de294bc562ce9b884ed98bd9172835_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4396 wrote to memory of 3500	4396	2024-12-27_20de294bc562ce9b884ed98bd9172835_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-12-27_20de294bc562ce9b884ed98bd9172835_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-27_20de294bc562ce9b884ed98bd9172835_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4396
- C:\Windows\System\jxTewaU.exe
  C:\Windows\System\jxTewaU.exe
  2⤵
  - Executes dropped EXE
  PID:1492
- C:\Windows\System\TpNzOIo.exe
  C:\Windows\System\TpNzOIo.exe
  2⤵
  - Executes dropped EXE
  PID:4360
- C:\Windows\System\YtjNJbV.exe
  C:\Windows\System\YtjNJbV.exe
  2⤵
  - Executes dropped EXE
  PID:2924
- C:\Windows\System\NhNSaUJ.exe
  C:\Windows\System\NhNSaUJ.exe
  2⤵
  - Executes dropped EXE
  PID:1788
- C:\Windows\System\RoFlXhm.exe
  C:\Windows\System\RoFlXhm.exe
  2⤵
  - Executes dropped EXE
  PID:3568
- C:\Windows\System\xHbxQWy.exe
  C:\Windows\System\xHbxQWy.exe
  2⤵
  - Executes dropped EXE
  PID:4168
- C:\Windows\System\yurPgGh.exe
  C:\Windows\System\yurPgGh.exe
  2⤵
  - Executes dropped EXE
  PID:2468
- C:\Windows\System\IdLuCOt.exe
  C:\Windows\System\IdLuCOt.exe
  2⤵
  - Executes dropped EXE
  PID:400
- C:\Windows\System\DKRXIks.exe
  C:\Windows\System\DKRXIks.exe
  2⤵
  - Executes dropped EXE
  PID:1224
- C:\Windows\System\rSCxxZK.exe
  C:\Windows\System\rSCxxZK.exe
  2⤵
  - Executes dropped EXE
  PID:1892
- C:\Windows\System\diZiWMp.exe
  C:\Windows\System\diZiWMp.exe
  2⤵
  - Executes dropped EXE
  PID:1768
- C:\Windows\System\PeTySRF.exe
  C:\Windows\System\PeTySRF.exe
  2⤵
  - Executes dropped EXE
  PID:3600
- C:\Windows\System\NSkgfwP.exe
  C:\Windows\System\NSkgfwP.exe
  2⤵
  - Executes dropped EXE
  PID:4028
- C:\Windows\System\URwPTDP.exe
  C:\Windows\System\URwPTDP.exe
  2⤵
  - Executes dropped EXE
  PID:3388
- C:\Windows\System\vtxAaqA.exe
  C:\Windows\System\vtxAaqA.exe
  2⤵
  - Executes dropped EXE
  PID:2420
- C:\Windows\System\tTypHut.exe
  C:\Windows\System\tTypHut.exe
  2⤵
  - Executes dropped EXE
  PID:1812
- C:\Windows\System\kHsMFVv.exe
  C:\Windows\System\kHsMFVv.exe
  2⤵
  - Executes dropped EXE
  PID:1624
- C:\Windows\System\MyMinrY.exe
  C:\Windows\System\MyMinrY.exe
  2⤵
  - Executes dropped EXE
  PID:5104
- C:\Windows\System\KnEjmLS.exe
  C:\Windows\System\KnEjmLS.exe
  2⤵
  - Executes dropped EXE
  PID:1704
- C:\Windows\System\ODWyvTr.exe
  C:\Windows\System\ODWyvTr.exe
  2⤵
  - Executes dropped EXE
  PID:4656
- C:\Windows\System\EJifzea.exe
  C:\Windows\System\EJifzea.exe
  2⤵
  - Executes dropped EXE
  PID:3500

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\DKRXIks.exe

Filesize
5.2MB

MD5
e4c28e4b8a371e71bc8e7d3583f1016a

SHA1
0d06e1fd63e4d561b585c7a39131f0c00356c87b

SHA256
c40ee27f27db991c2fc0b64ba5737f23cb869a4c7dc05fc4e34bbacb59507f0e

SHA512
00a36c3029dadebe89280fd0452c9457142dfca20eb466d3d942599d4b9e25eb9e4d0c8631395623ae9e2b3802b39d8105b9037c1e3df8515ce282ddc39ab433

Download Submit
C:\Windows\System\EJifzea.exe

Filesize
5.2MB

MD5
5bebaf1838d6a9deea6c6b89b32b67d3

SHA1
f8f95b46ac8bc51ac4c2bbac9dff4fb3babc6378

SHA256
9adb479bcaceee154c622f237bc5a2f819cd6b9f0ecba7b69232e26d0e119f9c

SHA512
e19b8b57c3e0416d1f520d2c443d33660513a0b1898b66c29c674611c2f0cc051a3e2b3956176d55ad9e34a3845b91c8c28f09f622a61210dbfe2d910210a1d3

Download Submit
C:\Windows\System\IdLuCOt.exe

Filesize
5.2MB

MD5
4c19d608c2f957c67ee62705ee8a4cb4

SHA1
e608f45dd09eb9c1578a1f9476b0e576e0584b64

SHA256
38f03f4db6ee2a2fd2e49cec21a13ab8dcc3858ba53a6062298a3b9df202323f

SHA512
8037386db5cacb077b75b77642e6c452e3ec3802324a5d7fe2e6187fbafe31ed09a95a6fcf81ff2a1134799ad075bcfeb003bd500cdd023dbb5706f4517023d5

Download Submit
C:\Windows\System\KnEjmLS.exe

Filesize
5.2MB

MD5
fa3462f9ad2f67984eefeb0b475cc0a4

SHA1
0da82ce75bd52f9f14eee0b2f825cb542cece297

SHA256
eb987836f1cb74b535405498757136c833ed664510623f503cd15eb000125565

SHA512
389c54eccf5ff4dc1ec72eee7ef5182926fcc0ef2f11f3b24f598e2de507cc31edcb165e2748daaa44c114bae158379a3e27401f5c60b723274faf827c194320

Download Submit
C:\Windows\System\MyMinrY.exe

Filesize
5.2MB

MD5
a09a0efcf515cc07ee83ea3060ee77eb

SHA1
df890600dec5a7fc3598ced264eb829c6dfd4367

SHA256
d3661de173fa4ff74069159110d60e5181d98ebf895ff5f89619a1104f325bbd

SHA512
ed45fab18a5128d20938181a143edaed3fb116dc604a2c27e85d302d0f3bb16b6cac1aa25becd7b55c05bd5bf9b6416b02ec1693d55480db86dd9413a43ce043

Download Submit
C:\Windows\System\NSkgfwP.exe

Filesize
5.2MB

MD5
24f48c5ca862f8c8ff054d587170fbe5

SHA1
e5ed80fa901fcc3fea8c623e72c58cd25f60a128

SHA256
0e6a464b1f5559fbbd75c09385967e100eff55e3ebeb34d4cd6d6d0e7b0e536a

SHA512
77f37062eb24d79de369c7fd791de3e6a8abb06101b55c4ccb04e79a8eebec49734e33b528d3a88793173cc60b80a237be9b813ab7feb08e8967117fd9b260b7

Download Submit
C:\Windows\System\NhNSaUJ.exe

Filesize
5.2MB

MD5
6df621d5527f92584a4d37875a81a7c0

SHA1
0fe3a06ba12644f6bf03c20195dc0c1d7de9d59b

SHA256
374369e94a121df6b739ae160971dff694d6a8ff3546af8104e3e08d22c5348d

SHA512
92212f46222c9ed58ffb120d9a4d6fe23e293cc3a0482e373efe601069664a26ba502d402e3e3401bc869d7d4c1ba4fe7455f132193c53c95df4275ac670fcb4

Download Submit
C:\Windows\System\ODWyvTr.exe

Filesize
5.2MB

MD5
6e5b8b1574b3d38bf888caec4fbbb5d6

SHA1
f034fc2f7d34522c2e189d40773c14f8af28844c

SHA256
925a8b3202eea6f6771266c5d6dd4b68f201b7f2771d2cb3cb91fd28e7343bd0

SHA512
1a940563f72742c86ac8267217b5a4ab4eaa8e4af31d6debd6878beec2f86a92e769681a57f648311cf80000b33ae75e379581316f83ad746e75f644dbf3df0f

Download Submit
C:\Windows\System\PeTySRF.exe

Filesize
5.2MB

MD5
34d2d543558c70ff0a559e45f30156fd

SHA1
2acf3897f5c4f73fbdc32e187a67ca5a21cb0463

SHA256
63b8efb778cf454f6196b18444489849c80e18f2359d7f250094a010c229cd80

SHA512
eefc7ff5fea024fe9cfbc45cecfa2652277fefc96aeb52c6eacd64476c265a38f20383e09acb4ff038e292757cf38d7c0d8898451b30202232928c9d910e5a35

Download Submit
C:\Windows\System\RoFlXhm.exe

Filesize
5.2MB

MD5
24cc996fe206268c038bd324de7f8265

SHA1
f370f4e95a6d56667a29810540f7fe1012382609

SHA256
9aaf661dd84334ecabfca8cd4d3c3ecfb8a3e6a304cfdbe02544624b784c482f

SHA512
b29770490308b0c39461bac312595c2833374ed91490b9bd29c513a7cdba6f4aaa268b2ad0133852e185e98f93dc47a2a5c5cfe7d8fa3e819b024bff4581d5ad

Download Submit
C:\Windows\System\TpNzOIo.exe

Filesize
5.2MB

MD5
d4b2264701ba9ae043bd473fd4d22c3b

SHA1
512c5cda8df5b73d770e30e213c574691eb2dbcf

SHA256
2174e78a2501fd63c78442eb57639cb4ddc9b490bb362bbc93d332420966090d

SHA512
966c765db4eff65d06794c36068b39a7cb0ef128c7cf69be8085c934a0bc8d2bea10935203096bf7c07320226f0dc2780340e8f9fb8c8b71ada1b2ff86059224

Download Submit
C:\Windows\System\URwPTDP.exe

Filesize
5.2MB

MD5
58bfcf88ac145c803da476d0fa540204

SHA1
4deaa9fc9e02593daee67a039412b62ac5e4764f

SHA256
931477609cb582840a1f72bbbe2d56a7cd80dceec8e52471ca35a0eca3b8cbe3

SHA512
3d0bd6853ebe26a5caa92c0bb914b0ccd6430c10840bf146e18fed6b7e429324084367a64385d3635daf207ecd5993f6cd8b97778f8897acd69bd2b33414a05e

Download Submit
C:\Windows\System\YtjNJbV.exe

Filesize
5.2MB

MD5
4309f1d252e5754221e366895d7baf87

SHA1
c4c1405970a225ba4d85221dbab77fc6a0dfcc1b

SHA256
3d6473be66e7d01c5be4a7a8995c48a0ac97c4fe74331169bd1305a6ee5be5a1

SHA512
3ffba00ced36e07d74e61c828029701c7251fe94fe93c72f139af43f567d7f8851003ad234e4ea645e422b9e57c9a7e3d65373c6cce69efa3fefee73ca68f592

Download Submit
C:\Windows\System\diZiWMp.exe

Filesize
5.2MB

MD5
939f367192ce154e12800175a5c56059

SHA1
046b9c0c721534ddf26429ba9e8a076143806a53

SHA256
1a65007dc5bb95c21f1bf26e13e2d58a3e2a272e2955758bb5a99ee0f9bf7e85

SHA512
e33feeb3634c1de51c5895301147243753b87195a25c7390a06b75649d2a48676ed7f3ba55de5bc619b54cb518fe84d907c7a547504ffcc9424f86d0bccb72a8

Download Submit
C:\Windows\System\jxTewaU.exe

Filesize
5.2MB

MD5
34de77e86d77bdb323ea2742d4f97633

SHA1
498aa722ef297f5ec2bba5cf5611ae4c3269dd09

SHA256
fca613df0d9a2fc35d96530fa1b81b5b32440c4f158d9754b0e189a45df8f1ec

SHA512
c34150f6e89557c9ad1fac0c56842597d862102612c61b515599504b91b7f8471eb8974d7c4dfe05bad39bd8daa5eb43e4e4cc40dca2187020b24b6bd396ef8d

Download Submit
C:\Windows\System\kHsMFVv.exe

Filesize
5.2MB

MD5
8435428141f7cf069e8e2d03e4a25d17

SHA1
ca01081ddf607f68c39ede65c7c38469a1ff2264

SHA256
c156102124e67386a0df8a7fcd53211de627319fb50a8168d170776b64f3871f

SHA512
61b57c7af9915a3b6c46a26d105addc5b8588d21999ff72af53ea1bcdb1217dc48bb5f56903a68b6d15e91758b0c9719a3bb987d9f3839016ddc8f2c6e37b5c0

Download Submit
C:\Windows\System\rSCxxZK.exe

Filesize
5.2MB

MD5
903967a81e0b501caaf7e74319f8f4d8

SHA1
d7f668e5fb6d091b57625363a008e965758620d1

SHA256
a2758f52b3ed334853f5c9af51fb69b81f01df9a5c8feb73d8a7621f55503a44

SHA512
706e442b2f627c118cac46e3a803fb77ab69ac1577895d98b787f07f2f708cb93bfb8f0863de172a03b4a2faf35778fd7519cd88f6e11684245fa389434a2b66

Download Submit
C:\Windows\System\tTypHut.exe

Filesize
5.2MB

MD5
9e2a0e1168754e1f55d8780ba1a29b29

SHA1
7e6f80d92d50365282880486509b76ed0f4e4cb4

SHA256
14ebb9449e351820cfd8665c6eee41d3838b6328dedc91160b54b166a2202353

SHA512
2c5f8cdba8a21b61c1a0c7ff37110fc71975ed49d1d8dbe51bd39c0b2d08a020f4f178b5ad7703b49fa3c5931d198c93b96f71ce74ae20746cd2d66de3f0d67b

Download Submit
C:\Windows\System\vtxAaqA.exe

Filesize
5.2MB

MD5
1290103c236f6308e5264c0dcef4090d

SHA1
b5ab192bdab6b0c74f8d11fd28728a36d7efddb6

SHA256
75bd2aaa24ff6cb9e92f49f33c54583a11dffda8c7db5d56c523b78d40bcfe12

SHA512
aec87b3326f345bc24ced2ec38753077aa31f48a0f89b3ff8ecbaa6ddc337b81f299244ae7cb986b516a3887b3c4262a3950b8f05226b3c2f85125b45023a1e1

Download Submit
C:\Windows\System\xHbxQWy.exe

Filesize
5.2MB

MD5
0501bb4b4dc706e19cd75004c6a5a42a

SHA1
6d93d939d598a9f2bd6200a6e6b13aec50e26de2

SHA256
4ff0891d54385789d044c427d8ae0657e5bcb0e0773f3bbda79f14804449e412

SHA512
998ed93d47067d07dda2f83f12a8dbc675cf2fa796db0d6e704bdcb6b8806aa8ca6be75021f50c1f3b31c4759613fed32bf7e535d5939f6df655d8cad4bfe038

Download Submit
C:\Windows\System\yurPgGh.exe

Filesize
5.2MB

MD5
2c42d0377cc22f673e8ac360135c658d

SHA1
c3ac4de05396f6a0435954bf21e7d1a553737db8

SHA256
b0ef327de578013047a7d739b7d903ce0498e23b425853b694bbd3bef4e9b0a2

SHA512
2f60651f4336668a483f50a7236553717482338087f11e6f6b0971fbbf04b181c396d36e3fae0f2d2ee772ff736a82e47b137b53ce4d9fb733781b90508bbb59

Download Submit
memory/400-241-0x00007FF630A30000-0x00007FF630D81000-memory.dmp

Filesize
3.3MB

Download
memory/400-115-0x00007FF630A30000-0x00007FF630D81000-memory.dmp

Filesize
3.3MB

Download
memory/400-51-0x00007FF630A30000-0x00007FF630D81000-memory.dmp

Filesize
3.3MB

Download
memory/1224-64-0x00007FF6A7BC0000-0x00007FF6A7F11000-memory.dmp

Filesize
3.3MB

Download
memory/1224-243-0x00007FF6A7BC0000-0x00007FF6A7F11000-memory.dmp

Filesize
3.3MB

Download
memory/1492-222-0x00007FF6344C0000-0x00007FF634811000-memory.dmp

Filesize
3.3MB

Download
memory/1492-6-0x00007FF6344C0000-0x00007FF634811000-memory.dmp

Filesize
3.3MB

Download
memory/1492-72-0x00007FF6344C0000-0x00007FF634811000-memory.dmp

Filesize
3.3MB

Download
memory/1624-111-0x00007FF7FDDC0000-0x00007FF7FE111000-memory.dmp

Filesize
3.3MB

Download
memory/1624-262-0x00007FF7FDDC0000-0x00007FF7FE111000-memory.dmp

Filesize
3.3MB

Download
memory/1704-269-0x00007FF692FA0000-0x00007FF6932F1000-memory.dmp

Filesize
3.3MB

Download
memory/1704-124-0x00007FF692FA0000-0x00007FF6932F1000-memory.dmp

Filesize
3.3MB

Download
memory/1768-128-0x00007FF788000000-0x00007FF788351000-memory.dmp

Filesize
3.3MB

Download
memory/1768-247-0x00007FF788000000-0x00007FF788351000-memory.dmp

Filesize
3.3MB

Download
memory/1768-68-0x00007FF788000000-0x00007FF788351000-memory.dmp

Filesize
3.3MB

Download
memory/1788-228-0x00007FF660990000-0x00007FF660CE1000-memory.dmp

Filesize
3.3MB

Download
memory/1788-25-0x00007FF660990000-0x00007FF660CE1000-memory.dmp

Filesize
3.3MB

Download
memory/1788-93-0x00007FF660990000-0x00007FF660CE1000-memory.dmp

Filesize
3.3MB

Download
memory/1812-148-0x00007FF6BAF00000-0x00007FF6BB251000-memory.dmp

Filesize
3.3MB

Download
memory/1812-103-0x00007FF6BAF00000-0x00007FF6BB251000-memory.dmp

Filesize
3.3MB

Download
memory/1812-260-0x00007FF6BAF00000-0x00007FF6BB251000-memory.dmp

Filesize
3.3MB

Download
memory/1892-245-0x00007FF7DFE00000-0x00007FF7E0151000-memory.dmp

Filesize
3.3MB

Download
memory/1892-65-0x00007FF7DFE00000-0x00007FF7E0151000-memory.dmp

Filesize
3.3MB

Download
memory/2420-94-0x00007FF6A4E50000-0x00007FF6A51A1000-memory.dmp

Filesize
3.3MB

Download
memory/2420-140-0x00007FF6A4E50000-0x00007FF6A51A1000-memory.dmp

Filesize
3.3MB

Download
memory/2420-255-0x00007FF6A4E50000-0x00007FF6A51A1000-memory.dmp

Filesize
3.3MB

Download
memory/2468-234-0x00007FF7D9E60000-0x00007FF7DA1B1000-memory.dmp

Filesize
3.3MB

Download
memory/2468-102-0x00007FF7D9E60000-0x00007FF7DA1B1000-memory.dmp

Filesize
3.3MB

Download
memory/2468-48-0x00007FF7D9E60000-0x00007FF7DA1B1000-memory.dmp

Filesize
3.3MB

Download
memory/2924-87-0x00007FF6F2A60000-0x00007FF6F2DB1000-memory.dmp

Filesize
3.3MB

Download
memory/2924-226-0x00007FF6F2A60000-0x00007FF6F2DB1000-memory.dmp

Filesize
3.3MB

Download
memory/2924-16-0x00007FF6F2A60000-0x00007FF6F2DB1000-memory.dmp

Filesize
3.3MB

Download
memory/3388-88-0x00007FF7E5C00000-0x00007FF7E5F51000-memory.dmp

Filesize
3.3MB

Download
memory/3388-253-0x00007FF7E5C00000-0x00007FF7E5F51000-memory.dmp

Filesize
3.3MB

Download
memory/3388-139-0x00007FF7E5C00000-0x00007FF7E5F51000-memory.dmp

Filesize
3.3MB

Download
memory/3500-165-0x00007FF6FDFE0000-0x00007FF6FE331000-memory.dmp

Filesize
3.3MB

Download
memory/3500-138-0x00007FF6FDFE0000-0x00007FF6FE331000-memory.dmp

Filesize
3.3MB

Download
memory/3500-273-0x00007FF6FDFE0000-0x00007FF6FE331000-memory.dmp

Filesize
3.3MB

Download
memory/3568-97-0x00007FF61E4C0000-0x00007FF61E811000-memory.dmp

Filesize
3.3MB

Download
memory/3568-30-0x00007FF61E4C0000-0x00007FF61E811000-memory.dmp

Filesize
3.3MB

Download
memory/3568-230-0x00007FF61E4C0000-0x00007FF61E811000-memory.dmp

Filesize
3.3MB

Download
memory/3600-249-0x00007FF6D6090000-0x00007FF6D63E1000-memory.dmp

Filesize
3.3MB

Download
memory/3600-74-0x00007FF6D6090000-0x00007FF6D63E1000-memory.dmp

Filesize
3.3MB

Download
memory/3600-133-0x00007FF6D6090000-0x00007FF6D63E1000-memory.dmp

Filesize
3.3MB

Download
memory/4028-251-0x00007FF7962D0000-0x00007FF796621000-memory.dmp

Filesize
3.3MB

Download
memory/4028-136-0x00007FF7962D0000-0x00007FF796621000-memory.dmp

Filesize
3.3MB

Download
memory/4028-81-0x00007FF7962D0000-0x00007FF796621000-memory.dmp

Filesize
3.3MB

Download
memory/4168-232-0x00007FF7B1EF0000-0x00007FF7B2241000-memory.dmp

Filesize
3.3MB

Download
memory/4168-40-0x00007FF7B1EF0000-0x00007FF7B2241000-memory.dmp

Filesize
3.3MB

Download
memory/4360-73-0x00007FF659D20000-0x00007FF65A071000-memory.dmp

Filesize
3.3MB

Download
memory/4360-224-0x00007FF659D20000-0x00007FF65A071000-memory.dmp

Filesize
3.3MB

Download
memory/4360-15-0x00007FF659D20000-0x00007FF65A071000-memory.dmp

Filesize
3.3MB

Download
memory/4396-1-0x00000236CDC90000-0x00000236CDCA0000-memory.dmp

Filesize
64KB

Download
memory/4396-166-0x00007FF7C0DE0000-0x00007FF7C1131000-memory.dmp

Filesize
3.3MB

Download
memory/4396-0-0x00007FF7C0DE0000-0x00007FF7C1131000-memory.dmp

Filesize
3.3MB

Download
memory/4396-141-0x00007FF7C0DE0000-0x00007FF7C1131000-memory.dmp

Filesize
3.3MB

Download
memory/4396-66-0x00007FF7C0DE0000-0x00007FF7C1131000-memory.dmp

Filesize
3.3MB

Download
memory/4656-159-0x00007FF781520000-0x00007FF781871000-memory.dmp

Filesize
3.3MB

Download
memory/4656-129-0x00007FF781520000-0x00007FF781871000-memory.dmp

Filesize
3.3MB

Download
memory/4656-271-0x00007FF781520000-0x00007FF781871000-memory.dmp

Filesize
3.3MB

Download
memory/5104-267-0x00007FF6D6350000-0x00007FF6D66A1000-memory.dmp

Filesize
3.3MB

Download
memory/5104-116-0x00007FF6D6350000-0x00007FF6D66A1000-memory.dmp

Filesize
3.3MB

Download
memory/5104-158-0x00007FF6D6350000-0x00007FF6D66A1000-memory.dmp

Filesize
3.3MB

Download