cobaltstrike | 6c292f37713ce6b64a92e207176e9087dbe222d1c837eb4b373240664b7d2d5b

Analysis

max time kernel
140s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27-12-2024 19:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-27_3d43340b8eb46e2ee3fad8d2a5b66577_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

3d43340b8eb46e2ee3fad8d2a5b66577
SHA1

407ce18eb349d46133d7e464881d749553399c5f
SHA256

6c292f37713ce6b64a92e207176e9087dbe222d1c837eb4b373240664b7d2d5b
SHA512

80e08209c755e839ec56d28a9494d55ed0a203039edee61a71fe7f73cb4d3154c5e848835649297fad1962f49fed916025639fbef120ea8de7df5c0acde2c79b
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lU:RWWBibf56utgpPFotBER/mQ32lUY

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000c000000023b7e-5.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c72-10.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c74-21.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c73-25.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c7a-53.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c79-52.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c7d-80.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c7f-102.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c81-109.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c83-116.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023c66-120.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c82-114.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c80-100.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c7e-88.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c7c-86.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c7b-72.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c77-55.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c78-43.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c76-38.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c75-33.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c84-127.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/4912-112-0x00007FF7DD440000-0x00007FF7DD791000-memory.dmp	xmrig
behavioral2/memory/1896-51-0x00007FF606CF0000-0x00007FF607041000-memory.dmp	xmrig
behavioral2/memory/5020-124-0x00007FF778980000-0x00007FF778CD1000-memory.dmp	xmrig
behavioral2/memory/3080-123-0x00007FF7C8CF0000-0x00007FF7C9041000-memory.dmp	xmrig
behavioral2/memory/1732-128-0x00007FF60BEF0000-0x00007FF60C241000-memory.dmp	xmrig
behavioral2/memory/2136-130-0x00007FF6839B0000-0x00007FF683D01000-memory.dmp	xmrig
behavioral2/memory/692-131-0x00007FF6DCA20000-0x00007FF6DCD71000-memory.dmp	xmrig
behavioral2/memory/2192-132-0x00007FF606D30000-0x00007FF607081000-memory.dmp	xmrig
behavioral2/memory/1328-133-0x00007FF69C810000-0x00007FF69CB61000-memory.dmp	xmrig
behavioral2/memory/628-135-0x00007FF62EDA0000-0x00007FF62F0F1000-memory.dmp	xmrig
behavioral2/memory/1772-134-0x00007FF6B7940000-0x00007FF6B7C91000-memory.dmp	xmrig
behavioral2/memory/3904-136-0x00007FF67E990000-0x00007FF67ECE1000-memory.dmp	xmrig
behavioral2/memory/1612-139-0x00007FF60EDD0000-0x00007FF60F121000-memory.dmp	xmrig
behavioral2/memory/1820-141-0x00007FF652E40000-0x00007FF653191000-memory.dmp	xmrig
behavioral2/memory/3080-137-0x00007FF7C8CF0000-0x00007FF7C9041000-memory.dmp	xmrig
behavioral2/memory/1352-157-0x00007FF64F240000-0x00007FF64F591000-memory.dmp	xmrig
behavioral2/memory/3960-159-0x00007FF72E220000-0x00007FF72E571000-memory.dmp	xmrig
behavioral2/memory/2848-160-0x00007FF69DC70000-0x00007FF69DFC1000-memory.dmp	xmrig
behavioral2/memory/2932-158-0x00007FF6D7880000-0x00007FF6D7BD1000-memory.dmp	xmrig
behavioral2/memory/3500-156-0x00007FF608690000-0x00007FF6089E1000-memory.dmp	xmrig
behavioral2/memory/3340-154-0x00007FF75A020000-0x00007FF75A371000-memory.dmp	xmrig
behavioral2/memory/4880-153-0x00007FF7A9E50000-0x00007FF7AA1A1000-memory.dmp	xmrig
behavioral2/memory/3464-161-0x00007FF6257D0000-0x00007FF625B21000-memory.dmp	xmrig
behavioral2/memory/3080-163-0x00007FF7C8CF0000-0x00007FF7C9041000-memory.dmp	xmrig
behavioral2/memory/5020-220-0x00007FF778980000-0x00007FF778CD1000-memory.dmp	xmrig
behavioral2/memory/1732-222-0x00007FF60BEF0000-0x00007FF60C241000-memory.dmp	xmrig
behavioral2/memory/692-224-0x00007FF6DCA20000-0x00007FF6DCD71000-memory.dmp	xmrig
behavioral2/memory/2192-226-0x00007FF606D30000-0x00007FF607081000-memory.dmp	xmrig
behavioral2/memory/1328-230-0x00007FF69C810000-0x00007FF69CB61000-memory.dmp	xmrig
behavioral2/memory/1896-229-0x00007FF606CF0000-0x00007FF607041000-memory.dmp	xmrig
behavioral2/memory/1772-232-0x00007FF6B7940000-0x00007FF6B7C91000-memory.dmp	xmrig
behavioral2/memory/1612-244-0x00007FF60EDD0000-0x00007FF60F121000-memory.dmp	xmrig
behavioral2/memory/3904-246-0x00007FF67E990000-0x00007FF67ECE1000-memory.dmp	xmrig
behavioral2/memory/628-248-0x00007FF62EDA0000-0x00007FF62F0F1000-memory.dmp	xmrig
behavioral2/memory/3960-250-0x00007FF72E220000-0x00007FF72E571000-memory.dmp	xmrig
behavioral2/memory/4880-254-0x00007FF7A9E50000-0x00007FF7AA1A1000-memory.dmp	xmrig
behavioral2/memory/1820-252-0x00007FF652E40000-0x00007FF653191000-memory.dmp	xmrig
behavioral2/memory/4912-258-0x00007FF7DD440000-0x00007FF7DD791000-memory.dmp	xmrig
behavioral2/memory/3340-260-0x00007FF75A020000-0x00007FF75A371000-memory.dmp	xmrig
behavioral2/memory/2848-257-0x00007FF69DC70000-0x00007FF69DFC1000-memory.dmp	xmrig
behavioral2/memory/3500-262-0x00007FF608690000-0x00007FF6089E1000-memory.dmp	xmrig
behavioral2/memory/1352-264-0x00007FF64F240000-0x00007FF64F591000-memory.dmp	xmrig
behavioral2/memory/3464-266-0x00007FF6257D0000-0x00007FF625B21000-memory.dmp	xmrig
behavioral2/memory/2932-268-0x00007FF6D7880000-0x00007FF6D7BD1000-memory.dmp	xmrig
behavioral2/memory/2136-270-0x00007FF6839B0000-0x00007FF683D01000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
5020	VPhCIJr.exe
1732	yQYOxBX.exe
692	KFKZWbe.exe
1772	raxKKbT.exe
2192	UaVFqis.exe
1328	QUTpiHe.exe
1612	vntiPxG.exe
1896	bRpTREH.exe
3904	uIAVOma.exe
628	OXdgLpD.exe
3960	LqXSUQd.exe
1820	ENKQMcF.exe
4880	uklQUnz.exe
2848	ozVkrVa.exe
3340	zamFFzx.exe
4912	ndpzdsw.exe
3500	YctLuHH.exe
1352	gLFezgz.exe
2932	dVRfDvF.exe
3464	sKGIBci.exe
2136	YlMPjLo.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3080-0-0x00007FF7C8CF0000-0x00007FF7C9041000-memory.dmp	upx
behavioral2/files/0x000c000000023b7e-5.dat	upx
behavioral2/files/0x0007000000023c72-10.dat	upx
behavioral2/files/0x0007000000023c74-21.dat	upx
behavioral2/files/0x0007000000023c73-25.dat	upx
behavioral2/files/0x0007000000023c7a-53.dat	upx
behavioral2/files/0x0007000000023c79-52.dat	upx
behavioral2/files/0x0007000000023c7d-80.dat	upx
behavioral2/files/0x0007000000023c7f-102.dat	upx
behavioral2/files/0x0007000000023c81-109.dat	upx
behavioral2/files/0x0007000000023c83-116.dat	upx
behavioral2/memory/3464-122-0x00007FF6257D0000-0x00007FF625B21000-memory.dmp	upx
behavioral2/files/0x000b000000023c66-120.dat	upx
behavioral2/memory/2932-117-0x00007FF6D7880000-0x00007FF6D7BD1000-memory.dmp	upx
behavioral2/files/0x0007000000023c82-114.dat	upx
behavioral2/memory/1352-113-0x00007FF64F240000-0x00007FF64F591000-memory.dmp	upx
behavioral2/memory/4912-112-0x00007FF7DD440000-0x00007FF7DD791000-memory.dmp	upx
behavioral2/memory/3500-104-0x00007FF608690000-0x00007FF6089E1000-memory.dmp	upx
behavioral2/files/0x0007000000023c80-100.dat	upx
behavioral2/memory/3340-96-0x00007FF75A020000-0x00007FF75A371000-memory.dmp	upx
behavioral2/memory/4880-89-0x00007FF7A9E50000-0x00007FF7AA1A1000-memory.dmp	upx
behavioral2/files/0x0007000000023c7e-88.dat	upx
behavioral2/files/0x0007000000023c7c-86.dat	upx
behavioral2/memory/2848-95-0x00007FF69DC70000-0x00007FF69DFC1000-memory.dmp	upx
behavioral2/memory/3960-78-0x00007FF72E220000-0x00007FF72E571000-memory.dmp	upx
behavioral2/files/0x0007000000023c7b-72.dat	upx
behavioral2/memory/1820-71-0x00007FF652E40000-0x00007FF653191000-memory.dmp	upx
behavioral2/memory/3904-63-0x00007FF67E990000-0x00007FF67ECE1000-memory.dmp	upx
behavioral2/memory/1612-61-0x00007FF60EDD0000-0x00007FF60F121000-memory.dmp	upx
behavioral2/memory/628-54-0x00007FF62EDA0000-0x00007FF62F0F1000-memory.dmp	upx
behavioral2/files/0x0007000000023c77-55.dat	upx
behavioral2/memory/1896-51-0x00007FF606CF0000-0x00007FF607041000-memory.dmp	upx
behavioral2/memory/1328-48-0x00007FF69C810000-0x00007FF69CB61000-memory.dmp	upx
behavioral2/files/0x0007000000023c78-43.dat	upx
behavioral2/files/0x0007000000023c76-38.dat	upx
behavioral2/memory/1772-34-0x00007FF6B7940000-0x00007FF6B7C91000-memory.dmp	upx
behavioral2/files/0x0007000000023c75-33.dat	upx
behavioral2/memory/2192-32-0x00007FF606D30000-0x00007FF607081000-memory.dmp	upx
behavioral2/memory/692-23-0x00007FF6DCA20000-0x00007FF6DCD71000-memory.dmp	upx
behavioral2/memory/1732-19-0x00007FF60BEF0000-0x00007FF60C241000-memory.dmp	upx
behavioral2/memory/5020-11-0x00007FF778980000-0x00007FF778CD1000-memory.dmp	upx
behavioral2/memory/5020-124-0x00007FF778980000-0x00007FF778CD1000-memory.dmp	upx
behavioral2/memory/3080-123-0x00007FF7C8CF0000-0x00007FF7C9041000-memory.dmp	upx
behavioral2/files/0x0007000000023c84-127.dat	upx
behavioral2/memory/1732-128-0x00007FF60BEF0000-0x00007FF60C241000-memory.dmp	upx
behavioral2/memory/2136-130-0x00007FF6839B0000-0x00007FF683D01000-memory.dmp	upx
behavioral2/memory/692-131-0x00007FF6DCA20000-0x00007FF6DCD71000-memory.dmp	upx
behavioral2/memory/2192-132-0x00007FF606D30000-0x00007FF607081000-memory.dmp	upx
behavioral2/memory/1328-133-0x00007FF69C810000-0x00007FF69CB61000-memory.dmp	upx
behavioral2/memory/628-135-0x00007FF62EDA0000-0x00007FF62F0F1000-memory.dmp	upx
behavioral2/memory/1772-134-0x00007FF6B7940000-0x00007FF6B7C91000-memory.dmp	upx
behavioral2/memory/3904-136-0x00007FF67E990000-0x00007FF67ECE1000-memory.dmp	upx
behavioral2/memory/1612-139-0x00007FF60EDD0000-0x00007FF60F121000-memory.dmp	upx
behavioral2/memory/1820-141-0x00007FF652E40000-0x00007FF653191000-memory.dmp	upx
behavioral2/memory/3080-137-0x00007FF7C8CF0000-0x00007FF7C9041000-memory.dmp	upx
behavioral2/memory/1352-157-0x00007FF64F240000-0x00007FF64F591000-memory.dmp	upx
behavioral2/memory/3960-159-0x00007FF72E220000-0x00007FF72E571000-memory.dmp	upx
behavioral2/memory/2848-160-0x00007FF69DC70000-0x00007FF69DFC1000-memory.dmp	upx
behavioral2/memory/2932-158-0x00007FF6D7880000-0x00007FF6D7BD1000-memory.dmp	upx
behavioral2/memory/3500-156-0x00007FF608690000-0x00007FF6089E1000-memory.dmp	upx
behavioral2/memory/3340-154-0x00007FF75A020000-0x00007FF75A371000-memory.dmp	upx
behavioral2/memory/4880-153-0x00007FF7A9E50000-0x00007FF7AA1A1000-memory.dmp	upx
behavioral2/memory/3464-161-0x00007FF6257D0000-0x00007FF625B21000-memory.dmp	upx
behavioral2/memory/3080-163-0x00007FF7C8CF0000-0x00007FF7C9041000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\uklQUnz.exe	2024-12-27_3d43340b8eb46e2ee3fad8d2a5b66577_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zamFFzx.exe	2024-12-27_3d43340b8eb46e2ee3fad8d2a5b66577_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gLFezgz.exe	2024-12-27_3d43340b8eb46e2ee3fad8d2a5b66577_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yQYOxBX.exe	2024-12-27_3d43340b8eb46e2ee3fad8d2a5b66577_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\raxKKbT.exe	2024-12-27_3d43340b8eb46e2ee3fad8d2a5b66577_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OXdgLpD.exe	2024-12-27_3d43340b8eb46e2ee3fad8d2a5b66577_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YctLuHH.exe	2024-12-27_3d43340b8eb46e2ee3fad8d2a5b66577_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sKGIBci.exe	2024-12-27_3d43340b8eb46e2ee3fad8d2a5b66577_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vntiPxG.exe	2024-12-27_3d43340b8eb46e2ee3fad8d2a5b66577_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ozVkrVa.exe	2024-12-27_3d43340b8eb46e2ee3fad8d2a5b66577_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ndpzdsw.exe	2024-12-27_3d43340b8eb46e2ee3fad8d2a5b66577_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LqXSUQd.exe	2024-12-27_3d43340b8eb46e2ee3fad8d2a5b66577_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dVRfDvF.exe	2024-12-27_3d43340b8eb46e2ee3fad8d2a5b66577_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UaVFqis.exe	2024-12-27_3d43340b8eb46e2ee3fad8d2a5b66577_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bRpTREH.exe	2024-12-27_3d43340b8eb46e2ee3fad8d2a5b66577_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uIAVOma.exe	2024-12-27_3d43340b8eb46e2ee3fad8d2a5b66577_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ENKQMcF.exe	2024-12-27_3d43340b8eb46e2ee3fad8d2a5b66577_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YlMPjLo.exe	2024-12-27_3d43340b8eb46e2ee3fad8d2a5b66577_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VPhCIJr.exe	2024-12-27_3d43340b8eb46e2ee3fad8d2a5b66577_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KFKZWbe.exe	2024-12-27_3d43340b8eb46e2ee3fad8d2a5b66577_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QUTpiHe.exe	2024-12-27_3d43340b8eb46e2ee3fad8d2a5b66577_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3080	2024-12-27_3d43340b8eb46e2ee3fad8d2a5b66577_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	3080	2024-12-27_3d43340b8eb46e2ee3fad8d2a5b66577_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3080 wrote to memory of 5020	3080	2024-12-27_3d43340b8eb46e2ee3fad8d2a5b66577_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3080 wrote to memory of 5020	3080	2024-12-27_3d43340b8eb46e2ee3fad8d2a5b66577_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3080 wrote to memory of 1732	3080	2024-12-27_3d43340b8eb46e2ee3fad8d2a5b66577_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3080 wrote to memory of 1732	3080	2024-12-27_3d43340b8eb46e2ee3fad8d2a5b66577_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3080 wrote to memory of 692	3080	2024-12-27_3d43340b8eb46e2ee3fad8d2a5b66577_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3080 wrote to memory of 692	3080	2024-12-27_3d43340b8eb46e2ee3fad8d2a5b66577_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3080 wrote to memory of 1772	3080	2024-12-27_3d43340b8eb46e2ee3fad8d2a5b66577_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3080 wrote to memory of 1772	3080	2024-12-27_3d43340b8eb46e2ee3fad8d2a5b66577_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3080 wrote to memory of 2192	3080	2024-12-27_3d43340b8eb46e2ee3fad8d2a5b66577_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3080 wrote to memory of 2192	3080	2024-12-27_3d43340b8eb46e2ee3fad8d2a5b66577_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3080 wrote to memory of 1328	3080	2024-12-27_3d43340b8eb46e2ee3fad8d2a5b66577_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3080 wrote to memory of 1328	3080	2024-12-27_3d43340b8eb46e2ee3fad8d2a5b66577_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3080 wrote to memory of 1612	3080	2024-12-27_3d43340b8eb46e2ee3fad8d2a5b66577_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3080 wrote to memory of 1612	3080	2024-12-27_3d43340b8eb46e2ee3fad8d2a5b66577_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3080 wrote to memory of 1896	3080	2024-12-27_3d43340b8eb46e2ee3fad8d2a5b66577_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3080 wrote to memory of 1896	3080	2024-12-27_3d43340b8eb46e2ee3fad8d2a5b66577_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3080 wrote to memory of 3904	3080	2024-12-27_3d43340b8eb46e2ee3fad8d2a5b66577_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3080 wrote to memory of 3904	3080	2024-12-27_3d43340b8eb46e2ee3fad8d2a5b66577_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3080 wrote to memory of 628	3080	2024-12-27_3d43340b8eb46e2ee3fad8d2a5b66577_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3080 wrote to memory of 628	3080	2024-12-27_3d43340b8eb46e2ee3fad8d2a5b66577_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3080 wrote to memory of 3960	3080	2024-12-27_3d43340b8eb46e2ee3fad8d2a5b66577_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3080 wrote to memory of 3960	3080	2024-12-27_3d43340b8eb46e2ee3fad8d2a5b66577_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3080 wrote to memory of 1820	3080	2024-12-27_3d43340b8eb46e2ee3fad8d2a5b66577_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3080 wrote to memory of 1820	3080	2024-12-27_3d43340b8eb46e2ee3fad8d2a5b66577_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3080 wrote to memory of 2848	3080	2024-12-27_3d43340b8eb46e2ee3fad8d2a5b66577_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3080 wrote to memory of 2848	3080	2024-12-27_3d43340b8eb46e2ee3fad8d2a5b66577_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3080 wrote to memory of 4880	3080	2024-12-27_3d43340b8eb46e2ee3fad8d2a5b66577_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3080 wrote to memory of 4880	3080	2024-12-27_3d43340b8eb46e2ee3fad8d2a5b66577_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3080 wrote to memory of 3340	3080	2024-12-27_3d43340b8eb46e2ee3fad8d2a5b66577_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3080 wrote to memory of 3340	3080	2024-12-27_3d43340b8eb46e2ee3fad8d2a5b66577_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3080 wrote to memory of 4912	3080	2024-12-27_3d43340b8eb46e2ee3fad8d2a5b66577_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3080 wrote to memory of 4912	3080	2024-12-27_3d43340b8eb46e2ee3fad8d2a5b66577_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3080 wrote to memory of 3500	3080	2024-12-27_3d43340b8eb46e2ee3fad8d2a5b66577_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3080 wrote to memory of 3500	3080	2024-12-27_3d43340b8eb46e2ee3fad8d2a5b66577_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3080 wrote to memory of 1352	3080	2024-12-27_3d43340b8eb46e2ee3fad8d2a5b66577_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3080 wrote to memory of 1352	3080	2024-12-27_3d43340b8eb46e2ee3fad8d2a5b66577_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3080 wrote to memory of 2932	3080	2024-12-27_3d43340b8eb46e2ee3fad8d2a5b66577_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3080 wrote to memory of 2932	3080	2024-12-27_3d43340b8eb46e2ee3fad8d2a5b66577_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3080 wrote to memory of 3464	3080	2024-12-27_3d43340b8eb46e2ee3fad8d2a5b66577_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 3080 wrote to memory of 3464	3080	2024-12-27_3d43340b8eb46e2ee3fad8d2a5b66577_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 3080 wrote to memory of 2136	3080	2024-12-27_3d43340b8eb46e2ee3fad8d2a5b66577_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 3080 wrote to memory of 2136	3080	2024-12-27_3d43340b8eb46e2ee3fad8d2a5b66577_cobalt-strike_cobaltstrike_poet-rat.exe	105

C:\Users\Admin\AppData\Local\Temp\2024-12-27_3d43340b8eb46e2ee3fad8d2a5b66577_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-27_3d43340b8eb46e2ee3fad8d2a5b66577_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3080
- C:\Windows\System\VPhCIJr.exe
  C:\Windows\System\VPhCIJr.exe
  2⤵
  - Executes dropped EXE
  PID:5020
- C:\Windows\System\yQYOxBX.exe
  C:\Windows\System\yQYOxBX.exe
  2⤵
  - Executes dropped EXE
  PID:1732
- C:\Windows\System\KFKZWbe.exe
  C:\Windows\System\KFKZWbe.exe
  2⤵
  - Executes dropped EXE
  PID:692
- C:\Windows\System\raxKKbT.exe
  C:\Windows\System\raxKKbT.exe
  2⤵
  - Executes dropped EXE
  PID:1772
- C:\Windows\System\UaVFqis.exe
  C:\Windows\System\UaVFqis.exe
  2⤵
  - Executes dropped EXE
  PID:2192
- C:\Windows\System\QUTpiHe.exe
  C:\Windows\System\QUTpiHe.exe
  2⤵
  - Executes dropped EXE
  PID:1328
- C:\Windows\System\vntiPxG.exe
  C:\Windows\System\vntiPxG.exe
  2⤵
  - Executes dropped EXE
  PID:1612
- C:\Windows\System\bRpTREH.exe
  C:\Windows\System\bRpTREH.exe
  2⤵
  - Executes dropped EXE
  PID:1896
- C:\Windows\System\uIAVOma.exe
  C:\Windows\System\uIAVOma.exe
  2⤵
  - Executes dropped EXE
  PID:3904
- C:\Windows\System\OXdgLpD.exe
  C:\Windows\System\OXdgLpD.exe
  2⤵
  - Executes dropped EXE
  PID:628
- C:\Windows\System\LqXSUQd.exe
  C:\Windows\System\LqXSUQd.exe
  2⤵
  - Executes dropped EXE
  PID:3960
- C:\Windows\System\ENKQMcF.exe
  C:\Windows\System\ENKQMcF.exe
  2⤵
  - Executes dropped EXE
  PID:1820
- C:\Windows\System\ozVkrVa.exe
  C:\Windows\System\ozVkrVa.exe
  2⤵
  - Executes dropped EXE
  PID:2848
- C:\Windows\System\uklQUnz.exe
  C:\Windows\System\uklQUnz.exe
  2⤵
  - Executes dropped EXE
  PID:4880
- C:\Windows\System\zamFFzx.exe
  C:\Windows\System\zamFFzx.exe
  2⤵
  - Executes dropped EXE
  PID:3340
- C:\Windows\System\ndpzdsw.exe
  C:\Windows\System\ndpzdsw.exe
  2⤵
  - Executes dropped EXE
  PID:4912
- C:\Windows\System\YctLuHH.exe
  C:\Windows\System\YctLuHH.exe
  2⤵
  - Executes dropped EXE
  PID:3500
- C:\Windows\System\gLFezgz.exe
  C:\Windows\System\gLFezgz.exe
  2⤵
  - Executes dropped EXE
  PID:1352
- C:\Windows\System\dVRfDvF.exe
  C:\Windows\System\dVRfDvF.exe
  2⤵
  - Executes dropped EXE
  PID:2932
- C:\Windows\System\sKGIBci.exe
  C:\Windows\System\sKGIBci.exe
  2⤵
  - Executes dropped EXE
  PID:3464
- C:\Windows\System\YlMPjLo.exe
  C:\Windows\System\YlMPjLo.exe
  2⤵
  - Executes dropped EXE
  PID:2136

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\ENKQMcF.exe

Filesize
5.2MB

MD5
6041958fb31ed9d671bcf482839bf706

SHA1
b72d8297424a1021d6f12efb702224616238fc44

SHA256
c0432070d3fe81bfbc8f348930d28cfa1b0da8fa901f08870beac661f314c629

SHA512
e46bebe184cf5bde0806bf127556ce83a660d35dcb09002f2d52ec695fd8b376220add43bdc41f1bac7a08218a38ad208557732514256f3dae2c474a1ea76c8e

Download Submit
C:\Windows\System\KFKZWbe.exe

Filesize
5.2MB

MD5
40af84cc17dbc70b57169968bf267caf

SHA1
07a55b45a50a4c2138fa3b6015fbdf57d3e4c83e

SHA256
4bf69dc90d865f9a3ae041585127cd5e1c25e6a5ebfe73f9677e048266ec1701

SHA512
4450886be3fe5af005e54c941bf2e2b409a8dda16409932bce14fc3e6705c4e5aff3dd16a380d3864c56d2820f2bd915d6024d1a90f8c793c057e8e9eb029e50

Download Submit
C:\Windows\System\LqXSUQd.exe

Filesize
5.2MB

MD5
187a2f44d613010cd308626aac355012

SHA1
c1f6c1f9990881ccb5254eeba4811b667527d5bf

SHA256
e3011f6af9ab3025bfd2dc29971e0b7920100a6ef98e60054e3cd2227dd02af0

SHA512
0afc6aaf453d0d108804b7aa304e576aa6c2439c1f832338aa97fa3f499d094f455db5c1736e8fe8ccc2ae2abeb8a74e5bb3c232083e8e368809e18436574fd3

Download Submit
C:\Windows\System\OXdgLpD.exe

Filesize
5.2MB

MD5
357913edcb10341d85714462c984eabf

SHA1
72f4c61cf07e8e5198cd5855900fb7e666aaaffb

SHA256
4f2beeaeddafa5f120fb21fbc19802311fc4a50f318a156d0c404ea7b6190133

SHA512
2b464018c5e624bc4b6a81115ef047c862d66dbdd2c1daf9b416f1db51dddf4b6d00e201f1abc259d9c0691bad2968c352071e1d435700af6532c0e2fbb56817

Download Submit
C:\Windows\System\QUTpiHe.exe

Filesize
5.2MB

MD5
408c377efd52fc0048ea27570a11d2b4

SHA1
110600141e69fa66bdb01ed1e62da4ae2ccdb671

SHA256
362e138edcee0b11abd459b3978b3f7ac43b8425dd91ec46c59e3d3b609b2f36

SHA512
7cd7f8fcda13f199b0129c7aa495a78ebcdd5a73baaa592c7caa1461186740345f2e0d95d0d57b23d11cb46d7fa5c7654e1e30973d68a8279198ee784913011c

Download Submit
C:\Windows\System\UaVFqis.exe

Filesize
5.2MB

MD5
fd4d1065215b94ba219cf73f594e0ad1

SHA1
f7ccde482b43bdaa2e068e3ec7b33dfc0c9be6db

SHA256
6660b3c4487fcf074b9131112a0af354a73791bded67d65b3f88633484d3a0a2

SHA512
14b16c6993557e222db855d759252afc41635058d3c5a20b5d50d79d08c7c71b60e4165d2dd23d22a2b0e7258b404f7988fe99e1afa51440bc383dd073baa963

Download Submit
C:\Windows\System\VPhCIJr.exe

Filesize
5.2MB

MD5
6517b9ebf26547b1fc17620fe625a2d3

SHA1
cd12ddcc7de30021ea5f26b33014f584af83c92c

SHA256
3728ec99cefedd4504fd1d2283b0dc43d9037b508362871589971ef495d7e84d

SHA512
5b02de4115c793c6552b22ff96b746d8aaaff473bfb7ab05c9da8661412329bec114c5bda918cdff7d06cc7dbe9a48e3a6860bafe9a1df0d4d692dff93dd0eae

Download Submit
C:\Windows\System\YctLuHH.exe

Filesize
5.2MB

MD5
94fe9b2c1e0257ba5572757982bb6654

SHA1
dc278b0ec32754fe0af2a7cdaeb19b9489036dd7

SHA256
669c1dc33d363728d4b305cf0b2797d71a705cf1060143836d6c6ab117a1edcc

SHA512
dbd0e2d52dfce82a19131cd80ba34fffbbb9d3ad9062084579d92bd1a4d81f47b0d7e30ce7d9b70480ad9bf25e100a4f719215ffd3c1fb5fdfec5b8e9dc71c5b

Download Submit
C:\Windows\System\YlMPjLo.exe

Filesize
5.2MB

MD5
26327dec4b7afa6707d3e672218ec994

SHA1
d5145cc259096aa4b634e5ce9a7f4a92cef295b9

SHA256
901d22d624c28a0c410f9806d76d2131f4bab8e7e040140b3218a4cf80f37f3b

SHA512
e9d88495f5434db7c4e4e688f954465158992b2f671b595f1979898d00a0aabecd76ecb2892bc7ad558132ad4a271eb018ec17ff1c8394d1d94cb9e426132865

Download Submit
C:\Windows\System\bRpTREH.exe

Filesize
5.2MB

MD5
bd5b584f85ea133efd4f7f69a5c25bb9

SHA1
c51ba201aa29ebc975ebc1171df7c665de6cf1fc

SHA256
0725e14e18c81a9fddf1bf781882dc618efd2cdb5c3e0253cbe9ad12b771012b

SHA512
5cec83a07118d84b1f7892a2ea637d0fd6348954c33ea003b4d48ee3c3404e406da909f3adf701ac64358777baa37c96a2177979614e9ce523d867fe5d92b4b4

Download Submit
C:\Windows\System\dVRfDvF.exe

Filesize
5.2MB

MD5
539c3c147ad38f9c67f6b3b118e871eb

SHA1
82bd82caf2435eff89045cc9b24325b7aafdab2b

SHA256
5ef5315271579b03072512c49008706c46680bb0c619d025057c0964205392e8

SHA512
c8e233a3e86d64cf94135d37cd17e5ab8c71d502db24c83ce1ee4f9ea96d9f6bae70adbc7c3b0f4c134a48eee62519bb92bdd5a91c0a865baff64e235eb67e3f

Download Submit
C:\Windows\System\gLFezgz.exe

Filesize
5.2MB

MD5
3915c4bf62bba9a9e963517215087dcf

SHA1
b0ba72b2229d802ff3189b0dc0c5c32fa854da0f

SHA256
4450cfe07d95ab0339b7d3b7d4a12add0df7198d974c6c3d3a404e64032a5e6f

SHA512
0ee83ca18339edaf9d8bf2eb80378abd5c75b6ba7fe6c10b9ca4195cace8adec14c4421db095838a3e1306bc920340f1378d42084ff8c87323dce28c82f45685

Download Submit
C:\Windows\System\ndpzdsw.exe

Filesize
5.2MB

MD5
d2d8152a0dea91e997fe6328ee0f16c7

SHA1
c562f10684b4d3f795cef6be8a67cb1cbe1ad732

SHA256
92ce73d043c589a8fb4829ae8abbb3d77741faec679e39c93ddf6f521a5eb43b

SHA512
445e5d29149de94a96f1ba5a9e91702e05b43dcf5bdf5ec591665d7149cc43d153dad894c25dea2d3521c97f4d4f96d50edf4e7837764f3958dbde9fb0639527

Download Submit
C:\Windows\System\ozVkrVa.exe

Filesize
5.2MB

MD5
317c5b83bc1729c252b288d01ce89e3f

SHA1
4fea730b53a3508746a176b4cf9c2b51353cfad7

SHA256
7937ad8b7fc5076480b15e0485bb0aa6b53cc56294510e6c7306e4ee13d808e2

SHA512
6bcad3e511082320d6178a513d6c22c25e339647a8b5596342d3fb9c1a36d54be844a5965129d6156eeb4a62c33abc3dec44ae6a49d1cb70aae79488c74a2f57

Download Submit
C:\Windows\System\raxKKbT.exe

Filesize
5.2MB

MD5
e763950ff63dc52e91b100764426cf8d

SHA1
b560ee3e2cc6bcf304364568b996fd84b8c798fc

SHA256
540d84733fb1f8aad4d2f127c26b909cc46aa472d6008c5d16459708cd07133e

SHA512
2ebbac3505c62569d206c2dc5a1921e3d40c0f471a13dc5a39117940b5e28bd46d283c01504db93a5fc54f55692c592fb9f7ae979b0b3161d55939d093542771

Download Submit
C:\Windows\System\sKGIBci.exe

Filesize
5.2MB

MD5
ca1a1ea5be43d9777e6d0a47d033244b

SHA1
0f61213a76938955273a11f5a282c88a8e6f8bf7

SHA256
a01f88f1446fb2c3d3c1fc5f020b88d44fa49c7d38d08310555b306d5f71a7f1

SHA512
8ae6882fba49c689590a43eafc5b05e087ee5f711e77550f9bd75fdde7ee67440c405a036c8d97a1e00528f6e1051ab53216fb43f2d775bb94f96efcdaf14b07

Download Submit
C:\Windows\System\uIAVOma.exe

Filesize
5.2MB

MD5
ee0a9f7c7ee37636db5a5ab062548feb

SHA1
32889df84009922434c41e628c3bb0b704de4d05

SHA256
bc6abc99ce56f418bc7467094ba1aa63e843af261abb37c43de6323d33dd8916

SHA512
c4fdd58711bf50a30833c16cc9ba52f0fa04952f62faa44e523f1f9c9ff82ce194c424383c8b10971609b8287be8f3d1fd7dddcc57802ab92f125df3924c673f

Download Submit
C:\Windows\System\uklQUnz.exe

Filesize
5.2MB

MD5
cb11b74d502f0e3323239725ad55bd42

SHA1
133804cec53b383d83fb3590dcf7fd1aa67b7cd1

SHA256
0bf9ab8b4c7a681ab98a5f5a9f002917f7d5e9f0b81ef02ca35368c9e0b469a8

SHA512
b24d34935053dc81d7243e9e12f427259b4db1b0caa289ba5da13e6516fcc4d38cdab825cfb517fb9721723e21f9fd2767fb9bd6fec52316adf545697e91eaab

Download Submit
C:\Windows\System\vntiPxG.exe

Filesize
5.2MB

MD5
7d0519e0a13012922a9f485d90e8388d

SHA1
592baeff175fd6b4a2278d5ca571a64914d2323e

SHA256
3fdeaa83a5b58c456489ed8e8d9a0c2bf9d228d7b84a6a2a35385d222fa82dcf

SHA512
bc73a424e7ef3799f014c19771b24e079a7b2fa3b48119934e0c31594c254e152f57ffb7048d196435d61f5728cfe2fb73a878555278d83e2da42289902d5b1e

Download Submit
C:\Windows\System\yQYOxBX.exe

Filesize
5.2MB

MD5
955cc1366b160efca6f62e4b10a6dda9

SHA1
403ce221a17836dc3bcdbf0c26cc3e8326da9906

SHA256
baf379bdf8c5e0c9cd279425b74bad1fa42bb05c959fae26c012fc2fa3d90d0a

SHA512
858bb8063a4258b5d43fa352848c3973e73c3ca1d0f79e831952d582570c3ef3af323802b6ce556c5f96f7fb3c4e6143214572eeeaf432eb71c9d9af4ac1f042

Download Submit
C:\Windows\System\zamFFzx.exe

Filesize
5.2MB

MD5
384fcc621a34bf13e63dfccbcb1fca6a

SHA1
48b382bce3e93ce36f942e2f6bb6940b6e45800f

SHA256
3855b81db2b3a6c8b2a7005935adf5e3a7bb052f5831d0477b25357c362d6c6a

SHA512
c3face0c61a5c144d34679b5c0929cffd340b7dafa95c6c4aa38eb8d65537ea951a379e2285e0a8108b29697f3e8653db6c415ea32668e43ce88fd6836555bc4

Download Submit
memory/628-135-0x00007FF62EDA0000-0x00007FF62F0F1000-memory.dmp

Filesize
3.3MB

Download
memory/628-248-0x00007FF62EDA0000-0x00007FF62F0F1000-memory.dmp

Filesize
3.3MB

Download
memory/628-54-0x00007FF62EDA0000-0x00007FF62F0F1000-memory.dmp

Filesize
3.3MB

Download
memory/692-23-0x00007FF6DCA20000-0x00007FF6DCD71000-memory.dmp

Filesize
3.3MB

Download
memory/692-131-0x00007FF6DCA20000-0x00007FF6DCD71000-memory.dmp

Filesize
3.3MB

Download
memory/692-224-0x00007FF6DCA20000-0x00007FF6DCD71000-memory.dmp

Filesize
3.3MB

Download
memory/1328-133-0x00007FF69C810000-0x00007FF69CB61000-memory.dmp

Filesize
3.3MB

Download
memory/1328-230-0x00007FF69C810000-0x00007FF69CB61000-memory.dmp

Filesize
3.3MB

Download
memory/1328-48-0x00007FF69C810000-0x00007FF69CB61000-memory.dmp

Filesize
3.3MB

Download
memory/1352-157-0x00007FF64F240000-0x00007FF64F591000-memory.dmp

Filesize
3.3MB

Download
memory/1352-113-0x00007FF64F240000-0x00007FF64F591000-memory.dmp

Filesize
3.3MB

Download
memory/1352-264-0x00007FF64F240000-0x00007FF64F591000-memory.dmp

Filesize
3.3MB

Download
memory/1612-61-0x00007FF60EDD0000-0x00007FF60F121000-memory.dmp

Filesize
3.3MB

Download
memory/1612-139-0x00007FF60EDD0000-0x00007FF60F121000-memory.dmp

Filesize
3.3MB

Download
memory/1612-244-0x00007FF60EDD0000-0x00007FF60F121000-memory.dmp

Filesize
3.3MB

Download
memory/1732-222-0x00007FF60BEF0000-0x00007FF60C241000-memory.dmp

Filesize
3.3MB

Download
memory/1732-128-0x00007FF60BEF0000-0x00007FF60C241000-memory.dmp

Filesize
3.3MB

Download
memory/1732-19-0x00007FF60BEF0000-0x00007FF60C241000-memory.dmp

Filesize
3.3MB

Download
memory/1772-34-0x00007FF6B7940000-0x00007FF6B7C91000-memory.dmp

Filesize
3.3MB

Download
memory/1772-134-0x00007FF6B7940000-0x00007FF6B7C91000-memory.dmp

Filesize
3.3MB

Download
memory/1772-232-0x00007FF6B7940000-0x00007FF6B7C91000-memory.dmp

Filesize
3.3MB

Download
memory/1820-252-0x00007FF652E40000-0x00007FF653191000-memory.dmp

Filesize
3.3MB

Download
memory/1820-71-0x00007FF652E40000-0x00007FF653191000-memory.dmp

Filesize
3.3MB

Download
memory/1820-141-0x00007FF652E40000-0x00007FF653191000-memory.dmp

Filesize
3.3MB

Download
memory/1896-51-0x00007FF606CF0000-0x00007FF607041000-memory.dmp

Filesize
3.3MB

Download
memory/1896-229-0x00007FF606CF0000-0x00007FF607041000-memory.dmp

Filesize
3.3MB

Download
memory/2136-130-0x00007FF6839B0000-0x00007FF683D01000-memory.dmp

Filesize
3.3MB

Download
memory/2136-270-0x00007FF6839B0000-0x00007FF683D01000-memory.dmp

Filesize
3.3MB

Download
memory/2192-132-0x00007FF606D30000-0x00007FF607081000-memory.dmp

Filesize
3.3MB

Download
memory/2192-226-0x00007FF606D30000-0x00007FF607081000-memory.dmp

Filesize
3.3MB

Download
memory/2192-32-0x00007FF606D30000-0x00007FF607081000-memory.dmp

Filesize
3.3MB

Download
memory/2848-95-0x00007FF69DC70000-0x00007FF69DFC1000-memory.dmp

Filesize
3.3MB

Download
memory/2848-160-0x00007FF69DC70000-0x00007FF69DFC1000-memory.dmp

Filesize
3.3MB

Download
memory/2848-257-0x00007FF69DC70000-0x00007FF69DFC1000-memory.dmp

Filesize
3.3MB

Download
memory/2932-117-0x00007FF6D7880000-0x00007FF6D7BD1000-memory.dmp

Filesize
3.3MB

Download
memory/2932-158-0x00007FF6D7880000-0x00007FF6D7BD1000-memory.dmp

Filesize
3.3MB

Download
memory/2932-268-0x00007FF6D7880000-0x00007FF6D7BD1000-memory.dmp

Filesize
3.3MB

Download
memory/3080-137-0x00007FF7C8CF0000-0x00007FF7C9041000-memory.dmp

Filesize
3.3MB

Download
memory/3080-123-0x00007FF7C8CF0000-0x00007FF7C9041000-memory.dmp

Filesize
3.3MB

Download
memory/3080-0-0x00007FF7C8CF0000-0x00007FF7C9041000-memory.dmp

Filesize
3.3MB

Download
memory/3080-163-0x00007FF7C8CF0000-0x00007FF7C9041000-memory.dmp

Filesize
3.3MB

Download
memory/3080-1-0x00000159FED50000-0x00000159FED60000-memory.dmp

Filesize
64KB

Download
memory/3340-96-0x00007FF75A020000-0x00007FF75A371000-memory.dmp

Filesize
3.3MB

Download
memory/3340-154-0x00007FF75A020000-0x00007FF75A371000-memory.dmp

Filesize
3.3MB

Download
memory/3340-260-0x00007FF75A020000-0x00007FF75A371000-memory.dmp

Filesize
3.3MB

Download
memory/3464-161-0x00007FF6257D0000-0x00007FF625B21000-memory.dmp

Filesize
3.3MB

Download
memory/3464-122-0x00007FF6257D0000-0x00007FF625B21000-memory.dmp

Filesize
3.3MB

Download
memory/3464-266-0x00007FF6257D0000-0x00007FF625B21000-memory.dmp

Filesize
3.3MB

Download
memory/3500-156-0x00007FF608690000-0x00007FF6089E1000-memory.dmp

Filesize
3.3MB

Download
memory/3500-104-0x00007FF608690000-0x00007FF6089E1000-memory.dmp

Filesize
3.3MB

Download
memory/3500-262-0x00007FF608690000-0x00007FF6089E1000-memory.dmp

Filesize
3.3MB

Download
memory/3904-63-0x00007FF67E990000-0x00007FF67ECE1000-memory.dmp

Filesize
3.3MB

Download
memory/3904-136-0x00007FF67E990000-0x00007FF67ECE1000-memory.dmp

Filesize
3.3MB

Download
memory/3904-246-0x00007FF67E990000-0x00007FF67ECE1000-memory.dmp

Filesize
3.3MB

Download
memory/3960-250-0x00007FF72E220000-0x00007FF72E571000-memory.dmp

Filesize
3.3MB

Download
memory/3960-78-0x00007FF72E220000-0x00007FF72E571000-memory.dmp

Filesize
3.3MB

Download
memory/3960-159-0x00007FF72E220000-0x00007FF72E571000-memory.dmp

Filesize
3.3MB

Download
memory/4880-254-0x00007FF7A9E50000-0x00007FF7AA1A1000-memory.dmp

Filesize
3.3MB

Download
memory/4880-89-0x00007FF7A9E50000-0x00007FF7AA1A1000-memory.dmp

Filesize
3.3MB

Download
memory/4880-153-0x00007FF7A9E50000-0x00007FF7AA1A1000-memory.dmp

Filesize
3.3MB

Download
memory/4912-258-0x00007FF7DD440000-0x00007FF7DD791000-memory.dmp

Filesize
3.3MB

Download
memory/4912-112-0x00007FF7DD440000-0x00007FF7DD791000-memory.dmp

Filesize
3.3MB

Download
memory/5020-220-0x00007FF778980000-0x00007FF778CD1000-memory.dmp

Filesize
3.3MB

Download
memory/5020-11-0x00007FF778980000-0x00007FF778CD1000-memory.dmp

Filesize
3.3MB

Download
memory/5020-124-0x00007FF778980000-0x00007FF778CD1000-memory.dmp

Filesize
3.3MB

Download