cobaltstrike | 7669205c5a9d3853792ff640a7aa52045f6b3e387618ee24b1402c9236e3267b

Analysis

max time kernel
140s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27/12/2024, 20:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

a4105353cb4e931dd44836ec40bee483
SHA1

4aeb1979841731cb0063ffb88297e6bcab340161
SHA256

7669205c5a9d3853792ff640a7aa52045f6b3e387618ee24b1402c9236e3267b
SHA512

a504ab3ef408972d7e8fe69f43ef3c5bb68b0dcbaaefe9885f32c9240019fd502a3d2eb2edf777dbfbcaa150676e95ebb686091f6156dd87930641d06a64e0ed
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lp:RWWBibf56utgpPFotBER/mQ32lUN

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000a000000023c12-5.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbb-7.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbd-23.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc0-39.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc5-75.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc4-85.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc6-94.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc7-96.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ccb-109.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ccc-116.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cca-114.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc9-112.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc8-106.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023cb7-97.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc3-80.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc2-59.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc1-58.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbf-53.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbe-41.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbc-33.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cba-27.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/3996-120-0x00007FF672C40000-0x00007FF672F91000-memory.dmp	xmrig
behavioral2/memory/1972-121-0x00007FF7DECF0000-0x00007FF7DF041000-memory.dmp	xmrig
behavioral2/memory/2924-119-0x00007FF7CE5F0000-0x00007FF7CE941000-memory.dmp	xmrig
behavioral2/memory/2336-111-0x00007FF67C680000-0x00007FF67C9D1000-memory.dmp	xmrig
behavioral2/memory/2188-105-0x00007FF6C84E0000-0x00007FF6C8831000-memory.dmp	xmrig
behavioral2/memory/3352-82-0x00007FF7AAEA0000-0x00007FF7AB1F1000-memory.dmp	xmrig
behavioral2/memory/3528-72-0x00007FF7B84A0000-0x00007FF7B87F1000-memory.dmp	xmrig
behavioral2/memory/2268-69-0x00007FF620F40000-0x00007FF621291000-memory.dmp	xmrig
behavioral2/memory/1116-56-0x00007FF6547E0000-0x00007FF654B31000-memory.dmp	xmrig
behavioral2/memory/4056-131-0x00007FF6634E0000-0x00007FF663831000-memory.dmp	xmrig
behavioral2/memory/2316-132-0x00007FF75A350000-0x00007FF75A6A1000-memory.dmp	xmrig
behavioral2/memory/5104-137-0x00007FF7B4590000-0x00007FF7B48E1000-memory.dmp	xmrig
behavioral2/memory/3464-130-0x00007FF6B8A60000-0x00007FF6B8DB1000-memory.dmp	xmrig
behavioral2/memory/3848-129-0x00007FF77DEB0000-0x00007FF77E201000-memory.dmp	xmrig
behavioral2/memory/640-135-0x00007FF687EA0000-0x00007FF6881F1000-memory.dmp	xmrig
behavioral2/memory/3264-128-0x00007FF7D68A0000-0x00007FF7D6BF1000-memory.dmp	xmrig
behavioral2/memory/1496-142-0x00007FF68CBC0000-0x00007FF68CF11000-memory.dmp	xmrig
behavioral2/memory/336-149-0x00007FF712C20000-0x00007FF712F71000-memory.dmp	xmrig
behavioral2/memory/408-147-0x00007FF6672F0000-0x00007FF667641000-memory.dmp	xmrig
behavioral2/memory/3956-146-0x00007FF61AFD0000-0x00007FF61B321000-memory.dmp	xmrig
behavioral2/memory/4640-140-0x00007FF6C9180000-0x00007FF6C94D1000-memory.dmp	xmrig
behavioral2/memory/4236-148-0x00007FF7954A0000-0x00007FF7957F1000-memory.dmp	xmrig
behavioral2/memory/3264-150-0x00007FF7D68A0000-0x00007FF7D6BF1000-memory.dmp	xmrig
behavioral2/memory/3264-151-0x00007FF7D68A0000-0x00007FF7D6BF1000-memory.dmp	xmrig
behavioral2/memory/3848-214-0x00007FF77DEB0000-0x00007FF77E201000-memory.dmp	xmrig
behavioral2/memory/3464-216-0x00007FF6B8A60000-0x00007FF6B8DB1000-memory.dmp	xmrig
behavioral2/memory/2316-218-0x00007FF75A350000-0x00007FF75A6A1000-memory.dmp	xmrig
behavioral2/memory/2268-221-0x00007FF620F40000-0x00007FF621291000-memory.dmp	xmrig
behavioral2/memory/3528-222-0x00007FF7B84A0000-0x00007FF7B87F1000-memory.dmp	xmrig
behavioral2/memory/1116-226-0x00007FF6547E0000-0x00007FF654B31000-memory.dmp	xmrig
behavioral2/memory/4056-225-0x00007FF6634E0000-0x00007FF663831000-memory.dmp	xmrig
behavioral2/memory/5104-241-0x00007FF7B4590000-0x00007FF7B48E1000-memory.dmp	xmrig
behavioral2/memory/3352-242-0x00007FF7AAEA0000-0x00007FF7AB1F1000-memory.dmp	xmrig
behavioral2/memory/640-246-0x00007FF687EA0000-0x00007FF6881F1000-memory.dmp	xmrig
behavioral2/memory/1972-248-0x00007FF7DECF0000-0x00007FF7DF041000-memory.dmp	xmrig
behavioral2/memory/2924-244-0x00007FF7CE5F0000-0x00007FF7CE941000-memory.dmp	xmrig
behavioral2/memory/4640-238-0x00007FF6C9180000-0x00007FF6C94D1000-memory.dmp	xmrig
behavioral2/memory/3996-237-0x00007FF672C40000-0x00007FF672F91000-memory.dmp	xmrig
behavioral2/memory/2188-235-0x00007FF6C84E0000-0x00007FF6C8831000-memory.dmp	xmrig
behavioral2/memory/2336-233-0x00007FF67C680000-0x00007FF67C9D1000-memory.dmp	xmrig
behavioral2/memory/408-250-0x00007FF6672F0000-0x00007FF667641000-memory.dmp	xmrig
behavioral2/memory/3956-258-0x00007FF61AFD0000-0x00007FF61B321000-memory.dmp	xmrig
behavioral2/memory/1496-257-0x00007FF68CBC0000-0x00007FF68CF11000-memory.dmp	xmrig
behavioral2/memory/336-255-0x00007FF712C20000-0x00007FF712F71000-memory.dmp	xmrig
behavioral2/memory/4236-253-0x00007FF7954A0000-0x00007FF7957F1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
3848	vzgbTzX.exe
3464	XdsRoxu.exe
4056	hlEDMgK.exe
2316	ifTPMty.exe
1116	gXfpKJt.exe
2268	KJCdQXE.exe
640	VeltKnU.exe
3528	YIYHCNx.exe
5104	kjmRmNR.exe
3352	fyKwhmk.exe
2924	lgnFiwP.exe
4640	ccDAaGW.exe
3996	nRZYKwA.exe
1496	gXVjORS.exe
2188	bPPkMgb.exe
2336	dnGVPsT.exe
1972	GWpJxXz.exe
3956	zCHEFHC.exe
408	ZEdtQJE.exe
4236	EgiyecK.exe
336	sphZfGY.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3264-0-0x00007FF7D68A0000-0x00007FF7D6BF1000-memory.dmp	upx
behavioral2/files/0x000a000000023c12-5.dat	upx
behavioral2/files/0x0007000000023cbb-7.dat	upx
behavioral2/memory/3464-19-0x00007FF6B8A60000-0x00007FF6B8DB1000-memory.dmp	upx
behavioral2/files/0x0007000000023cbd-23.dat	upx
behavioral2/memory/4056-26-0x00007FF6634E0000-0x00007FF663831000-memory.dmp	upx
behavioral2/memory/2316-35-0x00007FF75A350000-0x00007FF75A6A1000-memory.dmp	upx
behavioral2/files/0x0007000000023cc0-39.dat	upx
behavioral2/memory/640-49-0x00007FF687EA0000-0x00007FF6881F1000-memory.dmp	upx
behavioral2/files/0x0007000000023cc5-75.dat	upx
behavioral2/files/0x0007000000023cc4-85.dat	upx
behavioral2/files/0x0007000000023cc6-94.dat	upx
behavioral2/files/0x0007000000023cc7-96.dat	upx
behavioral2/files/0x0007000000023ccb-109.dat	upx
behavioral2/memory/3956-113-0x00007FF61AFD0000-0x00007FF61B321000-memory.dmp	upx
behavioral2/memory/336-118-0x00007FF712C20000-0x00007FF712F71000-memory.dmp	upx
behavioral2/memory/3996-120-0x00007FF672C40000-0x00007FF672F91000-memory.dmp	upx
behavioral2/memory/408-122-0x00007FF6672F0000-0x00007FF667641000-memory.dmp	upx
behavioral2/memory/1972-121-0x00007FF7DECF0000-0x00007FF7DF041000-memory.dmp	upx
behavioral2/memory/2924-119-0x00007FF7CE5F0000-0x00007FF7CE941000-memory.dmp	upx
behavioral2/memory/4236-117-0x00007FF7954A0000-0x00007FF7957F1000-memory.dmp	upx
behavioral2/files/0x0007000000023ccc-116.dat	upx
behavioral2/files/0x0007000000023cca-114.dat	upx
behavioral2/files/0x0007000000023cc9-112.dat	upx
behavioral2/memory/2336-111-0x00007FF67C680000-0x00007FF67C9D1000-memory.dmp	upx
behavioral2/files/0x0007000000023cc8-106.dat	upx
behavioral2/memory/2188-105-0x00007FF6C84E0000-0x00007FF6C8831000-memory.dmp	upx
behavioral2/memory/1496-104-0x00007FF68CBC0000-0x00007FF68CF11000-memory.dmp	upx
behavioral2/files/0x0008000000023cb7-97.dat	upx
behavioral2/memory/4640-87-0x00007FF6C9180000-0x00007FF6C94D1000-memory.dmp	upx
behavioral2/memory/3352-82-0x00007FF7AAEA0000-0x00007FF7AB1F1000-memory.dmp	upx
behavioral2/files/0x0007000000023cc3-80.dat	upx
behavioral2/memory/3528-72-0x00007FF7B84A0000-0x00007FF7B87F1000-memory.dmp	upx
behavioral2/memory/2268-69-0x00007FF620F40000-0x00007FF621291000-memory.dmp	upx
behavioral2/files/0x0007000000023cc2-59.dat	upx
behavioral2/files/0x0007000000023cc1-58.dat	upx
behavioral2/memory/1116-56-0x00007FF6547E0000-0x00007FF654B31000-memory.dmp	upx
behavioral2/files/0x0007000000023cbf-53.dat	upx
behavioral2/memory/5104-50-0x00007FF7B4590000-0x00007FF7B48E1000-memory.dmp	upx
behavioral2/files/0x0007000000023cbe-41.dat	upx
behavioral2/files/0x0007000000023cbc-33.dat	upx
behavioral2/files/0x0007000000023cba-27.dat	upx
behavioral2/memory/3848-11-0x00007FF77DEB0000-0x00007FF77E201000-memory.dmp	upx
behavioral2/memory/4056-131-0x00007FF6634E0000-0x00007FF663831000-memory.dmp	upx
behavioral2/memory/2316-132-0x00007FF75A350000-0x00007FF75A6A1000-memory.dmp	upx
behavioral2/memory/5104-137-0x00007FF7B4590000-0x00007FF7B48E1000-memory.dmp	upx
behavioral2/memory/3464-130-0x00007FF6B8A60000-0x00007FF6B8DB1000-memory.dmp	upx
behavioral2/memory/3848-129-0x00007FF77DEB0000-0x00007FF77E201000-memory.dmp	upx
behavioral2/memory/640-135-0x00007FF687EA0000-0x00007FF6881F1000-memory.dmp	upx
behavioral2/memory/3264-128-0x00007FF7D68A0000-0x00007FF7D6BF1000-memory.dmp	upx
behavioral2/memory/1496-142-0x00007FF68CBC0000-0x00007FF68CF11000-memory.dmp	upx
behavioral2/memory/336-149-0x00007FF712C20000-0x00007FF712F71000-memory.dmp	upx
behavioral2/memory/408-147-0x00007FF6672F0000-0x00007FF667641000-memory.dmp	upx
behavioral2/memory/3956-146-0x00007FF61AFD0000-0x00007FF61B321000-memory.dmp	upx
behavioral2/memory/4640-140-0x00007FF6C9180000-0x00007FF6C94D1000-memory.dmp	upx
behavioral2/memory/4236-148-0x00007FF7954A0000-0x00007FF7957F1000-memory.dmp	upx
behavioral2/memory/3264-150-0x00007FF7D68A0000-0x00007FF7D6BF1000-memory.dmp	upx
behavioral2/memory/3264-151-0x00007FF7D68A0000-0x00007FF7D6BF1000-memory.dmp	upx
behavioral2/memory/3848-214-0x00007FF77DEB0000-0x00007FF77E201000-memory.dmp	upx
behavioral2/memory/3464-216-0x00007FF6B8A60000-0x00007FF6B8DB1000-memory.dmp	upx
behavioral2/memory/2316-218-0x00007FF75A350000-0x00007FF75A6A1000-memory.dmp	upx
behavioral2/memory/2268-221-0x00007FF620F40000-0x00007FF621291000-memory.dmp	upx
behavioral2/memory/3528-222-0x00007FF7B84A0000-0x00007FF7B87F1000-memory.dmp	upx
behavioral2/memory/1116-226-0x00007FF6547E0000-0x00007FF654B31000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\bPPkMgb.exe	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GWpJxXz.exe	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EgiyecK.exe	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ifTPMty.exe	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KJCdQXE.exe	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kjmRmNR.exe	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nRZYKwA.exe	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gXVjORS.exe	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZEdtQJE.exe	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gXfpKJt.exe	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YIYHCNx.exe	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fyKwhmk.exe	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ccDAaGW.exe	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zCHEFHC.exe	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vzgbTzX.exe	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XdsRoxu.exe	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hlEDMgK.exe	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dnGVPsT.exe	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sphZfGY.exe	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VeltKnU.exe	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lgnFiwP.exe	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3264	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	3264	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3264 wrote to memory of 3848	3264	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 3264 wrote to memory of 3848	3264	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 3264 wrote to memory of 3464	3264	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3264 wrote to memory of 3464	3264	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3264 wrote to memory of 4056	3264	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3264 wrote to memory of 4056	3264	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3264 wrote to memory of 2316	3264	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3264 wrote to memory of 2316	3264	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3264 wrote to memory of 1116	3264	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3264 wrote to memory of 1116	3264	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3264 wrote to memory of 2268	3264	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3264 wrote to memory of 2268	3264	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3264 wrote to memory of 640	3264	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3264 wrote to memory of 640	3264	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3264 wrote to memory of 3528	3264	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3264 wrote to memory of 3528	3264	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3264 wrote to memory of 5104	3264	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3264 wrote to memory of 5104	3264	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3264 wrote to memory of 3352	3264	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3264 wrote to memory of 3352	3264	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3264 wrote to memory of 2924	3264	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3264 wrote to memory of 2924	3264	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3264 wrote to memory of 4640	3264	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3264 wrote to memory of 4640	3264	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3264 wrote to memory of 3996	3264	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3264 wrote to memory of 3996	3264	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3264 wrote to memory of 1496	3264	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3264 wrote to memory of 1496	3264	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3264 wrote to memory of 2188	3264	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3264 wrote to memory of 2188	3264	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3264 wrote to memory of 2336	3264	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3264 wrote to memory of 2336	3264	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3264 wrote to memory of 1972	3264	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3264 wrote to memory of 1972	3264	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3264 wrote to memory of 3956	3264	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3264 wrote to memory of 3956	3264	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3264 wrote to memory of 408	3264	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3264 wrote to memory of 408	3264	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3264 wrote to memory of 4236	3264	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3264 wrote to memory of 4236	3264	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3264 wrote to memory of 336	3264	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3264 wrote to memory of 336	3264	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe	103

C:\Users\Admin\AppData\Local\Temp\2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3264
- C:\Windows\System\vzgbTzX.exe
  C:\Windows\System\vzgbTzX.exe
  2⤵
  - Executes dropped EXE
  PID:3848
- C:\Windows\System\XdsRoxu.exe
  C:\Windows\System\XdsRoxu.exe
  2⤵
  - Executes dropped EXE
  PID:3464
- C:\Windows\System\hlEDMgK.exe
  C:\Windows\System\hlEDMgK.exe
  2⤵
  - Executes dropped EXE
  PID:4056
- C:\Windows\System\ifTPMty.exe
  C:\Windows\System\ifTPMty.exe
  2⤵
  - Executes dropped EXE
  PID:2316
- C:\Windows\System\gXfpKJt.exe
  C:\Windows\System\gXfpKJt.exe
  2⤵
  - Executes dropped EXE
  PID:1116
- C:\Windows\System\KJCdQXE.exe
  C:\Windows\System\KJCdQXE.exe
  2⤵
  - Executes dropped EXE
  PID:2268
- C:\Windows\System\VeltKnU.exe
  C:\Windows\System\VeltKnU.exe
  2⤵
  - Executes dropped EXE
  PID:640
- C:\Windows\System\YIYHCNx.exe
  C:\Windows\System\YIYHCNx.exe
  2⤵
  - Executes dropped EXE
  PID:3528
- C:\Windows\System\kjmRmNR.exe
  C:\Windows\System\kjmRmNR.exe
  2⤵
  - Executes dropped EXE
  PID:5104
- C:\Windows\System\fyKwhmk.exe
  C:\Windows\System\fyKwhmk.exe
  2⤵
  - Executes dropped EXE
  PID:3352
- C:\Windows\System\lgnFiwP.exe
  C:\Windows\System\lgnFiwP.exe
  2⤵
  - Executes dropped EXE
  PID:2924
- C:\Windows\System\ccDAaGW.exe
  C:\Windows\System\ccDAaGW.exe
  2⤵
  - Executes dropped EXE
  PID:4640
- C:\Windows\System\nRZYKwA.exe
  C:\Windows\System\nRZYKwA.exe
  2⤵
  - Executes dropped EXE
  PID:3996
- C:\Windows\System\gXVjORS.exe
  C:\Windows\System\gXVjORS.exe
  2⤵
  - Executes dropped EXE
  PID:1496
- C:\Windows\System\bPPkMgb.exe
  C:\Windows\System\bPPkMgb.exe
  2⤵
  - Executes dropped EXE
  PID:2188
- C:\Windows\System\dnGVPsT.exe
  C:\Windows\System\dnGVPsT.exe
  2⤵
  - Executes dropped EXE
  PID:2336
- C:\Windows\System\GWpJxXz.exe
  C:\Windows\System\GWpJxXz.exe
  2⤵
  - Executes dropped EXE
  PID:1972
- C:\Windows\System\zCHEFHC.exe
  C:\Windows\System\zCHEFHC.exe
  2⤵
  - Executes dropped EXE
  PID:3956
- C:\Windows\System\ZEdtQJE.exe
  C:\Windows\System\ZEdtQJE.exe
  2⤵
  - Executes dropped EXE
  PID:408
- C:\Windows\System\EgiyecK.exe
  C:\Windows\System\EgiyecK.exe
  2⤵
  - Executes dropped EXE
  PID:4236
- C:\Windows\System\sphZfGY.exe
  C:\Windows\System\sphZfGY.exe
  2⤵
  - Executes dropped EXE
  PID:336

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\EgiyecK.exe

Filesize
5.2MB

MD5
a23e74762577eb48ca194e6de726c6da

SHA1
354cb9d9b935094c97b22e15f80e2fa3529e9acf

SHA256
c40c9ac4b65ca7dc32b9fe578c24514c66b1b4bdc413b470c6bee6facfa21056

SHA512
6fb83ea5a279e3489ce1791a92cebf47a18f826aa544f3f51acf2e6985887cc2934d796a93ea8c2747a51a76583a5226d4c3f5fbce6c72e6d726e20473768289

Download Submit
C:\Windows\System\GWpJxXz.exe

Filesize
5.2MB

MD5
9232ee69289caffd0678c0257e094c1f

SHA1
584efcc7cc76cf2a4d29a0df098b4357cedcdee1

SHA256
878559dadf7e96c99dd4617836a9a45e80f734dc77ec0cbf34db4a26401859a2

SHA512
98ef98955f948cb08f34ce74ad0d4285a907bcefc11d21775d0d4c8047b562fceef691e174b51d97b2f6f8195cf49fbfb074e35ce6b7c465243d43c737100230

Download Submit
C:\Windows\System\KJCdQXE.exe

Filesize
5.2MB

MD5
3fc976d141af55d548ef982932d7d49c

SHA1
fc757ecec44f8161a4e4f04faa004389bb1607cf

SHA256
8f114444f8dc7b1573a444b1b298de9cc5c1ee994ca2634d09ac5b76e0f69d33

SHA512
5384b30d5ca0b06dfe549e32ca58d59bef216b2d3b1c34a44df9d8d2291e666d132342319d697d6225857eb165c0c23a40db24c1dda6e4fba87b74ae8f304d16

Download Submit
C:\Windows\System\VeltKnU.exe

Filesize
5.2MB

MD5
0236bdca1da97304e74438da574bb214

SHA1
c4282f0548f8b573958b501b590e6cf8f8cabe95

SHA256
c22c293eadfbb369ef99cafa918d1636d5f1ccb716c28d29a97a12bb7d1d8b01

SHA512
7ab57ac052ab68ea2267cbf0edbed22b4014fdd8cc402112f7db25c3c6577ab02460b52b7a6761f5b33b15a5cf4f16e097edfd407e5fb97498bcfcfff5455174

Download Submit
C:\Windows\System\XdsRoxu.exe

Filesize
5.2MB

MD5
49b4999eb9a01f9e1e2a0449179d17ff

SHA1
7a4c8b664cdf269ccb2dd82d4679dc0a99af539b

SHA256
94f70cbf4611f9bf4b6db33cf1c59de9aa536c46da19d715414007094a5a45c4

SHA512
9675d7704baaf2dcc295844ae0be14e693ad0372b8fa9d49201f64d36725833a5e9048c7c71b83a28472f2fa5392001189d7c5a6801101d49ef29616f05fb563

Download Submit
C:\Windows\System\YIYHCNx.exe

Filesize
5.2MB

MD5
6d0455edbf3848d006794863deeacb82

SHA1
4c4708c80cfaf64cf0fc3ba9c7afb3b595a29526

SHA256
f2ad1159d6d2955297c7b99315d82177e563565ffa3a49690cb273f22dd858f5

SHA512
a57f979163da807baa35e2a03c00a672d1e2766274717e0933e8b54f5ba4190011f351c52125944be334583b677055796dda2fb8f17ed56a4bb0bd3d97a9591a

Download Submit
C:\Windows\System\ZEdtQJE.exe

Filesize
5.2MB

MD5
df497d18d5278bd8d64c13b58f695e66

SHA1
010448fe11ca6e95fd7e4e65496660fdd93ac95e

SHA256
60440d26c282f60602c6ef5b7cc27bfcc85d03dde17c7276c3c8d59c75277397

SHA512
8120b2d624539cf245f1bc956bc3c9a37b359fe83e68e2aac09291e251e2c3c5cd3c29a0298eed94450340dd11fe0ca06db3c0864b8db6b4c0e81c5bfe645bb9

Download Submit
C:\Windows\System\bPPkMgb.exe

Filesize
5.2MB

MD5
e62545440bffee7964f5ce1139e8de7b

SHA1
e1fec45863fc9fade33ea9e6150aa6f3860dd076

SHA256
42b48b827737577c7abacac4f9c0836a1356fc84ac98d985e28d3a4eb0fc4e22

SHA512
40d03d56ae4be8ec71be35ebbe6a759425029b770292d334699c2c262a1e874727188fbafc3a6cf9c6c9f503340fcc868a93005be8a0289d78f12a609345a148

Download Submit
C:\Windows\System\ccDAaGW.exe

Filesize
5.2MB

MD5
876f915e13ee099adb5a6d1ba24ebed7

SHA1
40195b9343445d735c1bc43ea603be6370fe1224

SHA256
b34cf58270e3ef4843adc9899c657c1aea7e3037c706c9b09d9e78f68b578708

SHA512
775b07756a2c7d600f34fb579a4280ff75d47f9b725d52d95030e75913c36b18636f14aa295f63c7075c41d9ca14850b199d83b85c53e45a87efd1ca840c46e9

Download Submit
C:\Windows\System\dnGVPsT.exe

Filesize
5.2MB

MD5
0b8697450bfeee06ac4a8e68accebdd7

SHA1
d8514b61f58c2236106dd04297e8a7f12822a236

SHA256
ff666186ce258cd7cd78ae93ba818bd65dd5dca60d8f3819b92276c0f3c46957

SHA512
fef853d3a80a9a058d51e3ac8c2d830222b455cdc95547fd2872651e5e07657fa31879d17b8482ba44b554bfa5f12e7f4df323adf65e49dcc566525da4d2b695

Download Submit
C:\Windows\System\fyKwhmk.exe

Filesize
5.2MB

MD5
1aa5de98336693a28dccb5f3c0c6ac06

SHA1
bca12b7a3303aaf2f0e75c17fb22521c86550dba

SHA256
e938de9ff7d48c318d02517c9f995d837e9353bc5e40f49c80f6b913f3b43d67

SHA512
813bcf1461708097608a66ef2493f47c002ada66c08a2604f51788ffdc5e24719ba3db890eb02d8a26e91d0095edeea9cce6a634418b5c303206b632df0acadd

Download Submit
C:\Windows\System\gXVjORS.exe

Filesize
5.2MB

MD5
6f8f82c2a5b0e804211fb34091dfd3ac

SHA1
ebd07c4d685e06dfff0e06bbe3b6386ee277b70b

SHA256
21c5f3baa751063896c06740ede48fa889b312f4d4deb7dba19972250e3139e7

SHA512
f7558a6b6a8d090fe4b8f79d3e549f01951696211da984a279205cf5f0ae7a4d8b699e647b0a3b760036718d8be50880291569cbb96926d1e11e8698e1ae913e

Download Submit
C:\Windows\System\gXfpKJt.exe

Filesize
5.2MB

MD5
dc5b0ac3f35adebd72636e9c9d764aa0

SHA1
a21e1d378aa285a376a736d99144de7c788f084d

SHA256
96f2328cd6f473d83548e3220faaa5c858c4a0ff4009d170baec4602276b3bf7

SHA512
a1592ff1351c01cb54bbc006959bcdabcfaf5f1a966e3cd3e4f50ae91575814ba56e7efc3772a8e973b095daf98595345226716fd2bae47672ec88f19af24049

Download Submit
C:\Windows\System\hlEDMgK.exe

Filesize
5.2MB

MD5
800128cecde51c1d74d1e585a00d2028

SHA1
3a37a31d5e49670d927caac12cab2090bde00e8e

SHA256
bccb75c8eed91690e43f2e5820fe000cf111e79cce0805410999216730254a29

SHA512
b066195e172f2ba0aaed2095ac10ce01abed5310c2938925bb890c418b8b16663c9ee5506a1aaa197cc2bf6df9a01c2364eaff9fb59df4bdeac91a0653ec3f7e

Download Submit
C:\Windows\System\ifTPMty.exe

Filesize
5.2MB

MD5
6481e74d4ae990198c9d46a6aa77fd1d

SHA1
a2f67e1dc832a4aacf5de7124d1019fd2916f244

SHA256
4b80d54e2d34596f343c30856bf9f2bb51b0dc417987908fa86658c8dd03eca9

SHA512
794f16f18b70d03486a4be949c6e349ecb721083fde31ba5f6c071b3a2c8628b20a9d7fae8c314795006ab1688ea4b0b70293d53dc59a59a38705c4e4bfdb1a0

Download Submit
C:\Windows\System\kjmRmNR.exe

Filesize
5.2MB

MD5
ac4049aa27abd7de1c67e6695ce7cd4a

SHA1
40c0149ce5df3269e36ed8bf5d1f53c2e301e8c6

SHA256
26555b4ece5fd90f98bbbc729515aa5fdab4d2fd72931efe8e2c60087e7b7494

SHA512
6e60cb215e69374a7bf1afab4a00e3403fdec0d1670c0819a55152d3badc7e7fa9f17781ca47a933f9b1fe50050bcd05b2348e52eb63ad327ac69c6b6d4eecf4

Download Submit
C:\Windows\System\lgnFiwP.exe

Filesize
5.2MB

MD5
d2b1b3b431e82556f3261e9db53ec52b

SHA1
dea494e482e59f8ba9dbdb8e9e93825e0689c9de

SHA256
210036ac9dfbf09f826b649a548fcfd89e1cfa88eff4e9f4b07a389da10caf3d

SHA512
24e630e1ec8958c48199dc52b3e53198a031f8ffe3761968e8538218450b815b66a5a38956b48e3e4d4f556f98667667bd4ce1d464c32ac72fdfa5616b261f88

Download Submit
C:\Windows\System\nRZYKwA.exe

Filesize
5.2MB

MD5
c22a27439fb81dfe04267780a4927b06

SHA1
7dcf3146bdfcd7f2c2f22cb61da1cd43a3cbe78a

SHA256
9f2c5f38f1f051057b33f94d749242733105caa26990ccd2abbb032bf639d711

SHA512
35d9fe314cb3fe09f087012b40ac5d4b756cc89f2387596d6038fdec5342a6bb320f513ff19800e75b4fe9df57fc2dead2e9f2a24daeb53a350016704c2389fe

Download Submit
C:\Windows\System\sphZfGY.exe

Filesize
5.2MB

MD5
abd13f4cb4cd0055c91500418c33edd9

SHA1
8bcf5a551bcc09dd94127d8422a69e99fbe365d6

SHA256
8f6ccd8651ab036f5b7d5716ef459d2f379971c89f66b9eb36c0f0d7f61910de

SHA512
892fc011808d7c509765a9afa59b1bb71c1ac86196253cf98bfe7a837796606c481bd325e187a81e35e4e70f912192bdcb272494396d2c90b7d239d8a9e3c431

Download Submit
C:\Windows\System\vzgbTzX.exe

Filesize
5.2MB

MD5
766b88c184ab62ce5e194b562c692783

SHA1
a52c91ec88518866ec851d6c777f2e7889990494

SHA256
b2ae14fe7b3459b08df371a60507afe808e78ef3838be74c84b2964d4d9714f9

SHA512
064af7c391251e1214c4f8ec163da2f02c313e6adf5ab096979d0c759f6a0df90d2f26c8310afafa3b0515693ffc3fa32246d9cbb70809906b00088ff07a8329

Download Submit
C:\Windows\System\zCHEFHC.exe

Filesize
5.2MB

MD5
d2e0b25604fc673f134ba259438068dc

SHA1
973e4a6f160ae69154ebca5da88c058d154e8bff

SHA256
3d1cf70c553fb8daa6ca22ecca9be625855d11010d0d6675951a953065383af4

SHA512
7550a33df78a34443bd6f04cfca7615164fafa28edd20e2c8e6ae1bf3019c6900436f4211852751fda3103ba3edb16082db02898e1fb37a56fdff181435ab81f

Download Submit
memory/336-118-0x00007FF712C20000-0x00007FF712F71000-memory.dmp

Filesize
3.3MB

Download
memory/336-255-0x00007FF712C20000-0x00007FF712F71000-memory.dmp

Filesize
3.3MB

Download
memory/336-149-0x00007FF712C20000-0x00007FF712F71000-memory.dmp

Filesize
3.3MB

Download
memory/408-122-0x00007FF6672F0000-0x00007FF667641000-memory.dmp

Filesize
3.3MB

Download
memory/408-147-0x00007FF6672F0000-0x00007FF667641000-memory.dmp

Filesize
3.3MB

Download
memory/408-250-0x00007FF6672F0000-0x00007FF667641000-memory.dmp

Filesize
3.3MB

Download
memory/640-135-0x00007FF687EA0000-0x00007FF6881F1000-memory.dmp

Filesize
3.3MB

Download
memory/640-49-0x00007FF687EA0000-0x00007FF6881F1000-memory.dmp

Filesize
3.3MB

Download
memory/640-246-0x00007FF687EA0000-0x00007FF6881F1000-memory.dmp

Filesize
3.3MB

Download
memory/1116-226-0x00007FF6547E0000-0x00007FF654B31000-memory.dmp

Filesize
3.3MB

Download
memory/1116-56-0x00007FF6547E0000-0x00007FF654B31000-memory.dmp

Filesize
3.3MB

Download
memory/1496-104-0x00007FF68CBC0000-0x00007FF68CF11000-memory.dmp

Filesize
3.3MB

Download
memory/1496-257-0x00007FF68CBC0000-0x00007FF68CF11000-memory.dmp

Filesize
3.3MB

Download
memory/1496-142-0x00007FF68CBC0000-0x00007FF68CF11000-memory.dmp

Filesize
3.3MB

Download
memory/1972-121-0x00007FF7DECF0000-0x00007FF7DF041000-memory.dmp

Filesize
3.3MB

Download
memory/1972-248-0x00007FF7DECF0000-0x00007FF7DF041000-memory.dmp

Filesize
3.3MB

Download
memory/2188-105-0x00007FF6C84E0000-0x00007FF6C8831000-memory.dmp

Filesize
3.3MB

Download
memory/2188-235-0x00007FF6C84E0000-0x00007FF6C8831000-memory.dmp

Filesize
3.3MB

Download
memory/2268-221-0x00007FF620F40000-0x00007FF621291000-memory.dmp

Filesize
3.3MB

Download
memory/2268-69-0x00007FF620F40000-0x00007FF621291000-memory.dmp

Filesize
3.3MB

Download
memory/2316-35-0x00007FF75A350000-0x00007FF75A6A1000-memory.dmp

Filesize
3.3MB

Download
memory/2316-218-0x00007FF75A350000-0x00007FF75A6A1000-memory.dmp

Filesize
3.3MB

Download
memory/2316-132-0x00007FF75A350000-0x00007FF75A6A1000-memory.dmp

Filesize
3.3MB

Download
memory/2336-233-0x00007FF67C680000-0x00007FF67C9D1000-memory.dmp

Filesize
3.3MB

Download
memory/2336-111-0x00007FF67C680000-0x00007FF67C9D1000-memory.dmp

Filesize
3.3MB

Download
memory/2924-119-0x00007FF7CE5F0000-0x00007FF7CE941000-memory.dmp

Filesize
3.3MB

Download
memory/2924-244-0x00007FF7CE5F0000-0x00007FF7CE941000-memory.dmp

Filesize
3.3MB

Download
memory/3264-1-0x000001B756770000-0x000001B756780000-memory.dmp

Filesize
64KB

Download
memory/3264-0-0x00007FF7D68A0000-0x00007FF7D6BF1000-memory.dmp

Filesize
3.3MB

Download
memory/3264-128-0x00007FF7D68A0000-0x00007FF7D6BF1000-memory.dmp

Filesize
3.3MB

Download
memory/3264-150-0x00007FF7D68A0000-0x00007FF7D6BF1000-memory.dmp

Filesize
3.3MB

Download
memory/3264-151-0x00007FF7D68A0000-0x00007FF7D6BF1000-memory.dmp

Filesize
3.3MB

Download
memory/3352-242-0x00007FF7AAEA0000-0x00007FF7AB1F1000-memory.dmp

Filesize
3.3MB

Download
memory/3352-82-0x00007FF7AAEA0000-0x00007FF7AB1F1000-memory.dmp

Filesize
3.3MB

Download
memory/3464-19-0x00007FF6B8A60000-0x00007FF6B8DB1000-memory.dmp

Filesize
3.3MB

Download
memory/3464-216-0x00007FF6B8A60000-0x00007FF6B8DB1000-memory.dmp

Filesize
3.3MB

Download
memory/3464-130-0x00007FF6B8A60000-0x00007FF6B8DB1000-memory.dmp

Filesize
3.3MB

Download
memory/3528-222-0x00007FF7B84A0000-0x00007FF7B87F1000-memory.dmp

Filesize
3.3MB

Download
memory/3528-72-0x00007FF7B84A0000-0x00007FF7B87F1000-memory.dmp

Filesize
3.3MB

Download
memory/3848-214-0x00007FF77DEB0000-0x00007FF77E201000-memory.dmp

Filesize
3.3MB

Download
memory/3848-129-0x00007FF77DEB0000-0x00007FF77E201000-memory.dmp

Filesize
3.3MB

Download
memory/3848-11-0x00007FF77DEB0000-0x00007FF77E201000-memory.dmp

Filesize
3.3MB

Download
memory/3956-146-0x00007FF61AFD0000-0x00007FF61B321000-memory.dmp

Filesize
3.3MB

Download
memory/3956-258-0x00007FF61AFD0000-0x00007FF61B321000-memory.dmp

Filesize
3.3MB

Download
memory/3956-113-0x00007FF61AFD0000-0x00007FF61B321000-memory.dmp

Filesize
3.3MB

Download
memory/3996-237-0x00007FF672C40000-0x00007FF672F91000-memory.dmp

Filesize
3.3MB

Download
memory/3996-120-0x00007FF672C40000-0x00007FF672F91000-memory.dmp

Filesize
3.3MB

Download
memory/4056-225-0x00007FF6634E0000-0x00007FF663831000-memory.dmp

Filesize
3.3MB

Download
memory/4056-131-0x00007FF6634E0000-0x00007FF663831000-memory.dmp

Filesize
3.3MB

Download
memory/4056-26-0x00007FF6634E0000-0x00007FF663831000-memory.dmp

Filesize
3.3MB

Download
memory/4236-148-0x00007FF7954A0000-0x00007FF7957F1000-memory.dmp

Filesize
3.3MB

Download
memory/4236-117-0x00007FF7954A0000-0x00007FF7957F1000-memory.dmp

Filesize
3.3MB

Download
memory/4236-253-0x00007FF7954A0000-0x00007FF7957F1000-memory.dmp

Filesize
3.3MB

Download
memory/4640-140-0x00007FF6C9180000-0x00007FF6C94D1000-memory.dmp

Filesize
3.3MB

Download
memory/4640-238-0x00007FF6C9180000-0x00007FF6C94D1000-memory.dmp

Filesize
3.3MB

Download
memory/4640-87-0x00007FF6C9180000-0x00007FF6C94D1000-memory.dmp

Filesize
3.3MB

Download
memory/5104-241-0x00007FF7B4590000-0x00007FF7B48E1000-memory.dmp

Filesize
3.3MB

Download
memory/5104-50-0x00007FF7B4590000-0x00007FF7B48E1000-memory.dmp

Filesize
3.3MB

Download
memory/5104-137-0x00007FF7B4590000-0x00007FF7B48E1000-memory.dmp

Filesize
3.3MB

Download