cobaltstrike | a5e4c1e155a70bd1b69a43dac678063fa72e93903652a67476747da77ec09600

Analysis

max time kernel
140s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27-12-2024 20:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-27_ee12c8a1ca0471fd6ee220af7a22e514_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

ee12c8a1ca0471fd6ee220af7a22e514
SHA1

f56bf90eacb7677fe25d2dd72347dd4b53b328d3
SHA256

a5e4c1e155a70bd1b69a43dac678063fa72e93903652a67476747da77ec09600
SHA512

ba394b7c3634874818d0d72dd30a4b1a437773908743ef9a0f9c850e06abcc7a87218b6075db3cc265296380312a912f97eee6c6d2ea8db8ede009899279ba78
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lD:RWWBibf56utgpPFotBER/mQ32lUv

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000c000000023b84-4.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c79-26.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c78-37.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c7f-58.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c7d-66.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c82-81.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c83-82.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c85-106.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c74-111.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c88-122.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c87-120.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c86-110.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c84-95.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c81-93.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c80-85.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c7e-71.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c7c-44.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c7a-43.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c7b-56.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c77-30.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023c73-17.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/4416-98-0x00007FF6BE3F0000-0x00007FF6BE741000-memory.dmp	xmrig
behavioral2/memory/2288-70-0x00007FF731EF0000-0x00007FF732241000-memory.dmp	xmrig
behavioral2/memory/4276-62-0x00007FF7C9DC0000-0x00007FF7CA111000-memory.dmp	xmrig
behavioral2/memory/4396-59-0x00007FF727190000-0x00007FF7274E1000-memory.dmp	xmrig
behavioral2/memory/4800-127-0x00007FF6CAE50000-0x00007FF6CB1A1000-memory.dmp	xmrig
behavioral2/memory/4704-126-0x00007FF61BCB0000-0x00007FF61C001000-memory.dmp	xmrig
behavioral2/memory/4272-125-0x00007FF6EEE70000-0x00007FF6EF1C1000-memory.dmp	xmrig
behavioral2/memory/2252-128-0x00007FF7F3860000-0x00007FF7F3BB1000-memory.dmp	xmrig
behavioral2/memory/3848-129-0x00007FF697560000-0x00007FF6978B1000-memory.dmp	xmrig
behavioral2/memory/3200-130-0x00007FF774FF0000-0x00007FF775341000-memory.dmp	xmrig
behavioral2/memory/1560-131-0x00007FF739A90000-0x00007FF739DE1000-memory.dmp	xmrig
behavioral2/memory/1720-134-0x00007FF69F6F0000-0x00007FF69FA41000-memory.dmp	xmrig
behavioral2/memory/1732-133-0x00007FF6E4BD0000-0x00007FF6E4F21000-memory.dmp	xmrig
behavioral2/memory/3348-132-0x00007FF74D990000-0x00007FF74DCE1000-memory.dmp	xmrig
behavioral2/memory/1160-150-0x00007FF682F30000-0x00007FF683281000-memory.dmp	xmrig
behavioral2/memory/2252-135-0x00007FF7F3860000-0x00007FF7F3BB1000-memory.dmp	xmrig
behavioral2/memory/1724-151-0x00007FF6C70C0000-0x00007FF6C7411000-memory.dmp	xmrig
behavioral2/memory/3392-149-0x00007FF64F200000-0x00007FF64F551000-memory.dmp	xmrig
behavioral2/memory/2396-147-0x00007FF7EBA10000-0x00007FF7EBD61000-memory.dmp	xmrig
behavioral2/memory/448-152-0x00007FF6DBE20000-0x00007FF6DC171000-memory.dmp	xmrig
behavioral2/memory/3184-145-0x00007FF639880000-0x00007FF639BD1000-memory.dmp	xmrig
behavioral2/memory/3456-154-0x00007FF748720000-0x00007FF748A71000-memory.dmp	xmrig
behavioral2/memory/1112-153-0x00007FF60F9F0000-0x00007FF60FD41000-memory.dmp	xmrig
behavioral2/memory/2252-158-0x00007FF7F3860000-0x00007FF7F3BB1000-memory.dmp	xmrig
behavioral2/memory/3848-209-0x00007FF697560000-0x00007FF6978B1000-memory.dmp	xmrig
behavioral2/memory/3200-225-0x00007FF774FF0000-0x00007FF775341000-memory.dmp	xmrig
behavioral2/memory/1560-227-0x00007FF739A90000-0x00007FF739DE1000-memory.dmp	xmrig
behavioral2/memory/1732-229-0x00007FF6E4BD0000-0x00007FF6E4F21000-memory.dmp	xmrig
behavioral2/memory/4276-231-0x00007FF7C9DC0000-0x00007FF7CA111000-memory.dmp	xmrig
behavioral2/memory/4396-234-0x00007FF727190000-0x00007FF7274E1000-memory.dmp	xmrig
behavioral2/memory/3348-235-0x00007FF74D990000-0x00007FF74DCE1000-memory.dmp	xmrig
behavioral2/memory/1720-237-0x00007FF69F6F0000-0x00007FF69FA41000-memory.dmp	xmrig
behavioral2/memory/2288-239-0x00007FF731EF0000-0x00007FF732241000-memory.dmp	xmrig
behavioral2/memory/1160-241-0x00007FF682F30000-0x00007FF683281000-memory.dmp	xmrig
behavioral2/memory/3184-243-0x00007FF639880000-0x00007FF639BD1000-memory.dmp	xmrig
behavioral2/memory/2396-245-0x00007FF7EBA10000-0x00007FF7EBD61000-memory.dmp	xmrig
behavioral2/memory/4416-247-0x00007FF6BE3F0000-0x00007FF6BE741000-memory.dmp	xmrig
behavioral2/memory/448-249-0x00007FF6DBE20000-0x00007FF6DC171000-memory.dmp	xmrig
behavioral2/memory/1724-251-0x00007FF6C70C0000-0x00007FF6C7411000-memory.dmp	xmrig
behavioral2/memory/3392-253-0x00007FF64F200000-0x00007FF64F551000-memory.dmp	xmrig
behavioral2/memory/1112-255-0x00007FF60F9F0000-0x00007FF60FD41000-memory.dmp	xmrig
behavioral2/memory/3456-259-0x00007FF748720000-0x00007FF748A71000-memory.dmp	xmrig
behavioral2/memory/4800-264-0x00007FF6CAE50000-0x00007FF6CB1A1000-memory.dmp	xmrig
behavioral2/memory/4704-261-0x00007FF61BCB0000-0x00007FF61C001000-memory.dmp	xmrig
behavioral2/memory/4272-265-0x00007FF6EEE70000-0x00007FF6EF1C1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
3848	dpDpWNY.exe
3200	ZgLkIqG.exe
1560	zQINqgD.exe
1732	iesJxgu.exe
3348	CinDXFo.exe
4396	GhgtdhM.exe
1720	wMFPPZr.exe
4276	zCkefxH.exe
1160	RThzjDY.exe
3184	CFySWlm.exe
2288	eFamLZh.exe
2396	MSNlvBt.exe
4416	QGIgrNV.exe
3392	diRgRmT.exe
1724	shCaIKR.exe
448	PLsUbxQ.exe
1112	tyFjQAX.exe
3456	iyJpSWM.exe
4800	fAXpTLs.exe
4272	kkLYVPl.exe
4704	SHAzsol.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2252-0-0x00007FF7F3860000-0x00007FF7F3BB1000-memory.dmp	upx
behavioral2/files/0x000c000000023b84-4.dat	upx
behavioral2/memory/3200-18-0x00007FF774FF0000-0x00007FF775341000-memory.dmp	upx
behavioral2/files/0x0007000000023c79-26.dat	upx
behavioral2/files/0x0007000000023c78-37.dat	upx
behavioral2/files/0x0007000000023c7f-58.dat	upx
behavioral2/files/0x0007000000023c7d-66.dat	upx
behavioral2/files/0x0007000000023c82-81.dat	upx
behavioral2/files/0x0007000000023c83-82.dat	upx
behavioral2/memory/1112-103-0x00007FF60F9F0000-0x00007FF60FD41000-memory.dmp	upx
behavioral2/files/0x0007000000023c85-106.dat	upx
behavioral2/files/0x0008000000023c74-111.dat	upx
behavioral2/files/0x0007000000023c88-122.dat	upx
behavioral2/files/0x0007000000023c87-120.dat	upx
behavioral2/files/0x0007000000023c86-110.dat	upx
behavioral2/memory/3392-102-0x00007FF64F200000-0x00007FF64F551000-memory.dmp	upx
behavioral2/memory/4416-98-0x00007FF6BE3F0000-0x00007FF6BE741000-memory.dmp	upx
behavioral2/memory/448-97-0x00007FF6DBE20000-0x00007FF6DC171000-memory.dmp	upx
behavioral2/files/0x0007000000023c84-95.dat	upx
behavioral2/files/0x0007000000023c81-93.dat	upx
behavioral2/memory/1724-89-0x00007FF6C70C0000-0x00007FF6C7411000-memory.dmp	upx
behavioral2/memory/2396-88-0x00007FF7EBA10000-0x00007FF7EBD61000-memory.dmp	upx
behavioral2/files/0x0007000000023c80-85.dat	upx
behavioral2/memory/3184-78-0x00007FF639880000-0x00007FF639BD1000-memory.dmp	upx
behavioral2/memory/2288-70-0x00007FF731EF0000-0x00007FF732241000-memory.dmp	upx
behavioral2/files/0x0007000000023c7e-71.dat	upx
behavioral2/memory/4276-62-0x00007FF7C9DC0000-0x00007FF7CA111000-memory.dmp	upx
behavioral2/memory/4396-59-0x00007FF727190000-0x00007FF7274E1000-memory.dmp	upx
behavioral2/memory/1160-54-0x00007FF682F30000-0x00007FF683281000-memory.dmp	upx
behavioral2/memory/1720-53-0x00007FF69F6F0000-0x00007FF69FA41000-memory.dmp	upx
behavioral2/files/0x0007000000023c7c-44.dat	upx
behavioral2/files/0x0007000000023c7a-43.dat	upx
behavioral2/files/0x0007000000023c7b-56.dat	upx
behavioral2/memory/1732-39-0x00007FF6E4BD0000-0x00007FF6E4F21000-memory.dmp	upx
behavioral2/memory/3348-29-0x00007FF74D990000-0x00007FF74DCE1000-memory.dmp	upx
behavioral2/memory/1560-28-0x00007FF739A90000-0x00007FF739DE1000-memory.dmp	upx
behavioral2/files/0x0007000000023c77-30.dat	upx
behavioral2/files/0x0009000000023c73-17.dat	upx
behavioral2/memory/3848-7-0x00007FF697560000-0x00007FF6978B1000-memory.dmp	upx
behavioral2/memory/4800-127-0x00007FF6CAE50000-0x00007FF6CB1A1000-memory.dmp	upx
behavioral2/memory/4704-126-0x00007FF61BCB0000-0x00007FF61C001000-memory.dmp	upx
behavioral2/memory/4272-125-0x00007FF6EEE70000-0x00007FF6EF1C1000-memory.dmp	upx
behavioral2/memory/3456-124-0x00007FF748720000-0x00007FF748A71000-memory.dmp	upx
behavioral2/memory/2252-128-0x00007FF7F3860000-0x00007FF7F3BB1000-memory.dmp	upx
behavioral2/memory/3848-129-0x00007FF697560000-0x00007FF6978B1000-memory.dmp	upx
behavioral2/memory/3200-130-0x00007FF774FF0000-0x00007FF775341000-memory.dmp	upx
behavioral2/memory/1560-131-0x00007FF739A90000-0x00007FF739DE1000-memory.dmp	upx
behavioral2/memory/1720-134-0x00007FF69F6F0000-0x00007FF69FA41000-memory.dmp	upx
behavioral2/memory/1732-133-0x00007FF6E4BD0000-0x00007FF6E4F21000-memory.dmp	upx
behavioral2/memory/3348-132-0x00007FF74D990000-0x00007FF74DCE1000-memory.dmp	upx
behavioral2/memory/1160-150-0x00007FF682F30000-0x00007FF683281000-memory.dmp	upx
behavioral2/memory/2252-135-0x00007FF7F3860000-0x00007FF7F3BB1000-memory.dmp	upx
behavioral2/memory/1724-151-0x00007FF6C70C0000-0x00007FF6C7411000-memory.dmp	upx
behavioral2/memory/3392-149-0x00007FF64F200000-0x00007FF64F551000-memory.dmp	upx
behavioral2/memory/2396-147-0x00007FF7EBA10000-0x00007FF7EBD61000-memory.dmp	upx
behavioral2/memory/448-152-0x00007FF6DBE20000-0x00007FF6DC171000-memory.dmp	upx
behavioral2/memory/3184-145-0x00007FF639880000-0x00007FF639BD1000-memory.dmp	upx
behavioral2/memory/3456-154-0x00007FF748720000-0x00007FF748A71000-memory.dmp	upx
behavioral2/memory/1112-153-0x00007FF60F9F0000-0x00007FF60FD41000-memory.dmp	upx
behavioral2/memory/2252-158-0x00007FF7F3860000-0x00007FF7F3BB1000-memory.dmp	upx
behavioral2/memory/3848-209-0x00007FF697560000-0x00007FF6978B1000-memory.dmp	upx
behavioral2/memory/3200-225-0x00007FF774FF0000-0x00007FF775341000-memory.dmp	upx
behavioral2/memory/1560-227-0x00007FF739A90000-0x00007FF739DE1000-memory.dmp	upx
behavioral2/memory/1732-229-0x00007FF6E4BD0000-0x00007FF6E4F21000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\zCkefxH.exe	2024-12-27_ee12c8a1ca0471fd6ee220af7a22e514_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eFamLZh.exe	2024-12-27_ee12c8a1ca0471fd6ee220af7a22e514_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iyJpSWM.exe	2024-12-27_ee12c8a1ca0471fd6ee220af7a22e514_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zQINqgD.exe	2024-12-27_ee12c8a1ca0471fd6ee220af7a22e514_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wMFPPZr.exe	2024-12-27_ee12c8a1ca0471fd6ee220af7a22e514_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tyFjQAX.exe	2024-12-27_ee12c8a1ca0471fd6ee220af7a22e514_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SHAzsol.exe	2024-12-27_ee12c8a1ca0471fd6ee220af7a22e514_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RThzjDY.exe	2024-12-27_ee12c8a1ca0471fd6ee220af7a22e514_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\diRgRmT.exe	2024-12-27_ee12c8a1ca0471fd6ee220af7a22e514_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iesJxgu.exe	2024-12-27_ee12c8a1ca0471fd6ee220af7a22e514_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CinDXFo.exe	2024-12-27_ee12c8a1ca0471fd6ee220af7a22e514_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MSNlvBt.exe	2024-12-27_ee12c8a1ca0471fd6ee220af7a22e514_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\shCaIKR.exe	2024-12-27_ee12c8a1ca0471fd6ee220af7a22e514_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dpDpWNY.exe	2024-12-27_ee12c8a1ca0471fd6ee220af7a22e514_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZgLkIqG.exe	2024-12-27_ee12c8a1ca0471fd6ee220af7a22e514_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QGIgrNV.exe	2024-12-27_ee12c8a1ca0471fd6ee220af7a22e514_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PLsUbxQ.exe	2024-12-27_ee12c8a1ca0471fd6ee220af7a22e514_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fAXpTLs.exe	2024-12-27_ee12c8a1ca0471fd6ee220af7a22e514_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kkLYVPl.exe	2024-12-27_ee12c8a1ca0471fd6ee220af7a22e514_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GhgtdhM.exe	2024-12-27_ee12c8a1ca0471fd6ee220af7a22e514_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CFySWlm.exe	2024-12-27_ee12c8a1ca0471fd6ee220af7a22e514_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2252	2024-12-27_ee12c8a1ca0471fd6ee220af7a22e514_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2252	2024-12-27_ee12c8a1ca0471fd6ee220af7a22e514_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2252 wrote to memory of 3848	2252	2024-12-27_ee12c8a1ca0471fd6ee220af7a22e514_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2252 wrote to memory of 3848	2252	2024-12-27_ee12c8a1ca0471fd6ee220af7a22e514_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2252 wrote to memory of 3200	2252	2024-12-27_ee12c8a1ca0471fd6ee220af7a22e514_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2252 wrote to memory of 3200	2252	2024-12-27_ee12c8a1ca0471fd6ee220af7a22e514_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2252 wrote to memory of 1560	2252	2024-12-27_ee12c8a1ca0471fd6ee220af7a22e514_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2252 wrote to memory of 1560	2252	2024-12-27_ee12c8a1ca0471fd6ee220af7a22e514_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2252 wrote to memory of 1732	2252	2024-12-27_ee12c8a1ca0471fd6ee220af7a22e514_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2252 wrote to memory of 1732	2252	2024-12-27_ee12c8a1ca0471fd6ee220af7a22e514_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2252 wrote to memory of 3348	2252	2024-12-27_ee12c8a1ca0471fd6ee220af7a22e514_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2252 wrote to memory of 3348	2252	2024-12-27_ee12c8a1ca0471fd6ee220af7a22e514_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2252 wrote to memory of 4396	2252	2024-12-27_ee12c8a1ca0471fd6ee220af7a22e514_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2252 wrote to memory of 4396	2252	2024-12-27_ee12c8a1ca0471fd6ee220af7a22e514_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2252 wrote to memory of 1720	2252	2024-12-27_ee12c8a1ca0471fd6ee220af7a22e514_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2252 wrote to memory of 1720	2252	2024-12-27_ee12c8a1ca0471fd6ee220af7a22e514_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2252 wrote to memory of 4276	2252	2024-12-27_ee12c8a1ca0471fd6ee220af7a22e514_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2252 wrote to memory of 4276	2252	2024-12-27_ee12c8a1ca0471fd6ee220af7a22e514_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2252 wrote to memory of 1160	2252	2024-12-27_ee12c8a1ca0471fd6ee220af7a22e514_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2252 wrote to memory of 1160	2252	2024-12-27_ee12c8a1ca0471fd6ee220af7a22e514_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2252 wrote to memory of 3184	2252	2024-12-27_ee12c8a1ca0471fd6ee220af7a22e514_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2252 wrote to memory of 3184	2252	2024-12-27_ee12c8a1ca0471fd6ee220af7a22e514_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2252 wrote to memory of 2288	2252	2024-12-27_ee12c8a1ca0471fd6ee220af7a22e514_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2252 wrote to memory of 2288	2252	2024-12-27_ee12c8a1ca0471fd6ee220af7a22e514_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2252 wrote to memory of 2396	2252	2024-12-27_ee12c8a1ca0471fd6ee220af7a22e514_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2252 wrote to memory of 2396	2252	2024-12-27_ee12c8a1ca0471fd6ee220af7a22e514_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2252 wrote to memory of 4416	2252	2024-12-27_ee12c8a1ca0471fd6ee220af7a22e514_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2252 wrote to memory of 4416	2252	2024-12-27_ee12c8a1ca0471fd6ee220af7a22e514_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2252 wrote to memory of 3392	2252	2024-12-27_ee12c8a1ca0471fd6ee220af7a22e514_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2252 wrote to memory of 3392	2252	2024-12-27_ee12c8a1ca0471fd6ee220af7a22e514_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2252 wrote to memory of 1724	2252	2024-12-27_ee12c8a1ca0471fd6ee220af7a22e514_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2252 wrote to memory of 1724	2252	2024-12-27_ee12c8a1ca0471fd6ee220af7a22e514_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2252 wrote to memory of 448	2252	2024-12-27_ee12c8a1ca0471fd6ee220af7a22e514_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2252 wrote to memory of 448	2252	2024-12-27_ee12c8a1ca0471fd6ee220af7a22e514_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2252 wrote to memory of 1112	2252	2024-12-27_ee12c8a1ca0471fd6ee220af7a22e514_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2252 wrote to memory of 1112	2252	2024-12-27_ee12c8a1ca0471fd6ee220af7a22e514_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2252 wrote to memory of 3456	2252	2024-12-27_ee12c8a1ca0471fd6ee220af7a22e514_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2252 wrote to memory of 3456	2252	2024-12-27_ee12c8a1ca0471fd6ee220af7a22e514_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2252 wrote to memory of 4800	2252	2024-12-27_ee12c8a1ca0471fd6ee220af7a22e514_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2252 wrote to memory of 4800	2252	2024-12-27_ee12c8a1ca0471fd6ee220af7a22e514_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2252 wrote to memory of 4272	2252	2024-12-27_ee12c8a1ca0471fd6ee220af7a22e514_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2252 wrote to memory of 4272	2252	2024-12-27_ee12c8a1ca0471fd6ee220af7a22e514_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2252 wrote to memory of 4704	2252	2024-12-27_ee12c8a1ca0471fd6ee220af7a22e514_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 2252 wrote to memory of 4704	2252	2024-12-27_ee12c8a1ca0471fd6ee220af7a22e514_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-12-27_ee12c8a1ca0471fd6ee220af7a22e514_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-27_ee12c8a1ca0471fd6ee220af7a22e514_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2252
- C:\Windows\System\dpDpWNY.exe
  C:\Windows\System\dpDpWNY.exe
  2⤵
  - Executes dropped EXE
  PID:3848
- C:\Windows\System\ZgLkIqG.exe
  C:\Windows\System\ZgLkIqG.exe
  2⤵
  - Executes dropped EXE
  PID:3200
- C:\Windows\System\zQINqgD.exe
  C:\Windows\System\zQINqgD.exe
  2⤵
  - Executes dropped EXE
  PID:1560
- C:\Windows\System\iesJxgu.exe
  C:\Windows\System\iesJxgu.exe
  2⤵
  - Executes dropped EXE
  PID:1732
- C:\Windows\System\CinDXFo.exe
  C:\Windows\System\CinDXFo.exe
  2⤵
  - Executes dropped EXE
  PID:3348
- C:\Windows\System\GhgtdhM.exe
  C:\Windows\System\GhgtdhM.exe
  2⤵
  - Executes dropped EXE
  PID:4396
- C:\Windows\System\wMFPPZr.exe
  C:\Windows\System\wMFPPZr.exe
  2⤵
  - Executes dropped EXE
  PID:1720
- C:\Windows\System\zCkefxH.exe
  C:\Windows\System\zCkefxH.exe
  2⤵
  - Executes dropped EXE
  PID:4276
- C:\Windows\System\RThzjDY.exe
  C:\Windows\System\RThzjDY.exe
  2⤵
  - Executes dropped EXE
  PID:1160
- C:\Windows\System\CFySWlm.exe
  C:\Windows\System\CFySWlm.exe
  2⤵
  - Executes dropped EXE
  PID:3184
- C:\Windows\System\eFamLZh.exe
  C:\Windows\System\eFamLZh.exe
  2⤵
  - Executes dropped EXE
  PID:2288
- C:\Windows\System\MSNlvBt.exe
  C:\Windows\System\MSNlvBt.exe
  2⤵
  - Executes dropped EXE
  PID:2396
- C:\Windows\System\QGIgrNV.exe
  C:\Windows\System\QGIgrNV.exe
  2⤵
  - Executes dropped EXE
  PID:4416
- C:\Windows\System\diRgRmT.exe
  C:\Windows\System\diRgRmT.exe
  2⤵
  - Executes dropped EXE
  PID:3392
- C:\Windows\System\shCaIKR.exe
  C:\Windows\System\shCaIKR.exe
  2⤵
  - Executes dropped EXE
  PID:1724
- C:\Windows\System\PLsUbxQ.exe
  C:\Windows\System\PLsUbxQ.exe
  2⤵
  - Executes dropped EXE
  PID:448
- C:\Windows\System\tyFjQAX.exe
  C:\Windows\System\tyFjQAX.exe
  2⤵
  - Executes dropped EXE
  PID:1112
- C:\Windows\System\iyJpSWM.exe
  C:\Windows\System\iyJpSWM.exe
  2⤵
  - Executes dropped EXE
  PID:3456
- C:\Windows\System\fAXpTLs.exe
  C:\Windows\System\fAXpTLs.exe
  2⤵
  - Executes dropped EXE
  PID:4800
- C:\Windows\System\kkLYVPl.exe
  C:\Windows\System\kkLYVPl.exe
  2⤵
  - Executes dropped EXE
  PID:4272
- C:\Windows\System\SHAzsol.exe
  C:\Windows\System\SHAzsol.exe
  2⤵
  - Executes dropped EXE
  PID:4704

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\CFySWlm.exe

Filesize
5.2MB

MD5
c029207f3ea714e6d0d8be4d9f3301bf

SHA1
089e33e1d44d1b4f415da2733f0b0f3c8c849757

SHA256
8c2b37e8eff0584edd0c348bceea6cd97524e8b60c70fc38b1b699f7203028d9

SHA512
f15129419b5ac15807af46e1c5b98f2d0de4d4dd31a65f6df399474b0bd68c65e0a2272f4946799ec6eb810571636a3d43578e54936989e0fb9ee9b3527dc5e5

Download Submit
C:\Windows\System\CinDXFo.exe

Filesize
5.2MB

MD5
901ccb024603874249d0852ab44fa305

SHA1
a218a866098e2cc63324b76e79d16585f30d2258

SHA256
329600ed53e2514f2c4d7b3484c93e488128134292c733b5b5b0f75468b80788

SHA512
5692d308602c9a6881a95ad4e1b34269537fe68a51f2ba9e4ac83c2f4a449acdd85da6ef6a9fd90329e92ae116e2b268083e5a21ca4dbfa3402fda5aa16d6f4d

Download Submit
C:\Windows\System\GhgtdhM.exe

Filesize
5.2MB

MD5
bfda57c2cdbbe98563cfa4efea197488

SHA1
ee9f9ae1c65857dc2c89f47744bbe39502d092aa

SHA256
b6993142e48be12be3c0f2c9e1b6017c8c1b41a32ba8992f132772f14c385cba

SHA512
69762ccd0a49527d12b52c40e531c1e6148a392364e36b8a013cc306180d40f366bbfaa79b20737bcdb1f372aa82964fe50715b037b39a2284f0e1878c2fcdbb

Download Submit
C:\Windows\System\MSNlvBt.exe

Filesize
5.2MB

MD5
76bd13c8f9c7dc72a02e3ad5d6adc6d0

SHA1
874a8e34a5221af240e26e99b2fba4c698df06f6

SHA256
14a8c6eb56f4b478d216fdcf72dd7dc7e6fd8fa5911426aa2e0d075d150bd661

SHA512
14373fe30bd0c69b0b916c0c7432252deebc0225caa64735a90e17adb6039661b7e9ef40496810d992a38b90f4f5545e0c3aabc7fab7b70b4c26bb5b87889569

Download Submit
C:\Windows\System\PLsUbxQ.exe

Filesize
5.2MB

MD5
454fd27d2c084205b586f41d37f9cea5

SHA1
02fba616fc25119e9d702c5502756e176df27da9

SHA256
bd3cd3697ad648cee296f58942b81c11f1adcd69e013bd35dfb106ec3367fec1

SHA512
923f04f53de1e8b38040eae68f4a28f763f2a9bbf7d93915126fecd1c099f31ebb8d75d1ad9aaa861970a180db3bf707d7add00db4e5cc1f181051ad19afa9fa

Download Submit
C:\Windows\System\QGIgrNV.exe

Filesize
5.2MB

MD5
5dbd9f82ad2a6f7e935b672d48e9c3ab

SHA1
1156d9969d8d3d96304c1fe90ff9cef3fc653ff0

SHA256
bf6bd8184ef8e452814d72e27c6f6374f48b5cbdf08bc99da30dd02b1e55f702

SHA512
376ec943f716466bdadd2475a9ee5549548ab56e76f525c72282896d3619b3e25ef0647026df70af45a29a3f7411031ec7b67ee17fee740c28d575c011b5f231

Download Submit
C:\Windows\System\RThzjDY.exe

Filesize
5.2MB

MD5
2fd88f8cf7b442eff42851c37c20686b

SHA1
ceaae5a2b464b9176b8cdda7733ab16dea54e50d

SHA256
1211f64a526e83bb7bb37846553936719d20f2c31f649f6fd90ac47778144926

SHA512
8107dfedf0e2b53b0eca7dd927744efad3e2a3bde18f778d3c7100726ad965dbafac8295194d928889b27e7556c60288ab640f488069cbbbee38279f538607e3

Download Submit
C:\Windows\System\SHAzsol.exe

Filesize
5.2MB

MD5
dd47902992bad9d1939f24bb7c952d71

SHA1
270dc5a51084c61b11b2350502f7a4b5cbd03094

SHA256
e560387784155b195a48bef3d6af5e77c284b8ca589f2f1699619577267a0772

SHA512
0e3f47964e0d5a8a16225a87cf2baf7729979ae209d8ef67146b57e024352db77b9de931fb91ab74dcad183149d4cfd343e1bee3bba49fd7da91f03afc43d3c3

Download Submit
C:\Windows\System\ZgLkIqG.exe

Filesize
5.2MB

MD5
669585920fb01c1ef22298bbb7e5f506

SHA1
1221843a58d5a19a46cf5c60bf0013ac6e0e7f6f

SHA256
3ea6cdee5b6a59ae924f08bc0d406325c37ce1691e3296ac2aaac33061eb144e

SHA512
00d9e18892e926ee8d0a97657710a38234daebf6d323a8726a4714adf2d402c32ddcf57925af5f9bd55acebffb327f710579a40c5f413cce7f78aa6dc7cd4854

Download Submit
C:\Windows\System\diRgRmT.exe

Filesize
5.2MB

MD5
97e045db4d96c4ceabec93ef0b0d0751

SHA1
8bb0f60bf5b27e92c491252754e4d17945dbcab2

SHA256
85422bdc45971ae68ec181f1923d8795d5a58cf1dedc51f83de6375fc88f62dc

SHA512
1bd20037a02b5c2eab8bf3a21a892260bf48011bf4603b4234b7d16fdff10f634ed84a84bed43d7ecc7cf91e683fab908acbb00ceb116ef86e3028ae844831b4

Download Submit
C:\Windows\System\dpDpWNY.exe

Filesize
5.2MB

MD5
af6f80fce7d515977251c9c956e3d328

SHA1
d3befeac2558269625311bf9619526e8c5f30c88

SHA256
92f2267022d4cbc50b7aa7f59484c1a2142382588a771f3ed44b17626e9ad86e

SHA512
da385b3361249254edb4c5ab23bf1e0bd836cff38594da84d1db25a1470aac7cb29b4f391e1f60dde4c09bd4a051f588290a1c00f10841c1175f2417cb7d66b3

Download Submit
C:\Windows\System\eFamLZh.exe

Filesize
5.2MB

MD5
52ad4ede02fbb4e5618c3ad8c2b21540

SHA1
97cce79d581e35e201cd2bf06ed72445557895f3

SHA256
c50e857153ec3f78e3821e1148bc5d7309478a2e880b2be2f10319b044443812

SHA512
3f934469a93a3c1006dc2184f64bf00dc5806303785ef7a178d07054b4894dff92add34df764f48fcc0cdfd3180ae713e564aacfa228ad8625545d6cf2a96bda

Download Submit
C:\Windows\System\fAXpTLs.exe

Filesize
5.2MB

MD5
20e31e2481b12a073375dfbb79611983

SHA1
c5ccbf7cd47d7012cb2e993c6788f76979315a9b

SHA256
11ff3cc0874067d607a6e21cc88d787914e8d8a30d44da865611999613e1dfd8

SHA512
a0e1991be2a5ac9d486e7e17a01e28cd38230d14b786cf50a8ac5d1f36b8982aff50149dbc02b1e84453edf4e9dd7a63059051eebabdc01d203e8393a52bd54d

Download Submit
C:\Windows\System\iesJxgu.exe

Filesize
5.2MB

MD5
0d889f0966e1853a313e657e39b994d6

SHA1
1ef5fcd85b7bec90643c39308e55534a931dcc47

SHA256
7536cb97e46545b410e5077694184011739778b29b1aec0c2c83c66acb9b9f1e

SHA512
45d779afcf8901c181707a676ac6fe3928dfb77ad2a24b5b5049731642d7e8426cfbf485c577ab7ac5404bf2c7620252d2ee49b5ddc0fa1c61e30fcc8c6b9e33

Download Submit
C:\Windows\System\iyJpSWM.exe

Filesize
5.2MB

MD5
1eb9b80177ac6a72a297d1bd994ecfdd

SHA1
d1f0ecfaed62122ee7ce60edcb6966d505de2f7f

SHA256
cfaf5f1322aa3e17f1527314b7d8f0880a9b4148840d9af2f34b0676726e9cd3

SHA512
d10d81386d73ec6e4fbcb84017b7026925d8638ac1c9d8f03e494016455521777b4f91ef76fd06a8dd0fed73a2eb197eb7f679f71f2235a1409ae4a65079a3a2

Download Submit
C:\Windows\System\kkLYVPl.exe

Filesize
5.2MB

MD5
98146ab7798f642eea02468376878c99

SHA1
f01dcfd5f40b119a0754e7e11cf66324a6c5d048

SHA256
81ec3f580e389b7734042ea533be9cab415749967e1b415f0034bbc5cba54c30

SHA512
0a576bdaea3be78900e3ebdcc8db3ec48a111b1c1896e3e8ae84d80741a8c22690cffbfb6a49c54d377dd8039b456e04b1bb1b560928fe7d2f884eee06774495

Download Submit
C:\Windows\System\shCaIKR.exe

Filesize
5.2MB

MD5
c12297dd2307da48dba3ae1d49ee132a

SHA1
4867cff30aafd84cc2ad424022cb8a900ba301e0

SHA256
e09cc9721d7828082b51b84396e39e592dde846111192c053cdb36651214361f

SHA512
4d137be992facef79bc7cc041dd9fc4cec626b8dfc79fd5d490b297f86738fead6526b61cd6cf4e2f1bd9a2e4862453ca03a738483ac7884b8d4094a1d04f84d

Download Submit
C:\Windows\System\tyFjQAX.exe

Filesize
5.2MB

MD5
6910e87c3d35c3c80429afaa8f8d8ab5

SHA1
9df5f48c334573c0de9f9aa0f35f61abf11f2064

SHA256
01f83f1c7bae396a14d6c7e3550ad477779e56fa273195b92e28455dc1cc7fc2

SHA512
2eb8c2a1faf6e89b79b5d3d4b907502aa404969defc7c0e9a7339888820b859bc51c648238838a31e329d8774d37dcec30fc8e1498fcda112d108a6e127ebdb6

Download Submit
C:\Windows\System\wMFPPZr.exe

Filesize
5.2MB

MD5
12e6702f07db58be97b78a9316d51c3e

SHA1
531aa13038da9c821bee309c413af07bb97890bc

SHA256
dc2de812cb440cb8fa999bfb00d440a37f19107e9c9dba48018db6b33a9a28ff

SHA512
239c51416a0c502feb5297624065eae78665d937061064eb3f79501cab3e3b5193b41f25526430894ad6487ac0bb58e852f0b55f63ea4ee2b22a4dd952bc4468

Download Submit
C:\Windows\System\zCkefxH.exe

Filesize
5.2MB

MD5
0fb44836416953f96b463cc0e219ab7e

SHA1
5aaa752065113d2d707a292953b236046d5c0bd6

SHA256
4c0c64ee82b32d3ce326ca13ee519f714bde74e256c715ab325571ed55570904

SHA512
4572a030a1d9ce69d6c83732a05362671370d514003e0e060fa2b4f4a4db7d9f1c9b171f6091683dc601293aa2c24c7975143373a6559c8a4cf1c58e5089d130

Download Submit
C:\Windows\System\zQINqgD.exe

Filesize
5.2MB

MD5
fd6179e36109fd1119c53096a004d595

SHA1
3bb111faf198b55f2b869325aa89f301bde77b64

SHA256
107c76a6660d0777d838c097fb00ab76573eca95c72890e162f5f82e23dca651

SHA512
ef1866215cc3c18f3fdf5c7548d2dd7edc85c74550afd2f7a40a90ec11c078f0de93e10f8ca960632df753bca543e49a868f8ba5702c31d54ec84da2f39eb8f9

Download Submit
memory/448-249-0x00007FF6DBE20000-0x00007FF6DC171000-memory.dmp

Filesize
3.3MB

Download
memory/448-97-0x00007FF6DBE20000-0x00007FF6DC171000-memory.dmp

Filesize
3.3MB

Download
memory/448-152-0x00007FF6DBE20000-0x00007FF6DC171000-memory.dmp

Filesize
3.3MB

Download
memory/1112-103-0x00007FF60F9F0000-0x00007FF60FD41000-memory.dmp

Filesize
3.3MB

Download
memory/1112-153-0x00007FF60F9F0000-0x00007FF60FD41000-memory.dmp

Filesize
3.3MB

Download
memory/1112-255-0x00007FF60F9F0000-0x00007FF60FD41000-memory.dmp

Filesize
3.3MB

Download
memory/1160-241-0x00007FF682F30000-0x00007FF683281000-memory.dmp

Filesize
3.3MB

Download
memory/1160-150-0x00007FF682F30000-0x00007FF683281000-memory.dmp

Filesize
3.3MB

Download
memory/1160-54-0x00007FF682F30000-0x00007FF683281000-memory.dmp

Filesize
3.3MB

Download
memory/1560-131-0x00007FF739A90000-0x00007FF739DE1000-memory.dmp

Filesize
3.3MB

Download
memory/1560-227-0x00007FF739A90000-0x00007FF739DE1000-memory.dmp

Filesize
3.3MB

Download
memory/1560-28-0x00007FF739A90000-0x00007FF739DE1000-memory.dmp

Filesize
3.3MB

Download
memory/1720-53-0x00007FF69F6F0000-0x00007FF69FA41000-memory.dmp

Filesize
3.3MB

Download
memory/1720-237-0x00007FF69F6F0000-0x00007FF69FA41000-memory.dmp

Filesize
3.3MB

Download
memory/1720-134-0x00007FF69F6F0000-0x00007FF69FA41000-memory.dmp

Filesize
3.3MB

Download
memory/1724-89-0x00007FF6C70C0000-0x00007FF6C7411000-memory.dmp

Filesize
3.3MB

Download
memory/1724-151-0x00007FF6C70C0000-0x00007FF6C7411000-memory.dmp

Filesize
3.3MB

Download
memory/1724-251-0x00007FF6C70C0000-0x00007FF6C7411000-memory.dmp

Filesize
3.3MB

Download
memory/1732-39-0x00007FF6E4BD0000-0x00007FF6E4F21000-memory.dmp

Filesize
3.3MB

Download
memory/1732-229-0x00007FF6E4BD0000-0x00007FF6E4F21000-memory.dmp

Filesize
3.3MB

Download
memory/1732-133-0x00007FF6E4BD0000-0x00007FF6E4F21000-memory.dmp

Filesize
3.3MB

Download
memory/2252-158-0x00007FF7F3860000-0x00007FF7F3BB1000-memory.dmp

Filesize
3.3MB

Download
memory/2252-128-0x00007FF7F3860000-0x00007FF7F3BB1000-memory.dmp

Filesize
3.3MB

Download
memory/2252-1-0x0000018774770000-0x0000018774780000-memory.dmp

Filesize
64KB

Download
memory/2252-0-0x00007FF7F3860000-0x00007FF7F3BB1000-memory.dmp

Filesize
3.3MB

Download
memory/2252-135-0x00007FF7F3860000-0x00007FF7F3BB1000-memory.dmp

Filesize
3.3MB

Download
memory/2288-239-0x00007FF731EF0000-0x00007FF732241000-memory.dmp

Filesize
3.3MB

Download
memory/2288-70-0x00007FF731EF0000-0x00007FF732241000-memory.dmp

Filesize
3.3MB

Download
memory/2396-147-0x00007FF7EBA10000-0x00007FF7EBD61000-memory.dmp

Filesize
3.3MB

Download
memory/2396-88-0x00007FF7EBA10000-0x00007FF7EBD61000-memory.dmp

Filesize
3.3MB

Download
memory/2396-245-0x00007FF7EBA10000-0x00007FF7EBD61000-memory.dmp

Filesize
3.3MB

Download
memory/3184-78-0x00007FF639880000-0x00007FF639BD1000-memory.dmp

Filesize
3.3MB

Download
memory/3184-243-0x00007FF639880000-0x00007FF639BD1000-memory.dmp

Filesize
3.3MB

Download
memory/3184-145-0x00007FF639880000-0x00007FF639BD1000-memory.dmp

Filesize
3.3MB

Download
memory/3200-18-0x00007FF774FF0000-0x00007FF775341000-memory.dmp

Filesize
3.3MB

Download
memory/3200-225-0x00007FF774FF0000-0x00007FF775341000-memory.dmp

Filesize
3.3MB

Download
memory/3200-130-0x00007FF774FF0000-0x00007FF775341000-memory.dmp

Filesize
3.3MB

Download
memory/3348-29-0x00007FF74D990000-0x00007FF74DCE1000-memory.dmp

Filesize
3.3MB

Download
memory/3348-132-0x00007FF74D990000-0x00007FF74DCE1000-memory.dmp

Filesize
3.3MB

Download
memory/3348-235-0x00007FF74D990000-0x00007FF74DCE1000-memory.dmp

Filesize
3.3MB

Download
memory/3392-149-0x00007FF64F200000-0x00007FF64F551000-memory.dmp

Filesize
3.3MB

Download
memory/3392-102-0x00007FF64F200000-0x00007FF64F551000-memory.dmp

Filesize
3.3MB

Download
memory/3392-253-0x00007FF64F200000-0x00007FF64F551000-memory.dmp

Filesize
3.3MB

Download
memory/3456-154-0x00007FF748720000-0x00007FF748A71000-memory.dmp

Filesize
3.3MB

Download
memory/3456-124-0x00007FF748720000-0x00007FF748A71000-memory.dmp

Filesize
3.3MB

Download
memory/3456-259-0x00007FF748720000-0x00007FF748A71000-memory.dmp

Filesize
3.3MB

Download
memory/3848-209-0x00007FF697560000-0x00007FF6978B1000-memory.dmp

Filesize
3.3MB

Download
memory/3848-7-0x00007FF697560000-0x00007FF6978B1000-memory.dmp

Filesize
3.3MB

Download
memory/3848-129-0x00007FF697560000-0x00007FF6978B1000-memory.dmp

Filesize
3.3MB

Download
memory/4272-125-0x00007FF6EEE70000-0x00007FF6EF1C1000-memory.dmp

Filesize
3.3MB

Download
memory/4272-265-0x00007FF6EEE70000-0x00007FF6EF1C1000-memory.dmp

Filesize
3.3MB

Download
memory/4276-62-0x00007FF7C9DC0000-0x00007FF7CA111000-memory.dmp

Filesize
3.3MB

Download
memory/4276-231-0x00007FF7C9DC0000-0x00007FF7CA111000-memory.dmp

Filesize
3.3MB

Download
memory/4396-59-0x00007FF727190000-0x00007FF7274E1000-memory.dmp

Filesize
3.3MB

Download
memory/4396-234-0x00007FF727190000-0x00007FF7274E1000-memory.dmp

Filesize
3.3MB

Download
memory/4416-247-0x00007FF6BE3F0000-0x00007FF6BE741000-memory.dmp

Filesize
3.3MB

Download
memory/4416-98-0x00007FF6BE3F0000-0x00007FF6BE741000-memory.dmp

Filesize
3.3MB

Download
memory/4704-126-0x00007FF61BCB0000-0x00007FF61C001000-memory.dmp

Filesize
3.3MB

Download
memory/4704-261-0x00007FF61BCB0000-0x00007FF61C001000-memory.dmp

Filesize
3.3MB

Download
memory/4800-127-0x00007FF6CAE50000-0x00007FF6CB1A1000-memory.dmp

Filesize
3.3MB

Download
memory/4800-264-0x00007FF6CAE50000-0x00007FF6CB1A1000-memory.dmp

Filesize
3.3MB

Download