cobaltstrike | 181a6a77b365446cbbe3135234e2c57108f939c74e9e639facccdc38b22c1b44

Analysis

max time kernel
143s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2024, 00:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-31_24044062239469c9bc1f0344e098cb1f_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

24044062239469c9bc1f0344e098cb1f
SHA1

d78e6da9370015cb8d654ce8afa32b187aafb26e
SHA256

181a6a77b365446cbbe3135234e2c57108f939c74e9e639facccdc38b22c1b44
SHA512

3a92866d5a88202924b627f1958826522c6a3a9922547fe60563cbfe49342f63eda739c68cb90e68fa41c6443359406ec78abbe38bd553e7d9273328261bace0
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6ll:RWWBibf56utgpPFotBER/mQ32lUJ

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000c000000023b60-4.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b64-11.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b65-10.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b67-24.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b66-28.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b6a-39.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b6c-49.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b6b-65.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b6d-72.dat	cobalt_reflective_dll
behavioral2/files/0x0031000000023b71-96.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b74-102.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b73-114.dat	cobalt_reflective_dll
behavioral2/files/0x0031000000023b72-112.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b76-110.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b75-108.dat	cobalt_reflective_dll
behavioral2/files/0x0031000000023b70-92.dat	cobalt_reflective_dll
behavioral2/files/0x000c000000023b61-88.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b6f-85.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b6e-74.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b69-67.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b68-46.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/2252-57-0x00007FF7E5EE0000-0x00007FF7E6231000-memory.dmp	xmrig
behavioral2/memory/4664-122-0x00007FF661DC0000-0x00007FF662111000-memory.dmp	xmrig
behavioral2/memory/1816-130-0x00007FF7BA9A0000-0x00007FF7BACF1000-memory.dmp	xmrig
behavioral2/memory/816-133-0x00007FF62FE70000-0x00007FF6301C1000-memory.dmp	xmrig
behavioral2/memory/388-132-0x00007FF6B1D00000-0x00007FF6B2051000-memory.dmp	xmrig
behavioral2/memory/3192-131-0x00007FF6F1690000-0x00007FF6F19E1000-memory.dmp	xmrig
behavioral2/memory/5072-129-0x00007FF7A9200000-0x00007FF7A9551000-memory.dmp	xmrig
behavioral2/memory/4976-127-0x00007FF73E500000-0x00007FF73E851000-memory.dmp	xmrig
behavioral2/memory/2456-126-0x00007FF655200000-0x00007FF655551000-memory.dmp	xmrig
behavioral2/memory/4744-128-0x00007FF6D4950000-0x00007FF6D4CA1000-memory.dmp	xmrig
behavioral2/memory/4260-124-0x00007FF726A80000-0x00007FF726DD1000-memory.dmp	xmrig
behavioral2/memory/3956-123-0x00007FF6A2360000-0x00007FF6A26B1000-memory.dmp	xmrig
behavioral2/memory/4356-121-0x00007FF7F10D0000-0x00007FF7F1421000-memory.dmp	xmrig
behavioral2/memory/2256-120-0x00007FF73BCF0000-0x00007FF73C041000-memory.dmp	xmrig
behavioral2/memory/4024-119-0x00007FF78BC60000-0x00007FF78BFB1000-memory.dmp	xmrig
behavioral2/memory/4460-135-0x00007FF7F8940000-0x00007FF7F8C91000-memory.dmp	xmrig
behavioral2/memory/2956-140-0x00007FF72B8C0000-0x00007FF72BC11000-memory.dmp	xmrig
behavioral2/memory/2600-142-0x00007FF678060000-0x00007FF6783B1000-memory.dmp	xmrig
behavioral2/memory/3208-141-0x00007FF753690000-0x00007FF7539E1000-memory.dmp	xmrig
behavioral2/memory/4040-139-0x00007FF6DC2D0000-0x00007FF6DC621000-memory.dmp	xmrig
behavioral2/memory/1292-138-0x00007FF7B38D0000-0x00007FF7B3C21000-memory.dmp	xmrig
behavioral2/memory/468-137-0x00007FF601770000-0x00007FF601AC1000-memory.dmp	xmrig
behavioral2/memory/4024-143-0x00007FF78BC60000-0x00007FF78BFB1000-memory.dmp	xmrig
behavioral2/memory/4024-144-0x00007FF78BC60000-0x00007FF78BFB1000-memory.dmp	xmrig
behavioral2/memory/2256-202-0x00007FF73BCF0000-0x00007FF73C041000-memory.dmp	xmrig
behavioral2/memory/4356-204-0x00007FF7F10D0000-0x00007FF7F1421000-memory.dmp	xmrig
behavioral2/memory/3956-206-0x00007FF6A2360000-0x00007FF6A26B1000-memory.dmp	xmrig
behavioral2/memory/4664-208-0x00007FF661DC0000-0x00007FF662111000-memory.dmp	xmrig
behavioral2/memory/2252-210-0x00007FF7E5EE0000-0x00007FF7E6231000-memory.dmp	xmrig
behavioral2/memory/4260-212-0x00007FF726A80000-0x00007FF726DD1000-memory.dmp	xmrig
behavioral2/memory/4976-223-0x00007FF73E500000-0x00007FF73E851000-memory.dmp	xmrig
behavioral2/memory/5072-227-0x00007FF7A9200000-0x00007FF7A9551000-memory.dmp	xmrig
behavioral2/memory/4744-226-0x00007FF6D4950000-0x00007FF6D4CA1000-memory.dmp	xmrig
behavioral2/memory/2456-233-0x00007FF655200000-0x00007FF655551000-memory.dmp	xmrig
behavioral2/memory/3192-231-0x00007FF6F1690000-0x00007FF6F19E1000-memory.dmp	xmrig
behavioral2/memory/1816-230-0x00007FF7BA9A0000-0x00007FF7BACF1000-memory.dmp	xmrig
behavioral2/memory/816-236-0x00007FF62FE70000-0x00007FF6301C1000-memory.dmp	xmrig
behavioral2/memory/388-237-0x00007FF6B1D00000-0x00007FF6B2051000-memory.dmp	xmrig
behavioral2/memory/4460-247-0x00007FF7F8940000-0x00007FF7F8C91000-memory.dmp	xmrig
behavioral2/memory/4040-249-0x00007FF6DC2D0000-0x00007FF6DC621000-memory.dmp	xmrig
behavioral2/memory/2956-251-0x00007FF72B8C0000-0x00007FF72BC11000-memory.dmp	xmrig
behavioral2/memory/468-245-0x00007FF601770000-0x00007FF601AC1000-memory.dmp	xmrig
behavioral2/memory/1292-242-0x00007FF7B38D0000-0x00007FF7B3C21000-memory.dmp	xmrig
behavioral2/memory/2600-240-0x00007FF678060000-0x00007FF6783B1000-memory.dmp	xmrig
behavioral2/memory/3208-244-0x00007FF753690000-0x00007FF7539E1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2256	NiNqHMp.exe
4356	ldamgsD.exe
4664	PqUnRbR.exe
3956	sanBsjk.exe
4260	urctzxi.exe
2252	DynqkgI.exe
4976	NeqsiuU.exe
4744	jZedGLt.exe
2456	doTmHKX.exe
5072	KanpWDk.exe
1816	diaCiaw.exe
3192	olxpOPZ.exe
388	UBsXdFO.exe
816	tTqpUFr.exe
4460	aMRXdsQ.exe
468	KKKZhRS.exe
1292	vSUvlPJ.exe
4040	oyJPhsc.exe
2956	NreNIhL.exe
3208	MXSpXXd.exe
2600	efyunQc.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4024-0-0x00007FF78BC60000-0x00007FF78BFB1000-memory.dmp	upx
behavioral2/files/0x000c000000023b60-4.dat	upx
behavioral2/files/0x000a000000023b64-11.dat	upx
behavioral2/files/0x000a000000023b65-10.dat	upx
behavioral2/files/0x000a000000023b67-24.dat	upx
behavioral2/files/0x000a000000023b66-28.dat	upx
behavioral2/files/0x000a000000023b6a-39.dat	upx
behavioral2/files/0x000a000000023b6c-49.dat	upx
behavioral2/memory/5072-56-0x00007FF7A9200000-0x00007FF7A9551000-memory.dmp	upx
behavioral2/memory/2252-57-0x00007FF7E5EE0000-0x00007FF7E6231000-memory.dmp	upx
behavioral2/memory/4744-58-0x00007FF6D4950000-0x00007FF6D4CA1000-memory.dmp	upx
behavioral2/memory/2456-55-0x00007FF655200000-0x00007FF655551000-memory.dmp	upx
behavioral2/files/0x000a000000023b6b-65.dat	upx
behavioral2/files/0x000a000000023b6d-72.dat	upx
behavioral2/files/0x0031000000023b71-96.dat	upx
behavioral2/files/0x000a000000023b74-102.dat	upx
behavioral2/files/0x000a000000023b73-114.dat	upx
behavioral2/files/0x0031000000023b72-112.dat	upx
behavioral2/files/0x000a000000023b76-110.dat	upx
behavioral2/files/0x000a000000023b75-108.dat	upx
behavioral2/files/0x0031000000023b70-92.dat	upx
behavioral2/files/0x000c000000023b61-88.dat	upx
behavioral2/files/0x000a000000023b6f-85.dat	upx
behavioral2/files/0x000a000000023b6e-74.dat	upx
behavioral2/memory/1816-69-0x00007FF7BA9A0000-0x00007FF7BACF1000-memory.dmp	upx
behavioral2/files/0x000a000000023b69-67.dat	upx
behavioral2/memory/4976-52-0x00007FF73E500000-0x00007FF73E851000-memory.dmp	upx
behavioral2/files/0x000a000000023b68-46.dat	upx
behavioral2/memory/4260-36-0x00007FF726A80000-0x00007FF726DD1000-memory.dmp	upx
behavioral2/memory/4664-25-0x00007FF661DC0000-0x00007FF662111000-memory.dmp	upx
behavioral2/memory/3956-23-0x00007FF6A2360000-0x00007FF6A26B1000-memory.dmp	upx
behavioral2/memory/4356-20-0x00007FF7F10D0000-0x00007FF7F1421000-memory.dmp	upx
behavioral2/memory/2256-7-0x00007FF73BCF0000-0x00007FF73C041000-memory.dmp	upx
behavioral2/memory/3192-118-0x00007FF6F1690000-0x00007FF6F19E1000-memory.dmp	upx
behavioral2/memory/4664-122-0x00007FF661DC0000-0x00007FF662111000-memory.dmp	upx
behavioral2/memory/1816-130-0x00007FF7BA9A0000-0x00007FF7BACF1000-memory.dmp	upx
behavioral2/memory/816-133-0x00007FF62FE70000-0x00007FF6301C1000-memory.dmp	upx
behavioral2/memory/388-132-0x00007FF6B1D00000-0x00007FF6B2051000-memory.dmp	upx
behavioral2/memory/3192-131-0x00007FF6F1690000-0x00007FF6F19E1000-memory.dmp	upx
behavioral2/memory/5072-129-0x00007FF7A9200000-0x00007FF7A9551000-memory.dmp	upx
behavioral2/memory/4976-127-0x00007FF73E500000-0x00007FF73E851000-memory.dmp	upx
behavioral2/memory/2456-126-0x00007FF655200000-0x00007FF655551000-memory.dmp	upx
behavioral2/memory/4744-128-0x00007FF6D4950000-0x00007FF6D4CA1000-memory.dmp	upx
behavioral2/memory/4260-124-0x00007FF726A80000-0x00007FF726DD1000-memory.dmp	upx
behavioral2/memory/3956-123-0x00007FF6A2360000-0x00007FF6A26B1000-memory.dmp	upx
behavioral2/memory/4356-121-0x00007FF7F10D0000-0x00007FF7F1421000-memory.dmp	upx
behavioral2/memory/2256-120-0x00007FF73BCF0000-0x00007FF73C041000-memory.dmp	upx
behavioral2/memory/4024-119-0x00007FF78BC60000-0x00007FF78BFB1000-memory.dmp	upx
behavioral2/memory/4460-135-0x00007FF7F8940000-0x00007FF7F8C91000-memory.dmp	upx
behavioral2/memory/2956-140-0x00007FF72B8C0000-0x00007FF72BC11000-memory.dmp	upx
behavioral2/memory/2600-142-0x00007FF678060000-0x00007FF6783B1000-memory.dmp	upx
behavioral2/memory/3208-141-0x00007FF753690000-0x00007FF7539E1000-memory.dmp	upx
behavioral2/memory/4040-139-0x00007FF6DC2D0000-0x00007FF6DC621000-memory.dmp	upx
behavioral2/memory/1292-138-0x00007FF7B38D0000-0x00007FF7B3C21000-memory.dmp	upx
behavioral2/memory/468-137-0x00007FF601770000-0x00007FF601AC1000-memory.dmp	upx
behavioral2/memory/4024-143-0x00007FF78BC60000-0x00007FF78BFB1000-memory.dmp	upx
behavioral2/memory/4024-144-0x00007FF78BC60000-0x00007FF78BFB1000-memory.dmp	upx
behavioral2/memory/2256-202-0x00007FF73BCF0000-0x00007FF73C041000-memory.dmp	upx
behavioral2/memory/4356-204-0x00007FF7F10D0000-0x00007FF7F1421000-memory.dmp	upx
behavioral2/memory/3956-206-0x00007FF6A2360000-0x00007FF6A26B1000-memory.dmp	upx
behavioral2/memory/4664-208-0x00007FF661DC0000-0x00007FF662111000-memory.dmp	upx
behavioral2/memory/2252-210-0x00007FF7E5EE0000-0x00007FF7E6231000-memory.dmp	upx
behavioral2/memory/4260-212-0x00007FF726A80000-0x00007FF726DD1000-memory.dmp	upx
behavioral2/memory/4976-223-0x00007FF73E500000-0x00007FF73E851000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\diaCiaw.exe	2024-12-31_24044062239469c9bc1f0344e098cb1f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vSUvlPJ.exe	2024-12-31_24044062239469c9bc1f0344e098cb1f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MXSpXXd.exe	2024-12-31_24044062239469c9bc1f0344e098cb1f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\urctzxi.exe	2024-12-31_24044062239469c9bc1f0344e098cb1f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DynqkgI.exe	2024-12-31_24044062239469c9bc1f0344e098cb1f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KanpWDk.exe	2024-12-31_24044062239469c9bc1f0344e098cb1f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\olxpOPZ.exe	2024-12-31_24044062239469c9bc1f0344e098cb1f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tTqpUFr.exe	2024-12-31_24044062239469c9bc1f0344e098cb1f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KKKZhRS.exe	2024-12-31_24044062239469c9bc1f0344e098cb1f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NreNIhL.exe	2024-12-31_24044062239469c9bc1f0344e098cb1f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NiNqHMp.exe	2024-12-31_24044062239469c9bc1f0344e098cb1f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PqUnRbR.exe	2024-12-31_24044062239469c9bc1f0344e098cb1f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sanBsjk.exe	2024-12-31_24044062239469c9bc1f0344e098cb1f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\doTmHKX.exe	2024-12-31_24044062239469c9bc1f0344e098cb1f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NeqsiuU.exe	2024-12-31_24044062239469c9bc1f0344e098cb1f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ldamgsD.exe	2024-12-31_24044062239469c9bc1f0344e098cb1f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jZedGLt.exe	2024-12-31_24044062239469c9bc1f0344e098cb1f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UBsXdFO.exe	2024-12-31_24044062239469c9bc1f0344e098cb1f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aMRXdsQ.exe	2024-12-31_24044062239469c9bc1f0344e098cb1f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oyJPhsc.exe	2024-12-31_24044062239469c9bc1f0344e098cb1f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\efyunQc.exe	2024-12-31_24044062239469c9bc1f0344e098cb1f_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4024	2024-12-31_24044062239469c9bc1f0344e098cb1f_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4024	2024-12-31_24044062239469c9bc1f0344e098cb1f_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4024 wrote to memory of 2256	4024	2024-12-31_24044062239469c9bc1f0344e098cb1f_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4024 wrote to memory of 2256	4024	2024-12-31_24044062239469c9bc1f0344e098cb1f_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4024 wrote to memory of 4356	4024	2024-12-31_24044062239469c9bc1f0344e098cb1f_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4024 wrote to memory of 4356	4024	2024-12-31_24044062239469c9bc1f0344e098cb1f_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4024 wrote to memory of 4664	4024	2024-12-31_24044062239469c9bc1f0344e098cb1f_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4024 wrote to memory of 4664	4024	2024-12-31_24044062239469c9bc1f0344e098cb1f_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4024 wrote to memory of 3956	4024	2024-12-31_24044062239469c9bc1f0344e098cb1f_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4024 wrote to memory of 3956	4024	2024-12-31_24044062239469c9bc1f0344e098cb1f_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4024 wrote to memory of 4260	4024	2024-12-31_24044062239469c9bc1f0344e098cb1f_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4024 wrote to memory of 4260	4024	2024-12-31_24044062239469c9bc1f0344e098cb1f_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4024 wrote to memory of 2252	4024	2024-12-31_24044062239469c9bc1f0344e098cb1f_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4024 wrote to memory of 2252	4024	2024-12-31_24044062239469c9bc1f0344e098cb1f_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4024 wrote to memory of 2456	4024	2024-12-31_24044062239469c9bc1f0344e098cb1f_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4024 wrote to memory of 2456	4024	2024-12-31_24044062239469c9bc1f0344e098cb1f_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4024 wrote to memory of 4976	4024	2024-12-31_24044062239469c9bc1f0344e098cb1f_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4024 wrote to memory of 4976	4024	2024-12-31_24044062239469c9bc1f0344e098cb1f_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4024 wrote to memory of 4744	4024	2024-12-31_24044062239469c9bc1f0344e098cb1f_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4024 wrote to memory of 4744	4024	2024-12-31_24044062239469c9bc1f0344e098cb1f_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4024 wrote to memory of 5072	4024	2024-12-31_24044062239469c9bc1f0344e098cb1f_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4024 wrote to memory of 5072	4024	2024-12-31_24044062239469c9bc1f0344e098cb1f_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4024 wrote to memory of 1816	4024	2024-12-31_24044062239469c9bc1f0344e098cb1f_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4024 wrote to memory of 1816	4024	2024-12-31_24044062239469c9bc1f0344e098cb1f_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4024 wrote to memory of 3192	4024	2024-12-31_24044062239469c9bc1f0344e098cb1f_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4024 wrote to memory of 3192	4024	2024-12-31_24044062239469c9bc1f0344e098cb1f_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4024 wrote to memory of 388	4024	2024-12-31_24044062239469c9bc1f0344e098cb1f_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4024 wrote to memory of 388	4024	2024-12-31_24044062239469c9bc1f0344e098cb1f_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4024 wrote to memory of 816	4024	2024-12-31_24044062239469c9bc1f0344e098cb1f_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4024 wrote to memory of 816	4024	2024-12-31_24044062239469c9bc1f0344e098cb1f_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4024 wrote to memory of 4460	4024	2024-12-31_24044062239469c9bc1f0344e098cb1f_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4024 wrote to memory of 4460	4024	2024-12-31_24044062239469c9bc1f0344e098cb1f_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4024 wrote to memory of 468	4024	2024-12-31_24044062239469c9bc1f0344e098cb1f_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4024 wrote to memory of 468	4024	2024-12-31_24044062239469c9bc1f0344e098cb1f_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4024 wrote to memory of 1292	4024	2024-12-31_24044062239469c9bc1f0344e098cb1f_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4024 wrote to memory of 1292	4024	2024-12-31_24044062239469c9bc1f0344e098cb1f_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4024 wrote to memory of 4040	4024	2024-12-31_24044062239469c9bc1f0344e098cb1f_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4024 wrote to memory of 4040	4024	2024-12-31_24044062239469c9bc1f0344e098cb1f_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4024 wrote to memory of 2956	4024	2024-12-31_24044062239469c9bc1f0344e098cb1f_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4024 wrote to memory of 2956	4024	2024-12-31_24044062239469c9bc1f0344e098cb1f_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4024 wrote to memory of 3208	4024	2024-12-31_24044062239469c9bc1f0344e098cb1f_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4024 wrote to memory of 3208	4024	2024-12-31_24044062239469c9bc1f0344e098cb1f_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4024 wrote to memory of 2600	4024	2024-12-31_24044062239469c9bc1f0344e098cb1f_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4024 wrote to memory of 2600	4024	2024-12-31_24044062239469c9bc1f0344e098cb1f_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-12-31_24044062239469c9bc1f0344e098cb1f_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-31_24044062239469c9bc1f0344e098cb1f_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4024
- C:\Windows\System\NiNqHMp.exe
  C:\Windows\System\NiNqHMp.exe
  2⤵
  - Executes dropped EXE
  PID:2256
- C:\Windows\System\ldamgsD.exe
  C:\Windows\System\ldamgsD.exe
  2⤵
  - Executes dropped EXE
  PID:4356
- C:\Windows\System\PqUnRbR.exe
  C:\Windows\System\PqUnRbR.exe
  2⤵
  - Executes dropped EXE
  PID:4664
- C:\Windows\System\sanBsjk.exe
  C:\Windows\System\sanBsjk.exe
  2⤵
  - Executes dropped EXE
  PID:3956
- C:\Windows\System\urctzxi.exe
  C:\Windows\System\urctzxi.exe
  2⤵
  - Executes dropped EXE
  PID:4260
- C:\Windows\System\DynqkgI.exe
  C:\Windows\System\DynqkgI.exe
  2⤵
  - Executes dropped EXE
  PID:2252
- C:\Windows\System\doTmHKX.exe
  C:\Windows\System\doTmHKX.exe
  2⤵
  - Executes dropped EXE
  PID:2456
- C:\Windows\System\NeqsiuU.exe
  C:\Windows\System\NeqsiuU.exe
  2⤵
  - Executes dropped EXE
  PID:4976
- C:\Windows\System\jZedGLt.exe
  C:\Windows\System\jZedGLt.exe
  2⤵
  - Executes dropped EXE
  PID:4744
- C:\Windows\System\KanpWDk.exe
  C:\Windows\System\KanpWDk.exe
  2⤵
  - Executes dropped EXE
  PID:5072
- C:\Windows\System\diaCiaw.exe
  C:\Windows\System\diaCiaw.exe
  2⤵
  - Executes dropped EXE
  PID:1816
- C:\Windows\System\olxpOPZ.exe
  C:\Windows\System\olxpOPZ.exe
  2⤵
  - Executes dropped EXE
  PID:3192
- C:\Windows\System\UBsXdFO.exe
  C:\Windows\System\UBsXdFO.exe
  2⤵
  - Executes dropped EXE
  PID:388
- C:\Windows\System\tTqpUFr.exe
  C:\Windows\System\tTqpUFr.exe
  2⤵
  - Executes dropped EXE
  PID:816
- C:\Windows\System\aMRXdsQ.exe
  C:\Windows\System\aMRXdsQ.exe
  2⤵
  - Executes dropped EXE
  PID:4460
- C:\Windows\System\KKKZhRS.exe
  C:\Windows\System\KKKZhRS.exe
  2⤵
  - Executes dropped EXE
  PID:468
- C:\Windows\System\vSUvlPJ.exe
  C:\Windows\System\vSUvlPJ.exe
  2⤵
  - Executes dropped EXE
  PID:1292
- C:\Windows\System\oyJPhsc.exe
  C:\Windows\System\oyJPhsc.exe
  2⤵
  - Executes dropped EXE
  PID:4040
- C:\Windows\System\NreNIhL.exe
  C:\Windows\System\NreNIhL.exe
  2⤵
  - Executes dropped EXE
  PID:2956
- C:\Windows\System\MXSpXXd.exe
  C:\Windows\System\MXSpXXd.exe
  2⤵
  - Executes dropped EXE
  PID:3208
- C:\Windows\System\efyunQc.exe
  C:\Windows\System\efyunQc.exe
  2⤵
  - Executes dropped EXE
  PID:2600

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\DynqkgI.exe

Filesize
5.2MB

MD5
332330dacde1c6362a183341dd385be2

SHA1
3e576611396066215438f485a0c2533f48435bc3

SHA256
65cf2e900942b0741d7460e270fd0a408914c8ccd29e0b9fe869a1fdec8d6f40

SHA512
3ef2c5f86be4f60ab6a837090418cd3f7784df460c74b6ccdf22fc7b87c3395a21a874ec2c3b3d6bfcbe466ccd67048de5ec7b192fbfe7b2c58665be34be311b

Download Submit
C:\Windows\System\KKKZhRS.exe

Filesize
5.2MB

MD5
25d9a1b33fd69320cd71a01a1ebda647

SHA1
92c2d55e5cae6c925fb149743cd890402abf0d77

SHA256
8cab908ba85689c9eed1fcf8059ede8c3e83447a6e1a8bccd3c103ce80d4ea88

SHA512
44416451831bf0880eb91400d0c6f63cac551e9e73af3e3152f369ec896b86be4feeeb85ea3fe1e6b4cb84f6cb2b775cc3f324c5cb09ba42e9baa8580db65a46

Download Submit
C:\Windows\System\KanpWDk.exe

Filesize
5.2MB

MD5
679eeb6ed096a9e3f58abf1d2c168b5d

SHA1
f62898057a2ed1fd813e5fd6a5a8b55ea00fbd56

SHA256
e5bb8add1aa179914bc1f56dae0ddae94e3739368585d062d663108007f76a03

SHA512
c122138dbd3f833ba72e36a7c4a296c731213e3fde3cd6964f25fcc7382a143885e0b5ea58747e34d4594df20e3e0c38f0df5139cd8088307b2cd7bfd8df6d7c

Download Submit
C:\Windows\System\MXSpXXd.exe

Filesize
5.2MB

MD5
eccbe5089a2eb8cc71c6373e15f95230

SHA1
45d38777498c6d1be0f10205a7b36498c5abb46f

SHA256
2cc3b248e5e075751204b09fb1c4276e438e143dc7fb21af90b6b426c968564e

SHA512
c5b5a9779a48c3628d9feac9e1015128077af2f1c8c020981cc4804854058fbc29bd993f0d81efb3952a9ba7be9f73aabe3e6ad6be5cf6fd0ae300ea4f2a787f

Download Submit
C:\Windows\System\NeqsiuU.exe

Filesize
5.2MB

MD5
2fd1ec9ae067e486d95948040a0929d3

SHA1
3ec0f5b3dd3e62e522467ddbdf45492196e3d413

SHA256
8512f2f1a95c4f5b4ebc61674eb92ca08f50dee7bd431c48ad1d3092c2cf5387

SHA512
7ba3286d97e154d1365eacbbb457949de31490ab31f61a07eefabe0fd3e47177c8b541f61f069aa128a97ce65cc9476a72dd2e057d50b8ec3f4a3d63ed6923e2

Download Submit
C:\Windows\System\NiNqHMp.exe

Filesize
5.2MB

MD5
ca7f6701385e60c91c6f8dbc8594c31b

SHA1
cd12605f11708fb0e9637f58a23981bc34712e58

SHA256
e767988cd4c9b674b1c6ff7aa7645872bfc7ff67a258aff358aad3d2dbc41768

SHA512
1f5019c9f0a27af5bc52c8957e5346b09930b9fa2e316783c9599cf733c5b1abe0554ce6bb1550a028c88a76e8d16f2facb9293265be2ea0b88c0715e5f2002c

Download Submit
C:\Windows\System\NreNIhL.exe

Filesize
5.2MB

MD5
4f71b0bc35628388d59974d6b77889ee

SHA1
05721252ea2b91abcf63f45f3e7fea0c7659d7bb

SHA256
a169c3b32d8be0a8f7e9f252e89c3bc3e815f2f1f77629199cd0d6905c080bfa

SHA512
358a82669b262769242322a3f771f734c56c5fa51d31c515cfb1cf771a50c478aa77594825308076a6a83f943b44125728f54bf7180cbcc0d49ab0328a8e7814

Download Submit
C:\Windows\System\PqUnRbR.exe

Filesize
5.2MB

MD5
8d480d41d1efe5219a4ca615eb799972

SHA1
446d960d3462376f88e26c026c4ea34a20178f94

SHA256
ae516268319adae6b3e0a0580199db3689f53e4cd0eba0975edbc859a13ed327

SHA512
42fe07439100c9a7ffe6fa0f45043407241c8202cd74b5b3c1ab5e17ccece7ba3a490fe4d2b8e99800c8a4097f780c66259587a05cf69175e7507470dfb0b651

Download Submit
C:\Windows\System\UBsXdFO.exe

Filesize
5.2MB

MD5
3c069f78d2a838a548910ff8baa54bbd

SHA1
8a6d11ee51ddb239de031b727033e9963bc66159

SHA256
75d0afb62b0586d39ef8d1a2f292964e012a68fc648be8a5ba648653bdf34c15

SHA512
cb4de020fc07d54074d7e94e969d3e70abedcbc9f438dab7b1d434d430ceeafb0734e48402044ba149b7bee1b5a7f641adb8d12b35e79b746620ac84a6abc3dd

Download Submit
C:\Windows\System\aMRXdsQ.exe

Filesize
5.2MB

MD5
ed2b19c59ef759759dd3170b90602a81

SHA1
5db5701b41b3eb7dd018e4a0cf0c856114ecf19d

SHA256
bfbce08f0fdaf609759311d76940710ddfa58dc777231c42a5e28e89c3750316

SHA512
2e4519d8680d5296cf364f2b912ebe5117e169b0391d689d13867396a5cc8c7fb9d699e00b201a09fdfbe052a0c3662a5db6369bd0baa80ffc39ad0a6205ae30

Download Submit
C:\Windows\System\diaCiaw.exe

Filesize
5.2MB

MD5
19ff25723c268fefc9d69851adcf3e96

SHA1
50ce82136f5c1538f61449443f5b314f991ca5bd

SHA256
e568084c1707d30a1338698161fbdcf2d6a4b36c0acc09dff28414ce39015667

SHA512
f76eeee50ba791a3053047e0085dfced87e1f47e9447a013189ef166bcaaffe4e4b7acb1dbdc43c4b7c610de5eadcb006ea526f3cf315289289dccc37cd0e8ee

Download Submit
C:\Windows\System\doTmHKX.exe

Filesize
5.2MB

MD5
1bf9a44d64cb7d5ceba485695e415985

SHA1
84d209a366e2c4d78bf85b3ae45e98fb30f1f7a0

SHA256
1ec113af4112b18c477cda059e0e0923acfc50a12100ac2b938e26a9c7c01462

SHA512
855f4978ee9597695fe112429eb2a142374a2ad949cf01801c7bd8d73c3305ffd16a9bbf86c0cf8f6eba08b2fa0f014d7f58a35512fec4eb35563df08a430aa0

Download Submit
C:\Windows\System\efyunQc.exe

Filesize
5.2MB

MD5
b2aa47503ba715f854b1b682f5802967

SHA1
d98c2419f6e40b8bb7e8edb103490383f6187c97

SHA256
96a549253b7df44baa78a05a53d46e688ecf8872f40f1bf3576b4897bec90963

SHA512
9e7cbbef5a5bd8bee7737f5b5dd31ea01db13c1edafd6bc8ae76af55824ba2b2da6ef25e40124c6477500da9d85a888f51f3c04ba30685caccf82bc19cdcc090

Download Submit
C:\Windows\System\jZedGLt.exe

Filesize
5.2MB

MD5
79f007c635e22a4496f32fb239306678

SHA1
718189fa9466399bbc9515fa84386ef2b8eb0ca0

SHA256
8eda6c6f49195b46727d6f0fea368f2cfd8743d88a9749aeea2da9ee03edbae9

SHA512
03b40ca95927ea554ccc8cc9b291b74d1470bd811e4e36d9891bf93e9141aa39b54b5c17363667ae9ef15847f86d5d4b69707f449c46a94ff88c4b468c356d8c

Download Submit
C:\Windows\System\ldamgsD.exe

Filesize
5.2MB

MD5
a18937f7c461c7eba9552c12f8e955c9

SHA1
61007c7da6a1c361a4326a4b8472723b08928922

SHA256
dff9cb0775cb927fcf060e0e094f02f1f8998791d4487b37557632b03f733aee

SHA512
fdf6c053a3828ea6b0ab25e6d87ab24e18a6443d7895b6598b4c5db2e985da0036a1f135d0381ad2d4ca4d409abe5f7a9d34dafe9802f7af54aafdf031b2c3be

Download Submit
C:\Windows\System\olxpOPZ.exe

Filesize
5.2MB

MD5
0ee579310a2b556ea391bb65b7d2129d

SHA1
ba7fb3f4306631dfe9340b79e106b70a41c9d661

SHA256
4d1fb957e9b6cc321e2e708d53573490851d3a750d0aad81f610139e05740be2

SHA512
13c22160fd0c60735bb25399c8c26f6314aae9c402e52b1f86b407cdf9b59cd3fffcb7f0fe929852b079f601e79f2ad253164fd776b7f0f438cbcaa0f1db8f00

Download Submit
C:\Windows\System\oyJPhsc.exe

Filesize
5.2MB

MD5
1b166e7db356c5f28b442dcf797c68a1

SHA1
d9fe868e240b8408abe8fe1d005dae15ce6731be

SHA256
073cd30a57ce55e71aa6d7983e66628bab52725c06d9be894333ec9208be4c98

SHA512
7c8a8dc01485a910ba6a929b96376163975dda124cbeed4fa03d5a9a88cfcdd602acd8469bb87e87e6335e25ee06ac6d056b2540be587fb03a5b9319858b9572

Download Submit
C:\Windows\System\sanBsjk.exe

Filesize
5.2MB

MD5
b3a8f9ca582ef9586be754ebb979b49e

SHA1
917ad76850820235160bda316b3409c6bee10dfe

SHA256
8d8c306f294ee761d35da988de49146d2292081dc44e750241ee5cc294bd70b4

SHA512
45eb7056d8faf92e006abef8cc80290cc5ead12a010abe5cbe3179b605507433a50a7c3950832486de122303d9bda1927d11a0b74c22dcee87b5159115025330

Download Submit
C:\Windows\System\tTqpUFr.exe

Filesize
5.2MB

MD5
c88df61b779706038db4a6cf617076cb

SHA1
3be91ed6b13854f8c9854f27f2a47d5ad10e4dd0

SHA256
0c89389a44317ba4c0dc0c69cabe1dfe937745770a1573df71e1128fd499094f

SHA512
fa2ebca3aea57158365ea4a5f3c6a7a87359ac3dfe5930af269520b3ade9ec355a546f7088010113ae8bfb1b2755c9b14567b7f33976ea1082d0648738b13fbd

Download Submit
C:\Windows\System\urctzxi.exe

Filesize
5.2MB

MD5
e51b3a38c910a5092b0024d0bd4ef051

SHA1
4ba7fb0bc109cf3f056f6cafcb289b102d062244

SHA256
15cda20e1a262f9bc0597a3f8e04ae4335ec1a313550a46e9521201d837de32e

SHA512
3ab19f6884b175b83c6675d1ec34e9dc48b5b97b23a98ee27d2eff27319d526858f975b42eccf6c0b4426d76ec29c13b0b65a09e5a4b9a77bfa7740ed8435202

Download Submit
C:\Windows\System\vSUvlPJ.exe

Filesize
5.2MB

MD5
e1760ece9574d9867ab5db3b5e681175

SHA1
caf4c84274f38bc1aefcf13967de1a7f3aecfb15

SHA256
22676c7ba657b05e78d47e85379812809b92282d532967de442169aef89d150d

SHA512
b259ad46b335c6d064382468256386b1402b203bc168d243dde4303e460bd3bb76c59fdcc80b09ccc5fe5e2aed3668ddb679f04aad1309cb838768a9e93bbe79

Download Submit
memory/388-132-0x00007FF6B1D00000-0x00007FF6B2051000-memory.dmp

Filesize
3.3MB

Download
memory/388-237-0x00007FF6B1D00000-0x00007FF6B2051000-memory.dmp

Filesize
3.3MB

Download
memory/468-137-0x00007FF601770000-0x00007FF601AC1000-memory.dmp

Filesize
3.3MB

Download
memory/468-245-0x00007FF601770000-0x00007FF601AC1000-memory.dmp

Filesize
3.3MB

Download
memory/816-133-0x00007FF62FE70000-0x00007FF6301C1000-memory.dmp

Filesize
3.3MB

Download
memory/816-236-0x00007FF62FE70000-0x00007FF6301C1000-memory.dmp

Filesize
3.3MB

Download
memory/1292-138-0x00007FF7B38D0000-0x00007FF7B3C21000-memory.dmp

Filesize
3.3MB

Download
memory/1292-242-0x00007FF7B38D0000-0x00007FF7B3C21000-memory.dmp

Filesize
3.3MB

Download
memory/1816-130-0x00007FF7BA9A0000-0x00007FF7BACF1000-memory.dmp

Filesize
3.3MB

Download
memory/1816-230-0x00007FF7BA9A0000-0x00007FF7BACF1000-memory.dmp

Filesize
3.3MB

Download
memory/1816-69-0x00007FF7BA9A0000-0x00007FF7BACF1000-memory.dmp

Filesize
3.3MB

Download
memory/2252-57-0x00007FF7E5EE0000-0x00007FF7E6231000-memory.dmp

Filesize
3.3MB

Download
memory/2252-210-0x00007FF7E5EE0000-0x00007FF7E6231000-memory.dmp

Filesize
3.3MB

Download
memory/2256-202-0x00007FF73BCF0000-0x00007FF73C041000-memory.dmp

Filesize
3.3MB

Download
memory/2256-120-0x00007FF73BCF0000-0x00007FF73C041000-memory.dmp

Filesize
3.3MB

Download
memory/2256-7-0x00007FF73BCF0000-0x00007FF73C041000-memory.dmp

Filesize
3.3MB

Download
memory/2456-233-0x00007FF655200000-0x00007FF655551000-memory.dmp

Filesize
3.3MB

Download
memory/2456-126-0x00007FF655200000-0x00007FF655551000-memory.dmp

Filesize
3.3MB

Download
memory/2456-55-0x00007FF655200000-0x00007FF655551000-memory.dmp

Filesize
3.3MB

Download
memory/2600-142-0x00007FF678060000-0x00007FF6783B1000-memory.dmp

Filesize
3.3MB

Download
memory/2600-240-0x00007FF678060000-0x00007FF6783B1000-memory.dmp

Filesize
3.3MB

Download
memory/2956-251-0x00007FF72B8C0000-0x00007FF72BC11000-memory.dmp

Filesize
3.3MB

Download
memory/2956-140-0x00007FF72B8C0000-0x00007FF72BC11000-memory.dmp

Filesize
3.3MB

Download
memory/3192-131-0x00007FF6F1690000-0x00007FF6F19E1000-memory.dmp

Filesize
3.3MB

Download
memory/3192-231-0x00007FF6F1690000-0x00007FF6F19E1000-memory.dmp

Filesize
3.3MB

Download
memory/3192-118-0x00007FF6F1690000-0x00007FF6F19E1000-memory.dmp

Filesize
3.3MB

Download
memory/3208-141-0x00007FF753690000-0x00007FF7539E1000-memory.dmp

Filesize
3.3MB

Download
memory/3208-244-0x00007FF753690000-0x00007FF7539E1000-memory.dmp

Filesize
3.3MB

Download
memory/3956-123-0x00007FF6A2360000-0x00007FF6A26B1000-memory.dmp

Filesize
3.3MB

Download
memory/3956-206-0x00007FF6A2360000-0x00007FF6A26B1000-memory.dmp

Filesize
3.3MB

Download
memory/3956-23-0x00007FF6A2360000-0x00007FF6A26B1000-memory.dmp

Filesize
3.3MB

Download
memory/4024-119-0x00007FF78BC60000-0x00007FF78BFB1000-memory.dmp

Filesize
3.3MB

Download
memory/4024-144-0x00007FF78BC60000-0x00007FF78BFB1000-memory.dmp

Filesize
3.3MB

Download
memory/4024-0-0x00007FF78BC60000-0x00007FF78BFB1000-memory.dmp

Filesize
3.3MB

Download
memory/4024-1-0x000001CC2E890000-0x000001CC2E8A0000-memory.dmp

Filesize
64KB

Download
memory/4024-143-0x00007FF78BC60000-0x00007FF78BFB1000-memory.dmp

Filesize
3.3MB

Download
memory/4040-249-0x00007FF6DC2D0000-0x00007FF6DC621000-memory.dmp

Filesize
3.3MB

Download
memory/4040-139-0x00007FF6DC2D0000-0x00007FF6DC621000-memory.dmp

Filesize
3.3MB

Download
memory/4260-124-0x00007FF726A80000-0x00007FF726DD1000-memory.dmp

Filesize
3.3MB

Download
memory/4260-212-0x00007FF726A80000-0x00007FF726DD1000-memory.dmp

Filesize
3.3MB

Download
memory/4260-36-0x00007FF726A80000-0x00007FF726DD1000-memory.dmp

Filesize
3.3MB

Download
memory/4356-204-0x00007FF7F10D0000-0x00007FF7F1421000-memory.dmp

Filesize
3.3MB

Download
memory/4356-121-0x00007FF7F10D0000-0x00007FF7F1421000-memory.dmp

Filesize
3.3MB

Download
memory/4356-20-0x00007FF7F10D0000-0x00007FF7F1421000-memory.dmp

Filesize
3.3MB

Download
memory/4460-135-0x00007FF7F8940000-0x00007FF7F8C91000-memory.dmp

Filesize
3.3MB

Download
memory/4460-247-0x00007FF7F8940000-0x00007FF7F8C91000-memory.dmp

Filesize
3.3MB

Download
memory/4664-208-0x00007FF661DC0000-0x00007FF662111000-memory.dmp

Filesize
3.3MB

Download
memory/4664-122-0x00007FF661DC0000-0x00007FF662111000-memory.dmp

Filesize
3.3MB

Download
memory/4664-25-0x00007FF661DC0000-0x00007FF662111000-memory.dmp

Filesize
3.3MB

Download
memory/4744-58-0x00007FF6D4950000-0x00007FF6D4CA1000-memory.dmp

Filesize
3.3MB

Download
memory/4744-226-0x00007FF6D4950000-0x00007FF6D4CA1000-memory.dmp

Filesize
3.3MB

Download
memory/4744-128-0x00007FF6D4950000-0x00007FF6D4CA1000-memory.dmp

Filesize
3.3MB

Download
memory/4976-223-0x00007FF73E500000-0x00007FF73E851000-memory.dmp

Filesize
3.3MB

Download
memory/4976-127-0x00007FF73E500000-0x00007FF73E851000-memory.dmp

Filesize
3.3MB

Download
memory/4976-52-0x00007FF73E500000-0x00007FF73E851000-memory.dmp

Filesize
3.3MB

Download
memory/5072-56-0x00007FF7A9200000-0x00007FF7A9551000-memory.dmp

Filesize
3.3MB

Download
memory/5072-227-0x00007FF7A9200000-0x00007FF7A9551000-memory.dmp

Filesize
3.3MB

Download
memory/5072-129-0x00007FF7A9200000-0x00007FF7A9551000-memory.dmp

Filesize
3.3MB

Download