cobaltstrike | 0e7345cbffdfb15be556d90d965035c8f41a0121abfb43b096027ebb6a9d19c8

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31-12-2024 01:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-31_b6a8ae177931fdc6ea33991d2bd5598d_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

b6a8ae177931fdc6ea33991d2bd5598d
SHA1

71d71480e944d804ded1cf3b2a8fd4801b6397e3
SHA256

0e7345cbffdfb15be556d90d965035c8f41a0121abfb43b096027ebb6a9d19c8
SHA512

db1275989fb6aff2fb6aa9133dd347f477fac2a4afe71794760ba2c9b5c2a74bf96c7bd1d76e8b0eb8adae2a4120492b408ba398cd3e2014867a4f5b6157b01e
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lq:RWWBibf56utgpPFotBER/mQ32lUu

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000c000000023bb6-9.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca2-24.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca4-33.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca5-51.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca8-71.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cac-85.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cab-94.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023caf-106.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cad-110.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb2-115.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb1-112.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb0-111.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023c99-108.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cae-96.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca9-84.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023caa-73.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca7-67.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca6-55.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca3-44.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023c98-20.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca1-18.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/3020-124-0x00007FF674020000-0x00007FF674371000-memory.dmp	xmrig
behavioral2/memory/2428-127-0x00007FF636A90000-0x00007FF636DE1000-memory.dmp	xmrig
behavioral2/memory/4676-126-0x00007FF714160000-0x00007FF7144B1000-memory.dmp	xmrig
behavioral2/memory/4956-125-0x00007FF744BF0000-0x00007FF744F41000-memory.dmp	xmrig
behavioral2/memory/2552-123-0x00007FF635AC0000-0x00007FF635E11000-memory.dmp	xmrig
behavioral2/memory/2668-122-0x00007FF60C930000-0x00007FF60CC81000-memory.dmp	xmrig
behavioral2/memory/4492-120-0x00007FF62AFE0000-0x00007FF62B331000-memory.dmp	xmrig
behavioral2/memory/4904-114-0x00007FF7A5190000-0x00007FF7A54E1000-memory.dmp	xmrig
behavioral2/memory/3668-109-0x00007FF706710000-0x00007FF706A61000-memory.dmp	xmrig
behavioral2/memory/224-103-0x00007FF657120000-0x00007FF657471000-memory.dmp	xmrig
behavioral2/memory/3840-102-0x00007FF6DA420000-0x00007FF6DA771000-memory.dmp	xmrig
behavioral2/memory/1544-92-0x00007FF64C8E0000-0x00007FF64CC31000-memory.dmp	xmrig
behavioral2/memory/4996-83-0x00007FF61E850000-0x00007FF61EBA1000-memory.dmp	xmrig
behavioral2/memory/312-77-0x00007FF688510000-0x00007FF688861000-memory.dmp	xmrig
behavioral2/memory/3048-128-0x00007FF792110000-0x00007FF792461000-memory.dmp	xmrig
behavioral2/memory/1152-132-0x00007FF765ED0000-0x00007FF766221000-memory.dmp	xmrig
behavioral2/memory/4588-135-0x00007FF695390000-0x00007FF6956E1000-memory.dmp	xmrig
behavioral2/memory/5028-134-0x00007FF78ECD0000-0x00007FF78F021000-memory.dmp	xmrig
behavioral2/memory/2452-146-0x00007FF6FE170000-0x00007FF6FE4C1000-memory.dmp	xmrig
behavioral2/memory/5104-130-0x00007FF7F8550000-0x00007FF7F88A1000-memory.dmp	xmrig
behavioral2/memory/5060-129-0x00007FF73A6B0000-0x00007FF73AA01000-memory.dmp	xmrig
behavioral2/memory/4724-131-0x00007FF64F700000-0x00007FF64FA51000-memory.dmp	xmrig
behavioral2/memory/3048-150-0x00007FF792110000-0x00007FF792461000-memory.dmp	xmrig
behavioral2/memory/3048-151-0x00007FF792110000-0x00007FF792461000-memory.dmp	xmrig
behavioral2/memory/5060-209-0x00007FF73A6B0000-0x00007FF73AA01000-memory.dmp	xmrig
behavioral2/memory/4724-211-0x00007FF64F700000-0x00007FF64FA51000-memory.dmp	xmrig
behavioral2/memory/5104-213-0x00007FF7F8550000-0x00007FF7F88A1000-memory.dmp	xmrig
behavioral2/memory/1152-217-0x00007FF765ED0000-0x00007FF766221000-memory.dmp	xmrig
behavioral2/memory/5028-216-0x00007FF78ECD0000-0x00007FF78F021000-memory.dmp	xmrig
behavioral2/memory/2668-224-0x00007FF60C930000-0x00007FF60CC81000-memory.dmp	xmrig
behavioral2/memory/312-230-0x00007FF688510000-0x00007FF688861000-memory.dmp	xmrig
behavioral2/memory/4996-234-0x00007FF61E850000-0x00007FF61EBA1000-memory.dmp	xmrig
behavioral2/memory/1544-236-0x00007FF64C8E0000-0x00007FF64CC31000-memory.dmp	xmrig
behavioral2/memory/4588-233-0x00007FF695390000-0x00007FF6956E1000-memory.dmp	xmrig
behavioral2/memory/4956-251-0x00007FF744BF0000-0x00007FF744F41000-memory.dmp	xmrig
behavioral2/memory/3840-253-0x00007FF6DA420000-0x00007FF6DA771000-memory.dmp	xmrig
behavioral2/memory/4904-254-0x00007FF7A5190000-0x00007FF7A54E1000-memory.dmp	xmrig
behavioral2/memory/2428-258-0x00007FF636A90000-0x00007FF636DE1000-memory.dmp	xmrig
behavioral2/memory/4492-249-0x00007FF62AFE0000-0x00007FF62B331000-memory.dmp	xmrig
behavioral2/memory/2452-256-0x00007FF6FE170000-0x00007FF6FE4C1000-memory.dmp	xmrig
behavioral2/memory/2552-244-0x00007FF635AC0000-0x00007FF635E11000-memory.dmp	xmrig
behavioral2/memory/3668-243-0x00007FF706710000-0x00007FF706A61000-memory.dmp	xmrig
behavioral2/memory/224-241-0x00007FF657120000-0x00007FF657471000-memory.dmp	xmrig
behavioral2/memory/4676-247-0x00007FF714160000-0x00007FF7144B1000-memory.dmp	xmrig
behavioral2/memory/3020-239-0x00007FF674020000-0x00007FF674371000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
5060	HkqQGjN.exe
5104	sehpGFS.exe
4724	tcaLmuv.exe
1152	coxNpqB.exe
2668	ZjgoTKn.exe
5028	fiJXSKr.exe
4588	qRAhQay.exe
312	wocllvC.exe
4996	NLvaSmo.exe
2552	MknKgBS.exe
1544	jMejswQ.exe
3840	PgarKlR.exe
3020	izPIYlq.exe
224	WWqYdlU.exe
3668	DvJUjTk.exe
4956	lCWIkDm.exe
4904	TPohyih.exe
2452	pcjEBhn.exe
4676	QfGFQvO.exe
4492	YIUlOoG.exe
2428	rAmofeL.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3048-0-0x00007FF792110000-0x00007FF792461000-memory.dmp	upx
behavioral2/memory/5060-7-0x00007FF73A6B0000-0x00007FF73AA01000-memory.dmp	upx
behavioral2/files/0x000c000000023bb6-9.dat	upx
behavioral2/memory/5104-16-0x00007FF7F8550000-0x00007FF7F88A1000-memory.dmp	upx
behavioral2/files/0x0007000000023ca2-24.dat	upx
behavioral2/files/0x0007000000023ca4-33.dat	upx
behavioral2/files/0x0007000000023ca5-51.dat	upx
behavioral2/memory/5028-48-0x00007FF78ECD0000-0x00007FF78F021000-memory.dmp	upx
behavioral2/memory/4588-60-0x00007FF695390000-0x00007FF6956E1000-memory.dmp	upx
behavioral2/files/0x0007000000023ca8-71.dat	upx
behavioral2/files/0x0007000000023cac-85.dat	upx
behavioral2/files/0x0007000000023cab-94.dat	upx
behavioral2/files/0x0007000000023caf-106.dat	upx
behavioral2/files/0x0007000000023cad-110.dat	upx
behavioral2/files/0x0007000000023cb2-115.dat	upx
behavioral2/memory/3020-124-0x00007FF674020000-0x00007FF674371000-memory.dmp	upx
behavioral2/memory/2428-127-0x00007FF636A90000-0x00007FF636DE1000-memory.dmp	upx
behavioral2/memory/4676-126-0x00007FF714160000-0x00007FF7144B1000-memory.dmp	upx
behavioral2/memory/4956-125-0x00007FF744BF0000-0x00007FF744F41000-memory.dmp	upx
behavioral2/memory/2552-123-0x00007FF635AC0000-0x00007FF635E11000-memory.dmp	upx
behavioral2/memory/2668-122-0x00007FF60C930000-0x00007FF60CC81000-memory.dmp	upx
behavioral2/memory/4492-120-0x00007FF62AFE0000-0x00007FF62B331000-memory.dmp	upx
behavioral2/memory/2452-119-0x00007FF6FE170000-0x00007FF6FE4C1000-memory.dmp	upx
behavioral2/memory/4904-114-0x00007FF7A5190000-0x00007FF7A54E1000-memory.dmp	upx
behavioral2/files/0x0007000000023cb1-112.dat	upx
behavioral2/files/0x0007000000023cb0-111.dat	upx
behavioral2/memory/3668-109-0x00007FF706710000-0x00007FF706A61000-memory.dmp	upx
behavioral2/files/0x000a000000023c99-108.dat	upx
behavioral2/memory/224-103-0x00007FF657120000-0x00007FF657471000-memory.dmp	upx
behavioral2/memory/3840-102-0x00007FF6DA420000-0x00007FF6DA771000-memory.dmp	upx
behavioral2/files/0x0007000000023cae-96.dat	upx
behavioral2/memory/1544-92-0x00007FF64C8E0000-0x00007FF64CC31000-memory.dmp	upx
behavioral2/files/0x0007000000023ca9-84.dat	upx
behavioral2/memory/4996-83-0x00007FF61E850000-0x00007FF61EBA1000-memory.dmp	upx
behavioral2/memory/312-77-0x00007FF688510000-0x00007FF688861000-memory.dmp	upx
behavioral2/files/0x0007000000023caa-73.dat	upx
behavioral2/files/0x0007000000023ca7-67.dat	upx
behavioral2/files/0x0007000000023ca6-55.dat	upx
behavioral2/files/0x0007000000023ca3-44.dat	upx
behavioral2/memory/1152-40-0x00007FF765ED0000-0x00007FF766221000-memory.dmp	upx
behavioral2/memory/4724-25-0x00007FF64F700000-0x00007FF64FA51000-memory.dmp	upx
behavioral2/files/0x0009000000023c98-20.dat	upx
behavioral2/files/0x0007000000023ca1-18.dat	upx
behavioral2/memory/3048-128-0x00007FF792110000-0x00007FF792461000-memory.dmp	upx
behavioral2/memory/1152-132-0x00007FF765ED0000-0x00007FF766221000-memory.dmp	upx
behavioral2/memory/4588-135-0x00007FF695390000-0x00007FF6956E1000-memory.dmp	upx
behavioral2/memory/5028-134-0x00007FF78ECD0000-0x00007FF78F021000-memory.dmp	upx
behavioral2/memory/2452-146-0x00007FF6FE170000-0x00007FF6FE4C1000-memory.dmp	upx
behavioral2/memory/5104-130-0x00007FF7F8550000-0x00007FF7F88A1000-memory.dmp	upx
behavioral2/memory/5060-129-0x00007FF73A6B0000-0x00007FF73AA01000-memory.dmp	upx
behavioral2/memory/4724-131-0x00007FF64F700000-0x00007FF64FA51000-memory.dmp	upx
behavioral2/memory/3048-150-0x00007FF792110000-0x00007FF792461000-memory.dmp	upx
behavioral2/memory/3048-151-0x00007FF792110000-0x00007FF792461000-memory.dmp	upx
behavioral2/memory/5060-209-0x00007FF73A6B0000-0x00007FF73AA01000-memory.dmp	upx
behavioral2/memory/4724-211-0x00007FF64F700000-0x00007FF64FA51000-memory.dmp	upx
behavioral2/memory/5104-213-0x00007FF7F8550000-0x00007FF7F88A1000-memory.dmp	upx
behavioral2/memory/1152-217-0x00007FF765ED0000-0x00007FF766221000-memory.dmp	upx
behavioral2/memory/5028-216-0x00007FF78ECD0000-0x00007FF78F021000-memory.dmp	upx
behavioral2/memory/2668-224-0x00007FF60C930000-0x00007FF60CC81000-memory.dmp	upx
behavioral2/memory/312-230-0x00007FF688510000-0x00007FF688861000-memory.dmp	upx
behavioral2/memory/4996-234-0x00007FF61E850000-0x00007FF61EBA1000-memory.dmp	upx
behavioral2/memory/1544-236-0x00007FF64C8E0000-0x00007FF64CC31000-memory.dmp	upx
behavioral2/memory/4588-233-0x00007FF695390000-0x00007FF6956E1000-memory.dmp	upx
behavioral2/memory/4956-251-0x00007FF744BF0000-0x00007FF744F41000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\YIUlOoG.exe	2024-12-31_b6a8ae177931fdc6ea33991d2bd5598d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZjgoTKn.exe	2024-12-31_b6a8ae177931fdc6ea33991d2bd5598d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fiJXSKr.exe	2024-12-31_b6a8ae177931fdc6ea33991d2bd5598d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qRAhQay.exe	2024-12-31_b6a8ae177931fdc6ea33991d2bd5598d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wocllvC.exe	2024-12-31_b6a8ae177931fdc6ea33991d2bd5598d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PgarKlR.exe	2024-12-31_b6a8ae177931fdc6ea33991d2bd5598d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\izPIYlq.exe	2024-12-31_b6a8ae177931fdc6ea33991d2bd5598d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lCWIkDm.exe	2024-12-31_b6a8ae177931fdc6ea33991d2bd5598d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TPohyih.exe	2024-12-31_b6a8ae177931fdc6ea33991d2bd5598d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rAmofeL.exe	2024-12-31_b6a8ae177931fdc6ea33991d2bd5598d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HkqQGjN.exe	2024-12-31_b6a8ae177931fdc6ea33991d2bd5598d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jMejswQ.exe	2024-12-31_b6a8ae177931fdc6ea33991d2bd5598d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pcjEBhn.exe	2024-12-31_b6a8ae177931fdc6ea33991d2bd5598d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sehpGFS.exe	2024-12-31_b6a8ae177931fdc6ea33991d2bd5598d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tcaLmuv.exe	2024-12-31_b6a8ae177931fdc6ea33991d2bd5598d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\coxNpqB.exe	2024-12-31_b6a8ae177931fdc6ea33991d2bd5598d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NLvaSmo.exe	2024-12-31_b6a8ae177931fdc6ea33991d2bd5598d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MknKgBS.exe	2024-12-31_b6a8ae177931fdc6ea33991d2bd5598d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WWqYdlU.exe	2024-12-31_b6a8ae177931fdc6ea33991d2bd5598d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DvJUjTk.exe	2024-12-31_b6a8ae177931fdc6ea33991d2bd5598d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QfGFQvO.exe	2024-12-31_b6a8ae177931fdc6ea33991d2bd5598d_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3048	2024-12-31_b6a8ae177931fdc6ea33991d2bd5598d_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	3048	2024-12-31_b6a8ae177931fdc6ea33991d2bd5598d_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3048 wrote to memory of 5060	3048	2024-12-31_b6a8ae177931fdc6ea33991d2bd5598d_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3048 wrote to memory of 5060	3048	2024-12-31_b6a8ae177931fdc6ea33991d2bd5598d_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3048 wrote to memory of 5104	3048	2024-12-31_b6a8ae177931fdc6ea33991d2bd5598d_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3048 wrote to memory of 5104	3048	2024-12-31_b6a8ae177931fdc6ea33991d2bd5598d_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3048 wrote to memory of 4724	3048	2024-12-31_b6a8ae177931fdc6ea33991d2bd5598d_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3048 wrote to memory of 4724	3048	2024-12-31_b6a8ae177931fdc6ea33991d2bd5598d_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3048 wrote to memory of 1152	3048	2024-12-31_b6a8ae177931fdc6ea33991d2bd5598d_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3048 wrote to memory of 1152	3048	2024-12-31_b6a8ae177931fdc6ea33991d2bd5598d_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3048 wrote to memory of 2668	3048	2024-12-31_b6a8ae177931fdc6ea33991d2bd5598d_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3048 wrote to memory of 2668	3048	2024-12-31_b6a8ae177931fdc6ea33991d2bd5598d_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3048 wrote to memory of 5028	3048	2024-12-31_b6a8ae177931fdc6ea33991d2bd5598d_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3048 wrote to memory of 5028	3048	2024-12-31_b6a8ae177931fdc6ea33991d2bd5598d_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3048 wrote to memory of 4588	3048	2024-12-31_b6a8ae177931fdc6ea33991d2bd5598d_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3048 wrote to memory of 4588	3048	2024-12-31_b6a8ae177931fdc6ea33991d2bd5598d_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3048 wrote to memory of 312	3048	2024-12-31_b6a8ae177931fdc6ea33991d2bd5598d_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3048 wrote to memory of 312	3048	2024-12-31_b6a8ae177931fdc6ea33991d2bd5598d_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3048 wrote to memory of 4996	3048	2024-12-31_b6a8ae177931fdc6ea33991d2bd5598d_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3048 wrote to memory of 4996	3048	2024-12-31_b6a8ae177931fdc6ea33991d2bd5598d_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3048 wrote to memory of 1544	3048	2024-12-31_b6a8ae177931fdc6ea33991d2bd5598d_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3048 wrote to memory of 1544	3048	2024-12-31_b6a8ae177931fdc6ea33991d2bd5598d_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3048 wrote to memory of 2552	3048	2024-12-31_b6a8ae177931fdc6ea33991d2bd5598d_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3048 wrote to memory of 2552	3048	2024-12-31_b6a8ae177931fdc6ea33991d2bd5598d_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3048 wrote to memory of 3840	3048	2024-12-31_b6a8ae177931fdc6ea33991d2bd5598d_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3048 wrote to memory of 3840	3048	2024-12-31_b6a8ae177931fdc6ea33991d2bd5598d_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3048 wrote to memory of 3020	3048	2024-12-31_b6a8ae177931fdc6ea33991d2bd5598d_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3048 wrote to memory of 3020	3048	2024-12-31_b6a8ae177931fdc6ea33991d2bd5598d_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3048 wrote to memory of 224	3048	2024-12-31_b6a8ae177931fdc6ea33991d2bd5598d_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3048 wrote to memory of 224	3048	2024-12-31_b6a8ae177931fdc6ea33991d2bd5598d_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3048 wrote to memory of 4956	3048	2024-12-31_b6a8ae177931fdc6ea33991d2bd5598d_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3048 wrote to memory of 4956	3048	2024-12-31_b6a8ae177931fdc6ea33991d2bd5598d_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3048 wrote to memory of 3668	3048	2024-12-31_b6a8ae177931fdc6ea33991d2bd5598d_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3048 wrote to memory of 3668	3048	2024-12-31_b6a8ae177931fdc6ea33991d2bd5598d_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3048 wrote to memory of 4904	3048	2024-12-31_b6a8ae177931fdc6ea33991d2bd5598d_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3048 wrote to memory of 4904	3048	2024-12-31_b6a8ae177931fdc6ea33991d2bd5598d_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3048 wrote to memory of 2452	3048	2024-12-31_b6a8ae177931fdc6ea33991d2bd5598d_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3048 wrote to memory of 2452	3048	2024-12-31_b6a8ae177931fdc6ea33991d2bd5598d_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3048 wrote to memory of 4676	3048	2024-12-31_b6a8ae177931fdc6ea33991d2bd5598d_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3048 wrote to memory of 4676	3048	2024-12-31_b6a8ae177931fdc6ea33991d2bd5598d_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3048 wrote to memory of 4492	3048	2024-12-31_b6a8ae177931fdc6ea33991d2bd5598d_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3048 wrote to memory of 4492	3048	2024-12-31_b6a8ae177931fdc6ea33991d2bd5598d_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3048 wrote to memory of 2428	3048	2024-12-31_b6a8ae177931fdc6ea33991d2bd5598d_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 3048 wrote to memory of 2428	3048	2024-12-31_b6a8ae177931fdc6ea33991d2bd5598d_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-12-31_b6a8ae177931fdc6ea33991d2bd5598d_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-31_b6a8ae177931fdc6ea33991d2bd5598d_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3048
- C:\Windows\System\HkqQGjN.exe
  C:\Windows\System\HkqQGjN.exe
  2⤵
  - Executes dropped EXE
  PID:5060
- C:\Windows\System\sehpGFS.exe
  C:\Windows\System\sehpGFS.exe
  2⤵
  - Executes dropped EXE
  PID:5104
- C:\Windows\System\tcaLmuv.exe
  C:\Windows\System\tcaLmuv.exe
  2⤵
  - Executes dropped EXE
  PID:4724
- C:\Windows\System\coxNpqB.exe
  C:\Windows\System\coxNpqB.exe
  2⤵
  - Executes dropped EXE
  PID:1152
- C:\Windows\System\ZjgoTKn.exe
  C:\Windows\System\ZjgoTKn.exe
  2⤵
  - Executes dropped EXE
  PID:2668
- C:\Windows\System\fiJXSKr.exe
  C:\Windows\System\fiJXSKr.exe
  2⤵
  - Executes dropped EXE
  PID:5028
- C:\Windows\System\qRAhQay.exe
  C:\Windows\System\qRAhQay.exe
  2⤵
  - Executes dropped EXE
  PID:4588
- C:\Windows\System\wocllvC.exe
  C:\Windows\System\wocllvC.exe
  2⤵
  - Executes dropped EXE
  PID:312
- C:\Windows\System\NLvaSmo.exe
  C:\Windows\System\NLvaSmo.exe
  2⤵
  - Executes dropped EXE
  PID:4996
- C:\Windows\System\jMejswQ.exe
  C:\Windows\System\jMejswQ.exe
  2⤵
  - Executes dropped EXE
  PID:1544
- C:\Windows\System\MknKgBS.exe
  C:\Windows\System\MknKgBS.exe
  2⤵
  - Executes dropped EXE
  PID:2552
- C:\Windows\System\PgarKlR.exe
  C:\Windows\System\PgarKlR.exe
  2⤵
  - Executes dropped EXE
  PID:3840
- C:\Windows\System\izPIYlq.exe
  C:\Windows\System\izPIYlq.exe
  2⤵
  - Executes dropped EXE
  PID:3020
- C:\Windows\System\WWqYdlU.exe
  C:\Windows\System\WWqYdlU.exe
  2⤵
  - Executes dropped EXE
  PID:224
- C:\Windows\System\lCWIkDm.exe
  C:\Windows\System\lCWIkDm.exe
  2⤵
  - Executes dropped EXE
  PID:4956
- C:\Windows\System\DvJUjTk.exe
  C:\Windows\System\DvJUjTk.exe
  2⤵
  - Executes dropped EXE
  PID:3668
- C:\Windows\System\TPohyih.exe
  C:\Windows\System\TPohyih.exe
  2⤵
  - Executes dropped EXE
  PID:4904
- C:\Windows\System\pcjEBhn.exe
  C:\Windows\System\pcjEBhn.exe
  2⤵
  - Executes dropped EXE
  PID:2452
- C:\Windows\System\QfGFQvO.exe
  C:\Windows\System\QfGFQvO.exe
  2⤵
  - Executes dropped EXE
  PID:4676
- C:\Windows\System\YIUlOoG.exe
  C:\Windows\System\YIUlOoG.exe
  2⤵
  - Executes dropped EXE
  PID:4492
- C:\Windows\System\rAmofeL.exe
  C:\Windows\System\rAmofeL.exe
  2⤵
  - Executes dropped EXE
  PID:2428

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\DvJUjTk.exe

Filesize
5.2MB

MD5
e80946c00056f5847bad567523aee83a

SHA1
219448fdad16a18302a541abb9914c3f23d9003c

SHA256
f0470dcc36e4b4749f3a1aedb6c98b57cb13b85e0fecbc6743715604f4c7a442

SHA512
69bf03e11e578c204006f4673c941d0f2a02a3752ceb23db251afa872c6d162cc30e88cbb4e58a64e5bb4558df5d86ea980490e9da3431aaa70f6e0a83900652

Download Submit
C:\Windows\System\HkqQGjN.exe

Filesize
5.2MB

MD5
43ca796ad0e812397aac35eafe2b508b

SHA1
b6e5d47305cfb2a4830ba4286bab846e8933645a

SHA256
4c440e9ae92ccfbe7f63faed07eeab0a9514eaad59a65411c68dcb8eed2afc5b

SHA512
d936c4da1057019f8ddf4848708bafa1b94942eb9f207db0529dfc698f213f8a01724545ac8d6f43475f5e14d09e331ee0296272780e73f1ad4c205216fcd8c7

Download Submit
C:\Windows\System\MknKgBS.exe

Filesize
5.2MB

MD5
3a693f0fc601ae702ae3ed6696b86bf2

SHA1
1aaf7a62b1b691fd437d557c1239932486b4d025

SHA256
b29c442c7873830cf0421a1639cbc558d3ef64573265bcc8dad204b6e677ba18

SHA512
c3192d7c179588418f4a22e7219896e42cfc15481def0af476ff3093ed4e4fe82668f0a1608a3993643737f981b0ce6bbe049926f6ca1d0709b1934876b7d764

Download Submit
C:\Windows\System\NLvaSmo.exe

Filesize
5.2MB

MD5
32617670a78e03f9d6c402f23bccd212

SHA1
ebd3734b9e881f4994b0a18bf932e14671f11ae3

SHA256
0dc238ca00cecc3e61692e81115ab3b15f2aaf820b8b1987a93e0ec81081653e

SHA512
58346bd503c42bb6c658533d0bf1c613353f3733e33860e35dad9ab9011e552bc399b54ef09dd02e83a7c88836cfaf2717f6fddaa1efab283b9f675a41f0cd53

Download Submit
C:\Windows\System\PgarKlR.exe

Filesize
5.2MB

MD5
e152f8073e8098c34b1adf3f85f803d9

SHA1
d3b68ee418ddf34ad022fb2850cd142efac016c3

SHA256
4952ceab17e56c6d85f9c5ae3fed96d0bf8fa5f7ebc1c30edb6b621a38041c06

SHA512
4b829520d1b2891f1986149b24b2363484b22d3509dfb73309e2eb5b074a5efe911493a01cb99241e30d2524addc77747ec6948d3a212e6eb29a4f1f53170470

Download Submit
C:\Windows\System\QfGFQvO.exe

Filesize
5.2MB

MD5
c6b2a50af0caaf369e2ad12cf50f4087

SHA1
ff5667f88ff82502a9398858bdbac51fd9ae4d94

SHA256
8fc7d50e9302378e21b7071f6c5f2d8cb387836e9a0b82d42b8251c7d62f2f33

SHA512
d240e39bb9c50aa59843d1f5ae3257baac01225bbb4f9c27e8e6d52f0a28c53d0a0a60e9441041bc259fd14a18a7ffc5537f46caaefcbfbe444135dbef799b74

Download Submit
C:\Windows\System\TPohyih.exe

Filesize
5.2MB

MD5
f27bd7ec767e15943553f020bda4a06e

SHA1
0c2ba48c6d37e5128501d04056112177d04c395a

SHA256
0b905fd22eb8ddc9c2e2de202ceb268b3cc2074243372a601d3f9749cad9f630

SHA512
b89122ad8d90599219dd927af04f008f270147f4f1a6bc4e9d57648a111235c2caaa0d8af3178ec4993812a206ca635b445f41d301c363803ed28613d74a9dc7

Download Submit
C:\Windows\System\WWqYdlU.exe

Filesize
5.2MB

MD5
1a726bc46d85a0c49b727d50c0da16c9

SHA1
9f54ce38f34517037828d2bc9cb34f09336621a3

SHA256
1a70b06f99933128caceed7e5d1d29a00922f3c4e0fc23805eedc140aa74bf36

SHA512
949a5d020d65724b224a285e7fa4ffcb8711735c83f6bf4acf0bfcab079c1e89317e17353905666b6498baed3fa5201a62e7775a25ddc36352cfa090c5bb0d72

Download Submit
C:\Windows\System\YIUlOoG.exe

Filesize
5.2MB

MD5
7359f9b9b92fac28f0c63d91f88601df

SHA1
a3f5e545b21edf944afe1ce7b6127298e64521c2

SHA256
b04746ee5e2aadb873f8c4cf5e1edb06f3e5c5cf36f70864f278b8c5fe950158

SHA512
0919718eb4cd2b9dc28e7873ed4b5ba579cd08190648001a48d661a55ebce84388f1952cd1f0eda52b68b832da940b25f0cc4d24cde009272001e07babe10745

Download Submit
C:\Windows\System\ZjgoTKn.exe

Filesize
5.2MB

MD5
5854a92a29c393e3d46fff5be942d059

SHA1
621054a21c8e73fa4562772aef60300a50d3bfd1

SHA256
031f22d9cb46a0b838bb93ca268cfd8f122c61dcaf108efbe19f2e45bb3a8ff8

SHA512
a318bbf83898e1ce154640a95a1bb8bba062ec30910ff4be53bcee3f66c356775f41d71de5561b1e7ea6c58d07cfdb12e061d229b194eead07479ff4e54040fc

Download Submit
C:\Windows\System\coxNpqB.exe

Filesize
5.2MB

MD5
441f34236dc3b949d94b3987b1e57e49

SHA1
4f033862fd74d9aaf7ff3fe4ca53452d10790849

SHA256
6a94339c0dcd80cfa57be74dbda48e96b4ba9cd0dba1cf4eac3b83ce422fdf7e

SHA512
e0d3b071bcab256ef79776d245b65e9586c5616782bab10c9578f52a7900e072e2646eb2fc74a17cc7e84a8fad5273a039565b2bb36d63ca9da8191d20ee3f37

Download Submit
C:\Windows\System\fiJXSKr.exe

Filesize
5.2MB

MD5
a526c03c7d166e302243885e3dac2212

SHA1
1f852b4cd74ba84308c9d88e966c83719f063ab6

SHA256
ea6119312e44563297f7c55387b2df40c7ab2dc6cde63d0c6f310e1eeeab66c2

SHA512
6c63696097d99329fcb21bd27696324d863663baa29a8504da6d5e76d72df11b02b28ef600d30287100b52c862031b9cbd7872bc2040a20eff7a4a941a31912a

Download Submit
C:\Windows\System\izPIYlq.exe

Filesize
5.2MB

MD5
4171c98814c9d64c8c8fe699d9a1182a

SHA1
949831d217c01f78adcca7a39b8cb76bbe5bdf0b

SHA256
a49a5d4eb7ca9dd988c611be6c2c301df8d02921fed72b869033c14e7f17eecb

SHA512
ebcee63d16ae65127a1cfa0379767aee260d53d276622024fbe86958a3904afc44b898c57a3dd07827ccc30d090166e4f96150f4ef3875a278d20a472f6838a4

Download Submit
C:\Windows\System\jMejswQ.exe

Filesize
5.2MB

MD5
ac3cc1c2bc27b5ea62acbbed4467708e

SHA1
5cf22eebfde88781c9bb913cdc007b07c4de4ede

SHA256
d3ff5232a4b8cb52d671e9e5f3b51a961723f336dcaab0700bac57cc78a990d5

SHA512
122dbc909e44ad4c96799fcc4a98d7f70ce82a8c5d5a6866d273ef3bc793cab4349a15026414d320c41b2846a263311090627a49ffe14aa8fcea46bbdbf0e478

Download Submit
C:\Windows\System\lCWIkDm.exe

Filesize
5.2MB

MD5
bd18108943935019e27fda7680a5ec15

SHA1
ec54fdb0955f2630754e41f9bf9f06ca43383f28

SHA256
db36d2349207bcc9ffdf07a3963923bbd1d5939c02a210704a6544330875b8a6

SHA512
31b818e369afe2e1176686975e44d137d2b34c4c261786d8ea6f7988b494714f11de4e37a85eeed98ee23b1a48fde383b307387b4a58a0cf8502958cb55dc80d

Download Submit
C:\Windows\System\pcjEBhn.exe

Filesize
5.2MB

MD5
59cf90abdbd4d36e67d4c83e774704bc

SHA1
a1889f5626bb5a0ac8ab570928d2203d32c2dd73

SHA256
c1f5602fdfeba04b7d59be53f43ab3ba41ca99ea573e09826da0d5eb298d3f3a

SHA512
6df176a4c16bc4c42af447a9df12d3902f6a5e76c92771de8e3c3c2262bb73ebf08e3ee2b838d2c1e592f27e0215732af746eee9bdca5ecafdf19069110f7071

Download Submit
C:\Windows\System\qRAhQay.exe

Filesize
5.2MB

MD5
f4c22e9033d73f2ee106cb46a4c2837e

SHA1
0122566ada2740ca7cc812eaac47e420c74fd397

SHA256
58cceeabc14dedce7e376b4543d0537dd22e7c5cbfc3d590eb29b19c77dcd56d

SHA512
2b4973debe1963db082086005bbcd46a73f6e4f205e83cb1f7ce2f09a0fe9dc15da103574f179218a4dd841b8ac371c1ad28b01b55555b65625069f90f70dec2

Download Submit
C:\Windows\System\rAmofeL.exe

Filesize
5.2MB

MD5
a6e3b1659358c9b7348649a44f51e467

SHA1
7a6cb19b0e83d31d0ea2d426b4a01d54aed10bc2

SHA256
9b21bf60186154f78ebc81c12fed511002dbc89f7638b053bab9f6455ae278b2

SHA512
89661c1c132a1c844264b21d5c2d593444db74692588fdd2c345541b9a9ffc14f6430a57dd1f356432bc208fa7347837f56946ab47781687d98cf1d6e59f3b52

Download Submit
C:\Windows\System\sehpGFS.exe

Filesize
5.2MB

MD5
16f98c718f498dd72c27148ac6fdb709

SHA1
5bf0db65ff9f26c89e4b602a4c6efb03d06f3c8c

SHA256
5557f8117e4a7e4a97b9650023ed5993e20fd8a8b7258325463bd5572d4e3711

SHA512
8f654fa7eb75987726d0a2bb88b7de730a83a350e524f2d6e9e97ffd9e51829dce69f082e59d77e2fd2a6c87f42726b9d771764b964a4052f5ad9bfc6744d0c5

Download Submit
C:\Windows\System\tcaLmuv.exe

Filesize
5.2MB

MD5
3df3522cfe47ead32d1e780255e94f30

SHA1
b94e4fcba84d7ffaf79e5c33a930c9c1e20f7a11

SHA256
182b20ba33d905beb1855af70d9a31764e17900fc65bab9647a0fb67211de034

SHA512
496468c74620cde34b2d2448e40616802c0f0b5924dec76326429268e2510055feccffcc203d3de044f5fa511c027f2f4e78b698906971ca5c8528c088cebcea

Download Submit
C:\Windows\System\wocllvC.exe

Filesize
5.2MB

MD5
53ea34abbf6450b94fc5ff540d75abb1

SHA1
2312abb557ebf154d32b733692df3d69203c4b65

SHA256
412acf7fe12e9fc763f0030634f68658ff6ce7d2135eb69db1e53c103d08841b

SHA512
279782a37bd4bc033c83abf4836660a2bdb05037fa0a564b041d1aa5ae27954b3cef4d8d929ef69924db5d95b50b688ec807b8105f9906866952c1d057f8dc6c

Download Submit
memory/224-241-0x00007FF657120000-0x00007FF657471000-memory.dmp

Filesize
3.3MB

Download
memory/224-103-0x00007FF657120000-0x00007FF657471000-memory.dmp

Filesize
3.3MB

Download
memory/312-77-0x00007FF688510000-0x00007FF688861000-memory.dmp

Filesize
3.3MB

Download
memory/312-230-0x00007FF688510000-0x00007FF688861000-memory.dmp

Filesize
3.3MB

Download
memory/1152-40-0x00007FF765ED0000-0x00007FF766221000-memory.dmp

Filesize
3.3MB

Download
memory/1152-217-0x00007FF765ED0000-0x00007FF766221000-memory.dmp

Filesize
3.3MB

Download
memory/1152-132-0x00007FF765ED0000-0x00007FF766221000-memory.dmp

Filesize
3.3MB

Download
memory/1544-92-0x00007FF64C8E0000-0x00007FF64CC31000-memory.dmp

Filesize
3.3MB

Download
memory/1544-236-0x00007FF64C8E0000-0x00007FF64CC31000-memory.dmp

Filesize
3.3MB

Download
memory/2428-127-0x00007FF636A90000-0x00007FF636DE1000-memory.dmp

Filesize
3.3MB

Download
memory/2428-258-0x00007FF636A90000-0x00007FF636DE1000-memory.dmp

Filesize
3.3MB

Download
memory/2452-146-0x00007FF6FE170000-0x00007FF6FE4C1000-memory.dmp

Filesize
3.3MB

Download
memory/2452-256-0x00007FF6FE170000-0x00007FF6FE4C1000-memory.dmp

Filesize
3.3MB

Download
memory/2452-119-0x00007FF6FE170000-0x00007FF6FE4C1000-memory.dmp

Filesize
3.3MB

Download
memory/2552-123-0x00007FF635AC0000-0x00007FF635E11000-memory.dmp

Filesize
3.3MB

Download
memory/2552-244-0x00007FF635AC0000-0x00007FF635E11000-memory.dmp

Filesize
3.3MB

Download
memory/2668-224-0x00007FF60C930000-0x00007FF60CC81000-memory.dmp

Filesize
3.3MB

Download
memory/2668-122-0x00007FF60C930000-0x00007FF60CC81000-memory.dmp

Filesize
3.3MB

Download
memory/3020-239-0x00007FF674020000-0x00007FF674371000-memory.dmp

Filesize
3.3MB

Download
memory/3020-124-0x00007FF674020000-0x00007FF674371000-memory.dmp

Filesize
3.3MB

Download
memory/3048-0-0x00007FF792110000-0x00007FF792461000-memory.dmp

Filesize
3.3MB

Download
memory/3048-1-0x000001DB3D770000-0x000001DB3D780000-memory.dmp

Filesize
64KB

Download
memory/3048-151-0x00007FF792110000-0x00007FF792461000-memory.dmp

Filesize
3.3MB

Download
memory/3048-128-0x00007FF792110000-0x00007FF792461000-memory.dmp

Filesize
3.3MB

Download
memory/3048-150-0x00007FF792110000-0x00007FF792461000-memory.dmp

Filesize
3.3MB

Download
memory/3668-243-0x00007FF706710000-0x00007FF706A61000-memory.dmp

Filesize
3.3MB

Download
memory/3668-109-0x00007FF706710000-0x00007FF706A61000-memory.dmp

Filesize
3.3MB

Download
memory/3840-102-0x00007FF6DA420000-0x00007FF6DA771000-memory.dmp

Filesize
3.3MB

Download
memory/3840-253-0x00007FF6DA420000-0x00007FF6DA771000-memory.dmp

Filesize
3.3MB

Download
memory/4492-249-0x00007FF62AFE0000-0x00007FF62B331000-memory.dmp

Filesize
3.3MB

Download
memory/4492-120-0x00007FF62AFE0000-0x00007FF62B331000-memory.dmp

Filesize
3.3MB

Download
memory/4588-233-0x00007FF695390000-0x00007FF6956E1000-memory.dmp

Filesize
3.3MB

Download
memory/4588-60-0x00007FF695390000-0x00007FF6956E1000-memory.dmp

Filesize
3.3MB

Download
memory/4588-135-0x00007FF695390000-0x00007FF6956E1000-memory.dmp

Filesize
3.3MB

Download
memory/4676-126-0x00007FF714160000-0x00007FF7144B1000-memory.dmp

Filesize
3.3MB

Download
memory/4676-247-0x00007FF714160000-0x00007FF7144B1000-memory.dmp

Filesize
3.3MB

Download
memory/4724-211-0x00007FF64F700000-0x00007FF64FA51000-memory.dmp

Filesize
3.3MB

Download
memory/4724-131-0x00007FF64F700000-0x00007FF64FA51000-memory.dmp

Filesize
3.3MB

Download
memory/4724-25-0x00007FF64F700000-0x00007FF64FA51000-memory.dmp

Filesize
3.3MB

Download
memory/4904-254-0x00007FF7A5190000-0x00007FF7A54E1000-memory.dmp

Filesize
3.3MB

Download
memory/4904-114-0x00007FF7A5190000-0x00007FF7A54E1000-memory.dmp

Filesize
3.3MB

Download
memory/4956-251-0x00007FF744BF0000-0x00007FF744F41000-memory.dmp

Filesize
3.3MB

Download
memory/4956-125-0x00007FF744BF0000-0x00007FF744F41000-memory.dmp

Filesize
3.3MB

Download
memory/4996-234-0x00007FF61E850000-0x00007FF61EBA1000-memory.dmp

Filesize
3.3MB

Download
memory/4996-83-0x00007FF61E850000-0x00007FF61EBA1000-memory.dmp

Filesize
3.3MB

Download
memory/5028-134-0x00007FF78ECD0000-0x00007FF78F021000-memory.dmp

Filesize
3.3MB

Download
memory/5028-48-0x00007FF78ECD0000-0x00007FF78F021000-memory.dmp

Filesize
3.3MB

Download
memory/5028-216-0x00007FF78ECD0000-0x00007FF78F021000-memory.dmp

Filesize
3.3MB

Download
memory/5060-129-0x00007FF73A6B0000-0x00007FF73AA01000-memory.dmp

Filesize
3.3MB

Download
memory/5060-209-0x00007FF73A6B0000-0x00007FF73AA01000-memory.dmp

Filesize
3.3MB

Download
memory/5060-7-0x00007FF73A6B0000-0x00007FF73AA01000-memory.dmp

Filesize
3.3MB

Download
memory/5104-130-0x00007FF7F8550000-0x00007FF7F88A1000-memory.dmp

Filesize
3.3MB

Download
memory/5104-213-0x00007FF7F8550000-0x00007FF7F88A1000-memory.dmp

Filesize
3.3MB

Download
memory/5104-16-0x00007FF7F8550000-0x00007FF7F88A1000-memory.dmp

Filesize
3.3MB

Download