cobaltstrike | faf768feca324a2b2b4d68694de66721fb381d2043d51a218dd77b55be4a1e0c

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21/01/2025, 22:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

b860258632d157f379d4686fad8c4c62
SHA1

48ab204263be068280cabef1d332c9595484c46a
SHA256

faf768feca324a2b2b4d68694de66721fb381d2043d51a218dd77b55be4a1e0c
SHA512

0d2480d406789dcfc7f1fb1fdd367b78a05c6e9462eb71afc436849290ae6ad6fc1e62bc61da28befcf65b9322f1d4ca7b59300215a7c152245a817c5b86ed33
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l5:RWWBibf56utgpPFotBER/mQ32lUd

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0009000000023cce-6.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cd5-9.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023cd1-11.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cd8-29.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023cd2-35.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cd7-26.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cd9-41.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cdb-49.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cde-62.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cdf-69.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ce2-82.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ce1-97.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ce6-107.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ce8-115.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ce7-122.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ce4-113.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ce5-112.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ce3-100.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ce0-90.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cdd-71.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cdc-57.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/1616-14-0x00007FF7FC360000-0x00007FF7FC6B1000-memory.dmp	xmrig
behavioral2/memory/2452-33-0x00007FF6D0480000-0x00007FF6D07D1000-memory.dmp	xmrig
behavioral2/memory/2368-59-0x00007FF655760000-0x00007FF655AB1000-memory.dmp	xmrig
behavioral2/memory/2300-108-0x00007FF7BEBA0000-0x00007FF7BEEF1000-memory.dmp	xmrig
behavioral2/memory/844-80-0x00007FF73D810000-0x00007FF73DB61000-memory.dmp	xmrig
behavioral2/memory/3844-58-0x00007FF738C10000-0x00007FF738F61000-memory.dmp	xmrig
behavioral2/memory/3672-124-0x00007FF72BF00000-0x00007FF72C251000-memory.dmp	xmrig
behavioral2/memory/3844-125-0x00007FF738C10000-0x00007FF738F61000-memory.dmp	xmrig
behavioral2/memory/3400-128-0x00007FF7B85E0000-0x00007FF7B8931000-memory.dmp	xmrig
behavioral2/memory/2216-132-0x00007FF6E4280000-0x00007FF6E45D1000-memory.dmp	xmrig
behavioral2/memory/3360-133-0x00007FF738900000-0x00007FF738C51000-memory.dmp	xmrig
behavioral2/memory/2172-135-0x00007FF767940000-0x00007FF767C91000-memory.dmp	xmrig
behavioral2/memory/3712-136-0x00007FF7B9C10000-0x00007FF7B9F61000-memory.dmp	xmrig
behavioral2/memory/592-137-0x00007FF6312B0000-0x00007FF631601000-memory.dmp	xmrig
behavioral2/memory/2052-138-0x00007FF6D37B0000-0x00007FF6D3B01000-memory.dmp	xmrig
behavioral2/memory/2496-134-0x00007FF74A2E0000-0x00007FF74A631000-memory.dmp	xmrig
behavioral2/memory/1984-131-0x00007FF77A6D0000-0x00007FF77AA21000-memory.dmp	xmrig
behavioral2/memory/1332-129-0x00007FF60D860000-0x00007FF60DBB1000-memory.dmp	xmrig
behavioral2/memory/4356-143-0x00007FF73EAB0000-0x00007FF73EE01000-memory.dmp	xmrig
behavioral2/memory/316-146-0x00007FF6F7740000-0x00007FF6F7A91000-memory.dmp	xmrig
behavioral2/memory/4160-140-0x00007FF6950D0000-0x00007FF695421000-memory.dmp	xmrig
behavioral2/memory/3652-145-0x00007FF6C77D0000-0x00007FF6C7B21000-memory.dmp	xmrig
behavioral2/memory/3120-139-0x00007FF74CDA0000-0x00007FF74D0F1000-memory.dmp	xmrig
behavioral2/memory/3844-152-0x00007FF738C10000-0x00007FF738F61000-memory.dmp	xmrig
behavioral2/memory/2368-204-0x00007FF655760000-0x00007FF655AB1000-memory.dmp	xmrig
behavioral2/memory/1616-206-0x00007FF7FC360000-0x00007FF7FC6B1000-memory.dmp	xmrig
behavioral2/memory/3400-208-0x00007FF7B85E0000-0x00007FF7B8931000-memory.dmp	xmrig
behavioral2/memory/1332-212-0x00007FF60D860000-0x00007FF60DBB1000-memory.dmp	xmrig
behavioral2/memory/2452-211-0x00007FF6D0480000-0x00007FF6D07D1000-memory.dmp	xmrig
behavioral2/memory/1984-216-0x00007FF77A6D0000-0x00007FF77AA21000-memory.dmp	xmrig
behavioral2/memory/2216-218-0x00007FF6E4280000-0x00007FF6E45D1000-memory.dmp	xmrig
behavioral2/memory/3360-220-0x00007FF738900000-0x00007FF738C51000-memory.dmp	xmrig
behavioral2/memory/3120-235-0x00007FF74CDA0000-0x00007FF74D0F1000-memory.dmp	xmrig
behavioral2/memory/844-237-0x00007FF73D810000-0x00007FF73DB61000-memory.dmp	xmrig
behavioral2/memory/2300-239-0x00007FF7BEBA0000-0x00007FF7BEEF1000-memory.dmp	xmrig
behavioral2/memory/4160-241-0x00007FF6950D0000-0x00007FF695421000-memory.dmp	xmrig
behavioral2/memory/4356-243-0x00007FF73EAB0000-0x00007FF73EE01000-memory.dmp	xmrig
behavioral2/memory/3672-245-0x00007FF72BF00000-0x00007FF72C251000-memory.dmp	xmrig
behavioral2/memory/316-247-0x00007FF6F7740000-0x00007FF6F7A91000-memory.dmp	xmrig
behavioral2/memory/3652-249-0x00007FF6C77D0000-0x00007FF6C7B21000-memory.dmp	xmrig
behavioral2/memory/592-255-0x00007FF6312B0000-0x00007FF631601000-memory.dmp	xmrig
behavioral2/memory/2172-253-0x00007FF767940000-0x00007FF767C91000-memory.dmp	xmrig
behavioral2/memory/2496-252-0x00007FF74A2E0000-0x00007FF74A631000-memory.dmp	xmrig
behavioral2/memory/2052-257-0x00007FF6D37B0000-0x00007FF6D3B01000-memory.dmp	xmrig
behavioral2/memory/3712-259-0x00007FF7B9C10000-0x00007FF7B9F61000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2368	mKNsPeb.exe
1616	HUrnqiA.exe
3400	fuiHoaU.exe
1332	vUsyxGq.exe
2452	zqLHyQC.exe
1984	KfRJNDs.exe
2216	Hxlllic.exe
3360	dNCYcVw.exe
3120	DOBhvhJ.exe
4160	ugkmVsZ.exe
844	OidfrGN.exe
2300	tPIheAk.exe
4356	ahGkJbU.exe
3672	cBMUtwM.exe
3652	DGcITli.exe
316	eSFplGr.exe
2496	ramfuBN.exe
2172	wKUNzod.exe
592	HlZvPIH.exe
2052	IzjHDNV.exe
3712	kFODwiQ.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3844-0-0x00007FF738C10000-0x00007FF738F61000-memory.dmp	upx
behavioral2/files/0x0009000000023cce-6.dat	upx
behavioral2/files/0x0007000000023cd5-9.dat	upx
behavioral2/files/0x0008000000023cd1-11.dat	upx
behavioral2/memory/1616-14-0x00007FF7FC360000-0x00007FF7FC6B1000-memory.dmp	upx
behavioral2/memory/2368-13-0x00007FF655760000-0x00007FF655AB1000-memory.dmp	upx
behavioral2/files/0x0007000000023cd8-29.dat	upx
behavioral2/files/0x0008000000023cd2-35.dat	upx
behavioral2/memory/1984-36-0x00007FF77A6D0000-0x00007FF77AA21000-memory.dmp	upx
behavioral2/memory/2452-33-0x00007FF6D0480000-0x00007FF6D07D1000-memory.dmp	upx
behavioral2/files/0x0007000000023cd7-26.dat	upx
behavioral2/memory/1332-25-0x00007FF60D860000-0x00007FF60DBB1000-memory.dmp	upx
behavioral2/memory/3400-20-0x00007FF7B85E0000-0x00007FF7B8931000-memory.dmp	upx
behavioral2/memory/2216-44-0x00007FF6E4280000-0x00007FF6E45D1000-memory.dmp	upx
behavioral2/files/0x0007000000023cd9-41.dat	upx
behavioral2/files/0x0007000000023cdb-49.dat	upx
behavioral2/memory/3360-48-0x00007FF738900000-0x00007FF738C51000-memory.dmp	upx
behavioral2/memory/2368-59-0x00007FF655760000-0x00007FF655AB1000-memory.dmp	upx
behavioral2/files/0x0007000000023cde-62.dat	upx
behavioral2/files/0x0007000000023cdf-69.dat	upx
behavioral2/files/0x0007000000023ce2-82.dat	upx
behavioral2/files/0x0007000000023ce1-97.dat	upx
behavioral2/memory/2300-108-0x00007FF7BEBA0000-0x00007FF7BEEF1000-memory.dmp	upx
behavioral2/files/0x0007000000023ce6-107.dat	upx
behavioral2/files/0x0007000000023ce8-115.dat	upx
behavioral2/files/0x0007000000023ce7-122.dat	upx
behavioral2/files/0x0007000000023ce4-113.dat	upx
behavioral2/files/0x0007000000023ce5-112.dat	upx
behavioral2/memory/316-103-0x00007FF6F7740000-0x00007FF6F7A91000-memory.dmp	upx
behavioral2/files/0x0007000000023ce3-100.dat	upx
behavioral2/memory/3652-96-0x00007FF6C77D0000-0x00007FF6C7B21000-memory.dmp	upx
behavioral2/memory/4356-88-0x00007FF73EAB0000-0x00007FF73EE01000-memory.dmp	upx
behavioral2/files/0x0007000000023ce0-90.dat	upx
behavioral2/memory/844-80-0x00007FF73D810000-0x00007FF73DB61000-memory.dmp	upx
behavioral2/files/0x0007000000023cdd-71.dat	upx
behavioral2/memory/3120-68-0x00007FF74CDA0000-0x00007FF74D0F1000-memory.dmp	upx
behavioral2/memory/4160-70-0x00007FF6950D0000-0x00007FF695421000-memory.dmp	upx
behavioral2/memory/3844-58-0x00007FF738C10000-0x00007FF738F61000-memory.dmp	upx
behavioral2/files/0x0007000000023cdc-57.dat	upx
behavioral2/memory/3672-124-0x00007FF72BF00000-0x00007FF72C251000-memory.dmp	upx
behavioral2/memory/3844-125-0x00007FF738C10000-0x00007FF738F61000-memory.dmp	upx
behavioral2/memory/3400-128-0x00007FF7B85E0000-0x00007FF7B8931000-memory.dmp	upx
behavioral2/memory/2216-132-0x00007FF6E4280000-0x00007FF6E45D1000-memory.dmp	upx
behavioral2/memory/3360-133-0x00007FF738900000-0x00007FF738C51000-memory.dmp	upx
behavioral2/memory/2172-135-0x00007FF767940000-0x00007FF767C91000-memory.dmp	upx
behavioral2/memory/3712-136-0x00007FF7B9C10000-0x00007FF7B9F61000-memory.dmp	upx
behavioral2/memory/592-137-0x00007FF6312B0000-0x00007FF631601000-memory.dmp	upx
behavioral2/memory/2052-138-0x00007FF6D37B0000-0x00007FF6D3B01000-memory.dmp	upx
behavioral2/memory/2496-134-0x00007FF74A2E0000-0x00007FF74A631000-memory.dmp	upx
behavioral2/memory/1984-131-0x00007FF77A6D0000-0x00007FF77AA21000-memory.dmp	upx
behavioral2/memory/1332-129-0x00007FF60D860000-0x00007FF60DBB1000-memory.dmp	upx
behavioral2/memory/4356-143-0x00007FF73EAB0000-0x00007FF73EE01000-memory.dmp	upx
behavioral2/memory/316-146-0x00007FF6F7740000-0x00007FF6F7A91000-memory.dmp	upx
behavioral2/memory/4160-140-0x00007FF6950D0000-0x00007FF695421000-memory.dmp	upx
behavioral2/memory/3652-145-0x00007FF6C77D0000-0x00007FF6C7B21000-memory.dmp	upx
behavioral2/memory/3120-139-0x00007FF74CDA0000-0x00007FF74D0F1000-memory.dmp	upx
behavioral2/memory/3844-152-0x00007FF738C10000-0x00007FF738F61000-memory.dmp	upx
behavioral2/memory/2368-204-0x00007FF655760000-0x00007FF655AB1000-memory.dmp	upx
behavioral2/memory/1616-206-0x00007FF7FC360000-0x00007FF7FC6B1000-memory.dmp	upx
behavioral2/memory/3400-208-0x00007FF7B85E0000-0x00007FF7B8931000-memory.dmp	upx
behavioral2/memory/1332-212-0x00007FF60D860000-0x00007FF60DBB1000-memory.dmp	upx
behavioral2/memory/2452-211-0x00007FF6D0480000-0x00007FF6D07D1000-memory.dmp	upx
behavioral2/memory/1984-216-0x00007FF77A6D0000-0x00007FF77AA21000-memory.dmp	upx
behavioral2/memory/2216-218-0x00007FF6E4280000-0x00007FF6E45D1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\wKUNzod.exe	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mKNsPeb.exe	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HUrnqiA.exe	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dNCYcVw.exe	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ugkmVsZ.exe	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HlZvPIH.exe	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zqLHyQC.exe	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KfRJNDs.exe	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DGcITli.exe	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ramfuBN.exe	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ahGkJbU.exe	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cBMUtwM.exe	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fuiHoaU.exe	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DOBhvhJ.exe	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OidfrGN.exe	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tPIheAk.exe	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IzjHDNV.exe	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vUsyxGq.exe	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\Hxlllic.exe	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eSFplGr.exe	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kFODwiQ.exe	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3844	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	3844	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3844 wrote to memory of 2368	3844	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3844 wrote to memory of 2368	3844	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3844 wrote to memory of 1616	3844	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3844 wrote to memory of 1616	3844	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3844 wrote to memory of 3400	3844	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3844 wrote to memory of 3400	3844	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3844 wrote to memory of 1332	3844	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3844 wrote to memory of 1332	3844	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3844 wrote to memory of 2452	3844	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3844 wrote to memory of 2452	3844	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3844 wrote to memory of 1984	3844	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3844 wrote to memory of 1984	3844	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3844 wrote to memory of 2216	3844	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3844 wrote to memory of 2216	3844	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3844 wrote to memory of 3360	3844	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3844 wrote to memory of 3360	3844	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3844 wrote to memory of 3120	3844	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3844 wrote to memory of 3120	3844	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3844 wrote to memory of 4160	3844	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3844 wrote to memory of 4160	3844	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3844 wrote to memory of 844	3844	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3844 wrote to memory of 844	3844	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3844 wrote to memory of 2300	3844	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3844 wrote to memory of 2300	3844	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3844 wrote to memory of 4356	3844	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3844 wrote to memory of 4356	3844	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3844 wrote to memory of 3672	3844	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3844 wrote to memory of 3672	3844	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3844 wrote to memory of 3652	3844	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3844 wrote to memory of 3652	3844	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3844 wrote to memory of 316	3844	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3844 wrote to memory of 316	3844	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3844 wrote to memory of 2496	3844	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3844 wrote to memory of 2496	3844	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3844 wrote to memory of 2172	3844	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3844 wrote to memory of 2172	3844	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3844 wrote to memory of 592	3844	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3844 wrote to memory of 592	3844	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3844 wrote to memory of 3712	3844	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3844 wrote to memory of 3712	3844	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3844 wrote to memory of 2052	3844	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 3844 wrote to memory of 2052	3844	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3844
- C:\Windows\System\mKNsPeb.exe
  C:\Windows\System\mKNsPeb.exe
  2⤵
  - Executes dropped EXE
  PID:2368
- C:\Windows\System\HUrnqiA.exe
  C:\Windows\System\HUrnqiA.exe
  2⤵
  - Executes dropped EXE
  PID:1616
- C:\Windows\System\fuiHoaU.exe
  C:\Windows\System\fuiHoaU.exe
  2⤵
  - Executes dropped EXE
  PID:3400
- C:\Windows\System\vUsyxGq.exe
  C:\Windows\System\vUsyxGq.exe
  2⤵
  - Executes dropped EXE
  PID:1332
- C:\Windows\System\zqLHyQC.exe
  C:\Windows\System\zqLHyQC.exe
  2⤵
  - Executes dropped EXE
  PID:2452
- C:\Windows\System\KfRJNDs.exe
  C:\Windows\System\KfRJNDs.exe
  2⤵
  - Executes dropped EXE
  PID:1984
- C:\Windows\System\Hxlllic.exe
  C:\Windows\System\Hxlllic.exe
  2⤵
  - Executes dropped EXE
  PID:2216
- C:\Windows\System\dNCYcVw.exe
  C:\Windows\System\dNCYcVw.exe
  2⤵
  - Executes dropped EXE
  PID:3360
- C:\Windows\System\DOBhvhJ.exe
  C:\Windows\System\DOBhvhJ.exe
  2⤵
  - Executes dropped EXE
  PID:3120
- C:\Windows\System\ugkmVsZ.exe
  C:\Windows\System\ugkmVsZ.exe
  2⤵
  - Executes dropped EXE
  PID:4160
- C:\Windows\System\OidfrGN.exe
  C:\Windows\System\OidfrGN.exe
  2⤵
  - Executes dropped EXE
  PID:844
- C:\Windows\System\tPIheAk.exe
  C:\Windows\System\tPIheAk.exe
  2⤵
  - Executes dropped EXE
  PID:2300
- C:\Windows\System\ahGkJbU.exe
  C:\Windows\System\ahGkJbU.exe
  2⤵
  - Executes dropped EXE
  PID:4356
- C:\Windows\System\cBMUtwM.exe
  C:\Windows\System\cBMUtwM.exe
  2⤵
  - Executes dropped EXE
  PID:3672
- C:\Windows\System\DGcITli.exe
  C:\Windows\System\DGcITli.exe
  2⤵
  - Executes dropped EXE
  PID:3652
- C:\Windows\System\eSFplGr.exe
  C:\Windows\System\eSFplGr.exe
  2⤵
  - Executes dropped EXE
  PID:316
- C:\Windows\System\ramfuBN.exe
  C:\Windows\System\ramfuBN.exe
  2⤵
  - Executes dropped EXE
  PID:2496
- C:\Windows\System\wKUNzod.exe
  C:\Windows\System\wKUNzod.exe
  2⤵
  - Executes dropped EXE
  PID:2172
- C:\Windows\System\HlZvPIH.exe
  C:\Windows\System\HlZvPIH.exe
  2⤵
  - Executes dropped EXE
  PID:592
- C:\Windows\System\kFODwiQ.exe
  C:\Windows\System\kFODwiQ.exe
  2⤵
  - Executes dropped EXE
  PID:3712
- C:\Windows\System\IzjHDNV.exe
  C:\Windows\System\IzjHDNV.exe
  2⤵
  - Executes dropped EXE
  PID:2052

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\DGcITli.exe

Filesize
5.2MB

MD5
8c6295e715f0138b9958210984c01bd1

SHA1
9456fe228f73e7910106afbe7e984c6c8827206e

SHA256
7866cf4efcdd1c7a575df84048b1a5d6fec6880e084ec87087116ee4aaa2ae88

SHA512
7f3a29581d903de3675393540cf88f3d3ec45bcba62b0a5bfadb3097301d566ad7ff4b3597155ecff4bf984783461b551559f927cf71f599faa5f61c486bac68

Download Submit
C:\Windows\System\DOBhvhJ.exe

Filesize
5.2MB

MD5
66e8a67b3b8b5be07d04e0ceedc4cf66

SHA1
87317159a0945727342555cd92227b34610ca661

SHA256
0fab97e869696e9b294295a4c294c1ca12b00c512a0c33229f1981ce3e95e01c

SHA512
292800b5d27c122a96f61c89b465b97eae43de3d7020303d57668a5468842123d42b25dc7104b9cb892c072f29a717df4086c2e3a0374e1679e37215fafada6c

Download Submit
C:\Windows\System\HUrnqiA.exe

Filesize
5.2MB

MD5
dedc0901201ef2b4d7824516390fe3b0

SHA1
429f11c40a8e10bd1411b6dc76ac95b492cf477d

SHA256
3b439797ca0ff79a58b1009b2a01897449149be8adae5ecaea1282543d7d30ab

SHA512
b2e563bd2eae87f4f4c28d30b0e879317ab3e4bb8d48213ddd8427441f9dc10deeba8f2cebd48069bd15028760a891270a4e586f8d4c01b868745bcd75469baa

Download Submit
C:\Windows\System\HlZvPIH.exe

Filesize
5.2MB

MD5
5893ff3af215c01e0aa978a54d30b1c7

SHA1
0e700374f6807cab655c99375bc25ccc0162b034

SHA256
7f93fbd65ecd336f4e94a4b77217419cb3502442ee2fbe9382cf5bfa93b67d87

SHA512
fd7cf1815987cb47dd4c18e17a09e2c80bec6b4288d00c9120c61b45f67a272ce8ce7a38ca95d8d74c8f1aff97986c6df0f0790d9c4a6cdfc06937aa8121a998

Download Submit
C:\Windows\System\Hxlllic.exe

Filesize
5.2MB

MD5
848958650c85676171b6693b12ef3b7e

SHA1
98272c7d9aae612041dfac3681b4d8a216a99d9f

SHA256
5a84da81afc68e7a2a0c019b767e76d900f1d6257128b4b6645e3901880da6c1

SHA512
0e1a3e83a86d6ccbdf34da52cd8f071f343f09fe421394da05328e9db33ac7b7c070e3225c5b55f14323402954a9122dafd23589dd285836f4298f7960a5856d

Download Submit
C:\Windows\System\IzjHDNV.exe

Filesize
5.2MB

MD5
fe2ba3a946911735a7432645533f4840

SHA1
449c99003f71c3ed6625ec17354bd8b3b7e060f8

SHA256
7f25bd6f787c72db9994dbe85cd43910852eeeb6a89128a0eb8f6a71267b56ae

SHA512
dafb59a56f5d942f52b33834183db7393c3a60b59090fdf73f467bc423d9a227b6909f277b229fd025b66867bf6d7e18cd273d5db0067064c193734a9532c3d2

Download Submit
C:\Windows\System\KfRJNDs.exe

Filesize
5.2MB

MD5
decb37f13c61cc6e88a4a6057e4ddf91

SHA1
c0316ef79e5d30d4d3d2a9bbdfeb751e8991b2fc

SHA256
5a69c3c28d659de53e031842c6bc4c56d34c04b54775d4836944bdb1512f1d96

SHA512
7cafec4d443c21d283aa2de2dd5d776b1eab72a0ac938fdfcab341fb7c3e63b31ae449a3e1cd27147dae06869ad0c6d2e2b7722261715b6b6cc6426e0eb2d00d

Download Submit
C:\Windows\System\OidfrGN.exe

Filesize
5.2MB

MD5
7d890c2c753cfa2f68b2d1f23469875d

SHA1
7b910b120fb21c36241b2715695aeb5b5d26af3d

SHA256
62ebd0be5fa73f1340aa931e258810e8cd143fb7bff5b2909badaf8cc450ed4f

SHA512
1317b18e2e6308d24cadbc99cdf3dd40bf0f2aea2c128dcaf0fe900657a6ddf0fe202aca9563d71db155d875caa758c48f5e1d7194cc0f9f42726b5eed4268f4

Download Submit
C:\Windows\System\ahGkJbU.exe

Filesize
5.2MB

MD5
93d97920494b6f48feac4c790b5af3d5

SHA1
cb3ddc8107a4085ee5b3016f60821703b8553273

SHA256
f959b1cf56cb1dbe95237387af210ba30112fe9dfdbf75815794aa7fe436eb36

SHA512
4962699fb4f366418b43799858bb4820323aff861cb8bf031da9db547066109c7747bfd1ad67ab57da9ddc32ecaa386c4fbac8062b4a53bb41d21bcd256bb463

Download Submit
C:\Windows\System\cBMUtwM.exe

Filesize
5.2MB

MD5
f2895b693e8bef5a4f4c20cf9447844c

SHA1
670d70696ee1b54b92cc12db75d60ecddde00f6b

SHA256
e69a01a03c3045ccf2743f848c09887693fd5aff2217983c68b6bbaab3155712

SHA512
793b3e45f1b5835d8a2a98af7915e4ccd10621fe59a9edd28a1f1a9b18a464dcbef6565534c7dd8366001d5aa8ee5cbfc1407de25db4d85791f81b91d2fe04fd

Download Submit
C:\Windows\System\dNCYcVw.exe

Filesize
5.2MB

MD5
bf804e6d2a8a40054a45529ffb1e20f0

SHA1
fcdcaf247dc827d0c6a4adf48c5bb424be3834e1

SHA256
69e5a87c88432e34d2c23a4801792a8cb9eb5bdad4a87a83d68dcd45cdacb00f

SHA512
bbbd584ea0bb771ecc99c5ee8b784047d1587a0bdd62ffb0029cabd97099892b432f975d9921da2b916c34490cf4111b0120b5b71ca7eb78386c8ab3f4929b2d

Download Submit
C:\Windows\System\eSFplGr.exe

Filesize
5.2MB

MD5
6d25024c96d031d23c39a1e50dddea61

SHA1
bbae45d872e3b2fcb2dd1ca101643cb4fb176a99

SHA256
8cce2f2900a7255644a8fd8f0a658188b65fe2d97f9f9e6c547f82ec2930f7c3

SHA512
a39a9e30b24ba59fac50bfcbfb3ee14eeb0ae65b824928c5f81363356df48a039b2b6e9f57ab2613430078922f8746e1df1143110cd8b2a25f15f9dc2c41d4fb

Download Submit
C:\Windows\System\fuiHoaU.exe

Filesize
5.2MB

MD5
66abe81c80bffa7a586ceffaad3e2dca

SHA1
05021b6cc3955798e587a3e638b122eb3ee27a52

SHA256
508be20b58d9c54549b0326d6476a37bb40fdf11dbaf17195239e8933265912e

SHA512
de230df35d2ea1e6079fcb873ef3c41dbedf0c4e6201c68347447ec2ce09a0bd0ea9578305da14ec4ca65cd2b5d14caad92e444c9dbc5b2c733f5356c41209a1

Download Submit
C:\Windows\System\kFODwiQ.exe

Filesize
5.2MB

MD5
105bfebf390b04b24255e3460737984c

SHA1
68a9964fafbdefd7da48c61499c740e0d6c36e00

SHA256
66c17489301c2a352e5e00d424a0a3c06b116a709e502b570d7fc2389ff0d7fb

SHA512
81a951281ac5ba2c1b83e3162fe8c26a64e03791d4f1073649f9ab8a822f2cf4afb10fb159d68df9238df4390176b78c70f63d8ca63b131362df50326dd768d5

Download Submit
C:\Windows\System\mKNsPeb.exe

Filesize
5.2MB

MD5
82408b6b61deb798322eedd9144de948

SHA1
4b066128dc65f46cb7135ff34e705f912fc0bb96

SHA256
74810455548d6a84506aa46c7a320f0503ada078446f2af9a315322be6799de5

SHA512
f56c6672f936ff19903751cd79214a4ee372b0a7ff5ce5b48637a126c4dc2f2b96385caffb6e69ea0dac0e50eb012387faddffb63de364446a3fddb6621916d0

Download Submit
C:\Windows\System\ramfuBN.exe

Filesize
5.2MB

MD5
45d52306b864b8ba63efd8ed51654dcd

SHA1
af33963c55f96b9162edc8528241309feb6af23c

SHA256
ce883d7da7abdd6baf208a1be57a9e399c633340e81e58f5f295c56f7aac5e9a

SHA512
93ea54ca9fa5645fbd16c1540827163960134aa26aa9d90409cd10d32ac794d2012a99aa019346af079fc4b825dd30a0353c64904c44b7dc93baf39a0ae7deb9

Download Submit
C:\Windows\System\tPIheAk.exe

Filesize
5.2MB

MD5
89050339e244eb3380678f3554e22902

SHA1
547026fba10bfdd381e364bdfa4a2ca013db5c16

SHA256
f42efffab9ea9bc32ad2dd8d2138997846d8a9395018f1ca76d92ce60f0189a1

SHA512
5514b3085815a6319262928eec904a96e7eb8a394fcb7c30e40320d0653038f86ab4a93d615a856dbc5d11d4b8c15faeec8e782f566c1b81ddfdb489b63a6eb9

Download Submit
C:\Windows\System\ugkmVsZ.exe

Filesize
5.2MB

MD5
51bdcea531427f26ad9fd8e2ea68f46c

SHA1
28b579bac5be3a82eee18f0d07013090c52ad77e

SHA256
d9061a1893aca2199291449628f5214514b3f3dc2cfcfc38d3b6b4406208a1d3

SHA512
5311c69ab77114910f01367b12c5cf79bad23aa9be3a1fa532954795c92c4ce96e2e9e42fe73c66e786bf8cf7ff865dbb9549e03d67c35d5db91f8bbdc508863

Download Submit
C:\Windows\System\vUsyxGq.exe

Filesize
5.2MB

MD5
0a2faf1f9478ec45bbb56a9756564532

SHA1
c83af595d47bff4291f26deae6fc00c33b3d3040

SHA256
a102a1840d049a1f3e11b2fd849f84388b211c3258cbc97f42b079be2016194f

SHA512
fb9d3dcf49e06c6e2c0b74fcfae66e2efbe8fdbefb2642b44322756ffb18192854c52ac6372215272d160ea62577af0519d0f7865459fefbd87a05c8ea084fa4

Download Submit
C:\Windows\System\wKUNzod.exe

Filesize
5.2MB

MD5
c1e1ffd6fb175df7121f2fbe0cdaaab8

SHA1
bede190d07ea0d8581d52b5d5d1df353d25a35ac

SHA256
9391cdb38ba77ebbb8ad1ac0cc0077ee63af63c31f2328a36afc689b1e7642b7

SHA512
5726342202d41a4b010a2a3ba59d863a16cc3b43498a9cd999ef69aecc691af92d9d8699edf467f8093eb0a7dfeeecd14d98baf273d17ab37cfec7e24a1adec9

Download Submit
C:\Windows\System\zqLHyQC.exe

Filesize
5.2MB

MD5
fff7c52b7c1e595462168c16c2bdd420

SHA1
8a6c7533d60b002a6dbb441d385d96d84fd21ab0

SHA256
56e11968f43c4c7ca21d03bb663374270bf42cde792c80587a2eb1ecfb356bdf

SHA512
79ab8b0825ab369f2ee52dfa7875a4be1d0125fed90d08eece4bb409c7c1a3946f26a1d01af9974dbecf50a68a58b3b9cc05c584619d9dee3ad6eec0155fe620

Download Submit
memory/316-146-0x00007FF6F7740000-0x00007FF6F7A91000-memory.dmp

Filesize
3.3MB

Download
memory/316-103-0x00007FF6F7740000-0x00007FF6F7A91000-memory.dmp

Filesize
3.3MB

Download
memory/316-247-0x00007FF6F7740000-0x00007FF6F7A91000-memory.dmp

Filesize
3.3MB

Download
memory/592-137-0x00007FF6312B0000-0x00007FF631601000-memory.dmp

Filesize
3.3MB

Download
memory/592-255-0x00007FF6312B0000-0x00007FF631601000-memory.dmp

Filesize
3.3MB

Download
memory/844-237-0x00007FF73D810000-0x00007FF73DB61000-memory.dmp

Filesize
3.3MB

Download
memory/844-80-0x00007FF73D810000-0x00007FF73DB61000-memory.dmp

Filesize
3.3MB

Download
memory/1332-129-0x00007FF60D860000-0x00007FF60DBB1000-memory.dmp

Filesize
3.3MB

Download
memory/1332-25-0x00007FF60D860000-0x00007FF60DBB1000-memory.dmp

Filesize
3.3MB

Download
memory/1332-212-0x00007FF60D860000-0x00007FF60DBB1000-memory.dmp

Filesize
3.3MB

Download
memory/1616-14-0x00007FF7FC360000-0x00007FF7FC6B1000-memory.dmp

Filesize
3.3MB

Download
memory/1616-206-0x00007FF7FC360000-0x00007FF7FC6B1000-memory.dmp

Filesize
3.3MB

Download
memory/1984-216-0x00007FF77A6D0000-0x00007FF77AA21000-memory.dmp

Filesize
3.3MB

Download
memory/1984-131-0x00007FF77A6D0000-0x00007FF77AA21000-memory.dmp

Filesize
3.3MB

Download
memory/1984-36-0x00007FF77A6D0000-0x00007FF77AA21000-memory.dmp

Filesize
3.3MB

Download
memory/2052-257-0x00007FF6D37B0000-0x00007FF6D3B01000-memory.dmp

Filesize
3.3MB

Download
memory/2052-138-0x00007FF6D37B0000-0x00007FF6D3B01000-memory.dmp

Filesize
3.3MB

Download
memory/2172-135-0x00007FF767940000-0x00007FF767C91000-memory.dmp

Filesize
3.3MB

Download
memory/2172-253-0x00007FF767940000-0x00007FF767C91000-memory.dmp

Filesize
3.3MB

Download
memory/2216-218-0x00007FF6E4280000-0x00007FF6E45D1000-memory.dmp

Filesize
3.3MB

Download
memory/2216-44-0x00007FF6E4280000-0x00007FF6E45D1000-memory.dmp

Filesize
3.3MB

Download
memory/2216-132-0x00007FF6E4280000-0x00007FF6E45D1000-memory.dmp

Filesize
3.3MB

Download
memory/2300-239-0x00007FF7BEBA0000-0x00007FF7BEEF1000-memory.dmp

Filesize
3.3MB

Download
memory/2300-108-0x00007FF7BEBA0000-0x00007FF7BEEF1000-memory.dmp

Filesize
3.3MB

Download
memory/2368-204-0x00007FF655760000-0x00007FF655AB1000-memory.dmp

Filesize
3.3MB

Download
memory/2368-13-0x00007FF655760000-0x00007FF655AB1000-memory.dmp

Filesize
3.3MB

Download
memory/2368-59-0x00007FF655760000-0x00007FF655AB1000-memory.dmp

Filesize
3.3MB

Download
memory/2452-33-0x00007FF6D0480000-0x00007FF6D07D1000-memory.dmp

Filesize
3.3MB

Download
memory/2452-211-0x00007FF6D0480000-0x00007FF6D07D1000-memory.dmp

Filesize
3.3MB

Download
memory/2496-134-0x00007FF74A2E0000-0x00007FF74A631000-memory.dmp

Filesize
3.3MB

Download
memory/2496-252-0x00007FF74A2E0000-0x00007FF74A631000-memory.dmp

Filesize
3.3MB

Download
memory/3120-139-0x00007FF74CDA0000-0x00007FF74D0F1000-memory.dmp

Filesize
3.3MB

Download
memory/3120-235-0x00007FF74CDA0000-0x00007FF74D0F1000-memory.dmp

Filesize
3.3MB

Download
memory/3120-68-0x00007FF74CDA0000-0x00007FF74D0F1000-memory.dmp

Filesize
3.3MB

Download
memory/3360-220-0x00007FF738900000-0x00007FF738C51000-memory.dmp

Filesize
3.3MB

Download
memory/3360-48-0x00007FF738900000-0x00007FF738C51000-memory.dmp

Filesize
3.3MB

Download
memory/3360-133-0x00007FF738900000-0x00007FF738C51000-memory.dmp

Filesize
3.3MB

Download
memory/3400-128-0x00007FF7B85E0000-0x00007FF7B8931000-memory.dmp

Filesize
3.3MB

Download
memory/3400-20-0x00007FF7B85E0000-0x00007FF7B8931000-memory.dmp

Filesize
3.3MB

Download
memory/3400-208-0x00007FF7B85E0000-0x00007FF7B8931000-memory.dmp

Filesize
3.3MB

Download
memory/3652-145-0x00007FF6C77D0000-0x00007FF6C7B21000-memory.dmp

Filesize
3.3MB

Download
memory/3652-249-0x00007FF6C77D0000-0x00007FF6C7B21000-memory.dmp

Filesize
3.3MB

Download
memory/3652-96-0x00007FF6C77D0000-0x00007FF6C7B21000-memory.dmp

Filesize
3.3MB

Download
memory/3672-124-0x00007FF72BF00000-0x00007FF72C251000-memory.dmp

Filesize
3.3MB

Download
memory/3672-245-0x00007FF72BF00000-0x00007FF72C251000-memory.dmp

Filesize
3.3MB

Download
memory/3712-136-0x00007FF7B9C10000-0x00007FF7B9F61000-memory.dmp

Filesize
3.3MB

Download
memory/3712-259-0x00007FF7B9C10000-0x00007FF7B9F61000-memory.dmp

Filesize
3.3MB

Download
memory/3844-58-0x00007FF738C10000-0x00007FF738F61000-memory.dmp

Filesize
3.3MB

Download
memory/3844-0-0x00007FF738C10000-0x00007FF738F61000-memory.dmp

Filesize
3.3MB

Download
memory/3844-125-0x00007FF738C10000-0x00007FF738F61000-memory.dmp

Filesize
3.3MB

Download
memory/3844-152-0x00007FF738C10000-0x00007FF738F61000-memory.dmp

Filesize
3.3MB

Download
memory/3844-1-0x0000015DD9830000-0x0000015DD9840000-memory.dmp

Filesize
64KB

Download
memory/4160-140-0x00007FF6950D0000-0x00007FF695421000-memory.dmp

Filesize
3.3MB

Download
memory/4160-70-0x00007FF6950D0000-0x00007FF695421000-memory.dmp

Filesize
3.3MB

Download
memory/4160-241-0x00007FF6950D0000-0x00007FF695421000-memory.dmp

Filesize
3.3MB

Download
memory/4356-143-0x00007FF73EAB0000-0x00007FF73EE01000-memory.dmp

Filesize
3.3MB

Download
memory/4356-88-0x00007FF73EAB0000-0x00007FF73EE01000-memory.dmp

Filesize
3.3MB

Download
memory/4356-243-0x00007FF73EAB0000-0x00007FF73EE01000-memory.dmp

Filesize
3.3MB

Download