cobaltstrike | 6dd913a33202ff1472777c3570572e9ceb6a41212774cf48b5fd445c5efb3d0d

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22/01/2025, 04:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-22_a376594f497916331d7d92f146d654a1_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

a376594f497916331d7d92f146d654a1
SHA1

eac367230ba2f4463efdb440b3399fead983e730
SHA256

6dd913a33202ff1472777c3570572e9ceb6a41212774cf48b5fd445c5efb3d0d
SHA512

bdbe6e426136b25b20f3a95031a495c3b26f61575cad6563ed0bf75cd9ae27313cb26a4988edd5c7c9658bc79cd17cca036f92d9cf5fd4a2dd56bac11d9aa258
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lP:RWWBibf56utgpPFotBER/mQ32lUb

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000a000000023cbc-4.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc1-8.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc0-11.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc2-23.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc4-40.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc5-53.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023cbd-61.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ccc-74.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cce-110.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cd2-123.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cd1-122.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cd0-121.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ccf-112.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ccd-104.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc9-96.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ccb-89.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cca-86.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc7-79.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc8-76.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc6-64.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc3-48.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 46 IoCs

miner

resource	yara_rule
behavioral2/memory/2584-119-0x00007FF6CE420000-0x00007FF6CE771000-memory.dmp	xmrig
behavioral2/memory/2524-116-0x00007FF62B320000-0x00007FF62B671000-memory.dmp	xmrig
behavioral2/memory/4712-115-0x00007FF7C2320000-0x00007FF7C2671000-memory.dmp	xmrig
behavioral2/memory/900-114-0x00007FF6B4E60000-0x00007FF6B51B1000-memory.dmp	xmrig
behavioral2/memory/2436-108-0x00007FF748640000-0x00007FF748991000-memory.dmp	xmrig
behavioral2/memory/4620-107-0x00007FF7CA870000-0x00007FF7CABC1000-memory.dmp	xmrig
behavioral2/memory/2132-129-0x00007FF7B1740000-0x00007FF7B1A91000-memory.dmp	xmrig
behavioral2/memory/4576-144-0x00007FF61FB80000-0x00007FF61FED1000-memory.dmp	xmrig
behavioral2/memory/2932-142-0x00007FF79A8A0000-0x00007FF79ABF1000-memory.dmp	xmrig
behavioral2/memory/2768-141-0x00007FF78CD00000-0x00007FF78D051000-memory.dmp	xmrig
behavioral2/memory/3972-139-0x00007FF6AB450000-0x00007FF6AB7A1000-memory.dmp	xmrig
behavioral2/memory/2640-136-0x00007FF77F180000-0x00007FF77F4D1000-memory.dmp	xmrig
behavioral2/memory/3460-132-0x00007FF78B7F0000-0x00007FF78BB41000-memory.dmp	xmrig
behavioral2/memory/2124-130-0x00007FF747150000-0x00007FF7474A1000-memory.dmp	xmrig
behavioral2/memory/2524-145-0x00007FF62B320000-0x00007FF62B671000-memory.dmp	xmrig
behavioral2/memory/2136-140-0x00007FF659660000-0x00007FF6599B1000-memory.dmp	xmrig
behavioral2/memory/2392-134-0x00007FF642FB0000-0x00007FF643301000-memory.dmp	xmrig
behavioral2/memory/3992-133-0x00007FF6B5510000-0x00007FF6B5861000-memory.dmp	xmrig
behavioral2/memory/5044-131-0x00007FF60A800000-0x00007FF60AB51000-memory.dmp	xmrig
behavioral2/memory/3656-128-0x00007FF665BC0000-0x00007FF665F11000-memory.dmp	xmrig
behavioral2/memory/4248-148-0x00007FF72DCC0000-0x00007FF72E011000-memory.dmp	xmrig
behavioral2/memory/2260-149-0x00007FF699090000-0x00007FF6993E1000-memory.dmp	xmrig
behavioral2/memory/4772-147-0x00007FF6A9940000-0x00007FF6A9C91000-memory.dmp	xmrig
behavioral2/memory/3656-150-0x00007FF665BC0000-0x00007FF665F11000-memory.dmp	xmrig
behavioral2/memory/3656-151-0x00007FF665BC0000-0x00007FF665F11000-memory.dmp	xmrig
behavioral2/memory/2132-211-0x00007FF7B1740000-0x00007FF7B1A91000-memory.dmp	xmrig
behavioral2/memory/2124-213-0x00007FF747150000-0x00007FF7474A1000-memory.dmp	xmrig
behavioral2/memory/5044-215-0x00007FF60A800000-0x00007FF60AB51000-memory.dmp	xmrig
behavioral2/memory/3460-217-0x00007FF78B7F0000-0x00007FF78BB41000-memory.dmp	xmrig
behavioral2/memory/3992-219-0x00007FF6B5510000-0x00007FF6B5861000-memory.dmp	xmrig
behavioral2/memory/2392-228-0x00007FF642FB0000-0x00007FF643301000-memory.dmp	xmrig
behavioral2/memory/4620-230-0x00007FF7CA870000-0x00007FF7CABC1000-memory.dmp	xmrig
behavioral2/memory/2640-232-0x00007FF77F180000-0x00007FF77F4D1000-memory.dmp	xmrig
behavioral2/memory/900-236-0x00007FF6B4E60000-0x00007FF6B51B1000-memory.dmp	xmrig
behavioral2/memory/3972-238-0x00007FF6AB450000-0x00007FF6AB7A1000-memory.dmp	xmrig
behavioral2/memory/2436-235-0x00007FF748640000-0x00007FF748991000-memory.dmp	xmrig
behavioral2/memory/2932-240-0x00007FF79A8A0000-0x00007FF79ABF1000-memory.dmp	xmrig
behavioral2/memory/2136-248-0x00007FF659660000-0x00007FF6599B1000-memory.dmp	xmrig
behavioral2/memory/4712-247-0x00007FF7C2320000-0x00007FF7C2671000-memory.dmp	xmrig
behavioral2/memory/2584-250-0x00007FF6CE420000-0x00007FF6CE771000-memory.dmp	xmrig
behavioral2/memory/4576-244-0x00007FF61FB80000-0x00007FF61FED1000-memory.dmp	xmrig
behavioral2/memory/2768-243-0x00007FF78CD00000-0x00007FF78D051000-memory.dmp	xmrig
behavioral2/memory/2260-253-0x00007FF699090000-0x00007FF6993E1000-memory.dmp	xmrig
behavioral2/memory/4248-254-0x00007FF72DCC0000-0x00007FF72E011000-memory.dmp	xmrig
behavioral2/memory/4772-256-0x00007FF6A9940000-0x00007FF6A9C91000-memory.dmp	xmrig
behavioral2/memory/2524-260-0x00007FF62B320000-0x00007FF62B671000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2132	RNRnXOO.exe
2124	VGMQgDb.exe
5044	VekKkYz.exe
3460	UrhLoFG.exe
3992	cANXguK.exe
2392	KdnQauc.exe
4620	KmRnwwE.exe
2640	xNBEUKY.exe
2436	zCbVPFp.exe
3972	CNUQwAq.exe
900	jgDTeFx.exe
2136	CmKxgsc.exe
2768	AqfLDTq.exe
2932	IdtVEbQ.exe
4712	RFfptLL.exe
4576	JfTDZoW.exe
2524	LSMknuX.exe
2584	XbDOEZA.exe
4772	SWZkJWg.exe
4248	imUoUTd.exe
2260	pNZzjkA.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3656-0-0x00007FF665BC0000-0x00007FF665F11000-memory.dmp	upx
behavioral2/files/0x000a000000023cbc-4.dat	upx
behavioral2/files/0x0007000000023cc1-8.dat	upx
behavioral2/memory/2132-9-0x00007FF7B1740000-0x00007FF7B1A91000-memory.dmp	upx
behavioral2/files/0x0007000000023cc0-11.dat	upx
behavioral2/files/0x0007000000023cc2-23.dat	upx
behavioral2/files/0x0007000000023cc4-40.dat	upx
behavioral2/files/0x0007000000023cc5-53.dat	upx
behavioral2/files/0x0008000000023cbd-61.dat	upx
behavioral2/files/0x0007000000023ccc-74.dat	upx
behavioral2/files/0x0007000000023cce-110.dat	upx
behavioral2/memory/4248-120-0x00007FF72DCC0000-0x00007FF72E011000-memory.dmp	upx
behavioral2/files/0x0007000000023cd2-123.dat	upx
behavioral2/files/0x0007000000023cd1-122.dat	upx
behavioral2/files/0x0007000000023cd0-121.dat	upx
behavioral2/memory/2584-119-0x00007FF6CE420000-0x00007FF6CE771000-memory.dmp	upx
behavioral2/memory/2260-118-0x00007FF699090000-0x00007FF6993E1000-memory.dmp	upx
behavioral2/memory/4772-117-0x00007FF6A9940000-0x00007FF6A9C91000-memory.dmp	upx
behavioral2/memory/2524-116-0x00007FF62B320000-0x00007FF62B671000-memory.dmp	upx
behavioral2/memory/4712-115-0x00007FF7C2320000-0x00007FF7C2671000-memory.dmp	upx
behavioral2/memory/900-114-0x00007FF6B4E60000-0x00007FF6B51B1000-memory.dmp	upx
behavioral2/files/0x0007000000023ccf-112.dat	upx
behavioral2/memory/2436-108-0x00007FF748640000-0x00007FF748991000-memory.dmp	upx
behavioral2/memory/4620-107-0x00007FF7CA870000-0x00007FF7CABC1000-memory.dmp	upx
behavioral2/files/0x0007000000023ccd-104.dat	upx
behavioral2/files/0x0007000000023cc9-96.dat	upx
behavioral2/memory/4576-95-0x00007FF61FB80000-0x00007FF61FED1000-memory.dmp	upx
behavioral2/memory/2932-94-0x00007FF79A8A0000-0x00007FF79ABF1000-memory.dmp	upx
behavioral2/files/0x0007000000023ccb-89.dat	upx
behavioral2/files/0x0007000000023cca-86.dat	upx
behavioral2/files/0x0007000000023cc7-79.dat	upx
behavioral2/memory/2768-78-0x00007FF78CD00000-0x00007FF78D051000-memory.dmp	upx
behavioral2/memory/2136-73-0x00007FF659660000-0x00007FF6599B1000-memory.dmp	upx
behavioral2/memory/3972-72-0x00007FF6AB450000-0x00007FF6AB7A1000-memory.dmp	upx
behavioral2/files/0x0007000000023cc8-76.dat	upx
behavioral2/files/0x0007000000023cc6-64.dat	upx
behavioral2/memory/2640-55-0x00007FF77F180000-0x00007FF77F4D1000-memory.dmp	upx
behavioral2/files/0x0007000000023cc3-48.dat	upx
behavioral2/memory/2392-47-0x00007FF642FB0000-0x00007FF643301000-memory.dmp	upx
behavioral2/memory/3992-31-0x00007FF6B5510000-0x00007FF6B5861000-memory.dmp	upx
behavioral2/memory/3460-26-0x00007FF78B7F0000-0x00007FF78BB41000-memory.dmp	upx
behavioral2/memory/5044-20-0x00007FF60A800000-0x00007FF60AB51000-memory.dmp	upx
behavioral2/memory/2124-17-0x00007FF747150000-0x00007FF7474A1000-memory.dmp	upx
behavioral2/memory/2132-129-0x00007FF7B1740000-0x00007FF7B1A91000-memory.dmp	upx
behavioral2/memory/4576-144-0x00007FF61FB80000-0x00007FF61FED1000-memory.dmp	upx
behavioral2/memory/2932-142-0x00007FF79A8A0000-0x00007FF79ABF1000-memory.dmp	upx
behavioral2/memory/2768-141-0x00007FF78CD00000-0x00007FF78D051000-memory.dmp	upx
behavioral2/memory/3972-139-0x00007FF6AB450000-0x00007FF6AB7A1000-memory.dmp	upx
behavioral2/memory/2640-136-0x00007FF77F180000-0x00007FF77F4D1000-memory.dmp	upx
behavioral2/memory/3460-132-0x00007FF78B7F0000-0x00007FF78BB41000-memory.dmp	upx
behavioral2/memory/2124-130-0x00007FF747150000-0x00007FF7474A1000-memory.dmp	upx
behavioral2/memory/2524-145-0x00007FF62B320000-0x00007FF62B671000-memory.dmp	upx
behavioral2/memory/2136-140-0x00007FF659660000-0x00007FF6599B1000-memory.dmp	upx
behavioral2/memory/2392-134-0x00007FF642FB0000-0x00007FF643301000-memory.dmp	upx
behavioral2/memory/3992-133-0x00007FF6B5510000-0x00007FF6B5861000-memory.dmp	upx
behavioral2/memory/5044-131-0x00007FF60A800000-0x00007FF60AB51000-memory.dmp	upx
behavioral2/memory/3656-128-0x00007FF665BC0000-0x00007FF665F11000-memory.dmp	upx
behavioral2/memory/4248-148-0x00007FF72DCC0000-0x00007FF72E011000-memory.dmp	upx
behavioral2/memory/2260-149-0x00007FF699090000-0x00007FF6993E1000-memory.dmp	upx
behavioral2/memory/4772-147-0x00007FF6A9940000-0x00007FF6A9C91000-memory.dmp	upx
behavioral2/memory/3656-150-0x00007FF665BC0000-0x00007FF665F11000-memory.dmp	upx
behavioral2/memory/3656-151-0x00007FF665BC0000-0x00007FF665F11000-memory.dmp	upx
behavioral2/memory/2132-211-0x00007FF7B1740000-0x00007FF7B1A91000-memory.dmp	upx
behavioral2/memory/2124-213-0x00007FF747150000-0x00007FF7474A1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\VGMQgDb.exe	2025-01-22_a376594f497916331d7d92f146d654a1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UrhLoFG.exe	2025-01-22_a376594f497916331d7d92f146d654a1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jgDTeFx.exe	2025-01-22_a376594f497916331d7d92f146d654a1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zCbVPFp.exe	2025-01-22_a376594f497916331d7d92f146d654a1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\imUoUTd.exe	2025-01-22_a376594f497916331d7d92f146d654a1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RNRnXOO.exe	2025-01-22_a376594f497916331d7d92f146d654a1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cANXguK.exe	2025-01-22_a376594f497916331d7d92f146d654a1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CNUQwAq.exe	2025-01-22_a376594f497916331d7d92f146d654a1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CmKxgsc.exe	2025-01-22_a376594f497916331d7d92f146d654a1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SWZkJWg.exe	2025-01-22_a376594f497916331d7d92f146d654a1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pNZzjkA.exe	2025-01-22_a376594f497916331d7d92f146d654a1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VekKkYz.exe	2025-01-22_a376594f497916331d7d92f146d654a1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AqfLDTq.exe	2025-01-22_a376594f497916331d7d92f146d654a1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IdtVEbQ.exe	2025-01-22_a376594f497916331d7d92f146d654a1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JfTDZoW.exe	2025-01-22_a376594f497916331d7d92f146d654a1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XbDOEZA.exe	2025-01-22_a376594f497916331d7d92f146d654a1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KdnQauc.exe	2025-01-22_a376594f497916331d7d92f146d654a1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xNBEUKY.exe	2025-01-22_a376594f497916331d7d92f146d654a1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RFfptLL.exe	2025-01-22_a376594f497916331d7d92f146d654a1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LSMknuX.exe	2025-01-22_a376594f497916331d7d92f146d654a1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KmRnwwE.exe	2025-01-22_a376594f497916331d7d92f146d654a1_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3656	2025-01-22_a376594f497916331d7d92f146d654a1_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	3656	2025-01-22_a376594f497916331d7d92f146d654a1_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3656 wrote to memory of 2132	3656	2025-01-22_a376594f497916331d7d92f146d654a1_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3656 wrote to memory of 2132	3656	2025-01-22_a376594f497916331d7d92f146d654a1_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3656 wrote to memory of 2124	3656	2025-01-22_a376594f497916331d7d92f146d654a1_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3656 wrote to memory of 2124	3656	2025-01-22_a376594f497916331d7d92f146d654a1_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3656 wrote to memory of 5044	3656	2025-01-22_a376594f497916331d7d92f146d654a1_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3656 wrote to memory of 5044	3656	2025-01-22_a376594f497916331d7d92f146d654a1_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3656 wrote to memory of 3460	3656	2025-01-22_a376594f497916331d7d92f146d654a1_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3656 wrote to memory of 3460	3656	2025-01-22_a376594f497916331d7d92f146d654a1_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3656 wrote to memory of 3992	3656	2025-01-22_a376594f497916331d7d92f146d654a1_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3656 wrote to memory of 3992	3656	2025-01-22_a376594f497916331d7d92f146d654a1_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3656 wrote to memory of 2392	3656	2025-01-22_a376594f497916331d7d92f146d654a1_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3656 wrote to memory of 2392	3656	2025-01-22_a376594f497916331d7d92f146d654a1_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3656 wrote to memory of 4620	3656	2025-01-22_a376594f497916331d7d92f146d654a1_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3656 wrote to memory of 4620	3656	2025-01-22_a376594f497916331d7d92f146d654a1_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3656 wrote to memory of 2640	3656	2025-01-22_a376594f497916331d7d92f146d654a1_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3656 wrote to memory of 2640	3656	2025-01-22_a376594f497916331d7d92f146d654a1_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3656 wrote to memory of 900	3656	2025-01-22_a376594f497916331d7d92f146d654a1_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3656 wrote to memory of 900	3656	2025-01-22_a376594f497916331d7d92f146d654a1_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3656 wrote to memory of 2436	3656	2025-01-22_a376594f497916331d7d92f146d654a1_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3656 wrote to memory of 2436	3656	2025-01-22_a376594f497916331d7d92f146d654a1_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3656 wrote to memory of 3972	3656	2025-01-22_a376594f497916331d7d92f146d654a1_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3656 wrote to memory of 3972	3656	2025-01-22_a376594f497916331d7d92f146d654a1_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3656 wrote to memory of 2136	3656	2025-01-22_a376594f497916331d7d92f146d654a1_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3656 wrote to memory of 2136	3656	2025-01-22_a376594f497916331d7d92f146d654a1_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3656 wrote to memory of 2768	3656	2025-01-22_a376594f497916331d7d92f146d654a1_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3656 wrote to memory of 2768	3656	2025-01-22_a376594f497916331d7d92f146d654a1_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3656 wrote to memory of 2932	3656	2025-01-22_a376594f497916331d7d92f146d654a1_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3656 wrote to memory of 2932	3656	2025-01-22_a376594f497916331d7d92f146d654a1_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3656 wrote to memory of 4712	3656	2025-01-22_a376594f497916331d7d92f146d654a1_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3656 wrote to memory of 4712	3656	2025-01-22_a376594f497916331d7d92f146d654a1_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3656 wrote to memory of 4576	3656	2025-01-22_a376594f497916331d7d92f146d654a1_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3656 wrote to memory of 4576	3656	2025-01-22_a376594f497916331d7d92f146d654a1_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3656 wrote to memory of 2524	3656	2025-01-22_a376594f497916331d7d92f146d654a1_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3656 wrote to memory of 2524	3656	2025-01-22_a376594f497916331d7d92f146d654a1_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3656 wrote to memory of 2584	3656	2025-01-22_a376594f497916331d7d92f146d654a1_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3656 wrote to memory of 2584	3656	2025-01-22_a376594f497916331d7d92f146d654a1_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3656 wrote to memory of 4772	3656	2025-01-22_a376594f497916331d7d92f146d654a1_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 3656 wrote to memory of 4772	3656	2025-01-22_a376594f497916331d7d92f146d654a1_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 3656 wrote to memory of 4248	3656	2025-01-22_a376594f497916331d7d92f146d654a1_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 3656 wrote to memory of 4248	3656	2025-01-22_a376594f497916331d7d92f146d654a1_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 3656 wrote to memory of 2260	3656	2025-01-22_a376594f497916331d7d92f146d654a1_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 3656 wrote to memory of 2260	3656	2025-01-22_a376594f497916331d7d92f146d654a1_cobalt-strike_cobaltstrike_poet-rat.exe	106

C:\Users\Admin\AppData\Local\Temp\2025-01-22_a376594f497916331d7d92f146d654a1_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-22_a376594f497916331d7d92f146d654a1_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3656
- C:\Windows\System\RNRnXOO.exe
  C:\Windows\System\RNRnXOO.exe
  2⤵
  - Executes dropped EXE
  PID:2132
- C:\Windows\System\VGMQgDb.exe
  C:\Windows\System\VGMQgDb.exe
  2⤵
  - Executes dropped EXE
  PID:2124
- C:\Windows\System\VekKkYz.exe
  C:\Windows\System\VekKkYz.exe
  2⤵
  - Executes dropped EXE
  PID:5044
- C:\Windows\System\UrhLoFG.exe
  C:\Windows\System\UrhLoFG.exe
  2⤵
  - Executes dropped EXE
  PID:3460
- C:\Windows\System\cANXguK.exe
  C:\Windows\System\cANXguK.exe
  2⤵
  - Executes dropped EXE
  PID:3992
- C:\Windows\System\KdnQauc.exe
  C:\Windows\System\KdnQauc.exe
  2⤵
  - Executes dropped EXE
  PID:2392
- C:\Windows\System\KmRnwwE.exe
  C:\Windows\System\KmRnwwE.exe
  2⤵
  - Executes dropped EXE
  PID:4620
- C:\Windows\System\xNBEUKY.exe
  C:\Windows\System\xNBEUKY.exe
  2⤵
  - Executes dropped EXE
  PID:2640
- C:\Windows\System\jgDTeFx.exe
  C:\Windows\System\jgDTeFx.exe
  2⤵
  - Executes dropped EXE
  PID:900
- C:\Windows\System\zCbVPFp.exe
  C:\Windows\System\zCbVPFp.exe
  2⤵
  - Executes dropped EXE
  PID:2436
- C:\Windows\System\CNUQwAq.exe
  C:\Windows\System\CNUQwAq.exe
  2⤵
  - Executes dropped EXE
  PID:3972
- C:\Windows\System\CmKxgsc.exe
  C:\Windows\System\CmKxgsc.exe
  2⤵
  - Executes dropped EXE
  PID:2136
- C:\Windows\System\AqfLDTq.exe
  C:\Windows\System\AqfLDTq.exe
  2⤵
  - Executes dropped EXE
  PID:2768
- C:\Windows\System\IdtVEbQ.exe
  C:\Windows\System\IdtVEbQ.exe
  2⤵
  - Executes dropped EXE
  PID:2932
- C:\Windows\System\RFfptLL.exe
  C:\Windows\System\RFfptLL.exe
  2⤵
  - Executes dropped EXE
  PID:4712
- C:\Windows\System\JfTDZoW.exe
  C:\Windows\System\JfTDZoW.exe
  2⤵
  - Executes dropped EXE
  PID:4576
- C:\Windows\System\LSMknuX.exe
  C:\Windows\System\LSMknuX.exe
  2⤵
  - Executes dropped EXE
  PID:2524
- C:\Windows\System\XbDOEZA.exe
  C:\Windows\System\XbDOEZA.exe
  2⤵
  - Executes dropped EXE
  PID:2584
- C:\Windows\System\SWZkJWg.exe
  C:\Windows\System\SWZkJWg.exe
  2⤵
  - Executes dropped EXE
  PID:4772
- C:\Windows\System\imUoUTd.exe
  C:\Windows\System\imUoUTd.exe
  2⤵
  - Executes dropped EXE
  PID:4248
- C:\Windows\System\pNZzjkA.exe
  C:\Windows\System\pNZzjkA.exe
  2⤵
  - Executes dropped EXE
  PID:2260

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AqfLDTq.exe

Filesize
5.2MB

MD5
70b843445f945145bf2f1974efd79c9a

SHA1
2848ed32699d1392777580a5ec55de00a56d852e

SHA256
3da73d0ea6ef782f8af51a2c4f3fb125e5d7fd157cc622aa12d6e4cce1b40592

SHA512
beb590c8abb47912f1440e4c645002250fc9ddc16d8b82a35a0119eb35b8ad1733698a794de7a4463efb90caaa9b79ad84a7907b7d7c0ff6a67fb24de0d04b83

Download Submit
C:\Windows\System\CNUQwAq.exe

Filesize
5.2MB

MD5
49a63e2c0fc68907808301f348db39a3

SHA1
d70759c6a3a48346246dccdc42820db8429de0a9

SHA256
e553b466f8802be2807140f1ac7a676411f8301e6ae35c870b22d92ccec399a1

SHA512
20981e6aab8888c021850b7a7415492c516faa557a0d39caae045188ae7cf56cb2e31cfc1e294accf678b97ff1db551cdddd4419a82ab1d6c7d30097773cf799

Download Submit
C:\Windows\System\CmKxgsc.exe

Filesize
5.2MB

MD5
d3dedce3d35426bdd9dd10f8de9a571d

SHA1
811b570e6783deb1fcb243d74a938059ff51ad03

SHA256
58d316fd182b7c3e72066b014d1f915547a73ac37570da01dffe31d659a1a882

SHA512
cb5d77d7c723570d5228bef49073ed3bfd447eb3302f5d68b874ce06e0184ccac783dbb727d4d42e149e0faef1758dc574fd0805f9c4bf7d8c9faad2eeaee33f

Download Submit
C:\Windows\System\IdtVEbQ.exe

Filesize
5.2MB

MD5
d2eb61149a3a8e473a4ba3041bf917ce

SHA1
47817f5d879b570e6d256b8c097ea8c328feb482

SHA256
d264babdffd30d804517f1bfba33fa5158c18a10c0a43121ee4bf9229ee332cc

SHA512
b4cd6beb95d2666cf0f0f8e6c9e13c03fee1e0ae6584887861619342d3cb4699d7e47788fb0d5dd8045203c144e66891acdbcce26e1c681a167dad24a13a3a33

Download Submit
C:\Windows\System\JfTDZoW.exe

Filesize
5.2MB

MD5
0c3812d6beaeec3995dcaae482df82d1

SHA1
2257df61d9c4e382bebb8fa0e088a4a490586ddc

SHA256
8077ed97172ed1b07f8f9766170303bb1606495a8877169c6e5e06e51da972dc

SHA512
33a4a6d97a09580f922f3317a41bed407eaea158338370a930bb73b3de5daa1509f745a48f55bf911139e587234b2a2a07f241ecdb9694f74e980b4cacb0e3a2

Download Submit
C:\Windows\System\KdnQauc.exe

Filesize
5.2MB

MD5
4b74cc11aed17f83b55053d0aee6b49a

SHA1
47d26fe54b0a9d879b9c0956a31b0d7e89dbd482

SHA256
e88e8e3a1b74555944b9798da087695db802274af45c3a2041d09dd3c610128f

SHA512
21a362a60418c98a807fb11ce4f0e2555a24d5ce220f246f189145868a9f79f2322d0e0b28abdb14f85da07262a316453023305efe3c630ecadc6a01d9e72aa2

Download Submit
C:\Windows\System\KmRnwwE.exe

Filesize
5.2MB

MD5
9f4fb9a23e293298d386bb02dfb8cd1f

SHA1
616793c110c044d5af2b4cdf49fb50e5614a1ba3

SHA256
704d0768ad5d67faae4bed14a51ea41dd48444ef9b000c69467add92c8990e0c

SHA512
e30eecf2b3d87c1c24971359598272ed7b0ce0e7a6b6fd42c26e6e1861ef1fb4290d73a2c7c0d622921435b534735a4f2bf42f7a10c68787f7b65c4550729d54

Download Submit
C:\Windows\System\LSMknuX.exe

Filesize
5.2MB

MD5
d8b132be5e7dbce3cfbfa0fe6f203788

SHA1
d2e9b09be9aa78f3ecb83a611829a1a49c62a586

SHA256
f1a073abba67d4561ce80bf3bbcb3091fbaa0a4eceb074bc53d574bcae7a802e

SHA512
2a41cbade95e13097dacb8ee8eac0e79a2a02ebbbc1c54ae7d83c615bdb467398e6d8e1d2ee4608986ccc3b5001c270ea661d992a4a44942d7e9dcecb0fdb72a

Download Submit
C:\Windows\System\RFfptLL.exe

Filesize
5.2MB

MD5
7926027529edad7a07e935bb6c800254

SHA1
f1297c5bfbba770d505fe154fcc2af8bca4eedce

SHA256
9713f7325458275b493adb53841c2075190442ca351615638dbdea29bd14e475

SHA512
b0117f3c0819cfedcf9f6fa68eb6cfc826bb5032697ce1e1f784d6394593ae6468a333c7965afbfed44663f7f34b557f31ee23865bca2e1b0b0aed4ba0e121ab

Download Submit
C:\Windows\System\RNRnXOO.exe

Filesize
5.2MB

MD5
1fec96a7ee9b42391c33ada7c792732c

SHA1
b9647f71d1836170b7c646cf0b04de75bfda21fb

SHA256
fcab7d3d7284972d3fbaf93ec577f0fa522f9634e1916423c8d3ec728931e6e0

SHA512
ab8ef81a2d088359a8e10d6ecf8d34126ba09a63b825b73a4c015efb0c798ff03fe560770b74c9784c4ff9602714e193198fc4273542084277f10fea4b678dfa

Download Submit
C:\Windows\System\SWZkJWg.exe

Filesize
5.2MB

MD5
3ed886c6855433feecf449ce227a85f5

SHA1
b1a87758cda56e85ca1c5684d03aa47b4fddc0bd

SHA256
b45b21c84b612d6f1c451940d0a252951e9ada0413ba20adce3c838c88893439

SHA512
edd886d42694a0b83ed598ecdae71de158d89eb9c0df54349e9db5270bccd2ce1a2933404c400d39bece076e3ae6f14c7f51b3eb29351582ef7318f35980d659

Download Submit
C:\Windows\System\UrhLoFG.exe

Filesize
5.2MB

MD5
a8c6010d7bdca0014a32d1ef1a8a64c5

SHA1
ac4435ef84d6345da9a60050801552f600bec4d4

SHA256
68cfaafb176c49c7be75a9a5040e68775fd51043c2794194c1344de2e890fb72

SHA512
08eb4de8f761b7848454f7f1fd0e570095e75c953878fc65bd088122a32ab868a5d5091754065ee093fb93fb563ab64f24ed547ef4144840e42cd68ecc3190d5

Download Submit
C:\Windows\System\VGMQgDb.exe

Filesize
5.2MB

MD5
1a221ab3234a1d92ce8801ed94f08a46

SHA1
1f62ad9c2097732e7c326d8e48fd5fd079b54375

SHA256
c98f28fb1b87c3d8903f4f3c7c5a5ec76a10408ff78e4dbfdbb977d6d9a56789

SHA512
316179fa9b39a18fa922c18da3360c6657c950cd61b04970c383ed60fdfae29e627d26103be392a8f95831e2933bd3cecbc6cee38528d54fd3e0d3ed29e305e8

Download Submit
C:\Windows\System\VekKkYz.exe

Filesize
5.2MB

MD5
20a71ced08e6b67b363f3de87b0b611a

SHA1
126102a533c94f131fecc6b3e5f5e5f97d3ed86b

SHA256
da535a40b9c1209492d90d35517dc664406c03456c76b776e4a8c90dd7fe80fd

SHA512
66cacc9bed7c94874898bd9757bfdf3573a7ee9b11a44594dfc285d09b7710e25ea963c2e7d0ba5faacb6c851c225cf2ac6ab28a19a44101fba07193c654f0fe

Download Submit
C:\Windows\System\XbDOEZA.exe

Filesize
5.2MB

MD5
cbdb10e9adf377c7a75e4c707ea2befa

SHA1
4bc6993d1160ae2a06fc2763e818d7379ced055b

SHA256
5b8baaa43726ca6b6328be21b20f9d69722cfd2447cffa7915bea7cccc008c8d

SHA512
90fee6bd6ec2fe401c4916c4e5b585bf826890241b6fce84f73df2aef15e18d2fa1ccd2e458ecac9ed4e91911061a2ce491f9a5437fde425d887708291334b52

Download Submit
C:\Windows\System\cANXguK.exe

Filesize
5.2MB

MD5
51d436870463a2ae814f5a22512e9363

SHA1
bbd700ed26b3890dd464d8bbed9ac371c8c0f265

SHA256
2c4fe5c46b77cbdb368ddfe456dfb67befb698ec70e31f0f7c43e361850d925f

SHA512
fdeb1b930237e8b3e9e1e3f90d359cd0bcfe47474a786526c291668e86e8badaab409fcdca485f6708aec6805350c1c8125babde1be655983ca25a902b79730c

Download Submit
C:\Windows\System\imUoUTd.exe

Filesize
5.2MB

MD5
f433f17e5f1830c8a9a538b252fdcd83

SHA1
aa00b05a861e7efb13377db70259874db70bb0b2

SHA256
78c22a8ecb64f841a4f429facffee0fdb16a3db7383b376193159fa9573f9f37

SHA512
f4172fcd36837f4523062d5cc19303cc103ead103d518a2f0b861654ee3c3f50b9a9399846e816573da27bf817a1948d8a74625f30ca9714813a15362d476ac3

Download Submit
C:\Windows\System\jgDTeFx.exe

Filesize
5.2MB

MD5
2f2f9e864ec32d1c26222f15e3c94567

SHA1
75059cf265ae19acc0a008bc97bf1cf8537a1255

SHA256
2313a09deec393a26454216e2d8a5c4d1b3da87102adfe0069df5175b44594cf

SHA512
3dacb41a58bd0b4fbd7d23955526d43fb63ac0eb86fda27304a6b59da50feaf08b25bc53390295e58cb02464ded1827b16a0ff099876ba9c8349da4f005eadae

Download Submit
C:\Windows\System\pNZzjkA.exe

Filesize
5.2MB

MD5
f48824197761c78f7bfcdddb78a0ddfe

SHA1
d7bf6fc1da612c5377d03551d05ed9ec221e94ba

SHA256
cdd6319b6ccb64ad3114691b7141b473803dff9ac69a856e3d6290d3d9a11bc9

SHA512
e38c14ab8537f3e2fbcf142b2a281c47c587ae43b84277e78973654184cbd4dc10c1019da4f29073e8780e5a74fc88652fc9acf8b12b1c40859a480ade8a2c6d

Download Submit
C:\Windows\System\xNBEUKY.exe

Filesize
5.2MB

MD5
8704d086165453f2d195c87ac66830b9

SHA1
f2f8b47e67e43a2d14453b4a14d654da487a29a4

SHA256
3664758e6a2902418378d3cd7330dec52f1c1041a57f460cf01dbbc7245023ad

SHA512
44892949d882806dc9039098497bf237e11a4ac24141e7939962f90885f8ca065dc825b5e52a5f544a14bbb645022d0f32b3acee40c6d69879b514f56340ee8a

Download Submit
C:\Windows\System\zCbVPFp.exe

Filesize
5.2MB

MD5
1b1938e098af214e484b77c531a8bec2

SHA1
dc15cdb912a6db3363a280d6106b4b4f49c6dd85

SHA256
e6623b9eb84a359f27a0007e30d014b94aa2349eafdd643eb24c3e8ee8625599

SHA512
cd5f1f2d7e7c5775081b65c0e7db01578cdc3c7748b222343bb88c008468ed1557655ba00750c0b2bd7a725f4154b767244ddcfbd7d6198bd144ee8920183d4f

Download Submit
memory/900-114-0x00007FF6B4E60000-0x00007FF6B51B1000-memory.dmp

Filesize
3.3MB

Download
memory/900-236-0x00007FF6B4E60000-0x00007FF6B51B1000-memory.dmp

Filesize
3.3MB

Download
memory/2124-17-0x00007FF747150000-0x00007FF7474A1000-memory.dmp

Filesize
3.3MB

Download
memory/2124-130-0x00007FF747150000-0x00007FF7474A1000-memory.dmp

Filesize
3.3MB

Download
memory/2124-213-0x00007FF747150000-0x00007FF7474A1000-memory.dmp

Filesize
3.3MB

Download
memory/2132-211-0x00007FF7B1740000-0x00007FF7B1A91000-memory.dmp

Filesize
3.3MB

Download
memory/2132-9-0x00007FF7B1740000-0x00007FF7B1A91000-memory.dmp

Filesize
3.3MB

Download
memory/2132-129-0x00007FF7B1740000-0x00007FF7B1A91000-memory.dmp

Filesize
3.3MB

Download
memory/2136-140-0x00007FF659660000-0x00007FF6599B1000-memory.dmp

Filesize
3.3MB

Download
memory/2136-248-0x00007FF659660000-0x00007FF6599B1000-memory.dmp

Filesize
3.3MB

Download
memory/2136-73-0x00007FF659660000-0x00007FF6599B1000-memory.dmp

Filesize
3.3MB

Download
memory/2260-118-0x00007FF699090000-0x00007FF6993E1000-memory.dmp

Filesize
3.3MB

Download
memory/2260-253-0x00007FF699090000-0x00007FF6993E1000-memory.dmp

Filesize
3.3MB

Download
memory/2260-149-0x00007FF699090000-0x00007FF6993E1000-memory.dmp

Filesize
3.3MB

Download
memory/2392-228-0x00007FF642FB0000-0x00007FF643301000-memory.dmp

Filesize
3.3MB

Download
memory/2392-47-0x00007FF642FB0000-0x00007FF643301000-memory.dmp

Filesize
3.3MB

Download
memory/2392-134-0x00007FF642FB0000-0x00007FF643301000-memory.dmp

Filesize
3.3MB

Download
memory/2436-108-0x00007FF748640000-0x00007FF748991000-memory.dmp

Filesize
3.3MB

Download
memory/2436-235-0x00007FF748640000-0x00007FF748991000-memory.dmp

Filesize
3.3MB

Download
memory/2524-116-0x00007FF62B320000-0x00007FF62B671000-memory.dmp

Filesize
3.3MB

Download
memory/2524-260-0x00007FF62B320000-0x00007FF62B671000-memory.dmp

Filesize
3.3MB

Download
memory/2524-145-0x00007FF62B320000-0x00007FF62B671000-memory.dmp

Filesize
3.3MB

Download
memory/2584-250-0x00007FF6CE420000-0x00007FF6CE771000-memory.dmp

Filesize
3.3MB

Download
memory/2584-119-0x00007FF6CE420000-0x00007FF6CE771000-memory.dmp

Filesize
3.3MB

Download
memory/2640-232-0x00007FF77F180000-0x00007FF77F4D1000-memory.dmp

Filesize
3.3MB

Download
memory/2640-55-0x00007FF77F180000-0x00007FF77F4D1000-memory.dmp

Filesize
3.3MB

Download
memory/2640-136-0x00007FF77F180000-0x00007FF77F4D1000-memory.dmp

Filesize
3.3MB

Download
memory/2768-243-0x00007FF78CD00000-0x00007FF78D051000-memory.dmp

Filesize
3.3MB

Download
memory/2768-141-0x00007FF78CD00000-0x00007FF78D051000-memory.dmp

Filesize
3.3MB

Download
memory/2768-78-0x00007FF78CD00000-0x00007FF78D051000-memory.dmp

Filesize
3.3MB

Download
memory/2932-142-0x00007FF79A8A0000-0x00007FF79ABF1000-memory.dmp

Filesize
3.3MB

Download
memory/2932-240-0x00007FF79A8A0000-0x00007FF79ABF1000-memory.dmp

Filesize
3.3MB

Download
memory/2932-94-0x00007FF79A8A0000-0x00007FF79ABF1000-memory.dmp

Filesize
3.3MB

Download
memory/3460-217-0x00007FF78B7F0000-0x00007FF78BB41000-memory.dmp

Filesize
3.3MB

Download
memory/3460-132-0x00007FF78B7F0000-0x00007FF78BB41000-memory.dmp

Filesize
3.3MB

Download
memory/3460-26-0x00007FF78B7F0000-0x00007FF78BB41000-memory.dmp

Filesize
3.3MB

Download
memory/3656-128-0x00007FF665BC0000-0x00007FF665F11000-memory.dmp

Filesize
3.3MB

Download
memory/3656-1-0x000001D922530000-0x000001D922540000-memory.dmp

Filesize
64KB

Download
memory/3656-150-0x00007FF665BC0000-0x00007FF665F11000-memory.dmp

Filesize
3.3MB

Download
memory/3656-151-0x00007FF665BC0000-0x00007FF665F11000-memory.dmp

Filesize
3.3MB

Download
memory/3656-0-0x00007FF665BC0000-0x00007FF665F11000-memory.dmp

Filesize
3.3MB

Download
memory/3972-139-0x00007FF6AB450000-0x00007FF6AB7A1000-memory.dmp

Filesize
3.3MB

Download
memory/3972-72-0x00007FF6AB450000-0x00007FF6AB7A1000-memory.dmp

Filesize
3.3MB

Download
memory/3972-238-0x00007FF6AB450000-0x00007FF6AB7A1000-memory.dmp

Filesize
3.3MB

Download
memory/3992-31-0x00007FF6B5510000-0x00007FF6B5861000-memory.dmp

Filesize
3.3MB

Download
memory/3992-133-0x00007FF6B5510000-0x00007FF6B5861000-memory.dmp

Filesize
3.3MB

Download
memory/3992-219-0x00007FF6B5510000-0x00007FF6B5861000-memory.dmp

Filesize
3.3MB

Download
memory/4248-254-0x00007FF72DCC0000-0x00007FF72E011000-memory.dmp

Filesize
3.3MB

Download
memory/4248-120-0x00007FF72DCC0000-0x00007FF72E011000-memory.dmp

Filesize
3.3MB

Download
memory/4248-148-0x00007FF72DCC0000-0x00007FF72E011000-memory.dmp

Filesize
3.3MB

Download
memory/4576-144-0x00007FF61FB80000-0x00007FF61FED1000-memory.dmp

Filesize
3.3MB

Download
memory/4576-95-0x00007FF61FB80000-0x00007FF61FED1000-memory.dmp

Filesize
3.3MB

Download
memory/4576-244-0x00007FF61FB80000-0x00007FF61FED1000-memory.dmp

Filesize
3.3MB

Download
memory/4620-230-0x00007FF7CA870000-0x00007FF7CABC1000-memory.dmp

Filesize
3.3MB

Download
memory/4620-107-0x00007FF7CA870000-0x00007FF7CABC1000-memory.dmp

Filesize
3.3MB

Download
memory/4712-247-0x00007FF7C2320000-0x00007FF7C2671000-memory.dmp

Filesize
3.3MB

Download
memory/4712-115-0x00007FF7C2320000-0x00007FF7C2671000-memory.dmp

Filesize
3.3MB

Download
memory/4772-117-0x00007FF6A9940000-0x00007FF6A9C91000-memory.dmp

Filesize
3.3MB

Download
memory/4772-147-0x00007FF6A9940000-0x00007FF6A9C91000-memory.dmp

Filesize
3.3MB

Download
memory/4772-256-0x00007FF6A9940000-0x00007FF6A9C91000-memory.dmp

Filesize
3.3MB

Download
memory/5044-131-0x00007FF60A800000-0x00007FF60AB51000-memory.dmp

Filesize
3.3MB

Download
memory/5044-215-0x00007FF60A800000-0x00007FF60AB51000-memory.dmp

Filesize
3.3MB

Download
memory/5044-20-0x00007FF60A800000-0x00007FF60AB51000-memory.dmp

Filesize
3.3MB

Download