cobaltstrike | 983582df3f151ff1dae20c63de8663d19c971657bc4214fc9f9d91b7e6bda3fc

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/08/2024, 19:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-08-25_8db729f6ef02c40a1d44e50fcbf165ba_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

8db729f6ef02c40a1d44e50fcbf165ba
SHA1

ffa781811275f77eaf038828009ac1facc39e283
SHA256

983582df3f151ff1dae20c63de8663d19c971657bc4214fc9f9d91b7e6bda3fc
SHA512

7f15ade0c510de261d68a3c0f2534e04626466c3aafe1984652b1a8599c86ae644018f9492b21f39ea6ed3899d1ab911298cdeb90f62be8bba13fa0f49807666
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lx:RWWBibf56utgpPFotBER/mQ32lUl

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0008000000023433-6.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023434-11.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023435-21.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023437-29.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023438-34.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023439-39.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002343a-47.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002343b-54.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023436-27.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002343c-60.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023431-65.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002343d-73.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002343e-78.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023441-90.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023442-103.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023443-110.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023444-114.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023445-120.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023447-135.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023446-133.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002343f-96.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/2264-40-0x00007FF79E8E0000-0x00007FF79EC31000-memory.dmp	xmrig
behavioral2/memory/3120-49-0x00007FF7162F0000-0x00007FF716641000-memory.dmp	xmrig
behavioral2/memory/1112-44-0x00007FF7D3EE0000-0x00007FF7D4231000-memory.dmp	xmrig
behavioral2/memory/5072-72-0x00007FF6FEEE0000-0x00007FF6FF231000-memory.dmp	xmrig
behavioral2/memory/3628-79-0x00007FF645770000-0x00007FF645AC1000-memory.dmp	xmrig
behavioral2/memory/3512-92-0x00007FF7676C0000-0x00007FF767A11000-memory.dmp	xmrig
behavioral2/memory/1612-101-0x00007FF6FA6F0000-0x00007FF6FAA41000-memory.dmp	xmrig
behavioral2/memory/1500-108-0x00007FF77A4E0000-0x00007FF77A831000-memory.dmp	xmrig
behavioral2/memory/2972-123-0x00007FF715330000-0x00007FF715681000-memory.dmp	xmrig
behavioral2/memory/4732-127-0x00007FF6B69F0000-0x00007FF6B6D41000-memory.dmp	xmrig
behavioral2/memory/536-130-0x00007FF632150000-0x00007FF6324A1000-memory.dmp	xmrig
behavioral2/memory/2148-99-0x00007FF6D2880000-0x00007FF6D2BD1000-memory.dmp	xmrig
behavioral2/memory/1052-91-0x00007FF7DB0B0000-0x00007FF7DB401000-memory.dmp	xmrig
behavioral2/memory/416-83-0x00007FF614F40000-0x00007FF615291000-memory.dmp	xmrig
behavioral2/memory/1432-138-0x00007FF669B00000-0x00007FF669E51000-memory.dmp	xmrig
behavioral2/memory/5072-139-0x00007FF6FEEE0000-0x00007FF6FF231000-memory.dmp	xmrig
behavioral2/memory/4764-149-0x00007FF71E3D0000-0x00007FF71E721000-memory.dmp	xmrig
behavioral2/memory/1600-150-0x00007FF6A3520000-0x00007FF6A3871000-memory.dmp	xmrig
behavioral2/memory/4528-156-0x00007FF6E8840000-0x00007FF6E8B91000-memory.dmp	xmrig
behavioral2/memory/2432-157-0x00007FF78E990000-0x00007FF78ECE1000-memory.dmp	xmrig
behavioral2/memory/2912-163-0x00007FF70E080000-0x00007FF70E3D1000-memory.dmp	xmrig
behavioral2/memory/2428-162-0x00007FF7D0DD0000-0x00007FF7D1121000-memory.dmp	xmrig
behavioral2/memory/1216-166-0x00007FF61C2D0000-0x00007FF61C621000-memory.dmp	xmrig
behavioral2/memory/5072-167-0x00007FF6FEEE0000-0x00007FF6FF231000-memory.dmp	xmrig
behavioral2/memory/3628-219-0x00007FF645770000-0x00007FF645AC1000-memory.dmp	xmrig
behavioral2/memory/416-221-0x00007FF614F40000-0x00007FF615291000-memory.dmp	xmrig
behavioral2/memory/3512-225-0x00007FF7676C0000-0x00007FF767A11000-memory.dmp	xmrig
behavioral2/memory/1052-224-0x00007FF7DB0B0000-0x00007FF7DB401000-memory.dmp	xmrig
behavioral2/memory/2264-231-0x00007FF79E8E0000-0x00007FF79EC31000-memory.dmp	xmrig
behavioral2/memory/1112-232-0x00007FF7D3EE0000-0x00007FF7D4231000-memory.dmp	xmrig
behavioral2/memory/3120-234-0x00007FF7162F0000-0x00007FF716641000-memory.dmp	xmrig
behavioral2/memory/1500-238-0x00007FF77A4E0000-0x00007FF77A831000-memory.dmp	xmrig
behavioral2/memory/1612-237-0x00007FF6FA6F0000-0x00007FF6FAA41000-memory.dmp	xmrig
behavioral2/memory/2972-245-0x00007FF715330000-0x00007FF715681000-memory.dmp	xmrig
behavioral2/memory/4732-247-0x00007FF6B69F0000-0x00007FF6B6D41000-memory.dmp	xmrig
behavioral2/memory/536-249-0x00007FF632150000-0x00007FF6324A1000-memory.dmp	xmrig
behavioral2/memory/1432-251-0x00007FF669B00000-0x00007FF669E51000-memory.dmp	xmrig
behavioral2/memory/2148-257-0x00007FF6D2880000-0x00007FF6D2BD1000-memory.dmp	xmrig
behavioral2/memory/4764-259-0x00007FF71E3D0000-0x00007FF71E721000-memory.dmp	xmrig
behavioral2/memory/1600-261-0x00007FF6A3520000-0x00007FF6A3871000-memory.dmp	xmrig
behavioral2/memory/4528-263-0x00007FF6E8840000-0x00007FF6E8B91000-memory.dmp	xmrig
behavioral2/memory/2432-268-0x00007FF78E990000-0x00007FF78ECE1000-memory.dmp	xmrig
behavioral2/memory/2912-270-0x00007FF70E080000-0x00007FF70E3D1000-memory.dmp	xmrig
behavioral2/memory/2428-274-0x00007FF7D0DD0000-0x00007FF7D1121000-memory.dmp	xmrig
behavioral2/memory/1216-273-0x00007FF61C2D0000-0x00007FF61C621000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
3628	efaxyYb.exe
416	DCTpYCH.exe
1052	kSOeCzv.exe
3512	YKYwPQd.exe
1112	jCrBcPs.exe
2264	nmZSiir.exe
3120	VPoNNGK.exe
1500	uXBkSGv.exe
1612	bAkPbTe.exe
2972	OMYrNNE.exe
4732	zEsvtmd.exe
536	MTlbigq.exe
1432	jjAUoqR.exe
4764	Obsotpa.exe
2148	iDplYkY.exe
1600	NMTpqQW.exe
4528	UgAARGd.exe
2432	MyqOkng.exe
2428	KIEsQKX.exe
2912	UGBBaXM.exe
1216	EWqqCZD.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5072-0-0x00007FF6FEEE0000-0x00007FF6FF231000-memory.dmp	upx
behavioral2/files/0x0008000000023433-6.dat	upx
behavioral2/memory/3628-8-0x00007FF645770000-0x00007FF645AC1000-memory.dmp	upx
behavioral2/files/0x0007000000023434-11.dat	upx
behavioral2/memory/416-13-0x00007FF614F40000-0x00007FF615291000-memory.dmp	upx
behavioral2/files/0x0007000000023435-21.dat	upx
behavioral2/files/0x0007000000023437-29.dat	upx
behavioral2/files/0x0007000000023438-34.dat	upx
behavioral2/files/0x0007000000023439-39.dat	upx
behavioral2/memory/2264-40-0x00007FF79E8E0000-0x00007FF79EC31000-memory.dmp	upx
behavioral2/files/0x000700000002343a-47.dat	upx
behavioral2/memory/1612-50-0x00007FF6FA6F0000-0x00007FF6FAA41000-memory.dmp	upx
behavioral2/files/0x000700000002343b-54.dat	upx
behavioral2/memory/1500-51-0x00007FF77A4E0000-0x00007FF77A831000-memory.dmp	upx
behavioral2/memory/3120-49-0x00007FF7162F0000-0x00007FF716641000-memory.dmp	upx
behavioral2/memory/1112-44-0x00007FF7D3EE0000-0x00007FF7D4231000-memory.dmp	upx
behavioral2/memory/3512-38-0x00007FF7676C0000-0x00007FF767A11000-memory.dmp	upx
behavioral2/files/0x0007000000023436-27.dat	upx
behavioral2/memory/1052-18-0x00007FF7DB0B0000-0x00007FF7DB401000-memory.dmp	upx
behavioral2/files/0x000700000002343c-60.dat	upx
behavioral2/files/0x0008000000023431-65.dat	upx
behavioral2/memory/5072-72-0x00007FF6FEEE0000-0x00007FF6FF231000-memory.dmp	upx
behavioral2/files/0x000700000002343d-73.dat	upx
behavioral2/files/0x000700000002343e-78.dat	upx
behavioral2/memory/3628-79-0x00007FF645770000-0x00007FF645AC1000-memory.dmp	upx
behavioral2/memory/1432-80-0x00007FF669B00000-0x00007FF669E51000-memory.dmp	upx
behavioral2/memory/536-77-0x00007FF632150000-0x00007FF6324A1000-memory.dmp	upx
behavioral2/memory/4732-66-0x00007FF6B69F0000-0x00007FF6B6D41000-memory.dmp	upx
behavioral2/memory/2972-62-0x00007FF715330000-0x00007FF715681000-memory.dmp	upx
behavioral2/memory/3512-92-0x00007FF7676C0000-0x00007FF767A11000-memory.dmp	upx
behavioral2/files/0x0007000000023441-90.dat	upx
behavioral2/memory/1612-101-0x00007FF6FA6F0000-0x00007FF6FAA41000-memory.dmp	upx
behavioral2/files/0x0007000000023442-103.dat	upx
behavioral2/memory/1600-102-0x00007FF6A3520000-0x00007FF6A3871000-memory.dmp	upx
behavioral2/files/0x0007000000023443-110.dat	upx
behavioral2/memory/4528-109-0x00007FF6E8840000-0x00007FF6E8B91000-memory.dmp	upx
behavioral2/memory/1500-108-0x00007FF77A4E0000-0x00007FF77A831000-memory.dmp	upx
behavioral2/files/0x0007000000023444-114.dat	upx
behavioral2/files/0x0007000000023445-120.dat	upx
behavioral2/memory/2972-123-0x00007FF715330000-0x00007FF715681000-memory.dmp	upx
behavioral2/memory/4732-127-0x00007FF6B69F0000-0x00007FF6B6D41000-memory.dmp	upx
behavioral2/files/0x0007000000023447-135.dat	upx
behavioral2/files/0x0007000000023446-133.dat	upx
behavioral2/memory/1216-132-0x00007FF61C2D0000-0x00007FF61C621000-memory.dmp	upx
behavioral2/memory/536-130-0x00007FF632150000-0x00007FF6324A1000-memory.dmp	upx
behavioral2/memory/2912-129-0x00007FF70E080000-0x00007FF70E3D1000-memory.dmp	upx
behavioral2/memory/2428-124-0x00007FF7D0DD0000-0x00007FF7D1121000-memory.dmp	upx
behavioral2/memory/2432-115-0x00007FF78E990000-0x00007FF78ECE1000-memory.dmp	upx
behavioral2/memory/2148-99-0x00007FF6D2880000-0x00007FF6D2BD1000-memory.dmp	upx
behavioral2/memory/4764-97-0x00007FF71E3D0000-0x00007FF71E721000-memory.dmp	upx
behavioral2/files/0x000700000002343f-96.dat	upx
behavioral2/memory/1052-91-0x00007FF7DB0B0000-0x00007FF7DB401000-memory.dmp	upx
behavioral2/memory/416-83-0x00007FF614F40000-0x00007FF615291000-memory.dmp	upx
behavioral2/memory/1432-138-0x00007FF669B00000-0x00007FF669E51000-memory.dmp	upx
behavioral2/memory/5072-139-0x00007FF6FEEE0000-0x00007FF6FF231000-memory.dmp	upx
behavioral2/memory/4764-149-0x00007FF71E3D0000-0x00007FF71E721000-memory.dmp	upx
behavioral2/memory/1600-150-0x00007FF6A3520000-0x00007FF6A3871000-memory.dmp	upx
behavioral2/memory/4528-156-0x00007FF6E8840000-0x00007FF6E8B91000-memory.dmp	upx
behavioral2/memory/2432-157-0x00007FF78E990000-0x00007FF78ECE1000-memory.dmp	upx
behavioral2/memory/2912-163-0x00007FF70E080000-0x00007FF70E3D1000-memory.dmp	upx
behavioral2/memory/2428-162-0x00007FF7D0DD0000-0x00007FF7D1121000-memory.dmp	upx
behavioral2/memory/1216-166-0x00007FF61C2D0000-0x00007FF61C621000-memory.dmp	upx
behavioral2/memory/5072-167-0x00007FF6FEEE0000-0x00007FF6FF231000-memory.dmp	upx
behavioral2/memory/3628-219-0x00007FF645770000-0x00007FF645AC1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\EWqqCZD.exe	2024-08-25_8db729f6ef02c40a1d44e50fcbf165ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\efaxyYb.exe	2024-08-25_8db729f6ef02c40a1d44e50fcbf165ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MTlbigq.exe	2024-08-25_8db729f6ef02c40a1d44e50fcbf165ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NMTpqQW.exe	2024-08-25_8db729f6ef02c40a1d44e50fcbf165ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jjAUoqR.exe	2024-08-25_8db729f6ef02c40a1d44e50fcbf165ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iDplYkY.exe	2024-08-25_8db729f6ef02c40a1d44e50fcbf165ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DCTpYCH.exe	2024-08-25_8db729f6ef02c40a1d44e50fcbf165ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jCrBcPs.exe	2024-08-25_8db729f6ef02c40a1d44e50fcbf165ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nmZSiir.exe	2024-08-25_8db729f6ef02c40a1d44e50fcbf165ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\Obsotpa.exe	2024-08-25_8db729f6ef02c40a1d44e50fcbf165ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UgAARGd.exe	2024-08-25_8db729f6ef02c40a1d44e50fcbf165ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KIEsQKX.exe	2024-08-25_8db729f6ef02c40a1d44e50fcbf165ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kSOeCzv.exe	2024-08-25_8db729f6ef02c40a1d44e50fcbf165ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YKYwPQd.exe	2024-08-25_8db729f6ef02c40a1d44e50fcbf165ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uXBkSGv.exe	2024-08-25_8db729f6ef02c40a1d44e50fcbf165ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zEsvtmd.exe	2024-08-25_8db729f6ef02c40a1d44e50fcbf165ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MyqOkng.exe	2024-08-25_8db729f6ef02c40a1d44e50fcbf165ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UGBBaXM.exe	2024-08-25_8db729f6ef02c40a1d44e50fcbf165ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VPoNNGK.exe	2024-08-25_8db729f6ef02c40a1d44e50fcbf165ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bAkPbTe.exe	2024-08-25_8db729f6ef02c40a1d44e50fcbf165ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OMYrNNE.exe	2024-08-25_8db729f6ef02c40a1d44e50fcbf165ba_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	5072	2024-08-25_8db729f6ef02c40a1d44e50fcbf165ba_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	5072	2024-08-25_8db729f6ef02c40a1d44e50fcbf165ba_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 5072 wrote to memory of 3628	5072	2024-08-25_8db729f6ef02c40a1d44e50fcbf165ba_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 5072 wrote to memory of 3628	5072	2024-08-25_8db729f6ef02c40a1d44e50fcbf165ba_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 5072 wrote to memory of 416	5072	2024-08-25_8db729f6ef02c40a1d44e50fcbf165ba_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 5072 wrote to memory of 416	5072	2024-08-25_8db729f6ef02c40a1d44e50fcbf165ba_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 5072 wrote to memory of 1052	5072	2024-08-25_8db729f6ef02c40a1d44e50fcbf165ba_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 5072 wrote to memory of 1052	5072	2024-08-25_8db729f6ef02c40a1d44e50fcbf165ba_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 5072 wrote to memory of 3512	5072	2024-08-25_8db729f6ef02c40a1d44e50fcbf165ba_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 5072 wrote to memory of 3512	5072	2024-08-25_8db729f6ef02c40a1d44e50fcbf165ba_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 5072 wrote to memory of 1112	5072	2024-08-25_8db729f6ef02c40a1d44e50fcbf165ba_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 5072 wrote to memory of 1112	5072	2024-08-25_8db729f6ef02c40a1d44e50fcbf165ba_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 5072 wrote to memory of 2264	5072	2024-08-25_8db729f6ef02c40a1d44e50fcbf165ba_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 5072 wrote to memory of 2264	5072	2024-08-25_8db729f6ef02c40a1d44e50fcbf165ba_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 5072 wrote to memory of 3120	5072	2024-08-25_8db729f6ef02c40a1d44e50fcbf165ba_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 5072 wrote to memory of 3120	5072	2024-08-25_8db729f6ef02c40a1d44e50fcbf165ba_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 5072 wrote to memory of 1500	5072	2024-08-25_8db729f6ef02c40a1d44e50fcbf165ba_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 5072 wrote to memory of 1500	5072	2024-08-25_8db729f6ef02c40a1d44e50fcbf165ba_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 5072 wrote to memory of 1612	5072	2024-08-25_8db729f6ef02c40a1d44e50fcbf165ba_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 5072 wrote to memory of 1612	5072	2024-08-25_8db729f6ef02c40a1d44e50fcbf165ba_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 5072 wrote to memory of 2972	5072	2024-08-25_8db729f6ef02c40a1d44e50fcbf165ba_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 5072 wrote to memory of 2972	5072	2024-08-25_8db729f6ef02c40a1d44e50fcbf165ba_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 5072 wrote to memory of 4732	5072	2024-08-25_8db729f6ef02c40a1d44e50fcbf165ba_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 5072 wrote to memory of 4732	5072	2024-08-25_8db729f6ef02c40a1d44e50fcbf165ba_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 5072 wrote to memory of 536	5072	2024-08-25_8db729f6ef02c40a1d44e50fcbf165ba_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 5072 wrote to memory of 536	5072	2024-08-25_8db729f6ef02c40a1d44e50fcbf165ba_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 5072 wrote to memory of 1432	5072	2024-08-25_8db729f6ef02c40a1d44e50fcbf165ba_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 5072 wrote to memory of 1432	5072	2024-08-25_8db729f6ef02c40a1d44e50fcbf165ba_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 5072 wrote to memory of 4764	5072	2024-08-25_8db729f6ef02c40a1d44e50fcbf165ba_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 5072 wrote to memory of 4764	5072	2024-08-25_8db729f6ef02c40a1d44e50fcbf165ba_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 5072 wrote to memory of 2148	5072	2024-08-25_8db729f6ef02c40a1d44e50fcbf165ba_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 5072 wrote to memory of 2148	5072	2024-08-25_8db729f6ef02c40a1d44e50fcbf165ba_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 5072 wrote to memory of 1600	5072	2024-08-25_8db729f6ef02c40a1d44e50fcbf165ba_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 5072 wrote to memory of 1600	5072	2024-08-25_8db729f6ef02c40a1d44e50fcbf165ba_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 5072 wrote to memory of 4528	5072	2024-08-25_8db729f6ef02c40a1d44e50fcbf165ba_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 5072 wrote to memory of 4528	5072	2024-08-25_8db729f6ef02c40a1d44e50fcbf165ba_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 5072 wrote to memory of 2432	5072	2024-08-25_8db729f6ef02c40a1d44e50fcbf165ba_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 5072 wrote to memory of 2432	5072	2024-08-25_8db729f6ef02c40a1d44e50fcbf165ba_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 5072 wrote to memory of 2428	5072	2024-08-25_8db729f6ef02c40a1d44e50fcbf165ba_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 5072 wrote to memory of 2428	5072	2024-08-25_8db729f6ef02c40a1d44e50fcbf165ba_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 5072 wrote to memory of 2912	5072	2024-08-25_8db729f6ef02c40a1d44e50fcbf165ba_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 5072 wrote to memory of 2912	5072	2024-08-25_8db729f6ef02c40a1d44e50fcbf165ba_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 5072 wrote to memory of 1216	5072	2024-08-25_8db729f6ef02c40a1d44e50fcbf165ba_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 5072 wrote to memory of 1216	5072	2024-08-25_8db729f6ef02c40a1d44e50fcbf165ba_cobalt-strike_cobaltstrike_poet-rat.exe	107

C:\Users\Admin\AppData\Local\Temp\2024-08-25_8db729f6ef02c40a1d44e50fcbf165ba_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-25_8db729f6ef02c40a1d44e50fcbf165ba_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5072
- C:\Windows\System\efaxyYb.exe
  C:\Windows\System\efaxyYb.exe
  2⤵
  - Executes dropped EXE
  PID:3628
- C:\Windows\System\DCTpYCH.exe
  C:\Windows\System\DCTpYCH.exe
  2⤵
  - Executes dropped EXE
  PID:416
- C:\Windows\System\kSOeCzv.exe
  C:\Windows\System\kSOeCzv.exe
  2⤵
  - Executes dropped EXE
  PID:1052
- C:\Windows\System\YKYwPQd.exe
  C:\Windows\System\YKYwPQd.exe
  2⤵
  - Executes dropped EXE
  PID:3512
- C:\Windows\System\jCrBcPs.exe
  C:\Windows\System\jCrBcPs.exe
  2⤵
  - Executes dropped EXE
  PID:1112
- C:\Windows\System\nmZSiir.exe
  C:\Windows\System\nmZSiir.exe
  2⤵
  - Executes dropped EXE
  PID:2264
- C:\Windows\System\VPoNNGK.exe
  C:\Windows\System\VPoNNGK.exe
  2⤵
  - Executes dropped EXE
  PID:3120
- C:\Windows\System\uXBkSGv.exe
  C:\Windows\System\uXBkSGv.exe
  2⤵
  - Executes dropped EXE
  PID:1500
- C:\Windows\System\bAkPbTe.exe
  C:\Windows\System\bAkPbTe.exe
  2⤵
  - Executes dropped EXE
  PID:1612
- C:\Windows\System\OMYrNNE.exe
  C:\Windows\System\OMYrNNE.exe
  2⤵
  - Executes dropped EXE
  PID:2972
- C:\Windows\System\zEsvtmd.exe
  C:\Windows\System\zEsvtmd.exe
  2⤵
  - Executes dropped EXE
  PID:4732
- C:\Windows\System\MTlbigq.exe
  C:\Windows\System\MTlbigq.exe
  2⤵
  - Executes dropped EXE
  PID:536
- C:\Windows\System\jjAUoqR.exe
  C:\Windows\System\jjAUoqR.exe
  2⤵
  - Executes dropped EXE
  PID:1432
- C:\Windows\System\Obsotpa.exe
  C:\Windows\System\Obsotpa.exe
  2⤵
  - Executes dropped EXE
  PID:4764
- C:\Windows\System\iDplYkY.exe
  C:\Windows\System\iDplYkY.exe
  2⤵
  - Executes dropped EXE
  PID:2148
- C:\Windows\System\NMTpqQW.exe
  C:\Windows\System\NMTpqQW.exe
  2⤵
  - Executes dropped EXE
  PID:1600
- C:\Windows\System\UgAARGd.exe
  C:\Windows\System\UgAARGd.exe
  2⤵
  - Executes dropped EXE
  PID:4528
- C:\Windows\System\MyqOkng.exe
  C:\Windows\System\MyqOkng.exe
  2⤵
  - Executes dropped EXE
  PID:2432
- C:\Windows\System\KIEsQKX.exe
  C:\Windows\System\KIEsQKX.exe
  2⤵
  - Executes dropped EXE
  PID:2428
- C:\Windows\System\UGBBaXM.exe
  C:\Windows\System\UGBBaXM.exe
  2⤵
  - Executes dropped EXE
  PID:2912
- C:\Windows\System\EWqqCZD.exe
  C:\Windows\System\EWqqCZD.exe
  2⤵
  - Executes dropped EXE
  PID:1216

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\DCTpYCH.exe

Filesize
5.2MB

MD5
214a4c525d8600d140139cabe7cbd50e

SHA1
53fa532da11ca368e0df94fdd1f5e98ae45602c9

SHA256
f553f74f5a15779f7840e642f71dcbb3270d8f832c7b876e2f6aa6c34f642948

SHA512
d859dbec566c8afdc781a10e3542d2de79b5cef9ccfaad0942ac8d5550fd3f72f73b92b182271db13d47242cbb7fcf2191d7e9b59637ea156a6c9501758ca8f9

Download Submit
C:\Windows\System\EWqqCZD.exe

Filesize
5.2MB

MD5
a17188954d6faed262b1f452d87207df

SHA1
a8530734493fcf4758aed7fccd6a3b766d44e108

SHA256
805441b9cdf2b2a030ea54a65868ea81757a93943bd1534cdf1fb627fda7b9ea

SHA512
05f928e9e0348949061b58edc722ea76d2d692609eb51d2d2ea64a2d33a8977ec1a91d65f5863181efaa21f66f37e77e6ba327cdaa923e98a1037990d4914bca

Download Submit
C:\Windows\System\KIEsQKX.exe

Filesize
5.2MB

MD5
2698f60b8eae72ed4b069e683d3e2871

SHA1
82cd4059e37d798a8aaf613fb24f8ea2efae1c53

SHA256
4ee6e2b8579230d8649504921a375f434ffb8bb307026360e1897a30076f94e5

SHA512
1aa20f49270bb92bc5edaf70699fdb5584fb75b9f46e09b70ea654fff0f766a57648a00efc6c458cf575c6052da692329330406582116a8a1b5b3d3edb8c72af

Download Submit
C:\Windows\System\MTlbigq.exe

Filesize
5.2MB

MD5
932214ac988084eea05d96f0755d89a5

SHA1
0f3e8245a5c2968ed015d584b5b0ba5ca61cd1ef

SHA256
5ba3663f9a9e2a27d05012fa416c0158bbda8dd220346edb05d0f006864f3206

SHA512
e3ca491aa79515b89a43553f64f0046678f2542d49b5939994ee1138093efd751cac346a98258040136b659aaaf832dc86bdec4f69b66a1421cb6d27adaa6431

Download Submit
C:\Windows\System\MyqOkng.exe

Filesize
5.2MB

MD5
dde8af4de87d553d95ef239e3a9ffd30

SHA1
d9c57a1abce0c0bbd51d060fe4552808cb90c2ab

SHA256
3f9e42279f613271ee0ec060f4a30f4f725592f7be541681bbd9affa01703d7e

SHA512
68ced69533799f0d136dda748f1068e9cf1c17fbbacfacbd469d9976ed1b80f58c7e0c303b6404d09709b6a4db0514565878c2e9cd7dfb9cf2040ac06ecdb941

Download Submit
C:\Windows\System\NMTpqQW.exe

Filesize
5.2MB

MD5
75ca65b198c7d201997967c220a4e0ac

SHA1
8d5f4037aa3982f9c0a754f20a217faa311c40c0

SHA256
760fa3dd7e88519bf066b1e79bb52b397f019fef982b2e2d304075828be159ad

SHA512
bef1f575b1cedad295bd72896a816cde4743ca67692685d510e7a75d1c0fbffd57b79f4da8846976123c0a83e1e296332e9d8b85435347c649b70d65d9f1d221

Download Submit
C:\Windows\System\OMYrNNE.exe

Filesize
5.2MB

MD5
810768f5af8bc6b044d21e882d7ece1d

SHA1
f3b086e5faccfdd2978def05ba01e84d8fea7073

SHA256
dee2d6e32075ae023c907d48253d81ef47b594e83a602a84bc82ab75587ee70c

SHA512
b231fd88ba9578247743e59a3ac5c8c779e672b14a33fd3e96bb23f2b79d1ed82fca83ed47c5c02b62e6b97d00e84d710c21a82790b062a41e43769a5d2d7ec7

Download Submit
C:\Windows\System\Obsotpa.exe

Filesize
5.2MB

MD5
791347b9dadd0915c3e2d05649650005

SHA1
4d4863efae9577fadf4b4c4642312c2f260f340e

SHA256
e8024850aac865b20fd17823f266199acd665ec54284b90021ed9c97632e04a4

SHA512
306ceef3fcfa6fcbc64a03b4814056a6e2ac1c3042dac18c16259045a47b205dabaf94caaa91ed799959b8d4bb8af5762ba6eb5df531bc54015d983ffa461e56

Download Submit
C:\Windows\System\UGBBaXM.exe

Filesize
5.2MB

MD5
9e0a6d66508688ff9c6ffd986009a2b4

SHA1
6a89d67fd05b8b0ad371ea122cb059e0507fb309

SHA256
224769fded731529bf94a4919e751f6df718478d66d55efb13801d4c33299a75

SHA512
dee337da7b525e745924ecb4b67a1ac9f7cfd67695af7a7b6955c6654cc958496e8e9df8ba43a51b70c1f73f3f44fd0712009341438422f675662d7b38d2b0b6

Download Submit
C:\Windows\System\UgAARGd.exe

Filesize
5.2MB

MD5
1803fbc9c8bd35eba88a35bf9d38e7f2

SHA1
03c10b96c01e40e11c9b7e06e8253cd63fe7413d

SHA256
15332e4cf20669f95d02c463539f8eaf21cea8e333faa1c84a0d1fb6661ce90f

SHA512
7126789fdcc50d948ce93e3d8715cb4710b808796d43963bfbf593afb8f3f812987bf601010c639c0dea12e620fb91cd88a8dd54e3df77e8b122d33270498f1a

Download Submit
C:\Windows\System\VPoNNGK.exe

Filesize
5.2MB

MD5
4dcb263c5c7b0861b3eb4cf4c5b8b09d

SHA1
df3866f6ff40fde9c6d8468a31f563ef0718d861

SHA256
8a8f9fdf95c11762c93ff7980f582168f9961904d30178b8074af4181c46f51e

SHA512
0958c9ab0e04e9fdf292705d1b5f9a5cd0ae3c3761a86313e65da4fc669923d91da8f68a147a36b229b54d54dc91ba8b36e242370b01355222fd0087fb419657

Download Submit
C:\Windows\System\YKYwPQd.exe

Filesize
5.2MB

MD5
7698a67fb667dc62e9555cd0b3c18a7b

SHA1
9896432072b3b11a18c991ba58e11096ec2363ca

SHA256
2d78bda14291677ba8e20daf5b5d6abaa7fd6b13e416e870df1b5efd51baad43

SHA512
b6e84c70fef5744970be764bfefedf7f6c0434e974231ed6643fc0e0399683f2f5e1604d1798f8782029717691795cf0d10b1aa67a0b02ca63b52d71569e8273

Download Submit
C:\Windows\System\bAkPbTe.exe

Filesize
5.2MB

MD5
b7bcc607077265bf6dff292fa3403adb

SHA1
de9419441fcf3dd93ec8db025728e53419d96ca6

SHA256
1f844c8a9151d391792c1b568b33d46980360450b18b8bb59f4dd26aae1e1323

SHA512
c75d2e509a396c46d44606a13b16c82227a038b1b87c7d8e69d31862cea70852928cbf74cd52983868e7839f36f0020dcd6e9b34d9b92eb4923b6262b958a294

Download Submit
C:\Windows\System\efaxyYb.exe

Filesize
5.2MB

MD5
5249d532b3a081c012085c8c1a9792f5

SHA1
3c4656e654b19ad91542b33020e994a939316880

SHA256
9525cbf64291e4e65d0bb48c005efc11d3f04a6d4d08f359bbf674c5436d5905

SHA512
7d804294f9c86e4c2778ea50f1a3edd8dc3798fbd8917df3a48e75b3071c21fc1abc2c3d18c0075997e46606f2e4d82d6487f5c5be85502e055fd8e3711d7311

Download Submit
C:\Windows\System\iDplYkY.exe

Filesize
5.2MB

MD5
58a6d80ba3a55be532b0d3c16e197d5e

SHA1
06858f5b554ef00a1bfc418fa8db5a787103cc40

SHA256
766873c59080afdfa447e5d47e2a293dea40e9fed823da35081c9ca5652f73b6

SHA512
e9db4c81511d44071389b57180ad7b0174932b00580b70bf4cf0caa03ad670f9cd1d7cbdd002109dc918d8762d70f7ab245e5df75ff2f5f4a288017618f673f2

Download Submit
C:\Windows\System\jCrBcPs.exe

Filesize
5.2MB

MD5
d948e6faf6c27895f58b0475dccad5b8

SHA1
8b2e732a887907f7d01a7e7e68bfdc6c9ee90f54

SHA256
1b44aefed7952909afd7778df4d99cb8bdb4756f07f1f745a77b788b129c5934

SHA512
463abea6983aa6594b811cf9d4a7f3a6336be74de4d86ce11663275b951e0c3aa6050ff0ba4c9bc9df1d258888e1335736e4cf4ddc709cf7faadee2932f60a62

Download Submit
C:\Windows\System\jjAUoqR.exe

Filesize
5.2MB

MD5
321dcc5504fdd64efd80bdae216d02c8

SHA1
b13c4706de445e96c4eeefc3113918259ff8f3e1

SHA256
f977ed4cf5b3cfe02626bf216fb25b509eed9a5a7b4c2425ae8bd0f3d109ac1b

SHA512
8cd6fbcabe6bfc767925584a0441bccdb9d72257abfc402d47199042af296a337b8b97042fde148a7c6201099e5840c76d6977e1dae719d6fa8e8afb33619cbe

Download Submit
C:\Windows\System\kSOeCzv.exe

Filesize
5.2MB

MD5
1744f9a165475b972543f7e35bc7295f

SHA1
51960a142f109395a8ab02272f8701f5130f3a4b

SHA256
42a4703f68be8fd9ddac1ae306db16f29495a5b6e5de6e18a15797b9d1000d4d

SHA512
ecd181cf2c54fcbc52705be319e9613e447d5ec86994343f3e06d170b0e054bb5357ab5fa65efc71794f2a21ad272676536db70269076622a2d20ceabe16af32

Download Submit
C:\Windows\System\nmZSiir.exe

Filesize
5.2MB

MD5
c02e83d987f13a2cdb14f849974b7861

SHA1
4eacc119b2dc9e0fc924abda7820354cd4c68208

SHA256
df2bc995298d43ccac47299e1752064de8912f0923bd637f6aea490582260c2e

SHA512
c9b460c08afc5932c4a8c29c731e3be340c66a37c26b593812c0d1e43755df1f780a655430d053dfaa78c46b407576a6f79d72fb621685de6124c56e5a8f7249

Download Submit
C:\Windows\System\uXBkSGv.exe

Filesize
5.2MB

MD5
261e2ae77a3b67e15f63d96cb5bfa36c

SHA1
84f4e7074b252880d562daee30e10d9e7a3266c2

SHA256
b51c7eb778bc8ab42df3fd3718db2245bb05bbab46a17d0e9f5b51bbe4ba0324

SHA512
883532853d365303a2e4a361d6f22a98a19594fa810b0e347693bc6d863aa4d0e4535679e6c975b1e15cde7c56180d64c30d82a27bec137eb6f4b78e487eed1f

Download Submit
C:\Windows\System\zEsvtmd.exe

Filesize
5.2MB

MD5
3485951b0bedcf83438a86e01d68f424

SHA1
9b7caa057741dd31afadca36ea4ffc18886bdd6d

SHA256
b0944e381a15b5cddd3ce680e45ee0ed0e55f0b5b4b7a1327a00b6c5fadd9960

SHA512
e3586087a6633b22d074cf77b72b990e07ac255403b8bbca85e263cd9aa1ba676db73c2a4a694dee22f23946e3774ab70b595157fb9a516ac6cdd26c0d3b3865

Download Submit
memory/416-13-0x00007FF614F40000-0x00007FF615291000-memory.dmp

Filesize
3.3MB

Download
memory/416-83-0x00007FF614F40000-0x00007FF615291000-memory.dmp

Filesize
3.3MB

Download
memory/416-221-0x00007FF614F40000-0x00007FF615291000-memory.dmp

Filesize
3.3MB

Download
memory/536-130-0x00007FF632150000-0x00007FF6324A1000-memory.dmp

Filesize
3.3MB

Download
memory/536-77-0x00007FF632150000-0x00007FF6324A1000-memory.dmp

Filesize
3.3MB

Download
memory/536-249-0x00007FF632150000-0x00007FF6324A1000-memory.dmp

Filesize
3.3MB

Download
memory/1052-224-0x00007FF7DB0B0000-0x00007FF7DB401000-memory.dmp

Filesize
3.3MB

Download
memory/1052-18-0x00007FF7DB0B0000-0x00007FF7DB401000-memory.dmp

Filesize
3.3MB

Download
memory/1052-91-0x00007FF7DB0B0000-0x00007FF7DB401000-memory.dmp

Filesize
3.3MB

Download
memory/1112-232-0x00007FF7D3EE0000-0x00007FF7D4231000-memory.dmp

Filesize
3.3MB

Download
memory/1112-44-0x00007FF7D3EE0000-0x00007FF7D4231000-memory.dmp

Filesize
3.3MB

Download
memory/1216-166-0x00007FF61C2D0000-0x00007FF61C621000-memory.dmp

Filesize
3.3MB

Download
memory/1216-132-0x00007FF61C2D0000-0x00007FF61C621000-memory.dmp

Filesize
3.3MB

Download
memory/1216-273-0x00007FF61C2D0000-0x00007FF61C621000-memory.dmp

Filesize
3.3MB

Download
memory/1432-138-0x00007FF669B00000-0x00007FF669E51000-memory.dmp

Filesize
3.3MB

Download
memory/1432-80-0x00007FF669B00000-0x00007FF669E51000-memory.dmp

Filesize
3.3MB

Download
memory/1432-251-0x00007FF669B00000-0x00007FF669E51000-memory.dmp

Filesize
3.3MB

Download
memory/1500-238-0x00007FF77A4E0000-0x00007FF77A831000-memory.dmp

Filesize
3.3MB

Download
memory/1500-51-0x00007FF77A4E0000-0x00007FF77A831000-memory.dmp

Filesize
3.3MB

Download
memory/1500-108-0x00007FF77A4E0000-0x00007FF77A831000-memory.dmp

Filesize
3.3MB

Download
memory/1600-102-0x00007FF6A3520000-0x00007FF6A3871000-memory.dmp

Filesize
3.3MB

Download
memory/1600-150-0x00007FF6A3520000-0x00007FF6A3871000-memory.dmp

Filesize
3.3MB

Download
memory/1600-261-0x00007FF6A3520000-0x00007FF6A3871000-memory.dmp

Filesize
3.3MB

Download
memory/1612-50-0x00007FF6FA6F0000-0x00007FF6FAA41000-memory.dmp

Filesize
3.3MB

Download
memory/1612-237-0x00007FF6FA6F0000-0x00007FF6FAA41000-memory.dmp

Filesize
3.3MB

Download
memory/1612-101-0x00007FF6FA6F0000-0x00007FF6FAA41000-memory.dmp

Filesize
3.3MB

Download
memory/2148-99-0x00007FF6D2880000-0x00007FF6D2BD1000-memory.dmp

Filesize
3.3MB

Download
memory/2148-257-0x00007FF6D2880000-0x00007FF6D2BD1000-memory.dmp

Filesize
3.3MB

Download
memory/2264-40-0x00007FF79E8E0000-0x00007FF79EC31000-memory.dmp

Filesize
3.3MB

Download
memory/2264-231-0x00007FF79E8E0000-0x00007FF79EC31000-memory.dmp

Filesize
3.3MB

Download
memory/2428-124-0x00007FF7D0DD0000-0x00007FF7D1121000-memory.dmp

Filesize
3.3MB

Download
memory/2428-274-0x00007FF7D0DD0000-0x00007FF7D1121000-memory.dmp

Filesize
3.3MB

Download
memory/2428-162-0x00007FF7D0DD0000-0x00007FF7D1121000-memory.dmp

Filesize
3.3MB

Download
memory/2432-157-0x00007FF78E990000-0x00007FF78ECE1000-memory.dmp

Filesize
3.3MB

Download
memory/2432-268-0x00007FF78E990000-0x00007FF78ECE1000-memory.dmp

Filesize
3.3MB

Download
memory/2432-115-0x00007FF78E990000-0x00007FF78ECE1000-memory.dmp

Filesize
3.3MB

Download
memory/2912-163-0x00007FF70E080000-0x00007FF70E3D1000-memory.dmp

Filesize
3.3MB

Download
memory/2912-270-0x00007FF70E080000-0x00007FF70E3D1000-memory.dmp

Filesize
3.3MB

Download
memory/2912-129-0x00007FF70E080000-0x00007FF70E3D1000-memory.dmp

Filesize
3.3MB

Download
memory/2972-245-0x00007FF715330000-0x00007FF715681000-memory.dmp

Filesize
3.3MB

Download
memory/2972-123-0x00007FF715330000-0x00007FF715681000-memory.dmp

Filesize
3.3MB

Download
memory/2972-62-0x00007FF715330000-0x00007FF715681000-memory.dmp

Filesize
3.3MB

Download
memory/3120-234-0x00007FF7162F0000-0x00007FF716641000-memory.dmp

Filesize
3.3MB

Download
memory/3120-49-0x00007FF7162F0000-0x00007FF716641000-memory.dmp

Filesize
3.3MB

Download
memory/3512-92-0x00007FF7676C0000-0x00007FF767A11000-memory.dmp

Filesize
3.3MB

Download
memory/3512-225-0x00007FF7676C0000-0x00007FF767A11000-memory.dmp

Filesize
3.3MB

Download
memory/3512-38-0x00007FF7676C0000-0x00007FF767A11000-memory.dmp

Filesize
3.3MB

Download
memory/3628-8-0x00007FF645770000-0x00007FF645AC1000-memory.dmp

Filesize
3.3MB

Download
memory/3628-219-0x00007FF645770000-0x00007FF645AC1000-memory.dmp

Filesize
3.3MB

Download
memory/3628-79-0x00007FF645770000-0x00007FF645AC1000-memory.dmp

Filesize
3.3MB

Download
memory/4528-109-0x00007FF6E8840000-0x00007FF6E8B91000-memory.dmp

Filesize
3.3MB

Download
memory/4528-263-0x00007FF6E8840000-0x00007FF6E8B91000-memory.dmp

Filesize
3.3MB

Download
memory/4528-156-0x00007FF6E8840000-0x00007FF6E8B91000-memory.dmp

Filesize
3.3MB

Download
memory/4732-66-0x00007FF6B69F0000-0x00007FF6B6D41000-memory.dmp

Filesize
3.3MB

Download
memory/4732-247-0x00007FF6B69F0000-0x00007FF6B6D41000-memory.dmp

Filesize
3.3MB

Download
memory/4732-127-0x00007FF6B69F0000-0x00007FF6B6D41000-memory.dmp

Filesize
3.3MB

Download
memory/4764-259-0x00007FF71E3D0000-0x00007FF71E721000-memory.dmp

Filesize
3.3MB

Download
memory/4764-149-0x00007FF71E3D0000-0x00007FF71E721000-memory.dmp

Filesize
3.3MB

Download
memory/4764-97-0x00007FF71E3D0000-0x00007FF71E721000-memory.dmp

Filesize
3.3MB

Download
memory/5072-167-0x00007FF6FEEE0000-0x00007FF6FF231000-memory.dmp

Filesize
3.3MB

Download
memory/5072-0-0x00007FF6FEEE0000-0x00007FF6FF231000-memory.dmp

Filesize
3.3MB

Download
memory/5072-139-0x00007FF6FEEE0000-0x00007FF6FF231000-memory.dmp

Filesize
3.3MB

Download
memory/5072-1-0x000001FE622D0000-0x000001FE622E0000-memory.dmp

Filesize
64KB

Download
memory/5072-72-0x00007FF6FEEE0000-0x00007FF6FF231000-memory.dmp

Filesize
3.3MB

Download